Continuous security testing is the practice of challenging, measuring and optimizing the effectiveness of security controls on an ongoing basis, using automated testing tools, in order to continually identify new security gaps as they emerge, so they can quickly be fixed.
Also called “security effectiveness testing,” the objective of continuous security testing is to find out how effective an organization’s current security controls are, uncover new security gaps as soon as they arise, and repeatedly and frequently reduce an organization’s attack surface to constantly optimize its security posture. Using automated alerting and reporting, security teams can get the immediate actionable insights they need to take corrective measures.
Continuous security testing is performed using automated technology such as breach and attack simulation tools, with 28% of security professionals currently using BAS to test their security controls, according to a recent SANS Institute poll.
The Advantages of Continuous Security Testing
Echoing a general move from binary, point-in-time security decisions to a more continuous and adaptive approach to implementing information security strategy, continuous security risk assessments have emerged to address the reality of IT environments that are in constant flux, alongside a malscape that requires greater focus and resources on early detection and response, rather than relying primarily on prevention (see Gartner’s CARTA model).
By implementing continuous security effectiveness testing, organizations can better address the following:
- Daily emergence of new strains – New variants of ransomware, Trojans, cryptominers and cryptostealers surface every day, requiring preventive controls to be updated with the latest indicators of compromise (IoCs). Manually checking that these controls can block the latest phishing sites, infection points, C2 servers etc. is time consuming and not practical for larger organizations with distributed security estates. Continuous simulations of the latest threats’ IoCs means security teams can defend against them faster.
Figure 1: Continuous security testing helps defend against the latest threats faster
- Evolving stealth techniques – Preventive IoC-based controls are useless against signature-less and fileless attacks, making behavior-based detection tools, such as deception honeypots, EDRs and EUBA tools essential for their detection. But how do you know if your machine learning and AI-based solutions are effective against these threats? By continuously testing their effectiveness against simulated cyber attacks, organizations can continually fine tune these tools’ configuration settings to enable their faster detection.
- Frequent changes to the IT environment – Every day, IT environments change, whether it’s through deliberate network policy changes, the use of unvetted shadow IT, employees joining or leaving a company, or new software, hardware or virtual environments being deployed. Assessing the impact these changes may have on an organization’s security posture ahead of time, removes blind spots that may be discovered as unpleasant surprises.
- Limited manpower and budget – Continuous security effectiveness testing helps security leaders get the most out of their limited headcount and budget. By continually identifying gaps and prioritizing remediation efforts according to where exposure is highest, security teams can get more security for fewer dollars and man hours. Plus, by having the tools and knowhow to improve their security posture, organizations can start reducing their reliance on manual pentesting engagements, limiting them to conducting pinpointed exercises or regulatory compliance audits.
- State sponsored threat actors – Dozens of APT groups have been identified working for nation states for financial, political, and military gains. Equipped with zero-days that are found through research or purchased from private brokers, these groups have the money, time and skill required to carry out sophisticated, persistent attacks. By continually challenging security controls against techniques these groups are documented to have used, organizations can better position themselves for timely detection of these threats.
Figure 2: Continuous testing enables tweaking controls against state-sponsored APT groups
- External touchpoints and supply chain attacks - Consumer-facing portals, health information exchanges (HIEs), financial services interconnected through payment gateways and ACHs, and enterprises using shared collaboration tools—all present a measure of security risk to an organization’s security posture. Configuration testing, including testing controls, such as WAFs (to prevent a CapitalOne-style breach), email gateways, infrastructure controls that limit lateral movement, and others, is critical to reducing the cyber risk created from these touchpoints and preventing supply chain attacks.
How It Works
So how do continuous security posture assessments work? Using automated breach and attack simulation, security teams:
- Simulate cyber attacks across the full kill chain.
- Evaluate controls based on identified gaps.
- Remediate exposures using actionable insights.
- Repeat hourly, weekly, daily or whenever.
Figure 3: Continuous Security Testing in 4 Steps
Continuous Testing Against Continuous Threats
The latest string of ransomware hold-ups, business email compromises and state-sponsored APT campaigns require a shift in cyber security strategy. By continually challenging your security controls, uncovering their weak spots and tweaking them to improve their effectiveness, security teams can continually shrink their attack surface and improve their organization’s overall security posture.
To learn why organizations are moving to continuous security effectiveness testing, get your complimentary copy of Gartner’s report, titled How to Respond to the 2019 Threat Landscape.
Ready to explore automated security risk assessments using breach and attack simulation technology? Download the brochure, read about Testing Security Effectiveness with the MITRE ATT&CK™ solution brief, or sign up for a free trial today.