There is perhaps no better example of how critical effective cyber security is than for a global company whose core business is storing and protecting its customers’ data and digital assets.
Headquartered in the eastern region of the U.S., the company relies on Google Cloud, Azure and AWS for its cloud-based business continuity and information storage and management offerings. The combination of rigid data privacy regulations with a steady increase in ransomware and malware attacks against businesses across multiple industries pressured leadership to demonstrate the value and effectiveness of their security stack—including people, processes and technology—to their stakeholders.
Starting With a Breach and Attack Simulation (BAS) Tool
The CIO turned to a leading BAS provider, expecting to receive evidence that security controls were working as they should, or find gaps in protection with guidance on remediation. Soon after deploying the BAS solution, the CIO realized that his team would not get the results necessary to prove their security controls were effective.
A few challenges emerged quickly with the BAS deployment. First, given the siloed nature of the organization’s infrastructure to separate and secure each customer’s assets, implementing the BAS system required installing more than 100 actors (i.e., agents used to simulate victim systems) across its environment—an enormous footprint that meant many hours of configuration and a performance drain on production systems. Additionally, the system could not detect the entire attack kill chain and could only see activity post-exploit—a standard limitation of most BAS solutions. If there had been a truly malicious attack, detecting its presence after the attacker penetrated the company’s systems could cause untold damage and harm to the company and its reputation.
In addition, the BAS tool deployed was not able to integrate sufficiently with the cyber security platforms and systems the team needed to test, requiring a relatively high level of sophistication among security team members to write code and build out their content library. The BAS tool left them feeling as much in the dark as they were before they started.
Beyond BAS With Mandiant Security Validation
After several months of not being able to realize the expected return on investment (ROI) with their BAS investment, the CIO turned to Mandiant Security Validation. Initial easily identifiable strengths became apparent to the company’s security team and CIO:
- Mandiant Security Validation required no coding, configuration or separate server.
- Mandiant Security Validation was seamlessly deployed out of the box, integrated through native APIs with cloud, email, network and endpoint solutions without affecting the performance of any existing production systems in operation.
- Mandiant deployed only ten actors and was able to cover the entire attack lifecycle, including malware detonation, lateral movement and reconnaissance activities.
The team quickly recognized that Mandiant could deliver comprehensive testing of their entire security stack with greater flexibility and a much smaller footprint. Immediately after deployment, an area of weakness within the security stack was detected, revealing that the company’s firewalls were not appropriately configured within each cloud environment and were therefore allowing malware to penetrate systems. In the case of a real attack, this could cause significant damage that would have remained undetected until it was too late.
As is the case with every customer we serve, Mandiant’s goal was to help the client maximize the return on their security investments through our controls-focused approach to automated, continuous testing of people, processes and technology. Seven days after deploying Mandiant Security Validation, the company CIO declared that we had delivered twice the value they had received after one year of using their old BAS.
Following the project completion, a Mandiant sales engineer was embedded into the organization’s internal team and became a trusted advisor. The company also chose to deploy Mandiant’s Threat Actor Assurance Module linked to their existing threat intelligence platform to incorporate threat intel feeds into the validation process.
The Mandiant Difference
One of the most significant advantages of Mandiant Security Validation when measured against BAS is our ability to safely execute real malware in a protected theater without impacting an organization’s environment. As many BAS users discover, the live attack binaries enacted by the Mandiant Security Validation Platform are highly effective at demonstrating where controls are working and where vulnerabilities exist. The weakened attacks executed by simulation tools are more likely to be missed because they are not real and therefore not recognized as a genuine threat. Consequently, they do not effectively depict whether or not the controls in place are effective.
With Mandiant Security Validation’s continuous validation and emulation of real attacks, companies get a reality check on whether their security vendors deliver on their promises, and receive much needed evidence that demonstrates when they are not. Through accurate remediation and reporting of quantifiable results, our users instill confidence among business leaders that their risk profile does not exceed the level acceptable to key stakeholders while protecting the organization’s brand reputation and financial posture.