Building the case for Security Validation

Image credit: USA Today

Events of the last month have shown that, despite best efforts and assumptions on how well protected corporate networks are, damaging Ransomware attacks and other cyber threats, continue to wreak havoc on companies and organisations in all industry sectors.

Just in the last month, we have seen crippling Ransomware attacks on Colonial Pipeline, the Irish Health Service, the University of Portsmouth, and many others.  In most, if not all, of these cases, the IT and information security teams will undoubtedly have told their management teams and oversight Boards, that they had invested in adequate security controls and that they conduct regular penetration testing.

So, it begs the question: why are corporate networks still so vulnerable to these attacks?  The answers to this are probably wide ranging, but one consistent theme is an assumption that corporate networks are protected because certain security controls are in place already.  This, however, ignores the fact that most security controls, like firewalls, endpoint security solutions, email filters, etc. require constant tuning and re-configuration in order to be able to detect and protect against the latest threats.

For many organisations, this re-tuning either does not happen or happens after periodic point-in-time testing, like after a penetration test.

Security Validation
What is needed is continuous security validation.  A vendor-independent approach providing CISOs and incident response teams with impartial data on the current level of effectiveness of the company’s security controls against various cyber threats.

Breach and Attack Simulation tools provide this kind of impartial data by safely simulating offensive attack methods (often, mapped to MITRE tactics, techniques, and procedures) on a continuous basis, to provide information security and risk assurance teams with data showing in reality, how effective their defences are at protecting, detecting and responding to cyber threats.

Elasticito are specialists in validating security control configurations using breach and attack simulation.  If you feel that you could be considering security validation in your information security strategy, please get in touch with us to discuss the options available to you.