Much is said about the importance of security testing, regardless of what we call it: pentest, ethical hacking, red team or whatever. This is a process that every security team must have and perform regularly, if not continuously. Its benefit for companies is proven, because it brings visibility of possible vulnerabilities and risk situations in our environments that need to be mitigated somehow.
By Glauco Sampaio, CISO, Cielo
We usually use this type of test with a focus on new systems or new technologies, but how do we ensure that our legacy, what is already in production, continues to work as planned and implemented? This is a question that should torment our minds and be the object of our efforts. It is utopian to think that, once implemented, the controls will remain 100% functional through all the changes the company makes in its environment as a result of new initiatives or necessary adjustments. We cannot have the illusion that we will have the complete, preventive visibility that lets us know all the impacts and side effects of these changes.
Thinking about how to ensure the continuous operation of controls and processes is important to guarantee the security of our environments. It also helps us avoid unpleasant situations such as an audit finding on an issue that had already been mitigated.
The use of tools classified as Breach and Attack Simulation (BAS) has become widespread in the market. They are very interesting and, above all, add to this testing process a greater capacity to perform the validations. However, we must expand our testing horizons and also validate the associated processes that support the security operation, as well as the particularities of our environments, which are not the main focus of these solutions.
Test an end-to-end process. For a given scenario, check that:
- The simulated action can be run without being blocked
- The log generated is correct and is sent to the monitoring system
- The monitoring system generates the alert as it should, within the defined SLA
- If there is an automated response, it is carried out as it should be
- The incident response team handles the case within the defined SLA and as described in the playbook for that particular event
This is just one example of a possible “complete” test script; it can and will vary according to the level of security maturity and the characteristics of each company. What we should keep in mind is that the life cycle of that scenario is the object of the test: to ensure that every step is carried out as planned, with the agreed result.
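As an added illustration (not code from the article or from Cielo), the script below scores one scenario run against the life cycle above: it takes the timestamps collected at each stage, checks each stage against a per-stage SLA, and reports the first stage that failed. The stage names, SLA values and sample timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed per-stage SLAs in seconds (assumed values, not from the article).
SLA = {"log_ingested": 60, "alert_raised": 300, "auto_response": 120, "ir_handled": 1800}

@dataclass
class ScenarioRun:
    """Timestamps collected while one test scenario moves through the pipeline."""
    name: str
    executed_at: datetime             # when the simulated action was run
    blocked: bool                     # True if a preventive control stopped it
    log_ingested_at: Optional[datetime]
    alert_raised_at: Optional[datetime]
    auto_response_expected: bool
    auto_response_at: Optional[datetime]
    ir_handled_at: Optional[datetime]
    playbook_followed: bool           # did the IR team follow the scenario's playbook?

def _within(start, end, limit_s):
    """A stage passes only if it happened at all and within its SLA."""
    if start is None or end is None:
        return False
    return timedelta(0) <= end - start <= timedelta(seconds=limit_s)

def evaluate(run: ScenarioRun, sla=SLA) -> dict:
    """Verdict per stage of the scenario's life cycle, in pipeline order."""
    v = {"executed": not run.blocked}
    v["log_ingested"] = _within(run.executed_at, run.log_ingested_at, sla["log_ingested"])
    v["alert_raised"] = _within(run.log_ingested_at, run.alert_raised_at, sla["alert_raised"])
    if run.auto_response_expected:
        v["auto_response"] = _within(run.alert_raised_at, run.auto_response_at, sla["auto_response"])
    v["ir_handled"] = (run.playbook_followed
                       and _within(run.alert_raised_at, run.ir_handled_at, sla["ir_handled"]))
    return v

def first_failure(verdict: dict) -> Optional[str]:
    """Earliest failed stage: that is where the process needs attention first."""
    return next((stage for stage, ok in verdict.items() if not ok), None)

# Constructed sample runs: one clean pass and one where the alert came too late.
T0 = datetime(2021, 1, 1, 10, 0, 0)
PASSING = ScenarioRun("scenario-A", T0, False, T0 + timedelta(seconds=20),
                      T0 + timedelta(seconds=200), True, T0 + timedelta(seconds=260),
                      T0 + timedelta(minutes=25), True)
LATE_ALERT = ScenarioRun("scenario-A", T0, False, T0 + timedelta(seconds=20),
                         T0 + timedelta(seconds=900), True, T0 + timedelta(seconds=950),
                         T0 + timedelta(minutes=25), True)
```

Each stage is measured from the previous one, so a late alert is charged to the monitoring stage rather than to the response team that acted promptly once it arrived.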
The visibility generated by this type of test also helps in the management of operational teams with regard to the fulfillment of defined SLAs. In the incident response process time is precious, and handling an alert within the expected timeframe can be vital to containing an incident and preventing it from taking on greater proportions.
Often, stages of the incident response process are performed outside the security team or by service providers. Measuring the effectiveness of these actions has always been a challenge. The approach of continuous and complete tests gives us inputs to hold these third parties to the level of effectiveness defined in the SLAs. Showing practical cases helps us in these discussions or even in applying contractual penalties for outsourced services.
The results of these tests must be shared with everyone in charge of, or involved in, the incident response processes, as well as with the company’s executives. They can also serve as a security indicator that shows the effectiveness of the existing controls or where we need to reinvest money and effort.
It seems utopian to think that we will be able to test 100% of the security controls continuously. Here, automation tools or even internally developed scripts can help us gain scale. Even so, planning is necessary so that we do not overwhelm our response team with test alerts. The classification and prioritization of the tests must be based on the importance of the target control: critical controls must be tested more frequently than those of lesser importance.
It’s important to have a Chinese wall so that those responsible for the tests have the freedom to run them. It’s also important for security managers to have the maturity to understand that the purpose of these tests is preventive: to help us not be caught off guard by an incident.
In summary, continuous tests give visibility into our controls and guard against faults already identified and mitigated previously. We can start small by testing the most basic and simple controls, not necessarily with an end-to-end vision. But we have to start, and define an objective within a feasible horizon to achieve this maturity. I guarantee that even the most basic tests will give results and help us a lot!
About the Author
Glauco Sampaio is Chief Information Security Officer (CISO) at Cielo, where he is in charge of the security strategy for the largest Brazilian credit and debit card operator. Sampaio has been working for 20 years as an information security professional in Brazil, in media companies such as iG and Editora Abril, and also in financial institutions such as Santander Bank, Votorantim Bank and Original Bank.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG, and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.