Trustwave Managed Security Testing
Identify Vulnerabilities Before an Attacker Does
DON'T GUESS. TEST.
Trustwave Managed Security Testing reveals your vulnerabilities and alerts you to the consequences of exploitation. Data security teams need to know what they’re protecting and what they’re protecting it from to make good risk management decisions and technology investments. Security testing helps businesses identify their network-connected assets, learn how those assets are vulnerable to attack, and understand what could happen if those assets were compromised.
Businesses use Trustwave Managed Security Testing as a single platform for all of their managed vulnerability assessment, database security testing, network penetration testing, and application penetration testing needs.
WHAT IS PENETRATION TESTING OR "ETHICAL HACKING"?
A penetration test or "ethical hack" evaluates an application's or network's ability to withstand attack. During a penetration test, you authorize an expert (or "ethical hacker") armed with the same techniques as today's cybercriminals to hack into your network or application. Such an exercise will open your eyes to vulnerabilities you didn't know existed and the effects of exploitation.
HOW DOES PEN TESTING DIFFER FROM VULNERABILITY SCANNING?
Vulnerability scanning evaluates a system for potential vulnerabilities or weak configurations, is largely automated and can only ever find a subset of security issues. Penetration testing, on the other hand, is a manual process performed by a human. A penetration tester will use tools as a part of their work, but they apply their human ingenuity to exploit vulnerabilities and illustrate what an attacker might be capable of when targeting a particular system.
Overview:
The right security test at the right time through one vendor without the hassle.
Managed Security Testing from Trustwave SpiderLabs® allows IT and information security teams to take a programmatic approach to vulnerability management through managed vulnerability scanning across databases, networks and applications, as well as, in-depth manual penetration testing of networks and applications.
Now more than ever, businesses realize the need for pro-active security testing, and budgets are increasing as a result. Still, planning for and procuring security testing presents a number of challenges:
- Anticipating future testing needs
- Conducting testing in a timely manner
- Making testing an efficient, business-as-usual initiative rather than an obstacle
- Getting high quality testing across multiple asset types
- Standardizing repeatable testing/reporting across asset types
- Fulfilling compliance requirements
- Effectively managing multiple tests, and re-testing, over the course of the year
Managed Security Testing menu of services
| Managed Scanning | Penetration Testing | ||
|---|---|---|---|
| Databases | Compliance Scanning Best Practices Scanning |
As discovered in penetration testing | |
| Networks | Best Practices Scanning | Internal Network
|
External Network
|
| Applications | Compliance Scanning Best Practices Scanning |
|
|
Four levels of testing
Trustwave SpiderLabs designed four levels of penetration testing to align with four levels of threats to your network. Depending on your budget and the business-value you assign to the assets you intend to test, you will choose one of the following levels of testing for applications or internal or external networks:
| Basic Threat | Simulates the most common attacks executed in the wild today. This class of attacker typically uses freely-available, automated attack tools. | |
| Opportunistic Threat | Builds upon the basic threat and simulates an opportunistic attack executed by a skilled attacker that does not spend an extensive amount of time executing highly sophisticated attacks. This type of attacker seeks easy targets (”low-hanging fruit”) and will use a mix of automated tools and manual exploitation to penetrate their targets. | |
| Targeted Threat | Simulates a targeted attack executed by a skilled, patient attacker that has targeted a specific organization. This class of attacker will expend significant resources and effort trying to compromise an organization's systems. | |
| Advanced Threat | Simulates an advanced attack executed by a highly motivated, well-funded and extremely sophisticated attacker who will exhaust all options for compromise before relenting. |
Benefits:
Keep pace with business demands
Data security leaders know that if security is an obstacle, the business will find ways around it. Trustwave's 2014 Security Pressures Report states that four out of five IT professionals report being pressured to roll out IT projects despite security concerns. Adapt quickly to change and keep up with business demands without leaving security considerations behind. Managed Security Testing's flex-spend model allows you to earmark budget for testing, and then consume testing funds at a moment's notice.
Make budget planning easier and operationalize testing costs
Many IT security professionals know that they will need security testing throughout the year, but not exactly how much. Managed Security Testing's pre-scoped scans and tests, cost transparency and flex-spend consumption model make planning easier and more precise. You define your security budget and then allocate it as you see fit. With quarterly payments, penetration testing becomes a predictable operating expense that can be built into your budgets.
Get testing right when you need it, minus the hassle
Avoid lengthy negotiations and contracts held up in legal with Managed Security Testing's flex-spend model. Enroll a target in testing in minutes and schedule a test with just two weeks' lead time in fewer than five clicks.
Re-test and validate fixes at no extra cost
Maintenance tests included with any penetration test will re-evaluate findings, wherever possible, to provide evidence of remediation and mitigation actions and support fulfillment of compliance requirements.
Standardize scalable, repeatable scanning and testing
You'll know exactly what to expect from Managed Security Testing across your databases, networks and applications with clear pricing and pre-defined scoping. Consolidate management and reporting with a single pain of glass, rather than juggling multiple inconsistent report formats and tracking spreadsheets.
Establish or maintain compliance
Standards, such as the PCI DSS, require vulnerability scanning and penetration testing of in-scope network environments and applications. Managed Security Testing helps fulfill PCI DSS requirements, such as 6.6 and 11.3, and provides ongoing evaluation of the security of your networks or applications to support HIPAA, Sarbanes-Oxley (SOX), FISMA and GLBA/FFIEC compliance efforts.
How It Works:
You identify your testing budget and allocate it as you see fit. Your account balance depletes with each database, network or application you enroll, and you can refill your account at any time.
- An initial balance is credited to your account
- You enroll a database, network or application target and choose the level of testing
- Your account balance is debited according to predefined pricing
- You schedule your tests for the enrolled network or application
- A SpiderLabs expert conducts the test
- Dynamic reporting is made available in the portal
- You view and manage reporting within the portal
- If desired, you then schedule maintenance testing to re-evaluate findings where possible
Trustwave's online reporting portal delivers real-time access to detailed, actionable results. Unlike static reports, the portal makes it easy to take action on your information, track results, manage progress and remediate vulnerabilities from a single source.
Attack Sequences
Illustrates how multiple vulnerabilities can be linked to execute a successful attack.
Online Reporting and Metrics
Take advantage of multiple views of risk, remediation status, compromised data and status, across projects or tests. Historical views of test results allow for trend analysis and insight into your organization's security posture over time. Review personalized reports by risk, finding status, projects, custom fields, individual tests, and test types, and export in multiple formats including: PDF, Excel, XML, CSV and HTML.
Document Locker
Delivers secure file storage for the safe exchange of test notes, documents and other files.
Detailed Findings
Discover vulnerability evidence, images and videos. Slideshow walkthroughs quickly explain vulnerabilities to key team members.
Centralized Dashboard
Drills down to at-a-glance views of project, test status and vulnerability findings.
Real-Time Notifications
Stay on top of the latest changes in test status with instant email alerts.
Fresh Results
Verify security fixes have been correctly implemented with maintenance tests that re-evaluate any findings uncovered in prior tests where possible.
Documentation:
Download the Trustwave Managed Security Testing Service Levels Spec Sheet (PDF).
Download the Trustwave Managed Security Testing Description data Sheet (PDF).