Measure your security posture to make defensible decisions

By Alchemmy’s Phillip Aitchison

The sprawl of security tooling makes it hard for Boards to understand the overall performance of their security investment. When security controls fail, they tend to fail silently because assets aren’t fully integrated with monitoring systems, settings are misconfigured, or the data made available by these assets doesn’t provide sufficient insight into what is really going on.

Security teams are locked in a constant struggle to identify and resolve these failures before a cyber adversary does. Taking control of this situation requires organisations to understand their security posture and judge the effectiveness of existing security investments. This is hard because measuring security performance needs end-to-end measurement and judgement of value to the overall business. Getting ahead of the threat requires organisations to invest more to react and recover from attacks across their supply chain.

To do this, CISOs must make defensible decisions based on real data and evidence of security outcomes. This can be achieved through continuous testing and validation of security controls. Alchemmy use the ATTACKIQ platform to assess security capability against the MITRE ATT&CK framework to visualise how your organisation can defend itself against specific threats. We do this by showing how your adversary can target your business with real-time performance data to help you make threat-informed decisions about your security priorities.

A recent study by the analyst firm IDC of existing AttackIQ customers found that verifying the effectiveness of their security investment resulted in:

• 47% more efficient SecOps teams
• 44% reduction in potential costs of breaches and
• 35% less impactful breaches overall.

When asked why this was the case, one customer said, “Business risk has been reduced, because with AttackIQ we can measure where things work well. If something isn’t working, we can take steps to address that”.

Both the UK’s NCSC and the US’s CISA recommend continuous, automated security testing and we think this is most useful when aligned with MITRE ATT&CK. This is why Alchemmy use the ATTACKIQ platform to evaluate security effectiveness and demonstrate the impact of the real risks facing organisations. Armed with this evidence, we’re then able to help prioritise the right actions to improve resilience and show Boards where to invest to stay current with the evolving cyber threat.