New continuous automated penetration and attack testing (CAPAT) tools will help CISOs better see where they are vulnerable and prioritize remediation actions.

Cyber-risk management is more difficult at organizations today than it was two years ago. So say 73% of security professionals in a recent ESG research survey. (Note: I am an ESG employee.) Why? Survey respondents point to things like the growing attack surface, the rising number of software vulnerabilities, and the increasing technical prowess of cyber adversaries.

How can organizations mitigate growing cyber risks? One common way is to get a better handle on the strength of existing cyber defenses through exercises such as red teaming and penetration testing. Many organizations already conduct penetration testing or red teaming and use the resulting data to measure security team performance, review results with IT leaders, and reassess security controls and processes – all worthwhile outcomes.

But here's the problem: Most organizations undertake such exercises once or twice a year. Furthermore, ESG research indicates that penetration testing and red teaming efforts last only two weeks or less at 75% of organizations. While valuable, penetration testing and red teaming can be expensive, and few organizations have the dedicated staff or advanced skills to conduct these exercises themselves or increase frequency using third-party services. In a dynamically changing IT environment, two weeks of poking at security defenses simply isn't enough.

Continuous automated penetration and attack testing can help

Fortunately, there is a new and promising cybersecurity technology market segment that ESG calls continuous automated penetration and attack testing (CAPAT).
Rather than hiring skilled penetration testers or white hat hackers, CAPAT emulates attacker behavior through techniques such as simulated phishing emails, social engineering, or application layer exploits to flush out weak links in the cybersecurity chain. Unlike humans, who tend to follow static attack patterns, CAPAT tools can be constantly updated to include the latest adversary tactics, techniques, and procedures (TTPs), so organizations can assess their defenses against current attacks – not just the tried-and-true tool sets of ethical hackers. Some tools use machine learning to modify attacks slightly as they scan and learn the idiosyncrasies of an organization's network. Vendors in this space include AttackIQ, Cymulate, Randori, SafeBreach, Verodin, and XM Cyber.

Used correctly, these tools can truly help organizations improve cyber-risk measurement and management. In other words, CISOs can see where they are vulnerable and prioritize remediation actions. This can also help improve ROI on cybersecurity spending by enabling security teams to dedicate budget dollars to high-priority areas based upon data rather than educated guesses.

Benefits of using CAPAT tools

As you may be able to tell, I'm bullish on this technology and believe that enterprise organizations will test, pilot, and deploy tools within the next 18 to 24 months. As they do:

CISOs will finally have timely cyber-risk metrics for sharing. CFOs understand the need to increase cybersecurity budgets but can't seem to get an answer to an obvious question: "What do I get for my money?" CISOs will use CAPAT tools to capture metrics and then share risk and financial management data with executives and corporate boards to help improve decision making and finally answer CFO money queries.

Red and blue teams can turn purple. In my experience, red and blue teams often have trouble collaborating due to different skill sets, tools, and processes. CAPAT tools can provide common data to unify these teams.
CAPAT may usurp penetration testing. Penetration testing tends to end once testers find a vulnerable system or entrance point. CAPAT has the potential to democratize advanced red teaming. As this happens, CAPAT will push past penetration testing to demonstrate how attacks move beyond network penetration to all phases of the kill chain. This alone will be extremely valuable for security operations.

CAPAT becomes part of SOAPA. Security operations tools such as security information and event management (SIEM), endpoint detection and response (EDR), and network traffic analysis (NTA) tend to focus on threat management rather than risk management. CAPAT data will become an important input into these tools, as well as into a more integrated security operations and analytics platform architecture (SOAPA), to help balance threats and vulnerabilities. When new threats are discovered in the wild, the SOC team can consult CAPAT tools to understand whether they are vulnerable to similar attacks. CAPAT data will also be combined with things such as the MITRE ATT&CK framework, helping SOC teams characterize simulated attacks and guiding them through logical investigations.