Many years ago, when I was learning to be a software developer, I was taught that if you find yourself doing the same thing time and time again, automate it. Fast forward 20 years and automation is bringing an increased set of benefits to organisations, both broadly in technological terms and specifically for us, in the cyber security sector.
In some areas, automation has evolved such that Artificial Intelligence and Machine Learning can be used to run models across large datasets to analyse and surface conclusions rapidly. This is increasingly useful in areas such as anti-malware, network anomaly detection & response, and also user & entity behavior analytics.
In other areas, automation has evolved by simply automating manual use-cases and this is what Pcysys has achieved with PenTeraTM, the world’s first automated penetration testing platform. While this can be thought of as a disruptive technology, it is at the same time a simple evolution of existing and mature processes that organisations have built
and run for some time.
In our discussions with customers, their pain points fall into two main areas, which we’ll step through.
An inability to cope with the volume of noise produced by Vulnerability Assessment tools
Vulnerability scanning tools are very useful for identifying static vulnerabilities when they are run against a range of assets. The pain is in the remediation, as many organisations are finding they do not have the time or headcount to fix the volume of issues being surfaced. Where to even start used to be enough of a challenge until the tools introduced prioritization by both CVSS and tool-specific weightings. Even then, however, the number of issues is the same, the order in which they are prioritized changes. It’s worth noting that only around 5% of vulnerabilities have an exploit associated with them, so organisations waste cycles patching vulnerabilities that are not exploitable.
We often find that PenTera may achieve a high severity exploit with an initial entry point using a vulnerability of say, CVSS level 3; a vulnerability that is way down the remediation list and may take a long time to fix, left on a backlog or indeed, treated as an acceptable risk.
The logistics and cost of point-in-time manual penetration testing
Customers recognize manual penetration testing is a point-in-time activity, whether it is mandated by regulatory requirements or whether it is due to internal security policy. Booking external penetration tests is subject to delay due to availability, consistency of testing across providers, even individual testers, and is expensive for a point-in-time activity. Often, the report takes time to arrive, by which time it is already stale. If you run your own red teams they are also hard to get time with and if you follow a formal system delivery and deployment methodology requiring a penetration test before go-live, these often backup and cause delay to system roll-outs, impacting the very benefits the new system was designed to deliver.
When the problems of vulnerability assessments and manual penetration testing are laid out, automation seems an obvious next step. The question then is what value and benefit does automating the penetration testing process deliver?
The benefits of an Automated Penetration Testing Platform
First of all, you need to automate the process using exactly the same methodology a malicious actor would follow. If you don’t do this, you’re not penetration testing, you’re simulating something in a way a real attacker would never do and the value of the whole exercise diminishes.
Once you are penetration testing properly in an automated way, the value comes in a number of different areas. It comes from carrying out the full attack lifecycle, from sniffing network traffic and cracking passwords to identifying both static and dynamic vulnerabilities allowing for exploits to be run to advance an attack to completion, all in a completely safe manner.
Value also comes from identifying remediation activity based on what can really be achieved, not what vulnerabilities exist, exploitable or not. This increases value through efficiency improvements.
Finally, value comes from being able to do all of this as often as you like, increasing the cadence of testing to suit your operational model, improve your cyber resilience and ultimately drive cost savings and shorten risk reduction time.
The surprising thing is why it took this long to bring automation to penetration testing. Admittedly, there was a technology gap, that prevented automation of these complex tasks; a gap that has now been closed.