Cody Chamberlain

As Head of Product, Cody focuses on ensuring the delivery of the technical roadmap, strategizing on future product offerings, and partnering with sales and marketing on go-to-market strategies. He has spent the majority of his career in varying cyber security roles at companies like Ameriprise Financial and Target Corp.
More by Cody Chamberlain
Post published 2022-08-02:

NetSPI CEO Aaron Shilts recently wrote an article that centered around this powerful statement: Technology cannot solve our greatest cybersecurity challenges. People can.  

As Head of Product, this statement gave me a critical opportunity to pause and reflect on my team’s purpose and ask, “What is the true intent of our technology innovation?” 

The answer was abundantly clear: Technology should empower people and maximize the value of human creativity, experience, and ingenuity. It should enable people to do more, with less. 

But neither technology nor people can be a force multiplier on their own. It all comes back to the intersection of the two. Data is just data unless you can derive intelligence from it; tools are just tools unless you can leverage them to deliver outcomes. Shelfware has never made anyone secure.

Cybersecurity Technology Pitfalls 

Today, security programs are faced with a dilemma of not having enough people to tackle their greatest challenges, yet technology alone has not provided the level of efficacy to improve security programs. Without people, technology cannot: 

🚫 Understand unique organizational needs 

Company infrastructures are distinct. While many organizations have the same technical security controls or operate in the same industry, the ways the controls are implemented and operationalized, and the context of each infrastructure can differ greatly. Additionally, risk profiles and tolerance vary. External pressures may be different, driving additional bifurcation in how they approach a specific problem. Technology alone cannot identify these nuances and adjust. 

🚫 Continuously manage and operationalize itself 

Tools need to be run. The process of evaluating, implementing, and operationalizing technology requires humans. This process often takes focus away from defending against cyber attacks. When we have limited resources, we need to make sure they are focused on the right aspects of the greater mission.  

🚫 Support security programs in a cost-efficient way 

The security industry is crowded with technology vendors offering a wide range of solutions. Research platform CyberDB has compiled a list of cybersecurity vendors which includes 3,500 companies – just in the US. It has become difficult for security leaders to effectively implement supportive technologies in a cost-efficient way due to redundant functionality, gaps in coverage, and other challenges that come with the crowded market. 

The Spectrum of Cybersecurity Tools 

To truly understand the value of the intersection of technology and talent, it’s important to define the opposite ends of the spectrum – from traditional services/consulting firms to standalone technology platforms. 

  • Traditional Services/Consulting Firms: 
    • Expectations: A comfortable and trusting relationship with specific resources; easy to procure; professional services contracts are well understood; processes are easy to onboard and manage
    • Reality: Slow to scale; only as good as the consultant assigned; not maximizing the value; expensive; time consuming
  • Standalone Technology Platforms:
    • Expectations: All-in-one solution to a problem; use existing resources to manage the platform; low touch management
    • Reality: Lacks efficacy; purchased technologies do not meet expectations; requires dedicated resources to manage; opaque (“trust us it works”); operates without context specific to your business needs and risk profile 

So, how do you get the best of both worlds? 

Platform Driven, Human Delivered 

The solution to effectively execute the industry’s security missions with limited human capital lies within the combination of technology and talent. Together, they can be a force multiplier for the industry. 

At NetSPI we call this “platform driven, human delivered.” In our approach, we use technology to maximize human value by focusing human value on the right assets, at the right time. 

We “automate the automatable.” In other words, we leverage automation to handle mundane and repetitive tasks that take up valuable time for a human to perform. Take our three core services for example: 

Penetration Testing as a Service (PTaaS) 

The following features in Resolve™, our PTaaS platform, help to ensure our global pentesting team spends more time focused on higher severity issues like authentication, session management, and replicating real attacker behavior during our engagements.

  1. Processing scans on behalf of the pentesters. Using our correlation engine, we’re able to bring disparate scan outputs into one finding.
  2. Adding dimensions of data to findings, through Risk Scoring, to better prioritize their remediation.
  3. Report generation. Our consultants do all their testing within a process management workflow which allows them to simply generate a report at any point in the engagement.
  4. Process management. Deliver quality and consistency through workflow and process management automation, quality assurance, and communication. Adding automated components to these functions allows the pentesters to be more creative in their approaches and spend time finding higher severity findings. 

Attack Surface Management 

The following features of our attack surface management solution combine the power of technology and talent by:  

  1. Leveraging the cloud. We’ve taken our tools and techniques from over 20 years of external network penetration testing and are now utilizing the advancements in cloud technology to effectively scale that IP / knowledge capital.
  2. Continuous monitoring. Leveraging technology to continuously monitor clients’ known assets, ensure they are free from critical issues, and provide visibility into the parts of their attack surface they are unaware of.
  3. Using human input to determine signal vs. noise. In tandem, we utilize our human experts to parse and manage that data to extract “the signal from the noise” to help organizations understand what’s at risk and which exposures to prioritize.
  4. Making all the data available to clients in the platform so they can use it for analytics and pattern identification. 

Breach & Attack Simulation  

On average, NetSPI clients identify roughly 15% of the attack techniques we run in their environments – this includes security programs that have spent millions on controls. We automate the automatable by: 

  1. Connecting the execution of attacks in client environments with a NetSPI expert to help prioritize and get context into how we benchmark against industry peers.
  2. Automating attack plays that map back to the MITRE ATT&CK framework, paired with human expertise to help make informed prioritization decisions about the attack techniques most relevant to your business.
  3. Tracking ongoing improvements, or declines, in detection capabilities over time to empower defense teams to make the case for additional resources and shore up their defenses.

Becoming a Force Multiplier in Offensive Security 

As an industry, we need to take a step back and evaluate, “what do we need to do to protect ourselves?” What are our priorities? 

From an offensive security perspective, our clients have the need to identify all assets, identify vulnerabilities on those assets, and remediate them. No one person, nor one tool can achieve these goals. But together? The opportunity for success is exponential. 

After all, technology cannot solve our greatest cybersecurity challenges. People and technology can. 

Want to experience “platform driven, human delivered” offensive security solutions? Contact us.
(Post: The Intersection of Cybersecurity Technology and Talent, published 2022-08-02. Excerpt: Learn why technology and talent cannot succeed on their own and read examples of how the two create massive opportunity for the cybersecurity industry.)

Post published 2022-06-30:

On June 30, 2022, NetSPI Head of Product Cody Chamberlain was featured on the CyberWire Daily podcast. Read the summary below or listen to episode 1610 online (starts at 14:37).

+++

  • The two pillars of breach communications: There are things you have to do and things you should do when responding to clients. Empathy and transparency will be key in communicating with them.
  • Plan the work, work the plan: Building the incident response plan, knowing who to work with, and trusting the process will give you the confidence you need, so emotions are less likely to take over.
  • Empathize with clients: Being transparent with clients will appease their needs and worries.
(Post: The CyberWire: Cody Chamberlain on Breach Communication, published 2022-06-30)

Post published 2022-06-06:

On June 6, 2022, NetSPI Head of Product, Cody Chamberlain, was featured in an interview on TechStrong called Data Breach Communication – Cody Chamberlain, NetSPI. Read the summary below or listen to the interview online.

+++

Data breaches are occurring more frequently than ever before – even with the best security precautions in place. While a cyber-attack may be out of an organization’s control, one thing it can and should control is how it communicates a breach to involved parties. Cody Chamberlain, NetSPI Head of Product, discusses the three key elements to implementing a successful data breach communication strategy: an incident response plan, open communication, and transparency. 

(Post: Techstrong: Data Breach Communication – Cody Chamberlain, NetSPI, published 2022-06-06)

Post published 2022-05-23:

On May 23, 2022, NetSPI Head of Product, Cody Chamberlain, published an article in Security Magazine called The Do’s and Don’ts of Communicating a Data Breach. Preview the article below, or read the full article online.

+++

Data breaches are occurring more frequently than ever before, even when organizations have the best security precautions in place. According to the Identity Theft Resource Center’s 2021 Data Breach Report, data breaches rose 68% from the previous year, reaching the highest number ever reported. That said, while a cyberattack may be out of an organization’s control, one thing it can and should control is how it communicates a breach.

Many corporations have developed canned responses to breaches along the lines of “We identified a breach of our systems, and you have been identified as being impacted. Your security is of the utmost importance to us, so we’re providing you with free monitoring.” 

However, more sophisticated and impactful breaches need a more detailed response plan, one that focuses on getting systems back online and defines what steps the organization will take to prevent another breach from occurring. There are three key elements to implementing a successful data breach communication strategy: an incident response plan, consistent communication, and transparency.

Lean into the Incident Response Plan

An incident response plan is one of the most critical components of the customer notification process, as it enables an organization not only to acknowledge it has fallen victim to an attack, but also to take ownership and focus on the customer.

Following a data breach, the customer ultimately wants to know three things: if their data has been stolen, the risk to the data at the time of the incident, and if they need to take additional action with the government or law enforcement to assist in the investigation. 

The incident response plan should provide accurate and timely information that accounts for all these customer questions and keeps their best interests in mind. This plan must be communicated and adopted beyond security and IT teams by a crisis management team that extends across all departments. Every person in the communications chain must report their findings to the executive level for all angles and aspects of the breach to be considered. 

An organization must also proactively work with legal and finance teams to understand which regulatory bodies, government entities, and insurance agencies to notify. Once all information is made clear, the organization can convey the details of the incident to the customer in a quick and straightforward manner, and, in high-profile situations, present the case to the public. 

Read the full article online.

(Post: Security Magazine: The Do’s and Don’ts of Communicating a Data Breach, published 2022-05-23)

Webinar published 2022-02-21:

Security leaders today are experiencing change at a rate like never before. Whether they’re going through an acquisition, deploying a remote workforce, or migrating workloads to the cloud, change is inevitable and unknown assets are sure to exist on your network.

Detecting and preventing the unknown is no easy task. But what you don’t know can hurt you. So, how can we identify vulnerable exposures before adversaries do?

It’s time for organizations to master the art of attack surface management. How? By implementing a human-first, continuous, risk-based approach.

In this webinar, participants will learn:

  • What is attack surface management?
  • How cyber attack surface management fits into broader enterprise-wide vulnerability management efforts
  • How to improve your attack surface visibility with continuous penetration testing
  • Why a human-first approach is the future of attack surface monitoring
  • An introduction to NetSPI’s Attack Surface Management (ASM) solution and our ASM Operations Team
(Webinar: Mastering the Art of Attack Surface Management, published 2022-02-21)

Post published 2021-08-10:

Gartner anticipates that, by 2022, organizations that use a risk-based vulnerability management process will experience 80% fewer breaches. So, how can an organization make this shift and achieve a risk-based vulnerability management program? Two words: Risk scoring.

Leveraging risk scores for remediation prioritization and quantifying risk allows companies to prioritize budgets and resource allocation and focus on the security activities that could have the greatest impact to their business. And the idea of incorporating risk scoring intelligence to make the shift to a risk-based vulnerability management program is evolving. 

Through the collaboration of NetSPI’s development, engineering, and product teams, we’ve uncovered an accurate, data-driven methodology to calculate both aggregate and vulnerability risk scores using the data available from our penetration testing and vulnerability management platform, Resolve™. Let’s dig deeper.

What is risk scoring? 

In its most abstract form, risk is “the effect of uncertainty on objects involving exposure to danger.” At its foundation, cyber security risk is ultimately a function of (threat x vulnerability). While the definitions are helpful, it is important to look at your security program with a new lens and assess how your organization quantifies its risk – and is it even important to do so? Simply, the answer is yes. Quantifying and measuring cybersecurity risk is one of the most important components to a successful risk-based vulnerability management program.

The evolution of risk-based vulnerability management

Vulnerability incident resolution used to be reactive. Companies would wait for something to be exploited, then fix it. As IT systems became more integral to business operations, the need to be proactive in cyber defense became evident. Many tools have been developed that can hastily provide a list of vulnerabilities, but companies were quickly overwhelmed and overloaded with the number of identified vulnerabilities without direction or priority assigned for remediation. 

The introduction of Governance, Risk, and Compliance (GRC) software that could correlate all vulnerabilities aligned to business controls and identify the “true risks” to the company allowed some prioritization of risk. This management activity was done through technology in a system without human touch, lacking real world controls and exceptions. This caused the technologies to be complicated, difficult to implement, and to require extensive customization. The latest vulnerability management market entrants are touting their ability to utilize AI to try and predict an exploit before it ever happens. But organizations are spending a lot of money on this technology, and exploits are hard to predict. The usage of AI and other automated tools opaquely calculates the likelihood of a vulnerability exploit and offers limited customization to the companies using the technology.

Today, the gold standard is a risk-based vulnerability management program. One where we prioritize vulnerability remediation efforts based on the true risk it presents to your specific organization, as opposed to a program that focuses purely on compliance "check the box" activities or a program that is so overwhelmed it remediates vulnerabilities ad-hoc as they show up, as opposed to appropriately prioritizing them.

For more insights, watch our webinar: The Evolution of Risk-Based Vulnerability Management.

How to use your risk score metrics to help find, prioritize, and fix vulnerabilities

Risk scoring allows companies to manage their evolving attack surface unlike they were able to before. The first step is to develop a customized risk lifecycle that will be the foundation on which risk data is generated. This includes identifying both the external and internal threats and vulnerabilities, as well as the assets that could be attacked. The decision then must be made on the best course of treatment, with options including mitigating, transferring, or accepting the risk. 

Here are the seven factors that impact how risk scores are determined in our Resolve™ platform:

  • Impact – If this vulnerability were to be exploited, how severe would its impact be?
  • Likelihood – How likely is it that an attacker can and will attack this space? 
  • Environmental Modifiers – Think broadly about the asset and the environment in which the vulnerability is located.
  • Temporal Modifiers – Focuses on exploit code maturity, confidence, and remediation requirements. Temporal modifiers bring your risk score to life.
  • Industry Comparisons – How does your risk compare to other organizations or peers in your sector? 
  • Threat Actors – Are threat actors actively exploiting vulnerabilities present in your environment? 
  • Remediation Risk – Using the remediation SLAs available through PTaaS, all vulnerabilities are automatically assigned customizable due dates. Use remediation risk to determine your aggregates that require attention from a compliance perspective.

Vulnerability risk scoring is particularly beneficial in terms of remediation prioritization as it is calculated when you look at (vulnerability risk x the cost of resolution). If the vulnerability is deemed high severity, but the impact on your business is low (if exploited), the risk score would be on the lower side, and it may not be worth spending the money to fix it. And vice versa.

When it comes time to put your risk score to use, here are a few remediation considerations to keep in mind:

  • Prioritize – Prioritization is the most difficult part. Companies today can effectively identify vulnerabilities through penetration testing services, but how do they figure out which ones to fix first? What are the true risks to the business? This will vary depending on your business. 
  • Evaluate – Organizations must understand the efficacy of their risk mitigating controls. Manual pentesting and vulnerability scans still need to be done to validate your efforts are working as intended. 
  • Utilize the Data – Once you have a risk score, use it to validate and drive decisions around resource allocation, remediation prioritization, and spend validation, to track risk over time, to benchmark against your industry, and more.
  • Effectiveness – Are you on track to remediate your vulnerabilities before any threat materializes? Are your vulnerability and aggregate risk scores improving over time?

We see it every day. Companies are facing an immense number of vulnerabilities that humans have to manually sift through to assess and prioritize. Having a risk-based vulnerability management program in place allows organizations to identify, prioritize and remediate risks within their organization, saving time, headaches, and – perhaps most importantly – dollars in the end. 

(Post: The Secret to a Successful Risk-Based Vulnerability Management Program: Risk Scoring, published 2021-08-10. Excerpt: Learn why risk scoring can help organizations achieve a risk-based vulnerability management program and, in turn, experience 80% fewer breaches.)

Post published 2021-06-01:

A Bloomberg Intelligence report forecasts cybersecurity spend to exceed $200 billion a year by 2024, driven by “faster-than-expected adoption of cloud-based security.” Gartner, meanwhile, says the proportion of IT spend moving to the cloud will increase in the aftermath of the pandemic. And spending on cloud infrastructure such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and others reached $39.9 billion in the fourth quarter of 2020, up $10 billion from 2019.

Simply put, cloud is top of mind for all security professionals today, as it has become the natural way to add capacity or stand up new projects. The increased emphasis on cloud can be attributed to pandemic-driven demand to support remote working and learning, ecommerce, content streaming, online gaming, and collaboration, according to Canalys.

As cloud adoption accelerates (and shows no signs of slowing), there is no better time to take a deeper look at common cloud security challenges and learn how to modernize your cloud penetration testing efforts to mature your cloud security program effectively and efficiently.

5 common cloud security challenges and risks

  1. Managing cloud workloads deployed outside traditional security governance processes. Entire technology stacks are available to anyone with a credit card. Whether technology acquired outside your security governance processes, or Shadow IT, is deployed securely depends solely on how aware that business unit is of the project's security needs. If you can identify workloads deployed outside your IT environment, you can test those disparate environments to gain some assurance that they were deployed securely, while still supporting a business unit with unique needs that the traditional IT program may not meet.
  2. Resource asymmetry between attackers and defenders. Attackers are limited only by their persistence when attacking your cloud environment. Security teams, on the other hand, are constrained by budget, headcount, and a myriad of other challenges. A cloud configuration assessment that informs a penetration test lets you find the issues an attacker would find, but efficiently, in a way that maximizes your investment.
  3. A simple error can have a catastrophic impact. Traditional IT infrastructures are notoriously slow to adopt innovation but have the benefit of several layers of defense. Infrastructure-as-Code can deliver an entire data center's worth of capability from a single Python script, but one minor error in the deployment (a security group rule or storage bucket opened to 0.0.0.0/0, for example) can provide direct, internet-facing access to your environment.
  4. The cloud is evolving, and attackers are identifying novel attacks faster than the security industry is able to protect the attack surface. Cloud environments can be very complex, and providers like AWS, Azure, and Google Cloud release new capabilities so often that it is difficult for security to keep up. For example, in April 2021 AWS posted nearly 200 announcements about new capabilities, services, features, and region expansions. Two hundred announcements in a single month. There are not enough people with tenured, seasoned experience in deploying cloud workloads to do it securely. It’s no surprise that cloud security topped ISC2’s list of the most important skills needed to pursue a cybersecurity career.
  5. Lack of awareness that cloud security follows the shared responsibility model. It is right to trust cloud providers to secure aspects of your workloads; however, your security team retains significant responsibility for security as you migrate to the cloud. This concept is the shared responsibility model, and it varies by provider and by service type. Defining your responsibilities and your provider's is imperative for reducing the number and criticality of vulnerabilities introduced into your cloud environments. You can review the shared responsibility models for Microsoft, Amazon, and Google Cloud online.
[Figure: AWS shared responsibility model. The customer is responsible for security 'in' the cloud; AWS is responsible for security 'of' the cloud.]

How to modernize your cloud penetration testing efforts with configuration review

It can be difficult to understand the difference between testing an application that is hosted in a cloud environment and testing the environment in which an application is hosted. Both are vital.

While network penetration testing and application penetration testing focus on identifying vulnerabilities in a particular set of assets within an environment, cloud penetration testing requires a different approach. Because the cloud is an environment in itself, it is important to also look at the infrastructure supporting that environment, not solely the applications and assets deployed as part of the workload. Not only are you testing workloads; you also need to identify issues inherited from parent accounts and subscriptions, such as over-privileged IAM roles or privileged access to sensitive systems and data.

Most organizations test cloud environments the same way they have tested for years, which leaves a massive gap in attack surface visibility. If you want truly comprehensive testing, cloud configuration review should be a large component of your cloud penetration testing strategy.


A configuration review is used to inform a penetration test. If you approached cloud penetration testing the way you approach traditional application or network penetration testing, you would be blind to the configuration of the platform itself.

An analogy that works well for configuration review is a doctor’s visit. If you want a doctor to identify what is wrong with you in an hour-long visit, you have to tell them your symptoms, medical history, recent activity, and so on. Without that background, it would take excessive time and resources to run blood tests, x-rays, and the like just to gather the information needed to identify the potential issue. A configuration review is similar: it lets pentesters identify root issues efficiently, reaching the conclusions a malicious attacker would reach over the course of months or years. It allows pentesters to act as closely to an attacker as they can within the parameters of your security budget.

Configuration reviews also let testing teams give context to penetration test findings. Say you misconfigured a storage bucket. With a greater understanding of the configuration, you gain insight into the root cause of the critical vulnerabilities that misconfiguration produced. For example: “we found an issue with this storage bucket which allowed us to exploit _____ during the penetration test.”

Another emerging concept within modern cloud penetration testing is continuous testing and monitoring. Cloud environments are ephemeral (resources have short lifecycles), so we often hear the question: how useful is the information from a cloud penetration test if the environment keeps changing? If you are reviewing the configuration of your cloud platform to support penetration testing efforts, you have set the foundation for cloud security success. To address the ephemeral nature of the cloud, more frequent tests and continuous monitoring of the attack surface are key tactics for staying on top of newly introduced vulnerabilities.
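As an added example (not NetSPI's tooling, and not code from the original post), here is what a minimal configuration review looks like in Python. It covers the three classes of issue raised above: the one-line IaC error that opens an admin port to the internet, a storage bucket misconfiguration, and over-privileged IAM inherited from the parent account. A second snapshot is then diffed against the first to show the continuous-monitoring idea. The snapshot format is an assumed simplification modelled on AWS security groups, bucket policies and IAM policies, and every record in it is constructed.

```python
"""Configuration review over a constructed cloud account snapshot, plus a diff
between two snapshots to support continuous monitoring.

Added example: not NetSPI's tooling and not any provider's API. The snapshot
shape is an assumed simplification modelled on AWS security groups, S3 bucket
policies and IAM policies; every record in it is constructed for this example.
"""
import copy

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM
WORLD = {"0.0.0.0/0", "::/0"}
ALL_PORTS = (0, 65535)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_security_groups(groups):
    """Flag ingress rules exposing admin ports, or every port, to the internet."""
    out = []
    for sg in groups:
        for rule in sg["ingress"]:
            if rule["cidr"] not in WORLD:
                continue
            ports = (rule["from_port"], rule["to_port"])
            hit = sorted(p for p in ADMIN_PORTS if ports[0] <= p <= ports[1])
            if ports == ALL_PORTS or hit:
                out.append({
                    "key": f"sg:{sg['id']}:{rule['cidr']}:{ports[0]}-{ports[1]}",
                    "severity": "critical" if ports == ALL_PORTS else "high",
                    "issue": f"{sg['id']} allows {rule['cidr']} to "
                             + ("all ports" if ports == ALL_PORTS else f"admin ports {hit}"),
                })
    return out


def check_buckets(buckets):
    """Flag buckets whose policy grants anonymous principals with no public access block."""
    out = []
    for b in buckets:
        if b.get("public_access_block"):
            continue  # the block overrides the policy, so this bucket is not exposed
        for st in b.get("policy", []):
            principal = st.get("Principal")
            anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            if st.get("Effect") == "Allow" and anonymous:
                out.append({"key": f"bucket:{b['name']}:anonymous", "severity": "high",
                            "issue": f"bucket {b['name']} grants {_as_list(st['Action'])} to anyone"})
    return out


def check_iam(policies):
    """Flag Allow statements with a wildcard action on all resources (inherited admin)."""
    out = []
    for pol in policies:
        for st in pol["statements"]:
            actions = _as_list(st.get("Action", []))
            broad = any(a in ("*", "iam:*", "sts:*") for a in actions)
            if st.get("Effect") == "Allow" and broad and "*" in _as_list(st.get("Resource", [])):
                out.append({"key": f"iam:{pol['name']}:wildcard", "severity": "critical",
                            "issue": f"policy {pol['name']} allows {actions} on every resource"})
    return out


def review(snapshot):
    """Run every check; sort by key so two reviews can be compared line by line."""
    findings = (check_security_groups(snapshot["security_groups"])
                + check_buckets(snapshot["buckets"])
                + check_iam(snapshot["iam_policies"]))
    return sorted(findings, key=lambda f: f["key"])


def diff_findings(previous, current):
    """What is newly exposed and what was fixed since the last review."""
    prev, cur = {f["key"] for f in previous}, {f["key"] for f in current}
    return {"new": sorted(cur - prev), "resolved": sorted(prev - cur)}


# Constructed day-1 snapshot: SSH open to the world on the bastion, a public
# backup bucket, and a CI policy that is administrator in all but name.
DAY1 = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-bastion", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
        {"id": "sg-db", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    ],
    "buckets": [
        {"name": "backups", "public_access_block": False,
         "policy": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups/*"}]},
        {"name": "web-assets", "public_access_block": True,
         "policy": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::web-assets/*"}]},
    ],
    "iam_policies": [
        {"name": "ci-deploy", "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "log-reader", "statements": [{"Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"}]},
    ],
}

# Day 2: the bastion rule was fixed, but a new RDP host went up wide open.
DAY2 = copy.deepcopy(DAY1)
DAY2["security_groups"][1]["ingress"][0]["cidr"] = "203.0.113.0/24"
DAY2["security_groups"].append({"id": "sg-rdp", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 3389, "to_port": 3389}]})
```

`review(DAY1)` returns the three expected findings and nothing for `sg-web` (HTTPS to the world is intended), `sg-db` (internal range only) or `web-assets` (public policy, but blocked). `diff_findings(review(DAY1), review(DAY2))` reports the bastion fix as resolved and the new RDP exposure as new, which is exactly the signal a more frequent, diff-based test gives you that a point-in-time report cannot. The stable `key` per finding is what makes the diff possible, so choose it from identifiers that survive redeploys.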

Final thoughts

There is no better time than now to bring your security testing and cloud teams together to talk about what cloud testing means for your organization. When configuration review is included, cloud penetration testing allows you not only to test for vulnerabilities, but also to build an inventory of your cloud workloads, understand what data lives in those workloads, and develop your testing plan for cloud-based applications.

Source: Overcome Cloud Security Challenges with Purpose-Built Cloud Penetration Testing, https://www.netspi.com/?p=25477 (published 2021-06-01)

Webinar: The Evolution of Risk-Based Vulnerability Management
Published 2021-05-13

Over time, changes in how we view cybersecurity risk have reshaped the penetration testing industry. What was once a static laundry list of vulnerabilities to remediate is now a risk-based vulnerability management program. Modern penetration testing should provide more than a list of vulnerabilities. To be effective, it must guide organizations to prioritize the vulnerabilities, assets, networks, and so on that pose the highest risk to the business.

In this webinar, NetSPI’s product team, Jake Reynolds and Cody Chamberlain, will discuss:

  • How risk has evolved in penetration testing  
  • The role of risk scoring in intelligent prioritization of security activities  
  • The factors that impact a risk score 
  • Pragmatic steps to take after you receive a risk score
Source: The Evolution of Risk-Based Vulnerability Management (webinar), https://www.netspi.com/?post_type=webinars&p=25368 (published 2021-05-13)

Build Strong Relationships Between Development and Application Security Teams to Find and Fix Vulnerabilities Faster
Published 2021-02-02

It’s simple in theory: finding, fixing, and even preventing vulnerabilities is a shared responsibility between security and development teams. That said, silos still exist between DevOps and application security teams. DevSecOps, which symbolically puts security at the center, is a great theory but is only effective if these groups work together to develop the people, process, and technology needed to succeed.

In fact, a recent Ponemon Institute Research report shows that 71 percent of AppSec professionals believe security is undermined by developers who don’t include proper security functionality early in the software development life cycle (SDLC). That statistic, to me, shows that there is a substantial divide between development and security teams, a divide that can (and should) be overcome. It’s not surprising, though, that these divides exist, considering how teams are spread thinner every day while aiming to increase release velocity. If we are going to solve these problems, we need to focus on creating human connections across teams; then a DevSecOps mentality will become not just policy, but also culture.

Come together by understanding motivations

In my experience, developers and security personnel don’t think that differently. They just have different incentives. Developers work to move through the SDLC quickly to get applications launched. Security teams, on the other hand, are incentivized to make the SDLC process as secure as possible, which is oftentimes viewed as slowing down progress by adding non-functional security requirements. If this is the viewpoint, it is no wonder that the groups may be at odds. Human relationships – even in the work environment – need to find common ground.

One of the best books I’ve read is Hit Refresh, the New York Times bestseller about the transformation happening inside Microsoft, from its CEO Satya Nadella. As Satya describes, “It’s about how people, organizations, and societies can, and must, transform and “hit refresh” in their persistent quest for new energy, new ideas, and continued relevance and renewal.” He is able to achieve this “refresh” he describes by being “out in the world, meeting people where they live and seeing how the technology we create affects their daily activities.” I believe in this philosophy and it has direct parallels to how we work in security.

Empathy for our colleagues and the relationships we develop with them is critical to achieving success within organizations because we can understand how the policies and procedures we develop impact their work and why the outcomes we expect often don’t materialize. Some may view empathy as letting people off the hook for not performing a specific task. But it’s important to connect empathy with accountability. By understanding the needs and incentives of our peers, we develop policies and procedures that are fair and transparent. Holding each other accountable is not only fair, but expected – as a result, security and development teams will uncover creative ways to collaborate to ultimately achieve overlapping goals, faster and with less friction.

Simple steps to start building a strong and productive relationship between development and security teams are:

  • Spend time connecting with people – A Journal of Experimental Social Psychology study, reported in the Harvard Business Review, found face-to-face requests to be 34 times more successful than email. Meeting in person also provides a forum to develop a mutual understanding of each team’s incentives and mission. If you are working remotely, set up a video conference between the security and development teams.
  • Create processes together – Development and security teams often build processes separately, in silos. Coming together at the start helps to develop realistic and cohesive goals, processes, and metrics. Each team can also make the case for support, including financial or budget support, on behalf of the other. There have been times in my career when I was able to secure additional budget or resources on behalf of infrastructure or development teams so they could support a specific security initiative.
    • “What do you need to effectively support this? I’ll do my best to include it in the project budget.”
  • In a ticket-driven world, cleanup is essential – Stacks and stacks of IT tickets reporting vulnerabilities will never motivate an already stressed development team, especially if they have not been deduplicated and scrubbed of false positives. Taking the time to clean up this process shows developers that the security team does not want to waste their time, respects its SDLC counterparts, and wants to get to the root of vulnerability issues quickly, particularly high-severity ones. Tickets are important for tracking and accountability, but let’s make sure we’re giving the right information to the right person at the right time.
  • Leverage automation, in combination with manual pentesting – An effective, reimagined AppSec program includes manual penetration testing and secure code review augmented by automated vulnerability discovery tools deployed at various phases of the SDLC. Shifting to this mindset takes collaboration and commitment across the DevSecOps teams.
    • “What tools make the most sense and how can we maximize the value of existing investments?”
    • “What is the roadmap for the development team and how do we ensure we can grow together?”
  • Bring empathy to the situation to have credible conversations – Openness and a safe space to say “I don't know, but I’ll get the answers” go far in building a strong DevSecOps team. At the end of the day, we’re all supporting the same business and striving for excellence. Let’s work smart, lead with integrity, and treat each other with respect to ensure we meet that end goal and, hopefully, have a little fun along the way.

Security has come to be expected as an emergent property of software. With Continuous Integration/Continuous Deployment (CI/CD) being adopted more and more, development and security teams must come together, bringing empathy, accountability, and collaboration into the process and working toward the same goal with transparency. When they do, I’m confident that DevSecOps can become the norm.

Source: Build Strong Relationships Between Development and Application Security Teams to Find and Fix Vulnerabilities Faster, https://www.netspi.com/?p=23133 (published 2021-02-02)

The Intersection of Cybersecurity Technology and Talent
Published 2022-08-02

NetSPI CEO Aaron Shilts recently wrote an article that centered around this powerful statement: Technology cannot solve our greatest cybersecurity challenges. People can.  

As Head of Product, this statement gave me a critical opportunity to pause and reflect on my team’s purpose and ask, “What is the true intent of our technology innovation?” 

The answer was abundantly clear: Technology should empower people and maximize the value of human creativity, experience, and ingenuity. It should enable people to do more, with less. 

But it is not possible for technology nor people to be a force multiplier on their own. It all comes back to the intersection of the two. Data is just data unless you can derive intelligence from it, tools are just tools unless you can leverage them to deliver outcomes. Shelfware has never made anyone secure. 

Cybersecurity Technology Pitfalls 

Today, security programs face a dilemma: they do not have enough people to tackle their greatest challenges, yet technology alone has not delivered the efficacy needed to improve those programs. Without people, technology cannot:

🚫 Understand unique organizational needs 

Company infrastructures are distinct. While many organizations have the same technical security controls or operate in the same industry, the ways the controls are implemented and operationalized, and the context of each infrastructure can differ greatly. Additionally, risk profiles and tolerance vary. External pressures may be different, driving additional bifurcation in how they approach a specific problem. Technology alone cannot identify these nuances and adjust. 

🚫 Continuously manage and operationalize itself 

Tools need to be run. The process of evaluating, implementing, and operationalizing technology requires humans. This process often takes focus away from defending against cyber attacks. When we have limited resources, we need to make sure they are focused on the right aspects of the greater mission.  

🚫 Support security programs in a cost-efficient way 

The security industry is crowded with technology vendors offering a wide range of solutions. Research platform CyberDB has compiled a list of cybersecurity vendors which includes 3,500 companies – just in the US. It has become difficult for security leaders to effectively implement supportive technologies in a cost-efficient way due to redundant functionality, gaps in coverage, and other challenges that come with the crowded market. 

The Spectrum of Cybersecurity Tools 

To truly understand the value of the intersection of technology and talent, it’s important to define the opposite ends of the spectrum – from traditional services/consulting firms to standalone technology platforms. 

  • Traditional Services/Consulting Firms: 
    • Expectations: A comfortable and trusting relationship with specific resources; easy to procure; professional services contracts are well understood; processes are easy to onboard and manage
    • Reality: Slow to scale; only as good as the consultant assigned; not maximizing the value; expensive; time consuming
  • Standalone Technology Platforms:
    • Expectations: All-in-one solution to a problem; use existing resources to manage the platform; low touch management
    • Reality: Lacks efficacy; purchased technologies do not meet expectations; requires dedicated resources to manage; opaque (“trust us it works”); operates without context specific to your business needs and risk profile 

So, how do you get the best of both worlds? 

Platform Driven, Human Delivered 

The solution to effectively execute the industry’s security missions with limited human capital lies within the combination of technology and talent. Together, they can be a force multiplier for the industry. 

At NetSPI we call this “platform driven, human delivered.” In our approach, we use technology to maximize human value by focusing human value on the right assets, at the right time. 

We “automate the automatable.” In other words, we leverage automation to handle mundane and repetitive tasks that take up valuable time for a human to perform. Take our three core services for example: 

Penetration Testing as a Service (PTaaS) 

The following features in Resolve™, our PTaaS platform, help ensure our global pentesting team spends more time on higher-severity issues like authentication and session management, and on replicating real attacker behavior during engagements.

  1. Processing scans on behalf of the pentesters. Using our correlation engine, we bring disparate scan outputs together into a single finding.
  2. Adding dimensions of data to findings, with Risk Scoring, to help prioritize remediation.
  3. Report generation. Our consultants do all of their testing within a process management workflow, which lets them generate a report at any point in the engagement.
  4. Process management. We deliver quality and consistency through workflow and process management automation, quality assurance, and communication. Automating these functions lets pentesters be more creative in their approaches and spend their time on higher-severity findings.
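As an added example (not the Resolve correlation engine, and not code from the original post), the Python below shows the kind of correlation step item 1 describes, and the deduplication and false-positive removal that the DevSecOps post above asks for before tickets reach developers. The two scanner record formats, the sample records and the suppression list are constructed for this example; the CVE identifier is a real public one used only as a signature.

```python
"""Correlate raw output from two scanners into one finding per asset and issue.

This is an added example, not NetSPI's Resolve correlation engine. The two
scanner record formats, the sample records and the suppression list are
constructed for this example; the CVE identifier is a real, public one.
"""

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_netscan(rec):
    """Assumed network-scanner format: host, proto, port, plugin, optional CVEs."""
    signature = rec["cves"][0] if rec.get("cves") else f"plugin:{rec['plugin_id']}"
    return {"asset": rec["host"], "service": f"{rec['proto']}/{rec['port']}",
            "signature": signature, "severity": rec["risk"].lower(),
            "source": "netscan", "evidence": rec["output"]}


def normalize_webscan(rec):
    """Assumed web-scanner format: URL-based, with a CVE or a named check."""
    host = rec["url"].split("/")[2].split(":")[0]
    port = 443 if rec["url"].startswith("https://") else 80
    return {"asset": host, "service": f"tcp/{port}",
            "signature": rec.get("cve") or f"check:{rec['check']}",
            "severity": rec["severity"].lower(), "source": "webscan",
            "evidence": rec["url"]}


def correlate(records, suppressions=()):
    """Merge normalized records keyed on (asset, service, signature).

    Keeps the highest severity any scanner reported, records which scanners
    corroborate the issue, collects all evidence, and drops keys that a
    human has marked as false positives.
    """
    merged = {}
    for r in records:
        key = (r["asset"], r["service"], r["signature"])
        if key in suppressions:
            continue
        f = merged.setdefault(key, {"asset": r["asset"], "service": r["service"],
                                    "signature": r["signature"], "severity": "info",
                                    "sources": set(), "evidence": []})
        if SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[f["severity"]]:
            f["severity"] = r["severity"]
        f["sources"].add(r["source"])
        f["evidence"].append(r["evidence"])
    return sorted(merged.values(),
                  key=lambda f: (-SEVERITY_RANK[f["severity"]], f["asset"], f["signature"]))


def ticket_title(f):
    """One ticket per correlated finding, with corroboration visible in the title."""
    return (f"[{f['severity'].upper()}] {f['signature']} on {f['asset']} {f['service']} "
            f"({len(f['sources'])} scanner(s), {len(f['evidence'])} raw hits)")


# Constructed raw records: one Log4Shell hit reported three times across two
# scanners, a low-severity certificate issue, a web-only medium, and a known
# false positive on a honeypot that the team has suppressed.
NETSCAN_RAW = [
    {"host": "app1.example.com", "proto": "tcp", "port": 443, "plugin_id": "log4j-jndi",
     "risk": "High", "cves": ["CVE-2021-44228"], "output": "JNDI lookup produced DNS callback"},
    {"host": "app1.example.com", "proto": "tcp", "port": 443, "plugin_id": "log4j-jndi",
     "risk": "High", "cves": ["CVE-2021-44228"], "output": "re-scan: callback reproduced"},
    {"host": "app1.example.com", "proto": "tcp", "port": 443, "plugin_id": "ssl-self-signed",
     "risk": "Low", "cves": [], "output": "self-signed certificate"},
    {"host": "honeypot.example.com", "proto": "tcp", "port": 22, "plugin_id": "ssh-user-enum",
     "risk": "Medium", "cves": [], "output": "timing difference on username"},
]
WEBSCAN_RAW = [
    {"url": "https://app1.example.com/api/login", "check": "log4j-rce",
     "cve": "CVE-2021-44228", "severity": "Critical"},
    {"url": "https://app1.example.com/search?q=", "check": "reflected-xss",
     "cve": None, "severity": "Medium"},
]
SUPPRESSIONS = {("honeypot.example.com", "tcp/22", "plugin:ssh-user-enum")}
RAW = [normalize_netscan(r) for r in NETSCAN_RAW] + [normalize_webscan(r) for r in WEBSCAN_RAW]

if __name__ == "__main__":
    for f in correlate(RAW, SUPPRESSIONS):
        print(ticket_title(f))
```

Six raw records become three tickets. The Log4Shell finding carries the web scanner's critical rating, lists both scanners as corroborating sources and keeps all three pieces of evidence, the honeypot record never reaches a developer, and the sort puts the critical item first. The suppression list is the human-in-the-loop part: a false positive is marked once, by key, and stays out of every later run.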

Attack Surface Management 

The following features of our attack surface management solution combine the power of technology and talent by:  

  1. Leveraging the cloud. We’ve taken our tools and techniques from over 20 years of external network penetration testing and are now utilizing the advancements in cloud technology to effectively scale that IP / knowledge capital.
  2. Continuous monitoring. We use technology to continuously monitor clients' known assets and ensure they are free from critical issues, and to provide visibility into the parts of their attack surface they are unaware of.
  3. Using human input to determine signal vs. noise. In tandem, we utilize our human experts to parse and manage that data to extract “the signal from the noise” to help organizations understand what’s at risk and which exposures to prioritize.
  4. Making all the data available to clients in the platform so they can use it for analytics and pattern identification. 

Breach & Attack Simulation  

On average, NetSPI clients detect roughly 15% of the attack techniques we run in their environments, and that includes security programs that have spent millions on controls. We automate the automatable by:

  1. Connecting the execution of attacks in client environments with a NetSPI expert who helps prioritize and provides context on how you benchmark against industry peers.
  2. Automating attack plays that map back to the MITRE ATT&CK framework, paired with human expertise, to help make informed prioritization decisions about the attack techniques most relevant to your business.
  3. Tracking improvements, or regressions, in detection capabilities over time to empower defense teams to make the case for additional resources and shore up their defenses.

Becoming a Force Multiplier in Offensive Security 

As an industry, we need to take a step back and evaluate, “what do we need to do to protect ourselves?” What are our priorities? 

From an offensive security perspective, our clients have the need to identify all assets, identify vulnerabilities on those assets, and remediate them. No one person, nor one tool can achieve these goals. But together? The opportunity for success is exponential. 

After all, technology cannot solve our greatest cybersecurity challenges. People and technology can. 

Want to experience “platform driven, human delivered” offensive security solutions? Contact us.
Source: The Intersection of Cybersecurity Technology and Talent, https://www.netspi.com/?p=28127 (published 2022-08-02)