In a few short years, AI transformed from a marketing gimmick to a legitimately useful technology for enterprise IT. AI has been introduced into several enterprise-grade tools, including platforms that are purpose-built for IT security teams. One such security platform segment that's making tremendous use of AI is penetration testing. More specifically, the term breach and attack simulation, or BAS, is used when referring to AI pen testing products.
BAS technologies enable security administrators to run automated penetration attack simulations whenever and wherever they choose. This is opposed to the traditional pen test's snapshots in time that are performed a few times each year. The addition of AI to detect vulnerabilities can increase accuracy, while reducing the number of hours security administrators spend investigating and validating holes in their current security posture.
Let's review the benefits of AI pen testing and then explore how your IT security staff might use these types of tools in a production environment.
From pen test to BAS to AI-infused automated scanning
Historically speaking, companies typically hired an external security firm to perform pen tests internally and externally. The partner would provide the results of the tests to the customer. Based on this information, the in-house IT security staff would track down the most critical vulnerabilities and remediate the issue as best they could. However, to be certain the implemented fix worked, the business would require yet another pen test. This process of identifying, fixing and verifying security holes proved to be slow and extremely expensive.
These limitations spurred the development of BAS platforms in the market. These tools could be purchased and run by the in-house IT security team with the benefit of being able to run or rerun pen tests whenever the team saw fit. In many cases, security admins can continuously run tests as long as they are certain the risk of running the attack simulation will not cause an unforeseen impact to daily business activity on the network.
While automated BAS platforms were a step in the right direction, they placed a heavy burden on the in-house security team. Not only were teams responsible for maintaining the BAS platform so that it operated properly, but they still had to deal with tracking down and fixing all discovered vulnerabilities. This creates tremendous time sinks for security administrators if they must rely on manual processes. Fortunately, these are also areas where AI can help take on the management and analysis burden.
Benefits of AI-backed pen testing
One way AI can be used to reduce the amount of time spent researching a discovered vulnerability deals with identifying the entire attack vector.
When a pen test identifies a vulnerability, AI can help figure out the potential effects of the threat based on what the platform understands about the whole of the infrastructure. This added analysis can put threats into better context in terms of what services are at risk and to what extent. That means that prioritization of threats can be adjusted based on what the AI knows about the infrastructure, what other security tools are in place, and what apps, services and devices the business determines to be mission-critical.
AI can also be used to automatically generate and display vulnerability remediation steps. This eliminates much of the time spent by security administrators having to research the vulnerability to come up with remediation steps on their own. It also helps speed up time to resolution for many known vulnerabilities as the administrators can quickly learn what steps must be taken and immediately begin implementing them.
How admins are using AI pen testing tools
While AI is great, security professionals are still essential to keep on staff. It's better to think of AI-capable pen test tools as a way to eliminate some of the repetitive processes administrators were previously required to perform. For example, admins are often tasked with digging into discovered and prioritized vulnerabilities and must make their own judgement on which threats would be considered important from a business risk perspective. Pen tests provide, among other things, a critical means for uncovering vulnerabilities. A well-tuned AI pen testing platform can provide tailored vulnerability threat rankings based on what it learns about the network and the business priorities configured into the system. Thus, admins will likely focus some time fine-tuning the AI system to provide the most accurate threat prioritization results.
Even with the added intelligence, security admins will have the final say in terms of figuring out what vulnerabilities should be remediated first and exactly how to accomplish that remediation.
While AI pen tests will rank threats and provide remediation steps, admins may have additional knowledge that the AI platform does not. Added intelligence is a great way to get a quick opinion on how to deal with identified vulnerabilities, but security administrators have the last word regarding what steps are actually taken.