The five Cyber Security tools you need in 2022 are: (i) governance, risk & compliance (GRC), (ii) identity & access management (IAM), (iii) web application firewall (WAF), (iv) security information & event management (SIEM) and (v) security orchestration, automation & response (SOAR).
Introduction
According to IBM "Cyber Security is the practice of protecting critical systems and sensitive information from digital attacks".
But if you Google "Cyber Security tools" or "Cyber Security solutions" you find a lot of content about Kali Linux, Metasploit and Cain & Abel, but not much about SOCs and SOAR.
And in any case I'm not sure that Metasploit is one of the most common Cyber Security tools for protecting your data, especially if you don't even manage user identities and roles correctly.
In this in-depth guide you’ll get my opinion on:
- The 5 best Cyber Security tools you can use to protect your enterprise data
- What those Cyber Security tools actually do
- Which commercial Cyber Security tools are best
- How to use open source Cyber Security tools to get the most from your budget
- And lots more
So, if you’re ready to boost your knowledge about Cyber Security tools, this guide is for you. Let's dive right in.
Cyber Security Tools List
Governance Risk & Compliance (GRC)
We can't talk about GRC without first mentioning security controls, frameworks and standards.
As you probably know already, there are many publicly available security standards and frameworks you can use to select and implement the controls your organisation needs to demonstrate compliance. These standards include:
- ISO 27001
- PCI DSS
- CSA CCM
- ISAE 3402
- SOC 1 / SOC 2
- BSI
- HIPAA
The problem is that if you work in a company that has customers in multiple vertical markets then the chances are that you will need to comply with many different standards, to ensure you keep your customers and their auditors happy.
Keeping documentation, processes, policies, and evidence, as well as maintaining multiple different security controls is a complex task, and very difficult to manage manually, especially if you are relying on spreadsheets, wikis, and ticketing systems alone.
But there is a better way to manage security compliance using the right Cyber Security tool. In this case, it’s called a governance risk and compliance (GRC) system. You can think of a GRC system as a CRM for security compliance. It’s a central repository where you store your security controls, evidence and everything needed for a stress-free audit.
Essential features of a good GRC system include:
- Compliance Dashboards
- Compliance Reporting
- Policy Management
- Audit controls
- Evidence Collection
- Risk Management
- User Privilege Reviews
- Awareness Training Management
- Exception Management
- Notifications & Reminders
Although there are many GRC tools on the market, they are often costly and difficult to implement and manage.
Eramba is a modern GRC system that you can install on premise or in public cloud. It is available as a free community edition or as an extended enterprise grade GRC with prices starting from as little as 3,000 EUR for an annual license.
Identity & Access Management (IAM)
Identity and access management (IAM) is fast becoming one of the most important Cyber Security tools for organisations. Why is that?
One of the most common ways attackers gain access to an organisation’s resources is through phishing and malware, which often leads to a ransomware attack. Once an attacker has a foothold on an internal host, they operate with whatever the compromised user's identity can reach, so Identity and Access Management (least-privilege roles, MFA on privileged actions and prompt de-provisioning of leavers) is pivotal in limiting the scope of the ransomware attack.
Identity and Access Management is a combination of security technologies, processes & policies. Although there are specific IAM solutions, it is possible to implement IAM without a specialised IAM solution. However, using a dedicated IAM solution has many advantages.
A good modern IAM solution will have many of the following features:
- Single sign on (SSO)
- Multi-factor authentication (MFA)
- Self-service portal
- User lifecycle management
- Zero trust
- Privileged access management
- Role based access control (RBAC)
- Auditing & reporting
- Identity Federation
- API
Although you can create your own IAM from various building blocks, is it advantageous to use a dedicated IAM solution?
This depends on the size of your organisation, your budget, and the capacity of your technical teams to implement an effective IAM system in the required timescale.
One problem with building your own IAM is that the pieces you need come from different vendors or open-source projects. Each has its own architecture, so you may end up supporting several back-end databases with duplicated user data. Software updates become more complex, and your users and administrators face different user interfaces.
Two widely used SaaS-based IAM solutions are Okta and Cisco Duo. Both have free tiers as well as pay-as-you-go business models. A leading commercial on-premises IAM solution is SailPoint, and OpenIAM offers a community version of its IAM solution.
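To make the point about limiting the scope of an attack concrete, here is a small role-based access control check with step-up MFA for privileged actions and a "blast radius" query showing what an attacker holding a user's session could modify. This is an added example, not code from any IAM product; the roles, resources and the rule that "write" and "admin" are privileged are all constructed for illustration.

```python
"""Minimal RBAC policy engine with step-up MFA for privileged actions, plus a
blast-radius query showing what a compromised identity could reach.
Added example: roles, resources and policy below are constructed."""
from dataclasses import dataclass

# Constructed policy: role -> set of (action, resource) permissions.
ROLE_PERMISSIONS = {
    "employee": {("read", "intranet")},
    "finance": {("read", "finance-share"), ("write", "finance-share")},
    "it-admin": {("admin", "domain-controller"), ("write", "backup-vault")},
}
# Role inheritance: finance and it-admin staff are also employees.
ROLE_INHERITS = {"finance": ["employee"], "it-admin": ["employee"]}
# Actions that may never run on a session that only proved a password.
PRIVILEGED_ACTIONS = {"write", "admin"}


@dataclass
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool = False


def effective_roles(roles):
    """Expand inherited roles (iterative, safe against cycles)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_INHERITS.get(role, []))
    return seen


def permissions_for(roles):
    """Union of permissions over all effective roles."""
    perms = set()
    for role in effective_roles(roles):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(session, action, resource):
    """Deny by default.  Returns (allowed, reason)."""
    if (action, resource) not in permissions_for(session.roles):
        return False, "no role grants this permission"
    if action in PRIVILEGED_ACTIONS and not session.mfa_verified:
        return False, "step-up MFA required"
    return True, "ok"


def blast_radius(session):
    """Resources this session could modify or administer, i.e. what ransomware
    running with the session's credentials could encrypt or take over."""
    return sorted({res for act, res in permissions_for(session.roles)
                   if act in PRIVILEGED_ACTIONS and authorize(session, act, res)[0]})


if __name__ == "__main__":
    alice = Session("alice", frozenset({"finance"}))      # phished password only
    print(authorize(alice, "read", "finance-share"))     # (True, 'ok')
    print(authorize(alice, "write", "finance-share"))    # (False, 'step-up MFA required')
    print(blast_radius(alice))                           # []
    bob = Session("bob", frozenset({"it-admin"}), mfa_verified=True)
    print(blast_radius(bob))                             # ['backup-vault', 'domain-controller']
```

The interesting output is the last two lines: a phished password for a finance user yields an empty blast radius because every write needs MFA, while a fully authenticated admin session can reach the backup vault and the domain controller, which is exactly why privileged access should be separated from day-to-day accounts.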
Web Application Firewall (WAF)
If you use a computer, you’ve probably heard the term firewall before, and if you work in IT, you will probably have come across them.
At a very basic level a firewall is a hardware device or software layer that isolates an untrusted network from a trusted network. Usually, you will find a firewall on the border of an organisation’s network, so you can call this device a network firewall.
Traditional network firewalls filter at layers 3 and 4 of the OSI model (IP addresses, protocols and ports); some can be deployed transparently at layer 2 in bridge mode, and next-generation firewalls add layer 7 application inspection.
An example of a hardware firewall is the Cisco ASA firewall.
A software firewall is also called a host-based firewall, and it’s now standard practice to run one on desktop and portable computers. You can run host-based firewalls on servers and cloud instances too, although for ease of management this is often skipped in favour of network-level controls such as cloud security groups, which leaves lateral movement between hosts on the same segment unfiltered.
iptables, and its successor nftables, are examples of a host-based firewall on Linux; Windows Defender Firewall is the equivalent on Windows.
So, what is a Web Application Firewall (WAF)?
Like a network firewall, a WAF can be a dedicated hardware appliance or software.
A WAF helps protect applications that are exposed to the Internet by monitoring and/or filtering the HTTP traffic between clients and the protected web application.
A WAF is a Cyber Security solution that protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, SQL injection and many other attack types in the OWASP Top 10.
WAFs work at layer 7 of the OSI model and do not do the same job as a network firewall. A WAF matches known attack patterns and can be bypassed by encoding tricks or novel payloads, so it must be treated as only one element in the overall security architecture protecting a web application, alongside secure coding and patching.
A good WAF will have many of the following features:
- OWASP top 10 protection
- Zero-day exploit mitigation (virtual patching of newly disclosed vulnerabilities)
- Customisable rulesets
- Rate limiting
- Credential stuffing protection
- Bot protection
- Configurable attack response
- API protection
A newer type of WAF now in common use is WAF as a service, delivered in a SaaS consumption model. Cloudflare provides a popular and mature SaaS-based WAF as a complementary service to its content delivery network (CDN).
Both Fortinet and F5 provide reliable and fully featured WAFs, as well as virtual appliances and cloud-based WAF as a service.
A widely used open-source WAF is ModSecurity, which works with web servers such as Apache and Nginx. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls; it uses anomaly scoring, where each matched rule adds to a per-request score and the request is blocked once the score reaches a configurable threshold.
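To show what a layer-7 filter actually does with a request, here is a small WAF-style inspector written for this article (it is not ModSecurity or CRS code). It decodes request fields, scores them against simplified attack signatures using the same anomaly-scoring idea as the CRS, and applies a per-client rate limit. The rule ids echo CRS numbering for orientation only; the patterns, threshold and sample requests are constructed and far less complete than the real Core Rule Set.

```python
"""WAF-style request inspector, added as an example of what a layer-7 filter
does.  Decodes request fields, scores them against simplified attack
signatures with CRS-style anomaly scoring (each matched rule adds to a score,
block when the score reaches a threshold) and applies a per-client rate limit.
Rule ids echo CRS numbering but the patterns are constructed, not the real CRS."""
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# (rule id, attack class, score, pattern) -- constructed, not the real CRS rules.
RULES = [
    (942100, "sqli", 5, re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b)")),
    (941100, "xss", 5, re.compile(
        r"(?i)(<\s*script\b|javascript:|\bon(?:error|load|mouseover)\s*=)")),
    (930100, "lfi", 5, re.compile(
        r"(\.\./|\.\.\\|/etc/passwd\b|/proc/self/)")),
    (932100, "rce", 5, re.compile(
        r"(?i)(?:;|\|\||&&|\$\()\s*(?:cat|wget|curl|nc|bash|sh)\b")),
]
BLOCK_THRESHOLD = 5      # CRS default inbound anomaly threshold is 5
RATE_LIMIT = 20          # requests per window per client IP
RATE_WINDOW = 60.0       # seconds


def decode(value):
    """Decode twice so double URL encoding (%252F) cannot smuggle a payload."""
    return unquote_plus(unquote_plus(value))


def inspect(request):
    """Score one request dict {ip, path, query, headers, body}.
    Returns (action, anomaly_score, matched_rule_ids)."""
    fields = [request.get("path", ""), request.get("query", ""), request.get("body", "")]
    fields += list(request.get("headers", {}).values())
    decoded = [decode(f) for f in fields]
    score, matched = 0, []
    for rule_id, _cls, weight, pattern in RULES:
        if any(pattern.search(f) for f in decoded):
            score += weight
            matched.append(rule_id)
    action = "block" if score >= BLOCK_THRESHOLD else "allow"
    return action, score, matched


class RateLimiter:
    """Sliding-window request counter per client IP (brake on credential stuffing)."""
    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def waf(request, limiter, now):
    """Cheap rate-limit check first, then signature inspection."""
    if not limiter.allow(request["ip"], now):
        return "rate_limited", 0, []
    return inspect(request)


if __name__ == "__main__":
    lim = RateLimiter()
    # Constructed sample: double-encoded path traversal in a query parameter.
    lfi = {"ip": "203.0.113.7", "path": "/download",
           "query": "file=..%252F..%252Fetc%252Fpasswd", "headers": {}, "body": ""}
    print(waf(lfi, lim, 0.0))    # ('block', 5, [930100])
```

Two things worth noticing: the traversal payload is only caught because the inspector decodes twice, and a request that trips both the SQLi and XSS rules scores 10, so the threshold can be raised for noisy applications without letting a multi-signature request through.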
Security Information & Event Management (SIEM)
First of all, what is a SIEM? SIEM is an abbreviation for security information and event management. It's a Cyber Security solution that helps organisations monitor and protect their assets from Cyber Security threats.
A SIEM can be as simple as a single server or virtual machine, or it can be a complex combination of host-based agents, a centralised server and distributed sensors. Many vendors and managed security service providers (MSSPs) now offer cloud-based SIEM as a service.
The essential features of a good SIEM are:
- Log centralisation
- Immutable logging
- Log event correlation
- Dashboard visualisations
- Incident Management
- Alert notification & reporting
- Compliance reporting
- Intrusion detection
- Threat intelligence monitoring
- Forensics & evidence collection
- API integration
- Vulnerability scanning
How can a SIEM benefit an organisation?
If you've ever been audited, the auditor will have asked to see evidence that system and security logs on servers are reviewed regularly. PCI DSS requirement 10.6.1 explicitly requires a daily review of security events and of the logs of all systems performing security functions.
Manually reading every log entry from every security device and server every day would be impossible. The event correlation features of a good SIEM automate the analysis of logs so that only alarms and alerts are raised to the security team, which makes the task manageable.
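As an added example of the correlation step (not the logic of any particular SIEM product), the following parses constructed sshd log lines into normalised events and raises an alert only when failures from one source cross a threshold inside a time window, with a higher-severity alert when a success follows those failures. The log lines, thresholds and rule names are all constructed for this example.

```python
"""SIEM-style parse-then-correlate over constructed sshd log lines.
Added example: the sample lines, thresholds and rule names are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample, not real logs.
SAMPLE_LOGS = """\
2022-03-01T10:00:01Z web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2022-03-01T10:00:03Z web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51235 ssh2
2022-03-01T10:00:05Z web01 sshd[1204]: Failed password for root from 203.0.113.7 port 51236 ssh2
2022-03-01T10:00:07Z web01 sshd[1205]: Failed password for root from 203.0.113.7 port 51237 ssh2
2022-03-01T10:00:09Z web01 sshd[1206]: Failed password for root from 203.0.113.7 port 51238 ssh2
2022-03-01T10:00:12Z web01 sshd[1208]: Accepted password for root from 203.0.113.7 port 51239 ssh2
2022-03-01T10:02:00Z db01 sshd[2001]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2022-03-01T10:20:00Z db01 sshd[2002]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2022-03-01T10:21:00Z db01 sshd[2003]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
this line is garbage the parser must tolerate
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(lines):
    """Normalise raw lines into event dicts; lines that do not parse are dropped
    (a real SIEM would count them so a broken parser does not hide attacks)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def correlate(events, threshold=5, success_after=3, window=timedelta(seconds=60)):
    """Sliding-window correlation keyed on source IP.
    - >= threshold failures within window      -> medium 'ssh_bruteforce'
    - success after >= success_after failures  -> high 'ssh_bruteforce_success'
    A single failure followed by a success is normal and raises nothing."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of failures still in window
    fired = set()                  # sources already alerted for brute force
    for e in sorted(events, key=lambda x: x["ts"]):
        src, ts = e["src"], e["ts"]
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if e["outcome"] == "Failed":
            failures[src].append(ts)
            if len(failures[src]) >= threshold and src not in fired:
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": src, "host": e["host"], "ts": ts,
                               "count": len(failures[src])})
                fired.add(src)
        elif len(failures[src]) >= success_after:
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                           "src": src, "host": e["host"], "ts": ts,
                           "user": e["user"], "count": len(failures[src])})
            failures[src].clear()
            fired.discard(src)
    return alerts


def run(lines=SAMPLE_LOGS):
    """Centralise (parse) then correlate; returns the alert list."""
    return correlate(parse(lines))


if __name__ == "__main__":
    for alert in run():
        print(alert["severity"], alert["rule"], alert["src"], alert["count"])
```

Nine events go in and two alerts come out, both for 203.0.113.7; alice's one typo followed by a successful key login on db01 produces nothing. That reduction, with the window and thresholds tuned per environment, is the difference between a log review an analyst can do daily and one nobody does.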
Because good vulnerability management is critical to ensuring that organisations are not exposed to the known vulnerabilities that malware and ransomware exploit, another key feature is automated vulnerability scanning.
Compliance reporting and dashboards are also an invaluable feature of a good SIEM that can help organisations save time during an audit. Many auditors are familiar with popular SIEMs, which gives you less chance of findings related to security log monitoring and the other compliance tasks managed by the SIEM.
Under the hood a SIEM is a complex mix of different software applications and databases, and often these are open source. The components may include a web server such as Apache, an SQL database such as PostgreSQL, a vulnerability scanner such as OpenVAS, an IDS such as Suricata and a monitoring component such as Nagios.
SIEMs have been around for a while and, like other Cyber Security tools, are constantly evolving to include new features.
AT&T markets its own SIEM solution under the brand AlienVault USM Anywhere. It is a cloud-based SIEM as a service consumed in a SaaS model.
One of the main advantages of the AlienVault USM Anywhere cloud-based SIEM is immutable logging. Attackers routinely clear or tamper with logs on the hosts they compromise, and if they also gain entry to an on-premises SIEM, the evidence needed for an investigation can be destroyed during the attack. USM Anywhere addresses this by shipping logs off-host and storing them read-only in the cloud.
Security Orchestration, Automation and Response (SOAR)
First a little context. You've probably heard of DevOps, where application development and operations cultures merge. The goal is better collaboration between teams, which results in fast, efficient and agile software deployments.
DevSecOps extends DevOps by treating security vulnerabilities during the software development process, leveraging tools like SonarQube to automate the detection of code vulnerabilities.
So what is Security Orchestration, Automation and Response?
Security orchestration, automation and response (SOAR) is a class of tooling that helps security teams manage certain security operations through automation. It automates predefined tasks and improves incident response time. Despite being a fairly new technology, SOAR is now used in many security operations centres (SOCs).
Apart from not having the latest Cyber Security tools, the biggest challenge that SOC teams are facing today is the extremely high volume of alarms and alerts that they must review continuously.
SOAR helps solve this issue by using APIs or other interfaces. SOAR tools connect to network and security devices, collect and prioritise data from them, and automatically execute playbooks that carry out an incident response or orchestrate the appropriate workflow.
SOAR has many benefits. It reduces the likely impact of security incidents of all types, while leveraging the existing security infrastructure, and reducing the risk of data loss.
Adding SOAR capability to an organisation’s security architecture improves their overall security posture as it closes the loop between security sensing devices and security enforcing devices.
A SOAR system automates repetitive manual tasks freeing up security analysts to focus on improving security rather than performing mundane tasks.
However, the biggest benefit of SOAR is faster incident response: security teams can quickly and accurately identify and assign incident severity levels, reducing the team's workload.
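As an added example of the playbook mechanism described above (written for this article, not any vendor's SOAR product or playbook format), the following takes a SIEM alert, enriches it from a threat-intelligence lookup and an asset inventory, assigns a severity, and runs containment actions through stand-in connectors with an audit trail. The connectors, intel data and asset list are constructed; a real deployment would call the firewall, EDR and ticketing APIs behind them.

```python
"""SOAR-style playbook: enrich a SIEM alert, assign severity, run automated
containment through connector stubs, keep an audit trail.  Added example with
stand-in connectors; not any vendor's API or any product's playbook format."""
from dataclasses import dataclass, field

# Constructed enrichment sources standing in for a threat-intel feed and a CMDB.
THREAT_INTEL = {"203.0.113.7": {"malicious": True, "tags": ["bruteforce", "tor-exit"]}}
ASSET_CRITICALITY = {"db01": "high", "web01": "medium"}
LEVELS = ["low", "medium", "high", "critical"]


class FirewallConnector:
    """Stand-in for a firewall API; records what a real call would block."""
    def __init__(self):
        self.blocked = set()

    def block_ip(self, ip):
        self.blocked.add(ip)
        return True


class EdrConnector:
    """Stand-in for an EDR API that isolates a host from the network."""
    def __init__(self):
        self.isolated = set()

    def isolate_host(self, host):
        self.isolated.add(host)
        return True


class TicketConnector:
    """Stand-in for a ticketing API."""
    def __init__(self):
        self.tickets = []

    def create(self, title, severity):
        ticket_id = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append((ticket_id, title, severity))
        return ticket_id


@dataclass
class Playbook:
    fw: FirewallConnector
    edr: EdrConnector
    tickets: TicketConnector
    auto_isolate: bool = False            # host isolation needs approval unless set
    audit: list = field(default_factory=list)

    def enrich(self, alert):
        """Attach threat-intel verdict and asset criticality to the alert."""
        ti = THREAT_INTEL.get(alert["src"], {"malicious": False, "tags": []})
        return {**alert, "ti": ti,
                "asset_criticality": ASSET_CRITICALITY.get(alert["host"], "low")}

    @staticmethod
    def severity(enriched):
        """Escalate one level per aggravating factor, capped at critical."""
        level = LEVELS.index(enriched.get("severity", "low"))
        level += int(enriched["ti"]["malicious"])
        level += int(enriched["asset_criticality"] == "high")
        return LEVELS[min(level, len(LEVELS) - 1)]

    def run(self, alert):
        """Execute the playbook for one alert; returns (severity, actions)."""
        enriched = self.enrich(alert)
        sev = self.severity(enriched)
        src, host, rule = enriched["src"], enriched["host"], enriched["rule"]
        actions = []
        # Blocking an external IP is low-risk, so it is fully automated.
        if enriched["ti"]["malicious"] or sev in ("high", "critical"):
            self.fw.block_ip(src)
            actions.append(f"block_ip:{src}")
        # Isolating a host is disruptive: only on a confirmed compromise, and
        # only without a human in the loop if the operator opted in.
        if rule.endswith("_success") and sev == "critical":
            if self.auto_isolate:
                self.edr.isolate_host(host)
                actions.append(f"isolate_host:{host}")
            else:
                actions.append(f"approval_required:isolate_host:{host}")
        ticket_id = self.tickets.create(f"{rule} from {src} on {host}", sev)
        actions.append(f"ticket:{ticket_id}")
        self.audit.append({"rule": rule, "severity": sev, "actions": actions})
        return sev, actions


if __name__ == "__main__":
    pb = Playbook(FirewallConnector(), EdrConnector(), TicketConnector())
    print(pb.run({"rule": "ssh_bruteforce_success", "severity": "high",
                  "src": "203.0.113.7", "host": "web01"}))
    # ('critical', ['block_ip:203.0.113.7', 'approval_required:isolate_host:web01', 'ticket:INC-0001'])
```

The design choice to note is the approval gate: blocking an external address is cheap to reverse, so it runs unattended, whereas isolating a production host is exactly the kind of automated action that causes its own outage if a detection is wrong, so it is queued for a human unless the team has explicitly opted in.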
Many vendors are now offering SOAR solutions or adding SOAR functionality to their offerings. The most promising enterprise solution on the market today is XSOAR from Palo Alto Networks.
If you are looking for a no-code SOAR solution for small business, then the Irish startup Tines has a community version which is a great option for you.
A Final Word About Cyber Security Tools
Although many vendors continue to support on-premises options, there is a trend to implement Cyber Security tools in public cloud using the SaaS model.
There are many advantages to this approach, including the ability for the SaaS provider to rapidly update software, add new features and reduce pricing through economies of scale and pay-as-you-go models.
But there are dangers too.
You now have increased risk from supply chain attacks. The 2020 SolarWinds compromise, in which a trojanised update of the Orion platform was delivered to customers, was one of the most damaging attacks seen in recent years, and when your security tooling runs in a vendor's cloud, a compromise of that vendor affects every tenant at once.
If you'd like to know more about what Cyber Security is, then check out my other article about getting Clarity About Cyber Security.
And finally, if you want to be notified about the latest articles about Cyber Security tools and other topics in Cyber Security, then sign up to my newsletter.