When It Comes to Security Validation, BAS Is Not Enough
FireEye Stories 2021-06-02
Incomplete testing of security controls could have devastating consequences on an organization’s security posture, brand reputation and bottom line. We hear concerns almost daily from customers and prospects who have come to the realization that Breach and Attack Simulation (BAS) technologies are just scratching the surface of testing security effectiveness.
In this blog post we share are a few reasons why BAS is not enough to demonstrate cyber readiness and why organizations are instead choosing Mandiant Security Validation to safely emulate real attacks, proving true security effectiveness against today’s most relevant threats.
Simulation Is Not as Effective as Emulation
BAS tools merely simulate an attack, which is far less effective than the emulation of a real attack, achieved by safely executing real attack binaries. Contrary to executing dynamic attack behaviors, simulated attacks are incomplete, reverse-engineered, manufactured or fake. As a result, they are often not recognized by security controls as a threat. Rules detecting but not alerting on simulated attacks is common and detrimental to a security program as this creates a false sense of security. AI and machine learning will only exacerbate this scenario. Organizations have difficulty optimizing their security controls without using real attack binaries based on active attacker tactics, techniques, and procedures (TTPs) and without visibility of the full attack lifecycle.
Simulations Only Focus on Post-Exploit Attacks
Simulations performed by BAS technologies are limited to the phases of operation once the attack has compromised the system. As a result, these simulations do not provide complete attack lifecycle/kill chain visibility, which is critical to analyzing security effectiveness across the entire security infrastructure and optimizing controls proactively.
Testing Is Only as Good as the Data Used
The validity of attack libraries inherent in today's BAS solutions is in question as they cannot keep pace with the threat landscape. BAS solutions lack the real-time threat data and breach intelligence that reveal what threat actors are doing right now. That lack of timely intelligence—providing insights into the current TTPs used by attackers—limits an organization’s ability to identify and defend against the most relevant threats.
Lack of Remediation for Environmental Drift
Critical to validating controls is the ability to monitor and remediate changes to the IT environment that otherwise remain unseen by the security team. These gaps can cause regressions in security controls effectiveness and ultimately cause massive opportunities for attackers. BAS solutions lack automated processes to detect and respond to IT environmental drift and ensure ongoing integrity of the security infrastructure.
The use of continuous monitoring or simulation is distinctly different from the automated detection and remediation of IT environmental drift. Drift or changes in digital environments can also impact IT policies, tools, topologies, segmentation and more—which are not flagged in BAS solutions. Automating the process of monitoring and remediating IT environmental drift assures the health of the security infrastructure resulting in integrity and accuracy in test results.
Ongoing Proof of Security Effectiveness
Mandiant Security Validation gives teams ongoing proof of security effectiveness across people, processes and technology, providing them with:
- The latest global threat intelligence and adversary visibility
- Emulation of real attack binaries
- Safe execution of destructive malware and ransomware
- An automated process to monitor and remediate IT environmental drift
Security Validation and BAS technologies have many perceived similarities, but despite claims of comparable functionality, the distinction remains clear: simulation and yesterday’s data are no match for emulation using real-time threat intelligence.