Three questions you should always be able to answer about your security environment
Partner content
We’ve all seen those seemingly straightforward security questions that snowball into multi-day research projects across dozens of consoles, spreadsheets, and manual queries. The reality is that even the most fundamental security questions are notoriously difficult to answer with certainty.
Here are three foundational questions every security leader should be able to answer immediately, why they’re harder than they appear, and practical pathways to find reliable answers.
1. Do I have full visibility into all the devices accessing my environment?
This is a fundamental question for any security team. Per NIST: “Physical devices and systems within the organization are inventoried.” Not only does it directly map to compliance, but the principle is simple: you can only secure what you know about. Yet most organizations struggle to maintain an accurate, real-time inventory of their entire device ecosystem.
Why it matters
Untracked or unknown devices represent some of the highest-risk attack vectors in modern environments. They’re typically unmanaged, unprotected, and unscanned, creating blind spots that attackers can actively exploit without your knowledge. In fact, Microsoft reports 90% of successful ransomware attacks start with unmanaged devices, highlighting just how critical comprehensive visibility has become.
Why it’s hard to answer
The challenge isn’t a lack of asset management tools; it’s that device data lives scattered across multiple systems, each with its own perspective and gaps:
- MDM tools like Intune or Jamf only see enrolled devices
- EDR platforms like CrowdStrike only track devices with active agents
- Network monitoring catches devices that connect, but may miss cloud-only resources
- Identity logs from Okta or Azure AD show sign-ins, but not the full device context
- CMDB systems often contain stale or manually maintained data
Shadow IT, personal devices in BYOD environments, and remote work have exponentially increased the complexity. A device might appear in your identity logs but never be enrolled in your MDM. Conversely, decommissioned devices might linger in your CMDB long after they’ve left the building.
Real-world discrepancies of 10-15% between asset inventories are common, even in well-managed environments. These gaps occur because different tools have different perspectives on the same environment, creating blind spots that only become visible when data is properly aggregated. This is one of the fundamental challenges we’ve been addressing at Prelude.
How to find out
- Correlate multiple data sources: Cross-reference device logs from MDM/EDR tools with identity sign-ins and network connection logs from platforms like Meraki or Fortinet
- Automate continuous reconciliation: Implement processes that automatically flag outliers, such as devices seen in Okta but not in Intune, or network connections from unrecognized endpoints
- Establish authoritative sources: Define which system serves as your source of truth for different device types and contexts
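The reconciliation described above, as an added example that is not Prelude’s code: each source is normalised onto one join key (the lower-cased hostname) and the sets are diffed to surface devices that authenticated but were never enrolled, enrolled devices without an EDR agent, and CMDB entries no live source has seen. All records and field names are constructed samples, not any vendor’s schema.

```python
"""Cross-source device reconciliation (added example, not Prelude's code).

MDM sees enrolled devices, EDR sees devices with a live agent, identity
sign-ins see whatever authenticated, and the CMDB holds whatever someone
last typed in. Normalising each source onto one key and diffing the sets
surfaces the blind spots the text describes. All records and field names
below are constructed samples.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable

MDM_DEVICES = [{"name": "LAPTOP-01"}, {"name": "LAPTOP-02"}]            # enrolled
EDR_DEVICES = [{"hostname": "laptop-01"}, {"hostname": "laptop-03"}]    # agent reporting
IDENTITY_SIGNINS = [{"user": "alice", "device": "LAPTOP-01"},
                    {"user": "bob", "device": "LAPTOP-03"},
                    {"user": "carol", "device": "HOME-PC"}]             # never enrolled anywhere
CMDB_ENTRIES = [{"name": "LAPTOP-01", "last_updated": NOW - timedelta(days=10)},
                {"name": "LAPTOP-02", "last_updated": NOW - timedelta(days=5)},
                {"name": "OLD-DESKTOP", "last_updated": NOW - timedelta(days=400)}]


def norm(name):
    """Shared join key: hostnames differ only in case and whitespace between tools."""
    return name.strip().lower()


def discrepancy_pct(a, b):
    """Share of the combined population that only one of two inventories knows about."""
    union = a | b
    return round(100 * len(a ^ b) / len(union), 1) if union else 0.0


def reconcile(mdm, edr, signins, cmdb, now=NOW, stale_after_days=90):
    mdm_set = {norm(d["name"]) for d in mdm}
    edr_set = {norm(d["hostname"]) for d in edr}
    seen_set = {norm(s["device"]) for s in signins}
    cmdb_set = {norm(c["name"]) for c in cmdb}
    observed = mdm_set | edr_set | seen_set       # every device any live source has seen
    fully_managed = mdm_set & edr_set             # enrolled AND protected
    return {
        "signin_not_in_mdm": sorted(seen_set - mdm_set),   # authenticated, but unenrolled
        "mdm_without_edr": sorted(mdm_set - edr_set),      # enrolled, but no agent
        "edr_without_mdm": sorted(edr_set - mdm_set),      # agent present, never enrolled
        "stale_cmdb": sorted(norm(c["name"]) for c in cmdb
                             if (now - c["last_updated"]).days > stale_after_days),
        "cmdb_never_seen": sorted(cmdb_set - observed),    # lingering after decommission
        "fully_managed_pct": round(100 * len(fully_managed) / len(observed), 1),
        "mdm_vs_edr_discrepancy_pct": discrepancy_pct(mdm_set, edr_set),
    }


if __name__ == "__main__":
    for finding, value in reconcile(MDM_DEVICES, EDR_DEVICES, IDENTITY_SIGNINS, CMDB_ENTRIES).items():
        print(f"{finding}: {value}")
```

Each finding maps to one of the gaps listed above; in practice the inputs would be exports from the MDM, EDR, identity and CMDB systems rather than the inline samples.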
2. Are all users protected by MFA and scoped with the right access controls?
Identity and access management remains a thorn in the side of security teams. Even the smallest exceptions in access controls can create disproportionately large risks.
Why it matters
NIST CSF guidelines PR.AC-1 and PR.AC-7 emphasize enforcing identity verification and least-privilege access. The statistics are compelling: Microsoft reports that 99.9% of account compromises occur on accounts without MFA. Yet the challenge isn’t just enabling MFA; it’s ensuring consistent enforcement and proper access scoping across your entire user base.
Why it’s hard to answer
MFA and access control policies are rarely as comprehensive as they appear in admin consoles:
- Conditional access gaps: Policies often exclude service accounts, guest users, or newly integrated applications
- Inconsistent enforcement: MFA might be required at login, but not for sensitive operations or across all platforms
- Policy complexity: Multiple overlapping policies can create unexpected gaps or conflicts
- Entitlement creep: Manual provisioning and role changes accumulate over time, leading to over-scoped permissions
- Service account sprawl: Automated accounts often lack proper oversight and may bypass standard controls
The challenge is compounded by the fact that identity platforms show you what’s configured, not necessarily what’s being enforced in practice.
How to find out
- Audit sign-in logs: Use your IAM tool’s sign-in logs to identify logins without MFA or from unmanaged devices
- Test policy effectiveness: Run “What If” simulations to validate how policies behave across different user and device conditions
- Implement access reviews: Establish periodic reviews of role assignments and RBAC configurations to prevent privilege creep
- Monitor service accounts: Catalog and regularly audit service accounts for proper scoping and security controls
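The sign-in log audit described above, as an added example that is not Prelude’s code: a conditional-access policy records who should be challenged for a second factor, the sign-in log records who actually was, and comparing the two separates true enforcement gaps from the standing exclusions (service and guest accounts) the policy itself carves out. Events, policy and field names are constructed samples, not any vendor’s schema.

```python
"""Sign-in log audit for MFA enforcement gaps (added example, not Prelude's code).

The policy says who should be challenged; the log says who actually was.
Diffing them shows the gap between configured and enforced controls that
the text describes. Events, policy and field names are constructed samples.
"""
from collections import Counter

# Constructed policy: MFA required for everyone except these carve-outs.
POLICY = {"excluded_users": {"svc-backup", "guest-vendor"}}


def ev(user, kind, factors, managed, outcome="success"):
    """Build one constructed sign-in event with illustrative field names."""
    return {"user": user, "kind": kind, "factors": factors,
            "managed_device": managed, "outcome": outcome}


SIGNINS = [
    ev("alice", "human", ["password", "otp"], True),
    ev("bob", "human", ["password"], True),            # in scope, but no second factor
    ev("bob", "human", ["password"], True),
    ev("carol", "human", ["password", "push"], False),  # MFA done, unmanaged device
    ev("svc-backup", "service", ["password"], False),   # excluded by policy
    ev("guest-vendor", "human", ["password"], False),   # excluded by policy
    ev("dave", "human", ["password"], True, "failure"),  # failures prove nothing
]


def is_mfa(event):
    """Two distinct factor types completed; a repeated password prompt is not MFA."""
    return len(set(event["factors"])) >= 2


def audit(signins, policy):
    successes = [e for e in signins if e["outcome"] == "success"]
    in_scope = [e for e in successes if e["user"] not in policy["excluded_users"]]
    excluded = [e for e in successes if e["user"] in policy["excluded_users"]]
    mfa_in_scope = sum(1 for e in in_scope if is_mfa(e))
    return {
        # policy requires MFA, log shows none was performed: enforcement gap, per user
        "enforcement_gaps": dict(Counter(e["user"] for e in in_scope if not is_mfa(e))),
        # working as configured, but each exclusion is a standing single-factor path
        "active_exclusions": sorted({e["user"] for e in excluded if not is_mfa(e)}),
        "service_single_factor": sorted({e["user"] for e in successes
                                         if e["kind"] == "service" and not is_mfa(e)}),
        "unmanaged_device_signins": sorted({e["user"] for e in successes
                                            if not e["managed_device"]}),
        "in_scope_mfa_rate_pct": round(100 * mfa_in_scope / len(in_scope), 1) if in_scope else 0.0,
    }


if __name__ == "__main__":
    for finding, value in audit(SIGNINS, POLICY).items():
        print(f"{finding}: {value}")
```

The enforcement_gaps finding is the one the admin console will not show you, since the policy is configured correctly; the active_exclusions finding is the list to bring to the next access review.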
3. If a new attack technique emerged today, do I know if my tools would stop it?
This forward-looking question examines whether your defenses are tested against current threats, not just misconfigurations or past vulnerabilities. It’s about validation, simulation, and understanding how your controls map to relevant compliance frameworks or MITRE ATT&CK.
Why it matters
NIST CSF guidelines DE.DP-4 and RS.CO-2 promote detection validation and response testing. Control effectiveness can’t be assumed. Novel attack techniques routinely bypass static signatures and untested rules. Security control validation is emerging as a critical best practice, and evaluation frameworks like MITRE ATT&CK exist specifically for this purpose.
Why it’s hard to answer
Most organizations rely on vendor claims, compliance checklists, or incident response to validate their defenses, none of which provide proactive assurance:
- Vendor claims vs. reality: Security tools often promise broad protection, but real-world configurations may not align with marketing materials
- Detection drift: Rules and signatures become less effective over time due to environmental changes and threat evolution
- Configuration complexity: Small misconfigurations can completely undermine detection capabilities
- Limited testing expertise: Safe adversary simulation requires specialized knowledge and tools that most teams lack
- Resource constraints: Regular validation testing competes with operational priorities for time and attention
The challenge is compounded by the fact that many attack techniques are designed specifically to evade common detection methods.
How to find out
- Implement adversary emulation: Use offensive security practices or simulations to evaluate how your controls respond
- Automate detection testing: Deploy safe simulation tools that can regularly test whether your controls trigger as expected
- Map threats to controls: Maintain an understanding of which controls protect against which attack techniques
- Regular purple team exercises: Combine red team simulation with blue team validation to test end-to-end response capabilities
How Prelude is working to make answering these questions easier
Answering these questions traditionally requires extensive manual effort across multiple consoles and complex data correlation. Our team at Prelude has been working to change this by automatically aggregating data from identity platforms, endpoint management, vulnerability scanners, and other disparate security controls into a unified view.
Instead of logging into multiple systems and running manual queries, teams get real-time answers from a single dashboard. The platform continuously monitors for gaps, misconfigurations, and coverage issues, with automated alerting when drift occurs. Beyond monitoring, Prelude validates control effectiveness through safe adversary simulation, ensuring your defenses actually work when tested.
Security teams are inundated with priorities from awareness training to very real incident response. Answering fundamental questions about your security posture shouldn’t be this complex.
Contributed by Prelude.