The challenges of defending against cybersecurity breaches have become more complex as the threat landscape continues to evolve, threat vectors have expanded, and the tools and methods attackers use to launch attacks have become increasingly sophisticated. Combine the expanding threat landscape with the inherent challenges of managing security in a distributed hybrid/multi-cloud architecture that relies heavily on reliable, high-speed connectivity for people and things, and the challenge of cyber defense is even more daunting.
IDC estimates that enterprises globally spend over $100 billion on security products and services to help protect against cyber threats. Demonstrating the effectiveness of cybersecurity spend is a priority for corporate executives and boards of directors; however, quantifying and justifying the appropriate level of spend is still a challenge for most enterprise security teams. Seeking incremental dollars to continue building a robust security posture is difficult against the backdrop of an increased number of cyber breaches that have caused significant reputational and financial damage to companies across a variety of industries.
As organizations look for ways to demonstrate the effectiveness of their security spend and the policies and procedures put in place to remediate and respond to security threats, vulnerability testing can be an important component of a security team’s vulnerability management activities.
Traditional Approaches to Vulnerability Management
Most enterprises have adopted some form of process for managing vulnerabilities across their environment. After a thorough assessment of cyber risk is performed to better understand where the highest (or most impactful) cyber risks to the business exist, investments in security controls are made, and policies and processes are developed to manage the risk. Vulnerability management testing is typically the next step taken to validate the efficacy of the security controls put in place to manage cyber risk.
It should be noted that while the efficacy of security technology is a central focus, a broader approach to testing that includes the human element (policies and procedures) provides a more holistic and realistic evaluation of an organization’s security posture.
There are several testing approaches that organizations use as part of their vulnerability management practices. Four of the most common are listed below:
- Penetration testing (aka pen test) – a common testing approach used by enterprises to detect vulnerabilities across their infrastructure. A pen test involves highly skilled security experts using the tools and attack methods employed by actual attackers to achieve a specific, pre-defined breach objective. The pen test covers networks, applications, and endpoint devices.
- Red Teaming – A red team performs “ethical hacking” by mimicking an advanced threat actor using stealth methods, subverting established defensive controls, and identifying gaps in the organization’s cyber defense strategy to better understand how an organization detects and responds to real-world attacks. The results from a red teaming exercise help identify needed improvements in security controls.
- Blue Teaming – a blue team is an internal security team that defends against both real attackers and red team activity. Blue teams should be distinguished from standard security teams by their mission to provide constant and continuous cyber defense against all forms of cyber-attacks.
- Purple Teaming – the objective of the purple team is to align red and blue team activities and leverage the insights from those activities to give the organization a realistic, end-to-end picture of an APT-style attack along with a prioritized list of vulnerabilities.
Although these vulnerability testing approaches are commonly used by organizations, there are several challenges associated with them. First, these approaches are highly manual and resource intensive, which for many organizations translates to high cost and a lack of skilled in-house resources to perform these tests. While the outcome of these vulnerability tests provides vital information back to the organization to act on, they are performed infrequently due largely to the cost and lack of skilled resources mentioned previously.
Lastly, all of these methods provide a point-in-time view of an organization’s security posture, which is becoming less effective for companies moving to a more dynamic cloud-based IT architecture with an increasing diversity of endpoints and applications. As a result, traditional vulnerability testing approaches yield very little value because the security landscape and enterprise IT architectures are dynamic and constantly changing.
Enter Breach and Attack Simulation (BAS)
While BAS offerings encompass much of what traditional vulnerability testing includes, they differ in one critical way. At a high level, the primary functions of BAS are as follows:
- Attack (mimic real threats)
- Visualize (see exposures)
- Prioritize (assign a severity or criticality rating to exploitable vulnerabilities)
- Remediate (address gaps)
Where BAS differs from traditional approaches is in the use of closed-loop automation that allows IT/security teams to evaluate an environment for threat indicators and attack behaviors, unprotected assets, misconfigurations, human errors, log gaps, and basic IT hygiene issues. Armed with this information, security personnel can take the recommended actions to close gaps, fix misconfigurations, and strengthen credential management.
The other key differentiator for BAS is the variety of ways a vulnerability test can be performed. Testing options include on-demand, continuous, or set-interval runs. This gives security teams much greater flexibility in how frequently they can conduct vulnerability tests.
IDC believes that BAS gives enterprises a robust set of features and functionality that not only help validate the effectiveness of the security controls put in place but also enable a more proactive approach to cyber defense through automation. This has become a common theme in security services, where the goal of becoming cyber resilient is predicated on the ability to continuously and proactively monitor the environment for threats and to accelerate the time to remediate issues in order to minimize the impact to the business. Consequently, we believe that BAS will become an important component of an enterprise’s cyber defense strategy.
Note: Please see IDC’s upcoming PlanScape document, “IDC PlanScape: Breach Attack Simulation Continuous Security Control Testing,” for more detailed analysis of the BAS market.