In the never-ending race between cyber-defenders and cyber-attackers, attackers benefit from the dramatic attack surface expansion resulting from the combination of connecting third parties, constant application modification pushes, mass adoption of cloud computing, and the massive migration to remote work.
With the defending side chronically understaffed, underbudgeted, and overwhelmed with projects, defense operations get harder and harder. Deflecting attacks despite the limited visibility provided by detection and response solutions and while handling data management challenges is turning into an exercise of constant firefighting, leaving little time for improving preparation against the existing and emerging Tactics, Techniques, and Procedures (TTPs) used by attackers.
How to Recapture the Advantage Over Cyber-Attackers?
The first step to regaining the advantage is to start thinking like the enemy. Regardless of their size or function, organizations need to switch to threat-informed defense.
By adopting the mindset and the techniques of cyber-attackers, cyber-defenders considerably improve both their visibility into their own defensive tool array and their ability to prioritize defensive measures according to the actual risks to the organization, instead of relying exclusively on global statistical risk estimates published by standards leaders such as NIST, CIS, and MITRE. Opting for a risk score based on the measured risk to your specific organization can dramatically help in prioritizing the mitigation work, focusing on the most urgent tasks, and removing the excessive noise.
The second step is to adopt a proactive “never trust, always verify” methodology, and apply that line of thinking, previously reserved for zero trust architecture, to your defense line.
In this context, “never trust” applies to detection and response solutions. Regardless of how sophisticated the solutions are, they are always implemented by humans and, therefore, prone to errors. As a consequence, you need to “always verify” by continuously running security validation processes and shedding light on blind spots that attackers could use to launch attacks or hide in the shadows.
With Automated Continuous Security Validation, There Is No Need to Break the Bank to Run Offensive Testing
Compliance regulations and standards, such as GDPR, SOC 2, PCI DSS v4.0, and ISO 27001, are already catching up with the need for offensive testing by requiring penetration testing on a regular basis. Yet, a bi-annual or quarterly penetration test will only give a snapshot of your organization’s security posture at a specific point in time. Furthermore, the report from the penetration test will take a few days or weeks before it is available, by which time both your environment and the threat landscape will have evolved. By the time the IT team gets to turn the report into a vulnerability patching schedule, it is already obsolete.
Automating security validation is a process that can be suited to the resources available and scaled up as needed: regardless of your organization’s size and the resources dedicated to cybersecurity, continuous security validation can be integrated and expanded as required.
To make examining the options easier, I will divide the functionalities an organization should look for in a continuous security validation solution into three categories matching different organization sizes.
Scaling Continuous Security Validation as Needed
Not everyone’s security validation needs and resources are equal. Extended Security Posture Management (XSPM) is a methodology that goes beyond continuous security validation and can be tailored to fit various levels of resources or requirements.
Check below to get an idea of what would be best for your organization’s resources and team size. The level of services can always be scaled up by adding more functionalities when more resources become available.
- Basic – For organizations with limited resources and staff, i.e., up to five people, the focus is usually on attack prevention. The selected set of automated security validation needs to be simple to deploy and use. At a minimum, it must automate security control validation and provide prescriptive mitigation guidance to optimize security control resiliency, as well as threat intelligence operationalization.
- Progressing – More mature organizations with larger resources and a larger infrastructure benefit from incorporating a wider-ranging extended security posture management approach by adding a comprehensive set of modules enabling additional functionalities such as:
‣ Threat hunting and incident response practice – a module that automates the launching of thousands of production-safe attacks, coupled with real-time, on-site response by cyber-defenders, enables the identification of high-risk vulnerabilities, their timely patching, and easy-to-set-up response practices.
‣ Optimizing and rationalizing the existing detection and response tool stack – integrating the security validation solution with current detection and response tools leads to identifying where configuration is lacking and the potential overlap between different tools or gaps in security coverage.
‣ Managing the entire attack surface – as organizations grow, keeping track of all digital assets that might be leveraged as entry points should be automated with attack surface management modules.
‣ Maintaining cyber and IT hygiene – applying an attack-based vulnerability management approach boosts the risk-reduction effect of vulnerability patching and, as a bonus, considerably reduces the patching workload.
‣ Monitoring and managing security drift – using the collected information to establish quantified baselines, then monitoring and correcting the variance from these baselines with a minimum time gap.
- Advanced – Large organizations whose staff includes an in-house red team can apply the extended security posture management approach to its full extent by scaling up their preemptive offensive program, not just their defenses, to:
‣ Provide an open purple teaming framework to enable the creation and automation of customized security assurance procedures and health checks tailored specifically for the environment and policies.
‣ Incorporate security validation into organizational risk management.
‣ Implement a continuous assurance program.
‣ Reduce manual work by automating the scripting and launching of common attack scenarios and by eliminating the tedious report generation after each exercise.
These resource-based functionality tiers, basic, progressing, or advanced, should all provide end-to-end validation with varying degrees of depth; security risk scoring calculated not only with industry-recognized standards such as the NIST Risk Management Framework, the CVSS v3.0 Calculator, Microsoft’s DREAD, or the MITRE ATT&CK™ Framework, but also based on environment-specific attack paths; and the creation of an attack-based vulnerability patching prioritization plan.
To state the obvious, I will add that they should all include actionable analytics with automated executive and technical report generation and should integrate with most detection and response tools.
In today’s fast-evolving cyber-threat landscape, including automated security validation tools should be a top priority for any organization still lacking them. I hope that this breakdown of what to look for according to your organization’s size provides a handy, practical, and serviceable clarification of the constitutive elements of security validation and how any organization can incorporate the right level for its size.
Learn more about XSPM in this webinar, “The invisible player on every security team, regardless of budget or skills.”
See XSPM in your unique environment by starting a free 14-day trial.