Spoiler Alert

Better prepared, right? Companies are investing significant resources in building and improving their cybersecurity posture. As the threat landscape continues to evolve and expand, this investment keeps rising dramatically. According to a report by Cybersecurity Ventures, worldwide spending on information security products and services will exceed $1 trillion between 2017 and 2021.

While preventive and detective controls are important, validation of these controls is indispensable. Security testing is said to be one of the areas fueling this rapid growth and the sector itself could well become a $4 billion market by 2025.

Cyber needs testing like everything else

It’s simple math. Every security system with configuration knobs carries a probability of human error and misconfiguration. Every application or operating system introduces new vulnerabilities as it evolves. As IT networks grow and expand, the probability of misconfigured controls and unpatched vulnerabilities increases, and so does their operational complexity.

CIOs and CISOs acknowledge the need for security validation, and regulators also require them to have vulnerability scans and penetration tests performed on a regular basis by independent third parties.

A choice between two imperfect alternatives

Vulnerability assessment (VA) and vulnerability management (VM) solutions are software-based tools that suffer from a major drawback: prioritization of the vulnerabilities they find. They present you with thousands of potential vulnerabilities, but in reality a large percentage are false alarms. Of the “real” vulnerabilities, only 5 percent are exploitable. And of those, only a few may lead to an attack on critical assets.

Simply put, the only way to ascertain whether a vulnerability is critical is by exploiting it and proving it is part of a full “kill chain”.

Service-based penetration testing does just that: it tests your defenses while prioritizing the vulnerabilities for which a working exploit exists and no compensating security control is in place. Some pen-testers indeed shine a light on major deficiencies that can be chained into a deadly attack vector. However, penetration testing as it stands today cannot scale: it’s expensive, talent-dependent, and limited in time and scope. With these constraints, pen-tests are typically performed on a small segment of the infrastructure deemed most business-critical, leaving most of the attack surface unvalidated.

The Overhype of Breach and Attack Simulation (BAS)

Breach and attack simulation (BAS) technology came into our lives three years ago with the great promise of continuous security control validation. It sounded great at the time, but early adopters found themselves with a system that adds yet another agent to the network, limits its scope to control validation only, and requires specific playbook scenarios to be maintained.

More importantly, users found themselves back in the realm of simulation.

In other words, BAS is about collecting security control data and performing offline risk-modeling analysis, then deducing what would happen in real life rather than testing for it. Once again, users are faced with false alarms and misguided prioritization, coupled with the burden of managing yet another system. Even the modern BAS systems that send phishing emails and attempt to download payloads if opened struggle to surpass the value one can get from Checkpoint’s Checkme free utility.

If you want to test, test. Don’t simulate

True security validation is about challenging your security from a hacker’s perspective, using a hacker’s techniques, all the way to the endpoint and across your whole network. What if we could have a penetration test that runs fully automated, with no agents, no manual playbooks, no simulations, and no false alarms? What if we could have a system that acts as a hacker and challenges everything: security controls, vulnerabilities, credentials, and privileges? What if the same system could look for passwords and credentials in shared folders and office documents?

What we’re really looking for are vulnerabilities correlated with exploits that lack a compensating control. We want to attempt to exploit these weaknesses, at scale, without malicious intent or harm. And we need to do it on a budget that allows for a daily or weekly penetration test. Sounds like a tall order, right?

Automated pentesting goes the next step

Here is the cutting edge: technology that takes on the tall order of harnessing the power of software to perform the ethical hacker’s task of penetration testing at scale. This technology starts with nothing but network access and performs every action a hacker would: scanning, reconnaissance, sniffing, spoofing, cracking, (harmless) malware injection, fileless exploitation, post-exploitation, lateral movement, and privilege exploitation, all the way to data exfiltration.

Information security professionals’ routines are actually changing as they use this technology as frequently as a weekly pen-test. Reducing dependence on third-party consultants and focusing on the 1 percent of remediation that matters is now within reach.

It’s a matter of choice

It’s time for cybersecurity risk validation. You can settle for vulnerability management, experiment with BAS, or go at it with automated penetration testing. You’re better off being proactive about improving your cyber resilience than being target practice for whatever new malware is out there. You can have separate tools and service providers do the job, or do it yourself with a modern pen-testing platform. The important thing is to move forward: be able to discuss security risk in business terms with upper management, secure the necessary budget, and ride the continuous-improvement curve towards cyber resilience.

Written by: Amitai Ratzon