Aaron Shilts
WP_Query Object ( [query] => Array ( [post_type] => Array ( [0] => post [1] => webinars ) [posts_per_page] => -1 [post_status] => publish [meta_query] => Array ( [relation] => OR [0] => Array ( [key] => new_authors [value] => "66" [compare] => LIKE ) [1] => Array ( [key] => new_presenters [value] => "66" [compare] => LIKE ) ) ) [query_vars] => Array ( [post_type] => Array ( [0] => post [1] => webinars ) [posts_per_page] => -1 [post_status] => publish [meta_query] => Array ( [relation] => OR [0] => Array ( [key] => new_authors [value] => "66" [compare] => LIKE ) [1] => Array ( [key] => new_presenters [value] => "66" [compare] => LIKE ) ) [error] => [m] => [p] => 0 [post_parent] => [subpost] => [subpost_id] => [attachment] => [attachment_id] => 0 [name] => [pagename] => [page_id] => 0 [second] => [minute] => [hour] => [day] => 0 [monthnum] => 0 [year] => 0 [w] => 0 [category_name] => [tag] => [cat] => [tag_id] => [author] => [author_name] => [feed] => [tb] => [paged] => 0 [meta_key] => [meta_value] => [preview] => [s] => [sentence] => [title] => [fields] => [menu_order] => [embed] => [category__in] => Array ( ) [category__not_in] => Array ( ) [category__and] => Array ( ) [post__in] => Array ( ) [post__not_in] => Array ( ) [post_name__in] => Array ( ) [tag__in] => Array ( ) [tag__not_in] => Array ( ) [tag__and] => Array ( ) [tag_slug__in] => Array ( ) [tag_slug__and] => Array ( ) [post_parent__in] => Array ( ) [post_parent__not_in] => Array ( ) [author__in] => Array ( ) [author__not_in] => Array ( ) [search_columns] => Array ( ) [ignore_sticky_posts] => [suppress_filters] => [cache_results] => 1 [update_post_term_cache] => 1 [update_menu_item_cache] => [lazy_load_term_meta] => 1 [update_post_meta_cache] => 1 [nopaging] => 1 [comments_per_page] => 50 [no_found_rows] => [order] => DESC ) [tax_query] => WP_Tax_Query Object ( [queries] => Array ( ) [relation] => AND [table_aliases:protected] => Array ( ) [queried_terms] => Array ( ) [primary_table] => wp_posts 
[primary_id_column] => ID ) [meta_query] => WP_Meta_Query Object ( [queries] => Array ( [0] => Array ( [key] => new_authors [value] => "66" [compare] => LIKE ) [1] => Array ( [key] => new_presenters [value] => "66" [compare] => LIKE ) [relation] => OR ) [relation] => OR [meta_table] => wp_postmeta [meta_id_column] => post_id [primary_table] => wp_posts [primary_id_column] => ID [table_aliases:protected] => Array ( [0] => wp_postmeta ) [clauses:protected] => Array ( [wp_postmeta] => Array ( [key] => new_authors [value] => "66" [compare] => LIKE [compare_key] => = [alias] => wp_postmeta [cast] => CHAR ) [wp_postmeta-1] => Array ( [key] => new_presenters [value] => "66" [compare] => LIKE [compare_key] => = [alias] => wp_postmeta [cast] => CHAR ) ) [has_or_relation:protected] => 1 ) [date_query] => [request] => SELECT wp_posts.ID FROM wp_posts INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id ) WHERE 1=1 AND ( ( wp_postmeta.meta_key = 'new_authors' AND wp_postmeta.meta_value LIKE '{16075d7c257bcd7c523622b74101f615f0f18e5e10ca062e952178ef332171e5}\"66\"{16075d7c257bcd7c523622b74101f615f0f18e5e10ca062e952178ef332171e5}' ) OR ( wp_postmeta.meta_key = 'new_presenters' AND wp_postmeta.meta_value LIKE '{16075d7c257bcd7c523622b74101f615f0f18e5e10ca062e952178ef332171e5}\"66\"{16075d7c257bcd7c523622b74101f615f0f18e5e10ca062e952178ef332171e5}' ) ) AND wp_posts.post_type IN ('post', 'webinars') AND ((wp_posts.post_status = 'publish')) GROUP BY wp_posts.ID ORDER BY wp_posts.post_date DESC [posts] => Array ( [0] => WP_Post Object ( [ID] => 32190 [post_author] => 53 [post_date] => 2024-03-27 13:50:27 [post_date_gmt] => 2024-03-27 18:50:27 [post_content] =>Watch Now There are nearly countless tools in our industry right now that can give us an inventory of our external facing assets, laid out neatly for our teams to tackle.
But, how do you know which of those high-scoring vulnerabilities is actually going to be the most impactful on your particular environment? Does your team know how to interpret the assessments these tools provide while considering your company’s external attack surface? Has the assessment really given you what you need to validate and prioritize the identified risks?
We dove deep into these questions – and more – during this live event! As part of our “Let’s Talk Proactive Security” series, NetSPI CEO Aaron Shilts sat down with our EVP of Strategy Tim MalcomVetter to pick apart these questions and give guidance on how to approach external attack surface management in the right way for your company.
[wonderplugin_video iframe="https://youtube.com/live/LWljCaJ43rs" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => Let’s Talk Proactive Security: Are You Validating & Prioritizing the Right Critical Risks? [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => proactive-security-prioritizing-critical-risks [to_ping] => [pinged] => [post_modified] => 2024-03-27 13:50:32 [post_modified_gmt] => 2024-03-27 18:50:32 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=32190 [menu_order] => 8 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 31760 [post_author] => 53 [post_date] => 2024-01-16 09:14:22 [post_date_gmt] => 2024-01-16 15:14:22 [post_content] =>Watch Now Overview
What is proactive security? How must pentests evolve to stay relevant and valuable? What makes an effective red team? What parallels can be drawn between managing a household of six children and a 400+ person security team?
Get answers to these questions – and more – during this event as NetSPI CEO Aaron Shilts sits down with EVP of Strategy Tim MalcomVetter to discuss:
- Hot takes on a variety of proactive security topics
- Effective red team operations
- Security testing maturity levels
Tim recently joined NetSPI, bringing an incredibly insightful background as a security analyst, pentester, director of red team, and chief technology officer for some of the most prominent companies around the globe. During that time he built the red team program at the world’s largest retail company, led high-performing teams of security engineers, and hacked everything from mainframes to APIs to mobile to IoT devices.
Let’s deep-dive into the world of proactive security together! 🤿
Key Highlights
00:38 – History working together
01:38 – Tim’s focus at NetSPI
06:54 – Evolution of cybersecurity over the last decade
10:43 – What is proactive security
14:20 – Biggest misconception with proactive security
16:30 – Least favorite cyber buzzwords
21:18 – Future of GenAI
28:18 – Parallels between running a household and security team
Welcome, Tim MalcomVetter
Today, I'm excited to be chatting with Tim MalcomVetter, a member of our executive team. We first crossed paths 10 years ago, and I've been fascinated by his career journey, from a hands-on practitioner all the way to the executive ranks. We're thrilled to have him onboard, working closely with our customers and leading his team in strategic initiatives that directly benefit our customers. Now, Tim’s title is EVP of Strategy, which might sound similar to a "VP of Special Projects," but his role goes far beyond that.
Welcome to NetSPI, Tim! What are you most excited to tackle in your role here?
A significant part of my work involves thinking disruptively and asking, "How can we revolutionize penetration testing? How can we push the boundaries and make them even more impactful than they've been in the past 20 years?"
This drives me to explore continuous testing and find ways to bridge the gap between the advanced security practices of well-funded programs and the needs of enterprises, both large and small. Many smaller companies may not even know where to begin, and that's where I find my true purpose — helping businesses of all sizes adopt robust security measures. This is what excites me about my future at NetSPI, and ultimately, why I'm here.
Tim and I have known each other for more than a decade. What was the hottest thing in security when we first started working together (2014)?
Application security was reaching maturity by that point—it was a thing that stood on its own. But enterprises were still in the early stages of adopting it. Credit cards were still what people were really concerned about, like ransomware. The first ransomware was 10 years ago. When I started red teaming, and even pentesting, we were all concerned about credit cards, especially when you work with different merchants — that's the number one thing that bothered them.
Now, red teams don’t even go for that hardly at all. The black market isn’t selling stolen cards the same way. You used to get a lot of value out of them. But now the banks have figured out how to detect fraud. The merchants have become largely very mature. And there's credit card tokenization and scope reduction and all this stuff. We used to do this crazy stuff where we would attack credit card tokenization systems; we were using timing analysis where you'd send a request and see if it is 50 milliseconds or 80 milliseconds to get the response back. The difference in time indicated whether we’d hit an existing token. It was weird, though, the things we would do now. Now nobody cares what that’s like, it's just gone.
What is proactive security? How do you define it?
I think offensive security is probably a deep joke that some red teamer thought of, you know, ‘You guys are defensive, so I'll be offensive.’ Am I offensive or offensive — the stress on the syllables matters. I think it was a joke, and the industry took it.
Now that being said, the culture or idea that we're going to be offensive, we're going to be brash is 100% not NetSPI. I haven't seen it anywhere. That’s not in the culture.
I think that has a lot to do with the way NetSPI works, how we were building up talent through NetSPI University. We actually teach them ourselves. There's this culture of we bring people along here; there's not this culture of, ‘We go hire rock stars that are suddenly the best you can get, and your quality is different on your engagement, because you got the right rockstar.’
So, to level set, that's not here and you don't see that that mindset here. Secondly, in terms of proactive security, it's taking the same concepts of, ‘OK cool, you did an external pentest and that was a two-week engagement. What did you do the other 50 weeks of the year?’ How do you know that you've got somebody with expert level eyes?
If you've got an external pentester, one of the things that they're really good at is finding weird stuff. You might not know it, and there might be this moment in time that something popped up and it was there for a week and it went away. That's the opportunity. That's the thing that caused the breach.
If we can race it, like everything in cyber is all about finding the bad things faster than the bad guys can find it so that the good guys can get ahead of it and aligning with the defender’s mindset. If you work in a SOC, nobody understands this better than people that work in SOCs because it doesn't ever turn off. 24/7 and you've got something you could be looking at. Our goal is to align that mindset and bring the most important things to the top so you're not wasting time.
What is the biggest misconception with proactive security?
As somebody who wasn't familiar with how NetSPI did delivery, and when we first talked about it as pentesting, you look at this technical review, break it apart and then ship somebody a 100-page PDF. That is so old fashioned. Why is pentesting still doing that?
And then I got into NetSPI, and I saw we've already figured that out with our Resolve platform. We're doubling it down with our new platform that we'll talk about later this year. We are getting ahead of that. We're not just shipping you a PDF. It is now part of your workflow; we integrate with your JIRA for your developers, or whatever bugs ticketing and tracking system you've got. It becomes a piece and a part of the process where we can bring our expertise in. To me, that is already wildly different than a lot of consultants out there.
I've seen it on the other side, where that’s part of the benefit of being a practitioner on the enterprise side, you get to see pentesters who’ve found all this stuff. Now it's going to go get farmed out to four different dev teams, because there's different components — there's a complicated app, and different dev teams have different priorities. How do we get all of that friction and remove it? Make it where we understand how you work. To me, that's one of the ways we can be the most disruptive is to take all that friction away, and make it as easy as possible.
Shifting gears slightly, what are your least favorite cyber buzzwords?
I am fascinated by the fact that SIM, or SIEM as some people pronounce it, still persists, defiantly by the way, those who cling to the term SIEM. How that term even came to be is a weird story. Back in the early days of my career when I was naive and young, I thought, "Oh, security is just like following a recipe, right? I'm this expert chef, here's all the ingredients, I'm going to use this type of protein and this type of starch, and we're going to mix it all up, and we're going to have this perfect security model, right? And it's never going to break."
Eventually, I realized, well, that's stupid. It was a wake-up call for me that you have to monitor. And if you're going to monitor, you have to throw your stuff in some sort of place where you can find your logs.
And everybody said, "Okay, we're going to throw it in a SEM. We're going to call it a Security Event Management solution." Another company came along and said, "We're going to throw it in our SIM, as in Security Information Manager." And then somebody said, "Hold the phone. Our marketing is better than yours. We're going to be both. We're going to be a Security Event and Information Manager, or Security Information and Event Manager." Nobody knows!
I seriously think that if you go to a random SOC today, and you find somebody with less than, say, three years of cyber work in the frontlines defending some big enterprise today, and you ask them, "What does SIM stand for?" There's a coin toss chance that they don't even know. And if you ask the most seasoned person in there, "Where did the name come from?" I guarantee they don't know. They don't realize that it's like that.
What's your take on the GenAI boom? Any thoughts around its rapid adoption?
I will say that I was the first person up until about the June-July timeframe to say stop talking about AI. I've even joked that one of the best things I've ever done in my career is to take certain cyber marketing people and tell them to stop saying AI and ML where it doesn’t make sense. You can do anomaly detection, you can do k-means clustering, things like that; that's a form of ML, but it doesn't mean we need to go slap it on there just to be buzzword-compliant. I still maintain that there's a place for discrete algorithms and human intelligence that will absolutely trump, and you can't take that out. But at the same time, unless you're not paying attention, the GPT-3 branch release and everything else changed a lot of things. It didn't change everything, but now we've got all these organizations rushing to adopt it.
If you're an enterprise, almost in any space, if you're not rushing to adopt it, you're taking on too much risk by not adopting it. I like to go back to Dan Geer — I listen to his talks all the time — and he talks about two kinds of risk:
- Not putting enough risk in play with the business, and
- At the same time also having too much risk
You’ve got to find that sweet spot to really grow your business. You must have it in there. But the way I see it going — honestly, I've bounced this off a bunch of different people inside and outside my network — this looks to me like you're going to have people building models. And it's going to require a deep understanding of the math behind the model: understanding how the model works and how you can potentially do adversarial ML against the model, whether it's a large language model or a traditional ML model like a classifier, or unsupervised learning; all of that stuff, very deep, very technical. There's going to be a subset of enterprises that absolutely have to have them; almost all of that will be tech companies, with some big enterprises kind of mixed in with little projects that they do.
As this becomes normalized and adopted, it's going to meld into what you do for AppSec. For example, I have this web application, and I need to do a penetration test. By the way, you're going to list out the components: I'm using this CDN in front of it, I'm using this WAF, I'm using this development stack, I'm integrating with these types of services. I've got a microservices architecture, and by the way, I'm integrating with this large language model. Then that's going to bring out a set of abuse cases that need to get tested with the app. It's going to merge, and the pentesters who don't know that are going to get left behind, because they're not going to get proper coverage for their customers.
At the same time, that's a good thing, because it means we can help the big enterprises that are adopting the frameworks. We test all the big tech companies’ LLMs in all their tech stacks to make sure that it’s all functional.
I joke and say it's somewhere between SQL injection and securing an s3 bucket. If you remember, when SQL injection came out, everyone was vulnerable, because everyone was doing string concatenation on their web apps. You could inject random SQL statements into your query, and then bad things would happen.
Then what happened? Every development framework came out with a mechanism to drop in parameterized queries. You had a framework that just took care of it for you — developers don't have to understand anymore, they just know to use this framework and be done. I think we'll see that happen with the injection side, and then on the equivalent of the s3 bucket side: when the Amazon s3 service came out, and the same with Azure and GCP storage, people would start putting things in there and not understand the permissions, and then expose content to the world without understanding, because it's complicated.
I think you'll have the same kind of problem with people over-indexing and giving too much data to their LLM when building out the model — what it has access to, the APIs, and everything else — so we’ll see a governance aspect there.
Before we go, I have one last question for you. This one is for all the team leads listening in. What are some parallels between managing a household with six children and managing a 400+ person cybersecurity team?
What ends up happening is I use the same kind of conversations when drama does inevitably happen on either of those scenarios with my kids. I can say, "Does hitting your sister get you closer or further to your goal of getting ice cream?" And I can say, "Did talking to your coworker that way get you closer or further to getting your project approved?" It's the same thing. It's kind of funny how sometimes that works.
Catch the full conversation between Tim and Aaron below or continue your proactive security journey by reaching out to NetSPI for a consultation to guide your next steps toward proactive security.
[wonderplugin_video iframe="https://youtu.be/5j8xGsWSib4" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => NetSPI LinkedIn Live: Proactive Security with NetSPI’s Tim MalcomVetter [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => proactive-security-with-netspis-tim-malcomvetter [to_ping] => [pinged] => [post_modified] => 2024-02-07 15:19:12 [post_modified_gmt] => 2024-02-07 21:19:12 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=31760 [menu_order] => 10 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 30145 [post_author] => 66 [post_date] => 2023-05-18 09:00:00 [post_date_gmt] => 2023-05-18 14:00:00 [post_content] =>There’s a lot to celebrate when you’re the global leader in offensive security.
Technology innovation, global expansion, responsible vulnerability disclosures, special shoutouts from clients. Plus, personal accomplishments like job promotions, buying your first home, welcoming a new life into the world, traveling to new places, the list goes on.
All of this and more was the focal point of our 2023 NetSPI Employee Kickoff event. We brought nearly 500 of our offensive security experts together to Minneapolis to connect face-to-face, celebrate our accomplishments, and align the entire organization on our vision for the future. This year’s theme was “A World of Opportunities” which explored the opportunities we can uncover to make a real impact as the global leader in pentesting, attack surface management, breach and attack simulation – and beyond!
The claim “global leader in offensive security” is a bold one to make. The proof is in our impressive growth year-over-year, the skillset of our team, the comprehensiveness of our solutions, and our clients’ desire to choose us over our competition.
The kickoff event presented a unique opportunity to reflect on what exactly got us to this point. Certainly, a lot of hard work and grit from the team, but these four core narratives were made evident throughout the course of the day.
Collaboration and diverse thought
“Individual commitment to a group effort – that is what makes a team work, a company work, a society work, a civilization work.”
— Vince Lombardi
This quote articulates the importance of collaboration and the main reason we brought everyone together in one room (plus, I couldn’t let the day go by without at least one Green Bay Packers reference). Building relationships with one another and feeding that culture of collaboration was at the core of our 2023 kickoff.
What we’ve built is special because of our people. But talented individuals alone are not enough. While it’s often an overused marketing term, collaboration is, and will always be, a core value of NetSPI. We pride ourselves on our ability to collaborate across boundaries and teams to uncover new offensive security solutions and solve seemingly impossible cybersecurity challenges.
There is immense power in the diversity of thought that brings unique ideas and approaches to challenge the status quo. It was incredible to see members of the team spending time with people outside of their social circle or department, people with backgrounds and perspectives different to theirs. This is where the magic happens.
Unwavering dedication to our clients
Events like this are a great platform to reinforce the why behind everything we do. In our case the why is our clients, some of the world’s most prominent organizations. We are maniacally focused on customer delight, ensuring that everything we do brings value to programs and is not creating more work for security teams.
At the end of the day, we are providing offensive security testing solutions so that businesses can innovate with confidence.
Our keynote speaker, Brittany Hodak, spoke about how to create superfans, leaving us with the acronym SUPER (Start with your story, Understand your customer’s story, Personalize, Exceed expectations, Repeat). Her session was preceded by a panel of six NetSPI superfans, or soon to be.
NetSPI Chief Revenue Officer Alex Jones moderated the panel, which centered around the key pain points cybersecurity leaders face today. Interacting with and speaking to customers to understand the challenges they are dealing with is invaluable, and something we make a conscious effort to do day in and day out. Key takeaways?
- Cyber is not the #1 risk for businesses, it is just one of the risks.
- Perimeter security is paramount. Understanding what is on your perimeter should be a priority.
- Those who follow foundational security best practices are going to succeed. Get the basics done right.
- Generative AI (e.g. ChatGPT) is a real concern for security leaders. Many are evaluating the risk and building policies.
- Security now has a seat at the table! The role of the CISO is becoming less technical and more strategic.
- Media headlines around breaches and other security incidents are helping cyber leaders get executive buy-in.
NetSPI delivers real solutions to these mission critical challenges. We are a key player in the arms race against a sophisticated and well-funded adversary. Offensive security must be scaled and adopted globally, or our clients will fall short.
This year, we made a strategic investment in a product leader, Vinay Anand, to help us rise to this challenge and create a strong technology platform that is scalable, continuous, easy to use, and leverages intelligent automation. Aligning on this vision as an organization was one of my top highlights of the day. I don’t want to give too much away, but a unified offensive security platform is on its way.
Maintaining the NetSPI culture and staying true to our Purpose
Innovation dies without a strong culture. While there may be amazing ideas brought to bear, they won’t flourish without a culture of collaboration, respect, motivation, and challenging our peers. Our culture is the foundation of our success.
We spend a massive amount of our lives at work, so it's truly meaningful when we say on top of all this, we’re having fun! We're disciplined; we're focused; we're competitive. But at the end of the day, we enjoy each other's company and the strong culture we've built together.
Our clients feel this in their interactions with us. They tell us this regularly and it's one of the many reasons they continue to work with us. They feel supported by a team that takes their offensive security goals as seriously as they do. Our culture at NetSPI is the formula for creating superfans that help us unlock opportunities.
Someone who emulates the NetSPI culture is our very own Eric Gruber who was the recipient of the NetSPI Founders Award at this year’s kickoff event.
Another component of our culture is our passion for giving back, whether that’s by way of security community involvement, donating our time to help others, or financially with our philanthropic partner, the Masonic Children’s Hospital.
Last year, we raised $250,000 for Jersey, the newest facility dog at the University of Minnesota Masonic Institute for the Developing Brain. Jersey made her debut at the kickoff, and we heard first-hand how she is making an impact supporting the emotional and social needs of patients.
Making an impact, globally
In attendance were teams from across the US, UK, and Canada – then we took the show on the road to Pune, India where our team of 60+ came prepared with unbelievable energy.
Most organizations have global aspirations, so who are we to think our global aspirations are so unique? Well, when you have something so special, you want others to experience it. In a very short time, we’ve ramped up top-notch teams in Canada and the UK and continue to build our Pune team. There’s no doubt in my mind that we have the top offensive security teams in those regions today. There are many large multinational clients who need NetSPI to have global operations, and many regions where we can advance and accelerate their testing programs.
Circling back to a point made earlier, innovation thrives in diversity of thought. Learning new cultures and ways of doing business is a once in a lifetime experience for our team and an opportunity to bring increasingly diverse viewpoints and approaches to support our clients.
I mentioned this in the written recap of last year’s kickoff, but it’s worth reiterating: To other business leaders considering an all-employee in-person event, I couldn’t recommend it more. There’s no replacement for human connection.
We are at an inflection point as an organization and we cannot become complacent. We continue to find ways to ensure we attract top talent, refine our processes, and stay agile while driving innovation.
I am both honored and privileged to be a part of the global leader in offensive security. Keep an eye on this team. You won’t want to miss the world of opportunities we uncover next. I'll leave you with this recap video to keep the energy high until next year – cheers!
[post_title] => Celebrating a World of Opportunities with a World-Class Offensive Security Team [post_excerpt] => Read about NetSPI’s 2023 employee kickoff event, where we brought our offensive security experts together to connect face-to-face, celebrate our accomplishments, and align on our vision for the future. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => world-of-opportunities-world-class-offensive-security [to_ping] => [pinged] => [post_modified] => 2023-05-17 19:49:20 [post_modified_gmt] => 2023-05-18 00:49:20 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=30145 [menu_order] => 112 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [3] => WP_Post Object ( [ID] => 29121 [post_author] => 66 [post_date] => 2023-01-10 09:00:00 [post_date_gmt] => 2023-01-10 15:00:00 [post_content] =>Today, we’re happy to announce that NetSPI has acquired nVisium to continue building upon our suite of offensive security testing solutions. We sat down with NetSPI CEO Aaron Shilts and nVisium CEO and Founder Jack Mannino to learn what this means for their mutual clients and the greater cybersecurity community.
Why nVisium/NetSPI?
Aaron Shilts: The nVisium team brings an impressive track record in cloud and application pentesting, and we’re incredibly excited to welcome them to NetSPI. Coming together, we will unlock great potential in meeting the increasing demand for quality pentesting solutions and reinforce our commitment to growth and innovation. It took months of research, discussions, and interactions to come to this decision, but one thing is for sure, we were always convinced the nVisium team will be the perfect complement to our DNA and culture we’ve built at NetSPI.
Jack Mannino: We’ve competed with NetSPI in the past, and I’ve always respected what Aaron and his team have built. Agreeing to an acquisition is not a small decision, but as soon as we started talking with the NetSPI team, it was clear that both organizations were extremely aligned from a culture, delivery, and people perspective. They care deeply about their people and maintaining a culture of collaboration, plus, we have the same high standards for security testing as they do. With this acquisition, nVisium employees and clients will be presented with a wide array of new opportunities. I’m eager to see what we can accomplish together.
How will this acquisition impact mutual clients and the greater security community?
Aaron: This news follows our recent announcement of KKR’s investment in NetSPI’s future and its promise to continue to bring positive impact to the security community. By joining forces with nVisium, we can move faster, offer clients access to an incredibly talented team of offensive security professionals, and double down on our promise of innovative, platform-driven, and human-delivered offensive security solutions.
Jack: By joining forces with NetSPI, nVisium has a massive opportunity to expand the breadth and depth of solutions we deliver, improve the client experience, and introduce new growth opportunities to our employees. We have built strong enterprise relationships and we are eager to support them in new ways and, at the same time, build on our capabilities within cloud and application security testing.
Notably, NetSPI’s penetration testing as a service (PTaaS) delivery model has made an incredible impact on its clients, enabling them to test continuously, digest results in a dynamic way, improve vulnerability management efforts, and increase manual testing and triaging. nVisium and NetSPI together will amplify the PTaaS model and allow us to increase our capacity to help more organizations.
What’s next for the combined companies?
Aaron: This acquisition is proof that we are committed to staying true to our mission, disrupting the penetration testing industry by attracting and retaining top talent, and setting the highest standards in the penetration testing market. Over the next few months, we will be focused on integrating the nVisium team to help deliver high-caliber pentesting solutions to more enterprises, globally.
Over the next year, you will see an emphasis on NetSPI’s R&D, particularly with our cloud, IoT, and blockchain solutions. We’ve recently formed an official NetSPI Labs team, who will lead the development and expansion of new offensive security solutions and tools.
Jack: The industry can expect continued growth, innovation, and quality pentesting from NetSPI and nVisium – with no signs of slowing. The power of our combined teams will certainly be a force to be reckoned with.
[post_title] => NetSPI Acquires nVisium – Q&A with the CEOs [post_excerpt] => Hear from NetSPI CEO Aaron Shilts and nVisium CEO Jack Mannino on why they are joining forces and what the acquisition means for the cybersecurity industry. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => nvisium [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:09:56 [post_modified_gmt] => 2023-01-23 21:09:56 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29121 [menu_order] => 166 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [4] => WP_Post Object ( [ID] => 28667 [post_author] => 66 [post_date] => 2022-10-17 09:00:00 [post_date_gmt] => 2022-10-17 14:00:00 [post_content] =>On October 17, NetSPI CEO Aaron Shilts was featured in the eSecurity Planet article called NetSPI Lands $410 Million in Funding – And Other Notable Cybersecurity Deals. Read the preview below or view it online.
+++
NetSPI, a top penetration testing and vulnerability management company, recently announced a $410 million funding round, a huge amount in a year in which $100+ million rounds have become a rarity. The investor was KKR, one of the world’s largest alternative asset firms.
KKR previously invested $90 million in NetSPI in May 2021, so NetSPI has demonstrated considerable traction since then.
That the funding round occurred in a difficult environment makes it all the more impressive. According to data from Crunchbase, the total amount of investments in cybersecurity startups came to $2.6 billion in the third quarter. This was the lowest since the same period in 2020.
The number of deals for this year’s Q3 was only 124. This is a level not seen since 2014.
Filling the Cybersecurity Talent Gap
Of course, the drop-off has been widespread across the tech sector. With a bear market, high inflation, rising interest rates, and concerns of a recession, investors are certainly getting more conservative – and generally focusing on top-notch deals.
As for NetSPI, it fits into this sweet spot. Founded over 20 years ago, the company’s vision is “technology powered, human delivered.” This involves sophisticated penetration testing for some of the world’s largest financial institutions, cloud operators, and healthcare organizations.
For the past five years, revenues have spiked by 5X. Organic growth was 50% in 2021 and 61% thus far in 2022.
“We combine human ingenuity from our 400 global offensive security professionals with our innovative technology platforms – a unique combination that ensures quality, consistency, transparency, accountability, and efficiency across all NetSPI assessments,” said Aaron Shilts, CEO, NetSPI.
A key focus is on hiring top talent in ethical hacking and adversary simulation and leveraging NetSPI’s three technology platforms, which include Resolve, ASM, and AttackSim.
“Additionally, the scarcity of talent is still one of the biggest issues in the cybersecurity industry,” said Shilts. “Investors are aware of this and have become acutely focused on acquiring organizations with a concentration on hiring the best talent globally and who offer programs to fill the talent gap.”
NetSPI plans to use the capital for investing in R&D, hiring, and global expansion. Part of the money will also be to recapitalize the equity investment of an early investor, Sunstone Partners.
You can read the full article at eSecurity Planet!
[post_title] => eSecurity Planet: NetSPI Lands $410 Million in Funding – And Other Notable Cybersecurity Deals [post_excerpt] => eSecurity Planet covers NetSPI's $410 million in cybersecurity funding from KKR plus other commentary from NetSPI CEO Aaron Shilts. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => esecurity-planet-netspi-lands-410-million-in-cybersecurity-funding [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:06 [post_modified_gmt] => 2023-01-23 21:10:06 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28667 [menu_order] => 190 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [5] => WP_Post Object ( [ID] => 28555 [post_author] => 66 [post_date] => 2022-10-05 21:00:00 [post_date_gmt] => 2022-10-06 02:00:00 [post_content] =>On October 5, NetSPI CEO Aaron Shilts and VP of Business Development and Strategic Alliances Lauren Gimmillaro were featured in CRN's article called KKR Invests Another $410M In Fast-Growing Security Firm NetSPI. Read the preview below or view it online.
+ + +
Private equity powerhouse KKR obviously likes what it’s seen since it first invested in cybersecurity firm NetSPI last year.
The New York-based KKR, which led a $90 million funding round for NetSPI in 2021, is now investing an additional $410 million in the penetration testing and attack surface management firm, NetSPI said on Wednesday.
The massive growth investment will be used to support NetSPI’s product development, talent hirings, possible company acquisitions and aggressive expansion of the firm’s channel program, said NetSPI chief executive Aaron Shilts.
Much of the money will also be used to effectively buy out previous majority owner Sunstone Partners, Shilts told CRN.
As for the channel, Shilts said less than 10 percent of the private company’s current revenues come from the channel. But NetSPI, which recently hired a new channel chief and launched a new partner program in August, is determined to boost its sales via various players within the channel, he said.
“It was the right time for us to double down on channel investment,” said Shilts, whose company was founded in 2001 but only received its first outside investment in 2017, led by Sunstone Partners.
Shilts said the firm decided to wait a bit after its first equity investment five years ago before moving from mostly direct sales to channel sales.
“We wanted to ensure that we had the maturity and the growth,” he said. “I think the worst thing that we could do is not have that [initial sales] mastery in place. It was just a matter of maturing over several years before we were ready.”
You can read the full article at CRN!
[post_title] => CRN: KKR Invests Another $410M In Fast-Growing Security Firm NetSPI [post_excerpt] => NetSPI CEO Aaron Shilts and VP of Business Development and Strategic Alliances Lauren Gimmillaro were featured in CRN's article called KKR Invests Another $410M In Fast-Growing Security Firm NetSPI. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => crn-kkr-invests-410m-in-netspi [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:11 [post_modified_gmt] => 2023-01-23 21:10:11 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28555 [menu_order] => 203 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [6] => WP_Post Object ( [ID] => 28565 [post_author] => 66 [post_date] => 2022-10-05 09:00:16 [post_date_gmt] => 2022-10-05 14:00:16 [post_content] =>On October 5, NetSPI CEO Aaron Shilts was featured in the VentureBeat article called Need for secure cloud environments continues to grow, as NetSPI raises $410M. Read the preview below or view it online.
+ + +
In an era of cloud computing and off-site third-party services, traditional network-based security approaches simply aren’t effective. With research showing that large organizations maintain an average of 600 software-as-a-service (SaaS) applications, the modern attack surface is too vast to manage without a purpose-built attack surface management solution.
Attack surface management solutions provide a tool to automatically discover public-facing assets located outside the perimeter network, and identify vulnerabilities in shadow IT assets and misconfigured systems that hackers can exploit.
As the need to secure cloud environments increases, these solutions are beginning to pick up more interest, with penetration testing and attack surface management vendor NetSPI today announcing that it has received $410 million in growth funding from global investment firm KKR.
The new funding demonstrates that vulnerability management is giving way to the broader, automated and decentralized approach of mitigating exploits across the entire attack surface.
NetSPI’s answer to cloud vulnerability sprawl
The writing on the wall is that enterprises need an approach to managing vulnerabilities that can scale to address exploits across the entire attack surface. For NetSPI, that comes down to offensive security.
“As we look forward to this next chapter, NetSPI will continue to challenge the status quo in offensive security,” said Aaron Shilts, CEO of NetSPI. “With KKR’s support, we are well positioned to amplify our success building the best teams, developing new technologies, and delivering excellence, so that the world’s most prominent organizations can innovate with confidence.”
In effect, NetSPI provides enterprises with a solution to scan for assets in real-time, 24/7/365, using Open Source Intelligence (OSINT) and other methods.
You can read the full article at VentureBeat!
[post_title] => VentureBeat: Need for secure cloud environments continues to grow, as NetSPI raises $410M [post_excerpt] => NetSPI CEO Aaron Shilts was featured in the VentureBeat article called Need for secure cloud environments continues to grow, as NetSPI raises $410M. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => venturebeat-netspi-raises-410m [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:08 [post_modified_gmt] => 2023-01-23 21:10:08 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28565 [menu_order] => 196 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [7] => WP_Post Object ( [ID] => 28562 [post_author] => 66 [post_date] => 2022-10-05 09:00:00 [post_date_gmt] => 2022-10-05 14:00:00 [post_content] =>On October 5, NetSPI CEO Aaron Shilts was featured in the StarTribune article called Minneapolis cybersecurity firm NetSPI raises $410M to expand globally. Read the preview below or view it online.
+ + +
A New York investment firm is injecting $410 million in fresh capital into Minneapolis cybersecurity firm NetSPI to fuel the company's global expansion, a move that reinforces investor confidence in the company's rising profitability.
The investment from KKR is nearly five times the amount NetSPI raised last May, when it piled up $90 million in growth funding from investors, including KKR, the firm's first investment in the cyber company. It also is one of the largest this year in Minnesota.
NetSPI will use the money for hiring and further development of its technology, according to a release from KKR. In addition to personnel in Canada, NetSPI is expanding its footprint in Europe, the Middle East, Africa and India.
NetSPI, based in Minneapolis' North Loop with more than 400 security professionals on payroll, develops offensive security tools that other companies use to test their cyber defense systems against various threats to uncover gaps and reduce security breaches. The list of clients includes financial institutions, cloud providers and health care organizations.
"We're both grateful and proud of the industry disruption we drove during our partnership with Sunstone Partners," said Aaron Shilts, CEO at NetSPI. "With KKR's support, we are well-positioned to amplify our success."
The company secured its first outside investment in 2017 from Sunstone Partners, an investment firm based in San Mateo, Calif. NetSPI officials did not share the company's value following the recent funding round, which puts its total outside growth capital at or above $500 million since its founding in 2001.
Following the company's $90 million raise in 2021, Shilts told the Star Tribune he anticipated the company would finish the year with about $50 million in 2021 sales. So far in 2022, the company has experienced a 61% increase in revenue, year over year.
The funding round by NetSPI is one of the largest by an investor-backed, Minnesota private company this year.
"We are excited to double down on our investment in NetSPI to help build a differentiated leader in offensive cybersecurity," Jake Heller, partner and head of KKR's technology growth team in the Americas, said in a statement. "We have been very impressed by the performance of the company and the exceptional execution by Aaron and his team over the past 18 months. We believe this is just the beginning of what we can accomplish together."
You can read the article at Star Tribune!
[post_title] => Star Tribune: Minneapolis cybersecurity firm NetSPI raises $410M to expand globally [post_excerpt] => NetSPI CEO Aaron Shilts was featured in the StarTribune article called Minneapolis cybersecurity firm NetSPI raises $410M to expand globally. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => star-tribune-netspi-raises-410m [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:09 [post_modified_gmt] => 2023-01-23 21:10:09 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28562 [menu_order] => 199 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [8] => WP_Post Object ( [ID] => 28553 [post_author] => 66 [post_date] => 2022-10-05 09:00:00 [post_date_gmt] => 2022-10-05 14:00:00 [post_content] =>On October 5, NetSPI CEO Aaron Shilts was featured in the Bloomberg article called KKR Backs Cybersecurity Firm NetSPI With $410 Million Funding. Read the preview below or view it online.
+ + +
KKR & Co. has agreed to provide cybersecurity firm NetSPI Inc. with an additional $410 million in growth equity, according to a statement reviewed by Bloomberg.
The deal, slated to close by the end of the fourth quarter, is KKR’s second investment in the company, bringing the private equity firm’s total commitment to $500 million. KKR led a $90 million investment last year.
As part of the deal, existing investor Sunstone Partners will exit its position, according to NetSPI Chief Executive Officer Aaron Shilts.
“We’re now just focused on this next phase of growth that’s gonna require investment, focus and we’ve got some exciting plans for the next three-four years,” Shilts said in an interview. “We have really enjoyed the last 18 months of our relationship with KKR. I think we’ve had some really good, just strategic discussions on how to approach the market.”
Founded in 2001, NetSPI is a provider of penetration-testing and attack-management services for clients including Microsoft Corp. and the US Air Force, according to its website. That means its products simulate cyber attacks, which helps businesses and organizations prepare for real threats.
Shilts said NetSPI is approaching $100 million in revenue this year following good growth since a “breakout” 2020. The company has operations in the US, Canada, UK and India.
Cybersecurity remains a coveted sector for KKR’s technology-growth team. It’s a market that the private equity firm has been tracking “well before” investing in NetSPI, according to KKR Director Ben Pederson.
“If you step back in terms of what we’re looking for broadly in this time of uncertainty, it’s companies that are going to make it through the next five plus years regardless of what’s happening in the short term here on the macro side,” Pederson said.
You can read the article at Bloomberg!
[post_title] => Bloomberg: KKR Backs Cybersecurity Firm NetSPI With $410 Million Funding [post_excerpt] => NetSPI CEO Aaron Shilts was featured in the Bloomberg article called KKR Backs Cybersecurity Firm NetSPI With $410 Million Funding. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => bloomberg-kkr-backs-cybersecurity-firm-netspi [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:12 [post_modified_gmt] => 2023-01-23 21:10:12 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28553 [menu_order] => 206 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [9] => WP_Post Object ( [ID] => 28556 [post_author] => 66 [post_date] => 2022-10-05 09:00:00 [post_date_gmt] => 2022-10-05 14:00:00 [post_content] =>On October 5, NetSPI CEO Aaron Shilts was featured in the Crunchbase article called KKR Invests $410M In Cyber Firm NetSPI. Read the preview below or view it online.
+ + +
Although venture funding in cybersecurity has taken a slight dip this year—as it has in most sectors—that does not mean large growth rounds do not exist.
Minneapolis-based cybersecurity company NetSPI locked up a $410 million growth investment from private equity giant KKR. The company provides enterprise penetration testing and attack surface management by simulating cyber attacks for large enterprises and helping businesses defend against them.
KKR initially invested $90 million into NetSPI in May 2021. This new round of funding will recapitalize Sunstone Partners’ stake in the company and allow the firm to exit.
“As we look forward to this next chapter, NetSPI will continue to challenge the status quo in offensive security,” said CEO Aaron Shilts in a release. “With KKR’s support, we are well positioned to amplify our success building the best teams, developing new technologies, and delivering excellence, so that the world’s most prominent organizations can innovate with confidence.”
Founded in 2001, NetSPI has now raised $500 million. It has grown its revenue fivefold and is seeing 61% revenue growth in 2022 to date, according to the company.
Cyber funding
Funding to VC-backed cybersecurity startups is not on pace to hit last year’s high of more than $23 billion, as it was at about $10.3 billion through the first six months of the year, according to Crunchbase data.
That is not surprising considering venture capital as a whole has seen a slowdown. However, it is worth noting cyber startups saw more funding in the first half of the year than in all of 2020, which saw $8.9 billion invested in the industry.
The NetSPI deal also shows KKR’s continued interest in cybersecurity. In May, the firm led a $200 million Series C for Hoboken, New Jersey-based Semperis, an enterprise identity protection provider.
You can read the article at Crunchbase!
[post_title] => Crunchbase: KKR Invests $410M In Cyber Firm NetSPI [post_excerpt] => NetSPI CEO Aaron Shilts was featured in the Crunchbase article called KKR Invests $410M In Cyber Firm NetSPI. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => crunchbase-kkr-invests-410m-in-netspi [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:12 [post_modified_gmt] => 2023-01-23 21:10:12 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28556 [menu_order] => 205 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [10] => WP_Post Object ( [ID] => 28587 [post_author] => 66 [post_date] => 2022-10-05 09:00:00 [post_date_gmt] => 2022-10-05 14:00:00 [post_content] =>On October 5, NetSPI CEO Aaron Shilts was featured in the ISMG article called Pen Test Firm NetSPI Gets $410M Boost From KKR to Fuel M&A. Read the preview below or view it online.
+ + +
Rising offensive security star NetSPI has received a massive follow-up investment from KKR to pursue acquisitions and expand the offensive cybersecurity vendor's technological and geographic footprint.
The Minneapolis-based penetration testing and attack surface management vendor says the private equity giant's $410 million growth investment comes on the heels of 50% organic revenue growth in 2021 and 61% year-over-year sales growth thus far in 2022. The latest investment comes just 18 months after KKR led a $90 million growth round to expand the company's security and client experience teams (see: Hatem Naguib on Charting Barracuda's New Course Under KKR).
"We're really challenging the status quo in our segment of cybersecurity," NetSPI CEO Aaron Shilts tells Information Security Media Group. "Growth is paramount, especially given the market volatility."
Automation Takes Center Stage
NetSPI was founded in 2001 and employs 400 people, up roughly 50% from a year earlier, according to Shilts. A chunk of the $410 million will be used to recapitalize Sunstone Partners, which brought Shilts in as CEO in 2017, along with an investment. Sunstone Partners is now exiting its position in NetSPI, and with its latest investment, KKR is now the majority owner of NetSPI, he says.
You can read the full article at ISMG Network!
[post_title] => ISMG Network: Pen Test Firm NetSPI Gets $410M Boost From KKR to Fuel M&A [post_excerpt] => NetSPI CEO Aaron Shilts was featured in the ISMG article called Pen Test Firm NetSPI Gets $410M Boost From KKR to Fuel M&A [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => ismg-network-netspi-gets-410m-boost [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:09 [post_modified_gmt] => 2023-01-23 21:10:09 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28587 [menu_order] => 197 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [11] => WP_Post Object ( [ID] => 28485 [post_author] => 66 [post_date] => 2022-10-05 08:00:00 [post_date_gmt] => 2022-10-05 13:00:00 [post_content] =>Today I’m thrilled to announce that the global investment firm KKR is to invest $410 million in NetSPI. This growth investment marks one of the largest private equity deals in cybersecurity this year – a massive accomplishment for Team NetSPI.
We didn’t become the leader in offensive security by checking boxes or sticking to the status quo. We got here by hiring the best talent in the business, innovating without limits, and creating a workplace culture of excellence. This is where our focus will remain as we double down on our investments to build strong teams, develop our technology stack, and expand our offensive security services globally.
In May 2021, KKR made a $90 million investment in NetSPI, with participation from Ten Eleven Ventures. Over the past 18 months, they’ve been a dedicated partner who believes deeply in this team. This growth investment is further proof that hard work pays off as we near the end of another record year of growth and celebrate our recent accomplishments including, the continued adoption of our PTaaS delivery model, our acquisition of Silent Break Security, the introduction of Attack Surface Management, our global expansion to EMEA, our NetSPI University training program, and more.
We are much more than a penetration testing company. We’re a group of incredibly talented ethical hackers, vulnerability researchers, project managers, and strategic partners who ultimately want to help our clients innovate with confidence. We’re a company that understands how to develop and leverage technologies to create efficiencies at a time when resources are limited, empowering people to focus on what matters most.
To ensure the security of today’s most prominent organizations and keep pace with the evolving attack surface, we must challenge the status quo in offensive security. With KKR’s support, we will continue doing just that. I, for one, am excited for this new chapter in NetSPI’s story of growth, disruption, innovation, and dedication.
Aaron Shilts, CEO at NetSPI
[post_title] => What KKR’s Growth Investment Means to NetSPI [post_excerpt] => Learn what KKR’s growth investment in NetSPI means to the penetration testing company. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => kkr-growth-investment [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:13 [post_modified_gmt] => 2023-01-23 21:10:13 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28485 [menu_order] => 208 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [12] => WP_Post Object ( [ID] => 27790 [post_author] => 66 [post_date] => 2022-05-24 08:00:00 [post_date_gmt] => 2022-05-24 13:00:00 [post_content] =>Technology cannot solve our greatest cybersecurity challenges. At least not on its own.
Last month, NetSPI held its 2022 Employee Kickoff event in-person after a long two-year hiatus. Nearly 300 employees from across the globe came together in the North Loop neighborhood of Minneapolis, just steps from NetSPI headquarters.
The day was buzzing with great energy from the get-go as we reunited with our friends and colleagues, met people in-person for the first time, and got to experience firsthand what an incredible workplace culture NetSPI has.
Amidst the keynotes, build-your-own lego Scan Monster races, and live 90’s rock band, one thing became abundantly clear: the power that comes from bringing people together face-to-face to form relationships, share ideas, and collaborate is unmatched.
All too often in the high-growth cybersecurity industry, we view technology as the ‘silver bullet’ against today’s threat actors. But at the end of the day, it’s people who will solve the greatest challenges we face.
Reflecting on the day, I wanted to share four takeaways that highlight the importance of the human impact in the tech industry.
The cyber arms race can only be won through the intersection of technology and talent
We cannot rely solely on technology to win this cyber “arms race” we’re experiencing today. We often find ourselves myopically focused on technology to solve difficult problems. And while technology and automation are critical, our industry will not thrive on tech alone.
The only way that the good guys will come out on top is through the intersection of technology and talent.
Technology should enable humans to do their job in a more effective and efficient way, and we should remember to view it through this lens. For example, during the NetSPI Employee Kickoff Event, we revealed a couple of Resolve updates to our security consultants who use the vulnerability management and penetration testing platform. We updated notification settings to be more customizable and created a portal for all project kickoff documentation and tracking. These are fairly simple, administrative updates, but they nearly resulted in a standing ovation for our product and development teams.
Again, technology enables humans to do what they do best. In this case, we found a way to limit notifications and streamline a mundane process to free up our pentesters’ time, enable them to do the work they enjoy, and ultimately find more business-critical vulnerabilities for our clients.
As we’re all aware, recruiting and retaining a team with the right cyber talent is incredibly hard in a market where unemployment is 0%. But simply assembling a team with the right technical skills is far from enough. It is vital to tackle cybersecurity with empathy, curiosity, and creativity – all traits that only humans can possess.
“Culture eats strategy for breakfast”
Peter Drucker stated, “Culture eats strategy for breakfast.” And he was right.
Culture and values define who you are. They drive innovation in technology, how teams collaborate, and the service clients receive and how they perceive you.
NetSPI Chief Revenue Officer Alex Jones said it well in his keynote, “Values represent whatever is important to YOU.” Work is important... and so is everything else. Employees should get to spend time doing what they enjoy in and outside of the workplace. Once organizations recognize this, it becomes much easier to embrace a values-driven culture.
A strong culture requires teams working authentically and in concert with each other, a task that became increasingly difficult during a global pandemic that forced most organizations, including NetSPI, to operate fully remotely.
I believe we have underestimated the power of in-person, human connection. Bringing 300 people together in-person certainly had its risks, but it was immediately evident how valuable the human connection was in driving collaboration and building relationships – and in turn improving the customer experience and the team's performance.
Collaboration and diverse perspectives are key to solving the most difficult challenges
In cybersecurity and at NetSPI, we solve client challenges every day, often for the largest organizations in the world. We succeed at solving the most difficult of these challenges when collaboration and diverse thoughts reign.
One thing I noticed at the event was that sales didn’t cling to their sales peers, services didn’t cling to their services peers, leadership didn’t cling to their fellow leaders. Although it can be difficult, breaking down departmental silos within an organization can cultivate idea sharing and welcome new perspectives across the organization. This event helped us make big strides toward that goal.
Allowing everyone to have a seat at the table and feel comfortable speaking up and sharing their ideas is something that we value greatly at NetSPI. After all, diverse thought fuels innovation.
In-person events can help you uncover the Purpose that your team will rally around
After the event, I challenged myself to think hard about what my employees really care about. What can I do as a leader to deliver on that purpose and honor my employees’ values? Am I creating a workplace environment that allows them to live by their values?
These events tend to be a wakeup call around a greater mission. And a presentation from our philanthropic partner, the Masonic Children’s Hospital, did just that.
The Director of Development at the Hospital, Nicholas Engbloom, shared a powerful story about Minnesota Gopher placeholder Casey O’Brien and his journey battling cancer. For those unfamiliar with Casey, I’d encourage everyone to listen to his story.
It was clear how much the story and our partnership with the Masonic Children’s Hospital resonated with and empowered our employees. It showed me how powerful it is for our employees to rally around a greater sense of Purpose and give back to the community. I’m excited to ramp up our philanthropic activities with the hospital and other organizations this year.
Investments that you make as an organization to bring your team members together have incredible Return on Investment (ROI) – and that’s just the ROI we can measure. To other cybersecurity business leaders considering an all-employee in-person event, I couldn’t recommend it more.
People are the key to solving the world’s biggest cybersecurity challenges. And the organizations that are enabling employees through tech and creating a values-driven workplace culture will be the ones leading the charge.
I’ll leave you with some incredible dance moves, courtesy of the NetSPI team. Check out this video recap for highlights from the NetSPI 2022 Employee Kickoff:
Want to join us next year? NetSPI is hiring!
[post_title] => Technology Cannot Solve Our Greatest Cybersecurity Challenges, People Can [post_excerpt] => Read this article by NetSPI CEO Aaron Shilts on why people are the greatest asset to the cybersecurity industry. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => technology-cannot-solve-cybersecurity-challenges [to_ping] => [pinged] => [post_modified] => 2023-06-12 13:37:16 [post_modified_gmt] => 2023-06-12 18:37:16 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27790 [menu_order] => 267 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [13] => WP_Post Object ( [ID] => 27738 [post_author] => 66 [post_date] => 2022-05-03 14:06:11 [post_date_gmt] => 2022-05-03 19:06:11 [post_content] =>On May 3, 2022, Aaron Shilts was featured in the Business Journals article 21 Twin Cities Executives Named Regional Finalists for EY's 2022 Entrepreneur of the Year Award. Preview the article below, or read the full article online.
+++
Twenty-one leaders of Twin Cities companies are finalists for Ernst & Young's 2022 Entrepreneur Of The Year award for its seven-state "Heartland" region.
The Minnesota executives dominated EY's recently unveiled list of 28 finalists from a region that also includes North Dakota, South Dakota, Iowa, Nebraska, Kansas and Missouri.
EY will name the winners in June, then pick national winners in the fall.
The Heartland region finalists, with titles gleaned from LinkedIn and company websites, are:
- Sam Anderson, president and CEO, Bay & Bay, based in Eagan
- Jeff Crivello, CEO of BBQ Holdings Inc., based in Hopkins
- Dave Perrill, CEO at Compute North, based in Eden Prairie
- Subodh Kulkarni, president and CEO, CyberOptics Corp., based in Golden Valley
- Barry McCarthy, president and CEO, Deluxe Corp., based in Minneapolis
- Scott Lien, CEO and co-founder, GrandPad, based in Hopkins
- Lili Hall, president and CEO Knock Inc, based in Minneapolis
- Christine Lantinen, president and owner of Maud Borup Inc., based in Plymouth
- Aaron Shilts, president and CEO, NetSPI, based in Minneapolis
- Thompson Aderinkomi, CEO and co-founder, Nice Healthcare Management Co. Inc., based in Roseville
- Clifton Kaehler, CEO, Novel Energy Solutions, based in St. Paul, Minnesota
- David Saber, chairman and CEO, Park State Bank, based in Minneapolis
- Tyrre Burks, founder and CEO, Player's Health, based in Minneapolis
- Brian Murray, CEO of Ryan Cos. US Inc., based in Minneapolis
- Eric Hall, CEO, and Rita Katona, board chair, chief brand & innovation officer, So Good So You, based in Minneapolis
- Barry Nordstrand, retired CEO, Solutran, based in Plymouth
- Chad Hetherington, CEO, The Stable Group, based in Minneapolis
- Chris Metz, CEO, Vista Outdoor, based in Anoka
- Jason Von Bank, president and CEO, Wellbeats, based in Golden Valley
- Bret Weiss, president and CEO, WSB, based in Golden Valley
Nominees for the award are evaluated based on six criteria: entrepreneurial leadership; talent management; degree of difficulty; financial performance; societal impact and building a values-based company; and originality, innovation and future plans.
Other finalists from elsewhere in the region are Byron Whetstone of American Direct, based in Lenexa, Kansas; Greg Siwak of CareVet, based in Clayton, Missouri; Josiah Cox of Central States Water Resources, based in St. Louis; Jay Kim of DataLocker, based in Overland Park, Kansas; Todd Keske of Foam Supplies Inc., based in Earth City, Missouri; Brian Weaver of Torch.AI, based in Leawood, Kansas; and Austin Mac Nab of VizyPay, based in Waukee, Iowa.
[post_title] => The Business Journals: 21 Twin Cities Executives Named Regional Finalists for EY's 2022 Entrepreneur of the Year Award [post_excerpt] => On May 3, 2022, Aaron Shilts was featured in the Business Journals article 21 Twin Cities Executives Named Regional Finalists for EY's 2022 Entrepreneur of the Year Award. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => minneapolis-finalists-2022-ey-entrepreneur-of-the-year-award [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:39 [post_modified_gmt] => 2023-01-23 21:10:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27738 [menu_order] => 273 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [14] => WP_Post Object ( [ID] => 27700 [post_author] => 66 [post_date] => 2022-04-24 09:16:00 [post_date_gmt] => 2022-04-24 14:16:00 [post_content] =>On April 24, 2022, Aaron Shilts was featured in the Authority Magazine article, Cyber Defense: Aaron Shilts of NetSPI On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack. Preview the article below, or read the full article online.
+++
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.
As a part of this series, I had the pleasure of interviewing Aaron Shilts, CEO of NetSPI.
As President and CEO of NetSPI with 20+ years of industry leadership, Aaron Shilts is known for his honest, open, and energizing leadership and his undeniable focus on corporate culture, collaboration, and business growth. Under Aaron’s leadership, NetSPI has experienced 35% and 50% Organic Revenue Growth in 2020 and 2021 respectively. In addition to his work at NetSPI, Aaron is the co-founder of “Change Starts With Me,” a Minneapolis non-profit, and advises several global firms. Aaron earned his B.S. from St. Cloud State University and proudly served in the Army National Guard.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
In today’s evolving threat landscape where cybercriminals have become more sophisticated and motivated than ever before, cybersecurity is now everyone’s responsibility. In fact, the weakest link within any organization is typically its employees. Everyone working for, or with, the business should understand that security is everyone’s business — from the CEO down to the seasonal intern, and even the third-party contractor.
For this reason, organizations should implement frequent, hands-on security training, and regularly test the effectiveness of such training with simulated attacks to determine if more work needs to be done. After all, it only takes one accidental click on a malicious link to cripple an entire organization and its assets.
Read the full interview online.
[post_title] => Authority Magazine: Cyber Defense: Aaron Shilts of NetSPI On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack [post_excerpt] => On April 24, 2022, Aaron Shilts was featured in the Medium article, Cyber Defense: Aaron Shilts of NetSPI On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => 5-ways-to-shield-your-business-from-cyberattacks [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:42 [post_modified_gmt] => 2023-01-23 21:10:42 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27700 [menu_order] => 281 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [15] => WP_Post Object ( [ID] => 27664 [post_author] => 66 [post_date] => 2022-04-14 11:16:00 [post_date_gmt] => 2022-04-14 16:16:00 [post_content] =>On April 14, 2022, NetSPI President and CEO, Aaron Shilts, was featured on the CyberWire Daily podcast. Listen to the interview (begins at 11:00) to hear Aaron's insights on:
- Proactive public-private sector security collaboration
- How legislation like the Strengthening American Cybersecurity Act of 2022 enables the overall industry to be better at reporting cyberattacks
- The complexity of reporting cyberattacks while maintaining federal and state regulations
- Recommendations on building intentional relationships between organizations in the private and public sectors
Four Tips to Proactively Improve Your Security Posture
Is cyber warfare in your crisis management plan? If not, it’s time to revisit your incident response plans and get proactive with your security as tensions rise in Eastern Europe.
Recently, several Ukrainian government and bank websites were offline as a result of a massive distributed denial-of-service (DDoS) attack. Shortly following these attacks, a new “wiper” malware targeting Ukrainian organizations was discovered on hundreds of machines to erase data from targeted systems.
Experts believe both security incidents were carried out by Russian cybercriminals or nation-state hackers, creating a new digital warfare environment that affects organizations worldwide.
Now, on the heels of the Biden administration issuing new sanctions against Russian banks, the U.S. government is advising public and private organizations to heighten cybersecurity vigilance related to ransomware attacks carried out by the newly identified wiper malware. In fact, New York recently issued an “ultra high alert” as the state faces increased risk of nation-state sponsored cyber attacks.
As cybercrime escalates and tensions mount, business leaders can take the following four steps to bolster security measures and remain better protected against potential risk:
1. Evaluate Your Current Security Posture
Before implementing any new initiatives or overhauling existing measures, it’s important to evaluate the organization’s current security posture. This means taking a closer look at its attack surface, customer environments, vendor relationships, and other partnerships to understand an organization’s true exposure to malicious actors.
Businesses that have proactively developed an incident response playbook are best prepared to evaluate their position, and large organizations likely have policies that cover geopolitical unrest. However, with the threats still unclear, even late adopters can allocate resources to strengthen their security posture in weeks or even days.
2. Refer to CISA’s Shields Up Initiative
The Cybersecurity and Infrastructure Security Agency (CISA) recently launched Shields Up, a free resource that features new services, the latest threat research, recommendations for business leaders, as well as actions to protect critical assets.
Whether an IT security professional, or a top C-suite leader, all roles within an organization should familiarize themselves with Shields Up and the actionable advice recommended by CISA.
Such advice includes reducing the likelihood of a damaging cyber intrusion; taking steps to quickly detect a potential intrusion; ensuring that the organization is prepared to respond if an intrusion occurs; and maximizing the organization's resilience to a destructive cyber incident.
3. Prioritize Proactive Offensive Security Measures
Proactive cybersecurity testing is oftentimes an afterthought for business leaders when evaluating breach preparedness. In reality, enterprise security testing tools and penetration testing services that boost an organization’s cybersecurity posture from the onset should be a top priority, now more than ever before.
While many tend to focus on the physical disruption nation-state attacks can cause, popular cybercriminal tactics like distributed denial-of-service and ransomware can be mitigated through proactive offensive security activities like Penetration Testing as a Service (PTaaS), red team, breach and attack simulation, or attack surface management.
4. Understand that Security is Everyone's Responsibility
The weakest link within any organization is its employees. Everyone working for, or with, the business should understand that security is everyone’s business – from the CEO to the seasonal intern, and even the third-party contractor.
For this reason, organizations should implement frequent, hands-on security training, and regularly test the effectiveness of such training with simulated attacks to determine if more work needs to be done. After all, it only takes one accidental click on a malicious link to cripple an entire organization and its assets.
During times of unrest, cybercrime skyrockets as individuals become distracted and increasingly vulnerable. It’s important to remain vigilant while the current attacks continue, even if an organization does not directly work with Ukraine or Russia.
[post_title] => Cyber Attacks on Ukraine Signal Need for Heightened Security [post_excerpt] => Protect the security of your organization with these four cybersecurity measures. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cyber-attacks-signal-need-for-heighted-security [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:47 [post_modified_gmt] => 2023-01-23 21:10:47 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27525 [menu_order] => 294 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [17] => WP_Post Object ( [ID] => 27424 [post_author] => 66 [post_date] => 2022-02-22 02:42:00 [post_date_gmt] => 2022-02-22 08:42:00 [post_content] =>On February 22, 2022, Aaron Shilts was featured in a Twin Cities Business article titled, The Malware Pandemic. Preview the article below, or read the full article online here.
+ + +
In the information technology world, Log4j could become the equivalent of a particularly virulent Covid variant—and for businesses, a potentially bigger danger.
Log4j is an open-source, Java-based utility that logs error messages in software applications. In early December, a cybersecurity staffer with the Alibaba Cloud service in China discovered a vulnerability—a flaw—in Log4j that could open millions of businesses and other organizations to cyberattacks. A second flaw was found shortly afterward.
Compared to a data breach releasing sensitive information of millions of retail customers, the dangers of Log4j’s flaws are harder for non-IT people to understand. But as a cybersecurity threat, Log4j could become a disaster of pandemic proportions. That’s because innumerable organizations have the utility in their IT networks—and many don’t even know it’s there. Log4j could allow cybercrooks worldwide to steal data, encrypt servers, shut down factory floors, deceive companies into wiring them money, and demand thousands, even millions, of dollars in ransom.
Lurking in the shadows
Every software program inevitably and unavoidably has vulnerabilities. Over time, most bugs get fixed. But as in the case of Log4j, a tiny flaw in a widely used software component can explode throughout networks worldwide.
A flaw could be something that isn’t visible, notes Aaron Shilts, CEO of Minneapolis-based cybersecurity firm NetSPI, which specializes in network penetration testing and “attack surface management” for its business clients. More than 50 percent of NetSPI’s work involves testing applications—which Shilts terms “the lifeblood of any enterprise” —for vulnerabilities.
[post_title] => Twin Cities Business: The Malware Pandemic [post_excerpt] => On February 22, 2022, Aaron Shilts was featured in a Twin Cities Business article titled, The Malware Pandemic. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => tcbmag-malware-pandemic [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:52 [post_modified_gmt] => 2023-01-23 21:10:52 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27424 [menu_order] => 306 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [18] => WP_Post Object ( [ID] => 25805 [post_author] => 66 [post_date] => 2021-06-29 15:00:00 [post_date_gmt] => 2021-06-29 20:00:00 [post_content] =>On June 29, 2021, NetSPI President and CEO Aaron Shilts was featured in an article from Minne Inno and Minneapolis/St. Paul Business Journal:
Ransomware attacks have recently made headlines as everything from meat suppliers to schools and hospitals are falling prey to the unforgiving data breaches.
Minneapolis-based NetSPI, a network security firm, is now offering a ransomware attack simulation service to help companies protect themselves.
The service works by emulating real-world ransomware attacks to find and fix vulnerabilities in a company's cybersecurity defenses.
"The DNA and the way we deliver our work lends itself well to helping companies with ransomware," said NetSPI CEO Aaron Shilts. "… We act as a ransomware attacker, using the same attacks, same tools and show them where their weakness would be."
Shilts said the simulation not only illuminates where a breach can be made, but how the company's systems responded to the attack.
"That's a big part of it. If you can detect something soon, you can usually protect it before they take out the entire network," he said. "If you don't have the detection capabilities, it will spread very quickly."
With tens of millions of dollars funneling towards the attackers, many of whom are backed by foreign governments, it seems like a daunting task to stay on pace with the attackers.
However, out of NetSPI's 225 employees, 150 of them are cyber security experts that research and familiarize themselves with the latest attack patterns.
Shilts said the team is incredibly sharp and "lives and breathes" cybersecurity.
As far as who would benefit the most from the company's service, Shilts said any operating business is a target to the attacks.
NetSPI's work gravitates more towards heavily regulated financial services that store personally identifiable data. But less regulated industries such as K-12, state and local government are high targets because they're easier to pick off.
To learn more, read the full article here: https://www.bizjournals.com/twincities/inno/stories/news/2021/06/29/netspi-ransom-ware-attack-simulation.html
[post_title] => Minne Inno & MSP Business Journal: NetSPI adds ransomware attack simulation to its penetration testing portfolio [post_excerpt] => On June 29, 2021, NetSPI President and CEO Aaron Shilts was featured in an article from Minne Inno and Minneapolis/St. Paul Business Journal. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => minne-inno-msp-business-journal-netspi-adds-ransomware-attack-simulation-to-its-penetration-testing-portfolio [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:52:00 [post_modified_gmt] => 2022-12-16 16:52:00 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25805 [menu_order] => 390 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [19] => WP_Post Object ( [ID] => 25421 [post_author] => 66 [post_date] => 2021-05-17 07:00:37 [post_date_gmt] => 2021-05-17 07:00:37 [post_content] =>On May 17, 2021, NetSPI President and CEO Aaron Shilts was featured in a Forbes article.
So it is perhaps not a coincidence that, just five days after the Colonial attack, KKR led a $90 million growth investment in a cybersecurity company called NetSPI. “The reality is that cyber security attacks today are inevitable and put organizations at grave risk,” the company’s CEO, Aaron Shilts, said in a statement. “At NetSPI, we strive to stay one step ahead of hackers, breaches and bad actors.”
In the years to come, NetSPI will have plenty of chances to prove its worth—and hopefully help prevent other instances of infrastructure-crippling bitcoin blackmail.
Now, onto the rest of the things you need to know from the past week in private equity, M&A and beyond…
Read the full article here: https://www.forbes.com/sites/kevindowd/2021/05/17/how-private-equity-factors-in-to-the-colonial-pipeline-hack/?sh=2725b64f5262
On May 13, 2021, NetSPI President and CEO Aaron Shilts was featured in the Minneapolis/St. Paul Business Journal.
Cybersecurity company NetSPI has raised $90 million in growth funding, it announced Wednesday.
The round was led by New York City-based investment firm KKR. Cybersecurity-focused venture capital firm Ten Eleven Ventures also participated.
Read the full article here: https://www.bizjournals.com/twincities/news/2021/05/13/netspi-raises-90-million-cbersecurity.html
On May 12, 2021, NetSPI President and CEO Aaron Shilts was featured in the Star Tribune.
NetSPI, which works with companies to thwart cyberattacks, has raised $90 million in minority investments from KKR and Ten Eleven Ventures.
The new infusion of capital will help the 225-employee software firm develop and improve products, add clients and hire more people, NetSPI CEO Aaron Shilts said in an interview Wednesday.
Read the full article here: https://www.startribune.com/netspi-a-minneapolis-cyber-security-firm-raises-90-million-new-investors/600056465/
- How Covid-19 affected NetSPI's workforce
- Nothing connected to the Internet is safe, so what can you do?
- How much cyber security can affect mergers and acquisitions
- What he anticipates his greatest challenge will be in 2021
- The upsides of working through a pandemic
As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week. We know now the breaches have been linked back to a supply chain attack on the SolarWinds Orion Platform, a software platform that manages IT operations and products for over 300,000 organizations, including over 425 of the Fortune 500, all ten of the top U.S. telecommunications companies, all five branches of the U.S. Military, all five of the top U.S. accounting firms, and many, many more.
While FireEye, the U.S. Treasury, and National Telecommunications and Information Administration (NTIA) were the first to report a security breach, the breadth of SolarWinds’ customer base is an indicator that the breaches are seemingly the tip of the iceberg.
For the sake of information sharing, here is an overview of the attacks, immediate steps you can take to identify whether you have fallen victim, and tips for protecting your organization as communicated by FireEye, SolarWinds, and NetSPI. For the full technical deep-dive, we highly recommend the FireEye blog post.
Overview: SolarWinds Orion Manual Supply Chain Attack
On December 13, SolarWinds issued a security advisory alerting to a manual supply chain attack on its Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
FireEye discovered the attack and suggests it is a state-sponsored global intrusion campaign by a group named UNC2452 - though many industry experts are attributing the attack to APT29, a group of hackers associated with the Russian Foreign Intelligence Service.
- Attack Origin: UNC2452 gained access to victims via trojan-based updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574 /SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
- How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
- Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.
Known breaches include:
FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.
U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.
Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:
- First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the subnet mask. If the Orion agent is found, follow SolarWinds’ recommendations.
- SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
- Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.
Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.
[post_title] => FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now? [post_excerpt] => As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => fireeye-solarwinds-us-treasury-whats-happening-in-the-cyber-security-world-right-now [to_ping] => [pinged] => [post_modified] => 2021-05-04 17:03:39 [post_modified_gmt] => 2021-05-04 17:03:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20716 [menu_order] => 442 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [25] => WP_Post Object ( [ID] => 18904 [post_author] => 66 [post_date] => 2020-09-22 07:00:06 [post_date_gmt] => 2020-09-22 07:00:06 [post_content] =>You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. And you’ve committed to building an ongoing and continuous vulnerability management program to guard against the potential threats to your assets. Now what?
Putting a successful vulnerability management program in place needs careful consideration up-front to ensure your organization is set up for success to remediate vulnerabilities for each application and system you have. The following checklist breaks the best practices process down and provides you with a planning roadmap to getting the most value out of a penetration testing and vulnerability management program.
Penetration Testing Program Plan of Attack
Deliverable |
Elements of Success |
Requirements |
Step One: The Plan |
Develop a plan that puts structure and strength around cybersecurity to include continuous vulnerability testing and patching, incident response plans, and training and security awareness programs. The ultimate goal? Decrease time to remediation and close security gaps in your network. Clearly define the scope, objectives, identification of testing, and the order in which they are to be performed. Build a vulnerability management team. This could include both in-house talent as well as industry analysts or consultants. When choosing a pentesting service provider, ask about the credentials of their pentesting team, beyond technical competencies. For example, will your team be composed of a dedicated work group or an outsourced group who haven’t previously worked together? Team structure has implications for streamlined communications and for knowing who is inside your network. Augment with careful preliminary risk planning and contingency plans should any services be unintentionally disrupted. Types of penetration testing: |
□ Develop a high-level vulnerability management plan – be sure to include non-negotiables such as scalability and continuous testing □ Present your case to business leadership; gain agreement on budget □ Refine plan and define ownership and scope of your program to include personnel and their roles and responsibilities □ Develop policies, standards, and procedures □ Determine merchandising strategy – to bring visibility to the program’s successes |
Step Two: Scanning and Assessment | Layer in automated scanning functions that deliver results that can be easily sorted and acted upon with human capital to find and fix vulnerabilities. Create an enumeration (list and count) of suspected vulnerabilities that are enumerated only after using multiple automated tools over time, not just one single tool. Build in further analysis of suspected vulnerabilities using specialized tools and manual techniques as required. |
□ Identify all assets you want to scan □ Define vulnerability landscape:
□ Define an actionable reporting structure for vulnerabilities □ Deploy automated vulnerability scanning, using authenticated mode to scan high-value resources □ Prioritize pentesting cadence, beginning with an external network penetration test followed by internal network testing □ Commence manual pentesting |
Step Three: Preparing for Risk-Based Remediation | Develop a risk-based remediation plan commensurate with your program’s maturity level and appetite for business risk. Employ a comprehensive verification of high-risk vulnerabilities including but not limited to safe exploitation of these vulnerabilities using both automated and manual processes, including the injection of malicious code when called for. |
□ Rank vulnerabilities through an established remediation timeline. For example:
□ Assign application and system remediation owner □ Build in business leadership approvals for long lead remediations |
Step Four: Ongoing Reporting and Improvement | Automate your vulnerability management program as much as possible: spreadsheets, emails, and document sharing portals are insufficient for most organizations, large ones in particular. Automation enables 24/7 pentest report visibility with business leadership and continuous improvement. Find a penetration testing reporting platform that is engaging and customizable to showcase what is most important to your business, one that can track and compare data over time. |
□ Build a reporting framework – for the pentesting team and for business leadership □ Identify continual improvement opportunities □ Use comparison data to showcase progress over time and highlight successes |
All organizations should aspire to have the people, processes, and tools necessary to effectively execute an ongoing vulnerability management program. Failure to do so may result in poor tool selections, testing mistakes, and faulty interpretation of vulnerability scanner and pentest results that often lead to a false sense of security and could put the enterprise at risk. By building out a vulnerability management plan, as depicted above, you can dramatically increase the security of your enterprise and can be better assured to reach your ultimate goal: to decrease time to remediation and close any security gaps in your network.
[post_title] => Checklist: Getting the Most Value Out of Penetration Testing and Vulnerability Management [post_excerpt] => You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => checklist-getting-the-most-value-out-of-penetration-testing-and-vulnerability-management [to_ping] => [pinged] => [post_modified] => 2024-03-29 17:29:40 [post_modified_gmt] => 2024-03-29 22:29:40 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=18904 [menu_order] => 471 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [26] => WP_Post Object ( [ID] => 19475 [post_author] => 66 [post_date] => 2020-09-08 07:00:16 [post_date_gmt] => 2020-09-08 07:00:16 [post_content] =>The term ‘red teaming’ is said to be overly used in the cyber security industry, which is why the concept is often misunderstood and unclear. But for the right cyber security pro, red teaming can be an exciting profession. Red teaming assessments are objective based assessments of an organization’s security posture. Assessors are allowed to use any technique that they deem appropriate to try and determine if the objectives, defined upfront, can be accomplished. Typically, a red team’s goal is to gain unauthorized access to an organization’s environment while avoiding detection and then maintaining access for a pre-determined period of time to test an incident response team’s ability to identify and respond to threats.
Red teaming is not a job for the faint of heart as it involves travel and many hours, even days, of thinking strategically and reacting quickly to the situation at hand. Nevertheless, it’s a critical component of every vulnerability testing strategy and can help organizations accurately assess threats to IT assets, benchmark current security capabilities, justify security investments, sharpen the skills of the team and improve detective controls. Given the importance of red teaming engagements, the industry should also understand the people behind the engagements and how they operate in order to get the most value out of the engagement. I talked with NetSPI Managing Director Nabil Hannan for an inside look at red teaming culture.
Aaron Shilts (AS): Who is drawn to red teaming work?
Nabil Hannan (NH): Although having solid technical skills to be able to circumvent security controls in the software, network or infrastructure may be an important skill to have, ultimately, the personalities who are most attracted to this type of work, and end up being most successful at red teaming engagements, are people who are clever and can think outside the box. Having the ability to think quickly on one’s feet and solve problems on the fly are important attributes for people who perform these assessments.
AS: Penetration tests and red teaming assignments can cause stress and anxiety, how does this affect professionals?
NH: Although red teaming engagements can be stressful, typically the personalities who do these engagements enjoy, and even thrive on, doing this type of work, and – from my experience – rarely consider this as true “stress.” Red teaming engagements really allow assessors to go above and beyond and truly think outside the box on how to circumvent security controls in creative ways to successfully complete objectives. These creative methods can range from crafting phishing emails (designed to generate enough excitement that victims fall for the attack and click or respond) all the way to physical security attacks where you can use condensed air cans or even something as simple as a balloon to trigger motion sensors and get access to parts of a building which require special access or clearance.
AS: What kind of tools do red teams have at their disposal?
NH: Red teaming assessors can leverage any existing information they have at their disposal regarding vulnerabilities and weaknesses in the systems and environments they are trying to compromise. This may include penetration testing reports, automated scan reports (e.g. static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), network scanning), video surveillance feeds, user guides, documentation around access controls, and more. There are also many tools and gadgets that can be purchased for fairly low cost to do reconnaissance and exploits with things like WiFi antennas with extended range, RFID sniffers, and USB mice with flash storage inside them.
AS: How can leaders help balance the demands of the job while creating a sense of camaraderie among their teams?
NH: Most red teaming engagements are performed in teams of two or more. It’s important for the team to work cohesively together and help complement each other’s strengths. Building a team with a good mix of both technical and non-technical skills is important for success. Successful leaders will assign specific roles for each team member focused on harnessing their strengths, and also ensure that the team works together to brainstorm and create plans and strategies on how to accomplish specific objectives outlined in the engagement.
AS: What background or qualifications are beneficial for a red team professional?
NH: Professionals with military and law enforcement backgrounds are a valuable addition to a team because they can help navigate the legal and physical security aspects of an engagement. And it’s critical to have professionals on the team who have the resources and technical expertise to be able to identify and exploit vulnerabilities in software systems to find ways to circumvent security controls and accomplish the objectives of the engagement.
AS: Is there risk for red teams to get in trouble with the law while participating in an engagement?
NH: There have been some incidents, but they are very rare. Typically, during red teaming assessments, the assessors are provided with a “get out of jail free” letter that they are required to carry throughout the engagement. These letters contain details regarding the engagement, who the sponsor is, and contact information for the client so that law enforcement can call to confirm the rules of engagement and scope of the assessment. The cyber security community typically isn’t worried about their assessors getting arrested and facing criminal charges, because they were performing the work on behalf of an organization, and they have contractual language that protects them.
Red teaming professionals certainly have their work cut out for them, as cyber security adversaries continue to evolve and find new ways to access sensitive systems and data. Let this article be a reminder to thank red team assessors next time you see them – and talk with them about how IT and security leaders can better enable them to work collaboratively, use all available resources, and use their creative, yet technical, minds to help organizations assess security threats and ultimately improve their security posture.
[post_title] => Q&A with Nabil Hannan: An Inside Look at Red Teaming Culture [post_excerpt] => The term ‘red teaming’ is said to be overly used in the cyber security industry, which is why the concept is often misunderstood and unclear. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => qa-nabil-hannan-inside-look-at-culture [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:51:01 [post_modified_gmt] => 2021-04-14 00:51:01 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=19475 [menu_order] => 472 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [27] => WP_Post Object ( [ID] => 18984 [post_author] => 66 [post_date] => 2020-08-18 07:00:45 [post_date_gmt] => 2020-08-18 07:00:45 [post_content] =>No industry is safe from a cyberattack and last year’s long list of breach victims is testament to that. Within the first six months of 2019, 3,800 breaches were reported, exposing 4.1 billion records. The impact of a breach continues to grow, and the wide-ranging threat landscape continues to shift – thus, our network security testing strategies should evolve in tandem.
Penetration testing has been around for decades and has remained at the foundation of vulnerability testing and management programs. But as the modern enterprise continues to evolve, and attack surfaces become much more complex, pentesting has remained relatively unchanged. Following a pentest, security and IT teams are typically left with an immense amount of vulnerability data that ends up in PDFs with limited context, making it challenging to process and collaborate with development teams for vulnerability remediation. In addition, many organizations struggle with the breadth of their security testing coverage and lack the time or financial resources to adequately pentest all of the applications and systems in their environment – and they can’t remediate all the vulnerabilities from each test. According to Gartner, once a company discloses a vulnerability and releases a patch, it takes 15 days before an exploit appears in the wild.
To ensure critical assets are secure and their entire attack surface has some level of pentesting coverage, today’s modern enterprise requires a more continuous and comprehensive penetration testing process.
Enter Penetration Testing as a Service, or PTaaS: a hybrid approach to security testing that combines manual and automated ethical hacking attempts with 24/7 scanning, consultation and streamlined communication and reporting delivered through a single platform. By delivering pentesting “as a service,” organizations receive a broader, more thorough vulnerability audit year-round instead of relying on point-in-time pentests, which are typically executed just once a year.
Point-in-Time Pentesting Versus PTaaS
While an important starting point, point-in-time penetration testing has its limitations. Once a test has been completed, how can one be sure that no new vulnerabilities arise during the remaining 364 days of the year? To better understand the impact of PTaaS, here are four core differences between point-in-time penetration testing and PTaaS. PTaaS gives organizations:
- Visibility and control. Through PTaaS, organizations are put in control of the pentest. Security teams gain the ability to request and scope new engagements, see the progress and status of all open engagements, easily parse the vulnerability trends, and work to understand and verify the effectiveness of remediations, all within a single online platform.
- Paths to quicker remediation. The penetration testing reports, often static PDFs, created after a standard pentest leave much to be desired when it comes to vulnerability remediation. On average, it takes 67 days to remediate critical vulnerabilities. PTaaS platforms allow findings to be actionable as they can be sorted, searched, filtered, and audited. As the vulnerability or exploit evolves over time, the data related to it will be updated, not remain unchanged in a document. Additionally, PTaaS provides development teams with the most up-to-date and relevant information for remediation, with assistance and consultation from the team of pentesters who found the vulnerability.
- More security testing possibilities. Due to both the cost savings of automation and the efficiency provided for remediating vulnerabilities, companies are able to do more with their budgets and internal resources. The faster vulnerabilities are found and remediated, the quicker the company can move on to protect itself from the next vulnerability.
- Prioritized, actionable results. PTaaS platforms, like NetSPI’s Resolve, will aggregate and correlate the findings, eliminating manual administrative tasks while providing a result set that drives the right set of actions in an efficient manner for all organizations. According to Gartner, one of the most common ways to fail at vulnerability management is by sending a report with thousands of vulnerabilities for the operations team to fix. Successful vulnerability management programs leverage advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.
What’s fueling the desire for an “as a Service” model for penetration testing?
Businesses, no matter the industry, are constantly changing and are on the lookout for technology that can scale with them. Because of the constant flux that businesses remain in today, whether from engaging in a merger or acquisition or integrating a new software program, there is a desire to uncover the most efficient way to maintain an always-on vulnerability testing strategy, while also ensuring capacity to remediate. PTaaS is scalable, so that organizations of all sizes and maturity can use it to maintain a small part of their security testing program – or the entire program.
Further, heavily regulated industries – such as financial services, healthcare, and government – benefit greatly from an “as a Service” model, given the level of sensitive data stored and pressures of maintaining compliance. With PTaaS, organizations can consume their data, on-demand, in many formats for their various regulatory bodies and gain the visibility to know what is happening in their security testing program, and what actions need to be taken.
PTaaS is the new standard for vulnerability testing and remediation as security teams recognize that annual testing does not enable a proactive security strategy. Pentesting engagements are no longer a once-a-year tool for compliance and have evolved into a critical part of day-to-day security efforts.
[post_title] => Four Ways Pentesting is Shifting to an “Always On” Approach [post_excerpt] => No industry is safe from a cyberattack and last year’s long list of breach victims is testament to that. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => four-ways-pentesting-is-shifting-to-an-always-on-approach [to_ping] => [pinged] => [post_modified] => 2022-02-15 19:04:32 [post_modified_gmt] => 2022-02-16 01:04:32 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=18984 [menu_order] => 475 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [28] => WP_Post Object ( [ID] => 18896 [post_author] => 66 [post_date] => 2020-07-28 07:00:27 [post_date_gmt] => 2020-07-28 07:00:27 [post_content] =>Let’s face it. The chefs in our lives were right when preaching the “clean as you go” philosophy while cooking. Keeping counters and utensils washed and put back in place helps thwart the influx of bacteria and spread of cross contamination that could make us sick. Shouldn’t that same philosophy apply to cyber security, too? Foregoing a “clean as you go” program and conducting a penetration test just once each year may check a compliance box, but ultimately prove to be unsuccessful when it comes to protecting your network and assets from the potential “bacteria” that can enter at any time.
Systems and applications in any organization become alarmingly vulnerable if monitored under a one-and-done scenario. An ongoing and continuous vulnerability management program or penetration testing program is an important guard against the potential threat to your technology assets that hackers pose nearly every second of the day. In fact, a University of Maryland study says that hackers attack every 39 seconds (on average 2,244 times a day). Think of how vulnerable your technology assets are in this environment if only penetration tested once a year.
As an aid to help put structure around a continuous penetration testing program, here are four core considerations that should be a key part of an always-on security program.
1. Prevent Breaches with an ‘Always On’ Testing Mentality
There’s no doubt about it: attack surfaces grow and evolve around the clock. With network configurations, new tools and applications, and third-party integrations coming online constantly, an atmosphere is created that opens the possibility of unidentified security gaps. This white paper points to the fact that cyber-attacks can affect your business and are almost as prevalent as natural disasters and extreme weather events. And we know from our own NetSPI research that nearly 70 percent of CISO security leaders are concerned about network vulnerabilities after implementing new security tools.
And those CISOs’ concerns are valid: take the recent announcement from the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). CISA published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic. A ZDNet article says that CISA warns it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. CISA is concerned that hurried deployments may have led to important security configuration oversights that could be exploited by attackers. With continuous penetration testing in place, security leaders can identify high risk vulnerabilities in real-time and close those security gaps faster.
2. Automation Is a Tool; Human Logic Is Critical
Good pentesters use automated scanning tools (ideally from many different sources) and run frequent vulnerability discovery and assessment scans in the overall pentesting process. Vulnerability scanning is generally considered an addition to manual, deep-dive pentests conducted by an ethical hacker. Manual pentesting leverages the findings from automated vulnerability and risk assessment scanning tools to pick critical targets for experienced human pentesters to: 1) verify as high-fidelity rather than chasing false positives, and then 2) consider exploiting as possible incremental steps in an effort to eventually gain privileged access somewhere important on the network.
Purely automated tools and highly automated testing activities cannot adequately test the business logic baked into an application. While some tools claim to perform complete testing, no automated technology solution on the market today can perform true business logic testing. The process requires the human element that goes well beyond the capabilities of even the most sophisticated automated tools.
3. Penetration Testing Reports Don’t Have to Be Mundane
We can all agree that there isn’t much enjoyment in reading pages and pages of pentesting data presented in static Excel or PDF documents. Now picture what the paperwork for a once-a-year penetration testing report looks like. Gulp! Much like many of us consume the daily news headlines, so too should CISOs view the daily “headlines” of their vulnerability management program through the display of live pentest report results.
Under this scenario, less time is spent analyzing penetration testing report data, opening valuable time to give to the important work of remediation. Insist on the following pentest report deliverables in your penetration testing program:
- Actionable, consumable discovery results to automatically correlate and normalize all of the data collected from multiple open source and proprietary tools.
- High quality documentation and reports related to all work delivered, including step-by-step screen-capture details and tester commentary for every successful manual attack.
4. Stay Ahead of the Attacks Through Remediation
To stay ahead of attacks that occur every 39 seconds, every day, it’s important to enable fast and continuous remediation efforts to keep a threat actor at bay. This goes hand in hand with testing, analyzing, and reporting: if you’re not continuously testing for vulnerabilities, it’s highly probable that the issues remain unresolved. Layer these remediation best practices into your pentesting program:
- Industry standard and expert specific mitigation recommendations for all identified vulnerabilities.
- Traceability and archiving of all of the work done to make each subsequent round of testing for your organization more efficient and effective.
Factoring these considerations—always on testing, manual testing, real-time reporting, and remediation—into the planning and design of penetration testing programs will significantly minimize the risk of damage or disruption that could occur in an organization, and dramatically boost the security of your cyber assets.
[post_title] => Four Must-Have Elements of an Always-On Cyber Security Program [post_excerpt] => Let’s face it. The chefs in our lives were right when preaching the “clean as you go” philosophy while cooking. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => four-must-have-elements-of-an-always-on-cyber-security-program [to_ping] => [pinged] => [post_modified] => 2024-03-29 17:50:55 [post_modified_gmt] => 2024-03-29 22:50:55 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=18896 [menu_order] => 484 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [29] => WP_Post Object ( [ID] => 18867 [post_author] => 66 [post_date] => 2020-06-09 07:00:41 [post_date_gmt] => 2020-06-09 07:00:41 [post_content] =>Proactive or preventative cyber security testing continues to be an afterthought in today’s conversations around breach preparedness. In this Forbes article, for example, the author suggests establishing an incident response plan, defining recovery objectives and more, all of which are necessary – but there’s no mention of investing in enterprise security testing tools and penetration testing services that boost your cyber security posture in the first place.
Sure, it can be difficult to make a business case for the C-suite to invest in an intangible that doesn’t directly result in new revenue streams. Historically, though, breaches cost companies millions and sometimes billions of dollars, proving that a ‘dollars and sense’ case can be made for preventative cyber security testing.
Even when a case is made to the board and funding is available, enterprise security teams struggle to be proactive because they are constantly reacting to the threats already looming in their network, lack adequate staffing, and the pace of vulnerabilities continues to outpace the business. So, how can the C-suite and security teams come together to prioritize the urgency of implementing a proactive cyber security testing program? How can we communicate that the upfront planning and set up is a proactive investment that will help eliminate the financial and time strain of a reactive-forward cyber security program?
The reality is that cyber security breaches today are inevitable and put organizations at grave risk. To help your security team make the case for prevention-based security investments, such as penetration testing and adversarial simulation, here are three recommendations that will get the attention of C-suite executives and help your security team remain proactive:
Translate the Impact of a Breach into Dollars and Sense that the C-Suite Understands
In today’s digital world, data is more valuable than ever and more vulnerable. So, how can you best communicate this heightened value of data security and risk to your leadership team? By speaking a language they understand. First, shift your mindset from talking about “cyber security and compliance” to “customer safety and quality services;” these terms will resonate better with the C-suite.
Next, be prepared to talk financial risk. Annually, IBM and Ponemon Institute release the Cost of a Data Breach Report, which includes a calculator based on industry and cost factors – such as board-level involvement, compliance failures, and insurance – to determine the potential financial impact of a breach. Use this resource to calculate your own organization’s estimated cost of a data breach.
A simple calculation case study: In the United States, if an attacker compromises just 5,000 records, it could cost your organization over $1 million (based on the average cost of $242 per lost record). This case demonstrates the cost of a smaller-scale breach – in fact, the average size of a data breach in the United States in 2019 was 25,575 records, resulting in an average cost of $8.2 million per breach. Compare that to the average cost of a vulnerability management or penetration testing program, and your case to the executive team is pretty simple. Notably, loss of customer trust and loss of business are the largest of the major cost categories, according to the report. The study finds that breaches caused a customer turnover of 3.9 percent – and heaps of reputational damage.
Lastly, use examples in your respective industry as proof points. For example, if you’re in the financial services industry, reference other breaches in the sector and their associated cost. It’s important to clearly communicate the reality of what happens when your organization is breached to get the C-suite on board for more cyber security spend. Sharing concerning results of reactive cyber security strategies helps executives see the benefit of investing in proactive security measures to prevent a breach from happening in the first place.
Help Leaders Understand Cyber Security Testing’s Role in a Crisis Preparedness Plan
A data breach is a common crisis scenario for which every business should plan. It should be discussed in tandem with other risk scenarios like natural disasters, product recalls, employee misconduct, and conflict with interest groups, to name a few. As with any disaster preparedness program, documentation and reporting are critical. Specifically, documentation of your vulnerability testing results and remediation efforts should be viewed as a tool to inform leaders about the organization’s exposure to risk, as well as its ability to prevent breach attempts from being successful. Cyber security weaknesses to look for from an organizational standpoint include lack of continuous vulnerability testing and patching, untested incident response plans, and limited training and security awareness programs. These three key areas can turn into the “Achilles heel” of any organization’s security posture if not addressed and implemented properly.
Position Your Pentest Team as an Extension of Your Own Security/IT Team
According to a survey we conducted earlier this year, over 80 percent of security leaders say lack of resources keeps them up at night. And for some time now, the cyber security industry has suffered a skills shortage. While companies are eager to hire cyber security experts to address the ever-evolving threat landscape and avoid the high costs of a breach, there aren’t enough people who can fill these roles. According to the latest data from non-profit (ISC)², the shortage of skilled security professionals in the U.S. is nearly 500,000.
Hiring outside cyber security resources is one solution to this demand conundrum. Time is invaluable, so if you propose to hire new vendors, it’s important from the start to position the white hat testers to your executives as an extension of your own team. It is the responsibility of both corporate security practitioners and vendors to find ways to work collaboratively as one team.
Pentesting is a great example of the importance of collaboration in cyber security. Traditionally, pentesters complete their engagement, hand off a PDF and send the internal team off to remediate. With the emergence of Penetration Testing as a Service (PTaaS), pentesters not only perform an engagement, they also conduct more deep-dive manual tests, continuously scan for vulnerabilities to deliver ongoing pentest reports in an interactive digital platform that separates critical vulnerabilities from false positives (a time-consuming activity for your in-house team) and serve as remediation consultants for your organization. Make it clear to your C-suite that vendor relationships are changing and cyber security testing vendors can serve as a solution for current cyber security skills gaps within the business.
When the C-suite and IT and security departments are disconnected on priorities, the risk of a data breach increases. Learn to speak the language of your executive leaders and communicate the true value of proactive security measures. Effective communication around the potential financial impact of a breach, where vulnerability testing fits in a crisis preparedness plan, and ways to solve cyber security talent shortages, can result in additional budget for proactive cyber security testing and other security initiatives.
[post_title] => Making the Case for Investing in Proactive Cyber Security Testing [post_excerpt] => Proactive or preventative cyber security testing continues to be an afterthought in today’s conversations around breach preparedness. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => making-the-case-for-investing-in-proactive-cyber-security-testing [to_ping] => [pinged] => [post_modified] => 2024-03-29 14:49:11 [post_modified_gmt] => 2024-03-29 19:49:11 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=18867 [menu_order] => 499 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [30] => WP_Post Object ( [ID] => 18813 [post_author] => 66 [post_date] => 2020-05-14 07:00:12 [post_date_gmt] => 2020-05-14 07:00:12 [post_content] =>On May 13, 2020, NetSPI President and COO Aaron Shilts was featured in Dark Reading.
Aaron Shilts, president and chief operating officer at security testing firm NetSPI, says faster software development life cycles and inefficiencies in manual deep-dive penetration testing programs are driving interest in PTaaS.
Organizations are overloaded with traditional pen-test PDF deliverables, many of which can contain a mountain of findings, he says. This has made it difficult for organizations to prioritize, correlate, and drive remediation activities.
"PTaaS is essentially an enriched delivery model, making it easier for customers to consume testing services, from initial scoping to reporting," he says. "It ultimately helps to accelerate the remediation process."
Read the full article here.
[post_title] => Dark Reading: Organizations Conduct App Penetration Tests More Frequently – and Broadly [post_excerpt] => On May 13, 2020, NetSPI President and COO Aaron Shilts was featured in Dark Reading. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => dark-reading-organizations-conduct-app-penetration-tests-more-frequently-and-broadly [to_ping] => [pinged] => [post_modified] => 2021-04-14 05:31:54 [post_modified_gmt] => 2021-04-14 05:31:54 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=18813 [menu_order] => 505 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [31] => WP_Post Object ( [ID] => 17718 [post_author] => 66 [post_date] => 2020-03-09 07:00:00 [post_date_gmt] => 2020-03-09 07:00:00 [post_content] => On Mar. 9, 2020, NetSPI President and COO Aaron Shilts was featured in Banking Dive. The next level of self-hack is conducted at a more enterprise level, called red team testing. There are a few variations of the approach. In one, red-team testers adopt the tactics of a specific, known threat actor and try to achieve a specific objective against a chosen target. Red teaming is typically done by banks that are at a higher level of security maturity overall, said Wong. The value of penetration testing over simply using scanning software is that you’re adding humans to the mix, said Aaron Shilts, president and COO of vulnerability assessment firm NetSPI. "If we were bad guys, you know, what would we use to get in?" Shilts told ABA. "How could we get in? What do their defenses really look like? With limited information, it’s kind of a good way to simulate how accessible the crown jewels are from the outside." Read the full article here. [post_title] => Banking Dive: Banks engage in self-hacks to keep defenses sharp [post_excerpt] => On March 9, 2020, NetSPI President and COO Aaron Shilts was featured in Banking Dive. 
[post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => banking-dive-banks-engage-in-self-hacks-to-keep-defenses-sharp [to_ping] => [pinged] => [post_modified] => 2021-04-14 05:32:15 [post_modified_gmt] => 2021-04-14 05:32:15 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=17718 [menu_order] => 534 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [32] => WP_Post Object ( [ID] => 17402 [post_author] => 66 [post_date] => 2020-03-04 07:00:13 [post_date_gmt] => 2020-03-04 07:00:13 [post_content] =>We just returned from RSA Conference, and like every year, it did not disappoint in meeting its charter: “to be a driving force behind the world’s cybersecurity agenda… the place that provides a forum for innovation and partnership… as cybersecurity has become more relevant across all aspects of our daily lives.”
While there was much talk about automation, artificial intelligence and of course, technology, Rohit Ghai, president of RSA, emphasized in his keynote address a point that we, at NetSPI, support day in and day out — valuing the critical importance of people in this complicated and ever-evolving world of vulnerability management.
From the stage, Ghai asked the audience if humans in cybersecurity will matter once technology advances. He argued that, yes, the human element will always matter and what differentiates humans from machines is our ability to tell a story. “We, as cybersecurity professionals, need to change the story of cybersecurity and turn the narrative toward 'cyber-resilience,'” Ghai said. Bob Keaveney, managing editor of BizTech concurs. He wrote, “Human activity will continue to be the indispensable difference between successful and foiled hacks.”
Considering the importance of the human touch in cybersecurity, we observed these three prevalent themes during RSA:
Takeaway 1: CISO Leadership Must Be in the Boardroom
We are confident that no organization wants to impede its infosec programs, yet as we pointed out in this blog post, many problems can be traced back to miscommunication and misunderstanding of a technical topic by people who do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your infosec program is critical — starting in the boardroom.
As the individual most responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, the Chief Information Security Officer (CISO) will serve as the bridge between the highly technical language inherent in infosec, vulnerability, and data security management programs and the other C-suite executives and board members who are more financially, operationally or innovation focused.
Speaking of the human touch in cybersecurity, read this short case study about how Equifax faces a new day in cybersecurity by emphasizing cultural change as a solution.
Takeaway 2: Intelligence Sharing and Cyber Defense Go Hand in Hand
Infosec experts are creative thinkers. They are constantly coming up with new ways to “break things” in a dogged determination to stay ahead of the vulnerabilities their company may face from hackers and manage the remediation of potential (or actual) breaches.
At NetSPI, this new thinking manifests in our commitment to developing open-source tools that strengthen the infosec community. We publish our open source projects and write a blog specific to best practices and information sharing.
Fortunately, we aren’t alone in our belief in the importance of supporting the entire infosec community. In fact, BankInfoSecurity named threat intelligence and sharing a top theme of the show. Further, when analyzing the abstracts from would-be speakers at RSA, event organizers noted a shift in focus. "We saw an increase in submissions that documented the inherent weaknesses and challenges of machines, with some deeply technical and wonderfully detailed submissions digging into the specifics and providing guidance and best practice considerations," says Britta Glade, the RSA Conference's director of content and curation.
Takeaway 3: Automation as a Tool, Not the Be All and End All
Automation has a clear role in helping organizations with pentesting for enterprise security management. In fact, as this BizTech article states, closing the cybersecurity skills gap is a perennial problem that automation may help solve. Our concern? Automation alone only adds to the flood of information that CISOs are inundated with daily, without, as RSA noted, “the human element – the experts who can turn those stacks of static reports into real-time accessible reporting as vulnerabilities are found.”
And we aren’t alone in this thinking. In its RSA coverage, CRN.com associate editor Michael Novison advocates for a more pragmatic approach to handling risk than traditional vulnerability management, one that would place both automation and remediation front and center. Unisys CTO Vishal Gupta concurs: “Being presented with a list of hundreds of thousands of problems doesn’t do a CISO much good given the amount of digital assets and software in an organization. Continuously telling businesses what’s wrong is more of a risk identification strategy than a risk mitigation strategy and doesn’t provide them with any better handle on the problem.”
Organizations with a mature security program understand that moving past a point-in-time vulnerability management program to a continuous model delivers results around the clock, giving infosec professionals the ability to manage vulnerabilities more easily and efficiently. In fact, the concept of continuous monitoring should be baked into the development process from the start. In its RSA coverage, TechBeacon notes that in the DevSecOps model, infrastructure as code allows continuous code and security scanning to cover infrastructure configurations, which keeps the security team from blocking development with time-consuming tests.
In an interview with NCC Group’s Research Director Clint Gibler, TechBeacon writes that infrastructure as code is essential. “For developers, a key advance is the increasing use of infrastructure as code and continuous deployment. When networking and server configuration are part of the application configuration, the settings can be checked for weaknesses in the same way as other application components,” said Gibler. “You can run security checks on your infrastructure code before it is even deployed. And it makes it easy to avoid any drift over time, and get back to a pristine state.”
Continuous Pentesting Coupled with “the Human Element”
In the spirit of these three RSA takeaways, NetSPI introduced its new Penetration Testing as a Service (PTaaS) powered by the Resolve platform at the conference. PTaaS puts our customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, and orchestrate quicker remediation, with the added ability to perform always-on continuous testing. We believe the key to its success is the integration of our team of expert pentesters, who perform deep-dive manual testing and use enhanced automation to uncover an organization’s vulnerabilities. We believe that while automation creates efficiencies, the human touch is also necessary to identify potentially high and critical severity threats that can only be discovered by manual testing.
Want to read more about the future of cybersecurity? Read RSA’s 2020 trend report here.
[post_title] => RSA 2020: Three Takeaways from the Halls of the Moscone Center [post_excerpt] => We just returned from RSA Conference, and like every year, it did not disappoint in meeting its charter: “to be a driving force behind the world’s cybersecurity agenda [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => rsa-2020-three-takeaways-from-the-halls-of-the-moscone-center [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:56:01 [post_modified_gmt] => 2021-04-14 00:56:01 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=17402 [menu_order] => 536 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [33] => WP_Post Object ( [ID] => 17538 [post_author] => 66 [post_date] => 2020-03-02 07:00:21 [post_date_gmt] => 2020-03-02 07:00:21 [post_content] => On Mar. 2, 2020, NetSPI President and COO Aaron Shilts was featured in ABA Banking Journal. Aaron Shilts, president and COO of NetSPI, a vulnerability assessment firm based in Minneapolis that works with large financial firms, says the value of penetration testing over scanning software is “that you’re adding humans to the mix,” he says. “With red teaming you act as an outside adversary.” In designing a test for a client, Shilts asks some basic questions. “If we were bad guys, you know, what would we use to get in?” he asks. “How could we get in? What do their defenses really look like? With limited information, it’s kind of a good way to simulate how accessible the crown jewels are from the outside.” Red team projects with NetSPI typically would last about a month, Shilts says. Read the full article here. [post_title] => ABA Banking Journal: Go Hack Yourself [post_excerpt] => On Mar. 2, 2020, NetSPI President and COO Aaron Shilts was featured in ABA Banking Journal. 
[post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => aba-banking-journal-go-hack-yourself [to_ping] => [pinged] => [post_modified] => 2021-04-14 05:32:19 [post_modified_gmt] => 2021-04-14 05:32:19 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=17538 [menu_order] => 537 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 34 [current_post] => -1 [before_loop] => 1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 32190 [post_author] => 53 [post_date] => 2024-03-27 13:50:27 [post_date_gmt] => 2024-03-27 18:50:27 [post_content] =>There are nearly countless tools in our industry right now that can give us an inventory of our external facing assets, laid out neatly for our teams to tackle.
But, how do you know which of those high-scoring vulnerabilities is actually going to be the most impactful on your particular environment? Does your team know how to interpret the assessments these tools provide while considering your company’s external attack surface? Has the assessment really given you what you need to validate and prioritize the identified risks?
We dove deep into these questions – and more – during this live event! As part of our “Let’s Talk Proactive Security” series, NetSPI CEO Aaron Shilts sat down with our EVP of Strategy Tim MalcomVetter to pick apart these questions and give guidance on how to approach external attack surface management in the right way for your company.
[wonderplugin_video iframe="https://youtube.com/live/LWljCaJ43rs" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => Let’s Talk Proactive Security: Are You Validating & Prioritizing the Right Critical Risks? [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => proactive-security-prioritizing-critical-risks [to_ping] => [pinged] => [post_modified] => 2024-03-27 13:50:32 [post_modified_gmt] => 2024-03-27 18:50:32 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=32190 [menu_order] => 8 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 34 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 7af1d086d1a009383fc88ad2bea66c73 [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [allow_query_attachment_by_filename:protected] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )