SMBs! Forget Retainer-based Security Assessments: Demand Funded POCsA New Delivery Model Surfacing for Various Assessment Services, but Best for SMBs?
Penetration tests are top of mind for security decision-makers wondering how their defenses stack up against vendor solutions and threat actors’ tactics alike. Providers of pen testing services are eager to help (read, sell you their services) - but the scope is, and the costs are, highly variable.
See Also: AWS Security Foundations: For Dummies
Not coincidentally, other providers pushing managed services offerings were well represented at conferences like BlackHat. I’m not talking about MSSPs, but other new-paradigm acronyms like MDR (or EDR, or XDR, or MXDR… or whatever other flavor of detection and response capabilities is deemed acronym-worthy next).
A new delivery model is surfacing for various assessment services - one that is going to be bad for SMBs, whose options were already limited.
SMBs will have trouble finding out how their under-resourced security programs perform, until they are in a real-world test (which tends to be too late to make improvements).
I recently blogged about how Detection and Response service vendors were offering assessments, some of which deliver comparable outcomes to pen tests (again, they vary tremendously in scope, so take this with a grain of salt); at least, the types that SMBs would consider.
A new delivery model is surfacing for various assessment services - one that is going to be bad for SMBs, whose options were already limited. Do not accept retainer-model assessments from managed security vendors; insist on funded POCs that deliver real outcomes, quickly.
Typical Security Assessments: Outcomes, Features, and Timelines
Variability notwithstanding, usually you can expect outcomes across a few standard functional areas, including vulnerability exploits, control audits, and assessing for existing breaches. The names/types of providers change, but by looking at their processes and outcomes, you’ll usually see assessments that resemble these archetypes:
The Classic Pen-Test Exploit Scan (5-10 days)
The more traditional pen test scans for vulnerabilities within your environment and has security analysts or dedicated red-teamers try to exploit them. This can be specific to particular applications (OWASP / Web App vs. Mobile, etc.). Typically consulting companies will sell these, but you’ll also see versions offered by “continuous scanning” vendors, who may offer a limited time POC. Outcomes are whether they were successful or not, and a short explanation of why they could gain access.
Compliance Controls Assessment (1-5 days)Auditors execute a questionnaire, and report collated answers, as well as other evidence captured. Governance- Risk and Compliance-tool vendors or resellers may offer these gratis, often specific to a given framework (see our webinar recording in collaboration with Intigrow for a Zero Trust Network Access assessment). Outcomes are a roadmap or gap analysis on tools or procedures that need to be augmented.
Breach Assessments (4-6 weeks, depends on size of org)
Providers scan for indicators of attack that may exist in your environment. Typically, a tool is installed on your endpoint(s), or scans across the network or cloud environments. A report on whether the threat hunts find something or not is provided at the end, potentially with (often generic) advice on how to mitigate such risks moving forward.
MITRE Controls Assessment (5-10 days, or 4 hours with ActZero)
Sometimes called Red/Blue/Purple Team exercises, this assessment compares controls in place against the attack stages detailed in the MITRE ATT&CK framework. This is the most similar to our own Ransomware Readiness Assessment, which includes elements from each of the types described above.
Mileage may vary as most vendors may offer limited time or simple evaluations to test and won’t be very comprehensive and may not be using real-world techniques…such assessments are usually called breach simulation and attack detection (or BSAD). Outcomes here should focus on detection or block-rate, dwell time for the attacks and how much signal vs. raw data to find the attacks.
The Elephant in the Room: Cost
Some vendors are charging money for what is effectively a proof-of-concept, either through professional services fees for their assessment, or by charging a retainer for a block of hours which are then deducted as the assessment progresses.
Such assessments should, at minimum, deliver value… but time to value can vary significantly. You must demand that such assessments be funded by the vendors offering them.
Conclusion: Demand a Risk-free, Cost-free, Assessment Model
Spending your time on an initiative like this could yield nothing if the wrong vendor is engaged. However, if they deliver on what they say, it’s a compelling business case to adopt their services moving forward, absorbing the risk and cost of the assessment.