June 28, 2021 - Breach Attack & Simulation (BAS) is an emerging security tool with providers assuming different approaches in testing and simulating attacks on an organisation’s environment that creates market confusion. Irrational and inconsistent marketing didn’t help and further blurred the lines how it’s differentiated from incumbents. But what remain are industry perennial bugbears that go unresolved. So the key question to answer in uncovering a hidden gem is first whether the tool understands and tackles the critical issues that matter most to security practitioners when there is a perceived acceptance of incumbent status quo.

Why BAS matters
1. Cybersecurity investments grew significantly but pre-breach security has been underrated and underinvested.
The common industry punchline is there are only 2 types of companies, those who know they are hacked and those who do not know they are hacked. This mindset shifted investments for years towards post-breach tools which, whilst necessary, is suboptimal and insufficient. The optimal way against costly disruption and reputation loss from data breaches must surely be a non-event through prevention. Effective protection will also ultimately contribute outsized influence downstream to reduce alert fatigue and manpower dependencies; structural gaps that have inordinately attracted post-breach security investments without significant returns yet. So rethinking protection efficacy helps augment detection efficiency and improve overall security readiness. Here, BAS becomes pivotal to empower security professionals to measure the likelihood and impact of risks in advance to triage effective prevention.

2. What gets measured gets done but not all metrics are actionable.
One of the biggest security value trap has been the knowing-doing gap. Identification of vulnerabilities is often rendered inconsequential by delayed or non-remediations due to cost and capability constraints to follow up on complex findings. Thwarting the entrance to the organisation’s infrastructure as early as possible will always significantly improve security posture but remains illusive. BAS bridges this last mile through automated remediation backed by clear, actionable insights from validated assessment of an organisation’s security posture.

3. Can’t protect what you can’t see but protection needs to go beyond visibility to validation.
Security efficacy, in spite of the best industry efforts, remain largely nebulous in the absence of real world validation (except in the case of a real breach!). The industry relies on PoCs or manual and expensive tests but these lack coverage and consistency to give the required confidence that security controls will work as intended. BAS can deliver on demand assessment with constant real world attack updates to validate that critical assets are protected and potential attack routes to these assets are secured. Organisations gain valuable validation and confidence to automate remediation which will ultimately reduce alert fatigue and overwhelm in security operation teams.

Why BAS matter even more now – Change, Complexity & the CISO.
1. Change is the new constant.
Security posture is continually changing with shifting boundaries in the wake of digitalisation, cloud adoption and WFH trend. In a Nov ‘20 survey by Ponémon Institute, 70% of security professionals recognised the need to validate security controls frequently against evolving threat tactics, 61% said continuous validation is needed to identify new gaps from constant changes in IT architecture and 59% acknowledged with constant change to security implementations, continuous testing is a priority to identify risk exposure from human error. Periodic manual testing with limited network coverage at a single point in time is akin to security teams searching in the dark with a flashlight. Operations can benefit from BAS’s floodlight approach that empowers continuous monitoring of all real time changes and give organisations confidence in their security posture.

2. Complexity becomes a problem of plenty as more is less.
More security doesn’t mean better security. In an effort to keep up with growing digitalisation demands, an excess of tools to increase security, unfortunately however well intentioned, can create even more complexities and exposures. Latest technologies, each bought as the promise of a silver bullet to specific challenges, lack an integrated holistic view which leads to security blind spots to be exploited. Organisations also often purchase new security tools that are not well understood due to time constraints or lack of skills which makes intended security suboptimal while increasing exposures from human errors. As a result, increased spending instead increased risks and alerts without sufficient context to understand each tool’s efficacy and the overall security posture. BAS cuts through the fog of complexity with “out of the box” algorithms and operations purpose built metrics to simplify and prioritise remediation.

3. CISO changes role means doing more with less.
As boards give more scrutiny to cybersecurity, they are becoming less confident in their organisation’s security posture and the quality of cyber-risk information provided to them by management. This stems not just from increasing cyber incidents disrupting businesses or changed regulations necessitating board assurance, but a foundational disconnect between security and the business. The CISO is now expected to become a business enabler, going beyond providing information and protection to speak to cybersecurity risks in a business context that’s relevant to stakeholders. To support conversations that shift towards risk oriented and value driven exercises, the CISO needs to be armed with real time metrics on security posture that can drive cybersecurity decisions base on business-relevant prioritisation and investments. Whilst conventional wisdom welcomes increased visibility of cyber-related risk at the business level to usher in more support for resources, the empirical data shows the CISO’s budget has stagnated over the last 3 years (Cyberdefence Report 2021 by CyberEdge) with marginal increase only to buffer built in inflation in existing contracts. Doing more with less to deliver optimal security readiness will be a key thrust for the CISO to establish rapport at the business level. Identifying and eliminating exiting security tools which have overlapping capabilities or are no longer fit for purpose can be established by BAS providers validating security tool efficacy and relevance through real world attack simulations.

How BAS works
Not all BAS providers are the same but they should be anchored on an automated, continuous, simple, and effective methodology to assess security posture drift in real-time. BAS establishes clear business relevant key performance indicators backed by actionable insights that enable CISOs and security teams to keep their finger on the organisation’s security pulse in real-time without compromising critical production environments. They are an alternative to traditional security posture assessment mechanisms such as penetration testing, red team exercises, security audits, and vulnerability assessment with the following differentiating value proposition:

1. Mitigation Speed – Most BAS tools validates and triage remediation that can be integrated into a SIEM or SOAR to facilitate follow up. Traditional pen testing reports require security expertise to review and validate findings that slows down remediation.

2. Continuous Coverage – BAS maps changing, complex networks continuously and run attack simulations across the entire network simultaneously overcoming limitations of sectional network testing with point in time snapshot that coincides with regulatory compliance.

3. Consistent Capabilities – BAS vendors have threat intelligence researchers and expert in house red teams who design and update out of the box attack simulations. These assessments reduce manpower dependencies and eradicate skills inconsistencies, empowering security teams to launch security with minimal expertise and effort.
4. Rigorous, real time assessments – BAS tools run exhaustive scenarios, checking every possible attack pathway via automated attack campaigns that safely test against hacking tools and techniques within the production environment to expose attack vectors and compromised assets without disruption. In manual pen testing, the probability for disruption or damage is relatively higher, leaving a trail for attackers to exploit.

5. Ease and elasticity of use – BAS can be implemented within hours with light weight agents and out of box security policies and playbooks. It automates most of the security operations process and integrates to other security tools (SIEM, EDR, XDR) to offer a holistic view of the SOC performance. The process automations and integrations empower scalability even for the most complex and frequently changing network topologies.

6. Intelligent Investigation – Threat intelligence-led assessments enable security analysts to correlate threats with operational activity data to take the guesswork out of their analysis. Security teams can triage base on asset criticality, business impact and compensating security control effectiveness. This ability to quantify risk exposure to threats in real-time helps security teams effectively optimise resource utilisation.

The last word: Why now
Arguably the hardest and most important factor for startup success is timing. All data are wrong but some may be useful and we can liken startups to canaries in a mine providing early signals o market shifts. Today, BAS market size is conservatively projected to be only circa $50m with 35% CGAR growth to 2025 (Frost and Sullivan), with early adoption limited to organisations with high security maturity for robust testing and validation. But when we look at blue ocean market adjacencies (OT-IoT security), potential for disruption (pen testing, red/blue teaming, MDR, SIEM, SOAR) and overlapping capabilities (cloud security posture management), BAS presents a significant total addressable market size. What may also have gone unnoticed is that BAS, with its automated, out of the box offerings, can pioneer a new market segment for SMEs with zero touch, self service security testing augmented by service partners.

By current market sizing, BAS can also be adjudged to be in its infancy with questionable product market fit. Anecdotally, customers share they are looking for more frequent security testing and alternatives to current manual and costly options. Regulations have started to join the bandwagon and are reviewing replacing pen testing with BAS in the near future. Any market growth will attract competition and we have to consider how BAS will eventually stand up to competitive pressures from adjacent security markets (EDR, XDR). What deters competition is the investment needed for a multi-discipline, platform approach with eventual network effect from ingesting multiple operational and threat data telemetries in real time and at scale (own the data, own the customer). BAS is also taking a unique approach to winning the information war, to know your enemy by becoming your enemy (attack simulations) and fighting fire with fire (AI-powered automation) which optimises value capture from technology, process and people. Interestingly, some of the Israeli BAS startups share that they are seeing near zero churn for the last 3 years. What may also not be common knowledge is the top 3 BAS startups already have more than half the market share today and not surprisingly, originated from Israel. We are likely to be looking at the first BAS unicorn from the startup nation in the not so distant future, so late majority and laggards ignore at your own peril!

Primary research through interviews with startup founders and investors. Secondary research through startups’ public domain information and analyst reports from CyberEdge, Frost and Sullivan, Gartner, IDC & Ponemon Institute. Startups covered: CyCognito, CYE, Cymulate, Guardicore, Pentera, Safebreach & XMCyber.