One of the fundamental challenges facing any organization is how to gain a solid handle on its cyber exposures. Cyber exposure refers to the vulnerabilities and risks associated with an organization’s network, systems, and data. Knowing its cyber exposure helps an organization better understand its security posture relative to cybercrime, data breaches, and other threats. In short, it informs the organization of what threats it faces and where the biggest risks lie.
Organizations understand that implementing a set of security controls (firewalls, identity and access management, anti-virus, etc.) is necessary but insufficient for understanding risk and exposure. The controls must also be tested in the most comprehensive and realistic way possible. This is the concept of taking an “attacker’s-eye view” of the infrastructure – giving the organization an understanding of how and where it is prone to being successfully attacked. Every programmer knows they cannot be sure their code works until it is thoroughly tested. In the same way, IT security personnel know they cannot be sure their security controls are working without fully testing them.
The Limits of Manual and Automated Penetration Testing
This is an area where the cyber security industry has failed to deliver a comprehensive solution. The first iteration was penetration testing, which is still widely used and often a requirement for security audits. Penetration testing is typically targeted at specific IT services and controls, so it does not provide a comprehensive (or holistic) view of cyber exposure. Pen tests are also expensive to carry out and intrusive, so they can only be done infrequently.
The next iteration was breach and attack simulation (BAS). BAS tools aim at automating manual pen testing. To a large extent they can do this, but they still leave major gaps in determining cyber exposure. Like manual pen tests, they focus on specific security controls and don’t deliver a holistic picture of cyber exposure. They can show the weaknesses in one silo (e.g. firewalls) but don’t deliver a true view of how attackers can move from one silo to the next. They also work most realistically when aimed at production environments rather than lab environments, but this can cause outages or slowdowns. As a result, tests are limited in when and where they can be done – and some tests should not run on production systems because of the potential for disruption.
A Holistic Approach to Testing Security Controls
What is needed is a comprehensive means of testing security controls across the entire IT estate in a way that is realistic, holistic and non-invasive. That is what Orchestra Group has been building. The key requirement is a way to comprehensively test an entire IT estate without impact on production services. Lab environments are not the answer because they do not fully replicate production environments. To solve this, Orchestra Group has developed the Digital Cyber Twin. The Digital Cyber Twin is a proprietary approach from Orchestra Group that uses advanced network discovery to build a virtual replica of an enterprise network. The Digital Cyber Twin includes the hosts, network gear, applications, software versions, patch levels, configuration information and security controls. The Orchestra Purple platform uses the Digital Cyber Twin to conduct comprehensive, simulated attacks (Attack Path Scenarios) across the entire infrastructure. This provides a holistic view of the cyber exposures and risks across the entire IT estate. Most importantly, it identifies the most efficient and cost-effective measures needed to mitigate the risks and reduce overall cyber exposure.
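To make the modelling idea concrete, here is an added toy example (not Orchestra Group's code; the hosts, allowed flows and vulnerability flags are constructed): a twin reduced to a graph of hosts and permitted network flows, an enumeration of attack paths over that model, and a ranking of which single patch or firewall change removes the most paths, all computed offline without touching any real system.

```python
# Added illustration, not Orchestra Group code. The network below is constructed.
from copy import deepcopy

# Toy twin: host -> whether it runs an exploitable service, and which hosts the
# firewall policy lets it reach. Only vulnerable hosts can be stepped onto.
TWIN = {
    "internet": {"vulnerable": False, "reach": {"web01", "vpn01"}},
    "web01":    {"vulnerable": True,  "reach": {"app01"}},
    "vpn01":    {"vulnerable": True,  "reach": {"app01", "jump01"}},
    "app01":    {"vulnerable": True,  "reach": {"db01"}},
    "jump01":   {"vulnerable": False, "reach": {"db01"}},   # hardened, blocks that route
    "db01":     {"vulnerable": True,  "reach": set()},
}

def attack_paths(twin, src, dst):
    """Enumerate simple paths src->dst in the model that only traverse vulnerable hosts."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        for nxt in sorted(twin[node]["reach"]):
            if nxt in path or not twin[nxt]["vulnerable"]:
                continue                      # no cycles, no stepping onto patched hosts
            if nxt == dst:
                paths.append(path + [nxt])
            else:
                stack.append((nxt, path + [nxt]))
    return paths

def candidate_mitigations(twin, src):
    """Single changes a defender could make: patch one host or block one allowed flow."""
    for host, info in twin.items():
        if host != src and info["vulnerable"]:
            yield ("patch", host)
        for nxt in sorted(info["reach"]):
            yield ("block", f"{host}->{nxt}")

def apply_mitigation(twin, action):
    """Return a copy of the model with the mitigation applied."""
    kind, target = action
    t = deepcopy(twin)
    if kind == "patch":
        t[target]["vulnerable"] = False
    else:
        a, b = target.split("->")
        t[a]["reach"].discard(b)
    return t

def rank_mitigations(twin, src, dst):
    """Score each candidate by how many attack paths it eliminates, best first."""
    baseline = len(attack_paths(twin, src, dst))
    scored = [(act, baseline - len(attack_paths(apply_mitigation(twin, act), src, dst)))
              for act in candidate_mitigations(twin, src)]
    return sorted(scored, key=lambda s: (-s[1], s[0]))
```

Running `rank_mitigations(TWIN, "internet", "db01")` shows that blocking `app01->db01` or patching `app01` removes both modelled paths, while patching `web01` or `vpn01` alone removes only one, which is the kind of prioritisation the text describes.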
The Digital Cyber Twin is a key component of our risk and resilience platform, but there is much more to it than that. Check out the blog from our CTO, Jacob Ukelson, for more information on how we are leveraging AI and attack path simulation to build the industry’s first comprehensive risk and resilience platform.