In 1819 Washington Irving penned a story of a man named Rip Van Winkle, who, after drinking some liquor offered by some mysterious men, falls asleep for 20 years. When he wakes up, he finds his musket rusted out and he has a long gray beard. He returns to town not recognizing anyone, and learns that he has slept through the American Revolution. The picture of King George III in his pub has been replaced by one of George Washington.
I’ve been working in information security for around 20 years. If I had fallen asleep 20 years ago and woken up today with a rusted-out Motorola StarTAC phone and a hipster beard, the world would be very different. I would, however, be very comfortable doing security assessments: there is very little difference between how security audits and assessments are done today and how they were done back then. What other business process in any industry has stood still for 20 years? Would you go to a hospital that had the same diagnostic capability it had 20 years ago?
Now, keeping the status quo might be fine if we were able to say we’re doing a pretty good job in information security. But I don’t think anyone thinks we’re doing a very good job at it right now. I also don’t think anyone would say that the cyber threat hasn’t changed much in the last 20 years.
Organizations spend around $22 billion per year on security consulting services, and we’re getting basically the same product we did 20 years ago. Meanwhile, today’s threats are far more sophisticated. Almost a third of security consulting spending goes to the Big 4 accounting firms. We audit security controls the way we audit financial controls, but the two aren’t comparable at all: a financial control either exists and is followed or it isn’t, whereas a security control has to hold up against an adversary who is actively working around it. We perform compliance activities (SOX, HIPAA, NIST frameworks, etc.) and pretend we are evaluating security posture.
Scott Galloway, a professor of marketing at New York University, said, “COVID-19 is really more of an accelerant than it is a change agent, and that is, the future’s just happening, playing out the same way; it’s just being pulled forward faster…” Traditional security audits and assessments via control catalogs and “maturity levels” have been slowly on their way out, but their demise is accelerating as their cost/benefit cannot be justified in the current economic environment. That is one reason why non-traditional players like cyber insurance companies and even Mastercard are getting into the security consulting game by leading with risk-focused vs. compliance-focused services.
The key limitation of a controls-based assessment approach is that while you can verify a control is in place, you can’t necessarily tell whether it is effective, and the only way to find out is to exercise the control against a realistic attack. The way to really test a missile defense system is to fire a missile at it and see whether it intercepts the target.
Fortunately, there is now a way to test controls consistently and in an automated way. MITRE ATT&CK is a knowledge base of adversary tactics and techniques built from observations of real-world intrusions, and it is open and freely available to everyone. ATT&CK itself is the catalog of techniques; the testing is done by emulating those techniques in your environment and observing whether your controls prevent or detect each one. It is a simple concept with very big advantages. First, you can tailor your assessments directly to the techniques attackers actually use. Contrast that with the traditional assessment: take a generic control catalog and check off whether each control is implemented. Assessments based on MITRE ATT&CK tell you whether your controls are effective, not merely whether they exist. For the security consulting industry that is, unfortunately, a revolutionary concept.
MITRE ATT&CK facilitates continuous, automated security audits and assessments tailored to the specific threats in your industry. Because the technique tests can be automated, the results are quantitative and repeatable, and the automation makes them less expensive than labor-intensive controls assessments.
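To make the difference between "control in place" and "control effective" concrete, here is an added example (not from the original post or from MITRE) of how the results of an ATT&CK-based assessment can be scored. It takes a threat profile (technique IDs mapped to the tactic they are exercised under), the controls an auditor would tick off as implemented, and the observed outcome of emulating each technique, and reports effective coverage per tactic, the "paper controls" that are implemented on paper but did not stop or alert on the technique, and the techniques that were never tested. The organisation, control names and emulation outcomes are constructed for the example; the technique IDs are real ATT&CK identifiers but the tactic mapping should be verified against the current matrix.

```python
"""Scoring an ATT&CK-based assessment: claimed control coverage versus the
observed outcome of emulated techniques. Added example; all data is constructed."""
from dataclasses import dataclass
from enum import Enum
import re

# ATT&CK technique IDs look like T1059 or, for a sub-technique, T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


class Outcome(Enum):
    PREVENTED = "prevented"   # the technique did not execute
    DETECTED = "detected"     # it executed, and an alert was raised
    LOGGED = "logged"         # telemetry exists, but nobody was alerted
    MISSED = "missed"         # executed with no trace at all


# Only prevention or an actual alert counts as the control being effective.
EFFECTIVE = {Outcome.PREVENTED, Outcome.DETECTED}


@dataclass(frozen=True)
class Control:
    name: str
    implemented: bool
    claims: frozenset          # technique IDs the control is said to address


@dataclass(frozen=True)
class Report:
    coverage_by_tactic: dict   # tactic -> (effective count, techniques in profile)
    paper_controls: dict       # technique -> implemented controls that claimed it but were ineffective
    untested: frozenset        # techniques in the profile with no emulation result


def assess(profile, controls, results):
    """profile: technique -> tactic; results: technique -> Outcome."""
    for tid in set(profile) | set(results):
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"not an ATT&CK technique ID: {tid!r}")

    # The controls-based view: which techniques are "covered" by an implemented control.
    claimed = {}
    for c in controls:
        if c.implemented:
            for tid in c.claims:
                claimed.setdefault(tid, []).append(c.name)

    by_tactic, paper, untested = {}, {}, set()
    for tid, tactic in profile.items():
        eff, total = by_tactic.get(tactic, (0, 0))
        outcome = results.get(tid)
        if outcome is None:
            untested.add(tid)
            by_tactic[tactic] = (eff, total + 1)
            continue
        effective = outcome in EFFECTIVE
        by_tactic[tactic] = (eff + effective, total + 1)
        # Claimed by an implemented control, yet the emulation got through: a paper control.
        if not effective and tid in claimed:
            paper[tid] = sorted(claimed[tid])
    return Report(by_tactic, paper, frozenset(untested))


def coverage_percent(report):
    """Effective coverage over the techniques that were actually tested."""
    eff = sum(e for e, _ in report.coverage_by_tactic.values())
    tested = sum(t for _, t in report.coverage_by_tactic.values()) - len(report.untested)
    return round(100 * eff / tested, 1) if tested else 0.0


# Constructed threat profile for a hypothetical organisation (technique -> tactic exercised).
PROFILE = {
    "T1566.001": "Initial Access",     # Phishing: Spearphishing Attachment
    "T1059.001": "Execution",          # Command and Scripting Interpreter: PowerShell
    "T1047": "Execution",              # Windows Management Instrumentation
    "T1003.001": "Credential Access",  # OS Credential Dumping: LSASS Memory
    "T1021.001": "Lateral Movement",   # Remote Services: Remote Desktop Protocol
    "T1486": "Impact",                 # Data Encrypted for Impact
}

# Constructed control catalog: what a checklist audit would mark as in place.
CONTROLS = [
    Control("Email gateway", True, frozenset({"T1566.001"})),
    Control("EDR agent", True, frozenset({"T1059.001", "T1047", "T1003.001"})),
    Control("Network segmentation", True, frozenset({"T1021.001"})),
    Control("Offline backups", False, frozenset({"T1486"})),
]

# Constructed emulation results: what actually happened when each technique was run.
RESULTS = {
    "T1566.001": Outcome.PREVENTED,
    "T1059.001": Outcome.DETECTED,
    "T1047": Outcome.LOGGED,           # EDR recorded it but never alerted
    "T1003.001": Outcome.MISSED,
    "T1021.001": Outcome.DETECTED,
    # T1486 was not exercised in this run
}

if __name__ == "__main__":
    r = assess(PROFILE, CONTROLS, RESULTS)
    for tactic, (eff, total) in sorted(r.coverage_by_tactic.items()):
        print(f"{tactic:18} {eff}/{total} effective")
    print("paper controls:", r.paper_controls)
    print("untested:", sorted(r.untested))
    print("effective coverage:", coverage_percent(r), "%")
```

On the constructed data the EDR agent is "implemented" and would pass a checklist audit, yet two of the three techniques it claims to address (T1047 and T1003.001) run without an alert, which is exactly the gap a controls-based assessment cannot see. Because the inputs are explicit and the scoring is deterministic, the same emulation run re-scored tomorrow gives the same numbers, which is what makes the result repeatable and trendable over time.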
It’s time to get out of the dark ages and adopt security audits and assessments that really provide insight into security program effectiveness.