How security theater misses critical gaps in attack surface and what to do about it

You can see the classic ‘security theatre’ (yes, UK spelling) any day at an airport near you. Most of what you see makes little difference to your safety but is designed to reassure travellers. I’ve had discussions with CISOs who want tools that show how ‘compliant’ they are in reports to the board. While I’ve come at the problem from the angle of IT asset management, particularly the discovery of unknown or misconfigured assets, they’ve often been looking instead for platforms that measure the performance of everything they already know. That’s a good example of security theatre…:

[…] Even well-established practices such as penetration testing, vulnerability assessment and security ratings result in security theater because they revolve around what is known. To move beyond theatrics into real effectiveness, security teams need to develop new processes to uncover the unknowns that are part of their IT ecosystem. That is exactly what attackers target. Few organizations are able to do this type of discovery and detection today. It is not viable, either because of the existing workload or because of the level of expertise needed to do a complete assessment. In addition, it is common for bias based on the pre-existing perceptions of the organization’s security posture to influence the search for the previously unknown.

The process of discovering previously unknown, exposed assets should be done on a regular basis. Automating this process—particularly due to the range of cloud, partner and subsidiary IT that must be considered—makes it more viable. While automation is necessary, it is still important for fully trained researchers to be involved to tune the process, interpret results and ensure its proper scope.
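The quoted passage describes the discovery loop in the abstract. As an added example (not code from the original post or from any product it alludes to), here is the core of such a loop in Python: take hostnames seen in certificate-transparency results, keep only those inside the organisation's domains, diff them against the asset register, and flag the findings an analyst would want to look at first. Everything below is constructed: the domain, the inventory, the CT entries (shaped like crt.sh `name_value` fields) and the DNS answers are made up, and in a real run the CT and DNS lookups would be live queries rather than dictionaries.

```python
import re

# ---- constructed sample data: not real organisations, hosts or logs ----
ORG_DOMAINS = {"example.com"}

# What the asset register claims exists (hostname -> owner tag).
KNOWN_INVENTORY = {
    "example.com": "prod-web",
    "www.example.com": "prod-web",
    "api.example.com": "prod-api",
    "vpn.example.com": "corp-it",
}

# Shaped like certificate-transparency search results: one entry per
# certificate, subject names newline-separated as crt.sh returns them.
CT_ENTRIES = [
    {"name_value": "example.com\nwww.example.com"},
    {"name_value": "api.example.com"},
    {"name_value": "*.example.com"},
    {"name_value": "staging-old.example.com"},
    {"name_value": "example.com.attacker.net"},   # lookalike, out of scope
]

# Constructed DNS answers; a name absent here does not resolve.
DNS_ANSWERS = {
    "example.com": {"A": ["203.0.113.10"]},
    "www.example.com": {"A": ["203.0.113.10"]},
    "api.example.com": {"A": ["203.0.113.11"]},
    "staging-old.example.com": {"CNAME": ["app-7f3a.paas-provider.example.net"]},
}

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def in_scope(hostname, org_domains):
    """Label-aware suffix match: 'a.example.com' is in scope,
    'example.com.attacker.net' and 'notexample.com' are not."""
    parts = hostname.split(".")
    if not all(LABEL.match(p) for p in parts):
        return False
    for dom in org_domains:
        dparts = dom.split(".")
        if parts[-len(dparts):] == dparts:
            return True
    return False


def names_from_ct(entries, org_domains):
    """Return (concrete names, wildcard names) that fall inside org_domains."""
    concrete, wildcards = set(), set()
    for entry in entries:
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                # A wildcard cert is itself a finding: it hides which
                # hosts really exist and widens the blast radius of the key.
                if in_scope(name[2:], org_domains):
                    wildcards.add(name)
                continue
            if in_scope(name, org_domains):
                concrete.add(name)
    return concrete, wildcards


def dangling_cname(hostname, dns):
    """True when hostname is a CNAME whose target has no record at all:
    a candidate for subdomain takeover if the target is a shared platform."""
    rec = dns.get(hostname)
    if not rec or "CNAME" not in rec:
        return False
    return any(target not in dns for target in rec["CNAME"])


def assess(inventory, ct_entries, dns, org_domains):
    """Diff discovered names against the register and group the findings."""
    discovered, wildcards = names_from_ct(ct_entries, org_domains)
    known = {h.lower() for h in inventory}
    return {
        # exposed and certificated, but nobody owns it in the register
        "unknown": sorted(discovered - known),
        "dangling_cname": sorted(h for h in discovered if dangling_cname(h, dns)),
        "wildcard_certs": sorted(wildcards),
        # the register says it exists, yet nothing public backs that up
        "known_without_footprint": sorted(
            h for h in known if h not in discovered and h not in dns),
    }


if __name__ == "__main__":
    for kind, hosts in assess(KNOWN_INVENTORY, CT_ENTRIES, DNS_ANSWERS, ORG_DOMAINS).items():
        print(f"{kind}: {hosts}")
```

The scope check deliberately compares DNS labels rather than doing a string `endswith`, since a naive suffix match would pull `notexample.com` into scope and the lookalike `example.com.attacker.net` is rejected because its last two labels are not the organisation's. The last finding bucket is the one the passage's point about bias is really about: an entry that exists only in the register is the kind of thing a "measure what we already know" platform reports as healthy.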


