There are multiple reasons why an organization fails a penetration test (a simulated attack on an organization’s computer systems to check for security gaps and vulnerabilities), and some are scarier than others:
- No one cared about the actual pentest in the past; it was just a formality for compliance purposes
- Little to no budget had been allocated for additional security capabilities
- There are no dedicated security resources to help implement detection tools
- There is a lack of expertise to know where to focus efforts to improve detection capabilities
Organizations have been failing pentests for years with only incremental improvements or, in some cases, little to no change in detection capabilities. So what’s changing now?
After a failed pentest, one organization admitted that it had perceived SIEM (security information and event management) systems as far too difficult to implement and manage, so historically it had taken no action afterwards.
Executives are taking security more seriously. They are hearing the horror stories of the impact of ransomware when their peers at other organizations get hit. Their boards are asking them how they are prioritizing security as part of their business continuity plans. It’s becoming clear that any business, regardless of size or industry, has to step up and take security seriously.
So I failed my pentest, what should I do now?
With the dwell time of attacks increasing to 280 days in 2020 (Ponemon/IBM), it’s key to have detection capabilities for the most common techniques and tactics used by attackers looking to get a foothold in your environment. The challenge is that most solutions require expertise and an extensive project that needs ongoing care and feeding. These solutions were designed for large enterprise organizations with a dedicated security operations center (SOC) with 10+ dedicated security experts, a team most organizations could only dream of and would never be able to afford.
The reality is that the industry needs simple, easy-to-use detection capabilities that can be deployed and administered in hours with only basic IT skills, in order to close the detection gaps present in most organizations. Organizations need visibility into the top techniques and tactics used, and they need to worry less about the zero-day advanced persistent threats (APTs) that are out of their control. They need to focus on getting the basics right to prevent, detect and respond to the most common attacks, and they need to do it immediately.
Working with several organizations recently after their failed pentests, Blumira was engaged to provide security coverage that would detect an attacker across multi-cloud environments. Customers now face the challenge of protecting both their on-premises and cloud environments, including highly targeted applications such as Office 365, Microsoft Azure, Google for Workplace, Okta and more.
Within hours of engaging Blumira, these customers had the broad detection coverage needed to detect common techniques and tactics across their multi-cloud environments. After the implementation, the results demonstrated the ability to quickly detect the pentester: Blumira’s platform caught a large majority of the attacker techniques and tactics used, giving the customer a way to detect and respond to the simulated pentester attacks.
Looking at some of the more common threats, ransomware is a prime example of the many techniques and tactics an attacker uses. Ransomware is all about leveraging easily accessible techniques and tactics to gain a quick foothold and deploy. Attackers commonly look for externally exposed RDP/SMB on Windows servers and out-of-date hosts that can be compromised using publicly available exploits, and then begin moving laterally across an organization’s environment. They may also use password spraying to gain access to remote access services or hosts within the environment.
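Password spraying is one of the techniques named above that basic log-based detection can catch early, because its shape in an authentication log is distinctive: one source address, many different usernames failing, only a handful of attempts per username, all within a short window (a brute force, by contrast, hammers one username). The following is an added example written for this post, not Blumira's product code or the original article's; the log line format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Detecting password spraying in authentication logs (added example).

A password spray tries one or two common passwords against many accounts
from one source, so the signal is: one source address, many distinct
usernames failing, only a few attempts per username, all inside a short
window. A brute force looks different: one username, many failures. The
log format and sample lines below are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> <user> <source_ip> <SUCCESS|FAILURE>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample log: 203.0.113.7 sprays six accounts in about a minute and
# then logs in as one of them; 10.0.0.5 is a real user mistyping a password.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 203.0.113.7 FAILURE
2024-05-01T09:00:09 bob 203.0.113.7 FAILURE
2024-05-01T09:00:15 bob 10.0.0.5 FAILURE
2024-05-01T09:00:20 carol 203.0.113.7 FAILURE
2024-05-01T09:00:31 dave 203.0.113.7 FAILURE
2024-05-01T09:00:40 bob 10.0.0.5 FAILURE
2024-05-01T09:00:44 erin 203.0.113.7 FAILURE
2024-05-01T09:00:55 bob 10.0.0.5 SUCCESS
2024-05-01T09:01:02 frank 203.0.113.7 FAILURE
2024-05-01T09:02:30 frank 203.0.113.7 SUCCESS
this line is malformed and must be skipped
"""


def parse(text):
    """Parse log text into event dicts (sorted by time), skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not crash the detector
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "src": m["src"], "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=3):
    """Return one alert per source that fails against >= min_users distinct
    accounts inside `window`, with no single account tried more than
    max_per_user times (that shape separates a spray from a brute force).
    The alert is escalated to high severity if the same source later
    succeeds against any account, i.e. the spray found a weak password."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until fails[start:end+1] spans <= `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                first_fail = fails[start]["ts"]
                # Collect every account this source touched within one window of the trigger.
                span = [f for f in fails if first_fail <= f["ts"] <= first_fail + window]
                later_success = sorted(
                    e["user"] for e in events
                    if e["src"] == src and e["result"] == "SUCCESS" and e["ts"] >= first_fail)
                alerts.append({
                    "src": src,
                    "users_targeted": sorted({f["user"] for f in span}),
                    "window_start": first_fail.isoformat(),
                    "severity": "high" if later_success else "medium",
                    "compromised_accounts": later_success,
                })
                break  # one alert per source; a production pipeline would dedupe over time
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the detector raises a single high-severity alert for 203.0.113.7 naming all six targeted accounts and flagging `frank` as the account whose password was found, while the legitimate user on 10.0.0.5 who mistyped a password twice produces nothing. The `max_per_user` ceiling is what keeps a brute force against one account from being mislabelled a spray; that pattern deserves its own rule with its own threshold.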
By deploying Blumira, a customer is able to detect these techniques and tactics and respond early in a ransomware attack, which can prevent ransomware from ever being deployed in their environment. Ultimately, this visibility provides early detection that not only reduces risk but demonstrates the ability to stop an attacker, which is exactly the intention of the pentest.