
Who is this blog for?

This blog is for professionals who want to learn how to prevent security drift. Security drift is the gradual erosion of an organization’s security posture over time, due to changes in the IT environment, new threats, and human error. 

Even though organisations have security measures in place, this blog from our technology partner Cymulate highlights the need for ongoing monitoring to prevent security drift and potential breaches. Continuous Security Validation (CSV) can help prevent security drift by continuously testing an organization's security controls.

This blog discusses the importance of CSV and how it can be used to prevent security drift. 

Read time: 2 minutes 30 seconds 

American visionary computer scientist, Alan Curtis Kay, once said, “The best way to predict the future is to invent it.” 

This statement holds true today as IT infrastructures continue to expand and evolve rapidly. They now routinely span multiple data centres, workforces, and clouds, and interact with numerous third-party software suppliers.

This results in a need for regular adjustments to support internal users and enable product improvements. Ad-hoc updates can create inconsistencies within or between technology systems. When those result in system failures or outages, they are noticed immediately, and the IT team scrambles to fix them as rapidly as possible to minimize the related costs.

However, what is typically missed is the not-yet-exploited threat exposure that sneaked in unnoticed and is likely to remain unnoticed until a cyber attacker uses it to launch a successful attack.

Spotting a Security Drift in Time

One way a security drift goes undetected is when it hides behind a misplaced sense of security that relies on last quarter's penetration test results, which leads to complacency. Another main avenue for security drift is the emergence of a new type of attack that EDR (Endpoint Detection and Response), gateways, and firewalls may not detect until it is identified and their databases are updated, leaving infrastructures unprotected in the interim.

But the main source of emerging security drift is some minor oversight by the IT team during routine tasks or configuration changes due to modifying ongoing projects or launching new ones.

To protect its infrastructure against these hidden risks, shifting from protecting against known risks to identifying exposure is a best-practice approach now recommended by Gartner as Continuous Threat Exposure Management.

At Cymulate customer success, we often see first-hand how newly emerging exposure can be spotted and mitigated in quasi-real time by applying continuous security validation methods such as Breach and Attack Simulation (BAS). BAS allows organizations to consistently ensure that their security controls are efficiently configured and capable of effectively protecting the organization.

Contrary to traditional security assessments that aim at finding one way to break in and progress within an infrastructure, Continuous Security Validation (CSV) methods do not identify security gaps only once; they also keep evaluating the resilience of the live operating environment against set security baselines. CSV's goal is to ensure that detection and response mechanisms are effective and to avoid unnoticed security drift by continuously challenging the security controls' efficacy. This monitors security not from an operational point of view, but from an efficacy verification perspective.

Instead of talking about the theory, let’s have a closer look at a recent example from an anonymized Cymulate customer.

Examples of Security Drift

Web Gateway

In this example, we will look at an investment company located in EMEA and employing 1,200 people.

The organization initially used Cymulate BAS to establish a baseline that blocked all file downloads. Once that phase was completed, the organization switched to weekly assessments that continuously validated that their security controls remain effective.

One of these weekly assessments registered an unexplained spike in the web gateway’s risk score, from 0 to 100.

The subsequent investigation uncovered that a separate project run by the IT department was at the root of this sudden risk score spike. In order to run one of their projects, the IT team had modified the file download policy on the web gateway, allowing all users in the organization to openly download files, causing a significant risk to the organization.

SIEM 

The second example is taken from a manufacturing EMEA company with 7,000 employees.

This manufacturer runs two network environments – IT and OT. 

In both environments, a local endpoint security management server forwards all the logs and events to the organizational SIEM (Security Information and Event Management) solution.

To validate both endpoint security posture and detection rate, the organization had set up a weekly endpoint security assessment with SIEM integration enabled, which worked seamlessly for months.

Then, suddenly, the SIEM events/alerts stopped appearing in the OT environment's assessments.

The security analysts investigated the reasons behind this unintended silence. They discovered that the IT security team had upgraded the endpoint security server in the OT environment to a new one. Though this upgrade was planned and approved, the IT security team had forgotten to configure the new server to send SYSLOG events to the SIEM, effectively blinding the SIEM to any event, intrusion or otherwise, across the entire OT environment.

Those two cases exemplify the myriad ways in which normal, well-intentioned activities in an organization can affect infrastructure security and, in the absence of continuous security validation, lead to unnoticed security drift.
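The two cases above share one mechanism: a weekly assessment is compared against a previously established baseline, and a deviation (a risk score jump, or an environment that has gone silent in the SIEM) is what surfaces the drift. The following Python script is an added example of that comparison logic, not Cymulate's code; the assessment structure, thresholds and sample figures are constructed assumptions modelled on the web gateway and SIEM stories in this post.

```python
"""Drift check between a baseline assessment and the latest weekly run (added example)."""
from dataclasses import dataclass


@dataclass
class Assessment:
    """One validation run (constructed shape, not a vendor format).
    risk_scores: control name -> risk score, 0 (all blocked) to 100 (nothing blocked).
    siem_events: environment -> number of simulated attacks that surfaced in the SIEM.
    """
    risk_scores: dict
    siem_events: dict


@dataclass
class Finding:
    control: str
    detail: str


def detect_drift(baseline: Assessment, current: Assessment,
                 spike: int = 20, drop_ratio: float = 0.5) -> list:
    """Return findings where the current run deviates from the baseline.

    spike: risk score increase (in points) that counts as drift.
    drop_ratio: SIEM event count below baseline * drop_ratio is a warning; zero is a blind spot.
    """
    findings = []
    for control, base in baseline.risk_scores.items():
        now = current.risk_scores.get(control)
        if now is None:
            findings.append(Finding(control, "control absent from current assessment"))
        elif now - base >= spike:
            findings.append(Finding(control, f"risk score rose from {base} to {now}"))
    for env, base_count in baseline.siem_events.items():
        now_count = current.siem_events.get(env, 0)
        if base_count > 0 and now_count == 0:
            findings.append(Finding(f"siem:{env}", "no events reached the SIEM; check log forwarding"))
        elif now_count < base_count * drop_ratio:
            findings.append(Finding(f"siem:{env}", f"events fell from {base_count} to {now_count}"))
    return findings


# Constructed sample data mirroring the two cases: the gateway policy change and the OT server swap.
BASELINE = Assessment(risk_scores={"web_gateway": 0, "endpoint": 10}, siem_events={"IT": 42, "OT": 37})
WEEK_N = Assessment(risk_scores={"web_gateway": 100, "endpoint": 12}, siem_events={"IT": 40, "OT": 0})

if __name__ == "__main__":
    for f in detect_drift(BASELINE, WEEK_N):
        print(f"DRIFT {f.control}: {f.detail}")
```

A run with the constructed data reports the gateway jumping from 0 to 100 and the OT environment sending nothing to the SIEM, while the small changes in the other figures stay below the thresholds.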

“These are great examples of how continuous security validation processes are effective in drawing attention to newly appearing security drifts and help fix them in time to pre-empt breaches,” notes Keith Archer, Commercial Director ‑ Babble Defence. “To keep ahead of cyber-attacks, it’s vital that IT departments move from relying on out-of-date security test data to ongoing monitoring.” 

This blog was written and shared by Cymulate and originally published on their website on 23 March 2023.