We’re all familiar with the expression ‘Trust but verify.’ Unfortunately, when it comes to protecting their networks, most organizations rely on trust but don’t verify that their security solutions are working as they should. A recent survey of security operations effectiveness found that just 37 percent of security professionals have hard evidence to verify that their security products are configured and operating correctly. This lack of testing and validation leads directly to organizations experiencing damaging security breaches.
Half of the survey’s respondents stated they had discovered that one or more security solutions were not working as they expected only after the organization had been breached. With these vulnerable points in their network defenses, it is not surprising that 75 percent of respondents stated their organization had experienced a breach (such as an unauthorized intrusion, malware infection, or hack) in the past year. 47 percent had been breached three or more times in the last three years.
It’s critical that organizations implement an in-depth testing strategy to close these security gaps and cut the risk of being breached, rather than simply trusting and hoping their security products are performing as expected. But what should that strategy consist of?
The three Ps of testing
When developing an effective security testing strategy, there are three ‘P’s to consider:
• Products, covering the security tools that are deployed across the organization’s networks and their configurations.
• Processes, which covers how those security products or services are installed and maintained, including how patches and upgrades are managed.
• People, which focuses primarily on the ability of IT and security teams to respond to and remediate cyber incidents, but also includes the organization’s employees.
Testing security products
Testing products includes evaluating the performance of each security tool or service, to ensure it is delivering the expected levels of throughput, filtering and blocking of traffic. It involves checking that there are no misconfigurations (such as an unchanged factory default password) that a hacker could identify and exploit. It should also include evaluating any possible functional overlap between solutions.
In the company-sponsored security operations effectiveness survey, two-thirds of respondents stated that the functions of their security tools overlap with each other, and 41 percent said this overlap was unintentional. In other words, organizations sometimes add products to their security fabric without properly evaluating whether they are needed, or without checking whether existing solutions are configured and working correctly.
This tool sprawl leads to wasted security budgets, increased management time for IT and security teams, and expands the organization’s attack surface. 79 percent of survey respondents stated they would remove a security product from their network if they could prove it was not effective. Product testing strengthens an organization’s security posture and helps make efficient use of budgets and resources.
To ensure you are not leaving any easy-to-find back doors into your network, it is critical to manage and maintain your security products efficiently with a regular cycle of checking for and applying new software patches and updates. This should be done on a monthly basis at the very least, as new threats and new malware variants are continually emerging.
According to the vulnerability analysis resource CVE Details, 2019 saw over 12,000 new vulnerabilities emerge, with over 1,100 of these rated as severe. That’s an average of over 90 severe vulnerabilities per month – so keeping products updated and running regular testing cycles will help to close holes developing in the company’s security fabric.
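The kind of ‘hard evidence’ the survey asks about can be produced by a simple, repeatable validation check. The following is an added example written for this article (not code from the survey sponsor or any product vendor): it runs over a constructed inventory of hypothetical products and flags unchanged factory default passwords, patch ages beyond the monthly cycle recommended above, and unintended functional overlap between tools.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory of deployed security products (hypothetical names and
# values, not from any real vendor). Each record holds what an asset inventory
# or configuration export might: the functions the product provides, the admin
# credential currently set, and the date its software was last patched.
INVENTORY = [
    {"name": "edge-firewall", "functions": {"packet-filtering", "ips"},
     "admin_password": "admin", "last_patched": date(2024, 1, 5)},
    {"name": "ids-sensor", "functions": {"ips", "netflow"},
     "admin_password": "7g#Qp!x2Lm", "last_patched": date(2024, 3, 1)},
    {"name": "mail-gateway", "functions": {"anti-spam", "url-filtering"},
     "admin_password": "Zt9$wq&Ru3", "last_patched": date(2023, 11, 20)},
]

# Constructed list of factory default credentials to compare against.
FACTORY_DEFAULTS = {"admin", "password", "changeme"}
MAX_PATCH_AGE = timedelta(days=30)        # monthly patch cycle, as recommended above
ASSESSMENT_DATE = date(2024, 3, 10)       # fixed date so results are reproducible


def validate(inventory, today, defaults=FACTORY_DEFAULTS, max_age=MAX_PATCH_AGE):
    """Return a list of (product, check, detail) findings; an empty list means every check passed."""
    findings = []
    providers = defaultdict(list)         # function name -> products that provide it
    for p in inventory:
        if p["admin_password"] in defaults:
            findings.append((p["name"], "default-credential", "factory default password unchanged"))
        age = today - p["last_patched"]
        if age > max_age:
            findings.append((p["name"], "patch-overdue", f"last patched {age.days} days ago"))
        for fn in p["functions"]:
            providers[fn].append(p["name"])
    # Functional overlap: more than one product claiming the same function.
    for fn, names in sorted(providers.items()):
        if len(names) > 1:
            findings.append((", ".join(sorted(names)), "overlap", f"both provide {fn}"))
    return findings


if __name__ == "__main__":
    for product, check, detail in validate(INVENTORY, ASSESSMENT_DATE):
        print(f"{product:30} {check:20} {detail}")
```

Each finding is a concrete, dated record that a team can attach to its testing cycle; re-running the check after remediation shows whether the gap is actually closed.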
No organization has fully automated security: IT security teams need regular practice in dealing with a range of situations so they can be part of the solution, rather than inadvertently becoming part of the problem. Yet the security operations effectiveness survey showed that fewer than 50 percent of those surveyed regularly practice how to remediate and recover from breach incidents. Teams need active practice against realistic cyber-incident scenarios to ensure that the response to a genuine incident is as efficient as possible. Training should also extend to the organization’s wider staff, covering issues such as how to recognize malicious emails or phishing attempts, and how to protect account credentials.
In conclusion, robust security can never be taken for granted. Cybercriminals are continually investing in new exploits and weapons. Organizations need to ensure they keep pace with those developments. That means regularly putting security products, processes and people to the test – but the reward is better, more efficient protection against attacks.