Cody Chamberlain
Posts and webinars by this author

[Post published 2024-03-19]
Vulnerability scanners help scan known assets, but what about the assets you don’t know exist?
Attack surface sprawl is a growing challenge with 76% of organizations experiencing some type of cyberattack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.1 The constant expansion of attack surfaces has made the need for visibility into potentially unknown attack surfaces more important than ever.
Pairing vulnerability scanners with attack surface management (ASM) gives security teams high-fidelity analysis and prioritization of assets and exposures, while limiting noise and false positives commonly associated with technology-only platforms.
Why vulnerability scanners aren’t enough
The issue lies in the fact that vulnerability scanners can only scan entities you tell them to. Vulnerability assessments operate on a tactical level, often treated as commodities where you acquire a scanner and direct it toward known targets.
Vulnerability scanners rely on a policy that defines the scope and dictates where the scanner should focus its efforts, whether that’s on targets, networks, or assets. Without this essential step, the scanner lacks the intelligence to identify assets, as its sole purpose is to scan what it’s told to. Vulnerability scanning on its own is an output of potential issues; the tool can’t go out and find assets you haven’t explicitly told it to find. That’s where NetSPI ASM comes in.
How NetSPI Attack Surface Management covers gaps
The beauty of ASM is its ability to uncover what’s unknown. This aspect is crucial as it offers a more strategic approach compared to traditional vulnerability assessments. When transitioning to ASM, security experts conduct specific operations to identify elements such as subsidiaries and various IPs associated with the organization. Through these efforts, previously undiscovered assets come to light that had been omitted from scanning and thus excluded entirely from a vulnerability assessment program.
Vulnerability scanners paired with NetSPI ASM enrich the assets, ensuring the scope of your scan is comprehensive.
Leveraging technology, intelligence, and expertise for Proactive Security
The advanced technology behind NetSPI ASM combines with our security experts to deliver the most comprehensive view of external attack surfaces. Our deep visibility helps you understand specific risks to your business so your team can spend less time sifting through alerts or responding to false positives. With the full force of NetSPI in your corner, you can navigate rapid innovation with confidence, while protecting the trust you’ve worked so hard to build.
How do we go about enriching asset discovery?
We research multiple data sources to identify external-facing assets, utilizing a combination of human intelligence and third-party services in our research, a task that a vulnerability scanner could never accomplish on its own.
For example, we use a blend of various OSINT, proprietary and commercial sources, and techniques to continuously search the internet to identify your entire attack surface. This process is a collection of items including, but not limited to business and legal structures, domains, and IP addresses.
Our team performs exposure identification by:
- Port scanning
- Certificate scanning
- DNS scanning / querying
- Sub-domain brute forcing
- Web application scanning
- SNMP queries
- UDP scanning
- TCP scanning
- Taking screenshots, grabbing banners
- API queries of configured cloud environments
We utilize active and passive techniques to continuously identify the existence of exposures on assets. Active discovery is performed on all identified assets for ports, technologies, certificates, vulnerabilities, DNS records, etc., while passive discovery is performed through integrations with data feeds that allow us to enrich data found through active discovery.
This detailed information gathering leads to high-quality findings, allowing us to report only on true positives, with highly documented verification steps and remediation instructions. We provide detailed validation and evidence verification, so you only receive the true positives that matter the most to accelerate remediation and eliminate constant alerts and manual correlation from multiple sources. This is the “secret sauce” behind The NetSPI Advantage. Machine intelligence plus human intelligence is compound intelligence that benefits our customers. To put it simply, we go beyond for our customers so they can go beyond for theirs.
Vulnerability scanning vs penetration testing
Both vulnerability scanners and penetration testing have their time and place to enhance the overall security of systems. The biggest difference is the depth of results from each measure. Vulnerability scanning is an automated process that identifies and reports potential vulnerabilities in a system, focusing on known weaknesses.
Penetration testing, on the other hand, involves simulating real-world attacks by skilled professionals, a la The NetSPI Agents, to actively exploit vulnerabilities and assess the system's security posture. While vulnerability scanning provides a broad overview of potential issues, penetration testing goes deeper, uncovering weaknesses that may not be apparent through automated scans. See if you’re getting the most value from your penetration testing reports.
Empower your security posture with NetSPI
The most helpful lesson we can share with anyone working to advance your security posture is don’t go it alone. The shared learning from experts who have worked through the same challenges you face is invaluable to bring clarity, speed, and scale to your security programs.
Reach out to connect with our security experts or keep learning about NetSPI ASM by watching our demo.
[Post: “From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning”, published 2024-03-19, https://www.netspi.com/?p=32139]

[Webinar published 2023-06-06]
NetSPI’s 2023 Offensive Security Vision Report is out now! If you haven’t read it yet, now’s your chance to explore the report in-depth with Head of Product Cody Chamberlain and special guests Ron Eddings and Chris Cochran from Hacker Valley. You can download the full report!
Vulnerabilities are on the rise. This, coupled with the reality of burnt-out security and development teams, creates an imminent need for prioritization. This data analysis examines the past year's top vulnerability findings and trends from thousands of pentests, bringing security and business leaders actionable insights to focus discovery, management, and remediation efforts.
Watch this engaging discussion with our Head of Product Cody Chamberlain and special guests Ron Eddings and Chris Cochran from Hacker Valley Media, around the findings from the Vision Report, including:
- The most prevalent vulnerabilities by attack surface
- Key observations across attack surfaces and industries
- The most significant barriers to timely and effective remediation: a lack of resources and vulnerability prioritization
- The current state of remediation due dates / SLAs
- 2023 hiring trends and how to put further emphasis on entry-level roles.
Video: https://youtu.be/9uq1QJD11sI
[Webinar: “An Inside Look at NetSPI’s Offensive Security Vision Report”, published 2023-06-06, https://www.netspi.com/?post_type=webinars&p=30320]

[Post published 2023-02-28]
Organizations need to proactively embrace the latest security strategies to protect against emerging risks. New, more advanced cybersecurity solutions are constantly developed to address core challenges in the industry. One of these new solutions, external attack surface management (EASM), entered the market in 2021 and is now starting to see increased adoption because of its ability to continuously discover, inventory, test, and prioritize known and unknown assets and exposures on a global external attack surface.
We recently had the pleasure of interviewing our guest Erik Nost, Senior Analyst at Forrester, during a webinar that explored external attack surface management in detail. Learn the key takeaways from the webinar and what to look for if you’re in the process of evaluating EASM vendors.
How EASM complements external penetration testing
Penetration testing is a mature cybersecurity solution and is more widely known than EASM today. However, many organizations still largely use penetration tests for compliance, essentially checking boxes because they have to.
Threat actors thrive on this mentality.
When penetration testing is approached with a compliance-first mindset for regulatory bodies and organization standards, tests are only completed a few times per year or less. Often no action is taken on the findings for months because of building the context and prioritizing which vulnerabilities need to be fixed first.
On the other hand, organizations that are strategic about looking at penetration tests, red teams, and other control validation exercises to formally piece together a remediation puzzle achieve a stronger end state of security. EASM solutions help security teams keep pace with the rate of change in organizations today by offering continuous coverage of attack surfaces to find vulnerabilities as they arise.
Pentesting is a priority that’s complemented by EASM with continuous discovery and prioritization of known and unknown assets and exposures.
Evaluating EASM vendors to make continuous pentesting a reality
The responsibility of EASM often falls under security operations groups and vulnerability management teams rather than having team members solely responsible for EASM, such as an attack surface management analyst.
These teams often have years of experience inventorying assets and identifying vulnerabilities, so they have a strong use case and the right experience to bring in an attack surface management solution. Vulnerability risk management (VRM) analysts, managers, and directors are the people who use ASM the most.
Red teams and penetration testing teams are other groups involved in selecting and partnering with ASM vendors and can help develop plans to more rapidly discover assets to test and validate for any weaknesses or controls. If an organization has a threat intelligence team, an ASM vendor can also help build different types of threat modeling that they might want to look at to determine where the most risky exposures could be.
When evaluating and selecting an external attack surface management provider, organizations need to understand what the vendor brings to the table, including how they're prioritizing risk and whether the approach matches their specific prioritization and remediation strategy. It’s also important to talk to potential ASM providers about how they can help support compliance and best practice frameworks.
Looking ahead in EASM security
The external attack surface management market has experienced a lot of mergers and acquisitions in recent years, with larger platforms that don’t have their own solutions buying up EASM providers. EASM may follow a similar path to vulnerability risk management (VRM), which has become a feature or solution within larger platform offerings.
Some standalone external attack surface management vendors may remain, but they will likely also include complementary features and capabilities to improve how organizations identify and protect against cyber threats. For the most part, as we see increased convergence of ASM, VRM, cloud security posture management (CSPM), continuous threat exposure management (CTEM), and other security solutions, EASM is likely to be one component in broader platform offerings in coming years.
NetSPI’s approach to EASM
Taking the time to evaluate and select an external attack surface management vendor is critical to finding a solution provider that aligns with your goals and brings proven experience. External attack surface management is gaining adoption because of its complementary role to pentesting. Think of EASM as continuous, always-on penetration testing with the ability to discover assets and monitor them at scale for real-time exposure alerts. All of this information is presented in prioritized order within a centralized EASM platform.
Global organizations trust NetSPI’s Attack Surface Management (ASM) solution to monitor their external attack surfaces. Through a combination of our powerful ASM platform, global penetration testing experts, 20+ years of pentesting expertise, and comprehensive methodology, we can help your organization discover and address vulnerabilities before adversaries do.
Learn more about NetSPI’s attack surface management solutions or request a demo.
For more insights on external attack surface management, watch the full on-demand external attack surface management webinar with featured guest Forrester analyst Erik Nost.
[Post: “The Ins and Outs of External Attack Surface Management: What You Need to Know”, published 2023-02-28, https://www.netspi.com/?p=29545]

[Post published 2023-02-07]
NetSPI prides itself on maintaining a leadership position in the global offensive security space by listening to client feedback, analyzing industry trends, and investing in breakthrough technology developments.
Over the last few months, our development teams have been busy, and are excited to introduce a variety of new features and capabilities across our Breach and Attack Simulation, Attack Surface Management, and Penetration Testing as a Service (PTaaS) solutions to help organizations improve security posture, streamline remediation, and protect themselves from adversaries.
Of the releases across our solutions portfolio, Breach and Attack Simulation (BAS) received the most significant updates, so let's start there.
Breach and Attack Simulation (BAS)
NetSPI BAS data shows that only 20% of common attack behaviors are detected by traditional EDR, SIEM, and MSSP solutions. Although most companies spend thousands, even millions, of dollars on detective controls, very few test to validate if they work and provide the value they claim to.
NetSPI’s Breach and Attack Simulation is designed to evaluate detective control effectiveness and educate security operations teams around common TTPs across the cyber kill chain. After many invaluable feedback sessions with NetSPI clients and hours of market research, we are excited to unveil major updates to our Breach and Attack Simulation platform, dialing in on three core dashboards: the Workspace, Timeline, and Heat Map dashboards.
Workspace
The Workspace is where red teams, purple teams, security engineers, and analysts will spend a majority of their time. Here, they can build, configure and run customized procedures to test their detective controls. Key features within the Workspace include:
- Utilize preconfigured procedures – or customize your own – to put detective controls to the test
- Visualize security posture and identify gaps using detailed summary charts that update in real time. These can be saved and downloaded to easily share with SOC teams and executive leadership to highlight gaps and justify budget for new staff and technology.
- While in the Workspace, users can also learn about each detection phase (logged, detected, alerted, responded, and prevented) for common TTPs within the Mitre ATT&CK framework – down to the individual procedure level.
- The Activity Log feature allows security teams to ditch the spreadsheets, wiki pages, and notepads they currently use to track information around their detective control capabilities and centralize this information from a summary viewpoint down to the findings level, allowing streamlined communication and remediation. It will also automatically log play execution and visibility state changes.
- Tags allow security teams to see the number of malware and threat actors that use the specific technique, helping prioritize resources and remediation efforts. Tags can also be leveraged to generate custom playbooks that include procedures used by unique threat actors, allowing security teams to measure their resiliency to specific threats quickly and easily.
- Export test results in JSON or CSV, allowing the SOC team to plug information into existing business processes and products, or develop customized metrics.
In summary, the Workspace is designed to educate and enable security teams to understand common attack procedures, how to detect them, and provide resources where they can learn more.
Timeline
While the Workspace shows a lot of great information, it focuses on a single point in time. The Timeline dashboard, however, allows you to measure detective controls over time.
This allows security teams to prove the value of investments in people, processes or technology. The Timeline Dashboard will also show where things have improved, stayed the same, or gotten worse at any stage of the Mitre ATT&CK kill chain.
While many competing BAS offerings only show what is being alerted on, a unique differentiator for NetSPI is the ability to filter results and show changes in what is logged, detected, alerted, responded, and prevented. These changes can be shown as a percentage (e.g. logging improved 5 percent) or a count (e.g. logging improved within two different procedures). As with the Workspace, these charts can be downloaded and easily inserted into presentations, emails, or other reports as needed.
For additional information on how NetSPI defines logging, detection, alerting, response, and prevention, read How to Paint a Comprehensive Threat Detection Landscape.
Heat Map
Security teams often refer to the Mitre ATT&CK framework, which shows the phases, tactics, or techniques of common TTPs and procedures seen in the wild. We know that many teams prefer seeing results in this framework, and as such, have built it into our Breach and Attack Simulation platform. BAS delivers a familiar way to interact with the data, while still connecting to the workspace created for detection engineers and other security team members.
As mentioned in the Timeline dashboard, a key differentiator is that we show the different visibility levels (logged, detected, alerted, responded, and prevented) within the Mitre ATT&CK framework coverage within each phase of the cyber kill chain and even down to each specific technique.
Here, we also have the ability to dig in and show all of the procedures that are supported within each technique category. These are then cross-linked back to the Workspace, to streamline remediation and re-testing of specific coverage gaps.
This is a quick summary of a few new features and benefits included in our updated Breach and Attack Simulation solution. If you would like to learn more, we encourage you to read our release notes, or contact us for a demo.
Attack Surface Management (ASM)
Attack Surface Management continues to be a major focus and growing technology within the cybersecurity industry. NetSPI’s most recent ASM updates focus on organizing, filtering, and expanding on information that was previously included, but will now be even easier to locate and pull actionable information from.
Three key new feature highlights from last quarter include Vulnerability Triggers, Certificate Transparency Logs, and the Subdomain Facet within our domain explore page.
Vulnerability Triggers
First off, what is a vulnerability? Vulnerabilities consist of any exploits of significant risk identified on your attack surface, which are found by combining both assets and exposures. Although a specific asset or exposure might not be very impactful, when combined into a series of steps it can result in a much greater risk.
With the recent introduction of Vulnerability Triggers, admins can now query assets and exposures for specific criteria based on preconfigured or customized search results, and alert on the ones that are the most concerning to you or your company. These Vulnerability Triggers can now be customized to search for criteria related to Domains, IPs, or Ports.
Long story short, Vulnerability triggers allow your company to not only search for common assets, exploits and vulnerabilities, but also key areas of concern for your executive team, industry, organization, or project.
Certificate Transparency Logs & Subdomain Facet
The next two new features are focused on root domain and subdomain discovery.
NetSPI’s ASM has searched root domains and subdomains since its creation; now we are proud to officially introduce Certificate Transparency Logs! We now ingest certificate transparency logs from public data sources, allowing us to significantly increase domain discovery.
We are also excited to announce the release of our Subdomain Facet within our domain explore page. It is common for companies to have tens, or even hundreds, of subdomains on their attack surface; with the Subdomain Facet within our domains explore page, you will now be able to filter the common subdomains on your attack surface.
A great use case example of this is to discover development subdomains (dev.netspi.com, stage.netspi.com, or prod.netspi.com, etc.) where sensitive projects or intellectual property might be located, and unintentionally exposed externally.
Another common use case for these types of features could be to detect subdomains that have been hijacked by malicious adversaries in an attempt to steal sensitive customer or employee information.
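To show concretely what certificate-transparency-based discovery and a subdomain facet do, here is an added illustration written for this page; it is not NetSPI's code and does not reproduce the ASM platform. It assumes CT data in the JSON shape returned by crt.sh (fields issuer_name, name_value, not_before), with constructed entries under example.com rather than real log data. It normalises the names (case, trailing dots, wildcard prefixes), keeps only hostnames that genuinely fall under the in-scope root (a name that merely contains the root as a substring is dropped), counts the leftmost label as a facet, and flags environment-style labels such as dev, stage or prod, which is the use case described above.

```python
import json
from collections import Counter

# Constructed sample in the shape of crt.sh's JSON output (assumption: the
# entries are made up for this example and use example.com, not real data).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "CN=Constructed Test CA",
     "name_value": "www.example.com\nexample.com", "not_before": "2024-01-10T00:00:00"},
    {"issuer_name": "CN=Constructed Test CA",
     "name_value": "dev.example.com", "not_before": "2024-02-02T00:00:00"},
    {"issuer_name": "CN=Constructed Test CA",
     "name_value": "*.stage.example.com", "not_before": "2023-11-20T00:00:00"},
    {"issuer_name": "CN=Constructed Test CA",
     "name_value": "api.example.com\nstaging-api.example.com", "not_before": "2024-03-01T00:00:00"},
    {"issuer_name": "CN=Constructed Test CA",
     "name_value": "DEV.example.com.", "not_before": "2022-05-05T00:00:00"},   # case / trailing-dot duplicate
    {"issuer_name": "CN=Constructed Test CA",
     "name_value": "www.example.net", "not_before": "2024-01-01T00:00:00"},    # different root: out of scope
    {"issuer_name": "CN=Constructed Test CA",
     "name_value": "example.com.lookalike.test", "not_before": "2024-01-01T00:00:00"},  # contains the root but is not under it
])

# Environment-style labels worth reviewing for unintended exposure (the list is
# an assumption for this example; tune it to your own naming conventions).
ENV_TOKENS = {"dev", "develop", "development", "stage", "staging", "test", "testing",
              "uat", "qa", "sandbox", "preprod", "prod"}


def _in_scope(name, roots):
    """Return the root domain that `name` sits under, or None."""
    return next((r for r in roots if name == r or name.endswith("." + r)), None)


def parse_ct_names(ct_json, root_domains):
    """Extract de-duplicated hostnames under the given roots from CT log JSON."""
    roots = [r.lower().strip(".") for r in root_domains]
    found = set()
    for entry in json.loads(ct_json):
        # crt.sh packs all SAN entries of one certificate into name_value, newline-separated
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # wildcard cert: record the parent name it covers
            if name and _in_scope(name, roots):
                found.add(name)
    return sorted(found)


def subdomain_facet(hostnames, root_domains):
    """Count the leftmost label of each hostname (the 'subdomain facet')."""
    roots = [r.lower().strip(".") for r in root_domains]
    facet = Counter()
    for host in hostnames:
        root = _in_scope(host, roots)
        if root is None or host == root:
            continue                     # the apex itself has no subdomain label
        facet[host.split(".")[0]] += 1
    return facet


def flag_environment_hosts(hostnames):
    """Hosts whose leftmost label contains an environment-style token (dev, stage, ...)."""
    flagged = []
    for host in hostnames:
        tokens = host.split(".")[0].replace("_", "-").split("-")
        if any(t in ENV_TOKENS for t in tokens):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    hosts = parse_ct_names(SAMPLE_CT_JSON, ["example.com"])
    print("discovered:", hosts)
    print("facet:", dict(subdomain_facet(hosts, ["example.com"])))
    print("environment-style hosts to review:", flag_environment_hosts(hosts))
```

The suffix check in `_in_scope` is the detail that matters in practice: matching on "contains example.com" would pull look-alike names into your inventory, while the wildcard handling makes sure a `*.stage.example.com` certificate still surfaces `stage.example.com` as a host worth inventorying.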
This is a quick summary of a few new features and benefits included in our Attack Surface Management offering, however if you would like to learn more, we encourage you to read our release notes, or contact us for a demo.
Penetration Testing as a Service (Resolve™)
NetSPI’s Resolve, our penetration testing as a service (PTaaS) platform, has been an industry leader for years, allowing users to visualize their test results and streamline remediation by up to 40%. This product would not be able to remain a leader without continued updates from our product development teams.
Recently, we have been focused on delivering updates to enhance the user experience and make data within the platform to be more accessible and easily leveraged within other security team processes and platforms.
AND/OR Logic
Previously, when users created filters in the grid, either AND logic or OR logic could be applied to filtered search results. We are excited to introduce AND/OR Logic to filters, allowing users to combine both AND logic and OR logic in one filter to deliver more detailed results to their security teams or business leaders.
Automated Instance State Workflow
Finally, we have introduced automated instance state workflows to include bulk edits. Previously, this was only applicable while updating individual instance states. This change improves efficiencies within the Resolve platform for entire vulnerability management teams.
This is a quick summary of a few new features and benefits included in our PTaaS solution, however if you would like to learn more, we encourage you to read our release notes, or contact us for a demo.
This blog post is a part of our offensive security solutions update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and BAS (Breach and Attack Simulation).
Read past solutions update blogs:
“External attack surface management (EASM) helps security and risk pros better assess third parties and M&A targets, uncover and reduce cloud sprawl, and bring IT and security into agreement about risk prioritization,” according to Forrester.
The global research and advisory firm recently released its inaugural research, The External Attack Surface Management Landscape, Q1 2023, which recognizes 36 different vendors, including NetSPI. The report aims to help organizations understand the value they can expect from an EASM solution and navigate the crowded market.
To dig deeper into the findings, we invited Forrester senior analyst and vulnerability management expert Erik Nost to join us as a guest speaker, where we’ll explore:
- Common misconceptions associated with attack surface management.
- How organizations are using EASM today to bring value to their organizations.
- The convergence of ASM, CSPM, VRM, CTEM, and similar solutions.
- Key considerations for selecting an EASM partner.
- and much more.
On November 17, NetSPI Head of Product, Cody Chamberlain, and VP of Services, Cody Wass, were featured in the Cyber Security Podcast on Spotify. Read the preview or listen to the full episode online.
+++
Today's glimpse is with Cody Wass, Vice President of Services, and Cody Chamberlain, Head of Product, of NetSPI, hosted by Wendy Meadley, CEO, Next Phase Studio. The Codys, as they are "affectionately nicknamed", shed light on how technology alone cannot solve the greatest cyber security challenges. It is achieved when you effectively leverage technology to maximize the value of human creativity, experience and ingenuity.
[Post: “Cyber Security Summit: A Conversation with Cody Wass and Cody Chamberlain of NetSPI”, https://www.netspi.com/?p=29021]

[Post published 2022-08-02]
NetSPI CEO Aaron Shilts recently wrote an article that centered around this powerful statement: Technology cannot solve our greatest cybersecurity challenges. People can.
As Head of Product, this statement gave me a critical opportunity to pause and reflect on my team’s purpose and ask, “What is the true intent of our technology innovation?”
The answer was abundantly clear: Technology should empower people and maximize the value of human creativity, experience, and ingenuity. It should enable people to do more, with less.
But neither technology nor people can be a force multiplier on their own. It all comes back to the intersection of the two. Data is just data unless you can derive intelligence from it, and tools are just tools unless you can leverage them to deliver outcomes. Shelfware has never made anyone secure.
Cybersecurity Technology Pitfalls
Today, security programs are faced with a dilemma of not having enough people to tackle their greatest challenges, yet technology alone has not provided the level of efficacy to improve security programs. Without people, technology cannot:
🚫 Understand unique organizational needs
Company infrastructures are distinct. While many organizations have the same technical security controls or operate in the same industry, the ways the controls are implemented and operationalized, and the context of each infrastructure can differ greatly. Additionally, risk profiles and tolerance vary. External pressures may be different, driving additional bifurcation in how they approach a specific problem. Technology alone cannot identify these nuances and adjust.
🚫 Continuously manage and operationalize itself
Tools need to be run. The process of evaluating, implementing, and operationalizing technology requires humans. This process often takes focus away from defending against cyber attacks. When we have limited resources, we need to make sure they are focused on the right aspects of the greater mission.
🚫 Support security programs in a cost-efficient way
The security industry is crowded with technology vendors offering a wide range of solutions. Research platform CyberDB has compiled a list of cybersecurity vendors which includes 3,500 companies – just in the US. It has become difficult for security leaders to effectively implement supportive technologies in a cost-efficient way due to redundant functionality, gaps in coverage, and other challenges that come with the crowded market.
The Spectrum of Cybersecurity Tools
To truly understand the value of the intersection of technology and talent, it’s important to define the opposite ends of the spectrum – from traditional services/consulting firms to standalone technology platforms.
- Traditional Services/Consulting Firms:
- Expectations: A comfortable and trusting relationship with specific resources; easy to procure; professional services contracts are well understood; processes are easy to onboard and manage
- Reality: Slow to scale; only as good as the consultant assigned; not maximizing the value; expensive; time consuming
- Standalone Technology Platforms:
- Expectations: All-in-one solution to a problem; use existing resources to manage the platform; low touch management
- Reality: Lacks efficacy; purchased technologies do not meet expectations; requires dedicated resources to manage; opaque (“trust us it works”); operates without context specific to your business needs and risk profile
So, how do you get the best of both worlds?
Platform Driven, Human Delivered
The solution to effectively execute the industry’s security missions with limited human capital lies within the combination of technology and talent. Together, they can be a force multiplier for the industry.
At NetSPI we call this “platform driven, human delivered.” In our approach, we use technology to maximize human value by focusing human value on the right assets, at the right time.
We “automate the automatable.” In other words, we leverage automation to handle mundane and repetitive tasks that take up valuable time for a human to perform. Take our three core services for example:
Penetration Testing as a Service (PTaaS)
The following features in Resolve™, our PTaaS platform, help to ensure our global pentesting team spends more time focused on higher severity issues like authentication, session management, and replicating real attacker behavior during our engagements.
- Processing scans on behalf of the pentesters. Using our correlation engine, we’re able to bring disparate scan outputs into one finding.
- Providing additional dimensions of data to findings to help better prioritize the remediation of findings with Risk Scoring.
- Report generation. Our consultants do all their testing within a process management workflow which allows them to simply generate a report at any point in the engagement.
- Process management. Deliver quality and consistency through workflow and process management automation, quality assurance, and communication. Adding automated components to these functions allows the pentesters to be more creative in their approaches and spend time finding higher severity findings.
Attack Surface Management
The following features of our attack surface management solution combine the power of technology and talent by:
- Leveraging the cloud. We’ve taken our tools and techniques from over 20 years of external network penetration testing and are now utilizing the advancements in cloud technology to effectively scale that IP / knowledge capital.
- Continuous monitoring. Leverage technology to continuously monitor clients' known assets and ensure they are free from critical issues, and provide visibility into the aspects of their attack surface they are unaware of.
- Using human input to determine signal vs. noise. In tandem, we utilize our human experts to parse and manage that data to extract “the signal from the noise” to help organizations understand what’s at risk and which exposures to prioritize.
- Making all the data available to clients in the platform so they can use it for analytics and pattern identification.
Breach & Attack Simulation
On average, NetSPI clients detect roughly 15% of the attack techniques we run in their environments – this includes security programs that have spent millions on controls. We automate the automatable by:
- Connecting the execution of attacks in client environments with a NetSPI expert to help prioritize and get context into how we benchmark against industry peers.
- Automating attack plays that map back to the MITRE ATT&CK framework, paired with human expertise to help make informed prioritization decisions about the attack techniques most relevant to your business.
- Tracking ongoing improvements, or regressions, in detection capabilities over time to empower defense teams to make the case for additional resources and shore up their defenses.
Becoming a Force Multiplier in Offensive Security
As an industry, we need to take a step back and evaluate, “what do we need to do to protect ourselves?” What are our priorities?
From an offensive security perspective, our clients have the need to identify all assets, identify vulnerabilities on those assets, and remediate them. No one person, nor one tool can achieve these goals. But together? The opportunity for success is exponential.
After all, technology cannot solve our greatest cybersecurity challenges. People and technology can.
Post title: The Intersection of Cybersecurity Technology and Talent
Excerpt: Learn why technology and talent cannot succeed on their own and read examples of how the two create massive opportunity for the cybersecurity industry.
URL: https://www.netspi.com/?p=28127 (slug: cybersecurity-technology-and-talent; last modified 2023-05-23)

Next post (ID 28032, author 73, published 2022-06-30):
On June 30, 2022, NetSPI Head of Product Cody Chamberlain was featured on the CyberWire Daily podcast. Read the summary below or listen to episode 1610 online (starts at 14:37).
+++
- The two pillars of breach communications: There are things you have to do and things you should do when responding to clients. Empathy and transparency will be key in communicating with them.
- Plan the work, work the plan: Building the incident response plan, knowing who to work with, and trusting the process will give you the confidence you need, so emotions are less likely to take over.
- Empathize with clients: Being transparent with clients will address their needs and worries.
On June 6, 2022, NetSPI Head of Product, Cody Chamberlain, was featured in an interview on TechStrong called Data Breach Communication – Cody Chamberlain, NetSPI. Read the summary below or listen to the interview online.
+++
Data breaches are occurring more frequently than ever before – even with the best security precautions in place. While a cyber-attack may be out of an organization’s control, one thing it can and should control is how it communicates a breach to involved parties. Cody Chamberlain, NetSPI Head of Product, discusses the three key elements to implementing a successful data breach communication strategy: an incident response plan, open communication, and transparency.
Post title: Techstrong: Data Breach Communication – Cody Chamberlain, NetSPI
Excerpt: NetSPI Head of Product, Cody Chamberlain, was featured in an interview on TechStrong called Data Breach Communication – Cody Chamberlain, NetSPI.
URL: https://www.netspi.com/?p=27897 (slug: techstrong-data-breach-communication-plan; last modified 2023-01-23)

Next post (ID 27803, author 73, published 2022-05-23):
On May 23, 2022, NetSPI Head of Product, Cody Chamberlain, published an article in Security Magazine called The Do’s and Don’ts of Communicating a Data Breach. Preview the article below, or read the full article online.
+++
Data breaches are occurring more frequently than ever before, even when organizations have the best security precautions in place. According to the Identity Theft Resource Center’s 2021 Data Breach Report, data breaches rose 68% from the previous year, reaching the highest number ever reported. That said, while a cyberattack may be out of an organization’s control, one thing it can and should control is how it communicates a breach.
Many corporations have developed canned responses to breaches along the lines of “We identified a breach of our systems, and you have been identified as being impacted. Your security is of the utmost importance to us, so we’re providing you with free monitoring.”
However, more sophisticated and impactful breaches need a more detailed response plan: one that focuses on getting systems back online and defines what steps the organization will take to prevent another breach from occurring. There are three key elements to implementing a successful data breach communication strategy: an incident response plan, consistent communication, and transparency.
Lean into the Incident Response Plan
An incident response plan is one of the most critical components of the customer notification process, as it enables an organization to acknowledge they’ve fallen victim to an attack, but also take ownership and focus on the customer.
Following a data breach, the customer ultimately wants to know three things: if their data has been stolen, the risk to the data at the time of the incident, and if they need to take additional action with the government or law enforcement to assist in the investigation.
The incident response plan should provide accurate and timely information that accounts for all these customer questions and keeps their best interests in mind. This plan must be communicated and adopted beyond security and IT teams by a crisis management team that extends across all departments. Every person in the communications chain must report their findings to the executive level for all angles and aspects of the breach to be considered.
An organization must also proactively work with legal and finance teams to understand which regulatory bodies, government entities, and insurance agencies to notify. Once all information is made clear, the organization can convey the details of the incident to the customer in a quick and straightforward manner, and, in high-profile situations, present the case to the public.
Read the full article online.
Post title: Security Magazine: The Do’s and Don’ts of Communicating a Data Breach
Excerpt: NetSPI Head of Product, Cody Chamberlain, published an article in Security Magazine called The Do’s and Don’ts of Communicating a Data Breach.
URL: https://www.netspi.com/?p=27803 (slug: security-magazine-dos-and-donts-communicating-data-breach; last modified 2023-01-23)

Next post (ID 27398, author 53, published 2022-02-21):
Security leaders today are experiencing change at a rate like never before. Whether they’re going through an acquisition, deploying a remote workforce, or migrating workloads to the cloud, change is inevitable and unknown assets are sure to exist on your network.
Detecting and preventing the unknown is no easy task. But what you don’t know can hurt you. So, how can we identify vulnerable exposures before adversaries do?
It’s time for organizations to master the art of attack surface management. How? By implementing a human-first, continuous, risk-based approach.
In this webinar, participants will learn:
- What is attack surface management?
- How cyber attack surface management fits into broader enterprise-wide vulnerability management efforts
- How to improve your attack surface visibility with continuous penetration testing
- Why a human-first approach is the future of attack surface monitoring
- An introduction to NetSPI’s Attack Surface Management (ASM) solution and our ASM Operations Team
Gartner anticipates that, by 2022, organizations that use a risk-based vulnerability management process will experience 80% fewer breaches. So, how can an organization make this shift and achieve a risk-based vulnerability management program? Two words: Risk scoring.
Leveraging risk scores for remediation prioritization and quantifying risk allows companies to prioritize budgets and resource allocation and focus on the security activities that could have the greatest impact to their business. And the idea of incorporating risk scoring intelligence to make the shift to a risk-based vulnerability management program is evolving.
Through the collaboration of NetSPI’s development, engineering, and product teams, we’ve uncovered an accurate, data-driven methodology to calculate both aggregate and vulnerability risk scores using the data available from our penetration testing and vulnerability management platform, Resolve™. Let’s dig deeper.
What is risk scoring?
In its most abstract form, risk is “the effect of uncertainty on objectives” that involves exposure to danger. At its foundation, cyber security risk is ultimately a function of (threat x vulnerability). While the definitions are helpful, it is important to look at your security program with a new lens and ask how your organization quantifies its risk, and whether it is even important to do so. Simply, the answer is yes. Quantifying and measuring cybersecurity risk is one of the most important components of a successful risk-based vulnerability management program.
The evolution of risk-based vulnerability management
Vulnerability incident resolution used to be reactive. Companies would wait for something to be exploited, then fix it. As IT systems became more integral to business operations, the need to be proactive in cyber defense became evident. Many tools have been developed that can hastily provide a list of vulnerabilities, but companies were quickly overwhelmed and overloaded with the number of identified vulnerabilities without direction or priority assigned for remediation.
The introduction of Governance, Risk, and Compliance (GRC) software that could correlate all vulnerabilities aligned to business controls and identify the “true risks” to the company allowed some prioritization of risk. This management activity was done through technology in a system without human touch, lacking real world controls and exceptions. This caused the technologies to be complicated, difficult to implement, and require extensive customization. The latest vulnerability management market entrants are touting their ability to utilize AI to try and predict an exploit before it ever happens. But organizations are spending a lot of money on this technology, and it’s hard to predict. The usage of AI and other automated tools opaquely calculates the likelihood of a vulnerability exploit and offers limited customization to the companies using the technology.
Today, the gold standard is a risk-based vulnerability management program. One where we prioritize vulnerability remediation efforts based on the true risk it presents to your specific organization, as opposed to a program that focuses purely on compliance "check the box" activities or a program that is so overwhelmed it remediates vulnerabilities ad-hoc as they show up, as opposed to appropriately prioritizing them.
For more insights, watch our webinar: The Evolution of Risk-Based Vulnerability Management.
How to use your risk score metrics to help find, prioritize, and fix vulnerabilities
Risk scoring allows companies to manage their evolving attack surface unlike they were able to before. The first step is to develop a customized risk lifecycle that will be the foundation on which risk data is generated. This includes identifying both the external and internal threats and vulnerabilities, as well as the assets that could be attacked. The decision then must be made on the best course of treatment, with options including mitigating, transferring, or accepting the risk.
Here are the seven factors that impact how risk scores are determined in our Resolve™ platform:
- Impact – If this vulnerability were to be exploited, how severe would its impact be?
- Likelihood – How likely is it that an attacker can and will attack this space?
- Environmental Modifiers – Think broadly about the asset and the environment in which the vulnerability is located.
- Temporal Modifiers – Focuses on exploit code maturity, confidence, and remediation requirements. Temporal modifiers bring your risk score to life.
- Industry Comparisons – How does your risk compare to other organizations or peers in your sector?
- Threat Actors – Are threat actors actively exploiting vulnerabilities present in your environment?
- Remediation Risk – Using the remediation SLAs available through PTaaS, all vulnerabilities are automatically assigned customizable due dates. Use remediation risk to determine your aggregates that require attention from a compliance perspective.
Vulnerability risk scoring is particularly beneficial for remediation prioritization when you weigh vulnerability risk against the cost of resolution. If a vulnerability is rated high severity but the impact on your business would be low if it were exploited, its risk score will be on the lower side, and it may not be worth spending the money to fix it. And vice versa.
When it comes time to put your risk score to use, here are a few remediation considerations to keep in mind:
- Prioritize – Prioritization is the most difficult part. Companies today can effectively identify vulnerabilities through penetration testing services, but how do they figure out which ones to fix first? What are the true risks to the business? This will vary depending on your business.
- Evaluate – Organizations must understand the efficacy of their risk mitigating controls. Manual pentesting and vulnerability scans still need to be done to validate your efforts are working as intended.
- Utilize the Data – Once you have a risk score, use it to validate and drive decisions around resource allocation, remediation prioritization, spend validation, track risk over time, industry benchmarking, and more.
- Effectiveness – Are you on track to remediate your vulnerabilities before any threat materializes? Are your vulnerability and aggregate risk scores improving over time?
We see it every day. Companies are facing an immense number of vulnerabilities that humans have to manually sift through to assess and prioritize. Having a risk-based vulnerability management program in place allows organizations to identify, prioritize and remediate risks within their organization, saving time, headaches, and – perhaps most importantly – dollars in the end.
Post title: The Secret to a Successful Risk-Based Vulnerability Management Program: Risk Scoring
Excerpt: Learn why risk scoring can help organizations achieve a risk-based vulnerability management program and, in turn, experience 80% fewer breaches.
URL: https://www.netspi.com/?p=26115 (slug: secret-to-risk-based-vulnerability-management-program-risk-scoring; last modified 2022-12-16)

Next post (ID 25477, author 73, published 2021-06-01):
A Bloomberg Intelligence report forecasts cybersecurity spend to exceed $200 billion a year by 2024, driven by “faster-than-expected adoption of cloud-based security.” Further, Gartner says that the proportion of IT spend moving to the cloud will increase in the aftermath of the pandemic. Not to mention spending on cloud infrastructure such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and others reached $39.9 billion in the fourth quarter of 2020 – up $10 billion from 2019.
Simply put, cloud is top of mind for all security professionals today as it is a natural way to increase capacity or deploy projects in this new realm. The increased emphasis on cloud can be attributed to the pandemic-driven demand to support remote working and learning, ecommerce, content streaming, online gaming, and collaboration, according to Canalys.
As cloud adoption accelerates (and shows no signs of slowing), there is no better time to take a deeper look at common cloud security challenges and learn how to modernize your cloud penetration testing efforts to mature your cloud security program effectively and efficiently.
5 common cloud security challenges and risks
- Managing cloud workloads deployed outside traditional security governance processes. Access to entire technology stacks is available to anyone with only a credit card swipe. This access to technology outside of your security governance processes, or Shadow IT, depends solely on the awareness of that business unit of the security needs of those projects. If you can identify workloads that were deployed outside of your IT environment, you can test the disparate environment to gain some level of assurance that it was deployed securely while supporting a business unit with unique needs that may not be available from the traditional IT programs.
- Resource asymmetry between attackers and defenders. Attackers are limited only by their persistence when attacking your cloud environment. On the other hand, security teams are constrained by budget limitations, resource constraints, and a myriad of other challenges. Cloud configuration assessments informing a penetration test give you the ability to identify the issues an attacker could identify, but in an efficient way that maximizes your investments.
- A simple error can have a catastrophic impact. Traditional IT infrastructures are notoriously slow to adapt to innovation but have the benefit of several layers of defense. Infrastructure-as-Code delivers entire data center capabilities in a Python script, but one minor error in the deployment can provide direct, internet-facing access to your environments.
- The cloud is evolving, and attackers are identifying novel attacks faster than the security industry is able to protect the attack surface. Cloud environments can be very complex and providers like AWS, Azure, and Google Cloud release new capabilities so often it’s difficult for security to keep up. For example, in April 2021, AWS posted nearly 200 announcements about new capabilities, services, features, and region expansions. 200 announcements in a single month. There are not enough people with tenured, seasoned experience in deploying cloud workloads to do it securely. It’s no surprise that cloud security topped ISC2’s list of most important skills needed to pursue a cybersecurity career.
- Lack of awareness that cloud security follows the shared responsibility model. It is right to trust cloud providers to secure aspects of your workloads; however, your security team also retains significant responsibility for security as you migrate to the cloud. This concept is the shared responsibility model, and it varies by provider and service type. Defining your and your providers’ responsibilities is imperative for reducing the number, and criticality, of vulnerabilities introduced into your cloud environments. You can review the shared responsibility models for Microsoft, Amazon, and Google Cloud online.
How to modernize your cloud penetration testing efforts with configuration review
It can be difficult to understand the difference between testing an application that is hosted in a cloud environment and testing the environment in which an application is hosted. Both are vital.
While network penetration testing and application penetration testing focus on identifying vulnerabilities on a particular series of assets within an environment, cloud penetration testing requires a different approach. Because the cloud is an environment itself, it is important to also look at the infrastructure supporting the environment, not solely the applications and assets deployed as a part of the workload. Not only are you testing workloads; you need to also identify issues inherited from parent subscriptions such as elevated IAM privileges or privileged access to sensitive systems and/or data.
Most organizations are testing cloud environments the same way they've been testing for years, resulting in a massive gap in attack surface visibility. If an organization truly wants comprehensive testing, a focus on cloud configuration should be a large component of your cloud penetration testing strategy.
A configuration review is used to inform a penetration test. If you were to approach cloud penetration testing the way you approach traditional application or network penetration testing, you would be blind to the configuration of the platform.
An analogy that works well to explain configuration review is a doctor’s visit. If you want a doctor to identify what is wrong with you in an hour-long visit, you’d have to inform them of your symptoms, medical history, recent activity, etc. Without the background information on your health, it would require excessive time and resources to run blood tests, x-rays, etc. to get the information needed to identify what the potential issue is. A configuration review is similar in that it gives pentesters the ability to identify root issues in an efficient way, the same way a malicious attacker would over the course of months – or years. It allows pentesters to act as closely to an attacker as they can within the parameters of your security budget.
Configuration reviews also allow testing teams to provide context to penetration test findings. Say you misconfigured a storage bucket. With a greater understanding of the configuration issues, you gain insight into the root cause of critical vulnerabilities caused by the misconfiguration. For example, “we found an issue with this storage bucket which allowed us to exploit _____ during the penetration test.”
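Much of a configuration review is mechanical, which is exactly why it pairs well with a human-led test: the tooling surfaces the candidates, the tester decides which ones matter. As an added example (not NetSPI's tooling or Resolve™), the Python below reviews constructed AWS IAM and S3 policy documents for the conditions a pentester would chase first: anonymous principals with no Condition narrowing them, wildcard grants, privilege-escalation primitives such as iam:PassRole, and Allow statements written with NotAction. The account ID, bucket name and role names are made up for the example.

```python
import json

# Constructed sample policy documents, keyed by the resource they are attached to.
# They stand in for what a configuration review would export from the account;
# the account ID, bucket and role names are invented for this example.
SAMPLE_POLICIES = {
    "arn:aws:s3:::example-reports-bucket/policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
        }],
    }),
    "arn:aws:iam::123456789012:role/ci-deploy/inline": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["iam:PassRole"],
             "Resource": "arn:aws:iam::123456789012:role/app-task"},
        ],
    }),
    "arn:aws:iam::123456789012:role/reporting-lambda/inline": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-reports-bucket/*"}],
    }),
}

# Actions a tester will try to chain into privilege escalation (IAM action names are
# case-insensitive, so everything is compared in lower case).
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:attachrolepolicy", "iam:putrolepolicy", "iam:updateassumerolepolicy",
    "iam:createaccesskey", "iam:attachuserpolicy", "sts:assumerole",
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the anonymous principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def review_policy(arn, document):
    """Return review findings (list of dicts) for one parsed policy document."""
    findings = []
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        # 1. Anonymous access on a resource policy with nothing narrowing it. A Condition
        #    (for example aws:SourceVpce) may make it acceptable, so those are left to the tester.
        if "Principal" in stmt and _principal_is_anyone(stmt["Principal"]) and not conditioned:
            findings.append({"arn": arn, "check": "public-access",
                             "detail": "anonymous principal allowed " + ", ".join(actions)})

        # 2. Wildcard grants: full administrator, or a whole service on every resource.
        if "*" in actions and "*" in resources:
            findings.append({"arn": arn, "check": "admin-privileges",
                             "detail": "Action * on Resource *"})
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            wide = ", ".join(a for a in actions if a.endswith(":*"))
            findings.append({"arn": arn, "check": "service-wide-wildcard",
                             "detail": wide + " on Resource *"})

        # 3. Privilege-escalation primitives, reported with the resources they apply to.
        hits = sorted(set(actions) & ESCALATION_ACTIONS)
        if hits:
            findings.append({"arn": arn, "check": "priv-esc-primitive",
                             "detail": "grants " + ", ".join(hits) + " on " + ", ".join(resources)})

        # 4. NotAction grants everything except the listed actions and needs a human read.
        if "NotAction" in stmt:
            findings.append({"arn": arn, "check": "notaction-grant",
                             "detail": "Allow with NotAction; verify the excluded set"})
    return findings


def review_all(policies):
    """Review a mapping of ARN -> policy JSON string and return every finding."""
    results = []
    for arn, raw in policies.items():
        results.extend(review_policy(arn, json.loads(raw)))
    return results


if __name__ == "__main__":
    for r in review_all(SAMPLE_POLICIES):
        print(f"[{r['check']}] {r['arn']}: {r['detail']}")
```

Run against the samples, the bucket policy is reported as public, the ci-deploy role is reported twice (full admin plus an iam:PassRole primitive) and the reporting-lambda role is clean. That output is the "medical history" the analogy above describes: the tester now knows the bucket is readable by anyone before spending a minute of engagement time, and can go straight to proving what the exposed objects allow.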
Another emerging concept within modern cloud penetration testing is continuous testing and monitoring. Cloud environments are ephemeral (they have short lifecycles), so we often hear the question: how helpful is the information from a cloud penetration test if the environment keeps changing? If you are reviewing the configuration of your cloud platform to support penetration testing efforts, you’ve set the foundation for cloud security success. To address the ephemeral nature of the cloud, more frequent tests and continuous monitoring of the attack surface are key tactics for staying on top of newly introduced vulnerabilities.
Final thoughts
There is no better time than now to rally your security testing and cloud teams together to talk about what cloud testing means for your organization. When configuration review is included, cloud penetration testing allows you to not only test for vulnerabilities, but also develop an inventory of your cloud workloads, understand what data is in those workloads, and develop your testing plan for cloud-based applications.
Post title: Overcome Cloud Security Challenges with Purpose-Built Cloud Penetration Testing
Excerpt: Take a deeper look at common cloud security challenges and learn how to modernize your cloud penetration testing efforts with configuration review.
URL: https://www.netspi.com/?p=25477 (slug: purpose-built-cloud-penetration-testing; last modified 2023-03-16)

Next post (ID 25368, author 53, published 2021-05-13):
Overview
Over time, the way we view cyber security risk has evolved the penetration testing industry. What once was a static laundry list of vulnerabilities to remediate is now a risk-based vulnerability management program. Modern penetration testing should provide more than a list of vulnerabilities. To be effective, it must guide organizations to effectively prioritize the vulnerabilities, assets, networks, etc. that pose the highest risk to the business.
In this webinar, NetSPI’s product team, Jake Reynolds and Cody Chamberlain, will discuss how risk has evolved in penetration testing services, the role of risk scoring in intelligent prioritization of security activities, the factors that impact a risk score, and pragmatic steps to take after you receive a risk score.
Key Highlights:
- 2:18 – What is risk?
- 8:07 – Evolution of risk assessment
- 12:34 – How risk scores are created
- 21:49 – NetSPI’s risk scoring
What is Risk?
In its most abstract form, risk is the effect of uncertainty on objectives. From an information security and cyber IT perspective, organizations have defined risk as threat times vulnerability: if there is no threat but you're vulnerable, there’s no risk. On the other hand, if many threats and threat actors are attacking an organization but the organization doesn't have vulnerabilities to exploit, there’s also no risk.
The risk lifecycle includes:
- Context to identify risk tolerance, people, and processes
- Identification of vulnerabilities, threats, and assets
- Assessment using the risk equals threat times vulnerability formula to determine risk likelihood, impact, and asset value
- Treatment by mitigating, transferring, or accepting the risk
Evolution of Risk Assessment
The evolution of risk assessment refers to how an organization has dealt with a specific problem or vulnerability in the past. Originally, it may have been as simple as responding to a problem and fixing it. As IT systems became more important and integral to business processes, organizations realized the need to start proactively identifying the vulnerabilities.
Some steps in the evolution of risk assessment have included:
- Respond to it and fix it: Wait for a problem or vulnerability to happen and fix it.
- Let GRC solve it: Send the risk to an application that will correlate all vulnerabilities aligned to controls and identify the “true risks” to the company.
- Find the vulnerabilities: Proactively find vulnerabilities and fix them regardless of compensating controls, threat actor analysis, or asset value – just fix it.
- Trust us, it works: This includes the use of artificial intelligence (AI) and other tools or efforts to opaquely calculate the likelihood of exploiting a vulnerability.
While risk assessment is now more effective than it was in the past, organizations still face an immense number of vulnerabilities that they have to sift through and prioritize. Risk-based vulnerability management providers are more effectively integrating threat intelligence than in the past. But there’s always an opportunity for more organizations to embrace threat intelligence.
How to Use Risk Scores
A lot of information and criteria go into calculating a risk score, along with many different equations. Once you have a risk score, the next step is figuring out how to use it. The best risk score is one that you can sort by a numeric value. For example, the top score is your worst vulnerability or your most important asset that you need to focus on and start remediating immediately.
At NetSPI, we expose the top risk score in a few different ways using our risk scoring methodology, but ultimately, you can simply sort the risk scores, select the top item, and begin remediation.
An effective methodology also splits risk scoring into two distinct categories. One is vulnerability-specific risk scoring; the other is aggregate risk scoring, meaning taking a group of vulnerabilities and assigning a single score to them.
Metrics to measure vulnerability risk scoring include:
- Impact: How detrimental the impact of a vulnerability would be on an organization, including monetary, brand, and industry-specific impact.
- Likelihood: How likely a vulnerability is to be exploited.
- Environmental factors: Whether compensating controls exist within the environment, whether public exploit code is available, and whether the affected asset has access to PII or PHI.
Aggregate risk scoring factors include:
- Vulnerability intelligence: How does this specific combination of vulnerabilities affect your business?
- Industry comparisons: How does your risk compare to other organizations in your sector?
- Threat actors: Are threat actors actively exploiting vulnerabilities present in your environment?
- Remediation effectiveness: Are you on track to remediate your risks on time?
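As an added illustration of the two-tier scheme described above (this is example code, not code from the webinar or from NetSPI’s platform): a vulnerability-specific score built from the impact, likelihood and environmental factors named here, an aggregate score per asset that also reports remediation effectiveness, and the sort-and-take-the-top step. The 1–10 scales, the environmental multipliers and the 0.7/0.3 weighting are assumptions chosen for this example, not a published methodology.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Vulnerability:
    name: str
    asset: str
    impact: int                          # 1-10: monetary, brand, industry impact (assumed scale)
    likelihood: int                      # 1-10: how likely exploitation is (assumed scale)
    compensating_control: bool = False   # environmental factor: a control already reduces exposure
    public_exploit: bool = False         # environmental factor: exploit code is publicly available
    touches_pii_phi: bool = False        # environmental factor: asset can reach PII or PHI
    remediated: bool = False             # used for remediation effectiveness tracking

# Environmental multipliers are assumptions for this example only.
ENV_MULTIPLIERS = {
    "public_exploit": 1.25,
    "touches_pii_phi": 1.2,
    "compensating_control": 0.6,
}

def vulnerability_score(v: Vulnerability) -> float:
    """Vulnerability-specific score: impact x likelihood, adjusted by environment, capped at 100."""
    base = v.impact * v.likelihood
    modifier = 1.0
    for factor, mult in ENV_MULTIPLIERS.items():
        if getattr(v, factor):
            modifier *= mult
    return round(min(base * modifier, 100.0), 1)

def prioritize(vulns):
    """Sort open findings by score; the first entry is the one to remediate first."""
    open_findings = [v for v in vulns if not v.remediated]
    return sorted(open_findings, key=vulnerability_score, reverse=True)

def aggregate_score(vulns):
    """Group score (asset, project or organization): worst open finding dominates at 0.7 weight."""
    open_scores = [vulnerability_score(v) for v in vulns if not v.remediated]
    if not vulns:
        return {"score": 0.0, "open_count": 0, "remediation_rate": 1.0}
    score = 0.0
    if open_scores:
        score = round(0.7 * max(open_scores) + 0.3 * (sum(open_scores) / len(open_scores)), 1)
    return {
        "score": score,
        "open_count": len(open_scores),
        "remediation_rate": round(1 - len(open_scores) / len(vulns), 2),
    }

def rank_assets(vulns):
    """Group findings by asset and return (asset, aggregate) pairs ordered worst-first."""
    by_asset = defaultdict(list)
    for v in vulns:
        by_asset[v.asset].append(v)
    ranked = [(asset, aggregate_score(group)) for asset, group in by_asset.items()]
    return sorted(ranked, key=lambda item: item[1]["score"], reverse=True)

# Constructed sample findings for the example (not real data).
SAMPLE = [
    Vulnerability("SQL injection in login form", "portal", 9, 8, public_exploit=True, touches_pii_phi=True),
    Vulnerability("Weak TLS cipher suite", "portal", 4, 3, compensating_control=True),
    Vulnerability("Default SNMP community string", "printer", 6, 6, public_exploit=True),
    Vulnerability("Verbose error page", "printer", 2, 5, remediated=True),
]
```

With the sample data, the SQL injection finding scores 100.0 and sits at the top of `prioritize(SAMPLE)`, while `rank_assets(SAMPLE)` puts "portal" ahead of "printer" even though the printer has a better remediation rate.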
NetSPI’s Risk Scoring
NetSPI’s risk-based vulnerability management capabilities and risk scoring model focus on transparency and collaboration with our clients. Our risk scoring brings together the different aspects of risk into our platform to align with the penetration testing as a service (PTaaS) experience. Clients will not only understand how their risk scores are impacted, but they will also be able to track risk scores over time at the granular vulnerability level, the project level, and the greater organizational level.
Other capabilities include:
- Customization options
- Scalable risk scores
- Benchmarking against peers
- High-touch, high-tech through a combination of advanced technology and human expertise
Webinar recording: https://youtu.be/0NipyMx2Rxs
(webinar, https://www.netspi.com/?post_type=webinars&p=25368, last modified 2024-03-29)

Build Strong Relationships Between Development and Application Security Teams to Find and Fix Vulnerabilities Faster (post, published 2021-02-02)
It’s simple in theory. Finding, fixing, and even preventing vulnerabilities is a shared responsibility between security and development teams. That being said, silos still exist between DevOps and application security teams. DevSecOps – symbolically putting security at the center – is a great theory, but it is only effective if these groups work together to develop the people, process, and technology needed to succeed.
In fact, a recent Ponemon Institute Research report shows that 71 percent of AppSec professionals believe security is undermined by developers who don’t include proper security functionality early in the software development life cycle (SDLC). That statistic, to me, shows that there is a substantial divide between development and security teams, a divide that can (and should) be overcome. It’s not surprising, though, that these divides exist considering how teams are spread thinner every day while aiming to increase release velocity. If we are going to solve these problems, we need to focus on creating human connections across teams, and a DevSecOps mentality will become not just policy, but also culture.
Come together by understanding motivations
In my experience, developers and security personnel don’t think that differently. They just have different incentives. Developers work to move through the SDLC quickly to get applications launched. Security teams, on the other hand, are incentivized to make the SDLC process as secure as possible, which is oftentimes viewed as slowing down progress by adding non-functional security requirements. If this is the viewpoint, it is no wonder that the groups may be at odds. Human relationships – even in the work environment – need to find common ground.
One of the best books I’ve read is Hit Refresh, the New York Times bestseller about the transformation happening inside Microsoft, from its CEO Satya Nadella. As Satya describes, “It’s about how people, organizations, and societies can, and must, transform and “hit refresh” in their persistent quest for new energy, new ideas, and continued relevance and renewal.” He is able to achieve this “refresh” he describes by being “out in the world, meeting people where they live and seeing how the technology we create affects their daily activities.” I believe in this philosophy and it has direct parallels to how we work in security.
Empathy for our colleagues and the relationships we develop with them is critical to achieving success within organizations because we can understand how the policies and procedures we develop impact their work and why the outcomes we expect often don’t materialize. Some may view empathy as letting people off the hook for not performing a specific task. But it’s important to connect empathy with accountability. By understanding the needs and incentives of our peers, we develop policies and procedures that are fair and transparent. Holding each other accountable is not only fair, but expected – as a result, security and development teams will uncover creative ways to collaborate to ultimately achieve overlapping goals, faster and with less friction.
Simple steps to start building a strong and productive relationship between development and security teams are:
- Spend time connecting with people – A Journal of Experimental Social Psychology study reported in the Harvard Business Review that face-to-face meetings are 34 times more successful than email. This also provides a forum to develop a mutual understanding of each team’s incentives and mission. Or, if working remote, set up a video conference between security and development teams.
- Creating processes together – Oftentimes development and security teams build processes separately, in a silo. Coming together at the start will help to develop realistic and cohesive goals, processes, and metrics. Further, each team can help to make the case for support, even financial or budgeting support, if necessary for the other team. There have been times in my career when I was able to secure additional budget or resources on behalf of infrastructure or development teams to ensure they were able to support a specific security initiative.
- “What do you need to effectively support this? I’ll do my best to include it in the project budget.”
- In a ticket-driven world, cleanup is essential – Stacks and stacks of IT tickets notifying of vulnerabilities will never motivate an already stressed development team, especially if they are not deduplicated and remove false positives. Taking the time to clean up this process will show developers that the security team does not want to waste time, respects their SDLC counterparts, and wants to quickly get to the root of any vulnerability issues, particularly high-severity issues. Tickets are important for tracking and accountability, but let’s make sure we’re giving the right information, to the right person at the right time.
- Leveraging automation, in combination with manual pentesting – An effective, reimagined AppSec program includes being able to manage manual penetration testing and secure code review augmented by automated vulnerability discovery tools that are deployed at various phases of the SDLC process. Shifting to this mindset will take collaboration and commitment amongst the DevSecOps teams.
- “What tools make the most sense and how can we maximize the value of existing investments?”
- “What is the roadmap for the development team and how do we ensure we can grow together?”
- Bringing empathy to the situation to have credible conversations – Allowing openness and a safe space to say “I don't know, but I’ll get the answers” will go far in building a strong DevSecOps team. At the end of the day, we’re all supporting the same business and striving for excellence. Let’s work smart, lead with integrity, and treat each other with respect to ensure we meet that end goal and, hopefully, have a little fun along the way.
It’s come to be expected that security is an emergent property of software. In fact, with Continuous Integration/Continuous Deployment (CI/CD) being adopted more and more, both development and security teams must come together, bringing empathy, accountability, and collaboration into the process, by working toward the same goal with transparency. When done, I’m confident that DevSecOps can become the norm.
(post, https://www.netspi.com/?p=23133, last modified 2022-12-16)

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning (post, published 2024-03-19)
Vulnerability scanners help scan known assets, but what about the assets you don’t know exist?
Attack surface sprawl is a growing challenge with 76% of organizations experiencing some type of cyberattack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.1 The constant expansion of attack surfaces has made the need for visibility into potentially unknown attack surfaces more important than ever.
Pairing vulnerability scanners with attack surface management (ASM) gives security teams high-fidelity analysis and prioritization of assets and exposures, while limiting noise and false positives commonly associated with technology-only platforms.
Why vulnerability scanners aren’t enough
The issue lies in the fact that vulnerability scanners can only scan entities you tell them to. Vulnerability assessments operate on a tactical level, often treated as commodities where you acquire a scanner and direct it toward known targets.
Vulnerability scanners rely on a policy that defines the scope and dictates where the scanner should focus its efforts, whether that’s on targets, networks, or assets. Without this essential step, the scanner lacks the intelligence to identify assets, as its sole purpose is to scan what it’s told to. Vulnerability scanning on its own is an output of potential issues; the tool can’t go out and find assets you haven’t explicitly told it to find. That’s where NetSPI ASM comes in.
How NetSPI Attack Surface Management covers gaps
The beauty of ASM is its ability to uncover what’s unknown. This aspect is crucial as it offers a more strategic approach compared to traditional vulnerability assessments. When transitioning to ASM, security experts conduct specific operations to identify elements such as subsidiaries and various IPs associated with the organization. Through these efforts, previously undiscovered assets come to light that had been omitted from scanning and thus excluded entirely from a vulnerability assessment program.
Vulnerability scanners paired with NetSPI ASM enrich the assets, ensuring the scope of your scan is comprehensive.
Leveraging technology, intelligence, and expertise for Proactive Security
The advanced technology behind NetSPI ASM combines with our security experts to deliver the most comprehensive view of external attack surfaces. Our deep visibility helps you understand specific risks to your business so your team can spend less time sifting through alerts or responding to false positives. With the full force of NetSPI in your corner, you can navigate rapid innovation with confidence, while protecting the trust you’ve worked so hard to build.
How do we go about enriching asset discovery?
We research multiple data sources to identify external-facing assets, utilizing a combination of human intelligence and third-party services in our research, a task that a vulnerability scanner could never accomplish on its own.
For example, we use a blend of various OSINT, proprietary and commercial sources, and techniques to continuously search the internet to identify your entire attack surface. This process is a collection of items including, but not limited to business and legal structures, domains, and IP addresses.
Our team performs exposure identification by:
- Port scanning
- Certificate scanning
- DNS scanning / querying
- Sub-domain brute forcing
- Web application scanning
- SNMP queries
- UDP scanning
- TCP scanning
- Screenshot capture and banner grabbing
- API queries of configured cloud environments
We utilize active and passive techniques to continuously identify the existence of exposures on assets. Active discovery is performed on all identified assets for ports, technologies, certificates, vulnerabilities, DNS records, etc., while passive discovery is performed through integrations with data feeds that allow us to enrich data found through active discovery.
This detailed information gathering leads to high-quality findings, allowing us to report only on true positives, with highly documented verification steps and remediation instructions. We provide detailed validation and evidence verification, so you only receive the true positives that matter the most to accelerate remediation and eliminate constant alerts and manual correlation from multiple sources. This is the “secret sauce” behind The NetSPI Advantage. Machine intelligence plus human intelligence is compound intelligence that benefits our customers. To put it simply, we go beyond for our customers so they can go beyond for theirs.
Vulnerability scanning vs penetration testing
Both vulnerability scanners and penetration testing have their time and place to enhance the overall security of systems. The biggest difference is the depth of results from each measure. Vulnerability scanning is an automated process that identifies and reports potential vulnerabilities in a system, focusing on known weaknesses.
Penetration testing, on the other hand, involves simulating real-world attacks by skilled professionals, a la The NetSPI Agents, to actively exploit vulnerabilities and assess the system's security posture. While vulnerability scanning provides a broad overview of potential issues, penetration testing goes deeper, uncovering weaknesses that may not be apparent through automated scans. See if you’re getting the most value from your penetration testing reports.
Empower your security posture with NetSPI
The most helpful lesson we can share with anyone working to advance their security posture is: don’t go it alone. The shared learning from experts who have worked through the same challenges you face is invaluable in bringing clarity, speed, and scale to your security programs.
Reach out to connect with our security experts or keep learning about NetSPI ASM by watching our demo.
Vulnerability scanners and attack surface management work better together. See how the combination works toward a proactive security strategy.
(post, https://www.netspi.com/?p=32139, last modified 2024-03-19)