Imagine walking into a board meeting with a tool that shows your board exactly how protected the organization is, based on the investment they have allowed you to make.
Or, imagine getting a call from your CEO, who saw something on X (formerly Twitter) about the “threat of the day,” and being able to show immediately how protected the organization is from that threat with the resources you have in place.
These capabilities give boards and CEOs confidence, from a governance perspective, that there is coverage. More important now, with security budgets constrained, is the ability to see whether your defensive stack is actually up to the task and, if it is not, to show what steps the team can take to optimize defenses and what resources that will take: people, processes, and technology.
How can you make these scenarios a reality?
Staying Ahead of the Biggest Threats
Gartner describes continuous threat exposure management (CTEM) as a strategy for prioritizing whatever most threatens your business, and estimates the approach can help organizations reduce breaches by two-thirds over the next two years. With more than 70% of organizations feeling they have wasted 25-100% of their cybersecurity budget, it makes sense that CTEM is one of the top five cybersecurity trends for 2024. CTEM is made up of multiple processes and capabilities, such as Breach and Attack Simulation (BAS) and Threat-Informed Defense (TID), that work together to advance your CTEM strategy.
BAS tools provide an important baseline function: they test and validate that your security controls actually block or detect the adversary techniques catalogued in MITRE ATT&CK®. They are higher fidelity than purely analysis-based evaluation and have broader coverage than human-powered penetration testing and red teaming. Because they automate the process, they deliver faster, more consistent results and can be run repeatedly, with dashboards and analysis for reporting test results.
Illustrating Security Team Value and Investment Justification
Testing tool efficacy provides a critical function within CTEM, but you can’t stop there. To bring those boardroom and CEO scenarios to fruition, Threat-Informed Defense comes into play to help you optimize defenses and strategically manage exposure to threats.
Here are four steps security leaders can take with a TID approach to show how well the organization is protected, and what’s needed for improvement.
- Build on testing. Your test results may indicate that what you tested is working, but you still may not have everything you need to secure the organization, because threat actor tactics, techniques, and procedures (TTPs) change rapidly. Recent examples include Scattered Spider's shift to SaaS and new techniques that came out of left field, APT40 appearing in new campaigns and new geographic regions, and Black Basta's adoption of unusual TTPs to trick users into using a Windows feature to compromise the system. And what about the tools you didn't test, and those that didn't pass?
- Keep up with evolving threats. TID tools complement testing to help you assess your threat exposure across your entire defensive stack, not just select tools. Automatically mapping your existing security stack against a knowledge base that includes threat intelligence in MITRE ATT&CK, and other threat intel sources that are updated more frequently, provides a complete picture of how protected you are against the threat of the day.
- Understand your optimization options. Using insights derived by continually tracking different tools’ capabilities and how you have them deployed, coupled with intel on threats that matter most to your organization, a TID tool will provide recommendations for what to do next to optimize your defensive posture. You may learn that you can optimize what you already have with configuration changes or by adding internal resources to create a new custom rule or detection. Perhaps upgrading a security tool to a new version will provide the capabilities you need. Or you may genuinely have a gap you need to fill by adding a new tool to your arsenal.
- Complete the picture. As you make changes to your program, go back to testing. Validate that what you have done to optimize the organization’s defensive posture is working as planned and delivering the outcomes you want. Closing the loop will build momentum for your CTEM program and confidence in your team.
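The four steps above describe a loop: map the stack's capabilities against the techniques that matter, fold in the latest BAS results, and turn the result into an ordered list of actions (configure, build a detection, upgrade, or buy). The script below is an added example of that loop in miniature; it is not code from the original article or from any BAS or TID vendor. The technique IDs are real MITRE ATT&CK identifiers, but the assignment of techniques to the placeholder actors, the capabilities of the placeholder controls, and the BAS pass/fail sets are all constructed sample data, not threat intelligence or real product coverage.

```python
"""Toy ATT&CK coverage model: map a defensive stack against actor TTPs.

Added example; all data below is constructed for illustration.
"""
from collections import Counter

# Constructed stack. "enabled" = techniques the control covers as deployed today;
# "available_with_config" = techniques it could cover after a config change
# or a custom rule. Neither set describes any real product.
STACK = {
    "edr": {
        "enabled": {"T1059.001", "T1003.001", "T1486", "T1053.005"},
        "available_with_config": {"T1021.001"},
    },
    "email_gateway": {
        "enabled": {"T1566.001"},
        "available_with_config": {"T1566.002"},
    },
    "idp_mfa": {
        "enabled": {"T1110"},
        "available_with_config": {"T1078.004"},
    },
}

# Constructed actor profiles: real ATT&CK IDs, made-up actor-to-technique mapping.
ACTORS = {
    "actor_a": {"T1566.002", "T1078.004", "T1021.001", "T1486"},
    "actor_b": {"T1566.001", "T1059.001", "T1003.001", "T1486", "T1053.005"},
    "actor_c": {"T1110", "T1078.004", "T1021.001", "T1204.002"},
}

# Constructed results of the last BAS run: which techniques were exercised and
# were blocked/detected, and which were exercised and were not.
BAS_PASSED = {"T1059.001", "T1003.001", "T1566.001"}
BAS_FAILED = {"T1486"}

# Worst status first; drives the ordering of the action list.
STATUS_ORDER = ["gap", "failed_test", "needs_config", "enabled_untested", "validated"]

# How each status maps onto the optimization options discussed in the article.
NEXT_ACTION = {
    "gap": "add a new capability (tool or custom detection)",
    "failed_test": "tune or fix the control that failed the BAS test",
    "needs_config": "enable existing capability via config change or rule",
    "enabled_untested": "add a BAS test so the control is validated",
    "validated": "no action; keep re-testing",
}


def technique_status(tid, stack, passed, failed):
    """Classify one technique against the deployed stack and the last BAS run."""
    enabled = sorted(c for c, caps in stack.items() if tid in caps["enabled"])
    configurable = sorted(
        c for c, caps in stack.items() if tid in caps["available_with_config"]
    )
    if tid in failed:            # a test ran and the control did not hold
        return "failed_test", enabled
    if enabled and tid in passed:
        return "validated", enabled
    if enabled:                  # mapped as covered, but never exercised
        return "enabled_untested", enabled
    if configurable:
        return "needs_config", configurable
    return "gap", []


def assess(actors, stack, passed, failed):
    """One row per technique any tracked actor uses, worst status first,
    then by how many actors use it, so the top rows are the next actions."""
    usage = Counter(t for ttps in actors.values() for t in ttps)
    rows = []
    for tid, n in usage.items():
        status, controls = technique_status(tid, stack, passed, failed)
        rows.append({"technique": tid, "actors": n, "status": status,
                     "controls": controls, "action": NEXT_ACTION[status]})
    rows.sort(key=lambda r: (STATUS_ORDER.index(r["status"]), -r["actors"], r["technique"]))
    return rows


def exposure(ttps, stack, passed, failed):
    """The 'threat of the day' view: (covered, total) for one actor's TTPs.
    Only techniques with an enabled control that has not failed a test count."""
    covered = sum(
        technique_status(t, stack, passed, failed)[0] in ("validated", "enabled_untested")
        for t in ttps
    )
    return covered, len(ttps)


if __name__ == "__main__":
    for row in assess(ACTORS, STACK, BAS_PASSED, BAS_FAILED):
        print(f"{row['technique']:<10} {row['status']:<17} actors={row['actors']} "
              f"controls={row['controls']} -> {row['action']}")
    for name, ttps in ACTORS.items():
        c, t = exposure(ttps, STACK, BAS_PASSED, BAS_FAILED)
        print(f"{name}: {c}/{t} TTPs covered")
```

The point of separating `validated`, `enabled_untested`, and `failed_test` is that a mapping alone (step 2) over-reports coverage and a BAS run alone (step 1) under-reports it: the honest board-level number comes from combining the two, and the `needs_config` rows are where the cheapest wins usually are.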