By Michael Diehl, Technology Editor
Security testing is a task challenging enough that many professionals don’t even try to learn how to do it themselves. Nevertheless, it is extremely vital to your security posture - most compliance standards require organizations to perform security testing on a regular basis. But taking the various network components, systems and applications that make up your corporate infrastructure through their paces can be extremely time-consuming. With technical staff trained in the arts often coming at a premium price, do you bite the bullet and hire a team, outsource to a specialized firm, or just do nothing?
Tools in this space can greatly reduce the total cost of performing regular security tests. They can perform hundreds of tests a day, making them much more effective than outsourcing for one time. They focus on testing from different network segments and across multiple attack vectors to provide a complete view of the gaps present in your security plan. They also are updated frequently to include new vulnerabilities, attack patterns and malicious files to keep simulations as real as possible.
The solutions are very easy to deploy and require very little setup. They can be centrally managed and can cross multiple network segments – making them quite effective for organizations with small security teams. They aim to automate many of the traditional red team activities into a few software packages that are installed across the organization as well as in the cloud. Some come with prebuilt playbooks to get your testing up and running in a few quick clicks, while others feature more robust customization to allow fine-tuning of simulations. While these are just simulations, they do still provide valuable information on the potential weaknesses in your security portfolio that can greatly increase your teams experience and proficiency during all phases of the security lifecycle as well as incident response.
Something New
On occasion, our Products Review Team addresses emerging technologies and markets. The purpose is to look at segments in the information assurance space that represent new technologies, needs and capabilities. In those emerging areas there always are new entries and old pros that want to expand into the space. We will be looking at both – and bringing you the companies and products that we believe will shape the future.
The focus this month is on the emerging Breach and Attack Simulation (BAS) products that are becoming more mainstream. These solutions first appeared four to five years ago and have begun transforming the security testing landscape. The team here at SC Labs was anxious to get a firsthand look at these tools and see if they lived up to the hype.
The tools allow an organization to answer some of the more elusive security questions: How secure are we? Are we alerting on the right conditions? If we get an alert, will our staff respond? Can we respond to an attack and contain it effectively?
Since the solutions are still fairly fresh to the space, you may wonder how they work. The tools we looked at all used simulations to test network security in a risk-free environment. While this may limit what they are capable of simulating, these tools provide a lot of insight on security holes and can greatly decrease the manual effort required during testing.
At first glance their limitations are obvious, but they do offer a few different use cases that they are uniquely suited to handle – controls, staff and product testing.
Controls testing is typically done on a case by case basis and generally requires some sort of manual interaction. These tools, though, can perform hundreds of attack simulations per day that are extremely useful, – letting you perform simulations as part of your risk assessments when making changes to your security technologies. With the rise in popularity of managed service providers, BAS tools can be used to validate third-party controls as well.
Understanding if the correct items are being monitored and the appropriate level of alerting is enabled is key to any security operations center. BAS software can be used to simulate an attack and assess whether your technology is properly generating alerts. Not only can this tune up SIEM technology, but the toolsets also let you test how long security operations analysts take to respond to attacks and understand if they are following proper protocols.
While this is an interesting use case, it is often overlooked. But as the tools become more prevalent in the security space, this use case will be one that should be targeted and showcased.
Finally, most of these tools will allow organizations to assess whether security products are capable of doing all that they claim. Can you be certain your email filter is catching advanced attacks? Are your network segmentation practices keeping your crown jewels safe? BAS tools can take the guesswork out of this analysis.
While all the products showcased capabilities across these three use cases, they took different approaches in their development lifecycle to make their products stand out. The reviews team really thought the ability to understand which technologies were present inside the environment and provide real remediation guidance was useful. While this is a fairly unique feature – we understand the development work that went into it – we truly would like to see it in all sorts of technologies. Having a toolset provide relevant guidance on how to make firewall changes or around how to implement remediation recommendations will greatly reduce the time needed to take corrective action and will strengthen infrastructure security.
All tools reviewed focused on automating the security testing activities, but each tool targeted a different audience. Some keyed in on automating red-team activities, while others trained their attention on blue teams. Some provided information for security analysts and others seemed bent on delivering information to security professionals inside the decision-making process.
We’ve been following these tools for some time now, but not everyone may be as familiar with this space. Take some time and look at these products and this space.
While they haven’t been around long, they are doing great things and will most likely be a staple in the toolbox rather soon.
For a look at the Emerging Products click below:
SafeBreach Breach & Attack Simulation Platform