April 7, 2020
A Large Financial Institution Needed More Than Traditional Penetration Testing


A prominent mortgage company worked extensively to establish a well-secured environment so it could ensure protection of its client data, reputation and overall brand. Not only did the company understand the value of—and want to perform—standard penetration testing, but it also needed a better way to understand how its controls and countermeasures were performing. The additional request was prompted by company executives and board members who asked for proof that their cybersecurity investments were effective.


At the time the company engaged CBI’s Advanced Testing Services (ATS) team, CBI had recently evolved its methodology to perform more than just traditional penetration testing. The company agreed with CBI that “the days of only identifying and exploiting vulnerabilities as part of a penetration test were over.” CBI worked collaboratively with the company to better evaluate and enhance the effectiveness of its controls. CBI relied on the improved methodology to identify significant gaps in both the company’s endpoint security product and its SOC capabilities.


Working alongside key stakeholders and SOC resources during the entire engagement, CBI helped the company enhance its overall awareness of advanced malicious techniques and tactics. CBI’s improved methodology allowed the company to showcase detailed control-effectiveness metrics in the report, which was based on the MITRE ATT&CK framework. The comprehensive report armed the company’s CISO with the quantitative data needed to demonstrate to the board of directors where investments were most and least effective. The company now had visibility into its cybersecurity spend, allowing it to make cost-saving and security-enhancing changes wherever needed.
