The CISO’s Guide to Enterprise Penetration Testing

Executive Summary

Today’s threat landscape presents unparalleled challenges to the modern CISO. Cyber criminals are using more sophisticated tactics and technology than ever before, including artificial intelligence (AI) and machine learning (ML). Ransomware-as-a-service and other commercially available tools are making it easier for cyber criminals to attack organizations at will.

In this difficult environment, businesses are expected to keep innovating at scale. But scaling introduces yet more challenges. As organizations build products and services, onboard new employees, and expand their global footprints, they risk broadening the attack surface beyond the visible. Shadow IT creates even more opportunities for attackers to cause problems, while making it more difficult for organizations to secure their assets. Cloud, hybrid, and on-premises environments add to the complexities of building secure products that scale at the same time.

To stay secure, security leaders must increase their visibility into their environments. Investing in routine penetration testing is one simple way to do that. But many security testing vendors, including traditional pen testing providers, are expensive, unscalable, and don’t offer additional benefits beyond the actual pentest.

Yesterday’s legacy approach to penetration testing is no longer adequate to proactively manage today’s cybersecurity risks.

Penetration Testing-as-a-Service (PTaaS) provides a new path forward for DevOps teams that want to reduce the risks that can cause a costly data breach—without adding extra work for the Security Operations Center (SOC). PTaaS allows organizations to get the best of both worlds: the expertise of human security testers combined with the speed and precision of AI.

In this guide, you will learn how to build an enterprise-grade penetration testing program that is fast, ready to scale, and proven for your organization.

The Impacts of Digital Transformation on IT Security

Digital transformation has moved beyond a buzzword. Now, it’s a must-have. Organizations face mounting pressure to quickly deliver digital goods and experiences. As a result, security has taken center stage. In today’s world, security can be the difference between turning a record-breaking profit and experiencing a headline-making data breach. And consumers are watching closely. In fact, 80% of customers want better security for their personal data. (Consumers Want Better Personal Data Security, 2022)

Twitter, Uber, LastPass… Some of the most devastating data breaches of the past five years had one thing in common: they were caused by high-risk vulnerabilities that could have been remediated if they had been discovered in time. (Goodin, 2023) Each of these enterprise organizations lacked the mature security posture they needed to patch these vulnerabilities before they were exploited. The results speak for themselves: lost revenue, bad press, and dissatisfied customers.

Why has it become so difficult for organizations to secure their data at scale? There are a few key factors influencing today’s threat landscape.

1. Attackers are savvier.

The good news: cyber criminals are not getting smarter. The bad news: they don’t have to be.

The rise of commercially available tools and offerings like automation, dark web data, ransomware-as-a-service, and initial access brokers has democratized cyber threats. Even inexperienced cyber criminals can wreak havoc by exploiting undetected vulnerabilities they have discovered by simply scanning the internet.

2. Attack surfaces are larger.

The “attack surface” encompasses every point where a cybercriminal can try to gain unauthorized access or extract data. Every time an organization adds technologies, tools, and apps to its tech stack, the attack surface expands. For security teams, the number one goal is to minimize the attack surface. But that gets harder as the organization grows.

Remote and hybrid work have made this an even more complicated task. It’s difficult for security teams to monitor employees who are working from home. Employees and teams may install apps, software, and virtual machines in the cloud without the security team’s approval. This phenomenon of “shadow IT” can lead to data breaches down the line.

3. Connections are tighter.

Devices, applications, networks, systems, and businesses are more tightly connected than ever before. The number of connected internet of things (IoT) devices grew to over 12 billion in 2021. (Sinha, 2022) Some of these are commercial devices like smart refrigerators and wearables, but others provide critical services at hospitals and factories. If a cybercriminal breaches one of these devices, they can cause a host of major problems—from impacting patient care to exposing personal health information (PHI), putting the organization at risk of non-compliance with HIPAA.

Digital connections between organizations and third-party vendors can open up the business to a host of new risks, such as API attacks or web application vulnerabilities that expose regulated data. Often, organizations lack visibility into their vendors’ security posture, so it’s hard to anticipate the cyber risks vendors may be introducing into shared systems.

But attackers can easily gain access to an organization’s systems and sensitive data by attacking its vendors in the supply chain, as was the case in the devastating Colonial Pipeline attack. (Turton & Mehrotra, 2021)

4. Customers are warier.

Today’s customers have high expectations. On the one hand, they want delightful digital products and experiences delivered on demand. On the other hand, they want their data to remain private and secure.

But doing it all—providing fast, secure service, while also meeting regulatory and compliance goals—is an expensive endeavor. Many companies find it difficult to scale their security in tandem with the organization. Constantly layering on another tool or hiring a larger team can deliver diminishing returns without a strategic foundation in place. Instead, organizations need an entirely new approach to prevent security breaches.

5. Regulations are thornier.

Even as the attack surface evolves, the regulatory and compliance landscape is changing just as quickly. Organizations that can’t keep up with new federal, state, and local regulations face costly fines and potential interruption to business operations. Business partners, customers, and clients are constantly sending out updated vendor assessments and surveys that require third parties to conduct more rigorous testing and routine validation to demonstrate security.

The Enterprise Problem with Today’s Pen Tests

A lot of organizations already conduct regular pen testing to check for vulnerabilities. However, not all pen tests are the same. It’s critical for CISOs and internal stakeholders to understand the types of pentests they need and the ones they do not.

Within the enterprise organization, the Central Penetration Testing Team provides the core function of delivering bulk penetration testing. This requires non-stop vetting of qualified security pentesting providers, while internal demand for pentests creates a backlog that builds up over time, resulting in delayed launches (and delayed realized revenue).

Once providers are vetted and approved, they often have their own timelines and scheduling with their pentesters, who may be freelance hackers or contracted bug bounty hunters. These issues increase risk in ways that enterprise CISOs will not accept for their central pentesting teams. Vendor selection is critical to ensuring the Central Pentesting team can get its organizational requests met on time and within budget.

The Centralized Penetration Testing Team

Centralizing the penetration testing needed for bulk penetration testing is a smart move for the enterprise. To support this, Centralized Penetration Testing teams have emerged to fulfill the organization’s full pentest requirements. These are governance teams – not actual pentesters themselves. This team hires pentesting firms and ethical hackers as needed. However, these teams are overburdened and time strapped.

Hence, most legacy approaches today actually cause delays for enterprise penetration testing teams – for two fundamental reasons:

  1. Legacy penetration testing companies and consultants are unable to deliver the speed or scalability that organizations need to fulfill the internal stakeholder demands for bulk penetration testing.
  2. Legacy penetration testing providers do not use the latest technology to accelerate their testing processes, which can introduce problems when trying to test a high volume of assets and full-stack systems while minimizing false positives.

Inside the Enterprise: Penetration Testing Challenges

Broadly speaking, enterprises with bulk pen testing requirements use two types of pentesting models:

The Consultant-based model:

An organization hires security experts to assess their systems and assets, like how someone might consult with a lawyer or an accountant. Traditional pen testing falls into this category, as does red teaming, which pits human experts against an organization’s cyber defenses.

The Software-driven model:

Organizations leverage automated tools to evaluate their systems and assets for vulnerabilities. Automated tools might leverage artificial intelligence or machine learning to search for bugs.

Consultant-Based Model: Expensive and Unscalable

The consultant-based model can be effective because it allows organizations to take advantage of human creativity. However, it is expensive and difficult to scale for enterprises that have varying levels of demand for bulk penetration testing.

The modern enterprise maintains a high volume of assets that contribute to a rapidly expanding attack surface. Bulk pen testing requires teams to interface with many stakeholders across the organization, including product owners, governance, risk, and compliance (GRC), CISOs, and developers. With numerous stakeholders, most central pen testing teams are working at maximum capacity to meet the demands, which often conflict with one another. This dramatically delays the entire security testing process, impacting product launch timelines and overall security maturity.

As a result, traditional pen testing vendors are constantly working through a massive list of clients. It can take weeks or months for them to complete a test, which presents several problems. For one, the faster an organization finds a vulnerability, the faster it can fix it. As it stands, organizations take an average of 46 days to find and fix vulnerabilities such as Authentication Bypass and Hard-Coded Credentials. High-risk findings take an average of 80 days. The larger an organization grows, the longer it takes to find and resolve vulnerabilities. (BreachLock, 2022)

On top of that, organizations often must meet pen testing requirements by a certain date to remain in compliance. Companies often find themselves working with a variety of different vendors through enterprise penetration testing teams. This is an expensive, unwieldy way of approaching security, and may introduce compliance issues later down the road, as different service providers will deliver varying levels of quality in their final pentest reports. At the same time, this situation produces inconsistent findings that introduce more risk.

Using external contractors to conduct a pentest may itself cause compliance problems. Ideally, a pentesting firm provides in-house, certified employees to conduct the pentesting. Hiring a proven provider of this kind is a solid way to meet your third-party security and compliance requirements at the same time.

Many pentesting solutions today offer the ability to hire freelancer pentesters to work on your regulated systems; however, these individuals are not full-time employees. They may not have background checks on file with the third-party provider.

It’s important that Enterprise Pentesting Teams do not introduce more risks when they can instead use vendors with in-house, certified security researchers. This selection pays off with streamlined testing and reduced risks from bad actors posing as ethical hackers.

The legacy pentesting approach is further dated by the fact that human consultants cannot manually find all of the vulnerabilities caused by shadow IT. Shadow IT makes it harder for security teams to discover and detect vulnerabilities, since applications and virtual machines may not be visible on the company network itself.

To scale faster, some businesses are turning to crowdsourced security testing. Crowdsourced testing providers cover a much wider net of testers, often opening the organization’s assets to scrutiny by anyone on the internet who wants to take a look at it. However, this model can be unreliable. Organizations can’t risk opening up their critical web apps—which might contain personally identifiable information or present a bridge to production networks—to an unvetted group of hackers.

Many crowdsourced security providers also don’t offer re-testing. Once hackers surface a vulnerability, it falls on the organization’s internal team to remediate the vulnerability themselves and then conduct their own re-testing to make sure it’s actually fixed. This hinders the remediation process, giving cyber criminals more time to exploit vulnerabilities.

Automated Tools: Too Noisy and Unreliable

While automated tools are an efficient way of getting an overall view of your security posture, they can be noisy, unreliable, and difficult to maintain. Automated scanners only check for known weaknesses at predetermined intervals.

There are two main problems with this approach: “known” and “predetermined.” Most enterprise companies contain unknown vulnerabilities. Routine activities, like product launches and software updates, introduce code risks into the production pipeline. And in an environment of continuous integration and continuous delivery (CI/CD), security should be continuous, too.

Moreover, commercial vulnerability scanners today are passive and do not offer the visibility or remediation guidance needed to minimize risks in an evolving threat landscape. A security team that relies on automation must deal with thousands of unprioritized alerts, many of which are false positives. Compounding the problem, automated scanners may be delayed in detecting an emerging threat that already has a proof of concept (PoC) in the wild.

Finally, scanners generate noisy results that are difficult to interpret. DevOps teams don’t have time to parse a complicated report that doesn’t specify which vulnerabilities pose the greatest threats to the business; they need a prioritized report that contains only the information they need to do their jobs. The more time they spend interpreting results and removing false positives, the less time they have to resolve a vulnerability before a hacker exploits it.

A New Solution: Pen Testing as a Service (PTaaS)

Pen Testing-as-a-Service (PTaaS) bridges the divide between the consultant-based model and automated scanning. PTaaS automates key parts of the penetration testing process to cut down on manual overhead, while also leveraging the power of human pen testers. That way, you get the best of both worlds: the intelligence of human experts and the scalability of technology.

A proven PTaaS solution can reduce the total cost of ownership (TCO) in the security program. Security leaders can eliminate duplicative technology and processes by replacing them with the on-demand testing and scanning capabilities that PTaaS offers.

What Does PTaaS Do?

The benefits that a centralized penetration testing team can realize with integrating a proven Penetration Testing as a Service provider are significant when compared to legacy options and other pentesting alternatives mentioned earlier.

When considering a trusted, proven PTaaS partner for bulk pentesting, the following advantages are significant factors to use in your final vendor selection.

The Benefits of PTaaS

Provides an accurate view from the adversary’s perspective

Automated scanners and audits offer a narrow, point-in-time snapshot. By contrast, PTaaS relies on human hackers who specialize in pen testing and offensive security and whose skills are augmented by AI. Using creativity and technical acumen, these experts know how to safely simulate attacks like an outside adversary would, providing valuable insights into potential weaknesses in a company’s security infrastructure and policies.

This gives security leaders visibility to “see” the adversary’s potential attack paths. With early remediation guidance included in the service, PTaaS technology outlines the most critical security vulnerabilities that must be managed first in initial findings and throughout the lifecycle of the penetration test.

Delivers better ROI

Continuous security testing turns security into a strategic differentiator. With continuous testing, CISOs can gain access to metrics across categories like average time to remediate, cost-benefit analysis vs traditional pentesting, IT staff improvements, maturity of defenses, year-over-year trends, contextualized historical data, and more.

CISOs can also categorize findings and map results to their preferred compliance standards, like HIPAA or PCI-DSS, and industry-accepted frameworks, like MITRE ATT&CK.

Frees up in-house teams

DevOps and SOC teams are swamped. In the context of CI/CD, they don’t have time to deal with new security incidents in production due to a lack of CI/CD security testing.

  • PTaaS gives product owners and developers the ability to test early and often before any new code is launched into production.
  • Furthermore, a specialized PTaaS provider can extend DevOps and SOC capabilities, which in turn frees up in-house teams to focus on their routine activities, work streams, and daily tasks.
  • Meanwhile, the central pentesting team can get their bulk pentesting completed on time without hiring temporary resources.
  • Finally, and most importantly, pentest reports are audit-ready and meet all the requirements set by the Governance, Risk, and Compliance (GRC) department and the CISO.

Provides interactive reporting

Business priorities shift all the time. Organizations should be able to conduct pen testing on demand.

PTaaS leverages enterprise penetration testing teams at scale with in-depth reporting that can be used for both security and compliance validation. This gives organizations the capabilities they need to adapt and scale the business.

Prevents unexpected breaches

Too many organizations treat their quarterly or yearly pen test as a box they need to check off. But waiting until next year’s pen test to uncover new vulnerabilities is dangerous. PTaaS provides continuous security testing and validation, which limits exposure times and closes gaps in the organization’s security infrastructure.

Regularly scheduled PTaaS can help identify and address vulnerabilities before they can be exploited by attackers. Using a third-party provider provides an extra layer of objectivity that strengthens risk management, removes bias, and maintains impartiality throughout the process.

Fulfills multi-test compliance requirements

Keeping up with changing regulatory and compliance requirements, like PCI and HIPAA, is extremely difficult. Central pentesting teams are constantly on deadline. If their roster of trusted pen testing vendors is booked out a year in advance, the risk of non-compliance arises.

Continuous testing makes it easier to meet regulatory requirements, especially with comprehensive reporting that allows teams to generate a report or attestation quickly and seamlessly for all stakeholders, including auditors, directors, and board members.

Provides cost-effective testing for IT Operations

Security is expensive. Good security is cost-effective. PTaaS can save the business time and resources, which in turn reduces downstream risks for the entire security program. Continuous testing enables the organization to collaborate with the work streams involved. This type of DevSecOps approach helps those working on the frontlines in IT operations get their jobs done smoothly and efficiently.

By proactively reducing the likelihood that security professionals will have to triage preventable security incidents that could have been discovered during code testing, organizations save time and money in the short and long run. Utilizing PTaaS can also enhance an organization’s incident response capabilities by providing a realistic testing environment for tabletop exercises.

Augments and extends your staff’s knowledge

Pen testing is a great way for security and IT teams to learn more about the environment they manage. But traditional pen testing is not designed for knowledge transfer. Legacy pen testing vendors offer inconsistent results based on the methodology and technology used, and the human pentester(s) involved.

PTaaS enables the internal team to form a close relationship with security testers, as they receive a consistent level of quality in reporting, security validation, and customer support for remediation.

Mitigates shadow IT

Most enterprise businesses are grappling with shadow IT. Without visibility or a complete asset inventory detailing the organization’s systems, security leaders and the SOC are operating in the dark.

Regularly scheduled pen testing enables the organization to stay on top of security threats before they create problems, quickly responding to vulnerabilities that arise outside the security team’s immediate field of view. This is especially vital for cloud security, as in-house developers may deploy virtual machines and leverage open-source code in rogue, unmonitored cloud environments. With PTaaS, a CISO can log into their portal to gain unparalleled visibility to manage vulnerabilities across their full stack of tested systems within a single pane of glass.

Enables better collaboration

Security requires tight-knit collaboration. Mitigation, triage, and remediation require integrated workflows between stakeholders. Since traditional pen testing is a black box, collaboration is difficult and typically not possible.

PTaaS can improve communication and collaboration between security teams and other departments. With PTaaS, testing status and activities provide real-time and historical data that offer point-in-time context for in-depth analysis.

Offers unlimited re-testing

Legacy penetration testing, which uses central penetration testing teams, suffers from a major problem: once the pen testing team has surfaced a list of vulnerabilities, and the organization has remediated them, internal teams must perform retesting themselves. Teams that lack the time or resources to conduct retesting are neglecting this vital practice.

With PTaaS, an internal security team member can retest a patch to validate it’s working. If the patch fails, the SOC can send a remediation ticket for their DevOps team directly from the client portal. A trusted PTaaS provider can integrate remediation using their client’s preferred ticketing system.

Adapts to your organization’s maturity model

A startup and an enterprise corporation have entirely different security testing needs. While that seems intuitive, it’s an often-overlooked challenge for companies choosing a security vendor. Smaller companies ultimately must choose a new vendor as they scale.

But onboarding new pen testers can be costly and time-consuming – and they may introduce new risks or threats if not onboarded correctly or given excessive permissions.

PTaaS adapts as the company matures. Start with basic external testing and work towards full-scope red team exercises with a proven provider.

Enable Centralized Pentesting Teams with PTaaS from BreachLock

The threat landscape is evolving at an unprecedented speed. Threats can now take down an enterprise faster than ever before. Enterprise penetration testing needs to evolve to enable centralized pentesting leaders to proactively test their defenses and stop preventable breaches before it’s too late.

Unfortunately, a lot of organizations are deprioritizing cybersecurity without even realizing it. They believe security is a one-and-done approach rather than a continuous process. Executives either invest in a single tool or platform that they leave untouched for years, or they layer on tool after tool until they have too many vendors to track.

At the same time, the attack surface is growing daily. Customers and employees expect robust digitization. But digitization requires digital transformation – which introduces opportunities and challenges for any organization.

The more software and hardware you build or buy, the more that’s required to secure your assets.

Fortunately, there are a few simple steps the modern CISO can take to accelerate their penetration testing program and secure the enterprise against preventable security breaches.

Enterprise Penetration Testing Step Diagram

Discover Penetration Testing as a Service from BreachLock

BreachLock offers the world’s first full-stack penetration testing as a service solution that covers all attack surfaces, including networks, cloud and multi-cloud environments, web apps, internal and external networks, APIs, internet of things (IoT), and social engineering. With a global team of security researchers and enterprise clients around the world throughout all industries, BreachLock offers Enterprise CISOs a streamlined solution to conduct penetration testing and security validation for all their digitally connected systems delivered in half the time at half the cost of alternative pentesting solutions. For more information, visit www.breachlock.com

Sources

  1. Consumers Want Better Personal Data Security. (2022, June 7). PYMNTS.com. Retrieved March 6, 2023, from https://www.pymnts.com/fraud-prevention/2022/the-data-point-consumers-want-better-security-for-their-in-demand-personal-data/
  2. Turton, W., & Mehrotra, K. (2021, June 4). Colonial Pipeline Cyber Attack: Hackers Used Compromised Password. Bloomberg.com. Retrieved March 6, 2023, from https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
  3. Newman, L. H. (2023, January 6). Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You. WIRED. Retrieved March 6, 2023, from https://www.wired.com/story/twitter-leak-200-million-user-email-addresses/
  4. Sinha, S. (2022, May 18). State of IoT 2022: Number of connected IoT devices growing 18% to 14.4 billion globally. IoT Analytics. Retrieved March 6, 2023, from https://iot-analytics.com/number-connected-iot-devices/
  5. Goodin, D. (2023, February 28). LastPass says employee’s home computer was hacked and corporate vault taken. Ars Technica. Retrieved March 6, 2023, from https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
  6. BreachLock. (2022). Annual Pen Test Report. Retrieved from https://downloads.breachlock.com/annual-pentest-report/
