Overview
What is proactive security? How must pentests evolve to stay relevant and valuable? What makes an effective red team? What parallels can be drawn between managing a household of six children and a 400+ person security team?
Get answers to these questions – and more – during this event as NetSPI CEO Aaron Shilts sits down with EVP of Strategy Tim MalcomVetter to discuss:
- Hot takes on a variety of proactive security topics
- Effective red team operations
- Security testing maturity levels
Tim recently joined NetSPI, bringing an incredibly insightful background as a security analyst, pentester, director of red team, and chief technology officer for some of the most prominent companies around the globe. During that time he built the red team program at the world’s largest retail company, led high-performing teams of security engineers, and hacked everything from mainframes to APIs to mobile to IoT devices.
Let’s deep-dive into the world of proactive security together!
Key highlights
00:38 – History working together
01:38 – Tim’s focus at NetSPI
06:54 – Evolution of cybersecurity over the last decade
10:43 – What is proactive security?
14:20 – Biggest misconception with proactive security
16:30 – Least favorite cyber buzzwords
21:18 – Future of GenAI
28:18 – Parallels between running a household and security team
Welcome, Tim MalcomVetter
Today, I’m excited to be chatting with Tim MalcomVetter, a member of our executive team. We first crossed paths 10 years ago, and I’ve been fascinated by his career journey, from a hands-on practitioner all the way to the executive ranks. We’re thrilled to have him onboard, working closely with our customers and leading his team in strategic initiatives that directly benefit our customers. Now, Tim’s title is EVP of Strategy, which might sound similar to a “VP of Special Projects,” but his role goes far beyond that.
Welcome to NetSPI, Tim! What are you most excited to tackle in your role here?
A significant part of my work involves thinking disruptively and asking, “How can we revolutionize penetration testing? How can we push the boundaries and make them even more impactful than they’ve been in the past 20 years?”
This drives me to explore continuous testing and find ways to bridge the gap between the advanced security practices of well-funded programs and the needs of enterprises, both large and small. Many smaller companies may not even know where to begin, and that’s where I find my true purpose — helping businesses of all sizes adopt robust security measures. This is what excites me about my future at NetSPI, and ultimately, why I’m here.
Tim and I have known each other for more than a decade. What was the hottest thing in security when we first started working together (2014)?
Application security was reaching maturity by that point—it was a thing that stood on its own. But enterprises were still in the early stages of adopting it. Credit cards were still what people were really concerned about, like ransomware. The first ransomware was 10 years ago. When I started red teaming, and even pentesting, we were all concerned about credit cards, especially when you work with different merchants; that’s the number one thing that bothered them.
Now, red teams hardly go for that at all. The black market isn’t selling stolen cards the same way. You used to get a lot of value out of them. But now the banks have figured out how to detect fraud. The merchants have become largely very mature. And there’s credit card tokenization and scope reduction and all this stuff. We used to do this crazy stuff where we would attack credit card tokenization systems; we were using timing analysis where you’d send a request and see if it took 50 milliseconds or 80 milliseconds to get the response back. The difference in time indicated whether we’d hit an existing token. It was weird, though, the things we would do. Now nobody cares about that; it’s just gone.
What is proactive security? How do you define it?
I think offensive security is probably a deep joke that some red teamer thought of, you know, ‘You guys are defensive, so I’ll be offensive.’ Am I offensive or offensive? Like, the stress on the syllables matters. I think it was a joke, and the industry took it.
Now that being said, the culture or idea that we’re going to be offensive, we’re going to be brash is 100% not NetSPI. I haven’t seen it anywhere. That’s not in the culture.
I think that has a lot to do with the way NetSPI works, how we were building up talent through NetSPI University. We actually teach them ourselves. There’s this culture of we bring people along here; there’s not this culture of, ‘We go hire rock stars that are suddenly the best you can get, and your quality is different on your engagement, because you got the right rockstar.’
So, to level set, that’s not here and you don’t see that mindset here. Secondly, in terms of proactive security, it’s taking the same concepts of, ‘OK cool, you did an external pentest and that was a two-week engagement. What did you do the other 50 weeks of the year?’ How do you know that you’ve got somebody with expert-level eyes?
If you’ve got an external pentester, one of the things that they’re really good at is finding weird stuff. You might not know it, and there might be this moment in time that something popped up and it was there for a week and it went away. That’s the opportunity. That’s the thing that caused the breach.
If we can race it: everything in cyber is about finding the bad things faster than the bad guys can find them, so that the good guys can get ahead of it, and aligning with the defender’s mindset. If you work in a SOC, nobody understands this better than people that work in SOCs, because it doesn’t ever turn off. It’s 24/7 and you’ve always got something you could be looking at. Our goal is to align that mindset and bring the most important things to the top so you’re not wasting time.
What is the biggest misconception with proactive security?
As somebody who wasn’t familiar with how NetSPI did delivery, and when we first talked about it as pentesting, you look at this technical review, break it apart and then ship somebody a 100-page PDF. That is so old fashioned. Why is pentesting still doing that?
And then I got into NetSPI, and I saw we’ve already figured that out with our Resolve platform. We’re doubling down on it with our new platform that we’ll talk about later this year. We are getting ahead of that. We’re not just shipping you a PDF. It is now part of your workflow; we integrate with your JIRA for your developers, or whatever bug ticketing and tracking system you’ve got. It becomes a piece and a part of the process where we can bring our expertise in. To me, that is already wildly different than a lot of consultants out there.
I’ve seen it on the other side, where that’s part of the benefit of being a practitioner on the enterprise side, you get to see pentesters who’ve found all this stuff. Now it’s going to go get farmed out to four different dev teams, because there’s different components — there’s a complicated app, and different dev teams have different priorities. How do we get all of that friction and remove it? Make it where we understand how you work. To me, that’s one of the ways we can be the most disruptive is to take all that friction away, and make it as easy as possible.
Shifting gears slightly, what are your least favorite cyber buzzwords?
I am fascinated by the fact that SIM, or SIEM as some people pronounce it, still persists, defiantly by the way, those who cling to the term SIEM. How that term even came to be is a weird story. Back in the early days of my career when I was naive and young, I thought, “Oh, security is just like following a recipe, right? I’m this expert chef, here’s all the ingredients, I’m going to use this type of protein and this type of starch, and we’re going to mix it all up, and we’re going to have this perfect security model, right? And it’s never going to break.”
Eventually, I realized, well, that’s stupid. It was a wake-up call for me that you have to monitor. And if you’re going to monitor, you have to throw your stuff in some sort of place where you can find your logs.
And everybody said, “Okay, we’re going to throw it in a SEM. We’re going to call it a Security Event Management solution.” Another company came along and said, “We’re going to throw it in our SIM, as in Security Information Manager.” And then somebody said, “Hold the phone. Our marketing is better than yours. We’re going to be both. We’re going to be a Security Event and Information Manager, or Security Information and Event Manager.” Nobody knows!
I seriously think that if you go to a random SOC today, and you find somebody with less than, say, three years of cyber work in the frontlines defending some big enterprise today, and you ask them, “What does SIM stand for?” There’s a coin toss chance that they don’t even know. And if you ask the most seasoned person in there, “Where did the name come from?” I guarantee they don’t know. They don’t realize that it’s like that.
What’s your take on the GenAI boom? Any thoughts around its rapid adoption?
I will say that I was the first person, up until about the June–July timeframe, to say stop talking about AI. I’ve even joked that one of the best things I’ve ever done in my career is to take certain cyber marketing people and tell them to stop saying AI and ML where it doesn’t make sense. You can do anomaly detection, you can do k-means clustering, things like that; that’s a form of ML, but it doesn’t mean we need to go slap it on there just to be buzzword-compliant. I still maintain that there’s still a place for discrete algorithms and human intelligence that will absolutely trump, and you can’t take that out. But at the same time, unless you’re not paying attention, with the GPT-3 branch release and everything else, that changed a lot of things. But it didn’t change everything, and now we’ve got all these organizations rushing to adopt it.
If you’re an enterprise, almost in any space, if you’re not rushing to adopt it, you’re taking on too much risk by not adopting it. I like to go back to Dan Geer — I listen to his talks all the time — and he talks about two kinds of risk:
- Not putting enough risk in play with the business, and
- At the same time, also having too much risk
You’ve got to find that sweet spot to really grow your business. You must have it in there. But the way I see it going, honestly, I’ve bounced this off a bunch of different people inside and outside my network. This looks to me like you’re going to have people building models. And it’s going to be a deep understanding of the math behind the model. Understanding how the model works and how you can potentially do adversarial ML against the model, whether it’s a large language model, or it’s just traditional ML like a classifier or unsupervised learning, like all of that stuff, very deep, very technical. There’s going to be a subset of enterprises that absolutely have to have them; almost all of that will be tech companies, with some big enterprises kind of mixed in with little projects that they do.
As this becomes normalized and adopted, it’s going to meld into what you do for AppSec. For example, I have this web application, and I need to do a penetration test. By the way, you’re going to list out the components: I’m using this CDN in front of it, I’m using this WAF, I’m using this development stack, I’m integrating with these types of services. I’ve got a microservices architecture, and by the way, I’m integrating with this large language model. Then that’s going to bring out a set of abuse cases that need to get tested with the app. It’s going to merge, and the pentesters who don’t know that are going to get left behind, because they’re not going to get proper coverage for their customers.
At the same time, that’s a good thing, because it means we can help the big enterprises that are adopting the frameworks. We test all the big tech companies’ LLMs in all their tech stacks to make sure that it’s all functional.
I joke and say it’s somewhere between SQL injection and securing an S3 bucket. If you remember, when SQL injection came out, everyone was vulnerable, because everyone was doing string concatenation on their web apps. You could inject random SQL statements into your query, and then bad things would happen.
Then what happened? Every development framework came out with a mechanism to drop in parameterized queries. You had a framework that just took care of it for you — developers don’t have to understand anymore, they just know to use this framework and be done. I think we’ll see that happen with the injection side. And then on the equivalent of the S3 bucket side, when the Amazon S3 service came out, and the same thing with Azure and GCP storage, people would start putting things in there and not understand the permissions, and then expose content to the world and not understand, because it’s complicated.
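To make the string-concatenation-versus-parameterized-query contrast concrete, here is a small added example (not code from the post or from NetSPI) using Python’s standard sqlite3 module against a constructed in-memory table. The table contents, the function names and the tampered input are all assumptions made for the demonstration; the point is that the same input returns every row through the concatenated query and nothing through the bound-parameter query, because the driver never parses the bound value as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table, not from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_concatenated(conn, username):
    """The 'everyone was vulnerable' pattern: user input is pasted into the
    query text, so the database parses whatever the caller supplied as SQL."""
    query = (
        "SELECT id, username, role FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The framework-provided fix: the query text is fixed, and the value is
    bound separately by the driver, so quotes in the input stay plain data."""
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run the same input through both lookups and return both result sets."""
    conn = make_db()
    return {
        "concatenated": lookup_concatenated(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }


if __name__ == "__main__":
    # A normal username behaves the same either way.
    print(compare("alice"))
    # The textbook tautology input (constructed) only has an effect on the
    # concatenated query, where it widens the WHERE clause to every row.
    print(compare("x' OR '1'='1"))
```

The hardened form is not a sanitizer that inspects input; it simply never lets the input reach the SQL parser. That is why the fix could be pushed into frameworks and forgotten, as the post describes.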
I think you’ll have the same kind of problem with people over-indexing and feeding too much data into their LLM when building out the model, with what it has access to, the APIs and everything else, so we’ll see a governance aspect there.
Before we go, I have one last question for you. This one is for all the team leads listening in. What are some parallels between managing a household with six children and managing a 400+ person cybersecurity team?
What ends up happening is I use the same kind of conversations when drama does inevitably happen in either of those scenarios. With my kids, I can say, “Does hitting your sister get you closer to or further from your goal of getting ice cream?” And at work I can say, “Did talking to your coworker that way get you closer to or further from getting your project approved?” It’s the same thing. It’s kind of funny how sometimes that works.
Catch the full conversation between Tim and Aaron below or continue your proactive security journey by reaching out to NetSPI for a consultation to guide your next steps toward proactive security.