Security testing isn’t just a nice-to-have - it should be the north star of effective security leadership. Your security validation program should be able to tell you, in real time, whether your security controls would stand up against the most advanced current threats, whether your current investments are driving ROI, and where you need to steer the business next.
That’s a lot of pressure, considering the rate at which new attack techniques and tactics are emerging, which is why the security validation market is evolving fast. A wide and diverse array of security testing methods are in use today, from vulnerability scanning to more sophisticated techniques such as breach and attack simulation (BAS), and practitioners commonly rely on frameworks such as MITRE ATT&CK to help get the job done.
But what really makes for an effective security testing solution? To help CISOs orient themselves in this fast-changing market, we’ve put together a list of five must-haves when assembling a modern, threat-centric security validation program.
Requirement 1: Ability to utilize imminent advanced threats
One of the greatest challenges in security testing is that new cyber threats are emerging all the time, and they use a wide spectrum of sophisticated techniques and tactics to achieve their ends. This includes techniques designed specifically to evade detection.
As such, while traditional vulnerability scanning solutions will help security teams gain visibility on new security issues as they are discovered (which may or may not be exploited in the next wave of attacks) they lack the all-important context of what threats are really up to “in the wild”. They enable security teams to identify potential “victims” in their business, but that’s not the same as responding to documented trends in adversary behavior.
Red team exercises can help organizations bring their validation more in line with real-world scenarios. However, red team testing is resource-intensive and time-consuming, so on its own won’t deliver against our second key requirement: 24x7x365 readiness.
Requirement 2: 24x7x365 validation
In cyber security, the enemy never sleeps. Not only are new threats emerging all the time, but they do so at such a rate that security stakeholders describe it as a “constant battle” to stay ahead, a 2020 Accenture report reveals.
In this environment, red team exercises - which may take weeks or even months to plan and execute - simply can’t deliver the level of round-the-clock threat readiness security teams need to succeed. While they have a vital role to play when it comes to testing security controls against the most sophisticated techniques, organizations will need to look elsewhere for continuous, 24x7x365 security validation.
Requirement 3: Assessing existing control capabilities
It may sound obvious, but an effective security testing solution needs to account for the full range of security controls already present in a business’ IT environment, however complex and multifaceted it may be. Without the ability to assess existing control capabilities, security validation tools will struggle to provide meaningful insight on the relevance of individual security gaps, and the priority in which they need to be addressed.
Requirement 4: Immediate mitigation
In some cases, security validation tools will highlight security gaps that need to be addressed as a matter of urgency. For this reason, we think it’s vital that an effective security testing solution should not only alert security teams to areas of risk, but arm them with the necessary information to remedy those risks within minutes. In some cases, this may involve a detailed to-do list of mitigation suggestions.
Requirement 5: Enable team communication and collaboration
Finally, an effective security testing solution needs to respond not only to the full range of threats out there, the full range of potential victims in the business and the full range of existing control capabilities, but also the many different functions, departments and individuals who need to be involved in responding to security risk.
Every security leader knows that driving communication and collaboration between security and business stakeholders is easier said than done. Effective validation should be able to help all stakeholders see and understand the complex relationships between threats, risks, mitigation actions and security ROI, and get the entire team to rally around a shared objective.
Does your security testing solution meet the five requirements described above, or are there still gaps you need to address? Download our whitepaper to find out more about the different approaches to validation and their pros and cons.