Reviewed by Matthew Hreben & Michael Diehl

Vendor:  SafeBreach

Product:  Breach & Attack Simulation Platform

Price:  Depending on the size of the deployment.

Contact:  safebreach.com

What it does:  Attack simulation platform that focuses on multiple attack vectors.

What we liked:  Breach Explorer module inside the dashboard has a lot of power and could be used to quickly identify areas of potential compromise.

SafeBreach offers a BAS platform that combines a deep playbook of breach methods based on actual attacks, active investigations and unique research with deployed simulators that play the role of a virtual hacker. These simulators are deployed in critical segments of the network, in the cloud and on endpoints for a kill chain operation – infiltration, lateral movement and exfiltration of data. 

The orchestrated breach simulation is a patent-pending technology designed to illustrate in concrete terms the gaps in a security stack as a means of validating the effectiveness of security controls. Arguably the most critical design element in this space, the testing methods do not impact users or upset the system’s infrastructure. Rather, the platform leverages the results of the simulation in order to allow users to quickly take corrective action. The platform correlates and analyzes all breach methods and outcomes, showing risk trends over time and drilling down into specific findings. Remediation can also involve SafeBreach, which makes recommendations based on the findings.

The SafeBreach platform is seated onto a network in two phases. First, the platform’s management server console can be deployed on-premises or in an enterprise cloud infrastructure. The next phase involves deploying the simulators, software agents with a light-weight footprint, per the physical layer’s form factor and OS to virtual machines, endpoints and data center servers.

Three different types of simulators are supported. Most environments can make use of host-based simulators supported on Windows, Mac OS X and Linux operating systems and deployed as lightweight agents on endpoint or server systems. Network simulators are deployed as virtual machines on VMware, Citrix or Hyper-V servers and run network breach methods. A third class is the cloud simulators. They act as infiltration and exfiltration points, located in the enterprise cloud infrastructure and are more focused as they participate in network breach methods only.

For example, a simple application of the solution involves a perimeter use case to validate secure web gateways or email security gateways. The user deploys one simulator in the cloud acting as the infiltration and exfiltration node and a network or host-based simulator within the environment. Note the simulators only need connectivity to the management console. No other changes are required on any security controls, making the deployment very simple.

The more common deployment method is a combination of network, cloud and host-based simulators. For example, to validate a PCI segmentation, an organization might deploy a cloud simulator acting as the infiltration/exfiltration node, along with network simulators in PCI, corporate and production segments. 

SafeBreach can be easily integrated with SIEMs, ticketing systems, threat intelligence feeds and automation/orchestration vendors.  Two levels of support are offered  – Basic and Premium.