Continuous Assessment as a Mindset
A Top-down Approach to a Better Security Posture
Change for the sake of change is not usually helpful. Disrupting the efficiencies you and your organization have worked hard to achieve needs a rationale. There should be savings recognized, an enhancement to a process, more oversight, dangers avoided; the list of reasons could go on and on. However, being averse to the idea of enhancing the status quo simply because change is hard is just as dubious. Identifying aspects of a process or the incumbent “way things are done” that could add more value or be more efficient should be a natural part of any security team’s lifecycle.
The cadence at which you perform security assessment and testing is something many organizations have not taken a look at in many years, perhaps even decades. A project-based, point-in-time assessment done annually as a health check is how it’s been done, perhaps augmented with monthly automated scans to try to catch any outliers. Is this the right move?
This blog will discuss the merits and use cases of continuous assessment and testing, as a force multiplier to point-in-time assessments, not a replacement.
PlexTrac exists to help security teams become more efficient and effective so organizations can become more proactive and, ultimately, more mature. Interested in seeing how PlexTrac could support continuous assessment in your environment? Book a personalized demo.
Now let’s look at the combination of approaches related to security testing cadence.
The Benefits of Point-in-time Testing
Point-in-time testing, also known as traditional or project-based testing, is a snapshot of a system’s or network’s security posture at a fixed point in time. This can include a single penetration test or vulnerability scan, typically performed at a specific moment, such as before or after a major update or upgrade. Familiar examples are annual or quarterly penetration tests. You know the routine: establish your project scope, get on a kickoff call, talk out expectations and deliverables as well as methodologies and project blockers, and agree upon a timeline and an escalation path. Then the penetration test begins, and at a set point in time, determined by budget or goals, the engagement is finished. The status of the entity undergoing assessment (e.g. an application, a network, a business unit) is detailed in the report that is the artifact from the pentest.
This more traditional, project-based pentest still offers a lot of value. Experts leverage both automated and manual activity to identify flaws and can also see how well an organization is prepared to deal with a cyber attack. The results of these tests are very valuable: they help triage and identify flaws, insecure systems, and gaps in protection, and they give organizations a chance to remedy the observed flaws once they are known.
However, what happens in between these annual tests? Also, when testing is expected, is the environment truly being operated as business as usual? What about when newly discovered, high impact/high risk issues arise?
These questions lead me to suggest that another type of testing could provide value in addition to project-based, point-in-time assessments. Assessing continuously, at a regular cadence, as an augmentation to the baseline that point-in-time testing affords, is where I’ve landed as the one-two punch that delivers the most value in a security testing strategy.
Why Continuous Assessment Is Important
The questions you anticipate having to answer for leadership should not be the only factor in determining your testing strategy, but there is no harm in using them as a gauge for the kinds of questions you should want to be able to answer. If a CISO or director of technology security is asked by the C-Suite or other stakeholders things like, “What is the state of our security posture, today?” or “Are we vulnerable to this recent flaw that is getting all the media attention?”, having ready, truthful, accurate answers seems like a no brainer. Without a system or process that is constantly probing, inventorying, assessing, and categorizing, it can be very difficult to attest to the genuine security posture based solely on the results of a traditional pentest. You can see what flaws were present and what flaws have been fixed, in a sense. But what about changes? What is the state now, that day?
That is where continuous testing comes into focus. Continuous testing refers to the ongoing and regular testing of a system or network to identify vulnerabilities and assess the effectiveness of security measures. The goal of continuous testing is to identify and address vulnerabilities rapidly, almost real-time. Strategies vary for how to achieve the most robust and reliable continuous assessment paradigm.
In most cases these strategies include expertly configured and tuned automation systems that gather, inventory, and categorize assets, paired with systems that further identify flaws and vulnerabilities. These systems run in iterative loops, continuing to discover additional threat landscape (assets) while analyzing what is already known for vulnerabilities. Expert manual analysis is usually applied as well, along with emerging technologies like enhanced machine learning or artificial intelligence algorithms. The idea is to have automated mechanisms continuously bubbling up items for manual review and action.
Continuous assessment not only allows you to answer the questions posed by leaders above, but it can also afford you oversight, insight, and peace of mind in between your traditional assessments.
Traditional Pentesting and Continuous Assessment: Why Not Both?
Automation should not be abused or overly trusted; these automation engines need care and feeding, as well as a baseline to start from. That is why, in my opinion, continuous testing should be employed in addition to occasional point-in-time assessments.
Old school testing can be the baseline, and it can add more depth or expertise to the test. Its data can feed continuous assessment systems, serving as the foundation for the tests and as a litmus test for the discovery strategy used by the continuous testing system(s).
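The iterative discover-and-assess loop described under “Why Continuous Assessment Is Important,” and the idea just above of using a point-in-time pentest as a litmus test for automated discovery, can both be made concrete in one small simulation. The following is an added example, not PlexTrac code and not from the original post: it runs entirely on constructed data (hypothetical hostnames, placeholder vulnerability ids, and a hand-written “links” map standing in for DNS or certificate relationships), performs no network activity, and shows one assessment cycle diffing its findings against the previous cycle, queuing new high-severity items for manual review, checking discovery coverage against the pentest’s asset baseline, and answering “are we affected by flaw X today?” from the latest data.

```python
"""Simulated continuous-assessment cycle: iterative asset discovery,
vulnerability matching, diffing against the previous cycle, and a queue of
items bubbled up for manual review. Added example with constructed data; it
is not PlexTrac code and performs no network activity."""
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str, str]  # (asset, vulnerability id, severity)

# Constructed sample data (hypothetical hostnames and placeholder vulnerability ids).
SEED_ASSETS = {"www.example.test"}
LINKS: Dict[str, Set[str]] = {  # relationships discovery follows, e.g. DNS or cert SANs
    "www.example.test": {"api.example.test", "cdn.example.test"},
    "api.example.test": {"db.internal.test"},
    "cdn.example.test": set(),
    "db.internal.test": set(),
}
INVENTORY: Dict[str, Dict[str, str]] = {  # asset -> {product: version}
    "www.example.test": {"nginx": "1.18.0"},
    "api.example.test": {"openssl": "3.0.1"},
    "cdn.example.test": {"nginx": "1.25.3"},
    "db.internal.test": {"postgres": "13.2"},
}
# (product, first fixed version, vulnerability id, severity); all values are constructed
VULN_DB = [
    ("nginx", (1, 20, 1), "VULN-0001", "high"),
    ("openssl", (3, 0, 2), "VULN-0002", "critical"),
    ("postgres", (13, 3), "VULN-0003", "medium"),
]
# Findings recorded by the previous cycle; the legacy host has since been retired.
PREVIOUS_FINDINGS: Set[Finding] = {
    ("www.example.test", "VULN-0001", "high"),
    ("legacy.example.test", "VULN-0009", "high"),
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def discover(seeds: Iterable[str], links: Dict[str, Set[str]]) -> Set[str]:
    """Iterative discovery loop: expand from the seeds until no new assets appear."""
    known = set(seeds)
    frontier = list(known)
    while frontier:
        for related in links.get(frontier.pop(), ()):
            if related not in known:
                known.add(related)
                frontier.append(related)
    return known


def assess(assets, inventory, vuln_db) -> Set[Finding]:
    """Match each asset's inventoried software versions against known flaws."""
    findings: Set[Finding] = set()
    for asset in assets:
        for product, version in inventory.get(asset, {}).items():
            for vuln_product, fixed_in, vuln_id, severity in vuln_db:
                if vuln_product == product and version_tuple(version) < fixed_in:
                    findings.add((asset, vuln_id, severity))
    return findings


def diff_findings(previous, current) -> Dict[str, Set[Finding]]:
    """What changed since the last cycle: newly seen, fixed, and still open."""
    return {"new": current - previous, "fixed": previous - current, "open": current & previous}


def triage_queue(delta, min_severity: str = "high") -> List[Finding]:
    """Items bubbled up for manual review: new findings at or above a severity threshold."""
    return sorted(f for f in delta["new"] if SEVERITY_RANK[f[2]] >= SEVERITY_RANK[min_severity])


def coverage_gap(discovered, pentest_baseline) -> Set[str]:
    """Litmus test: assets in the point-in-time pentest's scope that discovery missed."""
    return set(pentest_baseline) - set(discovered)


def exposed_to(findings, vuln_id: str) -> List[str]:
    """Answer 'are we affected by this flaw today?' from the latest cycle's data."""
    return sorted(asset for asset, vid, _ in findings if vid == vuln_id)


def run_cycle(previous=PREVIOUS_FINDINGS, seeds=SEED_ASSETS, links=LINKS,
              inventory=INVENTORY, vuln_db=VULN_DB):
    """One full cycle: discover, assess, and diff against the previous cycle."""
    assets = discover(seeds, links)
    findings = assess(assets, inventory, vuln_db)
    return assets, findings, diff_findings(previous, findings)


if __name__ == "__main__":
    assets, findings, delta = run_cycle()
    print("assets discovered:", sorted(assets))
    print("manual review queue:", triage_queue(delta))
    print("baseline assets missed:", coverage_gap(assets, {"www.example.test", "vpn.example.test"}))
    print("affected by VULN-0002:", exposed_to(findings, "VULN-0002"))
```

In a real deployment the constructed `LINKS`, `INVENTORY` and `VULN_DB` maps would be fed by the discovery, inventory and scanning systems the post describes, and `PREVIOUS_FINDINGS` by the platform where findings are tracked; the diff is what makes a cycle cheap to review, since only `delta["new"]` needs human attention, while a non-empty `coverage_gap` is the signal that the discovery strategy needs tuning before its results can be trusted.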
Experts Agree: Continuous Assessment Is Legit
But don’t just take my word for it. Continuous assessment is a solid strategy supported by many respected educational and governing organizations in the cybersecurity industry.
OWASP (Open Web Application Security Project) recommends continuous testing as part of their software security verification process. The SANS Institute, a well-respected organization in the information security field, also emphasizes the importance of continuous testing in their “Top 20 Critical Security Controls” guideline.
The Center for Internet Security (CIS) includes continuous testing as a critical control in their “CIS Critical Security Controls for Effective Cyber Defense” framework. The National Institute of Standards and Technology (NIST) also recommends continuous testing in their “NIST Cybersecurity Framework” as a means to identify and mitigate vulnerabilities in a timely manner.
Finally, Gartner, a leading research and advisory company, also recommends continuous testing as a best practice for organizations to identify and remediate security vulnerabilities.
The PlexTrac Solution
The PlexTrac platform can be used as an aid in measuring the maturity and efficacy of offensive security testing efforts and teams. It is designed to provide data on findings’ status, allow teams to collaborate effectively, and provide analytical insights into trends on the data derived from the testing efforts. PlexTrac is the solution for managing the data produced in automated continuous testing efforts to ensure you make real progress in improving security posture.
PlexTrac is a force multiplier for offensive security programs. Book a demo to learn how PlexTrac can accelerate your path to maturity.
Nick Popovich
PlexTrac Hacker in Residence
Nick Popovich’s passion is learning and exploring technology ecosystems, and trying to find ways to utilize systems in unexpected ways. His career has focused on adversarial threat simulation, offensive and defensive security, and advanced technical security assessments. Nick’s mission is to help individuals and organizations involved with defensive security operations to have an opportunity to observe the mechanics and methods of the attackers they’re defending against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of three and a husband to one.