
Cybersecurity Consolidation: From XDR to Security Awareness Trainings

Plenty of acronyms: who's going to install and manage this?

The fast pace of digital transformation has resulted in a colossal expansion of the attack surface, leaving businesses increasingly burdened with a complex security stack, overtired teams, and mounting cyber risks. Most IT teams will admit that the digital attack surface is “spiralling out of control”, and they are in constant fire-fighting mode, unable to cover their workloads.


To counter the threats, the cybersecurity industry has come up with plenty of acronyms: EDR, XDR, DLP, CASB, SD-WAN, ZTNA, SWG, IPS, EPP, SAT and many more. This is reflected in many organizations' technology stacks, where not only costs are rising, but also complexity. And more complexity means more risk: misconfigurations are more likely to go unnoticed, and every additional tool (with its own agents, consoles and privileged accounts) tends to enlarge the attack surface rather than shrink it.

The sheer number of disparate tools from multiple vendors creates information silos, skills gaps and challenges in obtaining visibility.


At the same time, regulations such as DORA and NIS2 are pushing even small and medium-sized businesses into significant investments and additional work just to ensure compliance (watch an interview with a financial services SMB here, showing how regulation in the banking industry is driving cybersecurity investments).


Complexity invites breaches


That's why cybersecurity platform consolidation has become a significant trend as organizations aim to reduce the complexity of their security environments and improve overall risk management.


The analyst firm Gartner has been tracking this trend in its surveys: in 2022 it found that companies are actively trying to reduce the number of cybersecurity vendors they rely on. Tellingly, the main driver of these initiatives was to reduce complexity and improve risk posture, not to save on budget or to simplify procurement. It appears that consolidated security investments can significantly reduce breaches.


Also, more than half of the organizations surveyed look primarily in two directions for vendor consolidation: extended detection and response (XDR) and secure access service edge (SASE) are seen as the ideal starting areas for consolidating vendors.


That is a sensible approach: XDR is ideally positioned to consolidate security functions on endpoints, servers and cloud resources, where tool sprawl has been particularly insidious. Also, the prevalence of TLS-encrypted traffic on the network means that network inspection, unless it performs TLS interception, sees little more than metadata (DNS names, SNI, destination IPs and flow sizes) and therefore contributes much less to visibility and security than it once did. Most of the security effort has to be directed at the computing resources themselves, i.e. endpoint/server operating systems and cloud environments, all of which is XDR's domain.


VPN vendors are increasingly facing zero day exploitation campaigns

SASE, on the other hand, combines SD-WAN and security features (SWG, CASB, NGFW, ZTNA) in a single offering, operated as a service and primarily delivered to customers as a cloud-managed service. This approach is especially relevant as maintaining and securing self-managed VPN appliances becomes increasingly challenging: these internet-facing systems are frequently targeted by zero-day exploits and sophisticated attack campaigns (see here, here and here), and a single unpatched gateway is enough to give an attacker a foothold on the internal network.


A risk management exercise


At the same time, it has become apparent that ransomware operators are thriving in environments where complexity is high (see CDK Global, Croatian Hanfa, and the British Library case): this often means outdated legacy equipment or applications, on-premises Active Directory combined with cloud assets in a hybrid scenario, a sprawl of entry points via VPN gateways, and of course poorly managed identities lacking multifactor authentication.


The Pareto Principle (80/20 rule)

Successful attacks are typically the result of long-neglected weaknesses that have been present in the infrastructure for years, not of novel techniques.


This is why these weaknesses must be managed: first by identifying them, then by prioritizing them through risk scoring, so that the small share of weaknesses responsible for most of the risk gets fixed first. Cybersecurity is thus becoming a risk management exercise underpinned by the Pareto principle.
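As an added illustration of the "identify, score, prioritize" loop described above (example code written for this article, not part of any vendor product): each finding carries a severity, how exposed the affected asset is, how critical it is to the business, and whether exploitation in the wild is known. The composite formula and weights are hypothetical, chosen only to show the mechanics; the findings are constructed sample data, and include a user-behaviour finding (a VIP repeatedly failing phishing simulations) alongside technical ones, since the page treats both as contributors to risk. The prioritize() function returns the shortest list of findings that accounts for a given share (default 80%) of the total risk, which is the Pareto cut.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    asset: str
    weakness: str
    severity: float          # 0-10, CVSS-like base severity
    exposure: float          # 0-1, how reachable the asset is (1.0 = internet-facing)
    criticality: float       # 0-1, business impact if the asset is compromised
    exploited_in_wild: bool  # known active exploitation (e.g. listed in a KEV catalogue)


# Constructed sample findings for illustration; not real scan output.
FINDINGS: List[Finding] = [
    Finding("vpn-gw-01", "unpatched SSL-VPN appliance", 9.8, 1.0, 0.9, True),
    Finding("dc-01", "domain admin account without MFA", 8.0, 0.6, 1.0, True),
    Finding("legacy-erp", "end-of-life OS, SMBv1 enabled", 7.5, 0.4, 0.8, False),
    Finding("dev-vm-07", "outdated curl package", 5.3, 0.1, 0.2, False),
    Finding("print-srv", "default SNMP community string", 4.0, 0.2, 0.1, False),
    Finding("ceo-laptop", "user clicked 3 of 4 phishing simulations", 6.0, 0.8, 0.9, False),
    Finding("s3-backup", "bucket allows public listing", 7.0, 1.0, 0.7, False),
    Finding("hr-web", "reflected XSS on login page", 6.1, 1.0, 0.3, False),
    Finding("test-db", "weak local database password", 5.0, 0.1, 0.3, False),
]


def risk_score(f: Finding) -> float:
    """Hypothetical composite score: severity scaled by exposure and asset
    criticality, with a 1.5x boost when exploitation in the wild is known.
    A critical CVE on an unreachable lab box therefore ranks below a medium
    weakness on an internet-facing, business-critical system."""
    score = f.severity * f.exposure * f.criticality
    if f.exploited_in_wild:
        score *= 1.5
    return score


def rank(findings: List[Finding]) -> List[Finding]:
    """Findings ordered from highest to lowest risk."""
    return sorted(findings, key=risk_score, reverse=True)


def prioritize(findings: List[Finding], share: float = 0.8) -> List[Finding]:
    """Return the shortest top-ranked prefix whose scores add up to at least
    `share` of the total risk (the Pareto cut). Fix these first."""
    ranked = rank(findings)
    total = sum(risk_score(f) for f in ranked)
    chosen: List[Finding] = []
    cumulative = 0.0
    for f in ranked:
        chosen.append(f)
        cumulative += risk_score(f)
        if cumulative >= share * total:
            break
    return chosen


def coverage(chosen: List[Finding], findings: List[Finding]) -> float:
    """Share of total risk covered by the chosen findings."""
    total = sum(risk_score(f) for f in findings)
    return sum(risk_score(f) for f in chosen) / total


if __name__ == "__main__":
    top = prioritize(FINDINGS)
    for f in top:
        print(f"{risk_score(f):6.2f}  {f.asset:12} {f.weakness}")
    print(f"{len(top)} of {len(FINDINGS)} findings cover "
          f"{coverage(top, FINDINGS):.0%} of the scored risk")
```

With the sample data, four of the nine findings (the VPN gateway, the domain admin without MFA, the public backup bucket and the phishing-prone VIP laptop) account for more than 80% of the scored risk, while the low-exposure lab and test systems drop to the bottom despite non-trivial severities. In a real programme the inputs would come from vulnerability scans, identity posture checks, cloud configuration assessments and awareness-training results, and the weights would be tuned to the organization; the point of the exercise is the ranking and the cut, not the particular formula.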


To identify weaknesses, vendors need broad coverage and visibility into all aspects of the organization's environment. They are increasingly responding by integrating multiple cybersecurity capabilities into unified platforms. The focus is not only on detecting threats with XDR/EPP/email/web security protections, but also on securing public and private access to resources via SASE/ZTNA, and finally on providing posture assessments of environments such as Active Directory, public clouds, identity stores and many others.


The overall emerging picture is what some are calling Attack Surface Risk Management (ASRM).


Human centric security


Lastly, recent years have seen cybersecurity take the human factor into account, i.e. employees' ability to withstand social engineering attacks. As protection technology improves, attackers focus more and more on the low-hanging fruit: user credentials stolen via phishing and other social engineering attacks. After all, why bother breaking in when you can log in?


That's why cybersecurity is becoming a race to cover all elements of the attack surface: from traditional endpoints, through cloud resources (PaaS and IaaS), to identities and user behavior. Thus, a contributor to risk is not only an unpatched Windows vulnerability, but also a VIP employee who is easily lured into clicking on phishing simulation links. Continuous and automated security awareness education is becoming an integral part of cybersecurity protection.


Continuous education and a risk management approach are also envisioned as key aspects of many recently enacted regulations, such as the EU NIS2 directive.


An example of the platform approach we've been discussing above is Trend Micro's Vision One: watch it being covered in our recent webinar as well as our review of its functionalities.



A platform approach to attack surface risk management



