Between the time it takes to stand up a new security tool in an IT environment, the resources needed to continually train personnel to effectively use each tool, and the raw cost of the solution itself, enterprise security teams invest quite a lot when introducing new security controls. Solutions that have been in place for a long time have likely grown with the team’s needs, and are well trusted within the organization.
But configuration drift and shifting teams or focus over time can result in security controls that no longer effectively prevent attacks. With such an investment, it’s important to test and validate these tools regularly to ensure they’re still working as intended—and not leaving the door open for adversaries to exploit. Advanced security organizations are solving this issue with breach and attack simulation (BAS), which allows them to safely execute continuous, automated attack simulations across a variety of controls, including endpoint, email, network inspection, network access, container, and cloud.
One SafeBreach customer, a leader in network and cloud security, understands the importance of security control validation; not only do they leverage our BAS platform to continuously test their own security controls, but they use it to strengthen their own product and support their customers as well. This customer recently shared their approach at SafeBreach’s 2023 Validate Summit, a yearly event that brings together experts in the security community to discuss challenges, best practices, and key considerations for building a proactive security program. In this installment of our Voices from Validate series, we’ll take a look at how they leverage SafeBreach for security control validation in their organization and with their customers.
“SafeBreach is a very critical partner from our perspective—not only how we use them with our customers, but also with our products.”
What is security control validation?
Security control validation is the continuous process of assessing how effective existing security solutions are at detecting and preventing attacks. This proactive process strengthens an organization’s security posture, allows leaders and practitioners to assess the efficacy of their tools, and enables organizations to make informed decisions when it comes to new cybersecurity purchases.
Breach and attack simulation (BAS) can serve as a powerful tool for security control validation by allowing organizations to orchestrate simulated attacks against their environment to identify coverage gaps. With BAS, organizations can execute continuous, automated attack simulations based on the tactics, techniques, and procedures (TTPs) used by malicious actors across a variety of controls—from web, endpoint, and email to network inspection, network access, container, and cloud.
How This Cybersecurity Vendor Leverages SafeBreach
Like many organizations, this company leverages our BAS platform across a number of areas: in the field with their customers, as a part of their red/blue/purple team exercises, in their own corporate environment, and on their product team. Below is a high level overview of how their security teams leverage the SafeBreach platform.
- Security control validation and assessment in the field. As part of their services offering, the company works with their customers to strengthen their security programs. In addition to proactively validating customers’ security controls with the SafeBreach platform, they run table-top exercises with customers using Safebreach attack simulations and perform cyber risk assessments. In some instances, they even leverage SafeBreach to test their own tooling in comparison with another vendor’s, giving the customer the ability to choose the solution that is most suitable for their environment.
- SafeBreach for red, blue, and purple teaming. When the company’s security team looks at their entire operation, they want to make sure they have the ability to anticipate, recover, adapt, and then learn. Though SafeBreach is one of the many tools used by their red, blue, and purple teams to test their resilience against attacks, they pointed out that our BAS platform is “one of the preferred tools compared to the others that we use within the SOC today.”
- Validating controls in their corporate environment. Some of the organization’s engineers are focused solely on security posture—their job is to continuously validate the company’s corporate security controls, which “happens around the clock, on a regular basis.” When these engineers find issues, they leverage SafeBreach’s integration with Palo Alto Network’s Cortex XSOAR to automate the remediation of control issues.
Red teams use BAS to automate and streamline testing processes and allow them to focus on new ways to attack, while spending less time probing for flaws to exploit.
Blue teams use BAS to validate security control effectiveness, prioritize remediation requests to security engineers, and target rapid response exercises.
Security operations use BAS to validate, monitor, and improve SIEM and security operations center (SOC) detection capabilities.
- Enhancing detection and threat intelligence capabilities. Not only does this organization use the SafeBreach platform to test their internal environment, but they are able to leverage the BAS platform to increase the efficacy of their own product. “We do the validation on our product, but we also look at the environment that our customers have… and we work with SafeBreach to run new TTPs and things of that nature. We take all those indicators and then we build detections.”
“SafeBreach is one of the tools that we use very, very religiously.”
This network security provider gets the most from SafeBreach by ensuring that each team recognizes the platform’s benefits and value. They also take full advantage of integrations with other security tools to improve efficiency in their processes, including the security orchestration, automation, and response (SOAR) platform, CortexTM XSOAR.
Security Control Validation Using SafeBreach and Palo Alto Networks Cortex XSOAR
Through this integration between SafeBreach’s BAS platform and Palo Alto Network’s Cortex XSOAR, teams can:
- Discover security gaps with BAS
- Reduce dwell time of attack simulations that have been validated to breach the environment
- Unburden SOC analysts by fully automating the remediation of low-level, non behavioral indicators of compromise (IOCs)
- Orchestrate remediation of behavioral IOCs (BIOCs) for endpoint and network security controls
- Maximize effectiveness of existing security controls
The power of this integration can be illustrated with an example of how the organization leverages the integration for security control validation on an endpoint.
- The security team starts atomic tests for their environment, which take the TTPs used in the entire chain of an attack and split it into different modules for testing purposes. Once complete, they utilize SafeBreach to run the attacks in their entirety to mimic a real-world attack scenario.
- Next, they analyze attack simulation results, which for they include a list of the following categories:
- Detected – not blocked, but logged
- Stopped – blocked, not logged
- Prevented – blocked and logged
- Inconsistent – contradictory status
- No result – flawed execution
In a typical non-automated SOC, a security team would leverage these results to create action items to address the identified issues. But this is where the joint solution comes in.
Through SafeBreach, they map the results to the MITRE framework and run playbooks for the typical, more straightforward IOCs. Through the XSOAR integration, the team can write an auto remediation, running the process to take care of the low hanging fruit.
3. Once the bulk of the security issues have been addressed, their SOC analysts are able to focus on just the BIOCs, which are far more complex. This balance of automation and human power not only creates maximal efficiency, but also ensures accuracy in their remediation process.
While the example given is their process for endpoints, the organization uses a similar process for network, cloud, and so on.
Correlate Results with Controls
Identify which controls blocked, detected, or missed attacks, so you can pinpoint ineffective settings, underperforming tools, and incident response gaps. Understand your overall risk score, identify the top exploited protocols and ports, and map attack simulation results to the MITRE ATT&CK® framework to visualize how your defenses performed.
Seeing the Big Picture
“The end goal is to enhance your security. The end goal is to make the customer successful. Working with a company like SafeBreach affords us that opportunity.”
Combining our security control validation capabilities with robust integrations and the capabilities of our technology partners serves one purpose: to enhance our customers’ security and ensure their success.
When it comes to cybersecurity, it can be easy for practitioners to get caught in the weeds. SafeBreach helps organizations see the bigger picture by testing and validating security controls across their network and by ensuring that integrations work for them, rather than creating more work for their teams. To learn more about breach and attack simulation and how SafeBreach can help improve SOC efficiency, we invite you to schedule a demo.
“In my opinion, not only does [SafeBreach] make us better as a company on the corporation side and help our customers, but it also makes the community better.”