Podcast

Specialty Podcast: Pen Testing 101 - Finding Cyber Weaknesses Before Hackers Do

By Alliant Cyber / August 21, 2025

Join Brendan Hall, Alliant Cyber, and Gaurav Kulkarni, COO, Sprocket Security, as they explore the evolution of penetration (Pen) testing from traditional legacy models to continuous security programs that deliver real-time insights into an organization’s ever-changing attack surface. Their discussion highlights how this new approach supports compliance, reduces exposure and aligns with modern cybersecurity frameworks like Continuous Threat Exposure Management (CTEM). Gaurav also outlines how Sprocket’s hybrid model blends technology with human-led testing to better identify, validate and remediate risk to stay ahead of zero-day vulnerabilities and emerging risks in today’s changing climate.

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Brendan Hall (00:09):
All right, welcome to another Alliant Specialty podcast. I am joined here today by our esteemed guest, Gaurav Kulkarni. Gaurav, welcome to the pod.

Gaurav Kulkarni (00:19):
Hey, thanks Brendan for having me. Excited to talk to you guys today.

Brendan Hall (00:21):
Yes, I really appreciate the opportunity. Gaurav, you're with Sprocket Security. Do you want to give us, before we get into the meat and potatoes here, do you want to give us a high level of what Sprocket does and how you guys came to be?

Gaurav Kulkarni (00:32):
Of course. Yes, thanks for chatting with us. Sprocket Security, we're a company headquartered out of Madison, Wisconsin. Really our go-to market and what we do is we're an expert-driven, continuous security testing company. Think of us as always on, always active, with a hybrid pen-testing approach. A lot of what we're focused on is really changing the market of what has been, what I would say point-in-time testing, what we call legacy testing, moving those customers into a continuous model.

Brendan Hall (00:57):
I guess that really segues really nicely into the first of our questions here. Most of our clients are doing some level of penetration testing. What is continuous pen testing, and how is it different from the more legacy models?

Gaurav Kulkarni (01:10):
I'm glad you asked. There's a lot of noise around what continuous actually means that are out there. I guess let me start with just legacy and what we call legacy. Many organizations like you talked about are still doing legacy pen testing. Think of this as like an annual penetration test, a very service-based engagement that is a week, two week, you name it, where they're actually getting attacked on either an external, internal or application type of infrastructure. Somebody comes in, they hack away at it, they produce a report, and then they go away. Continuous, the whole concept of continuous is looking at it and say, well hey, what happens when that person actually leaves? Did something change in your attack surface? Did a new threat come out? Did a new vulnerability come out? What are you doing about that from an organization risk perspective, and what can you do to go through and mitigate it? The entire concept of actually getting into a continuous security program and trying to mitigate risk is getting a lot more adoption these days because it's more than just making sure that you've got a checkbox to do the penetration test. Now you're essentially looking at, hey, what are the things that I knew I had risks for? Are you going to go through and remediate them? Happy to talk a little about our model and how it differs for some of the other players that are out there too.

Brendan Hall (02:16):
Yes, that's great. Our clients, I think as I mentioned to you before, still a little bit confused sometimes as to what actual pen testing is versus, and I think there's a lot of folks out there that offer really just scanning, and they're not trying to break in and get in the doors and windows and so I think clients are, if they're not paying attention, may not have such a strong grasp of how one service differs from or is better or worse than the other. Where and how would you say that continuous pen testing makes a difference for organizations?

Gaurav Kulkarni (02:44):
Yes, great call out. I guess I'd say from a continuous perspective, the biggest difference is we want to make sure that you're essentially doing anything that you might need from a compliance perspective to facilitate those gaps, so you're proving that you're actually doing testing. But really what happens when something changes, a new exploit comes out, rather a new vulnerability comes out, and if that new vulnerability comes out, you want to know is your organization actually affected? I put together a couple analogies. Think about recalls from a car manufacturer for perspective. There's lots of recalls that are published for maybe a Toyota Corolla or a Honda that might be out there. However, the risk and mitigation that are recalled is only dependent on A, do you have that type of car and B, do you drive it in a certain way, and does it actually go through and affect you? From a continuous penetration perspective, we look at it and, hey, can I get in? Can I have ways to go get in, and did something change your environment that now I have a different avenue to actually exploit that. Most of our customers that we work with have come from that legacy model where they've done an annual test, and what we hear them talk about really is, hey, like you said, it's more than just a scan. Scanning is just going to tell you at a high level what are the areas that I potentially have at risk in my environment. But penetration testing is really going beyond and say, hey, can I actually exploit that risk? Can I actually do something with that risk where it might impact my business in a much, much more negative way? They use that to really prioritize what they're working on and make sure that they're continuing on that process.

Brendan Hall (04:03):
So the risk then, I guess you would say, for not using continuous pen testing is that, essentially if you did a week or two weeks worth of pen testing, they're hacking away at it, they finish it, they give them the report, and there's a zero-day that kicks up the next day that that may be missed entirely, right? If you're presenting, that's your one annual test, and you may not know about it until next year.

Gaurav Kulkarni (04:22):
A hundred percent. I think there's two things in that. One is that zero-day may nullify all the findings that they've found earlier because it's much more critical than what they actually found. But the other thing is, if you look at organizations that are going through an annual pen test, the majority will get a set of findings that are critical, high, medium, low that they then have to remediate. They'll go through a process to go through and remediate, but they'll only check to see if those were actually remediated in the next annual pen test. So realistically, from like a gaps perspective, one of the value adds that we provide is think of us as unlimited retesting. There's no window for when they need to actually fix or complete those things. They can simply go in and say, hey, I believe I've patched this system, I believe I've done something where I've blocked this port. Can you still get in? The truth may be there might be a different avenue and attack vector in versus the actual remediation fix that's out there, and you may not know what's happening there in that annual legacy pen testing model. You may not know until the next year. It leaves you much, much more susceptible to that risk to actually mitigate those.

Brendan Hall (05:17):
The question obviously everyone's going to go, wow, sounds great. What does it cost?

Gaurav Kulkarni (05:21):
Yes.

Brendan Hall (05:22):
Is it more than traditional, or is it about the same? Does it require anything more from a client from participation?

Gaurav Kulkarni (05:28):
Yes, so great question. I get this question asked quite a bit. So if you think about our model, especially at Sprocket, one of the things we wanted to do as we're converting the industry is make sure that we gave them everything that they would get in their annual legacy pen test. Our engagement model is such that if you need to go through a pen test to have any type of compliance requirements or any type of cyber insurance readiness, we're going to make sure to facilitate and have that. Then we're going to put you in a continuous model that really our differentiator is we're using software technology to figure out what are the things that are actually at risk. Then we have human-based testers to go through and exploit and go after those. I'd say on average we're only about 20% more than what they would be spending on an actual legacy pen test. The big value we talk to clients about is, okay, how much is that worth in terms of risk mitigation through your business? What is the type of exposure that you want to be comfortable with, and can you bridge that 20% gap to know that you've got the comfort level that you're actually doing an always on, always testing model with somebody like a Sprocket to help go mitigate that. It's a common ask. But the model, I'll just double click a little bit on it, is look, because we have a hybrid approach with humans actually driving some of the pen testing that the requirements out there, we can still satisfy a lot of the audit requirements that these customers are going after, especially when it comes to F&B clients or mid-market clients that have to generate a report and have to show what they've actually remediated against it. We can do both of those while we're getting them in a continuous model.

Brendan Hall (06:49):
Got you. Now is this for everybody, do you think? Is there a size of company where it's probably not worth it for you? Do you feel like this is going to be the replacement for traditional pen testing, or is there still a place for the traditional pen testing and the continuous is something above and more suitable to certain industry types, size of companies?

Gaurav Kulkarni (07:06):
Yes, that's also a great question. We get asked a lot about is this approachable or acceptable for most businesses? We truly do think that that legacy pen testing model is going to die. That's just such a model that especially in this day and age, with the rate of change, with many organizations moving to cloud, with many organizations changing things with AI advents that are out there, the rate of change doesn't actually help you showcase what that penetration test would've actually done. So part of it is, is it accessible for everybody? Well ultimately it's a business appetite and risk. So the smallest of smallest, we'll probably just say, look, this is not for me. I've got to do some basic infrastructure, be it this common MFA, endpoint detection, et cetera that are out there, and then I'll get to the next one. But we see a lot of success in the mid-market companies. Because we have a hybrid approach, these are companies that have probably set their baseline standards in place. They've gotten some basic infrastructure in there, but they don't have a huge IT or security staff. Working with somebody that's a continuous provider like ours that has a hybrid approach is not only are we doing a lot of the automation to do always on testing, we also make sure that the testers are accessible and available to them. So if they have questions around remediation, we can help provide guidance on what that remediation might look like. It starts getting into more of a, what I think people these days are calling a continuous threat exposure management program. Regardless of size of business, many businesses are starting to look at this and say, instead of doing this and then this and then this, why not actually because the nature of the world is much more based on rapid change, get something where we're actually looking at threats, we're actually mitigating the threats that are relevant to our environment, and then assessing and doing it again, just this loop that we start to see organizations start to adapt.

Brendan Hall (08:42):
Right. We're starting to hear more about this. There's new terms. Like every time I think I have a handle on all the terms and phrases in this business.

Gaurav Kulkarni (08:49):
Always an acronym.

Brendan Hall (08:50):
I know, always an acronym, and people love to drop an acronym like everyone else in the room knows what it means, and everyone's saying to each other like what the heck does that mean again? You always have to stop and realize you got to spell it out for people at least the first time. So CTEM, right? Continuous threat exposure management. We're starting to hear more about this, is emphasizing prioritizing exposures based on business risks. How can continuous testing help organizations identify and validate the real world impacts of those exposures before attackers do?

Gaurav Kulkarni (09:16):
This is I think a process and a methodology. It's gaining a lot of steam across IT and across security, is just going through continuous threat exposure management. Here’s how we look at it, is the concept of it is there's five phases in CTEM. There's a scoping phase which is, what are your business risks and what are the things that you want to go through and look at for your threat? There's a discovery phase which is really validating and figuring out the stuff that you identified, is that actually the things that I want to go look through? There's a prioritization phase to be like alright, maybe I don't want to look through everything. Most critical risky assets are the things that I want to go after. Then there's a testing phase around validation. Am I actually there? What's happening as part of that? What are the threats that are actually exposed in there? Lastly, it's mobilization. What do I do about it that's in there? Our approach on this is a large portion of what's being put out there is something that we were built from the ground up to help customers and organizations do. We've got components of our technology product that gives them access to their attack surface, so they see exactly what's actually out there from a discovery perspective or their assets. We've got components of our platform that then enables us to test against what those assets are, what's internet facing, what you may or may not know is out there. And then we've got components where we can actually help them remediate and get into a mobilization phase and then keep running those testing. I look at it as the industry in general, not just security, but I'll just say all businesses that have any type of external facing footprint should start looking at adapting something like this. 
I think what's going to happen is it's a program, it's just a mindset more than anything, of just ensuring that, if I have something that's public facing internet and these days majority of businesses do, whether it be their own hosted website or something else that might be a client facing portal or just a web presence of like, here's who we are and here's what we sell, here's what we do that's out there. They have some external exposure that's out there. Well the truth is that not only is that external exposure changing, the attack vectors keep changing. Putting something in place that helps you actually define that gives you a methodology as a business to go through and look at that, can only help. For us, we look at that continuous pen testing, it's overlapping a large portion of that, really that large portion is when it comes to everything from discovery, prioritization and validation in that continuous threat exposure lifecycle management. We can help facilitate a good piece of that, and the goal is nobody's going to be perfect. Everybody's trying to do their own best thing and what's proper for their business. Businesses what we see are just trying to implement this to make sure that they're focused on more than just a checkbox. They're doing something more proactive and then just reduce their risk as much as possible.

Brendan Hall (11:39):
What's a typical cadence? Because you say continuous pen testing, I assume you're not actually 24/7, 365 days a year? Is it just a matter of you pay, you're testing and then you retest as often as you want? How often are clients doing that? Once a month, once a quarter? What does that look like?

Gaurav Kulkarni (11:55):
Great question. We had to change the philosophy of that model. So think of it as really much more change driven. First and foremost, we want to go in and give them essentially what they would expect from a legacy pen test. Here's a report, here's something that you'd go through. The rest of the infrastructure, the frequency really varies on the client. It varies really on three things. Number one, it's how quickly and how often does their attack surface change? When I say attack surface, it's anything external facing that may be either a host, a server, an IP address, DNS. Did something change? If so, from an attacker's perspective, that's an opportunity for them to actually go through and test. So number one, did something for your attack surface change? Number two is, did a new threat come out? These zero-days are coming out all the time. Part of our process is from an attacker's perspective, they're looking at the next greatest vulnerability, figuring out if they can create an exploit to actually go after that vulnerability. Then trying to see which customers or companies out there have that so they can keep going. That's the other piece of continuous, so how frequently does it come through? Then did they actively change something? That's where unlimited retesting comes in, which is like, I knew there was a gap, I patched the hole here, but guess what, maybe my ship is still sinking because I've got another gaping hole over here that I wasn't even aware of as I was focused on it. When we talked to organizations about that continuous model, we focused less on the frequency of testing and more around the rate of change that they have. The rate of change that they have should drive the level of frequency in terms of the types of things that are actually happening for the organization. Every business is slightly different based off of that.

Brendan Hall (13:16):
Just for our audience here, that change would be an update to a software platform, new technology you've implemented. Something along those lines. I also wanted to clarify, we were just throwing out zero-day exploit, which isn't an abbreviation, but of course then not everybody knows what that means. You want to talk about what is a zero-day, and how has that been impacting folks?

Gaurav Kulkarni (13:34):
Yes. Great idea. So zero-day, think of a zero-day as like breaking news, hitting the wire that nobody was aware of. I think about that and when you had network news. There's the news flash of breaking news that's out there. Something critical is happening on there. These zero-days are typically things that are massive that somebody has released somewhere in the wild, and they could potentially be critical to your infrastructure. Absolutely critical. It’s a very reactive nature with zero-days that organizations go to. If they hear about a zero-day, it's all hands on deck to make sure that you try to go mitigate and fix it. The challenge that they have though is there's so many of these that come out, is organizations have a difficult time figuring out, is that relevant to me? Back to the car analogy. Yes, okay, I know that there's a recall for a '95 Honda Civic that's out there, but I don't own a Honda Civic, so probably irrelevant for me, and I don't need to go worry about it. I can go sleep at night.

Brendan Hall (14:25):
But it creates a fire drill, at least a small fire drill. It just depends on your exposure and what that looks like for you. I find zero-days, there's a book out there by the former head writer of the New York Times, the cybersecurity writer, called "This Is How They Tell Me The World Ends." It's a whole historic thing about bug bounty programs, but then it really gets into, because back then you would, hey Microsoft, they would get mad at you for showing them that there was a flaw in Word or Excel that could be exploited, and they would threaten to sue people, and they quickly turned suit and said actually we'll pay you for those. Then people, like three letter agencies, start paying big bucks for those things, and they're stockpiling these zero-days.

Gaurav Kulkarni (15:01):
There's great value there. I'm glad you touched on it. Sometimes there's a lot of just noise around the industry. I want to make sure for the listeners out there that we're separating bug bounty programs compared to penetration testing. A bug bounty program is just a hygiene component that I think organizations should have. It's something where you're essentially paying to identify an external weakness that might be out there, and then you pay a bounty for it. You're rewarding somebody to say thanks for identifying that gaping hole in my infrastructure that's out there. The difference that I would call out with those is a lot of those are crowdsourced, meaning you're getting those from X number of people across the world that'd be out there. Sometimes the incentives are incorrect. They're paid for finding the gaping hole, so they're going to go to the most expensive ones, obviously in a free market economy, that they're going to go through and send. But for your organization and for especially medium sized other businesses, it may not be that big to them. It's still big for you though, right? It may be critical to your actual business and your infrastructure. What we try to call out is penetration testing is then actually taking the next level and saying not only do I have an exposure, but here's how I got through. Here's the damage that I can do if I actually got through, here's the data that I can take out, here's the access that I can get, and here's some of the actual accounts that I can potentially take over to keep going.

Brendan Hall (16:14):
It's like someone telling you when you got food in your teeth pretty much.

Gaurav Kulkarni (16:17):
Exactly right.

Brendan Hall (16:18):
I would pay for that. Somebody came up to you at a party, all the sudden, so you got food in your teeth. I would, yes, a couple bucks, right?

Gaurav Kulkarni (16:23):
Couple bucks, right? What's the damage you could do with it? Oh yes.

Brendan Hall (16:27):
Yes. Well this has been a great chat, man. I really appreciate all the insight here. I think hopefully our listeners got something out of this, and I think you're right. I think we're heading towards a place and these things, everything improves. You think about where we were even five years ago, 10 years ago, relative to now that, the continual model just being, is it because the rate of change is so severe, especially at larger organizations. Moving to a more continuous model is just a foregone conclusion in my opinion.

Gaurav Kulkarni (16:52):
Yes, I know the focus sometimes is on the rate of change. We see a lot of value from I'll say more medium-sized organizations as well because they're understaffed, so they don't have the time necessarily to look at it. If we can show in a continuous model really how their defenses can be breached, ultimately our goal at Sprocket is to prevent as many breaches as possible. If we can actually showcase them, a lot of times it clarifies, opens some eyes of, I had no idea that there was something that was such a gaping hole for me here because of all the noise that's out there, and that's the value we try to provide.

Brendan Hall (17:21):
The middle market's great for that because they're actually the ones raising their hands to say I need help. Everyone wants to work with Goldman Sachs and JP Morgan, all these gigantic banks and pharma and tech companies. But they have huge teams, and there's a huge procurement process, and it's just generally a big pain in the butt. But the middle market's like, hello, please help us, we have budget, we'll hire. Anyway, yes, I really appreciate the time. Thanks so much, and if you haven't seen it, check out Sprocket Security.

Gaurav Kulkarni (17:44):
Thanks so much for having me.

Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.