Active breach and attack simulation does not gain credibility by exposing more problems; it gains it by contextualising them and continuously testing attack paths.
Let’s start by taking a bird’s-eye view of what the global breach and attack simulation (BAS) market looks like.
According to Market Research Future, the market for automated breach and attack simulation is being driven by growing cyber security challenges and by the spread of digital platforms and services. It notes that the benefits of automated BAS, namely consistent and repeatable attacks run by an automated system, a catalogue of attack methods and tools, and a fully controlled environment, are likely to add to worldwide market growth.
It is clear, then, that the global market is judged to be expanding rapidly, owing to growing demand for the solutions and services on offer. Frost & Sullivan expects adoption to improve further and forecasts a compound annual growth rate of 35% between 2020 and 2024.
In 2021, a comprehensive research report by Market Research Future, “Global automated breach and attack simulation market information by deployment, by components, by application and region – forecast to 2027”, estimated the market size to grow at a compound annual growth rate of 27.6%, surpassing $3.5 billion revenue by 2026.
So, while sources may differ on percentage growth figures, all appear to agree the competitive landscape for BAS as an emerging market presents exciting dynamics.
Growth is also being driven by the fact that BAS is relevant for multiple exposure assessment use cases, including, but not limited to:
Security posture assessment: Companies with mature security programmes use these technologies primarily to ensure a consistent security posture over time and across multiple locations.
Security control assessments: Some BAS tools integrate with security control technologies, through management APIs or by reading alert logs, enabling security configuration management and improving the visibility of defence gaps.
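As an added illustration of the control-assessment use case, and not code from the article or from any BAS vendor, the following Python sketch classifies each simulated technique as prevented, detected or missed by checking whether an enforcing control stopped the action and whether the expected alert turned up in the control's logs. The simulations, the marker tokens and the alert log lines are all constructed for this example; in practice the log would come from the SIEM or EDR management API the text refers to.

```python
"""Control assessment for one BAS run: was each simulated technique prevented,
detected, or missed?  All inputs below are constructed for this example."""
from dataclasses import dataclass
import re


@dataclass
class Simulation:
    technique: str   # label of the simulated technique (constructed, not a catalogue id)
    host: str        # host the simulation ran on
    marker: str      # unique token the simulation embedded in its action (file name, tag, ...)
    executed: bool   # False when an enforcing control stopped the action outright


# Constructed alert lines in a syslog-like key=value style (hypothetical format).
ALERT_LOG = """\
2024-05-01T10:00:03Z edr host=web01 sev=high rule=lsass-access detail="proc=bas-7f3a.exe -> lsass.exe"
2024-05-01T10:00:09Z fw host=web01 action=block dst=203.0.113.10:4444 tag=bas-9c1d
2024-05-01T10:01:30Z edr host=web01 sev=low rule=new-service detail="svc=Updater"
"""

# Constructed simulation results as a BAS agent would hand them back.
SIMULATIONS = [
    Simulation("credential dumping", "web01", "bas-7f3a", executed=True),
    Simulation("outbound C2 connection", "web01", "bas-9c1d", executed=False),
    Simulation("scheduled-task persistence", "web01", "bas-2b44", executed=True),
    Simulation("credential dumping", "db01", "bas-7f3a", executed=True),  # same marker, other host
]


def parse_alerts(log: str):
    """Return (host, raw line) for every alert line that names a host."""
    alerts = []
    for line in log.splitlines():
        m = re.search(r"\bhost=(\S+)", line)
        if m:
            alerts.append((m.group(1), line))
    return alerts


def assess(simulations, log):
    """Map (technique, host) to an outcome plus whether any alert referenced the run.

    prevented: the control blocked the action (alerted tells you if it was also logged)
    detected : the action ran and an alert carrying the run's marker appeared for that host
    missed   : the action ran and nothing in the log mentions it
    """
    alerts = parse_alerts(log)
    results = {}
    for s in simulations:
        alerted = any(host == s.host and s.marker in line for host, line in alerts)
        if not s.executed:
            outcome = "prevented"
        elif alerted:
            outcome = "detected"
        else:
            outcome = "missed"
        results[(s.technique, s.host)] = {"outcome": outcome, "alerted": alerted}
    return results


def gaps(results):
    """Defence gaps worth a ticket: missed techniques, and silent prevention (no telemetry)."""
    return [
        key for key, r in results.items()
        if r["outcome"] == "missed" or (r["outcome"] == "prevented" and not r["alerted"])
    ]


if __name__ == "__main__":
    res = assess(SIMULATIONS, ALERT_LOG)
    for key, r in res.items():
        print(f"{key[0]:28s} on {key[1]:6s} -> {r['outcome']:9s} alerted={r['alerted']}")
    print("gaps:", gaps(res))
```

Matching on host plus a per-run marker, rather than on technique name alone, is what lets the same technique be scored separately on every host it was run against; the fourth simulation shows the marker appearing in another host's log does not count.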
Moreover, the deployment of BAS technologies is often endorsed by IT and business stakeholders as they perceive it as a safer way of assessing the competency of current security controls and their configuration. External attack surface management, or advanced custom scenario engines, can expand BAS use cases.
BAS facilitates repeated testing whenever it is needed. More importantly, when a weakness is discovered, companies get the information they need to remediate it and close the gap quickly and completely.
What’s the business impact of BAS? The answer is that it empowers companies with visibility into potential attack paths that can lead to the loss of critical assets. If organisations know how and where it is going to happen, they can remediate it to ensure that door is closed to threat actors who are ready and willing to exploit the smallest vulnerability to gain access to enterprise networks.
The next question is whether organisations that already run advanced vulnerability scanners with prioritisation filters should be considering a BAS platform at all, and what they would gain from it.
In response, I would say that vulnerability scanners do a great job of uncovering common vulnerabilities and exposures (CVEs); in fact, the more they find, the more credibility they get. They are also excellent at providing remediation guidance that ensures businesses prioritise CVEs and deal with the critical ones first.
However, context is a problem. Suppose you were in charge of a tall building's physical security and discovered a crack in a window on the 17th floor. Would you panic?
In the vulnerability scanner world, the cracked window would be flagged as a critical CVE, usually on the basis of a misconfiguration or a missing patch. In the BAS world, the cracked window is seen in context: it is identified and noted as needing attention at some point, but there is no reasonable indication that the building will collapse because of it.
From a BAS perspective, the assessment is that nobody is about to scale 17 floors of a building to take advantage of a perceived flaw. Some initial action will still be needed to ensure the defect is not repeated elsewhere.
The point of the analogy is that many companies expend a huge amount of what may be limited resources remediating critical CVEs out of context, and are then left struggling to live with the exceptions.
This issue is exacerbated by the fact that many businesses are not given the time to understand the potential attack path and so grasp the context of the exploit. If the security controls at steps one, two and three of the attack path hold but there is a potential flaw at step four, you have to ask yourself: are you not still secure? The window is cracked (step four), but the front door is guarded and locked and the building is purposely too slippery to scale (steps one, two and three).
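To make the attack-path reasoning concrete, here is an added Python example, written for this article and not taken from it or from any vendor's product. It models each hop of a path as a step guarded by a control, records whether the last BAS run showed that control holding, and then ranks scanner findings by CVSS only when a path actually reaches the host. The hosts, controls, finding identifiers (F-1, F-2, F-3) and scores are constructed; the thresholds for "fix now" are an assumption, not a standard.

```python
"""Context-aware prioritisation: a finding is only urgent if an attack path reaches it.
Environment, controls and findings are constructed for this example."""
from collections import deque

# Each hop an attacker would need, the control guarding it, and whether the latest
# BAS run showed that control blocking the hop.  Controls are hypothetical names.
STEPS = [
    # (src, dst, guarding control, blocked by control?)
    ("internet", "web01", "WAF + perimeter firewall", True),   # step one: front door guarded
    ("internet", "vpn-gw", "MFA on VPN", True),                # step two: facade too slippery
    ("web01", "app01", "internal ACL", True),                  # step three
    ("vpn-gw", "app01", "internal ACL", True),
    ("app01", "db01", None, False),                            # step four: no control at all
]

# Findings as a scanner would report them: (constructed id, host, CVSS base score).
FINDINGS = [
    ("F-1", "db01", 9.8),    # the cracked window on the 17th floor
    ("F-2", "web01", 7.5),
    ("F-3", "app01", 5.3),
]


def reachable_hosts(steps, start="internet"):
    """Hosts reachable from `start` crossing only hops whose control is absent or failed."""
    adjacency = {}
    for src, dst, _control, blocked in steps:
        if not blocked:
            adjacency.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def prioritise(findings, steps):
    """Rank findings by CVSS when exposed via a live path; defer the rest.

    Returns (id, host, cvss, exposed, action) sorted exposed-first, highest CVSS first.
    Thresholds are an assumption for the example.
    """
    reach = reachable_hosts(steps)
    ranked = []
    for fid, host, cvss in findings:
        exposed = host in reach
        if exposed and cvss >= 7.0:
            action = "fix now"
        elif exposed:
            action = "fix this cycle"
        else:
            action = "schedule"      # defect noted, but nothing reaches it today
        ranked.append((fid, host, cvss, exposed, action))
    return sorted(ranked, key=lambda r: (not r[3], -r[2]))


def with_control_failed(steps, control):
    """What-if for the next BAS run: every hop guarded by `control` is now open."""
    return [(s, d, c, False if c == control else b) for s, d, c, b in steps]


if __name__ == "__main__":
    for label, scenario in [
        ("all controls hold", STEPS),
        ("perimeter fails", with_control_failed(STEPS, "WAF + perimeter firewall")),
        ("perimeter and ACL fail",
         with_control_failed(with_control_failed(STEPS, "WAF + perimeter firewall"), "internal ACL")),
    ]:
        print(label)
        for row in prioritise(FINDINGS, scenario):
            print("  ", row)
```

With every control holding, the 9.8 on db01 is scheduled rather than escalated, because no path reaches it. Failing the perimeter control in the next run exposes web01 only, and it takes a second control failure before the database finding becomes the top priority; that is the "continuously testing attack paths" part of the argument in code form.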
BAS does not gain credibility by exposing more problems; it gains it by contextualising them and continuously testing attack paths, resulting in smarter use of skills and resources.
In a nutshell, less reactive remediation and more planning make security measures more effective. Companies need to understand that vulnerability scanners tell them what ‘could’ happen, while BAS tells them what ‘would’ happen, removing speculation from the equation.
By Luke Cifarelli, Security software sales leader, iOCO Tech.