Gartner Blog Network


The Bane of All Security Tests: Acting on Results

by Anton Chuvakin  |  January 11, 2018  |  2 Comments

Want to hear a penetration testing joke? No, not this one:

pen-tester

…but this one:

Q: Do you need a pentest done?

A: Not sure … will it make us secure?

On a more serious note, the biggest challenge with tests of anything is of course how you act on the results. It seems that any pentester worth his … ahem … his pen … has seen clients who simply file their reports, and then do nothing until the next year’s test. Guess what the test typically reveals next year? Oh, the mysteries of the Universe … or at least the same mysteries as last year :–)

As we explore the breach and attack simulation (BAS) [sometimes also called threat simulation] tools and ponder broader questions around testing security posture, we encounter mysteries related to acting on the findings of simulations and tests.

For example, lets imagine you used a shiny new BAS tool and it revealed that one can utilize an ICMP tunneling to exfiltrate a file out of your network, without you noticing. Let’s assume this happened despite the fact that you have configured available security tools (firewall, NTA, DLP, etc) in an optimal manner (whatever that means…but let’s not dwell on this here).

So:

  • How do you prioritize this finding vs other security action items?
  • What is your additional risk due to this finding?
  • How do you act on this if your existing tools have just been proven to not stop/detect it?

 

Indeed, it may be that testing is [relatively] easy, but deciding what to do is hard. BTW, if you recall, some of the same logic applies to threat intel: you may get an advance warning, but can you act on it, do you have the capability or agility to quickly build such capability to act? After all “intelligence does not win wars”

 

Blog posts related to testing security research:

Category: security  testing  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on The Bane of All Security Tests: Acting on Results


  1. […] The Bane of All Security Tests: Acting on Results […]

  2. […] The Bane of All Security Tests: Acting on Results […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.