Security Solutions | 12 mins
Event-driven testing balances continuity and intrusiveness
Continuous security validation is increasingly viewed as a necessary aspect of any security strategy. As attacks by cybercriminals become faster and more advanced, industry standard shotgun approaches simply cannot keep up. However, while continuous security gives the impression of being constant, there is still a need to be thoughtful about how tests are run. Too much testing at high speeds is not only intrusive, but can overwhelm and degrade company IT infrastructure.
At Hadrian, continuous security uses an event-driven architecture which limits intrusion. Contextualization allows for only relevant tests to be run, and only when there is a change in the system. Such a system results in credible threat intelligence which balances the necessity for constancy with a lack of intrusion.
What is continuous security validation?
Continuous security validation strategies verify that already enabled security controls are working effectively and correctly. In contrast to traditional point-in-time assessment of IT infrastructure, continuous security validation is consistently checking security protocols work as intended.
Continuous security validation technologies are quickly becoming a common weapon in companies’ security arsenals due to the endemic shortage of hacker skill. Previously continuous testing relied on manual pentests to probe assets at set times. However, in 2021 3.12 million hacker jobs went unfulfilled. The talent required to continuously test external attack surfaces was simply not available.
As well, traditional pentesting strategies can't compete with the rapid growth of cybercriminal’s tool stacks. Cybercriminals are now running thousands of attacks in parallel. As well, increasing internet speed means they can get in and out of company IT networks even faster.
Rapid expansion of cloud sharing providers and Internet of Things devices have also created more access points for cybercriminals to exploit. As attack surface management becomes more difficult, validating defensive security protocols is important for a strong security posture.
What are the benefits of continuous security validation?
-
Allows for more effective security budgeting
-
Helps you to optimize your detection and response tool stack
-
Helps to bring visibility to your IT infrastructure and quantify risks
-
Allows for more effective protection of sensitive client information
Allows for more effective security budgeting
Continuous security validation tools, especially automated tools like Hadrian, help reduce company security costs. As a result of these tools there is less need to hire specialist penetration testers, and existing talent can dedicate their time to more creative attacks.
As well, continuous security validation tools help to prevent attacks which hurt company finances, such as ransomware attacks. Ransomware attacks have increased 239% since 2019 and the cost to recover from an attack has increased by 228%. Consistent risk assessment ensures proper protocol is in place to defend attacks.
Helps you to optimize your detection and response tools stack
In order for security teams to best optimize their tool stack they need to know where that optimization should take place. While detection tools can find potential threats they are focused on attack vectors which they are already configured to detect.
As a result, emerging threats and new vulnerabilities in software and applications go undetected. There is often a time gap between when a new threat is made public to cybercriminals and when company detection tools are updated. In a recent report by Palo Alto’s Network security arm the speed of attackers was apparent. Data shows that attackers start scanning the web for vulnerable endpoints roughly 15 minutes after a CVE is disclosed. Testing scheduled at monthly or yearly intervals cannot keep up. Such a lag significantly weakens security posture.
Helps to bring visibility to your IT infrastructure and quantify risks
Continuous security validation tools attempt to emulate the mind of a potential attacker. By taking the same paths an attacker would to exploiting vulnerabilities, continuous security validation helps to quantify your risk tolerance. By measuring resistance to attacks, security teams can better understand if their defensive strategies are working.
In comparison to traditional pentesting continuous security validation provides tests more frequently. The collection of more data allows for informed decisions regarding defensive security protocols.
Allows for more effective protection of sensitive client information
Increasingly customers are encouraged to put sensitive personal identifying information on the internet. In early 2022 investigation by the New York State Office of the Attorney General found that 1.1 million online customer accounts had been compromised. At 17 well known businesses credential stuffing had been used to steal PII.
In January web skimming attacks allowed for the skimming of credit card numbers and other PII. These attacks injected malicious code into imported videos. The attacks were deployed by cloud video hosting services and compromised hundreds of real estate websites.
Continuous security validation tools keep up to date on the newest attacks. Thus, they are quicker to identify when a defensive security protocol is redundant. As a result continuous security validation allows companies to better protect sensitive client information, increasing brand reputation and trust.
The challenge of intrusion in continuous security validation
While continuous security validation is hugely beneficial to strengthening security posture, there are aspects which can be intrusive.
Continuous security validation can be an intrusion on company IT infrastructure overall. Constantly running tests, especially at high speeds, can put a burden on servers and the system. The memory and bandwidth required to process such high rates of incoming requests can cause server exhaustion. If the attack surface is not actually changing then these extra tests are unnecessary.
Finally, constant testing can lead to alert fatigue that overwhelms defensive security teams. Desensitization to alerts can lead to not all alerts being properly dealt with. Without proper contextualization, this intrusion into a security team’s workflow can actually hinder defensive security.
Speed in event-scheduling balancing intrusion and continuity in Hadrian’s event-driven architecture
At Hadrian we believe we have struck the balance between continuity and lack of intrusion. Through modular testing and speed in event scheduling we collect continuous threat intelligence without being a burden on your system.
Modular infrastructure
Hadrian's continuous security validation platform is an event-driven model. Event-driven architecture relies on a modular infrastructure. Complex exploits are broken up into smaller tests and probes to guarantee speed and flexibility. Different modules are triggered in response to a previous event. Ranging from new insights and new data to new external threats, modules allow for easy simulation of multi-stage attacks.
These modules run in parallel to each other and create subsequent events which in turn propagate more modules. Currently, each script at Hadrian generates 8500 events per day, on average. Thousands of these event-chains allow for the simulation of complex exploits. Hadrian currently executes 40 thousands scans per day, meaning on average 4 thousand scans per customer per day.
Event-driven architectures strike a balance between intrusion and continuity by only running tests when it is necessary. Hadrian’s event-driven architecture is especially good at doing this because of its context-based testing. Data collected during earlier stages of asset discovery ensure that tests run are relevant to the initial event and have specific targets. While tests are still complex and deeply accurate, time and energy aren’t wasted running random tests on the whole system.
Hadrian's event-driven architecture
Speed in event-scheduling
Speed in terms of event-scheduling ensures that time from initial event to propagation of an event-chain is short. When a new vulnerability arises in a system it is vital that Hadrian finds that vulnerability as fast as possible. The longer the time-gap between event and discovery the more opportunity there is for a malicious attacker to compromise the customer.
Our eventing-framework has a script execution time of on average a few seconds after an event is registered. For new customers the results are available within a few minutes and Hadrian can present a strong overview of the system within 15 - 30 minutes. The result is faster vulnerability detection than periodic scans would allow.
However the event-driven system also helps to reduce the level of strain on the infrastructure of the client. Scans are only run when useful, reducing stress on a client’s network. Speed is not compromised, but rather moderated through an event-driven architecture that ensures Hadrian is no burden to company infrastructure.
Overall continuous security validation, and speed within continuous security validation is important to keep up with the changing security landscape. However, tests still need to be targeted, relevant and contextualized. In comparison to traditional methods, Hadrian’s event-driven architecture balances fast, consistent testing with a lack of intrusion.