Continuous test execution is not enough to detect environmental drift. A complete analysis of test results compared to a known-good baseline is needed. Customers need to know more than if a threat is still being blocked or not. They need a full analysis of what it takes for defenses to be successful:
Visibility > Prevention > Detection > Event Flow > Alerting
Automated and continuous analysis of this Effectiveness Validation Process (EVP) compared to the known-good baseline across a customer's business zones is exactly what AEDA does. Think of AEDA as a "team of engineers in a box," constantly analyzing the environment for drift and proactively bringing it to your attention before it is too late.
One challenge defenders face is that IT typically owns and controls endpoint images. This results in defenders not being able to easily answer questions like, "Is our endpoint security tool configured to block ransomware 123?" Verodin SIP's Protected Theater module enables defenders to quickly test their IT images with real malware to determine what threats their endpoint controls will and will not block. Protected Theater is not required for testing endpoint controls, but it offers the ability to safely perform potentially dangerous and destructive tests on customers' endpoint defenses.
Verodin SIP's Email Theater enables the validation and tuning of email security tools, such as Proofpoint, Symantec, Mimecast and Ironport. It leverages a dedicated email account to send threats, like malware and spearphising links, into the enterprise and send sensitive information, like PII and PCI data, out of the enterprise. Email Theater supports Office 365, Microsoft Exchange and other standard email platforms.
Verodin SIP's Cloud Theater module is a Verodin-hosted, external Actor. It provides quick and easy access to an external Actor that can be used for ingress and egress tests like malware download, C2 traffic and data exfiltration. There is no requirement to use Cloud Theater -- some organizations choose to host their own external Actors, while others use a mix of Cloud Theater and their own hosted Actors.
Is the Protected Theater module required to test endpoint controls?
No. Verodin SIP’s Actor software can be installed on any production host to test endpoint controls without needing the Protected Theater module. Any Endpoint Actor can test “non-destructive” behaviors, which include things like privilege escalation from mimikatz, data exfiltration and much of the content derived from the MITRE ATT&CK framework. Only potentially destructive use cases require Protected Theater.
What is the use case for the Protected Theater module?
SOCs have a basic challenge of being ultimately responsible for defense, but needing to rely on the broader IT team for many tasks. This challenge often impacts the SOC’s visibility into how endpoint defenses are ultimately configured. As executives ask questions like, “Will we block ransomware 123 or attack XYZ?”, analysts are not always sure how the endpoint defenses are configured and if they are even up-to-date.
The Protected Theater enables SOCs to quickly test their endpoint defensive gold images against REAL malware to determine if the defenses are configured to detect and block the threat at the endpoint. Protected Theater enables analysts to quickly answer questions about what will and what will not be blocked on endpoints.
What is the difference between AEDA and Continuous Validation?
The primary difference is that “continuous” simply implies that an action can be run over and over again – whether this is manually or on a schedule. There is nothing intelligent about “continuous”.
What customers want is to understand if the environment has changed and broken their defenses. Customers want to continuously compare to a known-good baseline and intelligently understand if something has changed in controls visibility, prevention configuration, detection events generated, event flow and configuration and, ultimately, if an alert will fire at the event’s final destination.
Verodin SIP’s Advanced Environment Drift Analysis (AEDA) module is like a "team of engineers in a box", continuously comparing your control environment against your known-good baseline and alerting if any aspect of the Effectiveness Validation Process breaks down. AEDA is critical in combating environmental drift.
Can Email Theater test Office 365?
Yes. Any email system supporting POP3 or IMAP for receiving and SMTP for sending can leverage Verodin SIP’s Email Theater module. SSL and/or TLS are both supported for sending or receiving.