ITSPmagazine Podcast Network

Innovations in Autonomous Penetration Testing and Continuous Security Posture Management | 7 Minutes on ITSPmagazine | A Short Brand Innovation Story From Black Hat USA 2024 | A Horizon3 Brand Story with Snehal Antani

Episode Summary

Dive into Horizon3.ai's cutting-edge approach to autonomous penetration testing and continuous security posture management with CEO Snehal Antani, as he discusses innovative solutions that transform how organizations stay ahead of cybersecurity threats.

Episode Notes

In this 7 Minutes on ITSPmagazine Short Brand Story, recorded on location during Black Hat USA 2024, Sean Martin had a fascinating conversation with Snehal Antani, CEO and Co-Founder of Horizon3.ai. The discussion revolved around the innovative strides Horizon3.ai is making in autonomous penetration testing and continuous security posture management.

Snehal Antani shared his journey from being a CIO to founding Horizon3.ai, highlighting the critical gaps in traditional security measures that led to the inception of the company. The main focus at Horizon3.ai is to continuously verify security postures through autonomous penetration testing, summed up in the firm's motto "go hack yourself": organizations test themselves regularly so that vulnerabilities are identified and addressed proactively rather than after an incident occurs.

A significant portion of the discussion centered around the differentiation between application and infrastructure penetration testing. While application pen testing remains a uniquely human task due to the need for identifying logic flaws in custom code, infrastructure pen testing can be effectively managed by algorithms at scale. This division allows Horizon3.ai to implement a human-machine teaming workflow, optimizing the strengths of both.

Antani likened the company's newly launched tripwire product to a burglar installing Ring cameras along the way while breaking in: during a pen test, honey tokens are deployed on the hosts and file shares that were compromised, creating an early warning network. These tokens are fake credentials and sensitive command tokens designed to attract attackers, triggering alerts when accessed. Because no legitimate user has any reason to touch them, this early warning system gives organizations a high signal, low noise alert mechanism, enhancing their ability to detect and respond to threats swiftly.
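To make the honey-token idea concrete, here is an added example (not Horizon3.ai's product code) of the two pieces a defender needs: a registry that records where each decoy credential was planted and which attack steps a prior pen test ran from that host, and a detector that scans log lines for any use of a decoy and maps the hit back to that host and its likely next steps. The decoy values, host names and log lines are constructed for illustration.

```python
"""Honey-token (tripwire) registry and alert detector.

Added example: decoy credentials are planted on hosts a pen test reached;
any appearance of a decoy value in logs is an alert, and the alert carries
the host and the attack steps previously observed from that host.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HoneyToken:
    """A fake credential planted on a host; any use of it is an alert."""
    value: str                       # the decoy secret exactly as it would appear in logs
    kind: str                        # e.g. "aws_access_key", "azure_client_secret"
    host: str                        # host or share where the pen test planted it
    next_steps: List[str] = field(default_factory=list)  # attacks previously run from that host


class TripwireRegistry:
    """Maps decoy values back to the host and attack path they were planted with."""

    def __init__(self) -> None:
        self._tokens: Dict[str, HoneyToken] = {}

    def deploy(self, token: HoneyToken) -> None:
        self._tokens[token.value] = token

    def lookup(self, value: str) -> Optional[HoneyToken]:
        return self._tokens.get(value)

    def values(self) -> List[str]:
        return list(self._tokens)


def scan_log(registry: TripwireRegistry, lines: List[str]) -> List[dict]:
    """Return one alert per log line that contains a registered decoy value.

    Exact-value matching is enough here: a decoy is never used legitimately,
    so any occurrence is a high-signal event regardless of success or failure.
    """
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        for value in registry.values():
            if value in line:
                tok = registry.lookup(value)
                alerts.append({
                    "line": line_no,
                    "kind": tok.kind,
                    "host": tok.host,
                    # inverse lookup: what an attacker at this host is likely to do next
                    "likely_next_steps": list(tok.next_steps),
                })
                break  # one alert per line even if several decoys appear
    return alerts


# Constructed sample deployment: decoys left on two hosts a hypothetical pen test reached.
REGISTRY = TripwireRegistry()
REGISTRY.deploy(HoneyToken(
    value="AKIAHONEY0TRIPWIRE01",           # constructed fake AWS-style access key id
    kind="aws_access_key",
    host="fileserver-07",
    next_steps=["read finance share on fileserver-07", "pivot to db-03 with cached credentials"],
))
REGISTRY.deploy(HoneyToken(
    value="fake-azure-secret-4f2a",          # constructed fake Azure client secret
    kind="azure_client_secret",
    host="jump-02",
    next_steps=["enumerate tenant apps", "request token for legacy-sync app"],
))

# Constructed sample log lines (one benign line between two decoy uses).
SAMPLE_LOG = [
    "2024-08-07T10:12:03Z cloudtrail GetCallerIdentity accessKeyId=AKIAHONEY0TRIPWIRE01 "
    "sourceIp=203.0.113.9 error=InvalidClientTokenId",
    "2024-08-07T10:12:05Z sshd Accepted publickey for svc-backup from 10.0.4.21",
    "2024-08-07T10:13:40Z aad token_request client_secret=fake-azure-secret-4f2a app=legacy-sync",
]


if __name__ == "__main__":
    for alert in scan_log(REGISTRY, SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['kind']} decoy from {alert['host']} used; "
              f"likely next: {alert['likely_next_steps']}")
```

Note that the first sample line records a failed API call (the decoy is not a real key), yet it still produces an alert: the value of a tripwire is that the attempt itself is the signal, which is why the detector ignores outcome fields entirely.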

Antani emphasized that Horizon3.ai is not just a pen testing company but a data company. The data collected from each penetration test provides valuable telemetry that improves algorithm accuracy and offers insights into an organization’s security posture over time. This data-centric approach allows Horizon3.ai to help clients understand and articulate their security posture’s evolution.

A compelling example highlighted in the episode involved a CISO from a large chip manufacturing company who utilized Horizon3.ai’s rapid response capabilities to address a potential vulnerability swiftly. The CISO was able to identify, test, fix, and verify the resolution of a critical exploit within two hours, showcasing the platform's efficiency and effectiveness.

The conversation concluded with a nod to the practical benefits such innovations bring, encapsulating the idea that effective use of Horizon3.ai’s tools not only promotes better security outcomes but also enables security teams to perform their roles more efficiently, potentially even getting them home earlier.

Learn more about Horizon3.ai: https://itspm.ag/horizon3ai-bh23

Note: This story contains promotional content.

Guest: Snehal Antani, Co-Founder & CEO at Horizon3.ai [@Horizon3ai]

On LinkedIn | https://www.linkedin.com/in/snehalantani/

On Twitter | https://twitter.com/snehalantani

Resources

Learn more and catch more stories from Horizon3.ai: https://www.itspmagazine.com/directory/horizon3ai

View all of our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal

Learn more about 7 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs

Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/

Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Innovations in Autonomous Penetration Testing and Continuous Security Posture Management | 7 Minutes on ITSPmagazine | A Short Brand Innovation Story From Black Hat USA 2024 | A Horizon3 Brand Story with Snehal Antani

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Here we are. We're ready for another seven minutes on ITSPmagazine. I'm thrilled to have Snehal Antani with me. How are you, Snehal?  
 

Snehal Antani: Good. Thanks for the time.  
 

Sean Martin: Appreciate you joining and excited to hear this story about Horizon3.ai. Maybe let's kick it off with a brief overview of what you and your team are doing. 
 

Snehal Antani: Sure. So, when I was a CIO, I had no idea I was secure until the bad guys showed up. So, are we fixing the right vulnerabilities, logging the right data in Splunk? Does my team know how to respond to a breach? And the answer is, I don't know. I have to wait for a bad guy or I've got to hire a consultant to show up once a year to test my environment. 
 

And what I wanted to do is continuously verify my security posture by hacking myself as often as I possibly could. So our t shirts say, go hack yourself. And what we enable is continuous penetration testing.  
 

Sean Martin: What are some of the types of things you're testing against?  
 

Snehal Antani: What's interesting is. Uh, if you break pen testing up into two categories, you have application pen testing, which I believe is a uniquely human problem to [00:01:00] solve. Uh, because finding logic flaws in custom code is a uniquely human kind of gift. Whereas infrastructure pen testing is uniquely solved by algorithms, and that's where we focus. 
 

So infrastructure pen testing at scale, which is everything below that custom code layer. So as I see kind of the future of pen testing, I see humans becoming scalpels focused on the app layer and algorithms executing at scale in this really interesting human machine teaming type workflow.  
 

Sean Martin: Interesting. You've been very busy innovating and creating and delivering. What are some of the new, uh, new things you've launched?  
 

Snehal Antani: Yeah, so, uh, a key part of just building a, a highly valuable large scale company is you start with one use case with a well defined pain and then you evolve to a multi product platform. 
 

So we're kind of in that journey as a company. So pen testing, autonomous pen testing was our first use case. And now we moved into the adjacency. So right now, imagine as a burglar, as we're breaking into your house, we install ring cameras along the way. So if a real bad [00:02:00] guy shows up, you're going to get some sort of alert. 
 

Well, the analogy applies to pen testing. So we just launched a product called Node Zero Tripwires. So while running a pen test, we'll automatically deploy honey tokens in hosts that we've compromised, file shares we gained access to, building this early warning network based on pen test results. And the whole product strategy and company strategy is: think of pen testing, or pen test results, as a map and compass that helps you decide how to improve your defenses. 
 

Sean Martin: I love this idea actually. It's really cool. Let's leave some, some tokens there to see if somebody else might again, find their way to the same through the same path. And I guess it doesn't have to be the same path as long as they end up at the same destination or same point on the network, right? 
 

Snehal Antani: Yep. That's exactly right. Because within an enterprise, not all servers or file shares are equal. Some are far more important than others. Some are far more suscept, uh, susceptible than others. And so a pen test is the most effective way to figure out what is of value to the attacker, [00:03:00] what are critical way points that the attacker is going to eventually get to en route to a compromise. 
 

And the pen test results help you identify those waypoints, those critical pieces of componentry. And if you deploy Honey Tokens within those environments, you have a very high signal, very low noise, um, early warning network you're able to create.  
 

Sean Martin: So, those tokens are  
 

Snehal Antani: So they're actually, they're fake AWS credentials, fake Azure credentials, fake sensitive command tokens, as the start. 
 

There are things that a normal user would have no business or interest in using, or touching. But an attacker's gonna find it, and they're gonna get excited by it, and they're gonna try to use it, and then set off a bunch of alerts. The other interesting thing for Horizon 3 is, you know, we're not a pen testing company. 
 

We're a data company. Pen testing is just a sensor. So every time we run a pen test, we're getting a ton of telemetry on every host, port, service, credentials, so on and so forth. And that telemetry allows us to improve our algorithms, but [00:04:00] more interesting, that telemetry allows us to understand your security posture over time. 
 

So we're able to actually help you articulate how secure you are and how that posture has changed over time because we have the source of truth versus like an arbitrary spreadsheet that you fill out in other GRC type solutions. Well, similarly now with node zero tripwires. We immediately, when we turned it on, have the largest early warning network in the industry because all of my customers, by default, get a bunch of these tokens for free. 
 

They can always buy more, but I suddenly have this massive early warning network of, of honey tokens precisely deployed in critical spots across my entire install base. And that becomes another source of data I'm able to integrate into understand your posture.  
 

Sean Martin: Do you capture the Path. There's a lot of times. It's not just that it's triggered, but it's how they got there, right?  
 

Snehal Antani: Yeah. So, um, in our case, it's a little bit. The path is a little bit different. So when we run an autonomous pen test, we're actually going to show you like from this initial host that [00:05:00] was compromised. 
 

What was the attack path that led to domain admin or sensitive data exposure? And we'll show you that we gained access to a JMX server, got code execution, dropped a RAT, uh, pivoted over to another machine, did something else, and so on. Well, if we, uh, deployed a RAT, uh, then we likely also deployed a Node Zero tripwire on that same box. 
 

So that's how we'll show you the attack path on how we did it. Now, on the flip side, if an attacker triggers one of those, uh, Node Zero tripwires, we can do the inverse lookup, which is, hey, this Node Zero tripwire is on a host, and that host enabled us, uh, in previous pen test results, to do these 15 different attacks from that, that location. 
 

So it's almost like from this spot, here are the 15 or 10 or three likely things they're going to go do next, because that's what the node zero pen test did previously. Yeah, I love it.  
 

Sean Martin: I love it. What's some of the outcomes, what are, what are your customers telling you they're, they're able to do now? 
 

Snehal Antani: Um, so there's a couple of them and I'll give you an example of a [00:06:00] CISO of a large, uh, chip manufacturing company. So we're really good at rapid response. So think of a celebrity CVE in the news from CISA or whatever else. Well, we quickly reverse engineer it, weaponize it, add it to the product. And then we'll proactively notify you that, uh, we're, we're quite confident you have this F5 KEV on these hosts based on previous pen test results. 
 

And that's like, uh, and that's a situation where time is the enemy. So the CISO is telling me the story of how, uh, we proactively notified him. He had, uh, he was exposed, susceptible to a Palo KEV. He immediately ran a test to verify he was exploitable, found a bunch of occurrences, fixed them, reran the test and then showed the before and after screenshots to the board and to the CEO, and the whole process took less than two hours. And the board and the CEO of that manufacturer were like, holy crap, in less than two hours, you tested the entire environment at scale for a devastating problem, fixed it, proved it was fixed. 
 

And then the guy got a promotion.  
 

Sean Martin: Nice [00:07:00] one. So work with the Horizon3.ai team and get yourself a promotion.  
 

Snehal Antani: Yeah, that's exactly. And go home early.  
 

Sean Martin: And go home early. Well, that's fantastic. And that is 7 Minutes here on ITSPmagazine. This is Snehal. Thank you.  
 

Snehal Antani: Awesome. Thank you.