Welcome to the second Cloud CISO Perspectives for November 2023. This month, Mandiant Consulting’s Earl Matthews discusses Security Validation, a vital tool that can give CISOs better information for making security decisions, and can help organizations understand their true security posture and risk profile.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Don’t trust, validate: How security validations can help organizations stay secure
By Earl Matthews, managing director, Cloud and Consulting Programs, Mandiant Consulting
In today’s complex and ever-evolving threat landscape, businesses need to be able to demonstrate the effectiveness of their security programs. While protecting sensitive data and preventing breaches is part of that equation, it’s also about maintaining operational competency, financial stability, and brand reputation.
Security teams can adopt several approaches to understanding their security controls, including Breach and Attack Simulation (BAS) and Security Validation. BAS has proved useful to security teams needing a point-in-time understanding of how specific security controls perform; however, as the threat landscape and attack surface have broadened, BAS tools are often inadequate for true validation of security performance.
To test their defenses more comprehensively, organizations need functionality that supports continuous validation of security performance across their entire security infrastructure.
Validation is based on real attacks (not simulations) and is informed by threat intelligence, which means testing defenses against the latest threats. The information that security validation offers security and business leaders can help craft a more complete picture of an organization’s security posture.
Below are important areas where security validation delivers capabilities that BAS tools may lack, enabling CISOs and their teams to gain a holistic view of security performance across people, processes, and technology.
Real attacks matter
Controls may “see” a breach and attack simulation but not alert security teams that it’s an actual attack, which can create a false sense of security.
Security validation emulates attacks across the entire attack kill chain — the sequential, mapped-out stages of a cyberattack — and delivers a comprehensive, accurate picture. CISOs should look for validation solutions that emulate real attacks for a few reasons:
- When executed in a safe manner, real attacks provide proof of how controls perform when an actual attack takes place, giving CISOs more confidence in results.
- Attack emulations provide a before-and-after exploit picture across the entire attack kill chain, leaving no stone unturned when it comes to identifying vulnerabilities.
- Simulated or reverse-engineered binaries may cause machine learning and AI solutions to learn the wrong behaviors and render them less effective.
Testing across security infrastructure delivers a more accurate picture
Traditional BAS solutions offer some integration, but do not support the full range of systems — meaning they offer only a partial view of what is happening in a company’s IT environment. For example, many BAS providers only support testing of endpoint controls and cannot reveal if other threat vectors are points of entry. This is like evaluating the security of a home by checking doors but not windows.
To gain a comprehensive view of security controls’ effectiveness, CISOs should look for security validation solutions that support testing both across the full attack lifecycle and of the entire security infrastructure, including the network, email applications, cloud systems and endpoints. In this way, they gain a holistic understanding of performance and where vulnerabilities exist — in the same way that looking at all points of ingress into a home offers a more complete picture of its overall security.
Complete attack libraries identify relevant threats
Testing solutions are based on content in the vendor’s attack library, which is informed by threat data — and results are only as reliable as the threat data that is used. BAS solutions do not incorporate timely, actionable intelligence about the most current tactics, techniques, and procedures (TTPs) attackers are using, so security teams cannot determine which threat actors are the most important to test against.
Additionally, if a BAS tool lacks content supporting attack frameworks like MITRE ATT&CK and NIST, it will be harder for the organization to identify and contextualize risks. An overall lack of threat intelligence can generate inconsistent test results and lead to an inaccurate view of the organization’s true security posture and risk profile.
Instead, CISOs should consider security validation solutions that provide threat intelligence about what attackers are doing right now. When based on a full library of attack behaviors and TTPs, security teams can prioritize testing against the threats that are most relevant.
Test detection and response
In today’s relentless threat landscape, security testing and validation have become invaluable instruments for Security Operations Centers (SOCs) and Detection and Response teams. Testing and validating allows security teams to emulate real-world attacks and expose hidden risks that many organizations miss.
Security validation tools can be used to mimic the behavior of sophisticated attackers, such as those who use social engineering and spear phishing techniques. These tools can help SOC teams identify and respond to these threats before they can cause damage. They also let the team test its detection of, and response to, those attacks.
Automated testing is essential for modern SecOps because both threats and business evolve at a rapid pace. It’s more effective and now technologically feasible to move from occasional manual testing to continuous automated validation.
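The distinction the article draws between a control that merely “sees” an attack and one that actually alerts the team is what a validation run has to surface. The following is an added example (not Mandiant’s or Google Cloud’s code) of how the results of one automated run could be scored: each emulated step is recorded as a hypothetical StepResult with three observations (was it blocked, did telemetry reach the SIEM, was an alert raised) and then reduced to a single outcome. The technique IDs are real MITRE ATT&CK identifiers, but the run itself is constructed sample data.

```python
"""Score the results of a security-validation run.

Added example, not Mandiant's or Google Cloud's code. It assumes each
emulated attack step was recorded as a StepResult (a hypothetical record
shape chosen for this example); SAMPLE_RUN below is constructed data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StepResult:
    technique: str   # MITRE ATT&CK technique ID the step emulated
    name: str
    blocked: bool    # a preventive control stopped the step
    logged: bool     # telemetry for the step reached the SIEM
    alerted: bool    # an alert was raised for a human or automation to act on


def classify(r: StepResult) -> str:
    """Reduce one step to the outcome a CISO cares about.

    'silent' is the case the article warns about: the control saw the
    activity (telemetry exists) but nobody was told it was an attack.
    """
    if r.blocked:
        return "blocked"
    if r.alerted:
        return "alerted"
    if r.logged:
        return "silent"
    return "missed"


def summarize(results):
    """Return outcome counts, rates, and the techniques needing attention."""
    total = len(results)
    if total == 0:
        return {"total": 0, "counts": {}, "prevention_rate": 0.0,
                "detection_rate": 0.0, "silent": [], "missed": []}
    outcomes = {r.technique: classify(r) for r in results}
    counts = Counter(outcomes.values())
    return {
        "total": total,
        "counts": dict(counts),
        # Steps stopped outright by a preventive control.
        "prevention_rate": counts["blocked"] / total,
        # Steps the team would have known about: blocked or alerted.
        "detection_rate": (counts["blocked"] + counts["alerted"]) / total,
        # Telemetry existed but no alert fired: tuning work for the SOC.
        "silent": sorted(t for t, o in outcomes.items() if o == "silent"),
        # No telemetry at all: a coverage gap in the control stack.
        "missed": sorted(t for t, o in outcomes.items() if o == "missed"),
    }


# Constructed sample run: five emulated steps across the kill chain.
SAMPLE_RUN = [
    StepResult("T1566.001", "Spearphishing attachment", blocked=True, logged=True, alerted=True),
    StepResult("T1059.001", "Command and scripting interpreter: PowerShell", blocked=False, logged=True, alerted=True),
    StepResult("T1003.001", "OS credential dumping: LSASS memory", blocked=False, logged=True, alerted=False),
    StepResult("T1021.002", "Remote services: SMB/Windows admin shares", blocked=False, logged=False, alerted=False),
    StepResult("T1048", "Exfiltration over alternative protocol", blocked=False, logged=True, alerted=False),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_RUN)
    print(f"{report['total']} steps: {report['counts']}")
    print(f"prevention {report['prevention_rate']:.0%}, detection {report['detection_rate']:.0%}")
    print("silent (seen, not alerted):", report["silent"])
    print("missed (no telemetry):", report["missed"])
```

The “silent” list is the actionable output: those are techniques where the control stack already produces telemetry, so the fix is a detection rule or alert routing change rather than a new product, while the “missed” list points at genuine visibility gaps.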
Monitoring environmental drift strengthens defenses
IT environments continually change as systems are added or reconfigured, new devices enter the network, or patches and upgrades are automatically introduced. These changes can impact how security controls behave, yet without ongoing monitoring of IT environmental drift, the impact on security can occur without the security team’s awareness. BAS tools do not perform this type of ongoing monitoring and alerting, so teams are unable to remediate as needed. This can ultimately degrade security infrastructure health.
When evaluating security validation, security teams should look for three key capabilities related to the IT environment. The solution should:
- Perform automated, continuous monitoring of environmental drift
- Alert team members when changes are detected
- Provide guidance on how to remediate the situation
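The three capabilities above (continuous monitoring, alerting on change, remediation guidance) fit together in a small drift check. This is an added example, not Mandiant’s or Google Cloud’s code: it assumes each control snapshot is a flat dict of setting name to value, hashes the snapshot so unchanged environments are skipped cheaply, diffs a baseline against the current state, and attaches guidance from a constructed remediation table. The setting names and both snapshots are constructed sample data.

```python
"""Detect drift in security-control configuration between two snapshots.

Added example, not Mandiant's or Google Cloud's code. It assumes each
snapshot is a flat dict of setting -> value; the settings, the guidance
table and both snapshots below are constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass

# Remediation guidance keyed by setting. In practice this comes from the
# team's hardening standard; these entries are constructed for the example.
GUIDANCE = {
    "edr.realtime_protection": "Re-enable real-time protection in the EDR policy and confirm the agent reports healthy.",
    "email.attachment_sandboxing": "Restore attachment sandboxing in the mail gateway policy.",
    "fw.egress_default": "Reset the default egress rule to deny and re-add approved destinations explicitly.",
}
DEFAULT_GUIDANCE = "Review against the hardening standard; no playbook entry yet."


def fingerprint(snapshot: dict) -> str:
    """Stable SHA-256 of a snapshot, so identical states are compared in one step."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class DriftAlert:
    setting: str
    change: str        # "added", "removed" or "changed"
    before: object
    after: object
    guidance: str


def detect_drift(baseline: dict, current: dict) -> list:
    """Compare two snapshots and return one DriftAlert per drifted setting."""
    if fingerprint(baseline) == fingerprint(current):
        return []  # nothing moved since the last check
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            change, before, after = "removed", baseline[key], None
        elif key not in baseline:
            change, before, after = "added", None, current[key]
        elif baseline[key] != current[key]:
            change, before, after = "changed", baseline[key], current[key]
        else:
            continue
        alerts.append(DriftAlert(key, change, before, after,
                                 GUIDANCE.get(key, DEFAULT_GUIDANCE)))
    return alerts


# Constructed baseline: the state the controls were last validated in.
BASELINE = {
    "edr.realtime_protection": True,
    "email.attachment_sandboxing": True,
    "fw.egress_default": "deny",
    "dns.logging": True,
}
# Constructed current snapshot: a patch cycle left EDR protection off,
# egress was opened up, and an unmanaged setting appeared.
OBSERVED = {
    "edr.realtime_protection": False,
    "email.attachment_sandboxing": True,
    "fw.egress_default": "allow",
    "dns.logging": True,
    "proxy.bypass_list": ["*.example.invalid"],
}

if __name__ == "__main__":
    for a in detect_drift(BASELINE, OBSERVED):
        print(f"[{a.change}] {a.setting}: {a.before!r} -> {a.after!r}")
        print(f"    remediation: {a.guidance}")
```

Run on a schedule against whatever exports the real control state (EDR policy API, mail gateway config, firewall rule dump), the same function gives the team the alert and the next step in one record; a setting with no guidance entry is itself a finding, since it means the hardening standard has not caught up with the environment.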
Minimize risk and achieve operational competency
True security validation requires the above capabilities to gain accuracy and integrity in test results. Without them, companies can remain uninformed about their security posture and can be vulnerable to an attack.
Unlike many BAS deployments, security validation is automated and continuous, comprehensive and holistic, and based on timely, actionable threat intelligence — all of which give CISOs and business leadership quantitative evidence of the efficacy of security controls across technology, process and people. This ultimately minimizes a company’s risk posture and helps maintain operational competency.
Security validation tests are only as good as they are current and representative of the real world. You can read more here about how Mandiant can help organizations continuously measure and validate security effectiveness against today’s adversaries.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- DHS Sec. Mayorkas talks cybersecurity with Kevin Mandia: DHS Sec. Alejandro Mayorkas shares his thoughts on cybersecurity trends and defender partnerships with Mandiant CEO Kevin Mandia. Read more.
- Google Cloud’s approach to trust and transparency in AI: Gen AI has emerged as a disruptive technology with tremendous potential. We believe that the only way to be truly bold in the long term is to be responsible from the start. Read more.
- Singapore and Google partner to protect citizens from scams: The Singapore government has partnered with Google Cloud Security’s Web Risk to protect its citizens from online scams and enhance the security of web users. Read more.
- Google Cloud sponsors CyberGreen Institute to aid cyber public health research: Cyber Public Health embraces lessons from the development of public health and applies them to cybersecurity. To help advance this goal, Google is becoming an official sponsor of the CyberGreen Institute. Read more.
- Beyond GovClouds: Building a secure, AI-enabled government: To thrive in this AI-driven era, the public sector needs a modern cloud partner offering unmatched scale, features, and timely innovation that GovClouds cannot deliver — but Google Cloud can. Read more.
- U.S. government workers want more choice in tech, worry about cyber attacks: To do their jobs better and more securely, government workers and private sector employees are overwhelmingly united in wanting more choice in the tech they use, according to a new Google Cloud survey. Learn more.
- Google researchers discover ‘Reptar,’ a new CPU vulnerability: We detail the findings of Reptar, a new vulnerability that impacts several Intel desktop, mobile, and server CPUs — and how we patched it with Intel. Read more.
- Protecting your remote workforce with context-aware data loss rules and URL filtering: We’ve added two secure enterprise browsing capabilities in Google Chrome to help implement strong, low-overhead data controls in tools already in end users’ hands. Read more.
- GKE Enterprise, the next evolution of container platforms, is now GA: GKE Enterprise is now generally available to help organizations increase development and deployment velocity, securely run their most important business-critical workloads, and reduce total cost of ownership. Read more.
- Gain access visibility and control with Access Transparency and Access Approval: Google Cloud’s Access Transparency and Access Approval can help you achieve your security, compliance, and regulatory goals. Read more.
- Introducing ransomware and threat detection for Backup and DR in Security Command Center: Powerful new rules in Security Command Center Premium can help customers quickly identify and remediate threats to backup and recovery infrastructure. Here’s how.
News from Mandiant
- How to hunt for and detect insider threats: Organizations that understand the different types of insider threats are in a better position to hunt for and detect related activity, and ultimately reduce risk. Here’s what you need to know. Read more.
- How Sandworm disrupted power in Ukraine, just before the missiles began to fall: New Mandiant investigation reveals the details of an ICS/OT attack that relied significantly on living-off-the-land techniques. Read more.
- The CTI process hyperloop: A practical implementation: Cyber threat intelligence can be very valuable to organizations, when they know how to best use it. Here’s how to implement the CTI Process Lifecycle on both tactical and strategic levels. Read more.
- Flare-On 10 challenge solutions: To celebrate 10 years of Mandiant Flare-On contests, our goal this year was to make the most difficult Flare-On challenge ever. Here are the solutions for this year’s puzzles. Read more.
Now hear this: Google Cloud Security and Mandiant podcasts
- Taming the AI beast: Threat modeling for modern AI: Are we behind on securing AI systems? Dr. Gary McGraw, founder of the Berryville Institute of Machine Learning, analyzes the key differences and similarities between securing AI and securing a traditional, complex enterprise system, with hosts Anton Chuvakin and Tim Peacock. Listen here.
- Safe to use? Building trust with canned detections: Whether you call them default, out-of-the-box, or canned, pre-built detections can provide organizations with more than just an educational foundation. Yet making them production quality takes effort, so Google Cloud Security’s John Stoner and Dave Herrald pop the lid on that challenge with Anton and Tim. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.