By David Finger | Republished from the Fortinet Blog

According to Gartner, 78% of organizations use 16 or more security tools and more than $150B is spent on cybersecurity every year. Further the Gartner hype cycles for cloud, network, application, and endpoint security cover more than 60 products.

Despite all of these security solutions and spending, it remains difficult to definitively answer a key question: “How secure is our organization?” Let alone, “Are we protected from [the latest] cyber attack?” Here are some ways to start answering those questions.

Security Scoring

Whether internally developed or established by industry available tools, key performance indicators (KPIs) can be used to assess your cybersecurity posture across all security configurations and controls. KPIs are one way to answer the question of how secure an organization may be either as an absolute, based on its historical levels, or as compared to organizations of similar size, geographies, or business. Using KPIs can provide a relative assessment that can be considered reasonable. But simply being better than the average does not necessarily mean that your security is adequate for your level of risk.

Penetration Testing

To understand your real risk of an incident, you can engage a red team of ethical hackers to attempt to breach your security configurations, controls, and teams. These groups are experts in the latest tools, techniques, and tactics. They act like cyber criminals and attempt to breach your defenses, which is an excellent way to stress test every aspect of your security, including employee awareness. This approach helps you determine which defenses are strong and which are weak. A key limitation is that it is dependent on the expertise of the red team and it only occurs at a single point and defined scope of attack.

Breach Attack Simulation

Breach attack simulation (BAS) is similar to penetration testing. Like penetration testing, it attempts to assess the totality and effectiveness of your defenses, but it uses automation tools to seek entry, rather than human experts. BAS can be run regularly and broadly, rather than at a single point in time or scope. However, the attacks are more programmatic, so they may be less sophisticated or customized than penetration testing.

Independent Cybersecurity Effectiveness Testing

In addition to the organization-specific assessment of overall cybersecurity, expert test labs run independent assessments of specific security tools. These assessments often benefit from a much larger sample set of attacks, since they are relevant to a broad set of organizations. And in many cases, they can provide comparative scoring for security tools of the same type. The common downside is that they operate in a lab, rather than the real-world. The conditions may vary from those of your organization, particularly over time. The assessments also typically focus on just one type of control, such as network security, email security, or endpoint security. They rarely test combinations of controls.

At Secure Cyber Defense, we value the insights driven by the CIS Top 20 Controls evaluation. Prioritization is a key benefit to the CIS Controls. They are designed to help organizations define the weak points of their cyber defenses, direct their scarce resources on actions with an immediate and high-value payoff, and then focus their attention and resources on additional risk issues that are unique to their business or mission and where to plan for further investments. Secure Cyber Defense recently became CIS SecureSuite Members which provides us with additional tools for cybersecurity evaluation as well as tools our clients can utilize throughout their plan upgrades and to assist in their future cybersecurity planning process.

MITRE Engenuity ATT&CK Evaluations

MITRE Engenuity’s ATT&CK Evaluations are another useful tool. The evaluations test a range of security tools that are typically in the same category and expose them to a single or small number of sophisticated cybercriminal campaigns. These campaigns are comprised of a series of tactics and techniques that are designed to accomplish a defined cyber mission. The key benefits of this approach are:

  • Enterprise security teams to see the inner workings of cybersecurity controls. They can understand not only what the solution detects but also why and how it performed. Seeing the process can give teams more confidence in the type of protection they have. The evaluation goes beyond a single attack, sample set, point in time, or control. Evaluation results also can be combined across controls for a more comprehensive view of coverage or exposure.
  • Security vendors get an independent assessment of their product’s capabilities through the lens of the cybercriminal and a real-world campaign. They also have a collaborative community that can help them continuously improving the capabilities of their security products.

The primary drawback is that tactics and techniques evolve over time and the evaluation results are constrained to the scope of the campaigns that are run. The also focus only on detection of the attack technique, with no ability to assess what else (including legitimate operation) that might be flagged by the control.

Conclusion

Answering tough questions like “How secure are we?” or “Are we protected from [fill in the blank]?” requires considering a range of resources. If your objective is to do more than the average organization, security scoring is a great tool. If your objective is to push your security posture to higher levels, cyber security assessments, penetration testing and/or breach attack simulation are great aids. For granular assessments of individual security controls at points of exceptional risk, independent effectiveness testing and configuration analysis can help. And for planning and implementing a rigorous and resilient defense based on capabilities across controls in aggregate, the MITRE ATT&CK Evaluation is a valuable tool. Finally, if you have questions that relate to a specific cyberattack or campaign, you should talk to your security vendor to get the answers you need.