For the uninitiated, “security validation” is the testing of security controls: testing is used to determine whether controls actually work the way they are designed to. It’s a process that requires meticulous organization, attention to detail, and expertise in cybersecurity principles and threats.
When done right, security testing significantly reduces the chances of falling victim to disruptive cyberattacks.
Cybersecurity will never be perfect. There is no assurance that it will be 100 percent effective in detecting and preventing attacks. However, this is definitely not a reason to do nothing about it. Failing to undertake security validation is both misguided and dangerous.
Security validation and cybersecurity are complex. They cannot be reduced to a simple yes-or-no question; there are nuances to take into account. Getting the most out of security validation requires a thorough understanding of how it works and what it should achieve. Listed below are four things to keep in mind.
1. Periodic testing is not enough.
The pace of cyberattack evolution is dizzying. Cyber defenses that work now may no longer work a few months, weeks, or even days later. Cybercriminals constantly find creative ways to bypass security measures or exploit vulnerabilities.
A report from the Government Accountability Office (GAO) warns the U.S. government about grave and rapidly evolving threats in cyberspace. You know the situation has become critical once the government has become involved.
Acknowledging the seriousness of the rapid cyber threat evolution, security firms have developed advanced solutions to cover their bases in real time. They have developed and implemented more sophisticated security testing systems that include continuous security validation. These systems scan for attacks, detect them promptly, and make sure that they are contained or mitigated before they escalate.
Continuous testing can be resource-intensive and time-consuming. However, with new cybersecurity processes such as automated penetration testing, the testing process becomes highly efficient with minimal human involvement. Many systems now rely heavily on machine learning and AI such that the detection of malicious activities and signs of a possible attack is automated. Continuous monitoring by a human cybersecurity analyst becomes unnecessary.
It does not take long for a lot of damage to occur between security checks. One cybersecurity study examined cyber threat possibilities and revealed that a minute is long enough to compromise 16,172 records. It boggles the mind to consider what can happen when attacks are undetected and faults in the security controls remain hidden.
2. Testing also addresses human behavior.
Bad actors do not exclusively create new technologies or methods to beat cybersecurity solutions. They also take advantage of human behavior. Many companies still become victims of phishing and other social engineering attacks because of human error.
Sensible security validation must pay attention to the human factor.
Cybersecurity training sessions are important, but they are not enough. Just because employees have completed their cybersecurity orientation or seminars does not mean that they are unlikely to fall for deceptive cyberattacks. Security controls against phishing, baiting, scareware, ransomware, pretexting, and other similar or related attacks need to be fully tested to make sure they serve their purpose.
For example, an employee might fail to exercise caution and decide to turn off the web application firewall, or open a specific port to enable access to a supposedly harmless web service. At that point, security validation procedures can flag such a change as an incident, and IT security managers have the tools they need to respond at once.
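The scenario above (a disabled web application firewall, a port opened for a convenient internal service) is exactly what a continuous control-state check catches between scheduled tests. The following is an added example, not code from the original article: it compares an observed snapshot of control state against an approved baseline and emits a finding for every deviation. The baseline, the snapshot, and the control names (`waf`, `edr_agent`, `allowed_inbound_ports`) are constructed for illustration; a real deployment would populate them from the products' own APIs.

```python
"""Continuous validation of security-control state: compare an observed
snapshot against an approved baseline and flag drift.

Added example, not code from the original article. The baseline, the
observed snapshot and the control names are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed approved baseline: what the controls are supposed to look like.
BASELINE = {
    "waf": {"enabled": True, "mode": "block"},
    "edr_agent": {"enabled": True},
    "allowed_inbound_ports": {22, 443},
}

# Constructed observed snapshot: an operator disabled the WAF and exposed
# port 8080 for a "harmless" internal web service.
OBSERVED = {
    "waf": {"enabled": False, "mode": "block"},
    "edr_agent": {"enabled": True},
    "allowed_inbound_ports": {22, 443, 8080},
}


@dataclass(frozen=True)
class Finding:
    control: str
    severity: str
    detail: str


def check_drift(baseline: dict, observed: dict) -> list[Finding]:
    """Return one Finding per deviation from the baseline.

    Controls missing from the snapshot are reported too: a control that
    stopped reporting is indistinguishable from one that was removed.
    """
    findings: list[Finding] = []
    for control, expected in baseline.items():
        actual = observed.get(control)
        if actual is None:
            findings.append(Finding(control, "high", "control absent from snapshot"))
            continue
        if control == "allowed_inbound_ports":
            # Set-valued control: report additions and removals separately.
            extra = sorted(actual - expected)
            missing = sorted(expected - actual)
            if extra:
                findings.append(Finding(control, "high", f"unexpected open ports: {extra}"))
            if missing:
                findings.append(Finding(control, "medium", f"expected ports closed: {missing}"))
            continue
        # Key/value control: compare each expected setting.
        for key, want in expected.items():
            got = actual.get(key)
            if got != want:
                # A protective control that was switched off is the worst case.
                sev = "high" if key == "enabled" and want and not got else "medium"
                findings.append(Finding(control, sev, f"{key}={got!r}, expected {want!r}"))
    return findings


def main() -> None:
    for f in check_drift(BASELINE, OBSERVED):
        print(f"[{f.severity.upper()}] {f.control}: {f.detail}")


if __name__ == "__main__":
    main()
```

Run on a schedule (or on every configuration change event), this turns a one-off audit into the continuous check the article argues for; the interesting design choice is treating a control that has gone silent as a finding rather than as "no data".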
3. Cyber threat intelligence is crucial.
Security validation relies on dependable and up-to-date cyber threat intelligence. This information guides the system in identifying threats and implementing remediation and mitigation actions. As such, it’s crucial to choose a security validation platform from a reputable security firm, one with a proven track record for detecting issues and collecting the latest updates about threats and attacks.
It helps when a security testing platform also integrates the MITRE ATT&CK framework. This is a globally accessible knowledge resource on adversary tactics and techniques derived from real-world observations as contributed by various cybersecurity professionals, companies, and institutions. The framework helps security teams in detecting, identifying, and responding to cyberattacks.
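One concrete way a testing platform uses ATT&CK is to tag each validation test with the technique it exercises and then report which techniques the controls blocked, detected, or missed. The following is an added example, not code from the original article or from any particular platform: it maps constructed validation results to ATT&CK technique IDs and reports coverage per tactic along with the gaps. The technique IDs are real ATT&CK identifiers, but the subset, the single "primary" tactic assigned to each (several of these techniques belong to more than one tactic in the framework), and the test outcomes are all constructed for illustration.

```python
"""Map security-validation results to MITRE ATT&CK technique IDs and report
coverage and gaps per tactic.

Added example, not code from the original article. The technique subset,
the one-tactic-per-technique mapping and the test outcomes are constructed.
"""
from collections import defaultdict

# Constructed subset of ATT&CK techniques with one primary tactic each.
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1078": ("Valid Accounts", "initial-access"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1110": ("Brute Force", "credential-access"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Constructed validation results: (technique, control under test, outcome).
# Outcome is "blocked", "detected" or "missed".
RESULTS = [
    ("T1566", "mail-gateway", "blocked"),
    ("T1566", "user-report-button", "detected"),
    ("T1078", "mfa-policy", "blocked"),
    ("T1059", "edr", "detected"),
    ("T1110", "lockout-policy", "missed"),
    ("T1021", "edr", "missed"),
    ("T1486", "backup-immutability", "blocked"),
    # T1041 has no result at all: it was never exercised.
]

GOOD = {"blocked", "detected"}


def outcomes_by_technique(results):
    """Collect the set of outcomes observed for each technique."""
    out = defaultdict(set)
    for tid, _control, outcome in results:
        out[tid].add(outcome)
    return out


def coverage_by_tactic(techniques, results):
    """Return {tactic: (covered, total)}; a technique counts as covered when
    at least one test against it was blocked or detected."""
    outcomes = outcomes_by_technique(results)
    summary = defaultdict(lambda: [0, 0])
    for tid, (_name, tactic) in techniques.items():
        summary[tactic][1] += 1
        if outcomes[tid] & GOOD:
            summary[tactic][0] += 1
    return {t: tuple(v) for t, v in summary.items()}


def gaps(techniques, results):
    """Return techniques that were only ever missed or never tested.

    Confirmed misses come first (a control was exercised and failed), then
    untested techniques (coverage unknown), each group ordered by ID.
    """
    outcomes = outcomes_by_technique(results)
    found = []
    for tid, (name, tactic) in techniques.items():
        if not outcomes[tid]:
            found.append((tid, name, tactic, "untested"))
        elif not outcomes[tid] & GOOD:
            found.append((tid, name, tactic, "missed"))
    return sorted(found, key=lambda g: (g[3] != "missed", g[0]))


def main():
    for tactic, (covered, total) in coverage_by_tactic(TECHNIQUES, RESULTS).items():
        print(f"{tactic:18} {covered}/{total}")
    for tid, name, tactic, status in gaps(TECHNIQUES, RESULTS):
        print(f"GAP {tid} {name} ({tactic}): {status}")


if __name__ == "__main__":
    main()
```

The distinction between "missed" and "untested" is the useful part: a missed technique is a known control failure to remediate, while an untested one is a blind spot in the validation plan itself.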
It’s not necessary for businesses to run their own comprehensive cyber threat intelligence teams. What’s important is that they keep abreast of the latest threat and attack information. Security personnel must subscribe to authoritative security update sources. These should include government agencies, major security firms, open-source knowledge bases, and cybersecurity sharing groups and forums.
4. Unifying security testing and controls leads to greater security visibility.
Companies that source all of their security solutions from a single vendor are extremely rare. Using different kinds of solutions from different security firms is the norm across industries worldwide. This diversity of security controls can be positive, as it avoids the possibility of losing everything due to the failure of one security provider.
However, this diversity also creates weaknesses. The use of several security solutions brings with it the potential for problems.
For example, it can be difficult to monitor all of the security solutions employed in an organization. This leads to the possibility of not updating some of the software or failing to see security incident alerts. Also, the security software itself can harbor security issues. Quality analysis software is often the main culprit.
Security validation helps address these problems by unifying security solutions under a single dashboard. This allows security teams to comprehensively examine and monitor security events and respond to them accordingly. A unified view of security alerts and testing results allows security teams to troubleshoot or improve defenses with a clear view of the problems and possible solutions.
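The practical core of a "single dashboard" is normalization: every product reports alerts in its own format and severity scale, and nothing can be compared or prioritized until they share one schema. The following is an added example, not code from the original article or any vendor: it parses two constructed feeds (a JSON-lines feed from a hypothetical "vendor A" and a syslog-style key=value feed from a hypothetical "vendor B") into one `Alert` record, orders them by normalized severity, and shows which hosts have alerts from more than one product. Both formats, the field names, the severity scale mapping, and the sample alerts are constructed; real products need their own adapter in place of each parser.

```python
"""Normalize alerts from several security products into one schema so they
can be viewed and triaged together.

Added example, not code from the original article. Both input formats, the
vendor names, the field names and the sample alerts are constructed; the two
parsers stand in for vendor-specific adapters.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample feed from "vendor A": one JSON object per line.
VENDOR_A_LINES = [
    '{"ts": 1700000000, "sev": "critical", "asset": "web-01", "msg": "WAF policy disabled by admin"}',
    '{"ts": 1700000060, "sev": "low", "asset": "web-01", "msg": "TLS cert expires in 20 days"}',
]

# Constructed sample feed from "vendor B": syslog-style key=value pairs with
# a numeric 0-9 level instead of a named severity.
VENDOR_B_LINES = [
    "time=2023-11-14T22:13:25Z level=7 host=web-01 event=port_opened port=8080",
    "time=2023-11-14T22:14:05Z level=3 host=db-02 event=agent_heartbeat_missed",
]

# The common severity scale every feed is mapped onto, lowest first.
SEVERITIES = ("info", "low", "medium", "high", "critical")


@dataclass(frozen=True)
class Alert:
    ts: str        # ISO 8601, UTC
    vendor: str
    severity: str  # one of SEVERITIES
    host: str
    summary: str


def parse_vendor_a(line: str) -> Alert:
    """Vendor A already uses named severities; only the timestamp needs converting."""
    rec = json.loads(line)
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat()
    return Alert(ts, "vendor-a", rec["sev"], rec["asset"], rec["msg"])


def parse_vendor_b(line: str) -> Alert:
    """Vendor B's 0-9 level is folded onto the five-step common scale."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    level = int(kv["level"])
    severity = SEVERITIES[min(level // 2, len(SEVERITIES) - 1)]
    ts = datetime.strptime(kv["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).isoformat()
    summary = kv["event"] + (f" port={kv['port']}" if "port" in kv else "")
    return Alert(ts, "vendor-b", severity, kv["host"], summary)


def unify(a_lines, b_lines) -> list[Alert]:
    """Merge both feeds, highest severity first and oldest first within a severity."""
    alerts = [parse_vendor_a(l) for l in a_lines] + [parse_vendor_b(l) for l in b_lines]
    return sorted(alerts, key=lambda a: (-SEVERITIES.index(a.severity), a.ts))


def hosts_with_multiple_vendors(alerts) -> dict[str, set[str]]:
    """Hosts on which more than one product raised an alert: the kind of
    cross-vendor corroboration that only a unified view makes visible."""
    by_host: dict[str, set[str]] = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.vendor)
    return {h: v for h, v in by_host.items() if len(v) > 1}


def main() -> None:
    alerts = unify(VENDOR_A_LINES, VENDOR_B_LINES)
    for a in alerts:
        print(f"{a.ts} {a.severity:8} {a.vendor:9} {a.host:7} {a.summary}")
    print("corroborated hosts:", hosts_with_multiple_vendors(alerts))


if __name__ == "__main__":
    main()
```

With the two feeds merged, the WAF being disabled and a new port opening on the same host land next to each other at the top of the list, which is the visibility the unified view is meant to provide; viewed per product, each would have been one alert among many.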
Security Validation Is Constantly Evolving
In the past, traditional penetration testing such as red teaming or blue teaming was considered adequate for testing the efficacy of security controls. Those days are over.
Given the overwhelming volume and sophistication of new cyberattacks, organizations have to take on the perspectives of both red and blue teams, a.k.a. “purple teaming.” It also seems inevitable that organizations will need to take advantage of AI and automation to carry out efficient continuous security testing.
Security validation methods conducted a decade ago are no longer suitable for current cybersecurity challenges. Believing otherwise is not only counterintuitive; it is also dangerous and costly.