Acting on Results Provided By Breach and Attack Simulation
Are Augusto Barros and Anton Chuvakin the hardest-working analysts at Gartner?
Recently, they’ve issued a call to action on threat simulation, dived into Breach and Attack Simulation technologies, and asked many relevant questions in their multiple blogs. In case you missed it, we’ve responded with our perspective. Our first blog compared Breach and Attack Simulation to Pen Testing, Red Teaming, and Vulnerability Management. Our second blog discusses how real simulations should be to actually validate security controls.
In Augusto and Anton’s third blog “The Bane of All Security Tests: Acting on Results”, they posed an important question: “How do you actually act on results provided by Breach and Attack Simulation?”
This is indeed a critical issue. For far too long, we’ve seen security teams deploy new security products, only to be overwhelmed by the results. (Some of our favorite CISO customers call it “red dot hell.”) As reiterated by one of our very early customers -- “Don’t just tell what I’m doing wrong, I hear that from my wife every day. Tell me what I need to do to fix issues.”
There are some key considerations when we think about prioritization and actionable results:
Prioritize Results
Based on the considerations above, how do our customers prioritize the findings we provide? Several options are offered, which is essential to cater to the varied security preferences and maturity levels of security teams. They may analyze the results as follows:
What happens if a security organization has detection policies configured instead of prevention policies? When that occurs, SafeBreach pulls SIEM data that shows whether an alert was triggered on the security control.
Remediate Issues
Workflows already exist for remediation. Once findings are prioritized per the above, tickets can be created and results automatically sent to ticketing systems (e.g. JIRA, ServiceNow) or automation/orchestration platforms (e.g. Phantom) for remediation. The blue team receives these cases and remediates. Many teams send the findings to their SIEM as well.
Once issues are remediated, simulations are automatically re-run to a) validate the effectiveness of the remediation and b) ensure that no new risk was introduced by the changes.
It seems today that all too often, security product teams forget that we all need rescuing from “red dot hell.” With the right Breach and Attack Simulation platform, the red dots should decrease, and thus overall security should increase.