How Security Validation and Breach and Attack Simulation (BAS) Solutions Differ

Breach and attack simulation (BAS) solutions are widely used to test
how security controls respond to specific exploits. They generate a
binary pass/fail output that you can use to begin diagnosing how your
controls are performing. And, while many BAS vendors label these
solutions ‘security validation,’ the reality is that they are not.
Why? Because the methodology for companies in the BAS category is to
blast the environment with simulated, not real, attacks to generate
binary pass/fail ratings. This approach does answer the important
question, “Is my environment susceptible?” The challenge is that,
once you know that, you’re going to want to know “How did it get
inside? How did my controls behave? Where and what can I do to fix
it?” Breach and attack simulation (BAS) products can’t tell you that
because they don’t focus on how your security controls behaved or
what to do about them.

By contrast, security validation goes
beyond a simple pass/fail rating by providing you with detailed
information about how your controls behaved during the attack across
the entire attack lifecycle, what happened, and what you need to do to
fix it. And it doesn’t stop there. Only security validation allows
you to continuously measure whether your security posture is regressing or
improving over time and, again, what to do about it. Validation is a
continuous, necessary practice that every security team should adopt.

Security validation allows you to leverage threat intelligence
to assess the effectiveness of controls against specific types of
attacks. In short, security validation is intelligence-led,
autonomous, and automated, something no BAS solution can offer today.