What is Security Control Failure?
Over the past two decades, businesses have spent increasing amounts of money on their cybersecurity controls. This spending spree looks set to continue, with global cybersecurity spend expected to exceed $1.75 trillion over the five-year period from 2021 to 2025.
This trend makes sense. Business is becoming more digital by the day, driven by advances in everything from cloud computing and artificial intelligence (AI) to blockchain and the Internet of Things (IoT). With increasing volumes of sensitive data and systems now in the digital space, protecting them from cybercriminals is a growing priority, particularly as these criminals are becoming increasingly sophisticated and tenacious.
However, even as enterprises spend big to protect their data, there is always the chance that their security systems won’t do the job expected of them. Security control failure is just that: the moment when a cybersecurity system fails to stop an attack it should have been able to prevent. Security control failures can lead to a range of damaging consequences for organizations, including unauthorized access to and/or use of corporate systems, denial-of-service attacks, the transmission of malicious code such as ransomware, and data exfiltration.
The prospect of security control failure is of major concern to business leaders, as security breaches can cause significant brand damage and lead to punitive regulatory fines. According to Gartner’s Emerging Risks Monitor Report from 2021, security control failures were deemed the top emerging risk by senior executives from around the world.
Our own research on the subject reveals that executives are right to be concerned. AttackIQ’s analysis of customers’ security control performance against seven key MITRE ATT&CK® techniques found that endpoint detection and response (EDR) controls only stopped them 39% of the time (EDR tests were chosen because they are the industry’s most widely adopted controls).
When measuring businesses against these seven common techniques, AttackIQ found that:
- 0% prevented 100% of the techniques
- 1% prevented 76% – 99% of the techniques
- 25% prevented 51% – 75% of the techniques
- 20% prevented 26% – 50% of the techniques
- 21% prevented 1% – 25% of the techniques
- 33% prevented 0% of the techniques
Why do security controls fail?
It is important to note that the high degree of security control failures experienced by organizations is not the fault of security system vendors. As part of our research, we tested EDR controls in a laboratory environment, where they stopped all the top seven MITRE ATT&CK techniques. Nor is it the fault of the businesses using these systems, many of which have in place highly advanced cybersecurity teams. So, why do security controls fail?
The answer lies in the system itself. Complex organisms and organizations need data to understand how well their inner workings are performing. For example, people go for regular medical check-ups to understand the condition of their bodies. Many people also wear devices that monitor their pulse and oxygenation levels for further feedback on how their physiology is performing.
Until now, cybersecurity teams have lacked a similar means to exercise, measure, and report on their health. As a result, a mismatch has occurred. Without the ability to test and train against real-world adversary behaviors, even the very best technologies and most effective security teams have been unable to stop adversaries every time. As an example, a soccer team that has not prepared for its opponents is unlikely to win the match, no matter how good its players.
Every deployment of security controls will have gaps and weaknesses that cybercriminals can exploit. The best way to uncover these gaps is to get inside the mind of the attacker and mimic their techniques.
How to prevent security controls from failing
The traditional approach to testing for potential security control failures is to conduct a penetration test using a red team to attack. This approach has limited value. For one, it can only provide a point-in-time reference: it tells you about the state of your security controls today, not what they will be like tomorrow.
Second, the approach can’t scale to the entire enterprise. Even the largest companies lack the time and staff to test all their controls regularly. Finally, red teams often rely on the expertise of the “attackers” rather than referring to real-world threats that are most pertinent to the business in question. As a result, the tests can fail to find the weaknesses and gaps that carry the greatest risk.
Fortunately, enterprises now have a much more effective approach at hand. Breach and attack simulation (BAS) platforms, like AttackIQ’s Security Optimization Platform, leverage automation to enable continuous testing and security control validation, running assessments aligned to the MITRE ATT&CK framework against the total security program. The platform enables security teams to test their controls with specificity and realism, using Attack Graphs to test advanced cyberdefense technologies against multi-stage attacks.
During testing, the AttackIQ Security Optimization Platform generates real-time performance data that security teams can use to measure the effectiveness of security controls, either over time or at a single moment in time, and to make data- and threat-informed decisions about security program performance.
Significantly, by using intelligence from MITRE ATT&CK and the data from the BAS tests, organizations can prioritize their remediation of security control failures according to the type of attacks most likely to target their industry, and the areas of their controls most at risk. Gaps can thereby be filled, and weaknesses remediated, to ensure that controls are configured correctly and performing as required.
The approach works. According to independent analysis by IDC, AttackIQ customers achieved a 47% efficiency gain with their security operations teams, a 44% reduction in potential costs of security breaches, and 35% less impactful breaches overall because of continuous security control validation. [1]
By deploying a threat-informed defense strategy for continuous security control validation, businesses can therefore generate real-time data to elevate their security program effectiveness and keep intruders out. The days when security control failures keep executives up at night are coming to an end.
[1] “The Business Value of the AttackIQ Security Optimization Platform,” IDC, July 2022.