Cybersecurity expert Amital Ratzon calls it the next step in proactive security: a new movement in the cybersecurity field in which automated security checks and systems hardening are integrated into every software development and deployment stage. It is called SecValOps and is expected to follow in the footsteps of the DevSecOps movement.
“Just as DevSecOps integrated security into the start of the high-speed development of DevOps, SecValOps goes a step further, adding testing and validation to ensure that an organization’s security strategy can stay effective against today’s sophisticated cyberattacks,” Ratzon says.
Organizations are slowly acknowledging the importance of continuous security testing as they deal with the increasing aggressiveness and sophistication of cyber threats. SecValOps is new, but it appears to be the way to go given the undeniable need for meticulous cybersecurity, continuous security validation, and collaboration among cybersecurity teams.
SecValOps: The basics
SecValOps is a new approach for a new set of threats. With cybercriminals more resourceful and relentless than ever, it is not enough simply to integrate security into the DevOps process. It is also crucial to test the security controls baked into software projects or installed in an organization. Hackers and other bad actors need only a brief window of exposure to introduce ransomware and other malware into a network or inject malicious scripts into vulnerable code.
SecValOps embodies the idea of continuous security testing, much as continuous security validation enhances organizations’ cybersecurity posture. Its goal is to remove virtually all security gaps and vulnerabilities in security controls. It reduces attack surfaces and helps ensure effective attack surface and cyber risk management.
Shaping up as a foundation for security operations, SecValOps makes clear that organizations need automated, continuous security testing before, during, and after changes in the organization, informed by the latest developments in the cyber threat landscape.
Changes such as security policy modifications, IT hardware and software replacements and updates, management and personnel changes, switching to a new cloud provider, and updates to organizational protocols and procedures can all affect IT resources. Checking security control efficacy only at certain points in time is inadequate for the threats organizations face today.
SecValOps best practices
What do organizations need to adopt SecValOps? Nothing out of the ordinary. Most companies are already acquainted with the strategies involved, namely continuous penetration testing, purple teaming, and a collaborative approach to dealing with cyber threats.
Continuous penetration testing, or continuous red teaming, is something many companies already use as part of their security validation programs. Hiring white hats to pen test ceaselessly would be extremely costly, so they turn to automated solutions. This does not mean relying entirely on automated pen testing, though.
There are instances when manual red teaming is important. A recent survey of IT security managers finds that organizations acknowledge the limitations of manual pen testing, but it also notes that pen testing still provides “a valid way to surface some vulnerabilities in specific, scoped portions of an attack surface at a single point in time.” It therefore makes perfect sense to rely on continuous automated penetration testing and to apply manual tests strategically to specific cases.
Purple teaming supports continuous penetration testing by adding an adversarial perspective to the whole security validation process. It entails some degree of cooperation between the red (attack) and blue (defense) teams to accelerate security testing, with each side helping the other work out how a defense can be strengthened or how an attack can be bolstered.
Instead of letting the attack and defense teams work in silos, purple teaming enables some degree of collaboration in working out how the defense team made something impenetrable or how the attacking team found its way past the blue team’s cyber defenses. Because the teams are not left to figure things out on their own, more scenarios get tested and security improvements are implemented more rapidly.
The cooperation in purple teaming does not mean that the red and blue teams know everything the other does. They do not share how each designed its attack or defense, let alone spoon-feed each other everything there is to know. They usually collaborate only after testing outcomes are determined.
On the other hand, collaboration in security validation is about sharing information and insights on the latest cyber-attacks and threats. Many already do this through the MITRE ATT&CK framework, through which IT teams and cybersecurity groups share the latest details on adversarial tactics and techniques so that organizations can identify and block them. It also guides organizations on how to mitigate the impact of recently developed cyber-attacks.
Many security firms that provide security validation solutions also embrace the MITRE ATT&CK framework. They integrate it into their purple teaming modules or as a component of their security testing platforms to automate the process and keep continuous testing current with the latest threats. It provides a massive boost to security testing.
These three best practices are not either/or options. They complement each other and should be implemented together. SecValOps calls for security testing that is continuous and threat-informed (adversarial perspective). It also acknowledges the importance of harnessing the advantages of collaboration among cybersecurity firms, teams, and experts worldwide.
Why do organizations need SecValOps?
In today’s fast-paced way of doing things, changes in organizations are inevitable and can happen all too quickly. The security controls that worked for a specific setup and set of hardware, software, and digital assets may no longer work the way they used to. These controls need to be tracked continuously to ensure that they remain effective in detecting or preventing emerging threats.
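As an added illustration of two points the article makes, that validation should be threat-informed via MITRE ATT&CK and that a control which passed before an environment change cannot be assumed to still pass afterwards, here is a small Python coverage tracker. It is not code from the article or from any vendor platform; the technique IDs are real ATT&CK identifiers, while the threat profile, purple-team results, change log, and fixed date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
# Constructed threat profile: ATT&CK technique IDs that recent intel says matter here.
THREAT_PROFILE = {
    "T1566": "Phishing",
    "T1059.001": "PowerShell",
    "T1486": "Data Encrypted for Impact",
    "T1021.001": "Remote Desktop Protocol",
}
@dataclass(frozen=True)
class ValidationResult:
    technique: str  # ATT&CK technique ID exercised by the purple team
    outcome: str    # "prevented", "detected" or "missed"
    tested_on: date

# Constructed purple-team outcomes; the early miss on T1566 was later fixed.
RESULTS = [
    ValidationResult("T1566", "missed", date(2024, 4, 10)),
    ValidationResult("T1566", "detected", date(2024, 5, 25)),
    ValidationResult("T1059.001", "prevented", date(2024, 5, 1)),
    ValidationResult("T1486", "missed", date(2024, 5, 28)),
]
# Constructed change log: a pass recorded before the latest change proves nothing now.
CHANGES = [(date(2024, 3, 2), "new cloud provider"), (date(2024, 5, 20), "EDR policy update")]
PRIORITY = {"gap": 0, "untested": 1, "stale": 2, "covered": 3}
TODAY = date(2024, 6, 1)  # fixed "today" so the sample report is reproducible

def coverage_report(profile, results, changes, today=TODAY, max_age_days=30):
    # Classify each technique in the profile from its most recent validation run.
    latest = {}
    for r in results:
        if r.technique not in latest or r.tested_on > latest[r.technique].tested_on:
            latest[r.technique] = r
    last_change = max(d for d, _ in changes) if changes else None
    report = {}
    for tid in profile:
        r = latest.get(tid)
        if r is None:
            report[tid] = "untested"  # never exercised against the current controls
        elif r.outcome == "missed":
            report[tid] = "gap"       # control failed; fix before anything else
        elif (last_change and r.tested_on < last_change) or (today - r.tested_on).days > max_age_days:
            report[tid] = "stale"     # passed, but before a change or too long ago
        else:
            report[tid] = "covered"
    return report

def prioritize(report):
    # Order so the next validation run starts with the worst-off techniques.
    return sorted(report, key=lambda tid: (PRIORITY[report[tid]], tid))
```

Feeding the change log from the same sources that record policy, infrastructure, or provider changes is what turns this from a periodic check into the continuous, change-aware validation the article describes.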
“The typical organization today has undertaken five major firm-wide changes in the past three years — and nearly 75 percent expect to multiply the types of major change initiatives they will undertake in the next three years,” says Gartner. When organizations shift from brick-and-mortar to e-commerce operations or merge with another business, for example, changes unavoidably take place and affect cybersecurity policies and controls.
There is no guarantee that existing security systems remain effective without testing. If organizations do not get used to taking cybersecurity into account whenever they encounter changes, the likelihood of becoming vulnerable to the latest threats is very high.
SecValOps is an offensive way of establishing a defense. It is mindful of the risks and anticipates attacks and threats. It is what companies need to embrace as they bring their cybersecurity up to a higher level to keep up with the greater complexity and relentlessness of creative and sometimes state-backed cybercriminals.