When it comes to enhancing cyber defenses, understanding the efficacy of your company’s security stack is important. This is best accomplished by verifying security controls through emulation of real-world attacks rather than paper-based simulations, guided by intelligence about which threats are most relevant to your company. To obtain a comprehensive picture of security efficacy, validation efforts must focus on three areas: technology, people, and process.
I’ve already written on technology performance validation. I’ve also written on how, when applied to recruiting and training, validating people may help bridge the cyber security skills gap by providing a deeper understanding of an individual’s relevant experience and abilities beyond just their years of experience and list of accomplishments.
It is also important to test the process’s efficacy. Processes are the backbone of every business security program, connecting how technology and people work together. Testing how processes perform in the face of technical changes, such as migrating from on-premises to the cloud, application upgrades, and environmental drift, is essential to maintaining the organization’s cyber preparedness.
From war games to real-world attacks, intelligence-led validation informs the best course of action
Internal procedures were traditionally developed by gathering once or twice a year and playing war games on a whiteboard. This is like attempting to explain the entire plot after viewing just one scene of a movie. When automated and run continually to account for changes in the environment, modern security validation technology gives a complete picture of how procedures keep the security program functioning as it should.
Process validation may show that new procedures are required to close certain gaps. For example, you may need to develop a strategy for adopting short-term, quick-reaction modifications such as changing system configurations, or adding processes to account for missed security incidents or alerts that could have a significant impact on the company. In other situations, you may need to develop a longer-term, strategic approach for making essential changes, such as deciding whether new technology investments are required, how they should be financed, or whether your incident response team needs additional training or resources.
In any scenario, when you evaluate the new procedures that must be developed, consider the following:
- Whose opinion do I need if I’m planning to alter or create new processes?
- Who should be involved in the implementation of these changes?
- Which business divisions will be impacted by the additional processes or procedures we develop?
- Who will need to be notified of these changes, and how will I notify them?
- Is there any new automated technology or outside expertise that I should consider using to help keep things operating smoothly?
- Is there a budget for introducing new processes or technology, and if not, are there any short-term, less expensive alternatives I can use? Or, are there any overlapping technologies that I can get rid of to save money?
Once your new procedures are in place, you should validate them to determine if they are successful — and then decide if more modifications are required.
The four areas where verifying processes is beneficial are listed below:
You must test your incident response team’s performance in the event of an incident such as data exfiltration as part of security validation. Your internal process relies on technology such as a next-generation firewall to prevent this sort of attack; if the firewall fails, an IDS (intrusion detection system) should alert your staff. The validation procedure assesses whether or not this method performs as intended by asking:
- Was the attack foiled by the firewall? If not, why not?
- Did the alert go off? If not, why not?
- If the alert fired but the security team did not respond, why not?
- What technological changes are required to stop the assault and provide an alert?
- What has to change on the team’s end when an alert fires?
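As an added example (not code from the original article), the scorecard below turns the results of an emulated data-exfiltration run into exactly the five questions above. It assumes a constructed record format in which each emulated attack is logged with whether the preventive control blocked it, whether a detection alert fired, and when (if ever) a human acknowledged the alert; the scenario names, timestamps and the `ValidationResult` type are all assumptions for the example.

```python
"""Scorecard for an incident-response validation run (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ValidationResult:
    scenario: str                        # constructed name of the emulated attack
    blocked: bool                        # did the preventive control (e.g. firewall) stop it?
    alert_fired: bool                    # did the IDS raise an alert?
    attack_ts: float                     # seconds since run start when the attack began
    alert_ts: Optional[float] = None     # when the alert fired, if it did
    response_ts: Optional[float] = None  # when a human acknowledged it, if anyone did


def classify(r: ValidationResult) -> str:
    """Map one result to the gap category the validation must explain."""
    if r.blocked and r.alert_fired:
        return "prevented_and_detected"
    if r.blocked:
        return "prevented_no_alert"        # control worked, but silently
    if not r.alert_fired:
        return "missed"                    # neither blocked nor detected: technology gap
    if r.response_ts is None:
        return "alert_unanswered"          # detected but nobody acted: process gap
    return "detected_and_responded"


# Each non-ideal category maps to the question the article says validation must answer.
GAP_QUESTION = {
    "prevented_no_alert": "Firewall blocked the attack but no alert fired; why not?",
    "missed": "Attack was neither blocked nor alerted; what technology change is required?",
    "alert_unanswered": "Alert fired but nobody responded; what must change on the team's end?",
}


def scorecard(results: List[ValidationResult]) -> Dict[str, object]:
    """Compute prevention/detection/response rates, timing, and the open gap questions."""
    total = len(results)
    blocked = [r for r in results if r.blocked]
    alerted = [r for r in results if r.alert_fired and r.alert_ts is not None]
    responded = [r for r in alerted if r.response_ts is not None]

    def mean(values: List[float]) -> Optional[float]:
        return sum(values) / len(values) if values else None

    return {
        "prevention_rate": len(blocked) / total if total else 0.0,
        "detection_rate": len(alerted) / total if total else 0.0,
        # response rate is measured only against alerts that actually fired
        "response_rate": len(responded) / len(alerted) if alerted else 0.0,
        "mean_time_to_detect": mean([r.alert_ts - r.attack_ts for r in alerted]),
        "mean_time_to_respond": mean([r.response_ts - r.alert_ts for r in responded]),
        "gaps": [
            (r.scenario, GAP_QUESTION[classify(r)])
            for r in results if classify(r) in GAP_QUESTION
        ],
    }


# Constructed sample run: four exfiltration scenarios with different outcomes.
SAMPLE_RUN = [
    ValidationResult("exfil-over-https", blocked=True, alert_fired=True,
                     attack_ts=0.0, alert_ts=5.0, response_ts=60.0),
    ValidationResult("exfil-over-dns", blocked=False, alert_fired=True,
                     attack_ts=10.0, alert_ts=40.0),           # nobody picked it up
    ValidationResult("exfil-removable-media", blocked=False, alert_fired=False,
                     attack_ts=20.0),                          # silent failure
    ValidationResult("exfil-over-smb", blocked=True, alert_fired=False,
                     attack_ts=30.0),                          # blocked, but no alert
]

if __name__ == "__main__":
    for key, value in scorecard(SAMPLE_RUN).items():
        print(f"{key}: {value}")
```

Run it as a script to print the scorecard for the constructed sample; in practice the `results` list would be populated from the validation platform's run log, and the `gaps` list becomes the agenda for the post-run review with the incident response team.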
When fundamental infrastructure changes, security control configurations and processes will likely need to change with it. Validating both the technology and the procedure will disclose the following:
- Is the security information and event management (SIEM) system still operational after an attack? If not, why not?
- Are all of our systems still communicating with one another as they should?
- When do we introduce human action?
- Where do our systems fail, and how do our practices keep such errors from occurring?
Building New Processes
New processes are frequently required to respond to more sophisticated attack strategies or as part of a major corporate shift such as a merger or acquisition. Validation helps you test the efficacy of new procedures and answer critical questions such as:
- Are my procedures and controls capable of defending us against attacks that are most likely to target us, based on timely threat intelligence?
- Are processes still applicable in the face of known and unexpected infrastructural changes?
- Do our security processes include a broad group of business executives, such as those from legal, IT, HR, investor relations, public relations, and so on?
Security validation should provide you with more context on how processes perform against frameworks such as MITRE, NIST, and others, which should allow you to identify how processes may have to be adjusted by answering these questions:
- Do our procedures allow us to test against, and align with, NIST, MITRE, and other frameworks?
- Do we have the necessary technological and human assets to scale our framework validation processes?
- Can we incorporate other frameworks into existing procedures, or do we need to make adjustments to accommodate a multi-framework approach to security validation?
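As an added example (not code from the original article), the following shows one way to answer the intelligence-led coverage question from the previous section and the framework-alignment questions here: take the techniques that threat intelligence says are most likely to be used against you, weight them by priority, and report which ones your validation runs have actually exercised. The technique IDs are real MITRE ATT&CK IDs chosen as a sample; the priority weights, the control names and the pass/fail results are constructed for the example.

```python
"""Intelligence-weighted ATT&CK technique coverage from validation runs (added example)."""
from typing import Dict, List, Tuple

# Constructed: techniques ranked by threat intelligence, higher weight = more relevant to us.
# IDs are real ATT&CK technique identifiers; the weights are assumed for the example.
INTEL_PRIORITY: Dict[str, int] = {
    "T1566": 5,   # Phishing
    "T1048": 4,   # Exfiltration Over Alternative Protocol
    "T1059": 3,   # Command and Scripting Interpreter
    "T1078": 2,   # Valid Accounts
}

# Constructed: validation results keyed by technique, as (control name, passed) pairs.
VALIDATION_RESULTS: Dict[str, List[Tuple[str, bool]]] = {
    "T1566": [("email-gateway", True)],
    "T1048": [("ngfw-egress-policy", False), ("ids-dns-tunnel-signature", True)],
    "T1059": [],                    # a test exists in the plan but has never been run
    # T1078 has no entry at all: never planned
}

STATUS_WEIGHT = {"validated_pass": 1.0, "partial": 0.5, "validated_fail": 0.0, "untested": 0.0}


def technique_status(results: List[Tuple[str, bool]]) -> str:
    """Summarise the controls tested for one technique into a single status."""
    if not results:
        return "untested"
    outcomes = [passed for _, passed in results]
    if all(outcomes):
        return "validated_pass"
    if any(outcomes):
        return "partial"                # some layers held, some failed: a defence-in-depth gap
    return "validated_fail"


def coverage(priority: Dict[str, int],
             results: Dict[str, List[Tuple[str, bool]]]) -> Dict[str, object]:
    """Weighted coverage score plus the prioritised list of techniques still untested."""
    statuses = {tid: technique_status(results.get(tid, [])) for tid in priority}
    total_weight = sum(priority.values())
    earned = sum(priority[tid] * STATUS_WEIGHT[statuses[tid]] for tid in priority)
    untested = sorted((tid for tid, s in statuses.items() if s == "untested"),
                      key=lambda tid: priority[tid], reverse=True)
    failing_controls = [
        (tid, control)
        for tid, pairs in results.items() if tid in priority
        for control, passed in pairs if not passed
    ]
    return {
        "status": statuses,
        "weighted_coverage": earned / total_weight if total_weight else 0.0,
        "untested_by_priority": untested,
        "failing_controls": failing_controls,
    }


if __name__ == "__main__":
    report = coverage(INTEL_PRIORITY, VALIDATION_RESULTS)
    for tid, status in report["status"].items():
        print(f"{tid}: {status}")
    print(f"weighted coverage: {report['weighted_coverage']:.0%}")
    print(f"untested, highest priority first: {report['untested_by_priority']}")
    print(f"failing controls: {report['failing_controls']}")
```

Adding a second framework means adding a second priority map (for example, NIST CSF subcategories) and a mapping from validation runs to its identifiers; the scoring function does not change, which is the point of keeping the framework key out of the scoring logic.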
Build, fine-tune, and rely on the foundation of your security program
When you validate technology, people, and processes, you ensure that all of your security program’s components are aligned, well integrated, and functioning as intended. People cannot be automated, nor can they operate at machine speed. However, with the correct protocols and training, they will be able to choose the best course of action based on thorough testing and validation. You can then develop new procedures and improve current ones to ensure that the foundation of your security program is robust.