Our good friend, Dan Lamorena of Forescout Technologies, is creating a series of blogs centered around zero-days and IoT. In this series, he’ll be interviewing cybersecurity experts to discuss what they’re seeing out there in the “Wild, Wild West” of security.
The first blog post of the series is right here, with Logan Brown, President/Founder, and Ted Ross, CEO, of Exodus Intelligence. Logan has spent his career in security research finding vulnerabilities in commonly used software. Exodus has been around for four years now, and prior to that, Logan was at TippingPoint’s Zero Day Initiative. Ted has been in the industry for 27 years and brings experience from both a security practitioner and a threat intelligence background.
Dan: What are the biggest challenges for IT security organizations when it comes with dealing with software vulnerabilities?
Logan: People are still chasing tails trying to protect against known vulnerabilities. They still have the issue of finding and addressing known vulnerabilities.
Ted: I agree, it’s difficult for organizations to identify all the vulnerable software, and once they do, there are many points of failure pushing patches (both technically and from a human error perspective). At Exodus, we find vulnerabilities that no security vendor is capable of detecting. Because of the failures with identification and patch management, we are forced to handle our results very carefully so our customers have time to protect themselves before the vulns are found in the attacker community.
Dan: Most large organizations have a hard time with IT asset identification, knowing what they have, where it is and it’s current patch status…
Logan: Right, so that’s sucking up most of their time. There are also unknown threats they don’t know about it. And the reality is, APT actors are focusing more on zero days as Symantec demonstrated with their report showing that 0-day attacks more than doubled over the last year. A lot of security vendors provide known bad IP addresses and malware samples, but those are known by the industry at large. The real challenge for security organizations is to find zero day vulnerabilities. This is where vendors like Exodus Intelligence can help. We find the vulnerabilities before they go out in the wild. Most security vendors gather from the internet or buy from other hackers versus finding them themselves. We work around the clock testing the products organizations use and find what bad actors will eventually discover and utilize.
Dan: And, most IT organizations don’t have the resources to do this research themselves.
Logan: Most IT Security teams-and even security vendors–can’t find the security research talent who can do this work, and they definitely can’t afford it.
Ted: Outside of the malicious actors, there’s a small community of researchers that are capable of finding these vulnerabilities at a rate that scales (for a business). The skills and experience required are rare to come by and the resources are not cheap. To give you an example, we look for assembly experience and reverse engineering to start as a Junior Researcher. Our senior guys are teaching the Master Class for exploit development.
In addition to our research team, we have a bounty program. If a white-hat researcher finds a new vulnerability, they can handle it responsibility (by giving it to us) and be paid for their work. After contacting us, we validate the vulnerability prior to making a payment. So anything that goes through this program is something impactful.
Going back to your original question: Correct, most organizations don’t have the resources nor are they be able to fund/manage a bounty program. Exodus does both and zero-days are our core competency. We take great pride in finding new attacks that cannot be detected or stopped by existing security solutions – it’s our passion.
Are you ready for Part 2 in this series? See it here.
We want to thank Dan, and Forescout Technologies, for the great interview.