Continuous Assurance is the future
Updated: May 4
Security testing is a common security assurance tool that has been used for many years. Yet, despite countless expensive tests, systems continue to be compromised.
That is hardly assurance, a point the disclaimers prefacing a typical test report indirectly concede: the findings reflect the scope, the time window and the tester involved, and nothing beyond that.
Of course the test will be declared a success, because it will invariably turn up a misconfiguration, a missing patch or an exploitable weakness that happened to catch the tester's interest. The overwhelming real-world evidence, however, is that this style of testing has failed systemically.
Those findings are valid, but at best they give point-in-time assurance, limited to the moment of the test and to its agreed scope and criteria. A vulnerability unknown to the tester, or outside the scope, may remain, or may be disclosed the day after the test.
On April 14 2017 the Shadow Brokers published a large cache of previously unknown exploits, among them EternalBlue, which went on to power the WannaCry and NotPetya ransomware outbreaks later that year. Imagine if you had paid for security testing on April 13... (The SMBv1 flaw that EternalBlue targets had in fact been patched in MS17-010 a month earlier; a missing patch sitting unremediated for weeks is exactly the kind of gap that ongoing hygiene monitoring, rather than an annual test, is meant to catch.)
It is highly likely that many, if not all, of the organisations hit by those attacks had undergone security testing before they were compromised.
Our preferred model is Continuous Assurance: ongoing, real-world security testing. It combines threat hunting, detection and prevention with in-depth system hygiene monitoring and, where possible, real-time vulnerability assessment.
The aim is to see how criminals are actually attacking you, rather than relying on the theoretical or contrived findings of a security tester.
Our clients receive an update on their security assurance every month, or sooner when something urgent arises.
Separation of Duties
We strongly recommend separating the security administration performed by a service provider from security assurance management, so that the party that configures and operates the controls is not the party that judges whether they are working. Our Continuous Assurance programme gives our clients ongoing confidence in the security of their environment. An important side effect is that it also provides independent visibility into the quality of the security administration delivered by their service provider.
Please contact us for a no-obligation discussion about how you can reduce your security testing expenditure while achieving a higher level of security assurance.