Today we continue our BAS 101 educational journey with a look at the ways an advanced BAS solution will help security leaders and their teams share their validation results and metrics with key stakeholders. If this is your first time joining the class—welcome! And be sure to check out previous lessons on the SafeBreach blog.

For BAS to be effective beyond its core security audience, it must clearly communicate findings and impacts. To do this, a BAS solution must make it simple to create a wide variety of report types and structures with charts, tables, and graphs. BAS should also enable admins to create automated reports that either fire off when triggered or with weekly or monthly data. 

Advanced BAS must not only have strong reporting and dashboarding inside the product, but also make it simple to export findings and data to other security solutions—hence, the need for a flexible API and out-of-the-box integrations with leading security solutions. Continue reading to learn more about how BAS can help with your reporting process.

Reporting BAS Basics 

Because BAS can act as a “before-and-after” viewpoint for control changes and other remediations, it is a natural provider of metrics on security control improvement initiatives. BAS should also be flexible enough to serve, if needed, as a key reporting and metrics tool for security teams to monitor and evaluate security-control management and responses to BAS findings. To fulfill all of the above, BAS must:

• Convey a clear picture of the organization’s security posture with dashboards, charts, and reports
• Allow for configurable views tailored to specific stakeholders
• Communicate real security posture trends and trackable metrics
• Detail the security posture against specific threat groups, threat types, and playbooks or TTPs
• Support requests for changes in security control configuration, budget allocations, or resource shifts
• Track progress (or lack of progress) over time to build accountability

Key Risk Indicators

Risk indicators help to track your organization’s progress, validate that your security posture is indeed improving, and understand trends over time. Communicating the status of key risk indicators is an essential value of BAS. The types of risk indicators tracked should reflect what your organization cares about most. For example, overall attack surface is measured as the percentage of attack attempts which pass through defenses.

Another indicator might be the success rate of defense against attacks, measured as the percentage of MITRE framework attacks that are blocked. An organization may want to calculate risks against its critical segments, or elevate the risk value of services that involve financial transactions or store financial data and personally identifiable information (PII). 

BAS should make it easy to select, calibrate, and then measure against these indicators. Additionally, BAS should be able to calculate the exposure time from discovery of a breach until it is resolved, as well as the success rate of remediation, in order to track:

• The efficiency and responsiveness of a security team
• The effectiveness of improving security posture
• Trends over time of reductions (or increases) in critical security gaps or attacks blocked as a percentage

Integrate Communications Where Appropriate

Because not everyone consuming BAS data will have a BAS seat or even understand how the tool works, it’s important to design communications to fit into the workflows of the stakeholders. 

• For IT teams and those in charge of patch management, BAS communications should populate help-desk tickets
• For blue teams and security operations, BAS data should be automatically pushed into their primary workspaces (e.g., SIEM or SOAR)
• For red teams, BAS data may be added to customized dashboards or consoles that incorporate their chosen penetration and analytical tooling
• For non-technical stakeholders, BAS reports can populate common dashboarding programs like Tableau or Looker, or be sent out as emails or links to BAS dashboards

Your BAS-Reporting Checklist

To recap what we’ve covered in today’s lesson, here’s a short, simple checklist of key elements to look for when assessing a BAS platform’s reporting capabilities:

• Create a grid of stakeholders and communications they should receive
• Discuss and define your key risk metrics to shape communications
• Make sure you utilize charts and graphs to convey large volumes of data in digestible formats
• Enable stakeholders to create reports that serve their needs
• Design communications to integrate into existing workflows and tooling rather than forcing everyone to log into the BAS solution

Stay Tuned

Until next time, class is dismissed. For all you overachievers, feel free to work ahead of the lesson plan by downloading our new white paper: The Four Pillars of BAS. 

Want to learn more about why leading organizations—like PayPal and Netflix—have chosen SafeBreach’s industry-pioneering BAS platform to support their continuous security validation programs? Connect with a SafeBreach cybersecurity expert or request a demo of our advanced BAS platform today.