Stop Spending, Start Validating: How to Achieve an “Assume Breach” Mindset


Brett Galloway, CEO at AttackIQ, shares how security leaders can build a comprehensive defense-in-depth strategy so they can confidently report to their boards, auditors and leadership teams on the strength of their security posture.

Would you leave for vacation without ensuring that your alarm is set and ready to alert the authorities of a potential intruder? Of course not. Yet that’s what happens in cybersecurity all the time. Every day, security teams invest in defenses, and every day intruders break through. A full 82% of enterprise breaches should have been stopped by existing, installed security controls but were not. Why? Untested security controls falter constantly, and when they do, they fail to prevent data theft and destruction.

Contrary to popular belief, breaches don’t happen due to a new savvy adversary tactic. Adversaries often use the same operational techniques repeatedly, altering the order or means of ingress but largely hewing to a basket of known procedures. Nor do breaches occur because companies fail to invest in security. Companies spend money on defenses. Breaches succeed because security controls, made up of people, technology and process, are untested, and because they are untested, they fail regularly and silently when the adversary attacks. If you leave it to an intruder to test your security, you might as well be leaving your door unlocked and unalarmed.

Security teams need data-driven visibility into what’s working across an entire security program. The best way to generate that data is to exercise security controls continuously against known threats.


Improve Effectiveness with a Threat-Informed Defense

There are many strategies that organizations might deploy to defend their critical assets. According to a CISO Effectiveness Survey from Gartner, 78% of CISOs have 16 or more tools in their cybersecurity portfolio; 12% have 46 or more. Yet, for many organizations, it is unclear how effective their security controls actually are and what gaps require additional investment. This is because existing security controls are often not configured correctly or integrated well with the security stack.

So, how can security teams change the story to improve their cybersecurity effectiveness? Rather than starting out by trying to close every vulnerability, security teams should focus on ensuring effectiveness against the known threats most likely to target them. From there, they should validate that their cyberdefenses actually work. Focusing on threats first allows teams to prioritize which data to defend and which security controls to test first. Then, teams can begin to prioritize which vulnerabilities to patch first on the basis of known and likely threats.

This all sounds simple, but for years security teams lacked an easy means of determining where to begin. All of that changed with MITRE ATT&CK, a free, globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Since it was published in 2015, MITRE ATT&CK has become instrumental in both the public and private sectors to validate defense effectiveness, including serving as the foundation for alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to communicate about adversary behavior like the SolarWinds intruder.

The SolarWinds intrusion demonstrated that it is not a question of if but when an intruder will break past the moat-like perimeter defense of a network. Under an “assume breach” mindset, the U.S. government and leading organizations all over the world have adopted a zero-trust strategy that requires a robust internal defense to prevent lateral movement inside a network. Once robust investments are made, senior leaders and boards will soon ask: “So you have invested – are we actually prepared? Is our security program really going to defend us against the next SolarWinds?” Security teams can answer these questions by adopting a threat-informed defense that emulates known adversary behaviors and generates granular visibility into security program effectiveness. 

Foster a Stronger Relationship Between Red and Blue Teams

To put a threat-informed defense into practice, security teams should adopt a “purple team” operational construct with MITRE ATT&CK at the center. Purple teaming combines a threat-focused “red” team with a defensively minded “blue” team to ensure that the entire organization is focused on mitigating the right threats. Purple teams help ensure that defensive teams have the adversary knowledge they need to validate their defenses quickly.

Never Trust. Always Validate.

CISOs need to prepare their security teams to assume breaches and ensure optimal readiness. By practicing continuous security validation, organizations can automatically emulate the full attack and kill chain against an enterprise’s infrastructure using software agents, virtual machines, and analytic tools to measure security program performance data. Automating adversary emulation is a controlled way to test whether your security program is configured correctly and validate that your security systems perform as expected. This method provides a suitable balance between continuous testing, detailed insights on potential gaps, and support to keep up with ongoing threats. Automation also enables the use of complete attack taxonomies such as MITRE ATT&CK to ensure comprehensive threat coverage. 

The real-time performance data provided by continuous testing gives security teams visibility into what is working across their entire system and prioritizes the improvements that matter most. As a result, security teams can accurately report on the strength of their security posture, leaving boards and senior leaders with a deeper confidence in their approach and overall effectiveness.
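The two paragraphs above describe turning emulation results into per-tactic effectiveness data and a prioritized list of gaps. The following Python is an added illustration of that reporting step, not code from the article or from AttackIQ; the result set and the threat-priority weights are constructed sample data, and the outcome scores (prevented 1.0, detected 0.5, missed 0.0) are an assumption.

```python
"""Score continuous-validation results against MITRE ATT&CK tactics."""
from collections import defaultdict

# Constructed sample results from one emulation run (not real data):
# (technique id, tactic, outcome). Outcomes: "prevented" (a control blocked it),
# "detected" (an alert fired but nothing blocked), "missed" (no block, no alert).
RESULTS = [
    ("T1566", "Initial Access", "prevented"),
    ("T1059", "Execution", "detected"),
    ("T1078", "Defense Evasion", "missed"),
    ("T1003", "Credential Access", "missed"),
    ("T1021", "Lateral Movement", "missed"),
    ("T1021", "Lateral Movement", "detected"),  # second variant of the same technique
    ("T1486", "Impact", "prevented"),
]

# Hypothetical threat-priority weights (1-5) from the organization's own threat
# model: higher means the technique is more likely to be used against it.
PRIORITY = {"T1566": 5, "T1059": 4, "T1078": 5, "T1003": 5, "T1021": 4, "T1486": 3}

# Assumed scoring: only prevention earns full credit; detection is half credit.
SCORE = {"prevented": 1.0, "detected": 0.5, "missed": 0.0}


def tactic_effectiveness(results):
    """Average control score per tactic, 0.0 (all missed) to 1.0 (all prevented)."""
    per_tactic = defaultdict(list)
    for _, tactic, outcome in results:
        per_tactic[tactic].append(SCORE[outcome])
    return {t: round(sum(s) / len(s), 2) for t, s in per_tactic.items()}


def prioritised_gaps(results, priority):
    """Techniques with at least one 'missed' run, highest threat priority first."""
    missed = {tid for tid, _, outcome in results if outcome == "missed"}
    return sorted(missed, key=lambda tid: (-priority.get(tid, 0), tid))


def validation_report(results, priority):
    """Board-ready summary: effectiveness by tactic plus the ordered fix list."""
    return {"by_tactic": tactic_effectiveness(results),
            "gaps": prioritised_gaps(results, priority)}


if __name__ == "__main__":
    report = validation_report(RESULTS, PRIORITY)
    for tactic, score in report["by_tactic"].items():
        print(f"{tactic:18} {score:.2f}")
    print("Fix first:", report["gaps"])
```

With the sample data, Lateral Movement scores 0.25 and the credential-access and valid-account gaps sort ahead of the lateral-movement gap because the threat model weights them higher.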


