How do you know whether you will detect, prevent, or respond appropriately to malicious cyber activity? How do you know whether you are doing it well? These seem like fundamental questions that get to the heart of cybersecurity, yet most organizations have no idea. Even those with great security products and strong compliance scorecards cannot say with confidence that the answer to either question is yes.
Consider a recent example from a large government organization. They had it all: the best technology, great compliance scores, and significant resources applied to the cybersecurity mission. We conducted a basic test of their Data Loss Prevention (DLP) solution and they failed, miserably. A misconfiguration had not only left the solution in passive mode; worse, it was still generating block notifications, giving the security team a false sense of security. They had no idea; they were blind to it. Some would call it cybersecurity malpractice to spend roughly $25M (their annual budget) and not know whether the solutions you bought, installed, and operate are actually working. Unfortunately this is not uncommon, because until now there has not been a good way to instrument and test cybersecurity.
Some organizations conduct penetration testing and Red Teaming routinely. This is a step in the right direction, but the findings are often not addressed, which is probably why Red Teams continue to have a success rate approaching 100% in reaching key organizational data. Further, Red Teams are expensive, and their results describe a single snapshot in time. Until these results are consistently reversed across our critical systems and infrastructure, we should continue to assume that our nation is at risk.
A Useful Approach
So what to do? First, it helps to have a framework. I come from a military background. Traditionally, the military prepares for war by training, conducting exercises, making improvements, responding to intelligence, and conducting research and development. This produces readiness and an explicit awareness of its ability to carry out its mission. The same cycle of preparing, exercising, and evaluating is critical for knowing whether your security investment is working.
Within this framework, penetration testing is a useful way to identify and score your organization's security capabilities. The results show how your people, processes, and technology respond to malicious activity. New capabilities on the market facilitate penetration testing of the cybersecurity stack and give specific feedback on how and why your security is not working. You use those results to tune the settings of your security products, then retest. Security Instrumentation Platforms such as Verodin provide a way to test the effectiveness of your security solutions comprehensively, automatically, and continuously.
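The test/tune/retest loop just described, and the DLP failure recounted earlier, are easier to reason about with a concrete harness in hand. What follows is an added example, not code from the original post and not anything from Verodin or any DLP vendor: a small Python validation script in which the gateway (`DLPGateway`), the probe record, and the log lines are all constructed stand-ins. It demonstrates the point the anecdote makes: score a control by the observed outcome (did the probe actually leave?) cross-checked against what the control reported, instead of trusting the notification alone.

```python
"""Toy control-validation harness (added example; all names are hypothetical).

A probe containing a fake sensitive record is sent through a stand-in DLP
gateway, and the verdict is derived from what reached the outside sink,
cross-checked against what the gateway logged.
"""
import re
from dataclasses import dataclass, field

# Constructed probe: a clearly fake record that a US-SSN DLP rule should match.
PROBE = "VALIDATION-PROBE employee record: SSN 123-45-6789"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class DLPGateway:
    """Hypothetical stand-in for a DLP egress control (not a real product's API).

    mode:                      "block" enforces; "monitor" is passive and only alerts.
    report_blocks_in_monitor:  the misconfiguration from the anecdote: in monitor
                               mode the gateway still emits "action=BLOCK" entries.
    rule_enabled:              whether the SSN rule is loaded at all.
    """
    mode: str = "block"
    report_blocks_in_monitor: bool = False
    rule_enabled: bool = True
    log: list = field(default_factory=list)        # what the console would show
    delivered: list = field(default_factory=list)  # what actually left the network

    def send(self, payload: str) -> None:
        matched = self.rule_enabled and bool(SSN_RE.search(payload))
        if matched and self.mode == "block":
            self.log.append("action=BLOCK rule=ssn")
            return                                  # payload never reaches the sink
        if matched:                                 # passive mode: log, then pass
            action = "BLOCK" if self.report_blocks_in_monitor else "ALERT"
            self.log.append(f"action={action} rule=ssn")
        self.delivered.append(payload)


def validate(gateway: DLPGateway, payload: str = PROBE) -> str:
    """Score one probe by observed outcome, cross-checked against the log.

    Verdicts:
      prevented           probe did not leave and a block was reported
      prevented-unlogged  probe did not leave but nothing was reported
      false-block-report  probe left, yet the console claims it was blocked
      detected-only       probe left and an alert fired (passive mode)
      missed              probe left and nothing was logged
    """
    gateway.log.clear()
    before = len(gateway.delivered)
    gateway.send(payload)
    exfiltrated = len(gateway.delivered) > before
    claimed_block = any("action=BLOCK" in line for line in gateway.log)
    alerted = any("rule=ssn" in line for line in gateway.log)
    if not exfiltrated:
        return "prevented" if claimed_block else "prevented-unlogged"
    if claimed_block:
        return "false-block-report"
    if alerted:
        return "detected-only"
    return "missed"


def run_suite() -> dict:
    """Run the same probe against several configurations, as a test/tune/retest
    loop would, and return the verdict for each."""
    configs = {
        "enforcing": DLPGateway(),
        "passive": DLPGateway(mode="monitor"),
        "passive-but-reports-blocks": DLPGateway(mode="monitor",
                                                 report_blocks_in_monitor=True),
        "rule-disabled": DLPGateway(rule_enabled=False),
    }
    return {name: validate(gw) for name, gw in configs.items()}


if __name__ == "__main__":
    for name, verdict in run_suite().items():
        flag = "" if verdict == "prevented" else "  <-- act on this"
        print(f"{name:28s} {verdict}{flag}")
```

Run it and the "passive-but-reports-blocks" configuration is flagged even though its console output is identical to the enforcing one; that gap between reported and observed outcome is exactly what a test against the control, rather than a review of its dashboard, surfaces. In a real deployment the sink would be an external endpoint you control and the log would be pulled from the product's API or your SIEM, but the scoring logic is the same.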
Bottom line: if you're not testing, you don't know whether your security is good or bad (hint: it's usually bad). If you don't know the actual gaps, you can't make improvements. And if you're not making your security better, you will remain blind to the malicious activity threatening your mission.