Thought Leadership

Jun 6, 2024

Security Posture Drift: Tracking & Managing Security Posture Over Time

Security posture drift is inevitable, but proactively managing it can save organizations millions and increase the ROI on their security controls. 

Given the high level of complexity in securing enterprise IT systems, it can be extremely difficult to keep track of changes in the organization’s overall security posture. It’s even more complicated to ensure that the dozens of security controls in place to protect the organization’s IT (and OT) assets are functioning properly and configured securely.  

Tracking security posture is a crucial aspect of organizational security in order to proactively assess the effectiveness of cybersecurity controls. Doing so helps enterprises understand and share the impact of their overall cybersecurity program in an ever-changing threat landscape. The last thing any security leader or team wants is to discover that their security controls aren’t working properly after a breach has occurred.

Below, we’ll discuss the causes of security posture drift and how to track and manage changes in security posture over time. We’ll also highlight the ways that teams can leverage the SafeBreach platform to identify macro-and micro-level drift, track and report on resilience against specific threats, and identify ways to improve the effectiveness of their security program.

What is security posture drift?

NIST defines security posture as “the security status of an enterprise’s networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.”

In other words, security posture helps organizations understand not only what IT assets they currently own, but also how well they are protected against cyber threats based on the efficacy of the security tools and processes in place to protect them. Understanding your overall attack surface and your organizational weaknesses to advanced threats can help organizations:

  • Create a realistic baseline for organizational readiness to cybersecurity threats.
  • Identify security gaps and understand their downstream effects on organizational processes.
  • Have a realistic understanding of the advantages and shortcomings of existing security tools.
  • Improve detection and remediation processes.

Security posture drift (also referred to as “security drift” or “posture drift”) is what happens when your security controls and processes move away from established organizational security baselines or standards over time. Drift occurs as a natural result of an ever-changing IT environment. Enterprise IT organizations are constantly acquiring new technologies, upgrading hardware and software, reconfiguring tooling, and a number of other day-to-day changes that have the potential to affect the posture of the organization. 

Furthermore, the threat landscape is also changing at a rapid pace. Even without changes to an IT system, the effectiveness of an organization’s security controls may change based on existing and new threats that can be leveraged against it. 


Download the white paper: The Skeptic’s Guide to Buying Security Tools


Tracking and managing security posture over time

While security posture drift may be a normal and inevitable occurrence in enterprise IT systems, security teams must still be able to track, monitor, and make adjustments in order to ensure that these everyday changes don’t leave the organization open to ransomware, security breaches, and other threats. Breach and attack simulation (BAS) solutions have quickly become a key technology for security teams looking to enable automated, continuous defensive posture assessments to manage drift. BAS solutions leverage the tactics, techniques, and procedures (TTPs) used by cyber adversaries to mimic real attacks, so organizations can discover gaps, prioritize the highest risks, and effectively remediate. 

SafeBreach Security Posture Drift

In addition, BAS enables security teams to:

  • Test the efficacy of security controls and help prioritize future investments.
  • Find likely paths that attackers can take to navigate through the organization and gain access to highly sensitive assets.
  • Improve the maturity of their defenses by testing the effectiveness of current detection capabilities and incident response playbooks.

Setting a baseline

In order to identify changes and abnormalities in the way your security controls function, you must first gain an understanding of what it means for those controls to behave as expected. Enterprise security organizations have made significant investments in security controls; the first step is to determine whether or not they are working.

The SafeBreach BAS platform continuously executes advanced attacks against an organization’s security and cloud controls, allowing security professionals to test the efficacy of their controls and establish a baseline security posture. They have the flexibility to run these attacks either through individual attacks or via built-in baseline scenarios. This is great for practitioners who may be uncertain where to start. It’s also easy to create custom scenarios, allowing for the flexibility to cater to the specific IT environment.

These scenarios provide a benchmark for the expected security posture for various activity types within your organizational network environment. Once a baseline is established, security teams can run these scenarios at regular intervals to determine the improvement or degradation in their posture over time. The wide variety of baseline scenarios within the SafeBreach platform can help teams determine a truly comprehensive initial starting point against which they can compare themselves.

SafeBreach baseline attack scenarios

Continuous, automated testing

As the adage goes, “you don’t know what you don’t know.” With the high volume of security controls in any given environment—each with their own set of configurations, users, patches, and so on—it’s impossible for any team to keep track of the near-constant changes without any kind of automated process. 

BAS can help their teams identify gaps in their security posture more effectively and prioritize security initiatives more efficiently. Identified gaps can be remediated to ensure that future attacks can be effectively detected, prevented, or remediated. Compared to point assessments like penetration testing, which tend to be carried out on an annual basis, this continuous approach offers significant improvements in visibility.

Once you run your baseline scenarios, it’s important to schedule regular tests to run automatically in order to see if there are any improvements or deteriorations of any kind and understand where you may have gaps or where issues have occurred. Once you have identified and resolved these issues, you can then re-run the test to ensure that you are once again at your original baseline.

Visualizing macro and micro posture drift

While it’s valuable to see the organization’s security posture at a high level, it is also important to be able to drill down into more specific results to gain a more granular understanding of where and why drift is occurring. For example, if a new threat emerges, you may want to track how resilient your environment is to that threat and ensure that you remain protected as time goes on. 

Macro-Level/ Environment-Level Drift: To help determine overall organizational posture, security teams want to assess the overall efficacy of specific security controls against evolving threats. Tracking the effectiveness of specific controls over time not only ensures that they are configured properly and working as intended, but can also allow organizations to see which controls are more effective if there is any overlap in functionality between separate tools. SafeBreach’s Security Posture Optimizer distills your attack results about security control performance into a high-level snapshot of the organizational security program’s efficacy to:

  • Quantify security posture with a clear score
  • Track improvements and identify control performance gaps
  • Analyze attacks and optimize remediation efforts
SafeBreach Security Posture Optimizer

Test-Level Posture Drift: While it is helpful to constantly validate security controls against today’s changing threat landscape to ensure a comprehensive level of protection, it is prudent to remember that network or security control configuration changes can potentially introduce a minor drifts in security posture that can give rise to potential security gaps. The SafeBreach platform offers drift and trend analysis so that security teams can identify trends over time and optimize resources by focusing on changes in security posture that may occur when a control’s configuration updates cause misconfigurations in other controls.. Each specific test summary now displays a test score and a score trend to help teams better understand program performance between specific tests.

SafeBreach Manage security posture drift

View the on-demand webinar: Fortifying Cyber Defenses: How to Leverage Breach and Attack Simulation to Select an EDR


Tracking security posture on a macro- and test-level scale with SafeBreach

To better understand how to track macro- and micro-level security posture drift with the SafeBreach platform, check out our webinar, Tracking and Managing Posture Drift to Prepare Against Advanced Threats

Ready to see how the SafeBreach platform can help your organization manage and improve your security posture? Connect with a SafeBreach expert today.

Get the latest
research and news