Digital transformation is a phrase that gets bandied about often enough to almost qualify for the “buzzword” category. Yet scratch below the surface and you’ll see a weighty concept that articulates one of the most urgent challenges today’s organizations face. Namely, how to keep pace and evolve in a world that is digitalizing at breakneck speed.
Users, data, devices and networks are expanding exponentially both in the cloud, on-premises, and hybrid. Established manual processes are constantly being reconceptualized for the digital age across virtually every industry.
In this article, we’re going to take a closer look at one specific example of digital transformation within the cybersecurity space: The automation of penetration tests and red team exercises, two critically important security practices.
Updating Manual Tests and Exercises for the Digital Era
A penetration test seeks to identify as many vulnerabilities as possible within a network, system or application. A good pen tester probes to see where and how an adversary might attack, how defenders would respond and how much damage could ensure.
Red team exercises follow a similar path but are typically more targeted and tactical. Rather than take a scattershot approach, a red team will pose as ethical hackers and employ stealth and subversion to find weaknesses and test how defenders respond — ultimately seeking to develop a keen understanding of risk.
Pen testers and red teams are often staffed by talented and experienced security specialists. Red teams, in particular, are often large and highly coordinated affairs that may take place over weeks or months. A red team may study its target for an extended period and even collect intel on-premises to facilitate a successful attack.
As you might imagine, this process is extremely labor-intensive and often quite expensive. It may also be somewhat disruptive to normal business operations, given the scale and the highly manual nature of the work. Additionally, not all pen testers and red teamers are experts, and the resulting skills gap can create some uncertainty as to the rigor of the exercise or test.
The drawbacks don’t end there. Given the resource-intensive nature of testing, many organizations only perform this work once or twice annually. This creates long stretches where enterprises don’t have visibility into the state of their security. Some organizations may lack the budget or internal expertise to even conduct significant regular manual tests, which puts them at a competitive disadvantage relative to better-resourced rivals.
Given these inherent limitations, manual security testing is a ripe target for digital transformation. Yet creating a digital alternative that could replicate the impact of a skilled team of security professionals while removing the limitations of that model is no small task.
How Breach and Attack Software Has Made a Privileged Perspective Accessible
The challenge of digitally replicating the skill and expertise of a red team was finally met with the development of breach and attack simulation (BAS) technology. These tools are digitalized red teams. They work by launching simulated attacks along likely attack paths, emulating the tactics and techniques of advanced adversaries. Like a red team, a BAS platform identifies threats, shows how they can be exploited, illustrates possible damage and offers guided remediation. A BAS platform also allows defenders to see their environments through the eyes of an attacker, and play defense by offense. This is an invaluable perspective formerly only available to those who could afford sophisticated manual testing.
The result? A much deeper understanding of current risk and a stronger security posture.
Unlike manual testers, BAS platforms are automated. This means that there are no long gaps between tests, no skills gaps among testers, no disruption to production, no crushing expenses that make testing unaffordable to smaller firms. What formerly took weeks to stage now can be done in hours.
Digitalizing the security testing process democratizes it. With access to tools such as BAS platforms, smaller players can develop a more robust security posture based on the principle of continuous improvement through continuous protection. This also creates a more level playing field. Savvy attackers know that smaller enterprises can’t afford frequent manual testing — and they target these firms as a result. By integrating BAS technology, this competitive disadvantage is sharply mitigated.
The expensive, time-consuming and expertise dependent nature of pen testing and red teaming has always created a “haves” and “have nots” division among security teams. If your organization had the resources for regular expert red teaming, it gave you privileged insight into how well your defenses would hold up in the event of an attack. You could adopt the mindset of the adversary and evaluate your own systems through that perspective.
The digital transformation of security testing has automated a manual process and democratized access by doing so. Now, the power to develop a security posture based on continuous improvement is within the grasp of almost any organization.
And that’s a transformation that all of us — minus threat actors — can appreciate.
Gus Evangelakos is Director of Field Engineering, XM Cyber