One way of determining whether your corporate network is secure is to hire someone to try to hack into it. Having a cybersecurity expert simulate an attack on your network and try to breach its defenses can reap big benefits by exposing vulnerabilities and uncovering misconfigurations in your IT infrastructure, systems and software. It can also pose risks, however, for example if the expert accidentally breaks something or leaves your network in a compromised state afterwards.
This kind of “white hat” approach to strengthening network security has been around for a while now, but it’s mostly been implemented manually with “red teams” of outside cybersecurity experts working in close conjunction with your organization’s own “blue team” IT security staff as the outsiders conducted simulated network attacks on your infrastructure. Around the beginning of last year, however, something new began to appear, namely software solutions that automated these kinds of attacks and generated reports of any vulnerabilities or misconfigurations detected. Gartner even invented an acronym for these solutions, calling them breach and attack simulation (BAS) products and defining them as tools that “simulate a broad range of malicious activities (including attacks that would circumvent their current controls), enabling customers to determine the current state of their security posture.”
Because any kind of simulated attack carries the inherent possibility of causing collateral damage to your infrastructure if something goes wrong, many businesses and organizations are reluctant to use the tools and services offered by vendors of automated BAS solutions. To assess whether the risks involved are real and how one can find a BAS vendor you can really trust, I reached out to several vendors of BAS software with a series of probing questions. One of the vendors I reached out to was XM Cyber, and Maya Schirmann was happy to respond to my questions.
XM Cyber provides the first fully automated breach and attack simulation platform to continuously expose attack vectors, from breach point to any organizational critical asset. This continuous loop of automated red teaming is completed by ongoing and prioritized actionable remediation. In effect, XM Cyber’s platform operates as an automated purple team, combining red and blue teams’ processes to ensure that organizations are always one step ahead of the attack. XM Cyber was founded by top executives from the Israeli cyberintelligence community and has offices in the U.S., UK, Israel, and Australia. Be sure to check out their blog, and you can also follow them on Twitter @XMCyber.
MITCH: BAS sounds like a great idea, but aren’t there risks involved in allowing a simulated cyberattack against your company’s business assets?
MAYA: It depends on the technology and how the simulation is being conducted. If the simulation performs only “non-dangerous” actions, then there is no risk. However, if the simulation is running real exploits on the business assets, this presents a risk. So it is very important to select a BAS solution that, on one hand, simulates accurately and in the most realistic way attack techniques and methods and, on the other hand, runs safely without affecting network availability or the user experience.
MITCH: How can one be confident one can trust a vendor’s BAS platform?
MAYA: First, the BAS vendor has to be fully transparent about how the technology works. The vendor should also provide a platform that looks at the organization’s environment with the eyes of the attacker, leveraging security vulnerabilities but also IT hygiene and users’ activities. This enables the simulation to be accurate and actually expose the most critical issues that are on the critical paths to the business’s crucial assets. The simulation also has to run safely without affecting the environment in any way, and the organization should be able to run the exploits on demand. And finally, the BAS vendor should provide customer references and testimonials.
MITCH: What types of businesses and organizations would benefit most from using BAS to better secure their IT infrastructure?
MAYA: Large enterprises with complex and dynamic networks and sensitive data would definitely benefit from using a BAS platform. Also, if they employ red teams (internally or outsourced), the BAS platform can augment them by running multiple attacks continuously, automatically and simultaneously, thus enabling them to focus on other strategic tasks. Midsized organizations would also benefit from a BAS platform, because it would enable them to focus their resources on the most critical issues to be fixed.
The benefits of XM Cyber’s BAS platform include the following:
- The platform continuously exposes attack vectors, from breach point to any organizational critical asset, so that organizations always know the attack vectors to their crown jewels.
- The continuous loop of automated red teaming is completed by ongoing and prioritized actionable remediation of security gaps, so that organizations know how to focus their resources on the most critical issues to improve their security posture.
- The platform addresses real user behavior, poor IT hygiene, and security exploits to expose the most critical blind spots, so that organizations continuously improve their IT hygiene and practices.
MITCH: What level of expertise in cybersecurity does a business need in order to properly utilize XM Cyber’s BAS platform?
MAYA: XM Cyber’s platform is very easy to use and works in three steps:
- Identify the targets for the attack simulations, which are the critical assets in the organization.
- The platform automatically runs the cyber-attack simulations, exposing attack vectors to the assets.
- A prioritized, actionable remediation report is presented with the most critical issues to be fixed, on the critical path to the most crucial assets.
The level of expertise required to use the platform is minimal.
About Maya Schirmann
Maya Schirmann is chief marketing officer at XM Cyber and has a proven track record in creating markets and guiding technology corporations to market leadership positions in the telecom and cybersecurity industries.