Pentesting has attracted a workforce filled with intensely creative and highly curious technical minds. Ironically, however, we see vulnerability management programs advance and accelerate when creativity is paired with a framework that drives quality and consistency. Is this an indication that our industry has matured to the point that the level of innovation is diminishing? Far from it. In fact, the best cybersecurity programs and providers incorporate and embrace both innovation and consistency.
Innovation Remains Mission Critical
First, it’s important to understand that there are a couple ways to define innovation. The first, of course, is through the lens of creativity and disruption. Attackers don’t have any boundaries when it comes to figuring out how to exploit a program or system; neither should cybersecurity teams. Finding new ways to break things is a critical part of the job.
A second way to define innovation is more pragmatic. While companies need to address large volumes of vulnerabilities and develop strategies to remediate them, most security teams are faced with doing more with less due to budget restrictions, lack of resources, and other constraints. The only way to accomplish this is to adopt some level of automation. Moreover, automation is critical for handling mundane or repetitive processes to free up time for humans – pentesters, developers, and others – to exercise their creative minds. As in any industry, automation enables people to perform at their highest potential, and when used correctly, it becomes a force multiplier.
Consistency Plays a Vital Role, Too
As partners to large corporations and other organizations that have extensive testing programs, we must have consistency in our testing approach. When we find a new vulnerability within one client’s environment, our consistent, systematic process enables us to add that one vulnerability to a checklist for each and every test we do in the future, regardless of the individual tester. This process frees up time for our team of pentesters to be more innovative in finding ways to exploit a program or system, while also ensuring as much coverage as possible.
Another way to approach consistency is through more regular testing for vulnerabilities instead of performing a pentest on your network as an annual compliance tool that results in static PDF reports with out-of-date vulnerability information. As a best practice, vulnerability management measures should employ continuous monitoring, with real-time reporting that enables companies to remediate vulnerabilities as quickly as possible. This new paradigm, known as Penetration Testing as a Service (PTaaS), employs both automated scanning and manual tests that dive deeply into applications and networks.
Striking a Balance Between Innovation and Consistency
How our industry maintains the balance between innovation and consistency should start with our people. While it may seem easier to screen for skills versus personality, the goal is to look for people who can not only think like an attacker, but also excel within a framework that supports individual agility and leads to a consistent, high-quality outcome. A tip? Search for individuals who have an interest in information sharing and bettering the larger security community; those who develop new tools (or improve existing tools) and participate in continuous learning in their free time typically have the capability to be extremely innovative. With a well-rounded workforce and mindset, organizations can gain an edge on their competition, disproving the notion that who you get determines the quality of the services delivered.
To be successful in the world of vulnerability management and pentesting, it’s critical that providers offer a balance between creative disruption and methodical, systematic structure. Together, both right-brained and left-brained talent and solutions result in the very best tests that help organizations stay ahead of ever-changing attack surfaces.
On Mar. 9, 2020, NetSPI President and COO Aaron Shilts was featured in Banking Dive.
The next level of self-hack is conducted at a more enterprise level, called red team testing.
There are a few variations of the approach. In one, red-team testers adopt the tactics of a specific, known threat actor and try to achieve a specific objective against a chosen target.
Red teaming is typically done by banks that are at a higher level of security maturity overall, said Wong.
The value of penetration testing over simply using scanning software is that you’re adding humans to the mix, said Aaron Shilts, president and COO of vulnerability assessment firm NetSPI.
“If we were bad guys, you know, what would we use to get in?” Shilts told ABA. “How could we get in? What do their defenses really look like? With limited information, it’s kind of a good way to simulate how accessible the crown jewels are from the outside.”
Read the full article here.
We just returned from RSA Conference, and like every year, it did not disappoint in meeting its charter: “to be a driving force behind the world’s cybersecurity agenda… the place that provides a forum for innovation and partnership… as cybersecurity has become more relevant across all aspects of our daily lives.”
While there was much talk about automation, artificial intelligence and of course, technology, Rohit Ghai, president of RSA, emphasized in his keynote address a point that we, at NetSPI, support day in and day out — valuing the critical importance of people in this complicated and ever-evolving world of vulnerability management.
From the stage, Ghai asked the audience whether humans in cybersecurity will still matter once technology advances. He argued that, yes, the human element will always matter, and that what differentiates humans from machines is our ability to tell a story. “We, as cybersecurity professionals, need to change the story of cybersecurity and turn the narrative toward ‘cyber-resilience,’” Ghai said. Bob Keaveney, managing editor of BizTech, concurs. He wrote, “Human activity will continue to be the indispensable difference between successful and foiled hacks.”
Considering the importance of the human touch in cybersecurity, we observed these three prevalent themes during RSA:
Takeaway 1: CISO Leadership Must Be in the Boardroom
We are confident that no organization wants to impede its infosec programs, yet as we pointed out in this blog post, many problems can be traced back to miscommunication and misunderstanding of a technical topic by people who do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your infosec program is critical — starting in the boardroom.
As the individual most responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, the Chief Information Security Officer (CISO) serves as the bridge between the highly technical language inherent in infosec, vulnerability, and data security management programs and the other C-suite executives and board members who are more financially, operationally, or innovation focused.
Speaking of the human touch in cybersecurity, read this short case study about how Equifax faces a new day in cybersecurity by emphasizing cultural change as a solution.
Takeaway 2: Intelligence Sharing and Cyber Defense Go Hand in Hand
Infosec experts are creative thinkers. They are constantly coming up with new ways to “break things” in a dogged determination to stay ahead of the vulnerabilities their company may face from hackers and manage the remediation of potential (or actual) breaches.
At NetSPI, this new thinking manifests in our commitment to developing open-source tools that strengthen the infosec community. We publish our open source projects and write a blog specific to best practices and information sharing.
Fortunately, we aren’t alone in our belief in the importance of supporting the entire infosec community. In fact, BankInfoSecurity named threat intelligence and sharing a top theme of the show. Further, when analyzing the abstracts from would-be speakers at RSA, event organizers noted an increase in technical submissions. “We saw an increase in submissions that documented the inherent weaknesses and challenges of machines, with some deeply technical and wonderfully detailed submissions digging into the specifics and providing guidance and best practice considerations,” said Britta Glade, the RSA Conference’s director of content and curation.
Takeaway 3: Automation as a Tool, Not the Be All and End All
Automation has a clear role in helping organizations with pentesting for enterprise security management. In fact, as this BizTech article states, closing the cybersecurity skills gap is a perennial problem that automation may help solve. Our concern? Automation alone only exacerbates the plethora of information that CISOs are inundated with daily without, as RSA noted, “the human element – the experts who can turn those stacks of static reports into real-time accessible reporting as vulnerabilities are found.”
And we aren’t alone in this thinking. In its RSA coverage, CRN.com associate editor Michael Novinson advocates for a more pragmatic approach to handling risk than traditional vulnerability management, one that would place both automation and remediation front and center. Unisys CTO Vishal Gupta concurs: “Being presented with a list of hundreds of thousands of problems doesn’t do a CISO much good given the amount of digital assets and software in an organization. Continuously telling businesses what’s wrong is more of a risk identification strategy than a risk mitigation strategy and doesn’t provide them with any better handle on the problem.”
Organizations with a mature security program understand that moving from a point-in-time vulnerability management program to a continuous model delivers results around the clock, enabling infosec professionals to manage vulnerabilities more easily and efficiently. In fact, the concept of continuous monitoring should be baked into the development process from the start. In its RSA coverage, TechBeacon notes that in the DevSecOps model, infrastructure as code allows continuous code and security scanning to cover infrastructure configurations as well, which keeps the security team from blocking development with time-consuming tests.
In an interview with NCC Group’s Research Director Clint Gibler, TechBeacon writes that infrastructure as code is essential. “For developers, a key advance is the increasing use of infrastructure as code and continuous deployment. When networking and server configuration are part of the application configuration, the settings can be checked for weaknesses in the same way as other application components,” said Gibler. “You can run security checks on your infrastructure code before it is even deployed. And it makes it easy to avoid any drift over time, and get back to a pristine state.”
Continuous Pentesting Coupled with “the Human Element”
In the spirit of these three RSA takeaways, NetSPI introduced its new Penetration Testing as a Service (PTaaS) offering, powered by the Resolve platform, at the conference. PTaaS puts our customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, and orchestrate quicker remediation, with the added ability to perform always-on continuous testing. We believe the key to its success is the integration of our team of expert, deep-dive manual pentesters, who use enhanced automation to uncover an organization’s vulnerabilities. While automation creates efficiencies, the human touch is also necessary to identify the high and critical severity threats that can only be discovered by manual testing.
Want to read more about the future of cybersecurity? Read RSA’s 2020 trend report here.
On Mar. 2, 2020, NetSPI President and COO Aaron Shilts was featured in ABA Banking Journal.
Aaron Shilts, president and COO of NetSPI, a vulnerability assessment firm based in Minneapolis that works with large financial firms, says the value of penetration testing over scanning software is “that you’re adding humans to the mix. With red teaming you act as an outside adversary.” In designing a test for a client, Shilts asks some basic questions.
“If we were bad guys, you know, what would we use to get in?” he asks. “How could we get in? What do their defenses really look like? With limited information, it’s kind of a good way to simulate how accessible the crown jewels are from the outside.” Red team projects with NetSPI typically would last about a month, Shilts says.
Read the full article here.