Cloud computing and other advances have introduced flexibility and dynamism into information technology that would have stretched the imagination even a generation ago. Yet this progress comes with a price: When your computer systems are rapidly changing, they become that much more vulnerable to attackers. Each new change can create fresh vulnerabilities to be exploited.
I know what you're thinking: That's why we have an army of highly skilled defenders, including cybersecurity penetration testers. And there is truth in that: Penetration tests and red team exercises have long played an indispensable role in securing computer systems and the "crown jewel" assets organizations must protect at all costs.
Yet manual testing isn't perfect. In fact, it carries some very real limitations -- and those limitations have never been more exposed, thanks to the dynamic nature of modern computer systems.
Fortunately, we have an obvious solution to this problem: The use of automated security testing.
How automated tools shine a light on manual pen test blind spots
Manual pen tests are valuable because of their scope and rigor. They have a tremendous capacity to root out complex attack vectors and expose the kind of vulnerabilities that are simply beyond traditional scanning. It can provide a clear roadmap for addressing these problems and developing a more resilient security posture.
Yet manual tests are only often staged once every quarter or once every year. Organizing and coordinating these tests is no small task and only the most well-resourced organizations can afford to run them with great regularity.
The result of this periodic application of testing? Lots of blind spots. Organizations are left in the dark during periods between testing. Compounding the problem, reports generated by third-party manual pen testers often lag the actual tests by weeks, making the information long out of date.
While these blind spots can create significant jeopardy by endangering critical assets, introducing automation into the mix can solve the problem of point-in-time coverage. With enterprise IT configurations in a persistent state of flux, it's become imperative to make testing forward-looking, rather than backward-looking.
Let's take a closer look at some examples of how this is accomplished via automated security testing.
Forms of automated security testing
Traditional vulnerability scanning
These tools play an important role in assessing risk across just about any component of an IT system by scanning for known vulnerabilities across a cross-referenced database. It's fast, efficient and relatively inexpensive. However, it's not perfect. Conventional vulnerability scanning discovers problems, but it doesn't take the next step and exploit those security gaps to map out the possible damage that could occur. These tools are also can create false positives or a flood of low priority vulnerabilities without an attached exploit.
Bug bounty programs
If you want to uncover gaps in your security, paying white hat hackers to do so is one option. This can be thought of as a more casual or decentralized take on red team exercises, and it's a useful tool for those seeking to take the measure of their security environment through the eyes of outsiders.
Breach and attack simulation (BAS) platforms
We just mentioned the benefit of gaining the perspective of an outsider. When you can see through the eyes of a potential attacker, it opens a valuable new perspective. Breach and attack simulation platforms allow organizations to adopt this perspective by launching continuous attack simulations against security environments with no risk to production. These tools take the power of automated vulnerability scanning and extend it by adding the "exploit and remediate" element offered by manual pen-testers or purple teams. In this way, BAS platforms can be said to merge aspects of manual and automated testing, building on the strengths of both approaches while avoiding their innate limitations.
The benefits of integrating automation
Now that we've covered some of the more common varieties of automated testing and how they differ, let's discuss the specific advantages this approach offers:
When done properly, automated testing allows you to root out vulnerabilities and/or simulate the real methods and attack paths adversaries will use to target your systems. You can do this in a way that eliminates the blind spots that arise from episodic manual testing, which offers a point-in-time snapshot.
This form of forward-looking, continuous coverage is perfectly suited for today's IT environments, where the only thing that's constant is change. If you take a purely static or manual approach, you are simply out of step with the real conditions at play.
Automated testing tools can also help address existing problems in the fastest manner possible. Instead of waiting for a manual pen tester to issue a report (containing information that may be seriously outdated), BAS platforms offer immediate prioritized guidance for remediation and mitigation.
While these benefits are certainly profound, this doesn't mean that manual and automated testing need to be mutually exclusive. The two approaches can complement each other to form a highly rigorous and comprehensive approach to vulnerability and risk assessment. The right human team can offer an invaluable perspective -- it just needs to be supported with the power of automation and continuous monitoring.
In today's world, one seemingly trivial change can unleash a gaping vulnerability that leads to a critical data breach -- and extraordinary financial or reputational damage. The best tool we have for avoiding this scenario is the power of automated testing. No other approach can eliminate blind spots and offer ongoing visibility into the state of organizational security -- a significantly lower your odds of being the victim of an enterprising attacker.
Shahar Solomon is a Customer Operations Manager at XM Cyber