How a focused approach boosts cybersecurity returns
Carl Mazzanti//December 4, 2023//
Companies are spending more – a lot more – on cybersecurity, according to multiple reports. But even though total worldwide outlays have gone up some 70% in the last four years and are projected to reach $215 billion in 2024, many companies are questioning the return on their spending.
Proactive organizations, however, work with IT support services providers to conduct validation exercises that can ensure their cybersecurity investment pays off. This generally involves simulated cyberattacks, security testing, and continuous monitoring. These kinds of activities can help organizations identify and prioritize their security gaps while also allowing them to improve their security posture and meet regulatory requirements.
Manufacturers, for example, increasingly rely on data, information and “smart,” internet-connected devices and other technologies to run their operations efficiently. Defending these assets from disclosure, modification, disruption or improper use is a critical aspect of operations and of demonstrating compliance with a host of technical, legal and corporate regulations.
The regulatory landscape began exploding in 2018, starting in the EU with the General Data Protection Regulation. The U.S. soon followed suit as multiple states passed such data protection laws as the California Privacy Rights Act. Nationally, the Sarbanes-Oxley Act mandates formal data security policies for any publicly traded company, and the Federal Trade Commission Act requires companies to demonstrate that they have a plan in place to keep data safe and dispose of it securely. Additionally, small, medium and large businesses across industries are subject to compliance and other regulations under the Payment Card Industry Data Security Standard, which imposes requirements on the transfer of credit card data.
Different cybersecurity validation strategies have their own benefits and limitations, so a variety of assessments may be deployed. Three common ones are breach and attack simulation (BAS), red teaming and penetration testing.
BAS involves continuously testing the security posture of an organization by using automated tools to simulate realistic cyberattacks. This process helps to identify vulnerabilities, gaps, and misconfigurations in a company’s security controls and processes. It also provides actionable recommendations and remediation guidance to improve the security posture.
Performed continuously or periodically, BAS covers the entire attack surface of an organization and, as such, is useful in identifying common vulnerabilities and maintaining a baseline security posture. The process is highly automated and typically requires minimal interaction with a company’s security team.
For example, a BAS might simulate a malware infection or data exfiltration, and the resulting report will detail the success rate of defense against attacks. Once the security team makes adjustments to controls and procedures, another BAS will provide quantitative measurement of the updated defenses.
Penetration testing involves ethical hackers who conduct authorized attacks on specific systems, networks, or applications using the same tools that an adversary might use. Performed occasionally, it involves moderate interaction with a company’s security team, and has proven to be particularly useful in validating the security of specific systems as well as in identifying complex vulnerabilities.
While more time-consuming and expensive than a BAS, penetration testing offers greater scope, depth, and accuracy. Many organizations use BAS to monitor their security posture and then use penetration testing to perform a deeper analysis, identifying and fixing vulnerabilities.
BAS and penetration testing take a wide view, aiming to identify as many vulnerabilities as possible. A supplemental approach, called “red teaming,” has a narrower but still-crucial focus: targeting a specific objective – such as disrupting a particular service or compromising a specific account – using a group of ethical hackers who mount offensive efforts.
To counter this, a “blue team” devises defensive cybersecurity strategies. So, while the red team launches simulated attacks against the target, the blue team monitors and responds to the incidents. The tactics of both teams provide valuable feedback on the effectiveness and resilience of an organization’s security defenses and incident response, but they require careful planning and communication, and should only be performed by qualified professionals who have the necessary skills and experience.
These and other kinds of cybersecurity assessments, coupled with effective security awareness training, can help to ensure that organizations are getting the best return on their cybersecurity investments.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.