Speed is of the essence in digital defense. As the latest Ponemon Institute Cost of a Data Breach Report makes clear, businesses and agencies that are able to respond to and contain an incident rapidly will save millions over their slower peers. The average total cost of a data breach increased by nearly 10%, the largest increase in nearly a decade. However, groups able to identify and contain a breach in less than 200 days saved an average of $1.26 million compared to those that needed more time. So, the right thing to do is put more cybersecurity solutions in place, right?

Not always. There are many tools that speed up breach response times, such as artificial intelligence (AI) and security automation. But these are challenging to implement. Groups with AI and automated security solutions saved 80% in total breach costs over those that did not. The use of such advanced tools is strongly connected with faster time-to-identify and time-to-contain. However, making the architecture more complex can make analysts’ jobs more difficult, too.

Recent research reveals this exact paradox. According to the 2020 Cyber Resilient Organization Report, security operations programs with fewer than 50 different solutions perform better than SecOps programs running more tools. In fact, those using fewer solutions are 9% faster to detect threats, and 7% better at responding to incidents. Past a certain point, adding more tech to the stack does increase network telemetry coverage and visibility. But it actually decreases operational effectiveness.

Shortening the On-Ramp for New Cybersecurity Solutions

How can we get past this dilemma and begin taking full advantage of the value of the new tech that we adopt? In the end, security leaders and vendors alike must work together to support data sharing, product interoperability and an open ecosystem. In the long run, this will support greater speed and responsiveness.

The slow-moving gears of procurement, deployment and internal bureaucracy can pose the largest threat to good posture. Every program must be able to respond nimbly to changes in threat actors’ skills and strategies.

Scaling Up

To do so, it’s key that we find vendors and partners that can help scale up defenses so they keep pace with the demands of the growing business and the evolving threat landscape. This means speeding up the process of implementing, customizing and tuning new tools and cybersecurity solutions as much as possible, even when those solutions don’t all come from the same vendor. It means keeping the amount of code that SecOps workers are asked to write to a bare minimum. And, most of all, it means ensuring that tools can work together quickly and seamlessly, ideally right out of the box, on day one of their deployment.

The need for tool sets that work together smoothly is strong and pressing. Numerous vendors have responded by building architectures of their own. Another popular method is pushing the “single vendor” approach as a means of solving the management and interoperability challenges that different tool sets create. This approach has numerous shortcomings, including preventing people from employing a “best of breed” approach. That can cause them to miss out on the most innovative, advanced or efficient solutions. It can also prevent them from getting the most out of the investments they’ve already made. In the end, it isn’t practical, which is why most enterprise security programs continue to rely on a multi-vendor solution mix.

The Best Path Forward: An Open Approach

The approach championed by the Open Cybersecurity Alliance (OCA) and other open source advocates has numerous benefits for developers, workers and vendors alike. With robust data integrations and open APIs, vendors can get the most out of their real-time threat data. SecOps teams can share insights and findings among themselves. They can deploy analytics, orchestrated response tools and AI-powered assistants for incident investigation and case-building. And that’s without taking time away from higher value work, such as threat hunting, to build complex custom integrations.

Focused on enabling data interchange within the security event lifecycle, the people who make up OCA are creating standards and protocols that enable tools to seamlessly work together. It’s hoped that these standards will evolve into an industry-wide norm. That, in turn, might reduce the amount of time, effort and money companies will need to invest in building and maintaining integrations. This will make it so that even the most disparate tech and products can work together.

How Do Open Standards Help?

With open standards in place across cybersecurity solutions, workers will be able to:

  • Share information, analytics and orchestrated response patterns among team members and between tools
  • Gain enhanced visibility into the environment as a whole
  • Maximize the value of existing products and solutions, while reducing the need for new ones
  • Free themselves from vendor lock-in

In turn, cybersecurity solutions vendors can:

  • Make their products more appealing to a wider customer base
  • Showcase the value of their internal engineering expertise
  • Provide their customers with greater value – and demonstrate this value consistently
  • Take advantage of the reusability of their solutions

The Future of Cybersecurity Solutions

Numerous global vendors have joined OCA or voiced their support for this mission. In turn, their partnerships in support of interoperability are already speeding up data sharing and reducing integration costs. Cybersecurity workers and service providers are taking advantage of custom scripting or APIs to serve as the ‘glue’ that holds multi-vendor security architectures together. In addition, private enterprises like Netflix are getting into the game by releasing custom integration engines as open source projects.

Security teams have long wished that they could integrate new and advanced solutions into their environments quickly and with little effort. With greater emphasis on open standards and broad support for their adoption across private industry, government agencies, nonprofits and individual workers, OCA’s future looks bright. This brings new promise to the ongoing quest to reduce complexity in cybersecurity solutions.
