Breach & Attack Simulation
Security is point-in-time. It’s not a matter of if you get hacked, but when. Why not simulate hacking yourself to get better at attack detection and response?
Terms You Might Also Hear
Continuous Security Validation
Security Posture Validation
For attackers, there is a high upside to a breach and a low chance of consequences.
Companies have a hard time detecting breaches and successful attacks.
The average time to detect and contain a data breach is 280 days. Attackers can take what they want from who they want when they want.
Enter Breach & Attack Simulation (BAS) platforms.
Compliance frameworks and risk assessment methodologies are subjective. Let technology tell you where your real risks are instead.
Continuous threat assessment and security control validation by way of simulated attacks. Test controls, test processes, and test people.
Map the efforts to an attacker playbook or MITRE ATT&CK framework, and you’ve got “Attacks as Code (AaC).”
A few players:
Here is my Airtable list that I try to keep updated. If I'm missing a company, let me know!
There will be an industry shift from “vulnerability management” to “exposure management.”
Focused patching will take on a new meaning. Vulnerabilities are not created equal. Solutions like this can help you better focus your patching efforts on what matters.
Security risks from mergers and acquisitions can get added context using this technology.
Monte Carlo"what-if" simulations can become a popular exercise among top executives. Have fun trying to come up with crazy scenarios to detect and defend against.
Strengthen the supply chain. Companies will use this kind of technology to find out which partners measure up and which ones do not.
Simulate “famous” attack scenarios. Attempt to do a malicious code injection into your CI/CD pipeline a la SolarWinds. Deploy fake ransomware like the Colonial Pipeline ransomware event.
Put context around vendor management programs and third-party vendor security. Stop relying on subjective, point-in-time questionnaires. Start surfacing legitimate and real threats to your business and supply chain.
Supplement your threat modeling. It all comes back to context, risk, and likelihood of a given solution. Make sure the controls you’re implementing add value.
Improve security architecture patterns. This should go without saying, but learn from these systems. Identify patterns of weakness in your architecture patterns and remediate them going forward.
Don’t forget the human side. Technology continues to evolve, but this can't replace skilled pen testers (if any vendors tell you this, run the other direction!). Using humans and tech is the way to go here.
Use this technology to reduce your biggest threats and patch vulnerabilities that matter.
Hone in your security investments. Technology like this can help you buy the right things for your security program and company. Defense-in-Depth doesn't work if it's not focused.
Improve your audits. You can now go beyond paper-based questions and get to the heart of the matter of your security risks.
Frameworks aren’t enough. Frameworks help build out core capabilities, but they can’t tell you how secure you are from real threats. Automated testing makes frameworks tangible.
What type/size/stage company should leverage these platforms?
Startups - especially for cloud-first startups, this kind of solution is great for you. If you need an ad-hoc or recurring scan or pentesting for SOC 2 or regulatory compliance, this is where to look. Do it (Just in Time) JIT style when your customers need it at this stage. The cloud makes using this kind of platform a no-brainer.
SMBs - This kind of tech is important and affordable for your customer-facing applications. Make this a habit as you build up your internal capabilities.
Larger Companies - This should be an essential part of your enterprise security strategy if and only if you are well-practiced at patching and incident response processes. Most large companies have too many risk acceptances and process exceptions to really mitigate their biggest risks, so a tool like this might not be as effective unless you change priorities and expectations on mitigating exposure over just patching.
What makes one of these platforms “good?”
Prioritization of identified threats.
Context around vulnerability data and exposure of weak points to the Internet.
Visualized attack paths so you can under the “how.”
Out of the Players listed, who are the top to consider?
Thanks for reading this far!
This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer.
If I missed something (or am just wrong), let me know!
This is not a paid post, and none of the companies listed above paid for placement. I just pick a few companies at random when I write. Also, at the time of writing this post, I have no active investments in any of the companies mentioned above.
If your company is looking to get more of a highlight, consider sponsoring the Security, Funded newsletter.