Understanding the exploitable attack surface

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 28 Apr 2022
Oren Kaplan, Pentera.

2021 was a record year for newly-discovered common vulnerabilities and exposures (CVEs) – to be precise, 20 137 new vulnerabilities were identified, topping the 2020 record of 18 325.

This makes the defender’s job even more difficult and leads to burnout among cyber security professionals.

So says Oren Kaplan, senior director of sales for MEA & APAC at Pentera, who will be presenting on “Four steps to knowing your exploitable attack surface”, at the ITWeb Security Summit 2022, to be held at the Sandton Convention Centre from 31 May to 2 June, and at Century City in Cape Town on 6 June.

“Traditional validation practices such as manual penetration testing and vulnerability management don’t align with the dynamic nature and sophistication of today’s threat landscape,” he says.

Enterprises need an automated approach to testing all aspects of the attack surface and all layers of the information security defences. The modern approach distills the risk-bearing vulnerabilities the organisation faces, allowing for optimal use of remediation resources.

Kaplan says it’s clear that the security industry is no longer willing to compromise security readiness for assumptions and is shifting to a continuous exploit-centric approach based on attack-based validation of security posture.

True security risk

The question that needs answering, he says, is whether you know your organisation’s true security risk at any given time.

“Do you know where the organisation’s weakest links are so they can be remediated or mitigated before an attacker leverages them towards an attack?”

Security validation needs to be as dynamic as the attack surface itself, he urges. Periodic and manual tests are no longer enough to challenge the changes that businesses undergo. Security teams need to have an on-demand view of their assets and exposures, and the only way to get there is by automating testing.

“The growth in digitalisation and cloud adoption, remote work, ransomware threats, and recently the Log4Shell vulnerability are just a few examples of how important continuous validation is for security teams to properly defend their organisations,” Kaplan explains.

Automated security validation

During his talk, Kaplan will explore a new approach to understanding the organisational attack surface. 

He will cover how to gain the adversarial perspective of the attack surface, how to enable a full scope of potential attacks, as well as the importance of incorporating automation in security. 

Finally, he will discuss how to align validation methods to MITRE ATT&CK and OWASP Top Ten.

“The revolution of automated security validation is an advanced approach to testing the integrity of all cybersecurity layers, combining continuous coverage and risk prioritisation for effective mitigation of security gaps.”

Kaplan adds that Pentera has over 500 customers globally, including quite a few customers in SA, Nigeria and Zimbabwe, and now has a local team to expand its presence in the region.

Delegates will have the opportunity to see Pentera in action during the summit at the company’s booth, and interact directly with its expert red team to better understand the best practices of continuous security validation and how it can help to improve security readiness against the latest threats and attack techniques.
