Comparing and Contrasting Cymulate Security Posture Validation Solution with SafeBreach
Learning from the Past
In this blog, we will compare the evolution of Cymulate and SafeBreach from the first generation of security posture validation solutions to their current iterations.
Initially, the first-generation solutions, called breach and attack simulation platforms, were a series of unconnected penetration testing routines.
In meetings with both executives and cybersecurity practitioners, we found a common theme that plagued legacy solutions in the field.
From a business perspective, executives were frustrated by these testing solutions’ inability either to optimize the existing security posture or to prove the value of cybersecurity spending. They found the legacy solutions’ inability to visualize and explain risk in business terms disheartening.
For the practitioner, these legacy methods were complex, arduous to run and resource-intensive, requiring months and vendor or third-party consulting services to set up and run. Most required highly skilled staff with coding and advanced cybersecurity skill sets. They were incomplete, missing critical portions of the cybersecurity kill chain. Concerns over downtime and safety led many of these solutions to be run only in an extremely limited fashion or, worse, in lab environments far from the real production environment. The overall manual nature of these solutions made it impossible to run them continuously, so they were mere snapshots in time in an era where the enterprise landscape and its attackers changed daily. As new threats emerged, these solutions lacked the capability to turn newly found TTPs (tactics, techniques and procedures) and IoCs (indicators of compromise) into actionable, testable routines.
These lessons have led to a new generation of security posture assessment that offers better end-to-end comprehensiveness and capabilities: one that is valuable to red and purple teams, that can visualize, measure and explain risk to management, and that makes it possible to prove that cybersecurity investments are optimized.
With that in mind, I would like to spend some time comparing Cymulate’s security posture validation solution with the solution from SafeBreach.
Testing in Production is Critical
Fundamental to Cymulate is our ability to run safely in production environments on real workloads. In working with enterprises (along with state, local and national government agencies) over the years, I’ve learned an important lesson. The only way to truly know whether your defenses will hold up against attackers in the enterprise is to test in the environment you want to protect: production. No matter how sophisticated a lab environment was, it never came close to mirroring the production environment, the environment you actually needed to protect.
Add to that the fact that today’s enterprises, with DevOps practices, hybrid cloud compute and SaaS, are more complex and change faster and more dynamically than ever before. With vulnerabilities, environment security drift, attackers and other changes occurring daily, there is no way a lab environment can keep up, let alone accurately visualize and measure real risk.
SafeBreach, whose earlier best-practice recommendation was to test only in a lab environment, has changed its tune. Currently, as with Cymulate, SafeBreach also values testing where it matters most: production.
Constantly Updated, Actionable Threat Intelligence Added to Testing Automatically
While most solutions have some sort of threat intelligence feed, most do not update their testing tools to include it automatically. This is a critical mistake Cymulate did not make. In fact, one of the greatest strengths of Cymulate is its staff of lab researchers who constantly keep the solution up to date, with new TTPs (tactics, techniques and procedures) and IoCs (indicators of compromise) added to our testing templates daily, 24×7, 365 days a year. It means that by the time most of our practitioners learn about a new threat, they find they have already run Cymulate testing against it.
For legacy solutions, the best practice was not to update testing against the latest threats but, through professional services and training, to teach staff to code, QA (quality assurance) check and add their own updates. Where some threat intelligence is present, it is not the primary focus of these solutions. Most companies have no ability to do this themselves, and even those that can find the resource cost too high, with their highly skilled staff too busy to sit down, research, code, QA and test. Not adding these updates automatically means they are not tested against, and you fall prey to security drift over time, in which the solution becomes less and less effective at measuring, visualizing and protecting against threats.
While SafeBreach has a threat intelligence feed and, like Cymulate, now adds TTPs and IoCs to its solution, there are differences. Cymulate adds TTPs and IoCs based not only on US-CERT advisories but on various industry and intelligence feed updates as well. In some cases this is a critical advantage for Cymulate. For example, both companies covered the MS Exchange attacks, but Cymulate also made sure to include the variety of copy-cat APT and FIN attacks that occurred after the initial attack.
Importance of Coverage, Chain/Compound and Atomic Testing
As covered in my other blogs, Cymulate is the most comprehensive solution today for several reasons. It works natively across your entire enterprise environment, from on-premises to cloud, from legacy systems to virtualization and even containers. It ties into all sorts of third-party security controls, such as vulnerability management, GRC (Governance, Risk and Compliance), SIEM (Security Information and Event Management), EDR (Endpoint Detection and Response) and SOAR platforms. Cymulate also has two distinct and critical differentiators. While simulating a real attacker, Cymulate can chain/compound tests sequentially across the kill chain, and its atomic testing capabilities allow it to reach a dead end, then pivot and try alternative techniques to keep testing and moving.
This is where the contrasts between the two solutions become greater. SafeBreach, like other legacy solutions, has only finite, individual tests that do not truly work sequentially across your environment, nor make atomic decisions to move like real attackers.
The Most Comprehensive Solution
The greatest way in which Cymulate is more comprehensive than past legacy solutions is its full coverage of the entire cybersecurity kill chain.
- Reconnaissance – Ability to scan the internet and Darknet for information that an adversary can find and use before launching an actual attack.
- Phishing Campaigns – Phishing campaigns test your employees’ security awareness through simulated phishing campaigns, detecting weak links in your organization and training your staff against such attacks.
- Email Gateway – Email Gateway tests key capabilities of your email security defenses, e.g., malicious payload detection, true file type/file obfuscation, embedded malicious links, C&C communication detection and credential theft.
- Web Gateway – Web Gateway tests the effectiveness of dynamic URL filtering, content filtering, malicious payload detection and protection against ransomware by accessing real IPs and URLs that are associated with ransomware, botnet C&C and other distribution and payment sites.
- Web Application Firewall – Web application firewall tests include SQL injection, XSS (cross-site scripting), command and XML injection, as well as other vulnerabilities and exploits.
- Endpoint – Endpoint allows you to deploy and run simulations of ransomware, Trojans, worms and viruses on a dedicated endpoint in a controlled and safe manner. The comprehensive testing covers all aspects of endpoint security, including but not limited to behavioral detection, virus detection and known vulnerabilities. It also includes a wide variety of PowerShell, registry, scripting and other exploit testing.
- Lateral Movement – Rigorous lateral movement testing includes opportunistic and atomic testing, assisted by credential mechanisms such as Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and DNS collection, among many others. Active Directory credential theft, pass the hash, password spraying, third-party credential harvesting, SSH/SFTP attempts, Kerberoasting and brute force are also utilized.
- Data Exfiltration – Data exfiltration tests inbound and outbound flows of data (such as personally identifiable information (PII), medical, financial and confidential business information) to validate that those information assets stay indoors.
SafeBreach has a solid endpoint testing regimen, although it lacks atomic, chaining and new-threat testing. Like other legacy solutions, it lacks critical reconnaissance, phishing campaign, web application firewall and lateral movement testing. While it does have some Web, Email and data exfiltration capabilities, they are lackluster. It is neither truly end-to-end nor as comprehensive as required.
Ease of Use and Quick Time to Value
Cymulate is a SaaS (Software as a Service) platform; it is automatically updated and managed for you. It requires only a single agent per environment and no professional services engagement or heavy training to implement and run. Most enterprises are looking at their first testing results within one hour of installation, ensuring a quick time to value for the solution. Even more importantly, as there are shortages of skilled cybersecurity professionals globally, Cymulate is designed to be accessible to all cybersecurity maturity levels and skill sets. It can be run effectively by novices, who learn as they go with the MITRE ATT&CK framework and Cymulate education. For experienced professionals, Cymulate automates mundane tasks so they can focus on more advanced work.
SafeBreach requires months of professional services and training to manage and run.
Investment in Open Cyber Community & Education
To address the global shortage of professionals, Cymulate has decided to give back to the community by supplying technical and managerial education for free, online. This is vendor-agnostic training in a neutral place where you can improve your skills through course and lab work on everything from cybersecurity management and purple teaming skills to the MITRE ATT&CK framework and more. It includes courses and labs, and successful completion comes with 8 ISC CPE credits.
While one legacy vendor, AttackIQ, also has a nice series of online courses, unfortunately SafeBreach does not.
In summary, while SafeBreach does a better job than most legacy solutions it still pales in comparison to Cymulate.
Cymulate and SafeBreach Comparison Chart
Criterion | Cymulate | SafeBreach
--- | --- | ---
Testing in production on real enterprise workloads | As designed. Tests where it matters most, on real enterprise workloads. | While in the past their best practices were for use in lab environments, they now advise use in production environments.
Constantly updated, actionable threat intelligence added to testing automatically | Tests against a continuously updated feed of the latest threats, from pre-exploitation through exploitation and post-exploitation, across the entire kill chain. | While they have an intelligence feed, it is not as comprehensive.
Coverage, chaining/compound and atomic testing | All testing includes chaining and compounding capabilities. In red and purple team testing it can live off the land; when it reaches a dead end it can explore like a real attacker and move on. | All tests are simple, finite tests. No chaining/compound testing. No atomic testing.
Comprehensiveness | Works across the entire kill chain: Reconnaissance, Phishing Campaigns, Web, Email, WAF, Endpoint, Lateral Movement and Data Exfiltration stages. | No Reconnaissance, Phishing Awareness, WAF or Lateral Movement testing. Limited Data Exfiltration testing. Some Web, Email and Data Exfiltration capabilities.
Usable by all cyber-maturity levels | Requires zero coding or advanced cybersecurity training. | Requires adversarial skills and prior knowledge of coding, cybersecurity techniques and tactics. Requires an FTE (Full Time Equivalent) to operate.
Time to value | Deploys within an hour, full value on the first day. Assess risk post-M&A in a day. One agent per environment. | Months. Requires professional services, a new lab environment, proprietary vendor emulation images and training.
Investment in the open cyber community and education | Cymulate eCademy: vendor-agnostic courses, labs, exams and even 8 ISC CPE credits upon successful completion. | None offered.