Trust but verify is an age old security adage.
An adage passed down from the original cavemen security engineers, whose passwords were series of grunts, data storage was drawings on cave walls, and threat hunting involved literal mammoths.
It is a principle that drives a huge number of security policies within a modern organization.
Here's a few examples of how this principle is implemented today:
When we work with vendors, we trust that they are doing the right things.
But we still put legal clauses in place, vet their security controls, and follow up with them regularly to ensure compliance.
When we work with development teams, we trust that they are building secure services and applications that won't have vulnerabilities.
But we still integrate security experts throughout the development lifecycle, specify security requirements, perform security unit tests as well as source code analysis, vulnerability scanning, and even penetration testing.
When we implement a new automated process that will improve our efficiency and work quality, we trust that it won't be compromised to perform malicious activities or to access unauthorized resources.
But we still configure the process with the minimum permissions necessary, give it a secure password, and monitor its activity to ensure expected behavior.
The same principle applies to our security controls.
The question, though, of course is...
How do we validate security controls?
Security controls are designed to detect malicious traffic and hacking attempts. So, naturally, that is how we test them.
This type of traffic can come from penetration testing, targeted vulnerability scanning, or other automated tools designed for this purpose.
At Craft Compliance, we actually built one such tool—a Splunk app called Purple Yenta.
It automatically generates hacking traffic using the free tool nmap and then compares that traffic against expected security monitoring logs to identify gaps in security coverage.
Feel free to reach out to us on our contact page if you have questions about testing your security controls.
As they say, trust but verify.