At SafeBreach’s 2023 Validate Summit—a yearly event that brings together experts in the security community to discuss challenges, best practices, and key considerations for building a proactive security program—we asked attendees to share why they began using a breach and attack simulation (BAS) tool like SafeBreach. One of our customers had a straightforward answer: people, time, and money.
In this installment of our Voices from Validate blog series, we revisit this panel discussion to highlight additional insights from our customers about how they’re leveraging BAS to overcome challenges like resource constraints, inefficient processes, and ensuring that they’re using the right tool for the job.
- Zac Fletcher, CISO at Service Corporation International
- Tim Dawson, former Group CISO at UBS
- Mick Brons, Manager of Cyber Security Assurance at Southern Company
- Francisco Najera, Sales Engineering Manager at SafeBreach (Moderator)
1. People: Resource Constraints and an Ever-Changing IT Environment
Change is constant in enterprise IT systems. With people and technologies always shifting, it’s difficult to keep track of all of the security tooling that exists to defend the network, let alone each tool’s features, potential use cases, and level of efficacy. Meanwhile, security teams are stretched thin trying to address the new attacks and vulnerabilities that appear every day, while also trying to maintain disparate pieces of security infrastructure.
Panelist Mick Brons, Manager of Cyber Security Assurance at Southern Company, noted that security tools and members of security teams come and go for various reasons. “We’re always bringing in new stuff. We have new people coming; we have old people leaving; we have old people doing things a different way.” This constant shifting in personnel means new employees are at risk of repeating previous mistakes. “Just because you learned a lesson once doesn’t mean that everybody learned it, or that they didn’t make the same mistake again.” For Brons, this reinforced the need for Southern Company to continuously validate their security controls.
Another panelist had to grapple with the challenge of having too few experts to perform red team exercises. His organization had attempted to build an in-house red team, but progress was slow, manual, and woefully understaffed due to constraints in budget and conflicting priorities. One of his team members had multiple responsibilities, spending “maybe 25% of his time” on red teaming.
When first looking at SafeBreach, a lightbulb went off. “As we started looking at the tool, we realized that if this guy still spent 25% of his time doing this [with SafeBreach], he could actually run thousands more simulations and tests in the course of a given year.” He added that after the initial POC, choosing SafeBreach “was a no brainer.”
2. Time: Architecting for Efficiency and Using the Tools You Already Have
When he first started using SafeBreach, Zac Fletcher, CISO at Service Corporation International, was trying to address a common challenge. “We invested in a lot of great tools, but how do I know they’re working or configured properly?” Misconfigurations were a common priority among all the panelists, who each ranked them as a top use case for BAS technology.
Tim Dawson, former Group CISO at UBS, noted that part of the value of BAS—and the SafeBreach platform specifically—is having the ability to catch these types of straightforward issues that might otherwise go unnoticed or take time to uncover. “Think about proxy misconfigurations. You’ve got 30 proxies, one is now different. Well, realistically, we’re probably not going to find that unless we can do those continuous monitoring checks every couple of minutes, every couple of days.”
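The proxy scenario Dawson describes is, at bottom, a comparison of one host’s configuration against the rest of the fleet, repeated on a schedule. The Python script below is an added example, not SafeBreach code or anything the panelists showed: it canonicalizes and hashes the configuration collected from each proxy, treats the majority hash as the fleet baseline, and reports the exact lines on which any outlier differs. The proxy names, the configuration keys and the tls_inspect setting are constructed for illustration.

```python
"""Fleet configuration drift check.

Added example (not SafeBreach code). Given the config text collected from
each proxy, canonicalize it, hash it, and report any proxy whose config
differs from the fleet's majority baseline, with the exact differing lines.
All sample configs and host names below are constructed.
"""
import difflib
import hashlib
from collections import Counter
from typing import Dict, List, Tuple


def canonicalize(config_text: str) -> List[str]:
    """Drop comments and blank lines and collapse whitespace so cosmetic
    differences (indentation, trailing comments) do not register as drift."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            lines.append(" ".join(line.split()))
    return lines


def config_hash(config_text: str) -> str:
    """SHA-256 over the canonical form; identical settings hash the same."""
    canon = "\n".join(canonicalize(config_text)).encode()
    return hashlib.sha256(canon).hexdigest()


def find_drift(fleet: Dict[str, str]) -> Tuple[str, Dict[str, List[str]]]:
    """Return (baseline_hash, {host: differing_lines}) for every host whose
    config deviates from the majority. The majority is used as the baseline
    because, as in the 30-proxies case, a single changed box is the likely
    anomaly; a fleet-wide bad change would NOT be caught this way."""
    hashes = {host: config_hash(cfg) for host, cfg in fleet.items()}
    baseline_hash, _ = Counter(hashes.values()).most_common(1)[0]
    baseline_host = next(h for h, d in hashes.items() if d == baseline_hash)
    baseline_lines = canonicalize(fleet[baseline_host])

    drifted: Dict[str, List[str]] = {}
    for host, digest in hashes.items():
        if digest == baseline_hash:
            continue
        # Keep only the changed lines; drop the ---/+++ headers and @@ hunks.
        diff = [
            line
            for line in difflib.unified_diff(
                baseline_lines, canonicalize(fleet[host]),
                fromfile="baseline", tofile=host, lineterm="", n=0)
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
        ]
        drifted[host] = diff
    return baseline_hash, drifted


# Constructed sample: 30 proxies, one of which has TLS inspection turned off.
GOLDEN_CONFIG = """
# corporate forward proxy (constructed sample)
listen 0.0.0.0:3128
tls_inspect on
upstream_ca /etc/proxy/corp-ca.pem
log_level info
"""

FLEET = {f"proxy-{i:02d}": GOLDEN_CONFIG for i in range(1, 31)}
FLEET["proxy-17"] = GOLDEN_CONFIG.replace("tls_inspect on", "tls_inspect off")


if __name__ == "__main__":
    baseline, drifted = find_drift(FLEET)
    matching = len(FLEET) - len(drifted)
    print(f"baseline {baseline[:12]}...  {matching}/{len(FLEET)} hosts match")
    for host, lines in drifted.items():
        print(f"DRIFT {host}:")
        for line in lines:
            print("   ", line)
```

Run it from cron or a CI job against configs pulled from your configuration-management source of truth, and forward the DRIFT lines to the SIEM so a single changed proxy raises a ticket within minutes rather than being found by accident. Note the limitation stated in the docstring: a majority baseline only catches the odd one out, so a misconfiguration pushed to all 30 proxies at once still has to be caught by actually exercising the control, which is the gap the BAS testing described on this page is meant to close.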
How well are your security investments working?
Security teams often own and operate dozens of tools to protect and defend their enterprises, but misconfiguration or drift over time can mean they’re no longer effectively protecting against attacks. SafeBreach validates that each security control is operating optimally, both individually and in orchestration with the other tools in your stack.
By testing continuously, SafeBreach helps security teams quickly identify misconfigurations and other issues that are easy to fix, but traditionally hard to find.
With so many solutions available in the market, some vendor capabilities will inevitably overlap. When making the most of the organization’s security investments, it’s important to be able to have a tool like BAS to help validate and assess what the team already has access to, what may be unnecessary, and what may not be in use at all.
Plug security holes and eliminate redundancies.
Simulated attacks help identify critical gaps in your security coverage, optimize configurations, pinpoint tool inefficiencies, and ensure that you aren’t over-investing in redundant protection.
For Fletcher at SCI, “It’s not always about [security vendors] fixing a problem you find. It’s also [asking], is there a better way we can use your tool to solve these gaps that SafeBreach is identifying? …Go back to your vendors and say, ‘Hey, how can I solve this problem with something I already own?’”
“We all know this sort of scenario,” said Dawson, “There’s an SME that brought that tool in five years ago, and that’s theirs, and it has to stay, and it’s the best ever.” He stressed that it’s important to take an evidence-based approach, rather than simply relying on opinion and preference. “We had a solution in place that was detecting 90% of the samples that we pushed through. We have another solution in place that actually wasn’t turned on, although it was there. We turned that on and we got 98% efficacy. That’s a data point to take into consideration.”
3. Money: New Security Investments
Knowing that onboarding a new tool requires significant investment of resources beyond the act of a purchase, Dawson’s team has a procedure in place before new cybersecurity purchases. “So the challenge back to my team is, before we asked for additional funding for tooling, are we consistent with what we have? Are we configured correctly? Are we in the right logs? Is it monitored? Is it done in the right time? Do we have agreement from a technology level and an SME level?” Only when those questions are answered sufficiently can the process begin.
Once a team decides it requires a new solution, it’s time to convince leadership to allocate the budget. Dawson noted that when requesting more budget from company leadership, pushback often includes requesting proof that previous investments were effective and well spent. “Having that scale and that ability to go test your environment, quickly, frequently, rapidly and comprehensively, puts you in that position to the board to say, ‘No, we are maximizing the value of the investments we’ve made historically, this is why we need more.’”
Brons also looks at the environment as a whole. “Once you get to the point where you’re getting actual data from a tool like SafeBreach, you can use that to drive the hardening or configuration of your own security stack. Then at that point, you can justify your expense on multiple tools.”
Once the budget has been approved, it can be a challenging process to choose the right vendor. One panelist plans to leverage SafeBreach in their search for a new endpoint detection and response (EDR) solution. “Rather than having our ten, eighteen, thirty use cases, I think we’re planning on running a hundred or a thousand simulations against the top three [vendor choices]. Being able to have that quantitative data at that volume is definitely going to help us in that process.”
Simplify security solution
Identify technologies that actually solve your security problems by testing competing solutions side-by-side against real-world threats in your unique environment.
Looking to the Future: Cyber Resilience
With regulators starting to home in on the idea of continuous validation and cyber resilience, executive stakeholders may not be the only ones interested in whether or not an organization’s security controls are working as intended. While in recent history, the cybersecurity industry and regulatory bodies were focused on implementing certain types of security controls, it is becoming more apparent that these controls must be tested to ensure that they’re working as intended—especially as threat actors are starting to focus their attacks on security vendors. Continuously testing controls doesn’t just allow individual organizations to be more efficient and make better use of their tools; it prepares them for a near future when they might be required by governing bodies (or cyber insurance providers) to show proof of resiliency. The more proactive an organization can be—when optimizing its existing tech stack, when evaluating new tools, and when keeping its board and leadership informed—the more prepared it is for the world ahead.