The Expert View: strengthening cyber-security with continuous testing

Vulnerability testing can demand significant time and resources, which is why most organisations don’t do it frequently. However, a growing trend is for automated continuous monitoring to increase security without draining resources.

Security teams are expected to frequently answer a lot of vague questions from C-level executives, said Matthew Fox of Cymulate, opening a recent Business Reporter virtual roundtable. He told the audience of senior cyber-security experts that managers often ask questions such as “How secure are we?”, or “Are we vulnerable to a ransomware attack?”

Answering such questions is not an easy task. Meaningful risk-measurement requires classifying data and systems then balancing their potential vulnerabilities with the potential consequences of an attack. It is vital to identify your “crown jewels” and protect them, but it might be reasonable to leave another vulnerability untouched if it is in a part of the estate where the potential for damage is low.

Sporadic testing

This is further complicated by the fact that situations do not remain static. New vulnerabilities emerge and new attack methods are created. Likewise, every organisation regularly adds new endpoints to their estate, connects new systems together and makes other changes that can increase risk. This is where continuous testing can be advantageous, said Fox.

But for most organisations, security testing still tends to be sporadic. Attendees at the roundtable said they carried out regular penetration testing, perhaps as often as a couple of times a year, and assess security risks if they install a new system. Several attendees said they also used “red teaming” from time to time, but it is too expensive to use often.

Identifying vulnerabilities can be complicated by the split between on-premises systems and cloud services. Any solution organisations employ to identify weaknesses must be able to cover both and not miss links in the chain.

Stretched resources

Another problem that often arises is a disconnect between the company’s theoretical security posture and how it operates in practice. Infrequent penetration testing often focuses on the theoretical posture, whereas continuous monitoring examines how the organisation is operating in real time.

Similarly, tests need to be run against the latest attacks as they are seen in the wild, rather than against a theoretical exploit. Fox also emphasised the importance of identifying vulnerabilities that could be a problem, compared with those that would be a problem. The former might not cause any issues at all, whereas the latter will be damaging in the event of a particular attack.

Attendees noted that when a vulnerability is identified, it can be difficult to find time and resources to fix it. One attendee said his company had recently worked with Microsoft to assess the security of its Office 365 installation. The survey found 10 high-risk and 40 medium-risk situations. Fixing those took three months – and that was just one part of the estate.

Real-time monitoring

Resources are stretched for every IT team, which is why continuous vulnerability testing can seem unrealistic. A system such as Cymulate’s, however, automates much of the process, so it can run in the background and simply alert people when there is a problem. It is still necessary to prioritise, of course.

This kind of system doesn’t replace people, but it does free up busy experts so that they can work on tasks with a higher priority. There will be less emphasis on searching for vulnerabilities, but it’s likely that IT staff will still have to manage the fixes.

Even so, there’s little doubt that it is better to have a continuous, real-time update on vulnerabilities across the estate. It will put you in a position to properly manage your resources to address threats before they spark an emergency. It also means that the IT team has more information with which to answer those vague questions about their organisation’s overall security posture.