Gartner Blog Network


Threat Simulation Call to Action for 2018

by Anton Chuvakin  |  December 20, 2017  |  8 Comments

As our SOAR research project is nearing completion, a reasonable question arises: “what other esoteric stuff deployed only by the top 1% can we research next?” “what other usable insight on new technologies can we provide?” :-)

We (Augusto and myself) decided to tackle a ***BIG*** problem: how to actually test an organization’s security, its entire security? We are going to look beyond pentesting, red teaming, application testing, maturity assessments [well, the last item is not really a test per se], etc. to the meta-challenge of testing your overall security. Won’t it be fun!!!

We will describe what we have in mind on the blog(s) later (we need to gather our thoughts first), but as a part of this effort we want a closer look at so-called “Breach and Attack Simulation” (BAS) technologies. The vendors I’ve heard of in this space include Cymulate, SafeBreach, ThreatCare, and Verodin (listed alphabetically; Gartner documents may mention other vendors that compete with these). In fact, this part of the research may result in a separate paper, just on the usage of these technologies.

As we understand it, these tools promise to pretend to perform things similar to what the attackers will do (such as lateral movement, exfiltration, privilege abuse, perhaps exploitation, etc.) in order to test how well your security controls (prevention, detection, response) work. Naturally, if you are not able to act on the findings, these tools will not do you any good, just like the pentests people [occasionally] ignore.

So… our CALL TO ACTION:

  • If you are a vendor of threat, attack or breach simulation tools, please schedule a Vendor Briefing with Augusto and myself [and, no, you do NOT need to be a Gartner client for this!]
  • If you have used such tools and have a happy/sad story to tell about your experience, please share [if you are a Gartner client, this may be covered by Gartner client NDA].

P.S. Note that our Vendor Briefing lead times are becoming longer, so schedule a VB now … and get it for early February.

P.P.S. Yes, I read that report already, thanks for sending it.

Category: announcement  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Threat Simulation Call to Action for 2018


  1. Carl Wright says:

    Anton, I sent in a request for AttackIQ. Looking forward to the briefing. R/ Carl

  2. […] I alluded here, we [Augusto and me] will be starting an epic new research project on testing security [BTW, should […]

  3. Hi Anton, Circumventive would be interested in briefing you on our BAS solution. Will be great to catch up. It has been a while.
    Thanks,
    Matthew

  4. […] we explore the breach and attack simulation (BAS) [sometimes also called threat simulation] tools and ponder broader questions around testing […]

  5. […] we ramp up our research on SOAR and start looking at some interesting tools for automated security testing, something crossed my mind: Why are we only seeing security operations automation and security […]

  6. […] question came up as we are ramping up our testing security and breach and attack simulation tools research projects. Just how motivated are organizations to test whether they have done a good job […]




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.