The phrase “you’ve got to walk before you can run” is something that we’ve all heard and rolled our eyes at least once in our lives after we’ve attempted an advanced skill before mastering the basics. The saying is unfortunately very accurate when it comes to cybersecurity. Maturing your vulnerability management program is a process that must be done thoughtfully, ensuring you have a proper foundation laid before moving to the next level.
Penetration testing has become increasingly common in recent years, so much so that there is often a misconception that this is where you should start when incorporating proactive security strategies into your program. However, in order to get the most out of your pen tests, other tools and techniques need to be in place first. In this blog, we’ll go over what’s needed before running your first pen test.
Though security teams are always aware of the importance of cybersecurity, that doesn’t necessarily mean everyone in the organization shares their concerns. Unfortunately, without the buy-in of decision-makers, security programs are often stuck in the early stages of security maturity. However, the one silver lining in the near-constant news stream of cyberattacks is that security has become a top priority for more organizations than ever before, with CISOs becoming more common and gaining additional responsibilities. Organizations with security-focused leadership are much more likely to plan and approve initiatives that advance security maturity to the point where they can incorporate practices like pen testing.
Security Team Skills and Characteristics
Security teams have an incredibly difficult job—keeping on top of security for even a small organizational infrastructure is a never-ending task. Pen testing, while a critical part of security strategies, is not the sole assignment of a security team. It’s important to assess whether your team has what it needs in order to take on the task of pen testing. Consider the following criteria:
- Size—The size of your team is somewhat relative to the size of your organization. That said, even at a small organization, a team of one or two is likely unable to add pen testing to their plate. Typically, you’ll need a medium to large team in order to have the bandwidth to consider running your own security assessments.
- Skills—Smaller teams tend to have more generalist roles that can cover a broad range of standard security tasks. As security teams grow, specialists can be brought on board to focus on certain areas of security that require more expertise, like network security or vulnerability management. This also demonstrates that your vulnerability program is maturing enough to have a more structured strategy, which can include proactive security techniques. Since there are so many types of specialists, discussion may be required to determine which role should be filled first. While it’s common for pen testers to be considered a key role, not having one on staff doesn’t preclude you from running a pen test. This will be discussed in more detail below.
- Strategy—How does your security team operate? In the early stages of maturity, most security teams are concentrating on keeping the lights on, performing ad hoc tasks, and reacting to problems as they find them. Pen testing works best as part of a broader security strategy that is able to work more proactively, reducing risk before problems arise. There is no point in knowing what your security weaknesses are if you aren’t in position to fix them. If your focus is solely on putting out fires, you’ll first need a little more structure, either through additional tools or staff, before you’re ready for a pen test.
Other Solutions in Place
Penetration testing is a fantastic way to better understand what security vulnerabilities are putting you most at risk. However, the remediation process takes time, so it’s important to have reactive solutions in place to provide coverage in the meantime. For example, firewalls and antivirus can help reduce the damage of a potential breach through detection and by providing additional obstacles.
On the proactive side, vulnerability management solutions, like Frontline VM, are ideal for giving you a detailed picture of what vulnerabilities exist in your environment. Since they can be fully automated and are easy to use, such tools can run scans frequently, enabling security teams to stay up to date on the state of the infrastructure. Vulnerability management solutions are also an ideal bridge to penetration testing tools because the two can often work together. For example, with the pen testing tool Core Impact, vulnerability scan data can be uploaded and validated to prioritize risk.
Pen Testing Services or Solutions?
Once you’ve answered the question “are you ready for a pen test” with an enthusiastic “yes,” “yep,” or “yeah,” you’ll be faced with another question: should you use services, solutions, or both? While you may have advanced your security enough for pen testing, there is a difference between being ready to run a pen test yourself and being ready to have a pen test run by a third party. A third-party vendor can perform sophisticated tests and provide an objective, novel, and expert view of your security posture.
Penetration testing teams can be in-house when organizations have the ability to invest in their vulnerability management program with more consistent initiatives. In-house teams can also help to quickly follow through on any remediation measures. However, third-party services can also be used in lieu of or in tandem with in-house teams.
Many organizations use penetration testing tools as a way of running pen tests without the need for a full in-house team. Automated pen testing tools are ideal for those beginning a pen testing program, since they can be used by security team members who may not have an extensive pen testing background for tests that are easy to run but essential to perform regularly.
Oftentimes, combining a pen testing tool with the periodic usage of third-party services is particularly effective. These services can be used for things like initial tests that may be complex to set up, but can then be repeated for remediation validation by an in-house security team. However, organizations should be sure to carefully research pen testing service providers, as many simply use similar testing tools, while others have advanced expertise suited for more complicated tests.
Maturing Your Security at the Right Pace
Vulnerability management programs are not a race—skipping steps won’t get you to the finish line any faster. In fact, rushing to add more mature practices like pen testing and red teaming will ultimately set you back, as you won’t have the staff or strategies in place to appropriately react to their findings. By determining where you are in your security journey, you will be better able to plan next steps that are both manageable and effective, eventually allowing you to incorporate penetration testing and see its full benefits.