Cybersecurity Today: Think Strategically
To combat cyberattacks, organizations develop policies and procedures to help safeguard their systems from these malicious attacks. It is common, however, to deploy cyber security measures that focus too much on compliance adherence.
Organizations can adopt one of two general philosophies. They can put all their efforts into protecting against an attack and hope that they will never suffer a breach. Or they can assume that a breach will occur at some point no matter what they do, and have in place procedures to minimize the effects of the breach.
In response to the increasing sophistication and frequency of cyberattacks in recent years, seasoned security teams are embracing the second philosophy, which is the notion of cyber resilience.
What is Cyber Resilience?
The National Institute of Standards and Technology (NIST) defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” This means that to embrace cyber resilience you take every precaution to protect your system from a breach, but you also put in place protections and procedures to continue mission or business objectives that depend on the affected cyber resources should a breach occur.
Achieving Cyber Resiliency
Cyber resiliency is not a monolithic term with a simple benchmark test. What it takes to be cyber resilient depends on how your organization is configured and what your business model is. But all cyber resilient organizations will have both proactive security procedures in place to guard against a breach and incident response procedures in place to mitigate or reduce the effects of a breach and then recover from it. In this article we are focusing on the security side.
Suffice it to say that incident response procedures include provisions such as having a well-trained incident response team in place, plans for protection of business critical software, data and infrastructure to minimize damage as much as possible and rapid notification of relevant parties.
Today, just like the cyber criminals who have an array of tools available to them, security teams have an assortment of tools available to help them achieve the highest possible level of protection. The challenge is to choose the right tools.
The Synergy of Pentesting and Vulnerability Disclosure Programs (VDPs)
The ultimate goal of pentesting and a VDP is essentially the same: check for vulnerabilities in a system before they can be exploited by bad actors. But they employ different approaches. Think of it as going wide vs. going deep.
Cast a Wide Net with a VDP
With a VDP, the organization deploys a formal policy enabling individuals among the public, as well as independent security researchers, to report vulnerabilities they detect. This is an effective way to attract a wide array of people with varying levels of knowledge, sophistication and reliability to examine your system and inform you of vulnerabilities so you can fix or otherwise mitigate them. Often there is no limit to the number of people who can participate in the program, and most programs are open-ended.
Once a vulnerability is reported the organization needs to triage it, check that it hasn’t already been reported, assess it for criticality, develop a resolution or mitigation plan and make any necessary changes. With a managed VDP, a third party security company, like Synack, can do all that for you so the organization can concentrate on resolution or mitigation.
Test Deep with Pentesting
Penetration testing, by contrast, is a structured test, carried out by experienced and vetted security researchers, for a defined period. They dig deep into the organization’s infrastructure and applications to ferret out vulnerabilities across the entire attack surface. And they use attack methods similar to what a cybercriminal would use to breach their system.
Often there is a stated goal, such as breaching a particular database, or gaining unauthorized access to a particular system. A good pentesting program includes vulnerability triage, risk assessment, comprehensive reporting, resolution or mitigation recommendations, and patch follow-up.
Pentesting and Voluntary Disclosure Programs: A Powerful Combination
Both penetration testing and VDPs contribute to providing proactive protection against a breach. Vulnerabilities reported through VDPs tend to be of lesser criticality while vulnerabilities detected by qualified penetration testers tend to be more critical and impactful to the organization. Together, having access to speedy and consistent reporting from regular penetration testing as well as VDPs is critical for boards or executives—and such reports often go hand in hand. The cyber-resilient organization will do both continuously in addition to having plans for incident response and recovery.
Penetration testing uncovers weaknesses before they are exploited by malicious actors, reducing the presence of vulnerabilities across the attack surface. VDPs help contain threats by providing a mechanism for responsible disclosure and remediation. Integrating the two approaches not only detects vulnerabilities, but also assesses their impact, evaluates the effectiveness of security controls, and drives remediation efforts.
Together, these approaches provide comprehensive and robust risk mitigation, contributing to the organization’s cyber resilience.
To learn more about how Synack can help your organization achieve cyber resilience with penetration testing and a managed VDP, click here.