Dan Williams wrote this amazing piece on Network Security Assurance in CyberDefense Weekly.

Pricing Out Cybersecurity: The Cost of Assurance

Pricing Out Cybersecurity: The Cost of Assurance

By Dan Williams
Contributor, InCyberDefense

Staying one step ahead of threat actors by assessing the state of network security is definitely not a chore for the faint of heart. The activities involved to ensure that our security policy is aligned with pragmatic, emerging threats can be accomplished by either internal security departments or by third-party teams.

When it comes to regulatory compliance, some organizations do not get to choose whether or not they can hire a third-party to test their infrastructure. Achieving minimum standards of compliance has created a “good enough security” culture that leaves organizations exposed to risks that fall well outside what they are prepared to deal with.

Leadership’s desired strategic vision and the operational actuality of their production environments are often two very different things.

Evaluating Peace of Mind

Budgetary constraints are inarguably one of the greatest obstacles to sufficient assessments of the IT infrastructures organizations rely on to support their business. Attempts to justify the cost of an external team to conduct a rigorous assessment often fall on deaf managerial ears.

When executive leadership chooses a reactive security strategy as opposed to a proactive one, it is only a matter of time before a data breach occurs; sometimes the breach results not only in big fines but also a decline in revenue due to clients’ loss of confidence. These post-breach effects will leave any corporate leader thinking that due diligence would have prevented the sudden collapse of the business.

Eventually, even the most expensive security controls fail: Zero-Day exploits are utilized, misconfigured services are circumvented, and humans make mistakes. This is where the importance of detecting a security breach can compensate for anticipated failures of security controls. However, resources may be stretched too thin as they are, so we need a viable solution.

Homegrown Heroes

Adequately training and empowering Personnel with the skills necessary to assist in network defense can prevent that next big security incident. Yet, training personnel costs money. This is a great opportunity to remind leadership what famed management consultant Peter Drucker once said, “If you think training is expensive, try ignorance.”

Especially wise words when cybersecurity is the topic. Supporting the idea that “every employee is on the Incident Response team,” extends the range of skills of existing IT personnel.  It also keeps them involved with security efforts and creates a cost-effective solution for organizations when contending with operational risk.

Ultimately, however, deputizing IT personnel as the first line of defense on the cyber battlefield is not going to provide effective results overnight. Hosting tabletop exercises and whiteboard sessions that give personnel a direct perspective into a threat agent’s methodologies can educate those who do not fully understand modern offensive capabilities for compromising networked information systems.

Even when expert guidance in operations that support information security goals is not available, there are activities that can assist less experienced personnel achieve these goals.

Scenario development and incident response training can be conducted using strategies that tie into the tabletop board game market. One example is Black Hills Information Security’s popular Incident Response card game “Backdoors & Breaches.”

Working through the various stages of a security incident while exposing personnel to common techniques, tactics, and procedures (TTPs) can initiate novice IT personnel into a meaningful role as supporting players of an organization’s security strategy.

Start Small, Think Big

An in-house team that performs security Testing, as well as monitors for potential breaches, can set it apart from an external third-party. The contextual enrichment of internal personnel adds value to security testing because they know the intimate details and well-worn footpaths of their organization’s infrastructure.

An external engagement that may require these teams to spend weeks or even months conducting assessments can be terribly expensive. This is where knowing the various types of testing methodologies and their benefits come in handy when determining what approach to take.

Often used interchangeably, vulnerability assessments, penetration tests, and Red Team Engagements are three very different methods, each with its specific goals that set it apart from the others. So what are the differences?

Vulnerability Assessment – A wide-scoped, often automated scan of nodes on a network for common vulnerabilities and poorly configured services. This may be an effort to identify:

• Depreciated or unpatched versions of services
• Open ports that can allow easy access to a threat actor
• Default passwords used on administrative accounts
• Any inadequacies that can be built out into tests in the scan

Vulnerability assessments are the high-level, superficial overviews of the current state of a network, and are meant to be a broad, but shallow attempt at identifying conditions that open an organization to attack.

Penetration Test – A more hands-on way to validate not only discovered vulnerabilities but also the impact they can have in terms of operational risk in a proof-of-concept fashion. Penetration testing goes a step beyond a mere vulnerability assessment, which indicates only vulnerabilities that security teams need to be remediated. By presenting leadership with scenario-driven test cases uncovered through penetration testing increases situational awareness; the test cases display practical threats themselves rather than fear-mongering based on theoretical assumptions.

Red Team Engagement – Even more refined and specific than a penetration test, a Red Team Engagement consists of a group of skilled operators who test the people, processes, and supporting technologies of an environment in an effort to simulate an actual cyberattack. Unlike vulnerability assessments or penetration tests, a Red Team Engagement can test the effectiveness of a security policy from top to bottom. This means challenging the administrative policies in place, the individuals that the organization relies on to carry out their duties, and the systems that provide the backbone of daily operations using a myriad of TTPs to achieve a specific testing goal.

Understanding the differences in these testing types can be a major asset when leadership needs to be convinced of what steps an organization needs to take to improve its security posture from the inside out.

It is also important to understand these testing types when deciding on internal security teams and assessing their reactiveness and effectiveness to threats. Everything in cybersecurity comes at a cost, but satisfactorily training a security team will likely be much less expensive than a companywide cybersecurity breach.