The term “security control validation” is used frequently across frameworks, security vendors, and more. What does it mean to validate security controls? And why is it often easier said than done?
What Is Security Control Validation?
Security control validation is the process of testing individual controls or a set of controls to ensure they are effectively protecting against a variety of cyber risks. A classic example of security control validation is ensuring firewalls are implemented and that they prohibit malicious inbound web traffic.
Now, a firewall is just one control. The average security organization has a dozen or more technical controls — including endpoint protection, secure web gateways, identity and access management, anti-phishing technology, and more. That represents a small sample of all the many controls documented in NIST 800-53.
What Do I Get Out of Security Control Validation?
So much attention is given to which security products to purchase, but deploying and maintaining products are areas often overlooked and underinvested.
Security control validation helps to uncover three areas of risk:
- Missing security controls: Many companies purchase a certain amount of end-user licenses, only to realize that controls aren’t deployed everywhere they should be. This leads to a larger attack surface and a potential lack of visibility.
- Misconfigured security controls: Many security controls need to be tuned according to the environment they’re deployed in. Some controls may produce too many alerts out of the box, while some may not detect threats outright. But, beyond tuning, misconfiguration can also mean the controls aren’t functioning completely, or they’re outdated and running unsupported versions — potentially vulnerable to attacks themselves.
- Security control efficacy: Even when security controls are deployed and configured per requirements, that doesn’t guarantee they’ll protect against known attack methods. That’s where testing security controls through adversarial attacks and simulations becomes very important. MITRE ATT&CK is one common standard to evaluate how security controls hold up to known threat actors and attacks.
How Security Control Validation Is Performed
Security control validation is typically a byproduct of point-in-time assessments: penetration tests, red teaming exercises, audits, and more. These exercises present a great option to understand how well security controls are working. Since these exercises are conducted with knowledge of the company’s network, they can be extensive and very productive. But, as these exercises are point-in-time, the validation of these controls can only carry so much weight.
Many technologies now claim to provide “continuous security control validation”, usually through an external lens that observes vulnerabilities, malware infections, application security, network security, and more. These platforms often require minimal work and overhead for security teams, presenting a good option to evaluate a certain subset of security controls.
However, since these platforms often lack the “inside-out” view, there are many security controls that can’t be validated properly. This could be due to either the controls — or the assets themselves — not being seen or assessed outside the network.
Security Control Validation: Start With Cybersecurity Asset Management
Like most things in security, having an accurate and up-to-date asset inventory allows for more accurate and comprehensive security control validation. Cybersecurity asset management platforms integrate with all your security controls, showing how they relate to all of your IT assets into one central view.
Furthermore, cybersecurity asset management not only validates whether security controls exist and are working correctly for all assets — it can also validate controls on a continuous basis.
Organizations looking for better security control validation should first ask whether they’re confident in their asset inventory. If the answer isn’t a resounding yes, cybersecurity asset management should be a prerequisite.
