Download our in-depth report: The Ultimate Guide to IT Security Vendors
Despite having deployed multiple solutions to create a defense in depth and having followed all the industry best practices, some of the very best IT security directors will confess that they have a very fundamental problem: They don't really know how well their cybersecurity defenses are working.
Until recently, enterprises have had limited capabilities for assessing the damage that a cyberattack could do to their systems. They might have conducted penetration testing, vulnerability assessments, security audits, red team testing or threat hunting, but each of these approaches have limitations that prevent it from providing a comprehensive, ongoing picture of an organization's overall security posture.
To fill this need, vendors have stepped up with a new type of tool called breach and attack simulation (BAS). This terminology started gaining attention in the last year or so, so it's still in the early stages of development. In its 2018 Hype Cycle for Threat-Facing Technologies, Gartner places BAS at the beginning, in the "on the rise" portion of the cycle.
However, because the need for this type of service is so great, the market for BAS tools could become huge very quickly. In its report on the automated breach simulation market, the Cyber Research Databank predicted, "The market for automated breach and penetration and simulation [could] reach the size of $1B by 2020. This includes internal developments and open-source tools."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
With that sort of potential, breach simulation is clearly something IT security managers need to learn more about.
What is breach and attack simulation (BAS)?
In its paper "Utilizing Breach and Attack Simulation Tools to Test and Improve Security," Gartner defines breach and attack simulation solutions this way: "BAS tools simulate a broad range of malicious activities (including attacks that would circumvent their current controls), enabling customers to determine the current state of their security posture."
BAS tools run simulated attacks to measure the effectiveness of a company's prevention, detection and mitigation capabilities. For example, the software might simulate a phishing attack on a company's email systems, a cyberattack on the company's web application firewall (WAF), attempted data exfiltration, lateral movement within networks, or a malware attack on an endpoint.
Because this technology is very new, the solutions on the market vary widely. Some focus more on breach simulation, primarily attempting to break through network defenses. Others offer more comprehensive attack simulation with the ability to measure an organization's responses in the exploitation and post-exploitation stages of a cyberattack. Some run in the cloud; some run on-premises. Some require agents, others are agentless. Some rely on artificial intelligence and machine learning; others do not.
In short, the market is still evolving to define what exactly constitutes a BAS solution and how it differs from other products on the market.
Breach simulation vs. penetration testing
Some of the confusion around the definition of BAS concerns its relationship to penetration testing. Breach simulation and penetration testing are very similar, but they aren't exactly the same. Usually penetration testing is conducted by a security expert, a "white hat hacker," who applies his or her knowledge of how to breach defenses to the task of penetrating an organization's networks. This approach is very effective because it relies on people who have the same set of skills as the criminals who are conducting cyberattacks.
However, on the downside, penetration testing tends to be very expensive and it only offers a snapshot of an organization's defenses at a particular point in time. When organizations improve their defenses or as new attacks are seen in the wild, security managers often have no idea how the changes actually affect their security posture unless they pay for more testing. While some very large enterprises have gotten around these disadvantages by hiring in-house cybersecurity experts who can perform pen testing on a regular basis, this isn't an option for most organizations.
Breach simulation automates the testing process and performs it continuously. While these tools may not have the same creativity and ingenuity as human white hats, they can test all the time across a broad spectrum of different kinds of attacks.
Gartner has noted that BAS tools also have a slightly different scope than pen tests. It wrote, "Penetration testing helps answer the question 'can they get in?'; BAS tools answer the question 'does my security work?'"
Complicating matters, some tools combine breach simulation with penetration testing capabilities. Time will tell whether these remain distinct categories or if the two types of solutions conflate.
Why deploy breach and attack simulation technology?
The primary reason organizations would want to deploy BAS is because they want an answer to that fundamental question: whether their systems are secure. Even careful security teams sometimes find that some of their security tools have been inadvertently shut down or are not performing as desired because of configuration errors. Breach and attack simulation can help organizations identify these problems early as part of their proactive security efforts.
In addition, most large organizations use many different security tools that may or may not be operating as intended or working together properly. According to Gartner, "Large enterprises report having 30 to 70 security vendors." In that type of environment, security tools will be changing almost constantly as vendors update their tools to adapt to the evolving threat landscape. The only way to know with any level of certainty that a company's networks and systems are secure as they go through those changes is with some sort of cyber attack simulation testing. And BAS tools represent the most cost-effective way to do that testing on a continual basis.
Of course, it's not just security tools that are changing constantly. Thanks to the rise of cloud computing and the Internet of Things (IoT), enterprise networks themselves are evolving all the time. Large enterprises may be using computing resources that are scattered all over the globe, and testing this type of environment on a regular basis is difficult with other types of security tools.
Gartner concluded, "BAS tools are the best option when consistent, systematic and frequent tests of production security controls are required."
Potential disadvantages of breach and attack simulation technology
While BAS tools offer a lot of benefits, they also carry some potential risks. They include the following:
- Prioritization difficulties: In some cases, BAS tools identify so many different vulnerabilities and problems with the security systems that it can be difficult for security teams to know where to begin.
- Lack of support for zero-day attacks: While human pen testers may come up with a novel approach that no one has ever tried before, automated systems are limited to known attack and threat simulations.
- Potential system disruption: Although BAS tools are meant to simulate an attack, it is sometimes difficult to distinguish a simulated attack from a real one. Organizations face the very real possibility that actions taken by their breach and attack simulation solution could knock production systems offline or slow performance.
- Alert overload: Overworked security personal are already struggling to sort through the deluge of security alerts they receive on a daily basis. Adding BAS to the mix could turn up the volume on this noise, making it more difficult to distinguish the really important alerts from those that can be safely ignored.
- Difficulty in choosing a vendor: Because the BAS offerings on the market vary so widely, it can be very difficult for organizations to compare products and services. They need to be very clear about their needs and carefully vet each product they consider, without making assumptions about what the products will be able to deliver.
Key breach and attack simulation vendors
Most of the vendors in the BAS market are startups, and many are headquartered in California or Israel. Some of the most notable vendors include the following:
- AttackIQ — Founded in 2013, AttackIQ is headquartered in San Diego, California, and has raised $14.3 million in funding, according to CrunchBase. The company promises to help companies put on an "offensive defense" with its FireDrill platform. It's an agent-based system that "requires minimal setup time, and few resources to implement." It includes a dashboard for monitoring your ongoing security posture and a project section for running specific attack scenarios.
- Cronus Cyber Technologies — Based in Israel, this startup offers a product called Cybot that it describes as a combination vulnerability management and penetration testing solution. It offers three versions of the product, a standard "pro" version, plus one for enterprises and one for managed security service providers (MSSPs). It was founded in 2014 and has raised $5.7 million in venture funding.
- CyCognito — Founded in 2017, CyCognito is one of the youngest BAS vendors. It offers a SaaS solution that is said to "think like an attacker to uncover and eliminate security blind spots." It attempts to identify the path of least resistance, those that attackers are most likely to exploit. The company is headquartered in Silicon Valley.
- Cymulate — One of several Israel-based startups on the list, Cymulate was named a Gartner Cool Vendor for 2018. It claims that its cloud-based BAS tool takes just five minutes to deploy and starts returning insights two minutes later. Its capabilities include immediate threat alerts, email security, Web gateway, Web application, hopper—lateral movement, endpoint, data exfiltration, phishing and SIEM/SOC assessments.
- GuardiCore Infection Monkey — GuardiCore's primary product is a microsegmentation platform designed for hybrid clouds, but the company also has an open source BAS tool called Infection Monkey. It's a free download, and enterprises can run it continuously if they choose. Building on GuardiCore's area of expertise, it is especially good at detecting lateral movement and assessing the security of hybrid clouds.
- Picus Security — Picus calls itself the "pioneer of breach and attack simulation technologies" and boasts "many large multinational corporations and government agencies" as customers. It includes modules for continuous HTTP/HTTPS, endpoint and email testing. The company was founded in 2013 and is headquartered in San Francisco with offices in London and Ankara, Turkey (where many of its executives are from).
- SafeBreach — SafeBreach holds multiple patents for breach and attack simulation technology and has won multiple awards, including being named a Gartner Cool Vendor for 2017 and a BlackHat Most Innovative Startup in 2016. It offers cloud, network and endpoint simulators that can detect infiltration, lateral movement and data exfiltration. Founded in 2014, it is headquartered in Silicon Valley.
- ThreatCare — Founded in 2014 by a U.S. Navy veteran who worked in cryptography, this Texas firm claims to be "the leader in breach and attack simulations." It promises to make BAS easy, and unlike many of the other BAS vendors, it is upfront about pricing, which starts at $50 per month. The solution deploys as a standalone app with optional agents available for testing multiple networks simultaneously.
- Verodin — Based in the Washington, D.C. area, Verodin is on a mission to "help organizations remove assumptions and prove cybersecurity effectiveness with evidence-based data." It calls its BAS product a Security Instrumentation Platform (SIP) and promises to be able to test the defenses for networks, endpoints, email and the cloud. It was founded in 2014 and earlier this year closed a $21 million funding round.
- WhiteHaX/IronSDN — This Silicon Valley startup is somewhat mysterious as details about its headquarters and founding are difficult to find on its website or CrunchBase. It claims to be "the only solution which allows the IT Security team to conduct automated internal verification of their own security infrastructure defenses without impacting any production servers or endpoints." It has versions available for networks, endpoints, PVC (cloud) and MSSPs, as well as a Lite version.
- XM Cyber — Headquartered near Tel Aviv, XM Cyber was "founded by the highest caliber of security executives from the elite Israel intelligence sector." Its product is called HaXM, and the company says it is "the first APT simulation platform to simulate, validate and remediate attackers' paths to your critical assets 24×7." It has won multiple awards, including a 2018 Cybersecurity Breakthrough Award, Startup of the Year 2018, 2018 World Economic Forum Technology Pioneer and more.
In addition to the vendors offering the full-featured products mentioned above, a few other organizations have released open source software that offers some limited breach and attack simulation capabilities. They include Uber with its Metta adversarial simulation tool, AlphaSOC with its FlightSIM tool for generating malicious network traffic, Endgame with its Red Team Automation scripts, and Red Canary with its Atomic Red Team tests.
San Diego, Calif.
"AttackIQ delivers continuous validation of your enterprise security program so you can find the gaps, strengthen your security posture and exercise your incident response capabilities."
Cronus Cyber Technologies
"CyBot is a next-generation vulnerability management tool as well as the world’s first automated pen testing solution, that continuously showcases validated, global, multi-vector, Attack Path Scenarios (APS), so you can focus your time and resources on those vulnerabilities that threaten your critical assets and business processes."
Palo Alto, Calif.
"CyCognito’s SaaS platform continuously simulates sophisticated attackers' actual reconnaissance and examination processes across live infrastructure and network assets to provide comprehensive attack surface analysis in real-time."
Rishon Le Zion, Israel
"Cymulate comprehensively identifies the security gaps in your infrastructure and provides actionable insights for proper remediation."
Tel Aviv, Israel
"The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement."
San Francisco, Calif.
"Independent from any vendor or technology, the unparalleled Picus Platform is designed to continuously measure the effectiveness of security defenses by using emerging threat samples in production environments."
"Our unique software platform simulates adversary breach methods across the entire kill chain, without impacting users or your infrastructure."
"We help build, measure, and maintain your cybersecurity through powerful breach and attack simulations so you can scale your business."
"Verodin is a business platform that provides organizations with the evidence needed to measure, manage and improve their cybersecurity effectiveness."
"WhiteHax is a unique multi-appliance, pre & post-infiltration, security-breach simulation platform to allow IT security teams to test the effectiveness of their already deployed security infrastructure."
"XM Cyber provides the first fully automated APT Simulation Platform to continuously expose attack vectors, above and below the surface, from breach point to any organizational critical asset."