Breach & Attack Simulation
Security is point-in-time. It’s not a matter of if you get hacked, but when. Why not simulate hacking yourself to get better at attack detection and response?
Terms You Might Also Hear
- Attack Simulation
- Automated Red-Teaming
- Breach Simulation
- Continuous Security Validation
- Security Posture Validation
- Threat-Informed Defense
Problem Statement
- For attackers, there is a high upside to a breach and a low chance of consequences.
- Companies have a hard time detecting breaches and successful attacks.
- The average time to detect and contain a data breach is 280 days. Attackers can take what they want from who they want when they want.
Market Solution
Enter Breach & Attack Simulation (BAS) platforms.
- Compliance frameworks and risk assessment methodologies are subjective. Let technology tell you where your real risks are instead.
- Continuous threat assessment and security control validation by way of simulated attacks. Test controls, test processes, and test people.
- Map the efforts to an attacker playbook or MITRE ATT&CK framework, and you’ve got “Attacks as Code (AaC).”
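The "attacks as code" idea in miniature, as an added example that is not from the original post or any vendor's product: each scenario is a benign set of constructed telemetry tagged with the MITRE ATT&CK technique it exercises, and the harness runs the defender's detection rules over it to report which techniques the controls catch and which they miss. The rules, log formats, and source addresses are hypothetical stand-ins for what a SIEM would hold.

```python
"""Attacks-as-Code harness: simulated telemetry per ATT&CK technique, scored
against detection rules to show control coverage (constructed example)."""
import re
from dataclasses import dataclass

@dataclass
class Scenario:
    technique: str   # MITRE ATT&CK technique ID the scenario exercises
    name: str
    events: list     # constructed log lines standing in for the simulation's telemetry

# Hypothetical detection rules, standing in for a SIEM's rule set.
def detect_brute_force(events, threshold=5):
    """Fire when a single source address produces >= threshold auth failures."""
    per_src = {}
    for e in events:
        m = re.search(r"auth failure .*src=(\S+)", e)
        if m:
            per_src[m.group(1)] = per_src.get(m.group(1), 0) + 1
    return any(n >= threshold for n in per_src.values())

def detect_encoded_powershell(events):
    """Fire when a PowerShell process is started with an encoded command."""
    return any(re.search(r"powershell(\.exe)?\s.*-enc(odedcommand)?\b", e, re.I)
               for e in events)

RULES = {"T1110": detect_brute_force, "T1059.001": detect_encoded_powershell}

# Scenarios carry constructed telemetry only; nothing here touches a real host.
SCENARIOS = [
    Scenario("T1110", "spray from one source",
             [f"sshd: auth failure user=u{i} src=10.0.0.9" for i in range(6)]),
    Scenario("T1110", "slow spray from many sources",
             [f"sshd: auth failure user=u{i} src=10.0.0.{i}" for i in range(6)]),
    Scenario("T1059.001", "encoded PowerShell launch",
             ["Process created: powershell.exe -enc SGVsbG8="]),
    Scenario("T1078", "service account login at 03:00",
             ["login ok user=svc_backup src=203.0.113.7 hour=03"]),
]

def run(scenarios=SCENARIOS, rules=RULES):
    """Return {scenario name: 'detected' | 'missed' | 'no rule'}."""
    out = {}
    for s in scenarios:
        rule = rules.get(s.technique)
        out[s.name] = "no rule" if rule is None else ("detected" if rule(s.events) else "missed")
    return out

def technique_coverage(scenarios=SCENARIOS, rules=RULES):
    """Per technique, the fraction of its scenarios the rules caught (the BAS score)."""
    results, cov = run(scenarios, rules), {}
    for t in {s.technique for s in scenarios}:
        mine = [results[s.name] for s in scenarios if s.technique == t]
        cov[t] = sum(r == "detected" for r in mine) / len(mine)
    return cov
```

The "missed" and "no rule" verdicts are the output that matters: the second T1110 scenario stays under the per-source threshold, and T1078 has no rule at all, which is exactly the kind of gap a BAS run is meant to surface.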
Players
This is not an exhaustive list. If I'm missing a company, let me know!
Predictions
- There will be an industry shift from “vulnerability management” to “exposure management.”
- Focused patching will take on a new meaning. Vulnerabilities are not created equal. Solutions like this can help you better focus your patching efforts on what matters.
- Security risks from mergers and acquisitions can get added context using this technology.
- Monte Carlo "what-if" simulations can become a popular exercise among top executives. Have fun trying to come up with crazy scenarios to detect and defend against.
- Strengthen the supply chain. Companies will use this kind of technology to find out which partners measure up and which ones do not.
Opportunities
- Create a new business model. Red, blue, and purple team testing-as-a-Service businesses could launch from these platforms.
- Simulate “famous” attack scenarios. Attempt to do a malicious code injection into your CI/CD pipeline a la SolarWinds. Deploy fake ransomware like the Colonial Pipeline ransomware event.
- Put context around vendor management programs and third-party vendor security. Stop relying on subjective, point-in-time questionnaires. Start surfacing legitimate and real threats to your business and supply chain.
- Supplement your threat modeling. It all comes back to context, risk, and likelihood of a given solution. Make sure the controls you’re implementing add value.
- Improve security architecture patterns. This should go without saying, but learn from these systems. Identify patterns of weakness in your architecture patterns and remediate them going forward.
Key Insights
- Don’t forget the human side. Technology continues to evolve, but this can't replace skilled pen testers (if any vendors tell you this, run the other direction!).
- Use this technology to reduce your biggest threats and patch vulnerabilities that matter.
- Hone your security investments. Technology like this can help you buy the right things for your security program and company. Defense-in-Depth doesn't work if it's not focused.
- Improve your audits. You can now go beyond paper-based questions and get to the heart of the matter of your security risks.
- Frameworks aren’t enough. Frameworks help build out core capabilities, but they can’t tell you how secure you are from real threats. Automated testing makes frameworks tangible.
Pro Positions
What type/size/stage company should leverage these platforms?
- Startups - especially for cloud-first startups, this kind of solution is great for you. If you need ad-hoc or recurring scans or pentests for SOC 2 or regulatory compliance, this is where to look. Do it just-in-time (JIT) style when your customers need it at this stage. The cloud makes using this kind of platform a no-brainer.
- SMBs - This kind of tech is important and affordable for your customer-facing applications. Make this a habit as you build up your internal capabilities.
- Larger Companies - This should be an essential part of your enterprise security strategy, if, and only if, you are well-practiced at patching and incident response processes. Most large companies have too many risk acceptances and process exceptions to really mitigate their biggest risks, so a tool like this might not be as effective unless you change priorities and expectations toward mitigating exposure over just patching.
What makes one of these platforms “good?”
- Prioritization of identified threats.
- Context around vulnerability data and exposure of weak points to the Internet.
- Visualized attack paths so you can understand the “how.”
Out of the Players listed, who are the top to consider?
- If you’re a startup/SMB that is cloud-first, check out Detectify and XM Cyber.
- If you’re a larger enterprise, Cymulate is the up-and-coming leader in this space and one you should strongly consider.
References
- What is Deception Technology? Tools and Solutions
- 10 Hot Breach And Attack Simulation Companies To Watch In 2021
- What Is The Average Time To Detect Data Breaches?
Thanks for reading this far!
This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer.
If I missed something (or am just wrong), let me know!
This is not a paid post, and none of the companies listed above paid for placement. I just pick a few companies at random when I write. Also, at the time of writing this post, I have no active investments in any of the companies mentioned above.
If your company is looking to get more of a highlight, consider sponsoring the Security, Funded newsletter.