Make a virtual model of your IT environment, existing or not, for attack simulation purpose
securiCAD will analyze your IT environment’s security situation by running simulations emulating an attacker’s expected behavior. These simulations will not be run on your actual equipment, but instead on a model of it.
Since simulations are run on a model, and not the actual environment, you can create a model that entirely match your environment or you might as well create a model that is depicting a variation of it or a completely different one.
No need to model your entire environment
When creating the model, you don’t need to include everything in your environment. It even isn’t recommended when starting an analysis. The reason is that securiCAD is using a probabilistic approach when running simulations. In other words; simulations consider both the model being simulated and aspects that are not specifically detailed in the model.
For instance, when the virtual attacker is reaching a server in the model, the simulations consider the possibility that there are additional services, i.e. open ports, running on the server, that we didn’t bother include or even didn’t know of when creating the model.
Of course, if you know and detail every service running on a certain server, this feature can be disabled for that particular server. Similar considerations are taken into account for other parts of the model as well, like firewall rules, patches and so on.
In the architecture map above, we see some areas where both low and high level of detail have been used.
The “NZ: Test”, “NZ: Prod” and so on are examples of areas where it is possible to know all details or gather much information about the architecture.
On the contrary, the boxes “NZ: System Provider” and “From Information Highway” are areas where we don’t or can’t know much about what is in there. (The “NZ: System Provider” box represents a third party company which has several other customers as well and the “Information Highway” box, in this example, represents a mutual communication channel between power distribution companies.)
However, we can still analyze their impact on our IT environment.
Additional details are preferably added when needed
The level of detail doesn’t have to be equal throughout the entire model. Instead, it is recommended to increase the level of detail by adding more information to the model in areas where we see a particular interest in how the attacker would emerge.
Such areas might for instance be close to particularly important services, systems or data assets, close to the attacker’s entry point or if we want to take a closer look at how the attacker would go from one network zone to another.
Alter your model to see the security impact of different IT environment changes
Since simulations are run on a model, with variable and optional level of detail, the model might represent your existing IT environment or a variation of it.
This gives the opportunity to analyze not only the current situation but also what the security status would be after altering security properties or the entire structure.
You can analyze what impact future changes will have. Such changes might be adding new security equipment, increasing or decreasing patch level, opening or closing communication paths, interconnecting systems and zones or splitting them.
Most changes will have different impact depending on where in your architecture they are located.
Third party data sources can be interfaced to extend the model
In some cases, you might want to include all available information about a certain area in the model. This might be the case in a production or DMZ zone, where the concentration of important assets is higher than for instance in an office zone.
Therefore, securiCAD is capable of importing data from third party sources such as network scanners, vulnerability scanners, asset management systems and so on. If a certain interface is not available, you can create your own tailor made one by using a simple programming library.
Updated over 1 year ago