It's one thing to put a security validation program in place. It's another thing to ensure that your threat detection systems identify sources of potential breaches and their business impact and stop them before they take hold. Threat detection has been in the news following several major data breaches, like this summer's WannaCry attack. But why are defenders always playing catch up?
This is where security validation comes into play. Security validation means doing the due diligence to ensure that security defenses, technologies, processes and teams are effective enough to reduce the incidence of attack and avoid catastrophic impact. It is important to think about how both internal and external factors impact an organization's security posture and take active steps to plug the holes. Internally, an enterprise's largest attack surface is its employees who depend on computers and connected devices to do their jobs. Employees are the most likely and easily exploited threat vector today.
An enterprise must consistently test and validate the security of its products, tools and software that employees use to enable operations. Some of those components are suites like Microsoft Office, but also include all of the security products and solutions an enterprise employs. It's also critical to evaluate the performance of the security team itself — how effective is the team at monitoring, detecting, responding, restoring and remediating operations when there's an incident?
As the connected world becomes increasingly flat, the risk profile of enterprises has changed drastically from what we once understood it to be. We give external partners trusted access to resources and data. We integrate our network infrastructure with external vendors.
Validating the risk posture of a business and the performance of its security team and solutions make a significant impact on its ability to protect its critical assets. Once an enterprise is able to ascertain where potential vulnerabilities exist, it needs to look at the potential targets of the attacks – especially if it's a cloud-based organization. One of the top attack targets are cloud networks. How can an enterprise ensure its data is safe if it cannot actually put hands on the infrastructure where its data resides?
A common issue companies face today is the requirement to bring their own security to the cloud. However, that protection must be layered on – an enterprise cannot actually test the provider's own security on the infrastructure where its processes run. Most cloud service providers hire third-party assessment firms to test their services via a representative environment that allows for simulated tests that do not affect production servers and customers. It's critical that potential cloud users looking at hybrid or public/direct cloud service providers ask to see the results of such assessments. Question the providers on the level that they go to on those assessments and how often assessments happen. Not all assessments, are created equal and an automated scan is not the same thing as a directed penetration test.
After a year of major breaches, it feels like we are returning to the computing environment of the 1990s. Back then the Internet was very flat - when a virus was released, it spread like wildfire infecting entire swaths of users. Today we have more complex and robust defensive capabilities. But the threat landscape is moving just as quickly as it was more than 20 years ago during the infancy of the cybersecurity industry we know today.
We already see an increase in the availability of sophisticated weaponized code to the general public. The code is very well built by a handful of professionals that have the skill set to create powerful attacks. We will see that many enterprises are not prepared and their defenses insufficient. The attacks that hit might not target a specific payload. An organization just has to have enough overlap with the intended target – an application or type of data the attack is targeting - that it becomes collateral damage. Validation can play a critical defensive role in this scenario.
The WannaCry attack is a perfect example. It suddenly hit transportation and logistics organizations and took down hospitals and healthcare networks with great speed and efficiency. Some experts believe it was weaponized code that had gone beyond its original intent. But what's most worrisome in the wake of this attack is that future threats will not be as obvious. It is becoming more important for enterprises to ensure that they lock down vulnerabilities as quickly as possible. You cannot foresee every attack, but you can take action to prepare for tomorrow's threats.