“No Thanks." The phone is picked up, “We have a service that does that” says the 5th CISO that day. Welcome to my life. I’m an Inside Sales Representative, at Cymulate, and I speak to dozens of InfoSec Execs a week, and the first thing I hear is that some form of testing is being done, whether it’s vulnerability scanning or pen testing, with no more services required. My challenge is to convince them that it’s worth their while to learn about a new and better approach to security testing.
Everyone is testing these days, which is great. A new age threat requires an agile InfoSec team, and now that companies are spending more than ever on cyber security, InfoSec managers want to know BEFORE an attack if it’s all working the way they expect. Very rarely will I reach out, to find out that no sort of validation is being done.
Here are the three ways most folks are currently testing their security posture:
Vulnerability Scanning is a widely used tool for IT auditing, using an application that checks for known vulnerabilities or weaknesses that have previously used by Cyber Criminals. Thousands of different security vulnerabilities are scanned. It’s fast, easy and can be cost effective to schedule and checks for thousands of vulnerabilities in networks and host systems. Its largest downside is that it produces a high rate of false positives (between 30 to 60 percent) and just takes a snapshot, without giving full insight to any issues it may find. It could also stress the production environment which may cause downtime.
Penetration testing is performed by expert testers that go deeper than a vulnerability scan. They try and evaluate how far they can penetrate through the security infrastructure of an organization. It’s great for selected high-risk weaknesses and for using the reports to help mitigate the issues. Unfortunately, pen testing is only as good as the skill of the individual tester. Since pen-testing is scoped, it does not provide 360° insight and worst of all, it can take weeks for the report to be ready. That’s like trying to plan next weeks’ vacation based on last month’s weather report. Many companies are required to do some form of pen testing, some do on a quarterly or semi-annual basis, some more often as companies realize that more frequent testing gives them better insight into their cyber risk.
Red and Blue Teaming
The method that’s gaining popularity is red/blue teaming, which tests the organizations security posture and its capabilities to detect and respond to a targeted attack . With the ability to detect unknown issues in unknown locations, the red team uses the same methods used by many hackers, helping simulate a real-world attack. Multi-step attacks are used to simulate various types of adversaries, and for identifying gaps in the information security controls. It also measures the organization's readiness to detect, contain and mitigate the attack in addition to evidence gathering, internal and external communications and reporting. Since an effective red/blue team exercise is resource intensive it cannot be conducted regularly.
Breach and Attack Simulation (BAS), the Cymulate approach.
New technologies are not the easiest to grasp, and breach and attack simulation is no exception. Usually, when discussing BAS, InfoSec folks tell me it’s too good to be true, and for good reason. It’s a completely new way of looking at security validation and that takes an open mind. CISO’s are also constantly barraged by salespeople with all sorts of great solutions, making it a challenge to get their attention.
Cymulate is a SaaS-based breach and attack simulation platform that makes it simple to test, measure and optimize the effectiveness of your security controls any time, all the time. With just a few clicks, Cymulate challenges your security controls by initiating thousands of attack simulations, showing you exactly where you’re exposed and how to fix it—making security testing continuous, fast and part of every-day activities.
Fully automated and customizable, Cymulate challenges your security controls against the full attack kill chain with thousands of simulated threats, both common and novel. But it doesn’t stop there. Red teams use Cymulate in order to uncover a wide set of vulnerabilities and launch customized attacks. Through integration with SIEM vendors, Cymulate correlates attacks to events and alerts enabling security (blue) teams to validate that their SIEM systems are setup properly. And integrations with vulnerability scanners provides context to the vulnerabilities, showing how they are exploited in real attack techniques used by threat actors, providing a realistic vector to prioritizing the mitigation efforts.
At the end of the day, telling InfoSec teams about what we do is fun and rewarding, because it allows them to fix problems they did not know they had the ability to fix. Try the platform out for yourself with a 14-day free trial.