Security begins with knowing what to protect An effective security program requires an accurate, up-to-date, and complete inventory of everything an organization owns (CIS Control 1). Often, security teams are asked to build this inventory by combing through mountains of data provided to them from various systems across multiple departments. This commonly results in defenders not knowing what they are trying to protect, and pressures attackers to pursue as much information as possible from an organization’s perimeter. A critical piece of infrastructure when presenting these findings are the visual representations of a target. Humans are generally poor number parsers; we are much more suited to process pictures and language. This is pretty clear from our engineering of solutions like DNS, and the amount of visually impactful websites in our modern web. Let’s take a look at the difference between 1990’s Yahoo and 2019’s Yahoo. These images are very effective in eliciting an attackers reaction of “This is going to be fun” and conversely the defenders “oh no. that’s on my perimeter”. Unfortunately, gathering all the information needed to come to these conclusions is non trivial. Much of what comprises those feelings can come down to factors such as whether the […]

I am pleased to announce the release of a new Solutions Showcase from Enterprise Strategy Group (ESG) on the Randori Attack Platform.

There is nothing trendier in infosec today then to describe anyone under the sun showing any degree of competence as “advanced” or “sophisticated.” It’s an epidemic.

In cybersecurity, there is no such thing as perfection. If perfection is your goal, you are doing it wrong.

Hackers gonna hack. That’s what they do. But that does not mean they run in heedless of the defenses arrayed against them. Sometimes attackers will see something in a target that forces them to stop and think before proceeding.

When the Shadow Brokers leaked nation-state level hacking tools in April of 2017,  I immediately began digging into the post-exploitation capabilities and tradecraft of the supposed “APT” group.

Security cannot exist in a vacuum. If an organization’s security is dictated from one room, one group of people, the value of shared responsibility is lost.

I love to ask tech start-up founders what it was that prompted formation of their business. I’m usually listening to see if they are driven by some deeply-held personal belief (good answer) or by some greedy, near-term revenue growth objective (bad answer).