ITSPmagazine Podcasts

Meet Phoenix Security | A Brand Story Conversation From Infosecurity Europe 2024 | A Phoenix Security Story with Francesco Cipollone | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin and Francesco Cipollone for an insightful discussion on Phoenix Security, live from Infosecurity Europe 2024 in London.

Episode Notes

In the dynamic and ever-changing world of cybersecurity, it is crucial to stay at the forefront of addressing vulnerabilities, implementing innovative solutions, and getting to know the companies that are making a difference in this industry. At Infosecurity Europe 2024 in London, Sean Martin sits down with Francesco Cipollone, co-founder of Phoenix Security, to discuss the company's journey, achievements, and unique value proposition, highlighting its impact within the cybersecurity community.

Setting the Stage

The bustling environment of Infosecurity Europe 2024 serves as the backdrop for an engaging conversation about the latest cybersecurity trends. Martin and Cipollone delve into Phoenix Security’s origins as an internal project at HSBC, aimed at addressing engineer burnout by improving communication and prioritization in vulnerability management.

Phoenix Security’s Journey and Vision

Cipollone explains how Phoenix Security was created to help engineers avoid burnout, originally focusing on solving communication and prioritization challenges in vulnerability management. This initiative quickly evolved into a comprehensive solution that bridges the gap between security and engineering teams by providing actionable risk assessments and automating decision-making processes.

Innovative Solutions for Modern Cybersecurity Challenges

Phoenix Security stands out by offering tools that streamline vulnerability management across enterprise systems. The platform correlates findings from multiple scanners with where code is actually deployed and which team owns it, so engineers get a finite, prioritized list to schedule week by week. Cipollone says this cuts the time needed to decide whether and where to fix a given vulnerability from hours to, in the best case, around ten minutes. That efficiency not only helps prevent engineer burnout but also ensures that the fixes with the largest risk reduction are the ones that get implemented.

Success Stories and Client Feedback

Cipollone shares success stories from clients like ClearBank, who have benefited from real-time, up-to-date asset inventory and operational insights. By using Phoenix Security, these organizations can engage in informed risk-based decision-making, enabling security teams to focus on high-impact vulnerabilities and maximize risk reduction.

Expanding Reach Through Strategic Partnerships

Highlighting the importance of collaboration, Cipollone mentions Phoenix Security's partnership with Booncheck, announced at the show. The partnership brings the partner's vulnerability threat-intelligence data directly into the Phoenix platform, so each finding can be flagged as exploited, not exploited, or weaponizable alongside Phoenix's own intelligence, and that evidence feeds the platform's automated risk scoring rather than being presented as a single number to take on trust.

Conclusion

The conversation concludes with insights into future security trends and Phoenix Security’s commitment to innovation and community-driven solutions. Cipollone emphasizes that Phoenix Security aims to simplify decision-making processes, giving engineers and security professionals more time to focus on what truly matters.

We encourage all ITSPmagazine viewers and listeners to connect with the Phoenix team, download their new book, and stay tuned for more updates from Infosecurity Europe 2024.

Learn more about Phoenix Security: https://itspm.ag/phoenix-security-sx8v

Note: This story contains promotional content.

Guest: Francesco Cipollone, CEO & Founder at Phoenix Security [@sec_phoenix]

On LinkedIn | https://www.linkedin.com/in/fracipo/

On Twitter | https://twitter.com/FrankSEC42

Resources

Learn more and catch more stories from Phoenix Security: https://www.itspmagazine.com/directory/phoenix-security

View all of our InfoSecurity Europe 2024 coverage: https://www.itspmagazine.com/infosecurity-europe-2024-infosec-london-cybersecurity-event-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Meet Phoenix Security | A Brand Story Conversation From Infosecurity Europe 2024 | A Phoenix Security Story with Francesco Cipollone | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Volume is good?  
 

[00:00:04] Francesco Cipollone: Go for it.  
 

[00:00:05] Sean Martin: I know. It's really loud. Is it really loud? He's really loud. The Italian is really loud.  
 

Are you used to that with me? I am used to that.  
 

[00:00:15] Francesco Cipollone: You've been quiet. You've gone quieter.  
 

[00:00:17] Sean Martin: I know. The other side of the camera is talking. And, uh. Getting louder and louder. He's getting. You can probably hear him on our mics. 
 

But, uh. Here we are. Um. We're recording. 
 

Alright, I'm seeing what you're up to. So, Francesco, here we are my friend. What was it, last year we, uh, we we,  
 

[00:00:44] Francesco Cipollone: yeah, we came about and we crossed paths here. I know. And now we're on the other side of the camera.  
 

[00:00:53] Sean Martin: Exactly. So we're at, uh, Infosecurity Europe. You can probably see the sign as Marco shifts it around here. 
 

Um, and you have a cool spot inside, I do have to say. Yeah. You've got a nice, uh, nice booth there. And the booth is busy, so you have some good conversations there. So, we're gonna get the, uh, the origin story in Phoenix and, uh, all the cool stuff you're doing, the announcements you have already in place, some that are coming. 
 

That I'm getting under embargo, you're going to hear about tomorrow when this comes out. But, uh, Francesco, it's always good to see you, man. And I'm glad to see you're doing well and all the fun stuff you're doing. But let's, uh, let's start with, well, let's start with you first. Maybe a couple words about some of the stuff you've been up to in the past that led you up to today. 
 

[00:01:42] Francesco Cipollone: Yeah, no, thank you. And it's always a pleasure to talk to you guys. Um, it's been quite a while in the making, this, and Phoenix and what we built. Uh, and I always pride myself on focusing on helping engineers not burn out. And that was my mission from day one, when we started Phoenix as, almost, an internal project at HSBC. 
 

And I had my team burning out on a consistent basis, and we just sat down together and said, it can't be that the whole world needs to revolve around millions of vulnerabilities and we get the worst part of it. And by discussing the problem we quickly realized that it was a communication problem on one end and a prioritization problem on the other. 
 

When we were discussing with the engineers, the knee-jerk reaction was, please don't sell me more vulnerability stuff to fix, because of course everybody has their day job, and if we came to a secure  
 

[00:02:43] Sean Martin: We only think so much.  
 

[00:02:45] Francesco Cipollone: Exactly. But it wasn't even in the job spec. The challenge was, okay, fix vulnerabilities in your spare time. 
 

Why should you do it? Why should you focus on fixing vulnerabilities? It's not a really good selling point. Oh, by the way, this evening you're going to spend another couple of hours fixing vulnerabilities and not seeing your family. And of course we need to make it important for the business, but by trying to communicate to a business executive, oh, look, you have this business-critical system that has a critical vulnerability exploitable in X, Y, and Z by this threat actor, you've already lost them at word number ten, right? So we needed a way to translate business, executive language to engineering, to security. And we found that that was the biggest language gap. 
 

That was the biggest challenge that we had, because it's not that engineers just wanted to push us back. They didn't have security in their agenda, and even when security was in their agenda it was lip service. Like, we shall be more secure. From an engineer's perspective, it's like, how many story points does it equate to? 
 

Is it five story points, ten story points? And do they even know how to write those stories? No, no, exactly. And there was a massive language gap, this connection gap between the expectation from an executive perspective and engineering practice. Engineers work in lists, security works in risk, and the business works in risk. 
 

There is a massive disconnect in that. You need to translate risk objectives and targets into action for engineers. And that's what we built with Phoenix. In the early, early version of Phoenix, we helped engineers just focus on risk. And that didn't require us, as a security team, to get involved with engineers. 
 

Because it no longer required telling engineers, look, you need to focus on this particular list of stuff. The system was doing that for us. What we started working on is, can we do this even smarter? Can we work systemically, similar to what CISA has done with memory-safe languages, where this particular category of vulnerability is more interesting because, as I was saying in the talk this morning, these are more in the attack surface. 
 

Thirteen or fourteen percent of the NVD is one specific category of vulnerability that can be either remote code execution, buffer overflow, or memory corruption. So if you focus on those, chances are that you will focus on the same stuff that the attacker will focus on. Because they think like a business. 
 

They think like, I need to generate a piece of code that's going to attack the majority of the installation base, and that's usually the known folks, Microsoft, Oracle, and so on, and specific attack methods and patterns like remote code execution, cross-site scripting, and so on. Those are the ones that are easy to automate. 
 

So if you think like an attacker, as security you can deliver a massive, massive benefit to the business. And you're going to be loved by engineers,  
 

[00:05:59] Sean Martin: right?  
 

[00:06:00] Francesco Cipollone: Yeah, because all of a sudden you're not showing up to a stand-up meeting and saying, look, can you please fix 50 vulnerabilities? It's, if you fix this, this, and this, or if you focus on this library, you maximize your risk reduction. 
 

They're going to love you because first of all, you're giving them an objective and an actionable objective and something that they can focus on and compete on.  
 

[00:06:22] Sean Martin: So talk to me about what they see there. Maybe a comparison to what they get normally working with one or more scanners, right, the different types. 
 

Versus what you get with Phoenix in terms of, here's the high impact, you might fix something here that's critical, maybe you don't need to fix it here because it's not necessarily a high-value app, or whatever. But I guess paint that picture for the engineering and security teams so they can visualize what you do there. 
 

[00:06:56] Francesco Cipollone: Usually when you work with a scanner, that's your first approach, or it's more reactive, and that's what we wrote in the book. The first stuff that you do is you scan, you get a list of problems, and that's fine when you have one scanner on one problem. It can be libraries, it can be your code, it can be your infrastructure. 
 

But then you start adding, okay, now we need to scan for misconfiguration. Misconfiguration in production, or where you run your code, and misconfiguration in the way you build your code. Okay, now you have three sources. Then you add SCA. Yeah. But now you add SCA, so, composition analysis. And now you have five sources. 
 

And now you have composition analysis on your container. And now you have six sources. And now you've got DAST, but that's in your pipeline, or that's external, and now you're at eight sources, and so on and so on. So understanding this fundamentally as an engineer is complicated, and then on top of that you expect engineers to go and pick up their own project from this list, and sometimes they're massive, the 3, vulnerabilities. Go and find what belongs to you in that particular thing, and then reverse engineer from that list whether you actually need to fix it in that particular instance, or you need to fix it in a particular piece of code that is deployed somewhere. That takes nine hours to understand a specific problem, and then you need to go and fix it. Nobody wants to do it. So what's the fix? The fix is actually Phoenix. 
 

[00:08:27] Sean Martin: No, I'm saying, for each vulnerability, what's the right fix?  
 

[00:08:30] Francesco Cipollone: Exactly, but that's what we focus on in Phoenix. We are what we call an actionable ASPM, because we focus more on looking at the fix that delivers the biggest risk reduction. But not in general, for the applications that are deployed in production for your particular team. 
 

So it's a very narrowed-down list of vulnerabilities that are actionable, and then we also inform you, from a risk perspective, what is fixable and exploitable, and convert all of that into an automated risk formula that you can also customize. Because some businesses say, for me it's particularly important where things are, or, for me it's particularly important where exploits are, or whether something is fixable. So you can customize it as a business, because every business has a different risk perception and tolerance. 
 

But then from an engineer's perspective, they get a list of things that is finite, to fix on a week-to-week basis, and they can go crack on, in line with the expectation of the executive. So as a CISO you can say, I want to be at this risk level, or I want to be at this risk level. As a CISO you can understand how many hours that equates to. 
 

How many work hours that equates to from an engineering perspective. Am I going to achieve that in a quarter, or in six months?  
 

[00:09:43] Sean Martin: Right.  
 

So, and talk to me about, because often times it isn't just one fix. Right? So there could be multiple ways. It could be upgrading a library. It could be writing a new line of code. 
 

It could be writing new lines of code, multiple lines of code. It could be you have a different configuration you can apply which will mitigate, or you might have some other compensating controls. So how much, how much of that can you present to the team? Does it always have to be engineering as well?  
 

[00:10:12] Francesco Cipollone: No, it can be a mix between GRC, engineering, other forms, because right now we rely heavily on engineers, because only they can understand this world of vulnerability. 
 

But if you start talking about risk and um, what are the factors that from a risk perspective um, influence the scoring, then everybody can say, look, I have this compensating control in my application. Can I reduce systemically this particular set of risk? That's a GRC function, and I haven't talked about vulnerability. 
 

So you can kind of democratize vulnerability assessment, vulnerability management, the risk management, across your whole organization, and as well shorten the skill gap that we currently have, because we don't have enough engineers to cover all of this. No security engineers. So with this you can kind of upskill. With Phoenix you can upskill your workforce to think about a risk management 
 

approach and hence, um, cover more with fewer people, or with the same amount of people that you have, and prevent burnout, because you automate a lot of the decision time that normally takes you hours. With Phoenix it takes you, I mean, the best case would reduce to 10 minutes to decide if you need to fix and where you need to fix specific things. 
 

And then we obsess with the fix, because as you rightfully say, Marco, Sean, um, I see you. I see you guys as a single entity. Sean, um, as you rightfully said, there is a path: do I fix it in this particular thing, or do I fix it in the library? We actually correlate and contextualize where things are, so that we can say, you have this problem here, but actually you build with this particular infrastructure as code. 
 

So go and fix the infrastructure-as-code file instead of focusing on operations, or this particular container that is deployed 50 times, touches many, and then you can deploy this particular build file for this particular container. So that's the stuff that we focus on with Phoenix, to actually maximize risk reduction based on the vulnerability pattern of the fix. 
 

[00:12:19] Sean Martin: So I don't know the name, but I think you just, you just closed the new client, which is cool. So tell me, tell me, uh, what some of the outcomes are for some of your customers. What's the feedback you're getting? Is it, clearly, it's to make life easier for the engineering, bringing both better collaboration and experience and connection between security, application security, and operational security in engineering. 
 

So what's some of the feedback you're getting?  
 

[00:12:47] Francesco Cipollone: So, one of the good pieces of feedback that we got, for example: one of the largest banking clients that we have, ClearBank, got to a state where they have, in real time, an up-to-date asset inventory and the attribution. So which team is actually maintaining what, from an operational perspective, so from a runtime perspective, and from an application security perspective. 
 

So from a team perspective, they can jump on Phoenix on a weekly basis, schedule the workload, and see the impact the week after of the things that they fixed, and whether they're making progress or not. Now, from a security perspective, they saw that specific teams weren't making a huge dent because they had to maintain a lot of vulnerabilities. 
 

And hence they started focusing on, look, if you fix this particular campaign of vulnerabilities, if you fix this particular pattern of vulnerabilities, then you're going to maximize your risk reduction. So it's making informed, risk-based decisions, but also helping the security team engage with the engineering team in a more practical and proactive way. 
 

That leaves a good feeling, results, because nobody wants to go home and say, I didn't manage to make a dent in my whole organization. And that's 90 percent of security work.  
 

[00:13:58] Sean Martin: Basically, I'm going to tell them, let's, um, 
 

so I, one thing that I noticed, I, I follow you closely, closely. No, but I do, I do see, I do see what's going on. And I'm always thrilled to see that you continue to grow. What I noticed is a lot of partnerships. Now, Brani, you're working with a lot of scanners and other feeds, sources, to inform you, which inform your engineers and security teams. 
 

Talk to me about some of the partnerships you have. I think you just announced another one.  
 

[00:14:36] Francesco Cipollone: Yeah, so this year we recognized that what we're really good at is troubleshooting, looking at the vulnerability source data. So we have 150,000 vulnerability findings that we then convert into 10,000 verified exploits. 
 

Now, if you want to take that to the next degree, because as a platform we rely heavily on weaponization, exploitation, and so on to actually inform our risk, we wanted to offer our clients the next level of threat intelligence. Because maybe you want to deploy a YARA rule. Maybe you want to understand which threat actor is actually using a particular vulnerability. 
 

So we decided to partner up, and announced the partnership today with Booncheck, so that you can have their own threat intelligence vulnerability data directly in the platform and be flagged if a particular vulnerability is exploited, not exploited, or weaponizable, together with our threat intelligence. So with a minimal spend, you get an enormous amount of vulnerability data, almost the whole entire world of vulnerability exploitation. 
 

Uh, at a single click. And all of that automated in the decision-making process that Phoenix operates on. Together with the recently announced, patented, four-dimensional risk formula that enabled us to bring a lot of the intelligence and the context, uh, the probability of exploitation, how bad the vulnerability is, and which threat actors are looking at a particular vulnerability, into a single risk formula that you can make decisions on. 
 

Um, but also give you all of these facts as well. One other thing that our clients love is the fact that we're transparent. We tell you exactly if this particular vulnerability is exploitable and then it's corroborated by this particular evidence. And it's not just a single number that you need to believe it or not. 
 

We actually, we're an engineering, we're an engineering community. So we tell you, this is particularly vulnerable because of A, B, and C, because the vulnerability is on a system that is externally facing, up to this percentage is critical, has X amount of weaponization, uh, in the wild, and so on. So it helps you make risk-based, informed decisions, but also shortens the amount of time security teams need to spend with engineering, if you give them all that data up front and all that context up front. 
 

[00:16:50] Sean Martin: Otherwise, they're they're doing that research to  
 

[00:16:53] Francesco Cipollone: correct  
 

[00:16:53] Sean Martin: Right to understand it and to validate it and have the understanding of what to do  
 

[00:16:59] Francesco Cipollone: Yeah,  
 

[00:16:59] Sean Martin: So what else? You have some other stuff you're announcing?  
 

[00:17:02] Francesco Cipollone: Yes, so the book is actually one of the publications I'm most proud of. It's been, it's been a year in the making, so I thought it would have taken much less, and it's an evolution of the SLA risk-based decision process that we previously published. 
 

On this one we decided to do something slightly different, so we decided to bring both vulnerability management folks, like Chris Yu and Xin Tang, and the application security team together to actually bring things together. And it was a really difficult project, because application security folks think in a very different way from vulnerability management people. 
 

But right now the surface is one, so we decided, why not bring all of these minds together into one. And this is basically a lot of the compound, uh, data, talks, and intelligence that we have all done over the years, together with the vulnerability exploitation and the process that Phoenix relies on as well. 
 

Uh, there is a risk-based approach.  
 

[00:18:11] Sean Martin: Again, more transparency.  
 

[00:18:13] Francesco Cipollone: Yeah, absolutely. But it's, Phoenix has been, uh, a product born from the community, for the community, and we do a lot for the community because we want, ultimately, we built a product to actually simplify decision-making time and give back the time that engineers need and security engineers need to actually do what matters most. 
 

Not just opening Jira tickets, writing and troubleshooting, but actually having the effect and the most effective impact on the organization. Do you see MBOs, Management By Objectives, changing? A little bit. I see a little bit the OKRs changing into more objective-based. I've seen security targets, simple security targets, being translated into the engineering function. 
 

I've seen the shift from pure SLA into, instead of looking at let's fix all the criticals, let's fix all the critical risk, and let's fix all the critical risk on the applications that are in production. So I've seen a transition from knee-jerk reaction, we have this exploit, to: I have a Log4j, on which system do we have it, or I have a Spring4Shell. 
 

I look at my Spring library, and then am I affected by it or not? So we enable security with confidence.  
 

[00:19:34] Sean Martin: Without chaos. Without chaos. You're trying to do, boil the ocean, patching everything.  
 

[00:19:42] Francesco Cipollone: I mean, you can, it's just going to take you a long time. It's going to be hard, and your team is going to burn out. And by the time you actually stop fixing, new things have popped up, and probably somebody has figured out that particular vulnerability you haven't fixed, because you focused on fixing the back ends of the cafeteria Log4j, and they're going to get in from that place. 
 

And then from a management perspective, they say, we spend so much in vulnerability analysis, why can't we be secure? Because it's a matter of priority.  
 

[00:20:13] Sean Martin: All right. You got to take action on what you find. It's not just enough to find it. And, uh, you don't want to burn out in the process.  
 

[00:20:21] Francesco Cipollone: And we don't have enough people even to burn them out. 
 

[00:20:24] Sean Martin: I know. Well, Francesco, it's been great chatting with you. Hopefully, uh, you get some folks to connect with you and here at the show and, and, uh, beyond the show. Yes. I'll see you in Lisbon. See you in Lisbon. For a little AppSec Global. Great to speak to you. And, uh, yeah, it's going to be fun. Always a pleasure, Francesco. 
 

Great to see you in London. I know. Good to see you. Thanks, everybody. Goodbye. Connect with Francesco and, uh, the Phoenix team and, uh, see you next time. Download the book. Get the book as well.  
 

[00:20:55] Francesco Cipollone: Stay safe out there. Bye.