Three ways legacy security testing tools compromise your security posture

Identifying and managing security risks by piecing data together in spreadsheets can overburden your already short-staffed security team. Yet 73% of organizations report that spreadsheets play a key role in security hygiene and posture management.

Lori Cornmesser, Vice President of Worldwide Channel Sales, CyCognito

IT risk management has become more challenging than ever. The increasing pace and complexity of business combined with the cloud computing explosion, an increase in third-party vendors, and the growing remote and hybrid workforce during the pandemic, have created a perfect storm for risk exposure. As if that weren’t enough, we’re also dealing with a cybersecurity skills shortage. In short, what this means is that your security team is facing more risk than ever while being understaffed. In such challenging times, how can your organization better address these growing challenges?

Here are three areas where automation can help shift the balance back in your favor:

  • Contextualize risk. One of the biggest problems with legacy vulnerability scanners is that they overwhelm security teams with too many common vulnerabilities and exposures (CVEs). Over time, this constant stream of “high priority” or “critical” alerts can desensitize the team’s responsiveness.

The core issue with these legacy technologies is that, when determining severity, they ignore critical contextual aspects such as an asset’s importance to the business, the kind of data potentially at risk, and how discoverable or exploitable the asset is. For example, the difference between an exploitable mainframe and an “empty” Apache server makes a world of difference from a business perspective. Yet the IP addresses for both can look identical to a legacy CVE scanner.

Security teams must leverage technologies that help them associate IT assets—previously unrelated IP addresses, devices, apps and certificates—with specific organizations that are part of the extended IT ecosystem. Having this context helps teams prioritize their lists. This also helps with efficiency and builds trust between internal teams that need to come together to identify and then remediate risks: security, IT, engineering, and management.
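To make the contextualization argument concrete, here is an added illustration (not CyCognito code or a real product's scoring model) in which the same scanner finding is ranked by asset criticality, data sensitivity, exposure and exploitability instead of by raw CVSS alone. Asset names, CVE identifiers and the weighting factors are constructed placeholders.

```python
"""Context-aware prioritization of scanner findings (constructed illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (business-critical), set by asset owners
    data_sensitivity: int   # 1 (public data) .. 5 (regulated / crown-jewel data)
    internet_exposed: bool  # discoverable from outside the perimeter?
    owner: str              # team the remediation ticket is routed to


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    cvss: float             # scanner's technical severity, 0..10
    exploit_available: bool # is a public exploit known for this CVE?


def contextual_score(f: Finding) -> float:
    """Weight technical severity by business context (toy model; weights are assumed)."""
    context = (f.asset.criticality + f.asset.data_sensitivity) / 10  # 0.2 .. 1.0
    exposure = 1.0 if f.asset.internet_exposed else 0.5              # internal-only halves it
    exploitability = 1.0 if f.exploit_available else 0.8              # no known exploit lowers it
    return round(f.cvss * context * exposure * exploitability, 2)


def prioritize(findings):
    """Return (cve, asset, score, owner) tuples, highest contextual risk first."""
    ranked = sorted(findings, key=contextual_score, reverse=True)
    return [(f.cve, f.asset.name, contextual_score(f), f.asset.owner) for f in ranked]


# Constructed sample: both assets are internet-facing, so a legacy scanner sees
# two look-alike IPs; the business context behind them is very different.
MAINFRAME = Asset("payroll-mainframe", 5, 5, True, "core-it")
EMPTY_WEB = Asset("apache-placeholder", 1, 1, True, "web-platform")
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", EMPTY_WEB, 9.8, False),   # "critical" on an empty server
    Finding("CVE-PLACEHOLDER-1", MAINFRAME, 9.8, True),    # same CVE on the mainframe
    Finding("CVE-PLACEHOLDER-2", MAINFRAME, 5.3, False),   # "medium" on the mainframe
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

The medium-severity mainframe finding outranks the critical one on the empty server, which is the ordering a raw CVSS sort cannot produce.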

  • Validate your security hygiene. With so many cyber threats to defend against, how can a business know that its cyber defenses are up to par? The answer to this question is security hygiene, which includes testing security configurations to ensure they’re designed and working appropriately. For instance, this might involve validating that a web application is built or configured according to a company’s standards. Unfortunately, due to the time required to perform security testing, most organizations only test a fraction of their environment. For example, a large organization with 100+ web apps might only test ten of those apps. The problem with this approach is twofold:
  1. It can create a false sense of security. Recalling the example above—just because 10% of a company’s web apps are secure doesn’t mean the other 90% are as well.
  2. Threats and systems change constantly. An application that was secure yesterday may no longer be effective at mitigating a danger today.

The only way to truly affirm your security effectiveness is through continuous security testing, leveraging industry best practices such as MITRE ATT&CK for Enterprise (ATT&CK). This framework takes the perspective of an adversary trying to hack into a company using various known attack vectors. In addition, it provides a library of real-world hacking activities for companies to simulate in their networking environment.  

However, without automation, obtaining this level of security validation is impossible. Automation gives red teams (e.g., penetration testers, ethical hackers) the ability to run exercises and test enterprise security hygiene and posture. Automation also gives blue teams (e.g., the security defense group) the ability to continuously validate that defenses are configured correctly and that they can prevent or defend against any attack. 

  • Connect the dots more quickly. Besides using tools and solutions that provide contextual awareness, help prioritize your “to do” list, and validate your cybersecurity effectiveness, you also need to automate the remediation process. For example, consider the process of discovering a dangerous vulnerability in a web app. Security personnel must run multiple scans and consult asset management databases to determine app owners and authorized users. Using legacy application security testing tools, these processes can take days to perform. Not only is this costly, but it gives attackers more time to expand their attack surface and explore additional vulnerability points. Automation tools can help security teams more quickly connect the dots, accelerating the time-to-remediation from months or weeks to days or hours. 

Final Thoughts

One thing that the security topics of prioritization, validation and remediation have in common is time and its relationship with the other principles of attack surface management. Solid processes, automated at scale, help eliminate material risk faster for significantly stronger security. Focus on these three things as you work to reduce your process times:

1. Identify your top 10 security gaps. For most organizations, their external attack surface—assets exposed to the internet—is their biggest weakness. It can take several months (sometimes years) to learn about unknown or unmanaged networks, cloud environments, and acquired subsidiaries without good visibility.

2. Decrease your MTTR. The mean-time-to-respond (MTTR), repair or remediation is a key indicator of a security team’s ability to control and reduce risks in a timely fashion. If your MTTR is measured in months, slow attack surface mapping and risk prioritization are usually the key culprits. Focus on decreasing the time it takes to find networks, applications and cloud environments—especially those you don’t manage—and find ways to contextualize assets and risks.

3. Empower your security team. Chances are your security team is already stretched thin; they can’t accommodate more manual security tasks without compromising the ones they’re already working on. So instead, empower your team with automated solutions that can reduce their burden and enable them to use their expertise in other mission-critical areas.

Lori Cornmesser is Vice President of Worldwide Channel Sales for CyCognito, a company focused on solving one of the most fundamental business problems in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure.