
23 October 2021

Testing Cybersecurity Effectiveness: The Importance Of Process Validation

Brian Contos

Understanding the effectiveness of your company's security stack is critical when it comes to strengthening cyber defenses. This is best achieved by validating security controls through emulation of real attacks, not simulations, based on intelligence showing which threats are most relevant to your organization. To gain a complete picture of security effectiveness, validation efforts must be aimed at three areas: technology, people and process.

I've written about validation of technology performance in the past. I've also written about how validation of people, when applied to hiring and training, can help close the cybersecurity skills shortage by giving you a better understanding of an individual's relevant experience and skills, rather than looking only at their years of experience and list of accomplishments.

Testing the effectiveness of process is just as critical. Processes are the backbone of any corporate security program and tie together how technology and people perform. Testing how processes hold up under technological change, such as a move from on-premises to the cloud, application updates or environmental drift, is critical to ensuring the organization's cyber readiness.

From War Games To Real Attacks: Intelligence-Led Validation Informs The Right Action

Traditionally, internal processes came from meeting once or twice a year and playing war games on a whiteboard. This is like trying to tell the whole story after seeing only one scene of a movie. Modern security validation technology, when automated and run continuously so that it keeps pace with changes in the environment, provides a full understanding of how processes keep the security program running as it should.

Process validation may reveal that new processes are needed to address certain shortfalls. For example, you may need to create a process for implementing short-term, rapid response changes such as adjusting system configurations or adding steps to account for missed security events or alerts that can have a critical impact on the organization. In other cases, you may need to formulate a longer-term, strategic process for implementing needed changes, such as determining if new technology investments are needed, how they should be budgeted or if your incident response team needs more significant training or resources.

In either case, as you consider the new processes that need to be built, ask:

• Whose input do I need if I'm going to change existing processes or build new ones?

• Who needs to be involved in how those changes are carried out?

• What business units will be affected by new processes or steps we create?

• Who will need to be informed of these changes, and how will I communicate to them?

• Are there new automation technologies or outside experts that I should consider implementing to help keep things running smoothly?

• Do we have budget for adding new processes or technologies — if not, are there short-term, less costly solutions I can leverage? Or, are there overlapping technologies I can eliminate to free up funds?

Once your new processes are in place, you'll want to validate them to see if they're effective — and then decide if even more changes are necessary.

Below are four areas where validating processes is useful.

1. Incident Response

As part of security validation, you need to test how your incident response team performs when an event like a data exfiltration attempt occurs. Your internal process relies in part on technology: a next-generation firewall is expected to block this type of attack, and if it doesn't, an intrusion detection system is expected to alert your team, who are then expected to act. Validation determines whether this chain works as designed by examining:

1. Did the firewall block the attack? If not, why?

2. Did the alert happen? If not, why?

3. If the alert did happen, did the security team respond to it within the expected time? If not, why?

4. What needs to change on the technology side to block the attack and send an alert?

5. What needs to change on the team's side so that an alert, when it does happen, is acted on?

2. Change Management

When core infrastructure changes, security control configurations and the processes built around them will likely need to be adjusted. Validating both the technology and the process will reveal:

1. When an attack occurs, is the security information and event management (SIEM) system still operating as it should? If not, why?

2. Are all our systems still talking to each other as they should?

3. At what point do we bring in human action?

4. Where do our systems fail, and do our processes surface those failures or hide them from us?
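The incident response and change management questions above amount to a decision tree that every emulated attack can be run through: was it blocked, did it alert, did anyone respond, and did the answers get worse after the last infrastructure change? The following is an added example, not code from the original article or from any vendor's product, that encodes that tree and compares a pre-change validation run against a post-change run to flag regressions. The scenario names, the 15-minute response SLA and all result records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Outcomes ordered from best to worst. The order is used both for the
# scorecard and to decide whether a post-change result is a regression.
OUTCOMES = [
    "prevented",               # blocked, and the block was visible as an alert
    "prevented_silent",        # blocked, but nothing alerted: a visibility gap
    "detected_handled",        # not blocked, alerted, acknowledged inside the SLA
    "detected_slow_response",  # alerted, acknowledged after the SLA
    "detected_unhandled",      # alerted, nobody acknowledged
    "missed",                  # neither blocked nor alerted
]

# Which side of the program each outcome points at, mirroring the
# "what needs to change" questions in the incident response section.
ACTION = {
    "prevented": "none",
    "prevented_silent": "technology: the block happened but produced no alert",
    "detected_handled": "none",
    "detected_slow_response": "people/process: alert seen, response exceeded SLA",
    "detected_unhandled": "people/process: alert fired but was not acted on",
    "missed": "technology: neither blocked nor alerted",
}


@dataclass(frozen=True)
class EmulationResult:
    scenario: str                    # name of the emulated technique (constructed)
    blocked: bool                    # preventive control (e.g. NGFW) stopped it
    alerted: bool                    # detective control (IDS/SIEM) raised an alert
    response_delay_s: Optional[int]  # seconds from alert to analyst ack; None if never


def classify(r: EmulationResult, response_sla_s: int = 900) -> str:
    """Map one emulation result to an outcome label (the decision tree)."""
    if r.blocked:
        return "prevented" if r.alerted else "prevented_silent"
    if not r.alerted:
        return "missed"
    if r.response_delay_s is None:
        return "detected_unhandled"
    if r.response_delay_s > response_sla_s:
        return "detected_slow_response"
    return "detected_handled"


def summarize(results: List[EmulationResult], response_sla_s: int = 900) -> Dict[str, int]:
    """Scorecard: how many scenarios landed in each outcome."""
    counts = {o: 0 for o in OUTCOMES}
    for r in results:
        counts[classify(r, response_sla_s)] += 1
    return counts


def regressions(baseline: List[EmulationResult], current: List[EmulationResult],
                response_sla_s: int = 900) -> List[Tuple[str, str, str]]:
    """Scenarios whose outcome got worse between two validation runs."""
    before = {r.scenario: classify(r, response_sla_s) for r in baseline}
    worse = []
    for r in current:
        prev = before.get(r.scenario)
        now = classify(r, response_sla_s)
        if prev is not None and OUTCOMES.index(now) > OUTCOMES.index(prev):
            worse.append((r.scenario, prev, now))
    return worse


# Constructed sample data, not real telemetry: the same four exfiltration
# emulations run before and after a hypothetical egress-proxy migration.
BEFORE_CHANGE = [
    EmulationResult("https-exfil-to-unknown-host", blocked=True, alerted=True, response_delay_s=120),
    EmulationResult("dns-tunnel-exfil", blocked=False, alerted=True, response_delay_s=600),
    EmulationResult("cloud-storage-upload", blocked=False, alerted=True, response_delay_s=None),
    EmulationResult("icmp-exfil", blocked=False, alerted=False, response_delay_s=None),
]
AFTER_CHANGE = [
    # still blocked, but the new proxy's logs never reached the SIEM
    EmulationResult("https-exfil-to-unknown-host", blocked=True, alerted=False, response_delay_s=None),
    EmulationResult("dns-tunnel-exfil", blocked=False, alerted=True, response_delay_s=2400),
    EmulationResult("cloud-storage-upload", blocked=True, alerted=True, response_delay_s=60),
    EmulationResult("icmp-exfil", blocked=False, alerted=False, response_delay_s=None),
]

if __name__ == "__main__":
    for r in AFTER_CHANGE:
        outcome = classify(r)
        print(f"{r.scenario:30} {outcome:24} -> {ACTION[outcome]}")
    print(summarize(AFTER_CHANGE))
    for scenario, prev, now in regressions(BEFORE_CHANGE, AFTER_CHANGE):
        print(f"REGRESSION {scenario}: {prev} -> {now}")
```

Two design points matter here. A block that does not alert is kept distinct from a block that does ("prevented_silent"), because a control that silently stops an attack today gives the team no way to notice when it stops working tomorrow. And the regression check is driven by the ordering of outcomes rather than by raw blocked/alerted flags, so a change that keeps the attack blocked but breaks the alert pipeline still shows up as a process failure, which is exactly the kind of drift the change management questions are meant to catch.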

3. Building New Processes

New processes are often needed to address increasingly sophisticated threat tactics or as part of a major company change like a merger or acquisition. As you develop new processes, validation helps you test their effectiveness and answer such important questions as:

1. Based on timely threat intelligence, are my processes and controls capable of protecting us against threats that are most likely targeting us?

2. With known and unknown infrastructure changes, are processes still relevant?

3. Do our security processes encompass a diverse set of business leaders, such as those from IT, legal, HR, PR and investor relations?

4. Measuring Frameworks

Security validation should give you greater context for how your processes measure up against frameworks like MITRE ATT&CK, the NIST Cybersecurity Framework and others, and should let you discover how processes may need to be altered by answering the following:

1. Do our processes enable us to accurately test against, and align with, NIST, MITRE ATT&CK and other frameworks?

2. Do we have the right technology and human resources in place to scale our framework validation processes?

3. Can our processes incorporate additional frameworks, or are changes needed to support a multi-framework approach to security validation?

Build, Refine And Trust The Foundation Of Your Security Program

When you validate technology, people and processes, you ensure that all the components of your security program are aligned, well-integrated and performing as expected. We can't automate people, nor can they operate at machine speed. But with the right processes and training, they will know the right action to take as revealed through proper testing and validation. You can then create new and refine existing processes to ensure that the foundation of your security program is solid.
