Breach & Attack Simulation
Security is point-in-time. It’s not a matter of if you get hacked, but when. Why not simulate hacking yourself to get better at attack detection and response?
Terms You Might Also Hear
- Attack Simulation
- Automated Red-Teaming
- Breach Simulation
- Continuous Security Validation
- Security Posture Validation
- Threat-Informed Defense
Problem Statement
- For attackers, there is a high upside to a breach and a low chance of consequences.
- Companies have a hard time detecting breaches and successful attacks.
- The average time to detect and contain a data breach is 280 days. Attackers can take what they want from who they want when they want.
Market Solution
Enter Breach & Attack Simulation (BAS) platforms.
- Compliance frameworks and risk assessment methodologies are subjective. Let technology tell you where your real risks are instead.
- Continuous threat assessment and security control validation by way of simulated attacks. Test controls, test processes, and test people.
- Map the efforts to an attacker playbook or MITRE ATT&CK framework, and you’ve got “Attacks as Code (AaC).”
Players
This is not an exhaustive list. If I'm missing a company, let me know!
Predictions
- There will be an industry shift from “vulnerability management” to “exposure management.”
- Focused patching will take on a new meaning. Vulnerabilities are not created equal. Solutions like this can help you better focus your patching efforts on what matters.
- Security risks from mergers and acquisitions can get added context using this technology.
- Monte Carlo "what-if" simulations can become a popular exercise among top executives. Have fun trying to come up with crazy scenarios to detect and defend against.
- Strengthen the supply chain. Companies will use this kind of technology to find out which partners measure up and which ones do not.
Opportunities
- Create a new business model. Red, blue, and purple team testing-as-a-Service businesses could launch from these platforms.
- Simulate “famous” attack scenarios. Attempt to do a malicious code injection into your CI/CD pipeline a la SolarWinds. Deploy fake ransomware like the Colonial Pipeline ransomware event.
- Put context around vendor management programs and third-party vendor security. Stop relying on subjective, point-in-time questionnaires. Start surfacing legitimate and real threats to your business and supply chain.
- Supplement your threat modeling. It all comes back to context, risk, and likelihood of a given solution. Make sure the controls you’re implementing add value.
- Improve security architecture patterns. This should go without saying, but learn from these systems. Identify patterns of weakness in your architecture patterns and remediate them going forward.
Key Insights
- Don’t forget the human side. Technology continues to evolve, but this can't replace skilled pen testers (if any vendors tell you this, run the other direction!).
- Use this technology to reduce your biggest threats and patch vulnerabilities that matter.
- Hone in your security investments. Technology like this can help you buy the right things for your security program and company. Defense-in-Depth doesn't work if it's not focused.
- Improve your audits. You can now go beyond paper-based questions and get to the heart of the matter of your security risks.
- Frameworks aren’t enough. Frameworks help build out core capabilities, but they can’t tell you how secure you are from real threats. Automated testing makes frameworks tangible.
Pro Positions
What type/size/stage company should leverage these platforms?
- Startups - especially for cloud-first startups, this kind of solution is great for you. If you need an ad-hoc or recurring scan or pentesting for SOC 2 or regulatory compliance, this is where to look. Do it (Just in Time) JIT style when your customers need it at this stage. The cloud makes using this kind of platform a no-brainer.
- SMBs - This kind of tech is important and affordable for your customer-facing applications. Make this a habit as you build up your internal capabilities.
- Larger Companies - This should be an essential part of your enterprise security strategy, if and only if, you are well-practiced at patching and incident response processes. Most large companies have too many risk acceptances and process exceptions to really mitigate their biggest risks, so a tool like this might not be as effective unless you change priorities and expectations on mitigating exposure over just patching.
What makes one of these platforms “good?”
- Prioritization of identified threats.
- Context around vulnerability data and exposure of weak points to the Internet.
- Visualized attack paths so you can under the “how.”
Out of the Players listed, who are the top to consider?
- If you’re a startup/SMB that is cloud-first, check out Detecitfy and XM Cyber.
- If you’re a larger enterprise, Cymulate is the up-and-coming leader in this space and one you should strongly consider.
References
- What is Deception Technology? Tools and Solutions
- 10 Hot Breach And Attack Simulation Companies To Watch In 2021
- What Is The Average Time To Detect Data Breaches?
Thanks for reading this far!
This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer.
If I missed something (or am just wrong), let me know!
This is not a paid post, and none of the companies listed above paid for placement. I just pick a few companies at random when I write. Also, at the time of writing this post, I have no active investments in any of the companies mentioned above.
If your company is looking to get more of a highlight, consider sponsoring the Security, Funded newsletter.