Like bad physical posture, poor cybersecurity practices in an organization are generally perceived to be difficult to change. Correcting a slouch takes time, and so does detecting problems in existing security controls and fixing them.
However, it is not extremely difficult to address the vulnerabilities or weaknesses in an organization’s cybersecurity system. It is not going to be a walk in the park, but it is no “Mission: Impossible.”
One phrase provides a thorough summary of what needs to be done to address the problem of a weak security posture: “security validation.” This is the process of assessing the effectiveness of cyber defenses to spot defects and fix them. However, it is not as simple as it may sound.
Organizations cannot just undertake comprehensive testing of security controls and achieve the desired outcomes. What constitutes comprehensive testing? Which specific controls must be tested? How do organizations know that they have already covered everything they need to cover for them to say that they have undertaken sufficient security validation?
Unfortunately, given the evolving nature of cyber threats, nobody can ever be entirely sure about the reliability of their cyber defenses. The strong security system an organization puts up now may become vulnerable later on as creative and skillful cybercriminals find new ways to defeat security solutions.
To keep up with the advancing sophistication and overwhelming volumes of cyber attacks, many organizations are turning to automated continuous security validation. As the phrase implies, it is about automatically and repeatedly testing security controls. Cyber defenses are continuously stress-tested in line with the latest threat intelligence to make sure that they are ready to handle the most recent threats.
Improved security testing processes
How is the testing of security controls conducted? In the past, this was done by employing white hat hackers to attempt to breach the cyber defenses of an organization. An external or third-party group is commissioned to launch various attacks, while the organization’s own security team holds the line. This is penetration testing with red teaming and blue teaming.
Red and blue teaming, originally developed for military applications, is one of the common ways to determine the effectiveness of a company’s cybersecurity. This approach, however, is costly and impractical, especially in the context of continuous security testing. Companies, especially the smaller ones, cannot sustain perpetual security testing using traditional methods.
This is where automation and simulation provide an excellent upgraded solution. The simulation of cyber attacks to test the effectiveness of security controls can be undertaken through a unified platform that can mimic end-to-end attacks covering the full kill chain. Organizations can simulate cybercriminals’ reconnaissance actions, phishing campaigns, web gateway and email gateway attacks, web application firewall assaults, and various other attacks.
Automated continuous security validation does not necessarily supplant already established security strategies like purple teaming, the coming together of red and blue teams to identify and address security weaknesses. Purple teaming can be integrated into the security validation process, serving as another reliable source of inputs on detecting security defects and weaknesses.
Moreover, continuous security validation may incorporate the MITRE ATT&CK framework, which is a comprehensive and up-to-date cyber attack tactics and techniques knowledge base used to boost the security validation processes of organizations. It presents a matrix of methods and processes used by cyber attackers as observed by various security experts worldwide. It is a cyber threat intelligence resource that helps organizations in preventing, promptly detecting, and remediating compromises.
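As an added illustration of what “automatically and repeatedly testing security controls” against a technique catalogue looks like in practice (example code written for this page, not the article’s own and not any vendor’s product), the following Python harness runs a set of defender-side control checks, each tagged with the MITRE ATT&CK technique it is meant to counter, summarizes coverage per tactic, and flags controls that passed on the previous scheduled run but fail now. The control state, the check list and the previous-run results are constructed sample data; the technique IDs are real ATT&CK identifiers chosen for illustration.

```python
"""Minimal continuous security validation harness (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    """One validation of a security control, tagged with the ATT&CK technique it counters."""
    control: str
    technique: str   # ATT&CK technique ID (real IDs, used here only for illustration)
    tactic: str      # ATT&CK tactic the technique sits under
    validate: Callable[[dict], bool]


# Constructed snapshot of control state. A real harness would query the controls
# themselves (gateway API, WAF config, external scan output, EDR console).
CURRENT_STATE = {
    "email_gateway": {"blocks_executable_attachments": True, "url_rewriting": True},
    "waf": {"ruleset_version": "2024.04", "blocking_mode": False},
    "external_scan": {"open_admin_ports": 0},
    "edr": {"agent_coverage_pct": 91},
}

# The checks: each one asks "is this control doing its job right now?"
CHECKS: List[Check] = [
    Check("Email gateway attachment filtering", "T1566", "Initial Access",
          lambda s: s["email_gateway"]["blocks_executable_attachments"]),
    Check("Email gateway URL rewriting", "T1566", "Initial Access",
          lambda s: s["email_gateway"]["url_rewriting"]),
    Check("WAF in blocking mode", "T1190", "Initial Access",
          lambda s: s["waf"]["blocking_mode"]),
    Check("No admin ports exposed to the internet", "T1595", "Reconnaissance",
          lambda s: s["external_scan"]["open_admin_ports"] == 0),
    Check("EDR agent on >= 95% of endpoints", "T1059", "Execution",
          lambda s: s["edr"]["agent_coverage_pct"] >= 95),
]

# Constructed results from the previous scheduled run, used to spot regressions.
PREVIOUS_RESULTS: Dict[str, bool] = {
    "Email gateway attachment filtering": True,
    "Email gateway URL rewriting": True,
    "WAF in blocking mode": True,
    "No admin ports exposed to the internet": True,
    "EDR agent on >= 95% of endpoints": False,
}


def run_checks(state: dict, checks: List[Check] = CHECKS) -> Dict[str, bool]:
    """Evaluate every check; a control that cannot be queried counts as failed."""
    results: Dict[str, bool] = {}
    for check in checks:
        try:
            results[check.control] = bool(check.validate(state))
        except (KeyError, TypeError):
            # An unreachable or missing control is a failed validation, not a skipped one.
            results[check.control] = False
    return results


def coverage_by_tactic(results: Dict[str, bool],
                       checks: List[Check] = CHECKS) -> Dict[str, Tuple[int, int]]:
    """Map each ATT&CK tactic to (passing checks, total checks)."""
    coverage: Dict[str, Tuple[int, int]] = {}
    for check in checks:
        passed, total = coverage.get(check.tactic, (0, 0))
        coverage[check.tactic] = (passed + int(results[check.control]), total + 1)
    return coverage


def regressions(previous: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Controls that validated on the previous run and fail on this one."""
    return [ctl for ctl, ok in current.items() if not ok and previous.get(ctl, False)]


def report(state: dict, previous: Dict[str, bool]) -> str:
    """Human-readable summary of one validation run."""
    results = run_checks(state)
    lines = ["%-45s %s (%s)" % (c.control, "PASS" if results[c.control] else "FAIL", c.technique)
             for c in CHECKS]
    for tactic, (passed, total) in coverage_by_tactic(results).items():
        lines.append("%s: %d/%d controls validated" % (tactic, passed, total))
    for ctl in regressions(previous, results):
        lines.append("REGRESSION: %s passed last run, fails now" % ctl)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CURRENT_STATE, PREVIOUS_RESULTS))
```

The regression list is the part that makes the harness “continuous” rather than a one-off assessment: a control that silently drifted out of blocking mode since the last run is surfaced as a regression, separately from the backlog of controls that have never passed.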
Security posture challenges
Even with all the improvements in security validation, many companies still find it challenging to change and improve their security posture. The reasons for this can be summarized as follows:
- Lack of knowledge and adoption of the best solutions
- The human security weakness
A Ponemon study found that nearly half of the organizations surveyed have not evaluated their readiness in responding to cyberattacks. Forty-seven percent of the survey’s respondents say that they do not regularly evaluate, or do not assess at all, the readiness of their incident response teams. Meanwhile, only 23 percent say that they have a predefined public relations and analyst relations plan in place in case a significant security compromise takes place. Additionally, 45 percent indicate that they do not share or get cyber threat intelligence and threat indicator details from other organizations.
“CSIRTs (Computer Security Incident Response Teams) are ill-prepared to respond to cyber threats,” as the Ponemon study puts it. Many organizations do not invest heavily in their cybersecurity readiness.
Many already acknowledge how important cybersecurity is, but the lack of information about the best security solutions as well as the lukewarm adoption of the best solutions remains. Another study shows that an alarming 73 percent of companies admit that they are not prepared for hacking attacks. They acknowledge that their cyber defenses are insufficient or nearly nonexistent.
As mentioned, cybersecurity technologies and strategies have already improved especially with the advent of collaborative efforts like MITRE ATT&CK. However, many continue to have excuses or refuse to consider it urgent to have their cyber protection upgraded.
On the other hand, humans continue to be regarded as the weakest link in cybersecurity. Many tech pundits have said this before. Robert Kress, Managing Director for Accenture Security, pointed this out while citing statistics from Accenture’s Annual Cost of Cybercrime Study in a 2019 article. Clint Boulton of CSO Online wrote something similar, noting that “you might be surprised that it isn’t only rank-and-file employees duped by phishing scams who pose risks.”
People easily fall for social engineering schemes. Over 80 percent of the security incidents reported have been phishing and other social engineering attacks. These cybercrimes exploit the lack of knowledge, gullibility, and carelessness of many employees and even top officials in organizations. They unwittingly aid bad actors in successfully defeating security controls.
Moreover, there are times when people intentionally deactivate or fail to activate certain security controls, or set aside protocols because of inconvenience. There are likewise instances when people put too much faith in the supposedly premium security solutions they obtain for their businesses, as in the anecdote shared by Clint Boulton in his CSO Online article about an employee who overstated the capabilities of a security platform from a particular vendor.
Overcoming the challenges
In both security posture challenges briefly discussed above, many would probably say that the solution is simple: knowledge about the right solutions and best security postures. If people know what to do, they can prepare for the threats and correct their bad practices. This is easier said than done, though.
Similar to the case of a problematic body posture, it is easy to know what the right body posture is. The difficult part is applying the knowledge and sustaining the application.
Companies that seek to achieve optimum cybersecurity defenses need to commit resources, time, and effort to obtain the right tools and train employees about using security solutions and maintaining best practices. These cannot be achieved by occasional orientations or seminars that span a few days or weeks. An effective security posture is a lifelong commitment, something many will struggle with.
For most organizations, establishing a security posture that works requires a culture change. Organizations may need to have a change in perspectives on how to deal with cyber threats and develop a sense of urgency in investing in the right security tools and systems. Additionally, everyone in an organization should be compelled to embrace better systems, particularly the continuous nature of security validation.
With the right security tools and systems, correcting a bad security posture is not a difficult task. Systems that employ automation and artificial intelligence can expedite the detection, identification, remediation, as well as prevention of threats. The challenging part is the unending nature of the process. Sustaining the corrected security posture can be an ordeal for many.
Organizations need to evaluate the effectiveness of their security controls in perpetuity. What works now may no longer work in the future because of the rapidly evolving nature of cyber threats and the constantly upgrading skills of bad actors. Keeping up with all the threats and ceaselessly making sure that the cyber defenses remain effective will consume resources. Organizations need to be smart in choosing and implementing the right strategies and solutions.