You’ve come to the conclusion that quarterly pen tests, monthly vuln scans and annual red teaming are great, but they’re still not enough. You need to know if you’re truly secure, and you need to know it right now. You’ve recently heard about breach and attack simulation (BAS) and how it can help.
So what should you look for when evaluating BAS solutions? Here are our thoughts.
Validation of both Internal and External Controls
Many BAS solutions focus solely on challenging your internal network and endpoint controls. This lets you simulate cyber attacks on your endpoint security solutions (such as EDR, EPP, AV and NGAV), test your Windows Domain Network policies against lateral movement, and verify your Data Leak Prevention (DLP) product is preventing the exfiltration of sensitive data. But what about challenging external network security controls, or perimeter security?
These solutions take the stance that you will be breached and that the job is only to minimize the damage, so they never challenge perimeter security, which is where the overall attack surface is reduced. Challenging the perimeter means, for example, sending malicious payloads to your email security solutions (sandbox, CDR, email gateway) and launching XSS, SQL injection and other attacks to test the efficacy of the web application firewall that protects sensitive consumer applications (e.g. an online banking portal) or enterprise applications.
And what about protecting employees against unsafe websites that may execute drive-by downloads and install command-and-control botnet clients? By challenging your web gateway with a simulation of employees who click on anything, you can determine whether it is properly configured to secure your company against unsafe browsing habits.
Ease of Use and Management
The easier it is to test your security, the more frequently you’ll test and fine-tune it, and the safer your company will ultimately be.
A few things to consider are:
- Repeatability – Is it easy to repeat the same set of simulated attacks? You need an automated way to challenge security controls again and again, without having to re-engineer the attack simulations each time.
- Customization – Are attack simulations simple to customize, so that you can narrow down a simulation to test for specific variables? Examples include narrowing down an email security assessment to include only certain file types or limiting a simulated attack on a WAF to XSS, SQL or command injections only.
- Scheduling – Can you easily set attack simulations to run on a daily, weekly or monthly basis? Is it easy to schedule simulations at predefined times?
- Multi-Site Support – If you have several offices, is there a convenient way to manage attack simulations for all of them from a single console?
- On-prem vs. cloud – Do you have the bandwidth to manage an additional solution on-premises? If not, cloud-based BAS may be the way to go.
Actionable Insights and Reporting
An attack simulation is only as effective as the corrective steps taken after it completes. When reviewing simulation results, check whether they provide these points:
- Remediation and Mitigation Guidelines – Are guidelines provided to help you address gaps across your security arsenal? Depending on the vector tested, these may cover the email gateway, endpoint security, web gateway security, Windows domain network policies, DLP configuration, and others.
- KPI Metrics – By ensuring you have quantifiable security posture benchmarks, you gain an immediate, objective understanding of where you are most vulnerable and the extent of the exposure. Metrics also provide a way to measure security controls performance over time and compare yourself to others in your industry.
- Prioritization – Do you have an easy way to prioritize efforts and budget according to where your most critical security gaps lie? Prioritization should take into consideration the criticality of target assets, the impact of a potential cyberattack, and the probability of encountering specific threats.
- Executive and Technical-level language – Conveying potential risks to the board, or to executive managers with limited technical background, is never easy. Reports with clear metrics written in plain language are useful when presenting to management or justifying security spending. Conversely, the IT security team needs all the technical details required to fine-tune current security solutions, so they perform at their best and reduce your attack surface.
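To make the KPI and prioritization points concrete, here is an added example (not Cymulate's code) that takes a constructed set of simulation results covering the vectors above, ranks the controls that failed by criticality × impact × probability, and computes a per-control block rate to track across scheduled runs. The record fields and the 1–5 scales are assumptions for illustration.

```python
# Added example, not vendor code: rank gaps from a BAS run and compute a KPI.
# SIMULATION_RESULTS is constructed; field names and 1-5 scales are assumed.
from collections import defaultdict

# One record per simulated attack: the vector, the control it challenged,
# whether the control blocked it, and the three prioritization inputs.
SIMULATION_RESULTS = [
    {"vector": "email: macro-laden document", "control": "email gateway",
     "blocked": True, "criticality": 4, "impact": 4, "probability": 5},
    {"vector": "email: password-protected archive", "control": "email gateway",
     "blocked": False, "criticality": 4, "impact": 4, "probability": 5},
    {"vector": "waf: xss", "control": "waf",
     "blocked": True, "criticality": 5, "impact": 4, "probability": 4},
    {"vector": "waf: sql injection", "control": "waf",
     "blocked": False, "criticality": 5, "impact": 5, "probability": 4},
    {"vector": "web gateway: drive-by download", "control": "web gateway",
     "blocked": False, "criticality": 3, "impact": 3, "probability": 3},
    {"vector": "dlp: card numbers over https", "control": "dlp",
     "blocked": True, "criticality": 5, "impact": 5, "probability": 2},
    {"vector": "endpoint: lateral movement", "control": "edr",
     "blocked": False, "criticality": 4, "impact": 5, "probability": 3},
]

def risk_score(r):
    """Asset criticality x attack impact x threat probability."""
    return r["criticality"] * r["impact"] * r["probability"]

def prioritized_gaps(results):
    """Unblocked simulations, highest risk first, as (vector, control, score)."""
    gaps = sorted((r for r in results if not r["blocked"]),
                  key=risk_score, reverse=True)
    return [(g["vector"], g["control"], risk_score(g)) for g in gaps]

def block_rate_kpi(results):
    """Share of simulations each control blocked; compare this run to run."""
    totals, blocked = defaultdict(int), defaultdict(int)
    for r in results:
        totals[r["control"]] += 1
        blocked[r["control"]] += int(r["blocked"])
    return {c: round(blocked[c] / totals[c], 2) for c in totals}

if __name__ == "__main__":
    for vector, control, score in prioritized_gaps(SIMULATION_RESULTS):
        print(f"{score:3d}  {control:13s} {vector}")
    print(block_rate_kpi(SIMULATION_RESULTS))
```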
Cymulate’s solution allows you to assess your current security posture while providing a repeatable, continuous process that can be performed by anyone on your security team. To learn more, download our Cyberattack Simulation vs Pen Testing vs. Vuln Scanning White Paper. Or experience cloud-based BAS for yourself, by contacting us for a demo, or getting started with a free trial.