If you’re only conducting snapshot-in-time security tests, you aren’t doing enough to protect your business.
By Erik Holmes, CEO, Cyber Guards
I’ve helped develop cybersecurity strategies for numerous companies over the past two decades.
There’s a standard line I find myself repeating all the time:
“If you test your security program once per year, you have an opportunity to improve your security program once per year.
If you test your security program daily, you have the opportunity to improve your security program every day.”
The average organization brings simulated attackers in once or twice a year to test the quality of its cybersecurity controls. But those controls need to stop threats every day, so shouldn’t you be testing them more often?
Organizations, large and small, are making this mistake. Toyota Japan recently revealed that they’d accidentally left the personal data of over 2 million customers exposed for nearly 10 years. Toyota added that it’s introducing a system to continuously monitor its cloud so the organization can detect and respond to threats faster.
Continuous security testing and attack path management help organizations gain a clearer picture of their cybersecurity posture. They’re more effective than traditional snapshot-in-time penetration testing, which gives a static view of a constantly changing system. If you or your cybersecurity provider aren’t testing continuously and analyzing attack paths, there’s a good chance that the core assets of your business are at risk.
Let’s explain why, and explore three ways you can make sure you’re doing what’s needed to protect your business from bad actors and other threats:
What are continuous testing and attack path management?
Continuous security testing is a process that involves regularly probing your company’s software assets to identify weaknesses and to verify that the controls in place would actually stop an attack.
Attack path management is a method that focuses on identifying the root cause of the issues and rapidly closing down the paths that an attacker could take to exploit or damage critical assets.
The concepts work together. Continuous testing allows you to gain awareness of potential problems and attack path management helps you diagnose and fix them.
Both of these cybersecurity methodologies have emerged in the last 5-10 years. Most large companies are employing them, but they haven’t trickled down to the SMB market as quickly.
Why are they so important?
Together, these strategies allow business leaders to gain immediate and continuous knowledge of their cybersecurity posture — rather than relying on outdated information that comes a few times a year.
I like to use the metaphor of cleaning a house. If you’re not continuously sweeping floors and wiping windows, your house will eventually get dirty. Failing to monitor your security posture means you’re less likely to find things that are out of place.
These methods are superior to the alternatives. Snapshot-in-time testing, as the name suggests, only reveals your cybersecurity status at a single point in time. This can give you a misleading view of your cybersecurity, because you’re limited by factors such as:
- Time: You might get a biased view based on seasonality, employees on PTO, etc.
- Scope: You can only test so many things in a given period, as opposed to coming back to the well continuously.
- Experience: If a cybersecurity professional sees something they don’t understand, it can get lost in the shuffle as they move on to something new.
Continuous security testing and attack path management help limit these constraints.
How to ensure your business is protected
Once you understand the importance of these methods, what can you do to make sure you’re protected?
Utilize free resources
I’d recommend that every organization looks into two free online resources:
- MITRE ATT&CK® Framework, which describes tactics and techniques that threat actors use to move into a new environment. Make sure your cybersecurity provider has all of these methods covered.
- Atomic Red Team™, a library of tests mapped to the MITRE ATT&CK® framework that teams can use to run tests on their environment on a regular basis.
Protect your most critical assets first
In the past, it was thought that if a bad actor couldn’t get past your firewall, you were safe. That’s not true anymore. I like to focus on a layered approach to threat remediation.
Work with your leadership team to identify the core elements of your business: your intellectual property (IP), personally identifiable information (PII), payment card industry (PCI) data, etc. Draw the attack paths that lead to these critical assets and remediate those paths first. Then work outwards.
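The two ideas above, finding the paths an attacker could take to critical assets and closing them down at the root, and continuous testing that tells you when a new path has appeared since the last run, can be sketched as a small attack-graph model. The following is an added illustration, not code from the article or from Cyber Guards; the environment (an internet entry point, a mail user, a VPN gateway, a jump host, a domain controller, a file server, a database holding PII/PCI data and an IP repository) is constructed, and the edges stand for whatever lets an attacker step from one asset to the next (shared credentials, open network paths, trust relationships). The remediation planner cuts the edge that sits on the most attack paths first and, on ties, the edge nearest a critical asset, so the innermost layer is fixed before you work outwards.

```python
from collections import deque

# Constructed sample environment, not taken from the article. Nodes are assets;
# a directed edge A -> B means an attacker controlling A has some way to reach B
# (shared credential, open network path, trust relationship, etc.).
ATTACK_GRAPH = {
    "internet": ["vpn_gateway", "mail_user"],
    "mail_user": ["workstation"],
    "vpn_gateway": ["jump_host"],
    "workstation": ["file_server", "jump_host"],
    "jump_host": ["db_server", "domain_controller"],
    "domain_controller": ["db_server", "ip_repo", "file_server"],
    "file_server": ["ip_repo"],
    "db_server": [],   # holds PII / cardholder data
    "ip_repo": [],     # source code and other intellectual property
}
CRITICAL_ASSETS = {"db_server", "ip_repo"}
ENTRY_POINT = "internet"


def enumerate_paths(graph, start, targets):
    """All simple paths from start to the first critical asset reached (DFS)."""
    paths = []

    def dfs(node, visited, path):
        if node in targets:
            paths.append(tuple(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                dfs(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    dfs(start, {start}, [start])
    return paths


def hops_to_critical(graph, targets):
    """Reverse BFS: hops from each node to the nearest critical asset."""
    rev = {n: [] for n in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev[dst].append(src)
    dist = {t: 0 for t in targets}
    queue = deque(targets)
    while queue:
        node = queue.popleft()
        for prev in rev[node]:
            if prev not in dist:
                dist[prev] = dist[node] + 1
                queue.append(prev)
    return dist


def plan_remediation(graph, start, targets):
    """Greedy choke-point selection: cut the edge on the most remaining attack
    paths (ties: the edge closest to a critical asset) until none remain."""
    g = {n: list(e) for n, e in graph.items()}
    plan = []
    while True:
        paths = enumerate_paths(g, start, targets)
        if not paths:
            return plan, g          # remediation order and the hardened model
        coverage = {}
        for p in paths:
            for edge in zip(p, p[1:]):
                coverage[edge] = coverage.get(edge, 0) + 1
        dist = hops_to_critical(g, targets)
        edge = max(sorted(coverage),
                   key=lambda e: (coverage[e], -dist.get(e[1], float("inf"))))
        plan.append((edge, coverage[edge]))
        g[edge[0]].remove(edge[1])


def reachable(graph, start):
    """Assets an attacker can still reach from the entry point (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def new_attack_paths(baseline, current, start, targets):
    """Continuous-testing check: paths in today's model that were absent from
    the previous run, i.e. drift that opened a new route to a critical asset."""
    before = set(enumerate_paths(baseline, start, targets))
    return sorted(set(enumerate_paths(current, start, targets)) - before)


if __name__ == "__main__":
    plan, hardened = plan_remediation(ATTACK_GRAPH, ENTRY_POINT, CRITICAL_ASSETS)
    for edge, n in plan:
        print(f"cut {edge[0]} -> {edge[1]}: closes {n} attack paths")
    print("next, work outwards from:", sorted(reachable(hardened, ENTRY_POINT)))
    drifted = {n: list(e) for n, e in hardened.items()}
    drifted["workstation"].append("db_server")  # constructed drift since last run
    for p in new_attack_paths(hardened, drifted, ENTRY_POINT, CRITICAL_ASSETS):
        print("NEW PATH:", " -> ".join(p))
```

On the constructed graph there are nine paths from the internet to the two critical assets; cutting the jump host to domain controller edge alone closes six of them, and two further cuts close the rest. The assets still reachable afterwards are the ones to address next, working outwards, and the drift check is what a daily run would report when a new credential path appears between one test and the next.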
Evaluate your vendors
If you’re paying a vendor to use certain strategies, it’s fair to make sure that they’re actually using them. Even “best in class” organizations can be caught slacking. Especially if you’re a small or medium-sized business, make sure that your cybersecurity vendor is doing everything they can to protect your business.
AI and the future of continuous security testing
Pretty soon, artificial intelligence is going to help every business access the tools they need to continuously test their security and close down attack paths.
I’d predict that in the next few years, the Atomic Red Team will be able to tie AI and ML into their package of tests. Ideally, AI will be able to set up environments and deploy tests on its own. It’ll allow you to go on the offensive when it comes to security. This represents a potential game-changer for smaller companies that don’t have large in-house cybersecurity teams.
But for now, I’d recommend coupling continuous security testing with an industry-recognized framework to build a truly effective cybersecurity strategy. The more you test, the more likely you are to identify and subdue potential threats to your company.
Erik Holmes is the Chief Executive Officer at Cyber Guards, a people-first managed cybersecurity services company based in Memphis, Tennessee. Prior to founding Cyber Guards, Erik led Red Team Assessments at Deloitte Consulting, which he joined after a stint as Regional Director at BlackHorse Solutions. He was stationed at SEAL Team Six for ten years and has served eight combat deployments in Iraq, Afghanistan and Somalia.