Due to rampant cyberattacks, companies are upping their cybersecurity investments. Worldwide security spending is expected to grow by 2.4 percent and hit $123.8 billion this year. However, despite the wider adoption of security tools and solutions, many organizations still have yet to adopt security testing as a core element in their security strategies.
Security testing helps check if the security controls actually work. But the costs of conventional testing methods such as penetration tests are often prohibitive, preventing most organizations from performing them on their networks.
Fortunately, breach and attack simulation (BAS) has started to change this by effectively lowering the barriers to testing. BAS platform Cymulate, for instance, allows organizations to repeatedly and continuously simulate attacks on their own networks using easily operated interfaces. By making tests more feasible to perform, the company believes that it can make testing a routine practice for information technology teams.
“Companies are increasing spend on security solutions that protect across the cyber kill chain. However, it’s important to test the set-up and effectiveness of these solutions frequently because things can quickly change in technology. It’s possible for gaps to appear in your defenses unexpectedly and it only takes one opening for hackers to get into your network. Continuous security validation leaves nothing to chance” Cymulate CEO and cofounder Eyal Wachsman said.
Why Testing Matters
There is no shortage of security solutions in the market today. Organizations have plenty of choices on which antimalware, firewall, access management, endpoint protection, and even training programs to use. Many providers are also shifting to cloud-based delivery models, making solutions convenient and affordable to adopt.
The problem with this availability of tools is that they can lull organizations into a false sense of security wherein they believe that they will gain adequate protection simply by deploying these solutions. However, even the most popular and industry-leading security solutions can fall short due to bugs and faulty integration.
Hackers are also getting craftier in their methods. They now probe the entire expanse of an organization’s attack surface for these vulnerabilities. With access to more powerful and complex attack tools, they can quickly exploit any gap they find. As such, organizations should be able to find out these gaps first and plug them before they fall victim to attacks. The ideal way to find out if these issues exist is to test security controls.
Testing has been conventionally done through methods like vulnerability scans and penetration tests, but these have their limitations. Most scans only list potential vulnerabilities and don’t really test the performance of security controls. Penetration tests have to be done by specialist white-hat hackers. The scope of the test would often be limited by the tester’s own capabilities. These can be quite expensive to perform. Most organizations do not have such high-level resources readily available, leading them to defer testing or even skip it altogether. By then, things may be too late.
How Cymulate Helps
BAS essentially overcomes these issues by improving upon the capabilities of vulnerability scans and penetration tests while simplifying the process to enable even non-white hats run these attack simulations doable even by non-white hats.
Cymulate, for example, allows users to launch simulated attacks across the various security tools that are deployed by an organization. It can test the effectiveness of web application firewalls, email filters, and endpoint security. It also has a phishing simulation feature to test actual staff members if they can identify and avoid social engineering attacks via email. The tests can also check if security policies and controls are properly configured and if they can prevent lateral movement and data exfiltration.
The simulations use what are basically hacking tools and malware to check how well the target system’s controls work. The methods used by these simulations mirror those used in actual cyberattacks although BAS tests are designed not to cause real harm. Cymulate’s tests are drawn from the MITRE ATT&CK knowledgebase of actual techniques and tactics used by real threat actors.
As a software-as-a-service (SaaS) platform, Cymulate can be set up in just minutes. Users only need to install a client on a representative machine within the network. This would already enable them to launch tests using a web interface. The results are presented in easy-to-interpret scores and also provide key insights on how to remedy issues should they be found. In contrast, penetration tests can take days to schedule and even weeks to get the full report from the tester.
Cymulate also allows tests to be scheduled so that organizations can continuously evaluate their security posture. Once set, the platform automatically runs the tests and sends feedback. It can even provide notifications to administrators to run tests should emerging threats arise.
“Validation is vital in cybersecurity. Organizations shouldn’t wait for an actual cyberattack to find out if their controls are capable of defending their infrastructure or not. Through our platform, we provide leaders with comprehensive and timely insights about the state of their security controls. We enable them to improve their security
posture quickly and decisively using accurate information” Wachsman added.
Testing as Standard Practice
For organizations, it is only a matter of time before they actually get hit by a cyberattack considering how active threat actors are today. Because of this, implementing a comprehensive security strategy is a must. But crucial to this is ensuring that their controls function properly in mitigating and responding to cyberattacks.
Through its platform, Cymulate provides organizations the means to check their security posture at any time. BAS tests can be run practically on-demand, overcoming the limitations of traditional penetration testing. BAS tests can be done repeatedly and provide immediate results, making it an amazingly cost-effective option.
As testing becomes more feasible for a wider range of organizations, it should ultimately become standard practice among organizations. The stronger security postures are, the better protected everyone is from cyberattacks.
Brian Wang is a Futurist Thought Leader and a popular Science blogger with 1 million readers per month. His blog Nextbigfuture.com is ranked #1 Science News Blog. It covers many disruptive technology and trends including Space, Robotics, Artificial Intelligence, Medicine, Anti-aging Biotechnology, and Nanotechnology.
Known for identifying cutting edge technologies, he is currently a Co-Founder of a startup and fundraiser for high potential early-stage companies. He is the Head of Research for Allocations for deep technology investments and an Angel Investor at Space Angels.
A frequent speaker at corporations, he has been a TEDx speaker, a Singularity University speaker and guest at numerous interviews for radio and podcasts. He is open to public speaking and advising engagements.
Only if you weren’t aware of how very widespread that attitude is in industry.
Careful, one could mistake that as a dig at Musk.
Better than the alternative,
I see one problem with software system’s security as a whole: as the complexity of systems grow, the possibility of untested interactions and thus, security gaps grows beyond our ability to control.
This has no single solution, just a lot of partial palliative ones. A good one is to have the discipline for controlling a system’s code complexity and code coverage, but even that only serves to control the possibility of security problems within your single system, and it does nothing with the combinatorial explosion that results from joining many systems in a networks, like in ‘the Cloud’.
And most companies simply don’t have the necessary discipline to even try to control complexity, bugs and security problems in their code, releasing products made following the least effort approach, with little validation beyond basic functionality (‘it runs, ship it!’).
The fact that software companies produce new software versions apparently on a daily basis makes the problem much worse.
This reads a bit like an advertisement, though I suppose it is only based on one since Brian said nothing about it being sponsored. As a developer, I am a bit concerned that organisations will adopt this kind of methodology and simply trade one false sense of security for another — after all, a simulation is never the real thing, and if it is affordable then it is not comprehensive, and a black hat will probably spend more resources on a real-world attack than a simulated and generic vulnerability test.