5 Things To Look For in a Cybersecurity Tool

Lex Crumpton, MITRE Engenuity
Jun 8, 2023

Written by Lex Crumpton.

As Blue Team Lead for MITRE Engenuity’s ATT&CK® Evaluation program, I understand picking a cybersecurity tool can be difficult. In cybersecurity, the adversary can use multiple tactics, techniques, and procedures. To detect all of that malicious behavior, the tools you use matter, and rarely can a single tool be built to capture all of it. Many tools have the sole purpose of collecting one piece of the story, but to get a holistic view of what’s happening you need more than one tool. These tips can help cybersecurity pros put together the right puzzle of tools that, together, create a complete picture of what’s going on.

1. Is the Tool Scalable?

A security tool must be able to protect an organization’s users and devices, no matter how many or how far they are spread. Scalability is one of the most important factors to consider when choosing a security tool. A scalable tool should be able to support multiple platforms, environments, and on-premise systems as your organization grows.

A tool that inspects only one folder or one type of operating system will not be able to detect all the malware an adversary can execute on your computers. If your organization runs multiple operating systems, e.g., Windows, Linux, and/or macOS, then the security tools you use should cover every one of them that is in scope. A good malware scanner should be able to scan the whole system and look in different folders to find infections anywhere on a hard drive, and by extension anywhere in your organization.

2. Is It Easy to Integrate?

Consider how easily tools can work together and pass information along. Cybersecurity tools should be able to communicate with one another so that, when a threat is detected, it can be addressed in a timely manner. Your tools should work together to create a seamless workflow and should not operate in isolation.

If a tool exposes application programming interfaces (APIs), you can connect dashboards and alert systems to it and fetch data from all your enterprise nodes, which makes integration easier. This brings all the data collected from numerous hosts into one location. One simple source of data is log files. Typically, the log files on a system contain a wide range of information about that computer and are easy to feed into other platforms such as a SIEM. If your tools do not work together, the process of searching for the adversary slows down.

3. Why do you need THIS tool?

When choosing a cybersecurity tool, you must consider what use case you have in mind. For example, if you need to analyze network activity, you might choose a network activity analyzer. Does your organization need specific malware protection, or ML-driven security analysis to cover a large volume of data? Looking at the needs of your organization this way means you shouldn’t try to use a screwdriver in place of a hammer. Cybersecurity tools must be purpose-built to address such scenarios effectively.

4. Is Backend Support Available?

Backend support is critical when sustaining a cybersecurity tool against current-day adversaries.

Look for:

  • Open-source tools that may be supported through a peer community.
  • Large-scale commercial products that should ideally include a premium support option.
  • Availability of professional services from implementation time forward.

Tools go out of cycle: they stop receiving updates such as code fixes for security bugs and other defects. So don’t rely on a tool that’s 20 years old. You may hit a bug in a tool that is no longer being maintained, and there won’t be a fix because it’s out of cycle. You must update to the current version, or move on to the tool that succeeds it. You’ve got to stay current with the times and with how tools are evolving.

5. Compatibility?

Finally, the cybersecurity tool you select must be compatible with your existing and future technology investments.

Ask yourself:

  • Is it able to run on-premise or on different environments/platforms, per your requirements?
  • Is it compatible with different device variants, operating systems, and cloud vendors?
  • Is it vendor-agnostic? (Open-standards-based tools are the most compatible.)

This is all about ensuring your tools can operate on multiple systems. Otherwise, you will cut yourself off and be locked into a single operating system or environment.

In The End, Benefits Accrue

Keeping all of this in mind shortens the time spent on analysis and the time needed to reconstruct your analysis or detection environment. It also helps preempt errors such as bugs or complications later down the line, because you are actively maintaining your analysis environment and/or your analysis tools.

All that optimizes effectiveness so you end up with not just passable analysis, but great analysis that covers what you need, what you’re looking for, and what you’re trying to protect.

You can download a quick reference guide compiled from what you learned in this blog here.

How ATT&CK Evaluations can help

ATT&CK Evaluations empowers cybersecurity professionals to make informed decisions about which vendors to pick, based on what is most relevant to your organization’s needs, and helps you understand your tool. Most importantly, you can see whether a tool detects and prioritizes known threats to your organization, which will help you know whether you’ll get an alert at the right time and in a way that allows you to trigger effective deterrence. Check out results from our latest enterprise evaluation of Wizard Spider & Sandworm.

© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number AT0044
