Interviews | April 26, 2022
It's Time to Replace Security Assumptions with Security Certainty
Q1. How have software supply chain security risks evolved in recent years? What's driving the trend?
While the idea of supply chain security is not a new problem (analysts have been alerting us to this trend since 2017), the existing processes of risk mitigation cannot keep pace in today’s world. There is a big difference between being reactive and leveraging a software bill of materials or chipping away at a list of known vulnerabilities, and being proactive and providing developers tools to prevent supply chain attacks. The amount of software that needs to be managed has grown too large to perform routine risk assessments.
Unfortunately, looking only for known vulnerabilities ignores the attacks and other issues that have arisen in the open-source ecosystem in the last year. Much of what is driving the trend is the realization that while there is some known risk tolerance for vulnerable open-source packages within an organization, there is zero tolerance for malicious packages. This is pushing the industry to provide real solutions that can clearly distinguish between packages that are known to be risky in some circumstances, versus packages that are clearly designed to cause harm.
Q2. What are some of the key requirements for a good supply chain security program? What kind of measures/controls are essential to reduce breach risk via the software supply chain?
Overall, I think organizations need to put programs in place to examine the provenance of open-source packages before they are brought into the environments of organizations. One of the things we are doing at Checkmarx is actually running the open-source packages in a safe environment -- what we call a detonation chamber -- that allows us to look at and analyze the behavior of running open-source packages. This gives us the chance to look at the code from both a static and dynamic perspective and observe how it behaves. Essentially, we are treating these packages with the same scrutiny with which we would treat our own proprietary code. This technology helps remove uncertainty about the intent of an open-source package. It also helps rule out malicious intent, ultimately boosting confidence in the adoption of open-source software.
Q3. What does Checkmarx plan on highlighting at Black Hat Asia 2022? What do you want customers at the event to learn about Checkmarx and its strategy for helping organizations protect against supply chain risks?
As a leader in application security, we are starting to see more customers migrate to the cloud, and we anticipate growing demand for an end-to-end appsec platform for cloud-native application security. Checkmarx’s AST platform is delivered from the cloud and designed to support on-premises, cloud and hybrid environments. It is truly a one-size-fits-all solution, as it spans the complex landscape of custom code, open-source components, Infrastructure-as-Code (IaC) deployments, and the open-source supply chain, allowing application code to be secured more efficiently and effectively.
Additionally, Gartner has predicted that by 2025, 60% of organisations will harden their software delivery pipelines to protect against supply chain attacks. Attackers are shifting their attention to the software supply chain by abusing open-source software ecosystems, which have traditionally been trusted by the worldwide developer community. Checkmarx is bringing a developer-first approach to detecting supply chain attacks in code packages, leveraging a comprehensive suite of threat intelligence, behavioral intelligence and machine-learning models. Current solutions in the market are reactive in that they rely on community feedback to detect vulnerable code and analyze the code, but not the person behind it. The Checkmarx Supply Chain Security solution is built on the principle of 'don't take code from strangers' and instead references our reputation database, which is like a credit score system for a code contributor. Our goal is to support enterprises with rapid application development while maintaining the trust of their customers.
Q1. You have written about familiarity breeding a false sense of security at many organizations. How is that impacting enterprise responses to mitigating phishing risks? What should security leaders be doing to ensure that familiarity doesn't lead to complacency when it comes to dealing with security threats?
Security leaders need to recognize some of the basic tendencies of human nature. When it comes to something like familiarity breeding a false sense of security, there are several ways that happens. First, if you are an organization that does phishing simulations and you always send the same template or tend to train on the same types of phishing tests, then you are really just teaching your people how to spot those specific types of phishing emails. And so, if you look at your phishing metrics and are celebrating your current phish-prone percentage, then you’ll have a false sense of security because attackers certainly aren’t limited to the single attack type that you’ve trained on.
There’s another type of familiarity that causes problems – and that’s where you provide the same video content, posters, or other material over and over and over. The first couple times people see the information, it’s new and they will pay attention. After that, they become numb to it. If it’s a poster that’s been up for several months, many people will not even notice that it is there anymore… it’s effectively invisible to them.
The way to ensure that familiarity doesn’t become a problem for you is to inject diversity and variety in your training. You need to do simulations using a wide variety of phishing templates and even consider taking some of the actual phishing emails that have bypassed your secure email gateway and create simulated versions of those. Your goal isn’t just to get your people good at spotting simulated phishing attacks, it’s to get them good at spotting and reporting all types of phishing.
Similarly, with content like videos, posters, and newsletters, you need to keep things fresh. And, more importantly, ensure that your content is relevant. That combination of elements will naturally encourage greater interest and engagement.
Q2. KnowBe4 recently introduced a new Security Culture Maturity Model for helping organizations measure the maturity of their current security-related practices. What exactly does it help an organization measure and how will they benefit from it?
Over the past few years, the phrase “security culture” has gotten pretty popular. Security awareness leaders, CISOs, and other executives instinctively know that it is important. But there was a problem: despite the fact that everyone believed it was important, there was very little understanding of what security culture actually is. There was no industry definition for the concept, and that meant that lots of people agreed that “it” is a good thing, but they had no way of measuring how well they were doing at achieving “it.”
Our first step at helping address this problem was setting forth an industry definition of security culture. Security culture is defined as the ideas, customs, and social behaviors of a group that influence its security. Then we took it a step further by demonstrating that security culture could be broken up and measured across seven different dimensions: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities.
But there was still one more step needed. And that was a high-level, data-driven and evidence-backed instrument to measure an organization’s journey to create a security culture. That’s what we set out to do when creating the Security Culture Maturity Model (SCMM). This new model can measure an individual, group, department, organization, or region’s security culture using something that looks very much like a capability maturity model… but actually hides a lot of complexity.
We are able to measure several data points, what we refer to as Culture Maturity Indicators (CMIs). Each one of these CMIs is interesting on its own, but the power comes in the aggregation of several CMIs. That aggregation is what helps to stabilize the data and provide the most accurate picture possible of an organization’s true security maturity.
Q3. What does KnowBe4 plan on highlighting at Black Hat Asia 2022? What do you want customers to take away from your organization's participation in the event?
We’ve got a ton planned for this year. At the KnowBe4 booth, we will be discussing our KMSAT platform, showing people how they can easily get up and running with a fully mature security awareness program. We’ll also be demonstrating PhishER and some really cool features like PhishRIP and PhishFlip that can truly make an organization’s employees part of an active defensive security layer.
We also have an on-demand zone session, featuring a presentation from our Chief Product Officer, Greg Kras. Greg will be highlighting the power of our platform and showing off some of our most exciting features, like our new Security Culture Benchmarking feature, which allows an organization to compare its security culture against that of similar organizations. He’ll also show how the platform provides AI-driven training recommendations for end users in their own UI, our “Brandable Content” capabilities that give organizations the option to add branded custom content to select training modules, and a ton of other cool stuff. Please be sure to stop by.
Q1. Pentera recently secured $150 million in a funding round at a $1 billion valuation. What's behind the investor interest in the company? What's the value-add that Pentera brings to the penetration testing space?
Our round C investment earlier this year followed the exceptional growth we experienced in 2021. It was yet another testament to the growing demand for real-world security validation in the market. Having K1 Investment Management and Evolution Equity Partners join our existing investors Insight Partners and Blackstone is very exciting and further reaffirms the valuation.
It’s clear that the security industry is no longer willing to compromise security readiness for assumptions and is shifting to a continuous attack-based posture validation approach. At the end of the day, traditional validation practices such as manual penetration testing and vulnerability scans don’t align with the dynamic nature and sophistication of today’s threat landscape. Enterprises require automation for testing all aspects of the attack surface and all layers of the information security defenses. The modern approach distills the risk-bearing security gaps the organization faces, allowing for optimal use of remediation resources.
With Pentera, security teams can confidently grow security readiness with an automated security validation practice.
Q2. How have penetration testing requirements changed in recent years—particularly the last two? What do security leaders need to understand about their attack surface these days?
The adoption of remote work in the past few years created a number of new challenges many security teams hadn’t faced previously. One of them is the hyper-expansion of the attack surface, which introduced even more vulnerabilities to an already unmanageable amount.
This challenge further emphasized the need for an approach that provides visibility to the true security posture of the enterprise and the ability to prioritize vulnerabilities based on their exploitability and risk impact on the business.
Automated security validation is essentially that. It’s how we flip on the light to focus on real security gaps and guide cost-effective remediation. This approach provides a true view of current security exposures by emulating real-life attacks and enabling a surgical remediation plan. It replaces security assumptions with security certainty.
Q3. What's on the agenda for Pentera at Black Hat Asia 2022? What are you hoping customers will take away from Pentera's presence at the event?
We’re very excited to bring the revolution of Automated Security Validation to the Asia Pacific market. We have over 500 customers globally and quite a few customers in Japan, Thailand and Australia and now have a local team to expand and cement our presence in the region.
At the Black Hat booth, you can see Pentera in action in a live environment and interact directly with our expert red team to better understand the best practices of continuous security validation and how it can help you improve security readiness against the latest threats and attack techniques. We look forward to seeing you there. If you'd like to book a private meeting, just email Uri@pentera.io
Q1. Organizations have made several changes to their security strategies over the last two years in response to pandemic related trends—such as the shift to remote work and accelerated cloud adoption. Which pandemic-related security changes do you expect organizations will continue using/building upon over the long term?
A world event such as a pandemic brings unexpected IT challenges to organizations. Enabling a remote workforce is not a trivial challenge in the best of times, and it can seem especially daunting when rolled out during a global crisis. Many organizations needed to transition their workforce to remote work overnight and had to ensure:
- Their users/employees can be productive while working remotely – that includes making sure they have the right tools, having access to new devices or enabling use of personal devices.
- They can handle the serious spikes in remote app access which put a lot of pressure on VPN scalability for on-premises app access.
- They are prepared to detect and respond to cybersecurity threats exploiting the situation and the bad actors taking advantage of the crisis.
Building a security foundation for the remote workforce is the key to enhancing resiliency and staying secure moving forward. There are three important steps to securing a remote workforce: enabling remote access to apps, managing devices and apps, and protecting corporate resources. Microsoft has been working with many organizations across the globe, in concert with our productivity and security experts, to provide practical remote worker guidance and recommendations. We have identified three areas where organizations can make quick progress in ensuring their people are secure and productive when working remotely:
- The first step is to enable remote access to all apps – that includes on-premises and cloud apps.
- The second step is managing devices and apps effectively in this new remote work situation, whether that be protecting BYO, or administering ongoing patches and updates.
- The third step is about protecting corporate resources from threats and keeping your data protected. We see organizations continue to adopt a Zero Trust mindset.
What this means is: instead of assuming everything behind the corporate firewall is safe, assume breach and verify each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, every request is fully authenticated, authorized, and encrypted before access is granted.
Another key aspect is to know your perimeter and have visibility into your entire environment. For example, weak endpoints can become beachheads for network infiltration and reconnaissance activity. With the pandemic-driven shift to remote workforces, endpoints are farther away from the corporate network, so a robust endpoint detection and response solution can help keep endpoints protected and secure. We will see more organizations adopt XDR (Extended Detection and Response) to secure their users, devices, applications, and data as well as their network and infrastructure. Adopting secure cloud architecture, leveraging automation and AI to help ease the burden of defending against new attacks, modernizing security operations with cloud and modern security controls/tools, and strengthening cross-cloud security postures will continue to be critical.
Organizations will need to invest in user training and keep training them. Users can be the weakest link or the first line of defence. When security awareness is institutionalized at an organizational level, end users can be the early responders to activity that might indicate compromise. Investing in people and building their resiliency against security threats will continue to be key to a safer remote workforce.
Q2. What are the essential components of a zero-trust architecture? What's the best starting point for implementing a zero-trust architecture?
Zero Trust teaches us to “never trust and always verify”. The guiding principles of Zero Trust are:
- Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privileged access. Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
- Assume breach. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy. This is done by implementing Zero Trust controls and technologies across six foundational elements: identities, devices, applications, data, infrastructure, and networks. Each of these six foundational elements is a source of signal, a control plane for enforcement, and a critical resource to be defended. This makes each an important area to focus investments. As organizations assess their Zero Trust readiness and make changes to improve protection across identities, devices, applications, data, infrastructure, and networks, they should consider the following key investments to help drive their Zero Trust implementation more effectively. Through our own experience, we’ve found these six factors to be critical to closing important capability and resource gaps:
- Strong authentication. Ensure strong multi-factor authentication and session risk detection as the backbone of your access strategy to minimize the risk of identity compromise.
- Policy-based adaptive access. Define acceptable access policies for your resources and enforce them with a consistent security policy engine that provides both governance and insight into variances.
- Micro-segmentation. Move beyond simple centralized network-based perimeter to comprehensive and distributed segmentation using software-defined micro-perimeters.
- Automation. Invest in automated alerting and remediation to reduce your mean time to respond (MTTR) to attacks.
- Intelligence and AI. Utilize cloud intelligence and all available signals to detect and respond to access anomalies in real time.
- Data classification and protection. Discover, classify, protect, and monitor sensitive data to minimize exposure from malicious or accidental exfiltration.
Different organizational requirements, existing technology implementations, and security stages all affect how a Zero Trust security model implementation is planned. Using our experience in helping customers to secure their organizations, as well as implementing our own Zero Trust model, we’ve developed a maturity model to help you assess your Zero Trust readiness and build a plan to get to Zero Trust. While a Zero Trust security model is most effective when integrated across the entire digital estate, most organizations will need to take a phased approach that targets specific areas for change based on their Zero Trust maturity, available resources, and priorities. It will be important to consider each investment carefully and align them with current business needs. The first step of your journey does not have to be a large lift and shift to cloud-based security tools. Many organizations will benefit greatly from utilizing hybrid infrastructure that helps you use your existing investments and begin to realize the value of Zero Trust initiatives more quickly. Fortunately, each step can help reduce risk in the entirety of your digital estate.
According to a recent Forrester Consulting report, adopting Microsoft’s Zero Trust strategy delivers a three-year 92% ROI, 50% lower data breach risk, and numerous efficiency gains of 50% or higher across security processes. Microsoft’s industry-leading protection across Zero Trust pillars has generated USD 15 billion in revenue during 2021 alone, a testament to the confidence organizations worldwide put in us.
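One way to make the "verify explicitly", "least privilege" and "policy-based adaptive access" points above concrete, as an added example that is not part of the interview and not Microsoft's policy engine or any product API: a toy policy engine that evaluates every request on the available signals (group claims, MFA state, device compliance, sign-in risk, data classification) and returns allow, step-up or deny. Every resource, group, signal name and sample request below is invented for illustration.

```python
"""Toy Zero Trust policy engine (hypothetical illustration, not a product).

Every request is evaluated on explicit signals regardless of where it comes
from; a request that passes gets only the action it asked for (JEA).
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # grant exactly the requested action
    STEP_UP = "step_up_mfa"    # re-authenticate with MFA, then re-evaluate
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group claims from the identity provider
    mfa_satisfied: bool        # MFA completed in this session
    device_compliant: bool     # managed, patched, EDR healthy (hypothetical signal)
    location_risk: str         # "low" | "medium" | "high" from a risk engine
    resource: str
    action: str                # "read" | "write"


# Hypothetical authorization data: which groups may take which actions.
ACL = {
    "payroll-db": {"finance": {"read", "write"}, "auditors": {"read"}},
    "wiki": {"all-staff": {"read", "write"}},
}
# Hypothetical data classification per resource.
CLASSIFICATION = {"payroll-db": "confidential", "wiki": "internal"}


def evaluate(req: Request):
    """Return (Decision, granted_actions, reason) for one request.

    Unknown resources are treated as confidential so the engine fails closed.
    """
    classification = CLASSIFICATION.get(req.resource, "confidential")
    sensitive = classification == "confidential"

    # Verify explicitly: the caller must hold a group that grants the action.
    allowed = set()
    for group in req.groups:
        allowed |= ACL.get(req.resource, {}).get(group, set())
    if req.action not in allowed:
        return Decision.DENY, frozenset(), "group membership does not grant action"

    # Assume breach: a high-risk sign-in never reaches confidential data,
    # even with a valid credential and MFA.
    if req.location_risk == "high" and sensitive:
        return Decision.DENY, frozenset(), "high-risk sign-in to confidential resource"

    # Device health is a required signal: a non-compliant device may only
    # read non-sensitive data.
    if not req.device_compliant and (sensitive or req.action == "write"):
        return Decision.DENY, frozenset(), "non-compliant device"

    # Adaptive step-up: MFA is mandatory for anything beyond a low-risk
    # read of non-sensitive data.
    if not req.mfa_satisfied and (sensitive or req.action == "write" or req.location_risk != "low"):
        return Decision.STEP_UP, frozenset(), "MFA required for this access"

    # Least privilege (JEA): grant only the requested action, not every
    # action the ACL would permit.
    return Decision.ALLOW, frozenset({req.action}), "all signals satisfied"


# Constructed sample requests (not real events).
SAMPLES = {
    "finance_read_ok": Request("alice", frozenset({"finance"}), True, True, "low", "payroll-db", "read"),
    "finance_write_no_mfa": Request("alice", frozenset({"finance"}), False, True, "low", "payroll-db", "write"),
    "auditor_write": Request("bob", frozenset({"auditors"}), True, True, "low", "payroll-db", "write"),
    "finance_high_risk": Request("alice", frozenset({"finance"}), True, True, "high", "payroll-db", "read"),
    "staff_wiki_byod": Request("carol", frozenset({"all-staff"}), False, False, "low", "wiki", "read"),
    "unknown_resource": Request("dave", frozenset({"all-staff"}), True, True, "low", "hr-files", "read"),
}


def run_samples():
    """Evaluate every sample request; returns {name: Decision}."""
    return {name: evaluate(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        decision, granted, reason = evaluate(req)
        print(f"{name:22s} {decision.value:12s} {sorted(granted)} {reason}")
```

The ordering of the checks is the design point: authorization on identity comes first, then the risk and device signals can only narrow the result, and the granted set is derived from the request rather than from the ACL, so a finance user asking to read never receives an implicit write. A real deployment would source the signals from the identity provider and device-management service rather than from a dataclass.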
Q3. What are Microsoft's plans at Black Hat Asia 2022? What's your focus going to be at the event?
Our key focus at Black Hat Asia 2022 will be on cyberattacks and how we might defend against them at every level. Set against the backdrop of a hybrid working world still recovering from the pandemic, cybersecurity has never been more challenging. Cyberattacks have become not only more frequent and costly, but also increasingly sophisticated. Add that to mounting global economic stress and an increasingly hybrid workforce, and you’ll find that the modern CISO role has evolved. We want to bring light to their top challenges and opportunities, as well as strategies they can apply to their organization. To successfully detect and defend against cyberthreats, we’ll also need to come together as a community and share our expertise, research, intelligence, and insights with fellow security practitioners. One key strategy we can adopt is the Zero Trust approach, a new security model that adapts to the complexity of the modern environment, protecting people and data wherever they are located. As a real-world case study, our tech specialist Dmitry Butko will take attendees through the groundbreaking Zero Trust Maturity Model and discuss its applicability for organizations outside of the US. Through the planned sessions and activities, we hope to inspire more organisations to take a proactive and integrated approach to cybersecurity. We invite interested parties to hear from and speak with our experts at Black Hat Asia 2022. We hope to see you there.
Q1. Your company introduced the Strobes vulnerability management platform in the US market earlier this year. What do you want organizations to know about the technology and the differentiation it offers over other products in the vulnerability management space?
Strobes VM365 is a risk-centered vulnerability management platform purpose-built to make vulnerability management easier and more effective. It seamlessly and effectively aggregates vulnerabilities from different sources and follows a validated prioritization mechanism to efficiently predict patching using threat intel.
A differentiating factor is that the platform's scanners and tools are vendor-agnostic. The platform’s framework integrates seamlessly with any security product and IT service management tool, and today we have 45+ integrations.
Our major differentiating factor over other products in the vulnerability management space is our Prioritization Engine. Our prioritization scoring depends heavily on our proprietary vulnerability intelligence (Strobes VI). Vulnerability intelligence is an advanced correlation between CVEs and various indicators of compromise (IOCs), taxonomies, and compliance standards. The vulnerability scoring is done by assessing multiple parameters such as CVSS, asset sensitivity, business risk, and Strobes VI.
Q2. How has cloud adoption and the shift to a more distributed work environment/WFH environment complicated the vulnerability management challenge for organizations over the past two years?
With more people collaborating from home and using public VPN endpoints between locations, the risk increases. Vulnerability management has always been a challenge at all levels of IT operations.
As modern businesses continue to restructure and look for ways to simplify their operations, gathering information and closing the management gap is becoming a necessity. The cloud, WFH environment, and distributed work have added complexity to vulnerability management.
The shift to a distributed work environment/WFH setup is an integral part of the cloud transformation movement. However, this introduces a difficult new environment regarding vulnerability management and related security processes. With cloud users working from home, public VPN endpoints are suddenly exposed and are "in the wild" on the Internet. This means more vulnerable entry points than ever before, and a more complicated process of maintaining them. All of this is combined with scanning, accessing scan results, prioritizing vulnerabilities, and then crunching key performance indicators (KPIs) and key risk indicators (KRIs). While vulnerabilities are continually introduced into IT environments with cloud transformation, updating security processes is key to maintaining effectiveness during this shift.
Q3. What do you expect will be top of mind issues for customers at Black Hat Asia 2022? What are you hoping organizations will take away from your company's presence at the event?
Vulnerability management has become a bigger problem since the adoption of cloud and digital transformation because of all the additional vulnerabilities to manage and the challenges that come along with them. I believe most of the product owners, security folks and CISOs are searching for solutions around vulnerability aggregation, vulnerability prioritization and cyber risk quantification.
The key takeaways from Strobes Security are:
- Creating playbooks and workflows to automate security assessments, schedule scans and bulk patching.
- An easier way to manage assets and to aggregate and de-duplicate vulnerabilities.
- Bridging the gap between the security stakeholders in an enterprise, and showing how a CISO can quantify cyber risks and get actionable insights.