With much excitement, we are announcing the release of our “magically awesome” ™ papers on security testing methods and Breach and Attack Simulation (BAS) technologies (Gartner GTP access required). Here they are:
- “Utilizing Breach and Attack Simulation Tools to Test and Improve Security” focuses on BAS tools. “Security testing is so challenging for technical professionals focused on security operations that many don’t try it. Breach and attack simulation tools help make security postures more consistent and automated. Gartner has evaluated [A.C. – not in the lab, but based on available data from clients and vendors] these tools to provide guidance for implementation and operation.”
- “Threat-Oriented Approaches to Test Security in Production” sheds light on the overall picture of testing security. “Organizations purchase and deploy many security technologies and make complex security architecture decisions. Technical professionals focused on security must understand the options available to test security and obtain evidence of the performance and effectiveness of the implemented controls.” – this paper is a fun frame-setter for how to evolve security from its “luck-based” roots to its evidence-based, test-based future.
Here are some fun quotes for you (from both papers – go read them both!):
- “Some BAS tools help prioritize the findings, and some assume you know your risks and can map findings to them. BAS findings prioritization is a key challenge for many tool users.”
- “An interesting paradox has emerged in information security. Penetration testing has been part of the information security lexicon for nearly a quarter of a century. However, most organizations — even some with nine-figure security budgets — have no idea how operationally effective their security technologies are. Has penetration testing just been done badly, or is it the wrong tool for the job?”
- “Penetration testing helps answer the question ‘can they get in?’; BAS tools answer the question ‘does my security work?’”
- “Specifically, it’s worth questioning whether these tools present a good way to test real-world security controls, if all they do is simulate real threats. So, how real should such simulations be?”
- “This research focuses on tests used to verify the current status of production environments, obtaining evidence directly from them. These tests are also threat-focused, that is, they use methods or look for data used by threat actors during their attacks. This research is also technology-focused. It does not include tests such as phishing exercises and social engineering that are oriented toward the human component of security.”
- “Test for things only when you are prepared to act on the results. Test findings may be used to inform other security processes about existing risks, but even then there must be a process and people assigned to deal with the test results.”
- “Typical automated testing methods include VA, BAS, DAST and SRS. Manual testing methods include pentests, internal or external red team or crowdsourced security testing, and “bug bounties.””
Please provide feedback if you read them via https://surveys.gartner.com/s/gtppaperfeedback
Blog posts related to this project:
- How Much of Your Security Gear Is Misconfigured or Not Configured?
- Security Testing: At What Level?
- On Negative Pressure or Why NOT Objectively Test Security?
- The Bane of All Security Tests: Acting on Results
- Threat Simulation – How real does it have to be? (by Augusto)
- New Research: How to Actually Test Security?
- Threat Simulation Call to Action for 2018
Posts related to paper publication:
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE! (our updated security use cases paper publishes)
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.