What is Security Validation?

 

As its name indicates, security validation is a process or a technology that validates assumptions made about the actual security posture of a given environment, structure, or infrastructure.

In the digital world, there is a plethora of defensive cybersecurity tools, each providing specific services aimed at protecting the virtual infrastructure from attacks by malware or any kind of infection from viruses. The combined actions of these defensive tools and the security controls built into the environment’s architecture provide the infrastructure with overall security, also known as security posture.

To draw a parallel with what happens in the physical world, it’s like securing a household against potential intruders or against viruses hitching a ride on otherwise welcome visitors.

Where viruses are concerned, we’ve seen since the beginning of the pandemic that it is not always easy to evaluate precisely which prophylactic measures are the most efficient.

 

Securing the Environment

The most efficient measure would have been to lock 100% of the people at home, 100% of the time, preferably with one person per room, forever. This would effectively eliminate the Covid virus, but people would die from hunger, so it’s not really an option. Managing the pandemic required walking a tightrope between implementing effective defensive measures and letting people be free to live their lives and go about their business. Too much freedom could end up disrupting the entire ecosystem through an excessive infection rate, disabling crucial societal functions, whereas excessive limitations would harm society’s ability to function and individuals’ earning potential and mental health.

Back in the digital world, cyber defenders must also walk a tightrope between preventing disruption from attackers and viruses, and enabling the enterprise, business, institution, or organization they are tasked to defend to function effectively.

Practically, since the only way to provide hermetic security is to ensure total paralysis, some level of insecurity is inherent to any living entity, including enterprises, businesses, institutions, and organizations.

As a consequence, the efficacy of security measures will always be limited. Practically, this implies that all defense tools used to secure the infrastructure and environment will be structurally partially flawed.

Defense tools, such as email or web gateways, web application firewalls, endpoint protection and more, are not the only way a digital infrastructure protects itself from unwanted intrusions.

The infrastructure itself includes several security, control and privilege access parameters that restrict access to specific departments or databases through well-tuned configuration. These restrictions ensure that even if an intruder manages to find an undefended point of entry, multiple obstacles will still prevent that intruder from accessing the coveted valuables – data, intellectual property, operating center, or other.

Yet, even these added measures might not be enough, so the last line of security defense should be in place to prevent a skilled intruder who manages to reach the coveted valuables from getting away with them. Specific measures and tools should be implemented to prevent this data exfiltration from happening.

With all these independent layers of defense, each with its own strengths and weaknesses, evaluating the actual overall security posture is a complex endeavor.

To complicate that evaluation even further, the very nature of security implies that it consists in proving a negative.

In other words, the value of security only becomes apparent when it is breached, and by then, it is too late.

 

 

Detecting the Threats

Until a breach takes place, evaluations of the actual efficacy of the implemented security measures are little more than educated guesses based on detection tools.

The detection tools find weaknesses, spot intruders, and raise alerts. They provide some level of information about the security posture, but that evaluation is entirely based on what is observed.

This raises a few immediate problems. In the digital world, the threat landscape is evolving fast and new threats are popping up all the time. Yet, detection tools are built on databases. This means that a new offensive tool or method will not be included in these databases until it has been analyzed, reported, and integrated into the database. Once that happens, it still needs to be integrated into the detection tool’s operating system. Then the detection tool’s user needs to update their own version before it can detect the new vulnerability.

To go back to our pandemic metaphor, those databases are like the ICTV (International Committee on Taxonomy of Viruses) or the EVAg (European Virus Archive Global). In the connected virtual world, the main organizations providing public databases on viruses, malware, and vulnerabilities (known collectively as Common Vulnerabilities and Exposures, or CVE) are NIST, MITRE ATT&CK, and CIS. Typically, they also provide recommendations and standards.

 

Evaluating Security

The infrastructure’s security used to be evaluated exclusively by detection tools. This, however, raises more than one concern:

• Detection tools can only detect known threats
• Any threat that is not spotted by the detection tool but penetrates the environment is not tabulated in the security posture scoring
• Detection tools cannot evaluate the amount of damage an intruder can cause

In view of these shortcomings, compliance bodies introduced requirements for regular cybersecurity testing.

Cybersecurity testing consists of emulating (or simulating) cyber-attacks and checking how well the defenses in place are faring, thus validating the security defenses.
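
The gap between an alert-based view and a validated one, and the effect of the database update lag described earlier, can be shown with a toy model. This is an added example, not code from the original article or from any product; the SignatureDetector class, the test cases, and all names in it are hypothetical, and the payloads are constructed, harmless byte strings.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class SignatureDetector:
    """Toy detection tool: alerts only on fingerprints present in its database."""
    database: set = field(default_factory=set)

    def update(self, samples):
        # Models the analyze -> report -> integrate -> user-update chain.
        self.database |= {fingerprint(s) for s in samples}

    def alerts_on(self, data: bytes) -> bool:
        return fingerprint(data) in self.database

# Constructed, harmless stand-ins (not real malware): (name, payload, should_alert)
TEST_CASES = [
    ("known-sample", b"constructed-sample-A", True),
    ("new-variant", b"constructed-sample-A-v2", True),
    ("benign-file", b"constructed-quarterly-report", False),
]

def alert_count(detector, cases):
    """Detection-only view: the number of alerts raised, nothing more."""
    return sum(detector.alerts_on(payload) for _, payload, _ in cases)

def validate(detector, cases):
    """Validation view: compare each outcome with the expected one."""
    missed, false_alarms = [], []
    for name, payload, should_alert in cases:
        alerted = detector.alerts_on(payload)
        if should_alert and not alerted:
            missed.append(name)
        elif alerted and not should_alert:
            false_alarms.append(name)
    expected = sum(s for _, _, s in cases)
    coverage = (expected - len(missed)) / expected
    return {"coverage": coverage, "missed": missed, "false_alarms": false_alarms}

def run_demo():
    detector = SignatureDetector()
    detector.update([b"constructed-sample-A"])      # database knows one sample
    before = (alert_count(detector, TEST_CASES), validate(detector, TEST_CASES))
    detector.update([b"constructed-sample-A-v2"])   # database catches up later
    return before, validate(detector, TEST_CASES)

if __name__ == "__main__":
    print(run_demo())
```

Before the update, the alert count alone gives no hint that anything was missed; only the validation run, which knows what it sent, reports the missed variant.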

The different processes of security testing fall under the general umbrella name of Security Validation.

To keep up with the proliferation of cyber-attackers’ offensive tools, the resulting expansion of their capabilities, and the proliferation of attacks, security validation has evolved from manual security validation such as pen testing and red teaming to continuous security validation.

Automating attack emulation campaigns and scenario exercises in production environments is the most advanced technology available to manage security posture. There are various continuous security validation modules such as Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), Automated Purple Teaming, and more, each with specific functions suited to the level of validation required.

Extended Security Posture Management is the highest level of security validation. It includes implementing all the continuous security validation modules, collating, correlating, and analyzing the respective findings, and applying fixes.