Now that we’re well into 2019, it’s clear that 2018 was by far the worst year for announced data breaches. While many ask the obvious questions (how, why, who, etc.), my team and I are focused on how to reverse this troubling trend. One area that we seem to be encountering is how to improve threat identification and mitigation in an effective and timely way. It’s a big topic given that the bad guys seemingly are always at least one step ahead of the good guys – stop me if you’ve heard that one before. One can argue that while security technologies have improved (thankfully), a major issue is choosing the appropriate one for your current and future needs from literally hundreds of options. On average, mid-size organizations have 1-2 dozen different security technologies in their environment and none of them communicate with each other. Consequently, it’s no surprise the good guys are at a disadvantage. So how can this be reversed?
Like most things in life, the answer is not quick & easy, and it often requires looking at things differently. “We can’t solve problems by using the same kind of thinking we used when we created them.” Immortal and insightful words from Albert Einstein. With that in mind, here are my three items that can help make your security posture better in 2019 and beyond:
1. Why Penetration Testing / Vulnerability Assessments are Not Enough
2. Integration, Integration, Integration
3. Automation, Automation, Automation
And a bonus one for those in application development:
4. Security Development Operations (SecDevOps)
This post will focus on #1 while the remaining items will be covered in subsequent postings. The first one is one of the areas I consider to be low-hanging fruit that organizations can start on ASAP. Penetration (pen) testing is expected to identify openings in an environment which could allow an attacker to execute nefarious activities. Most of you reading this have likely been involved in a pen test, reviewed the output and generated mitigation plans. What I am suggesting is that you rethink your pen test approach and see it from a different perspective. 2018 was the worst year for compromised data, and yet most, if not all, of those targeted organizations more than likely performed pen tests and still were breached. It’s my belief that the industry has treated pen testing as a ‘check box’, diminishing its value.
Security professionals’ opinions on penetration (pen) testing vary depending on approach, methods, targets, process and, lastly, how to mitigate discovered openings, etc. While many regulations, groups and best practice guidelines require that regular pen tests be performed, what EXACTLY is being ‘tested’ and what is being done with the data that is generated? How often are pen tests being performed? Wouldn’t it be better to also test the efficacy of your existing security posture? Meaning, wouldn’t you like to know how your AV, IPS, NGFW and UEBA systems would handle real-world attacks without exposing your data? This would greatly improve your awareness of potential openings for attackers, and it would also test the effectiveness of your security posture. Isn’t that better?
In conclusion, as good guys, let’s start looking at the same problems differently and maybe, just maybe, we can truly change the game against the bad guys. I guess Albert was a pretty smart guy – even before the Internet.