Security teams have a wide range of tools in their arsenal to combat cybersecurity threats, but the expanding attack surface and the sheer number of tools can make their jobs harder to manage. As we enter this new era of cybersecurity, security and risk management leaders are focused on validating the efficacy of their security investments, improving ROI, and taking a more programmatic approach in order to enhance their efficiency.
At our 2024 Validate Central user conference, Garet Stroup, Associate Vice President (AVP) of Threat Management & Response at Humana, discussed the important role that breach and attack simulation (BAS) plays in creating that efficiency and cohesiveness that security teams need. Below, we outline key takeaways from his presentation, including why BAS matters, what it can help you accomplish, and how you can expand your BAS program.
Why Breach & Attack Simulation Matters
For Garet and his team, there are four major areas where SafeBreach’s BAS capabilities bring the most value. He refers to them as the four Cs:
- Cost. Labor is expensive, particularly when it comes to offensive security. BAS not only enhances what your security experts can do, but it allows them to automate low-level tasks so they can focus on solving the problems that only a human can solve.
- Controls. Enterprise environments are complex and constantly changing, and so are the controls you need to secure them. BAS ensures that your controls are working as intended and identifies areas where you may have gaps or overlap.
- Complexity. Especially when it comes to enterprises, security teams are faced with a dynamic and expanding attack surface. Being able to continuously test with BAS gives teams the ability to stay ahead of current threats, while accommodating their ever-changing environments.
- Culture. This is a lesser-known “secret weapon” of BAS capabilities. Historically, red and blue teams may have had a difficult partnership. BAS can help fill the gaps in communication between offensive and defensive teams, allowing them to shift from a competitive to a more collaborative relationship. And approaching BAS as a program, rather than just a tool, lets security teams take a very threat-focused approach.
What BAS Isn’t
Before diving into BAS best practices, it’s important to understand a few things that BAS is not.
It isn’t just for enterprises.
SafeBreach can be deployed at any size company—and it doesn’t have to be complex to manage. While there’s a positive correlation between how many controls and networks you have in your environment and the complexity of managing BAS, smaller organizations can still leverage its full capabilities with low-barrier activities like out-of-the-box scenarios.
It’s not a one-time activity.
The SafeBreach BAS platform is not something you set and forget. While there are certain scenarios or simulations you can build and run in a continuous manner, it’s not a static, point-in-time exercise. Its continuous and dynamic nature means that it will grow and change along with your environment.
It doesn’t replace your offensive security function.
BAS is designed to balance speed, cost, and quality in order to steer your team in the direction needed to identify and remediate threats. According to Garet, SafeBreach does “a beautiful job of giving you that balance—of having a US-CERT, FBI Flash alert, and other simulations deployed very quickly at a high fidelity and a cheap cost, which is difficult to do.”
This does not replace an offensive security function; however, it does influence and help elevate many aspects of offensive security and even defensive capabilities.
Setting a Strong Foundation with SafeBreach
As previously mentioned, BAS is a program that can grow along with any security approach—even as part of a larger program like continuous threat exposure management (CTEM). Here are some of the key places to start:
C-Suite Inquiries
Being able to show value to the board and C-suite—be it qualitative or quantitative—is essential to ensure that there is sufficient funding to continue to grow and improve security programs. The more value you can show, the easier it is to make the business case for the funding to grow your team and toolset.
Ransomware Testing
A number of high-profile threat groups have recently been targeting critical infrastructure. We’ve seen notable breaches in the headlines where companies are held hostage by ransomware. With BAS, teams can quickly run attack scenarios to understand how defensive controls perform against ransomware. While this would otherwise be difficult to quantify for the company, BAS makes it easy for executives to understand when presented as, “We have x percent coverage against the documented TTPs of this threat actor that we know is or will be targeting us.”
Incident Response Trainings on Common Scenarios
Within the defensive world, there’s a lot of attrition. BAS ensures that new analysts are properly trained on the scenarios they’re going to see day in and day out, giving them a strong baseline of knowledge for how to execute the playbooks. This alleviates some of the lift of onboarding and ensures that these operations can run with minimal interruption.
Establish Purple Team & Detection Validation
Detection validation and custom detection validation are excellent ways to quantify return on investment. While it would be nice if all security activities were preventative, the reality is that things will inevitably break through. Security controls aren’t perfect. There are always going to be variations of the TTPs that subvert those controls. To adjust for that, security teams build custom detections—but they need to know that those custom detections are going to work.
Validating those detections manually can be extremely slow, costly, and labor intensive, especially for large enterprises that may have five hundred, seven hundred, or a thousand custom detections. Manually validating those with any real frequency becomes expensive.
Instead, teams can automate almost all of that with SafeBreach by building a detection-as-code pipeline and integrating with SafeBreach as new custom detections are built. That provides confidence that if a given scenario is seen, the SOC will be alerted, and the team can then test the associated playbooks.
Control Validation & Comparison
Security control validation is one of the most common use cases for SafeBreach—ensuring controls are operating effectively. Through this process, security teams have discovered that they can leverage these same features to evaluate new controls to see what is more effective in their particular environment.
For example, if you’re evaluating different EDR technologies, it’s ideal to know which is going to be most effective based on the TTPs you’re most concerned about. And the SafeBreach BAS platform can help you figure that out.
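As an added illustration of the two ideas above (automated validation of custom detections and using the same data to compare candidate controls), here is a small Python harness. It is example code written for this post, not code from SafeBreach or from Garet's presentation, and it does not use or imply any SafeBreach API. The telemetry events, detection rules, threat-actor TTP list and the two EDR models are all constructed assumptions; the ATT&CK technique ids are real identifiers, but the mapping of events to them is illustrative. The harness flags rules that never fired on a simulated run, reports coverage against the documented TTP list (separating "simulated but missed" from "never simulated"), and scores two control sets on identical input.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Event:
    """One telemetry record produced by a simulation step (constructed)."""
    technique: str   # ATT&CK technique id the step maps to
    image: str       # process image name as the endpoint sensor logs it
    cmdline: str     # command line as logged; <...> marks simulated values


@dataclass(frozen=True)
class Detection:
    """One detection-as-code rule: a name, the technique it claims, a predicate."""
    name: str
    technique: str
    matches: Callable[[Event], bool]


# Constructed telemetry from one simulated ransomware-precursor run; nothing is executed.
SIMULATED_TELEMETRY = [
    Event("T1059.001", "powershell.exe", "powershell.exe -EncodedCommand <simulated>"),
    Event("T1003.001", "sim-agent.exe", "sim-agent.exe --read-memory lsass.exe"),
    Event("T1490", "vssadmin.exe", "vssadmin.exe delete shadows /all"),
    Event("T1021.002", "net.exe", "net.exe use \\\\<simulated-host>\\ADMIN$"),
    Event("T1486", "sim-encryptor.exe", "sim-encryptor.exe --dry-run"),
]

# Constructed TTP list for a tracked threat actor; T1566.001 has no simulation in this run.
ACTOR_TTPS = {"T1059.001", "T1003.001", "T1490", "T1021.002", "T1486", "T1566.001"}

# Constructed custom detections. The last rule was written for the wrong image name
# (net1.exe instead of net.exe), so it never fires: exactly the defect validation catches.
CUSTOM_DETECTIONS = [
    Detection("encoded-powershell", "T1059.001",
              lambda e: e.image == "powershell.exe" and "-encodedcommand" in e.cmdline.lower()),
    Detection("lsass-memory-read", "T1003.001",
              lambda e: "lsass.exe" in e.cmdline.lower() and e.image != "lsass.exe"),
    Detection("shadow-copy-delete", "T1490",
              lambda e: e.image == "vssadmin.exe" and "delete shadows" in e.cmdline.lower()),
    Detection("admin-share-mount", "T1021.002",
              lambda e: e.image == "net1.exe" and "admin$" in e.cmdline.lower()),
]


def technique_set_control(name: str, techniques: Iterable[str]) -> list[Detection]:
    """Model a product by the techniques it alerts on (constructed, not vendor data)."""
    return [Detection(f"{name}:{t}", t, lambda e, t=t: e.technique == t) for t in techniques]


# Two constructed EDR candidates evaluated on the same run.
EDR_CANDIDATES = {
    "edr-a": technique_set_control("edr-a", ["T1059.001", "T1003.001", "T1486"]),
    "edr-b": technique_set_control("edr-b", ["T1059.001", "T1490", "T1021.002", "T1486"]),
}


def fired(detections, telemetry) -> dict[str, bool]:
    """Which detections alerted at least once during the run."""
    return {d.name: any(d.matches(e) for e in telemetry) for d in detections}


def silent_detections(detections, telemetry) -> list[str]:
    """Rules whose technique was simulated but that never fired: pipeline failures to triage."""
    simulated = {e.technique for e in telemetry}
    hits = fired(detections, telemetry)
    return sorted(d.name for d in detections if d.technique in simulated and not hits[d.name])


def coverage_report(actor_ttps, detections, telemetry) -> dict:
    """Coverage of a documented TTP list: covered, simulated-but-missed, and never-simulated.
    The percentage is over the full list, so untested techniques count as not covered."""
    simulated = {e.technique for e in telemetry}
    covered = {d.technique for d in detections if any(d.matches(e) for e in telemetry)}
    covered &= actor_ttps
    return {
        "covered": sorted(covered),
        "gaps": sorted((actor_ttps & simulated) - covered),
        "untested": sorted(actor_ttps - simulated),
        "percent": round(100 * len(covered) / len(actor_ttps), 1),
    }


def compare_controls(actor_ttps, control_sets, telemetry) -> dict[str, float]:
    """Score each candidate control set on the same telemetry and the same TTP list."""
    return {name: coverage_report(actor_ttps, dets, telemetry)["percent"]
            for name, dets in control_sets.items()}


if __name__ == "__main__":
    print("silent rules:", silent_detections(CUSTOM_DETECTIONS, SIMULATED_TELEMETRY))
    print("coverage:", coverage_report(ACTOR_TTPS, CUSTOM_DETECTIONS, SIMULATED_TELEMETRY))
    print("candidates:", compare_controls(ACTOR_TTPS, EDR_CANDIDATES, SIMULATED_TELEMETRY))
```

In a real detection-as-code pipeline the rule predicates would be the compiled form of the rules under version control and the telemetry would be pulled from the SIEM after each simulation run; the reporting logic stays the same. Keeping "untested" separate from "gaps" matters for the executive number: a technique that was never simulated should never be reported as covered, but it is also not evidence that a control failed.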
Expanding on Your BAS Foundation
Once a BAS program is in place, there are a number of ways it can grow as your organization’s maturity increases.
Next-Level Control Validation
Once there is a regular process for custom detections, Garet recommends that teams expand into canary or deception programs. This might include honey tokens, honeypots, or canaries deployed throughout a network. As with custom detections, that validation workflow can be automated with SafeBreach.
A More Custom, Environment-Specific Approach
Teams can also build on their BAS foundations by taking a more custom, environment-specific approach to those activities. Large enterprises have very specific threat actors that their intelligence teams may be tracking, including groups that are not publicly known advanced persistent threat actors (APTs). It could even be an internal red team. Being able to build custom simulations based on that intelligence is a great next step. Training your incident response team on some of those very environment-specific scenarios is another good way to expand the existing program.
Branching or Conditional Logic
We know that threat actors don’t work linearly. They evaluate at every step of their kill chain and may pivot and change their TTPs to be more successful. With conditional logic and branching in the SafeBreach platform, teams can combine many simulations based on the environmental factors encountered throughout that kill chain. This streamlines the scenarios and makes them much more realistic.
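To make the branching idea concrete, here is an added Python example of a kill-chain scenario expressed as a graph in which the next step depends on what the controls did to the previous one. It is illustrative code written for this post, not SafeBreach's scenario engine or anything from Garet's presentation. The graph, the two control-behaviour tables and the pivot semantics (a prevented step pivots to an alternative where one is defined, a merely detected or missed step continues) are all constructed assumptions; the ATT&CK technique ids are real identifiers used only as labels.

```python
from dataclasses import dataclass

# Outcomes a control can produce for one simulated step.
PREVENTED, DETECTED, MISSED = "prevented", "detected", "missed"


@dataclass(frozen=True)
class Step:
    step_id: str
    technique: str          # ATT&CK technique id the step exercises (label only)
    next_by_outcome: dict   # outcome -> next step id, or None to end the chain


# Constructed kill-chain graph. A prevented step pivots to an alternative where one is
# defined; a step that is only detected, or missed entirely, continues down the chain.
SCENARIO = {
    "initial":     Step("initial", "T1566.001",
                        {PREVENTED: None, DETECTED: "exec-ps", MISSED: "exec-ps"}),
    "exec-ps":     Step("exec-ps", "T1059.001",
                        {PREVENTED: "exec-vbs", DETECTED: "creds-mem", MISSED: "creds-mem"}),
    "exec-vbs":    Step("exec-vbs", "T1059.005",
                        {PREVENTED: None, DETECTED: "creds-mem", MISSED: "creds-mem"}),
    "creds-mem":   Step("creds-mem", "T1003.001",
                        {PREVENTED: "creds-files", DETECTED: "lateral", MISSED: "lateral"}),
    "creds-files": Step("creds-files", "T1552.001",
                        {PREVENTED: None, DETECTED: "lateral", MISSED: "lateral"}),
    "lateral":     Step("lateral", "T1021.002",
                        {PREVENTED: None, DETECTED: "impact", MISSED: "impact"}),
    "impact":      Step("impact", "T1486",
                        {PREVENTED: None, DETECTED: None, MISSED: None}),
}

# Constructed control behaviour per technique, as a BAS run would observe it.
CONTROLS_CURRENT = {
    "T1566.001": DETECTED, "T1059.001": PREVENTED, "T1059.005": MISSED,
    "T1003.001": PREVENTED, "T1552.001": MISSED, "T1021.002": DETECTED, "T1486": DETECTED,
}
# The same environment after a script-host policy change (constructed).
CONTROLS_AFTER_FIX = {**CONTROLS_CURRENT, "T1059.005": PREVENTED}


def run_scenario(scenario, start, controls, goal="impact", max_steps=20) -> dict:
    """Walk the graph, choosing each next step from the outcome the controls produced.

    Returns the path taken, whether the chain was contained (ended on a prevented step),
    whether the goal step completed, and the detection and prevention gaps along the path.
    """
    path, step_id = [], start
    while step_id is not None:
        if len(path) >= max_steps:           # guard against a mis-authored graph that loops
            raise RuntimeError("scenario graph does not terminate")
        step = scenario[step_id]
        # No observation for a technique: assume nothing fired rather than assume coverage.
        outcome = controls.get(step.technique, MISSED)
        path.append((step.step_id, step.technique, outcome))
        step_id = step.next_by_outcome[outcome]
    last_id, _, last_outcome = path[-1]
    return {
        "path": path,
        "contained": last_outcome == PREVENTED,
        "reached_goal": last_id == goal and last_outcome != PREVENTED,
        "detection_gaps": [t for _, t, o in path if o == MISSED],      # nothing saw it
        "prevention_gaps": [t for _, t, o in path if o == DETECTED],   # seen, not stopped
    }


if __name__ == "__main__":
    for label, controls in (("current", CONTROLS_CURRENT), ("after fix", CONTROLS_AFTER_FIX)):
        result = run_scenario(SCENARIO, "initial", controls)
        print(label, "->", " / ".join(f"{s}:{o}" for s, _, o in result["path"]))
        print("  contained:", result["contained"], " reached goal:", result["reached_goal"])
        print("  detection gaps:", result["detection_gaps"])
```

With the current control table the chain pivots twice (the PowerShell step is blocked, so the script-host fallback runs; in-memory credential access is blocked, so the credentials-in-files fallback runs) and still reaches the impact step, which tells the team that the two fallback techniques are the detection gaps to close. Re-running the same graph against the post-fix table shows the chain contained at the third step, which is the before-and-after evidence the earlier sections describe presenting to leadership. A linear scenario would have required a separate simulation for each fallback and would not have shown which pivot actually mattered.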
Bringing It Together: A Programmatic Approach
If security leaders can’t show a return on investment, they’re unlikely to receive the necessary funding from the larger organization needed to grow and solidify security programs. BAS has the power to bring together many security functions that were historically siloed and isolated. SafeBreach can help enhance the whole security life cycle.
It’s important for security and risk management leaders to increase confidence in control effectiveness continuously. Many organizations are still working with point-in-time assessments, which are slow, expensive, and ultimately have gaps. If you can automate that, which you can with BAS, there’s tremendous value there.
But security controls are only one part of an overall program. When you’re in a high-attrition domain, ensuring that your staff is trained consistently and has a strong knowledge base is key. Furthermore, the industry has struggled for many years to get offensive and defensive teams to be more cohesive. By leveraging BAS, teams can work from the same playbook and work together to discover and highlight the control changes that need to be implemented. Ultimately, the more cohesive and collaborative your security program is, the more effective it will be. If you want to learn more about how a BAS program can benefit your security program, schedule a personalized demo with SafeBreach experts to get started.