In a world where new vulnerabilities appear seemingly every minute, threat intelligence is more important than ever.
And one of the most intriguing approaches to threat intelligence is attack surface management.
To explain the ins and outs of attack surface management, I invited Steve Ginty, Director, Threat Intelligence at RiskIQ, onto the show. He shares the work RiskIQ is doing in the field and how it could benefit your organization.
In this episode, we discuss:
- What attack surface management is and how RiskIQ can help
- How RiskIQ can let you respond faster when new vulnerabilities arise
- The importance of gaining visibility into not just your own attack surfaces, but those of your vendors
Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.
Narrator (Intro/Outro) (00:06):
You’re listening to The Virtual CISO podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey there, and welcome to yet another episode of The Virtual CISO podcast. With you as always, John Verry, your host, and with me today, Steve Ginty. Steve, good afternoon, sir.
Steve Ginty (00:37):
Hey, thanks for having me. Excited to be here.
John Verry (00:39):
Cool. Listen, I’m excited to have you on because you use words that I don’t know very well.
Steve Ginty (00:47):
No, not true. Not true.
John Verry (00:50):
Anyone who knows me knows I have a razor-thin ego and I don’t like not knowing something, so you’re going to educate me a little bit here today. So, I’m looking forward to chatting. Before we get going, always like to start easy. Tell us a little bit about who you are and what is it that you do every day?
Steve Ginty (01:03):
Yeah. So, I am the director of Threat Intelligence at RiskIQ and I focus mainly on helping customers understand the attack surface on the internet, what’s internet-facing and how the bad guys may be leveraging those internet-facing assets and vulnerabilities in them to target their organization. And who they are. Who are the bad guys that are targeting them, how bad is the current threat environment and really helping organizations understand their exposure and risk.
John Verry (01:31):
Gotcha. I always ask, before we get down to business, what’s your drink of choice?
Steve Ginty (01:36):
Ooh. I know you said you are a bourbon and beer guy and I would have to say I am as well.
John Verry (01:41):
Right. I thought I liked you already. Somehow I knew.
Steve Ginty (01:47):
So, on the beer side, I’m an IPA person and I am from New England originally, but now in Memphis, Tennessee, and my go-to is Maine Beer Company and their IPAs are fantastic. So, that’s my go-to beer.
John Verry (02:01):
Yeah, you like them big and juicy. You’re a Citra, Mosaic, Simcoe style?
Steve Ginty (02:05):
Yes.
John Verry (02:05):
Yeah. Yeah.
Steve Ginty (02:06):
If it tastes like pine, I’m in.
John Verry (02:08):
Yeah. Yeah. Yeah. My son is in that same realm. He’s gotten me… It’s really funny because we go out often and sample beers, hit either breweries, or we have this fantastic bar by our house that’s got like 30 beers on tap and you can get flights.
John Verry (02:23):
And it’s funny, my kids are now to an age where I drink with them. And it’s interesting because they’ve educated me a little bit, which you wouldn’t… I’m always like, “Nah, I’m not a big IPA fan.” And my son is, so he’s got me into the Citra, Mosaic, that style.
Steve Ginty (02:39):
Nice. Nice.
John Verry (02:40):
And my daughter is a, believe it or not, a sours fan. I always hated sours and then I guess I had never drank good sours. There’s a particular brewery called Drowned Lands that she’s a big fan of. I’m now to a point where it’s not my favorite. I still prefer a stout, but I’ll tell you, I won’t turn down a sour now, which is interesting.
Steve Ginty (03:01):
I’m leaning in that direction as well. I would have classified them more as pond water when someone first proposed them to me. But my business partner is a big sour person and he has pushed me to try them every once in a while. And so on a hot day, especially here in Memphis, you really can’t drink IPAs in 110 degree heat. Something with a little bit of sour to it is a nice deviation.
John Verry (03:26):
Yeah. The hottest day I ever spent was a morning in Memphis, Tennessee. That is the most humid… I mean, I’m from Jersey where it gets humid, I’ve been to Houston where it gets humid, Memphis takes it to another whole level.
Steve Ginty (03:38):
It is special. Let’s go with. And I’ve had to get used to it, but I’ve been here for eight years now. And so, I feel like I’m maybe finally acclimating. I don’t know. Next year will be worse. I’ll be like, “What is this?”
John Verry (03:51):
Exactly. So, you use a term, and I wasn’t kidding, it was a term I was like, “Ah, I have to go look that up and see exactly what they mean.” So, tell me about attack surface management. What is attack surface management?
Steve Ginty (04:05):
So, it’s the idea that from outside of your organization, there’s a lot of information exposed on the internet that actors could use to understand your vulnerabilities and find ways into your organization.
Steve Ginty (04:19):
And so, RiskIQ, we focus on helping organizations understand their attack surface. What are all of these assets that are attached to the internet, where are they, what are they, what are they running and how do you more proactively manage them?
Steve Ginty (04:36):
So, everybody’s had internal IT capabilities and spreadsheets of things and databases of assets and where they live. But the IT environment of organizations is changing so dramatically now, and even more so with the shift to the cloud, that we try to help organizations understand what their exposure is. And we help answer questions that they may have about their attack surface.
John Verry (05:01):
Gotcha. So, how far does that go down into the, I’ll call it reconnaissance wormhole? You’ve got stuff like… I know we used to do, like we’d look up the way domain names were registered, because there’s ways that you can [inaudible 00:05:16], right? There’s a flag. Something transfer prohibited as I recall, things of that nature.
John Verry (05:21):
Same thing with, you can see challenges with DNS services and things of that nature. So, is it a combination of that and other things that you’re looking at? And is it being done as a one point in time, or is this some type of a, do you consider attack surface management to be a real time ongoing exercise?
Steve Ginty (05:39):
It’s certainly an ongoing exercise. We always start in a point in time now. And so, our idea is we get what we call seeds from organizations. It may be a domain, it may be IP blocks or ASNs that they actually own. And we use those as the starting point of our algorithms that go out and discover everything from our data about an organization.
Steve Ginty (06:04):
So, RiskIQ has collected and indexed WHOIS data. On a large scale, we have a full instance of passive DNS collection that helps us understand domain to IP and historical connection points. And we also have a crawling and scanning infrastructure that goes out and interrogates specific web properties and webpages to understand interactions on them. But also a scanning environment that focuses on fingerprinting ports and services open on IP addresses.
John Verry (06:34):
That latter one sounds an awful lot like a vulnerability and configuration management scanning.
Steve Ginty (06:41):
We’re more passive. So, this is legitimately what service is running on this port, on this IP address. And that is it. So, we’re not going full deep scan to understand whether it is 100% vulnerable. We’re looking to point you in the right direction to the assets that could be vulnerable.
John Verry (07:00):
Gotcha. So, if you’re passive, does that mean you’re not actually talking out to see those particular ports, or are you somehow sitting on firewall logs, or do you have some mechanism by which you can sniff traffic that’s out on the internet to see these communications and see the port destination requests and map things up?
Steve Ginty (07:22):
Yeah. Passive maybe wasn’t the full right word. It is an active scanning environment. We’re not interrogating for full vulnerability.
John Verry (07:31):
Gotcha.
Steve Ginty (07:31):
So, when we’re running those scans, we’re basically saying, “Hey, here’s what we would expect to respond on this port. Are we getting that response? Yes. Port’s open. Yes, we got the appropriate banner back that correlates to X service. And therefore we can then start to make assumptions.”
Steve Ginty (07:49):
So, the Cisco’s vManage vulnerability that came out last week, I can go into our system and say, “Show me everywhere we’ve observed those systems over the past 30 days.” I can’t tell you if it is 100% vulnerable to that remote code execution vulnerability, but I can tell you where they are in your environment or if it’s something you have to be worried about.
John Verry (08:12):
Gotcha. So, I can see where… So, you got one side of it, which I think is more the assets that the organization owns and controls. Right?
Steve Ginty (08:21):
Mm-hmm (affirmative).
John Verry (08:21):
That’s where you’re doing that active vulnerability scanning and staying on top of that. How does it work for the things that they don’t directly control? The information that’s out on the internet that needs to be there, that while they might have control over it, it’s not something that they’re looking at on a daily basis. All right?
John Verry (08:39):
I mean, you register your domain name and you probably never go back to it unless you have to renew it. Right? Or things of that nature. Talk a little bit about that. How is that being done?
Steve Ginty (08:53):
With our scanning environment, we’re looking at webpages and all types of assets. So, it’s not specifically IP and services. We’ll look at hosts and domains and everything as a part of our scanning. And physically, we have a crawling environment that will go on a virtual walk through your webpage and click down through connected links to see how the page interacts.
Steve Ginty (09:15):
So, we’re doing a whole host of information collection. And then we’re just layering filters on top of that information collection for a given customer. So, if you want to know what domains are expiring the next 30 days, you can come in and see that filter inside of our platform, because for our customers, we do more active monitoring.
Steve Ginty (09:36):
So, if you tell us these are important assets to you, we will do more continuous monitoring on a daily or weekly timeframe, all depending on what makes the most sense, so that you can get more information. WHOIS lookups, expiration dates, SSL certificates that are about to expire.
John Verry (09:54):
Gotcha.
Steve Ginty (09:55):
So, it’s really just, I like to say RiskIQ is a big data company. We do large scale internet data collection. And then our products are just filters on top of that data that let you answer questions.
John Verry (10:06):
Interesting. That makes complete sense. So, do you do the same thing? Do you guys delve into the… You did the internet, do you do the dark web and some of the non-internet specific? Like some organizations, I don’t know if you guys delve into this, where I can give you intellectual property assets, project keywords, things of that nature, and they’ll look to see whether or not this is being talked about on forums or it’s being bled to Pastebin and places like that.
Steve Ginty (10:36):
We have a white-glove service that provides that kind of deeper dive into those types of dark web forums and monitoring. And there’s some configuration ability with our platform itself to allow you to monitor for keywords, and social media profiles, and different things that give you that view into dark web forums.
Steve Ginty (10:59):
It’s more on the customer to do that just because it is a, I would say it’s a harder dataset to operationalize, right? There’s a lot of information, there’s a lot of noise but you have to have strong intelligence requirements that you want to answer in order to be effective.
Steve Ginty (11:15):
And so, that usually works best when one of our analysts is sitting down with a customer and understanding really what the aim of their program is so that we can then tailor the system to collect and alert them on things of interest.
John Verry (11:28):
Gotcha. So, is it generally a SaaS service with an option for add-on professional services? That sounds what it’s like, or is there always some level of, like the equivalent of SOC monitoring for a SIEM, or security information and event management?
Steve Ginty (11:47):
So, we take the approach of SaaS platform with additional ability to add professional services. We obviously have a big account team and support team that helps you onboard and configure and all those things as a part of getting the platform into your organization.
Steve Ginty (12:02):
As far as it moves into operationalizing that data on a daily basis, you have your account management team that can help. But if you’re looking for a much more tailored approach, we have those services to go along with it.
John Verry (12:15):
Yeah. So, I was looking at your website and you had a phrase there that caught my eye, mapping the internet IP and non-IP space. And it made me think of the work that Bill Cheswick did when he was at AT&T and then he spun that out into a company called Lumeta that a couple of my friends worked at. Conceptually, is that similar to what you’re doing or is it just a turn of phrase, so to speak?
Steve Ginty (12:39):
I think it is similar a bit, but I don’t know enough about the solution to make a full, educated assessment. But yeah, our idea here is that we are trying to map IPs associated to organizations, web properties, social media, really anything that could be used on the internet that bad actors could target your brand with.
Steve Ginty (13:02):
So, we’re going beyond just IP analysis and port and service analysis, which is very important from the vulnerability side, but also the broad scale crawling of webpages to understand malicious injections for credit card skimming or tweets or social media posts that are impersonating a bank or an executive of an organization. So, really trying to provide full visibility to an organization on threats on the internet.
John Verry (13:28):
Gotcha. In the latter, when you were talking about Twitter, are you talking about that you’re monitoring their authorized Twitter account, or you’re monitoring Twitter to look for somebody who is impersonating them, not on their specific account?
Steve Ginty (13:47):
It would be the impersonation aspect. So, we would be looking for… I mean, again, it comes down to working with the client to understand who we’re monitoring. And usually it’s someone high profile within the organization, or maybe it’s a customer service type scenario that they’re looking to service, or fake customer service reps. So, we would be able to instrument our collection to alert on discrete keywords, brand names, derivations of brand names, logos, and things like that.
John Verry (14:13):
Okay. Yeah. So, that’s interesting. Cross over into that like you hear this field of reputation management. So, you’re crossing over there. Just out of curiosity, is that different if it’s a B2B versus B2C? So, as an example, right now I’m having a little bit of a problem. It’s not a problem for me, but it’s not a good situation.
John Verry (14:36):
Someone is trying to connect with a lot of people that I know on Facebook using my name and my picture. I put a Facebook page up like 10 years ago to monitor my kids and probably go there about once a year. I’ve never ever posted anything. And all of a sudden I’m getting, “Did you reach out to my wife and ask her about this?” And I’m like, “I don’t have any idea what you’re talking about.”
Steve Ginty (15:02):
What’s going on?
John Verry (15:05):
If somebody was doing those types of activities, and it was somebody that you were monitoring, let’s say the chief executive officer or a COO of an organization, that’s the type of stuff that you would be highlighting as being within this attack surface and something they should be cognizant of?
Steve Ginty (15:19):
Yeah. We could show that someone has maybe wholesale copy and pasted a specific profile for an organization or individual and is using that under maybe a different username. And therefore work with the customer and obviously the platform to address it and get it taken down.
John Verry (15:39):
Cool. So, we touched on to this point, but let’s just drill into each of them. So, I know that you promote four main use cases. So, let’s talk about that a little bit. Threat and vulnerability intelligence. I know we covered some of that. You want to dig in a little deeper?
Steve Ginty (15:54):
Yeah. So, I mean, we’ve focused on the attack surface management piece and that is a core offering of our business. But we also service a lot of organizations inside threat intelligence, security operations, and incident response. And it’s just a different product set on top of the same data.
Steve Ginty (16:10):
And so, it’s a PassiveTotal investigative platform. And so, what it allows those organizations to do is come in with a suspicious or malicious IP or domain, and basically ask us to provide everything we know about that instance across PDNS, malware, WHOIS, our crawling infrastructure, et cetera. And basically allow organizations to make an assessment about, is this thing good or bad, if it’s bad, are there other associations to it?
Steve Ginty (16:39):
Does this IP have other domains on it that may be malicious? And actor-owned, did the actor use the same WHOIS email address to register multiple domains. That analyst-tailored view into our indexed data to allow them to start to answer questions about an attack.
John Verry (16:57):
Gotcha. So, a use case for that would be that I’ve got a SIEM in place, I see a particular IP of potential concern, and either through manual or automated means I’m getting that to you guys. And I have the benefit of not only perhaps the work you’ve done on my behalf relating to that IP, but the work you’ve done for your client base as a whole, right? So, I have the threat intelligence component, right? Where I’m benefiting from the work that you’re doing for other people?
Steve Ginty (17:25):
Yes. And it’s our view of the internet too. Right? So, your prime example of wiring this into a SIEM or another alerting platform is we have the idea of a reputation score. Based on our visibility of the internet, we know certain things are discretely malicious.
Steve Ginty (17:44):
We know there are attributes that make an IP or a domain suspicious, and we know something that is non-malicious. And so, we can help you make that assessment and hopefully help you triage events quicker inside of your organization.
John Verry (17:56):
Gotcha. Back in the day, we used to do a lot of this and we’d use a lot of the open source or even some of the commercial, I’m going to call them, lists for lack of a better word. And we found them to be quite noisy.
John Verry (18:09):
Any special magic to, because I mean, I can remember one example that would happen all the time is we’d have a connection to a known bad acting IP, but that IP would host like 30 websites and one of those websites was the malicious one.
John Verry (18:26):
So, only 1 out of every 30 times that we got that alert was it actually valid. Have you guys figured out any special sauce to minimize that challenge?
Steve Ginty (18:35):
I mean, it’s still a challenge, to be quite honest. A couple of the things we try to focus on are discrete observations. So, since we are doing this crawling and active scanning, we on a daily basis, can observe something as being malicious. And I would say this is more towards domains and hosts, but we add things with high fidelity to any of our block lists.
Steve Ginty (19:00):
So, if we’ve observed this specific host and URL in a phishing campaign, the URL is bad. If we see that host associated with multiple URLs, once it hits a certain threshold, we will promote the host to being on the block list.
Steve Ginty (19:15):
Once we’ve seen multiple hosts associated with the domain, moving up the chain of fidelity so that we’re reducing some of the noise that an organization would see.
Steve Ginty (19:26):
Since we also have this scanning environment, we do have a lot of first seen/last seen observation timeframes. So, we can provide customers with that. To be a little more tailored, specifically around IPs, like you said, there can be a lot of instances of this IP was bad yesterday and is good today. Right?
Steve Ginty (19:46):
And now with cloud environments, I think I was looking at something that was Cobalt Strike two months ago, and today it is part of Slack’s CDN because it’s an AWS IP address. So, I mean, you have to take that into account, and that’s something we grapple with and talk about a lot.
John Verry (20:02):
Gotcha. Yeah. I mean, it’s not a completely solvable problem, but any improvements that can be made over where we were are just hugely valuable.
Steve Ginty (20:13):
Yeah.
John Verry (20:13):
Yeah.
Steve Ginty (20:15):
Yeah. And the ecosystem has changed so much since even I started. And was really focused more on espionage campaigns and the work I did at VeriSign iDefense. And so, you could have a list of bad domains that were bad for a year plus and very tailored. And now it seems that infrastructure swaps over so fast that it’s very hard to keep up. I guess the time to live of bad is much more compressed now than it was.
John Verry (20:42):
Yeah. Listen, I mean, I always joke around with folks is that, the bad guys take advantage of the technological advances faster than the good guys do. Right? So, they’ve gone to agile, CI/CD of their hacking activities.
John Verry (20:57):
And like you said, I mean, now it’s infrastructure as code and it’s attack stuff as code and they can take it up and pick it up and put it down quicker than we can recognize where they are.
Steve Ginty (21:10):
Yeah. Yeah.
John Verry (21:11):
Interesting stuff. And you mentioned something else that was interesting to me, you said that you provide a block list. Would that be something that somebody would, are you actively involved in blocking outbound traffic or would that be something that they would then inject into their Palo Alto environment or something of that nature?
Steve Ginty (21:28):
It’s more of a list that you would ingest elsewhere in your environment to proactively block. So, we’re not in the blocking game at the moment, although with our visibility and our recent acquisition via Microsoft, we hope we can do more proactively with this information in the future.
John Verry (21:48):
Yeah. Yeah. I’m going to be curious as to hear what you can and can’t tell me about the Microsoft acquisition, but you’re getting ahead of me. You’re getting ahead. Let’s say in your four main use cases because the next one is really intriguing to me.
John Verry (21:59):
Third party risk, of course, is a risk de rigueur, especially now that we talked about whether or not you can get down into the supply chain, right? So, that’s the big thing. That was part of the executive order. We’re talking about [S-PAMS 00:22:12], we’re talking about some phrases and terms we haven’t heard before.
John Verry (22:16):
Tell me a little bit about what you can do there. Not only can you help me manage my third party risk, right? Because you could do the same monitoring that you’re doing for me for a third party that I ask you to do it for. But how far down the chain can you get to fourth party, fifth party? Does that even make sense, given the construct and what you guys are trying to accomplish?
Steve Ginty (22:34):
We’re new to the third party space in really product land. At the beginning of this year, we launched the ability for anybody to come in and look at their supply chain and tell us, “Hey, these are my top 25 suppliers that I’m really worried about. Tell me what you know about their attack surface and where I should be worried.”
Steve Ginty (22:56):
And so, we have built that for organizations to be able to more easily consume their supplier and third-party suppliers’ attack surfaces and to make better decisions around risk. We’ve always been in this supply chain scenario because we can tell you about all your dependencies that we know that run in your environment.
Steve Ginty (23:19):
We know that you’re reaching out to AWS when you’re building your site or that this data is stored in an S3 bucket or that Akamai happens to be your CDN or what have you, based on the information we’re collecting with our crawling. So, we’ve always been able to help you understand how large of a supplier footprint you’ve had and how that impacts your attack surface.
Steve Ginty (23:38):
What we’re doing now though is creating discrete insights across those attack surfaces and saying, “Here’s what we know about you and we’re worried about these 10 things. And here are those 10 things layered over your suppliers as well.” So, it’s a one to many mapping.
Steve Ginty (23:55):
Our research team builds these insights, whether it’s the latest vulnerability or whether it’s open source tooling like Cobalt Strike, whether it’s a misconfiguration, I can give you that kind of snapshot into not only your environment, but also all of your suppliers.
John Verry (24:11):
Gotcha. When you say you’re doing an overlay, is that just you’re pointing out the same risks that exist in each environment, or is it more like there’s a really cool tool called RedSeal that will say, “Oh, you have this vulnerability and based on all of the access control lists between a malicious individual and that vulnerability, we can figure out whether or not it can get there.”
John Verry (24:33):
So, are you trying to match up where a vulnerability at one of your suppliers could be leveraged to exploit something in your environment? Is that what you mean by an overlay?
Steve Ginty (24:44):
No. What I mean is we’re trying to templatize the view that we’re giving everybody to make it consistent across organizations. So, it is a dedicated set of insights that I display to you about your attack surface and that you can also dig into about each of your suppliers.
John Verry (25:01):
Gotcha. Now, if let’s say that you got something like a Target or something like Home Depot, right? Both of those had their breaches. They host a lot of extranet systems, which are maybe not necessarily, they might be IP address restricted. So they’re not full internet public.
John Verry (25:17):
Do you guys just do the internet or if they give you extranet access or extranet information, can you also cover that environment as well?
Steve Ginty (25:28):
We are just internet-facing. So, that’s our dividing line. We’ve spent our time perfecting our collection and visibility from the internet-facing assets. And then we partner with endpoints. We have integrations with different endpoint providers. Obviously we’re integrated into Microsoft Sentinel. We have an integration with CrowdStrike’s EDR. And so, we’re partnering for that additional visibility.
John Verry (25:57):
Gotcha. You talked a little bit about vulnerability management before, right? By the fact that you guys are doing some active scanning and identifying open ports and what’s running on them and perhaps where they’re vulnerable. Anything more than that in that front?
Steve Ginty (26:11):
Yeah. We’re trying to create a smaller haystack for organizations to go rifle through when yet another vulnerability comes out. Right? So, it seems like the tempo is daunting at best. And every week, there’s something new to understand and manage. And so, what we are trying to do is point you in the right direction to where that vulnerability may exist in your organization and give you context around it.
Steve Ginty (26:37):
Who’s exploiting? Is there proof of concept code? Are there actors that we know of that are exploiting it? Does it target a specific vertical to help you make better risk decisions around your vulnerability management program, because as security professionals, I think if we go to the vuln management team one more time and tell them that they have to patch this critical RCE, they’re probably gonna all kill us.
Steve Ginty (26:59):
So, we’re trying to make that case easier for organizations to understand the risk profile of a given vulnerability based on that threat intelligence information layered over what we know of the vulnerability, and how big is it on the internet?
Steve Ginty (27:13):
I can see Microsoft Exchange was a perfect example. We could see of a corpus of 400,000 Exchange servers a week out from Patch Tuesday, 100,000 were still vulnerable on the internet. And so, we could give you scale of understanding of that vulnerability as well.
John Verry (27:30):
Gotcha. And I’m assuming frequency of update on looking at their infrastructure is daily, weekly, monthly?
Steve Ginty (27:38):
For IPv4, we scan daily across all of IPv4. So, we’re trying to keep as up-to-date as our scanning capacity will allow. And for crawling, it’s a little more ad hoc for non-customers. For customer assets, you can tell us how often you want us to crawl a website and we will queue it into our system to be crawled. So, it could be daily, it could be weekly, it could be monthly depending on how important that site is to you.
John Verry (28:07):
Gotcha. And on the crawling, is that typically a credential crawl or a non-credential crawl?
Steve Ginty (28:13):
These are mostly non-credential crawls, although we do have the ability to do some of that. This is really just, how is the webpage interacting when any normal user would come to it?
John Verry (28:23):
Gotcha.
Steve Ginty (28:24):
To understand code injections, dependencies, et cetera.
John Verry (28:27):
Right. Right. I gotcha. So, it’s not an application security assessment, it’s a website assessment, right?
Steve Ginty (28:34):
Correct. And the original usage for that crawler was malvertising, malicious ads being loaded into websites. It obviously has evolved over time and we spend a lot more time looking at malicious JavaScript injects for credit card skimming now, which seems to be happening all the time.
John Verry (28:54):
Yeah. I would imagine that organizations that do eCommerce would be an ideal customer for you for that feature. Right? Knowing that, like if there’s one of their shopping cart… I mean, shopping carts tend to be third party components that let’s just say have had a couple of problems. Yeah. I don’t know if you’ve ever heard about that.
Steve Ginty (29:16):
No, no, no. Nothing’s wrong.
John Verry (29:18):
Yeah, exactly. So, that would be cool there. And just one last question there. When someone’s interacting with your platform, it’s a very interesting sounding tool. Is it another place where they go when they’re almost on a dashboard and it’s almost like another, it’s not a security information and event management system, but it’s relevant information, or is it the type of system where they’re pushing feeds and alerts from that to a different system, whether it’s a help desk ticketing system or SIEM or Jira? What’s the workflow look like?
Steve Ginty (29:50):
It depends on the organization. So, it could be either of those. It could be both of those at the same organization. We have a centralized dashboarding area that you can come in and see, keep up-to-date with changing assets, new information, events, workflow management, et cetera. But we also have a full suite of APIs that can feed this information to other applications, if that’s not where you do your primary work.
Steve Ginty (30:18):
So, it really depends on the customer use case. We have the version that is more templatized and the discrete insights is community.riskiq.com and anybody can go and register for an account and have a trial of our Illuminate platform.
Steve Ginty (30:36):
And it’s a combination of this attack surface management capability that we’ve been talking about with also the investigative tool I mentioned earlier, PassiveTotal.
Steve Ginty (30:44):
And it has a portal of open source intelligence articles and vulnerabilities that have been coming out where we go and we extract the pertinent information and extract IOCs (indicators of compromise) for any of this public reporting so that it’s nicely packaged up and you can start pivoting and click and get all that context right away. And then if you want to dig into our data, you can go from there.
John Verry (31:06):
Gotcha. And then I’m assuming that those APIs are super helpful for the next area, which is incident response. So, I’m assuming you are not an incident response platform. I’m assuming you are a source of key information while I’m going through incident response?
Steve Ginty (31:20):
Correct. Yeah. So that analytical tool and PassiveTotal platform is key to our customers who are either internal incident response to an organization, or even we have a lot of security vendors that use our data to then provide additional insight when they’re responding to incidents for their customers.
Steve Ginty (31:37):
So, it could be used either way. It could be used via API programmatically to bulk enrich an incident. It could also be used as a hunting tool to understand this is the group that’s targeting us. These are the IPs and domains that we’ve seen from the infrastructure where their malware is communicating to, what else do we know? Can we find additional infrastructure that that actor may own? And can we proactively block that or maybe put it into a SIEM to alert, to find other hosts inside the environment that may be compromised.
John Verry (32:06):
Yeah. And I can see an interesting way these could all build on each other, and one plus one, plus one, plus one equals four, right? Because that incident response is taking advantage of the threat intelligence that you have from my org and any, all the other orgs.
John Verry (32:23):
You know about my vulnerabilities, so you can tell me whether or not I was vulnerable to the attack that I might be investigating, if you will. And then I would imagine that you could also tell me at the same time, whether or not any of my third parties might be subject to the same risk so that I can reduce my supply chain risk at the same time I’m reducing my risk.
Steve Ginty (32:42):
Correct. And so, they all seem disparate at times. Vuln management and threat intelligence don’t always come together. But I think you’re seeing that shift a little bit more in the market right now.
John Verry (32:55):
Agreed. Because if you really think about it, it doesn’t really matter where the exploit comes from. If you’re exploited, game’s over. Right? So, it doesn’t matter if it happened at headquarters, it doesn’t matter if it happened in a regional office or an overseas operation. It doesn’t matter if it happened in a critical vendor or a critical…
Steve Ginty (33:15):
Exactly.
John Verry (33:16):
And you give me some level, if I give you the right information, you can give me some level of visibility into all that. I mean, there’s no 100%, there’s no fail proof, but I’m going to be in a lot better shape if I’m looking at all that information than if I’m not.
Steve Ginty (33:31):
It helps. Right? Yeah. I mean, the threat environment is very dynamic and is constantly changing, but we can let you answer those questions quicker based on having this information in front of you. When the Confluence vulnerability from two weeks ago came out and some ransomware actors are going to be leveraging this.
Steve Ginty (33:52):
And someone in your C-suite says, “Do we have to be concerned about this?” With some confidence, I can show you where those assets are and help you manage that infrastructure and possibly help you get ahead of it, or at least have that visibility to have some confidence in the decisions you’re making.
John Verry (34:11):
Gotcha. So, you said that folks can trial this. When someone trials it, what’s the most likely oh my God moment when they’re looking at the dashboard? What is it that most people will see that maybe they don’t expect to see or where you’ll identify the most likely problem that you would identify for someone in short order?
Steve Ginty (34:31):
Yeah. I think for major organizations, you can request a snapshot of your attack surface. And we’ll present it in the platform for you to investigate. And the idea is, we know certain things about you and we have built an algorithm that will go out and collect that information based off mainly your email domain.
Steve Ginty (34:55):
So, it’s not going to be all of your assets, but there’ll be high confidence that the assets we are showing you are ones you own. And you’ll probably be surprised at how much we can find out from just that little bit of information. Right?
Steve Ginty (35:10):
And so, I think that usually, for a lot of organizations, is the interesting piece, is with only one or two seeds of information, we are able to discover a decent amount about an organization even without any input. And so, I think that’s always the interesting part.
John Verry (35:28):
I don’t even know if it still exists, but I used to always creep people out by showing them, there used to be a website called The Pipl, pipl.com.
Steve Ginty (35:36):
Mm-hmm (affirmative). Yes.
John Verry (35:37):
Okay. So, almost in the same way that that is, the first time that you hit Pipl with your name, how creepy a feeling that is, and you’re probably going to want to say no, because now I’m calling your product creepy. But just in the same way you-
Steve Ginty (35:54):
[crosstalk 00:35:54].
John Verry (35:54):
Yeah. Just in the same way you’d want to know that all this information is out there about you. It’s the same thing there. People are going to look at that and go like, “Oh my God, how does somebody know all of that about my company from me giving them this one little piece?” Because you just don’t realize how much information is out there.
Steve Ginty (36:12):
It’s true. And so, I mean, the ability for us to do that discovery and present it back to you in a meaningful way, in fairly quick order, right? I think is the surprise. It’s the ability to then action that data.
Steve Ginty (36:25):
And we have it in the platform where we’ll show you the new assets over the last 30 days. We’ll show you anything that we think is potentially vulnerable or that should be investigated. And then we’ll give you the tools to go dig through our data to respond to an incident or to enrich any investigations you’re doing or any kind of incidents or alerts that may be happening.
Steve Ginty (36:48):
And so, it’s a lot of information to hand over because we want people to understand the value proposition, get their hands dirty and really see the value we’re bringing.
John Verry (36:57):
Yeah. It makes complete sense. Actually, I was thinking that there was an equivalent tool for companies, right? Maltego, I think. Probably still is out there. I haven’t looked at it in a while, but same kind of a thing where you give it some information and you’re like, “Oh wow.”
Steve Ginty (37:09):
Yep. We have an integration with Maltego.
John Verry (37:11):
Oh, do you?
Steve Ginty (37:12):
Yeah, for visualizing all of the connected information.
John Verry (37:17):
Oh, I didn’t know that. That’s cool. I haven’t looked at Maltego personally in a long time. I used to do some work in that area. Now they don’t let me do any work anymore.
Steve Ginty (37:27):
It happens.
John Verry (37:27):
My job is to yap with people like you all day.
Steve Ginty (37:31):
It’s not a bad gig. Right?
John Verry (37:35):
So, you mentioned the MS purchase. Right? And I know that very often you, especially with someone like Microsoft, there’s probably some limitations on what you can and can’t tell me. Can you provide any insight into the plans?
John Verry (37:44):
And what I’m also interested in is that, is your tool and your tool and/or through Microsoft, just an enterprise level tool or SMB/SME, is there value there? Is it priced in such a way, or does the move to Microsoft provide… I mean, is it going to get integrated into the Office 365 stack? And I’m going to have some of these wonderful features on my security and compliance dashboards?
Steve Ginty (38:07):
Still to be determined. But I think if you look at the reason that Microsoft acquired RiskIQ, it was twofold. It was for this attack surface management capability and being able to help their customer base better understand their environments and specifically the move to a hybrid cloud environment. How do you help an organization manage that?
Steve Ginty (38:29):
So, that was a very key component of it. And also, the threat intelligence and the research that our team brings to the table to help organizations respond to incidents. So, both of those were key factors in the acquisition.
Steve Ginty (38:42):
For now, we’re still figuring out what that looks like. Right? And so, we have a full integration of our enrichment and threat intelligence capability into Azure Sentinel. So, we are focused in the near term on making that, really polishing that integration to provide a great integration point for our data into the Microsoft Azure ecosystem immediately.
Steve Ginty (39:06):
And that’s our near term goal. And then obviously, the excitement piece you kind of hit on it is, RiskIQ’s primary customer base was Fortune 500, Global 2000. So, I think the exciting component is, how do we bring this to a larger market?
Steve Ginty (39:22):
And I think the thing, obviously that Microsoft brings is scale. And so, we’re really excited about that and see how we can scale out this capability to provide this service to more organizations.
John Verry (39:35):
Yeah. I mean, I could see so many integration points with the Sentinel SIEM solution that you just think yourself like, “Wow, okay. That would be that sexy.”
Steve Ginty (39:44):
Yeah. We’re really excited about that as our first entry point. Here’s my plug: if you are an Azure Sentinel customer right now, the Logic App is live in the store. So, you can go and add it into your instance. We were working with them as a strategic partner pre-acquisition to get that deployed. And now we’re working to revamp it and make it even better.
John Verry (40:07):
Gotcha. Excuse my ignorance. When you’re on Azure and you plug in your app, does that come along for the ride or is that a charge?
Steve Ginty (40:14):
It would be for enterprise customers, because it’s going to be hitting our API at significant limits.
John Verry (40:21):
Oh, I gotcha. Okay. So, if you’re already a customer, then what you’ve done is you’ve basically integrated directly into the Azure environment on their behalf?
Steve Ginty (40:28):
Correct.
John Verry (40:29):
Gotcha. That’s really cool.
Steve Ginty (40:31):
But there’s a way to, you can play around with it. With the free trial, you do get some API access so you could see how that workflow would work. There are discrete workbooks and everything. So, there is value to testing it out, but if you’re going to implement it in its full force, you’re going to need a license so that you can get the benefit of all the data.
John Verry (40:52):
We beat this up pretty good. Anything else we missed? Anything else that you want to discuss with regards to your solution?
Steve Ginty (40:59):
No. I mean, I think this has been a great back and forth. I definitely appreciate it. The key piece is that anybody can go to community.riskiq.com and see what we have to offer at a free and trial level.
Steve Ginty (41:15):
So, we’ve always had a community component. So, even if you do the trial and it’s not something you’re ready to pull the trigger on as an organization, you can still be a community member and get limited access to the data each month. And so, we don’t just shut off the spigot. It turns to a little bit of a slower run, but you get that benefit of still having access to some of that data.
John Verry (41:39):
Gotcha. And is there a specific vertical, whether it’s SaaS, cloud service provider, legal firm, government entity that you think the solution provides a particularly compelling value proposition?
Steve Ginty (41:57):
So, it really depends on the product. And so, with our attack surface management capability, it has traditionally been Fortune 500 and financial institutions that have a lot of infrastructure to manage.
Steve Ginty (42:11):
But we built this, what we call Illuminate, which is more of a discrete one-to-many solution for these attack surfaces that I think have broader applicability to a lot of organizations who just want some situational awareness of what does my attack surface look like, what’s the low-hanging fruit? Where should I dive in?
Steve Ginty (42:32):
And so, I think we’re trying to broaden that reach to really any organization that wants to start to manage this. And then on our PassiveTotal product which is the threat-hunting piece, it’s really cross market, honestly. Anyone who has a team of security analysts investigating suspicious incidents can get value out of it.
John Verry (42:53):
Gotcha. And you’ve used the term threat a couple of times. Would you say this provides threat hunting? Because one of the things that unfortunately drives behavior these days are vendor due diligence questionnaires people got to answer. Right? Yeah.
John Verry (43:07):
So, do you have a vulnerability and configuration? Do you have two-factor authentication? Now we’re starting to see, do you have threat-hunting capability, right? And that’s one of the things that are mentioned in CMMC as well. If I asked you, do you think that you scratch the threat-hunting itch with your threat intelligence data?
Steve Ginty (43:24):
I mean, I think it’d be a question mark. Right? How do you define it? I mean, I just used it, right? And it probably means something totally different to me than it does to whoever’s filling out that questionnaire.
Steve Ginty (43:37):
We provide a threat hunting capability in that if you know infrastructure that bad actors use, you can find new infrastructure that they are standing up on a regular basis and proactively block it.
Steve Ginty (43:47):
And so, my term of threat hunting is, we have the ability to monitor some of these IPs, some name servers, things that we know are often used by specific actor groups and see their new infrastructure for X campaign start to appear and proactively block that.
Steve Ginty (44:04):
We would not provide a threat hunting service in the traditional vein of digging through your network traffic and data and internal capability that probably is more common language that someone would think of as threat hunting.
John Verry (44:18):
Yeah. You speak to an excellent point of the challenge of what do we mean exactly by threat hunting? In my mind, yeah, I agree more with your interpretation that I do think that you could argue scratch that itch, especially because, I mean, I look at threat hunting as benefiting from the wisdom of the herd. Right?
John Verry (44:35):
And in the world of zero day, I mean, if you’re not, that’s as fundamental a concept as the first antivirus product, anything that’s signature based requires somebody to get hurt before we’re all protected. Right?
Steve Ginty (44:49):
You have to know something, right? Yeah.
John Verry (44:52):
Exactly.
Steve Ginty (44:53):
Spend a lot of time looking at Cobalt Strike. Right? You know what I mean? It seems like every attack has Cobalt Strike in it now. And so, how do we fingerprint that? How do we identify that? How do we monitor that infrastructure being stood up so that we can be more proactive to our customer base?
John Verry (45:08):
Right. Yeah. I agree. Cool. So, we’re going to see if, it’s my fault if you’re not, because I didn’t send you this till this morning. Give me a fictional character or real person you think would make an amazing or horrible CISO and why?
Steve Ginty (45:22):
I was going to go with Denzel Washington’s character in Hunt for Red October as an amazing CISO.
John Verry (45:29):
I love that movie.
Steve Ginty (45:30):
I read that question from you and that was the first thing I thought of. So, that was what I was going to go with because he stuck to his convictions even in a really hard and high-pressure situation. And I think having never been a CISO and only being an outside observer, it seems like a job that really takes a lot of conviction and you need to have staying power. So, I salute the CISOs.
John Verry (45:54):
Yeah. I don’t think you can go wrong using a submarine movie for your answer, so well played. Last question. You are in the thick of it and you see an awful lot. Knowing this podcast is listened to by information security and business leaders, any other topics you think would be interesting from your perspective?
Steve Ginty (46:15):
From the vendor seat, we can often get, we drill into our solutions and the way we’re trying to solve a problem. Anything from the trenches is always interesting to me so that I broaden my perspective.
Steve Ginty (46:33):
And then anything from the small and medium sized market that you talked about earlier. What really excites me right now is we’re solving problems for the higher end of security organizations and customers. And as we try to grow our solution, I really want to try to find ways to help solve this problem for those businesses who maybe have one security person. How do we better help them on a daily basis?
John Verry (46:59):
Yeah. And that was why I was excited when I saw what you were doing with Microsoft, because I think Microsoft has done an amazing job of bringing tools and technology to the SMB space that a few short years ago were just the domain of Fortune 500s.
John Verry (47:19):
And every day you go into the platform and they’ve added some other crazy capability and the price… Again, of course, the price goes up and hopefully he’s not listening to me. He’s going to raise all our prices.
John Verry (47:32):
But I mean, when you think about what you pay for a subscription, and you think about what they add into that. I mean, you can go license a project management tool for 30 bucks a month per user with a third party or you can have three or four of them that are built into Microsoft for free, along with the email, along with Office, along with everything else.
John Verry (47:53):
So, if they could figure out a way to leverage what you’re doing, I think altruistically, we would be in a much better place as an ecosystem.
Steve Ginty (48:06):
Yeah, I agree.
John Verry (48:08):
I think the challenge you have, and I completely understand why you’re an enterprise product, right? Because it costs a lot to do what you do. But in a weird way, do you think the average Fortune 500 would benefit more than the average SMB if they could use a product like yours?
John Verry (48:28):
Because I would think the SMBs, I mean, they’re the ones that I see that just don’t have anyone. You go into a good Fortune 500 and they might have a team of 10, or 20, or 50, or 100 people that are doing this, right? 500 people, 1000 people. You get into a typical SMB. And like you said, they might have one guy or maybe not. He’s outsourced or he’s an IT guy that they call an InfoSec guy.
Steve Ginty (48:50):
Yeah. Yeah. It’s a good question. I mean, I think we’ve seen on our attack surface management piece, it’s probably a larger market play overall just because of the assets under management. But from the vulnerability and threat intelligence piece that we’re building up right now, I think there is a good opportunity in the small and medium sized space.
Steve Ginty (49:11):
To your point about block lists earlier and how they’re noisy or that a lot of the stuff we see that we can fingerprint that we know of maybe is only targeting one or two people. If I can get that information or organizations, as you say, if I can get that information into a larger ecosystem like Microsoft, that can proactively alert or block on it and help that one person that maybe is going to get ransomed in a month, that’s a really big deal.
Steve Ginty (49:37):
And so, that’s what I’m excited about is possibly being able to action information at a faster tempo that can help that person that is just one person doing security or IT at a small or medium size business.
John Verry (49:52):
Well, I’m excited and I have my fingers crossed that you can bring this to the masses because working with who I work with every day, I can tell you we could use the help. So, I will keep my fingers crossed for you, sir. You mentioned the community.riskiq.com, I believe it was.
Steve Ginty (50:10):
Yes.
John Verry (50:11):
If somebody wanted to get in contact with you further to ask any questions, how would they do that?
Steve Ginty (50:16):
There is a chat application inside of the platform on the community website. You could also just email support@riskiq and they route everything appropriately. If you’re interested in learning more about the solution, obviously [email protected] can also be used to reach us.
John Verry (50:34):
Awesome. This has been cool. I appreciate you coming on and educating me like I asked you to. So, my razor thin ego will be less bruised the next time somebody uses the phrase threat surface management or attack surface management. I’ll know now. I’ll say Steve told me.
Steve Ginty (50:50):
I appreciate you having me. This was a great conversation.
John Verry (50:53):
All right. Have a good one, Steve.
Narrator(Intro/Outro) (50:54):
You’ve been listening to The Virtual CISO podcast. As you probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.
Narrator(Intro/Outro) (00:06):
You’re listening to The Virtual CISO podcast, a frank discussion providing the best information, security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey there, and welcome to yet another episode of The Virtual CISO podcast. With you as always, John Verry, your host, and with me today, Steve Ginty. Steve, good afternoon, sir?
Steve Ginty (00:37):
Hey, thanks for having me. Excited to be here.
John Verry (00:39):
Cool. Listen, I’m excited to have you on because you use words that I don’t know very well.
Steve Ginty (00:47):
No, not true. Not true.
John Verry (00:50):
Anyone who knows me knows I have a razor-thin ego and I don’t like not knowing something, so you’re going to educate me a little bit here today. So, I’m looking forward to chatting. Before we get going, always like to start easy. Tell us a little bit about who you are and what is it that you do every day?
Steve Ginty (01:03):
Yeah. So, I am the director of Threat Intelligence at RiskIQ and I focus mainly on helping customers understand the attack surface on the internet, what’s internet-facing and how the bad guys may be leveraging those internet-facing assets and vulnerabilities in them to target their organization. And who they are. Who are the bad guys that are targeting them, how bad is the current threat environment and really helping organizations understand their exposure and risk.
John Verry (01:31):
Gotcha. I always ask, before we get down to business, what’s your drink of choice?
Steve Ginty (01:36):
Ooh. I know you said you are a bourbon and beer guy and I would have to say I am as well.
John Verry (01:41):
Right. I thought I liked you already. Somehow I knew.
Steve Ginty (01:47):
So, on the beer side, I’m an IPA person and I am from New England originally, but now in Memphis, Tennessee, and my go-to is Maine Beer Company and their IPAs are fantastic. So, that’s my go-to beer.
John Verry (02:01):
Yeah, you like them big and juicy. You’re a Citra, Mosaic, Simcoe style?
Steve Ginty (02:05):
Yes.
John Verry (02:05):
Yeah. Yeah.
Steve Ginty (02:06):
If it tastes like pine, I’m in.
John Verry (02:08):
Yeah. Yeah. Yeah. My son is in that same realm. He’s gotten me… It’s really funny because we go out often and sample beers, hit either breweries, or we have this fantastic bar by our house that’s got like 30 beers on tap and you can get flights.
John Verry (02:23):
And it’s funny, my kids are now to an age where I drink with them. And it’s interesting because they’ve educated me a little bit, which you wouldn’t… I’m always like, “Nah, I’m not a big IPA fan.” And my son is, so he’s got me into the Citra, mosaic, that style.
Steve Ginty (02:39):
Nice. Nice.
John Verry (02:40):
And my daughter is a, believe it or not, a sours fan. I always hated sours and then I guess I had never drank good sours. There’s a particular brewery called Drowned Lands that she’s a big fan of. I’m now to a point where it’s not my favorite. I still prefer a stout, but I’ll tell you, I won’t turn down a sour now, which is interesting.
Steve Ginty (03:01):
I’m leaning in that direction as well. I would have classified them more as pond water when someone first proposed them to me. But my business partner is a big sour person and he has pushed me to try them every once in a while. And so on a hot day, especially here in Memphis, you really can’t drink IPAs in 110 degree heat. Something with a little bit of sour to it is a nice deviation.
John Verry (03:26):
Yeah. The hottest day I ever spent was a morning in Memphis, Tennessee. That is the most humid… I mean, I’m from Jersey where it gets humid, I’ve been to Houston where it gets humid, Memphis takes it to another whole level.
Steve Ginty (03:38):
It is special. Let’s go with. And I’ve had to get used to it, but I’ve been here for eight years now. And so, I feel like I’m maybe finally acclimating. I don’t know. Next year will be worse. I’ll be like, “What is this?”
John Verry (03:51):
Exactly. So, you use a term, and I wasn’t kidding, it was a term I was like, “Ah, I have to go look that up and see exactly what they mean.” So, tell me about attack surface management. What is attack surface management?
Steve Ginty (04:05):
So, it’s the idea that from outside of your organization, there’s a lot of information exposed on the internet that actors could use to understand your vulnerabilities and find ways into your organization.
Steve Ginty (04:19):
And so, RiskIQ, we focus on helping organizations understand their attack surface. What are all of these assets that are attached to the internet, where are they, what are they, what are they running and how do you more proactively manage them?
Steve Ginty (04:36):
So, everybody’s had internal IT capabilities and spread sheets of things and databases of assets and where they live. But the IT environment of organizations is changing so dramatically now. And even more so with the shift to the cloud, that we try to help organizations understand what their exposure is. And we help answer questions that they may have about their attack surface.
John Verry (05:01):
Gotcha. So, how far does that go down into the, I’ll call it reconnaissance wormhole? You’ve got stuff like… I know we used to do, like we’d look up the way domain names were registered, because there’s ways that you can [inaudible 00:05:16], right? There’s a flag. Something transfer prohibited as I recall, things of that nature.
John Verry (05:21):
Same thing with, you can see challenges with DNS services and things of that nature. So, is it a combination of that and other things that you’re looking at? And is it being done as a one point in time, or is this some type of a, do you consider attack surface management to be a real time ongoing exercise?
Steve Ginty (05:39):
It’s certainly an ongoing exercise. We always start in a point in time now. And so, our idea is we get what we call seeds from organizations. It may be a domain, it may be IP blocks or ASNs that they actually own. And we use those as the starting point of our algorithms that go out and discover everything from our data about an organization.
Steve Ginty (06:04):
So, RiskIQ has collected and indexed WHOIS data. On a large scale, we have a full instance of passive DNS collection that helps us understand domain to IP and historical connection points. And we also have a crawling and scanning infrastructure that goes out and interrogates specific web properties and webpages to understand interactions on them. But also a scanning environment that focuses on fingerprinting ports and services open on IP addresses.
John Verry (06:34):
That latter one sounds an awful lot like a vulnerability and configuration management scanning.
Steve Ginty (06:41):
We’re more passive. So, this is legitimately what service is running on, on this port, on this IP address. And that is it. So, we’re not going full deep scan to understand 100% vulnerable. We’re looking to point you in the right to of the assets that could be vulnerable.
John Verry (07:00):
Gotcha. So, if you’re passive, does that mean you’re not actually talking out to see those particular ports, or are you somehow sitting on firewall logs, or do you have some mechanism by which you can sniff traffic that’s out on the internet to see these communications and see the port destination requests and map things up?
Steve Ginty (07:22):
Yeah. Passive maybe wasn’t the full right word. It is an active scanning environment. We’re not interrogating for full vulnerability.
John Verry (07:31):
Gotcha.
Steve Ginty (07:31):
So, when we’re running those scans, we’re basically saying, “Hey, here’s what we would expect to respond on this port. Are we getting that response? Yes. Port’s open. Yes, we got the appropriate banner back that correlates to X service. And therefore we can then start to make assumptions.”
Steve Ginty (07:49):
So, the Cisco’s vManage vulnerability that came out last week, I can go into our system and say, “Show me everywhere we’ve observed those systems over the past 30 days.” I can’t tell you if it is 100% vulnerable to that remote code execution vulnerability, but I can tell you where they are in your environment or if it’s something you have to be worried about.
John Verry (08:12):
Gotcha. So, I can see where… So, you got one side of it, which I think is more the assets that the organization owns and controls. Right?
Steve Ginty (08:21):
Mm-hmm (affirmative).
John Verry (08:21):
That’s where you’re doing that active vulnerability scanning and staying on top of that. How does it work for the things that they don’t directly control? The information that’s out on the internet that needs to be there, that while they might have control over it, it’s not something that they’re looking at on a daily basis. All right?
John Verry (08:39):
I mean, you register your domain name and you probably never go back to it unless you have to renew it. Right? Or things of that nature. Talk a little bit about that. How is that being done?
Steve Ginty (08:53):
With our scanning environment, we’re looking at webpages and all types of assets. So, it’s not specifically IP and services. We’ll look at hosts and domains and everything as a part of our scanning. And physically, we have a crawling environment that will go on a virtual walk through your webpage and click down through connected links to see how the page interacts.
Steve Ginty (09:15):
So, we’re doing a whole host of information collection. And then we’re just layering filters on top of that information collection for a given customer. So, if you want to know what domains are expiring the next 30 days, you can come in and see that filter inside of our platform, because for our customers, we do more active monitoring.
Steve Ginty (09:36):
So, if you tell us these are important assets to you, we will do more continuous monitoring on a daily or weekly timeframe, all depending on what makes the most sense, so that you can get more information. WHOIS look-ups, expiration dates, SSL certificates that are about to expire.
John Verry (09:54):
Gotcha.
Steve Ginty (09:55):
So, it’s really just, I like to say RiskIQ is a big data company. We do large scale internet data collection. And then our products are just filters on top of that data that let you answer questions.
John Verry (10:06):
Interesting. That makes complete sense. So, do you do the same thing? Do you guys delve into the… You did the internet, do you do the dark web and some of the non-internet specific? Like some organizations, I don’t know if you guys delve into this, where I can give you intellectual property assets, project keywords, things of that nature, and they’ll look to see whether or not this is being talked about on forums or it’s being bled to pastebin and places like that.
Steve Ginty (10:36):
We have a white-glove service that provides that kind of deeper dive into those types of dark web forums and monitoring. And there’s some configuration ability with our platform itself to allow you to monitor for keywords, and social media profiles, and different things that give you that view into dark web forums.
Steve Ginty (10:59):
It’s more on the customer to do that just because it is a, I would say it’s a harder dataset to operationalize, right? There’s a lot of information, there’s a lot of noise but you have to have strong intelligence requirements that you want to answer in order to be effective.
Steve Ginty (11:15):
And so, that usually works best when one of our analysts is sitting down with a customer and understanding really what the aim of their program is so that we can then tailor the system to collect and alert them on things of interest.
John Verry (11:28):
Gotcha. So, is it generally a SaaS service with an option for add-on professional services? That sounds what it’s like, or is there always some level of, like the equivalent of SOC monitoring for SIEM or security information events?
Steve Ginty (11:47):
So, we take the approach of SaaS platform with additional ability to add professional services. We obviously have a big account team and support team that helps you onboard and configure and all those things as a part of getting the platform into your organization.
Steve Ginty (12:02):
As far as it moves into operationalizing that data on a daily basis, you have your account management team that can help. But if you’re looking for a much more tailored approach, we have those services to go along with it.
John Verry (12:15):
Yeah. So, I was looking at your website and you had a phrase there that caught my eye, mapping the internet IP and non-IP space. And it made me think of the work that Bill Cheswick did when he was at AT&T and then he spun that out into a company called Lumeta that a couple of my friends worked at. Conceptually, is that similar to what you’re doing or is it just a turn of phrase, so to speak?
Steve Ginty (12:39):
I think it is similar a bit, but I don’t know enough about the solution to make a full, educated assessment. But yeah, our idea here is that we are trying to map IPs associated to organizations, web properties, social media, really anything that could be used on the internet that bad actors could target your brand with.
Steve Ginty (13:02):
So, we’re going beyond just IP analysis and port and service analysis, which is very important from the vulnerability side, but also the broad scale crawling of webpages to understand malicious injections for credit card skimming or tweets or social media posts that are impersonating a bank or an executive of an organization. So, really trying to provide full visibility to an organization on threats on the internet.
John Verry (13:28):
Gotcha. In the latter, when you were talking about Twitter, are you talking about that you’re monitoring their authorized Twitter account, or you’re monitoring Twitter to look for somebody who is impersonating them, not on their specific account?
Steve Ginty (13:47):
It would be the impersonation aspect. So, we would be looking for… I mean, again, it comes down to working with the client to understand who we’re monitoring. And usually it’s someone high profile within the organization, or maybe it’s a customer service type scenario that they’re looking to service or fake customer service reps. So, we would be able to instrument our collection to alert on discrete keywords, brand names, derivations of brand names, logos, and things like that.
John Verry (14:13):
Okay. Yeah. So, that’s interesting. Cross over into that like you hear this field of reputation management. So, you’re crossing over there. Just out of curiosity, is that different if it’s a B2B versus B2C? So, as an example, right now I’m having a little bit of a problem. It’s not a problem for me, but it’s not a good situation.
John Verry (14:36):
Someone is trying to connect with a lot of people that I know on Facebook using my name and my picture. I put a Facebook page up like 10 years ago to monitor my kids and probably go there about once a year. I’ve never ever posted anything. And all of a sudden I’m getting, “Did you reach out to my wife and ask her about this?” And I’m like, “I don’t have any idea what you’re talking about.”
Steve Ginty (15:02):
What’s going on?
John Verry (15:05):
If somebody was doing those types of activities, and it was somebody that you were monitoring, let’s say the chief executive officer or a COO of an organization, that’s the type of stuff that you would be highlighting as being within this attack surface and something they should be cognizant of?
Steve Ginty (15:19):
Yeah. We could show that someone has maybe wholesale copy and pasted a specific profile for an organization or individual and is using that under maybe a different user name. And therefore work with the customer and obviously the platform to address it and get it taken down.
John Verry (15:39):
Cool. So, we touched on to this point, but let’s just drill into each of them. So, I know that you promote four main use cases. So, let’s talk about that a little bit. Threat and vulnerability intelligence. I know we covered some of that. You want to dig in a little deeper?
Steve Ginty (15:54):
Yeah. So, I mean, we’ve focused on the attack surface management piece and that is a core offering of our business. But we also service a lot of organizations inside threat intelligence, security operations, and incident response. And it’s just a different product set on top of the same data.
Steve Ginty (16:10):
And so, it’s a PassiveTotal investigative platform. And so, what it allows those organizations to do is come in with a suspicious or malicious IP domain, and basically ask us to provide everything we know about that instance across PDNS, malware, WHOIS, our crawling infrastructure, et cetera. And basically allow organizations to make an assessment about, is this thing good or bad, if it’s bad, are there other associations to it?
Steve Ginty (16:39):
Does this IP have other domains on it that may be malicious? And actor-owned, did the actor use the same WHOIS email address and WHOIS to register multiple domains? That analyst-tailored view into our index data allows them to start to answer questions about an attack.
John Verry (16:57):
Gotcha. So, a use case for that would be that I’ve got a SIEM in place, I see a particular IP of potential concern, and either through manual or automated means I’m getting that to you guys. And I have the benefit of not only perhaps the work you’ve done on my behalf relating to that IP, but the work you’ve done for your client base as a whole, right? So, I have the threat intelligence component, right? Where I’m benefiting from the work that you’re doing for other people?
Steve Ginty (17:25):
Yes. And it’s our view of the internet too. Right? So, your prime example of wiring this into a SIEM or another alerting platform is we have the idea of a reputation score. Based on our visibility of the internet, we know certain things are discretely malicious.
Steve Ginty (17:44):
We know there are attributes that make an IP or a domain suspicious, and we know something that is non-malicious. And so, we can help you make that assessment and hopefully help you triage events quicker inside of your organization.
John Verry (17:56):
Gotcha. Back in the day, we used to do a lot of this and we’d use a lot of the open source or even some of the commercial, I’m going to call them, lists for lack of a better word. And we found them to be quite noisy.
John Verry (18:09):
Any special magic to, because I mean, I can remember one example that would happen all the time is we’d have a connection to a known bad acting IP, but that IP would host like 30 websites and one of those websites was the malicious one.
John Verry (18:26):
So, only 1 out of every 30 times that we got that alert was it actually valid. Have you guys figured out any special sauce to minimize that challenge?
Steve Ginty (18:35):
I mean, it’s still a challenge, to be quite honest. A couple of the things we try to focus on are discrete observations. So, since we are doing this crawling and active scanning, we on a daily basis, can observe something as being malicious. And I would say this is more towards domains and hosts, but we add things with high fidelity to any of our block lists.
Steve Ginty (19:00):
So, if we’ve observed this specific host and URL in a phishing campaign, the URL is bad. If we see that host associated with multiple URLs, once it hits a certain threshold, we will promote the host to being on the block list.
Steve Ginty (19:15):
Once we’ve seen multiple hosts associated with the domain, moving up the chain of fidelity so that we’re reducing some of the noise that an organization would see.
Steve Ginty (19:26):
Since we also have this scanning environment, we do have a lot of first seen/last seen observation timeframes. So, we can provide customers with that. To be a little more tailored, specifically around IPs, like you said, there can be a lot of instances of this IP was bad yesterday and is good today. Right?
Steve Ginty (19:46):
And now with cloud environments, I think I was looking at something that was Cobalt Strike two months ago, and today it is part of Slack’s CDN because it’s an AWS IP address. So, I mean, you have to take that into account, and that’s something we grapple with and talk about a lot.
John Verry (20:02):
Gotcha. Yeah. I mean, it’s not a completely solvable problem, but any improvements that can be made over where we were are just hugely valuable.
Steve Ginty (20:13):
Yeah.
John Verry (20:13):
Yeah.
Steve Ginty (20:15):
Yeah. And the ecosystem has changed so much since even I started. And I was really focused more on espionage campaigns and the work I did at VeriSign iDefense. And so, you could have a list of bad domains that were bad for a year plus and very tailored. And now it seems that infrastructure swaps over so fast that it’s very hard to keep up. I guess the time to live of bad is much more compressed now than it was.
John Verry (20:42):
Yeah. Listen, I mean, I always joke around with folks is that, the bad guys take advantage of the technological advances faster than the good guys do. Right? So, they’ve gone to agile, CI/CD of their hacking activities.
John Verry (20:57):
And like you said, I mean, now it’s infrastructure as code and it’s attack stuff as code and they can take it up and pick it up and put it down quicker than we can recognize where they are.
Steve Ginty (21:10):
Yeah. Yeah.
John Verry (21:11):
Interesting stuff. And you mentioned something else that was interesting to me, you said that you provide a block list. Would that be something that somebody would, are you actively involved in blocking outbound traffic or would that be something that they would then inject into their Palo environment or something of that nature?
Steve Ginty (21:28):
It’s more of a list that you would ingest elsewhere in your environment to proactively block. So, we’re not in the blocking game at the moment, although with our visibility and our recent acquisition via Microsoft, we hope we can do more proactively with this information in the future.
John Verry (21:48):
Yeah. Yeah. I’m going to be curious as to hear what you can and can’t tell me about the Microsoft acquisition, but you’re getting ahead of me. You’re getting ahead. Let’s say in your four main use cases because the next one is really intriguing to me.
John Verry (21:59):
Third party risk, of course, is a risk de rigueur, especially now that we talked about whether or not you can get down into the supply chain, right? So, that’s the big thing. That was part of the executive order. We’re talking about [S-PAMS 00:22:12], we’re talking about some phrases and terms we haven’t heard before.
John Verry (22:16):
Tell me a little bit about what you can do there. Not only can you help me manage my third party risk, right? Because you could do the same monitoring that you’re doing for me for a third party that I ask you to do it for. But how far down the chain can you get to fourth party, fifth party? Does that even make sense, given the construct and what you guys are trying to accomplish?
Steve Ginty (22:34):
We’re new to the third party space in really product land. At the beginning of this year, we launched the ability for anybody to come in and look at their supply chain and tell us, “Hey, these are my top 25 suppliers that I’m really worried about. Tell me what you know about their attack surface and where I should be worried.”
Steve Ginty (22:56):
And so, we have built that for organizations to be able to more easily consume their supplier and third party suppliers’ attack surfaces and to make better decisions around risk. We’ve always been in this supply chain scenario because we can tell you about all your dependencies that we know that run in your environment.
Steve Ginty (23:19):
We know that you’re reaching out to AWS when you’re building your site or that this data is stored in an S3 bucket or that Akamai happens to be your CDN or what have you, based on the information we’re collecting with our crawling. So, we’ve always been able to help you understand how large of a supplier footprint you’ve had and how that impacts your attack surface.
Steve Ginty (23:38):
What we’re doing now though is creating discrete insights across those attack surfaces and saying, “Here’s what we know about you and we’re worried about these 10 things. And here are those 10 things layered over your suppliers as well.” So, it’s a one to many mapping.
Steve Ginty (23:55):
Our research team builds these insights, whether it’s the latest vulnerability or whether it’s open source tooling like Cobalt Strike, whether it’s a misconfiguration, I can give you that kind of snapshot into not only your environment, but also all of your suppliers.
John Verry (24:11):
Gotcha. When you say you’re doing an overlay, is that just you’re pointing out the same risks that exist in each environment, or is it more like there’s a really cool tool called RedSeal that will say, “Oh, you have this vulnerability and based on all of the access control lists between a malicious individual and that vulnerability, we can figure out whether or not it can get there.”
John Verry (24:33):
So, are you trying to match up where a vulnerability at one of your suppliers could be leveraged to exploit something in your environment? Is that what you mean by an overlay?
Steve Ginty (24:44):
No. What I mean is we’re trying to templatize the view that we’re giving everybody to make it consistent across organizations. So, it is a dedicated set of insights that I display to you about your attack surface and that you can also dig into about each of your suppliers.
John Verry (25:01):
Gotcha. Now, if let’s say that you got something like a Target or something like Home Depot, right? Both of those had their breaches. They host a lot of extranet systems, which are maybe not necessarily, they might be IP address restricted. So they’re not full internet public.
John Verry (25:17):
Do you guys just do the internet or if they give you extranet access or extranet information, can you also cover that environment as well?
Steve Ginty (25:28):
We are just internet-facing. So, that’s our dividing line. We’ve spent our time perfecting our collection and visibility from the internet-facing assets. And then we partner with endpoints. We have integrations with different endpoint providers. Obviously we’re integrated into Microsoft Sentinel. We have an integration with CrowdStrike’s EDR. And so, we’re partnering for that additional visibility.
John Verry (25:57):
Gotcha. You talked a little bit about vulnerability management before, right? By the fact that you guys are doing some active scanning and identifying open ports and what’s running on them and perhaps where they’re vulnerable. Anything more than that in that front?
Steve Ginty (26:11):
Yeah. We’re trying to create a smaller haystack for organizations to go rifle through when yet another vulnerability comes out. Right? So, it seems like the tempo is daunting at best. And every week, there’s something new to understand and manage. And so, what we are trying to do is point you in the right direction to where that vulnerability may exist in your organization and give you context around it.
Steve Ginty (26:37):
Who’s exploiting? Is there proof of concept code? Are there actors that we know of that are exploiting it? Does it target a specific vertical to help you make better risk decisions around your vulnerability management program, because as security professionals, I think if we go to the vuln management team one more time and tell them that they have to patch this critical RCE, they’re probably gonna all kill us.
Steve Ginty (26:59):
So, we’re trying to make that case easier for organizations to understand the risk profile of a given vulnerability based on that threat intelligence information layered over what we know of the vulnerability, and how big is it on the internet?
Steve Ginty (27:13):
I can see Microsoft’s Exchange was a perfect example. We could see of a corpus of 400,000 Exchange servers a week out from Patch Tuesday, 100,000 were still vulnerable on the internet. And so, we could give you scale of understanding of that vulnerability as well.
John Verry (27:30):
Gotcha. And I’m assuming frequency of update on looking at their infrastructure is daily, weekly, monthly?
Steve Ginty (27:38):
For IPv4, we scan daily across all of IPv4. So, we’re trying to keep as up-to-date as our scanning capacity will allow. And for crawling, it’s a little more ad hoc for non-customers. For customer assets, you can tell us how often you want us to crawl a website and we will queue it into our system to be crawled. So, it could be daily, it could be weekly, it could be monthly depending on how important that site is to you.
John Verry (28:07):
Gotcha. And on the crawling, is that typically a credential crawl or a non-credential crawl?
Steve Ginty (28:13):
These are mostly non-credential crawls, although we do have the ability to do some of that. This is really just, how is the webpage interacting when any normal user would come to it?
John Verry (28:23):
Gotcha.
Steve Ginty (28:24):
To understand code injections, dependencies, et cetera.
John Verry (28:27):
Right. Right. I gotcha. So, it’s not an application security assessment, it’s a website assessment, right?
Steve Ginty (28:34):
Correct. And the original usage for that crawler was malvertising, malicious ads being loaded into websites. It obviously has evolved over time and we spend a lot more time looking at malicious JavaScript injects for credit card skimming now, which seems to be happening all the time.
John Verry (28:54):
Yeah. I would imagine that organizations that do eCommerce would be an ideal customer for you for that feature. Right? Knowing that, like if there’s one of their shopping cart… I mean, shopping carts tend to be third party components that let’s just say have had a couple of problems. Yeah. I don’t know if you’ve ever heard about that.
Steve Ginty (29:16):
No, no, no. Nothing’s wrong.
John Verry (29:18):
Yeah, exactly. So, that would be cool there. And just one last question there. When someone’s interacting with your platform, it’s a very interesting sounding tool. Is it another place where they go when they’re almost on a dashboard and it’s almost like another, it’s not a security information event management, but it’s relevant information, or is it the type of system where they’re pushing feeds and alerts from that to a different system, whether it’s a help desk ticketing system or SIM or JIRA? What’s the workflow look like?
Steve Ginty (29:50):
It depends on the organization. So, it could be either of those. It could be both of those at the same organization. We have a centralized dashboarding area that you can come in and see, keep up-to-date with changing assets, new information, events, workflow management, et cetera. But we also have a full suite of APIs that can feed this information to other applications. If that’s not where you do your primary work.
Steve Ginty (30:18):
So, it really depends on the customer use case. We have the version that is more templatized and the discrete insights is community.riskiq.com and anybody can go and register for an account and have a trial of our Illuminate platform.
Steve Ginty (30:36):
And it’s a combination of this attack surface management capability that we’ve been talking about with also the investigative tool I mentioned earlier, PassiveTotal.
Steve Ginty (30:44):
And it has a portal of open source intelligence articles and vulnerabilities that have been coming out where we go and we extract the pertinent information and extract IOCs, indicators of compromise, for any of this public reporting so that it’s nicely packaged up and you can start pivoting and click and get all that context right away. And then if you want to dig into our data, you can go from there.
John Verry (31:06):
Gotcha. And then I’m assuming that those APIs are super helpful for the next area, which is incident response. So, I’m assuming you are not an incident response platform. I’m assuming you are a source of key information while I’m going through incident response?
Steve Ginty (31:20):
Correct. Yeah. So that analytical tool and PassiveTotal platform is key to our customers who are either internal incident response to an organization, or even we have a lot of security vendors that use our data to then provide additional insight when they’re responding to incidents for their customers.
Steve Ginty (31:37):
So, it could be used either way. It could be used via API programmatically to bulk enrich an incident. It could also be used as a hunting tool to understand this is the group that’s targeting us. These are the IPs and domains that we’ve seen from the infrastructure where their malware is communicating to, what else do we know? Can we find additional infrastructure that that actor may own? And can we proactively block that or maybe put it into a SIEM to alert, to find other hosts inside the environment that may be compromised?
John Verry (32:06):
Yeah. And I can see an interesting way these could all build on each other, and one plus one, plus one, plus one equals four, right? Because that incident response is taking advantage of the threat intelligence that you have from my org and any, all the other orgs.
John Verry (32:23):
You know about my vulnerabilities, so you can tell me whether or not I was vulnerable to the attack that I might be investigating, if you will. And then I would imagine that you could also tell me at the same time, whether or not any of my third parties might be subject to the same risk so that I can reduce my supply chain risk at the same time I’m reducing my risk.
Steve Ginty (32:42):
Correct. And so, they all seem disparate at times. Vuln management and threat intelligence don’t always come together. But I think you’re seeing that shift a little bit more in the market right now.
John Verry (32:55):
Agreed. Because if you really think about it, it doesn’t really matter where the exploit comes from. If you’re exploited, game’s over. Right? So, it doesn’t matter if it happened at headquarters, it doesn’t matter if it happened in a regional office or an overseas operation. It doesn’t matter if it happened in a critical vendor or a critical…
Steve Ginty (33:15):
Exactly.
John Verry (33:16):
And you give me some level, if I give you the right information, you can give me some level of visibility into all that. I mean, there’s no 100%, there’s no fail proof, but I’m going to be in a lot better shape if I’m looking at all that information than if I’m not.
Steve Ginty (33:31):
It helps. Right? Yeah. I mean, the threat environment is very dynamic and is constantly changing, but we can let you answer those questions quicker based on having this information in front of you. When the Confluence vulnerability from two weeks ago came out and some ransomware actors are going to be leveraging this.
Steve Ginty (33:52):
And someone in your C-suite says, “Do we have to be concerned about this?” With some confidence, I can show you where those assets are and help you manage that infrastructure and possibly help you get ahead of it, or at least have that visibility to have some confidence in the decisions you’re making.
John Verry (34:11):
Gotcha. So, you said that folks can trial this. When someone trials it, what’s the most likely oh my God moment when they’re looking at the dashboard? What is it that most people will see that maybe they don’t expect to see or where you’ll identify the most likely problem that you would identify for someone in short order?
Steve Ginty (34:31):
Yeah. I think for major organizations, you can request a snapshot of your attack surface. And we’ll present it in the platform for you to investigate. And the idea is, we know certain things about you and we have built an algorithm that will go out and collect that information based off mainly your email domain.
Steve Ginty (34:55):
So, it’s not going to be all of your assets, but there’ll be high confidence that the assets we are showing you are ones you own. And you’ll probably be surprised at how much we can find out from just that little bit of information. Right?
Steve Ginty (35:10):
And so, I think that usually, for a lot of organizations, is the interesting piece, is with only one or two seeds of information, we are able to discover a decent amount about an organization even without any input. And so, I think that’s always the interesting part.
John Verry (35:28):
I don’t even know if it still exists, but I used to always creep people out by showing them, there used to be a website called The Pipl, pipl.com.
Steve Ginty (35:36):
Mm-hmm (affirmative). Yes.
John Verry (35:37):
Okay. So, almost in the same way that that is, the first time that you hit Pipl with your name, how creepy a feeling that is, and you’re probably going to want to say no, because now I’m calling your product creepy. But just in the same way you-
Steve Ginty (35:54):
[crosstalk 00:35:54].
John Verry (35:54):
Yeah. Just in the same way you’d want to know that all this information is out there about you. It’s the same thing there. People are going to look at that and go like, “Oh my God, how does somebody know all of that about my company from me giving them this one little piece?” Because you just don’t realize how much information is out there.
Steve Ginty (36:12):
It’s true. And so, I mean, the ability for us to do that discovery and present it back to you in a meaningful way, in fairly quick order, right? I think is the surprise. It’s the ability to then action that data.
Steve Ginty (36:25):
And we have it in the platform where we’ll show you the new assets over the last 30 days. We’ll show you anything that we think is potentially vulnerable or that should be investigated. And then we’ll give you the tools to go dig through our data to respond to an incident or to enrich any investigations you’re doing or any kind of incidents or alerts that may be happening.
Steve Ginty (36:48):
And so, it’s a lot of information to hand over because we want people to understand the value proposition, get their hands dirty and really see the value we’re bringing.
John Verry (36:57):
Yeah. It makes complete sense. Actually, I was thinking that there was an equivalent tool for companies, right? Maltego, I think. Probably still is out there. I haven’t looked at it in a while, but same kind of a thing where you give it some information and you’re like, “Oh wow.”
Steve Ginty (37:09):
Yep. We have an integration with Maltego.
John Verry (37:11):
Oh, do you?
Steve Ginty (37:12):
Yeah, for visualizing all of the connected information.
John Verry (37:17):
Oh, I didn’t know that. That’s cool. I haven’t looked at Maltego personally in a long time. I used to do some work in that area. Now they don’t let me do any work anymore.
Steve Ginty (37:27):
It happens.
John Verry (37:27):
My job is to yap with people like you all day.
Steve Ginty (37:31):
It’s not a bad gig. Right?
John Verry (37:35):
So, you mentioned the MS purchase. Right? And I know that very often you, especially with someone like Microsoft, there’s probably some limitations on what you can and can’t tell me. Can you provide any insight into the plans?
John Verry (37:44):
And what I’m also interested in is that, is your tool and your tool and/or through Microsoft, just an enterprise level tool or SMB/SME, is there value there? Is it priced in such a way, or does the move to Microsoft provide… I mean, is it going to get integrated into the Office 365 stack? And I’m going to have some of these wonderful features on my security and compliance dashboards?
Steve Ginty (38:07):
Still to be determined. But I think if you look at the reason that Microsoft acquired RiskIQ, it was twofold. It was for this attack surface management capability and being able to help their customer base better understand their environments and specifically the move to a hybrid cloud environment. How do you help an organization manage that?
Steve Ginty (38:29):
So, that was a very key component of it. And also, the threat intelligence and the research that our team brings to the table to help organizations respond to incidents. So, both of those were key factors in the acquisition.
Steve Ginty (38:42):
For now, we’re still figuring out what that looks like. Right? And so, we have a full integration of our enrichment and threat intelligence capability into Azure Sentinel. So, we are focused in the near term on making that, really polishing that integration to provide a great integration point for our data into the Microsoft Azure ecosystem immediately.
Steve Ginty (39:06):
And that’s our near term goal. And then obviously, the excitement piece you kind of hit on it is, RiskIQ’s primary customer base was Fortune 500, Global 2000. So, I think the exciting component is, how do we bring this to a larger market?
Steve Ginty (39:22):
And I think the thing, obviously that Microsoft brings is scale. And so, we’re really excited about that and see how we can scale out this capability to provide this service to more organizations.
John Verry (39:35):
Yeah. I mean, I could see so many integration points with the Sentinel SIEM solution that you just think to yourself like, “Wow, okay. That would be sexy.”
Steve Ginty (39:44):
Yeah. We’re really excited about that as our first entry point. Here’s my plug, if you are an Azure Sentinel customer right now, the Logic App is live in the store. So, you can go and add it into your instance. We were working with them as a strategic partner pre-acquisition to get that deployed. And now we’re working to revamp it and make it even better.
John Verry (40:07):
Gotcha. Excuse my ignorance. When you’re on Azure and you plug in your app, does that come along for the ride or is that a charge?
Steve Ginty (40:14):
It would be for enterprise customers, because it’s going to be hitting our API at significant limits.
John Verry (40:21):
Oh, I gotcha. Okay. So, if you’re already a customer, then what you’ve done is you’ve basically integrated directly into the Azure environment on their behalf?
Steve Ginty (40:28):
Correct.
John Verry (40:29):
Gotcha. That’s really cool.
Steve Ginty (40:31):
But there’s a way to, you can play around with it. With the free trial, you do get some API access so you could see how that workflow would work. There are discrete workbooks and everything. So, there is value to testing it out, but if you’re going to implement it in its full force, you’re going to need a license so that you can get the benefit of all the data.
John Verry (40:52):
We beat this up pretty good. Anything else we missed? Anything else that you want to discuss with regards to your solution?
Steve Ginty (40:59):
No. I mean, I think this has been a great back and forth. I definitely appreciate it. The key piece is that anybody can go to community.riskiq.com and see what we have to offer at a free and trial level.
Steve Ginty (41:15):
So, we’ve always had a community component. So, even if you do the trial and it’s not something you’re ready to pull the trigger on as an organization, you can still be a community member and get limited access to the data each month. And so, we don’t just shut off the spigot. It turns to a little bit of a slower run, but you get that benefit of still having access to some of that data.
John Verry (41:39):
Gotcha. And is there a specific vertical, whether it’s SaaS, cloud service provider, legal firm, government entity that you think the solution provides a particularly compelling value proposition?
Steve Ginty (41:57):
So, it really depends on the product. And so, with our attack surface management capability, it has traditionally been Fortune 500 and financial institutions that have a lot of infrastructure to manage.
Steve Ginty (42:11):
But we built this, what we call Illuminate, which is more of a discrete one-to-many solution for these attack surfaces that I think has broader applicability to a lot of organizations who just want some situational awareness of what does my attack surface look like, what’s the low-hanging fruit? Where should I dive in?
Steve Ginty (42:32):
And so, I think we’re trying to broaden that reach to really any organization that wants to start to manage this. And then on our PassiveTotal product which is the threat-hunting piece, it’s really cross market, honestly. Anyone who has a team of security analysts investigating suspicious incidents can get value out of it.
John Verry (42:53):
Gotcha. And you’ve used the term threat a couple of times. Would you say this provides threat hunting? Because one of the things that unfortunately drives behavior these days are vendor due diligence questionnaires people have got to answer. Right? Yeah.
John Verry (43:07):
So, do you have a vulnerability and configuration? Do you have two-factor authentication? Now we’re starting to see, do you have threat-hunting capability, right? And that’s one of the things that are mentioned in CMMC as well. If I asked you, do you think that you scratch the threat-hunting itch with your threat intelligence data?
Steve Ginty (43:24):
I mean, I think it’d be a question mark. Right? How do you define it? I mean, I just used it, right? And it probably means something totally different to me than it does to whoever’s filling out that questionnaire.
Steve Ginty (43:37):
We provide a threat hunting capability in that if you know infrastructure that bad actors use, you can find new infrastructure that they are standing up on a regular basis and proactively block it.
Steve Ginty (43:47):
And so, my term of threat hunting is, we have the ability to monitor some of these IPs, some name servers, things that we know are often used by specific actor groups and see their new infrastructure for X campaign start to appear and proactively block that.
Steve Ginty (44:04):
We would not provide a threat hunting service in the traditional vein of digging through your network traffic and data and internal capability that probably is more common language that someone would think of as threat hunting.
John Verry (44:18):
Yeah. You speak to an excellent point of the challenge of what do we mean exactly by threat hunting? In my mind, yeah, I agree more with your interpretation, and I do think that you could argue it scratches that itch, especially because, I mean, I look at threat hunting as benefiting from the wisdom of the herd. Right?
John Verry (44:35):
And in the world of zero-day, I mean, if you’re not, that’s as fundamental a concept as the first antivirus product, anything that’s signature-based requires somebody to get hurt before we’re all protected. Right?
Steve Ginty (44:49):
You have to know something, right? Yeah.
John Verry (44:52):
Exactly.
Steve Ginty (44:53):
Spend a lot of time looking at Cobalt Strike. Right? You know what I mean? It seems like every attack has Cobalt Strike in it now. And so, how do we fingerprint that? How do we identify that? How do we monitor that infrastructure being stood up so that we can be more proactive to our customer base?
John Verry (45:08):
Right. Yeah. I agree. Cool. So, we’re going to see if, it’s my fault if you’re not, because I didn’t send you this till this morning. Give me a fictional character or real person you think would make an amazing or horrible CISO and why?
Steve Ginty (45:22):
I was going to go with Denzel Washington’s character in Hunt for Red October as an amazing CISO.
John Verry (45:29):
I love that movie.
Steve Ginty (45:30):
I read that question from you and that was the first thing I thought of. So, that was what I was going to go with, because he stuck to his convictions even in a really hard, high-pressure situation. And I think, having never been a CISO and only being an outside observer, it seems like a job that really takes a lot of conviction and you need to have staying power. So, I salute the CISOs.
John Verry (45:54):
Yeah. I don’t think you can go wrong using a submarine movie for your answer, so well played. Last question. You are in the thick of it and you see an awful lot. Knowing this podcast is listened to by information security and business leaders, any other topics you think would be interesting from your perspective?
Steve Ginty (46:15):
From the vendor seat, we can often get, we drill into our solutions and the way we’re trying to solve a problem. Anything from the trenches is always interesting to me, so that I broaden my perspective.
Steve Ginty (46:33):
And then anything from the small and medium sized market that you talked about earlier. What really excites me right now is we’re solving problems for the higher end of security organizations and customers. And as we try to grow our solution, I really want to try to find ways to help solve this problem for those businesses who maybe have one security person. How do we better help them on a daily basis?
John Verry (46:59):
Yeah. And that was why I was excited when I saw what you were doing with Microsoft, because I think Microsoft has done an amazing job of bringing tools and technology to the SMB space that a few short years ago were just the domain of Fortune 500s.
John Verry (47:19):
And every day you go into the platform and they’ve added some other crazy capability and the price… Again, of course, the price goes up and hopefully he’s not listening to me. He’s going to raise all our prices.
John Verry (47:32):
But I mean, when you think about what you pay for a subscription, and you think about what they add into that. I mean, you can go license a project management tool for 30 bucks a month per user with a third party or you can have three or four of them that are built into Microsoft for free, along with the email, along with Office, along with everything else.
John Verry (47:53):
So, if they could figure out a way to leverage what you’re doing, I think altruistically, we would be in a much better place as an ecosystem.
Steve Ginty (48:06):
Yeah, I agree.
John Verry (48:08):
I think the challenge you have, and I completely understand why you’re an enterprise product, right? Because it costs a lot to do what you do. But in a weird way, do you think the average Fortune 500 would benefit more than the average SMB if they could use a product like yours?
John Verry (48:28):
Because I would think the SMBs, I mean, they’re the ones that I see that just don’t have anyone. You go into a good Fortune 500 and they might have a team of 10, or 20, or 50, or 100 people that are doing this, right? 500 people, 1000 people. You get into a typical SMB. And like you said, they might have one guy or maybe not. He’s outsourced or he’s an IT guy that they call an InfoSec guy.
Steve Ginty (48:50):
Yeah. Yeah. It’s a good question. I mean, I think we’ve seen on our attack surface management piece, it’s probably a larger market play overall just because of the assets under management. But from the vulnerability and threat intelligence piece that we’re building up right now, I think there is a good opportunity in the small and medium sized space.
Steve Ginty (49:11):
To your point about block lists earlier and how they’re noisy, or that a lot of the stuff we see that we can fingerprint, that we know of, maybe is only targeting one or two people. If I can get that information, as you say, into a larger ecosystem like Microsoft that can proactively alert or block on it and help that one person that maybe is going to get ransomed in a month, that’s a really big deal.
Steve Ginty (49:37):
And so, that’s what I’m excited about is possibly being able to action information at a faster tempo that can help that person that is just one person doing security or IT at a small or medium size business.
John Verry (49:52):
Well, I’m excited and I have my fingers crossed that you can bring this to the masses because, working with who I work with every day, I can tell you we could use the help. So, I’ll keep my fingers crossed for you, sir. You mentioned community.riskiq.com, I believe it was.
Steve Ginty (50:10):
Yes.
John Verry (50:11):
If somebody wanted to get in contact with you further to ask any questions, how would they do that?
Steve Ginty (50:16):
There is a chat application inside of the platform on the community website. You could also just email support@riskiq and they route everything appropriately. If you’re interested in learning more about the solution, obviously [email protected] can also be used to reach us.
John Verry (50:34):
Awesome. This has been cool. I appreciate you coming on and educating me like I asked you to. So, my razor thin ego will be less bruised the next time somebody uses the phrase threat surface management or attack surface management. I’ll know now. I’ll say Steve told me.
Steve Ginty (50:50):
I appreciate you having me. This was a great conversation.
John Verry (50:53):
All right. Have a good one, Steve.
Narrator(Intro/Outro) (50:54):
You’ve been listening to The Virtual CISO podcast. As you probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.