Inside CAASM: Q&A with NetSPI Leadership
Hear from NetSPI leadership about the recent acquisition of Hubble’s cyber asset attack surface management (CAASM) solution. Aaron Shilts, CEO at NetSPI, is joined by Tom Parker, founder and CEO at Hubble (and new NetSPI Chief Technology Officer!) to discuss integrating the cutting-edge CAASM technology with NetSPI’s proactive security solutions all under one platform. Learn how the combination of attack surface management (ASM) plus CAASM unlocks visibility and prioritization like no other solution on the market.
What’s the most exciting aspect of bringing NetSPI and Hubble together?
Tom: I’ve spent much of my career in security consulting, so this is a full-circle moment. Back in the day, I was a security researcher and a pentester, with multiple CVEs next to my name. I started Hubble because it addressed one of the biggest challenges I found as an advisor to CISOs, and as a CISO myself: lack of visibility. Fortune 500 customers I worked with universally struggled to manage and remediate vulnerabilities and other security issues because of a lack of visibility in their environment. Now we’re able to bring that technology to NetSPI, a rapidly evolving business that is leading the charge in technology-led cybersecurity offerings. That’s very exciting for me.
Aaron: For us, we’ve been on this journey from traditional pentesting to technology-enabled proactive security, integrating more technology into the services we deliver to drive efficiency and generate better outcomes. We’ve had a good view of the external and cloud attack surfaces, but we need to help our customers understand the entire IT estate.
Understanding and seeing the entire cyber asset estate, including internal, is vitally important.
This has been a problem for a long time; I remember discussing it in the industry 20 years ago. We are at an inflection point where all the products customers use must have better integrations than ever before, making it easier to get visibility across technologies. We’re excited to have greater visibility and to start to fuse all the vulnerability information we have together.
Tom: Ten or 15 years ago, what we built wouldn’t have been possible because the technologies found in enterprise environments were largely siloed, self-enclosed systems which, for example, lacked APIs and other methods to integrate with them. Accessing that data was difficult. Now, we live in an ecosystem of technologies that are API-driven and generally play better with other vendors. Bringing data sets together, from existing technologies across your environment, and enabling decision-making on that data has suddenly become possible. Bringing our companies together, integrating independently powerful data sets from NetSPI’s base offerings, pentesting as a service (PTaaS), ASM, and breach and attack simulation (BAS), plus the CAASM capabilities that Hubble brings is a really exciting proposition.
How does the pairing of NetSPI and Hubble enhance NetSPI’s overall capabilities?
Aaron: The enhancements from coming together as an organization create a one-plus-one-equals-three scenario. It’s a force multiplier. Furthering our mission to bring more technology to the proactive security landscape is important. Tom shares our vision of the intersection of technology and talent and the importance of the human element. The industry struggles with visibility and understanding of what they have. Many folks say they have maybe 80% visibility on the endpoint side but don’t know about the remaining 20% and the vulnerabilities there, which is concerning to our customers. Providing them with greater visibility through modern integrations is exciting.
Fusing together our attack surface, vulnerability, and breach and attack simulation (BAS) intelligence into one platform is groundbreaking. We aren’t seeing holistic capabilities like this in the industry, and we can offer our customers something truly innovative.
Tom: The security industry is notoriously guilty of creating siloed solutions — capabilities that address only a small part of the problem. It’s often up to the customer to figure out how to integrate them, which is why the consulting industry gets paid so much to integrate those technologies, in other words, creating a “single pane of glass.” That’s not the way it should be.
Over the last five years, when I’ve chatted with customers, the top three problems in security almost always include visibility. When I ask what they are doing about it, the response is often that it’s too hard. Well, it’s not too hard anymore. Between our capabilities, we can bring a holistic solution together, providing inside-out and outside-in visibility. With the coming together of our companies, there are no more excuses not to address this systemic issue once and for all.
“Between our two capabilities, we can bring a holistic solution together, providing inside-out and outside-in visibility.”
Tom Parker, founder and CEO at Hubble (now CTO at NetSPI)
One of the things that has changed in the last decade is the abundance of data. We’ve had the data needed to answer these questions for a long time. It’s just been a matter of bringing that information together and making it useful for the end user to drive whatever the use case might be.
Aaron: I agree, and it’s incumbent on us to help organizations bridge the gap between their IT and security teams. Often, the security team feels they don’t get what they need from the IT team in terms of visibility, and the IT team thinks the problem is too big to solve. We are in a good position to bring technology that can help bridge that gap for them.
“It’s incumbent on us to help organizations bridge the gap between their IT and security teams”
Aaron Shilts, CEO at NetSPI
Tom: This speaks to the age-old challenge: if you talk to your network team, they’ll give you one number of assets; talk to your workstation team, and you’ll get a different number; talk to your cloud team, and you’ll get yet another number. Bringing together all these different disciplines and data sources means that, for the first time, organizations can have one answer on how many assets they have — not just network-connected devices, but also user devices, BYOD, applications, vendors, and more.
Aaron: The heart of the technology you built at Hubble is about correlation and deduplication, just figuring out how to pull this data together. How do you go about that journey as you’re building it and thinking about what that engine should look like? It’s a big challenge.
Tom: Data quality was always the most important thing for us when we were first building Hubble. We knew that we could have the best user interface, but if the data couldn’t be trusted, no one would use the product. Especially now, as we’re entering an age of hyper-automation, leveraging technologies that make use of machine learning and AI, quality data sets to drive decision making has never been more important.
You don’t want a chatbot that gives you answers based on poor datasets. Things will break and people will make bad decisions. So, the quality of that data was of utmost importance for us. The problem we knew we had to solve was how do we bring data together from potentially dozens of sources, knowing that a lot of source data may not be accurate, would contain duplicates, or may not be complete. How do we scrub that data? How do we fill in the gaps with other data sources? How do we make sure we’re only using the data fields that are the most important and the most trusted, and giving customers the cleanest, most trusted view of truth available in the market? No one else is really doing what we’re doing together.
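As an added illustration of the correlation and deduplication problem Tom describes (this is example code, not Hubble’s or NetSPI’s engine), the block below takes records from several inventory exports, normalises them onto a common join key, merges fields by a per-source trust order, and then reports hosts that an endpoint control has never seen. The source names, hostnames, addresses and trust policy are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample inventory exports; source names, hosts and addresses are hypothetical.
RECORDS = [
    {"source": "cmdb", "hostname": "WEB01.corp.example", "ip": "10.0.0.5", "owner": "platform-team"},
    {"source": "edr", "hostname": "web01", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01"},
    {"source": "cloud", "hostname": "web01", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01", "owner": "unknown"},
    {"source": "cmdb", "hostname": "db02", "ip": "10.0.0.9", "owner": "data-team"},
    {"source": "cloud", "hostname": "db02.corp.example", "ip": "10.0.0.9"},
    {"source": "edr", "hostname": "lt-1234", "ip": "10.1.0.7", "mac": "aa:bb:cc:00:00:09"},
]

# Per-field trust order, most trusted source first (an assumed policy, not Hubble's).
FIELD_TRUST = {
    "owner": ["cmdb", "cloud"],
    "ip": ["edr", "cloud", "cmdb"],
    "mac": ["edr", "cloud"],
}

def normalise(rec):
    """Lower-case the hostname and drop the DNS suffix so sources agree on the join key."""
    rec = dict(rec)
    rec["hostname"] = rec["hostname"].lower().split(".")[0]
    return rec

def correlate(records):
    """Group records by normalised hostname, then take each field from the most trusted source that has it."""
    groups = defaultdict(list)
    for rec in map(normalise, records):
        groups[rec["hostname"]].append(rec)
    assets = {}
    for host, recs in groups.items():
        merged = {"hostname": host, "sources": sorted({r["source"] for r in recs})}
        for fld, order in FIELD_TRUST.items():
            for src in order:
                hit = next((r for r in recs if r["source"] == src and fld in r), None)
                if hit is not None:
                    merged[fld] = hit[fld]
                    break
        assets[host] = merged
    return assets

def missing_coverage(assets, control_source="edr"):
    """Hosts seen by any source but absent from the control's own inventory (e.g. no EDR agent)."""
    return sorted(h for h, a in assets.items() if control_source not in a["sources"])

if __name__ == "__main__":
    inventory = correlate(RECORDS)
    print(f"{len(inventory)} unique assets; missing endpoint coverage: {missing_coverage(inventory)}")
```

A real engine would also match on MAC, cloud instance ID or agent ID rather than hostname alone, but the shape is the same: a stable key, a trust order per field, and a gap report driven off the merged view.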
What is CAASM and why is Hubble’s solution unique?
Tom: CAASM has joined the long list of security alphabet soup that we’re faced with on a daily basis. The term CAASM was initially popularized by a Gartner Hype Cycle, and even then, the market lacked a clear definition of what CAASM actually is. Essentially, for most organizations, CAASM is an inventory of assets that enables cybersecurity practitioners with asset data to drive cybersecurity decision making. The notion was that legacy configuration management database (CMDB) technologies weren’t sufficient in providing security teams with what they needed. Those use cases were largely based in the security operations environment. When CAASM was first coined, the extent of what security organizations really need was not fully realized, for example the idea of integrated posture management capabilities wasn’t really a thing. The problem with the direction it’s gone in now is that certain CAASM vendors are more focused on posture management, some on cloud, and some on on-prem visibility and lack a holistic view of assets.
What I’m really excited about coming together with NetSPI is that we’re able to answer that question in a much more holistic way, providing a capability that is far superior to other CAASM vendors. I’ve always said to customers that Hubble is an asset intelligence platform. If you think about the way that you operationalize threat intelligence to drive decision-making — I have a threat actor, these are the malware samples associated with that threat actor. How can I operationalize that information and drive decision-making to make my organization more secure? It’s the same use case with asset intelligence and I see CAASM as a subset of that. I always like to think bigger than where the industry is in terms of the status quo. CAASM is important, but I think there are extensions to this that go beyond most CAASM solutions in the market.
Without that visibility, it’s a big problem for the CISO/CSO. For them to get a holistic end-to-end view of their security posture without a capability like our joint offering, they should be able to go into one dashboard and understand everything about their security posture. Without it, they’ll likely have to create busy work for their teams, who will then have to go to different product dashboards and try to merge that data together manually. It’s highly inefficient and prone to error, creating risk.
The big message I have for existing and potential customers is that we’re going to drive efficiency in your security programs. We’re going to help you eliminate previously unknown risks, by providing an unmatched view into your assets and your security posture. We’ll be bringing in data from your pentest reports, your BAS and ASM tools, all under one roof, to drive decision-making. For the first time, CISOs can have the confidence that what they’re looking at really represents a full picture of their environment.
“We’re going to drive efficiency in your security programs. We’re going to help you eliminate previously unknown risks by providing an unmatched view into your assets and your security posture”
Tom Parker, founder and CEO at Hubble (now CTO at NetSPI)
How do CAASM and EASM work together to help prioritize issues?
Tom: I often talk to customers about security being a scale issue. We never have enough people, and there’s a massive talent shortage globally, not just for security, but for IT as well. To counter that scale issue, being able to rapidly understand the role of an asset (or asset context) is very important. We need to understand where our most critical assets are, combined with a threat model, to understand what could hurt the organization the most. Hubble has a unique capability for that, enabling customers to understand the context of an asset.
What I mean by that is not just a spreadsheet in the cloud like some of the CAASM providers offer. Rather, how does that asset relate to other things in the environment? If I’m concerned about a user, what does that user have access to? What could the blast radius be if there’s a critical vulnerability that’s identified? I have a thousand systems in my environment with that vulnerability. Where do I start? I have five people on my security team — they can’t possibly fix everything all at once. So, where do I need to focus? Together, we’re able to help customers prioritize and say, “Hey, you’re missing these critical security controls on the 5% of the systems that have the highest risk.” That’s game-changing for security teams. Without context, you’re unable to do that.
What can NetSPI customers expect from a technology perspective over the next six to 12 months?
Tom: Independently we both bring strong capabilities through penetration testing and Hubble’s CAASM offering. It’s going to become a powerhouse under The Platform that NetSPI announced just last month. I’m excited to see all those capabilities coming under one roof, so that customers can see that in a product-led fashion, and still have access to the same extremely high-quality penetration testing teams and security professionals employed by NetSPI.
We’re not going to stop here. We’re going to continue to build and add capabilities. And I think there are a lot of opportunities in the market as we start to see consolidation in the market platform of security.
Aaron: You mentioned how common technology silos are in this industry. I think it’s incumbent on us to ensure we don’t have our own silos and bring this together under one interface for our customers to find value. Fusing the data to build some of the advanced use cases like blast radius and other aspects could be really exciting.
Tom: I’ve spent the last 20 years of my career seeing acquisitions done well and not so well. We’re being very thoughtful about the way we bring these capabilities together. What customers are going to see is not only our existing capabilities becoming stronger, but also the combined capabilities under a single platform to become something unique in the market.
How have you seen CAASM benefit customers in the past?
Tom: Hearing feedback from customers is one of the things that keep us going as founders and entrepreneurs. One of my favorite success stories with a customer was when they were investing in an endpoint provider. They believed that they had complete coverage in their environment and needed to bring us in to validate their security controls.
Through bringing together external and internal data sets, we showed where they were missing critical controls like endpoint coverage and where external assets were sitting in the cloud. We showed them where those went inside the network and who the owners of those assets were. We showed which organizations were responsible for those assets by bringing other data sets together. When you start a company and you have an idea for a technology, you have a thesis, and you hope that it works out. It’s not until you start getting that customer feedback that you start realizing you’re on to something rewarding.
This happened a couple of years ago now, but that was one of our watershed moments where we saw there was a problem, and we had technology that was proven to work at scale. It takes meaningful risk off the table for our customers. That use case is repeated time and time again because it’s a theme that we’ve leaned into.
What do you think is the real value that we bring to existing customers as we integrate our solutions?
Tom: As a former CISO, I would be most excited about this because instead of having to go to lots of different vendors for various components of my program and figuring out how to integrate it all, I can now go to a single leader in the market that has acquired another leading capability and get a holistic, fully integrated attack surface management solution.
Aaron: Yeah, I agree. Fusing this data in a way no one else does allows us to drive advanced use cases and provide insights beyond simple visibility, which I think will become table stakes in the coming years. It will provide much more advanced views for our customers and their security posture.
Watch the full conversation between Tom and Aaron to learn more about NetSPI’s new CAASM capabilities. If visibility of assets and prioritization of efforts is a thorn in your side, reach out to NetSPI for a demo. Our team’s deep expertise, intelligent process, and advanced technology will level up your approach to security no matter where you’re at today. Contact us to get started.