Every enterprise has unique security requirements and standards based on its risk profile and tolerance. In fact, according to Gartner, 78% of organizations use 16 or more security tools and spend more than $150B on information security every year.
Despite these tools and spending, it remains very difficult to assess how secure and protected organizations are against constantly evolving cyberattacks.
There is, however, a range of methods for assessing your enterprise’s security posture.
Security Scoring
Key performance indicators (KPIs) can be used to assess your cybersecurity posture across all security configurations and controls. KPIs are one way to answer the question of how secure an organization may be either as an absolute, based on its historical levels, or as compared to organizations of similar size, geographies, or business. Whether internally developed or established by industry available tools, using KPIs can provide a relative assessment that can be considered reasonable. But simply being better than the average, or improving over time, does not necessarily mean that your security is adequate for your level of risk.
Penetration Testing
Engaging a red team of ethical hackers to attempt to bypass your security configurations, controls, and teams can be very effective in understanding your enterprise’s risk of breach. These groups are experts in the latest tools, techniques, and tactics. They act like cybercriminals and attempt to breach your defenses, which is an excellent way to stress test every aspect of your security, including employee awareness. This approach helps you determine which defenses are strong and which are weak. A key limitation is that the results depend on the expertise of the red team, and the exercise covers only a single point in time and a defined scope of attack.
Breach Attack Simulation
Breach attack simulation (BAS), similar to penetration testing, attempts to assess the totality and effectiveness of your defenses, but it uses automation tools to seek entry, rather than human experts. BAS can be run regularly and broadly, rather than at a single point in time or scope. However, the attacks are more programmatic, so they may be less sophisticated or customized than penetration testing.
Independent Effectiveness Testing
Alongside organization-specific assessments of overall security, expert labs run independent tests of specific security tools. These tests often benefit from a larger sample set of attacks, as they are relevant to a broad set of organizations, and in many cases, will provide comparative scoring for security tools of the same type. The common downside is that they operate in a lab, rather than the real world where conditions may vary from those of your organization, particularly over time. These assessments also typically focus on just one type of control, such as network security, email security, or endpoint security. They rarely test combinations of controls.
MITRE Engenuity ATT&CK Evaluations
MITRE Engenuity’s ATT&CK Evaluations are another useful tool. These evaluations take a range of security tools that are typically in the same security category and expose them to one or a small number of sophisticated cybercriminal campaigns. Each campaign consists of a series of tactics and techniques designed to accomplish a defined cyber mission. The key benefit of this approach is that enterprise security teams gain visibility into the inner workings of security controls. They can understand not only what the solution detects but also why and how it does so. Seeing their operation can give teams more confidence in the type of protection they deliver. The evaluation goes beyond a single attack, sample set, point in time, or control. Evaluation results can also be combined across controls for a more comprehensive view of coverage or exposure.
The primary drawback is that cybercriminals’ attack tactics and techniques evolve over time and the evaluation results are constrained to the timeframe in which the campaigns are run. They also focus only on detection (and/or blocking) of the attack technique, with no ability to assess what else (including legitimate operations) might be flagged by the control.
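To make the "combine results across controls" idea concrete, here is an added example (not code from the original post, and not a tool from MITRE Engenuity or Fortinet) that merges per-control, per-technique evaluation results into one coverage view and classifies each technique as blocked, detected only, or exposed. The results for the three controls are constructed sample data; the technique IDs are real ATT&CK identifiers used only as labels, the control names and the detection categories ("signature", "telemetry", "behavioral") are assumed labels, and the staleness check reflects the drawback above that results are tied to the timeframe in which the campaign was run.

```python
"""Aggregate ATT&CK-evaluation-style results across several security controls.

Added example, not from the original post and not MITRE Engenuity's or
Fortinet's code. All results below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class StepResult:
    technique: str   # ATT&CK technique ID used as a label, e.g. "T1566"
    detected: bool   # control produced a detection for this campaign step
    blocked: bool    # control prevented the step (implies visibility, not just logging)
    how: str         # assumed detection category label: "signature", "telemetry", "behavioral", "none"


# Constructed sample results: three controls evaluated against one campaign.
# A technique can appear under several controls when they see the same step.
SAMPLE_RESULTS = {
    "email_gateway": [
        StepResult("T1566", True, True, "signature"),
        StepResult("T1204", False, False, "none"),
    ],
    "endpoint": [
        StepResult("T1204", True, False, "telemetry"),
        StepResult("T1059", True, True, "behavioral"),
        StepResult("T1003", False, False, "none"),
        StepResult("T1021", True, False, "telemetry"),
    ],
    "network": [
        StepResult("T1021", True, True, "signature"),
        StepResult("T1041", True, False, "telemetry"),
    ],
}


def aggregate(results):
    """Merge per-control step results into a per-technique map.

    Returns {technique: {"detected_by": [controls], "blocked_by": [controls],
                         "how": {control: detection category}}}, which keeps
    the "why and how" of each detection visible alongside the yes/no answer.
    """
    merged = defaultdict(lambda: {"detected_by": [], "blocked_by": [], "how": {}})
    for control, steps in results.items():
        for step in steps:
            entry = merged[step.technique]
            entry["how"][control] = step.how
            if step.detected:
                entry["detected_by"].append(control)
            if step.blocked:
                entry["blocked_by"].append(control)
    return dict(merged)


def coverage_summary(merged):
    """Classify each technique by the best outcome any control achieved."""
    summary = {"blocked": [], "detected_only": [], "exposed": []}
    for technique in sorted(merged):
        entry = merged[technique]
        if entry["blocked_by"]:
            summary["blocked"].append(technique)
        elif entry["detected_by"]:
            summary["detected_only"].append(technique)
        else:
            summary["exposed"].append(technique)   # no control saw this step at all
    return summary


def coverage_ratio(merged):
    """Fraction of campaign techniques that at least one control detected."""
    if not merged:
        return 0.0
    return sum(1 for e in merged.values() if e["detected_by"]) / len(merged)


def results_stale(evaluated_on, as_of, max_age_days=365):
    """True when the campaign run is older than the chosen age limit (ISO dates).

    The 365-day limit is an assumed policy value, not something the evaluations define.
    """
    age = date.fromisoformat(as_of) - date.fromisoformat(evaluated_on)
    return age.days > max_age_days


if __name__ == "__main__":
    merged = aggregate(SAMPLE_RESULTS)
    print(coverage_summary(merged))
    print(f"detected coverage: {coverage_ratio(merged):.0%}")
    print("stale:", results_stale("2023-01-01", "2024-06-01"))
```

On the constructed data the aggregate view shows that T1003 is seen by no control and that T1204 and T1041 are detected but never blocked, which is exactly the cross-control gap list a single-tool report cannot give you. What the aggregation still cannot tell you is the other drawback noted above: nothing in evaluation results records what legitimate activity the same controls would have flagged, so false-positive cost has to be measured separately.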
Conclusion
Enterprises have a range of options to assess their security posture, based on individual control or as a whole. If the objective is to do more than the average organization, security scoring is a great tool. If your goal is to push security posture to higher levels, penetration testing and/or breach attack simulation are great aids. For granular assessments of individual security controls at points of exceptional risk, independent effectiveness testing can help. Lastly, for planning and implementing a rigorous and resilient defense based on capabilities across controls in aggregate, the MITRE ATT&CK Evaluation is a valuable tool.
Learn more about Fortinet’s FortiEDR solution and how it has the unique ability to defuse and disarm a threat in real-time, even after an endpoint is already infected.