PODCAST: The case for ‘pen’ testing as an essential security layer

By Byron V. Acohido

The Equifax debacle has a lot to teach us about how – and how not to – handle a data breach. The massive breach resulted in hackers accessing the social security numbers, birth dates, home addresses and driving license numbers for up to 143 million Americans and the credit card numbers for about 209,000 Americans.

While the breach occurred between mid-May and July, according to Equifax, the company says it didn’t discover the hack until July 29. It then took a further six weeks to report the breach. But Equifax isn’t alone in this; a study by data erasure business Blancco found that 5 percent of the IT professionals surveyed only detected a threat when notified by external parties.

While US firms perform better than European firms in terms of the dwell time between compromise and detection, they still average a dwell time of 146 days. This metric could drop significantly if penetration testing were more widely and wisely deployed, pen testing vendors assert.

Insufficiency of locked doors

The traditional approach to identifying network and software vulnerabilities is to undertake penetration testing. During a pen test, your own teams, or hired third parties, will try to penetrate your network or applications in order to identify potential vulnerabilities.

I sat down at Black Hat 2017 with Stephen Newman, Senior Vice President for Products at Core Security, who told me that the threat landscape is evolving so quickly that this traditional approach is no longer enough. He likened pen testing to checking your home’s doors and windows to see which might allow an attacker access. “But if they do gain access, once they are inside they can move inside the house freely and find where you might be storing things in the safe,” says Newman.

In this analogy, the contents of your safe are the intellectual property and the personally identifiable information held by your organization. If we consider that, on average, an attack won’t be discovered for 146 days, the limitations of this approach become clear.

Instead, argued Newman, your security measures need to include testing to understand how an attacker would move around your network once they have gained access. Only by doing this is it possible to properly understand the threat.

Vulnerability triage

Organizations leading the way in security management are trying to answer this question by running vulnerability management and vulnerability assessments on a regular basis. However, Newman argued that this raises a new problem.

The company then ends up with thousands to hundreds of thousands of potential vulnerabilities. He says, “You then need to figure out how to prioritize them; usually based on which ones are actually exploitable and which ones could lead to your critical data. In other words, could the attacker work out how to move across these vulnerabilities through your network to reach critical data?”

Acohido and Newman

The solution to this, according to Newman, is two-fold. First, a vulnerability management solution that enables you to prioritize which vulnerabilities are critical, that is, the ones you need to patch first and foremost. Second, thinking like an attacker.

One of the most important pieces to understand is the type of information an attacker would want to get to. This will help you understand what the attacker is going to want to do post-infection.

Newman says: “If you break it down, they want to do their reconnaissance to find out which systems they can pivot and use to move laterally across your network.

They are trying to figure out which of these systems have identities they can steal in order to access critical data. Even if they can move across your network, they can’t access critical data without the right credentials being associated with the identities they have stolen.”

A key piece of the puzzle is, therefore, understanding which identities pose a threat across these attack paths. Who has privileged access? Which identities will an attacker be searching for? This shouldn’t be restricted to the identities of people, but should also extend to machine identities, as my recent interview with Jeff Hudson of Venafi explored.
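The triage Newman describes, working out which exploitable vulnerabilities and stolen identities actually chain together into a route to critical data, can be modelled as a reachability question over a small attack-path graph. The following is an added illustration, not Core Security’s product or code: the hosts, vulnerability labels and identities are constructed, and an “id:” edge stands for a credential an attacker would have to steal to cross that hop.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# An edge is (from_host, to_host, enabler); the enabler is either an exploitable
# vulnerability ("vuln:...") or an identity whose credential grants the hop ("id:...").
Edge = Tuple[str, str, str]

# Constructed sample network (hypothetical names, not from the article).
CRITICAL_ASSETS: Set[str] = {"db-pii"}
ENTRY_POINT = "internet"
EDGES: List[Edge] = [
    ("internet", "web-01", "vuln:web-rce"),
    ("internet", "vpn-gw", "vuln:vpn-auth-bypass"),
    ("web-01", "app-01", "id:svc-web"),
    ("vpn-gw", "jump-01", "id:contractor"),
    ("jump-01", "app-01", "vuln:smb-exec"),
    ("app-01", "db-pii", "id:svc-app-dba"),
    ("web-01", "print-01", "vuln:printer-cve"),  # exploitable, but leads nowhere critical
]

def attack_paths(entry: str, edges: List[Edge], critical: Set[str]) -> List[List[str]]:
    """Enumerate simple paths (as lists of enablers) from the entry point to any critical asset."""
    adj: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, enabler in edges:
        adj[src].append((dst, enabler))
    paths: List[List[str]] = []
    def walk(host: str, visited: Set[str], chain: List[str]) -> None:
        if host in critical:
            paths.append(chain)
            return
        for nxt, enabler in adj[host]:
            if nxt not in visited:
                walk(nxt, visited | {nxt}, chain + [enabler])
    walk(entry, {entry}, [])
    return paths

def prioritize(paths: List[List[str]]) -> List[Tuple[str, int]]:
    """Rank each vulnerability/identity by how many critical-data paths depend on it."""
    counts: Dict[str, int] = defaultdict(int)
    for p in paths:
        for enabler in set(p):
            counts[enabler] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def triage(entry: str, edges: List[Edge], critical: Set[str]) -> Dict[str, object]:
    """Split the vulnerability backlog into 'on a path to critical data' and 'not', and name choke points."""
    paths = attack_paths(entry, edges, critical)
    on_path = {e for p in paths for e in p}
    return {
        "paths": paths,
        "ranked": prioritize(paths),
        # Enablers on every path: patching or revoking any one cuts all of them.
        "choke_points": set.intersection(*(set(p) for p in paths)) if paths else set(),
        "identities_to_restrict": sorted(e for e in on_path if e.startswith("id:")),
        "deprioritized": sorted({e for _, _, e in edges} - on_path),
    }
```

In the sample, the database service identity sits on both paths, so restricting that one entitlement blocks every route to the PII store, while the printer vulnerability can wait.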

Supporting a forensic approach

The key benefit of understanding the behavior of an attacker once they have gained access to your network, is the potential this offers for adopting a more forensic approach. This way, you can maximize the efficacy and minimize the operational disruption of your security response.

Instead of shutting down a device, machine, or part of the network, security professionals can remove the entitlements of “at risk” identities.

Core Security is focusing on this approach to attack management. Newman explained: “The old way is to shut down your machine, but you won’t be able to do your job. Now, we can remove entitlements so you can do 99% of your job, just not the stuff that involves critical data. Or we can do what’s called adaptive authentication – so instead of the two steps you had to do before to get to critical data, you now have to take four and those extra steps require data or information an attacker simply wouldn’t have... Taking this kind of surgical approach to blocking attackers is incredibly powerful because it allows your business to continue with its business.”

Locking down identities and devices within the network in response to changing threats is a good way to minimize damage but, ultimately, it too rests on the foundation of threat detection. As a result, it is vital that all organizations view threat detection as a dynamic and continual process.

Newman points out that if businesses are only doing scans once a quarter, then they are only secure once a quarter. Organizations need to be doing threat detection, vulnerability management, identity analytics, and monitoring continuously, and need to be able to automate their responses and take action on that identity layer at any time. For a deeper drill down, please listen to the accompanying podcast.

(Editor’s note: Last Watchdog has supplied consulting services to Core Security.)