Challenge

This regulated financial services provider has over ten European entities and branches worldwide. Each entity has its own IT environment, tools, security teams, and processes, making it difficult for the organization to gain a comprehensive view of its security. The company ran about 25 ethical hacking exercises a year, but they were manual, focused, point-in-time, and did not extensively cover each entity’s controls and environments.

The organization wanted better visibility of its security posture and to understand its level of risk across all its entities. Because there were so many entities involved, the company knew it needed a way to automate its security validation and wanted a cost-efficient solution that could also provide:

  • Out-of-the-box assessments based on best practices that are continually updated
  • Continuous control validation and quantification of risk
  • Metrics to benchmark and improve security resilience

The information risk management (IRM) team chose Cymulate because it fulfilled all its requirements for a continuous security validation platform.

“Cymulate is a top-ranked BAS solution, easy to implement and measure risk, and all for a reasonable price.”
– Information Risk Officer

The company’s IRM officer explained that the team uses Cymulate for:

  • Information security risk measurement
    “Cymulate enables us to ensure all our security controls are working as expected. We worked step by step with each control and tested each one with Cymulate Breach and Attack Simulation (BAS) until we were happy with their performance. We then tested our controls more extensively with Cymulate BAS Advanced Scenarios.”
  • Visibility of security posture
    “Cymulate allows us to understand the level of our control effectiveness—we can validate our controls and policies, understanding which attacks would be prevented and which would be detected. We utilize the Cymulate expertise and continuously updated test scenarios.”
  • Tuning internal security defenses
    “The Cymulate assessment results and detailed reporting enable us to fine-tune and improve our defenses, mitigating risk. Sometimes, there are situations where, for business reasons, the mitigation is not possible, but at least Cymulate enables us to be aware of the risk involved in those circumstances.”
  • Vulnerability prioritization
    “Cymulate enables us to prioritize our vulnerabilities and focus on the most severe risks in our environments.”
Financial Services Organization Automates Testing to Measure Security Risk Across Over 10 Entities

Automation
The organization automates security validation to cover every control across all environments, on-prem and in the cloud.

Customization
The teams can customize and build their own chained assessments to test specific areas in their environments. These assessments can be shared and used across all the organization’s entities.

Modularity
The organization can choose the product modules that fit its needs, with the option to easily add modules in the future.

Increased coverage
By mapping assessments to the NIST and MITRE frameworks and testing against the latest threats, the security team can evaluate its security posture against a broader range of known threats and improve its overall security resilience.

Strong customer support
Cymulate’s product updates are frequent, and its service desk is available and responsive to address operational issues. Cymulate’s customer support also provides a knowledge base and user community forum with information about product setup and usage. The organization sees the Cymulate customer success team as a partner in its cybersecurity strategy.

Real-time visibility
The security team no longer needs to wait for penetration tests to understand how its security is performing and where it needs to invest its resources to reduce risk.

Security drift management
The security tools and infrastructure team can easily track its security controls’ performance with Cymulate. The platform automatically informs the team of security drift so it can take action immediately if its controls are not performing as expected.