By Dr Suleyman Ozarslan, Picus Security Co-founder and VP of Picus Labs

Like a short blanket that covers the wearer’s head or feet, but never both at the same time, security teams can only dedicate their time, money, and resources to so many problems at once. The short blanket dilemma is a perennial issue in IT security. Teams deploy their budgets and resources to cover one exposed spot, but this inevitably leaves other areas out in the cold. A perfect example is the choice organizations face between preventing and detecting threats. Unfortunately, it is very rare for organizations to excel at both.

Picus recently conducted an analysis of 14 million cyberattack simulations performed by our platform in the first half of 2023, revealing the extent of this short blanket problem. Our Blue Report highlights four ‘impossible trade-offs’ that hinder organizations’ readiness to defend themselves against the latest threats.

1. Choosing which attacks to prioritize

With unlimited time, resources, and knowledge, security could be an easy job. In reality, however, every security team must choose which attacks to prioritize and which to de-prioritize based on their own time and resource constraints.

Our simulation data shows that, on average, organizations’ security controls (such as next-gen firewalls and intrusion prevention solutions) will prevent 6 out of every 10 attacks. However, some types of attacks are prevented far more effectively than others. For instance, organizations can prevent 73% of malware downloads but only 18% of data exfiltration attacks.

There are also wide variations in organizations’ ability to prevent specific threats. For example, more than a third of organizations can prevent Black Basta and BianLian ransomware attacks but only 17% can prevent Mount Locker. This is despite Mount Locker’s emergence in 2021, long before the other two malware types. It suggests that security teams are having to prioritize and deprioritize their defense against different ransomware groups over time.

2. Choosing which vulnerabilities to remediate

The Blue Report also reveals the limitations of security teams’ approach to managing common vulnerabilities and exposures (CVEs). Some organizations focus on fixing long-standing vulnerabilities first, but others will actively prioritize more recent vulnerabilities over older ones.

Today, the majority of organizations remain exposed to several critical and high-risk CVEs that have been known for years. Some CVEs discovered in 2019 remain a threat to more than 80% of organizations. With limited resources, vulnerability management teams must choose to remediate some CVEs over others – at their peril.

3. Choosing to optimize prevention or detection controls

The data shows that the better an organization is at preventing threats, the weaker it is at detecting them, and vice versa. For instance, globally, healthcare is the least effective sector at preventing attacks but is twice as successful as the average organization when it comes to detecting them. North American organizations are almost twice as successful at preventing attacks as they are at triggering alerts to detect attacks in progress.

Different organizations, sectors, and even regions all have a reason to choose between a prevention or detection-first approach to security. However, the data shows in black and white that most organizations struggle to be proficient at both.

4. Choosing to log or create an alert

Organizations leveraging security information and event management (SIEM) solutions also face decisions about how much to invest in attack detection. In most cases, organizations will prioritize logging over alerting, but do neither very well. Simulation data shows that, on average, organizations log 4 out of 10 attacks but only generate alerts for 2 in 10 attacks.

Faced with a trade-off in time and resources, organizations are prioritizing logging over alerting – but both areas require improvement.

The short blanket problem solved

Since preventing and detecting every threat is practically impossible, security teams will always have to prioritize some aspects of security more than others. It may not be possible to ask the board for a bigger blanket. However, it should be possible to ensure that the blanket is always applied where it is needed most.

The goal for CISOs is to consistently make the best decisions for their organization’s specific needs. They need real-time data to prove where there are gaps in their defenses at any given moment. They need to be honest about which parts of the business are out in the cold, so that they can determine the level of risk they are prepared to accept.

This requires being proactive rather than reactive, and discovering the potential for security incidents before they happen. Indeed, CISOs are increasingly following the principles of continuous threat exposure management (CTEM) to achieve a more holistic view of their risks. By adopting a more unified approach that combines insights from attack simulations with attack surface and vulnerability data, security teams can allocate resources efficiently and effectively to address their most critical exposures. As a result, they can improve their ability to prioritize their attention in the areas that will have the greatest security impact.

The post How a data-driven approach to threat exposure can fix ‘the short blanket problem’ appeared first on Cybersecurity Insiders.

New cloud platform strengthens organizations’ cyber resilience by making real-world threat simulation easier and more accessible

San Francisco, US, 9th November 2022 – Picus Security, the pioneer of Breach and Attack Simulation (BAS), today announced the availability of its next-generation security validation technology. The new Picus Complete Security Validation Platform levels up the company’s attack simulation capabilities to remove barriers to entry for security teams. It enables organizations of any size to automatically validate the performance of security controls, discover high-risk attack paths to critical assets and optimize SOC effectiveness.

“Picus helped create the attack simulation market, and now we’re taking it to the next level,” said H. Alper Memis, Picus Security CEO and Co-Founder. “By pushing the boundaries of automated security validation and making it simpler to perform, our new platform enables organizations even without large in-house security teams to identify and address security gaps continuously.” 

The all-new-and-improved Picus platform extends Picus’s capabilities beyond security control validation to provide a more holistic view of security risks inside and outside corporate networks. It consists of three individually licensable products:

  • Security Control Validation – simulates ransomware and other real-world cyber threats to help measure and optimize the effectiveness of security controls to prevent and detect attacks.
  • Attack Path Validation – assesses an organization’s security posture from an ‘assume breach’ perspective by performing lateral movement and other evasive actions to identify high-risk attack paths to critical systems and users.
  • Detection Rule Validation – analyzes the health and performance of SIEM detection rules to ensure that SOC teams are reliably alerted to threats and can eliminate false positives. 

A global cybersecurity workforce gap of 3.4 million professionals∗ means automated security validation is now essential to reduce manual workloads and help security teams respond to threats sooner. Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) published a joint advisory recommending that organizations test their defenses continually and at scale against the latest techniques used by attackers.

“Insights from point-in-time testing are quickly outdated and do not give security teams a complete view of their security posture,” said Volkan Erturk, Picus Security CTO and Co-Founder. “With the Picus platform, security teams benefit from actionable insights to optimize security effectiveness whenever new threats arise, not once a quarter. With our new capabilities, these insights are now deeper and cover even more aspects of organizations’ controls and critical infrastructure.”

On 15th November 2022, Picus Security is hosting Picus reLoaded, a free virtual event for security professionals who want to learn more about its platform and how to leverage automated security validation. Register to attend and hear from thought leaders from Gartner, Frost & Sullivan, Mastercard, and more.

H. Alper Memis has also published a blog to announce the release to Picus customers.

About Picus Security

Picus Security is the pioneer of Breach and Attack Simulation (BAS). The Picus Complete Security Validation Platform is trusted by leading organizations worldwide to continuously validate security effectiveness and deliver actionable insights to strengthen resilience 24/7.

Picus has offices in North America, Europe and APAC and is supported by a global network of channel and alliance partners.

Picus has been named a ‘Cool Vendor’ by Gartner and is cited by Frost & Sullivan as one of the most innovative players in the BAS market. 

For more information, visit www.picussecurity.com

∗ The (ISC)² Cybersecurity Workforce Study 2022

The post Picus Security brings automated security validation to businesses of all sizes appeared first on Cybersecurity Insiders.