Webinar Recording

You Deserve a Better Security Testing Experience


Log in and watch the full video!

Join security experts from KuppingerCole Analysts and security testing firm Synack as they discuss how to address the security challenges of digital transformation, rapid infrastructure change, agile software development, compliance requirements, sophisticated attackers, and the global security skills shortage.

Martin Kuppinger, Principal Analyst at KuppingerCole will look at the business and security benefits of taking proactive measures to protect your organization from security threats. He will also explain how effective security testing enables organizations to stay ahead of cybercriminals. Wade Lance, Field CISO at Synack and security veteran will explain how traditional penetration testing fails to meet the scale, speed, flexibility, creativity, and diversity requirements of modern IT environments. He will discuss how combining smart technology with a global team of security researchers can overcome these challenges to deliver round the clock security testing, reporting, and improvement.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Welcome to our call webinar. You Deserve a Better Security Testing Experience. This webinar is supported by cac and the speakers today are Whitelands who, Phil CISO at Cak and me Martin. I am Principal Analyst at Call Analyst. In our today's webinar talk about security testing, or many of you might better know the term pen testing or penetration testing, which is a core part of that. And we look at how to do it better, how to do it in an appropriate manner to what we need today in an age of, of ever increasing and more and more severe cyber attacks where we need to protect our businesses and our organizations and digital age. So before we jump into the topic of today's webinar into the presentations, a bit of housekeeping here. So we are controlling audio, you don't need to care about it. We will have a q and a session by the end of the webinar.
We are recording the webinar and we will make the podcast recording available as well as the slidex of post speakers to you for download. And finally, we will run two poles, two short poles that I really appreciate if you provide an answer to these polls. So, and that's what I do right now, the first poll. So when you look at the, the, the approach you're taking on cybersecurity, then we are curious about whether this is this really more reactive approach still in some way where you say, okay, maybe I have a bit of a protection, yes. But then when something happens, then I start looking at, or today a more proactive approach or a combination of both. So proactive in the sense of your checking, your SEC security, your running security testing, you're running anomal detection, all the other things. So looking forward to your responses. And as usual for such pulse, the more people provide an answer, the better this for that pulse. So don't be shy and at least tell us what your organization is doing today.
And if time allows, we'll, we'll also look at the poll results during the q, q and A session also, depending on how many questions we, we have to answer there. So I'll leave it up for another few seconds and then we'll dive into the subject of today's webinar. Okay, thank you. So with that, let's have a look at, I'll talk about the business and security benefits of taking a proactive approach and which roles I, our security testing plays in that. And the second part, and we'll talk about where traditional pen testing is, is limited and how he sort to speak and soak address and this challenge by a combination of people and technology by a combination of sort of focus testing and continuous approaches. And I've said part number three will be the q and a part where we'll talk about this. So to start with the entire thing, I look a bit at cybersecurity spending, but also cost of cybersecurity.
And when we look at what we are doing these days as organizations, then, then we see this significant increase still in cybersecurity spending. There are, there are many numbers that just put together a few from different sources like World Economic Forum, stta, PERS and others. And I also put in some numbers we've researched. So when we've asked our audience about how cybersecurity budgets are changing, then we see that a lot still say it's, it's readily stable, maybe with a slight increase, but we have more than one third of organizations say our budget is growing in a five to 20% range and we have another 22%, which are telling us that their cybersecurity budgets are growing with more than 20% a year and very, very few. So really minorities as there will be really a significant decrease. And I think that these numbers should indicate what is happening in the market.
We see the increase in attacks, the increase in costs like what Oracle economic forum published thing, it's three 6 million per incident, which is a very high sum, it probably depends a bit on how you count the number of incidents, et cetera. But per successful attack, that can cause very considerable cost. And we've seen these huge incidents take Colonial pipeline or several of the, the, the ER attacks against organizations which have cost tens of millions at least sometimes even more. The spendings are growing, they are a bit different numbers, but the tendency is very clear. Our numbers, the numbers from from others outside, they all indicate the same direction. Significant growth even in times of a big of economic turmoil. But also that's the other side of the coin. The number of cyber attacks going up and the number of ransomware attacks is part of that also goes up.
And yes, you will sometimes see numbers that say, oh, that or that has gotten a bit down in the, but usually just because it has been replaced by something better. And we need to just be clear, there's a business model for cybercrime for cyber attacks aside of the state sponsored attacks. And so we will not be any decrease maybe in numbers of cyber attacks, but not overall and not in the sever in the overall severity. So we need to be propel and that means we need to become proactive. We need to look at, so we always need to stay ahead of the, the cyber criminals and the, the state sponsored attackers. So yes, surely that means that the state is acting in some way criminal, but at the end we need to stay ahead of the attackers. And that means we need to, to find a good balance between different measures, proactive reactive ones.
And that is a, a topic where we can, can spend hours on probably days on talking about all the types of measures and which are relevant for what and how relevant are these, how effective are these, et cetera. There are a couple of things I'd like to look at today a bit more in detail. And so from, from a proactive side, sure, we need intelligence to immediately detect what is happening. This is proactive in the sense that we, we don't wait until we have signals of something has gone wrong, but we try to identify anomalies before we see the effect of the attack. And so this collection of when the detection, looking at the outliers and then triggering a reaction, that means this is the consequence of it is one of the, the most important elements. Surely there are a lot of technologies like privileged access management, privileged users are sort of a common element in many specifically managed targeted attacks.
So when our targeted attack is running, then the attackers always, always are after the privileged accounts. So they try to gain access to highly privileged accounts which allow them to, in many cases, walk through the network, go to an access in more access and then extract data, cost damage, whatever their plan, their intention is. We need security awareness trainings. Yes, it doesn't go without security awareness trainings. Even while I'm a strong believer in that we shouldn't always talk about the user, the human is the weakest link in security because it's not correct, it's the first line of defense. I think it's a way better think positive one. Yes, we need to have people involved. So they alert us that they say, oh, there's something wrong. There's something we, we haven't seen that I don't know what to do with educate, do it regularly. And finally, and this is the point we will touch a lot of time on or spend a lot of time on today is, is about penetration testing.
We also need to understand our attack surface, our weakness, our vulnerabilities. So where are they? And we need to test for that. We need to look at it because then when we know what, where are the doors so to speak, the open doors, then we can try to close the doors. Only them. This helps us to be targeted. And then this helps us also to be, be better in, in what we do reactive. And by the way, from a reactive perspective, when we take this typical cycle, it's about protect or protect, detect and then then react and respond or respond. And then I'm a big fan of the recover part of all of that. So we also need to prepare, be prepared that something goes wrong. The best cybersecurity measures are never are perfect. So sometimes something will go wrong, sometimes something will go so early wrong.
So we also need to be prepared for recovery. But back to the benefits, when we have a good proactive security, when we know where our weaknesses are, when we do things like security testing, then we can react, we can react way better because we know what the problem is where, where the, the biggest risks are at least many of the biggest risk that still may remain. Some we have identified. But the better we are, the more consequent we are, the more targeted is where we spend our money on. And going back to what I've talked about, the the growing cybersecurity budgets, the problem is the attacks also are increasing. And so we need to find ways to not only keep pace, so to speak, but to get ahead. That means we need to target perfectly well. What we are doing, it helps us to gain a stronger cybersecurity push to remain compliant.
So we see, see a lot of requirements around, for instance, penetration testing, a lot of other security measures, not only from a sort of from the government or regulations and that part of compliance, but also we, we see a lot of requirements raised by the large customers to their suppliers saying, we need to to increase our cybersecurity supply chain security. And that means you need to do certain things. If we do it right, it doesn't mean that we never will experience an incident, but if we are doing it right, we will have lesser and we will have incidents and we will be able to better, faster react and potentially contain the damage compared to not doing. So within all of that, the area of security testing, as I said, many of you surely will, will think of in in penetration testing as a term term.
Factually it is security testing's more than penetration testing. And we will elaborate on that in his part of the webinar. But it is an important element and when we look at it, then there are a couple of, of, of elements and components of that. I don't want to go too, too much into detail. I'm pretty confident that a couple of you have their experience in the space anyway and also wait, we'll talk about it. So we have different types of hack so to speak, ethic hackers, which usually work sometimes together or frequently together with our internal teams in different teams. So the attackers, the defenders, et cetera. So the set of teams has established itself quite well. And specifically also testing the defense is, is a very interesting aspect because it, it also helps understanding, okay, what can I do as a countermeasure if something happens?
So this teaming is, is one part of it and there need to be specialists that are very good in attacking your organization, which is a challenge because they are not that easy to find. And this is again, something Wade will elaborate on how this can look like, how you can use also a broad range of different, so to speak, diverse resources also to, to mimic different types of behavior of attackers. We have different stages. So we, we, we plan, we, we, we scam, we gain access, maintain the access, and then there's analysis reporting. And truly in an ideal world, not much happens in the later stages, so to speak. But in the real world there will be that access, there will be that situation where someone really can maintain access and there are potentially quite a number of things that can happen in the reality, in the real work we can test and we must test a range of different areas.
So it's not just checking whatever is TC tcp, Porwal, XY or set open. This is way more nowadays it's about a network, yes, which is somewhere in the middle. It's about APIs. So which APIs can be used, web applications, so osp, top 10, et cetera, known cloud vulnerabilities, mobile apps, also testing social engineering. So, so, so how many of your employees of sort of the probe full trap, which one can you convince? And you, you have different strategies. So white box where lot is known in the black box, etc. And again, this requires to work with different approaches and ideally you also don't do that once, but you do it regularly actually even at least in parts continuously. And to be aware of today in the age, in the digital age, in the age of DevOps, in the age of continuously creating new digital services, et cetera, your attack surface is changing constantly.
So the pen test you did six months or 12 months ago will not reflect today's reality of your IT infrastructure. So let me come to, to the end of my part before I quickly bring up a second poll. So what are some of the best practices and things you need to do beyond best practices objectives? So not just say, okay, I do a pen test, but have an objective not only for the one pen test, but for your pen testing strategy over time and ensure that you have to budget. Yes, it costs money, but looking at a cost of incidents, it's well spent. Money system methodologies choose to focus areas. So which approaches do you do in which combination? Maybe one. When do you do what, what do you do more frequently? What do you do less frequently? Understand the different approaches on the the concepts.
Select the right people. So you need people that are good and still trustworthy. Work with them, monitor, also learn from the testing process. And then you look at what has happened. So understand the results unless the results use the guidance you, you receive by the pen testers and start with the remediation. So look at what are the biggest risks and what you need to do to be proactive and to close gaps. And the security testing is definitely an essential and, and and inevitable element in what we do in cybersecurity. We need to do it, we need to do it right. So the question faculty I want to raise, the second part is about, let's say you see security testing as something which is part of the, sort of the effective cybersecurity solutions you have in place or you need to have in place in your organization. Where do you say, okay, nice to have, but I don't need it that much. Again, the more people take power, the poll, the better the results are. So please take a few seconds and enter your values. Okay. It's not, not very surprising when we are heading. So come on, there's still a few which haven't wroted.
Okay, then I think we can close down at Paul. Thank you very much for listening to my part. And with that, wait right now we'll talk about the limitations and what can be done differently and better. Wait, it's your time.
Thanks Martin, appreciate the overview and for the attendees for the opportunity to present a little bit about the CNA approach to security testing because we, we've definitely have an opinion through our experience that that security testing today really isn't living up to its potential. There's ways to have a better experience and we wanna talk about some of the drivers behind that and the, and and some of the potential. So, you know, if we look back at penetration testing and security testing, one of the things we know is that over the 20 years where this has been common practice, there really isn't, we would suggest a subsequent a substantive improvement in security posture based on security testing. And what I mean by that is, you know, we do security testing, vulnerability testing. Most organizations, they find some vulnerabilities, they fix some, and that that helps with the tactical issue of finding and fixing big open doors.
So that's helpful. But the biggest outcome we find in the biggest driver for most organizations around security testing are the regulators meeting compliance requirements, which is an important thing to do. But overall, we find that, that these really are the primary drivers, the values that organizations are getting out of security testing today, finding some vulnerabilities, fixing some of them, satisfying the regulators. One of the, one of the difficulties here is that this is a very commoditized process when the real outcome is just achieving compliance. Organizations tend to want to do that as efficiently as possible. And we think there's opportunities to, to get more value out of the existing testing process. So the way we think about this is how could we leverage the existing security testing, the adversarial penetration testing process to get strategic value out of that process. So, and actually improve our security posture.
So think about tactical versus strategic value in security testing. Want to use these two models? Again, we don't own these terms as kind of a, kind of a general framework we'll use for today. Tactical value we think of in terms of just finding exploitable identities and fixing those individual conditions, right? Hey, someone left the back door open and we should, we should close it and lock it. We'd be in a, in a better, a better condition. Now, as Martin said, well tomorrow we'd have to do that again because we don't know if the, we don't know if the back door's unlocked again, right? Strategic value really takes a look at those conditions at the next level saying why, what are the root causes behind every time we look the back doors on open? You know, perhaps we could solve the problem by training the folks that use this building to lock up on their way out, right?
Which would mean, yeah, we're still gonna check to see if the back doors open, but in fact we're going after the root cause of why is the door left open in the first place? And we, and we think of this root cause as being a huge opportunity for leveraging more value out of the existing security testing process. So there are a, a, a couple of factors that are multiplying the challenges in this space. There is an accel accelerated vulnerability creation today, digital transformation, agile software development means that, that the rate of change is increasing. Most organizations would, would acknowledge that they really have to improve their capabilities online and mobile applications because customers and, and partners and vendors and suppliers all kind of expect that automated experience. And so there really is a demand signal for organizations to rapidly automate. And we're seeing organizations embrace that.
I think one of the latest times we saw that one of the biggest shifts was when, when the covid became very prevalent and, and work from home became such a priority, we saw kind of the standard pattern, which is most organizations worked very aggressively to enable work from home. Then after they had enabled it, they then begin to look at, okay, now how do we secure it? Right? So, and, and we find that, you know, very commonly that the, the priority in the driver is around business enablement and that happens at speed and then security kind of has to come behind. So that's certainly a driver in the rate of change. And, and when I talk to organizations about security testing, what's interesting is that the rate of security testing, it doesn't seem like has really, has really matched the rate of change, right? Organizations are, are still testing in many cases at the same cadence that they used to test prior to a lot of these accelerators.
And it, it puts 'em in a, it puts 'em in a bad position. The other side of this really is the talent shortage. We won't spend a bunch of time on it, on it today, but think about the, the talent shortage as not just the lack of people in this space, but also the skills of those people. Meaning that there are conditions that sometimes security organizations don't take a proactive stance on because people may not have the background and experience to move aggressively in those, in those environments. So that combination of the speed of change and the talent shortage has really put a lot of organizations in a, in a difficult posture. And so it's, it's important to get every possible value out of all of our security processes. And we think that security testing is an area where organizations can, can get more value.
One of our founders here at syntac likes to say, you know, you are, you are being scanned and probed every single day. The most organizations are, you just don't get the report right? That attacking communities out there working all the time, they're just not gonna show us what they're seeing. And so these multipliers sit on top of kind of this security posture issue. And so I was talking with a CISO recently and he said something that I thought was so succinct as a, as what most organizations would have to say about their security testing in, in three statements. And so I recorded it here because it was, it was, it was just very telling. And he said that all the money that they spend on security, security testing and remediation to remediate the vulnerabilities that they find, all the money spent yesterday is gone, right?
And what's interesting is that he said, we don't learn anything from the process of testing and remediation and we don't leverage that data strategically. We just claim success if the regulators are satisfied. And I think when I talk to CISOs all over the planet, I find that this is, this is commonly the posture and you know, as security organizations, many organizations are getting some incremental growth in their budget, but it seems that we're all always under pressure to get more value with the same budget or less. And we think that better security testing is a way to do exactly that. How do we get both the tactical value that we're getting today out of security testing, finding some vulnerabilities and fixing some of those, satisfying the regulators, but how do we also get strategic value out of that process and and improve our security posture in a way that is substantive and meaningful.
So the CAC approach to this is really a, a a two sides of the same coin. It's, you know, a technology and a people process, but the, the technology piece, we'll talk about each of 'em briefly. The technology piece is important in that we have a SaaS platform from where we do penetration testing as a service. Now, this unified platform has a, a a bunch of value in particular provides access to on demand security testing. It provides realtime feedback and instant notification of issues when they're identified. But it also gives us a place to look across the security testing that we're doing and identify patterns and deficiencies that are revealed across various tests, right? So that enterprise platform is a key piece. The other side is are are the people that look at the information provided by the platform, the scanning and, and at SY we have over 1500 security researchers in 90 different countries.
And, and what's important to to think about is that most security people have a defender's mentality. They've been trained to defend and to build defensive capabilities and, and I, you know, detection capabilities, but there's a very different mindset for a penetration tester or an ethical hacker and they have that attacker's mindset, which is super valuable, especially when you've got a diversity of perspectives. As we have at cac, over 1500 people from a, a broad swath of the globe that we're able to apply. So not just people with specific backgrounds. I like to say to people, you know, there's no such thing as cloud security testing. There's AWS security testing, there's GCP security testing, there's Azure security testing, and they're very different. Does the security tester have specific backgrounds in testing exactly that platform? And we think that that's a, a critical part of the solution.
Note that these people are very difficult to hire and maintain because even if you had 50 people on your security testing team or a hundred or 150, you still may not have access to all the different skills that you need. So that combination of a platform and the people is an essential element to solving this problem and getting the strategic value. Okay, so we're gonna run through a couple of requirements. How do you define strategic security testing? What does that look like? How do you move into that? We're gonna talk about that now. The first requirement for doing strategic security testing is to look at your assets. And by this I would mean APIs, web applications, mobile applications, infrastructure network segments hosts and, and classify those assets according to their critical posture in your environment. Everything down on the low end of the posture, the, the low critical items, maybe automated vulnerability scanning is sufficient, right?
Just reaching out and doing checks on those systems, looking for open ports, known vulnerabilities that may be sufficient for i for hosts with a low enough criticality. Then we stack up the next level, which is on demand security tasks. The next movement up the scale are hosts and applications where you need the ability to get at say, OS top 10 analysis or NIST framework tasks. Maybe regulators have some views on, on compliance for some of these systems. When log four J came out, we found a lot of customers had an immediate need for in increased capability to do a specific task going and looking for a new, a new vulnerability. Further up the scale. Some systems that get both automated vulnerability and on demand security tasks, some of those systems will also require targeted penetration testing. And this is where, at some cadence, whether it's once a month, once a quarter, once a year, but at some point, based on the criticality and the sensitivity and the risk in these assets, it, it's very worthwhile to do human driven targeted penetration testing.
Now, most organizations stop at this point, but we're finding that there is a ton of strategic value in doing continuous security testing for assets that are of a very critical nature. That continuous testing at cac we do in two different approaches. One is 90 days, we'll do 90 days of continuous testing. Think about hosts where, let's say e-commerce sites where they go through a lot of change in August, September and October. Then there's code lock as you go through the holiday season when people are very sensitive about, about impacts to the platform and the applications based on trying to make code changes. And so in that August, september, October timeframe, while they're heavily iterating on the software, it may make sense to do continuous security testing so that vulnerabilities and issues are identified as early as possible so that the development team can make changes.
We do the same thing in migrations to cloud environments. That's where continuous testing can bring a lot of value. Also, there are certainly environments where continuous testing 365 days a year makes sense. Not, not most systems, obviously this is the smallest bucket, but in fact anytime serious risk to the organization, reputational damage, this is the primary economic stream for organizations, technology companies who their business is built on their software being something that they market certainly worthy of continuous testing, various, very difficult to successfully do continuous testing, takes a, a large group of people to do that. But at at at sinec, we, we cycle through different teams, different cadres of testers to keep their eyes fresh and and successfully do continuous testing. But in thinking about your organizations, in your environments, when I'm speaking to groups of security leaders and I ask them, how many of you have looked across your assets and sat down with a grid like this and classified your assets for the kind of security testing, kind of make sure that we're doing the appropriate kind of testing for each asset.
And typically it's about 5% of organizations have done this. So highly recommended is, again, we'll, we'll make this deck available after the, after the webinar so that you can get access to this and think about how this might allow you to take a strategic approach to security testing in your environment. The second requirement for doing strategic security testing is really around looking at aggregated data across disconnected security tests. And in other words, if, if we think about most security testing, the results of that testing perhaps are a PDF or a CSV where you know, here are the vulnerabilities and the configuration issues that we found in this environment. And there's really no way for organizations to look across all the tests that they've done in the last year or six months and say, what are the patterns in that? And so this really becomes a way to take security testing to the next level.
One of the things that we find here is that by doing this process, we identified the root cause issues in programs, technologies and people so that we, the security team can build programs to address those root causes. So now we're not just getting tactical value out of security testing, we're actually going after the root causes and stopping creating vulnerabilities at the rate at which we were. Then what's great about a strategic security testing model is that as we implement those solutions to the root cause of our security posture problems, ongoing testing will deliver the metrics that we need to demonstrate to management, Hey, we are actually solving the root cause issues. Sure enough, we are, we are improving our posture. The security team is implementing a appropriate programs to retrain people, to upscale technology, to improve processes, to give us a, a stronger security posture.
So the security testing experience we find you want, you, it's, it's critical to have both tactically superior security testing about do I have the access to the right kind of testers, can I do it at the speed that we need to be able to do it? Are we, are we doing continuous testing where it's appropriate to do that, but also getting strategic value out of that program and, and learning from our experience as we go through the testing process. So we encourage people to ask themselves these questions, are you able to start security tests in days rather than months? Right? If it takes you, you know, a month or two to even start a security test, chances are you're not, you're not reacting to and you're not identifying security conditions as, as early as you, you as your attacker is able to identify your vulnerabilities.
There's also the need to run both on demand and continuous security tests leveraging both the security platform and the human intelligence. And I find this this quite a lot in, in speaking with organizations that they have good technology, they're doing some scanning, but really the human element looking at that results, I think some statistics show that most security scanning identifies about 20% of the vulnerabilities that are present. It's the human layer looking at that scanning data and then doing the next level penetration testing that tends to reveal the next 80% of the vulnerabilities that are present. So are we getting a good balance between both technology and scanning and then also the human experience breadth and depth of experience and then actionable vulnerabilities, right? Organizations can't handle endless lists of every possible vulnerability. It's like, look, just give me the exploitable vulnerabilities and stack rank them across a priority so we know what to handle first.
Okay, so a couple of quick points and, and then we will transition over to to q and A and spend some time there. One, I wanted to give some examples of the kinds of strategic value that people find from doing strategic security testing. So I've got five quick examples here. We'll just describe 'em quickly so that you can get a sense of what's possible consistent functional deficiencies. Like every time we go looking into this environment, we always find the same kinds of deficiencies. Well, let's stop just finding the deficiencies. Go, let's go identify the root causes and see if we can improve and now have consistent functional capabilities, not, not deficiencies, inconsistent functional capabilities. What, you know, why is security so strong and our posture so good here and yet in this environment it's so consistently weak, right? That inconsistency, you know, your attacker is able to identify those conditions.
And we found that through strategic security testing and this comparative analysis, organizations are able to better point their security budget at bringing the weaker elements in their program up to snuff disparity in application security levels. We can see this very commonly tier one applications actually pretty hardened, pretty good condition, but other applications not so much. And the disparity there can be really dramatic and attackers are aware of that. Disparities in security program elements, one organization had really good endpoint controls and email control and yet external facing applications were, were really deficient or hidden. IT deficiencies in one environment. We kept discovering the exact same vulnerabilities on separate hosts in different environments and our security team was able to communicate to the customer, Hey, I think you guys have a gold image issue. Rather than finding these vulnerabilities and patching 'em at the edge, let's, let's update your gold image program to stop creating these vulnerabilities in the production environment.
It's a very, very successful program. So quick notes on cac. We're about finding the vulnerabilities that matter. You can see a list of our partners and some of our, some of our customers here. But CAC is really about helping you transform security testing, keeping pace with the digital transformation, and really allowing security team to demonstrate to management how you are proactively improving your security posture. We, our work protects every US taxpayer. We did over 37,000 security tests in 2021 and I'm very excited to have the opportunity today to speak to you with Martin. So thanks Martin back over to you and for the opportunity to tell a little bit of the SY story.
Thank you for all the insights provided there were quite many and we have a couple of questions already here. So to the audience, if you have questions to wait or me please enter them and go to webinar control panel, which is usually the right side of your screen. So, and I think some of these you have touch certain and extent, but it's definitely works to go go a bit deeper and, and I think one of the points is surely that especially some, some of the larger organizations also may consider saying, okay, we we have internal source talent. Why, why, why should we build on a single hacker based model for security testing? So where do you see the the advantages?
Yeah, well it's a great question, right? Because organizations, particularly larger organizations that have an internal security testing capability, there's a couple of things there. One is there will be situations where, you know, you wake up in the morning and realize I need a whole bunch of testers in very short order. Log four J was a classic example of this, where all of a sudden you may need twice the capacity that you have and you may need particular skill sets that aren't really inherent in your particular team. And this is an area that we, those are the two areas where we really consistently provide a lot of value for our customers. Access to surge capacity, but then also specialized skills. I, I remember a particular incident customers, you know, thinking about trying to get access for security testers for a particular api and they had, you know, again, kind of general API skill sets, but now they had onboarded a, a fairly unique api and of course they were told very late in the process, right?
And so how do we, how do we quickly get access to people that have that mindset? The other thing Martin is, is there's lots of research out there on a topic called familiarity blindness. And it's this idea that if, if I walk into my living room every single day for a year and then, and then someone sneaks into the living room and switches two pictures, how long does it take you to notice that? And it's actually days or weeks or never, right? Yes. That familiarity blindness. And so, so using outside third parties and security testers really gives organizations an advantage not taken away from their own security teams. They're, they're typically great, but it's also nice at some point for those people to have vacations and holidays and sometimes having, having a third party makes that possible as well.
And I like the sample pictures for instance cause trust reality that you notice sometimes you don't notice what is happening. Or people that have been wearing a wearing glasses and don't wear glasses anymore, you look at them and you know something has changed, but you don't know what, and it may take you really long to to, to come to the, to identify what has changed. I think the other point is also that attackers are working in different manners and, and so if you have internal externals, et cetera, then, then you have a better mix of that. And this from my perspective, helps you to, to get more, more secure. Okay. Maybe I quick look at a second question we have here. So, so this is also an interesting one. So matrix and measurements are always a challenge in security. So, so I just recently had a conversation with a group of s but how do you report the state of cybersecurity to your board? And the number of, the number of KS and KPIs was very different from one to more than 50. And so, so there's really not that, that sort of one approach that the established approach, which works perfectly well. But also when you, when you create the data, so how do you put together the data? How do you make it comparable? Which is always challenging.
Yeah, it's, it, it has been very challenging, especially when that data is, is disconnected. So two, two comments I'll make here. One is that the use of the platform to do security testing is a, is a huge advantage in that automatically because all the results are loaded into the platform. All the testing testing is tracked in the platform. So we're, I mean we're in a position, right? The, to, to analyze across the data. The data is not in PDFs and CSVs, it's, it's maintaining databases and we build, you know, correlation algorithms to go looking for patterns. So that all just kind of happens automatically. It, it, it really does solve a lot of problems. The other side I think that we see is that when management is trying to report up to the board or the rest of leadership, what is our posture? You tend to get, you know, hey, I filled out this questionnaire that graded me against other standards, which is good. That's, that's good practice, that's certainly helpful, but not nearly as accurate as simply using the test results to find out what actually is our posture. We do this a lot for our customers. Well, they'll have partners and vendors that they really rely on and they'll say, well, rather than just rely on questionnaires from this organization, I, I'd like SY to go take a look and find out what their posture is and tell us, yes,
This leads us directly. The next question, which is about, so to speak. Traditionally we have seen a lot of more and more compliance driven testing see change, but I think my perspective, I've never been a believer in, so there are two things I, a couple, couple of things I've never believed in. Two of them are to believe that compliance equals security or that we just to should look for checkbox compliance. So we may be compliant but still insecure. And I think this is, this is one aspect we always need to be aware of. Checkbox compliance doesn't help us in these days. It helps us to pass maybe an audit but not more. And the other thing is manual versus automated controls. The point is that there is a tendency to, let's phrase it friendly, adjust manual controls specifically in the case of a crisis. So, but also they tend to be more positive than the reality is and they are not based on as many facts as a good automated control can be. So my perspective here is very clear. We need to use good mix, we need to use humans and automation, we need to use manual and automated controls and we need to be compliant, but we also need to be secure. So what's your perspective on number Travis, do you see in this market changing?
Well, I, I think you're spot on Martin and, and, and as you pointed out, being compliant doesn't mean I'm secure, although being non-compliant kind of demonstrates that I'm not secure. So, you know, compliance is important from, from that perspective, you know, the regulation, the regulators can, can find you very heavily and that's got a cost associated with it plus reputational damage. So, you know, compliance is important. We, we acknowledge that. We still find in a lot of organizations that the compliance budget and drivers are driving a lot of security testing. And, and, and that's okay, nothing wrong with that. It's just that as you point out, you can absolutely be a lot of organizations that pass all their compliance checks and satisfy the regulators then end up on the front page of the Wall Street Journal because they were, they were compromised, right?
That just big of the organizations that passed it 12 months ago and felt safe.
Yeah, yeah, absolutely. So what what we are suggesting and what we're finding for our customers is this, look, you have to do the security testing anyway. We have to satisfy the regulators, we should. But if we can get a next layer of value out of that and get strategic value out of that, that actually and demonstrably shows that we have a better security posture. There's every incentive to do that, right? And it takes a little, you know, creative thinking. The last thing I'll, I'll say on the regulators that, you know, regulations always follow after attack patterns and security risks, right? The, the risk comes out, it becomes well known, well understood, and several years later the regulators catch up and, and build regulations. And so certainly in that timeframe, organizations are, are, are very vulnerable to those kind of, those kind of patterns. And, and, and look, the best organizations certainly that, that are, are investing in in actual, you know, security, security not just compliance and security are, are finding a lot of value in, you know, what it allows 'em to do. I'll say one last thing. What it allows you to do is to, is to expand your capabilities aggressively. You can grow your business aggressively and really innovate if you have an aggressive security testing and capability because you know that you're, you're able to, to do the kind of business that allows you to compete in the market and not, and not have such a severe risk of, of, of compromise and, and reputation and functional damage.
What I also like is, is, you know, it helps you understanding your attack surface, understanding the, the, the highest risk areas. And that's sort of focus your, your spending. And I talk a lot about, for instance, our security portfolio assessment. So, so how do I understand where to spend your, your money on because you can't do everything. And, and this is truly something which helps a lot in getting better here we have one final question and only a bit of time left, which is maybe you can provide some examples of the type of systemic deficiencies that can be identified and approved. It's the result of penetration testing.
Yeah, yeah, absolutely. Lots and lots of examples. We'll just do one, maybe two for the sake of time. So in one organization we've done a series of tests around their environment and this was application tests, host testing and interesting statistic, 80% of the vulnerabilities that we identified were around authentication, insecure authentication.
Hey, I'm, I'm identity guy, you're preaching to converted,
Right? So, but that number, when you look across organizations in their vertical and at their level of maturity, that number should be 20% not to be 80% right? It's a huge deficiency. So, and and they've been doing this for years, but now that we're able to do pattern analysis across the test, say, hey, 80% they built a program to upskill their people, both applications, infrastructure on secure authentication practices.
And it is so easy to do nowadays and even if you do it right, your security goes up and your convenience goes up. We're doing so much around cetera in our research. Yeah. Wait, thank you very much. A lot of very valuable insight. It's a very interesting conversation we have to the towards the end. Thank you. Do you wait, thank you for, to cek for supporting this coming call Analyst webinar. And thank you to all ATS for listening in to our webinar. Hope to have you soon, back soon. Thank you.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00