Picus’ client, a subsidiary of a large multinational energy firm, wanted to enhance its cyber readiness to ensure its critical infrastructure is continuously protected against current and emerging threats.
With The Picus Complete Security Control Validation Platform, the company can safely test the strength of its defenses 24/7 and respond rapidly when coverage gaps are identified.
The Challenge
As a large energy firm that is responsible for producing, processing and exporting oil and gas as well as petrol and petrochemical products, Picus’ client is highly aware of the consequences of a cyber attack on its operations and reputation. Providers of critical infrastructure are attractive targets of cybercriminals, including Advanced Persistent Threat (APT) groups. As a result, the company is keen to ensure that it maintains a proactive approach to security at all times.
To safeguard its assets, including specialist industry control systems (ICS) and operational technology (OT), the company uses a broad range of security tools. However, despite commissioning regular penetration testing, its in-house security teams lacked assurance that all deployed network, email and endpoints technologies were functioning as expected. New threats arise on a daily basis and the company is keen to ensure its defenses are working optimally.
Also highly mindful of the need to comply with the latest regulatory standards, the organization’s risk and information security leaders were keen to evidence security effectiveness to business leaders and auditors. However, they lacked up-to-date metrics to be able to do this effectively.
The Solution
After researching the market, Picus’ client identified the need for a Breach and Attack Simulation (BAS) platform to help address its security challenges. The Picus Complete Security Control Validation Platform immediately stood out as the solution capable of meeting its requirements most comprehensively.
By simulating real-world cyber threats, The Picus Platform enables the company to measure the ongoing effectiveness of its security controls and identify improvements.
One of the key features that immediately drew the attention of the company’s security was the extensiveness of Picus’ Threat Library. Researchers at Picus Labs conduct extensive research to ensure that the solution is capable of simulating the latest threats as soon as they emerge. Among the techniques the platform can simulate are those used by APT19, APT33 and Darkside - threat actors known to target organizations in the energy sector.
Another key factor behind the company’s decision to choose The Picus Platform was the mitigation recommendations it provides. This includes vendor-specific insights and prevention engineering content that helps minimize the effort required to keep security controls, including firewalls, web application firewalls, email gateways and EDR tools, optimized.
As a BAS Solution that can be deployed on-premises and in air-gapped networks, The Picus Platform also met the company’s strict technical requirements.
The Results
How The Picus Compete Security Control Validation Platform has helped this global energy company to become more proactive and threat-centric.
Greater threat readiness
The rapidly evolving landscape means that both identifying new threats and taking action to defend against them was a severe time and resource burden for the company’s security team. By simulating the very latest threats, The Picus Platform operationalizes threat intelligence, making it more actionable. When business leaders ask whether the organization is protected against a particular threat, security personnel can now answer with confidence.
Reduced time to mitigate gaps
Prevention engineering to address misconfigured and under-optimized security controls used to be time-consuming. The company's security team now addresses gaps quickly by leveraging the vendor-specific mitigation recommendations provided by The Picus Platform.
No risk of downtime
Unlike penetration testing which can cause accidental downtime, The Picus Platform is safe to run at all times and pose no risk of disruption. This means that Picus’ client can confidently perform ongoing testing in its production environments with confidence.
‘When business leaders ask whether the organization is protected against a particular threat, security personnel can now answer with confidence and evidence.’
Better risk visualization
Using the Picus Platform’s real-time dashboards and executive reports, the company’s security team is able to enhance risk awareness. Automated MITRE ATT&CK Framework helps visualize threat coverage and guides decision making about where to focus mitigation efforts.
More reliable reporting
By generating a security score for each of the company’s controls, as well as a total score to assess the performance of controls collectively, The Picus Platform enables the company’s security leaders to more accurately gauge its current security posture and measure improvements over time.
Enhanced compliance
As a provider of critical infrastructure, the company must comply with a wide range of information and data security standards. The Picus Platform helps prove adherence with the latest government and industry mandates by providing evidence that controls and processes are operationally effective.
Learn more about The Picus Complete Security Control Validation Platform