The Importance of Planning, Testing, and Training in Security Posture Management

Featured article by Jeff Broth

Image: Unsplash

Over the years, the cyber threat landscape has changed, and it’s not for the better. Cyberattacks have become so complex and aggressive that it is becoming more difficult to combat them. According to the Allianz Risk Barometer 2022, cyber risks are considered to be the top threats to businesses this year, along with business interruptions and natural disasters.

Moreover, cybercrime has become more than a criminal act. More than simply being committed by those who seek to disrupt or steal from a company’s operations for profit, cybercrime is now also a threat to people and sovereignty. Cybercriminals are now offering their expertise and services to those looking to attack particular organizations, governments, or individuals.

It does not help that the barrier to entry for conducting attacks has become so low–such that “as little as a $40 subscription and little technological knowledge” can get a cybercriminal or criminal organization started on ransomware attacks, according to the Allianz study.

Thus, it is not enough for organizations to be passive about their cybersecurity stance. For businesses, utilizing necessary extended security posture management will involve careful planning, the use of automated security validation tools, and inclusive participation for everyone in the organization.

Incident management plan

It is still possible for sophisticated cyberattacks to be able to penetrate highly secured networks of organizations. Companies must have a well-planned incident management plan. A coordinated, systematic approach must be taken to respond to successful attacks. This is especially important when dealing with controlling their impact and preventing any further loss.

The SANS Institute cites six steps in properly handling cybersecurity incidents: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

– Preparation: First, find out if there is a policy in place that details how security incidents will be handled. This policy should outline who is authorized to conduct interviews, make requests and review sensitive data. It also needs to coordinate communications.

– Identification – Initial response aims to verify that an incident occurred, find out which attacks were used in order to gain access, identify the systems and data accessed by the intruder, and determine the actions of an intruder after they have gained access. This involves analyzing all available information to identify an intrusion. This stage may also include the MITRE ATT&CK framework as well as other security validation frameworks, such NIST.

– Containment: Once the threat is identified, it should be stopped. It may be necessary to disconnect resources, services, and devices to prevent malware from spreading further or limit the ransomware encryption coverage. This could also help to halt ongoing data theft.

– Eradication – Once the problem has been contained, it is easier to identify and eliminate the threat. To avoid aggravating the issue (e.g., files being corrupted or encrypted, or applications malfunctioning), eradication must be done after containment.

– Recovery – Once the threat is properly eliminated, recovery can be initiated. This stage involves restoring files from backups (if they were corrupted, encrypted, or deleted) and restoring online services. Recovery may involve the forced resetting of passwords of customers (as well as employees) in order to prevent accounts from further being accessed and misused maliciously.

– Lessons Learned – You can improve your security postures and even incident management by learning from past attacks or vulnerabilities that were exposed by cyberattacks. Incident reports should also include whether there is an inability to confidently identify how the system was compromised. This allows management to determine the next best courses of action. This might include hiring security forensics specialist teams or engaging law enforcement, among other courses of action.

Security validation and continuous testing

Security policies and controls are halfway toward ensuring a secure system. Continuous testing is essential to ensure that security controls and measures work as they were intended. Continuous security validation or testing is essential if organizations want to ensure that they have effective enterprise security management.

This can include a variety of methods, such as continuous automated Red Teaming, breach-and-attack simulation (BAS), and purple teaming (a collaborative effort between Red and Blue teams). The goal of security control optimization is breach and attack simulation.

Continuous automated red teaming allows for prompt detection, identification, and mitigation of threats or attacks. Meanwhile, by using purple teaming, security testing does not only take place from the perspective of the defense or the blue team. It also emphasizes that security testing must be conducted from an adversarial perspective in order to anticipate attacks and to determine how they will retool their attacks to break security controls they cannot penetrate.

Security validation is critical in incident response. It systematizes how organizations look at potential weaknesses in their controls. There are many issues that can impact other parts of the security posture. It is essential to trace their source and fix them appropriately. This allows you to identify whether control problems can be fixed by updating their configurations or having them replaced entirely.

This also becomes vital in change management. Continuous security validation ensures that controls work properly even after changes in security policies, configurations, or modifications in software and hardware. Otherwise, any changes can prove to be very risky, especially if the same security system is used across branches or offices.

Security validation is also necessary when creating or implementing new processes, especially with the potential impact of these new processes on existing controls and policies. This is also essential when there is a need to streamline operations, consolidate business units, and any activity that will require new systems and processes. Unchecked and untested, these changes can negatively impact the organization’s security posture.

Inclusive participation and adequate training

People are the weakest link in the cybersecurity chain. An organization’s employees – even going up to the C-suite – can fall victim to social engineering. Such deceptive techniques lead to vulnerabilities, such as backdoors or deactivating security controls that employees may not be aware of. They could even send login credentials and sensitive information directly to the threat actors.

Organizations mostly invest heavily in hardware and software security. However, most don’t do the same with their human resources. To illustrate, a recent study by EY in Canada found that 39% of respondents consider “careless or unaware employees as their top vulnerability to a cyberattack.”

Everyone needs to understand the basics of security posture management in order to ensure high-quality security management. This includes their role in protecting cyber defenses and not becoming unwitting instruments for cybercriminals.

Training and seminars in cybersecurity are highly recommended for all employees. Organizations should never simply leave cybersecurity decisions up to AI-driven or automated systems. People need to be aware of their risks and responsibilities. While it is relatively easy to program software and configure machines, it is not possible to expect people to adhere to all security rules and protocols of an organization. They will be more likely to support and follow security goals if they are aware of them being a part of it.

The takeaway

Improving an organization’s security posture involves three key things: planning, continuous testing, and people. A failure to implement and optimize in any of these areas can prove to be very dangerous, especially in the light of growing threats to cybersecurity for organizations of all sizes.