Moving Towards a Continuous Security Model
If you deal with technology and security, you are most likely bombarded, and possibly overwhelmed, by the number of security solutions available. There are so many interesting technologies in the security space that deal with emerging threats. You could buy products all day long to address real and perceived threats. However, once you start adding up the cost of all the solutions, that cost gets pretty big. So, you start evaluating what you have and what your risks are, not knowing exactly how effective all these solutions truly are. In the end, many of these products are insurance policies. We don’t want to be compromised, so we make our best effort to address the ever-expanding threat landscape.
It is fairly common to implement vulnerability assessments and penetration tests to understand the gaps and to test our defenses. Some of us may be running these programs to address regulatory and compliance requirements. This is all great, but think about it. If you run one penetration test per year, what happens the other 364 days? Would you like to wait a year to find out you had a gap that may have been discovered a week after you ran your test? This does not sound like an ideal situation.
I was reading an article by Domain Tools (www.domaintools.com) that discusses the “Continuous Security Model (CSM)”. They claim that the traditional model, which separates prevention, detection, response, and remediation, has created gaps and inefficiencies. The CSM seeks to unite these functions, moving them from a point-in-time sequence into a continuous cycle of prevention and response. Adversaries operate in a fluid and agile way and their attacks on us are continuous, so why would we test quarterly or once a year?
It is time to address security from the adversary’s viewpoint. Adversaries are relentless in attacking networks until they find a way in. We should begin to think like them. One solution is continuous testing. New technologies are emerging that look at security from an offensive perspective. Randori, Synack, Verodin, XM Cyber, and Cymulate are some of the vendors developing platforms that operate on a continuous security model by automating attack simulation and testing. For some of these vendors, the goal is to create a continuous “Red Team” exercise. Wouldn’t you rather find your security gaps before the adversary does by testing the effectiveness of your security controls?
Moving towards the “Continuous Security Model” will provide visibility into your security gaps and direction on how to close them. It will also provide data on the effectiveness of your current security goals and insight into whether the investments you have made in technology are working. Do you want to gain a better understanding of your security posture and whether or not you are investing in the proper tools? I know I do.
More! More like this... Share with us what is important to you. US being the IT Community #ITCommunity Steven Palange TLIC Worldwide, Inc.
Nice writeup, John.
Nice model here, John Shaffer, thanks for sharing!! Which of these 12 aspects of security is the biggest challenge for you today? Which is the biggest opportunity?