BAS 101: Why Even Regulated Industries Need BAS Solutions

A Cymulate customer recently approached us with the following question, “I’m in a regulated industry and do penetration testing once a year for compliance. Why would I also use Breach and Attack Simulation?”

The need for Breach and Attack Simulation (BAS) solutions like Cymulate do not diminish when you are in a regulated environment. In fact, the need for BAS becomes even stronger when you perform pen-testing once a year for regulatory compliance. Here are two reasons:


You Only Pen-Test Once a Year

While pen-testing is a great way to get a snapshot of the defensive capabilities of an environment; pen-testing is exactly those two things – a snapshot (point-in-time) and only of the defensive capabilities of a specific set of systems in a specific environment under the specific circumstances presented by the pen-tester.  This is by no means invalid information, quite the opposite.  Pen-testers are security professionals that can guide the course of a test to get around security controls that have any form of weakness. They can also leverage tactics like real-time social engineering and alternate attack pathing to find different ways to get into the same target systems, but there are significant limitations brought up by this methodology.

First, pen-testers are constrained by specific Rules of Engagement (RoE’s). Since the actions of a pen-tester can involve forcing reboots, crashing services, or accidental or purposeful destruction of data; most companies will enforce RoE’s to limit the potential damage that can be done during a testing period in order to ensure that the business itself doesn’t suffer downtime or damage as a result of the test itself. These RoE’s protect from unexpected downtimes and loss of revenue events, but also mean that some techniques that are known to be used by threat actors will not be used during a pen-test if they violate the RoE’s themselves; creating the potential for gaps to go undiagnosed and leaving the organization at risk. RoE’s can also mean that some systems are declared “off-limits,” meaning those systems do not get the level of scrutiny they need in the testing process.

Secondly, since automation of actual pen-testing protocols can be quite dangerous unless very strict restrictions are put in place and even further limitations are placed on the types of techniques used; pen-testing remains a human-run operation in the majority of cases.  While a pen-tester will be thorough in their operations if they find a way to bypass a security control they will use it. They will most likely not continue to attempt to try each of the other methodologies that might have been used and that might have discovered additional security gaps that must be closed. The reasons for this are two-fold. First, the time factor of human-run pen-test operations limits how many methods could possibly be performed within the given amount of time allowed for the test. Second, a pen-tester’s goal is to reach a specific point in the systems themselves, or specific cache of data, or another specific set of objectives. Extra testing with other methods doesn’t forward this progress when they have already found a viable pathway to that goal.

BAS solutions are designed to operate in production environments without disruption or destruction. By breaking down complex methods and techniques into their component parts, and then creating executions that can test if the method is viable without performing actions that would take servers down or delete information in file systems, databases, etc.; BAS platforms can provide effective testing of thousands of methods and techniques which do not put the organization at risk of downtime. With the ability to safely automate, all of these methods and techniques can be attempted in a reasonable time frame even if one or more have already been found effective.  Because of this, BAS solutions can be run without extensive RoE restrictions, allowing for significant and safe automation of these solutions, and exploring more systems with much more depth than traditional pen-testing could possibly allow. This allows tools like Cymulate to run in more areas of the organization and to run more often than pen-testing would be viable. It also allows tools like Cymulate to discover all of the actual security gaps present across any given set of systems, by using automation to remove the limitations of manual pen-testing.

In this whitepaper, get a more in-depth comparison of automated penetration testing vs breach and attack simulation.


Regulatory Reports Can Become Public Information

If we were to look at one regulatory compliance agency as an example, we can examine the policies of the Health and Human Services (HHS) Administration of the United States. This group is responsible for HIPAA (the Healthcare Information Portability and Accountability Act) regulations and regulatory compliance. While regulatory reporting under HIPAA is generally confidential, the HHS documentation on the subject is very clear that if a Freedom of Information Act (FoIA) request is executed against these records, HHS will release the relevant information[1]. This means that the information regarding what security gaps exist within the organization that was brought to light during the annual pen-testing reports can become public information; leading to a reputation hit to the organization and even the potential for any uncorrected gaps to be leveraged by threat actors who read the now-public reports once they become available.

Different regulatory bodies operate under different, and sometimes quite complex, protocols; though many may be subject to the same disclosure requirements if provided a FoIA request that is found to be valid and upheld. The same situation could also occur if the regulatory compliance reports become part of public records through judicial action (such as if subpoenaed as evidence in a trial that does not seal said records). This means that compliance reporting can become a source of public relations nightmares, loss of revenue, and future attacks all in one.

BAS solutions allow for testing on a continuous basis, allowing the organization to close security gaps over time and well before the officially-recorded pen-test occurs. This means that the pen-test that will become part of compliance statements will at the very least show that all standard and reasonable security controls are in place to avoid the potential for incursion and breach. If such a compliance pen-test report were to become public knowledge, it would become a boon to the organization as it shows that the company takes the appropriate amount of care to control access to sensitive and/or Personally Identifiable Information and data. Cymulate, for example, can easily be set to perform testing with updated methods and techniques on a weekly or monthly basis; providing a continually updated set of remediation recommendations to allow for gradual correction of any security control gaps well in advance of regulatory pen-testing.  The IT and Cybersecurity staff can then correct those issues before the annual pen-test by correcting them over time throughout the year. When the auditors schedule the regulatory pen-test, the organization will be able to rest assured that the testers – while they may possibly find a way to get in – will not find that the security controls would be considered inadequate in any way.



BAS solutions and regulatory pen-testing go together very well.  BAS platforms work throughout the year to identify and aid in the remediation of security gaps; keeping the organization safe and also keeping it prepared for the regulatory pen-test each year.  Not only do IT and Cybersecurity staff have the time they need to correct each issue, but should the regulatory reports become public, they will show exactly what your customers expect them to – that you have taken the right steps to safeguard their data and information at every step of the way.

Regulatory pen-testing is a single tool – and a powerful tool to take advantage of. That doesn’t mean that it should be the only tool in your toolbox when it comes to securing your environment.  Too much information can become public, and too few methods and techniques can be tested during a single pen-test operation, for you to rely solely on the annual audit pen-test as your primary security testing strategy.

Test Cymulate’s BAS solution today with a 14-day free trial.

Free Trial