His confusion was understandable and, in fact, is common among many of the IT professionals I encounter in my work as a CDW security solution architect. I’d like to take a moment to clarify the differences between three different security assessment services: vulnerability scanning, penetration testing and red teaming. Each of these plays a different role in the security professional’s arsenal and can be tailored to the specific needs of any organization.
You can think of these services as forming an inverted funnel. Vulnerability scanning sits at the top of this funnel, with a very broad scope but shallow depth. Penetration testing dives deeper into an organization’s vulnerabilities while still remaining somewhat broad. Red teaming, on the other hand, is a depth-first approach, diving very deeply into specific issues but sacrificing breadth. Let’s explore each one of these.
Vulnerability scanning uses automated tools to rapidly scan an organization’s IT environment for vulnerabilities. Scanners rely on a database of known issues and probe networked systems and applications for the presence of these issues. At the conclusion of the scan, the client receives a report that lists all of the vulnerabilities the scanner detected. This approach is fast and inexpensive, but it may produce false-positive findings that require further investigation. I usually recommend that my customers configure these automated scans to take place on a weekly basis, reporting the new vulnerabilities that arise each week.
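As an added illustration of the weekly delta reporting described above (example code written for this discussion, not CDW’s own tooling), here is a small Python script that compares two constructed scan reports, suppresses findings an analyst has already validated as false positives, and lists what is new, resolved and persisting. The hosts, plugin identifiers and severities are constructed sample values.

```python
"""Weekly vulnerability-scan delta: what changed since last week's scan?

Hypothetical, constructed example. Findings are keyed by (host, plugin_id),
the way most scanners identify a detected issue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str   # scanner's identifier for the known issue
    severity: str    # "critical" | "high" | "medium" | "low"


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample reports: last week's scan and this week's scan.
LAST_WEEK = {
    Finding("10.0.0.5", "SSH-WEAK-CIPHERS", "medium"),
    Finding("10.0.0.5", "TLS-1.0-ENABLED", "high"),
    Finding("10.0.0.7", "SMBV1-ENABLED", "critical"),
}
THIS_WEEK = {
    Finding("10.0.0.5", "SSH-WEAK-CIPHERS", "medium"),
    Finding("10.0.0.7", "SMBV1-ENABLED", "critical"),
    Finding("10.0.0.9", "OUTDATED-OPENSSL", "critical"),
}

# (host, plugin_id) pairs an analyst already investigated and ruled out.
KNOWN_FALSE_POSITIVES = {("10.0.0.5", "SSH-WEAK-CIPHERS")}


def weekly_delta(previous: set, current: set, false_positives: set) -> dict:
    """Split findings into new / resolved / persisting, most severe first,
    after dropping items previously validated as false positives."""
    def triage(findings):
        return {f for f in findings if (f.host, f.plugin_id) not in false_positives}

    prev, cur = triage(previous), triage(current)
    order = lambda f: (SEVERITY_RANK[f.severity], f.host, f.plugin_id)
    return {
        "new": sorted(cur - prev, key=order),        # needs attention this week
        "resolved": sorted(prev - cur, key=order),   # fixed since last scan
        "persisting": sorted(cur & prev, key=order), # still open, track ageing
        "suppressed": len(current) - len(cur),       # known false positives hidden
    }


if __name__ == "__main__":
    delta = weekly_delta(LAST_WEEK, THIS_WEEK, KNOWN_FALSE_POSITIVES)
    for bucket in ("new", "resolved", "persisting"):
        print(bucket, [(f.host, f.plugin_id, f.severity) for f in delta[bucket]])
    print("suppressed false positives:", delta["suppressed"])
```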
Penetration testing begins with vulnerability scanning, but goes deeper by using human security experts to validate the results of the scan. These experts play the role of an attacker and attempt to exploit the vulnerabilities detected during the scan to verify that they actually exist. These simulated attacks provide deeper insight into your organization’s security posture and also serve as a test of your existing security controls. I advise my clients to conduct penetration tests on a periodic basis ranging from annually to quarterly, depending on the size and complexity of the organization.
Red teaming is the most sophisticated type of security assessment, and I generally recommend it only for organizations with a high level of cybersecurity maturity. Red team testers take a specific threat actor that is targeting an industry and emulate its style to launch a narrowly focused attack against the target organization. This tests the cybersecurity team’s ability to rapidly detect and monitor the attack and provides insight into the organization’s defensive posture. I normally recommend that mature security teams conduct red teaming exercises on an annual basis, or as needed to assess and benchmark their capabilities.
Vulnerability scanning, penetration testing and red teaming each play a vital role in an organization’s security program. It’s important that technology leaders understand the different roles they play so they may combine them in the manner most effective for their organizations.