“How secure are we right now?” is the big question that keeps security professionals awake at night.
Like asking, “did I forget to lock the front door?” it’s a seemingly straightforward question but one that can cause CISOs to break out in a cold sweat.
As security professionals, we attempt to answer this all-important question every time we commission a pen test or red team exercise. In doing so, we obtain a partial understanding of how well critical assets are protected and a list of vulnerabilities to fix. However, the question never really goes away. Given the speed with which the threat landscape and IT environments evolve, the results can go out of date quickly.
The need to ensure critical assets are protected 24/7 is increasing demand for security teams to be aware of an organization’s security posture at all times. This is supported by recent guidance from the US Cyber Security and Infrastructure Security Agency (CISA), which recognizes the need for organizations to continually validate defenses against the latest adversary tactics, techniques and procedures (TTPs).
CISA Alert AA22-257A warns of ongoing malicious activity by advanced persistent threat (APT) actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) of the Iranian Government. The advisory – endorsed by the UK’s National Cyber Security Centre (NCSC) and other government agencies worldwide – is significant because it is the first time CISA has formally advised organizations to perform security validation frequently. It recommends that organizations continually test their security controls at scale against specific MITRE ATT&CK techniques.
We are used to CISA and other security agencies recommending indicators of compromise (IOCs) to monitor and CVEs to patch. However, by advising organizations for the first time to further mitigate their risks by validating security control effectiveness, the advisory can be read as a tacit admission that security teams can no longer rely solely on traditional approaches. Leveraging automation to validate security controls and processes is now essential for modern organizations to be proactive in their defense against cyber threats.
There are three key reasons why automated and continual security validation is now fundamental to helping organizations of all sizes enhance resilience:
1. Speed is of the Essence
Manually performed testing is essential to help identify complex vulnerabilities but, in isolation, doesn’t help organizations keep pace with rapidly evolving threats. Advanced exploits used by nation-state actors now fall into the hands of cyber-criminal groups within hours, meaning businesses need to react rapidly.
Periodic pen tests that take days or even weeks do not provide sufficient assurance that assets are secure against emerging attacks and deliver results that become out of date very quickly. The outcome of assessments can also be wildly inconsistent and wholly dependent upon the tester’s skill.
2. Security Tools Are Underutilized
Security teams are overloaded and under-resourced. The result is that many don’t have time to spend manually testing and tuning security controls to ensure they perform as expected.
Security tools don’t work optimally out of the box and must be tuned to every organization’s environment and use cases. Automating otherwise manual validation workloads can be a force multiplier for security professionals, enabling teams to optimize tools against the latest attack techniques with less effort.
3. A Holistic View is Needed
By continually testing the effectiveness of security controls, organizations can build a more holistic view of their security posture. Security teams need access to real-time metrics to demonstrate assurance to business leaders and external auditors.
Continuous and consistent security insights are required to help security leaders better quantify risk, benchmark performance, prove compliance and maximize the effectiveness of existing investments rather than resorting to procuring new tools.
How to Get Started
Security control validation may not have always been viewed as a priority by stretched security teams, but CISA’s endorsement is a major sign of its growing importance in helping organizations level up their cyber resilience by being more threat-centric and proactive. When CISA speaks, security teams should sit up and take notice.
Testing controls against the latest adversaries is becoming easier for all organizations. Any previous barriers of entry to adoption, such as cost and complexity, are now being eliminated by the latest solutions that not only automatically simulate threats but also help security teams optimize their toolsets to prevent and detect them.
By performing continual security validation as an essential part of security operations, security teams may sleep better after all.