ISACA Now Blog


Continuous Security Validation

Berk Algan, CISA, CGEIT, CRISC, CIPP - Sr. Director of Global Services Governance at Silicon Valley Bank (US)
Posted at 2:59 PM by ISACA News | Category: Risk Management

No corporate executive should feel secure.

Every day, we keep hearing about yet another company getting hacked or losing sensitive data. Many enterprises do not even realize their systems are compromised until they receive an unexpected notification from an external party. Cybersecurity remains a top risk for companies and a hot topic for boardrooms.

To fend off cyber threats, most companies focus on:

  • Hiring security professionals or third parties with expertise in various security domains
  • Establishing processes such as patch management and asset management
  • Implementing various security tools and monitoring devices
  • Creating control libraries in alignment with regulations and industry standards
  • Establishing security training and awareness programs

But, how do we know our cyber defenses actually work?

Traditional Security Validation includes testing individual controls or a set of controls to ensure that they are designed appropriately and working effectively. For example:

  • Validating that a firewall is configured according to a company’s configuration standards is considered testing of a singular control.
  • Testing a set of relevant controls to verify whether the company is in compliance with the Payment Card Industry Data Security Standard (PCI-DSS) would be considered testing a set of controls.

While testing security controls in a traditional way could serve its intended purposes, the company should not feel secure solely based on traditional point-in-time control testing. The reality is that threats and an organization’s systems change on a daily basis, and a traditional control test that was effective yesterday may no longer be effective in mitigating a threat today.

Adversaries will always look for any weakness in a company’s environment, ranging from misconfigured systems to overly permissive access rules. New threats, vulnerabilities and zero-days are identified every day.

The only effective way to combat this is to think and act like an adversary.

Continuous Security Validation allows an organization to take cyber attackers’ perspective and stress-test its security stance.

While it includes elements of traditional validation methods described above, it focuses more on walking in hackers’ shoes. The chart below depicts key characteristics of Continuous Security Validation:

To implement and execute on Continuous Security Validation, a company could leverage industry best practices. A leading framework in this area is MITRE ATT&CK™ for Enterprise (ATT&CK).

ATT&CK for Enterprise is a framework that takes the perspective of an adversary trying to hack into a company using various known attack vectors. This framework provides a library of real-world hacking activities for companies to simulate in their own networking environment.

In its simplest form, an organization could pick a relevant attack vector (e.g. exfiltration over alternative protocol) from the ATT&CK Matrix and test its cyber defenses to validate that they could withstand that particular attack. It can then review and prioritize mitigation of the identified gaps.

It’s important to note that internal red-teaming (an internal group taking hackers’ perspective) is a core component of this approach whereby these teams can use real scenarios and test the actual response and detection capabilities rather than just testing controls.
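As an added illustration (not code from the original post or from MITRE), the following Python runs a simple detection rule for the "exfiltration over alternative protocol" technique named above over a batch of constructed outbound flow records, then scores one validation run the way the previous two paragraphs describe: every host that executed the simulation but was not flagged is a gap to prioritize. The flow records, the RFC1918 internal ranges, the alternative-protocol list and the byte threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real traffic): source, destination, protocol, port, bytes out.
FLOWS = [
    {"src": "10.1.5.20", "dst": "10.1.0.2",      "proto": "udp",  "dport": 53,   "bytes": 3_200},
    {"src": "10.1.5.20", "dst": "198.51.100.7",  "proto": "udp",  "dport": 53,   "bytes": 4_800_000},
    {"src": "10.1.5.21", "dst": "203.0.113.9",   "proto": "tcp",  "dport": 443,  "bytes": 9_000_000},
    {"src": "10.1.5.22", "dst": "203.0.113.9",   "proto": "icmp", "dport": None, "bytes": 2_100_000},
    {"src": "10.1.5.23", "dst": "198.51.100.7",  "proto": "udp",  "dport": 53,   "bytes": 120_000},
]

# Assumed internal address space (RFC1918); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Channels that are not a sanctioned path for bulk data transfer in this (assumed) environment;
# a large outbound volume over them is the signal for the technique.
ALT_PROTOCOLS = {("udp", 53), ("icmp", None)}
THRESHOLD_BYTES = 1_000_000  # assumed tuning value; in practice derive it from a traffic baseline


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_alt_protocol_exfil(flows, threshold=THRESHOLD_BYTES):
    """Return {src: bytes} for hosts that sent more than `threshold` bytes to
    external destinations over an alternative protocol."""
    totals = defaultdict(int)
    for f in flows:
        if (f["proto"], f["dport"]) in ALT_PROTOCOLS and is_external(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return {src: b for src, b in totals.items() if b > threshold}


def validate(technique, simulated_hosts, flows):
    """Score one validation run: was the simulated technique flagged for every host
    that executed it? Hosts that were not flagged are the gap to mitigate."""
    hits = detect_alt_protocol_exfil(flows)
    detected = sorted(h for h in simulated_hosts if h in hits)
    missed = sorted(h for h in simulated_hosts if h not in hits)
    return {"technique": technique, "detected": detected, "missed": missed,
            "result": "pass" if not missed else "gap"}


if __name__ == "__main__":
    # Three lab hosts ran the simulation; the low-volume one slips under the threshold.
    print(validate("Exfiltration Over Alternative Protocol",
                   ["10.1.5.20", "10.1.5.22", "10.1.5.23"], FLOWS))
```

The third host is reported as missed, which is exactly the kind of observation a validation run should surface: the rule catches bulk transfers but not a low-and-slow variant, so the mitigation work is to tune or supplement the rule, then re-run.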

Continuous Security Validation will help a company: 

  • Increase its cyber resiliency through frequent testing and validation
  • Test the effectiveness of its security controls and tools in preventing specific attack vectors
  • Develop an organizational cyber threat model to focus on higher risk areas and key information assets
  • Methodically analyze identified security observations

At the 2019 GRC Conference in Fort Lauderdale, Florida, USA, to take place 12-14 August, I will further explore Continuous Security Validation and describe how a company could use it to reduce its cyber exposure. We will also review key elements of ATT&CK for Enterprise and discuss how it can be leveraged to stand up and operate a Continuous Security Validation process.

About the author: Berk Algan is a risk management executive who takes pride in building exceptional Governance, Risk and Compliance (GRC) functions and developing high-performing teams. He currently leads the Technology & Security Risk Management group at Silicon Valley Bank.


Continuous Verification using the ATT&CK for Enterprise Framework

How can this be performed in a laboratory setting with medical devices as end-points on the segmented corporate LAN?
ArminT at 7/10/2019 5:04 PM

Simple Use Case Example

To ArminT's question "How can this be performed in a laboratory setting with medical devices as end-points on the segmented corporate LAN?"

Let me see if I can help at a high level.

First, you need to determine what type of medical data you are protecting and where it resides. For argument's sake, let's assume you have protected health data subject to multiple regulations in LAN Segment X and you care less about the data in all other LAN segments because they have public information. 

Second, evaluate what type of attack scenarios Segment X would be a likely target for. It could be an internal bad actor trying to exfiltrate protected health data and sell it for profit. For instance, you can try out '" and measure its success. If it's successful, use the mitigation options MITRE suggests.

Then you can repeat for different types of applicable attack vectors.

Berk Algan at 7/20/2019 3:35 PM