Virtualization Technology News and Information
GuidePoint Security 2022 Predictions: The Future of Penetration Testing in 2022 and Beyond


Industry executives and experts share their predictions for 2022.  Read them in this 14th annual series exclusive.

The Future of Penetration Testing in 2022 and Beyond

By Todd Salmon of GuidePoint Security

As the number, frequency, and sophistication of cyberattacks have grown over the last year, so has organizations' need for increased, on-demand visibility into their attack surfaces and vulnerabilities. Traditionally, the model for achieving this visibility has relied on a tiered approach: start with vulnerability scanning, move to penetration testing, and finally engage in red teaming. However, as the number of vulnerabilities disclosed each day continues to climb, it has become clear that a purely human-driven effort to identify vulnerabilities in an environment and test against them is a losing battle.

To meet the organizational need to simplify operations and reduce costs in an increasingly complex and expensive cybersecurity landscape, I believe that penetration testing will evolve beyond the traditional, point-in-time approach. Organizations and providers will move towards a continuous penetration testing model that offers an automated framework to test an environment and validate controls, all while maintaining the human expertise associated with more traditional testing.

By leveraging automation, continuous penetration testing can rapidly identify and test for vulnerabilities as they are disclosed, giving organizations and businesses the data they need to remediate swiftly. As we move into this new mode of operation, I believe it will change the cybersecurity profession in the following ways over the next year and beyond:

1. Integrations with patch validation and remediation tracking

As more security teams turn to continuous testing to supplement their existing pentesting cadence, continuous penetration testing providers will build their platforms as extensions of existing security frameworks, integrating deeper into other security tools and practices. For example, by integrating with systems for vulnerability management, continuous penetration testing platforms will be able to identify vulnerabilities associated with existing patch levels, immediately test against those vulnerabilities on the relevant systems, and recommend appropriate actions to mitigate anything that could be exploited. By testing and reporting against this information, these platforms will also be able to offer real-time remediation tracking and patch validation so organizations can focus on the most critical vulnerabilities in their environment.

2. Integrations with SIEM, GRC and Helpdesk systems

As continuous penetration testing becomes more integrated with patching procedures and systems, it will also be tied into SIEM, GRC, and helpdesk operations and serve to consolidate separate teams into a larger cybersecurity unit. By integrating with these systems, the work of requesting other teams' assistance with remediating vulnerabilities will be automated and streamlined. When a vulnerability is discovered, whether in an outdated piece of software or on a specific system, notifications and workflows will automatically trigger to inform the responsible teams and suggest remediation actions. When the problem is fixed, the continuous penetration testing platform's ties into remediation tracking will inform the cybersecurity team that they can take that fix off the to-do list and move on to other tasks.
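The two integrations described above (patch-level correlation with re-testing and patch validation in section 1, and the ticketing and notification workflow in section 2) are illustrated below with an added example. It is not GuidePoint's platform or any vendor's code; the advisory ids, product names, hostnames and version numbers are constructed, and the `Tracker` class stands in for whatever helpdesk or remediation-tracking system a real deployment would call. The point it shows that the prose does not: a ticket closes only when the host actually re-tests clean, so a patch that lands short of the fixed version (db01 below) stays open, a repeat scan does not duplicate tickets, and a fixed host that regresses reopens its original ticket.

```python
"""Added example (not GuidePoint's platform): correlate patch levels with advisories, ticket each
finding once, close only after a re-check confirms the fix. All ids, hosts and versions are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric tuple so 1.2.10 > 1.2.9; a plain string compare gets this wrong.
    # Assumption: dotted-numeric versions only (no epochs or release suffixes).
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    advisory_id: str   # constructed, deliberately not a real CVE id
    product: str
    fixed_in: str      # first version that carries the fix
    severity: str

@dataclass
class Host:
    name: str
    installed: Dict[str, str]   # product -> installed version, from inventory

@dataclass
class Finding:
    advisory_id: str
    host: str
    severity: str
    status: str = "open"        # open -> ticketed -> remediated (-> ticketed on regression)
    ticket: Optional[str] = None

def is_affected(host: Host, adv: Advisory) -> bool:
    """Patch-level check: installed version is below the version carrying the fix."""
    ver = host.installed.get(adv.product)
    return ver is not None and parse_version(ver) < parse_version(adv.fixed_in)

def correlate(hosts: List[Host], advisories: List[Advisory]) -> List[Finding]:
    """Map newly disclosed advisories onto the inventory's current patch levels."""
    return [Finding(a.advisory_id, h.name, a.severity)
            for a in advisories for h in hosts if is_affected(h, a)]

class Tracker:
    """Stand-in for the helpdesk / remediation-tracking integration."""
    def __init__(self) -> None:
        self.findings: Dict[Tuple[str, str], Finding] = {}
        self.notifications: List[str] = []   # what a SIEM or helpdesk hook would receive
        self._next = 1

    def ingest(self, findings: List[Finding]) -> List[str]:
        """One ticket per (advisory, host): repeat scans add nothing, regressions reopen."""
        opened = []
        for f in findings:
            key = (f.advisory_id, f.host)
            seen = self.findings.get(key)
            if seen is not None:
                if seen.status == "remediated":
                    seen.status = "ticketed"
                    self.notifications.append(f"{seen.ticket} reopened: {f.advisory_id} back on {f.host}")
                continue
            f.ticket, f.status = f"TICKET-{self._next}", "ticketed"
            self._next += 1
            self.findings[key] = f
            self.notifications.append(f"{f.ticket} opened: {f.advisory_id} [{f.severity}] on {f.host}")
            opened.append(f.ticket)
        return opened

    def validate(self, hosts: List[Host], advisories: List[Advisory]) -> List[str]:
        """Patch validation: close only when the host re-tests clean; a host missing from inventory stays open."""
        by_host = {h.name: h for h in hosts}
        by_id = {a.advisory_id: a for a in advisories}
        closed = []
        for (adv_id, name), f in self.findings.items():
            host = by_host.get(name)
            if f.status == "remediated" or host is None or is_affected(host, by_id[adv_id]):
                continue
            f.status = "remediated"
            closed.append(f.ticket)
            self.notifications.append(f"{f.ticket} closed: {adv_id} validated fixed on {name}")
        return closed

# Constructed sample data: two advisories, three hosts, inventory before and after patching.
ADVISORIES = [
    Advisory("ADV-001", "acme-db", "10.3.2", "critical"),
    Advisory("ADV-002", "acme-httpd", "2.4.10", "high"),
]
HOSTS_BEFORE = [
    Host("web01", {"acme-httpd": "2.4.9"}),
    Host("web02", {"acme-httpd": "2.4.10"}),                      # already at the fixed version
    Host("db01", {"acme-db": "10.2.9", "acme-httpd": "2.4.9"}),
]
HOSTS_AFTER = [
    Host("web01", {"acme-httpd": "2.4.10"}),                      # patched: ticket should close
    Host("web02", {"acme-httpd": "2.4.10"}),
    Host("db01", {"acme-db": "10.3.1", "acme-httpd": "2.4.10"}),  # db patch fell short of 10.3.2
]

def run_cycle() -> Tracker:
    t = Tracker()
    t.ingest(correlate(HOSTS_BEFORE, ADVISORIES))
    t.validate(HOSTS_AFTER, ADVISORIES)
    return t
```

Running `run_cycle()` opens three tickets from the pre-patch inventory and closes two of them after validation; the `acme-db` ticket on db01 stays open because 10.3.1 is still below the fixed version. The version comparison is the weak point of any such correlation: real package managers have epochs, release suffixes and distro backports that a dotted-numeric compare cannot express, which is exactly why the prose above calls for testing the vulnerability on the host rather than trusting the version string alone.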

3. Addressing resource shortages and staffing challenges

In my mind, this is one of the most drastic impacts that continuous penetration testing will have on the industry as a whole.

The global shortage of security professionals has hit every corner of the industry hard, and pentesting in particular has been affected because of the level of technical expertise and knowledge it requires. Increased adoption of continuous penetration testing will relieve the enormous pressure currently placed on penetration testing teams around the world by handling the low-hanging fruit, freeing pentesting experts to chase the severe vulnerabilities and issues that make better use of their skills. Additionally, continuous security testing will reduce the time required to scope a traditional penetration test, because penetration testers will have access to a trove of data and reports gathered throughout the year.

Beyond the pentesting teams themselves, continuous penetration testing will also help ease staffing shortages in organizational security and IT teams. As work is streamlined through the integrations mentioned above, teams will be able to shift their focus back to the highest-priority tasks on their plates. While this certainly won't make the overall shortage disappear, every bit of work that can be taken off existing cybersecurity professionals' shoulders helps. Even a small reduction in the overall stress of our chosen career can help reduce burnout and turnover, meaning less staff brain drain and stronger organizational security.

4. Justifying security investment

"You have to spend money to make money" is just as true in cybersecurity as in any other part of the business, but instead of angling for profit, we're fighting for budget. And unfortunately for cybersecurity teams, there often isn't much to spend. Traditional pentest results have long been used to justify budget for fixing the issues found, but every practitioner knows you have to pick and choose your budget requests carefully. Continuous penetration testing will help teams advocate for investment in improving cybersecurity in two key ways: by providing a more extensive data set accumulated over time, and by allowing requests for funds to be spread across the year instead of arriving in a single, large push after a traditional penetration test.

Like 2020 before it, 2021 was a record year for breaches. As that trend is sure to continue in 2022 and beyond, organizations will need to adopt a more holistic and continuous approach not just to penetration testing, but to cybersecurity as a whole. If we want to keep up with the rising tide of malicious actors and threats to our organizations, it's imperative that we find ways to give our experts and defenders room to breathe. To this end, the community has already begun embracing automation in other areas of cybersecurity in order to do more with less. I believe that penetration testing is the next area ready for change, and that continuous, automated penetration testing is that next stage of evolution.



Todd Salmon 

Todd Salmon, Practice Lead - Threat & Attack Simulation, is a veteran cybersecurity executive with extensive experience leading professional services organizations focused on information security and technology across all vertical markets. Todd's prior experience includes serving as the Chief Information Security Officer for one of the largest global technology distributors in the world. In this role he had global responsibility for the organization's entire information security program, including Security Engineering & Operations, Policy & Procedure, Compliance and Physical Security. Todd's primary focus at GuidePoint Security is the development of next-generation technical offerings for the Threat and Attack Simulation Practice.

Prior to GuidePoint, Todd held executive leadership roles with notable technology industry leaders including British Telecom, Avaya, Lucent-INS and General Dynamics. Todd also founded his own start-up, StackTitan, which provided bespoke technical assessments to enterprise clients. Todd's primary area of focus for the past twenty years has been offensive security, where he has built large consulting teams that delivered technical security assessments such as Penetration Testing, Vulnerability Assessments, Red Teams, Social Engineering and other bespoke engagements for clients ranging from the SMB market up to Fortune 1 corporations.

Todd earned his Bachelor of Science degree in Applied Management from National-Louis University and was a pre-law undergraduate before changing his major. Additionally, Todd attended Harvard University's School of Management Executive Leadership Course and has participated in numerous boards and technology councils.

Published Monday, November 15, 2021 7:32 AM by David Marshall