Continuous Enterprise War Gaming

Back in 2013, I thought it would be fun to celebrate the thirty-year anniversary of the movie War Games by asking Matthew Broderick to come speak to a bunch of security geeks at a small conference. While things didn’t exactly work out budget-wise with his agent (ahem), I still maintain that that darn movie brought more people into our field than any other popular culture contribution – perhaps ever.

For many of you, the idea of running a real war game in your enterprise would seem about as likely as having Matthew Broderick come host your next Friday lunch-and-learn. But I’m here to report that you have some new options – and this is good news, because war gaming an enterprise network is supremely valuable, especially if you find weaknesses. And my experience is that you most certainly will.

I’ve been corresponding for the past six months with a new pen pal, Simon Naldoza, who serves as a Vice President at SafeBreach, a cyber security company situated in Silicon Valley and Tel Aviv. Over the course of several notes and conversations, Simon has introduced me to a new form of continuous enterprise war gaming, one that looks like a winner in terms of detecting problems unlikely to be uncovered otherwise.

Here’s the idea: SafeBreach has created a platform that simulates an adversary sitting smack dab in your infrastructure (and yes, I already made the joke to Simon that this bad situation probably doesn’t need to be simulated). Nevertheless, the SafeBreach software manages the mechanized hacking inside your network, with emphasis on the familiar Big Three methods: endpoint infection, lateral traversal, and data exfiltration.

Backed by a team of security researchers, the SafeBreach approach is to exercise advanced breach methods right there in your network, with the hope of beating real hackers to the punch. “Our goal is to create and manage an entire distributed system of simulated hacking agents,” Simon explained. “We create scenarios that do a good job of uncovering exploitable vulnerabilities in the enterprise.”

The deployment of this solution looks straightforward: Simulators are dropped into designated segments of the local endpoint, network, or cloud environment. A SafeBreach management server is then set up to control the war gaming, which involves unique use of simulator pairs to attack and defend a given breach. The result is continuous simulation based on a hacker playbook. Results are integrated via connectors to your SIEM or related console.

Now I’ll be honest: At first, I expressed minor concerns with some of the marketing collateral I’d seen from the company. I shared my worry with Simon that a subset of the videos seemed to imply that the simulated hacking would prove the absence of problems, rather than confirm their existence. But after some deeper inspection of the platform and discussion with Simon, I’ve concluded that this proactive control creates great value for the defense. I like it.

Even if the idea of simulated hacking in your enterprise has never crossed your mind, and even if you have a supremely modest budget (perhaps you work in an SMB), I’d still recommend that you contact the SafeBreach team and listen to their story. While they might not be able to bring Matthew Broderick to your next team meeting, my guess is that they’ll have some good advice for you on improving your overall posture.

Let us know how you make out.