A great lament for the death of conventional Penetration Testing went up to the cyber heavens yesterday:
Penetration testing is, to all intents and purposes, dead. It has been killed by an industry driven by profit, and end customers not driven by quality but by cost. The demands for metrics, for compliance, for the quantification and qualification of risk, have not only sounded its death knell but abused its corpse.
Like a pack of jackals, providers suck the last of the marrow before they are inevitably replaced by an automated set of tools placed into the hands of functional testers. Spreadsheets and management briefings have removed the wonder from the world.
The penetration test report (or vulnerability scan) said we are okay. We only have a few issues to fix. We only have a few issues to add to the risk register. And the rates were more than reasonable for assuaging the auditors. And without fail, the penetration testing company raises the flag of “point in time snapshot” when their clients are targeted.
Overall, this piece is a grim and brutal reflection on the IT security industry, and it is certainly not without merit. Three factors are highlighted as primary in the demise of Penetration Testing, namely Automation, Compliance and Standards.
However, even in the depths of the author’s slough of despond, flickers of hope still pop up.
I think there is a space for a new model.
And there is. But that model is not about throwing away everything from the old model.
Enter, stage left: Neira Jones, a powerful and persuasive advocate of the PCI DSS and ISO 27001 standards:
Did you spot it?
The DSS is a very good set of security controls, a very good set of data security controls; having said that, the DSS is a minimum requirement, it’s about establishing a baseline.
The other thing that organisations should realise is that they shouldn’t be looking at the DSS in isolation and they shouldn’t be looking at it as a compliance venture. After all, we’ve all seen the Target data breach, we’ve all seen that they were supposedly certified compliant at the time of the breach.
But a report on compliance is only a snapshot in time.
So, all in all, the PCI DSS should be looked at as part of an overall risk management framework.
As Neira is at pains to point out, compliance and standards are enormously valuable and serve a vital purpose, but they are only part of the overall IT security picture and posture, not its entirety.
So what would complete the picture?
The new service I speak of has a number of names. Adversary Simulation is one name. Threat Emulation is another. Red Team-lite is a term my friends and I use to joke about it. The concept is the same. An offensive professional exercises security operations by simulating an adversary’s actions.
Put simply, real-world scenario testing of our defences.
And who are leading the way in this approach? Microsoft.
To help combat emerging threats, Microsoft employs an innovative Assume Breach strategy and leverages highly specialized groups of security experts, known as the Red Team, to strengthen threat detection, response and defense for its enterprise cloud services. While these practices have been in place for many years, most customers are unaware of the work being done behind the scenes to harden the Microsoft enterprise cloud. A whitepaper, released today, sheds light on how Microsoft uses Red Teaming to simulate real-world breaches, conduct continuous security monitoring and practice security incident response to validate and improve the security of Microsoft Azure and Office 365.
Red Teaming has become one of the most essential parts of developing and securing Microsoft’s cloud infrastructure, platform, and services. The Red Team takes on the role of sophisticated adversaries and allows Microsoft to validate and improve security, strengthen defenses and drive greater effectiveness of our entire cloud security program. Red Teams enable Microsoft to test breach detection and response as well as accurately measure readiness and impacts of real-world attacks.
Rumours of the death of conventional Pentesting are premature. Throwing away and blaming compliance, standards and automation is folly. We need all of these things, but if we are really serious about IT security, we also need the Red Team to complete the picture.
That is the new model.
Long live the Pentest! And Standards and Compliance and Automation and the Red Team!