Can We Automate Security Testing?
Author: Jeff Anderson, VP Marketing, XM Cyber
More than 3,800 data breaches were reported between January and June of 2019, exposing over 4.1 billion records, according to the 2019 MidYear Data Breach Quickview Report.
That’s a record high in just the first two quarters. Compared to midyear of 2018, the number of reported breaches was up 54 percent and the number of exposed records was up 52 percent.
The volume of IT threats, and the surprisingly unsophisticated means needed to wreak damage, are putting unprecedented pressure on security teams.
With limited time and manpower, they need the right combination of visibility, intelligence, and context to find threats in real time and remediate them. Consequently, cyberattacks have reinforced the need for security testing across every industry. The best practice is to build a comprehensive automated security testing strategy and secure your organization’s critical assets, your “crown jewels.”
Automation: A ‘Must-Have’
Automation is a must-have, according to the CIOs, CTOs, IT VPs, and directors who responded to the 2019 High-Fidelity Security survey. Nearly 90% of them believe that the automation of tasks, actions, and/or analysis to achieve network security program goals for breach detection is either “important” or “very important.” However, only 40% have already implemented automated processes.
Over 68% of organizations believe they need more frequent security control testing, with those performing tests more frequently than annually being the biggest proponents of doing so, according to the same survey. Additionally, did you know that more than one-third of security professionals’ defensive blue teams fail to catch offensive red teams? That’s what the recent Exabeam Study revealed.
Advanced persistent threats (APTs) are sophisticated and in many cases mimic the behavior of legitimate users, making them hard to detect. To defend against an APT, the best approach is to mimic the APT. This is done in red team exercises, where a group of ethical hackers works just like real attackers targeting your critical assets, helping you find the security gaps and improve.
It is common to think that this human process cannot be automated. After all, the creative thinking, learning the environment and choosing the right techniques all make it a very “delicate” process. And if so, how can we scale security testing?
Welcome to Breach and Attack Simulation (BAS)
A new category of solutions has emerged to add some spice to the matter. Breach and Attack Simulation (BAS) solutions represent a new and emerging market and are directly adjacent to vulnerability assessment, according to the Market Guide for Vulnerability Assessment.
They automate security testing. Some challenge the existing security infrastructure and some model attack chains to identify the most-likely path an attacker would use to compromise an environment. BAS products are becoming more mainstream and have begun transforming the security testing landscape. They are definitely among the best automation tools for security testing.
The growing number of vulnerabilities, the evident value of business interruption to attackers, and the commoditization of attack tools and methods have made industrial networks a prominent target, and the first cases soon followed. Penetration testing is conducted by security experts, ethical “white hat hackers” who apply their knowledge of how to breach defenses to the task of penetrating an organization’s networks. BAS tools automate the testing process, performing the cycle of scan, exploit and repeat.
“If this can now be done with the simple click of a button, why would you use a human to do it? The tools can ensure consistency, provide better reporting and do the work faster,” said Gartner’s research VP Augusto Barros. “These tools provide a lot of insight on security holes and can greatly decrease the manual effort required during testing,” SC Magazine wrote.
Harness the Power of Purple Team Automation
Companies in any industry can benefit from a highly realistic red team-blue team exercise. But is this enough to fight cybercrime today? To what extent can organizations’ red and blue teams operate effectively in addition to fulfilling their everyday tasks with efficiency and continuity?
As many red and blue teams have worked very much in silos, there is the added danger that they can get out of sync with each other. By mimicking enemy tactics, organizations’ red teams make the blue teams better at defense. The red/blue approach fits well with a structured, episodic win/lose paradigm of defense—like an air battle. One side attacks, the other defends. Then, it’s over and there’s a discussion of what worked and what didn’t. The blue team gets busy improving their defenses for next time.
A new approach known as purple teaming has emerged as a middle ground solution. A purple team blends the activities of both red and blue teams. The purple team enables both attack and defense to exchange ideas, observations and insights more productively than is possible with the “us vs. them” ethos of the red/blue battles. An automated purple team truly accelerates the advantage of this approach: it can continuously simulate attacks such as APTs.
This automated platform also provides a remediation plan to thwart an attacker’s path(s) to critical assets. It never stops performing the red/blue cycle and helps augment the team’s tool kit.
This is helpful, given the constant changes in user activity, network infrastructure, network settings, and patches that characterize IT in real life. Vulnerabilities open and close round-the-clock. It’s best to detect and respond to them in a timely fashion. It is not humanly possible to do this manually, but machines and software (built correctly) can and should perform these tasks to aid in the fight against APTs.
“HaXM is the next logical evolution of automated pen testing programs. Not only does it offer continuous scanning that is easy to configure, it also provides advice to help fix problems. The HaXM program from XM Cyber aims to make automated penetration testing more reliable and accessible by improving on the current state of similar programs in several ways,” read a review by CSO Online in July 2019.