We are shifting gears away from CMMC content this week and bringing you an episode focused on the ever-exciting topic that is pen-testing. Ben Denkers of Redspin and Patrick Guay of Pcysys join us this week to discuss Redspin’s continuous pen-testing capabilities. Learn about automated pen-tests that continuously conduct ethical exploits and deliver prioritized threat-based weaknesses.
LAUREN FRICKLE: Welcome to Cyberspin, the podcast that brings you expert insights to today’s hot topics in cybersecurity, privacy, and compliance for highly regulated industries. Subscribe to Cyberspin on Apple, iTunes, Spotify, or your preferred podcast platform; a transcript of each episode can be found at www.redspin.com. Welcome back to CyberSpin! This week, we are coming at you with a non-CMMC-related topic. This week we are discussing continuous pen-testing with our two guests, Patrick Guay, the VP of sales at Pcysys, the award-winning one-click, automated penetration testing platform, and Ben Denkers with Redspin. Hello Ben and welcome to the show!
BEN DENKERS: Thank you, Lauren. Happy to be here. A little background. We have found that adding capabilities to continue with penetration testing and validation provides immense value in helping an organization not only mature their security programs but also prioritize where they need to focus their energy to reduce risk. We use Pentera as a key technology to help automate control validation and testing for our customers. So, without further ado, let’s dive in. So, Patrick, most of our customers are asking how we can be better prepared beyond waiting for the next wave of attackers to hit. What is Pentera doing to help better plan and better validate their readiness?
PATRICK GUAY: Great question, Ben, and thanks Lauren for inviting Pentera and myself here today to speak with you. When you think about Pentera, you think about validation, and you know companies are spending tens of thousands of dollars a year on security products in their infrastructure. The real question is, is everything configured correctly? Are all the policies in place to do what the security strategy set out to do, and is everything working together to accurately and adequately protect the environment? And what Pentera does, as a platform, is we test all these scenarios. We test all of the products that are in place to make sure that nobody is getting that dreaded phone call at 3:00 o’clock in the morning saying that there’s been a breach, and now you turn an organization that might be very proactive in nature into being very reactive. So, what we’re really giving is visibility and that ability to become more and more proactive and ensure that all the configuration is done correctly and that all of that money that’s been spent has been spent in the right way.
BEN DENKERS: Got it, I appreciate that. So, with Covid and the impact, obviously, we’ve seen a pretty major shift as it relates to work from home. And this scramble made us realize that a lot of IT teams’ degree of control was probably not as effective in many cases, and in some cases even enabled employees to work within compromised security scenarios without IT being aware. What are the implications of these types of changes?
PATRICK GUAY: Yeah, it certainly has been a crazy year, right? So, you see people that had traditionally been working in very secure environments using laptops or using computers that were hardened, that had gold images, you know, downloaded on them in a very, very controlled way. All of a sudden, having to connect up from home from their dining room table, maybe using their kid’s laptop, on a good day using a VPN at least, but in some cases not even using VPNs. So overnight, everybody’s idea of what a secure environment and a secure infrastructure is goes out the window. And throughout the last year there’s been all kinds of, you know, new devices that have been added in where, you know, talking using video conferencing today, that’s become very prevalent in everybody’s work-life. And so the whole landscape of the threat has changed, and every time there’s a change in a network, those of you that are listening in or are networking professionals or security professionals understand this. You introduce the risk of something going wrong, so even the simple act of patching a server, fixing a vulnerability, realizing that some asset is exploitable in some way, and doing what you should do, which is to remediate that situation. You can find yourself in a situation of solving one problem and creating three others. And again, what Pentera is doing is now being able to run basically a penetration test, an automated penetration test, with zero pen-testing experience on your premises whenever you like. So rather than waiting for that quarterly or annual pen-testing consultant to come in, you can have that information at your fingertips, weekly or monthly, and that’s effectively what Pentera does. Removing that risk profile considerably.
BEN DENKERS: Yeah, absolutely. We see the value of this concept of continuous pen-testing. Why do you think this is not more widely adopted or done more often?
PATRICK GUAY: Well, I think a lot has to do with the fact that prior to Pentera, the only way to really do this was manually, and now with our partnership and your ability to offer this as a service to your customers, it can be done in an automated way. So now, you know, you don’t have to necessarily have a one-to-one correlation between a security professional that is, you know, running a pen-test and that pen-test actually running and gathering information. The second thing is, most organizations found it very difficult to hire people, so people that wanted to run their own pen-tests or build out their own red teams. Those resources, those skill sets are very, very limited. And when you are able to find them, they tend to be pretty expensive, and so there’s a definite cost associated with doing it. And the last point I’ll raise is somewhat of a sticky one in that pen-testing leads to a very long list of things that need to get fixed. And remediation is one of the reasons why people don’t want to add more to the pile before they’re able to fix the things that the prior pen-test found. Again, with Pentera we’re helping to prioritize not only the static vulnerabilities that are found in these networks, but we’re able to marry those vulnerabilities up with the most critical and the most exploitable assets, effectively giving people a filter of what needs to get fixed first, so the 5% of the assets that have the 95% of the impact in a breach, we’re going to point you right to that so that they can be remediated quickly and then allow you to run another pen-test to make sure that everything was fixed correctly, again giving that peace of mind and giving that validation that the overall security architecture is sound.
BEN DENKERS: Got it, and so this concept that you created, where vulnerabilities aren’t always equal, this process of you identifying which were, you know, the 5% of the weaknesses as opposed to 95% of the risk, which you kind of discussed. That focus really allows the organization to know where to prioritize, right, and really helps them understand what they need to fix and where to put their attention first.
PATRICK GUAY: Exactly, and again, you know, your listeners probably are familiar with this. You run a standard vulnerability scan and you get back thousands of potential areas of weakness or vulnerabilities in the network. Some of those vulnerabilities might be associated with a print server sitting in a closet somewhere that, yeah, you know, would be nice to be able to patch that and remediate that vulnerability, but does it meet the priority list to be done today? Now differentiate that against a CEO’s laptop or somebody connecting to your network that’s looking to do real harm and run real exploits. We’re going to point you to that, and we’re going to allow you to then go fix, you know, those more critical assets much faster.
BEN DENKERS: So, a lot of our listeners, if they had taken a continuous validation approach, how would the outcome be different?
PATRICK GUAY: Yeah, great question, and you know we see this all the time. What Pentera helps our customers really do is compartmentalize the risk and compartmentalize exposures within their environment so that they’re ready for anything. If you think about zero-day attacks, if you think about the whole concept of ransomware, if you think about what happened with some of the SolarWinds breaches. Nobody could have predicted the techniques that were used for those attacks, but what you can do is you can make sure that your architecture is sound, irrespective of what the technique is that’s being used to go and attack you. And that’s effectively what Pentera is able to do. It’s particularly important in healthcare environments. I was amazed to find out that the data that’s associated with health care information is 25 times more valuable than information about your bank account. And when you think about it, you can go get yourself a new Social Security number, or you can go get yourself a new checking account. You can’t change your DNA, and so the fact of the matter is the health care information is extraordinarily valuable out there in the marketplace. People are going to try and get it, and the damage that it can cause to the reputation of companies who are breached, and where this information comes from, can be immeasurable, and so we’re really focused to bring these solutions into market so that your customers can be more proactive and can avoid any sort of material breaches that could cause an issue.
BEN DENKERS: Patrick, do you have any specific examples that you could maybe highlight to the listeners to help them better understand how some of your customers are using this solution today?
PATRICK GUAY: Yeah, so you know one of our great customers is from Apria Health, and Jerry Sto. Tomas, Chief Information Security Officer at Apria Healthcare, has done a lot of work with us. He was one of our early customers and really helped us understand the value of continuous security validation. He’s told us that Pentera has helped him reduce his spend by upwards of 60%. And if you look at that, it doesn’t necessarily mean that you’re swapping out the hardware. But what it does mean is that maybe you’re doing fewer externally based pen-tests. You’re paying your consultants only to come in maybe once a year, once every other year, to run a manual pen-test, because all the other times you’re getting that data from Pentera, and again with the partnership that we’ve struck, it’s now a service that your customers can simply subscribe to and we can, you know, deliver these monthly, weekly, bi-monthly reports in terms of exactly what their security profile looks like. Ben, you mentioned the concept of continuous controls validation. Why is this so important?
BEN DENKERS: Well, we have customers who often think that they have certain safeguards or processes in place that are effective, and our validation services, which leverage Pentera, help test internal controls and validate where weaknesses may exist. And as you mentioned, we subscribe to this concept that a continuous view of controls is greater than an annual or even biannual look.
PATRICK GUAY: And I’m assuming that the advisory validation service ties in somehow to an organization’s overall security strategy?
BEN DENKERS: Absolutely, this is a critical piece to any sort of organization’s security puzzle. With the continuous view, it allows the organization to ensure it’s addressing risks as they are being identified. This data, from my perspective, is critical and can be used to refine not only internal process but can be used as part of a larger enterprise initiative like annual risk assessments to provide a technical gauge of how effective and mature the current program is.
PATRICK GUAY: Yeah, that makes total sense. You know, I see a lot of customers that are bringing pen-testing and red teaming in house. Is that something that you’re seeing a lot of?
BEN DENKERS: We are certainly seeing the demand for these types of resources and services, especially as compromises become the norm, and these resources, you know, as you previously mentioned, are often expensive and hard to find, specifically depending upon the geographic location of where the facility is located. Adversary validation really looks to not only address the talent gap but again provide a continuous view to allow the organization to make dynamic changes as those individual threats are identified.
PATRICK GUAY: That’s great, and thank you so much for giving me the opportunity to come talk to you and Lauren this afternoon. I really appreciate it.
BEN DENKERS: Patrick, I appreciate you taking the time to discuss Pentera and this concept of continuous validation. For listeners wanting to learn more, please feel free to give us a call and we’ll be happy to have a conversation in greater detail.
LAUREN FRICKLE: Awesome, and thank you both for your insights. A note to our listeners: we want to hear from you. Please feel free to contact us and/or leave a comment on this podcast. Also, as always, don’t forget to like and subscribe. Thanks for listening.