Aaron Shilts

Aaron is a proven cyber security leader focused on creating strong teams that deliver an exceptional client experience. In his 20+ years of industry leadership, Aaron has a track record of building innovative and high-performing organizations. Before NetSPI, Aaron was EVP of Worldwide Services at Optiv where he led one of the industry’s largest mergers. He is also co-founder of “Change Starts With Me,” a Minneapolis non-profit, and advises several global firms. Aaron earned his B.S. from St. Cloud State University and proudly served in the Army National Guard.
More by Aaron Shilts

Posted 2023-01-10

Today, we’re happy to announce that NetSPI has acquired nVisium to continue building upon our suite of offensive security testing solutions. We sat down with NetSPI CEO Aaron Shilts and nVisium CEO and Founder Jack Mannino to learn what this means for their mutual clients and the greater cybersecurity community.

Why nVisium/NetSPI?

Aaron Shilts: The nVisium team brings an impressive track record in cloud and application pentesting, and we’re incredibly excited to welcome them to NetSPI. Coming together, we will unlock great potential in meeting the increasing demand for quality pentesting solutions and reinforce our commitment to growth and innovation. It took months of research, discussions, and interactions to come to this decision, but one thing is for sure, we were always convinced the nVisium team will be the perfect complement to our DNA and culture we’ve built at NetSPI.

Jack Mannino: We’ve competed with NetSPI in the past, and I’ve always respected what Aaron and his team have built. Agreeing to an acquisition is not a small decision, but as soon as we started talking with the NetSPI team, it was clear that both organizations were extremely aligned from a culture, delivery, and people perspective. They care deeply about their people and maintaining a culture of collaboration, plus, we have the same high standards for security testing as they do. With this acquisition, nVisium employees and clients will be presented with a wide array of new opportunities. I’m eager to see what we can accomplish together.

How will this acquisition impact mutual clients and the greater security community?

Aaron: This news follows our recent announcement of KKR’s investment in NetSPI’s future and its promise to continue to bring positive impact to the security community. By joining forces with nVisium, we can move faster, offer clients access to an incredibly talented team of offensive security professionals, and double down on our promise for innovative, platform driven, and human delivered offensive security solutions.

Jack: By joining forces with NetSPI, nVisium has a massive opportunity to expand the breadth and depth of solutions we deliver, improve the client experience, and introduce new growth opportunities to our employees. We have built strong enterprise relationships and we are eager to support them in new ways and, at the same time, build on our capabilities within cloud and application security testing.

Notably, NetSPI’s penetration testing as a service (PTaaS) delivery model has made an incredible impact on its clients, enabling them to test continuously, digest results in a dynamic way, improve vulnerability management efforts, and increase manual testing and triaging. nVisium and NetSPI together will amplify the PTaaS model and allow us to increase our capacity to help more organizations.

What’s next for the combined companies?

Aaron: This acquisition is proof that we are committed to staying true to our mission, disrupting the penetration testing industry by attracting and retaining top talent, and setting the highest standards in the penetration testing market. Over the next few months, we will be focused on integrating the nVisium team to help deliver high-caliber pentesting solutions to more enterprises, globally.

Over the next year, you will see an emphasis on NetSPI’s R&D, particularly with our cloud, IoT, and blockchain solutions. We’ve recently formed an official NetSPI Labs team, who will lead the development and expansion of new offensive security solutions and tools.

Jack: The industry can expect continued growth, innovation, and quality pentesting from NetSPI and nVisium – with no signs of slowing. The power of our combined teams will certainly be a force to be reckoned with.

Post title: NetSPI Acquires nVisium – Q&A with the CEOs

Posted 2022-10-17

On October 17, NetSPI CEO Aaron Shilts was featured in the eSecurity Planet article called NetSPI Lands $410 Million in Funding – And Other Notable Cybersecurity Deals. Read the preview below or view it online.

+++

NetSPI, a top penetration testing and vulnerability management company, recently announced a $410 million funding round, a huge amount in a year in which $100+ million rounds have become a rarity. The investor was KKR, one of the world’s largest alternative asset firms.

KKR previously invested $90 million in NetSPI in May 2021, so NetSPI has demonstrated considerable traction since then.

That the funding round occurred in a difficult environment makes it all the more impressive. According to data from Crunchbase, the total amount of investments in cybersecurity startups came to $2.6 billion in the third quarter. This was the lowest since the same period in 2020.

The number of deals for this year’s Q3 was only 124. This is a level not seen since 2014.

Filling the Cybersecurity Talent Gap

Of course, the drop-off has been widespread across the tech sector. With a bear market, high inflation, rising interest rates, and concerns of a recession, investors are certainly getting more conservative – and generally focusing on top-notch deals.

As for NetSPI, it fits into this sweet spot. Founded over 20 years ago, the company’s vision is “technology powered, human delivered.” This involves sophisticated penetration testing for some of the world’s largest financial institutions, cloud operators, and healthcare organizations.

For the past five years, revenues have spiked by 5X. Organic growth was 50% in 2021 and 61% thus far in 2022.

“We combine human ingenuity from our 400 global offensive security professionals with our innovative technology platforms – a unique combination that ensures quality, consistency, transparency, accountability, and efficiency across all NetSPI assessments,” said Aaron Shilts, CEO, NetSPI.

A key focus is on hiring top talent in ethical hacking and adversary simulation and leveraging NetSPI’s three technology platforms, which include Resolve, ASM, and AttackSim.

“Additionally, the scarcity of talent is still one of the biggest issues in the cybersecurity industry,” said Shilts. “Investors are aware of this and have become acutely focused on acquiring organizations with a concentration on hiring the best talent globally and who offer programs to fill the talent gap.”

NetSPI plans to use the capital for investing in R&D, hiring, and global expansion. Part of the money will also be to recapitalize the equity investment of an early investor, Sunstone Partners.

You can read the full article at eSecurity Planet!

Post title: eSecurity Planet: NetSPI Lands $410 Million in Funding – And Other Notable Cybersecurity Deals

Posted 2022-10-05

On October 5, NetSPI CEO Aaron Shilts and VP of Business Development and Strategic Alliances Lauren Gimmillaro were featured in CRN's article called KKR Invests Another $410M In Fast-Growing Security Firm NetSPI. Read the preview below or view it online.

+ + +

Private equity powerhouse KKR obviously likes what it’s seen since it first invested in cybersecurity firm NetSPI last year.

The New York-based KKR, which led a $90 million funding round for NetSPI in 2021, is now investing an additional $410 million in the penetration testing and attack surface management firm, NetSPI said on Wednesday.

The massive growth investment will be used to support NetSPI’s product development, talent hirings, possible company acquisitions and aggressive expansion of the firm’s channel program, said NetSPI chief executive Aaron Shilts.

Much of the money will also be used to effectively buy out previous majority owner Sunstone Partners, Shilts told CRN.

As for the channel, Shilts said less than 10 percent of the private company’s current revenues come from the channel. But NetSPI, which recently hired a new channel chief and launched a new partner program in August, is determined to boost its sales via various players within the channel, he said.

“It was the right time for us to double down on channel investment,” said Shilts, whose company was founded in 2001 but only received its first outside investment in 2017, led by Sunstone Partners.

Shilts said the firm decided to wait a bit after its first equity investment five years ago before moving from mostly direct sales to channel sales.

“We wanted to ensure that we had the maturity and the growth,” he said. “I think the worst thing that we could do is not have that [initial sales] mastery in place. It was just a matter of maturing over several years before we were ready.”

You can read the full article at CRN!

Post title: CRN: KKR Invests Another $410M In Fast-Growing Security Firm NetSPI

Posted 2022-10-05

On October 5, NetSPI CEO Aaron Shilts was featured in the VentureBeat article called Need for secure cloud environments continues to grow, as NetSPI raises $410M. Read the preview below or view it online.

+ + +

In an era of cloud computing and off-site third-party services, traditional network-based security approaches simply aren’t effective. With research showing that large organizations maintain an average of 600 software-as-a-service (SaaS) applications, the modern attack surface is too vast to manage without a purpose-built attack surface management solution.

Attack surface management solutions provide a tool to automatically discover public-facing assets located outside the perimeter network, and identify vulnerabilities in shadow IT assets and misconfigured systems that hackers can exploit.  

As the need to secure cloud environments increases, these solutions are beginning to pick up more interest, with penetration testing and attack surface management vendor NetSPI today announcing that it has received $410 million in growth funding from global investment firm KKR.

The new funding demonstrates that vulnerability management is giving way to the broader, automated and decentralized approach of mitigating exploits across the entire attack surface.

NetSPI’s answer to cloud vulnerability sprawl 

The writing on the wall is that enterprises need an approach to managing vulnerabilities that can scale to address exploits across the entire attack surface. For NetSPI, that comes down to offensive security. 

“As we look forward to this next chapter, NetSPI will continue to challenge the status quo in offensive security,” said Aaron Shilts, CEO of NetSPI. “With KKR’s support, we are well positioned to amplify our success building the best teams, developing new technologies, and delivering excellence, so that the world’s most prominent organizations can innovate with confidence.”

In effect, NetSPI provides enterprises with a solution to scan for assets in real-time, 24/7/365, using Open Source Intelligence (OSINT) and other methods. 

You can read the full article at VentureBeat!

Post title: VentureBeat: Need for secure cloud environments continues to grow, as NetSPI raises $410M

Posted 2022-10-05

On October 5, NetSPI CEO Aaron Shilts was featured in the Bloomberg article called KKR Backs Cybersecurity Firm NetSPI With $410 Million Funding. Read the preview below or view it online.

+ + +

KKR & Co. has agreed to provide cybersecurity firm NetSPI Inc. with an additional $410 million in growth equity, according to a statement reviewed by Bloomberg.

The deal, slated to close by the end of the fourth quarter, is KKR’s second investment in the company, bringing the private equity firm’s total commitment to $500 million. KKR led a $90 million investment last year.

As part of the deal, existing investor Sunstone Partners will exit its position, according to NetSPI Chief Executive Officer Aaron Shilts.

“We’re now just focused on this next phase of growth that’s gonna require investment, focus and we’ve got some exciting plans for the next three-four years,” Shilts said in an interview. “We have really enjoyed the last 18 months of our relationship with KKR. I think we’ve had some really good, just strategic discussions on how to approach the market.”

Founded in 2001, NetSPI is a provider of penetration-testing and attack-management services for clients including Microsoft Corp. and the US Air Force, according to its website. That means its products simulate cyber attacks, which helps businesses and organizations prepare for real threats. 

Shilts said NetSPI is approaching $100 million in revenue this year following good growth since a “breakout” 2020. The company has operations in the US, Canada, UK and India.

Cybersecurity remains a coveted sector for KKR’s technology-growth team. It’s a market that the private equity firm has been tracking “well before” investing in NetSPI, according to KKR Director Ben Pederson.

“If you step back in terms of what we’re looking for broadly in this time of uncertainty, it’s companies that are going to make it through the next five plus years regardless of what’s happening in the short term here on the macro side,” Pederson said.

You can read the article at Bloomberg!

Post title: Bloomberg: KKR Backs Cybersecurity Firm NetSPI With $410 Million Funding

Posted 2022-10-05

On October 5, NetSPI CEO Aaron Shilts was featured in the Crunchbase article called KKR Invests $410M In Cyber Firm NetSPI. Read the preview below or view it online.

+ + +

Although venture funding in cybersecurity has taken a slight dip this year—as it has in most sectors—that does not mean large growth rounds do not exist.

Minneapolis-based cybersecurity company NetSPI locked up a $410 million growth investment from private equity giant KKR. The company provides enterprise penetration testing and attack surface management by simulating cyber attacks for large enterprises and helping businesses defend against them.

KKR initially invested $90 million into NetSPI in May 2021. This new round of funding will recapitalize Sunstone Partners’ stake in the company and allow the firm to exit.

“As we look forward to this next chapter, NetSPI will continue to challenge the status quo in offensive security,” said CEO Aaron Shilts in a release. “With KKR’s support, we are well positioned to amplify our success building the best teams, developing new technologies, and delivering excellence, so that the world’s most prominent organizations can innovate with confidence.”

Founded in 2001, NetSPI has now raised $500 million. It has grown its revenue fivefold and is seeing 61% revenue growth in 2022 to date, according to the company.

Cyber funding

Funding to VC-backed cybersecurity startups is not on pace to hit last year’s high of more than $23 billion, as it was at about $10.3 billion through the first six months of the year, according to Crunchbase data.

That is not surprising considering venture capital as a whole has seen a slowdown. However, it is worth noting cyber startups saw more funding in the first half of the year than in all of 2020, which saw $8.9 billion invested in the industry.

The NetSPI deal also shows KKR’s continued interest in cybersecurity. In May, the firm led a $200 million Series C for Hoboken, New Jersey-based Semperis, an enterprise identity protection provider.

You can read the article at Crunchbase!

Post title: Crunchbase: KKR Invests $410M In Cyber Firm NetSPI

Posted 2022-10-05

On October 5, NetSPI CEO Aaron Shilts was featured in the StarTribune article called Minneapolis cybersecurity firm NetSPI raises $410M to expand globally. Read the preview below or view it online.

+ + +

A New York investment firm is injecting $410 million in fresh capital into Minneapolis cybersecurity firm NetSPI to fuel the company's global expansion, a move that reinforces investor confidence in the company's rising profitability.

The investment from KKR is nearly five times the amount NetSPI raised last May, when it piled up $90 million in growth funding from investors, including KKR, the firm's first investment in the cyber company. It also is one of the largest this year in Minnesota.

NetSPI will use the money for hiring and further development of its technology, according to a release from KKR. In addition to personnel in Canada, NetSPI is expanding its footprint in Europe, the Middle East, Africa and India.

NetSPI, based in Minneapolis' North Loop with more than 400 security professionals on payroll, develops offensive security tools that other companies use to test their cyber defense systems against various threats to uncover gaps and reduce security breaches. The list of clients includes financial institutions, cloud providers and health care organizations.

"We're both grateful and proud of the industry disruption we drove during our partnership with Sunstone Partners," said Aaron Shilts, CEO at NetSPI. "With KKR's support, we are well-positioned to amplify our success."

The company secured its first outside investment in 2017 from Sunstone Partners, an investment firm based in San Mateo, Calif. NetSPI officials did not share the company's value following the recent funding round, which puts its total of outside growth capital at or above $500 million since its founding in 2001.

Following the company's $90 million raise in 2021, Shilts told the Star Tribune he anticipated the company would finish the year with about $50 million in 2021 sales. So far in 2022, the company has experienced a 61% increase in revenue, year over year.

The funding round by NetSPI is one of the largest by an investor-backed, Minnesota private company this year.

"We are excited to double down on our investment in NetSPI to help build a differentiated leader in offensive cybersecurity," Jake Heller, partner and head of KKR's technology growth team in the Americas, said in a statement. "We have been very impressed by the performance of the company and the exceptional execution by Aaron and his team over the past 18 months. We believe this is just the beginning of what we can accomplish together."

You can read the article at Star Tribune!

Post title: Star Tribune: Minneapolis cybersecurity firm NetSPI raises $410M to expand globally

Posted 2022-10-05

On October 5, NetSPI CEO Aaron Shilts was featured in the ISMG article called Pen Test Firm NetSPI Gets $410M Boost From KKR to Fuel M&A. Read the preview below or view it online.

+ + +

Rising offensive security star NetSPI has received a massive follow-up investment from KKR to pursue acquisitions and expand the offensive cybersecurity vendor's technological and geographic footprint.

The Minneapolis-based penetration testing and attack surface management vendor says the private equity giant's $410 million growth investment comes on the heels of 50% organic revenue growth in 2021 and 61% year-over-year sales growth thus far in 2022. The latest investment comes just 18 months after KKR led a $90 million growth round to expand the company's security and client experience teams (see: Hatem Naguib on Charting Barracuda's New Course Under KKR).

"We're really challenging the status quo in our segment of cybersecurity," NetSPI CEO Aaron Shilts tells Information Security Media Group. "Growth is paramount, especially given the market volatility."

Automation Takes Center Stage

NetSPI was founded in 2001 and employs 400 people, up roughly 50% from a year earlier, according to Shilts. A chunk of the $410 million will be used to recapitalize Sunstone Partners, which brought Shilts in as CEO in 2017, along with an investment. Sunstone Partners is now exiting its position in NetSPI, and with its latest investment, KKR is now the majority owner of NetSPI, he says.

You can read the full article at ISMG Network!

Title of the post above: ISMG Network: Pen Test Firm NetSPI Gets $410M Boost From KKR to Fuel M&A

Next post, published 2022-10-05:

Today I’m thrilled to announce that the global investment firm KKR is to invest $410 million in NetSPI. This growth investment marks one of the largest private equity deals in cybersecurity this year – a massive accomplishment for Team NetSPI.

https://youtu.be/nEkDsgmoy90

We didn’t become the leader in offensive security by checking boxes or sticking to the status quo. We got here by hiring the best talent in the business, innovating without limits, and creating a workplace culture of excellence. This is where our focus will remain as we double down on our investments to build strong teams, develop our technology stack, and expand our offensive security services globally.

In May 2021, KKR made a $90 million investment in NetSPI, with participation from Ten Eleven Ventures. Over the past 18 months, they’ve been a dedicated partner who believes deeply in this team. This growth investment is further proof that hard work pays off as we near the end of another record year of growth and celebrate our recent accomplishments, including the continued adoption of our PTaaS delivery model, our acquisition of Silent Break Security, the introduction of Attack Surface Management, our global expansion to EMEA, our NetSPI University training program, and more.

We are much more than a penetration testing company. We’re a group of incredibly talented ethical hackers, vulnerability researchers, project managers, and strategic partners who ultimately want to help our clients innovate with confidence. We’re a company that understands how to develop and leverage technologies to create efficiencies at a time when resources are limited, empowering people to focus on what matters most.

To ensure the security of today’s most prominent organizations and keep pace with the evolving attack surface, we must challenge the status quo in offensive security. With KKR’s support, we will continue doing just that. I, for one, am excited for this new chapter in NetSPI’s story of growth, disruption, innovation, and dedication.

Aaron Shilts, CEO at NetSPI

Title of the post above: What KKR’s Growth Investment Means to NetSPI

Next post, published 2022-05-24:

Technology cannot solve our greatest cybersecurity challenges. At least not on its own. 

Last month, NetSPI held its 2022 Employee Kickoff event in-person after a long two-year hiatus. Nearly 300 employees from across the globe came together in the North Loop neighborhood of Minneapolis, just steps from NetSPI headquarters.  

The day was buzzing with great energy from the get-go as we reunited with our friends and colleagues, met people in-person for the first time, and got to experience firsthand what an incredible workplace culture NetSPI has. 

Amidst the keynotes, build-your-own LEGO Scan Monster races, and live 90’s rock band, one thing became abundantly clear: the power that comes from bringing people together face-to-face to form relationships, share ideas, and collaborate is unmatched.

All too often in the high-growth cybersecurity industry, we view technology as the ‘silver bullet’ against today’s threat actors. But at the end of the day, it’s people who will solve the greatest challenges we face. 

Reflecting on the day, I wanted to share four takeaways that highlight the importance of the human impact in the tech industry.

The cyber arms race can only be won through the intersection of technology and talent 

We cannot rely solely on technology to win this cyber “arms race” we’re experiencing today. We often find ourselves myopically focused on technology to solve difficult problems. And while technology and automation are critical, our industry will not thrive on tech alone.  

The only way that the good guys will come out on top is through the intersection of technology and talent. 

Technology should enable humans to do their job in a more effective and efficient way, and we should remember to view it through this lens. For example, during the NetSPI Employee Kickoff Event, we revealed a couple of Resolve updates to our security consultants who use the vulnerability management and penetration testing platform. We updated notification settings to be more customizable and created a portal for all project kickoff documentation and tracking. These are fairly simple and administrative updates, but they nearly resulted in a standing ovation for our product and development teams. 

Again, technology enables humans to do what they do best. In this case, we found a way to limit notifications and streamline a mundane process to free up our pentesters’ time, enable them to do the work they enjoy, and ultimately find more business-critical vulnerabilities for our clients. 

As we’re all aware, recruiting and retaining a team with the right cyber talent is incredibly hard in a market where unemployment is 0%. But simply assembling a team with the right technical skills is far from enough. It is vital to tackle cybersecurity with empathy, curiosity, and creativity – all traits that only humans can possess. 

“Culture eats strategy for breakfast” 

Peter Drucker stated, “Culture eats strategy for breakfast.” And he was right. 

Culture and values define who you are. They drive innovation in technology, how teams collaborate, and the service clients receive and how they perceive you. 

NetSPI Chief Revenue Officer Alex Jones said it well in his keynote, “Values represent whatever is important to YOU.” Work is important... and so is everything else. Employees should get to spend time doing what they enjoy in and outside of the workplace. Once organizations recognize this, it becomes much easier to embrace a values-driven culture. 

A strong culture requires teams working authentically and in concert with each other, a task that became increasingly difficult during a global pandemic that sent most organizations, including NetSPI, to operate fully remote. 

I believe we have underestimated the power of in-person, human connection. Bringing 300 people together in-person certainly had its risks, but it was immediately evident how valuable the human connection was in driving collaboration and building relationships – and in turn improving the customer experience and the team's performance. 

Collaboration and diverse perspectives are key to solving the most difficult challenges 

In cybersecurity and at NetSPI, we solve client challenges every day, often for the largest organizations in the world. We succeed at solving the most difficult of these challenges when collaboration and diverse thoughts reign. 

One thing I noticed at the event was that sales didn’t cling to their sales peers, services didn’t cling to their services peers, leadership didn’t cling to their fellow leaders. Although it can be difficult, breaking down departmental silos within an organization can cultivate idea sharing and welcome new perspectives across the organization. This event helped us make big strides toward that goal. 

Allowing everyone to have a seat at the table and feel comfortable speaking up and sharing their ideas is something that we value greatly at NetSPI. After all, diverse thought fuels innovation. 

In-person events can help you uncover the Purpose that your team will rally around 

After the event, I challenged myself to think hard about what my employees really care about. What can I do as a leader to deliver on that purpose and adhere to my employees’ values? Am I creating a workplace environment that allows them to adhere to their values? 

These events tend to be a wakeup call around a greater mission. And a presentation from our philanthropic partner, the Masonic Children’s Hospital, did just that. 

The Director of Development at the Hospital, Nicholas Engbloom, shared a powerful story about Minnesota Gopher placeholder Casey O’Brien and his journey battling cancer. For those unfamiliar with Casey, I’d encourage everyone to listen to his story.  

It was clear how much the story and our partnership with the Masonic Children’s Hospital resonated with and empowered our employees. It showed me how powerful it is for our employees to rally around a greater sense of Purpose and give back to the community. I’m excited to ramp up our philanthropic activities with the hospital and other organizations this year. 

Investments that you make as an organization to bring your team members together have incredible Return on Investment (ROI) – and that’s just the ROI we can measure. To other cybersecurity business leaders considering an all-employee in-person event, I couldn’t recommend it more.  

People are the key to solving the world’s biggest cybersecurity challenges. And the organizations that are enabling employees through tech and creating a values-driven workplace culture will be the ones leading the charge. 

I’ll leave you with some incredible dance moves, courtesy of the NetSPI team. Check out this video recap for highlights from the NetSPI 2022 Employee Kickoff:

https://youtu.be/ChoDh29GMNo

Want to join us next year? NetSPI is hiring!

Title of the post above: Technology Cannot Solve Our Greatest Cybersecurity Challenges, People Can

Next post, published 2022-05-03:

On May 3, 2022, Aaron Shilts was featured in the Business Journals article 21 Twin Cities Executives Named Regional Finalists for EY's 2022 Entrepreneur of the Year Award. Preview the article below, or read the full article online.

+++

Twenty-one leaders of Twin Cities companies are finalists for Ernst & Young's 2022 Entrepreneur Of The Year award for its seven-state "Heartland" region.

The Minnesota executives dominated EY's recently unveiled list of 28 finalists from a region that also includes North Dakota, South Dakota, Iowa, Nebraska, Kansas and Missouri.

EY will name the winners in June, then pick national winners in the fall.

The Heartland region finalists, with titles gleaned from LinkedIn and company websites, are:

Nominees for the award are evaluated based on six criteria: entrepreneurial leadership; talent management; degree of difficulty; financial performance; societal impact and building a values-based company; and originality, innovation and future plans.

Other finalists from elsewhere in the region are Byron Whetstone of American Direct, based in Lenexa, Kansas; Greg Siwak of CareVet, based in Clayton, Missouri; Josiah Cox of Central States Water Resources, based in St. Louis; Jay Kim of DataLocker, based in Overland Park, Kansas; Todd Keske of Foam Supplies Inc., based in Earth City, Missouri; Brian Weaver of Torch.AI, based in Leawood, Kansas; and Austin Mac Nab of VizyPay, based in Waukee, Iowa.

Title of the post above: The Business Journals: 21 Twin Cities Executives Named Regional Finalists for EY's 2022 Entrepreneur of the Year Award

Next post, published 2022-04-24:

On April 24, 2022, Aaron Shilts was featured in the Authority Magazine article, Cyber Defense: Aaron Shilts of NetSPI On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack. Preview the article below, or read the full article online.

+++

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Aaron Shilts, CEO of NetSPI.

As President and CEO of NetSPI with 20+ years of industry leadership, Aaron Shilts is known for his honest, open, and energizing leadership and his undeniable focus on corporate culture, collaboration, and business growth. Under Aaron’s leadership, NetSPI has experienced 35% and 50% Organic Revenue Growth in 2020 and 2021 respectively. In addition to his work at NetSPI, Aaron is the co-founder of “Change Starts With Me,” a Minneapolis non-profit, and advises several global firms. Aaron earned his B.S. from St. Cloud State University and proudly served in the Army National Guard.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

In today’s evolving threat landscape where cybercriminals have become more sophisticated and motivated than ever before, cybersecurity is now everyone’s responsibility. In fact, the weakest link within any organization is typically its employees. Everyone working for, or with, the business should understand that security is everyone’s business — from the CEO down to the seasonal intern, and even the third-party contractor.

For this reason, organizations should implement frequent, hands-on security training, and regularly test the effectiveness of such training with simulated attacks to determine if more work needs to be done. After all, it only takes one accidental click on a malicious link to cripple an entire organization and its assets.

Read the full interview online.

Title of the post above: Authority Magazine: Cyber Defense: Aaron Shilts of NetSPI On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Next post, published 2022-04-14:

On April 14, 2022, NetSPI President and CEO, Aaron Shilts, was featured on the CyberWire Daily podcast. Listen to the interview (begins at 11:00) to hear Aaron's insights on:

  • Proactive public-private sector security collaboration
  • How legislation like the Strengthening American Cybersecurity Act of 2022 enables the overall industry to be better at reporting cyberattacks
  • The complexity of reporting cyberattacks while maintaining federal and state regulations
  • Recommendations on building intentional relationships between organizations in the private and public sectors

Title of the post above: NetSPI CEO Aaron Shilts Featured on the CyberWire Daily Podcast

Next post, published 2022-03-22:

Four Tips to Proactively Improve Your Security Posture

Is cyber warfare in your crisis management plan? If not, it’s time to revisit your incident response plans and get proactive with your security as tensions rise in Eastern Europe. 

Recently, several Ukrainian government and bank websites were offline as a result of a massive distributed denial-of-service (DDoS) attack. Shortly following these attacks, a new “wiper” malware targeting Ukrainian organizations was discovered on hundreds of machines to erase data from targeted systems.  

Experts believe both security incidents were carried out by Russian cybercriminals or nation-state hackers, creating a new digital warfare environment that affects organizations worldwide.  

Now, on the heels of the Biden administration issuing new sanctions against Russian banks, the U.S. government is advising public and private organizations to heighten cybersecurity vigilance related to ransomware attacks carried out by the newly identified wiper malware. In fact, New York recently issued an “ultra high alert” as the state faces increased risk of nation-state sponsored cyber attacks.  

As cybercrime escalates and tensions mount, business leaders can take the following four steps to bolster security measures and remain better protected against potential risk: 

1. Evaluate Your Current Security Posture

Before implementing any new initiatives or overhauling existing measures, it’s important to evaluate the organization’s current security posture. This means taking a closer look at its attack surface, customer environments, vendor relationships, and other partnerships to understand an organization’s true exposure to malicious actors.  

Businesses that have proactively developed an incident response playbook are best prepared to evaluate their position, and large organizations likely have policies that cover geopolitical unrest. However, with the threats still unclear, even late adopters can allocate resources to strengthen their security posture in weeks or even days. 

2. Refer to CISA’s Shields Up Initiative  

The Cybersecurity and Infrastructure Security Agency (CISA) recently launched Shields Up, a free resource that features new services, the latest threat research, recommendations for business leaders, as well as actions to protect critical assets.  

Whether an IT security professional, or a top C-suite leader, all roles within an organization should familiarize themselves with Shields Up and the actionable advice recommended by CISA.  

Such advice includes reducing the likelihood of a damaging cyber intrusion; taking steps to quickly detect a potential intrusion; ensuring that the organization is prepared to respond if an intrusion occurs; and maximizing the organization's resilience to a destructive cyber incident. 

3. Prioritize Proactive Offensive Security Measures

Proactive cybersecurity testing is oftentimes an afterthought for business leaders when evaluating breach preparedness. In reality, enterprise security testing tools and penetration testing services that boost an organization’s cybersecurity posture from the onset should be a top priority, now more than ever before.  

While many tend to focus on the physical disruption nation-state attacks can cause, popular cybercriminal tactics like distributed denial-of-service and ransomware can be mitigated through proactive offensive security activities like Penetration Testing as a Service (PTaaS), red team, breach and attack simulation, or attack surface management. 

4. Understand that Security is Everyone's Responsibility

The weakest link within any organization is its employees. Everyone working for, or with, the business should understand that security is everyone’s business – from the CEO to the seasonal intern, and even the third-party contractor.  

For this reason, organizations should implement frequent, hands-on security training, and regularly test the effectiveness of such training with simulated attacks to determine if more work needs to be done. After all, it only takes one accidental click on a malicious link to cripple an entire organization and its assets. 

During times of unrest, cybercrime skyrockets as individuals become distracted and increasingly vulnerable. It’s important to remain vigilant while the current attacks continue, even if an organization does not directly work with Ukraine or Russia.

Connect with Team NetSPI to learn more about our testing capabilities.
Title of the post above: Cyber Attacks on Ukraine Signal Need for Heightened Security

Next post, published 2022-02-22:

On February 22, 2022, Aaron Shilts was featured in a Twin Cities Business article titled, The Malware Pandemic. Preview the article below, or read the full article online here.

+ + +

In the information technology world, Log4j could become the equivalent of a particularly virulent Covid variant—and for businesses, a potentially bigger danger.

Log4j is an open-source, Java-based utility that logs error messages in software applications. In early December, a cybersecurity staffer with the Alibaba Cloud service in China discovered a vulnerability—a flaw—in Log4j that could open millions of businesses and other organizations to cyberattacks. A second flaw was found shortly afterward.

Compared to a data breach releasing sensitive information of millions of retail customers, the dangers of Log4j’s flaws are harder for non-IT people to understand. But as a cybersecurity threat, Log4j could become a disaster of pandemic proportions. That’s because innumerable organizations have the utility in their IT networks—and many don’t even know it’s there. Log4j could allow cybercrooks worldwide to steal data, encrypt servers, shut down factory floors, deceive companies into wiring them money, and demand thousands, even millions, of dollars in ransom.

Lurking in the shadows

Every software program inevitably and unavoidably has vulnerabilities. Over time, most bugs get fixed. But as in the case of Log4j, a tiny flaw in a widely used software component can explode throughout networks worldwide.

A flaw could be something that isn’t visible, notes Aaron Shilts, CEO of Minneapolis-based cybersecurity firm NetSPI, which specializes in network penetration testing and “attack surface management” for its business clients. More than 50 percent of NetSPI’s work involves testing applications—which Shilts terms “the lifeblood of any enterprise” —for vulnerabilities. 

Title of the post above: Twin Cities Business: The Malware Pandemic

Next post, published 2021-06-29:

On June 29, 2021, NetSPI President and CEO Aaron Shilts was featured in an article from Minne Inno and Minneapolis/St. Paul Business Journal:

 

Ransomware attacks have recently made headlines as everything from meat suppliers to schools and hospitals are falling prey to the unforgiving data breaches.

Minneapolis-based NetSPI, a network security firm, is now offering a ransomware attack simulation service to help companies protect themselves.

The service works by emulating real-world ransomware attacks to find and fix vulnerabilities in a company's cybersecurity defenses.

"The DNA and the way we deliver our work lends itself well to helping companies with ransomware," said NetSPI CEO Aaron Shilts. "… We act as a ransomware attacker, using the same attacks, same tools and show them where their weakness would be."

Shilts said the simulation not only illuminates where a breach can be made, but how the company's systems responded to the attack.

"That's a big part of it. If you can detect something soon, you can usually protect it before they take out the entire network," he said. "If you don't have the detection capabilities, it will spread very quickly."

With tens of millions of dollars funneling towards the attackers, many of whom are backed by foreign governments, it seems like a daunting task to stay on pace with the attackers.

However, out of NetSPI's 225 employees, 150 of them are cyber security experts that research and familiarize themselves with the latest attack patterns.

Shilts said the team is incredibly sharp and "lives and breathes" cybersecurity.

As far as who would benefit the most from the company's service, Shilts said any operating business is a target to the attacks. 

NetSPI's work gravitates more towards heavily regulated financial services that store personally identifiable data. But less regulated industries such as K-12, state and local government are high targets because they're easier to pick off.

 

To learn more, read the full article here: https://www.bizjournals.com/twincities/inno/stories/news/2021/06/29/netspi-ransom-ware-attack-simulation.html

Title of the post above: Minne Inno & MSP Business Journal: NetSPI adds ransomware attack simulation to its penetration testing portfolio

Next post, published 2021-05-17:

On May 17, 2021, NetSPI President and CEO Aaron Shilts was featured in a Forbes article.

So it is perhaps not a coincidence that, just five days after the Colonial attack, KKR led a $90 million growth investment in a cybersecurity company called NetSPI. “The reality is that cyber security attacks today are inevitable and put organizations at grave risk,” the company’s CEO, Aaron Shilts, said in a statement. “At NetSPI, we strive to stay one step ahead of hackers, breaches and bad actors.”

In the years to come, NetSPI will have plenty of chances to prove its worth—and hopefully help prevent other instances of infrastructure-crippling bitcoin blackmail.

Now, onto the rest of the things you need to know from the past week in private equity, M&A and beyond…

Read the full article here: https://www.forbes.com/sites/kevindowd/2021/05/17/how-private-equity-factors-in-to-the-colonial-pipeline-hack/?sh=2725b64f5262

Title of the post above: Forbes: How Private Equity Factors In To The Colonial Pipeline Hack

Next post, published 2021-05-13:

On May 13, 2021, NetSPI President and CEO Aaron Shilts was featured in the Minneapolis/St. Paul Business Journal.

Cybersecurity company NetSPI has raised $90 million in growth funding, it announced Wednesday.

The round was led by New York City-based investment firm KKR. Cybersecurity-focused venture capital firm Ten Eleven Ventures also participated.

Read the full article here: https://www.bizjournals.com/twincities/news/2021/05/13/netspi-raises-90-million-cbersecurity.html

[post_title] => Minneapolis/St. Paul Business Journal: Cybersecurity company NetSPI raises $90 million from KKR, Ten Eleven [post_excerpt] => On May 13, 2021, NetSPI President and CEO Aaron Shilts was featured in the Minneapolis/St. Paul Business Journal. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => minneapolis-st-paul-business-journal-netspi-raises-90-million-from-kkr-ten-eleven [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:50:51 [post_modified_gmt] => 2022-12-16 16:50:51 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25364 [menu_order] => 251 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [18] => WP_Post Object ( [ID] => 25356 [post_author] => 66 [post_date] => 2021-05-12 06:00:56 [post_date_gmt] => 2021-05-12 06:00:56 [post_content] =>

On May 12, 2021, NetSPI President and CEO Aaron Shilts was featured in the Star Tribune.

NetSPI, which works with companies to thwart cyberattacks, has raised $90 million in minority investments from KKR and Ten Eleven Ventures.

The new infusion of capital will help the 225-employee software firm develop and improve products, add clients and hire more people, NetSPI CEO Aaron Shilts said in an interview Wednesday.

Read the full article here: https://www.startribune.com/netspi-a-minneapolis-cyber-security-firm-raises-90-million-new-investors/600056465/

[post_title] => Star Tribune: NetSPI, a Minneapolis cyber security firm, raises $90 million from new investors [post_excerpt] => On May 12, 2021, NetSPI President and CEO Aaron Shilts was featured in the Star Tribune. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => star-tribune-netspi-raises-90-million-from-new-investors [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:50:52 [post_modified_gmt] => 2022-12-16 16:50:52 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25356 [menu_order] => 253 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [19] => WP_Post Object ( [ID] => 21948 [post_author] => 66 [post_date] => 2021-02-14 07:00:03 [post_date_gmt] => 2021-02-14 07:00:03 [post_content] => On February 14, 2021, NetSPI President and CEO Aaron Shilts was featured in the Star Tribune.
Many cybersecurity firms hit the brakes quickly and laid off workers when the pandemic hit last year, throwing the country into recession. Their revenue was disrupted as corporate and government customers put off spending decisions and adjusted to new ways of work, with most employees logged in from home.

But the work-from-home model just as quickly presented them new opportunities, and many were staffing up by summer to stay ahead of demand.

"Our business ended up growing and we did great," said CEO Aaron Shilts of Minneapolis-based NetSPI. "Some of our smaller customers slowed. But our Fortune 1000 [clients] never stopped growing.

"In some ways it accelerated our business," he added. "We used to have to wait a month for a sales meeting. Now everybody can jump on a telemeeting. I do worry about long-term effects on collaboration. Humans need to work together to maximize the results."

NetSPI, an enterprise-security tester and system-vulnerability manager, said it grew sales 35% for a fourth year in a row and is approaching revenue of $50 million. It employs more than 200 workers around the country and expects to add up to 50 more this year. The firm works with large banks and several units of the Department of Defense.

Like its clients, NetSPI had to adjust to remote work.

"Internally, we try to over-communicate and stay in touch," Shilts said. "People do lose energy when they're just on Zoom. Most would like to be in the office some. But they mostly got the job done from home. I think the future is probably more flexibility."

Read the full article here: https://m.startribune.com/growth-accelerates-for-twin-cities-cybersecurity-businesses/600023160/
[post_title] => Star Tribune: Growth accelerates for Twin Cities cybersecurity businesses [post_excerpt] => On February 14, 2021, NetSPI President and CEO Aaron Shilts was featured in the Star Tribune. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => star-tribune-growth-accelerates-for-twin-cities-cybersecurity-businesses [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:00 [post_modified_gmt] => 2022-12-16 16:51:00 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=21315 [menu_order] => 273 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [20] => WP_Post Object ( [ID] => 20805 [post_author] => 66 [post_date] => 2021-01-05 07:00:36 [post_date_gmt] => 2021-01-05 07:00:36 [post_content] =>

On January 5, 2021, NetSPI President and COO Aaron Shilts was featured on the podcast, One Take CEO Interviews with Dale Kurschner.

Cybersecurity business leader Aaron Shilts discusses how he is leading his employees through the stresses and changes brought on by Covid-19, organic growth and a recent acquisition. He also shares three things your business should do if it hasn’t already done so to avoid a devastating cyberattack.

Shilts is president and COO of Minneapolis-based NetSPI, the industry leader in enterprise security testing and vulnerability management. NetSPI works with eight of the top 10 U.S. banks, three of the world’s five largest health care companies and the largest cloud providers. In December, it acquired Utah-based Silent Break Security to create a complete package for offensive cyber security and attack surface management.

Other points covered in this One Take CEO Interview include:
  • How Covid-19 affected NetSPI's workforce
  • Nothing connected to the Internet is safe, so what can you do?
  • How much cyber security can affect mergers and acquisitions
  • What he anticipates his greatest challenge will be in 2021
  • The upsides of working through a pandemic
Listen or watch the full interview on Spotify or YouTube - or visit the MN Perspectives website. [post_title] => One Take CEO Interviews: How NetSPI is Growing Despite Covid-19, PLUS 3 Things to Do Now to Protect Your Data [post_excerpt] => On January 5, 2021, NetSPI President and COO Aaron Shilts was featured on the podcast, One Take CEO Interviews with Dale Kurschner. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => one-take-ceo-interviews-how-netspi-is-growing-despite-covid-19-plus-3-things-to-do-now-to-protect-your-data [to_ping] => [pinged] => [post_modified] => 2021-04-14 05:28:26 [post_modified_gmt] => 2021-04-14 05:28:26 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20805 [menu_order] => 284 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [21] => WP_Post Object ( [ID] => 20716 [post_author] => 91 [post_date] => 2020-12-15 09:41:57 [post_date_gmt] => 2020-12-15 09:41:57 [post_content] =>

As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week. We know now the breaches have been linked back to a supply chain attack on the SolarWinds Orion Platform, a software platform that manages IT operations and products for over 300,000 organizations, including over 425 of the Fortune 500, all ten of the top U.S. telecommunications companies, all five branches of the U.S. Military, all five of the top U.S. accounting firms, and many, many more.

While FireEye, the U.S. Treasury, and National Telecommunications and Information Administration (NTIA) were the first to report a security breach, the breadth of SolarWinds’ customer base is an indicator that the breaches are seemingly the tip of the iceberg.

For the sake of information sharing, here is an overview of the attacks, immediate steps you can take to identify whether you have fallen victim, and tips for protecting your organization as communicated by FireEye, SolarWinds, and NetSPI. For the full technical deep-dive, we highly recommend the FireEye blog post.

Overview: SolarWinds Orion Manual Supply Chain Attack

On December 13, SolarWinds issued a security advisory alerting to a manual supply chain attack on its Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.

FireEye discovered the attack and suggests it is a state-sponsored global intrusion campaign by a group named UNC2452 - though many industry experts are attributing the attack to APT29, a group of hackers associated with the Russian Foreign Intelligence Service.

  • Attack Origin: UNC2452 gained access to victims via trojan-based updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
  • How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
  • Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.

Known breaches include:

FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.

U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.

Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:

  1. First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the subnet mask in CIDR notation (the prefix length). If the Orion agent is found, follow SolarWinds’ recommendations.
  2. SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
  3. Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.
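As an added example (not code from NetSPI, SolarWinds or FireEye), the Python below combines step 1 with the beaconing behaviour described in the overview: it parses Nmap grepable output for hosts with the Orion agent ports open and correlates them with DNS queries for subdomains of avsvmcloud[.]com. The `-oG` output option, the DNS log layout (timestamp, client IP, query type, query name) and all sample hosts and labels are assumptions constructed for the illustration.

```python
from __future__ import annotations

from collections import defaultdict

# Orion agent ports, taken from the Nmap command in step 1.
ORION_PORTS = {17778, 17790}
# C2 parent domain as written (defanged) on the page; refanged only for matching.
C2_PARENT = "avsvmcloud[.]com".replace("[.]", ".")

# Constructed sample of: nmap --open -sT -p 17778,17790 -oG - 10.20.0.0/24
NMAP_GREPABLE = (
    "# constructed sample, not real scan output\n"
    "Host: 10.20.0.15 (orion01.corp.example)\tStatus: Up\n"
    "Host: 10.20.0.15 (orion01.corp.example)\t"
    "Ports: 17778/open/tcp//unknown///, 17790/open/tcp//unknown///\n"
    "Host: 10.20.0.44 ()\tStatus: Up\n"
    "Host: 10.20.0.44 ()\tPorts: 17778/open/tcp//unknown///\n"
)

# Constructed DNS query log (assumed layout: timestamp client qtype qname).
DNS_LOG = """\
2020-12-14T09:12:03Z 10.20.0.15 A constructed-label-1.sub.avsvmcloud.com.
2020-12-14T09:12:09Z 10.20.0.15 A updates.example.com
2020-12-14T09:13:40Z 10.20.0.77 A CONSTRUCTED-LABEL-2.AVSVMCLOUD.COM
2020-12-14T09:14:02Z 10.20.0.44 A notavsvmcloud.com
2020-12-14T09:14:30Z 10.20.0.44 A avsvmcloud.com.cdn.example.org
malformed line
"""


def parse_orion_hosts(grepable: str) -> dict[str, set[int]]:
    """Return {ip: open Orion ports} from Nmap grepable (-oG) output."""
    hosts: dict[str, set[int]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/...
            if len(fields) >= 2 and fields[0].isdigit() and fields[1] == "open":
                if int(fields[0]) in ORION_PORTS:
                    open_ports.add(int(fields[0]))
        if open_ports:
            hosts[ip] = open_ports
    return hosts


def is_c2_name(qname: str) -> bool:
    """True for the C2 parent domain or any subdomain of it.

    Matching on a label boundary avoids false hits on look-alikes such as
    'notavsvmcloud.com' or names that merely contain the domain.
    """
    name = qname.strip().rstrip(".").lower()
    return name == C2_PARENT or name.endswith("." + C2_PARENT)


def c2_queries_by_client(dns_log: str) -> dict[str, list[str]]:
    """Group matching query names by the client IP that asked for them."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, _qtype, qname = parts
        if is_c2_name(qname):
            hits[client].append(qname.rstrip(".").lower())
    return dict(hits)


def triage(grepable: str, dns_log: str) -> dict[str, str]:
    """Label each host: Orion present, C2 DNS seen, or both (top priority)."""
    orion = parse_orion_hosts(grepable)
    c2 = c2_queries_by_client(dns_log)
    report = {}
    for ip in sorted(set(orion) | set(c2)):
        if ip in orion and ip in c2:
            report[ip] = "orion+c2-dns"
        elif ip in c2:
            report[ip] = "c2-dns-only"
        else:
            report[ip] = "orion-only"
    return report


if __name__ == "__main__":
    for host, status in triage(NMAP_GREPABLE, DNS_LOG).items():
        print(f"{host:<12} {status}")
```

A host labelled orion-only still needs the version check and upgrade from step 2; because SUNBURST can stay dormant for up to two weeks, the absence of C2 lookups in a short log window does not clear it.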

Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.

[post_title] => FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now? [post_excerpt] => As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => fireeye-solarwinds-us-treasury-whats-happening-in-the-cyber-security-world-right-now [to_ping] => [pinged] => [post_modified] => 2021-05-04 17:03:39 [post_modified_gmt] => 2021-05-04 17:03:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20716 [menu_order] => 289 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [22] => WP_Post Object ( [ID] => 18904 [post_author] => 66 [post_date] => 2020-09-22 07:00:06 [post_date_gmt] => 2020-09-22 07:00:06 [post_content] =>

You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. And you’ve committed to building an ongoing and continuous vulnerability management program to guard against the potential threats to your assets. Now what?

Putting a successful vulnerability management program in place needs careful consideration up-front to ensure your organization is set up for success to remediate vulnerabilities for each application and system you have. For a quick overview of the process, our Best Practices for Your Vulnerability Management Program tip sheet can be used as a guide. The following checklist breaks the best practices process down and provides you with a planning roadmap to getting the most value out of a penetration testing and vulnerability management program.

Penetration Testing Program Plan of Attack

Deliverable

Elements of Success

Requirements

Step One: The Plan

Develop a plan that puts structure and strength around cybersecurity to include continuous vulnerability testing and patching, incident response plans, and training and security awareness programs. The ultimate goal? Decrease time to remediation and to close security gaps in your network.

Clearly define the scope, objectives, identification of testing, and the order in which they are to be performed.

Build a vulnerability management team. This could include both in-house talent as well as industry analysts or consultants. When choosing a pentesting service provider, ask about the credentials of their pentesting team, beyond technical competencies. For example, will your team be a dedicated work group or an outsourced group who haven’t previously worked together? Team structure has implications for streamlined communications and for knowing who is inside your network.

Augment the plan with careful preliminary risk planning, including contingency plans should any services be unintentionally disrupted.

Types of penetration testing:

□  Develop a high-level vulnerability management plan – be sure to include non-negotiables such as scalability and continuous testing

□  Present your case to business leadership; gain agreement on budget

□  Refine plan and define ownership and scope of your program to include personnel and their roles and responsibilities

□  Develop policies, standards, and procedures

□  Determine merchandising strategy – to bring visibility to the program’s successes

Step Two: Scanning and Assessment

Layer in automated scanning functions that deliver results that can be easily sorted and acted upon with human capital to find and fix vulnerabilities.

Create an enumeration (list and count) of suspected vulnerabilities only after running multiple automated tools over time, not just a single tool.

Build in further analysis of suspected vulnerabilities using specialized tools and manual techniques as required.

□  Identify all assets you want to scan

□  Define vulnerability landscape:

  • Common vulnerabilities and exposures (CVEs)
  • Common configuration enumerations (CCEs)
  • Architecture
  • Design

□  Define actionable reporting structure of vulnerabilities

□  Deploy automated vulnerability scanning; use authenticated mode to scan high-value resources

□  Prioritize pentesting cadence, beginning with an external network penetration test followed by internal network testing

□  Commence manual pentesting

Step Three: Preparing for Risk-Based Remediation

Develop a risk-based remediation plan commensurate with your program’s maturity level and appetite for business risk.

Employ a comprehensive verification of high-risk vulnerabilities including but not limited to safe exploitation of these vulnerabilities using both automated and manual processes, including the injection of malicious code when called for.

□  Rank vulnerabilities through an established remediation timeline. For example:

  • Critical = 7 days
  • High = 2 weeks
  • Medium = 1 month
  • Low = Patch driven updates

□  Assign application and system remediation owner

□  Build in business leadership approvals for long lead remediations

Step Four: Ongoing Reporting and Improvement

Automate your vulnerability management program as much as possible: spreadsheets, emails, and document sharing portals are insufficient for most organizations, large ones in particular. Automation enables 24/7 pentest report visibility with business leadership and continuous improvement.

Find a penetration testing reporting platform that is engaging and customizable to showcase what is most important to your business, one that can track and compare data over time.

Learn about the NetSPI Resolve™ platform.

□  Build a reporting framework – for the pentesting team and for business leadership

□  Identify continual improvement opportunities

□  Use comparison data to showcase progress over time and highlight successes

All organizations should aspire to have the people, processes, and tools necessary to effectively execute an ongoing vulnerability management program. Failure to do so may result in poor tool selections, testing mistakes, and faulty interpretation of vulnerability scanner and pentest results that often lead to a false sense of security and could put the enterprise at risk. By building out a vulnerability management plan, as depicted above, you can dramatically increase the security of your enterprise and can be better assured to reach your ultimate goal: to decrease time to remediation and close any security gaps in your network.

[post_title] => Checklist: Getting the Most Value Out of Penetration Testing and Vulnerability Management [post_excerpt] => You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => checklist-getting-the-most-value-out-of-penetration-testing-and-vulnerability-management [to_ping] => [pinged] => [post_modified] => 2022-02-15 19:02:48 [post_modified_gmt] => 2022-02-16 01:02:48 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=18904 [menu_order] => 316 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [23] => WP_Post Object ( [ID] => 19475 [post_author] => 66 [post_date] => 2020-09-08 07:00:16 [post_date_gmt] => 2020-09-08 07:00:16 [post_content] =>

The term ‘red teaming’ is said to be overly used in the cyber security industry, which is why the concept is often misunderstood and unclear. But for the right cyber security pro, red teaming can be an exciting profession. Red teaming assessments are objective-based assessments of an organization’s security posture. Assessors are allowed to use any technique that they deem appropriate to try and determine if the objectives, defined upfront, can be accomplished. Typically, a red team’s goal is to gain unauthorized access to an organization’s environment while avoiding detection and then maintaining access for a pre-determined period of time to test an incident response team’s ability to identify and respond to threats.

Red teaming is not a job for the faint of heart as it involves travel and many hours, even days, of thinking strategically and reacting quickly to the situation at hand. Nevertheless, it’s a critical component of every vulnerability testing strategy and can help organizations accurately assess threats to IT assets, benchmark current security capabilities, justify security investments, sharpen the skills of the team and improve detective controls. Given the importance of red teaming engagements, the industry should also understand the people behind the engagements and how they operate in order to get the most value out of the engagement. I talked with NetSPI Managing Director Nabil Hannan for an inside look at red teaming culture.

Aaron Shilts (AS): Who is drawn to red teaming work?

Nabil Hannan (NH): Although having solid technical skills to be able to circumvent security controls in the software, network or infrastructure may be an important skill to have, ultimately, the personalities who are most attracted to this type of work, and end up being most successful at red teaming engagements, are people who are clever and can think outside the box. Having the ability to think quickly on one’s feet and solve problems on the fly are important attributes for people who perform these assessments.

AS: Penetration tests and red teaming assignments can cause stress and anxiety. How does this affect professionals?

NH: Although red teaming engagements can be stressful, typically the personalities who do these engagements enjoy, and even thrive on, doing this type of work, and – from my experience – rarely consider this as true “stress.” Red teaming engagements really allow assessors to go above and beyond and truly think outside the box on how to circumvent security controls in creative ways to successfully complete objectives. These creative methods can range from being able to create phishing emails (that generate excitement and make victims fall for the attack and click/respond to the phishing attack) all the way to physical security attacks where you can use condensed air cans or even something as simple as a balloon to trigger motion sensors and get access to parts of a building which require special access or clearance.

AS: What kind of tools do red teams have at their disposal?

NH: Red Teaming assessments can leverage any existing information they have at their disposal regarding vulnerabilities and weaknesses in the systems and environments they are trying to compromise. This may include penetration testing reports, automated scan reports (e.g. static application security testing (SAST), dynamic analysis security testing (DAST), interactive application security testing (IAST), network scanning), video surveillance feeds, user guides, documentation around access controls, and more. There are also many tools and gadgets that can be purchased for fairly low cost to do reconnaissance and exploits with things like WiFi antennas with extended range, RFID sniffers, and USB mice with flash storage inside them.

AS: How can leaders help balance the demands of the job while creating a sense of camaraderie among their teams?

NH: Most red teaming engagements are performed in teams of two or more. It’s important for the team to work cohesively together and help complement each other’s strengths. Building a team with a good mix of both technical and non-technical skills is important for success. Successful leaders will assign specific roles for each team member focused on harnessing their strengths, and also ensure that the team works together to brainstorm and create plans and strategies on how to accomplish specific objectives outlined in the engagement.

AS: What background or qualifications are beneficial for a red team professional?

NH: Professionals with military and law enforcement backgrounds are a valuable addition to a team because they can help navigate the legal and physical security aspects of an engagement. And it’s critical to have professionals on the team who have the resources and technical expertise to be able to identify and exploit vulnerabilities in software systems to find ways to circumvent security controls and accomplish the objectives of the engagement.

AS: Is there risk for red teams to get in trouble with the law while participating in an engagement?

NH: There have been some incidents, but they are very rare. Typically, during Red Teaming assessments, the assessors are provided with a “get out of jail free” letter that they are required to carry throughout the engagement. These letters have details provided regarding the engagement, who the sponsor is, and contact information of the client to call and confirm the rules of engagement and scope of the assessment by law enforcement. The cyber security community typically isn’t worried about their assessors getting arrested and facing criminal charges, because they were performing the work on behalf of an organization, and they have contractual language that protects them.

Red teaming professionals certainly have their work cut out for them, as cyber security adversaries continue to evolve and find new ways to access sensitive systems and data. Let this article be a reminder to thank red team assessors next time you see them – and talk with them about how IT and security leaders can better enable them to work collaboratively, use all available resources, and use their creative, yet technical, minds to help organizations assess security threats and ultimately improve their security posture.

[post_title] => Q&A with Nabil Hannan: An Inside Look at Red Teaming Culture [post_excerpt] => The term ‘red teaming’ is said to be overly used in the cyber security industry, which is why the concept is often misunderstood and unclear. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => qa-nabil-hannan-inside-look-at-culture [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:51:01 [post_modified_gmt] => 2021-04-14 00:51:01 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=19475 [menu_order] => 318 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [24] => WP_Post Object ( [ID] => 18984 [post_author] => 66 [post_date] => 2020-08-18 07:00:45 [post_date_gmt] => 2020-08-18 07:00:45 [post_content] =>

No industry is safe from a cyberattack and last year’s long list of breach victims is testament to that. Within the first six months of 2019, 3,800 breaches were reported, exposing 4.1 billion records. The impact of a breach continues to grow, and the wide-ranging threat landscape continues to shift – thus, our network security testing strategies should evolve in tandem.

Penetration testing has been around for decades and has remained at the foundation of vulnerability testing and management programs. But as the modern enterprise continues to evolve, and attack surfaces become much more complex, pentesting has remained relatively unchanged. Following a pentest, security and IT teams are typically left with an immense amount of vulnerability data that ends up in PDFs with limited context, making it challenging to process and collaborate with development teams for vulnerability remediation. In addition, many organizations struggle with the breadth of their security testing coverage and lack the time or financial resources to adequately pentest all of the applications and systems in their environment – and they can’t remediate all the vulnerabilities from each test. According to Gartner, once a company discloses a vulnerability and releases a patch, it takes 15 days before an exploit appears in the wild.

To ensure critical assets are secure and their entire attack surface has some level of pentesting coverage, today’s modern enterprise requires a more continuous and comprehensive penetration testing process.

Enter Penetration Testing as a Service, or PTaaS: a hybrid approach to security testing that combines manual and automated ethical hacking attempts with 24/7 scanning, consultation and streamlined communication and reporting delivered through a single platform. By delivering pentesting “as a service,” organizations receive a broader, more thorough vulnerability audit year-round instead of relying on point-in-time pentests, which are typically executed just once a year.

Point-in-Time Pentesting Versus PTaaS

While an important starting point, point-in-time penetration testing has its limitations. Once a test has been completed, how can one be sure that no new vulnerabilities arise during the remaining 364 days of the year? To better understand the impact of PTaaS, here are four core differences between point-in-time penetration testing and PTaaS. PTaaS gives organizations:

  1. Visibility and control. Through PTaaS, organizations are put in control of the pentest. Security teams gain the ability to request and scope new engagements, see the progress and status of all open engagements, easily parse the vulnerability trends, and work to understand and verify the effectiveness of remediations, all within a single online platform.
  2. Paths to quicker remediation. The penetration testing reports, often static PDFs, created after a standard pentest leave much to be desired when it comes to vulnerability remediation. On average, it takes 67 days to remediate critical vulnerabilities. PTaaS platforms allow findings to be actionable as they can be sorted, searched, filtered, and audited. As the vulnerability or exploit evolves over time, the data related to it will be updated, not remain unchanged in a document. Additionally, PTaaS provides development teams with the most up-to-date and relevant information for remediation, with assistance and consultation from the team of pentesters who found the vulnerability.
  3. More security testing possibilities. Due to both the cost savings of automation and the efficiency provided for remediating vulnerabilities, companies are able to do more with their budgets and internal resources. The faster vulnerabilities are found and remediated, the quicker the company can move on to protect itself from the next vulnerability.
  4. Prioritized, actionable results. PTaaS platforms, like NetSPI’s Resolve, will aggregate and correlate the findings, eliminating manual administrative tasks while providing a result set that drives the right set of actions in an efficient manner for all organizations. According to Gartner, one of the most common ways to fail at vulnerability management is by sending a report with thousands of vulnerabilities for the operations team to fix. Successful vulnerability management programs leverage advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.

What’s fueling the desire for an “as a Service” model for penetration testing?

Businesses, no matter the industry, are constantly changing and are on the lookout for technology that can scale with them. Because of the constant flux that businesses remain in today, whether from engaging in a merger or acquisition or integrating a new software program, there is a desire to uncover the most efficient way to maintain an always-on vulnerability testing strategy, while also ensuring capacity to remediate. PTaaS is scalable, so that organizations of all sizes and maturity can use it to maintain a small part of their security testing program – or the entire program.

Further, heavily regulated industries – such as financial services, healthcare, and government – benefit greatly from an “as a Service” model, given the level of sensitive data stored and pressures of maintaining compliance. With PTaaS, organizations can consume their data, on-demand, in many formats for their various regulatory bodies and gain the visibility to know what is happening in their security testing program, and what actions need to be taken.

PTaaS is the new standard for vulnerability testing and remediation as security teams recognize that annual testing does not enable a proactive security strategy. Pentesting engagements are no longer a once-a-year tool for compliance and have evolved into a critical part of day-to-day security efforts.

    [post_title] => Four Ways Pentesting is Shifting to an “Always On” Approach
    [post_modified] => 2022-02-15 19:04:32
    [guid] => https://www.netspi.com/?p=18984
)

[25] => WP_Post Object
(
    [ID] => 18896
    [post_date] => 2020-07-28 07:00:27
    [post_content] =>

Let’s face it. The chefs in our lives were right when preaching the “clean as you go” philosophy while cooking. Keeping counters and utensils washed and put back in place helps thwart the influx of bacteria and spread of cross contamination that could make us sick. Shouldn’t that same philosophy apply to cyber security, too? Foregoing a “clean as you go” program and conducting a penetration test just once each year may check a compliance box, but ultimately prove to be unsuccessful when it comes to protecting your network and assets from the potential “bacteria” that can enter at any time.

Systems and applications in any organization become alarmingly vulnerable if monitored under a one-and-done scenario. An ongoing and continuous vulnerability management program or penetration testing program is an important guard against the potential threat to your technology assets that hackers pose nearly every second of the day. In fact, a University of Maryland study says that hackers attack every 39 seconds (on average 2,244 times a day). Think of how vulnerable your technology assets are in this environment if only penetration tested once a year.

As an aid to help put structure around a continuous penetration testing program, here are four core considerations that should be a key part of an always-on security program.

1. Prevent Breaches with an ‘Always On’ Testing Mentality

There’s no doubt about it: attack surfaces grow and evolve around the clock. With network configurations, new tools and applications, and third-party integrations coming online constantly, an atmosphere is created that opens the possibility of unidentified security gaps. This white paper points to the fact that cyber-attacks can affect your business and are almost as prevalent as natural disasters and extreme weather events. And we know from our own NetSPI research that nearly 70 percent of CISO security leaders are concerned about network vulnerabilities after implementing new security tools.

And those CISOs’ concerns are valid: take the recent announcement from the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). CISA published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic. A ZDNet article says that CISA warns it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. CISA is concerned that hurried deployments may have led to important security configuration oversights that could be exploited by attackers. With continuous penetration testing in place, security leaders can identify high risk vulnerabilities in real-time and close those security gaps faster.

2. Automation Is a Tool; Human Logic Is Critical

Good pentesters use automated scanning tools (ideally from many different sources) and run frequent vulnerability discovery and assessment scans in the overall pentesting process. Vulnerability scanning is generally considered an addition to manual, deep-dive pentests conducted by an ethical hacker. Manual pentesting leverages the findings from automated vulnerability and risk assessment scanning tools to pick critical targets for experienced human pentesters to 1) verify as high-fidelity rather than chasing false positives, and then 2) consider exploiting as possible incremental steps in an effort to eventually gain privileged access somewhere important on the network.

Purely automated tools and highly automated testing activities cannot adequately test the business logic baked into an application. While some tools claim to perform complete testing, no automated technology solution on the market today can perform true business logic testing. The process requires the human element that goes well beyond the capabilities of even the most sophisticated automated tools.

3. Penetration Testing Reports Don’t Have to Be Mundane

We can all agree that there isn’t much enjoyment in reading pages and pages of pentesting data presented in static Excel or PDF documents. Now picture what the paperwork for a once-a-year penetration testing report looks like. Gulp! Much like many of us consume the daily news headlines, so too should CISOs view the daily “headlines” of their vulnerability management programming through the display of live pentest report results.

Under this scenario, less time is spent analyzing penetration testing report data, opening valuable time to give to the important work of remediation. Insist on the following pentest report deliverables in your penetration testing program:

  1. Actionable, consumable discovery results to automatically correlate and normalize all of the data collected from multiple open source and proprietary tools.
  2. High quality documentation and reports related to all work delivered, including step-by-step screen-capture details and tester commentary for every successful manual attack.

4. Stay Ahead of the Attacks Through Remediation

To stay ahead of attacks that arrive every 39 seconds, every day, it’s important to enable fast and continuous remediation efforts to keep a threat actor at bay. This goes hand in hand with testing, analyzing, and reporting: if you’re not continuously testing for vulnerabilities, it’s highly probable that the issues remain unresolved. Layer these remediation best practices into your pentesting program:

  1. Industry standard and expert specific mitigation recommendations for all identified vulnerabilities.
  2. Traceability and archiving of all of the work done to make each subsequent round of testing for your organization more efficient and effective.

Factoring these considerations—always on testing, manual testing, real-time reporting, and remediation—into the planning and design of penetration testing programs will significantly minimize the risk of damage or disruption that could occur in an organization, and dramatically boost the security of your cyber assets.

    [post_title] => Four Must-Have Elements of an Always-On Cyber Security Program
    [post_modified] => 2021-04-14 00:52:31
    [guid] => https://www.netspi.com/?p=18896
)

[26] => WP_Post Object
(
    [ID] => 18867
    [post_date] => 2020-06-09 07:00:41
    [post_content] =>

Proactive or preventative cyber security testing continues to be an afterthought in today’s conversations around breach preparedness. In this Forbes article, for example, the author suggests establishing an incident response plan, defining recovery objectives and more, all of which are necessary – but there’s no mention of investing in enterprise security testing tools and penetration testing services that boost your cyber security posture in the first place.

Sure, it can be difficult to make a business case for the C-suite to invest in an intangible that doesn’t directly result in new revenue streams. Historically, though, breaches cost companies millions and sometimes billions of dollars, proving that a ‘dollars and sense’ case can be made for preventative cyber security testing.

Even when a case is made to the board and funding is available, enterprise security teams struggle to be proactive because they are constantly reacting to the threats already looming in their network, lack adequate staffing, and face a pace of vulnerabilities that continues to outpace the business. So, how can the C-suite and security teams come together to prioritize the urgency of implementing a proactive cyber security testing program? How can we communicate that the upfront planning and setup is a proactive investment that will help eliminate the financial and time strain of a reactive-forward cyber security program?

The reality is that cyber security breaches today are inevitable and put organizations at grave risk. To help your security team make the case for prevention-based security investments, such as penetration testing and adversarial simulation, here are three recommendations that will get the attention of C-suite executives and help your security team remain proactive:

Translate the Impact of a Breach into Dollars and Sense that the C-Suite Understands

In today’s digital world, data is more valuable than ever and more vulnerable. So, how can you best communicate this heightened value of data security and risk to your leadership team? By speaking a language they understand. First, shift your mindset from talking about “cyber security and compliance” to “customer safety and quality services;” these terms will resonate better with the C-suite.

Next, be prepared to talk financial risk. Annually, IBM and Ponemon Institute release the Cost of a Data Breach Report, which includes a calculator based on industry and cost factors – such as board-level involvement, compliance failures, and insurance – to determine the potential financial impact of a breach. Use this resource to calculate your own organization’s estimated cost of a data breach.

A simple calculation case study: In the United States, if an attacker compromises just 5,000 records, it could cost your organization over $1 million (based on the average cost of $242 per lost record). This case demonstrates the cost of a smaller-scale breach – in fact, the average size of a data breach in the United States in 2019 is 25,575 records, resulting in an average cost of $8.2 million per breach. Compare that to the average cost of a vulnerability management or penetration testing program, and your case to the executive team is pretty simple. Notably, loss of customer trust and loss of business are the largest of the major cost categories, according to the report. The study finds that breaches caused a customer turnover of 3.9 percent – and heaps of reputational damage.

Lastly, use examples in your respective industry as proof points. For example, if you’re in the financial services industry, reference other breaches in the sector and their associated cost. It’s important to clearly communicate the reality of what happens when your organization is breached to get the C-suite on board for more cyber security spend. Sharing concerning results of reactive cyber security strategies helps executives see the benefit of investing in proactive security measures to prevent a breach from happening in the first place.

Help Leaders Understand Cyber Security Testing’s Role in a Crisis Preparedness Plan

A data breach is a common crisis scenario for which every business should plan. It should be discussed in tandem with other risk scenarios like natural disasters, product recalls, employee misconduct, and conflict with interest groups, to name a few. As with any disaster preparedness program, documentation and reporting are critical. Specifically, documentation of your vulnerability testing results and remediation efforts should be viewed as a tool to inform leaders about the organization’s exposure to risk, as well as its ability to prevent breach attempts from being successful. Cyber security weaknesses to look for from an organizational standpoint include lack of continuous vulnerability testing and patching, untested incident response plans, and limited training and security awareness programs. These three key areas can turn into the “Achilles heel” of any organization’s security posture if not addressed and implemented properly.

Position Your Pentest Team as an Extension of Your Own Security/IT Team

According to a survey we conducted earlier this year, over 80 percent of security leaders say lack of resources keeps them up at night. And for some time now, the cyber security industry has suffered a skills shortage. While companies are eager to hire cyber security experts to address the ever-evolving threat landscape and avoid the high costs of a breach, there aren’t enough people who can fill these roles. According to the latest data from non-profit (ISC)², the shortage of skilled security professionals in the U.S. is nearly 500,000.

Hiring outside cyber security resources is one solution to this demand conundrum. Time is invaluable, so if you propose to hire new vendors, it’s important from the start to position the white hat testers to your executives as an extension of your own team. It is the responsibility of both corporate security practitioners and vendors to find ways to work collaboratively as one team.

Pentesting is a great example of the importance of collaboration in cyber security. Traditionally, pentesters complete their engagement, hand off a PDF and send the internal team off to remediate. With the emergence of Penetration Testing as a Service (PTaaS), pentesters not only perform an engagement, they also conduct more deep-dive manual tests, continuously scan for vulnerabilities to deliver ongoing pentest reports in an interactive digital platform that separates critical vulnerabilities from false positives (a time-consuming activity for your in-house team) and serve as remediation consultants for your organization. Make it clear to your C-suite that vendor relationships are changing and cyber security testing vendors can serve as a solution for current cyber security skills gaps within the business.

When the C-suite and IT and security departments are disconnected on priorities, the risk of a data breach increases. Learn to speak the language of your executive leaders and communicate the true value of proactive security measures. Effective communication around the potential financial impact of a breach, where vulnerability testing fits in a crisis preparedness plan, and ways to solve cyber security talent shortages, can result in additional budget for proactive cyber security testing and other security initiatives.

    [post_title] => Making the Case for Investing in Proactive Cyber Security Testing
    [post_modified] => 2021-04-14 10:02:30
    [guid] => https://www.netspi.com/?p=18867
)

[27] => WP_Post Object
(
    [ID] => 18813
    [post_date] => 2020-05-14 07:00:12
    [post_content] =>

On May 13, 2020, NetSPI President and COO Aaron Shilts was featured in Dark Reading.

Aaron Shilts, president and chief operating officer at security testing firm NetSPI, says faster software development life cycles and inefficiencies in manual deep-dive penetration testing programs are driving interest in PTaaS.

Organizations are overloaded with traditional pen-test PDF deliverables, many of which can contain a mountain of findings, he says. This has made it difficult for organizations to prioritize, correlate, and drive remediation activities.

"PTaaS is essentially an enriched delivery model, making it easier for customers to consume testing services, from initial scoping to reporting," he says. "It ultimately helps to accelerate the remediation process."

Read the full article here.

    [post_title] => Dark Reading: Organizations Conduct App Penetration Tests More Frequently – and Broadly
    [post_modified] => 2021-04-14 05:31:54
    [guid] => https://www.netspi.com/?p=18813
)

[28] => WP_Post Object
(
    [ID] => 17718
    [post_date] => 2020-03-09 07:00:00
    [post_content] =>

On Mar. 9, 2020, NetSPI President and COO Aaron Shilts was featured in Banking Dive.

The next level of self-hack is conducted at a more enterprise level, called red team testing. There are a few variations of the approach. In one, red-team testers adopt the tactics of a specific, known threat actor and try to achieve a specific objective against a chosen target. Red teaming is typically done by banks that are at a higher level of security maturity overall, said Wong.

The value of penetration testing over simply using scanning software is that you’re adding humans to the mix, said Aaron Shilts, president and COO of vulnerability assessment firm NetSPI.

"If we were bad guys, you know, what would we use to get in?" Shilts told ABA. "How could we get in? What do their defenses really look like? With limited information, it’s kind of a good way to simulate how accessible the crown jewels are from the outside."

Read the full article here.

    [post_title] => Banking Dive: Banks engage in self-hacks to keep defenses sharp
    [post_modified] => 2021-04-14 05:32:15
    [guid] => https://www.netspi.com/?p=17718
)

[29] => WP_Post Object
(
    [ID] => 17402
    [post_date] => 2020-03-04 07:00:13
    [post_content] =>

We just returned from RSA Conference, and like every year, it did not disappoint in meeting its charter: “to be a driving force behind the world’s cybersecurity agenda… the place that provides a forum for innovation and partnership… as cybersecurity has become more relevant across all aspects of our daily lives.”

While there was much talk about automation, artificial intelligence and of course, technology, Rohit Ghai, president of RSA, emphasized in his keynote address a point that we, at NetSPI, support day in and day out — valuing the critical importance of people in this complicated and ever-evolving world of vulnerability management.

From the stage, Ghai asked the audience if humans in cybersecurity will matter once technology advances. He argued that, yes, the human element will always matter and what differentiates humans from machines is our ability to tell a story. “We, as cybersecurity professionals, need to change the story of cybersecurity and turn the narrative toward 'cyber-resilience,'” Ghai said. Bob Keaveney, managing editor of BizTech, concurs. He wrote, “Human activity will continue to be the indispensable difference between successful and foiled hacks.”

Considering the importance of the human touch in cybersecurity, we observed these three prevalent themes during RSA:

Takeaway 1: CISO Leadership Must Be in the Boardroom

We are confident that no organization wants to impede its infosec programs, yet as we pointed out in this blog post, many problems can be traced back to miscommunication and misunderstanding of a technical topic by people who do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your infosec program is critical — starting in the boardroom.

As the individual most responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, the Chief Information Security Officer (CISO) will serve as the bridge between the highly technical language inherent in infosec, vulnerability, and data security management programs to other C-suite executives and board members who are more financially, operationally or innovation focused.

Speaking of the human touch in cybersecurity, read this short case study about how Equifax faces a new day in cybersecurity by emphasizing cultural change as a solution.

Takeaway 2: Intelligence Sharing and Cyber Defense Go Hand in Hand

Infosec experts are creative thinkers. They are constantly coming up with new ways to “break things” in a dogged determination to stay ahead of the vulnerabilities their company may face from hackers and manage the remediation of potential (or actual) breaches.

At NetSPI, this new thinking manifests in our commitment to developing open-source tools that strengthen the infosec community. We publish our open source projects and write a blog specific to best practices and information sharing.

Fortunately, we aren’t alone in our belief in the importance of supporting the entire infosec community. In fact, BankInfoSecurity named threat intelligence and sharing a top theme of the show. Further, when analyzing the abstracts from would-be speakers at RSA, event organizers noted, "We saw an increase in submissions that documented the inherent weaknesses and challenges of machines, with some deeply technical and wonderfully detailed submissions digging into the specifics and providing guidance and best practice considerations," says Britta Glade, the RSA Conference's director of content and curation.

Takeaway 3: Automation as a Tool, Not the Be All and End All

Automation has a clear role in helping organizations with pentesting for enterprise security management. In fact, as this BizTech article states, closing the cybersecurity skills gap is a perennial problem that automation may help solve. Our concern? Automation alone only exacerbates the plethora of information that CISOs are inundated with daily without, as RSA noted, “the human element – the experts who can turn those stacks of static reports into real-time accessible reporting as vulnerabilities are found.”

And we aren’t alone in this thinking. In its RSA coverage, CRN.com associate editor Michael Novinson advocates for a more pragmatic approach to handling risk than traditional vulnerability management, one that would place both automation and remediation front and center. Unisys CTO Vishal Gupta concurs: “Being presented with a list of hundreds of thousands of problems doesn’t do a CISO much good given the amount of digital assets and software in an organization. Continuously telling businesses what’s wrong is more of a risk identification strategy than a risk mitigation strategy and doesn’t provide them with any better handle on the problem.”

Organizations with a mature security program understand that moving past just a point-in-time vulnerability management program to a continuous model delivers results around the clock, giving infosec professionals the ability to manage vulnerabilities more easily and efficiently. In fact, the concept of continuous monitoring should be baked into the development process from the start. In its RSA coverage, TechBeacon notes that in the DevSecOps model, infrastructure as code allows continuous code and security scanning to handle infrastructure configurations, and that removes the security team from potentially blocking development with time-consuming tests.

In an interview with NCC Group’s Research Director Clint Gibler, TechBeacon writes that infrastructure as code is essential. “For developers, a key advance is the increasing use of infrastructure as code and continuous deployment. When networking and server configuration are part of the application configuration, the settings can be checked for weaknesses in the same way as other application components,” said Gibler. “You can run security checks on your infrastructure code before it is even deployed. And it makes it easy to avoid any drift over time, and get back to a pristine state.”

Continuous Pentesting Coupled with “the Human Element”

In the spirit of these three RSA takeaways, NetSPI introduced its new Penetration Testing as a Service (PTaaS) powered by the Resolve platform at the conference. PTaaS puts our customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, and orchestrate quicker remediation, with the added ability to perform always-on continuous testing. We believe that key to its success is the integration of our team of expert, deep-dive manual pentesting employees who use enhanced automation to uncover an organization’s vulnerabilities. We believe that while automation creates efficiencies, the human touch is also necessary to identify potentially high and critical severity threats that can only be discovered by manual testing.

Want to read more about the future of cybersecurity? Read RSA’s 2020 trend report here.

    [post_title] => RSA 2020: Three Takeaways from the Halls of the Moscone Center
    [post_modified] => 2021-04-14 00:56:01
    [guid] => https://www.netspi.com/?p=17402
)

[30] => WP_Post Object
(
    [ID] => 17538
    [post_date] => 2020-03-02 07:00:21
    [post_content] =>

On Mar. 2, 2020, NetSPI President and COO Aaron Shilts was featured in ABA Banking Journal.

Aaron Shilts, president and COO of NetSPI, a vulnerability assessment firm based in Minneapolis that works with large financial firms, says the value of penetration testing over scanning software is “that you’re adding humans to the mix,” he says. “With red teaming you act as an outside adversary.”

In designing a test for a client, Shilts asks some basic questions. “If we were bad guys, you know, what would we use to get in?” he asks. “How could we get in? What do their defenses really look like? With limited information, it’s kind of a good way to simulate how accessible the crown jewels are from the outside.”

Red team projects with NetSPI typically would last about a month, Shilts says.

Read the full article here.

    [post_title] => ABA Banking Journal: Go Hack Yourself
    [post_modified] => 2021-04-14 05:32:19
    [guid] => https://www.netspi.com/?p=17538
)

)

[post_count] => 31
[post] => WP_Post Object
(
    [ID] => 29121
    [post_date] => 2023-01-10 09:00:00
    [post_content] =>

Today, we’re happy to announce that NetSPI has acquired nVisium to continue building upon our suite of offensive security testing solutions. We sat down with NetSPI CEO Aaron Shilts and nVisium CEO and Founder Jack Mannino to learn what this means for their mutual clients and the greater cybersecurity community.

Why nVisium/NetSPI?

Aaron Shilts: The nVisium team brings an impressive track record in cloud and application pentesting, and we’re incredibly excited to welcome them to NetSPI. Coming together, we will unlock great potential in meeting the increasing demand for quality pentesting solutions and reinforce our commitment to growth and innovation. It took months of research, discussions, and interactions to come to this decision, but one thing is for sure, we were always convinced the nVisium team will be the perfect complement to our DNA and culture we’ve built at NetSPI.

Jack Mannino: We’ve competed with NetSPI in the past, and I’ve always respected what Aaron and his team have built. Agreeing to an acquisition is not a small decision, but as soon as we started talking with the NetSPI team, it was clear that both organizations were extremely aligned from a culture, delivery, and people perspective. They care deeply about their people and maintaining a culture of collaboration, plus, we have the same high standards for security testing as they do. With this acquisition, nVisium employees and clients will be presented with a wide array of new opportunities. I’m eager to see what we can accomplish together.

How will this acquisition impact mutual clients and the greater security community?

Aaron: This news follows our recent announcement of KKR’s investment in NetSPI’s future and its promise to continue to bring positive impact to the security community. By joining forces with nVisium, we can move faster, offer clients access to an incredibly talented team of offensive security professionals, and double down on our promise for innovative, platform driven, and human delivered offensive security solutions.

Jack: By joining forces with NetSPI, nVisium has a massive opportunity to expand the breadth and depth of solutions we deliver, improve the client experience, and introduce new growth opportunities to our employees. We have built strong enterprise relationships and we are eager to support them in new ways and, at the same time, build on our capabilities within cloud and application security testing.

Notably, NetSPI’s penetration testing as a service (PTaaS) delivery model has made an incredible impact on its clients, enabling them to test continuously, digest results in a dynamic way, improve vulnerability management efforts, and increase manual testing and triaging. nVisium and NetSPI together will amplify the PTaaS model and allow us to increase our capacity to help more organizations.

What’s next for the combined companies?

Aaron: This acquisition is proof that we are committed to staying true to our mission, disrupting the penetration testing industry by attracting and retaining top talent, and setting the highest standards in the penetration testing market. Over the next few months, we will be focused on integrating the nVisium team to help deliver high-caliber pentesting solutions to more enterprises, globally.

Over the next year, you will see an emphasis on NetSPI’s R&D, particularly with our cloud, IoT, and blockchain solutions. We’ve recently formed an official NetSPI Labs team, who will lead the development and expansion of new offensive security solutions and tools.

Jack: The industry can expect continued growth, innovation, and quality pentesting from NetSPI and nVisium – with no signs of slowing. The power of our combined teams will certainly be a force to be reckoned with.


NetSPI acquires nVisium, bringing top penetration testing talent together.
