Acting on Results Provided By Breach and Attack Simulation

"SectionTestimonialsSlider",Are Augusto Barros and Anton Chuvakin the hardest-working analysts at Gartner?

Recently, they’ve issued a call to action on threat simulation, dived into Breach and Attack Simulation technologies, and asked many relevant questions in their multiple blogs. In case you missed it, we’ve responded with our perspective. Our first blog compared Breach and Attack Simulation to Pen Testing, Red Teaming, and Vulnerability Management. Our second blog discusses how real simulations should be to actually validate security controls.

In Augusto and Anton’s third blog “The Bane of All Security Tests: Acting on Results”, they posed an important question - “How do you actually act on results provided by Breach and Attack Simulation?

This is indeed a critical issue. For far too long, we’ve seen security teams deploy new security products, only to be overwhelmed by the results. (Some of our favorite CISO customers call it “red dot hell.”) As reiterated by one of our very early customers -- “Don’t just tell what I’m doing wrong, I hear that from my wife every day. Tell me what I need to do to fix issues.”

There are some key considerations when we think about prioritization and actionable results:

• SOC analysts typically have a preferred tool in analyzing results -- a breach and attack simulation platform should support as many of these options as possible.
• Analysts want to deep dive into details of a simulated breach - as much information about the simulated breach method should be provided as possible.
• Workflows already exist for remediation - a Breach and Attack Simulation platform should integrate into existing ticketing systems.
• Companies may have a combination of detection and prevention security policies - while simulations are the same regardless of whether we trigger detection or prevention policies, the response from the security controls is different (block versus alert)

Prioritize Results

Based on the considerations above, how do our customers prioritize the findings we provide? There are various choices provided which is essential to cater to the varied security preference and/or maturity of the security teams. They may analyze the results as follows:

• Risk Trend Dashboard - For day to day validation, our dashboard shows trends, as well as top changes/findings since the last simulations. Customers can click on either to drill directly to the built-in Simulation Analyzer.

• Breach Explorer for Kill Chain View - Many customers use this view to identity the easiest place to break the kill chain (typically where the fewest successful breaches were executed) and then use that to winnow findings to a prioritized level. SafeBreach recommends customers revisit this view on a weekly basis.

• Deeper Analysis and Filtering of Findings - The choices below depend on the size and maturity of the teams:
  • Built-in Simulation Analyzer (Typical) - This tool allows customers to analyze and filter findings and results of simulations -- customers prioritize their findings based on attack type, sophistication of the attacker, segment of the network, amount of data exfiltrated, etc.
  • SIEM Integration (organizations with SIEM-centric SOC) - Findings can be integrated into existing alerting or action workflows to validate specific controls and alerts.
  • Business Intelligence Integration (organizations with data science teams) - Customers can use their existing tools like Kibana and Tableau to correlate and analyze data.

What happens if a security organization has detection policies configured instead of prevention policies? When that occurs, SafeBreach pulls SIEM data that shows whether an alert was triggered on the security control.

Remediate Issues

Workflows already exist for remediation. Once findings are prioritized per the above, tickets can be created, and results automatically sent to ticketing systems (i.e JIRA, ServiceNow) or Automation/Orchestration platforms (i.e. Phantom) for remediation. The blue team receives these cases and remediates. Many teams send the findings to their SIEM as well.

Once issues are remediated, simulations are automatically re-run to a) validate the effectiveness of the remediation and b) ensure that no new risk was introduced by the changes.

It seems today that all too often, security product teams forget that we all need rescuing from “red dot hell.” WIth the right Breach and Attack Simulation platform, the red dots should decrease, and thus overall security should increase.