How to Recover After Failing a Cybersecurity Audit

By Fortra's Digital Defense

We sat down with John Stahmann, CISSP and Director of Sales Engineering for Offensive Security and Infrastructure Protection at Fortra, and asked him what he had learned after more than 20 years in the industry about the pitfalls, hacks, and little-known facts of offensive security. With so much architectural complexity, vendor sprawl, and multi-platform problems plaguing the cybersecurity landscape, it is no surprise that his answers centered around one thing: offensive security consolidation.  

The Opportunity Cost of Not Consolidating Vendors 

Offensive security typically consists of three disciplines: vulnerability management, penetration testing, and red teaming.

All three work in tandem – when done right. Stahmann walked us through the consequences when done otherwise.

What blind spots do you see in teams that only have vulnerability management?

Vulnerability management is a necessary starting point, but a mature organization will gain much more knowledge by having the ability to go beyond knowing about what vulnerabilities exist in their environment. With additional insight, gleaned from pen testing and red teaming, teams can now understand what risk those vulnerabilities may pose and how to prioritize the remediation of those vulnerabilities. Teams that only use basic vulnerability management are likely getting plenty of data but no understanding of how that data should be leveraged to secure their environments. 

How successful are pen tests without a prior vulnerability scan?

One of the key phases of penetration testing is a vulnerability assessment which discovers and analyzes the weaknesses of the environment. This step is crucial because it provides valuable information that the analyst would otherwise be unaware of, such as possible remote code execution and cross-site scripting vulnerabilities, open authentication points, additional exploitable vulnerabilities (CVEs), and other weaknesses the analyst might otherwise have to waste the pen test finding out. As the next step is to exploit the vulnerabilities discovered with the scan, an analyst unarmed with this prior knowledge would be shooting in the dark. 

Busting the “Separate Vendors” Myth in Offensive Security

“If it ain’t broke, don’t fix it,” the old saying goes. But just because it isn’t broken doesn’t mean it can’t be better. A lot better, according to Stahmann.

What is the biggest objection to consolidating offensive security vendors, and how have you seen teams overcome it? 

The biggest objection I’ve heard from customers is that they do not want to rely too much on one vendor. That’s understandable; these days, customers have seen cyber organizations go out of business, get acquired, or otherwise disappear. They want to make sure that they have a variety of vendors to work with if they need a potential replacement. However, Fortra only deals in best-of-breed offensive security solutions, and given our strong financials I’ve found that customers feel that they can trust us to continue to provide those solutions to them for years to come. A company that continuously refines and evolves its solutions is naturally seen as a strategic partner in the offensive security space.

Don’t you get better results if your red team vendor is different from your pen test vendor?  

From a services perspective, customers see the Security Consulting Services, Digital Defense, and Outflank team as a trusted partner, as opposed to just a “third party vendor.” They realize that the quality of services our team of experts can provide is much better than what they’ve seen in other places. We also have a large number of red teamers and pen testers internally, so “fresh eyes” are never a problem. We can rotate testers for an engagement so that the guys on the job are truly seeing it for the first time. Meanwhile, as their consolidated vendor, we save the customer on management overhead, multiple startup costs, and the hassle of having to re-explain their goals, objectives, and systems to a new vendor every time.

What about diversifying tools, teams, and talent? 

The right offensive security provider will deliver that and can probably do so with more cohesion than a string of different vendors held together by an internal administrator trying to juggle them all. Customers eventually realize that even if there are multiple vendors that could fill their needs, it makes more sense to work with one central hub that could do the same while helping them save on cost and developing an invested relationship.  

The Benefits of Offensive Security Vendor Consolidation 

Aside from sidestepping blind spots and saving on cost, using a single vendor for all offensive security needs has some specific advantages that customers can get in no other way.  

Consolidated Vendors Know You Better 

A consolidated vendor can cover all the bases in the offensive security lifecycle. With vulnerability management, pen testing, and red teaming under one roof, organizations get tighter interoperability and integrations and, consequently, more in-depth testing. The alternative is tying together a string of individual products not designed to work together and lacking the ability to truly “sing.” Another benefit is that customers can see the long-term roadmap of a consolidated vendor and look forward to the integrations, advancements, and products to come. Most of the time, those products are designed in response to specific customer problems, so they become part of a symbiotic feedback loop in which the client and provider develop custom solutions that benefit the customer more and more. If organizations are simply using single-point solutions from multiple vendors, it becomes hard to predict how each of those solutions will work together long-term.

Unique Value Adds for Red Teams 

Red teaming is different from a penetration test or vulnerability management. Those test the security posture of target systems but not the defenses themselves. Red teaming, on the other hand, is a goal-driven scenario used to test the security operation overall – people, processes, policies, and platforms. A red team engagement challenges detection capabilities, how the security team will respond, and the ability of everything to come together and defend any weaknesses before a cybercriminal exploits them. However, a red team is going to waste a lot of time if it does not have prior vulnerability assessments or pen test results to go off of, and so will the organization. Red teaming should be the big guns that come in and do what only red teaming can do, which is comprehensively test the hard stuff. It would be a waste to give specialized red teamers easy access through simple errors not discovered before.

Before vs. After 

Customers are typically happy to work with just a single point of contact for sales and renewals vs. having to go through multiple different vendors. They also feel that they have some say in the consolidated vendor’s roadmap because they can provide feedback on a range of their solutions, not just one. In the case of Fortra, they also feel more comfortable using our commercial-grade tools as opposed to using open-source or low-cost solutions from small businesses or startups. With the way the economy has been over the past two to three years, customers have seen which vendors have been able to weather the storm and trust that a vendor like us will be there for them in the long run.

What Organizations Stand to Gain from Consolidating their Proactive Security Tools

Customers have to be very selective about the vendors they work with and where they invest their dollars. They are looking to do more with what they already have, and the capabilities of an enterprise-level consolidated security vendor, especially when used together, are best in class compared to so much of what is out there. When organizations choose to consolidate offensive security vendors, it means they have extra funds for other security projects outside of the offensive security space. Customers are looking for vendors to help solve real business problems and tie their spend back to the overall goals of their business. By using one capable, comprehensive solution for all their offensive security needs, they can take the savings and invest in the broader cybersecurity portfolio, providing them more business value in the long term while also reducing costs.

Want to Find Out More About Proactive Cybersecurity?

Learn how layering offensive solutions will reduce the risk of needing to lawyer up in The Complete Guide to Layering Offensive Security
