A Call for Tangible Outcomes
In the wake of faltering defenses and escalating threats, change is no longer an option but an inevitability. Michael Levin, a trailblazer in Security Design and Innovation at the U.S. Department of Health and Human Services, advocates for a new epoch. It’s not about ticking checkboxes for safety but pursuing measurable security performance data. “How can I be safe?” echoes louder than the outdated notion of “I did all you told me to, so I’m secure,” he asserts.
In lockstep with Levin’s views, recent years have introduced a breadth of new standards spanning a wide range of global regulatory entities, with automated testing, penetration testing, and 24-hour breach notifications standing as common denominators across many of the mandates. The catalyst for this transformation stems from pivotal breaches, such as the watershed 2015 medical data breach of Anthem Inc., now Elevance Health, which affected nearly 78.8 million individuals. This catastrophe triggered a global regulatory overhaul, birthing a new era that emphasizes evidence and outcome-based security methods.
Penetration testing is an excellent starting point in implementing recent outcomes-based methods of cybersecurity due to its ability to provide tangible results and drive actual outcomes. This proactive approach allows organizations to simulate real-world cyber assaults, identifying vulnerabilities and fortifying systems, networks, and applications. It transcends theoretical vulnerabilities, providing tangible evidence of security measures’ effectiveness and enabling focused enhancements.
Momentum in the Regulatory Landscape
The seeds of this revolution were sown in 2014 when the Bank of England introduced “CBEST,” revolutionizing the British financial sector with its intelligence-led assessment framework. This groundbreaking approach mirrors cyber attackers’ strategies, setting a precedent for subsequent regulatory actions emphasizing security testing and collaboration.
From the vibrant hubs of finance in Hong Kong to the tech-savvy landscapes of Singapore and the intricate systems of Saudi Arabia, the domino effect has spread. In 2016, the Hong Kong Monetary Authority recommended intelligence-led cyberattack simulation testing in production, followed by the Singapore Banking Association recommending frequent attack simulations using adversarial tactics, techniques, and procedures for the Singaporean financial sector in 2018. The Saudi Arabian Monetary Authority (SAMA) took similar strides in intelligence-based testing in 2019, outlining ethical red teaming recommendations for financial institutions. These regions have adopted intelligence-led cyberattack simulation testing, aligning with a global move toward fortified cybersecurity.
Global Adoption of Evidence-Based Security Approaches
Considering the volatility and exponential sophistication of cyber threats, turning recommendations into actions and measurable goals tends to be a slow crawl in the regulatory landscape. In an effort to make security programs more dynamic, the European Central Bank and national banks adopted the TIBER framework in 2018 to provide detailed guidance on how organizations’ blue teams, red teams, and threat intelligence providers can collaborate to test and improve cyber resilience through controlled attacks. The TIBER-EU framework harmonizes threat-intelligence-based red teaming so that participants grow through joint expertise and experience, and then applies that shared understanding to reveal the strengths and weaknesses of the tested entity.
The regulatory focus on outcome-based security testing, showcased by the TIBER framework, has gained traction. Recent strides have followed: since last November, CISA has consistently advocated automated testing using MITRE ATT&CK in US-CERT alerts. The UK, Australia, and Canada have aligned with the US in endorsing this approach, echoing the O’Reilly guide on Evidence-Based Security, which emphasizes scientific program evaluation and collaborative learning to bolster decision-making, a pillar on which the MITRE ATT&CK framework and AttackIQ stand.
January 2023 saw the launch of the European Commission’s Digital Operational Resilience Act (DORA), solidifying this regulatory momentum. DORA mandates financial entities in the EU—banks, insurers, investment firms—to prioritize cybersecurity, transcending compliance to achieve concrete security outcomes. It urges continuous cyber testing, ensuring ongoing assessments that fortify security postures and adapt proactively to emerging threats. DORA sets a benchmark for outcomes-based cybersecurity, emphasizing continuous testing, and underscores the necessity of a proactive, adaptable cybersecurity approach within the financial industry.
AttackIQ’s Role in Intelligence-Driven Decision Making
Amidst this regulatory crescendo, AttackIQ emerges as a pivotal player, empowering organizations to translate regulatory visions into actionable security strategies. Leveraging AttackIQ’s Security Optimization Platform alongside the MITRE ATT&CK framework, red and blue teams collaboratively fortify security controls, enhancing resilience against cyber threats and manifesting real-world security outcomes.
As the regulatory landscape braces for a paradigm shift towards performance-driven security, the emphasis on continuous testing and proactive fortification stands as a beacon of hope in an increasingly complex cyber landscape. The era of genuine security outcomes is dawning, beckoning organizations to embrace a new frontier of cyber fortification.