Episode Summary
11:11 Systems Director of Product Market Intelligence Brian Knudtson is joined by guests Martin Edwards, Mike Spanbauer, and Nico Stein for a conversation about the whys and hows of penetration testing. We discuss how to prioritize pentesting in your own organization, how to properly run tests in someone else’s cloud without getting yourself into trouble, and how to find a good pentesting firm. Make sure you’re not relying on any random provider or any single test.
Panel
Cloud Conversations
Topic 1
[02:41] What is the value of having such a real demonstration of an attack to convince management to take defense seriously? And how can security professionals ensure it is a priority?
Topic 2
[10:18] [For] organizations that are running on a third party cloud platform, what kind of special limits or legal situations [should they] account for when they go to do a penetration test?
Topic 3
[15:38] If you were advising another organization that wanted to do that same type of setup, what considerations should they keep in mind when they are paying somebody to breach their own data?
Cloud Bites
[04:24] “[Penetration] tests are not a one and done activity. You must set up a rigorous cycle, in my opinion, to have monthly or quarterly tests. And then I would recommend that something be set up in an automated capacity and augment that with a specialist set from a third party to kind of build a more robust or complete picture of this outcome” — Mike Spanbauer
[08:19] “We do outsource our pen testing, and when they come on site, we don’t enforce our defenses. It is what it is at this point. But I was able to leverage the findings like, look, we need to put the solution in or we need to get some consultant there or external help to fix those issues. So it is a very powerful tool, and I think we talk about it later. I also enjoyed a little battle, me and my team against them. Sometimes we win, sometimes we don’t. But the outcome is always positive in my opinion.” — Nico Stein
[13:20] “Everyone understands if penetration testing happens. But understanding stops if, just because another tenant is doing this, it brings down my services or affects my member data.” — Nico Stein
[18:32] “When you see an organization’s clear communication of tools, abilities and where the tools fall short, it kind of demonstrates their awareness of what the tools are and are not effective at, as well as how they augment that to ensure that they can effectively assess attack surface or organizational potential issues, which then of course becomes the report or, you know, the communication, you know, at the end of the event” — Mike Spanbauer
[28:46] “I tended to lean towards where pentesting was testing systems and configurations, and red teaming was often attacking policy and procedure… What vulnerabilities are in the systems, can they be exploited? That’s one layer of protection. That’s vulnerability management for configuration changes and things like that. And then also, do you have security tooling that is catching it or are there people actually looking at those alerts? What is the policy and process around that? And that’s just kind of the multilayer defense between policy and then as best as you can, just hardening infrastructure to not allow it to happen.” — Martin Edwards
Episode Asset
Safeguarding your Business in the Digital Age
How to improve the security posture of your business
Organizations are facing increasing threats from cybercrime, and it’s only getting worse as criminals get more sophisticated and data increases exponentially. In fact, there has been a 300% increase in reported cybercrimes in just the last two years alone.
When you consider that hackers only have to succeed once to spell disaster for your entire enterprise, it’s more important than ever to put a solid, multi-layered security strategy into place to protect your organization.
But where do you start? Hiring an experienced cybersecurity team is expensive at best, and impossible at worst. In this white paper, we look at the increased threats, the cost of cybercrime, and what you can do to protect your business without putting stress on your bottom line.