Until recently, the critical task of security testing was primarily performed through time-consuming, costly and laborious manual penetration testing. Organizations understood that, despite its expense and inefficiency, testing was – and still is – extremely important to security posture. The best security tools in a company’s arsenal mean nothing if they are improperly configured or underutilized. And, these days, most compliance standards mandate regular security testing, which is impractical for most organizations given the expense and time each test takes. Still, doing nothing is no longer really an option either.
Enter Breach and Attack Simulation technologies, which, through safe, continuous, cost-effective, automated simulations, answer the questions that manual penetration testing previously addressed. These tools can test across multiple attack vectors to provide a comprehensive view of where breaches could occur in an environment and the critical assets potentially affected. Because testing is conducted safely and continuously, doing hundreds of tests daily is both cost-effective and far more efficient than a one-time penetration test.
The solutions are easy to deploy and manage, requiring minimal setup and offering central management capabilities. Ease of use makes them suitable for organizations of all sizes, including those that have smaller security teams. With many out-of-the-box options available for the simulation of Red Team practices, several solutions also offer customizable capabilities for simulations that are specific to an organization so it can test exactly what it wants.
The products are well-suited for organizations looking to capitalize on security tools they’ve already invested in and those that require a tool for controls testing and staff testing purposes. BAS tools are safe because simulations of attacks are conducted within production environments without actually rolling out malware. Anything that is changed as the result of the simulations, which provide valuable insight into potential vulnerabilities and attack vectors, is immediately rolled back and reverted to its previous state. Some BAS tools even take insight a step further and provide analysts with remediation suggestions and guidelines. The capabilities of and information provided by BAS tools can boost security teams’ experience and efficiency while simultaneously helping them get the most from their other security tools in all phases of the security lifecycle.
This month we revisit the still-emerging space of Breach and Attack Simulation (BAS) technologies that aid in the security testing process by conducting continuous automated attack simulations within a network. They have continued to become more mainstream and transform the process and approach of security testing.
Organizations typically have performed security testing through penetration testing, a costly and time-consuming method that makes repetition virtually impossible. Results of a penetration test show organizations their current security posture, response time and other relevant information that they then can use to adjust their security tools and remediate risks and vulnerabilities. Ideally, organizations then retest to see if those changes have yielded improved security. However, the cost and time incurred for each penetration test make retesting difficult.
The difficulty of retesting has given rise to Breach and Attack Simulation (BAS) tools that leverage automation to conduct continuous testing on an environment. The tools we looked at this month use automated simulations to expose and exploit vulnerabilities from a breach point to a critical asset, essentially putting the security measures in an environment through a workout using simulations that test security controls. This decreases the cost and time associated with otherwise manual security testing and organizations can run the tools safely and continuously, providing output reports that give visibility into potential attack vectors. Analysts can see networks from an attacker’s perspective and have actionable data at their fingertips for bolstering security posture.
We see three main use cases for BAS tools – controls, staff and product testing.
BAS tools are obviously well-suited for controls testing, which can be conducted as part of risk assessments and auditing purposes to ensure controls are properly configured. Organizations can even leverage BAS tools to validate third-party controls.
Staff testing, while extremely important, is often overlooked. Having the best and most effective security tools in the world means nothing if the analysts responsible for security do not efficiently use data from those tools to secure the environment. BAS tools can help determine whether alerts are configured at the appropriate levels and whether security analysts respond to those alerts quickly, efficiently and in accordance with protocol.
Finally, BAS tools really sing when it comes to product testing. Frequently, companies invest in security tools that are either underutilized or improperly configured. Through safe and continuous testing, BAS tools provide analysts with insight into where weaknesses are to ensure organizations get the most out of their security investments and efficiently protect their digital crown jewels.
Although all the products offer very similar services, each has its own approach, methodology and target audience. Some products put their focus on Red Team capabilities while others key on Blue Team capabilities. Still others combine the two and focus on Purple Team capabilities. The most helpful feature we saw was remediation guidance following simulated attacks, something more products are starting to implement. We would love to see that continue. Guidance on how to make changes to configurations helps analysts use the information they get from the tools in their arsenals and bridges the gap between gaining visibility into vulnerabilities and subsequent remediation. Since Breach and Attack Simulation technology still falls in the arena of emerging products, we strongly suggest exploring their capabilities. The tools are still on track to become staples in any security toolset and are already transforming the security landscape.
For a complete rundown of the Emerging Products, please see the list below:
AttackIQ Platform v2.15
Cymulate Breach and Attack Simulation Platform 3.30.16
Picus Security Platform v2402
SafeBreach Platform 2019Q3.7
XM Cyber HaXM 1.0
First look: Pulse Secure Software Defined Perimeter