What are Breach and Attack Simulation Technologies?
This week, SafeBreach was named a "Cool Vendor" by Gartner. In the same report, Gartner highlighted the concept of Breach and Attack Simulation Technologies, saying that “Simulating attacks and activities resulting from a breach can highlight gaps in the security posture, prioritize new investments, and can also verify that existing security controls work as expected.”*
I think that Gartner hit some pretty compelling use cases in this one sentence, and it’s worth breaking this concept down into its three parts to better understand this new space, and the value that Breach and Attack Simulation Technologies can provide to help combat today’s security solution overload.
Highlight gaps in security posture
I talk to a lot of CISOs and other security team leaders. (How many, you ask? Well I count roughly 170 over the last year… and I know I am missing some business cards.) They typically have smart, talented teams. But with so many different layers of security, so many products, and so much configuration, even the best teams have to overcome incredible odds to stay in sync.
This is the dark world of the “unknown unknown,” and until now, it’s been tough to test. Attack simulation is critical to finding unknown issues, in unknown places. It’s way more than just NMAP and scanning for vulnerabilities, it’s actually searching out and verifying communication across machines. Between networks. Onto hosts. And then it’s seeing if data can actually be sent out.
Prioritize new investments
One silver lining of all of the recent “Breach hype” in mainstream media, is that in some cases budget has been freed up a bit around security. Overall market spend has increased to all time highs as well. But are we spending on the right stuff? Heck, do we even need to invest more at all?
Until now, there was no way to know if security investment was working. Companies were either breached, or not breached. Security teams were assumed to have 100% success, or 100% failure.
By actually simulating attacks on your environment, across the entire kill chain, IT can now effectively prioritize investment, and have the data present to exec staff and boards when justification is required.
Verify that existing controls work as expected
Another theme I have heard from Security leaders is that environments have grown so complex, and security controls are so sprawling, that there’s often a gap between what was designed and the actual outcome. This usually takes the form of conversation about how best to respond when an auditor asks:
“How confident are you that your existing controls will protect [name your critical data] against theft?”
Now, I had it easy. When I was in IT, auditors used to ask my team things like:
“What controls do you have to protect [sensitive data] from theft? How do you test those controls? How often do you test? What do you do with findings?”
That’s easy enough to answer. But asking about confidence level is a real kick in the pants. I pity the poor CISO that has to respond:
“How confident am I? Uh, Is pretty confident a good answer? I am relatively confident that it all will work like I planned it to. My team told me it would, and they seem… pretty confident…”
And this, for me, gets to the most important value of Breach and Attack Simulation Technologies. After designing and implementing defenses, you can literally unleash thousands of attacks upon it. Over and over. In production. Without risk to your data, hosts, users, config, etc. You can now absolutely know whether or not the plan worked. Acheivement "Confidence" unlocked!
Our customers do this daily. They see exactly where configuration needs tweaking. Where networks can be traversed in ways no one expected. Where the outsourced IT team forgot to update config on the small branch office firewall, which opened a path right back into the heart of the datacenter. Breach and Attack Simulation Technologies can show all of this and more.
Now that auditor can get the right response:
“How confident am I? I am very confident, and here’s the data to back it up. I ran this test an hour ago, and yesterday, and last week…”