Having sold and performed assessments and pentests for nearly 20 years, I’ve had plenty of opportunities to hone my strategy and messaging. One common challenge I hear is, “our Board of Directors requires us to rotate vendors” or “our examiner wants us to get a new set of eyes”. This article will explain why I think that could be a big mistake.
Let’s first assume that you’ve done your due diligence and selected a qualified pentest firm with experienced consultants who deliver actionable advice. You probably tried several firms before finding the one that best fits your company’s needs. So why change pentest providers once you’ve found the right one? Below are my practical responses to these well-intended practices.
We Need to Rotate Pentest Firms
While there could be worthy arguments for rotating pentesters, rotating pentest firms is risky. If you’ve found a great provider, continue to build that partnership rather than taking on the risk of starting over with a new firm each year. A good pentest firm can ensure depth and consistency, and it may even help get you out of a jam. By depth, I mean that pentesters thrive and do their best work when they collaborate with a team. There’s too much research, too many blogs, and too many tweets for any one person to keep up with everything. When your pentester is part of a team, you get the combined value of that team. A good pentest firm will also hire and retain enough experienced pentesters that you don’t need to worry about who is assigned to your next engagement.
Consistency is important because a good firm can offer you new pentesters over time while using the same metrics for assessing and reporting risk. The pentest firm owns the reporting and finding templates and ensures that every member of the pentest team meets a standard of excellence. Using the same firm for multiple engagements also allows prior notes and findings to be handed off to the next consultant, making subsequent tests more efficient and letting them start from the previous test’s attack surface and open findings instead of from scratch. At SynerComm, we’ve also come to the rescue and helped numerous clients get out of a jam or fill a last-second request because of the partnerships we’ve built. It helps to know who you’re going to call when you need help.
We Need a New Set of Eyes
This (perhaps poor) advice hinges on the assumption that your current pentester is missing something or will fail to report a vulnerability in the future. If you think that’s the case, it’s probably time to find a better pentesting partner. The reality is that good pentesters are always researching the latest vulnerabilities and integrating them into their testing methodologies. When a pentester is part of a team that collaborates and shares knowledge, the thoroughness and capability of the whole team grow much faster than any individual’s could. If you need a new set of eyes, you really only need a pentest firm with enough qualified and experienced pentesters to rotate consultants over time.
That said, I can make strong arguments for using the same pentester several years in a row. Much like an attorney, doctor, or accountant, your pentester should quickly earn a position of high trust. It’s their job to become intimately familiar with your information security strengths and weaknesses. Having the same consultant on a series of engagements is more efficient because they can build on their prior understanding and pick up where they left off. This allows more depth and more breadth in subsequent projects. It’s common for SynerComm’s clients to request that the same pentester be assigned to multiple engagements, especially for our adversary simulation services (see the note at the bottom).
Our Policy Requires Us to Change Vendors
Standards and policies are important right up until they start providing bad guidance. For over 20 years, password aging (expiring passwords after a set period) was considered an important security control. Despite mounting evidence to the contrary, widely followed standards, NIST’s included, kept stating that passwords should expire after 90 days; NIST did not reverse that position until the 2017 revision of SP 800-63B, which now advises against forcing periodic changes. For years companies and government agencies required users to change their passwords frequently, and the result was weaker, more predictable passwords (incremented digits, the current season and year) that are easier to guess. My point is that if you’re only switching vendors because a policy says to, this is a good time to reassess that policy. For all the reasons described above, most companies will make the greatest security improvements by partnering with a great firm staffed with great people.
TL;DR
The next time your policy, board of directors, or examiner tells you to rotate vendors, start a conversation about effective risk management. Finding a great pentesting partner is hard, and there is far greater risk in changing firms than in sticking with a partner you can trust. A good firm should have sufficient staff and work history to give you a new set of eyes without losing consistency or efficiency. Imagine how much more you can accomplish each year when you’re not interviewing several new vendors, negotiating new contracts, going through legal reviews, and onboarding new vendors. Just like your attorney or accountant, partner with a firm you can trust to deliver consistent, high-quality engagements over time.
A Note on Adversary Simulations (AdSim): SynerComm uses the term adversary simulation to describe a unique pentesting service we provide to clients. Rather than only delivering a written report, SynerComm’s pentesters give live demonstrations of common attacks on the client’s network. Our adsim sessions are fully collaborative between the client’s defenders and our pentesters: both sides share their screens and ask questions. Our pentesters show how the attack tools work, and the client’s team shows whether their controls generated the expected logs and alerts. When controls fail to detect or prevent an attack, the adsim can be rerun to retest them once they have been tuned or corrected. The adsim also provides invaluable training for defensive teams, who get to see what their controls look like when detecting real attacks.
Our first adsim is always a “pentest replay”, meaning its content is based on lessons learned from a recent external-to-internal penetration test. The focus is on the command-and-control, privilege-escalation, and lateral-movement techniques that were actually used, so the session is always specific to the last pentest. The adsim highlights both the attacks that were prevented and those that weren’t. Following an initial pentest replay adsim, many clients schedule additional adsim sessions to evaluate their controls against specific threats and APT tradecraft.
For more information, check out https://www.synercomm.com/cybersecurity/adversary-simulation/