How can security teams keep pace with ever-evolving organizational IT changes and ever-expanding attack surfaces?
According to The State of Pentesting 2024 Survey Report, nearly 7 out of 10 organizations in Asia Pacific report changes to their IT environments on a quarterly basis, or even more frequently.
However, only 39% report pentesting as often, which leaves many organizations open to risk for extended periods of time.
Meanwhile, the average annual security budget for organizations in APAC is US$1.4 million, larger than the $1.27 million worldwide average.
Yet, despite an average of 54 security solutions per organization in the region, half of APAC organizations still reported a breach in the past 24 months.
CybersecAsia discussed some key findings from the Report with Jay Mar-Tang, AVP, Field CISO, Pentera, as well as the future of pentesting and security validation.
What do the above findings tell us about the cybersecurity landscape in the region?
Mar-Tang: The good news is that enterprise security teams are investing in and prioritizing their security. When we see that enterprises in APAC are spending an average of $1.4m on their IT security, it shows that cybersecurity is a priority. Willingness to invest is the first major step to building a comprehensive program. With the right budget you can hire a good team and build a solid security stack to improve the quality of your security.
What this also tells us is that having all the security technology isn’t enough; you need to be smart about your security program.
Enterprises are investing in an average of 54 security solutions, but they rarely stress test these solutions to confirm they deliver on the promised protection. As security professionals, to effectively defend our organizations, we need to understand how the threat actor sees our attack surface and what attack vectors they can exploit.
We found that 69% of enterprises in APAC report changes to their IT environments at least quarterly; however, only 4 in 10 report pentesting at the same frequency. We need to start shrinking this gap and begin testing more often.
What other key findings in the Report do you find significant from a global and regional perspective?
Mar-Tang: There are two findings that I would like to highlight.
The first is the growing importance of proper prioritization of tasks and time. We found that over 68% of enterprises in APAC report a minimum of 500 security events for remediation per week.
With so many security solutions in their stack, security teams are absorbing a lot of information and alerts. They are limited in how many tasks they can perform and how many vulnerabilities they can address; with the rapid evolution of our modern IT environments, becoming “patch perfect” is an unrealistic target.
Instead, security professionals must be able to prioritize effectively and concentrate their remediations on addressing the most critical security gaps.
The second idea is that cybersecurity is fast becoming a focal point both inside and outside of the cybersecurity teams. Over 52% of CISOs reported that they share the results of pentest assessments with their leadership teams as well as their Boards of Directors (BoDs).
With high-profile breaches in the news, management teams and BoDs are increasingly interested in understanding their organizational resilience, and the potential impact of cyberattacks to their operations and business. I think that this will continue to be the case as the increasing costs of successful attacks threaten the bottom line.
Is understanding how threat actors can exploit an organization critical for cyber-defense? How does it help security teams proactively — instead of reactively — tackle rising cybersecurity challenges?
Mar-Tang: The key here is that having the hacker’s perspective removes the assumptions from cybersecurity. When you test your security against the real tactics, techniques, and procedures (TTPs) that threat actors are using in the wild, you no longer need to guess if a certain vulnerability is dangerous to your organization, you have confirmation.
This allows organizations to be far more proactive in their security because they can actively focus on closing their most dangerous security gaps before threat actors have a chance to exploit them.
Security Validation, and understanding the attacker’s perspective, is a core component of the Continuous Threat Exposure Management (CTEM) framework that is fast becoming a focal point for security teams. The overall goal of this framework is to enable organizations to continuously assess and proactively prioritize exploitable risk within their environments. Without effective security validation, identification and prioritization of real security gaps is not possible.
What are the latest advances in pentesting? How can organizations benefit from them, and why are organizations hesitant to embrace them?
Mar-Tang: Traditional pentests represent point-in-time assessments of your security posture. During an assessment, third-party teams, usually of one or two pentesters, try to hack your IT environment over the course of a few days. Within the following days, the pentesters generate a report on their findings for the organization to remediate.
These manual tests are often limited in scope, covering only a small subset of your organization’s IT assets. With automated security validation, organizations can test the effectiveness of their security controls at scale against the latest tactics, techniques and procedures (TTPs) in use by threat actors today. This allows them to maintain a consistent view of their risk posture from threat actors.
The biggest barrier to greater adoption of pentesting overall, and, by extension, automated pentesting software, is the perceived threat to business continuity. Security teams are tasked with ensuring that IT environments are safe and that business operations are uninterrupted. Security leaders are cautious around pentesting as many have experienced network downtime due to pentesting in the past.
CISOs want to work with the most experienced pentesters who provide the highest level of validation to their security, while also posing the least risk to operations. They are often hesitant to believe that software exists that can replicate the talent of quality pentesters, without risk to their environment.
I’m happy to say that slowly we are eroding this fear. Globally, Pentera has over 950 customers in production, and our automated security validation software has never caused a network outage.