Threat Detection And Response

Interview: How Breach & Attack Simulation Can Help Organizations Assess Their Cyber Risk

Yotam Ben Ezra, Chief Product Officer at SafeBreach, discusses how organizations can assess their cyber risk, the benefits of attack simulation and adversary emulation, and the most common shortcomings in an organization’s cybersecurity posture.

Expert Insights Interview With Yotam Ben Ezra Of SafeBreach

Yotam Ben Ezra is the Chief Product Officer at SafeBreach. Ben Ezra has been in the cyber space for over ten years, holding research, development and leadership positions at Check Point Software and Radware before joining SafeBreach in 2018. In his current role, Ben Ezra leads SafeBreach’s team of innovation experts as they research, define and build new technologies and products, reaching into different markets.

At RSAC 2022, we spoke to Ben Ezra to discuss how organizations can assess their cyber risk, the benefits of attack simulation and adversary emulation, and the most common shortcomings in an organization’s cybersecurity posture.

Could you give us an introduction to SafeBreach, your typical customers, and the main challenges that they are facing?

SafeBreach is the pioneer in Breach and Attack Simulation, and has been around for over eight years—it was founded in 2014, and we’ve raised over $106 million USD in funding so far. The problem we solve for organizations is around the fact that about 95% of successful breaches are a result of an attack for which an organization already has the tools to stop. 

So, this means somebody made a mistake, things are moving too fast, or that organizations are just not using their tools as they would like to. The simple solution that we provide for that is to bring the attack into an organization with an automated, safe, continuous approach—before the attackers do it. 

This helps organizations to understand where they are, understand their security posture in terms of risk, and then find the gaps and understand what they need to prioritize to remediate.

How does the SafeBreach platform help organizations identify vulnerabilities within their security infrastructure?

It starts with attacking the environment, and that’s very simple. We don’t use machine learning or AI or anything like that, we simply use real attack methods to safely attack an organization’s production environment. 

The systems we attack are configured with full security controls and the entire ecosystem of security.  We run the threats across the entire kill chain, from the infiltration of the organization, to utilizing or exploiting vulnerabilities on the host level, and then moving laterally and exfiltrating data and so on. 

Once that’s done, we also integrate into your security ecosystem in order to contextualize that data for you. Once we have run the attack, we integrate with your security tools automatically—whether it’s the actual controls protecting the environment, or the SIEM platform where the operation happens.

One of the important things to understand is that, it’s not only interesting to see whether the attack was successful or not, but also to understand what type of visibility the organization has. Was there a detection? Was it detected correctly? Is the information in your organization flowing in the right direction, and will someone in the SOC respond to that? 

That entire picture is a picture we paint. 

Why is it so important for businesses to simulate attacks and test their incident response processes like this?

The world we live in is pretty confusing. Think about the pace at which change is happening in the environment. People are moving about from one place to another, they’re working from home, then they are working in offices. The level of noise out there is really, really high. So, having a data-driven approach to strategizing around the next step in your security program is something that is really important to organizations. That’s one aspect of it. 

The other is making sure that your defenses are effective against the next imminent threat. Every time there is an outbreak of a new very high-profile vulnerability, or a new threat alert in the market, an executive wants to know, “What is our security posture?” Many organizations will pick up the phone and call their vendors to try and figure out what’s happening and understand if they have protection.  

SafeBreach customers are essentially able to click a button and get a full view of how effective they are with regards to the important threat at that moment and understand whether they are protected. And they aren’t protected, they can find out what they need to do in order to get there. 

Are there any common issues or shortcomings that SafeBreach detects when working with organizations in this way?

In principle, our platform is very wide, and it spans across the various security controls out there. There are a few things which we find that are very critical for organizations right now. 

The main one is the cloud. Everyone is at some point making some sort of transition to the cloud. We hear a lot about how, by this year or that year, 95% of our services will be in this or that cloud. The ability to facilitate that transition is really important. 

Security teams are often in a position where they don’t know a lot about what’s happening in the cloud. It’s different to what they used to manage. And the business, on the other hand, is pushing to move to the cloud. So, the visibility into what actually works, what’s actually exploitable, and what represents an opportunity to the attacker, doesn’t only help them to strategize, but also enables them to say yes where many times they would have said no.

At what stage in their security journey are most of the organizations coming to you? Do they typically have a more established security architecture, are they trying to align security and compliance to ensure they aren’t just ticking boxes?

Yes, our typical customers are Fortune 1000, larger enterprises. They would have a security team and an elaborate security operation. This would include loads and loads of technologies which they are trying to make sense of. 

Understanding the pitfalls or the choke points within that ecosystem by having a really simple approach of actually running the attacks is something that really resonates. 

Once you have run these attacks and worked out where the shortcomings are, how can the organization take that information and improve?

We provide various tools on two levels. The first one is to visually understand where you are, whether it’s across your business units, or your security controls, or however you want to approach your security program. One example of this is that we produce an automated MITRE heat map, which—if you’re working with the MITRE framework—will give you your risk in that form. 

But we don’t stop there. We understand that, once you run a program like ours successfully, you end up attacking the organization with hundreds, or thousands, or maybe millions of attacks per month. And we don’t want organizations to have to shift through those results line by line to understand what’s happening. 

So, we developed an analytics layer, which analyzes the results automatically and aggregates them into what we call “Insights.” These Insights are things that you can do in order to remediate the gaps that we find, and they are categorized by security controls. 

You could have Insights for your network protection, or Insights for your endpoint protection, and so on. They’re also prioritized by the attack surface they present. So, if a certain Insight pertains to a large number of simulations of attack, they will be prioritized higher. 

Finally, what steps can organizations take to get a better idea of their cyber risk and build a more effective cybersecurity strategy?

The most important step is to understand your business and to understand what types of incidents or events are impactful to your business. And that can then be mapped into the actual threat scenarios that you can then run and validate across.  What this means for an organization is that it generates alignment between the higher business levels and the operational levels. It creates a consistency across the different parts of an organization that the operational level is pushing in the directions which actually enable and facilitate business. That’s the best advice I can give.


Thank you to Yotam Ben Ezra for taking part in this interview. You can find out more SafeBreach’s attack simulation solutions via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.