The increase in attack surfaces coupled with the rise in sophistication of cybercriminals is creating technical debt for security operations centers (SOCs), many of which are understaffed and unable to devote time to effectively managing the growing number of security tools in their environment.
Yet regardless of these challenges, SOC teams are tasked with continuously evolving and adapting to defend against new, sophisticated threats.
There are several major players in the breach and attack simulation (BAS) market that promise continuous, automated security control checks. Many can replicate specific attacker behavior and integrate with your telemetry stack to verify that the behavior has been observed, alerted on, and blocked.
But as the BAS market continues to evolve, there is also an opportunity to address its shortcomings. In the new year, we expect to see several incremental improvements to BAS solutions, along these four themes.
Simplified product application to reduce costs
Many fully automated security control verification solutions include hidden costs. First, they require up-front configuration for their on-premises deployment, which may also require customization to ensure everything works correctly with integrations. In addition, BAS solutions need to be proactively maintained, and for enterprise environments this often requires dedicated staff.
As a result, we will see BAS vendors work harder to streamline the deployment of their products to help reduce overhead costs for their customers through methods such as providing more SaaS-based offerings.
Increased customizations and integrations
Many BAS tools are designed to perform automated security control checks. Most have an extensive library of automation modules that can simulate specific threats and malicious behaviors on endpoints, networks, or cloud platforms. BAS providers tend to compete in the market in this way.
However, many vendors do not offer the ability to create or customize modules in a meaningful way. For example, some do not provide the user with a way to chain attack procedures together, which can be essential when trying to simulate an emerging threat that uses common tactics, techniques, and procedures (TTPs).
In addition, most attack modules do not provide much insight into what they are doing, making it difficult for the SOC analyst or red team using the platform to understand exactly what is being triggered, what artifacts are expected, and how detections should be built. Most platforms also seem to lack robust modules for simulating flexible command and control, email stacks, and attack procedures on cloud-native platforms.
To support automated security control checks, most BAS providers include integrations with endpoint detection and response, antivirus, network devices, vulnerability management tools, ticketing systems, and SIEM (security information and event management) providers.
Having been exposed to a large number of SOC teams and their telemetry stacks over the last decade, I can safely say that every environment is unique. For this reason, integrations have become a significant way to compete in the BAS software market. However, in many cases they still require quite a bit of customization.
Going forward, we will see an increase in adaptive innovation that will help streamline these processes and integrations.
Reduced validation inconsistencies and improved reporting features
One challenge is verifying that each attack module run by the BAS platform was delivered, executed, and successfully completed its task. It is even more difficult to determine whether an action was blocked (and by what), whether an alert was generated, and whether that alert triggered the creation of an appropriate response ticket. We’ve seen some incremental improvements from vendors over the past year, but there’s still work to be done.
Many BAS solutions on the market do not offer meaningful data insights that allow companies to track their detection coverage over time or identify trends that may affect security control investments. In fact, very few solutions support exporting raw results in a format like JSON or XML that other business processes can consume. In the short term, most of them integrate with ticketing apps like ServiceNow and Jira, but this usually comes at an additional cost. This is another area that is changing based on customer demand for better optimization and cost efficiency.
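The validation and reporting gaps described above (was the module delivered and executed, was it blocked, did it alert, did a ticket follow, and can the raw results be exported) are illustrated here with an added reconciliation example; this is not code from any BAS vendor, and the module names, hosts, alert rules and ticket ids are constructed sample data.

```python
import json

# Constructed sample data (hypothetical module names and hosts): what a BAS
# platform, a SIEM and a ticketing system each report about one simulation run.
BAS_RESULTS = [
    {"module": "ps-encoded-cmd", "host": "ws-01", "executed": True, "blocked": False},
    {"module": "lsass-read", "host": "ws-01", "executed": True, "blocked": True},
    {"module": "sched-task-persist", "host": "ws-02", "executed": True, "blocked": False},
    {"module": "http-beacon", "host": "ws-02", "executed": False, "blocked": False},
]
SIEM_ALERTS = [
    {"rule": "Credential dumping attempt", "module": "lsass-read", "host": "ws-01"},
    {"rule": "Scheduled task created", "module": "sched-task-persist", "host": "ws-02"},
]
TICKETS = [{"module": "lsass-read", "host": "ws-01", "id": "INC-0001"}]

def classify(executed, blocked, alerted, ticketed):
    """Collapse the four checks into one reportable status."""
    if not executed:
        return "not-executed"      # delivery failure: inconclusive, never counted as a pass
    if blocked and alerted and ticketed:
        return "full-coverage"
    if blocked or alerted:
        return "partial-coverage"  # e.g. blocked but silent, or alerted but never ticketed
    return "gap"                   # ran to completion with no control or detection firing

def reconcile(bas, alerts, tickets):
    """Join the three sources on (module, host) and classify each module run."""
    alerted = {(a["module"], a["host"]) for a in alerts}
    ticketed = {(t["module"], t["host"]) for t in tickets}
    outcomes = []
    for r in bas:
        key = (r["module"], r["host"])
        o = dict(r, alerted=key in alerted, ticketed=key in ticketed)
        o["status"] = classify(o["executed"], o["blocked"], o["alerted"], o["ticketed"])
        outcomes.append(o)
    return outcomes

def coverage_report(outcomes):
    """Raw per-module results plus a summary, as JSON other processes can consume."""
    ran = [o for o in outcomes if o["executed"]]   # percentages exclude delivery failures
    n = max(len(ran), 1)
    summary = {
        "modules": len(outcomes), "executed": len(ran),
        "alerted_pct": round(100 * sum(o["alerted"] for o in ran) / n, 1),
        "blocked_pct": round(100 * sum(o["blocked"] for o in ran) / n, 1),
        "gaps": [o["module"] for o in ran if o["status"] == "gap"],
    }
    return json.dumps({"summary": summary, "results": outcomes}, indent=2)
```

Storing each run's report lets a team diff coverage percentages and the gap list between runs, which is the trend view the text says most platforms do not yet provide.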
Practical professional guidance and services
BAS remains a relatively new market. Organizations value one-on-one interaction with offensive security experts when deploying solutions, especially for first-time BAS users. Most solutions on the market today do not offer this.
Attack modules that include detailed educational material can be valuable for motivated security teams, but there is no substitute for human ingenuity. Many customers today prefer to be walked through each module with an expert who knows the material, trains staff on how to use the BAS, shows how the modules work under the hood, and can answer questions and provide insight into the telemetry of the environment that the SOC team may not already have. We expect to see many more companies pairing human services with BAS products in the future, as organizations simply get more value from the experience.
As the need for BAS solutions becomes even stronger, providers must also address these pain points for their customers to remain competitive. Providers need to strike a balance between improving their products and expanding their service capabilities. As a result, we will see the BAS market continue to move forward into 2023 and beyond.