Earlier this year, SafeBreach held its first-ever Validate Summit at Levi’s Stadium in Santa Clara, California. This in-person event brought together top cybersecurity leaders and innovators to discuss the changing requirements to build and optimize a proactive security organization.
Deloitte’s Andrew Douglas, managing director of cyber risk services; Andrew Rafla, principal of cyber risk services; and Sam Rassam, specialist master, discussed how SafeBreach has become a critical element of their offensive security program and attack surface management (ASM) lifecycle—both for their clients and for Deloitte itself.
Amid ongoing cyber threat escalation and rising geopolitical tensions, Deloitte has seen a boom in demand for more effective ways to evaluate endpoint security controls. Armed with SafeBreach’s industry-pioneering breach and attack simulation (BAS) platform, Deloitte has helped its clients take an increasingly proactive, “shields-up” approach to stress-testing their security environments—before an actual attack occurs.
In this edition of our Voices from Validate series, we revisit Deloitte’s presentation on the multitude of use cases and successful outcomes they’ve experienced leveraging SafeBreach to proactively respond to cyber escalation.
BAS – The Security Force Multiplier
“We’re bullish about including BAS as part of the attack surface management lifecycle to help our clients better understand their environment, inform risk prioritization, and validate remediation activities. SafeBreach is more than a single solution. It becomes an extension of your security team’s capabilities.” – Andrew Douglas, Deloitte
Deloitte’s security leaders began their Validate session with an overview of the ongoing benefits and outcomes they’ve experienced with SafeBreach over the years. They recalled quickly seeing SafeBreach as a technology partner that aligned with their highly risk-averse approach to serving client security needs. SafeBreach’s safe-by-design process for executing real-world attack simulations has been especially reassuring for sensitive verticals like life sciences that require full assurance their data is guarded at all times.
Deloitte noted the unique value SafeBreach delivers across enterprises to answer a range of security questions for diverse parts of the organization—not just IT and security, but also for compliance, legal, finance, and more. Deloitte also appreciates that SafeBreach constantly evolves the attacks in its comprehensive Hacker’s Playbook to help clients clearly identify gaps based on the latest attack methods and back up the findings with empirical data.
Many Deloitte clients choose to leverage BAS to augment time-consuming, manual tasks like penetration testing and red-teaming with continuous automation. SafeBreach enables red teams to focus on higher-gain activities, rather than basic testing. Many organizations lack the resources to scale up their red team, let alone be able to evaluate the scope, effectiveness, and coverage of their testing operations. With SafeBreach, they can confirm their red team generates successful outcomes and provides business value by using the data provided to ensure they spend time efficiently and effectively.
Ransomware concerns tend to top the list for Deloitte clients—for which SafeBreach provides comprehensive coverage—but there are many other use cases and threat vectors where SafeBreach has proven to be a versatile and reliable platform. Other common benefits Deloitte has experienced with SafeBreach include:
- Evaluating technology-purchasing decisions to determine which tools are more effective than others and inform smarter investments
- Applying BAS as a training tool for security teams and using the results to reward accomplishments
- Using BAS as the “tip of the spear” for mergers and acquisitions (M&A) risk assessment
- Determining if gaps are being missed by overworked teams to evaluate the extent of burnout and cyber mental health issues
- Improving storytelling at the executive level to explain the data behind identified risks and determine where to spend scarce remediation resources
How Deloitte Deploys BAS
“A lot of our clients think they’re protected, but then we run SafeBreach simulations and actually show them how they can be exploited and what specific tactics and techniques can be used to move laterally in their environment, and they have an ‘aha’ moment.” – Andrew Rafla, Deloitte
When deploying SafeBreach with a client, Deloitte will first use the technology to provide an up-front risk assessment of the security environment and controls in place. They find it most effective to start small then continue to add value as clients grow comfortable with the system and the data it provides. Deloitte’s typical BAS engagement consists of three phases:
- Understand the client environment and threat landscape – Deloitte works with organizations to create a customized security profile through threat modeling exercises to identify the latest adversarial tactics, techniques, and procedures (TTPs). This threat-driven approach will inform the configuration of a custom playbook of breach simulations within the SafeBreach platform that consider which risks are likely to have significant impact on the organization. They also facilitate the configuration and placement of BAS simulators (e.g., cloud, network, endpoint) and the type of sensitive data to simulate.
- Simulate real attacks in a safe environment – After the simulators and management console have been provisioned, Deloitte will leverage the SafeBreach platform to safely execute real-world attacks in the client’s production environments. Simulated TTPs can be stitched together to visualize how an attacker may infiltrate, move laterally, access sensitive data, and exfiltrate within an environment. SafeBreach simulators execute real attacks solely between simulators in this closed-loop environment using simulated data. Executing attacks safely in this manner reduces false positives and helps security teams enhance their situational awareness of control effectiveness without introducing risk to critical systems or actual production data.
- Report actionable results and repeat the process – In addition to SafeBreach dashboards and reports, Deloitte has developed a number of reporting accelerators to synthesize the significant amount of raw data generated during a BAS exercise with industry-leading views such as the Cyber Kill Chain and MITRE ATT&CK framework. They develop a roadmap of prioritized remediation activities to help address potential gaps, based on the criticality of findings and the organization’s specific threat profile. Recommendations may include the implementation of new controls and/or tuning of existing controls. Once the organization’s remediation plan has been completed, they then re-run BAS simulations to identify the efficacy of the newly implemented controls and corresponding gaps.
How Deloitte Measures BAS ROI
Deloitte has found that the cost of a BAS investment can be offset by realized risk reduction and bottom-line savings to provide a measurable return on investment (ROI) in a number of ways, including:
- Decommissioning Ineffective or Duplicative Controls – SafeBreach helps highlight security controls with less-than-effective value relative to the cost/threat reduction, allowing organizations to make data-driven security investment decisions.
- Reducing Time to Discovery of Threats – SafeBreach prioritizes threat hunting activities and informs intelligence requirements based on the TTPs demonstrated to be exploitable within an organization’s environment. The solution also helps reduce risk exposure by prioritizing meaningful remediation activities.
- Streamlining Red Teaming, Penetration Testing & Tabletop Exercises – SafeBreach’s automated and repeatable BAS approach allows traditional testing methods and tabletop exercises to be more streamlined and targeted.
- Making Better Use of Data & Analytics – SafeBreach increases analytics capabilities and orchestrates security controls based on the weaknesses of current controls, ultimately reducing the attack surface and potential for future breaches.
Wish you could have attended SafeBreach’s Validate summit? Well, our second-annual Validate summit is coming up in May of 2023 at The Star in Frisco—headquarters of the Dallas Cowboys. Registration will soon be open, but seats will be going fast, so be sure to save your spot early to join in on this exciting event and important conversation.