Modern security organizations are utilizing a range of security validation methods and technologies as they seek out more efficient ways to test and validate their security posture. Each method has different strengths, weaknesses, and optimal use cases—in many instances their functions can overlap. With so many options available, it’s important for security practitioners to understand the differences between each of the methods and how the technologies work within different contexts.
To help you choose the right tools for your use case and IT environment, we’re launching a new blog series: “Demystifying Security Validation Technologies: What You Need to Know.” In it, we’ll identify and define a number of security validation methods available today, provide the strengths and weaknesses of each, and explain how each functions in different IT environments. Our first post covers manual penetration testing. But before we jump in, it’s important to know what we mean when we say “security validation.”
What is security validation?
Simply put, security validation is the utilization of a technique to determine what would happen if an organization were to experience a cyberattack or breach. This is done by testing an attack in a controlled environment to confirm whether or not that attack would be prevented by the security ecosystem an organization has in place. While historically, organizations have approached cybersecurity by shoring up defenses and reacting to attacks that break through, security validation enables security teams to more proactively test their defenses in advance of an actual attack to understand where vulnerabilities exist and take meaningful remedial action.
What is a penetration test (pen test)?
Pen testing is a widely respected and used form of security validation. To perform a pen test, security analysts mimic the tactics used by hackers to mount a simulated cyberattack against working, in-production computer systems. As a result, they are able to discover potential vulnerabilities and points of exploitation.
In order to compromise the network in a non-damaging way, modern pen testing uses both automated tools, such as scanners and password crackers, and manual penetration tactics, such as buffer overflow, SQL injection, and Javascript manipulation.
Before an exercise, pen testing teams work with admins to designate ground rules and included/excluded devices. The goals of pen testing are to identify and quantify:
- Potential attack vectors for threat actors
- Exploitation and impact of vulnerabilities
- Overall risk to the client environment(s)
Pen testing strengths and weaknesses
When compared to more automated tools, pen testing shows a more complete picture of whether a vulnerability can actually be exploited. Because it’s driven by human activity, pen testing doesn’t usually generate the number of false positives you’d find with automated tools. For example, while an automated scanner will indicate a theoretical weakness, it doesn’t test if an internal security control or a path sanitization technique actually blocks the potential attack vector.
Other pen test strengths include the fact that they:
- Are easy to customize and focus
- Have a robust set of manual tools
- Provide evidence to support compliance requirements
- Enable deep testing of a selected environment
These days, pen testing is often performed for compliance reasons rather than for security reasons. From a security perspective, pen testing is no longer sufficient when it comes to conveying proper protection and continuous security.
One huge disadvantage of pen tests is that they are point-in-time exercises that don’t operate at scale. They require a tremendous amount of time and effort from security teams and are costly to perform. They usually require days or weeks of work and can’t effectively cover the ever-changing IT environment of a medium or large-sized organization.
Pen tests focus primarily on finding a way to breach systems and to access critical assets, and are based on identified weaknesses. They don’t simulate entire attacks to exfiltrate data or adversely impact systems.
Additional pen test weaknesses include the fact that they:
- Can’t be fully automated
- Require considerable planning and coordination
- May have limited testing abilities in production based on the required rules of engagement
- Can’t run continuously
- Can’t perform full lifecycle attacks at scale
- Are very manual—tools are stitched together and there is no automated export of findings to security management infrastructure
- Are generally not integrated with existing security management infrastructure—requires significant manual inputs for remediation steps
- Have a narrow focus
When should I use a pen test?
On-premise environments
Pen testing was originally designed for on-prem environments and it is still a useful collaborative exercise in those environments today. There are many useful—and often open-source—tools available for pen testing in on-prem environments.
On-prem environments tend to be smaller than cloud or hybrid environments, so the lack of automation and focus on manual inventory work is less of an impediment. Pen testing is also highly customizable, which works well for on-premise environments (where granular variance based on machine firmware is likely high).
While on-prem may be the ideal environment for pen tests, they are still expensive, time consuming, require manual planning, and aren’t effective in highly dynamic internal environments running more modern container orchestration platforms and deploying modern API management systems.
When should I consider a different security validation technology?
Cloud environments
Pen testing in the cloud is challenging. Cloud service providers (CSPs) generally don’t want to risk impacting other clients in their multi-tenant environments, where thousands of companies share data-center hardware. In these cases, full-stack pen testing could potentially cause outages that can cost CSPs significant chargebacks if SLAs are violated.
Additionally, cloud services are tightly linked via API to compute instances. Stress testing or scanning external-facing services can impact other users unless the IP address range is perfectly controlled. While some pen-testing tools and services built specifically for the cloud have emerged, they haven’t been widely adopted and aren’t nearly as useful as pen-testing activities in on-premise environments.
Larger organizations with dedicated infrastructure inside of a public cloud or managed private cloud can more easily perform pen testing, but even this has to be tightly coordinated with the CSPs, who exercise veto power.
Hybrid Environments
Since hybrid environments include both cloud and on-prem or private cloud, all of the above considerations for the two types of environments still hold true for hybrid environments. Furthermore, hybrid environments are likely to move towards more cloud and away from on-premise over time; therefore, longer-term environmental trends favor cloud-effective solutions over on-prem effective solutions.
Security teams working in hybrid cloud environments should use a blended approach to vulnerability testing and security control validation. They will need to determine and prioritize the business value and risks for what is running on-prem versus what is running on cloud and allocate resources to address those risks.
Understanding other security validation technologies
Pen testing is likely the most familiar method when it comes to cyber security validation. As our IT systems have evolved, so too have our methods of proactively identifying their weaknesses. Stay tuned as we continue to delve into each security validation technology, including:
- Automated penetration testing
- Attack surface management
- Breach & attack simulation
In the meantime, if you’d like a full comparison of each approach, take a look at our white paper Six Methods to Test Your Organization’s Resilience to Cyberattacks.
