A penetration test can uncover hidden security vulnerabilities and exposures on your network. It can also help you verify that your prevention and detection controls are working as intended and identify areas you might need to strengthen.
Integrating a penetration test's results directly into your SIEM can help enhance the value of the pen test's report in multiple ways.
There are several reasons why a group within your organization might conduct a pen test. Someone might need it to get signoff on a project. It could be part of a regulatory or compliance requirement, or a business group might conduct a penetration test to assess the risk associated with a new service.
Pen test reports are expensive pieces of information. Ordinarily these reports are paid for as part of a project, and the information normally just sticks within a particular area. But if the report is shared with the security operations center (SOC) and integrated into the SIEM, the benefits can be enormous. Here are the five biggest ones.
1. It improves your triage
A pen test result tells you which hosts are vulnerable and how they can be compromised. Adding that information to your SIEM can help when you are running correlation and doing triage against an event.
You can look at the hosts that were involved in the event and see whether pen testers were previously able to exploit a vulnerability on them. Pen test reports provide information that can help you make more informed decisions on the priorities to apply when triaging an event.
2. It verifies your alerting logic
You can use pen test data to verify that your correlation rules are firing as they should and that you are really catching all the activity that you want to catch.
If you create rules that look for certain activity, and if the pen test has done that activity and none of the rules fire, then you are not catching the issues you want caught.
Say, for instance, people can walk through your front door but must meet certain requirements to access a secure area in the same building. If you haven't written a rule for that particular use case, the alarm won't go off when someone enters the secure area, even though the alarm system itself is set up.
Because you have the pen test report, you know a blind spot exists in your alerting logic and that you need to create new rules or customize existing ones to catch that activity. Adding pen test results to your SIEM allows you to check and confirm that what you think should be happening is actually happening.
3. It allows for attack replays, demonstration, and training
SIEMs help organizations aggregate and analyze log and security event data from hardware and software systems. One of their main roles is to generate alerts on any activity that runs afoul of predetermined security rules.
Adding pen test results to your SIEM can help you mimic what an actual attack would look like. You can replay the events in the pen test and observe them in real time to see how your rules, alerts, and processes hold up.
This can be useful, especially from a training and demonstration standpoint. You can replay the events from a specific pen test offline to verify whether your SOC analysts are keeping their eyes on their consoles. You can also determine if your analysts have the skills to identify the alerts and events.
4. It can show gaps in your SIEM feeds
Pen test results can help you confirm that the log and event data feeds that you have inside your SIEM are really helping you track the sort of activity you should be tracking. Sometimes you might have rules for alerting on certain activity. But a pen test might show them as not firing because you don't have the log data you need in your SIEM to spot it.
Test results can be used as a business case to management to show that you need logs from additional firewalls, or that you need logs from additional applications to ensure a certain rule will now fire and that you can catch this activity again in the future.
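The reconciliation that points 1, 2 and 4 describe, as an added example that is not part of the original article: constructed pen-test findings are checked against constructed SIEM alerts and the list of ingested log feeds, so each finding ends up as detected, rule present but feed missing, rule present but silent, or no rule at all, and a host that pen testers already exploited gets a higher triage priority. Field names, the 15-minute alert window and the sample data are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration; none of it is from a real engagement.
FINDINGS = [  # what the pen testers did, on which host, and when
    {"id": "F1", "host": "10.0.1.20", "technique": "smb_lateral_movement", "time": "2021-03-02T10:15:00"},
    {"id": "F2", "host": "10.0.1.21", "technique": "web_sqli", "time": "2021-03-02T11:02:00"},
    {"id": "F3", "host": "10.0.2.5", "technique": "kerberoast", "time": "2021-03-02T12:30:00"},
]
RULES = {"smb_lateral_movement": "windows_security", "web_sqli": "waf"}  # rule -> feed it needs
LOG_SOURCES = {"windows_security", "firewall"}  # feeds the SIEM actually ingests
ALERTS = [{"rule": "smb_lateral_movement", "host": "10.0.1.20", "time": "2021-03-02T10:16:30"}]


def _ts(s):
    return datetime.fromisoformat(s)


def coverage(findings, rules, log_sources, alerts, window=timedelta(minutes=15)):
    """Classify each finding by what the SIEM did (or could not do) with it."""
    result = {}
    for f in findings:
        rule = f["technique"]
        if rule not in rules:
            result[f["id"]] = "no_rule"        # blind spot: a rule must be written (point 2)
            continue
        if rules[rule] not in log_sources:
            result[f["id"]] = "rule_no_feed"   # rule exists but its log feed is missing (point 4)
            continue
        # Rule and feed both exist: did an alert fire on that host shortly after the activity?
        fired = any(
            a["rule"] == rule and a["host"] == f["host"]
            and timedelta(0) <= _ts(a["time"]) - _ts(f["time"]) <= window
            for a in alerts
        )
        result[f["id"]] = "detected" if fired else "rule_silent"  # silent: fix the rule logic
    return result


def triage_priority(host, findings, base="medium"):
    """Raise the priority of an event on a host pen testers already exploited (point 1)."""
    hits = [f["technique"] for f in findings if f["host"] == host]
    return ("high", hits) if hits else (base, hits)


if __name__ == "__main__":
    print(coverage(FINDINGS, RULES, LOG_SOURCES, ALERTS))
    print(triage_priority("10.0.1.20", FINDINGS))
```

The "rule_no_feed" entries are the business case from point 4: a rule that cannot fire until its log source is onboarded.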
5. It provides better vendor management
Adding pen test results to your SIEM can be useful in vendor management. Pen tests are valuable, but can be expensive. To get the best value from them, ensure that your penetration-testing vendor is not running the same pre-defined set of exploits in your environment with each engagement.
You want to ensure that you are learning from each one, and that the vendor is not reusing the same kind of cookie-cutter tests each time. When you identify the exploits used in a pen test—and change the rules so you can detect them next time—the vendor can't run the same test again.
Take the strategic view
Ideally, your pen tester should be doing more than repeating last year's exploits. If the vendor is not including new exploits from, say, 2018 and 2019, then you are paying for a pen test that tells you nothing about how you would be affected by the most recent exploits.
You also need to make sure that you are getting a strategic view of the gaps in your detection and that you know the places where your security posture is very strong.
You can realize all of these benefits by integrating pen test results into your SIEM platform. Importing pen test data directly into your SIEM gets your team actionable information for correlation and triage within hours instead of days.
The benefits are clear. Make it happen in your organization.