One of the “holy grails” of cyber security is reducing all the panes of glass used by incident responders to just one. This is a pipe dream many managers chase in the name of efficiency, and the staff reporting to them often want it too.

Despite all of this, I have long had the opinion that the single pane of glass concept is a fool’s errand and prefer to chase after reducing the windows used in incident response.

What is a “single pane of glass” anyway?

The “single pane of glass” (SPG) approach aims to reduce the complexity of performing tasks or absorbing information by making everything available in one location only. A typical example would be a ticketing system that shows diagnostic data and has one-click tasks to handle basic functions.

Other examples that you may have seen include tools like Matrix and Hootsuite, which handle multiple online services.

As you can tell, it is not exclusively a cyber security problem.

Interoperability is a nightmare

Here are typical tools I could expect to make cyber security incident responders successful:

  • Endpoint detection and response software (EDR)
  • Phishing email reporting
  • Network firewalls and detection
  • Logging software
  • Sandboxing for malware detonation

This is just a small list of software, but it is the set I’ve had to try to make play nicely together.

Here’s a fun scenario that I expect could easily play out:

Jonathan in office services reports a phishing email. When the email is reported, an incident responder determines that it was malicious and that the URL the email linked to mimicked the corporate login for a service which didn’t have two-factor authentication. Said website was harvesting usernames and passwords and then offered a download to access the service.

The incident responder then takes the URL and checks who clicked on it; three employees were recorded as having visited the website. Web traffic logs were fortunately able to capture the activity, and it was determined that one of them, who works in the help desk, did sign in and download the file.

Now the incident responder has to grab an audit log from the EDR to see if the file was executed, and also grabs the file from the machine to test it in the sandbox environment. The responder has since isolated the machine to prevent any further harm.

At this point, we’ve gone through five different software products, meaning five different windows had to be used. The single pane of glass approach would break down these functions into steps:

  1. Review the maliciousness of the email
  2. Search logs from network firewall to see who visited the URL contained within
  3. Retrieve EDR audit log
  4. Review audit log for execution
  5. Detonate the malware in the sandbox
  6. Isolate the computer
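As an added example (not code from the original post), here is what step 2 of that list looks like when done by hand against web proxy logs: given the reported phishing URL, find which users visited the host, which of them submitted the fake login form, and which downloaded the file it offered afterwards. The log format, hostnames, user names and URL are all constructed for the example; a real proxy or firewall exports its own fields, and the regular expression would be adjusted to match them.

```python
"""Triage of web proxy logs for a reported phishing URL (added example).

Finds who visited the phishing host, who appears to have submitted the
credential form (a POST to the host), and who downloaded a binary from it.
All log data below is constructed for the example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed proxy log lines in a simple space-separated format:
# <timestamp> <user> <method> <url> <status> <bytes> <content-type>
PROXY_LOG = """\
2024-05-02T09:14:03Z jonathan.h GET https://login-corp-portal.example.net/sso 200 5120 text/html
2024-05-02T09:15:41Z maria.k GET https://login-corp-portal.example.net/sso 200 5120 text/html
2024-05-02T09:16:02Z maria.k POST https://login-corp-portal.example.net/sso/auth 302 311 text/html
2024-05-02T09:16:09Z maria.k GET https://login-corp-portal.example.net/download/ServiceClient.exe 200 884736 application/octet-stream
2024-05-02T09:20:55Z dev.ops GET https://LOGIN-corp-portal.example.net/sso 200 5120 text/html
2024-05-02T09:21:10Z dev.ops GET https://intranet.example.com/ 200 2048 text/html
2024-05-02T09:30:00Z sam.t GET https://intranet.example.com/news 200 4096 text/html
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ctype>\S+)$"
)

# Content types that indicate a file download rather than a page view (assumed list).
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}


@dataclass
class UserActivity:
    """What one user did on the phishing host."""
    visited: bool = False
    submitted_form: bool = False
    downloads: list = field(default_factory=list)


def parse_line(line):
    """Parse one proxy log line; return a dict or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def triage_phishing_url(log_text, phishing_url):
    """Return {user: UserActivity} for every user who touched the phishing host."""
    target_host = urlsplit(phishing_url).hostname
    if not target_host:
        raise ValueError("phishing_url must contain a hostname")
    target_host = target_host.lower()

    activity = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the triage
        host = urlsplit(rec["url"]).hostname
        if host is None or host.lower() != target_host:
            continue  # hostnames are case-insensitive, so compare lowercased
        ua = activity.setdefault(rec["user"], UserActivity())
        ua.visited = True
        if rec["method"] == "POST":
            ua.submitted_form = True  # form submission to the fake login page
        if rec["status"] == 200 and rec["ctype"] in DOWNLOAD_TYPES:
            ua.downloads.append(rec["url"])
    return activity


def summarize(activity):
    """Reduce per-user activity to the three lists a responder acts on."""
    return {
        "visited": sorted(activity),
        "credentials_possibly_exposed": sorted(u for u, a in activity.items() if a.submitted_form),
        "downloaded_file": sorted(u for u, a in activity.items() if a.downloads),
    }


if __name__ == "__main__":
    result = summarize(triage_phishing_url(PROXY_LOG, "https://login-corp-portal.example.net/sso"))
    for key, users in result.items():
        print(f"{key}: {', '.join(users) or '-'}")
```

The output separates the three populations the scenario cares about: everyone who visited (candidates for a warning), the users who posted to the site (password reset and session revocation), and the users who pulled a binary (the ones whose machines need the EDR audit log and isolation in steps 3 to 6). Matching on hostname rather than the full URL matters because the login, the form target and the download live on different paths of the same host.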

These are six steps, and in theory all of them could be done with integrations. However, this is where it all begins to fall apart, and I’m not even talking about the maturity required to get to the point where you’d consider all of this.

The big problem is whether or not the vendors you work with have bothered to make their APIs capable of doing anything useful.

Does your phishing email software have an API that allows you to pull the details into your ticketing system and close it off there? Do you have consistent firewalls across your environment so you know what websites are being visited? Can you remotely control your EDR software to pull a standard package of data from these systems? Can you also get the malware from said system to then automatically push into the sandbox?

I’ve run across many, many barriers where even getting 30% of the way is impossible because the vendor has assumed you only want to use the user interface they provide. The useful functions required just don’t exist in a public API, and any attempt to circumvent this by reverse engineering another API or directly accessing an internal database violates the support agreement. I am trying my best to avoid naming a vendor here.

Accepting your fate

So what do you do in this scenario? Don’t use the SPG approach; accept the reality that you will work to reduce the windows needed, but only where practical. Beyond that, your options may include finding better vendors to work with.

If you have a vendor promising you an automation tool that will give you that single pane of glass, press them hard on it and maybe reconsider any future relationship with them, because it is, again, a fool’s errand and a waste of time.