Cybersecurity exists only until you are breached. That makes it difficult to be sure you're doing the right things, and being wrong carries a drastic price.
For exactly that reason there's a buzz in the security industry at the moment about breach simulation products. They offer a way of knowing how well your defenses will stand up to an intrusion without having to risk an actual breach. Quite a few products offer this, but there are really only a few ways they can work if they are to work right.
This is Part One of my exploration into the how, what, and why of breach simulation technologies in cybersecurity.
The first thing a breach simulation product should do is factually answer the question: "Can that attack get through our defenses and breach us?" After all, since it's a breach simulation tool, it had better be able to tell us whether we can be breached.
Before we go any further, something you should understand about attacks is that they usually require the right environment to succeed. Something in the company needs to be vulnerable or exploitable for the attacker to get in. Then the environment needs to allow lateral movement so the attacker can reach the assets. Finally, there needs to be a way out with the assets, or a way to avoid detection for long enough to get them.
The main thing many companies do to offset cybersecurity risk is to reduce their vulnerabilities so attacks don't have so many ways in. This is generally known as "getting rid of the low-hanging fruit," and it's done through vulnerability scanning and automatic patching. That reduces the chance of an attack succeeding, but unless it's frequent and continuous it still leaves a gap between when a vulnerability appears and when it gets fixed.
How big that gap is, is hard to say. The more systems on the network and the more employees in the company, the bigger the gap. But the size of the gap isn't what matters for breach security, because a single gap is enough for a breach to succeed completely. Risk analysis can debate all it wants whether that gap will be found and abused by an attacker, but cybersecurity defenders know it's not a question of if but when.
This puts small and medium-sized businesses at a disadvantage, because it takes skilled people and resources to keep that gap as close to zero as possible. It's relentless, thankless work that shows no visible results, which leads to low job satisfaction and employee burnout.
Meanwhile, a large company can afford the skilled people and the automation needed to maintain the brutal scanning and patching momentum required. Its cybersecurity staff will have a lower turnover rate because the monotonous work gets offloaded onto products. An ever-vigilant Security Information and Event Management (SIEM) system will keep them aware of new devices and movement on the network, at least for everything it is fed. A strong vulnerability analysis and patch management solution will keep those devices as free of known vulnerabilities as is practical. This keeps their vulnerability level as low as systematically possible. But is it low enough?
Maybe, but they won’t know until breach o’clock hits. Then what?
The truth is, it's not enough. A good rule of thumb is that every person on your network is equivalent to one vulnerability. People don't always follow rules, or else they'd be called Programs. People bring new applications and new devices onto the network, and your SIEM or your staff may not recognize them properly because they're so new. Also, many of these new devices don't have robust patching processes, and even if they did, you wouldn't necessarily have control over patching an employee's personal device such as a mobile phone. There are just too many inconsistencies in how people behave and in how new devices and applications integrate with your cybersecurity.
If that's not enough, take a look at all the cybersecurity solutions out there. There are so many, and each one exists to respond to some gap in security, no matter how small. That's a lot of gaps! So chances are you have no idea whether you even have any of the gaps those solutions exist to fill. You may have no idea that those risks even exist. Of course some of them may not apply to your network now, but it only takes one employee bringing something in for you to face that particular security gap before you're ready to deal with it.
Which is why breach simulation is such a hot concept now. It's not that we only just figured out we need it; it's that only now, in the last five years, have we learned how to do it well. We can find comments as far back as 1996 that continuous penetration testing could provide assurance and a baseline metric, but back then it wasn't practical or affordable. At best, really large organizations did it weekly, and even that was costly.
In Part Two we’ll continue to look at what a breach simulation solution needs to do to work properly, how to choose the right one for you, and what you can expect from it.