In times such as these, there is no resting on one’s security laurels.
Encouraged by the lucrative nature of ransomware and other malware scams, cybercriminals work tirelessly to find new ways to break into IT systems. Hence, organizations must constantly assess their risk profile and find any possible weak spots before the bad actors find them.
Here are some of the top trends in security assessment:
1. Automated security testing
Jagjit Dhaliwal, VP and global CIO industry leader at UiPath, emphasized the critical nature of security testing as part of enterprise security assessment practices to detect issues before they disrupt the business.
He noted, though, that due to the tedious and time-consuming nature of such work, many enterprises are streamlining their testing processes with automation. Automated testing with robotic process automation (RPA) combined with omnichannel testing capabilities can accelerate scaling through continuous testing, cross-enterprise collaboration, and a consistent approach to creating and deploying automations.
“With security personnel already strained, automated testing benefits practitioners who create automations and stakeholders who depend on automations, including transformation leaders, business users, customers, and partners,” Dhaliwal said.
2. Prioritization of remediation
Some hope that security assessments will eventually find that there are no more vulnerabilities to plug, no more potential weaknesses to remediate, and no more patches to deploy. This nirvana, however, is unattainable.
“The remediation time of complex cybersecurity problems varies for each industry and their proprietary business operations,” said Davis McCarthy, principal security researcher at Valtix, a Santa Clara, Calif.-based provider of cloud native network security services.
“This has created a growing need for security assessments that help prioritize remediation based on an organization’s subjective threats.”
The correct viewpoint for management teams, and one they are starting to embrace, is something that security professionals have echoed for years: it is not a question of if a breach will occur, but when. Assessments are therefore becoming more proactive and are ranking remediation actions by the threats and assets that matter most to the organization, instead of simply ticking every box where a potential weakness might exist.
3. Penetration testing
Andrew Obadiaru, CISO at Cobalt, expects the internet of things (IoT) device market and ransomware-as-a-service markets to mature in 2023.
Therefore, identifying threats and patching promptly will be critical for organizations to remain safe and protect valuable, sensitive, and personal information.
He recommends that security teams routinely use pen testing to check every possible access point to ensure they are not current — or future — victims of an attack. The OWASP “Top 10” and SANS “Top 20,” he added, are key tools helping organizations prevent malicious attackers.
“Without turning to reliable and credible sources, there is great risk of exposed vulnerabilities,” Obadiaru said.
4. Insider threat assessment
There is rising recognition in the industry that not all security threats originate from outside the organization or come via internet connections.
There are also threats from within the perimeter and an even greater threat from trusted insiders. Think of a system administrator who feels mistreated or an accounting manager with gambling debts, said Frank Scavo, president of Avasant Research, based in Los Angeles.
Therefore, an organization’s security program should include an assessment of insider threats. At a minimum, a formal set of policies and procedures is needed, such as immediately terminating system access when an employee is let go.
In addition, Scavo recommended tools and services that can automate parts of the assessment by aggregating information from internal and external sources. Internal HR systems, for example, might provide data on excessive absenteeism or disciplinary issues. Access control systems, too, might log attempts to download confidential data. And external data sources might gather data on lawsuits or credit scores, just as might be done during a new hire background check.
“These tools look for a combination of factors to identify employees who may represent a higher risk so an investigation may be performed if warranted,” Scavo said.
“In highly secure environments, these types of tools can be an important part of the solution.”
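As an added illustration of the aggregation Scavo describes, the following Python is example code written for this page; it is not part of the article and not Avasant's tooling. It joins a constructed HR extract with a constructed access-control log, scores each employee on the signals named above (bulk downloads of confidential data, a disciplinary record, excessive absenteeism) plus one signal the section's own policy advice implies, access logged after an employee's termination date, and returns the accounts that merit a human investigation. All field names, the log format, thresholds and weights are assumptions.

```python
"""Insider-risk triage over constructed HR and access-control samples.
Added example; not code from the article or from Avasant Research."""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR extract with hypothetical field names.
HR_RECORDS = {
    "jdoe":   {"status": "active",     "term_date": None,             "absent_days_90d": 2,  "disciplinary": 0},
    "asmith": {"status": "active",     "term_date": None,             "absent_days_90d": 14, "disciplinary": 1},
    "bwu":    {"status": "terminated", "term_date": date(2023, 3, 1), "absent_days_90d": 0,  "disciplinary": 0},
    "clee":   {"status": "active",     "term_date": None,             "absent_days_90d": 1,  "disciplinary": 0},
}

# Constructed access-control log in a hypothetical format:
# <ISO-8601 UTC timestamp> <user> <action> <classification> <object>
ACCESS_LOG = """\
2023-03-02T09:12:44Z jdoe   download confidential /finance/q1-forecast.xlsx
2023-03-02T09:15:01Z asmith download confidential /hr/salary-bands.xlsx
2023-03-02T09:16:30Z asmith download confidential /hr/exec-comp.xlsx
2023-03-02T09:20:10Z asmith download confidential /legal/merger-draft.docx
2023-03-02T09:22:05Z asmith download confidential /legal/term-sheet.pdf
2023-03-03T11:40:00Z bwu    download confidential /eng/source-archive.zip
2023-03-03T12:01:12Z clee   view     internal     /wiki/onboarding
2023-03-03T12:05:00Z jdoe   download internal     /wiki/expense-policy.pdf
"""

# Hypothetical thresholds and weights; tune them to your own environment.
CONFIDENTIAL_DOWNLOAD_LIMIT = 3   # downloads of confidential objects that count as bulk
ABSENCE_LIMIT_DAYS = 10           # absent days in 90 days worth a closer look


def parse_access_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, label, obj = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "label": label, "object": obj,
        })
    return events


def score_user(user, hr, events):
    """Combine HR signals and access-log signals into (score, reasons) for one employee."""
    score, reasons = 0, []
    confidential = [e for e in events
                    if e["action"] == "download" and e["label"] == "confidential"]
    if len(confidential) >= CONFIDENTIAL_DOWNLOAD_LIMIT:
        score += 2
        reasons.append(f"{len(confidential)} confidential downloads")
    if hr.get("disciplinary", 0) > 0:
        score += 1
        reasons.append("disciplinary record")
    if hr.get("absent_days_90d", 0) > ABSENCE_LIMIT_DAYS:
        score += 1
        reasons.append(f"{hr['absent_days_90d']} absent days in 90 days")
    # Any access after the termination date means offboarding failed to
    # revoke access: weighted highest because it is both a risk and a policy gap.
    term = hr.get("term_date")
    if term is not None:
        late = [e for e in events if e["ts"].date() > term]
        if late:
            score += 3
            reasons.append(f"{len(late)} access event(s) after termination on {term}")
    return score, reasons


def triage(hr_records, log_text, min_score=2):
    """Return [(user, score, reasons)] for accounts at or above min_score, highest first."""
    by_user = defaultdict(list)
    for event in parse_access_log(log_text):
        by_user[event["user"]].append(event)
    results = []
    for user, hr in hr_records.items():
        score, reasons = score_user(user, hr, by_user.get(user, []))
        if score >= min_score:
            results.append((user, score, reasons))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    for user, score, reasons in triage(HR_RECORDS, ACCESS_LOG):
        print(f"{user:8s} score={score}  " + "; ".join(reasons))
```

The output is a ranked shortlist, not a verdict: as Scavo says, the point of combining factors is to decide where an investigation is warranted, and the post-termination hit is the one that should also go straight back to the offboarding process as a control failure.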
5. SecOps automation
Automation was a recurring theme among the experts interviewed. This is driven by the need to secure an increasingly complex and expanding attack surface.
“To manage this workload, successful organizations are investing in SecOps automation solutions to dramatically enhance the output and prioritization of their limited human capital,” said Christopher Perry, director of technology, office of the CTO, BMC.
Simply knowing that there is a vulnerability is not enough, he added. Is the vulnerability on a forward-facing application? Running a critical business service? Does it have compensating controls?
“Tooling that provides business criticality and insight allows SecOps teams to prioritize efforts and further reduce organizational risk beyond a standard security assessment,” Perry said.
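To make the prioritization described in sections 2 and 5 concrete, here is an added example in Python; it is not BMC's or Valtix's tooling and not code from the article. It scores a set of constructed findings by their CVSS base score adjusted for the three questions Perry raises: whether the asset is internet-facing, whether it runs a critical business service, and whether compensating controls are in place. The weights, bucket thresholds, finding names and field names are all assumptions.

```python
"""Context-aware vulnerability prioritization over constructed findings.
Added example; not the article's or any vendor's code."""
from dataclasses import dataclass, field

# Hypothetical weights; tune them to your own risk appetite.
EXPOSURE_WEIGHT = {"internet": 1.5, "partner": 1.2, "internal": 1.0}
CRITICALITY_WEIGHT = {"critical": 1.5, "standard": 1.0, "low": 0.7}
CONTROL_DISCOUNT = 0.2   # each compensating control removes 20% of the score ...
CONTROL_FLOOR = 0.4      # ... but never below 40%: controls reduce risk, not remove it
P1_THRESHOLD, P2_THRESHOLD = 15.0, 8.0


@dataclass
class Finding:
    name: str
    cvss: float            # CVSS base score from the scanner
    asset: str
    exposure: str          # key of EXPOSURE_WEIGHT
    criticality: str       # key of CRITICALITY_WEIGHT
    controls: list = field(default_factory=list)   # e.g. ["waf"], ["network_segmentation"]


def contextual_score(f: Finding) -> float:
    """CVSS scaled by exposure and business criticality, discounted for controls."""
    if f.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"unknown exposure {f.exposure!r} for {f.name}")
    if f.criticality not in CRITICALITY_WEIGHT:
        raise ValueError(f"unknown criticality {f.criticality!r} for {f.name}")
    score = f.cvss
    score *= EXPOSURE_WEIGHT[f.exposure]
    score *= CRITICALITY_WEIGHT[f.criticality]
    score *= max(CONTROL_FLOOR, 1.0 - CONTROL_DISCOUNT * len(f.controls))
    return round(score, 2)


def bucket(score: float) -> str:
    """Map a contextual score to a remediation priority."""
    if score >= P1_THRESHOLD:
        return "P1"
    if score >= P2_THRESHOLD:
        return "P2"
    return "P3"


def prioritize(findings):
    """Return [(name, contextual_score, bucket)] highest priority first."""
    scored = [(f.name, contextual_score(f), f.cvss) for f in findings]
    scored.sort(key=lambda s: (-s[1], -s[2], s[0]))
    return [(name, score, bucket(score)) for name, score, _ in scored]


# Constructed findings: two identical-severity RCEs in different contexts,
# plus two lower-severity issues whose order flips once context is applied.
SAMPLE_FINDINGS = [
    Finding("rce-on-customer-portal", 9.8, "portal-web-01", "internet", "critical"),
    Finding("rce-on-build-server", 9.8, "ci-runner-03", "internal", "critical", ["network_segmentation"]),
    Finding("xss-on-marketing-site", 6.1, "www-04", "internet", "standard", ["waf"]),
    Finding("sqli-on-intranet-wiki", 8.8, "wiki-01", "internal", "low"),
]

if __name__ == "__main__":
    for name, score, prio in prioritize(SAMPLE_FINDINGS):
        print(f"{prio}  {score:6.2f}  {name}")
```

Sorted by raw CVSS, the two 9.8 remote code execution findings tie and the 8.8 intranet SQL injection outranks the 6.1 marketing-site XSS. With context applied, the internet-facing portal is the only P1, the segmented build server drops to P2, and the internet-facing XSS edges ahead of the low-criticality intranet wiki. That reordering is the insight Perry describes: the same scanner output, ranked by where the business would actually be hurt.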