American visionary computer scientist, Alan Curtis Kay, once said, “The best way to predict the future is to invent it.”
This statement holds today as enterprise IT infrastructures continue to expand and evolve rapidly and now routinely span across various data centers, workforces, and multiple clouds, and interacts with numerous third-party software suppliers.
This results in the need for regular adjustments to support internal users and enable product improvements. Ad-hoc updates can create inconsistencies within or between technology systems. When those result in system failures or outages, they are immediately noticed, and the IT team will scramble to fix them as rapidly as possible to minimize the related costs.
However, what is typically missed is the not-yet exploited threat exposure that sneaked in unnoticed and is likely to remain so until a cyber attacker uses them to launch a successful attack.
Spotting a Security Drift in Time
One way a security drift goes undetected is when it hides behind the misplaced sense of security relying on last quarter’s penetration test result, which leads to complacency. Another main security drift avenue is the creation of a new type of attack that might be undetected by EDR (Endpoint Detection and Response), gateways, and firewalls until it is identified and their database is updated, leaving infrastructures unprotected in the interim time.
But the main source of emerging security drift is some minor oversight by the IT or security team during routine tasks or configuration changes due to modifying ongoing projects or launching new ones.
To protect its infrastructure against these hidden risks, shifting from identifying exposure instead of protecting against known risk is a best practice approach now recommended by Gartner as Continuous Threat Exposure Management.
At Cymulate customer success, we often see first-hand how newly emerging exposure can be spotted and mitigated in quasi-real-time by applying continuous security validation methods such as Breach and Attack Simulation (BAS). BAS tools allows organizations to consistently ensure that their security controls are efficiently configured and capable of effectively protecting the organization.
Contrary to traditional security posture assessments that aim at finding one way to break in and progress within an infrastructure, Continuous Security Validation (CSV) methods not only identify security gaps once, they continue evaluating the resilience of live operating environment with set security baselines. CSV goal is to ensure that detection and response mechanisms are effective and to avoid an unnoticed security drift by continuously challenging the security controls’ efficacy. This monitors security not from an operational point of view, but from an efficacy verification perspective.
Instead of talking about the theory, let’s have a closer look at two recent examples from anonymized Cymulate customers.
Examples of Security Drift
Web Gateway
For our first example, we will look at an investment company located in EMEA and employing 1,200 people.
The organization initially used Cymulate BAS to establish a baseline that blocked all file downloads. Once that phase was completed, the organization switched to weekly assessments that continuously validated that their security controls remain effective.
One of these weekly assessments registered an unexplained spike in the web gateway’s risk score, from 0 to 100.
The subsequent investigation uncovered that a separate project run by the IT department was at the root of this sudden risk score spike. In order to run one of their projects, the IT team had modified the files download policy on the web gateway, allowing all the users in the organization to openly download files, causing a significant risk to the organization.
SIEM
The second example is taken from a manufacturing EMEA company with 7,000 employees.
This manufacturer runs two network environments – IT and OT.
In both environments, a local endpoint security management server forwards all the logs and events to the organizational SIEM (Security Information and Event Management) solution.
To validate both endpoint security posture and detection rate, the organization has set a weekly endpoint security assessment with SIEM integration enabled that worked seamlessly for months.
Then, suddenly, the SIEM events/alerts stopped appearing on the OT environment’s assessments.
The security analysts investigated the reasons behind this unintended silence. They discovered that the IT security team had upgraded the endpoint security server in the OT environment to a new one. Though this upgrade was planned and approved, the IT security team had forgotten to configure the new server to send SYSLOG events into the SIEM, effectively blinding the SIEM to any event, intrusion, or other, in the entire OT environment.
Those two cases are exemplative of the myriads of ways normal, well-intentioned activities in an organization can affect the infrastructure security and, in the absence of continuous security validation, lead to an unnoticed security drift.
At the Cymulate customer success department, such stories land on our desk almost daily, either because our customers call to thank us, or because they want to make sure that they did not miss anything or need some assistance in identifying the root cause for a spike in risk scores.
Not only are we always happy to help, we love to see the numerous ways continuous security validation processes are effective in drawing attention to newly appearing security drifts and help detect and fix them in time to preempt breaches.