CyPerf is an interesting approach to load-based security testing. Partly it’s a response to the way applications are written today. They’re a lot more distributed, which means the network traffic is also a lot more distributed. Pointing a network load tester at a single part of the network is still useful, but it doesn’t give you as clear a test.
Environments are also a lot more dynamic. Elastic scaling in public cloud creates a far more complex set of testing scenarios. It simply adds a lot more variables that can change, and figuring out how to test it is tricky. CyPerf can handle quite complex testing scenarios that mirror the way applications have become more complex as they move from on-site to cloud.
Keysight has a rich testing history courtesy of Ixia, which it acquired in 2017. I used Ixia devices way back in the late 1990s for network load testing at the telco I worked for. They were expensive, but really excellent, and I had a particular fondness for the Ixia packet generator.
But the part that I found most interesting during Keysight’s #TFD25 presentation was how CyPerf can add security testing to your load testing. This is less about penetration testing (such as using tools like Metasploit or Cobalt Strike) and more about how your systems’ security changes when under load.
Can your network cope if it’s being hit with a bunch of malware? It might cope fine with denial-of-service attacks, which are a well-studied problem that has pretty good mitigations now. But how would it handle an attack acting as a kind of decoy, overloading the system so that it falls back to a less secure mode in order to preserve a low-latency user experience? Could malware then sneak through the lowered defenses?
Or perhaps a security flaw only becomes exposed when a system dynamically reacts to increased load. Perhaps a firewall is misconfigured, but you don’t notice under normal conditions because traffic flows in a different way. But during increased load, the system scales up and starts routing traffic through the misconfigured device, and all of a sudden your data is at risk. Wouldn’t it be better to detect this yourself before an attacker figures it out and exploits it?
These are fairly sophisticated scenarios, and you don’t really need to worry about them if you haven’t addressed the basics, like network segmentation, access restrictions, patching, and so on. A sophisticated alarm system doesn’t help you if the disable code is written on the keypad.
Most organisations need to spend more time on those basics first, and don’t need these fancier features of CyPerf. But there are customers that do, and CyPerf would still be useful for testing how well you’re doing the basics. Essential hygiene doesn’t stop once you’ve done it once; it has to be maintained. Something like CyPerf could help you ensure you’re not forgetting to wash your hands while you’re distracted by the complex, gee-whiz features.
I can also see CyPerf helping to provide assurance that things are secure not just when everything is neat and tidy and performing under normal circumstances. The real world is complex and messy, and we need tools that can help us cope with that complexity. We want to be able to rely on our systems when our human capacity to deal with lots of things happening at once is stretched to the limit, and tools like CyPerf might well help us to do that.