Trust does not exclude control!
by Olivier Daloy, CISO at Faurecia
Companies often spend a lot of money and energy on the prevention of cyber threats, and more and more on detection and response, but they usually do not spend enough on control. They tend to trust too much in their capacity to detect every threat that was not prevented, which is a major strategic mistake, for several reasons.
First, the absence of an incident so far does not mean that such an incident cannot occur. Understanding the precise level of exposure of an information system to cyber attacks is key to defining the right strategy to protect it.
Second, Executive Management needs to know “what could go wrong”, also known as the company’s “security posture”. Simply listing the incidents that have been detected or that occurred is not a sufficient answer. It usually results in management asking: “Does the fact that you haven’t reported any major incident to us mean that nothing actually happened, or that you were unable to detect it?!” Without a clear answer, the executives turn to Internal Audit to investigate and report… And still few companies hire cybersecurity professionals experienced in audits within their Internal Audit team, which does not help to get the full picture.
Third, providing evidence of the level of protection through internal control activity builds and keeps trust in the work of the cybersecurity teams. It supports requests for additional budget and headcount, and for sponsorship of key projects and of the overall vision. Today, more and more partners and customers don’t believe statements; they request evidence. Beyond internal (and sometimes external) audit reports and pentests, whether periodic or continuous, CISOs are considering Breach and Attack Simulation (BAS) vendors and solutions such as SafeBreach, XM Cyber, Cymulate, etc. You may want to take a look at the following URL for further reading: https://www.esecurityplanet.com/products/breach-and-attack-simulation-bas-vendors/ . Though it is also called “continuous automated pentesting”, BAS aims at discovering the complete impact of a vulnerability by exploring all possible attack paths that start from it. In other words, it answers the “So what?” question that management asks every time a vulnerability or audit finding is reported: which critical assets could an attacker reach because of it. Such products usually rely heavily on artificial intelligence and machine learning. Keep in mind, though, that a BAS tool only reasons about the techniques, weaknesses and network paths it knows about: it tells you how far a known finding could take an attacker in the modelled environment, not whether unknown weaknesses exist.
Of course, implementing a Breach and Attack Simulation solution will generate a huge amount of remediation work for the cybersecurity teams in order to address the findings reported. Hence, it is important to secure appropriate budget and sponsorship before starting such a project.
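To make the “So what?” reasoning concrete, here is an added example (written for this page, not code from any BAS vendor or from the author) of the core of attack-path analysis: a breadth-first search over a small, constructed network model in which a hop onto a host only succeeds if that host still carries an exploitable weakness. The hosts, reachability and weakness labels are invented placeholders for illustration, not real systems or vulnerability identifiers. The `so_what` function compares which critical assets remain reachable before and after a single finding is remediated, which is exactly the answer management wants for each reported vulnerability.

```python
from collections import deque

# Constructed toy environment (not a real network): which hosts can reach which
# over the network, and which exploitable weaknesses each host carries. Weakness
# labels are descriptive placeholders, not real vulnerability identifiers.
REACHABILITY = {
    "internet":    ["web-dmz"],
    "web-dmz":     ["app-server", "jump-host"],
    "jump-host":   ["app-server", "db-server"],
    "app-server":  ["db-server", "file-server"],
    "file-server": ["db-server"],
    "db-server":   [],
}

WEAKNESSES = {
    "web-dmz":     {"unpatched-rce"},
    "jump-host":   {"default-credentials"},
    "app-server":  set(),                    # hardened: no known way in
    "db-server":   {"weak-db-password"},
    "file-server": {"anonymous-share-write"},
}

CRITICAL_ASSETS = {"db-server"}   # the "crown jewels" management cares about


def shortest_attack_paths(start="internet", fixed=frozenset()):
    """Breadth-first search over the network graph.

    A hop onto a host succeeds only if that host still has at least one
    weakness once the findings in `fixed` (pairs of (host, weakness)) are
    remediated. Returns {host: shortest path from start} for every host the
    attacker can compromise.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in REACHABILITY.get(current, []):
            if nxt in paths:
                continue  # already reached by a path at least as short
            exploitable = {w for w in WEAKNESSES.get(nxt, set())
                           if (nxt, w) not in fixed}
            if not exploitable:
                continue  # reachable on the network, but nothing to exploit
            paths[nxt] = paths[current] + [nxt]
            queue.append(nxt)
    return paths


def so_what(finding, start="internet"):
    """Answer management's "So what?" for one finding: which critical assets
    stop being reachable from `start` if this single finding is fixed."""
    before = set(shortest_attack_paths(start)) & CRITICAL_ASSETS
    after = set(shortest_attack_paths(start, frozenset({finding}))) & CRITICAL_ASSETS
    return sorted(before - after)


def main():
    for host, path in shortest_attack_paths().items():
        print(f"{host:12s} <- {' -> '.join(path)}")
    for host, weaknesses in WEAKNESSES.items():
        for w in sorted(weaknesses):
            protected = so_what((host, w))
            verdict = (f"fixing it protects {protected}" if protected
                       else "no critical asset depends on it")
            print(f"finding ({host}, {w}): {verdict}")


if __name__ == "__main__":
    main()
```

Run as a script, the report shows that the database is reached through the DMZ web server and the jump host, that the hardened application server never becomes a stepping stone, and that the anonymous share on the file server, although a real finding, protects nothing when fixed because no attacker path reaches it. That ordering of findings by reachable impact, rather than by raw severity score, is what a BAS product automates at scale.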
Another interesting evolution of cybersecurity control concerns code review. Plain old black-box pentests turned into white-box assessments, then into code reviews by professionals assisted by tooling: Static Application Security Testing (SAST) solutions such as Coverity, SonarQube and Checkmarx, Software Composition Analysis of third-party dependencies (Snyk is best known for this, and also offers SAST), and Dynamic Application Security Testing (DAST) of the running application; and now bug bounty programmes.
The public and customers no longer trust what *others* have tested: they want to reduce the time it takes to disclose any potential backdoor or vulnerability in the code they use, by having that code exposed publicly. Every component needs to be permanently inspected, including libraries and binaries, at development time, at delivery and in production, even though nothing wrong has been detected yet. Of course, it is somewhat challenging for developers and product managers to change their habits, but poor code quality that gets exploited also has a heavy impact on brand reputation…
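As an added illustration of what the SAST tools mentioned above do at development time (this is example code written for this page, not the output or logic of Coverity, SonarQube, Checkmarx or Snyk), the following Python walks the abstract syntax tree of a source file and reports the classic sinks a reviewer looks for: `eval`/`exec`, `os.system`, `subprocess` calls with `shell=True`, `pickle` deserialization, and string literals assigned to credential-looking names. The sample under review is constructed for the example and its token value is a placeholder, not a real secret; the rule names are assumptions of this example.

```python
import ast

SECRET_WORDS = ("password", "secret", "token", "api_key")

# Constructed sample under review (not code from the page or any real project);
# the token value is a placeholder, not a real credential.
SAMPLE = '''
import os, subprocess, pickle

API_TOKEN = "placeholder-not-a-real-token"

def run(user_input):
    os.system("ls " + user_input)
    subprocess.run(f"grep {user_input} log.txt", shell=True)
    subprocess.run(["grep", user_input, "log.txt"])
    return eval(user_input)

def load(blob):
    return pickle.loads(blob)
'''


def _dotted_name(node):
    """'os.system' for an Attribute chain, 'eval' for a bare Name, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class SinkVisitor(ast.NodeVisitor):
    """Walks the AST and records (line, rule) for each dangerous pattern."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "eval-exec"))
        elif name == "os.system":
            self.findings.append((node.lineno, "os-system"))
        elif name and name.startswith("subprocess."):
            # Only shell=True turns the call into a shell-injection sink; an
            # argv list without a shell is the safe form and is not reported.
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, "subprocess-shell-true"))
        elif name in ("pickle.load", "pickle.loads"):
            self.findings.append((node.lineno, "pickle-load"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal assigned to a name that looks like a credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        word in target.id.lower() for word in SECRET_WORDS):
                    self.findings.append((node.lineno, "hardcoded-secret"))
        self.generic_visit(node)


def scan_source(source):
    """Return the findings for one source file, sorted by line number."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Wired into a CI job that fails the build on any finding, a check like this is the “at development phase” inspection the paragraph above calls for; real SAST products add data-flow analysis so that they can tell which of these sinks are actually reachable from untrusted input, which is what keeps their findings from drowning developers in noise.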
With the emergence of IoT, more and more code will be produced and accessed by an ever-growing number of “users”, so such permanent cybersecurity validation methods will have to grow drastically. So, to conclude: get ready to address their findings!