NetSPI CEO Aaron Shilts recently wrote an article that centered around this powerful statement: Technology cannot solve our greatest cybersecurity challenges. People can.
As Head of Product, this statement gave me a critical opportunity to pause and reflect on my team’s purpose and ask, “What is the true intent of our technology innovation?”
The answer was abundantly clear: Technology should empower people and maximize the value of human creativity, experience, and ingenuity. It should enable people to do more, with less.
But it is not possible for technology nor people to be a force multiplier on their own. It all comes back to the intersection of the two. Data is just data unless you can derive intelligence from it, tools are just tools unless you can leverage them to deliver outcomes. Shelfware has never made anyone secure.
Cybersecurity Technology Pitfalls
Today, security programs are faced with a dilemma of not having enough people to tackle their greatest challenges, yet technology alone has not provided the level of efficacy to improve security programs. Without people, technology cannot:
🚫 Understand unique organizational needs
Company infrastructures are distinct. While many organizations have the same technical security controls or operate in the same industry, the ways the controls are implemented and operationalized, and the context of each infrastructure can differ greatly. Additionally, risk profiles and tolerance vary. External pressures may be different, driving additional bifurcation in how they approach a specific problem. Technology alone cannot identify these nuances and adjust.
🚫 Continuously manage and operationalize itself
Tools need to be run. The process of evaluating, implementing, and operationalizing technology requires humans. This process often takes focus away from defending against cyber attacks. When we have limited resources, we need to make sure they are focused on the right aspects of the greater mission.
🚫 Support security programs in a cost-efficient way
The security industry is crowded with technology vendors offering a wide range of solutions. Research platform CyberDB has compiled a list of cybersecurity vendors which includes 3,500 companies – just in the US. It has become difficult for security leaders to effectively implement supportive technologies in a cost-efficient way due to redundant functionality, gaps in coverage, and other challenges that come with the crowded market.
The Spectrum of Cybersecurity Tools
To truly understand the value of the intersection of technology and talent, it’s important to define the opposite ends of the spectrum – from traditional services/consulting firms to standalone technology platforms.
- Traditional Services/Consulting Firms:
- Expectations: A comfortable and trusting relationship with specific resources; easy to procure; professional services contracts are well understood; processes are easy to onboard and manage
- Reality: Slow to scale; only as good as the consultant assigned; not maximizing the value; expensive; time consuming
- Standalone Technology Platforms:
- Expectations: All-in-one solution to a problem; use existing resources to manage the platform; low touch management
- Reality: Lacks efficacy; purchased technologies do not meet expectations; requires dedicated resources to manage; opaque (“trust us it works”); operates without context specific to your business needs and risk profile
So, how do you get the best of both worlds?
Platform Driven, Human Delivered
The solution to effectively execute the industry’s security missions with limited human capital lies within the combination of technology and talent. Together, they can be a force multiplier for the industry.
At NetSPI we call this “platform driven, human delivered.” In our approach, we use technology to maximize human value by focusing human value on the right assets, at the right time.
We “automate the automatable.” In other words, we leverage automation to handle mundane and repetitive tasks that take up valuable time for a human to perform. Take our three core services for example:
The following features in Resolve™, our PTaaS platform, help to ensure our global pentesting team spends more time focused on higher severity issues like authentication, sessions management, and replicating real attacker behavior during our engagements.
- Processing scans on behalf of the pentesters. Using our correlation engine, we’re able to bring disparate scan outputs into one finding.
- Providing additional dimensions of data to findings to help better prioritize the remediation of findings with Risk Scoring.
- Report generation. Our consultants do all their testing within a process management workflow which allows them to simply generate a report at any point in the engagement.
- Process management. Deliver quality and consistency through workflow and process management automation, quality assurance, and communication. Adding automated components to these functions allows the pentesters to be more creative in their approaches and spend time finding higher severity findings.
The following features of our attack surface management solution combine the power of technology and talent by:
- Leveraging the cloud. We’ve taken our tools and techniques from over 20 years of external network penetration testing and are now utilizing the advancements in cloud technology to effectively scale that IP / knowledge capital.
- Continuous monitoring. Leverage technology to continuously monitor the aspects of client’s known assets and ensure they are free from critical issues. AND provide visibility into the aspects of their attack surface they are unaware of.
- Using human input to determine signal vs. noise. In tandem, we utilize our human experts to parse and manage that data to extract “the signal from the noise” to help organizations understand what’s at risk and which exposures to prioritize.
- Making all the data available to clients in the platform so they can use it for analytics and pattern identification.
On average, NetSPI clients identify roughly 15% of the attack techniques we run in their environments – this includes security programs that have spent millions on controls. We automate the automatable by:
- Connecting the execution of attacks in client environments with a NetSPI expert to help prioritize and get context into how we benchmark against industry peers.
- Automating attack plays that map back to the Mitre ATT@CK framework paired with human expertise to help make informed prioritization decisions of the attack techniques most relevant to your business.
- Track ongoing improvements, or reductions, in detection capabilities over time to empower defense teams to make the case for additional resources and shore up their defenses.
Becoming a Force Multiplier in Offensive Security
As an industry, we need to take a step back and evaluate, “what do we need to do to protect ourselves?” What are our priorities?
From an offensive security perspective, our clients have the need to identify all assets, identify vulnerabilities on those assets, and remediate them. No one person, nor one tool can achieve these goals. But together? The opportunity for success is exponential.
After all, technology cannot solve our greatest cybersecurity challenges. People and technology can.