Continuous security (or control) validation helps me explain network security with one of my favorite analogies. Network security is like jiu-jitsu. You have no idea how strong your defenses are if you’re not rolling (sparring) regularly.
Let’s take a closer look at continuous security validation, and explain why, just like jiu-jitsu, you need to keep your system in practice to keep it sharp.
What is continuous security validation?
Continuous security/control validation is a method of repeatedly testing security controls within an organization to validate they work as intended, and then proactively address any vulnerabilities.
Today, organizations have plenty of security tools in place. From firewalls to IPS to endpoint protection, every tool promises to somehow improve your overall security posture. But a patchwork of tools alone doesn’t mean your network is secure. In fact, taken too far, tool sprawl can increase your attack surface and create opportunities for misconfigurations that lead to a breach. Case in point: an IBM study conducted by the Ponemon Institute found that organizations with 50+ security tools ranked themselves lower in their ability to detect and respond to attacks than organizations with fewer tools.
Additionally, with the dynamic nature of cybersecurity, what’s secure today isn’t necessarily secure tomorrow. That means “point in time” security validations—such as compliance audits or annual penetration tests—don’t guarantee your network is secure outside those testing dates like they once did.
Continuous security validation provides organizations a method to solve the problems of tool sprawl and point-in-time security validations by continuously testing the integrity of the security measures you have in place. The process is simple:
- Find the vulnerabilities in your infrastructure before the bad guys do
- Patch and address them
- Repeat
By adopting a continuous security approach with continuous validation, organizations move away from simply checking boxes on a list of best practices and begin (to use our favorite word!) proactively verifying what they’re doing works to prevent real-world attacks.
The benefits of continuous security
So we know what continuous control validation is, but why bother with it? What business benefits does continuous security validation bring? Here’s the short list:
- Faster vulnerability detection and remediation. Without continuous security monitoring, you’ll find out about vulnerabilities one of three ways: when a point-in-time check catches them, when you are notified of a fix, or when an attacker exploits them. All of these happen at a later date. By taking a proactive and continuous approach to detecting issues, you’ll catch them much, much faster.
- Improved network visibility. Done right, continuous control validation will force you to look at your security posture holistically, improving your overall visibility. This can expose gaps if you have a patchwork of tools, and coupled with proactive network monitoring, can help shift your IT operations from a reactive break-fix approach to a proactive one.
- Validation that your network is secure today. Modern networks are dynamic. An ISO certification and successful compliance audit from six months ago are great, but they don’t tell you if an attacker can breach your network today. By constantly testing your defenses in the same way a malicious attacker would, you can become more confident your network security is where it needs to be.
- Stronger security posture. Continuous validation forces you to iterate and improve. Following best practices only goes so far. Misconfigurations and implementation-specific nuances are often the root cause of data breaches. With continuous validation, you’re more likely to improve over time. As a result, your security posture improves well beyond what it would if you simply kept up with security patches (but please, keep up with your security patches!).
Granted, plenty of tools, technologies, and buzzwords make similar promises. So, what’s the secret sauce with continuous security and continuous control validation? Let’s get back to the jiu-jitsu analogy to explain.
Performing under pressure
One thing that sets jiu-jitsu apart from many martial arts is an emphasis on sparring (often called “rolling”). Practicing is essential in jiu-jitsu, but nothing prepares you for real-world attacks like going up against an opponent.
Rolling helps jiu-jitsu students test their skills under pressure from an unpredictable attacker. That person is trying to exploit the weaknesses in your technique. Over time, the practitioner shores up those weaknesses, and they’re better for it. Had their partner never exposed those weaknesses, they’d never even have known they were there, until someone exploited them in a more serious setting (like full-contact competition).
With network security, sourcing and configuring security tools is like learning and drilling techniques alone. It’s essential, but you won’t know how well you can stand up to an attacker until you’re attacked. Continuous security with continuous control validation ensures you’re “rolling” every day, and testing your network security against the pressure of an attacker. It’s much better for your security posture if your internal sparring partner (e.g. a red team) finds a weakness than if a malicious attacker does.
Continuous security control vs zero trust: What’s the difference?
Cybersecurity is rife with buzzwords, so we wouldn’t blame you for asking the question: is anything different between continuous security control and zero trust (ZT)?
In a word, yes.
Continuous security practices—such as continuous control validation—are methods for checking your security. Zero trust is a security model focused on protecting individual access, and implementing the principle of least privilege across a network.
For example, if an organization designed its network using the zero trust architecture defined in NIST’s SP 800-207, it would be a zero-trust network. However, without testing the zero-trust controls put in place, whether the network is actually secure still isn’t clear.
Engaging in continuous control validation would allow the organization to put its fancy new zero-trust access model to the test and prove, repeatedly, that it’s working as advertised.
The key takeaway here is continuous control validation and zero trust are not mutually exclusive. In fact, you can, and should, use both to improve your overall network security.
Methods for continuous control validation
Now that we know the what and the why, let’s look at the how. At a high level, any method of security validation that continuously tests your security controls fits the bill. In practice, the most effective methods are those that leverage human ingenuity, artificial intelligence, and automation. Here are three of the most popular ways to implement continuous control validation.
1. Regular threat assessment
Network security is all about risk management. Regular threat assessment entails quantifying the severity, probability, and exposure to threats across an organization. Some frameworks, such as ISO 27001, have specific requirements for risk assessment. If you’re an MSP looking for a place to get started with threat assessment, check out Using the NIST Cybersecurity Framework to Assess Your Clients’ Network Security.
Regardless of the specific method you use, the key is finding an approach to threat assessment that works for your organization and being disciplined about performing it. Network perimeters, IT assets, and techniques attackers use to breach networks change regularly, and that means your risk does as well.
2. Red team testing
Red team testing brings human ingenuity into the mix. In cybersecurity, the red team proactively attempts to breach and compromise network security in the same way a malicious attacker would. Red teams use a combination of automated tooling, manual testing, and human expertise that is almost impossible to simulate using other methods. As a result, red team testing is one of the most effective continuous security practices you can adopt.
In short, the red team is your sparring partner. They shouldn’t take it too easy on you, but you’d much rather the red team finds a vulnerability than a truly malicious attacker.
“Continuous” is the keyword here. Third-party pen tests and security audits are great, but they are NOT a substitute for continuous security testing.
3. Breach and attack simulators
A breach and attack simulator (BAS) is an intelligent security platform that automates the process of exercising weaknesses in organizational security controls. Often, BAS tooling will leverage known attacker techniques catalogued in the MITRE ATT&CK knowledge base, as well as enable custom scans. BAS platforms may also automate the process of recommending remediation steps when an issue is detected.
For example, a breach and attack simulator may automatically attempt known network attacks or place simulated malware on an endpoint. If your firewall or antimalware solution doesn’t detect or prevent the simulated breach, you have a problem you need to fix.
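The find-fix-repeat loop above, and the drift described earlier (what held yesterday may not hold today), can be sketched in code. The following is an added example, not tooling from the original post or from any BAS vendor: a minimal validation runner with three constructed control checks (a first-match firewall policy, a password-length policy and EDR agent health), two constructed environment snapshots, and a regression function that reports controls which held on the previous run but fail now. The ATT&CK technique IDs are the real ones for SMB/admin shares, valid accounts and scripting interpreters; everything else (rule format, host records, control names) is assumed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# What one validation run observes; a real runner would query the firewall,
# the directory and the EDR console instead of reading a constructed dict.
Env = Dict[str, object]

def firewall_decision(rules: List[dict], proto: str, port: int, src: str) -> str:
    """First-match evaluation of an ordered rule list; no match means deny."""
    for r in rules:
        if (r["proto"] in (proto, "any") and r["port"] in (port, "any")
                and r["src"] in (src, "any")):
            return r["action"]
    return "deny"

@dataclass
class Control:
    name: str
    technique: str                # ATT&CK technique the control is meant to blunt
    check: Callable[[Env], bool]  # True when the control held during this run

CONTROLS = [
    Control("inbound SMB from guest zone denied", "T1021.002",
            lambda e: firewall_decision(e["fw_rules"], "tcp", 445, "guest") == "deny"),
    Control("minimum password length >= 14", "T1078",
            lambda e: e["min_pw_len"] >= 14),
    Control("EDR agent running on every endpoint", "T1059",
            lambda e: all(h["edr"] == "running" for h in e["hosts"])),
]

def validate(controls: List[Control], env: Env) -> Dict[str, bool]:
    """One 'roll': exercise every control and record whether it held."""
    return {c.name: bool(c.check(env)) for c in controls}

def regressions(previous: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Controls that held last run but fail now: the drift a point-in-time audit misses."""
    return [name for name, ok in current.items() if previous.get(name) and not ok]

# Constructed snapshots. Day 2 shows typical drift: a 'temporary' allow-all rule was
# pushed to the top of the policy and one endpoint's EDR service stopped.
DAY1: Env = {
    "fw_rules": [{"action": "deny", "proto": "tcp", "port": 445, "src": "guest"},
                 {"action": "allow", "proto": "tcp", "port": 443, "src": "any"}],
    "min_pw_len": 14,
    "hosts": [{"name": "ws01", "edr": "running"}, {"name": "ws02", "edr": "running"}],
}
DAY2: Env = {
    "fw_rules": [{"action": "allow", "proto": "any", "port": "any", "src": "any"}] + DAY1["fw_rules"],
    "min_pw_len": 14,
    "hosts": [{"name": "ws01", "edr": "running"}, {"name": "ws02", "edr": "stopped"}],
}
```

Run `regressions(validate(CONTROLS, DAY1), validate(CONTROLS, DAY2))` on a schedule and alert on any non-empty result; the two regressions it reports for the Day 2 snapshot are exactly the kind of misconfiguration an annual audit would not catch until the next cycle.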
Continuous security validation is an important part of modern network security. It doesn’t replace architectural design methodologies like zero trust or eliminate the need for network security tools. However, it does help you ensure all the effort you’re putting into security works when needed.
Simply put, iron sharpens iron. Your continuous control validation efforts can force you to improve your security controls. In turn, your continuous control validation efforts will need to improve to find more vulnerabilities, and you now have a positive feedback loop for your overall security posture.
Roll on.