
Why Offensive Security Should Be a Top Priority, Not Just a Check-the-Box Compliance Requirement

The following is a guest blog by Lisel Newton, Executive Director, Information Security, Risk & Compliance at Gossamer Bio.

When it comes to cybersecurity, too many companies treat offensive security measures, such as Red Team exercises and penetration testing, as mere compliance checkboxes. Gossamer Bio, however, prioritizes offensive security as an integral component of our proactive defense strategy rather than just a regulatory requirement.

Offensive testing is critical to ensuring our systems and cyber tools are as secure as we believe them to be, identifying potential gaps we may not see clearly. It serves to continuously improve our posture, defending against ongoing and evolving threats.

Gossamer Bio is a San Diego-based clinical-stage biopharmaceutical company focused on the development and commercialization of Seralutinib for the treatment of pulmonary arterial hypertension and pulmonary hypertension associated with interstitial lung disease.

Integrating Offensive Security into Gossamer's Geographically Diverse Environment and Workforce

At Gossamer Bio, our offensive security strategy isn't just about running isolated tests to meet an annual requirement—it's about aligning those efforts with our complex environment and diverse workforce. Cybersecurity is a balancing act between tightly securing our environment and ensuring a seamless and friendly user experience. This balance becomes even more crucial when employees work remotely and access resources from various locations around the globe.

Traditional penetration tests, which can include procedures such as tailgating into an office, don't deliver high-value outcomes when your workforce is geographically dispersed and dependent on cloud services rather than reporting to an office building each day. Our offensive security efforts focus on real-world, meaningful test scenarios, curated with knowledge of the threats Gossamer faces. One example is testing the scenario in which a remote employee logs in from a country with a high cybersecurity risk, and checking that our detections separate that legitimate login from true indicators of threat or compromise. By putting business-relevant attack scenarios to the test, we're able to identify potential vulnerabilities that could impact our globally distributed team members.
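The high-risk-country login scenario above is a detection problem as much as a testing problem: the country of origin is a lead, not a verdict, and the detection has to corroborate it before escalating. The following is an added example written for this article, not code from the original post or from Gossamer Bio or Trustwave. It scores constructed sign-in records on several indicators (risky country, unknown device, MFA not satisfied, a burst of failures before success, impossible travel) and triages them; the country code `ZZ`, the weights, the thresholds, the record format and the sample events are all assumptions made for illustration.

```python
"""Added example, not code from the original post or from Gossamer Bio or
Trustwave: triage remote sign-in events so a login from a high-risk country is
treated as a lead to corroborate rather than a verdict. Everything below is a
constructed assumption: the risk-country code, the weights and thresholds,
the record format and the sample events."""
import json
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

HIGH_RISK_COUNTRIES = {"ZZ"}   # assumption: placeholder code for a high-risk country
MAX_PLAUSIBLE_KMH = 1000.0     # assumption: faster than an airliner means impossible travel
WEIGHTS = {                    # assumption: illustrative weight per indicator
    "high-risk country": 1,
    "unknown device": 2,
    "mfa not satisfied": 3,
    "brute-force precursor": 2,
    "impossible travel": 3,
}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_event(line: str) -> Dict:
    """Parse one JSON sign-in record (constructed format, not a vendor schema)."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
    return ev


def score_event(prev: Optional[Dict], cur: Dict) -> Tuple[int, List[str]]:
    """Score one successful login; `prev` is the same user's previous login, if any."""
    reasons: List[str] = []
    if cur["country"] in HIGH_RISK_COUNTRIES:
        reasons.append("high-risk country")          # a lead, weighted low on its own
    if not cur["device_known"]:
        reasons.append("unknown device")
    if not cur["mfa"]:
        reasons.append("mfa not satisfied")
    if cur["failed_before"] >= 5:
        reasons.append("brute-force precursor")       # many failures just before success
    if prev is not None:
        hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def classify(score: int) -> str:
    """Map a score to a triage outcome; thresholds are assumptions."""
    if score >= 5:
        return "escalate"
    if score >= 2:
        return "review"
    return "benign"


def triage(lines: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Process records in order, keeping each user's last login for travel checks."""
    last: Dict[str, Dict] = {}
    results: Dict[str, Tuple[str, List[str]]] = {}
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(last.get(ev["user"]), ev)
        results[ev["id"]] = (classify(score), reasons)
        last[ev["user"]] = ev
    return results


# Constructed sample records (not real logs). alice travels to the high-risk
# country on a known device with MFA; bob's login shows every bad sign; carol
# appears in San Diego and Singapore one hour apart.
SAMPLE_LOG = [
    '{"id":"e1","user":"alice","ts":"2024-05-01T08:00:00+00:00","country":"US","lat":32.72,"lon":-117.16,"device_known":true,"mfa":true,"failed_before":0}',
    '{"id":"e2","user":"alice","ts":"2024-05-03T09:00:00+00:00","country":"ZZ","lat":25.0,"lon":55.0,"device_known":true,"mfa":true,"failed_before":0}',
    '{"id":"e3","user":"bob","ts":"2024-05-03T02:00:00+00:00","country":"ZZ","lat":25.0,"lon":55.0,"device_known":false,"mfa":false,"failed_before":12}',
    '{"id":"e4","user":"carol","ts":"2024-05-03T10:00:00+00:00","country":"US","lat":32.72,"lon":-117.16,"device_known":true,"mfa":true,"failed_before":0}',
    '{"id":"e5","user":"carol","ts":"2024-05-03T11:00:00+00:00","country":"SG","lat":1.35,"lon":103.82,"device_known":true,"mfa":true,"failed_before":0}',
]

if __name__ == "__main__":
    for event_id, (verdict, why) in triage(SAMPLE_LOG).items():
        print(event_id, verdict, why)
```

With these assumed weights, alice's login from the high-risk country stays benign because nothing else corroborates it, bob's is escalated on the combination of indicators, and carol's is flagged for review on impossible travel alone. The point a red team exercise would probe is exactly those thresholds: whether a real traveler generates noise and whether a credential-stuffed account slips under the escalation line.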

The Importance of Experienced Third-Party Testing

While our internal security team plays a critical role in upholding day-to-day operations and defenses, third-party offensive security testing provides invaluable insights our team may not otherwise identify.

At Gossamer Bio, we partner closely with external experts, as they bring a fresh, unbiased, and independent perspective, as well as an expansive expertise and skillset amassed from years of exposure to various organizations and industries.

Our in-house team, myself included, is deeply embedded in our internal environment. Even with active participation in cybersecurity community conferences, professional organizations, and ongoing industry training, familiarity with our own environment, while vital to daily operations, can lead us to miss opportunities to creatively expand our controls. The outside visibility offered by third-party offensive security testing is critical in uncovering previously unidentified risks.

Third-party teams like Trustwave offer a broad view of the threat landscape, applying techniques and insights accumulated from exposure to other industries and organizations, allowing the team to test our defenses in ways we may not have considered. Competent and reputable external validation carries significant weight with our executives, offering an independent assessment that deepens trust in the performance of our security program.

C-Suite Engagement: Driving Proactive Security

A key reason our offensive security program has been successful is the active involvement of our C-suite. Cybersecurity, at times, can struggle to receive the necessary visibility and prioritization at the Executive level. At Gossamer, our leadership is highly engaged and incredibly supportive of security initiatives, keenly aware of the importance of cybersecurity in this day and age.

We've established a Cybersecurity Oversight Committee, bringing together leaders from various departments—Finance, Clinical Operations, Business Development, Quality Assurance, and more. This Committee goes beyond high-level updates, delving into the technical aspects of our security program. The Committee holds us accountable and establishes cyber-accountability across the organization – security is everybody's responsibility.

Findings and insights from our offensive security tests are shared transparently with the Committee and Executives, fostering a culture of continuous improvement. The balance of security and ensuring a seamless user experience, referenced previously, is bolstered by sharing cyber program initiatives openly with this group.

Aligning Offensive Security with Risk Management

Our offensive security efforts are deeply integrated with Gossamer Bio's broader risk management strategy. Risk evaluation is ongoing and iterative, and insights gained from this process help identify areas where offensive testing is most needed.

For example, maintaining close relationships with key technical experts gives us insight into industry-specific threats, including where there have been successful breaches. If we have comparable technology products or processes, we incorporate this threat intelligence into our offensive testing agenda. Conversely, the results from offensive security tests feed back into our ongoing risk considerations, creating a dynamic feedback loop that ensures our security posture evolves with emerging threats.

The SFTP Test: A Real-World Example

One instance that highlighted the importance of offensive security involved an SFTP environment. While SFTP is generally secure as a protocol, an SFTP environment can become a vulnerability if it is not properly managed or monitored. Decentralized access management introduces risk, as do less-than-secure end-user behaviors such as storing passwords in plaintext.

Hearing about a significant breach involving SFTP from a key business advisor prompted us to act. We engaged our offensive security partner to test this specific area, gathering key insights that allowed us to strengthen our controls. This proactive approach based on threat intel ensured we addressed a potential blind spot before it could be exploited.
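The post does not say what the SFTP test found, and the following does not claim to. It is an added example written for this article, not code from the original post or from Gossamer Bio or Trustwave, showing what "properly managed" looks like in concrete terms for an OpenSSH-based SFTP service: a small parser for `sshd_config` and a checklist audit that compares a weak configuration with a hardened one. The checklist reflects common OpenSSH hardening practice (key-only authentication, SFTP-only users confined with `ChrootDirectory` and `internal-sftp`, forwarding disabled, verbose logging so that key fingerprints are logged); both sample configurations are constructed, and the group name `sftponly` and path `/srv/sftp/%u` are assumptions.

```python
"""Added example, not code from the original post or from Gossamer Bio or
Trustwave: audit an OpenSSH sshd_config used for SFTP against a short
hardening checklist. The checklist reflects common OpenSSH hardening
practice, not the findings of the test described in the article, and both
sample configurations below are constructed."""
from typing import Dict, List

Config = Dict[str, Dict[str, str]]


def parse_sshd_config(text: str) -> Config:
    """Return {"global": {...}, "Match <criteria>": {...}} with keywords lower-cased.
    As in sshd_config(5), the first value given for a keyword wins."""
    sections: Config = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = "Match " + value
            sections.setdefault(current, {})
            continue
        sections[current].setdefault(key, value)
    return sections


def effective(cfg: Config, section: str, key: str, default: str) -> str:
    """Value seen by users of `section`: the Match block, else global, else sshd's default."""
    return cfg.get(section, {}).get(key, cfg["global"].get(key, default)).lower()


def audit_sftp_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checklist passed."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    # Global authentication and logging settings (defaults are OpenSSH's own).
    if effective(cfg, "global", "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': accounts can be brute-forced or phished; use keys only")
    if effective(cfg, "global", "pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if effective(cfg, "global", "permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can log in remotely")
    if effective(cfg, "global", "loglevel", "info") not in ("verbose", "debug", "debug1", "debug2", "debug3"):
        findings.append("LogLevel below VERBOSE: key fingerprints of successful logins are not recorded")
    # SFTP-only users must be confined to the in-process SFTP server.
    sftp_blocks = [s for s in cfg if s.startswith("Match ")
                   and cfg[s].get("forcecommand", "").lower() == "internal-sftp"]
    if not sftp_blocks:
        findings.append("no Match block with ForceCommand internal-sftp: SFTP users get a full shell")
    for block in sftp_blocks:
        if "chrootdirectory" not in cfg[block]:
            findings.append(f"{block}: no ChrootDirectory, users can browse the whole filesystem")
        if effective(cfg, block, "allowtcpforwarding", "yes") != "no":
            findings.append(f"{block}: AllowTcpForwarding not disabled, SFTP users can pivot through the host")
        if effective(cfg, block, "permittunnel", "no") != "no":
            findings.append(f"{block}: PermitTunnel enabled")
        if effective(cfg, block, "x11forwarding", "no") != "no":
            findings.append(f"{block}: X11Forwarding enabled")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = """\
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
Port 22
Subsystem sftp internal-sftp
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
LogLevel VERBOSE
Match Group sftponly
    # the chroot target must be root-owned and not group- or world-writable
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sftp_config(text) or ["no findings"])
```

The audit reads only the text of the configuration; it cannot check what the offensive test in the article would also exercise, such as whether the chroot directory ownership is correct, whether stale authorized keys exist for departed users, or whether those keys and passwords are sitting in plaintext on partner workstations.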

Types of Red Team and Penetration Tests We Run

Our offensive security program employs a multifaceted approach, targeting a range of potential threats. Partnering closely with Trustwave's experts, we map key attack scenarios so that testing time is spent effectively on the scenarios most relevant to our specific environment.

Phishing and brute-force attacks targeting end-user credentials are among the most common threats we face daily. Our offensive testing is structured to include social engineering tactics or assumed-breach scenarios, simulating the case in which such an attack succeeds.

Once inside, testers attempt to elevate privileges, exfiltrate data, and move laterally within the network—mimicking real-world attacker behavior. This comprehensive and tailored approach ensures we're prepared for a variety of attack vectors, from ransomware to insider threats.

The Biggest Takeaway from Offensive Security

The greatest value of our offensive security program lies in the validation and continuous improvement it brings to our security posture. It's not just about identifying vulnerabilities—it's about receiving an external, independent, and unbiased perspective that helps us refine and strengthen our defenses over time.

For our executives, third-party validation offers reassurance that our security program isn't just internally approved but is externally vetted. For the technical team, it provides actionable insights that help fine-tune our security stack and stay ahead of evolving threats to the extent possible.

Why Every Company Should Invest in Offensive Security

If your company isn't actively investing in and wholeheartedly participating in offensive security testing with a genuine curiosity, you're leaving yourself vulnerable to unknown threats. It's easy to feel a sense of security when you've implemented industry-standard controls, name-brand technology products, and have followed best practice guidelines. However, without testing your controls under real-world conditions, you can't be certain they'll hold up against a determined attacker.

Offensive security isn't a luxury—it's a necessity. It requires the humility to admit no program is perfect in its entirety. It requires the interest, desire, and commitment to continuously improve. By soliciting external expertise and feedback, as well as rigorously testing your defense strategies, you're not just protecting your systems—you're working to safeguard your company's future.

If you're sleeping peacefully at night without offensive security as a key component of your program, there's a great chance your easy 'Zs' are because there's something you're missing. In cybersecurity, ignorance isn't bliss—we must always work to deconstruct any false sense of security we may be gripping onto. Using offensive testing only as a check-the-box exercise to achieve compliance, or lacking it entirely, is too great a risk.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.