Is attack surface profiling the same as a pen test? If it isn’t what unique insight can attack surface profiling deliver?
Check out this post for the discussions that are the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Nick Shevelyov, former CSO, Silicon Valley Bank.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor Keyavi
[David Spark] Is attack surface profiling the same as a pen test? If it isn’t, what unique insight can attack surface profiling deliver?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of CISO Series. And joining me for this very episode is Steve Zalewski. He at one time was the CISO over at Levi Strauss, and he said, “Sayonara. I’m out of here. All I want to do is this podcast and absolutely nothing else.” Am I correct, Steve?
[Steve Zalewski] Absolutely. Hello, audience.
[David Spark] He does a few other things now, too. Advising other cyber teams that need some help. I should mention that our sponsor for today’s episode, who I’m going to say is one of our most spectacular if not our best sponsors we have ever had since day one of the CISO Series. We love them. They love us. It is Keyavi. What if your data was self-protecting, self-aware, self-intelligent? More at keyavi.com. But more about them later in the show. Steve, you posted about this on LinkedIn, and that is attack surface profiling. So, what is the buzz around it, and why has it been compared to a traditional pen test?
[Steve Zalewski] So, I would say about 18 or 24 months ago it started to become a common phrase. I was hearing people talk about attack surface profiling. Over the last 18, 24 months I’d say the buzz has picked up, and the opportunity for today is to really talk about why isn’t it a pen test. And so I don’t want to give it away at this point, but the key is it is different. We’re going to talk about why.
[David Spark] It is very different, and I’m glad for all the feedback we got from the community. Because we got some really, really good feedback on this. Joining us… I’m so thrilled that he’s joining us, and he is now a former CISO as of two weeks. Former as of two weeks of Silicon Valley Bank, Nick Shevelyov. Nick, thank you so much for joining us.
[Nick Shevelyov] Thanks for having me.
What are they looking for?
[David Spark] Jerich Beason, CISO of Commercial Bank, Capital One, said, “It’s just getting a view of my environment from attackers’ perspective. It’s effectively the reconnaissance phase of an attack. Knowing what the adversary sees helps me prioritize my activities and forecast where the adversary may attack.” And Chris Carter of Zurich Insurance said, “Fully understanding your asset inventory and ensuring proper configuration management.” And Allen Westley of L3Harris Technologies said, “What you can’t see are the gaps that make up your attack surface profile.” So, this really… The way I kind of read this is this is kind of like stage two of asset management. Would that be a good way to place it, Steve?
[Steve Zalewski] I would say all three of these are correct in a perspective. What I’d say is it’s not stage two of asset management. What I would say is if anything it’s a realization that static testing is no longer sufficient given how much third party risk and integrations we’re having to do and that what we’re looking for is something that’s much more dynamic that’s allowing me to be able to react quicker when there are gaps in my defensive perimeter.
[David Spark] Okay. Nick, your take on the definition of attack surface profiling, and do you think…well, Steve, Jerich, Chris, and Allen did a good job?
[Nick Shevelyov] I think they did. The way I think about it is that Sun Tzu wrote a book, “The Art of War.” Actually many generals contributed to it. One of the underlying premises was know thyself and know thy enemy, and you will win a hundred battles. And in terms of know thyself, only the paranoid survive. You need to continuously be probing and understanding what are your assets, what is the territory that you’re defending. To some of the points that were brought up before, is a pen test is a point in time typically conducted by human beings. And you can have a strong posture today during your pen test, and tomorrow that posture, due to change control, due to new vulnerabilities being released, that can change. You’ll miss that with the traditional one-time pen test approach. Whereas an algorithmic approach to continuously mapping the territory that you need to defend is a more mature and appropriate step in this dynamic threat environment that we live in today.
What’s the issue here?
[David Spark] Jason Norred, CISO of Solutions II said, “Like zero trust, this is another term to describe an existing process that has grown in complexity as our digital footprint is now so pervasive. I tend to call it profiling or monitoring if I’m purely assessing or monitoring my attack surface.” And Rob Gurzeev of CyCognito said, “Gartner now calls it ‘exposure management.’ Do we have the same visibility adversaries have to our assets and weak spots? Are we responding to risk quickly enough?” So, I like Rob’s comment here, and also it hearkens back to what Jerich’s comment was in the first segment – saying like, “I want to see the way my attackers see this, not just where am I exposed.” Because where am I exposed doesn’t really show it in the way the attackers see it. Or am I wrong when I say that, Steve?
[Steve Zalewski] I’m going to start with Gartner having exposure management, and it’s a new term that Gartner has recently introduced where I think they’ve understood that they have to talk about something, but they don’t know what it is yet.
[David Spark] Every year there’s a new acronym, new label.
[Steve Zalewski] New buzzword.
[David Spark] New buzzword, new product to buy.
[Steve Zalewski] So, here’s what I would say with exposure management – exposure management to me is proactive. Okay? Exposure management means I’m looking at my perimeter. I’m not trying to do vulnerability management. I’m trying to look at material impact and look at the likelihood of exposures through. And then figure out how to disrupt it. Okay? That’s a very proactive stage. Where I see attack surface profiling is not that far in. To me, what it’s acknowledging is that the way that the attackers use automated tooling to find chinks in our armor. Whereas Nick said our armor is changing out almost every day. We’re exposing. We’re moving. We’re constantly showing new kinks. Why can’t we use the same profile management that the bad guys are doing to find the initial way to in to be able to constantly reevaluate so when it happens we at least initially have visibility into it to then go worry about exposure management.
[David Spark] Nick, this constant reevaluating of exposure seems daunting and exhausting. Is it, and how do you not make it so?
[Nick Shevelyov] In our business, only the paranoid survive, and we have to have a mindset. The mindset of zero trust is really a philosophical journey on the continued application of least privilege, multifactor authentication, identity, and access management. The mindset of attack surface management is continuously at machine speed validating that you’re defending what you should be defending. And to the point that Steve brought up is it continues to give you a profile of what does the environment look like. I’m making probabilistic bets as a CISO. I’m applying controls. I’m building systems that hopefully are interlocking and complementary to one another. But in order to customize those for my network… Every network is like its own snowflake. It’s similar but different. I need to understand how that environment is changing, and that calculus is going to determine how I allocate my capabilities and my investments. And so that’s how I think about it is consistently filming the change that I need to manage and then replay that change so I have a better understanding of the environment.
[David Spark] I want to also get back to the question I had for you, Steve, and I want both of you to answer this is… And tell me if there’s a difference between this. Looking at your own exposure as you just described it versus what the attackers see, is there a difference, or is it truly the same thing? Is there a way to look at it more so through their eyes? Steve?
[Steve Zalewski] I’m going to talk about bug bounty programs for a minute because what are bug bounty programs. It was pen testing where what you were going to do is do it a little more continuously. The problem with bug bounty is you have to tell them what to look for so that you’re willing to pay for what they find. That’s very proactive. It assumes that you have control over your environment. And what we’re all saying now is we have to be resilient to business process change. Okay? The way that the business applications are adapting with digital transformation, they’re not necessarily coming to us. Third party and fourth party integrations are occurring ever quicker so that what we’re really saying is how can we be resilient to the change that the business process is inflicting on us in a way that we can withstand more attacks and still maintain the business. And so I say that’s the difference between pen testing, and then we got the bug bounty programs. And now what we’re saying is, “Well, the bad guys are still getting through, so why can’t we get closer to the way the bad guys do it?” And the bug bounty companies are starting to give us some of that. But to Nick’s point is our mindset is changing now. It’s an insurance policy. It’s probability and statistics. It’s not being proactive and telling the business when they’re allowed to change their applications. It’s us adapting to our business infrastructure as quickly as they’re changing it, and hopefully almost as quickly as the bad guys are attacking it.
[David Spark] Nick, what would you add to that? Again, in terms of your viewpoint. Is it through bug bounty, something else, as an attacker versus just looking at your exposure?
[Nick Shevelyov] Steve brought up that business wants to move quickly. There are third party relationships, these interdependencies introduce risk. If security’s mission is protecting to enable business outcomes, well, we need to enable security through the right perspective of understanding the holistic ecosystem that they need to protect. So, if a business is moving fast, and signing partnerships with third parties, and establishing connections, the space will help tease that out and show the interdependencies and the risks associated therein for you to have a broader and more thoughtful understanding of what am I really caring about, how am I actually allocating my controls, and how am I actually validating the efficacy of controls. Because one of the underlying things that Steve and I have dealt with over the course of our career is that the efficacy of controls degrades over time, and you want to know about it before the attacker does.
Sponsor – Keyavi
[Steve Prentice] There is a myth that companies cannot protect themselves against cyber threats, and this is in large part because metaphorically they spend their time locking the barn doors instead of training the horse. Elliot Lewis, CEO of Keyavi, has a much better solution.
[Elliot Lewis] I think that the proof is in the headlines already. Look, we have a lot of great technology, a lot of great services on the reactive approach of trying to keep data contained. And when that is not possible, because data needs to be shared in order to be useful, then you lose that control and that visibility, and that’s what we’ve been living with in the industry since the dawn of IT. Now we’ve reversed that problem because data can take its security with it because data is wrapped in its own policies and controls because it can do this in real time, because it can modify its policies any time you want to even though it’s been out there forever. No matter where it went, no matter who’s holding it, the data is smart enough to react and control to your needs, your operations, your IT capabilities. That’s the key. This is where we’ve been trying to get to as an industry, and Keyavi’s technology enables you to do that. You can now start using the data the way you always wanted to. You don’t have to worry about it being lost. It’ll actually follow your commands, no matter where it goes.
[Steve Prentice] You can find out more about Keyavi’s solutions and how surprisingly easy they are to deploy and maintain by visiting Keyavi.com.
Why is this an issue?
[David Spark] Lajos M. of Mandiant said, “Your pen test is usually a point in time.” Aw, we did talk about this. “Attack surface profiling usually takes place daily and covers the gap you might have with your asset management.” Ah, why I brought up asset management earlier. And Ryan Franklin of SAP said, “Attack surface profiling seems a bit more like a natural evolution from traditional vulnerability management.” Okay, so his take is it’s more from vulnerability management. It kind of sounds like that from what you guys have been discussing. Is that a good way to view it, Nick?
[Nick Shevelyov] I think it builds on certain disciplines within vulnerability management. If you’ve got a mature vulnerability management program, you’re scanning your environment, you’re finding your systems and applications, you’re tying them to business owners, technology owners, you’re finding the vulnerability, the criticality of the vulnerability, the time to live and from an SLA perspective tying it back to policy, and you’re remediating it with burn down rates appropriate for the risk associated to that and how your policy and governance outlines that vulnerability. So, I think it steps on above that process. I think it broadens your understanding of where the vulnerabilities may lie. Organizations might not have a particular vulnerability, but they might be sharing information about themselves through job postings, through LinkedIn postings, through other publicly shared information that as an attacker. When I was in that space from a white hatter perspective, you harvest that information, and you use it against your target. And that is not a traditional security vulnerability like a bug. That is information that can be used against you. The very technology that empowers us may also imperil us, but the very information that we’re sharing about ourselves may also imperil us. So, I think all that is brought into a broader, more sophisticated view of resilience in security risk management at organizations.
[David Spark] Steve, what does your security program look like if you are not doing attack surface profiling?
[Steve Zalewski] You are on your heels, and you’ve got one burnt out threat response team. Because you’re losing the battle, and you’re losing it worse every day. To me, it’s a realization that the traditional approach of discover, protect, detect, respond is just not working. It’s too slow. It’s too much on vulnerability management. So, a lot of what Nick said when he was so elegant in summarizing all that is an acknowledgement that we’ve been doing for the last ten years, the efficacy is continuing to decline. And we’re now below water, so we better figure out something else to do, or we’re going to drown. This is the beginnings of us pivoting our thinking to resiliency, and whether you call it exposure management, whether you call it attack surface profiling. It’s getting to realize to improve the efficacy we have to a more resilient, more offensive/defense type posture. And that’s what you’re seeing here.
[David Spark] What I’m hearing from both of you and even more so from you, Steve, just in this moment is this is just yet another step to mature your security program, and you have to get to the stage of being more resilient to have an effective security program. Yes?
[Steve Zalewski] I would say yes. But 20% of us have reached that level of thinking to be able to understand, “Well, how do we message that to our teams, to our business, to our executive teams?” Because this maturation that we’re talking about, what I would call the third kind of stage of maturation, is really deviating from how we got here. Okay, so to be able to do something different… It isn’t that we’ve learned how to build a house and all we’re doing is adding a second story to the house. Kind of like what we’ve realized is we’ve built the house, but now what we have to do is build an apartment complex. And it is just a different way of thinking about how we’re going to be able to address all the comings and goings of people.
What aspects haven’t been considered?
[David Spark] Matt P. of Picnic Corporation said, “What’s missing is how their people are likely to be targeted based on their exposed digital footprints. Every attack starts with recon, and an organization needs to know how its humans and their digital identities are being profiled by attackers.” And Jason Norred, CISO over at Solutions II said, “Be aware of the environment you are responsible for and take appropriate actions to reduce the risk of that environment.” Nick, I want to toss to you, but I’m going to quote a hacker that I met at a bug bounty event. I asked him, “What’s the difference between the work you do now hacking versus five, ten years ago?” And he simply said, “The information I have now on you is a lot more.” And that gets to Matt P.’s comment here. How much of knowing what your employee’s digital footprints are, personal and professional, goes into I guess understanding your attack surface? Nick?
[Nick Shevelyov] Yeah, I think that generally speaking a lot of security programs, to Steve’s point, feel underwater with the existing technical vulnerability risk management they have to do and don’t have the time and the bandwidth to actually expand their horizon on just exactly how the attack surface is expanding through the very behavior of employees and what they share on the internet about themselves. And to your hacker’s point, yeah, they do have a lot more information because people are sharing a lot more insights that can be used against the target. And so for CISOs, it’s the dose that makes the poison. If you give them too much bad news, it’s poisonous, and now they know about it. And so they might want to modulate the amount of bad news that they need to intake. And so you have to think about how do you manage the bad news and create the right system so that you can deploy the right controls to mitigate that bad news. I’ve used the analogy that white swans are known knowns. Gray swans are known unknowns. Black swans are the unknown unknowns. But to me, it’s the red swans, the known knowns that just aren’t so, that burn you in security. And so if you can develop that mindset of understanding that the game has changed, you need to establish the traditional controls, the defense in depth, adopting zero trust principles, but also continuously probing how the very information that’s being shared about you and your company can be used against you. That’s a holistic mindset for the 21st century risk imperative in cyber security.
[David Spark] Steve, how do you deal with the exposure coming from all angles, many you may not be aware of because it could be like the personal profiles of your employees?
[Steve Zalewski] Yeah, so I’m going to give you my ah-ha moment, and I’m going to pick up on the conversation here around the identities, the digital footprints of people. I don’t know how many remember, but four or five years ago there was a capture the flag exercise where a government had put a million dollar bounty out, and we had ten different teams build machine based capture the flag capabilities. And the best of those that won then went up against the best of the humans that won the capture the flag. This was at DEF CON. The humans won hands down. But what I understood by watching that is that the ability to decompose applications to identify vulnerabilities, the ability to analyze the data, to be able to see whether it was interesting or not showed me that it’s not about people identities. It’s about data identities. It’s about application code vulnerability. It’s about this is the speed now that is being thrown at us to be able to decompose our business environments and our applications in order to be able to exploit. And so when I look at these two comments I go, again, this is kind of like yesterday’s thinking. This is not what we’re up against now. And so that was why we need to be aware of the fact that everything is an identity, that everything is potentially vulnerable, but that when we look at attack surface profiling and exploits, it’s us now trying to redefine statistically, mathematically, what is most important for us, and what can we do about it.
[David Spark] All right. Well, that brings us to the very end of our show, and at the very end of our show I ask folks what was your favorite quote, and why. And, Nick, I will start with you. Nick, what was your favorite quote?
[Nick Shevelyov] Mr. Beason’s comment on it’s just getting a view of my environment from attackers’ perspective. That sort of sums it up. All right, and I think that it addresses the fact that never be comfortable in this role. You want to have a continuous reconnaissance of the territory that you need to defend and develop a map to defend that territory. But as Napoleon once said is never paint a picture of the battlefield. It changes too quickly. And so we should know never to paint a picture of our own battlefield. It’s changing too quickly. And embrace that dynamic nature. Embrace and adapt your controls and your capabilities appropriately.
[David Spark] Excellent. Steve, your favorite quote, and why?
[Steve Zalewski] I am going to pick [Inaudible 00:25:06] Rob Gurzeev of CyCognito. I’m going to do it for two reasons. One, he calls out Gartner now calls it exposure management.
[David Spark] Yes, you’ve doubled down on that.
[Steve Zalewski] I want to double down on that. Which was Gartner now knows there’s something out there, and we got to think about it. But what that really is saying… And I like the second part. Do we have the same visibility adversaries have to our assets and weak spots? And that’s what we’re trying to accomplish here is beyond pen testing and getting to vulnerability profiling and getting to exposure management is are we doing everything we can to leverage machine capabilities to know that as the business is changing we are adapting with them.
[David Spark] I like it. All right, now we are officially at the end of our show. But we get last comments from everybody. First I want to thank our sponsor, and that would be Keyavi. Keyavi, more about them, keyavi.com. Self-protecting data – data that protects itself. You don’t need to interfere. It knows what to do if it’s in the wrong place, and it will protect itself. More at keyavi.com. Nick, I’ll let you have the very last word. But first, Steve, any last thoughts?
[Steve Zalewski] Two. One, thank you, audience, again. The responses to the posts that I had demonstrate just some amazing forward looking thinking. People are really thinking about this. We couldn’t do this show without the quotes that we got. And two, a big thank you to Nick. I’ve known Nick for years – a thought leader. This conversation and this topic is one where Nick agreed to be our guest I just thought really brought the A team to what I think is an incredibly important topic.
[David Spark] Nick, let me ask you, was this more fun than dealing with a Nation State attack?
[Nick Shevelyov] 100%. 100%, David.
[David Spark] Okay, we are better than a Nation State attack. Nick, I can quote you on that. We’re more fun than Nation State attack. That is good to know. All right. Now, usually I ask my guests are you hiring, but you’ve left. You’re free. I’m assuming Silicon Valley Bank is hiring for your successor, yes? Correct?
[Nick Shevelyov] Yeah, this has been a long time transition, and I helped participate in hiring a few of my different successors and then stayed on as an advisor and wrapped up a 15-year career two weeks ago. So, still very much close friends with the bank and the people on the team. But now I’m just exploring what I’m going to do next – talking to lots of interesting companies and looking at different opportunities. I get to spend a little bit of time with friends like Steve and do fun things like this, David. So, it’s just a fun period. I don’t know where I’ll land. It might be a few different things. It might be a fun, new adventure. We shall see. RSA is coming up, so that’ll be a fun time.
[David Spark] Yes. Well, when people hear this it’ll be after RSA, but we’re recording this just a week before RSA. You should do what Steve does – go the advising route. Because that way you can use your intelligence without the pressure of actually having to secure anything. [Laughs]
[Nick Shevelyov] I’m always just following in Steve’s footsteps. He’s a wise man, and it’s just fun having a conversation with Steve and yourself, David. This has been a lot of fun. It’s thought provoking. This is a space that’s moving so fast, and I’m getting nuggets of information from friends and colleagues that’s so useful. And it reminds me to ask myself, “Am I playing chess? Am I playing poker? Or am I playing go? Or am I playing elements of all three in this fast moving landscape against the adversary?”
[David Spark] Let me ask you this question… You’re 15 years in security at Silicon Valley Bank?
[Nick Shevelyov] Yeah, the average tenure of a CISO is I think two and a half years.
[David Spark] I’ve heard from 18 months to about 3 years. Yeah, I’ve heard everything. But here’s what I want to know – what… I’m sure plenty of changes… What was security like 15 years ago?
[Nick Shevelyov] I got to start it from scratch. I literally was the first CISO. I literally…
[David Spark] You probably had one of the first… Because that title is not too much longer than 15 years old. It’s not that much longer.
[Nick Shevelyov] There weren’t a lot of CISOs at the time. I had to reach out and meet other folks and became a member of the Bay Area CISO Council. I’d go to the FSSI…
[David Spark] But I want to know, what did security programs look like 15 years ago?
[Nick Shevelyov] It was a couple of folks doing computer security, incident response. It was an outsourced SOC to a vendor that wasn’t doing a very good job. It was pleading with IT to patch vulnerabilities. It was educating your board on why security matters. And now the Wall Street Journal does that job for me. And now there’s a… The world has changed. It’s the golden age of cyber security. People understand that it’s the 21st century risk imperative.
[David Spark] It’s interesting, Wall Street Journal does that for me. There was a time that the breaking news would hit the trades first and then bubble up to the Wall Street Journal. Complete flip. They break in the Wall Street Journal, and then the trades explain it.
[Nick Shevelyov] Isn’t it amazing how the world has changed.
[David Spark] Completely different. Thank you, Nick. Thank you, Steve. Thank you, audience. We greatly appreciate your contributions. By the way, if you see an awesome conversation online, send it to us. We turn it into a show. That’s what we like to do. So, do that. Contribute, participate, and continue listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.