How Cybersecurity Best Practices are Evolving to Manage Ongoing Threats

Author: Joe Cortese, Technical Knowledge Leader and Research and Development Director
Date Published: 16 October 2023

Editor’s note: The following is a sponsored blog post from A-LIGN.

Maintaining a strong cybersecurity posture is an ongoing effort and not something you can truly ever check off your to-do list. It’s more than just adhering to a framework or purchasing and deploying security endpoint solutions: threat actors are constantly evolving and finding ways to work around those existing controls and endpoint security solutions.

Pursuing an active and continuous approach to finding and addressing evolving threats is critical. While this is not a new concept, we’ve recently seen popular cybersecurity standards and best practices evolve to acknowledge and account for ongoing threat intelligence.

Standards and best practices are shifting focus to encourage organizations to:

  • Gather information about ongoing threats
  • Develop a plan for how information is analyzed and used internally
  • Regularly evaluate new tools and processes to address security gaps as a response to threat trends and observed tactics

To stay ahead of the curve, take note of changes and create processes to manage ongoing threats.

ISO 27001

ISO 27001 is the world’s leading information security standard and a good example of a standard that is being updated to address changing security threats. The newest version of ISO 27001, introduced in 2022, includes an entirely new control on threat intelligence (ISO 27001 Annex A 5.7 / ISO 27002:2022 Clause 5.7, Threat Intelligence).

This control requires organizations to continually gather and analyze information about security threats to proactively mitigate risk.

It’s a relevant change that represents how ISO and other leading voices in cybersecurity are addressing exposure. It speaks to the idea that threats are ever evolving. Reducing risk is a continuous process, not a “one-and-done” task.

OWASP Top Ten

The OWASP (Open Source Foundation for Application Security) Top Ten is an awareness document for application developers that addresses threats to application security. Developers use it, and it is also heavily referenced when building penetration testing models, which simulate breach tactics to discover vulnerabilities within an organization’s systems and processes. Many security tools, such as static code analysis tools, use rule sets that reference the OWASP Top Ten.

An update introduced a new category: Insecure Design. This category focuses directly on architectural flaws within applications and calls for more use of threat modeling, secure design patterns, and secure reference architectures.

OWASP describes secure design as “a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods. Threat modeling should be integrated into refinement sessions (or similar activities); look for changes in data flows and access control or other security controls.”

The description touches on the idea of constant threat evaluation. Similar to the update we saw in ISO 27001:2022, the goal of this new category in OWASP Top Ten is to raise awareness about the importance of proactive threat management.

How to Protect Your Organization

Whether you are setting up an information security management system using the ISO 27001:2022 standard, testing your applications against the OWASP Top Ten, or doing something else entirely, integrating a function that evaluates ongoing threats to your organization is critical. Attackers constantly change their tactics, and a single audit (or a yearly penetration test) is simply not enough to identify all weak points, because it does not account for what changes after the audit or test.

These standards and checkups should be considered a foundation upon which to build. It’s best to integrate a robust strategy that combines adherence to the leading cybersecurity standards, ongoing penetration testing (at least once per quarter), and a culture of proactive threat analysis and management.
