4 key shifts in the breach and attack simulation (BAS) market

The increase in the number of attack surfaces along with the rise in cybercriminal sophistication is generating technical debt for security operations centers (SOCs), many of which are understaffed and unable to dedicate time to effectively manage the growing number of security tools in their environment.

Yet, regardless of these challenges, SOC teams are tasked to continuously evolve and adapt to defend against emerging, sophisticated threats.

There are several major players in the BAS market that promise continuous automated security control validation. Many can replicate specific attacker behavior and integrate with your telemetry stack to verify that the behavior was observed, generated an alert, and was blocked.

But as the BAS market continues to evolve, there’s also an opportunity to address shortcomings. In the new year, we expect to see several incremental improvements to BAS solutions, with these four themes leading the charge.

More streamlined product deployment to reduce costs

Many fully automated security control validation solutions include hidden costs. First, they require up-front configuration for their on-site deployments, which may also require customizations to ensure everything works properly with the integrations. Additionally, BAS solutions need to be proactively maintained, and for enterprise environments this often requires dedicated staff.

As a result, we’ll see BAS vendors work harder to streamline their product deployments to help reduce the overhead cost for their customers through methods such as providing more SaaS-based offerings.

Increased customization and integrations

Many BAS tools are designed to conduct automated security control validation. Most have an extensive library of automation modules that can simulate specific threats and malicious behaviors on endpoints, networks, or cloud platforms. BAS vendors tend to compete in the market this way.

However, many vendors don’t offer the ability to create or customize modules in a meaningful way. For example, some don’t provide the user with a way to chain attack procedures together, which can be essential when trying to simulate an emerging threat that uses common tactics, techniques, and procedures (TTPs).

Additionally, most attack modules don’t provide much insight into what they’re doing, making it harder for the SOC analyst or red teamer using the platform to understand exactly what is being run, what artifacts are expected, and how they should build detections. Most platforms also appear to be missing robust modules to simulate flexible command and control, email stack, and native cloud platform attack procedures.

To support automated security control validation, most BAS providers incorporate integrations with endpoint detection and response, antivirus, network devices, vulnerability management tools, ticketing systems, and SIEM (security information and event management) vendors.

Having been exposed to quite a few SOC teams and their telemetry stacks over the last decade, I can confidently say that each environment is unique. For that reason, integrations have become a meaningful way to compete in the BAS software market. However, in many cases, they still require a fair bit of customization.

Moving forward, we’ll see an increase in customizable innovations that will help streamline these processes and integrations.

Decreased validation inconsistencies, and improved reporting features

It is a challenge to verify that every attack module run by a BAS platform was delivered, executed, and completed its task successfully. However, it’s even harder to accurately determine if the action was blocked (and by what), determine if an alert was generated, and verify the alert triggered the creation of a proper response ticket. We’ve seen some incremental improvements with vendors over the last year, but some still have a way to go.

Many BAS solutions in the market don’t offer meaningful data insights that enable companies to track their detection coverage historically over time or identify trends that can influence security control investments. In fact, very few solutions support the export of raw results in a format like JSON or XML that other business processes can consume. For the short term, most of them integrate with ticketing applications like ServiceNow and Jira, but that usually comes with additional costs. This is another area destined to change based on customer demand for better optimization and cost efficiency.

Hands-on expert guidance and services

BAS remains a relatively new market. Organizations value one-on-one interaction with offensive security experts when using solutions, especially for those using BAS for the first time. Most solutions in the market don’t offer this today.

Attack modules that include detailed educational material can be valuable to motivated security teams, but there is no substitute for human ingenuity. Many customers today prefer to be walked through each module with an expert who knows the material, train the personnel how to use BAS, show how the modules work under the hood, and can answer questions and provide insights into the environment’s telemetry that the SOC team may not already have. We expect to see a lot more companies pairing human services with BAS products in the future, because organizations simply get more value from the experience.

As the need for BAS solutions becomes even stronger, providers must also address these pain points for customers to stay competitive. Providers need to strike a balance between improving products and expanding their service capabilities. As a result, we’ll see the BAS market continue to shift into 2023 and beyond.