As a managed security service provider (MSSP), you are probably offering your clients managed firewall, intrusion detection, virtual private network, vulnerability scanning, antivirus services, 24/7 SOC, and much more. But most of your clients probably also need an annual penetration test, which can be manpower-intense, expensive, and an overall headache for you as the MSSP.
Penetration tests do more than keep your clients compliant. They check for vulnerabilities and misconfigurations in your clients’ environments that your team may be blind to as the defensive side of their security. Because your team is creating the defense, it is important to have a third party conduct the offense.
However, at the end of the day, compliance is probably the number one concern for most clients, so let’s look there first.
Organizations such as governments, law firms, hospitals, banks, financial firms, and many more are required to secure their data and assets from malicious hackers by following a framework. There are several frameworks that companies follow depending on their unique requirements, as shown below:
Some of these compliance frameworks are fairly lengthy and can span several hundred pages of documents. The table below highlights some of the sections pertaining to the vulnerability management and penetration testing side of the compliance framework.
|SOC2||CC3.2||The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.||Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity’s risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity’s information systems.|
|SOC2||CC4.1||COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.||Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications(for example, ISO certifications), and internal audit assessments.|
|SOC2||CC7.1||To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.||Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.|
|HIPAA||Risk Analysis||Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.|
|NIST||CA-8||The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].||The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. Supplemental Guidance: Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing.|
|NIST||RA-5||a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;|
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
|(1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / (3) VULNERABILITY SCANNING | BREADTH / DEPTH OF COVERAGE (4) VULNERABILITY SCANNING | DISCOVERABLE INFORMATION (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS (6) VULNERABILITY SCANNING | AUTOMATED TREND ANALYSES (7) VULNERABILITY SCANNING | AUTOMATED DETECTION AND NOTIFICATION OF (8) VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS (9) VULNERABILITY SCANNING | PENETRATION TESTING AND ANALYSES (10) VULNERABILITY SCANNING | CORRELATE SCANNING INFORMATION|
As shown, most major compliance frameworks require some sort of vulnerability management, vulnerability assessment, or penetration testing to be in compliance. This type of testing is used to uncover potential vulnerabilities, misconfigurations and other security holes within the target environment so they can be properly patched and fixed.
Red Sentry for MSSPs
Red Sentry is a next-gen automated vulnerability management/penetration testing platform used to uncover exploits 24/7, 365. As an MSSP, you can use Red Sentry to satisfy the vulnerability scanning/pentesting portion of a compliance framework. You can even take it a step further by enabling continuous scanning, essentially giving customers year-round security instead of the traditional pentest which is typically performed once a year.
What’s better than the compliance and frequency is the ROI. If you currently do penetration testing for your clients in-house, you’re probably using a lot of manpower. If you’re outsourcing them, it is expensive. Because our platform is automated and continuous, your clients will pay less for unlimited continuous penetration tests than they would for that one-time annual test for compliance. So whether you are reselling the penetration test to your clients or offering it as part of your security package, the return on investment is a no-brainer.
To get started, all you have to do is type in a domain, IP, or CIDR range and the platform will take care of the rest. We completely automate the reconnaissance, fingerprinting, and exploitation phase of a security assessment, allowing you to focus on other things.
Red Sentry is scalable, automated, agentless, easy, and can be used to help meet your clients’ compliance requirements, while offering you a huge return on investment at the same time. Instead of wasting time and money, you can click a button and have a penetration test in 30 minutes. If you would like to see a demo of our platform, please reach out to [email protected].