Replacing pen testing and red teaming exercises with continuous security validation solutions is the single most efficient step toward hardening your organization's security posture and keeping it under continuous management.
There are different levels of continuous security validation, from the modular Breach and Attack Simulation (BAS) package, which validates the security controls of selected attack vectors, to the full Extended Security Posture Management (XSPM) suite, which includes comprehensive BAS, Continuous Automated Red Teaming (CART) and an Advanced Purple Teaming Framework.
All these modules should run production-safe attack campaigns and scenarios in the production environment itself rather than in test or simulated environments. This has a double advantage: it removes the workload of building and maintaining a test-specific environment, and it removes the need to extrapolate findings from that environment before patching production.
Selecting the right level of continuous security validation requires matching the organization's security requirements to the available resources: staff, the existing detection and response tool stack, and other factors that vary with industry and organization size.
Regardless of the selected level, getting the most out of security validation requires implementing it appropriately.
There are a few steps common to all continuous security validation suites.
Adding the Agent to the Environments to Validate
Because continuous security validation solutions run in production environments, they require at least one agent in each environment to be validated. Ideally, even when the complete security posture management approach with all its components is implemented, there should be no more than one agent per environment, and that agent should be lightweight, with low resource requirements and a minimal footprint. Since the agent executes attack techniques on production systems, treat it as privileged software: scope its permissions to what the campaigns need and keep it patched like any other agent in the estate.
Integrating with SIEM and SOAR
Evaluating your environment's security posture means checking which of the attack campaigns and scenarios launched by the continuous security validation solution were caught by the SIEM and SOAR tools, at which stage of the emulated attack they were stopped, and which automated mitigation actions were taken to stop them. Note the distinction between detected and stopped: an alert that fires while the emulated attack continues to its final stage is a detection, not a prevention, and the two should be reported separately.
Before running the first set of campaigns and scenarios, SOC teams might place bets on the percentage of attacks that will get through their risk-based defenses and then compare that expectation with the actual result.
After running the attack scenarios and campaigns, the next step is to check the entry points and escalation paths of the successful emulated attacks and to list the vulnerabilities they used, ordered by criticality.
Because it is derived from the environment itself, the resulting streamlined patching list is both more effective at hardening the security posture and easier for IT teams to implement than patching schedules based on generic risk scores such as CVSS, which rate a vulnerability in isolation rather than in the context of the attack paths that actually succeeded.
Rationalizing and Optimizing SIEM and SOAR
The information yielded by launching attack scenarios and campaigns is not limited to identifying critical vulnerabilities; it also sheds light on the effectiveness of each SIEM and SOAR tool.
While some attacks evade detection altogether, others are spotted by more than one tool. When more than one detection and response tool does spot an attack, the comprehensiveness of each tool's response can vary considerably.
Evaluating the effectiveness of each individual tool on data from the live environment, in order to eliminate overlaps and redress shortcomings, is foundational to rationalizing the detection and response tool stack and preventing tool sprawl.
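The three analyses above (which stage each emulated attack was stopped at and by which action, the breach percentage to compare with the SOC's bet, the patch list ranked by the successful attack paths that used each weakness, and the per-tool overlap that feeds rationalization) can be done with a short correlation script over the exported scenario definitions and SIEM/SOAR alerts. The following is an added example written for this article, not code from any validation product; the scenarios, stage names, weakness labels, severity scores and alerts are all constructed placeholders, and the rule that the first blocking SOAR action ends a scenario is an assumption of the example.

```python
"""Correlate BAS scenario runs with SIEM/SOAR alerts (added example, constructed data)."""
from collections import Counter, defaultdict

# SOAR actions that actually stop an attack; a plain "alert" only detects it.
# Assumption made for this example: the first blocking action ends the scenario.
BLOCKING_ACTIONS = {"isolate_host", "kill_process", "block_ip", "disable_account"}

# Constructed scenarios. Each stage is (stage_name, weakness_used_or_None);
# the weakness labels are placeholders, not real vulnerability identifiers.
SCENARIOS = {
    "phish-to-admin": [("phishing-email", None), ("macro-exec", "macros-unsigned-allowed"),
                       ("local-privesc", "endpoint-driver-unpatched"), ("cred-dump", None)],
    "web-to-db": [("web-exploit", "webapp-unpatched"), ("webshell", None),
                  ("db-dump", "db-weak-password"), ("exfil-https", None)],
    "lateral-smb": [("initial-foothold", None), ("smb-relay", "smb-signing-off"),
                    ("local-privesc", "endpoint-driver-unpatched"), ("exfil-dns", None)],
    "usb-drop": [("removable-media", None), ("local-privesc", "endpoint-driver-unpatched"),
                 ("cred-dump", None), ("exfil-cloud", None)],
}

# Constructed generic severity scores (CVSS-like, 0-10) to contrast with path-based ranking.
SEVERITY = {"macros-unsigned-allowed": 6.5, "endpoint-driver-unpatched": 7.8,
            "webapp-unpatched": 9.8, "db-weak-password": 7.5, "smb-signing-off": 5.3}

# Constructed alerts, shaped like a SIEM/SOAR export for the run.
ALERTS = [
    {"tool": "SIEM", "scenario": "phish-to-admin", "stage": "macro-exec", "action": "alert"},
    {"tool": "EDR", "scenario": "phish-to-admin", "stage": "macro-exec", "action": "alert"},
    {"tool": "EDR", "scenario": "phish-to-admin", "stage": "local-privesc", "action": "kill_process"},
    {"tool": "WAF", "scenario": "web-to-db", "stage": "web-exploit", "action": "alert"},
    {"tool": "SIEM", "scenario": "lateral-smb", "stage": "local-privesc", "action": "alert"},
    {"tool": "EDR", "scenario": "lateral-smb", "stage": "local-privesc", "action": "alert"},
]


def evaluate(scenarios, alerts):
    """Per scenario: which tools saw each stage, where it was stopped, and what actions ran."""
    by_scenario = defaultdict(list)
    for alert in alerts:
        by_scenario[alert["scenario"]].append(alert)
    results = {}
    for name, stages in scenarios.items():
        detected, actions, stopped_at = defaultdict(set), [], None
        for stage, _weakness in stages:
            for alert in by_scenario[name]:
                if alert["stage"] != stage:
                    continue
                detected[stage].add(alert["tool"])
                if alert["action"] != "alert":
                    actions.append((alert["tool"], stage, alert["action"]))
                if alert["action"] in BLOCKING_ACTIONS and stopped_at is None:
                    stopped_at = stage
            if stopped_at == stage:
                break  # the emulated attack never reached later stages
        results[name] = {"detected": dict(detected), "stopped_at": stopped_at,
                         "actions": actions, "succeeded": stopped_at is None}
    return results


def breach_rate(results):
    """Percentage of scenarios that ran to completion, to compare with the SOC's estimate."""
    if not results:
        return 0.0
    through = sum(1 for r in results.values() if r["succeeded"])
    return round(100.0 * through / len(results), 1)


def patch_list(scenarios, results, severity):
    """Weaknesses used by successful scenarios, ranked by how many successful paths
    relied on them; the generic severity score is only a tie-breaker."""
    paths = Counter()
    for name, stages in scenarios.items():
        if results[name]["succeeded"]:
            paths.update(w for _stage, w in stages if w)
    return sorted(paths, key=lambda w: (-paths[w], -severity.get(w, 0.0), w))


def tool_coverage(results):
    """Per tool: stages it detected alone (unique value) versus with another tool (overlap)."""
    stats = defaultdict(lambda: {"unique": 0, "overlap": 0})
    for r in results.values():
        for tools in r["detected"].values():
            for tool in tools:
                stats[tool]["unique" if len(tools) == 1 else "overlap"] += 1
    return dict(stats)


if __name__ == "__main__":
    soc_estimate = 40.0  # constructed: the SOC's pre-run bet on the breach percentage
    res = evaluate(SCENARIOS, ALERTS)
    for name, r in res.items():
        print(f"{name}: stopped_at={r['stopped_at']} actions={r['actions']}")
    print(f"breach rate {breach_rate(res)}% vs SOC estimate {soc_estimate}%")
    print("patch first:", patch_list(SCENARIOS, res, SEVERITY))
    print("tool coverage:", tool_coverage(res))
```

With the constructed data, only the phishing scenario is stopped (by the EDR kill at the privilege escalation stage), so three of four scenarios get through. The patch list puts the unpatched endpoint driver first because two successful paths relied on it, ahead of the web application flaw with the higher generic score, and the macro weakness does not appear at all because the only path that used it was stopped. The coverage table shows the SIEM never detected a stage on its own, which is exactly the overlap question the rationalization step asks.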
Customizing Report Templates
Automated report generation is a minimum standard for any continuous security validation tool. However, the default template options might not suit the requirements of your organization.
As a rule, two sets of default templates should be available: a technical template for the SOC and IT teams and an executive template for management.
Customizing these templates to include all the information relevant to the stakeholders in your organization both saves time (no follow-up questions get redirected to the SOC team) and increases efficiency.