By Erik Holmes, CEO, Cyber Guards
Over the past twenty years, while formulating cybersecurity roadmaps for diverse enterprises, I’ve echoed a fundamental philosophy:
“If you test your security program once per year, you have a real opportunity to improve your security program once per year.
If you test your security program every day, you have the opportunity to improve your security program every day.”
The average organization brings in simulated attackers (penetration testers, red teams) once or twice a year to test the quality of their cybersecurity systems. But your controls need to prevent threats daily, so shouldn’t you be testing your security more often?
Organizations large and small are making this mistake. Toyota Japan recently revealed that they’d accidentally left the personal data of over 2 million customers exposed for nearly 10 years. Toyota added that it’s introducing a system to continuously monitor its cloud so the organization can detect and respond to threats faster.
Continuous security testing and attack path management help organizations gain a clearer picture of their cybersecurity posture. These are more effective methods than traditional snapshot-in-time penetration testing, which gives a static view of a constantly changing system. If you or your cybersecurity provider aren’t continuously testing your controls and analyzing attack paths, there’s a good chance that the core assets of your business are at risk.
Understanding continuous security testing and attack path management
Continuous security testing is the practice of challenging, measuring and optimizing the effectiveness of an organization’s security controls, infrastructure configurations, policy enforcement, etc. on an ongoing basis.
Attack path management adds context to continuous security testing. You’re moving from testing controls to securing critical assets. Context is everything when it comes to reducing risk. Instead of looking at endless lists of issues, attack path management combines them together into an attack graph to proactively uncover hidden attack paths and security control gaps across your cloud and on-prem networks.
With attack path management, you can efficiently pinpoint and address the issues that actually put your organization at risk. You then move to cutting off attack paths at key junctures for laser-focused remediation to proactively reduce your attack surface.
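The attack-graph idea described above can be made concrete with a few lines of code. The following is an added example, not code from the original article or from any attack path management product: findings from scans or tests are treated as edges between hosts or identities, every path from an attacker entry point to a crown-jewel asset is enumerated, and findings are then ranked by how many of those paths they sit on. The hosts, findings, entry points and the crown jewel are all constructed sample data.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Edge = one finding that lets an attacker move from `src` to `dst`.
Edge = Tuple[str, str, str]

# Constructed sample findings (hypothetical hosts and issues, not from any real assessment).
FINDINGS: List[Edge] = [
    ("internet", "web-dmz", "exposed web app with known RCE"),
    ("phishing-user", "ws-finance", "users open macro-enabled attachments"),
    ("web-dmz", "app-server", "shared local admin password"),
    ("ws-finance", "app-server", "cached domain admin credential"),
    ("app-server", "db-customer-pii", "service account holds DBA rights"),
    ("ws-finance", "file-share", "share writable by all domain users"),
    ("file-share", "db-customer-pii", "backup contains plaintext DB connection string"),
    ("printer-vlan", "file-share", "default SNMP community string"),  # no entry point reaches printer-vlan
    ("web-dmz", "dev-box", "SSH key reused across hosts"),            # dead end: nothing leads onward
]
ENTRY_POINTS: Set[str] = {"internet", "phishing-user"}   # where an attacker starts
CROWN_JEWEL = "db-customer-pii"                           # the asset the business must protect


def build_graph(findings: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: src -> [(dst, finding), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, finding in findings:
        graph[src].append((dst, finding))
    return graph


def attack_paths(graph: Dict[str, List[Tuple[str, str]]], entries: Set[str], target: str) -> List[List[Edge]]:
    """Every simple path from an entry point to the target, as a list of edges (findings)."""
    paths: List[List[Edge]] = []

    def dfs(node: str, visited: Set[str], path: List[Edge]) -> None:
        if node == target:
            paths.append(list(path))
            return
        for nxt, finding in graph.get(node, []):
            if nxt in visited:           # simple paths only: never revisit a host
                continue
            visited.add(nxt)
            path.append((node, nxt, finding))
            dfs(nxt, visited, path)
            path.pop()
            visited.discard(nxt)

    for entry in sorted(entries):
        dfs(entry, {entry}, [])
    return paths


def chokepoints(paths: List[List[Edge]]) -> List[Tuple[Edge, int]]:
    """Findings ranked by how many attack paths they appear on; fixing the top ones cuts the most paths."""
    counts: Counter = Counter(edge for path in paths for edge in path)
    return counts.most_common()


def triage(findings: List[Edge], paths: List[List[Edge]]) -> Tuple[List[Edge], List[Edge]]:
    """Split findings into those on a path to the crown jewel (fix first) and those that are not."""
    on_path = {edge for path in paths for edge in path}
    return ([f for f in findings if f in on_path],
            [f for f in findings if f not in on_path])


if __name__ == "__main__":
    graph = build_graph(FINDINGS)
    paths = attack_paths(graph, ENTRY_POINTS, CROWN_JEWEL)
    print(f"{len(paths)} attack path(s) to {CROWN_JEWEL}")
    for path in paths:
        print("  " + " -> ".join([path[0][0]] + [dst for _, dst, _ in path]))
    print("Chokepoints (paths cut if fixed, finding):")
    for (src, dst, finding), n in chokepoints(paths):
        print(f"  {n}  {src} -> {dst}: {finding}")
    reachable, noise = triage(FINDINGS, paths)
    print(f"{len(reachable)} findings on an attack path, {len(noise)} not on any path to the crown jewel")
```

On this sample data three paths reach the customer database, and two findings (the DBA-privileged service account and the macro-enabled attachments) each sit on two of them, so they are the "key junctures" the text refers to. The two findings that lie on no path to the crown jewel are still real issues, but the graph shows they do not currently put that asset at risk, which is the context a flat list of findings cannot give.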
Both strategies are relatively new to the cybersecurity arena but are becoming mainstays for major corporations. However, small and medium-sized businesses have been slower to embrace these tactics.
Why are these new strategies so important?
These strategies allow business leaders to gain immediate and continuous knowledge of their cybersecurity posture. This is much preferable to the status quo: relying on outdated information that comes from testing once or twice a year, or, even worse, waiting until a breach occurs to determine your gaps.
I like to use the metaphor of cleaning a house. If you’re not continuously sweeping floors and wiping windows, your house will eventually get dirty. Failing to monitor your security posture means you’re less likely to find things that are out of place.
Snapshot-in-time testing, as the name suggests, only reveals your cybersecurity status at a single point in time. This method can give you a misleading view of your cybersecurity.
The constraints of snapshot-in-time testing
Traditional security tests are not effective because they have too many constraints. These constraints are typically in place due to an overarching financial constraint: the company doesn’t have the budget to support more robust testing. Other constraints include:
- Time: If you limit the testing to a time-bound period, the test can only yield findings that were present during that period. If key components of your environment were unavailable during the test, or your team did not interact with the digital environment the way they normally would, you will generate misleading results. And if your operations fluctuate seasonally and you test during the “off-season,” you won’t be getting a clear picture either.
- Scope: Due to the financial and time-bound constraints, these snapshot-in-time tests are often forced to be either too focused on a specific scenario (think DMZ to Domain Controller) or too general (“just see what you can find”). If we limit the scenarios, the network segments, or the cloud or on-premise environment, we lose the opportunity to capture the full picture of what is working and what needs to be improved. And worse, if we do not test our most critical assets, the business value of the engagement drops significantly.
- People: We can’t ignore the human elements of cybersecurity testing. People just do not perform the exact same way at the exact same level every day. The variance introduces project risk. Sometimes the constraint is experience, where the tester has never come across a technology before and they enter a research cycle, eating up valuable project time. Perhaps the constraint is mental, emotional or physical based on how that person is feeling that day. A bad morning, a lack of rest and struggles in personal lives all play a role in testing performance. I’ve witnessed these scenarios hundreds of times throughout my career.
In contrast, continuous security testing and attack path management mitigate these limitations.
Attack path management platforms allow organizations to test persistently and consistently, every day in a “do no harm” fashion. That means the organization can test daily to ensure they understand cyber risk in context every day.
There is no time gap in the results. Attack path management platforms do not have a scope limit. Users can create as many scenarios as they can imagine and can run them daily without impacting the network or endpoints. Attack path management also removes the human element. When a platform is synced to an industry-accepted attack arsenal, it performs the same way every day.
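To show what "no time gap in the results" means in practice, here is an added example that is not part of the original article: a small harness that runs a set of control checks on a schedule, keeps a history of pass/fail results, and reports controls that passed on the previous run but fail now (the daily improvement opportunity the opening quote describes). The three controls, the environment dictionary they read, and the storage bucket that becomes public on day 10 are all constructed; real checks would query the identity provider, cloud and EDR APIs instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List

# Constructed environment state; real checks would query cloud, IdP and EDR APIs.
Env = Dict[str, object]


def mfa_enforced(env: Env) -> bool:
    return bool(env["mfa_enforced"])


def no_public_buckets(env: Env) -> bool:
    return env["public_buckets"] == 0


def edr_coverage_ok(env: Env) -> bool:
    return env["edr_hosts"] / env["total_hosts"] >= 0.95


# Hypothetical control catalogue: name -> check function returning True when the control holds.
CONTROLS: Dict[str, Callable[[Env], bool]] = {
    "IdP: MFA enforced for all users": mfa_enforced,
    "Cloud: no publicly readable storage": no_public_buckets,
    "Endpoint: EDR on at least 95% of hosts": edr_coverage_ok,
}


@dataclass(frozen=True)
class Result:
    day: date
    control: str
    passed: bool


def run_controls(env: Env, day: date) -> List[Result]:
    """Evaluate every control once against the environment as it looks on `day`."""
    return [Result(day, name, check(env)) for name, check in CONTROLS.items()]


def regressions_on(history: List[Result], day: date) -> List[str]:
    """Controls that fail on `day` but passed on their most recent earlier run."""
    latest = {r.control: r for r in history if r.day == day}
    regressed = []
    for control, result in latest.items():
        if result.passed:
            continue
        prior = [r for r in history if r.control == control and r.day < day]
        if prior and max(prior, key=lambda r: r.day).passed:
            regressed.append(control)
    return regressed


def detection_delay(history: List[Result], control: str, broke_on: date) -> int:
    """Days between a control actually breaking and the first run that observed the failure."""
    failures = [r.day for r in history if r.control == control and not r.passed and r.day >= broke_on]
    return (min(failures) - broke_on).days


def simulate(schedule_days: List[int], start: date) -> List[Result]:
    """Run the controls on the given day offsets. Constructed scenario: a bucket goes public on day 10."""
    history: List[Result] = []
    for d in schedule_days:
        env: Env = {"mfa_enforced": True, "public_buckets": 1 if d >= 10 else 0,
                    "edr_hosts": 96, "total_hosts": 100}
        history.extend(run_controls(env, start + timedelta(days=d)))
    return history


if __name__ == "__main__":
    start = date(2024, 1, 1)
    bucket_control = "Cloud: no publicly readable storage"
    daily = simulate(list(range(30)), start)          # continuous: every day for a month
    annual = simulate([0, 365], start)                # snapshot: once a year
    print("daily schedule, regressions on day 10:", regressions_on(daily, start + timedelta(days=10)))
    print("daily schedule, days until detected:", detection_delay(daily, bucket_control, start + timedelta(days=10)))
    print("annual schedule, days until detected:", detection_delay(annual, bucket_control, start + timedelta(days=10)))
```

The same misconfiguration is found the day it appears under the daily schedule and 355 days later under the annual one; nothing about the checks themselves changed, only how often they ran. The regression report is deliberately limited to pass-to-fail transitions so that a control that has been failing for weeks does not drown out the one that broke today.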
Applying these strategies in your business
So what’s the best way to implement these strategies? Here are a few ways to get started:
- Engage with Attack Path Management Experts: Many companies are lacking the internal resources to conduct continuous security testing and attack path management on their own. Working with a trusted MSSP can help you implement these strategies.
- Harness Free Tools: Familiarize yourself with the MITRE ATT&CK® Framework and Atomic Red Team™. These resources provide insights and practical tests to bolster your defenses at no cost to you (other than time for research and application).
- Prioritize Key Assets: Today’s cyber threats bypass superficial defenses. Identify and safeguard your principal business assets (IP, PII, PCI) and then expand outward. Start by understanding how the business operates, identify the most critical systems and add context to your tests.
The future of continuous security testing
The horizon of cybersecurity testing promises AI-driven initiatives. Soon, security testing tools will likely integrate AI, automating environment setups and test deployments. Such advancements will empower businesses, especially smaller entities, to proactively fortify their defenses.
But for now, you can focus on finding the right cybersecurity partners, using free tools to provide insights and prioritizing your key assets. I implore you to test your defenses every day, improve every day and protect what matters most first.
Erik Holmes is the Chief Executive Officer at Cyber Guards, a people-first managed cybersecurity services company based in Memphis, Tennessee. Prior to founding Cyber Guards, Erik led Red Team Assessments at Deloitte Consulting, which he joined after a stint as Regional Director at BlackHorse Solutions. He was stationed at SEAL Team Six for ten years and has served eight combat deployments in Iraq, Afghanistan and Somalia.