Many organizations have spent considerable time and resources building security programs to protect their users and data. Despite those best-laid plans, attackers still find ways to infiltrate systems, leaving personnel stunned to find that their security controls did not work as expected (if at all). This lands the organization in the unfortunate position of having to explain why controls failed while simultaneously responding to an incident.
To bridge the gap between expectations and capabilities, consistent and thorough security control testing is required. This advice is not new, but it is often easier said than done. Due to complexities, penetration tests are scheduled as infrequently as possible and are narrowed in scope and impact—rules that threat actors do not care about when they set their sights on your organization. SANS states that it is time to think of security control validation as a must-have, on-demand capability—one that is effective in highlighting the security weaknesses of an organization—so that security teams can prioritize remediation and implementation where necessary.
In this report, SANS examines Cymulate’s continuous security validation platform.