As our SOAR research project is nearing completion, a reasonable question of
“what other esoteric stuff deployed only by the top 1% we can research next?” “what other usable insight on new technologies we can provide?” 🙂
We (Augusto and myself) decided to tackle a ***BIG*** problem: how to actually test organization’s security, entire security? We are going to look beyond pentesting, red teaming, application testing, maturity assessments [well, the last item is not really a test per se], etc to the meta-challenge of testing your overall security. Won’t it be fun!!!
We will describe what we have in mind on the blog(s) later (we need to gather our thoughts first), but as a part of this effort we want a closer look at so-called “Breach and Attack Simulation” (BAS) technologies. The vendors I’ve heard of in this space include Cymulate, SafeBreach, ThreatCare, and Verodin (listed alphabetically; Gartner documents may mention other vendors that compete with these). In fact, this part of the research may result in a separate paper, just on the usage of these technologies.
As we understand it, these tools promise to pretend to perform things similar to what the attackers will do (such as lateral movement, exfiltration, privilege abuse, perhaps exploitation, etc) in order to test how well your security controls (prevention, detection, response) work. Naturally, if you are not able to act on the findings, these tools will not do you any good, just like the pentests people [occasionally] ignore.
So…. our CALL TO ACTION:
- If you are vendor of threat, attack or breach simulation tools, please schedule a Vendor Briefing with Augusto and myself [and, no, you do NOT need to be a Gartner client for this!]
- If you have used such tools and have a happy/sad story to tell about your experience, please share [if you are a Gartner client, this may be covered by Gartner client NDA].
P.S. Note that our Vendor Briefing lead times are becoming longer, so schedule a VB now … and get it for early February.
P.P.S. Yes, I read that report already, thanks for sending it.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.