Since cyber-attacks are constantly evolving, security testing needs to evolve in response. But that rapid change can sometimes lead to confusion. To help organizations better understand security testing techniques, and how they can be used to help safeguard organizations, Mark Whitehead, Global Vice President, SpiderLabs Consulting, recently led his team in the creation of a new e-book, Once and Future Threats: What Security Testing Is and Will Be.
To learn more about what insights organizations and cybersecurity decision makers can glean from this book, we interviewed Mark.
Q. What led to the creation of this new e-book?
Mark: As we were creating the 2020 Trustwave Global Security Report, which is very data focused, I realized that the story that data sometimes doesn’t tell is about the risk that organizations have struggled to quantify for years. Especially the risk that large organizations face that can’t be automated away – and can’t always be prevented as part of a traditional security program.
So, we saw that there was an opportunity to talk to some of our top testers and our biggest clients to look at a whole body of work from over a year. That enabled us to tell a story from almost an attacker mindset on things that organizations should keep in mind when they’re evaluating what solutions they’ll need to put in place.
Q. What is the biggest misconception about security testing?
Mark: You can automate certain things – but no one has been able to out-automate a persistent attacker that wants to go at your organization day and night, 365 days a year. Some organizations invest in a certain technology and then feel like they can check the “mission accomplished” box – but when you look at examples of attacks, some of which have been around for a long time – someone still needs to find the vulnerability.
There’s an art to finding vulnerabilities… and I think many organizations don’t always realize that. We tried to illustrate that with some examples in the e-book, so that we could help decision makers gain a clearer picture of why security testing is so important.
Q. What are the trends in security testing that you think people should be aware of in 2020?
Mark: There’s going to be a lot of emphasis on Open Source Intelligence (OSINT). There’s a lot of information out there that attackers can still use, and as more data is getting pushed out, especially with the increase in social media, there are more chances of major slip ups.
You’ll also start to see a lot more focus around cloud testing – and one thing I like to remind organizations of is that your cybersecurity company should be able to do security testing in the cloud, as it’s not that different from on-premises testing.
Internet of Things (IoT) and non-traditional form-factor devices will be another big area of concern – especially as they begin to intersect with 5G technology. Any time new technologies come online, they bring with them new risks. A lot of organizations haven’t begun to think about the power of a phone or a TV stick that’s attached to their network. They should have prepared for that years ago and not in 2020, as even more diverse form factors enter enterprise networks.
Q. How can organizations create an integrated approach to their security management? Are there any key services or solutions that can help?
Mark: Everyone is starting to realize that there is no silver bullet. But when you look at the keys of security management, I always go back to the National Institute of Standards and Technology (NIST) security framework.
When I look at what makes a good security program, I believe organizations that incorporate a framework like NIST into their approach are more successful – because it helps them define what their program is working towards. Can your security help your organization Identify, Protect, Detect, Respond and Recover? If not, what are you wasting your time on? Testing services and solutions are huge – because they help organizations know their assets and find out where those assets are vulnerable.
Environments have become so big that organizations realize they need to focus on critical assets, to ensure they are able to respond and recover from the inevitable breaches that will take place. When you talk to many CISOs across industries, the newer CISOs are staying awake wondering when a breach will happen. Experienced CISOs assume that a breach is happening and focus on how to quickly identify and respond to it.
I think that’s the mind-shift that can help organizations as they build out their security management – assume that attacks will happen. Then ensure you have both the proactive and reactive services to handle it, in addition to finding ways to automate very simple things.
Q. What is the key takeaway from this book that you think would be helpful to other cybersecurity leaders?
Mark: The reason we wrote the e-book is there’s a lot of confusion out in the market. For example: Does a vulnerability assessment do a penetration test? Is a penetration test a red team? This e-book will help cybersecurity leaders understand and define those kinds of concepts, so they can better utilize them to help their cybersecurity.
Another takeaway I hope people take from the book is a better understanding of what Trustwave SpiderLabs does and how we align with some of the other cybersecurity firms out there. Because by better defining the industry nomenclature, we can collectively create a better understanding of what we all do, and help our customers better understand how we create value for them.
Download the complimentary e-book, Once and Future Threats: What Security Testing Is and Will Be, to learn more about security testing techniques and how they can be used to benefit your organization.
Evan Sharenow is the content marketing manager at Trustwave.