Until
recently, the critical task of security testing was primarily performed through
time-consuming, costly and laboriously manual penetration testing.
Organizations understood that, despite its expense and inefficiency, testing
was – and still is – extremely important to security posture. The best security
tools in a company’s arsenal mean nothing if they are improperly configured or
underutilized. And, these days, most compliance standards mandate regular
security testing, impractical for most organizations given the expense and time
each test takes. Still, doing nothing is no longer really an option either.
Enter
Breach and Attack Simulation technologies, which, through safe and continuous,
cost-effective, automated simulations, answer the questions that manual
penetration testing previously addressed. These tools can test across multiple
attack vectors to provide a comprehensive view of where breaches could occur in
an environment and the critical assets potentially affected. Because testing is
conducted safely and continuously, doing hundreds of tests daily is both
cost-effective and far more efficient than a one-time penetration test.
The
solutions are easy to deploy and manage, requiring minimal setup and offering
central management capabilities. Ease of use makes them suitable for
organizations of all sizes, including those that have smaller security teams.
With many out-of-the-box options available for the simulation of Red Team
practices, several solutions also offer customizable capabilities for
simulations that are specific to an organization so it can test exactly what it
wants.
The products
are well-suited for organizations looking to capitalize on security tools
they’ve already invested in and those that require a tool for controls testing
and staff testing purposes.
BAS tools are safe because simulations
of attacks are conducted within production environments without actually
rolling out malware. Anything that is changed as the result of the simulations,
which provide valuable insight into potential vulnerabilities and attack
vectors, is immediately rolled back and reverted to its previous state. Some
BAS tools even take insight a step further and provide analysts with
remediation suggestions and guidelines. The capabilities of and information
provided by BAS tools can boost security teams’ experience and efficiency while
simultaneously helping them get the most from their other security tools in all
phases of the security lifecycle.
This month
we revisit the still-emerging space of Breach and Attack Simulation (BAS)
technologies that aid in the security testing process by conducting continuous
automated attack simulations within a network. They have continued to become
more mainstream and transform the process and approach of security testing.
Organizations
typically have performed security testing through penetration testing, a costly
and time-consuming method that makes repetition virtually impossible. Results
of a penetration test show organizations’ current security posture, response
time and other relevant information that they then can use to adjust their
security tools and remediate risks and vulnerabilities. Ideally, organizations
then retest to see if those changes have yielded improved security. However, the
cost and time incurred for each penetration test make retesting difficult.
The
difficulty of retesting has given rise to Breach and Attack Simulation (BAS)
tools that leverage automation to conduct continuous testing on an environment.
The tools we looked at this month use automated simulations to expose and
exploit vulnerabilities from a breach point to a critical asset, essentially
putting the security measures in an environment through a workout using
simulations that test security controls. This decreases the cost and time
associated with otherwise manual security testing and organizations can run the
tools safely and continuously, providing output reports that give visibility
into potential attack vectors. Analysts can see networks from an attacker’s
perspective and have actionable data at their fingertips for bolstering
security posture.
We see three
main use cases for BAS tools – controls, staff and product testing.
BAS tools
are obviously well-suited for controls testing, which can be conducted as part
of risk assessments and for auditing purposes to ensure controls are properly
configured. Organizations can even leverage BAS tools to validate third-party
controls.
Staff
testing, while extremely important, is often overlooked. Having the best and
most effective security tools in the world means nothing if the analysts
responsible for security do not efficiently use data from those tools to secure
the environment. BAS tools can help determine whether alerts are configured at
the appropriate levels and whether security analysts respond to those alerts
quickly, efficiently and in accordance with protocol.
Finally, BAS
tools really sing when it comes to product testing. Frequently, companies
invest in security tools that are either underutilized or improperly configured.
Through safe and continuous testing BAS tools provide analysts with insight
into where weaknesses are to ensure organizations get the most out of their
security investments and efficiently protect their digital crown jewels.
Although all
the products offer very similar services, each has its own approach,
methodology and target audience. Some products put their focus on Red Team
capabilities while others key on Blue Team capabilities. Still others combine
the two and focus on Purple Team capabilities. The most helpful feature we saw
was remediation guidance following simulated attacks, something more products
are starting to implement. We would love to see that continue. Guidance on how
to make changes to configurations helps analysts use the information they get
from the tools in their arsenals and bridges the gap between gaining visibility
into vulnerabilities and subsequent remediation. Since Breach and Attack
Simulation technology still falls in the arena of emerging products, we
strongly suggest exploring their capabilities. The tools are still on track to
become staples in any security toolset and are already transforming the
security landscape.
For a complete rundown on the Emerging Products please see the list below:
AttackIQ Platform v2.15
Cymulate Breach and Attack Simulation Platform 3.30.16
Picus Security Platform v2402
SafeBreach Platform 2019Q3.7
XM Cyber HaXM 1.0
First look: Pulse Secure Software Defined Perimeter