SANS is seeking some quick feedback on how security practitioners handle testing your security controls. Please take our poll here, https://www.surveymonkey.com/r/SecurityTestingPoll.
Security has been likened to a game of catch-up: as soon as security pros identify a threat or attack, the attackers move on to another, different or more sophisticated attack. To prevent such attacks, security practitioners often use perimeter vulnerability scanning, pen testing, managed security services and red teaming, all of which have benefits — but are only as useful as their scope and frequency. And in many cases, security has been reactive, not proactive.
SANS believes that threats don't care about scope, and threats play to all of your vulnerabilities — not just the ones you think you have tested.
One way out of this troubling scenario is to first examine how you handle testing security effectiveness, and then how to improve the testing of your security controls, according to SANS Analyst Matt Bromiley in an upcoming SANS Analyst Paper. (Register here for his webcast about the research paper.)
Organizations should start by asking these three significant questions:
- What is the state of your security controls testing?
- How much of your organization can and has been tested?
- Are you acting on the data that comes from the testing?
He then recommends evaluating the strengths and weaknesses of testing approaches, including vulnerability scans, pen testing, and threat simulation.
"One advantage security pros have is that they can shift their security testing from a point in time to a more proactive one, including proactively testing continually, rather than at set points," he says. "This helps avoid getting caught in a patch cycle mindset and helps identify threats that might otherwise be missed."
Please join Matt's Oct. 22 webcast, in which he will share data as well as provide specific guidance on evaluating security controls and implementing a more effective approach.