Validate Your Security Model

Validate Your Security Model

Amid growing threats, organizations must evaluate the holes and weaknesses in their systems

As security threats grow in complexity and scale, organizations are spending major resources to address the threats and minimize risk, including hiring top security talent and purchasing sevenfigure security solutions. But how do teams know their overall security model is working and that they are reducing the business risk?

Every organization’s security environment is dynamic and therefore, to keep up with the latest threats, must be continually evaluated. Doing so is complicated because of “vendor sprawl,” which refers to the growing number of often redundant and sometimes underused security solutions that end up in an organization’s technology stack. Businesses may be eager to address threats, but do not have the expertise necessary to decide which products will accomplish their goals.

When these disparate tools and processes overlap or leave gaps in a security model, organizations are left vulnerable to the very threats the products are designed to protect against, particularly when it comes to the increasing complex cyber threat landscape facing small and large businesses alike.

Fortunately, advances in attack simulation tools have made it possible for organizations to truly validate their security model across all solutions through continuous, automated testing.

By following a few best practices and knowing what to test for, organizations can ensure their holistic approach is truly keeping them secure.

Attack Simulation Basics

Attack simulation software mimics real-world threats to show organizations where they have gaps in their security systems and to enable them to improve their security controls and prepare incident response plans.

The simulations can include a variety of techniques and tactics that an adversary may use when compromising endpoints and applications. The testing operates under the assumption that most hackers and malicious actors are using a similar set of tools to try to penetrate networks and take advantage of either inexperienced business owners or their over-taxed IT providers, whether those are in-house or outsourced.

Attack simulations can include functions like penetration tests and vulnerability scanning, but on a more automated, non-intrusive, benign and continuous basis.

In addition to testing exploitation techniques, they can include machine learning and automation of the various steps in an attack chain, such as command and control, lateral movement and resource access and exfiltration.

Simulations can be customized to mimic threats targeting various surface areas and multi-vector attacks. Reporting and postsimulation visualization show security teams how the attacks were conducted and handled.

Building a Foundation for Attack Simulations

A good attack simulation strategy should start by covering the basic attack factors that do not change. For example, you know that at your office you have a door, lock, camera and other controls.

There are a million ways someone can break into your building, but do you need to try to stop all of them? No. You focus on controlling your environment — being able to see when someone gets in and how, and how you will be alerted so you can respond immediately.

Attack simulation tools should test what we know is true about attacks and attackers. Attackers need to get from point A to point B for a network attack. When they’re in your host system, we know they need to follow a certain path and how you can follow them.

You need to identify what attackers are going to do in any breach or other type of attack. There is a myth that most attacks are really sophisticated and complex, but in reality many attacks do the same things using the same techniques— and that’s what you can test for.

An attack simulation should cover the entire attack chain from network intrusion to system and network reconnaissance, payloads and behaviors such as creating user accounts, collecting and archiving data, encrypting data and exfiltration, as well as escalating privileges and “living off the land” to hide in plain sight with built in tools like Powershell.

Organizations should first figure out what is normal versus abnormal behavior in your network. You can’t account for all variables in a cyber attack — do the basics super well, and 9 times out of 10, you’ll be successful.

Four Ways to Validate Your Security Solutions Holistically

In order to bring your security model from zero to hero, you need to identify what tools you have and how to leverage them most effectively.

You also must be able to test all of your solutions to ensure they detect and mitigate the risk that threats pose to the network. Here are four main technology issues that attack simulation tools enable you to test for:

Misconfigurations. Organizations often have major difficulties stemming from a suite of security tools that are not configured properly. For example, many teams are so inundated with false positives that they end up turning off or ignoring their alerting from certain sources to their SIEMs.

This can lead to breaches going undetected, which increases adversary dwell time. If security teams can replicate the breaches and finetune the systems beforehand with attack simulation, they can prevent or quickly discover future attacks.

Security decay. Just as new cars lose their ability to function properly over time, security posture can suffer from efficacy decay too. Over time, as systems continue to function without being patched and new malware and exploits are developed, the systems and network security posture decays much like wear and tear on a new car.

In information security, the problem is that there’s no way to measure security posture decay, including that of software within an organization’s technology stack, unless you’re testing for it. Attack simulation tools can diagnose and prevent security decay because they allow teams to constantly test systems to ensure they are up-to-date and remain secure.

Overlap. Another vendor sprawl challenge comes from tools that duplicate capabilities. Companies end up spending resources on tools they don’t need because they can’t measure the coverage they have.

By using attack simulations, companies can see the overlap and reduce the cost of their product spend. For example, organizations can utilize the MITRE attack framework to map coverage of mitigation for attack techniques, which can show capability overlap.

Tools That Don’t Work in Your Environment

Every organization has a unique security environment they must account for. Not all tools will work effectively. Thus, it’s important to validate potential tools in your own environment before making the purchase instead of only testing them in the vendor’s lab environment.

Use attack simulations to set up your tools under normal working conditions and test common attack techniques. This is the best method of ensuring that your network is adequately prepared for the common attacks perpetrated by a growing amount of hackers operating across the globe.

For example, simulate a network attack to make sure the device can respond, whether it’s signature or anomaly-based attacks. To simulate an endpoint attack you can imitate a hacker on the box to ensure that the solution effectively blocks and responds.

Attack simulations are vital tools that can help an organization see if its security model has holes or weaknesses. But don’t wait to start testing.

Too many organizations get breached, and then find that it’s the first time they ever looked at their logs or discover that key security tools aren’t working properly. Every organization has the capability to do this – there is no such thing as “we’re not ready.” In this way, attack simulations are the great security equalizer.

This article originally appeared in the March 2020 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3