Apr 25, 2024

Architecting Cyber Resilience: Building Your Breach and Attack Simulation Program

At SafeBreach’s 2023 Validate East Summit, security experts discussed their approaches to developing a successful BAS program.

In recent years, breach and attack simulation (BAS) has gained significant traction among enterprises, emerging as a crucial component in fortifying proactive security by automating the ongoing testing of threat vectors. It empowers organizations to verify potential threats, enhance security controls, identify vulnerabilities in critical assets, and prioritize remediation efforts to bolster cyber resilience. However, to achieve optimal outcomes, it’s imperative to recognize that BAS is more than just a tool. Enterprises that gain the most value from BAS approach it as a comprehensive program. At SafeBreach’s 2023 Validate East Summit, security experts discussed their approaches to developing a successful BAS program.

Panelists included:

Choosing to implement breach and attack simulation (BAS)

Across the board, the panelists agreed that the goal of implementing a BAS program was to derive efficiency gains and reduce manual processes. As Garet Stroup, Associate VP of Threat Incident and Response at Humana, pointed out, implementing a BAS solution was never meant to replace red teaming, purple teaming, or penetration testing within their security organization; instead, the goal was to allow them to significantly increase the scalability of all of those activities—not just in their corporate environment, but in the subsidiaries as well. As a result, they had the ability to evaluate their posture across all companies under the Humana umbrella. 

Nathan Collis Coelh, Senior Security Engineer at Experian, agreed that the ability of BAS to validate security controls in a continuous way allowed their security team to work more quickly, accurately, and efficiently, beyond the capabilities of traditional security testing. He noted that with BAS, “You don’t need to run a pen test every time you have a change in the firewall or any secure control.” 

Conveying the value of BAS to the organization

For each of the organizations included on the panel, the value of BAS (and specifically of SafeBreach) could be seen plainly in the numbers. Garet noted that in many cases, red and blue team activities could take months at Humana. “Now we’re able to do the dev work within SafeBreach, deploy it, have a lot of triage done automatically, and understand the results in a matter of weeks.”

The Senior Manager of IT Security at a Fortune 500 pharmaceutical enterprise noted that their CISO already understood the value of BAS as part of their security testing and as a supplement to their penetration testing, so they focused on educating end users. Again, it came down to efficiency. “We know [the team uses] multiple firewalls and multiple security levels. If those are effective, we can reduce risk.” This efficiency would reduce the amount of time spent patching and manually testing those patches. “So, that was really getting the buy-in to try to quantify the effectiveness of our security controls.”

According to Vladlen Rotshteyn, Associate Manager of Information Security at Regeneron, the BAS rollout at Regeneron went beyond traditional IT. “Initially, we went with just the IT side of the house,” he explained. “We later expanded it to the OT [Operational Technology] side. It’s all the manufacturing equipment—and it’s a much more isolated environment.” He noted that SafeBreach allowed the team to identify gaps in their OT environment, where security was even more critical.

Putting together the right team

Because of the potential impact of implementing a BAS program, it wasn’t difficult for Humana to justify allocating a dedicated staff position to focus on BAS. They chose an individual who had development experience, as well as experience in operations security (OpSec) and “all things blue,” said Stroup.

The Experian team took a different approach. They were able to leverage the robust functionality of SafeBreach to expand the capabilities of existing team members. “We were able to take the technical leads for the blue team,” who had interest in red-team activities, said Nathan, and “turn them into a purple team through SafeBreach.” 

Since Regeneron had both IT and OT security folks using the platform, their team also looked different. Because their team is relatively small, Regeneron did not select a dedicated team member to manage their BAS program—instead, each team member plays multiple roles, many of which involve using the SafeBreach platform for a number of functions, including cloud security, reporting and metrics, and configuration drift. They were able to leverage SafeBreach-as-a-Service, a program that provides ongoing strategy and support from SafeBreach experts, to get both their IT and OT teams up and running with BAS.

Keeping up with the changing threat landscape

For Garet at Humana, there has been plenty of access to strategic and operational threat intelligence that pertains to the organization, “but making that actionable has always been a challenge.” One of his team’s first big milestones after launching a BAS program was being able to create and test complex ransomware within their environment safely through SafeBreach.

Nathan at Experian noted that collaboration and communication with different teams is what allows their BAS program to be successful on this front. “It’s all about connection, right? It’s about communication with the different teams, what data you have, and how you can better access the environment using that data. So if you can interact with the stakeholders from the different teams, you can have the empowerment for that, which actually plays a key in this process.”

As executive leadership becomes more aware of cyber threats, security teams are getting asked more and more often if the organization is protected against the latest high-profile threats. “It used to be just security folks that would have to find out [about new threats],” noted the Senior Manager of IT Security at the Fortune 500 pharmaceutical company. “Now it’s the executives asking that question of the CISO as well. Are we protected against this? Are we protected against this latest ransomware?” SafeBreach’s 24-hour SLA to add new US-CERT and FBI Flash alerts to the platform has allowed the Regeneron team to quickly convey risk against the latest threats to executive leadership. “We can say yes or no, we are affected,” they said. “And we ran a test against it.”

Experian takes it even further, leveraging SafeBreach’s APIs to develop their own custom simulations from those CERT alerts and reporting back to their deputy CISO.

Tracking security posture and measuring success 

Like their colleagues at Regeneron, the team at Experian pays close attention to configuration drift when it comes to monitoring their security posture and the efficacy of their security programs. “We would like to identify if we are changing for the better, or if it’s worse after every change. And the changes are not just in our environment, the changes can come from the vendors, or the cloud…” 

Humana’s team focused heavily on increased efficiency and reduced cost. As a result, Garet noted, their reporting was built around their ability to scale and the time to deliver and repeat security testing exercises. “[With SafeBreach] we’ve seen a 95% reduction in time to re-perform a given scenario versus what it was in our manual processes.” Given that Humana had just launched their BAS program and reached their first milestone, Garet noted that he expected their metrics and reporting to shift over time as their priorities change and their organization matures.

In addition to posture and configuration drift, Regeneron leverages SafeBreach to assess the return on investment on other security tools in their stack.

Looking to the Future: BAS as the basis for a proactive cybersecurity or CTEM program

One key takeaway from this discussion is that BAS implementation can and should be as diverse and unique as the individual environment of the organization. What’s important is to understand the organization’s specific needs and goals, draw from the experience of others in this cutting-edge space, and have the means to validate and clearly communicate the organization’s posture and risk to security and business leaders.

Support from colleagues and leaders in the cybersecurity community continues to be one of the best ways to discover and enhance an organization’s approach to a BAS program. With proactive security becoming the industry standard, organizations need a solution that is flexible and robust, offers a support team that acts as a true partner, and has a robust community that can share insights to support growth and education. 

That’s the vision behind the SafeBreach Validate Summit—to create an event that regularly brings together experts in the security community to discuss challenges, best practices, and key considerations for building a proactive security program. SafeBreach’s next Validate Summit will be held on May 22, 2024, at The Star in Dallas—request your invitation to the event today.
