Organisations detect only a quarter of cyber attacks, on average, leaving them exposed and vulnerable.
There is more to robust cybersecurity than just bolstering your organisation’s defences with extra layers of protection. It is also vital to validate your security capabilities by regularly testing and optimising those defences against the latest threats.
As the threat of ransomware escalates, both in the likelihood of an attack and the severity of its impact on an organisation, it is becoming a clear business risk rather than just an IT risk. This means the risk must be addressed in the boardroom rather than just in the server room.
Rather than requesting that their IT and security teams “tell me we’re secure”, executives should be insisting they “show me we’re secure”, said Scott Deacon, senior director at Mandiant Consulting, FireEye.
The process needs to focus on security effectiveness and measured outcomes, Deacon said, taking an objective and prescriptive approach.
“Rather than just asking for reassurances, you need to see the objective empirical evidence,” he said. “They need to show you: are your security tools and people prepared, are you spending money in the right places and are you improving against clear metrics?
“We often see the wash up of organisations which have fallen prey to a cyber attack and, looking at their plethora of tools which failed to protect them, they finally realise that they lacked a clear and easy way to define their security effectiveness.”
While allowing organisations to strengthen, refine and optimise their cyber defences, security validation also allows them to detect and rectify misconfigurations. They can also ensure that the appropriate security alerts are triggered during an event and issued to the correct areas of the business such as the operations centre.
“Just pointing out what is broken or needs to be improved is only part of the value proposition of security validation,” Deacon said.
“A robust platform like Mandiant Security Validation doesn’t just flag what needs to be fixed, it actually tells you how to fix it so you can immediately reduce your exposure to that risk.”
Some organisations already evaluate their security effectiveness through exercises such as penetration testing and “red-teaming” cybersecurity drills which simulate a real attack while role-playing both attackers and defenders.
While such security testing can yield useful insight, penetration testing and red teaming tend to be one-off exercises and very myopic in their scope. One of the advantages of tools such as security validation is that these exercises can be automated, continuous and far more extensive while incorporating details of the very latest security threats and infiltration techniques.
Rather than limiting organisations to walking through a handful of scenarios in time-consuming red-teaming exercises, a security validation platform lets them test their environment against hundreds of scenarios.
Such platforms allow organisations to measure both their technical controls and operational effectiveness, Deacon said, presenting an end-to-end view of security all the way through to critical business assets.
“These tools can safely emulate the real attack, based on the very latest malware and attack vectors, from the scourge of ransomware to the most sophisticated cyber attacks from nation states,” he said.
“Security validation stresses your security platform in a way which demonstrates whether what you have in place is actually up to the task, plus it can also map improvements so you can see the impact of changes and track your progress.”
As IT and security departments are asked to do more with less, security validation is also a powerful tool for performing an ROI analysis to determine which technical controls are failing to operate and deliver value, are duplicated or are redundant.
Events such as upgrades and cloud migrations, along with mergers and acquisitions, can leave organisations with a tangle of legacy security controls. This makes it difficult to determine whether their cybersecurity budget allocation is optimal and in alignment with the needs of the business.
Rather than wait for scheduled cybersecurity evaluations, security validation tools can make such calculations daily to automatically flag issues of residual risk and potential areas for improvement.
This level of insight puts some “meat in the sandwich” around requesting changes in security budget allocations, Deacon said.
“Getting back to the idea of red teaming, security validation gives you visibility into exactly how you’ve deployed your limited forces and whether you’ve left yourself vulnerable on some fronts,” he said.
“At FireEye we’re the incident response team which organisations call on to put out the flames but, I guarantee you, if they had applied security validation tooling and seen the weaknesses in their defences beforehand they could have thwarted the incident before it even started.”