No corporate executive should feel secure.
Every day, we keep hearing about yet another company getting hacked or losing sensitive data. Many enterprises do not even realize their systems are compromised until they receive an unexpected notification from an external party. Cybersecurity remains a top risk for companies and a hot topic for boardrooms.
To fend off cyber threats, most companies focus on:
But, how do we know our cyber defenses actually work?
Traditional Security Validation includes testing individual controls or a set of controls to ensure that they are designed appropriately and working effectively. For example:
- Validating that a firewall is configured according to a company’s configuration standards is considered testing of a singular control.
- Testing a set of relevant controls to verify whether the company is in compliance with the Payment Card Industry Data Security Standard (PCI-DSS) would be considered testing a set of controls.
While testing security controls in a traditional way could serve its intended purposes, the company should not feel secure solely based on traditional point-in-time control testing. The reality is that threats and an organization’s systems change on a daily basis, and a traditional control test that was effective yesterday may no longer be effective in mitigating a threat today.
Adversaries will always look for any weakness in a company’s environment, ranging from misconfigured systems to overly permissive access rules. New threats, vulnerabilities and zero-days are identified every day.
The only effective way to combat this is to think and act like an adversary.
Continuous Security Validation allows an organization to take cyber attackers’ perspective and stress-test its security stance.
While it includes elements of traditional validation methods described above, it focuses more on walking in hackers’ shoes. The chart below depicts key characteristics of Continuous Security Validation:
To implement and execute on Continuous Security Validation, a company could leverage industry best practices. A leading framework in this area is MITRE ATT&CK™ for Enterprise (ATT&CK).
ATT&CK for Enterprise is a framework that takes the perspective of an adversary trying to hack into a company using various known attack vectors. This framework provides a library of real-world hacking activities for companies to simulate in their own networking environment.
In its simplest form, an organization could pick a relevant attack vector (e.g. exfiltration over alternative protocol) from the ATT&CK Matrix and test its cyber defenses to validate that it could withstand that particular attack. They can then review and prioritize mitigation of identified gaps.
It’s important to note that internal red-teaming (an internal group taking hackers’ perspective) is a core component of this approach whereby these teams can use real scenarios and test the actual response and detection capabilities rather than just testing controls.
Continuous Security Validation will help a company:
- Increase its cyber resiliency by frequent testing and validation
- Test the effectiveness of its security controls and tools in preventing specific attack vectors
- Develop an organizational cyber threat model to focus on higher risk areas and key information assets
- Methodically analyze identified security observations
At the 2019 GRC Conference in Fort Lauderdale, Florida, USA, to take place 12-14 August, I will further explore Continuous Security Validation and describe how a company could use it to reduce its cyber exposure. We will also review key elements of ATT&CK for Enterprise and discuss how it can be leveraged to stand up and operate a Continuous Security Validation process.
About the author: Berk Algan is a risk management executive who takes pride in building exceptional Governance, Risk and Compliance (GRC) functions and developing high-performing teams. He currently leads the Technology & Security Risk Management group at Silicon Valley Bank.