Seeing Through Security Snake Oil by Brian Contos - Security Boulevard

Seeing Through Security Snake Oil by Brian Contos

There are great security products and security products that suck. There are thousands of security products today and unfortunately, some are snake oil – built atop inflated claims, false promises, and lies. That’s why understanding the efficacy of your security products has never been more important.

So you don’t waste time, money and resources and more importantly you don’t put your organization at risk by depending on a security product that you “assumed” would work, it’s critical to understand the efficacy of that solution before you buy it, implement it, integrate it, and most importantly – depend on it.

You need to know if your existing security products and products you’re evaluating do what you need – in your environment, leveraged by your team, and integrated with your processes. This is where security instrumentation solutions like Verodin help.


Verodin safely instruments security on your enterprise network, dynamically assessing the cumulative effectiveness of your entire security portfolio. With Verodin, you can observe and adjust real responses to real attack traffic without ever putting production systems in danger.

Verodin lets organizations see how security controls will respond to attacks in advance, so defenses continually improve and measurably mature over time. Verodin quickly finds weak spots, eliminates costly uncertainties and builds stronger, smarter and more valuable security teams. Verodin dramatically improves the return on your security investments and gives you the empirical data you need to make better decisions down the road.

Network Actors

When you are evaluating new or existing network security products with Verodin the process is quick and simple. You deploy Verodin Network Actors (HW, SW, VM, Cloud) in your various network zones such as your DMZ, critical server network, user network, partner network and cloud.

Verodin Network Actors execute attack behaviors against other Verodin Network Actors. By doing this you are able to see if your security products are blocking, detecting and alerting the way you need them to. If they aren’t, the Verodin results can help you tune them. It can also tell you if you have security products or are evaluating security products that are more snake oil than value.

Endpoint Actors

Verodin also has Endpoint Actors. Endpoint Actors work the same way as Network Actors, but as the name says, they are used for testing your endpoint security products.

Endpoint Actors can execute destructive and non-destructive attacks. In the case of destructive attacks, you’ll deploy the Endpoint Actors on lab systems to verify gold images for example.

Executing attacks with Endpoint Actors yields information similar to Network Actors by addressing questions like: are my endpoint security products blocking, detecting and alerting the way I need.


With Verodin you can execute any number of endpoint and network attacks to evaluate your security products. Verodin ships with a substantial attack library that is frequently updated and you have to ability to add your own attacks from pcaps repositories (check out this process in Verodin, it’s really pretty awesome), threat intelligence services or even write your own.

Remember that attacks are only between Verodin Actors regardless of their form factor (HW, SW, VM or cloud), this allows you to run real attacks, safely and on your production network, while quickly and easily getting evidence-based results about the effectiveness of the security products you’re evaluating.

Consider this simple network architecture in the image below. Let’s say you have Verodin Actors on three different network segments – desktop zone, Internet zone, and server zone.

Each segment is separated from the others through a dedicated interface on the firewall. Each segment is also being monitored by the IPS. Both the IPS and firewall send logs and alerts to the SIEM.

With Verodin Actors you can evaluate your security products by running multiple attack sequences that measure how your firewall and IPS respond during attacks. These attacks are coordinated through the Verodin management console – also called the Verodin Director which can reside locally or in the cloud.

The Verodin Director also communicates with the SIEM, typically through an API, to glean relevant Verodin Actor attack details such as – did the SIEM receive the logs and alerts, were those logs and alerts correctly parsed and did those logs trigger an alert from the SIEM to notify the security team.

Consider this common, four-step attack sequence that can be run in an ad hoc, scheduled or continuous monitoring approach.

  1. The desktop zone accesses the Internet zone to download a malware dropper
  2. The desktop zone beacons out to the Internet zone, fetches, and installs remote control malware
  3. Malicious traffic moves laterally from the desktop zone to the server zone
  4. Finally, there is data exfiltration from the server zone to the Internet zone

Through this process, Verodin can see what the firewall and IPS allowed and blocked. Verodin controls the state of the attack because Verodin is the attacker and target. Verodin has integration with the SIEM. Because Verodin knows the source and destination IPs, ports, protocols and time, Verodin can determine if the attack made it into the SIEM and further determine if the SIEM created metadata such as rules firing or notable events.

Empirical evidence

Did these security products block any portion of the attack sequence? If the security products didn’t block the attack, did they detect it? If they detected it, did they generate an alert that the SIEM received? And if the SIEM received the alert, did the SIEM create metadata and alert your security team?

Best of all, you now know if your products rock, if they are just okay, if they need tuning, or if they’re snake oil.

Learn more at

*** This is a Security Bloggers Network syndicated blog from Verodin Blog authored by Verodin Blog. Read the original post at: