Traditional security validation is a complex task that involves a series of tests to determine if controls are working as they are meant to do. It is a meticulous process that can serve the intended purposes. However, at the rate cyber attacks are increasing and evolving, organizations cannot afford to settle with what is traditional or conventional.
There is no scarcity of bad actors that will keep trying to defeat the security systems. Every day new attacks are launched particularly zero days and attempts to exploit vulnerabilities, misconfigurations, loose access rules, bugs in software updates, and other weaknesses. This is why there is a need for continuous security validation.
What continuous security validation means
As the phrase implies, continuous security validation entails a virtually unending testing of security controls. It does not mean that the process keeps running every second of the day, though. “Continuous” here is more of a contrast to a one-time or periodic security testing routine.
Continuous security validation includes many of the components of traditional validation, but it takes things a notch higher by assuming the perspective of a persistent cyber attacker. Hackers and other cybercriminals ceaselessly attempt to break through security defenses, so continuous security validation is there to provide an effective counteraction.
The continuous security validation process
Continuous security validation is the step that follows after an organization has already established its security system, hired security professionals or a third-party solution provider, installed monitoring devices and security tools, produced control libraries, and trained IT employees and other related personnel. It focuses on knowing if the security controls are working and finding out what parts of the security system require improvement or replacement.
Without security validation, organizations would not know if their systems work as intended unless an attack actually happens. Likewise, they would not know if tweaks, adjustments, or changes are needed if no attack is detected and dealt with. As such, testing and simulations are undertaken.
In the case of continuous security validation, the tests do not stop with a single or a few sets of tests and results. The process is repeated to continuously keep track of the state of security controls. This meticulous and repetitive task results in the measurement of threats. It provides security professionals a better grasp of the security situation.
How to undertake continuous security validation
As mentioned, continuous security validation is all about testing security controls and determining if changes are needed to improve a weak system or plug vulnerabilities. Companies can do these by developing their bespoke systems from the ground up. They can source information about the most recent threats and then formulate commands to simulate attacks and other potential cyber threats.
Also, there’s the easier option to use a third-party continuous security validation solution. Several cybersecurity companies offer easy-to-deploy and ready-to-use systems to allow organizations to perform security validation without having to through all the technical matters.
These continuous security validation systems are available in software-as-a-service (SaaS) or on-premises versions. SaaS systems require no installation and tedious configurations. All the tools can be readily accessed by simply logging in to the SaaS platform. In contrast, on-premises solutions necessitate the installation of a client software on the devices that will be subjected to the testing.
Regardless of the system used, there is a crucial component that all continuous security validation systems should have: the information about the threats. Organizations can regularly visit open source threat information resources or they can turn to automated systems that readily present the latest threats along with tools to initiate quick assessments. Those that use third-party solutions may have access to automatically updated threat intelligence.
Cymulate’s Immediate Threat Intelligence dashboard
Continuous security validation can use automation, but human involvement is often needed to oversee the whole process. Even with SaaS-based security validation platforms, someone has to interact with the dashboard and direct the simulation and testing.
In a webinar on breach and attack simulation, Larry Ponemon, Chairman and Founder of Ponemon Institute, said that 60 percent of organizations implement daily or weekly changes to their security controls, while 67 percent consider it important to do a test to determine if the changes made have resulted in security gaps.
Continuous security validation is something many organizations are already doing. However, as the Ponemon webinar reveals, only 22 percent rate their level of confidence on their security system as high. It would help to know best practices to achieve a certain degree of confidence.
One of the best practices enterprises should consider is the adoption of MITRE ATT&CK™, a leading framework for implementing and executing security validation. Through this framework, it becomes easier to take on the mindset of an adversary that is trying to breach the cyber defenses of an organization through multiple attack vectors. The framework provides a comprehensive library of information and resources on real-world cyber attacks.
Continuous security validation is not easy, but there are already existing tools that can make the job less cumbersome. MITRE ATT&CK™, for one, provides a multitude of techniques with which organizations can build customizable attack simulation templates and conduct reliable tests.
Another practice that merits consideration is the use of customized and automated security validation. Organizations do not have to develop their own custom validation systems from scratch, though. They can use enterprise solutions like the Purple Team module developed by Cymulate. This MITRE ATT&CK™-aligned module simplifies the process of creating, executing, and analyzing security assessments.
Screenshot of Cymulate’s Purple Team module
Avihai Ben-Yossef, Co-Founder and Chief Technology Officer at Cymulate, says the use of an open platform “provides the simplest route to test the most sophisticated cyber attacks found in the wild on production environments in an extremely cost-effective manner.” This is something the Purple Team module delivers without necessitating skilled security experts to manage the tool’s operation.
Benefits of continuous validation
Why should companies undertake continuous security validation? Is traditional validation not enough? Unfortunately, it is necessary to go beyond conventional security validation given the accelerating frequency and complexness of cyber threats.
Continuous validation provides the benefit of increased cyber resiliency through frequent testing. Additionally, it is generally more effective in preventing specific and more recent attack vectors. Because of the frequency of testing involved, the newest vulnerabilities, attacks, and weaknesses rarely escape detection.
Moreover, continuous security validation helps in the development of an organizational cyber threat model that is focused on higher risk areas and crucial information assets. The process facilitates a methodical analysis of security observations to yield insights that support the development of robust threat models and effective simulations.
Continuous security validation provides compelling benefits that are not possible with traditional security testing. It does not necessarily make conventional testing obsolete, but it offers several advantages that make it the logical choice for businesses and organizations. Also, with the help of a new framework, continuous security validation can become even more effective and efficient