For those in the cybersecurity industry, it should be quite comforting to see how organizations now acknowledge the threat of cyberattacks. They’re now taking the matter much more seriously, implementing security strategies and measures, and investing in tools and solutions to protect their respective infrastructure. Security spending has been rising yearly and is expected to reach $124 billion by 2020.
But the big question in many business leaders’ minds is: Do our measures actually work? Surely, no one wants to face an actual cyberattack in order to find out if their deployed solutions can actually stop hackers from breaching their networks and making off with their precious data. This is where testing and security validation come in.
Conventionally, vulnerability scans, penetration tests, and red and blue team exercises are conducted to check how well the organization’s defenses perform. For some organizations, however, these tests can be difficult to run because of the costs, skills, and resources needed to execute them well. In addition, given how dynamic computing environments can be, continuous risk assessment, rather than mere occasional checks, is needed to ensure that controls constantly work.
Because of this, breach and attack simulation (BAS) has gained traction as an approach to security testing as it allows organizations and security teams to run security validation tests conveniently. So what exactly is BAS and how does it simplify testing for organizations?
How is security testing usually done?
Security testing tries to find the weak points of an infrastructure and is conventionally performed using these methods:
- Vulnerability Scanning. Specialized scanning software is used to take inventory of the devices, appliances, and applications connected to a network. It then identifies which ones are affected by potential exploits.
- Penetration Tests. These tests are typically performed by white hat hackers who would attack the network, emulating tactics used in real-world cyberattacks.
- Red Team vs. Blue Team. This method works just like a war game where the “red team” takes on the role of attackers trying to penetrate the network and the “blue team” takes on the defensive role and works on mitigating and responding to the attacks.
Despite the availability of these methods, some organizations are likely to forgo testing. With the exception of vulnerability scanning, these methods can be difficult to perform due to the following reasons:
- High skill requirement. For penetration tests to be effective, the tester should be highly skilled and test security using a variety of methods in order to pinpoint the gaps in the defensive perimeter. As it is, the cybersecurity space suffers from a lack of qualified professionals.
- High costs. Costs of a single penetration test can run anywhere from $5,000 to over $100,000, depending on the professional or security firm performing these tests. Smaller operations typically work with limited budgets. With their security spending typically earmarked for acquiring security tools and solutions, it’s understandable why testing often becomes overlooked.
What’s BAS and what advantages does it bring?
As the name suggests, BAS tests an organization’s security by simulating data breaches and other cyberattacks against its controls. It looks to address these two key barriers by allowing users to run tests using easy-to-use interfaces. A BAS platform may only require users to install a client on one endpoint or workstation on their network, and they would already be able to run tests across the network using a cloud-based portal.
BAS provides several key advantages over conventional methods, including the ability to:
1. Test multiple security controls comprehensively
BAS platforms offer preconfigured attack scenarios that can test multiple potential attack vectors. For example, they can test web applications against SQL attacks, email servers against phishing messages, and endpoints against malware execution. By doing so, the controls deployed to protect these vectors, such as firewalls, filters, antimalware, and endpoint protection, are also tested.
2. Simulate different attack scenarios including complex ones
The attack scenarios that BAS platforms simulate are based on tactics and techniques used by actual threat actors. Using a combination of these scenarios, organizations can even mimic complex attack campaigns that are being used by threat groups. Hackers use a combination of techniques in order to successfully commit a data breach. For example, they use phishing to gain access, deploy malware to take control over devices and scan for data, and exfiltrate the data to an external destination. This full kill chain can be simulated through BAS.
3. Perform routine tests automatically
BAS also allows for continuous testing. Users can simply select the tests to run and schedule them. The platform will then automatically run the simulated attacks. Penetration tests and red vs. blue team exercises are often impossible to perform at regular intervals. BAS tests can be run every time there are new changes made to the infrastructure. For instance, checks can be made whenever new solutions are deployed or when software and application patches are rolled out.
4. Gain actionable insights on how to improve defenses
Another advantage BAS offers is that it makes test results readily available to organizations. Reports from penetration tests and red team exercises can take time to be compiled and submitted. BAS simplifies this by providing visualizations of test results, scores, and insights on how well the security controls perform. By making the information actionable, organizations can quickly mobilize their IT teams to make the necessary defensive adjustments.
How will it impact the security space?
By simplifying testing, BAS allows security checks to be done on a wider scale. Enabling organizations to validate their security controls and measures can result in them having more robust defenses against actual cyberattacks. Everyone will surely benefit if they are able to better secure their networks. Wider testing can also challenge security firms and providers to improve upon their solutions to consistently withstand both simulated and real attacks.
BAS solutions may be relatively new in the cybersecurity space with the segment only formally labeled as such by Gartner in its 2017 Hype Cycle. However, BAS has already gained traction in adoption. The BAS market is growing and is expected to reach over $1.6 billion by 2027.
As with most innovation involving automation and empowering end users, security professionals may think that the availability of BAS might adversely affect them. On the contrary, the emergence of these solutions should come as a welcome development for security professionals. BAS should lessen the burden on them to manually perform continuous testing and enable them to focus on other high-value activities.
BAS simplifies security testing by helping organizations overcome the barriers of expertise and costs. Organizations can perform tests using their existing resources and minimize the need to involve experts to perform routine tests. While not exactly cheap, BAS allows IT teams to perform multiple tests repeatedly, which is more cost-effective than conventional testing methods. Ultimately, simplified testing empowers organizations to improve their security by knowing how well their measures and controls actually perform.