Do You Evaluate Your Security Controls?

Tony Mason | Breach & Attack Simulation, Enterprise Security

How Secure Is Your Security Posture?

With many now working from home and businesses changing, are you sure your security controls are robust enough? When checking your security posture, be sure to ask the right questions.

The only way to really see whether your security controls are working effectively is to test them. Many tools are available to do this. However, you first need to decide what you specifically want to know and how the findings are relevant to you right now; only then can you choose the best tool for the job.

Typically, security teams use various testing tools to evaluate their infrastructure. According to SANS, 69.9% of security teams use vendor-provided testing tools, 60.2% use pen-testing tools, and 59.7% use homegrown tools and scripts.

Pen Testing

Vendor-provided tools test a specific security solution, whereas pen testing is often used to check that controls meet compliance requirements, e.g. PCI DSS. Automated pen tests are good at showing you whether an attacker can get in, highlighting the vulnerable pathways. However, they don’t always cover the entire kill chain.

They can imitate many threat actor techniques and even different payloads. However, they typically don’t replicate and fully automate the complete Tactics, Techniques, and Procedures (TTPs) of a real threat actor.

Also, it is difficult to get consistent data from automated pen tests, because they rely on skilled human pen testers, who typically have varying levels of expertise.

Added to this, the sheer variety of pen-testing tools and approaches can really complicate testing; for example, different attack vectors require different testing tools. These tools also tend to be weak at recognising vulnerabilities in business logic, which can skew results.

Pen testing is costly and requires a significant amount of advance planning, so testing is often restricted to once or twice a year. In addition, organisations can still be slow to respond accurately to immediate threats even with automated pen tests, because pen testing takes time to scope, conduct, and analyse.

The SANS poll found that most respondents test their controls quarterly at best.

However, as we know, the real-world threat landscape is evolving every day. This means cyber criminals have lots of time to exploit any gaps or weaknesses in between each pen test.

Security Questions To Ask

According to Cymulate, if you want visibility into the effectiveness of security controls – right here, right now – you’ll have additional questions that pen testing cannot easily answer:

  • Are your controls working as they are supposed to work, and as you expect?
  • Are interdependent controls correctly generating and delivering the right data? For example, are your web gateway, firewall, and behaviour-based tools correctly alerting the SIEM when they detect suspicious activity?
  • Have configurations drifted over time or been set incorrectly? For instance, are controls actively detecting threats, or were they left in monitoring mode?
  • If you have rolled out new technology or settings, how have they affected your security posture?
  • Are controls able to defend against the newest threats and variants?
  • Does your security defend against the latest stealth techniques, such as living off the land (LOTL) fileless attacks by sophisticated attackers?
  • Do you have visibility into security outcomes that require both human processes and technology?
  • Is your blue team able to identify and respond effectively to alerts?
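The first three questions above (are controls working as configured, are they delivering alerts to the SIEM, and have they drifted into monitoring mode) are the ones a BAS run answers mechanically. The following is an added example, not Cymulate's code or any product's API: a minimal control-validation harness that runs a set of simulated attack steps against a table of controls, then judges each step on two axes, whether it was prevented and whether the expected alert reached the SIEM within a time window. Every control, test case and SIEM event is constructed sample data; the ATT&CK technique ids are real but the mapping of techniques to controls is assumed, and `SIEM_EVENTS` stands in for what you would query from a real SIEM.

```python
# Added example (not Cymulate's code): a BAS-style control-validation harness.
# Controls, test cases and SIEM events below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Control:
    name: str
    mode: str                 # "block", "monitor" or "off"
    coverage: frozenset       # ATT&CK technique ids the control has content for


@dataclass(frozen=True)
class TestCase:
    case_id: str              # local id of the simulated attack step
    technique: str            # MITRE ATT&CK technique id (assumed mapping)
    control: str              # control expected to stop or see the step
    expected_alert: str       # alert name the SIEM should receive for it
    fired_at: datetime        # when the step was simulated


@dataclass(frozen=True)
class SiemEvent:
    alert: str
    source: str               # control that produced the alert
    received_at: datetime


@dataclass(frozen=True)
class Verdict:
    case_id: str
    technique: str
    prevented: bool
    alerted: bool
    latency_s: Optional[float]
    status: str               # prevented | detect_only | blocked_silent | missed


def evaluate(case: TestCase, controls: Dict[str, Control],
             siem_events: List[SiemEvent],
             window: timedelta = timedelta(minutes=5)) -> Verdict:
    """Judge one simulated step: was it stopped, and did the SIEM hear about it?"""
    ctrl = controls[case.control]
    # Prevention needs content for the technique AND enforce ("block") mode;
    # a control left in "monitor" mode is the configuration drift to catch.
    has_coverage = ctrl.mode != "off" and case.technique in ctrl.coverage
    prevented = has_coverage and ctrl.mode == "block"

    # Alerting is checked end to end: right alert, right source, inside the
    # window after the step fired. Stale events from earlier runs do not count.
    matches = [e for e in siem_events
               if e.alert == case.expected_alert
               and e.source == case.control
               and case.fired_at <= e.received_at <= case.fired_at + window]
    alerted = bool(matches)
    latency = None
    if matches:
        latency = (min(e.received_at for e in matches) - case.fired_at).total_seconds()

    if prevented and alerted:
        status = "prevented"
    elif prevented:
        status = "blocked_silent"   # control worked, but its feed to the SIEM did not
    elif alerted:
        status = "detect_only"      # seen but not stopped: monitor-mode drift
    else:
        status = "missed"           # neither stopped nor seen: coverage gap
    return Verdict(case.case_id, case.technique, prevented, alerted, latency, status)


def run_simulation(cases, controls, siem_events) -> List[Verdict]:
    return [evaluate(c, controls, siem_events) for c in cases]


def summarise(verdicts: List[Verdict]) -> Dict[str, int]:
    """Count verdicts per status: the headline numbers for a posture report."""
    counts: Dict[str, int] = {}
    for v in verdicts:
        counts[v.status] = counts.get(v.status, 0) + 1
    return counts


# --- constructed sample data -------------------------------------------------
T0 = datetime(2020, 5, 1, 9, 0, tzinfo=UTC)

CONTROLS = {
    "web_gateway": Control("web_gateway", "block", frozenset({"T1105"})),
    "edr":         Control("edr", "monitor", frozenset({"T1059"})),  # drifted
    "firewall":    Control("firewall", "block", frozenset({"T1071"})),
}

CASES = [
    TestCase("c1", "T1105", "web_gateway", "WEB-MALWARE-DOWNLOAD", T0),
    TestCase("c2", "T1059", "edr", "EDR-SCRIPT-EXEC", T0 + timedelta(minutes=1)),
    TestCase("c3", "T1071", "firewall", "FW-C2-BEACON", T0 + timedelta(minutes=2)),
    TestCase("c4", "T1566", "web_gateway", "WEB-PHISH-LINK", T0 + timedelta(minutes=3)),
]

SIEM_EVENTS = [
    SiemEvent("WEB-MALWARE-DOWNLOAD", "web_gateway", T0 + timedelta(seconds=20)),
    SiemEvent("EDR-SCRIPT-EXEC", "edr", T0 + timedelta(minutes=1, seconds=45)),
    # the firewall blocked c3, but its log forwarding is broken: no event arrives
    SiemEvent("WEB-PHISH-LINK", "web_gateway", T0 - timedelta(days=1)),  # stale
]

if __name__ == "__main__":
    for v in run_simulation(CASES, CONTROLS, SIEM_EVENTS):
        print(f"{v.case_id} {v.technique:6} {v.status:14} latency={v.latency_s}")
    print(summarise(run_simulation(CASES, CONTROLS, SIEM_EVENTS)))
```

The four statuses map directly onto the questions in the list: `prevented` is the control working as expected, `detect_only` is a control left in monitoring mode, `blocked_silent` is an interdependent control that blocks but no longer reaches the SIEM, and `missed` is a coverage gap. Because the harness is deterministic over the same cases, re-running it hourly or daily gives the repeatable, comparable numbers that a one-off pen test cannot.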

Breach and Attack Simulation (BAS) Tools

Automated Breach and Attack Simulation (BAS) tools enable you to answer these questions.

BAS complements point-in-time testing to continually challenge, measure, and optimise the effectiveness of security controls. BAS is automated, allowing you to test as needed, and the best solutions assess controls based on the latest malware strains and threat actor TTPs—without having to assemble teams of security experts.

Organisations are using BAS to:

  • Simulate attacks without jeopardising production environments
  • Simulate attacks across the full kill chain against all threats, including the latest attacker TTPs
  • Test continuously with the flexibility to target specific vectors, infrastructure, and internal teams for awareness against the latest threats
  • Automate simulations for repeatability and consistency
  • Conduct testing at any time interval—hourly, daily, weekly, or ad hoc with results in minutes
  • Identify gaps and evaluate controls against the MITRE ATT&CK framework
  • Remediate security posture and the company’s exposure using actionable insights

As the threat landscape changes daily and the attackers continue to up their game, you and your executive team need assurance that controls across the kill chain are indeed delivering the protection you need – every day, every hour, or every moment.

Cymulate, Breach & Attack Simulation (BAS)

For a growing number of organisations, BAS is delivering the continuous security control and cyber risk assessment data needed to achieve that goal.

Cymulate is a Breach and Attack Simulation (BAS) platform that lets you protect your organisation at the click of a button. Operating thousands of attack strategies, Cymulate shows you exactly where you’re exposed, and how to fix it.

During the coronavirus pandemic, our security controls are currently more exposed, with much of the workforce working from home over home VPNs and with more distractions.

To help, Cymulate is currently offering 60 days’ free use of its licence, no strings attached. Please get in touch to take advantage of this offer and test your security now. It may bring up some surprises, but better earlier rather than later.

Tel: 01628 362 784  Email: