Companies use a variety of cyber resilience testing strategies to stay ahead of the curve. The most popular strategies are penetration testing and red teaming.
Both are great ways of analyzing cybersecurity protocols, but they’re increasingly running into limitations.
A typical business user can access and share information from a desktop, a mobile device, or an IoT device.
Data can be stored in on-site servers or on the cloud, thanks to infrastructure as a service business models. All of this makes it difficult for a business to define its network borders and entry points effectively.
Red teaming is often viewed as a method that overcomes traditional pentest vulnerabilities. However, both methods are ultimately time-bound. At some point, you need to stop running them to assess data. In a continuously evolving threat environment, these methods expose you to vulnerabilities.
What’s needed is a continuous security validation platform that constantly monitors potential threats to your system.
Here’s how you can implement such a platform in your organization.
1) Use Independent Technology
Continuous security validation (CSV) platforms aim to expose gaps in your organization’s cybersecurity structure.
The data they generate needs to be impartial since you’ll be using it to create a security baseline. Bias in any form might expose you to threats that you won’t be able to detect until it’s too late.
Cybersecurity tech vendors own different kinds of software. For example, you could end up testing an endpoint detection response software using validation technology from the same vendor.
A vendor is unlikely to rig validation data in favor of their product. However, you want your tests to be as fair and impartial as possible.
You must choose a platform that is unbiased and technology agnostic that produces data you can trust.
An agnostic partner can help you focus on the big picture without tying yourself into related service contracts. For example, a vendor’s CSV software might come bundled with their EDR suite.
An agnostic partner will also be more flexible in helping you implement solutions since they can adapt their technology to suit your needs.
You can adopt the tools you need, whether with your existing partner or third-party vendors, and integrate them with your CSV to give you a robust suite of solutions.
For example, Microsoft Defender ATP is many firms’ preferred EDR choice. A tech agnostic partner can simply integrate into this software, instead of forcing you to choose a product that doesn’t match your needs, simply because it comes bundled with the continuous monitoring solution.
Also Read: Top 10 Best Jobs in Cybersecurity Industry
2) Platforms, Not Tools
While you want to avoid using a fully automated suite of end to end security solutions, you shouldn’t be testing your technology stacks using solitary tools.
Open source tools are extremely useful in pinpointing specific vulnerabilities, but they rarely help you react and respond to threats across your stack.
The single tool approach also requires you to use and manually integrate different tools to produce working data. Needless to say, this is time-consuming and inefficient.
When evaluating a security validation platform, look for a platform that contains a diverse set of features that allows you to test your entire pipeline.
Cybersecurity evaluations evolve through different stages. Look for a CSV platform that provides solutions for every stage. Continuous monitoring begins with recon.
This stage is where you evaluate potential threats against your organization, and monitor for information on the web that an attacker can use. The next stage involves evaluating data entry points your organization uses.
For example, emails and web gateways are typical entry points that attackers take advantage of. Your firewall will handle any threats that arise at this stage, but you need to monitor for evolved attacks that might bypass your firewall or cripple it.
Some platforms allow you to simulate phishing campaigns that can be used to educate your employees as part of an awareness program.
Malicious programs are increasingly using AI to determine the easiest way to propagate through networks. They do this by taking advantage of misconfigurations and network architecture flaws.
Deploying a proactive CSV solution that highlights these weaknesses in your network will help you stay ahead of any potential attack.
Monitoring what leaves your network after an attack is just as important as evaluating what comes into it. Test your data loss prevention protocols by having your CSV platform try to extract sensitive data.
3) Emulate. Not Simulate
The typical testing cycle in a large organization involves creating a test environment that is ideally equal to production.
The idea is to test for security vulnerabilities within this sandbox before releasing code to production. If security tests pass in simulation, they should withstand anything a live environment can throw at your digital assets.
In practice, it doesn’t quite work this way unfortunately. Many organizations go one of two ways when it comes to building simulation environments.
They either assume the best case scenario or they assume the worst. The former case doesn’t provide realistic results that can be replicated in production. The latter might result in protocols that are far too stringent and might hamper your product.
The solution to all of this is to choose emulation instead of simulation. Emulation calls for attacks to be carried out against production assets to evaluate the entire stack. By observing attacker behavior and targeting likely points of failure in your stack, you can gather real data.
Emulation also spares you from having analysts create detailed pentest cases and analyzing results. Pentesting and red teaming exercises are carried out periodically and cannot help you replicate real-time threats completely.
In simulated environments, a large amount of focus is placed on replicating and maintaining the nature of the environment.
In emulation, this isn’t a requirement, and therefore, you can reverse engineer attack vectors more accurately.
For example, you can pay more attention to social engineering attacks, where there is no malware or vulnerability to detect.
4) Adopt a Standardized Framework and Evaluate Results Against it
Cybersecurity has come a long way in a very short time. Many industry leaders still think that standardized security frameworks are a bit too obvious and that they don’t provide much value.
One of the most developed industry security frameworks is the National Institute of Standards and Technology Cyber Security framework or the NIST CSF.
The five broad categories that the CSF identifies are the identification of assets, protection protocols, detection techniques, response protocols, and recovery protocols.
These broad categories are divided into subcategories, and they give you a comprehensive checklist that you can use to evaluate your CSV platform. You should use the CSF objectives to inform the tests you run during your simulation and emulation campaigns.
It’s helpful to work with a CSV provider that can help you figure out your organization’s needs. Typically, every platform will have a map that identifies how many CSF subcategories they can implement. Match these maps to your Framework Profile and check whether your organization’s needs are covered by the platform.
These frameworks address the same issues as the NIST CSF does and helps organizations bring business and technical operations onto the same page.
5) Use Integrations and Threat Modeling
In recent years, the CSV provider market seems to have divided itself into two categories. One set of providers assist by integrating continuous security monitoring into existing technology stacks and providing support via detection, measurement, and mitigation of threats.
The second set of providers focus solely on modeling and simulating scenarios that might afflict an organization.
Both of these types of services play an important role. The first kind of service platform is invaluable for SecOps and management to develop robust processes.
The second kind of service provider plays a major role in helping red teams develop scenarios and assists in creating ideal simulation environments.
Typically, organizations choose both types of providers to assist with the security infrastructure. When you combine these two categories of providers with other open-source EDR and pipeline testing platforms, what you have is a massive integration headache.
Each tool is going to provide different results, and your security team will need to manually integrate results.
Many CSV platforms offer multiple attack vector scenarios built into them. However, your platform needs to go beyond a mere simulation. Your platform should also allow you to test specific portions of your stack and integrate into it seamlessly.
Look for a platform built with an API-first approach. You won’t have any issues with integration, and you’ll be able to take advantage of both threat modeling as well as security validation through integration.
6) Continuous Monitoring for Continuous Security
CSV platforms provide massive value to organizations, but they aren’t a one-stop solution for your security needs. Combine CSV with EDR solutions to protect yourself from every scenario imaginable.
Run pentests and red teams as scheduled and monitor their results against data from your CSV platform. Adopting a holistic view of security is the best way to stay ahead of the threats that you face.