By Tamir Shriki, Customer Operations Manager, XM Cyber
In the context of cybersecurity, if you want to protect something, you need the ability to test its defenses. It’s the only way to maintain visibility into the true state of your security posture.
The key question, however, is this: How does one get the best and most comprehensive test results? Poor testing may offer little more protection than no testing at all.
For most organizations, it boils down to two choices: Manual tests and automated tests. The former is conducted by people, and the latter by machines. Both have their relative strengths, and both can work together to create a sum that is greater than its individual parts.
How Manual and Automated Tests Differ
Manual security tests often take the form of red team exercises or penetration tests. Let’s take a closer look at these two concepts:
- Penetration tests are designed to uncover any and all vulnerabilities and configuration issues within a computer system. While a vulnerability test or assessment simply identifies security gaps, penetration tests go a step further and exploit these newfound vulnerabilities to discover the full range of impact a breach could have on the system or organization.
- Red team exercises are similar in nature but go beyond the scope of a penetration test. During these exercises, a red team of security professionals (acting much like ethical hackers) will attempt to penetrate a computer system and exploit any vulnerabilities they find. The red team often faces off against the second team of security professionals (dubbed the “blue team”) who are tasked with countering the red team and protecting the security environment. Red team exercises often last longer and are greater in scope than penetration tests, with red team members employing social engineering and other techniques to mimic advanced adversaries.
Following manual testing, reports are compiled and detailed remediation or mitigation guidance may be offered.
Automated testing, on the other hand, is typically done with a wide range of tools and applications. Let’s take a minute to review two of the most common: Vulnerability scanners and breach and attack simulation platforms.
- Vulnerability scanners are a widely used tool that helps identify and classify security gaps within a network, application, equipment, etc. These automated tools can be run quickly and efficiently to spot vulnerabilities that match those listed within its database.
- Breach and attack simulation (BAS) platforms also identify vulnerabilities but take things a step further by also exploiting the vulnerabilities they find (with no impact to production) to fully understand the risk these vulnerabilities pose. A BAS platform acts much like an automated red team, launching continuous simulated attacks and providing prioritized remediation guidance once security issues are identified.
Is One Approach Superior to the Other?
Manual and automated testing are not in opposition and often work well together. Each approach described above does have its own characteristics that may or may not make it the right fit for each environment, however.
Penetration tests and red team exercises go well beyond the scope and mandate of a conventional vulnerability scanner. These manual tests, which may be staged over weeks and include top-level cybersecurity talent, are typically much more rigorous and more likely to uncover vulnerabilities that are not widely known or cataloged. In addition to detecting a much narrower range of vulnerabilities and offering a much more limited window into the current security posture, a vulnerability scanner will often return many false positives — contributing to a phenomenon called alert fatigue, which is one of the more common reasons why breaches succeed.
There is, however, one significant edge a scanner possesses: It’s automated and costs little in the way of resources, relatively speaking. As vigorous and in-depth as a good pen test or red team exercise may be, it is also time-consuming and expensive. Most organizations can only afford to stage them quarterly or yearly. This creates a problem, as any changes that occur during the periods between manual tests can create new vulnerabilities. Because manual tests are a snapshot of a point-in-time, they are inherently unable to provide ongoing visibility into the strength of one’s security posture.
One solution to this problem is to merge person and machine, using scanners to augment pen tests and provide coverage during periods between manual testing. Doing so can help overcome the innate limitations of both approaches. However, the aforementioned BAS platforms also provide an elegant solution to this longstanding problem.
That’s because BAS platforms offer the best elements of both approaches: The precision and depth of a manual pen test combined with the continuous coverage of a vulnerability scanner. By constantly probing for new threats (based on the world’s most comprehensive threat directory, MITRE ATT&CK), and simulating the most likely techniques and attack paths used by adversaries, an advanced BAS platform acts a permanent, hyper-vigilant red team — one that never needs a day off or takes a break.
Manual and automated testing differ in many key respects, yet they both can work together effectively to ensure that an organization’s security posture is sufficiently robust. By incorporating advanced vulnerability scanning — and cutting-edge new solutions such as BAS platforms — organizations no longer have to make compromises. Instead of opting for deep but infrequent coverage (manual tests) or shallow but continuous coverage (conventional automated scanning), it’s possible to have the best of both worlds — and enjoy the peace of mind afforded by thorough and ongoing security testing.
About the Author
Tamir Shriki is a Customer Operations Manager at XM Cyber. Tamir has held various positions in the cybersecurity industry and managed major customer escalations. He has a strong background in network security, virtualization, AV, IPS, sandboxing, BYOD, mobile access technologies, and encrypted communication protocols.