ITSPmagazine Podcasts

Beyond Traditional Pen Testing for Continuous Risk Assessment | A Brand Story Conversation From RSA Conference 2024 | A Hadrian Story with Rogier Fischer | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Dive into the complexities of modern cybersecurity with Sean Martin and Hadrian co-founder Rogier Fischer as they explore how advanced AI-driven tools can outsmart traditional methods in vulnerability detection and risk management. Learn how Hadrian’s innovative event-driven architecture and selective AI application are revolutionizing the way organizations protect themselves from ever-evolving threats.

Episode Notes

In the latest episode of the Redefining CyberSecurity Podcast, host Sean Martin engages with Rogier Fischer, co-founder and CEO of Hadrian, to delve into the evolving landscape of cybersecurity. The discussion navigates through the intricacies of modern cybersecurity challenges and how Hadrian is providing innovative solutions to tackle these issues. Sean Martin sets the stage by emphasizing the importance of operationalizing cybersecurity strategies to manage risk and protect revenue. Rogier Fischer shares his journey from an ethical hacker working with Dutch banks and tech companies to co-founding Hadrian, a company that leverages advanced AI to automate penetration testing.

Fischer highlights the limitations of traditional cybersecurity tools, noting they are often too passive and fail to provide adequate visibility. Hadrian, on the other hand, offers a proactive approach by simulating hacker behavior to identify vulnerabilities and exposures. The platform provides a more comprehensive view by combining various aspects of offensive security, enabling organizations to prioritize their most critical vulnerabilities.

One of the key points Fischer discusses is Hadrian's event-driven architecture, which allows the system to detect changes in real-time and reassess vulnerabilities accordingly. This ensures continuous monitoring and timely responses to new threats, adapting to the ever-changing IT environments. Another significant aspect covered is Hadrian's use of AI and machine learning to enhance the context and flexibility of security testing. Fischer explains that AI is selectively applied to maximize efficiency and minimize false positives, thus allowing for smarter, more effective security assessments.

Fischer also shares insights on how Hadrian assists in automated risk remediation. The platform not only identifies vulnerabilities but also provides clear guidance and tools to address them. This is particularly beneficial for smaller security teams that may lack the resources to handle vast amounts of raw data generated by traditional vulnerability scanners. Additionally, Hadrian's ability to integrate with existing security controls and workflows is highlighted. Fischer notes the company's focus on user experience and the need for features that facilitate easy interaction with different stakeholders, such as IT teams and security engineers, for efficient risk management and remediation.

In conclusion, Rogier Fischer articulates that the true strength of Hadrian lies in its ability to offer a hacker’s perspective through advanced AI-driven tools, ensuring that organizations not only identify but also effectively mitigate risks. By doing so, Hadrian empowers businesses to stay ahead in the ever-evolving cybersecurity landscape.

Learn more about Hadrian: https://itspm.ag/hadrian-5ei

Note: This story contains promotional content.

Guest: Rogier Fischer, Co-Founder and CEO, Hadrian [@hadriansecurity]

On LinkedIn | https://www.linkedin.com/in/rogierfischer/

Resources

View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. You're very welcome to a new brand story episode here on ITSPmagazine. This is Sean Martin, host of the Redefining Cybersecurity podcast, where I get to talk about all kinds of cool things, cyber and the cool people behind, uh, behind the programs and the products and the tools and all the good things that are going on in our industry. And as you know, if you listen to the show, it's all about how to take something and operationalize it for the benefit of the business, uh, just to manage risk and, and, uh, reduce exposure. Those are important pieces, which we're going to talk about today, but it's all in, in the, in the, in the support of generating revenue and protecting that revenue when we generate it. So I'm thrilled today to have Rogier Fischer on. Good to see you.

Rogier Fischer: Very nice to be here, Sean.

Sean Martin: The pleasure, pleasure to have you on, and I'm excited to, to learn more about Hadrian and, and its inception and the, uh, the challenges that you help teams [00:01:00] overcome. Before we get into what you actually do as the, uh, co-founder and CEO of the company, um, maybe a quick look back to some of the things you've done working up to, uh, launching Hadrian.

Rogier Fischer: Yeah, very quickly. Um, so I started out as an ethical hacker, I think as, as a lot of people in this industry do start out, when I was a teenager, uh, primarily focused around Dutch banks, but got my street cred on some of the hall of fames of the larger tech companies as well. Um, I really enjoyed offensive cybersecurity or ethical hacking because it feels like you're solving puzzles. It's, it's, it's technically complicated, but at the same time, there is, there's a very clear goal and sometimes a bit of an adrenaline rush when you finally find something. Um, so yeah, spent, spent quite a, quite a lot of teenage years there. Um, and rolled into the cryptocurrency game afterwards, started my own cryptocurrency [00:02:00] exchange in 2012, which turned out, um, in hindsight, was a very good time to start a cryptocurrency exchange. Um, so from 2012 to around 2020, I built that company until it was acquired, um, and it became relatively big. We were around 50 people managing, uh, slightly more than a billion in crypto assets under management. Um, yeah, so the company got acquired by, by a competitor and I left, uh, and about a year later I started Hadrian together with, uh, with some good friends of mine that I used to, uh, used to hack together with as seniors as well.

Sean Martin: Nice one. And when you're hacking, I mean, let's just, uh, let's just say what Hadrian does, cause you, you, uh, you basically help companies eliminate the risk exposure, right? Or minimize the risk exposure. I don't know if we ever get to a hundred percent, but I presume you, you, how you view this problem is deeply rooted in how you attacked, [00:03:00] attacked organizations when, uh, when you were working as a hacker.

Rogier Fischer: Oh, yes. A hundred percent. So, so also you won't, you won't hear me claim that we, we solved the problem completely of cybersecurity. I don't think there's, there's any such company out there. Um, what I, what I think is what we can give you is a, is a piece of visibility of how you look like from an attacker's point of view, right? That's where our experience lies. And that's what we automate with Hadrian, where we, we believe that by building tooling and then applying AI, um, to automate some of these steps as well, um, we, we can reach a certain scale of testing that, that traditional methodology just can't, traditional pen testing or traditional vulnerability scanning, um, which gives you visibility of some of the exposures that you have. It's not even about remediation yet. I think that that's a very solid next step, but it's, it's about getting visibility, prioritizing those things that matter most. Um, and then giving the, [00:04:00] the, the customer the tools to remediate that as well. So giving them clear guidance on how to solve some of these problems.

Sean Martin: So what are some of the, the areas? Well, let me pour it for you there. What, what was the, what was the drive to start the company? Was it something you kept seeing over and over and over, an experience you had, or something your co-founders? Um,

Rogier Fischer: Yes, it was, it was actually something that Oliver and I, we, I mean, Oliver went on to join another cybersecurity startup after his hacking career, um, and, and basically continued his hacking career, whereas I went into the cryptocurrency startup. Um, but we both noticed that the tooling there that, that we used to exploit a lot when you were hacking manually, which was primarily reconnaissance and, and, and basically finding a full attack surface, and then actually using tooling to, to attack those as well. Um, we, we noticed that a lot of the existing tools in the market, they [00:05:00] were too passive in nature, right? They were a bit too worried about actually launching attacks because, well, inherently these tools were more or less focused on, uh, third party risk management or, or gaining just a very light touch view of, of your map of your attack surface. So what we know

Sean Martin: is that they're afraid of knocking something over.

Rogier Fischer: They're afraid of knocking something over, or they're not confident enough on, on whether what they've discovered belongs to you, and therefore they're not sure if they're allowed to actually run a penetration test on them, right? Because those are more intense and could be illegal to run on just a random asset. So, so there's a higher degree of certainty required to actually do the automated pen testing part, uh, than if you were just doing the passive scanning. So the problem with passive scanning is it generates a ton of data, which can be super interesting if you have a team of 20 to go through it and actually monitor it. All right. So you, you saw, especially in the finance sector, large security teams being able [00:06:00] to actually extract a lot of value out of these tools. Um, but in reality, the, the, the smaller security teams, especially in industrials and, and in other small and medium enterprises, uh, you saw them not being able to really extract the value out of traditional ASM tooling. Um, and that's where actually the automation that follows the actual, uh, comes in, where you, you can combine multiple aspects of offensive security to basically automate the work for them in advance. You know, people can still interact with the data as they used to before, so they can still have a full view and map of their attack surface. But more importantly, they get a pre-digested understanding of what that data actually means to them and what exposures they, they are exposed to.

Sean Martin: And how, how much detail? You said some of the existing tools or legacy tools may not go deep enough or broad enough and may not capture enough. Um, what are some of the things that you [00:07:00] bring into the picture that gives additional context, additional information, additional intelligence, uh, to really help paint a picture that's, that's

Rogier Fischer: So there's two important elements to that. The first one is just the enrichment based on AI context. And, and why I'm saying AI in context: I don't like the word AI. At Hadrian, we have a very strict policy to only apply AI whenever it actually suits a purpose, right? Because in reality, every time you use AI, you add a lot of computational resource, but you're also adding a lot of statistics around false positives, right? You don't know what's exactly going on. So you only add AI whenever you feel it, truly feel a need that this adds value to the outcome. So AI is great at, and especially machine learning is great at, at being trained to understand context. So whereas existing tools are, what I would say, one dimensional, they just run a test and the test is pre-written, [00:08:00] very well defined, but also not very flexible. If slight changes or firewalls in, in, in front of the asset, uh, you'll see that the results might vary and it's very prone to false positives. If you add AI into that equation and you can basically create specific and custom tests for your, your customers' environments, uh, you'll be able to massively reduce the false positives, but you'll also be able to massively reduce the amount of tests you will have to run anyway. Because of the context that you already know about the asset, you know that the majority of some of these tests are completely useless. So that's one. The second part is around being able to chain together multiple aspects of security testing into basically a, a, an attack chain that exploits a whole lot of problems at once. So I think ProxyShell is probably the most, most, uh, clear example of this, where, uh, in order to, to exploit a ProxyShell attack, you abuse three different, uh, [00:09:00] vulnerabilities. Traditional vulnerability scanners are very good at identifying the individual vulnerability. And they will run a scan, get a true or false on that, uh, test result, and then, you know, whether you're vulnerable. But you're seeing now more and more that the automated pen testing tools in the market, such as Hadrian, they're able to chain these attacks in, in, in parallel or in linear fashion, um, in order to execute them fully. And again, here is where AI comes into play, because there is a requirement of a certain flexibility of how these tools can be chained together. Um, and, and again, you want to predict the best way to, to accomplish that. Um, and, and this is something again,

Sean Martin: On that point, meaning what, um, meaning how the, the attacker would normally put them together, or how, how they, how you'd put them together in your environment?

Rogier Fischer: So, so in, in, in reality, once we're in, [00:10:00] in one way, that's our main focus. So we will not try and prioritize them. There, there, there's multiple different ways, but automatically, inherently in how the system works, you'll try many, many different permutations of different attack paths. And that's, again, something that, um, is allowed by understanding that context, because you know what to test for, right, in reality. So let's look at, let's say, in theory, you have about 500 next steps, potential next steps that can happen after you run a test. Um, if you have five or six of those steps, you already can imagine that the amount of permutations and possible iterations are going to be trillions. You don't have your own cloud capacity for that. Cloud costs will go through the roof, but also on the customer end, they will not, they will not necessarily appreciate you running that amount of testing, right? Especially if you want to be able to do this on a continuous level. Um, like, like we try to do it with Hadrian. You basically have to, um, build a certain statistical relevance, understand what is, what is needed to test [00:11:00] for right now and what is most likely to re-, to result in a, in a positive outcome, a positive outcome being a successful breach.

Sean Martin: And successful can be what? Exploitable, currently exploited, um, signs of, indicators of compromise. Um, all of those things.

Rogier Fischer: It's a good question. No, it's not all of those things, because it's, it's a very proactive tool, so to say, right? So we, we do not detect when you've been breached. We're, we're, um, equivalent to manual penetration testing, but then at an automated scale, hence we would always be able to give you insights around how somebody can breach you. Um, we do have our own threat intelligence integrated as well. So whenever we find a way to get into your environment, we can also say, look, there, there are threat actors that are currently exploiting vulnerabilities like these, uh, but we, we cannot determine whether you [00:12:00] are actually actively being exploited right now.

Sean Martin: Got it. So, so a view of where, where the exposure is, um, and the ability to, yeah, paint a full picture of that exposure based on a collection of vulnerabilities that, that you've uncovered. Exactly. And what you'll figure

Rogier Fischer: Out, which you'll figure out. And what we, what we see constantly is that on average, companies that we work with, they have tens of thousands of CVEs exposed to the internet, which is what traditional attack surface management tools have been telling them. Um, in reality, when you go and actually try and exploit those CVEs, or combined CVEs that, that rely on multiple things happening at the same time, uh, you'll see that there's probably less than 50 that are actually leading to direct exposure to the company. And that's on top of the idea that a lot of, uh, well, a lot of exposure doesn't come directly from CVEs or vulnerabilities. I'd say that probably around one in five of our critical [00:13:00] findings are just exposed files and credentials, um, on, on sensitive parts, heap dumps that are exposed, uh, backups that are exposed. And all of these things that I tend to think that perhaps a vulnerability scanner might pick up, but traditional attack surface management would not. They often don't even load the DOM of a page. Um, and therefore it often falls into this gap where nobody's really looking for it, nobody's really monitoring for it, but it leads to a lot of risk and exposure and, and, and obviously sometimes even very low hanging fruit in terms of data breaches.

Sean Martin: So talk to me a bit about, cause you mentioned, uh, continuous or at least regular, um, assessments and scanning. The, we both know, uh, an environment isn't static, right? Things are changing there, um, data's changing, systems are changing, being added and removed. And of course on the other side, uh, threats aren't, uh, uh, slowing down. So exploit, exploitations [00:14:00] are, are constantly changing, the way they attack, the, the, the way they connect different exploits to, to, to do their deed changes as well. How does what you do at Hadrian kind of help stay on top of that? So you have a continuous, but not, then just an ever, never ending, growing list of stuff.

Rogier Fischer: No, it's a, it's a very good question. And especially that your point around environments not being static, right? They change a lot. Um, and that's also one way, one manual pen test that you do every quarter or sometimes even every year, they tend to, to, to have problems slip through the gaps during that year, or they, you introduce problems that you might only figure out much later. So one of the most important modules that we've developed. So, so our, our, our system is completely modular and all those modules, they, they can interact with each other. One of the first modules that we developed, it's just a detection for change. Just to understand, has something changed on this asset? And we run that every [00:15:00] day. If nothing has changed, we will not rerun all of the tests that we've already done, but if something has changed, we, we might decide, oh, well, basically we're seeing that, I don't know, the, the, the server IP has changed, or we, we detect a different type of technology supporting, um, this environment, and then you restart, basically, your, your whole, um, scans. And, and we, we call this an event driven architecture, where we basically have these events that, that can trigger, um, and that can also then interact between these different modules. An event can be something very simple as, as a port opened up, and therefore we want to retest something. The event can also be external, like you said, where we've already mapped you and done like the, the, the old school attack surface management software. We know what type of technology you're running somewhere. And, and at some point there comes out some news around, I don't know, Fortinet or Palo Alto releasing a zero day into their VPN software. At that point, we already know where you would be running that software. So whenever our threat intelligence implies, look, we have [00:16:00] this new vulnerability, you need to start testing for this, um, we know already exactly where to test for it. And we trigger an event that will only retest that asset for that vulnerability. So instead of doing the whole exercise again, you want to be very specific in what you do, because if you are very specific in what you do, you can do it far more often, and thereby, um, you can reach that, that, that almost continuous level of monitoring.

Sean Martin: So, a big part of this, um, clearly, if you, depending on how you have your controls set, you might mitigate some of this stuff with, with some controls and, uh, yeah, firewall settings, things like that. Um, but sometimes you can't get away from the, the need to patch. And we've seen things like log4j and others where teams scramble to find them all everywhere and patch them all everywhere, and it may be, may not be [00:17:00] that they need to do all of them in every place, right, all at once. Might be based on business need, might be based on exploitability, might be, yeah, there might be a piece missing in the, in the attack chain, right? That says, well, they might pop that, but they're not going to get anywhere because of your, your specific environment. So how, tell me how teams that you work with are levering, leveraging what you provide them to be smarter in how they approach their, their patch management program and then other, other mitigation programs.

Rogier Fischer: So, so the first, first things first, they use the data just to gain visibility, right? Because that's the first thing that they want, just to understand what, what risks am I actively taking? What decisions am I making? And because if you don't have the data to even, you know, understand where you might be exposed, where you might run the log4j type software, um, then, [00:18:00] then you are nowhere and you can't even make a proper risk assessment, right? So the first thing is just, just knowing what data you have exposed to the internet, knowing where you might be exposed. And then the second part of it is actually that, that exploitability, which is so crucial to understand, whether we were able to autonomously create an exploit and execute that or not. It's a huge driver for priority, because quite frankly, if we were not able to, it's, I will never exclude that it's not possible. It's just that it's, it means that most likely it's, it's far more complicated. And from an automated fashion, you're most likely not going to receive an attack that way. You still might be attacked by somebody manually, but obviously the vast majority of attacks on the internet, they happen already in an automated fashion. So you want to be at least, you're sure that you're, you're, well, relatively safe against those ones. Um, and again, that ties back into the, to the prioritization, because if there are automated ways to, to get into those systems, and we do find a way to exploit the log4j vulnerability [00:19:00] or something like that, then obviously that, that also tells exactly the opposite of the story. We're saying, look, if we can ultimately exploit it, there's at least a hundred threat actors out there that are also running internet wide scans on this specific vulnerability, trying it in a specific manner. Um, and, and one of them is surely just as capable as we are in terms of building our, our, our, our automation around this. So in that, in that sense, it, it gives them feedback that they should probably look at that one first.

Sean Martin: Yeah. It makes perfect sense. So as we wrap here, um, one of the things that always sticks in my mind is we do, there's a lot of work, right, involved. There, there are analysts, uh, there, there are teams working together. Uh, you have to collaborate with IT. You probably have a SIEM team, SOAR team. You're, you're organizing things with IT as well in the SOC. Um, [00:20:00] it, it, for me, it comes down to how, how do you communicate, or how does, how do the customers you work with communicate to whomever cares that what we're doing matters, right? And there's the, I don't necessarily like the MTTR, MTTD, all that, all that stuff. But how do you say,

Rogier Fischer: This is probably the, one of my biggest mistakes when starting Hadrian as a company, is, is underestimating this part of the problem. Whereas, look, my background was an ethical hacker. I wanted to ethical hack. I wanted to reach scale. I wanted to provide you with insights. And the first year and a half, when we built our platform, um, we didn't focus on, on that part of the user experience. We didn't focus on providing the user with tools to interact and integrate into existing security controls. And what we noticed was that even though people were buying our software for the findings, um, the, the main feedback that [00:21:00] kept on coming was like, okay, so, but it would be so useful if I can just automate some of the workflows from this, where we were like, yeah, but we're automating the hacking part, and then afterwards, I just want to integrate into your ticketing system and good luck with it. Um, and what, what, what we learned is that often, especially for large conglomerates, subsidiaries, etc., they also don't have proper ticketing systems, and they don't often, don't, they don't even have their own proper security controls to the level that I would expect them to have them sometimes. And what we ended up saying about a year ago, um, was, okay, we're going to have to focus on building features where, um, you basically take control over the risk management into the platform. One of the first things we launched was just a secure share feature, where you can give any email in your organization access to one particular risk, not the rest of the platform. And that person can then interact on that page, on that risk, as if they were a user of our platform. And, and this is exactly how you, what you gave as an [00:22:00] example. If you, if you're a security engineer, you're not part of, of a very large IT team. Usually you're, you're part of a separate team. The IT person of, of one of your offices will end up having to resolve the fact that there is a Windows machine outdated, right? So you want them to interact with the platform, because you don't, you don't want to share these things over email, but you also don't want to give them full access to, to the risk and, uh, full access to the platform and all the other risks. Um, so about a year ago, we, we really started building features around the workflows that come with risk remediation. Um, and, and I think what, what our next step is in that direction is also to, to automate some of the risk remediation itself, like you gave examples of integrating into firewall software to block potential attack paths or at least break attack chains in a certain way. Right. So that, that's not, that's not in the platform right now, but I can envision that that will be where we're heading with this automation of workflows around, uh, risk remediation. [00:23:00]

Sean Martin: I love it. Uh, it's, uh, it's cool stuff. I, uh, I think you're onto something here, obviously. Um, and I appreciate you telling this story. I mean, just the, I mean, there are no lack, no lack of tools, let's be honest, right? And to your point, uh, they create a lot of noise and, and they're not as, not as proactive as they should be. And what I'm hearing is that what you're working on is automating the mindset of the hacker, and uncovering the vulnerabilities, but taking it again from the mindset of a hacker and chaining those vulnerabilities intelligently to say these things can be chained together to, to create additional exposure and be exploitable. And, uh, that, that intelligence and that knowledge, uh, I can only imagine is super helpful.

Rogier Fischer: Exactly. Right. And, and I think the big, big chunk there is, is that the, the, the [00:24:00] tooling that allows us to accomplish a lot of this is, is the recent advancements in AI. Right. I, I, I'm not an AI expert myself. We have them in our team, but the fact that we were able to basically generate all these context modules and we'll be able to, to assess what an asset even entails, even predict the importance of some of your assets based on, on the interaction you have on your website, that allows us to, to really help you with that prioritization, but also with chaining those attacks, uh, those from a bit together, knowing what, what might be relevant to what.

Sean Martin: And for the change management, I think that's another big, big area, or event driven, uh, reassessments, if you will, based on changes internally or externally, uh, yeah, huge, huge, uh, insights there as well. Well, Rogier, thank you, uh, for sharing this Hadrian story with us. I'm, uh, I'm certain people listening are trying to figure out [00:25:00] how do I, how do I get my hands on this and fold it into my program? Uh, you want to, of course, we'll include links to, uh, to your website and we'll, uh, this story and any others you choose to share with us and whatnot, we'll include in the show notes. Um, but final word for you, call to action, people, how people can connect with you and the team and, uh, get their hands on a, on a demo or

Rogier Fischer: Sean, thank you so much for your time and having me on the, on the show here. I really appreciate your, your questions. I had a great time. Um, look, we're going to be at many conferences and, and we're always ready to speak, um, also very easy for us. Look, one of the biggest advantages of a tool like Hadrian is that it runs completely external to your environment. So a POC or a POV doesn't require any time and interaction from your side. And the only thing that we expect from you is that you, you remediate some of the findings that we'll present to you. Uh, but you most likely will be interested in that yourself as well. [00:26:00] Um, so please reach out if you feel like your existing attack surface management is, is not helping you enough in, in that prioritization question, and, uh, and we'll be able to help you.

Sean Martin: Perfect. All right. There you have it. Everybody, uh, connect with Rogier and the, and the Hadrian team and, uh, get your assessment started. And I do appreciate everybody listening and watching, uh, this brand story here on ITSPmagazine. Appreciate Hadrian telling the story with all of us. Uh, keep all, everybody. Thanks again, Rogier.

Rogier Fischer: Thank you, Sean. Bye bye.