The case for Continuous Security Validation
To achieve cybersecurity readiness, an organization should be able to make decisions on the basis of real data and evidence of security outcomes. Too often, security controls are misconfigured or poorly integrated with monitoring systems, and/or the people and processes surrounding them break down.
After decades of spending on cybersecurity teams and technologies, from next-generation firewalls to MDR, the entire industry is transitioning away from a period of hyper-focus on investment and towards a focus on outcomes and metrics for security effectiveness. This transition was driven by two distinct but related events: the escalating threat in cyberspace, from the Russian government’s intrusions into critical infrastructure to ransomware attacks on civil infrastructure, and the growing sense that the investments made over the last decade were failing to stop intruders. Even as security teams invested in the people and technologies required to stop breaches, intruders kept breaking through.
Data Study
The findings from an ATTACKIQ study revealed that, on average, the EDR controls in its customers’ environments stopped the top seven adversary techniques only 39 percent of the time in 2021. This high degree of failure is not the fault of security providers, whose controls are capable of stopping the top techniques. Nor is it the fault of customers, who are some of the most advanced cybersecurity teams in the world. The problem is embedded in the system itself.
Complex organisms and organisations need data to understand how well their inner workings are performing. Like car engines, the human body, or the U.S. military (which has for years conducted multi-factor analyses of its “readiness” to perform key missions), the security controls of people, processes, and technologies need to be assessed constantly against real threats to validate their effectiveness. A car engine has a check engine light. The human body goes for regular check-ups, and people now wear devices to track their pulse, exercise, steps taken, and oxygenation. The U.K. military trains constantly on land, air, sea, space, and cyberspace to prepare for potential conflicts. Cybersecurity teams have until now lacked a means to exercise, measure, and report on their health. The result is a mismatch. Even the most effective technologies and the most effective teams will fail to stop the adversary part of the time if they do not test and train. If teams are not continually trained and tested to defend the battlespace, the failure rate will never improve.
The good news
The issue is that organizations aren’t testing enough. Information technology, like the human body, is not static. Misconfigurations, infrastructure changes, and team transitions all lead to degraded security control performance over time. Only by testing controls against known threats can teams generate the data they need to understand performance, tune up, get battle hardened and improve effectiveness.
Security teams can improve their cybersecurity readiness through continuous testing and security control validation, running assessments aligned to the MITRE ATT&CK framework against the total security program. Embedding Continuous Security Validation into your own Security Governance and Assurance architecture is where the true value will be realised. As the practice matures, organisations can then pivot towards measuring the Return On Investment and Value for Money of their security operations, and focus on the key metrics that defy so many Cyber Defence teams: ‘Mean Time To Detect’ and ‘Mean Time To Remediate’ security incidents.
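As an added illustration of the metrics this paragraph names (this is not Alchemmy's or ATTACKIQ's code), the script below reduces ATT&CK-aligned validation results to a per-technique scorecard with prevention rate, detection rate, Mean Time To Detect and Mean Time To Remediate, and flags techniques below an agreed threshold. The technique IDs are real ATT&CK IDs; the outcomes and timings are constructed sample data.

```python
# Added example, not ATTACKIQ's or Alchemmy's code: constructed ATT&CK-aligned
# validation results turned into prevention/detection rates, MTTD and MTTR.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class RunResult:
    technique: str                   # ATT&CK technique ID the assessment emulated
    executed_at: datetime            # when the simulated technique ran
    prevented: bool                  # did a preventive control block it?
    alerted_at: Optional[datetime]   # SIEM/EDR alert time (None = missed)
    resolved_at: Optional[datetime]  # ticket closed time (None = still open)

def minutes(start, end):
    return (end - start).total_seconds() / 60

def scorecard(results):
    # Per-technique aggregation: prevention rate, detection rate, MTTD, MTTR.
    buckets = {}
    for r in results:
        b = buckets.setdefault(r.technique, {"runs": 0, "blocked": 0, "ttd": [], "ttr": []})
        b["runs"] += 1
        b["blocked"] += int(r.prevented)
        if r.alerted_at is not None:                   # detection happened
            b["ttd"].append(minutes(r.executed_at, r.alerted_at))
            if r.resolved_at is not None:              # and was remediated
                b["ttr"].append(minutes(r.alerted_at, r.resolved_at))
    return {t: {"prevention_rate": b["blocked"] / b["runs"],
                "detection_rate": len(b["ttd"]) / b["runs"],
                "mttd_min": mean(b["ttd"]) if b["ttd"] else None,  # None = never seen
                "mttr_min": mean(b["ttr"]) if b["ttr"] else None}  # None = never closed
            for t, b in buckets.items()}

def gaps(card, metric, threshold=0.8):
    # Techniques whose rate for `metric` is below the agreed threshold.
    return sorted(t for t, m in card.items() if m[metric] < threshold)

# Constructed sample: real ATT&CK IDs, fictional timings relative to T0.
T0 = datetime(2023, 1, 1, 9, 0)
def at(n):
    return T0 + timedelta(minutes=n)
SAMPLE = [RunResult("T1059.001", T0, True, at(5), at(60)),
          RunResult("T1059.001", T0, False, at(15), None),
          RunResult("T1003.001", T0, False, at(30), None),
          RunResult("T1003.001", T0, False, None, None),
          RunResult("T1486", T0, True, at(2), at(20))]
```

Running `scorecard(SAMPLE)` shows T1003.001 detected only half the time and never remediated, which is exactly the kind of evidence a governance forum needs before deciding where to invest.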
Why Alchemmy?
At Alchemmy, we understand that a lack of confidence in the situational awareness of Cyber Security teams has been a problem for over a decade, and we can help organisations' security teams shift the dial from dealing with overwhelming 'alert noise' of very little value to a proactive SOC team focused on correctly calibrated alarm signals on the SOC console. We use the ATTACKIQ Breach Attack Simulation platform to train and calibrate SIEM/EDR analytics engines, identify gaps in configuration and tease out process failures in security incident management.
However, whilst deploying a Breach Attack Simulation platform such as ATTACKIQ to calibrate the security controls is one requirement, there is more to it than just a tool. Planning and embedding a continuous security validation process requires an organisational shift toward high-performance Purple teaming. This is where your more maverick penetration testers (Red Teams), diligent Threat Intelligence team and time-constrained security operations analysts (Blue Teams) all interlock to build a Threat-Informed Defence that is constantly alert to the threats the organisation faces (who's coming after us?) and more confident in the tools that alert them to a threat and the processes that enable a rapid response (Time to Detect/Respond). In other words, separating the signal from the noise.
We have a shared passion to bring all this together for our clients, enabling a shift away from the broken model of tooling that is ineffective, poorly configured and poorly integrated, and of processes that react to assumptions rather than evidence. We want to grow a community that shares our passion and wants to join our mission!
Conclusion
Both the UK’s NCSC and the US’s CISA recommend continuous, automated security testing, and we also think this is most useful when aligned with the MITRE ATT&CK framework. This is why Alchemmy uses the ATTACKIQ platform to evaluate security effectiveness and demonstrate the impact of the real risks facing organisations. Armed with this evidence, we’re then able to help prioritise the right actions to improve resilience and show Boards where to invest to stay current with the evolving cyber threat. To bring this to life we engage with CISOs, SOC leaders, lead analysts and incident responders to join all the dots for a successful outcome.