Five ways to lock down security control validation

Simple and important steps to make your cybersecurity program more efficient and effective. Read More

People like to ask what keeps me up at night. It’s not a specific threat, but a set of nagging questions: How do we know that our cybersecurity defenses will work when they must? Are our security teams prepared for future threats? Unless security teams test, exercise, and validate their cybersecurity program’s effectiveness, they won’t know the answer to these questions. So, how can security pros change the game for the better?

Here are five ways to make security programs more efficient and effective:

  1. Fine-tune existing security controls. A cybersecurity program consists of a complex ecosystem of people, processes, and technologies that work on detection and security operations. Our research has found that 82 percent of enterprise breaches should have been stopped by existing security controls but weren’t. Security fails because of misconfigurations or user error, and four out of five successful attacks leverage control failures or process problems at the victim organization. Successful security requires continuous validation; absent continuous validation, the program won’t work. Especially as threats evolve.
  2. Periodic compliance audits and red-team tests are insufficient; what’s needed are regular automated security control tests.  Historically, organizations have invested in compliance audits and red team testing to validate their security effectiveness. Companies can’t rely on a  once-a-year process focused on checking certain boxes to meet compliance requirements and determine security effectiveness. Irregular audits and manual tests cannot achieve the scale and scope required to provide real performance data and achieve optimum cybersecurity. Instead, security teams should aim to conduct regular, automated security control tests across the organization to ensure that security controls work consistently as intended. Each organization will have its own specific requirements depending on its risk tolerance, but an automated testing platform can validate security controls as frequently as the organization requires. This includes hourly or more.
  3. Take advantage of the MITRE ATT&CK framework. For years the security community held back on sharing threat information either because of intelligence classification or competitive constraints. The MITRE ATT&CK framework changed all of that in 2015 by offering the cybersecurity community a single repository of threat actor behavior. The ATT&CK framework operates as a globally-available, free, open framework of known adversary tactics, techniques and procedures. It offers a clear baseline of adversary behavior, eliminating fear, uncertainty, and doubt. Security professionals leverage MITRE’s insights to simulate attacker behavior in real-world scenarios and evaluate their security effectiveness against known threats. Governments all over the world use the framework to focus cyberdefenders on the threats that matter most.
  4. Deploy automated breach and attack simulation tools. Manual red-teaming demands significant time from highly skilled staff, too much to occur at the frequency required for true security effectiveness. That’s why breach and attack simulation tools have grown in popularity. The best products automate scenario-based security testing to find weaknesses and control failures in the security infrastructure. If a new application or a configuration unexpectedly opens a gap in the company’s defenses, security teams can discover it in a timely manner through regular testing. Once the security team becomes aware of such a weakness, they can take steps to eliminate it.
  5. Look for tools that scale and work in a production environment. A strong platform needs to deliver visibility into people, process, and technology effectiveness throughout a security organization. What does that demand from a product? First, it needs to scale across an enterprise. Second, the product needs to work in a production environment; a lab setting never functions as a precise replica of the actual systems the company needs to protect. Third and finally, security teams need an open and adaptable platform for new testing content as the company incorporates new threat information (from internal intelligence or external threat feeds). Absent any of these criteria, the investment will falter.

While automated testing serves as the foundation of breach and attack simulation, security teams benefit the most from a strong platform that can optimize their security program’s effectiveness. Done correctly, an automated testing platform generates real data about the team’s total performance. With real data, security teams can improve dozens of aspects of their security program, including post-incident response remediation, threat hunting, and investment decision-making by identifying issues with current or future processes or technologies. Performance data delivers the foundation for effective security management. Without it, teams are flailing.

By optimizing security organizations can maximize their budgets in uncertain times. Today, security teams face budget limits because of the coronavirus and its socio-economic disruptions. The combination of the MITRE ATT&CK framework, breach and attack simulation platforms, and a threat-informed defense will help companies focus on known threats and validate their team’s performance to make the most of increasingly scarce resources. Security optimization lets security teams pivot towards the future with clarity and optimal performance.

This article first appeared in SC Magazine online on November 12, 2020.

Chris Kennedy was CISO and vice president for customer success at AttackIQ