Pete Herzog

LAST UPDATED ON OCTOBER 17, 2025

Cybersecurity Exists Until You’re Breached, Part 1

Cybersecurity exists until you are breached. That makes it difficult to be sure you’re doing the right things, and the price of being wrong is drastic.

Breach and attack simulation tools are gaining attention across cybersecurity because they show how well your defences stand up to real attacks without risking an actual incident. Many vendors claim to offer this capability, but only a few approaches are truly effective.

This article is Part One in a series on the how, what, and why of breach simulation.

A breach simulation platform must first answer a simple question with evidence: can this attack bypass our defences and breach us?

Effective testing also reflects real attack conditions. An intrusion needs a vulnerable entry point to gain access. The internal environment must allow lateral movement to reach valuable assets. Finally, the attacker needs a path to exfiltrate data or evade detection.

The main thing many companies do to offset cybersecurity risk is to reduce their vulnerabilities so attacks don’t have so many ways in. This is generally known as “getting rid of the low-hanging fruit,” and it’s done through vulnerability scanning or automatic patching. That helps to minimize attack success, but unless it’s frequent and continuous, it will still leave a gap.

How big a gap is hard to say. The more systems on the network and the more employees in the company, the bigger the gap. But the size of the gap isn’t that important to breach security, because any gap can lead to a 100% breach success. Breach risk analysis can ponder all it wants whether that gap will be found and abused by an attacker, but cybersecurity defenders know that it’s not if but when.

This puts small and medium-sized businesses at a disadvantage because it takes skilled people and resources to keep that gap as close to zero as possible. It’s relentless, thankless work that shows no results, leading to low job satisfaction and employee burnout.

Meanwhile, a large company will be able to afford the skilled people and the automation needed to maintain the brutal scanning and patching momentum. Their skilled cybersecurity staff will have a lower turnover rate because they’ll be offloading the monotonous work onto products. An ever-vigilant Security Information and Event Management (SIEM) system will keep them aware of all new devices and movement on the network. A strong vulnerability analysis and patch management solution will ensure all those devices have no known vulnerabilities. This will keep their vulnerability level as low as systematically possible. But is it low enough?

Maybe, but they won’t know until breach o’clock hits. Then what?

The truth is, it’s not enough. A good rule of thumb is that every person on your network is equivalent to one vulnerability. People don’t always follow rules, or else they’d be called Programs. People bring new applications and new devices into the network. Your SIEM or your staff may not recognize many of them properly because they’re so new. Also, many of the new devices don’t have robust patching processes, and even if they did, you wouldn’t necessarily have control over patching an employee’s personal device like a mobile phone. There are just too many inconsistencies in how people behave and how new devices and applications integrate with your cybersecurity.

If that’s not enough, take a look at all the cybersecurity solutions out there. There are so many, and each one of them exists to respond to some gap in security, no matter how small. That’s a lot of gaps! Chances are you have no idea whether you have any of the gaps those solutions exist to fill. You may have no idea that these risks even exist. Of course, some of them may not apply to your network now, but it only takes one employee to bring one into use before you’re ready to deal with that particular security gap.

That is why breach simulation is such a hot concept now. It’s not that we just now figured out we need it, but that only now, in the last 5 years, have we learned how to do it well. We can find comments as far back as 1996 that continuous penetration testing could provide assurance and a baseline metric, but back then it wasn’t practical or affordable. At best, really large organizations did it weekly, and it was costly.

In Part Two we’ll continue to look at what a breach simulation solution needs to do to work properly, how to choose the right one for you, and what you can expect from it.

 
Breach simulation products are designed to assess how well security defenses can withstand intrusions without experiencing an actual breach. They simulate attacks to determine if defenses are effective.
Small and medium-sized businesses often lack the skilled personnel and resources needed to continually minimize cybersecurity gaps, unlike larger companies that can afford automation and skilled staff.
New devices and applications can introduce inconsistencies and vulnerabilities into a network, as they may not be properly recognized or patched, leading to potential security gaps.
Breach simulation has gained popularity because recent advancements have made it more practical and affordable to conduct continuous penetration testing, providing better assurance and metrics for cybersecurity.
Companies reduce cybersecurity risks by minimizing vulnerabilities through vulnerability scanning, automatic patching, and maintaining a strong security information and event management (SIEM) system.
Cybersecurity solutions are designed to fill specific security gaps, responding to potential vulnerabilities in networks to enhance overall security posture.
