Five ways to lock down security control validation

SC StaffNovember 12, 2020
An S3 bucket misconfiguration last summer caused Twilio users to load an extraneous URL on their browsers that has been associated with the Magecart attacks. Today’s columnist, Chris Kennedy of AttackIQ, offers tips for how security pros can use security control validation to offset misconfigurations or process problems. (Credit: CC BY 2.0)
  1. Fine-tune existing security controls. A cybersecurity program consists of a complex ecosystem of people, processes, and technologies that work on detection and security operations. Our research has found that 82 percent of enterprise breaches should have been stopped by existing security controls but weren’t. Security fails because of misconfigurations or user error, and four out of five successful attacks leverage control failures or process problems at the victim organization. Successful security requires continuous validation; absent continuous validation, the program won’t work. Especially as threats evolve. 
  2. Periodic compliance audits and red-team tests are insufficient; what’s needed are regular automated security control tests.  Historically, organizations have invested in compliance audits and red team testing to validate their security effectiveness. Companies can’t rely on a  once-a-year process focused on checking certain boxes to meet compliance requirements and determine security effectiveness. Irregular audits and manual tests cannot achieve the scale and scope required to provide real performance data and achieve optimum cybersecurity. Instead, security teams should aim to conduct regular, automated security control tests across the organization to ensure that security controls work consistently as intended. Each organization will have its own specific requirements depending on its risk tolerance, but an automated testing platform can validate security controls as frequently as the organization requires. This includes hourly or more. 
  3. Take advantage of the MITRE ATT&CK framework. For years the security community held back on sharing threat information either because of intelligence classification or competitive constraints. The MITRE ATT&CK framework changed all of that in 2015 by offering the cybersecurity community a single repository of threat actor behavior. The ATT&CK framework operates as a globally-available, free, open framework of known adversary tactics, techniques and procedures. It offers a clear baseline of adversary behavior, eliminating fear, uncertainty, and doubt. Security professionals leverage MITRE’s insights to simulate attacker behavior in real-world scenarios and evaluate their security effectiveness against known threats. Governments all over the world use the framework to focus cyberdefenders on the threats that matter most. 
  4. Deploy automated breach and attack simulation tools. Manual red-teaming demands significant time from highly skilled staff, too much to occur at the frequency required for true security effectiveness. That’s why breach and attack simulation tools have grown in popularity. The best products automate scenario-based security testing to find weaknesses and control failures in the security infrastructure. If a new application or a configuration unexpectedly opens a gap in the company’s defenses, security teams can discover it in a timely manner through regular testing. Once the security team becomes aware of such a weakness, they can take steps to eliminate it. 
  5. Look for tools that scale and work in a production environment. A strong platform needs to deliver visibility into people, process, and technology effectiveness throughout a security organization. What does that demand from a product? First, it needs to scale across an enterprise. Second, the product needs to work in a production environment; a lab setting never functions as a precise replica of the actual systems the company needs to protect. Third and finally, security teams need an open and adaptable platform for new testing content as the company incorporates new threat information (from internal intelligence or external threat feeds). Absent any of these criteria, the investment will falter.