January 18, 2022

Webinar: How To Improve Your Cybersecurity Posture On A Budget

Last week, we teamed up with our friends at Blumira to swap our best budget-saving tips for securing your public cloud environment. Here’s what you missed.


It’s no secret that the cost of ransomware is a very real threat to your company’s existence. But unless your budget hovers somewhere around infinite, it can sometimes feel just as stressful trying to research cloud security tools that aren’t also going to bankrupt your business.

In fact, that very sentiment is one of the reasons why we created Tenacity — to democratize the cloud for everyone… not just enterprise customers.

That’s why we were so excited to team up with our friends at Blumira last week for a webinar all about improving your cybersecurity posture without breaking the bank. Throughout our conversation, we swapped our favorite free or low-cost tools that can improve your security coverage, along with tips for auditing your current security spend and finding areas to cut costs.

Today, we’re sharing some quick highlights from our conversation, but be sure to head to Blumira to watch the full webinar (or check out the video recording below) for our entire collection of tools and tips.

Why are security tools so expensive in the first place?

Nick Lumsden, CTO and Co-Founder of Tenacity: There are a handful of things that are really driving costs. One is just a high demand in the labor market. It's really, really hard to find experts, and in the absence of that expertise or as you're spreading teams thin, there are oftentimes shortcuts through technology that lead to all sorts of operational problems, which can actually create unnecessary costs inside of security and operating a cloud budget.

Matthew Warner, CTO and Co-Founder of Blumira: On the side of hiring, just the entirety of software engineering, security engineering, applying security, IT… the entirety of technical implementation of employees is really difficult because salaries change monthly at this point. Anyone who's in hiring knows that the salary that you offered last quarter is not the salary that you probably need to offer this quarter, and to do budgeting on a year-to-year basis for hiring alone makes that difficult. So when you think about, “How am I going to get the right people in place? What are they going to need to do?” — especially as it pertains to this conversation, just bringing in one security person or one cloud security architect isn't going to solve your budget or your security issues across your environment. 

Realistically, you either need to start building your teams out or leveraging technology to help you grow, because of the cost of traditional security. Building out a team is really only ingestible by large organizations because they can take the time now to build out those teams and create that structure. But even in those cases, they're still going to leverage those tools in order to easily improve their visibility, because it's impossible at this point to do anything other than just kind of try to keep up and move forward.

Alert fatigue is something that is talked about often in the sense that it can definitely hurt your security posture, but it’s underestimated in terms of the cost that it can bring to your organization. Can you talk a little bit about that?

Matthew: Alert fatigue is a really interesting problem because it's one of those things that, as humans, we train ourselves inherently as we get more and more alerts to ignore them and move on. But when you do that, you're not only exhausting yourself, but you’re training your brain to be like, well… that doesn't matter. And when you move in that direction in terms of infrastructure alerting or security alerting, you inherently get the byproduct of reduced impact of other alerting from that infrastructure as well, or reduced care or concerned integrity as it pertains to that alerting.

So, with the growth of alert fatigue, what we often see is that organizations will utilize their security tools in a way that they think will work best for them. But, what ends up happening is that they get every alert from every scan they sign up for, and they’re never going to see the one out of 10,000 that resulted in an exploited environment.

You're much better off leveraging something like Tenacity which tells you what the configuration of your environment looks like and what is your baseline. Once you think about it more as it pertains to “How could someone actually exploit something in my environment and gain a foothold into my environment? How's my environment configured? What's my attack surface?” you can drill that alerting down to really what's important to you and what's important to your environment. 

It matters if someone gets a shell in your environment. It matters if you configure ACLs improperly. But it doesn't matter if someone's scanned your server for the 20th time, because I can guarantee someone's doing that. The moment that I'm here talking to you, it is happening. And it's really kind of about flipping how you think about security and flipping how you think about what's important in your environment and your risk mitigation needs.

Nick: The problem in the cybersecurity industry is that every tool is trying to be its own alerting engine. We’ve taken an experience-first, big data approach in that we would rather show you intelligence around what’s happening in the foundational security layer around the configuration.

So, let’s say you’ve installed Tenacity and we found 3,000 violations in your environment. Instead of throwing 3,000 alerts at you every time you log in, we're going to help you contextually look at that data and understand what's the most important thing that you can do first to reduce your attack surface. That's going to have a downstream effect in that now your cybersecurity tools are really monitoring and watching your environment, and they have a narrower set of things that they have to pay attention to. Therefore, your alerts just get better by taking action on that configuration. That's in our core philosophy. We want the experience of cybersecurity to be a great one.

Do you have any tips for someone who has too many tools or feels like their alerts are getting out of control? How do they go about consolidating those tools? 

Nick: There's a real phenomenon in cybersecurity or in the experience of running operations teams where you buy a tool, get it implemented, use it for about two weeks, and then that tool falls off the radar because it doesn't get prioritized in the 30 or 40 log-ins, tools, or portals you have to go to in order to manage it. I think there's a couple of techniques that you can use in order to reduce the tool sets you need. The first is really understanding what's going to be your source of urgency. Not having 30 sources of urgency, but having one or two that can tell you where you need to focus your time and effort is really, really important.

The second thing is not to ignore the three areas of a cybersecurity strategy. There's a lot of focus put on the users and training of users, which is great. But that’s a lot of money spent on 30 or 40 tools that people need, rather than getting the foundational security right. But getting foundational security right is critical.

Whether you use a tool like Tenacity, or whether you go out and use cloud native tools to get your configuration right, you want to minimize the amount of effort you have to put into managing all those tools and get them down to just the necessary set. 

Matt: Yeah, foundational security is one of those things that’s really easy to move past and think “I'm on to other things, so I'll worry about that later.” But foundational and fundamentals of security really are the only way to think about how you’re going to use all these tools. Contextualize them: What can I deprecate? How can I change? And if you don’t know how you're going to leverage a tool, it probably doesn't need to be in your stack. 

If you have something growing on a stack that is creating apathy, isn't actually helping you, or isn't critical, then that needs to be pulled out, tuned down, and reconsidered. As you move through that, that can be done through policy, through structure, or a few different ways. But without that quarterly process of review, it will always result in waste. 

Want to check out the rest of our webinar with Blumira, including our favorite tools and public cloud providers? Head over to Blumira’s site to watch the webinar On Demand now.
