In today's interconnected world, organizations navigate an increasingly dynamic and complex digital landscape. This ever-changing environment demands a persistent and vigilant approach to security. As the threat landscape constantly evolves with new tactics, techniques, and procedures (TTPs), organizations can't afford to rely solely on traditional assessment methods. The rise of Automated Security Control Assessment (ASCA) solutions addresses this pressing need, providing continuous evaluation of security controls in response to emerging threats. This shift towards automation ensures that organizations remain resilient and proactive in their defense strategies.
This blog delves deep into the nuances of ASCA, offering insights into its importance, functioning, and comparative advantages over traditional techniques.
A Security Control Assessment (SCA) is a systematic cybersecurity process used to evaluate the effectiveness of security controls implemented in an information system to ensure that they are functioning as intended and adequately addressing the security requirements for the system.
A prevalent challenge in an organization's security posture is the underutilization of existing security controls. It's not that the products lack detection or prevention capabilities; rather, human errors or a lack of experience and knowledge often inhibit the full use of a security system's potential. Security control assessments help organizations assess the effectiveness of their security controls, identifying security gaps that need remediation and mitigation.
Figure 1. NGFW Prevention Success Assessed by Picus Complete Security Validation Platform.
For instance, in the figure above, we see that an organization assesses the effectiveness of its two Next-Generation firewalls against specific attack actions. This assessment yielded a 77% success rate. This suggests that it's not the security controls that are malfunctioning, but rather a lack of corresponding prevention signatures for the attack actions.
Automated Security Control Assessment (ASCA) is an advanced security assessment approach that runs automated and non-destructive real-life attack simulations to continuously evaluate the effectiveness of preventative and detection layers of security solutions within an organization's IT infrastructure.
Figure 2. Attack Simulations on Prevention and Detection Layer Security Controls by Picus Security.
Instead of relying solely on traditional vulnerability management practices, automated security control assessment solutions provide real-time insight by automatically running attack simulations against existing security controls. These simulations mimic the tactics, techniques, and procedures (TTPs) of adversaries that mainly target your region or industry, making ASCA an essential tool in today's fast-paced and ever-evolving threat landscape.
This method not only enhances an organization's security posture but also helps in identifying vulnerabilities or inefficiencies in security controls swiftly and efficiently.
In the "Hype Cycle for Security Operations, 2023" report by Gartner [1], there's a clear emphasis on the significance of Automated Security Control Assessment (ASCA) solutions. These technologies are paramount in pinpointing and addressing misconfigurations in security controls, enhancing an organization's security resilience amid a rapidly changing threat environment.
Meeting this essential demand, Picus provides a robust Complete Security Control Validation platform, granting users an advanced automated security control assessment solution with vendor-based mitigation solutions. Emphasizing the continuous evaluation and correction of security controls, Picus is in line with the emphasis Gartner places on ASCA, equipping organizations to not only identify vulnerabilities but also to counteract them proactively.
Among the technology categories covered in Gartner's "Hype Cycle for Security Operations" report, the Picus Complete Security Validation platform offers its customers Breach and Attack Simulation (BAS), Penetration Testing as a Service (PTaaS), Automated Penetration Testing and Red Teaming Technologies, and Automated Security Control Assessment (ASCA).
By integrating automated security control assessment (ASCA) solutions, organizations can stay a step ahead, ensuring that their security measures are always up-to-date and resilient against both known and emerging threats.
In a digital era where threat actors continuously evolve their tactics, techniques, and procedures (TTPs) and introduce new stealthy malware families that bypass traditional or even advanced security controls, the automated security control assessment approach stands out as a proactive solution. It offers timely and effective security assessments backed by a continuously updated threat library, ensuring organizations are always prepared and protected. This allows organizations to act on the gaps in their security posture, with suggested mitigation actions, before adversaries can exploit them.
Automated security control assessment solutions, while valuable, don't replace red teaming practices. Red team exercises inherently embody an attacker-like mindset, adjusting tactics in real-time based on the data gathered, which emulates a genuine threat. However, the strength of automated assessments lies in granting organizations continuous, data-driven insights into their security posture.
Red teaming, while invaluable due to the expertise of red team professionals in offensive security, is often a costly security practice. As a result, it's typically conducted only once or twice a year. The effectiveness of red teaming, therefore, primarily draws from its results, given the investment involved. Red team professionals focus on identifying a singular, impactful attack path to the organization's most precious assets, often overlooking a broad spectrum of endpoints and various security controls. Their primary aim is to determine a path with the maximum impact, even if it means intense efforts on just one route.
Figure 3. Trying to Find the Most Business-Critical Attack Paths Like a Red Team Professional.
While automated security control assessments might not delve deep into an organization with an attacker-centric perspective, like red teaming does, they compensate by offering consistent evaluations. This is crucial because the results of a red team exercise remain relevant only for the duration of the test. With the ever-evolving complexities in IT environments, roles and privileges can become ambiguous over time, potentially introducing new vulnerabilities and reducing an organization's security posture.
Thus, for a truly resilient defense, the continuous assessments offered by automated solutions are essential. While they don't replace red teaming, they certainly complement it, acting as an additional layer of protection.
Automated Security Control Assessment (ASCA) vs. Traditional Assessment Techniques

| Criteria | Automated Security Control Assessment (ASCA) | Red Teaming | Penetration Testing |
| --- | --- | --- | --- |
| Nature | Automated and non-destructive attack simulation using a comprehensive threat library on an identified scope. | Full-scope, real-world attack simulation. | Targeted effort to find and exploit vulnerabilities. |
| Feedback | Provides data-driven visibility on security posture and immediate vendor-based mitigation suggestions. | Strategic feedback on overall organizational readiness. | Technical feedback on specific vulnerabilities. |
| Frequency | Can be continuous or very frequent due to automation. | Often conducted annually or biannually. | Conducted periodically, often quarterly or yearly. |
| Scope | Broad coverage due to a comprehensive threat library. | Broad, encompassing various attack vectors. | Focused on specific systems or applications. |
| Depth | Tests the effectiveness of security controls against various threats. | In-depth, simulating advanced threat actors. | Deep dive within the specified scope. |
| Flexibility | Limited to the threat library, but updated regularly. | Highly adaptive; changes tactics on the fly based on the information gathered during the exercise. | Adaptable based on initial findings. |
| Outcome | Detailed validation report with mitigation steps. | Holistic view of security posture and potential improvements. | Report detailing vulnerabilities and exploitation methods. |
| Human Element | Mostly automated, but allows users to run custom scripting. | Highly human-centric; requires years of specialized expertise. | Requires human expertise for execution and analysis. |
This table provides a clearer understanding of ASCA in the context of security control validation compared to other methodologies.
Why Do You Need an Automated Security Control Assessment Solution?
In today's complex IT environments, the integration of various security products, software, endpoints, and public-facing servers exposes organizations to significant risks. Even IT and security giants aren't immune, frequently discovering vulnerabilities in their products.
Further complicating matters is the overwhelming number of applications on devices. Many organizations, in their rush to stay current, lose sight of their assets and the state of their software—whether patched or vulnerable. The vast array of applications and the different operating system versions make it tough for IT and security teams to keep up. This complexity translates to startling statistics: For Windows 10 endpoints, small companies take an average of 149 days to patch, while larger enterprises can take up to 158 days.
Figure 4. Windows 10 Patch Age by [1]
The repercussions are evident. CISA's joint advisory AA23-215A underlines this, listing the vulnerabilities most routinely exploited in 2022. The advisory shows the bitter truth: all of these vulnerabilities were old, and a patch was available for each of them. Hence, many organizations still run old, unpatched systems, which adversaries readily exploit using publicly available PoCs, some even shared on platforms like YouTube.
We observe that attackers gravitate towards these older vulnerabilities because they offer low-cost, high-reward access to sensitive information. The reasons organizations persist with outdated software range from the lack of a vulnerability management program to simply being unaware of their business-critical risks. Some organizations implement temporary measures such as multi-factor authentication or limiting VPN access, but these are not long-term solutions. Moreover, even when patches are applied, as seen with the CVE-2022-1388 and CVE-2022-22954 vulnerabilities in CISA's advisory, skillful attackers can still find ways around them by reverse engineering the available patches.
The compelling narrative is clear: organizations must employ security assessment solutions to gauge the resilience of their implemented security controls against both old and emerging vulnerabilities.
The outcome of a security control assessment solution remains valid only for the time it's conducted. Given the ever-evolving threat landscape and the dynamic nature of intricate IT environments, organizations need to continuously execute security assessment programs. Since relying solely on human resources for this task is untenable, automation becomes vital both for cost-effectiveness and the success of these assessments.
Utilizing automated security control assessment solutions enables organizations to identify the gaps in their security posture and address vulnerabilities before adversaries can exploit them. Embracing these solutions ensures an improved cyber readiness and security posture, adeptly navigating away from looming threats.
There are five stages to an automated security control assessment program defined as the following.
Figure 5. Life-cycle of an Automated Security Control Assessment Program.
a. Planning and Preparation
Planning and preparation consists of two sub-phases: scope definition and tool selection.
Scope Definition: This process involves accurately pinpointing the system or application's boundaries for assessment. By determining these boundaries, organizations can isolate the areas of focus and better understand the potential vulnerabilities. Furthermore, by defining the security controls for assessment, organizations ensure they're looking at the right protective mechanisms and the risks associated with them.
With the Picus Complete Security Control Validation platform, users can set the parameters of an attack simulation using customized scoping. The platform's custom configuration lets users specify which attack types will be executed against the Picus Agent, which is strategically positioned in the lab environment where the simulation will take place.
Figure 6. Agent Configuration for Scope.
For instance, the figure above indicates that an Agent is configured in a customer environment, and it's only permitted to run a “Network Infiltration Attack”.
Tool Selection: Here, organizations choose the automated tools best suited for their specific assessment needs. Since there's no one-size-fits-all solution in cybersecurity, selecting tools tailored to the specific security controls ensures precision and efficiency. This customization allows for a more targeted approach, enhancing the assessment's accuracy and reducing false positives.
With the Picus Complete Security Control Validation platform, users are freed from researching which automated tools cause the least disruption and provide the best return on investment. The platform itself allows users to continuously run attack simulations selected from the Picus Threat Library, which is constantly updated by our red team engineers through intensive cyber threat intelligence (CTI) research.
For a simpler, more user-friendly experience, the Picus Complete Security Validation platform also provides ready-to-run attack templates, carefully constructed around attack campaigns we are seeing in the wild, for instance in response to the latest CISA alerts. By choosing these templates, users can easily plan and prepare the attacks that are going to be run.
Figure 7. Ready-to-Run Emerging Threats Templates by Picus Complete Security Validation Platform.
Together, these steps ensure that the automated assessment is well-targeted and equipped with the right tools for optimal results.
b. Configuration and Execution
The "Configuration & Execution" phase is pivotal in optimizing and deploying automated security control assessment.
Configuration & Customization: This stage focuses on adjusting the chosen security assessment tools to fit the organization's specific environment. Before diving into assessments, it's essential to ensure that the tools reflect the unique nuances and needs of the system. This customization can include inputting organization-specific security policies, adjusting tool settings, or even creating tailored scripts. The goal is to ensure the output from these tools is accurate, relevant, and actionable for the organization.
With the Picus Complete Security Control Validation platform, users configure their Agents during the scoping stage. However, even after the Agent has been set up, users can reconfigure their agents using a specific protocol and assign new permissions.
Execution: Once the tools have been configured, the next step is to launch the automated assessments. Here, the tools are run to perform their designated tasks: conducting vulnerability scans, checking system configurations, or other assessments tailored to the organization's needs. This proactive approach efficiently identifies potential security lapses, helping organizations maintain a robust defense against cyber threats.
The execution step is akin to conducting an attack simulation using the Picus Complete Security Control Validation platform. At this stage, the selected threats are executed against the pre-configured Agents. If the attacks manage to bypass the in-place security controls, they are deemed successful. Conversely, if attack actions can't reach the Agent, the attack is considered blocked. Furthermore, if an attack is successful, indicating that the preventative controls failed to block it, we then assess how effectively the detection layer products respond to the attack.
c. Data Handling and Analysis
The third phase of an automated security control assessment consists of three sub-phases: data collection, analysis, and prioritization.
Data Collection: This phase involves accumulating the outputs generated from the executed assessments, which can be in the form of logs, detailed reports, and alerts. It's crucial to organize and store this information systematically for a streamlined analysis process.
Figure 9. Integrating SIEM Products to the Automated Security Control Assessment
The core functionality of the Picus Complete Security Control Validation platform is to conduct attack simulations on an organization's established security controls to evaluate their response to an attack. In addition to testing the efficacy of preventative layer solutions, we also assess the responsiveness of the detection layer solutions to attack actions.
For this purpose, the Picus Complete Security Control Validation platform aids customers in integrating their established SIEM solutions. Thus, even if an attack is successful, organizations can be confident that the attack was appropriately logged and alerted. This ensures preparedness for potential real-life attacks in the future, enabling a proper incident handling process.
Analysis: Here, experts delve into the collected data to interpret and decipher the results. By understanding the vulnerabilities, configuration gaps, and anomalies, organizations can derive meaningful insights on potential weak points in their infrastructure. Proper analysis aids in comprehending the nature and severity of these vulnerabilities.
Figure 10. Analyzing the Results of an Attack Simulation with Picus Complete Security Control Validation Platform.
For instance, in the example above we observe that for one of the high-critical threats under simulation, even though the attack wasn't blocked, two of the SIEM integrations successfully logged it.
Prioritization: Given that not all vulnerabilities possess the same threat level, this stage is about ranking them based on their potential impact and associated risk. Factors like exploitability, data sensitivity, and system criticality are considered, ensuring that the most pressing issues get addressed first, optimizing the use of resources in mitigation efforts.
This step is especially crucial since human resources are among the most valuable and costly assets for organizations. To use them effectively, it's essential to prioritize the identified security gaps and vulnerabilities based on their impact on business-critical operations.
Figure 11. High-Critical Threat Result of an Arbitrary Attack Simulation
d. Recommendation and Remediation
The fourth phase of the automated security control assessment process covers recommendation and reporting, followed by remediation actions based on the prioritized business-critical risks.
Recommendation & Reporting: After analyzing the data, the next step is to create a structured documentation of the findings. This includes detailing the vulnerabilities and anomalies found, and providing potential solutions to mitigate them. The report often acts as a roadmap, guiding teams on where and how to focus their mitigation efforts.
Remediation: Based on the recommendations provided, this phase involves the actual implementation of solutions to address and rectify the identified vulnerabilities and issues. Remediation can range from patching software to reconfiguring system settings or even implementing new security controls, ensuring the organization's infrastructure becomes more secure and resilient against potential threats.
Figure 12. Vendor-based Prevention Signatures for Various Vendors by Picus Complete Security Control Validation Platform
After a simulation is completed, the Picus Complete Security Validation platform provides a comprehensive report pointing out the gaps in both the prevention and detection layer solutions. For unblocked attack actions, our Mitigation Library provides the corresponding vendor-based prevention signatures, carefully collected and written by our dedicated blue team engineers.
e. Review and Continuous Monitoring
The final stage consists of verifying that the identified vulnerabilities have been addressed, followed by continuous monitoring.
Verification: Once solutions have been implemented, it's essential to re-assess the environment to ensure that the vulnerabilities have been effectively addressed. This step isn't just about checking previous issues but also ensuring that no new vulnerabilities were introduced during the remediation process. By doing so, organizations can be confident in the efficacy of their security adjustments.
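As an added example (not Picus code), the toy model below shows how the outcome rules from the execution step, the SIEM-based detection check and prioritization from the data handling phase, and the verification re-run described above can be expressed over a set of simulation results. The result records, SIEM names, threat labels, severity scale and scoring formula are all constructed assumptions.

```python
"""Toy model of ASCA result handling (added example, not Picus code): grade each
simulated action, score both layers, rank gaps, and diff a verification re-run."""
from dataclasses import dataclass, replace

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale

@dataclass(frozen=True)
class Result:
    threat: str                          # label of the simulated attack action
    severity: str                        # severity assigned to the threat
    blocked: bool                        # prevention layer stopped it before the Agent
    logged_by: frozenset = frozenset()   # SIEM integrations that logged the action
    alerted_by: frozenset = frozenset()  # SIEM integrations that raised an alert
    asset_criticality: int = 1           # 1 (low) .. 3 (business-critical)

def outcome(r: Result) -> str:
    """Blocked = never reached the Agent; otherwise grade what detection saw."""
    if r.blocked:
        return "blocked"
    if r.alerted_by:
        return "unblocked_alerted"
    if r.logged_by:
        return "unblocked_logged"
    return "unblocked_undetected"

def prevention_rate(results) -> float:
    """Share of attack actions the prevention layer blocked (the Figure 1 metric)."""
    return 100.0 * sum(r.blocked for r in results) / len(results)

def detection_rate(results) -> float:
    """Detection is only measurable on actions that got past prevention."""
    passed = [r for r in results if not r.blocked]
    if not passed:
        return 100.0
    return 100.0 * sum(bool(r.logged_by) for r in passed) / len(passed)

def risk_score(r: Result) -> int:
    """Severity x asset criticality, doubled when no control logged the action."""
    base = SEVERITY[r.severity] * r.asset_criticality
    return base * 2 if outcome(r) == "unblocked_undetected" else base

def prioritize(results) -> list:
    """Unblocked actions, highest risk first: the order remediation should follow."""
    gaps = [r for r in results if not r.blocked]
    return [r.threat for r in sorted(gaps, key=risk_score, reverse=True)]

def compare_runs(baseline, rerun) -> dict:
    """Verification: which gaps closed, which persist, and what regressed."""
    before = {r.threat: r.blocked for r in baseline}
    after = {r.threat: r.blocked for r in rerun}
    common = before.keys() & after.keys()
    return {
        "fixed": sorted(t for t in common if not before[t] and after[t]),
        "regressed": sorted(t for t in common if before[t] and not after[t]),
        "persisting": sorted(t for t in common if not before[t] and not after[t]),
    }

# Constructed sample run: four actions, one blocked, three that reached the Agent.
BASELINE = [
    Result("Credential dumping", "critical", False, frozenset({"SIEM-A", "SIEM-B"}),
           frozenset({"SIEM-A"}), asset_criticality=3),
    Result("Web shell upload", "high", False, asset_criticality=3),
    Result("Network infiltration", "high", True, asset_criticality=2),
    Result("TLS downgrade", "medium", False, frozenset({"SIEM-A"}), asset_criticality=1),
]
# Constructed re-run: two gaps fixed, but a control change let network infiltration through.
FLIPPED = {"Web shell upload", "TLS downgrade", "Network infiltration"}
RERUN = [replace(r, blocked=not r.blocked) if r.threat in FLIPPED else r for r in BASELINE]
```

Calling prevention_rate and detection_rate on BASELINE gives the two layer scores (25% and about 67%), and compare_runs(BASELINE, RERUN) reports one regression alongside the two fixes, which is exactly the case the verification step exists to catch.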
Continuous Monitoring: Cyber threats are continuously evolving, and new vulnerabilities can emerge at any time. Hence, it's pivotal for organizations to routinely conduct automated assessments. This continuous monitoring approach aids in real-time vulnerability detection, ensuring that security teams can promptly address and mitigate emerging threats, keeping the environment secure and updated against the ever-changing threat landscape.
The efficacy of Automated Security Control Assessment solutions in detecting zero-day vulnerabilities hinges on the presence and maintenance of an updated threat library. When a zero-day vulnerability emerges and a proof of concept is made available online, the red team engineers maintaining the threat library swing into action, crafting a threat that mirrors the exploitation behavior specific to that zero-day vulnerability.
With a promptly updated library, organizations are empowered to run these exploitation attack simulations. This proactive approach allows them to gauge their vulnerability and assess if they are susceptible to potential real-world attacks stemming from that zero-day flaw.
The Picus Complete Security Control Validation platform stands out in this regard: it boasts a comprehensive library maintained by dedicated red team engineers. With their swift response time and ongoing commitment to staying abreast of emerging threats, organizations using Picus are better positioned to safeguard themselves against evolving vulnerabilities.