
Security as a competitive advantage: evolving with the threat environment

Does your contact center have an AI assistant? Does the provider of your call center AI assistant perform independent third-party audits for more than five different security compliance frameworks? Do they patch vulnerabilities like the HTTP/2 Rapid Reset attack within four hours of patch release? Do they go beyond the standard penetration test and have their security and detection capabilities battle-tested by sophisticated and determined attackers, such as a red team?

If not, your organization’s security may be vulnerable—that’s a bigger (and more costly) problem than ever before.

Third-party risk management: Quantifying the importance

With Verizon referencing 953,894 incidents and 254,968 data breaches in their new annual Data Breach Investigations Report (DBIR) and IBM reporting a new all-time high of $4.45M for the average cost of a data breach—increasing 5% year-over-year since 2020—it’s clear that security is growing increasingly vital in third-party risk management.

Verizon additionally reports that the mean time to patch critical vulnerabilities is 49 days, and that number has barely changed in recent years. For reference, Cresta aims to fix critical vulnerabilities much faster: we patched the HTTP/2 Rapid Reset attack in less than 4 hours following patch release. This is to say, a seven-week wait time to patch critical vulnerabilities may be standard, but it’s not unavoidable; there are key steps that can be taken to drive security and compliance above and beyond the standard measures.

Taking security to the next level

In the current environment where costly data breaches proliferate and critical vulnerabilities take a month or more to address, security and compliance efforts beyond third-party audits, penetration tests, code/design reviews, vulnerability scans, phishing tests, security awareness training, patch management, and the like are required to adequately protect customer data. Most companies still rely exclusively on tightly scoped and time-boxed penetration tests to evaluate the security posture of their products.

Unfortunately, nothing is “out of scope” for sophisticated attackers, and determined threat actors do not set a time-boxed attack window for themselves. Penetration testing is like boxing, whereas red teaming (engaging a team of determined attackers to simulate malicious actors and test security) is like mixed martial arts.

With this in mind, Cresta engaged Calif.io for an objective-based assessment (a red team engagement) to battle-test our defenses against realistic, determined attackers.

Cresta’s commitment to security in action

Cresta’s red team engagement with Calif.io ran over six weeks, and nothing was off limits. It included a real-world simulation by experienced, competitive, award-winning attackers (Pwn2Own & Pwnie Award winners).

Calif left no stone unturned and numerous attacks surfaced over multiple weeks. After three weeks of unsuccessful attempts, an initial foothold was gained by determining a password used in the staging environment. Our security team was able to detect Calif’s access to our infrastructure in less than 24 hours.

According to IBM’s Security® Cost of a Data Breach Report 2022, it takes 207 days on average to identify a compromise. We were pleased to see our detection capabilities vastly outperforming the industry standard, but that was just the beginning.

Immediately after receiving the report, we mitigated the kill chain and started implementing additional hardening measures. We removed the initial access vector and added additional controls to prevent and detect similar attempts.

The red team engagement provided us with invaluable insights to further harden our environments against determined threat actors. The exercise allowed us to test and improve not only our security posture as a company but also our detection capabilities.

Cresta believes in security as a competitive advantage; in an increasingly dangerous threat environment, we aim to continue pushing the standards to innovate and protect our customers. As you engage in any vendor selection process, be sure to ask about their security measures and choose a provider who demonstrates a clear commitment to security.

Authors: Robert Kugler, Brooks Beverstock

November 21, 2023
