It’s a dark time for defenders. Companies are upping their spending on security, but over 48% of CISOs lack basic confidence in their cybersecurity strength. The gulf between a security posture that works and one that doesn’t has never been more glaring.
Fortunately, more enterprise security teams are waking up to this problem. Among the companies we talk to, the majority now say that testing security systems and attack perimeters is a near-future priority. Today, over 63% of organizations are doing some sort of testing on at least a weekly basis. With IBM putting the cost of a breach at over $4 million in 2021, it’s evident that proactive security processes like penetration testing, BAS, and even red teaming have never been more necessary. Many firms are moving to a risk-based approach too, and 46% of companies are doing testing to look at overall cyber risk.
This is all positive news. However, the truth is that even highly proactive organizations are not testing enough. Bounded by hard limits of economic rationale and resource availability, the frequency and scope of most testing programs fall short of what’s needed. While security teams might think that their testing program is giving them greater insight, most testing methods only deliver a limited, point-in-time snapshot of what’s exposed. With threat actors able to see 100% of your external attack surface whenever they want, looking at your attack surface through a monocular is not ideal.
Traditional Testing Often Misses the Picture
Testing, however limited, is a worthwhile investment. But to get more than just a false sense of security from their testing programs, defenders need to quickly grasp the limitations of common security testing methods.
Consider penetration testing. To start with, pen tests are expensive. Depending on factors like the scope of a test and the period covered, the average pen test can cost anywhere between $10,000 and $30,000. This high price tag puts regular pen testing beyond the reach of most organizations.
Pen tests also typically only cover a small percentage of an organization’s IT assets, leaving large blind spots untested. An Informa Tech study of enterprises that use pen tests regularly found that over 60% are worried about the level of coverage pen testing gives them, while almost half report that pen testers only detect known assets. As a time-bound method of assessing security controls in a compliance- and remediation-focused way, pen testing is a powerful tool. But irregular pen testing does not give defenders a holistic picture of their entire program.
More cost-effective than pen testing, Breach and Attack Simulation (BAS) tools are used by many defenders to validate specific controls. BAS is a great way to test whether a particular solution like a web application firewall (WAF) is installed correctly, or to confirm that controls are working as they’re supposed to. But again, BAS solutions do not provide a holistic security picture. They also do not give defenders any idea of what might happen in the case of a real-life cyber-attack.
Red teaming is the obvious solution to the limited viewpoints other security testing methods give defenders. Made up of real human beings, red teams are trained to think and act like threat actors. Starting from inside or outside networks, red teams can systematically probe defenses, exploit vulnerabilities, and report their findings. Ultimately, red teaming is the only solution that gives defenders a comprehensive idea of their IT suite’s security. Unfortunately, red teams have one major problem: they are prohibitively expensive.
In a time where cybersecurity skills are facing record-high demand, attracting and retaining talent is far from easy. To deploy an in-house red team, organizations generally have to start by hiring new security team members. Once onboard, red teams need to be armed with the right security tools and managed programmatically. None of this is straightforward or cost-effective to do, especially for organizations with smaller budgets.
Continuous Testing Is Vital
Security testing has its limitations, but it has never been more necessary. This is highlighted by the fact that almost 70% of organizations saw their attack surfaces grow last year. With defenders scrambling to reassess the existing and emerging vulnerabilities that attack surface expansion creates, the current cadence of security testing is simply unable to keep up.
Undergunned and overburdened, most organizations cannot deploy and sustain the round-the-clock red teaming they need. Aware of the security challenges they face, 34% of organizations have told us they want to perform security testing more often but lack the budget to do so.
At the same time, threat actors are doubling down on innovation. In 2021, the number of new exploits spotted in the wild was double the previous year’s total. As more threats evolve evasive capabilities like the ability to persist in device memory, poorly deployed threat detection solutions are being bypassed. Among the complex web of on-premises, hybrid, and cloud assets that make up modern digital estates, it’s only getting easier for threat actors to find and exploit misconfigurations and compromise targets.
CART Brings Red Team Benefits to More Companies
Continuous automated red teaming (CART) technology gives organizations the benefits of a well-equipped and highly skilled red team without the massive overheads and management burdens.
By making continuous security testing possible, CART ensures that defenders have an up-to-the-minute view into how their attack surface is evolving. As a result, security teams can confirm which assets are exposed, prioritize vulnerable entry points, and validate the controls that protect them, all in real time.
While CART is a dramatically better-value alternative to employing a red team, it does not replace targeted pen testing. Instead, as a next-generation visibility solution, CART transforms the perspective defenders get on their environments.