Should I Focus on Breadth or Depth?
Which approach to managing security operations has a greater impact on security posture?
Pareto's principle – the notion that 80% of the outcome can be achieved with 20% of the effort – can be observed everywhere. From a business perspective, in everything from team structures to product development, organizations are in constant pursuit of doing what make the largest impact on their business.
The reach of the 80/20 rule is readily apparent in security, as well. Whether your organization recently went through a digital transformation or if you've been cloud-native from go, it becomes obvious to security teams that the scope involved with managing their digital environments is huge. This spans the sheer number of objects and resources (breadth) to their configuration and relationships with each other (depth).
So which approach to managing your digital environment – breadth or depth – makes the most sense to ensuring your organizations security posture?
- What does breadth look like?
- What does depth look like?
- What happens when you focus on breadth?
- What happens when you focus on depth?
- Which makes the most sense?
- Incorporating security democratization
What Does Breadth in Security Operations Look Like?
Efficiently managing security operations with an emphasis on breadth means your team has properly accounted for all of your digital environment's resources, from your infrastructure to DevOps tooling and more.
The goal for organizations is a robust inventory of all of their resources. In this case, there is more value placed on knowing what's actively in place and centralizing the data. Analysis that derives context.
What Does Depth in Security Operations Look Like?
Depth in security operations sacrifices a complete inventory of your environment in favor of a greater depth of understanding and context with your most critical resources – the 20%.
This could look a couple ways. If you are using AWS, it could mean tracking all of your active services rather than just EC2 instances or S3 buckets. The goal would be to tie in your most critical resources and objects to your company's security controls, risk analysis, and compliance requirements to ensure alignment. There is a priority set on understanding the give and take between services and tools to spot misconfigurations resulting in risks.
Security teams focused on depth know what users, devices, services, accounts and more have access to their most critical resources. Essentially, there is more value placed on aiding the analysis than on having a list.
What Happens when you Focus on Security Operations Breadth?
The main value of focusing on breadth is clarity of what is operating across your organization's environment. You have a robust, all-encompassing picture. Think of it like a map of a state like Arizona.
However, there are downsides. Most of which can be tied back into the amount of time needed to maintain this picture and adding a layer of context and understanding.
When security teams focus on breadth, there is an obsession with tracking anything and everything. The net positive outcome is a sense of everything in your environment. Think of it like a two dimensional map of Arizona.
One downside of this approach is the amount of time it takes to track down, manage and understand exactly what is going on across all of these resources, which pulls your focus from your critical resources.
There is also the tendency to treat resources as equal – when they are most certainly not. The net result is an over-distribution of time spent on things that are not important while also missing out on the context of why things look the way they do.
What Happens when you Focus on Security Operations Depth?
Security operations that concentrate on a depth of understanding their critical resources are leaning into the Pareto's principle more than the former because there is the acknowledgement that it is probably impossible to track down everything.
Using our map analogy from above, where breadth would be a map of Arizona, depth would be a topographical map of just the areas in and around the Grand Canyon. A more complete understanding on one area would be considered more valuable than a fundamental understanding of all areas.
When security teams focus on a depth of understanding regarding their most critical resources, the priority is reduced noise and simplicity. It is easy to know whether or not a change is important or if an apparent risk is actually a false positive.
There are some downsides: namely not having a complete picture of everything in your environment. While it is most likely the case that any one of these missed resources pose little threat to your organization's security posture, the aggregate number of resources increase the odds of a potential impact. That said, with shadow IT and DevOps, changes are constant and a focus on breadth may ultimately be in vain.
The Obvious Winner*
All of this said, there is still a clear winner when it comes to managing your organization's attack surface.
For most cloud-based and cloud-native organizations, having an in depth understanding of your security operations as they relate to your critical resources is going to drive a bigger impact on your overall security posture. Why? Understanding the ins-and-outs of your most critical resources increases your likelihood of spotting anomalies that require attention because you have context.
It isn't because these smaller assets and resources don't matter; we've certainly seen in recent security breaches that they do. But chasing coverage is unending, results in significant noise and distracts focus from your critical resources. Completing reliable security analysis takes time and including the other 80% makes it more difficult to navigate the data. There are simply too many things going on.
The asterisk above is meant to highlight that breadth matters, but the best way to cover the far-reaching facets of your digital environment is to empower a security mindset across your organization.
Finding Breadth through Security Democratization
Cloud-based organizations should lean on the power of numbers when it comes to maintaining their security posture across the other 80% of resources and objects. Teaching employees what they should be looking for will allow you to keep focus on analyzing relationships and changes tied to your critical info.
The ultimate go would be to have a depth of understanding across all of your resources. This requires a level of time and resource dedication to security most organizations could only dream. In the meantime, start with an emphasis on depth of understanding your most critical resources – the core 20%. Then gradually expand.