If you want to protect a valuable asset against threats, it’s essential to identify where vulnerabilities exist. This is a core concept in cybersecurity and part of the daily mission of defenders.
Yet the most effective approach for risk and vulnerability management has shifted in parallel with larger changes in computing. The evolving nature of penetration testing is one telling example of this phenomenon.
Penetration testing remains a core cyber defense strategy for many organizations. While vulnerability scanners can help identify threats and facilitate patching of security gaps, penetration tests can identify highly complex attack vectors and illuminate the damage that could be done if the identified threats were exploited.
In other words, penetration testing is an active strategy that allows one to assume the mindset, tactics and techniques of attackers, identify threats and game out the consequences of inaction. It’s a great way to vigorously vet the resiliency and strength of an organization’s security posture.
However, conventional pen tests (at least as part of a standalone testing strategy) are out of step with the dynamic nature of today’s security environments — and not up to the challenge of effectively identifying evolving threats.
THE LIMITS OF CONVENTIONAL DATA PENETRATION TESTING
Let us give you an example of the limits of manual testing:
- Company X hires a well-known consultant to perform manual penetration testing on a yearly basis.
- Skilled cybersecurity personnel conduct thorough tests/audits and uncover several key vulnerabilities.
- A few weeks later, a penetration testing report is issued by the consultant.
- The vulnerabilities are addressed and the CISO of Company X reports that the exercise has greatly strengthened organizational security.
Superficially, this sounds like a success story. A group of experts rooted out critical problems and those problems were remediated. Yet upon closer inspection, you can begin to see the problems with this picture.
First, Company X may not have the expertise to gauge the reliability of the consultant’s results or the skills of its experts. It must rely on reputation. Yet even more importantly, the test — even if executed brilliantly by a team of pros — is a snapshot of a long elapsed point in time. A report issued weeks after a test may have been acceptable practice years ago, but it is wildly outmoded today. It’s the cybersecurity equivalent of reading last month’s newspaper for insight on what’s happening today.
So what has changed to make point-in-time testing much less useful? It’s simple: Computing today is all about speed and agility, as enterprises need to develop and deliver new products and services quickly. The dynamism of cloud and hybrid environments means that the only thing constant is change — and testing needs to reflect that reality.
Which brings us to automation.
WHY AUTOMATED PENETRATION TESTING IS THE RIGHT TOOL FOR TODAY’S CHALLENGES
Automation allows us to retain the very real benefits provided with pen testing while closing the two most significant flaws of manual tests: Their lack of timeliness and their expense.
Breach and attack simulation (BAS) software is designed to act much in the same way as a traditional pen test or red team penetration testing. A BAS platform identifies vulnerabilities by continuously launching simulated attacks against an organization’s defenses, then providing remediation guidance once security gaps are discovered. It’s the same process used by a manual pen test, but radically accelerated. Instead of weeks, vulnerabilities can be identified and addressed within the same day.
XM Cyber’s industry-leading BAS solution is the only automated penetration testing tool in the market optimized for hybrid environments — making it the perfect choice for organizations seeking to comprehensively upgrade their security.
When used in conjunction with standard detection tools and episodic manual tests, automated testing can help provide the foundation for an extremely robust security posture that is aligned with the dynamic nature of modern computing.
We urge you to consider moving beyond the limitations of point-in-time testing — and to reap the benefits of automated breach simulation.
Tamir Shriki is Customer Operations Manager, XM Cyber