In 2017, a category called Breach and Attack Simulation (BAS) tools made its first appearance on the Gartner Hype Cycle for Threat-Facing Technologies, positioned as a technology on the rise. Since then, these tools have been gaining momentum because they allow security teams “to have a consistent way to continuously test your controls, from prevention to detection (and even response)”, as described by Gartner. But as anyone who has been in the security industry for even just a few years knows, with momentum comes confusion around a technology’s capabilities, role in the security stack, and benefits. Here’s my take at dispelling some misconceptions and providing clarity to help you, as a security professional, derive the most value from these tools.
BAS is part of the evolution we’re seeing in detection capabilities. Fact.
With the recognition that breaches are happening with increased volume and velocity, we’ve shifted from a focus on prevention to include detection, response, and automation. Examples of this evolution include the proliferation of tools like Endpoint Detection and Response (EDR), the popularity of the MITRE ATT&CK framework, and the emergence of Breach and Attack Simulation tools. By incorporating automation, BAS tools allow you to conduct more simulations faster, continuously test the efficacy of control points, and help make your security posture more consistent despite a dynamic threat landscape.
BAS tools are next-generation vulnerability scanning and management solutions. Fiction.
BAS tools are a great way to augment your vulnerability management program, but they don’t replace vulnerability scanning or penetration testing solutions. These tools don’t look directly at an asset and try to find vulnerabilities in that asset. Instead, BAS tools take a more holistic, campaign-based view to measure overall security effectiveness. They continuously, automatically, and simultaneously run simulations of end-to-end attack scenarios. This allows you to more quickly find gaps in your network and systems that make you vulnerable to various tactics, techniques, and procedures (TTPs) threat actors employ throughout the lifecycle of an attack so that you can take immediate steps to close those gaps.
Finally, we have a “silver bullet” technology solution with BAS. Fiction.
Whenever a new technology category emerges, the “silver bullet syndrome” creeps in. But no one technology can solve all our cybersecurity challenges. The threat landscape is too complex and dynamic. The attack surface is always expanding and changing. And, in response, security technologies and strategies must continually evolve. BAS tools are an important step forward, augmenting manually conducted attack simulations, but they are only one component in your security stack, and you can’t “set it and forget it”. You still need humans to configure and customize attack simulations for your environment, identify priority use cases given your organization’s threat landscape, and interpret the results of the simulations.
BAS tools are useful for Red Team/Blue Team and Purple Teaming exercises. Fact.
The practice of breach and attack simulation is what Red Team/Blue Team and Purple Teaming exercises are all about. Red Team/Blue Team models pit “attackers” against defenders in exercises that can take weeks or months to complete and learn from. Purple Teaming is more collaborative and iterative so that organizations can improve their security posture during the exercise to capture immediate and ongoing value. Whichever model you use, BAS tools help these exercises scale through automation, providing the ability to run more simulations faster than with manual methods. But Red and Purple Teams should exercise caution when using BAS tools, because they can provide a false sense of security if relied on exclusively. The simulations are prescriptive, out-of-the-box scenarios that don’t consider the nuance of each organization. You need to make intelligent choices about which simulations to run. This requires people with skills to enrich or change simulations based on intelligence about threats targeting your organization and industry, an understanding of the specific assets your organization needs to protect, and the expertise to make sure detection and prevention is working as intended.
BAS tools offer quantitative metrics relevant to management. Fact.
Organizations make significant investments to protect their assets. By 2022, IDC projects worldwide security spending will exceed $133 billion. But are these technologies and tools working as they should? BAS tools offer an efficient and consistent way to measure the effectiveness of existing security detection capabilities and operations. Findings from the simulations can help guide product investment and configuration decisions to close security gaps, but they can also be used to help bridge the cybersecurity knowledge gap with enterprise leaders. You can use the information to engage in discussions about risk management and answer questions from your board and senior executives, like: Can threat actors bypass our defenses and do so undetected? What is our applicable risk? What kind of impact can they have? This puts you in a position to influence near-term investment decisions, engage in long-term security planning, and report on improvement in security operations in business terms.
BAS tools are an important addition to your arsenal of defenses. However, as with any security investment, you need to understand the strengths and limitations of the technology to derive the most value. BAS tools aid in maintaining a fundamental level of security assurance more quickly and cost effectively than traditional approaches. What’s more, when combined with the right expertise, they can also help you play a strategic role in the overall success of the business.