Beyond vulnerability scanning: Enhancing attack surface management for more proactive security


Greenhill Builds Stronger Security By Sparring with Randori

The Challenge: Knowing Where You Stand

For the past 17 years, CIO John Shaffer has overseen the infrastructure and security that keeps Greenhill running and secure. As a leading investment and financial advisory firm with 15 offices worldwide, maintaining an up-to-date picture of their global attack surface was a constant challenge for John and his team.

As Greenhill evolves, shadow IT and the potential of blindspots, misconfigurations, or gaps in the security program were of increasing concern. As the threat landscape changes and the security program advances, a fundamental question remained: “How effective is our security program at protecting what is most important to Greenhill?”

John was looking for a red teaming solution that would not only reveal weaknesses and validate existing investments, but train and challenge Greenhill to elevate their security program.

The Solution: Continuous Automated Red Teaming

Starting from a single email address, Randori started - just like a traditional red team - by discovering Greenhill's external attack surface. Using a black-box approach, Randori discovered what Greenhill had exposed and provided John and his team with a prioritized list of targets that an attacker would most likely take action on first - if targeting Greenhill. Through this process, Randori helped Greenhill discover a number of systems they did not know were exposed to the internet. With the help of Randori's prioritization engine, the team was able to flag these issues and quickly patch, reconfigure and deploy new controls to reduce their external risk.

Having hardened and reduced their attack surface, Greenhill was ready to move beyond discover and begin testing the efficacy of their security program against Randori's continuous and automated red team (CART). Using Randori's policy-driven authorization engine, John defined an objective and gave Randori Attack authorization to begin testing his environment. Emulating an authentic adversary, the Randori Attack Platform gained initial access by exploiting an appliance on Greenhill's attack surface with a private capability.

This enabled Greenhill to test their defenses against an "assume compromise" scenario. When facing new exploits, misconfigurations, or stolen credentials, patching isn't an option. Teams must find effective ways to detect and respond, regardless of the source of infection. This requires security teams adopt a defense-in-depth approach and that the right products be deployed and configured effectively, have the right incident response processes in plan, and be trained and experienced enough to jump into action and execute under press. Serving as a trusted adversary, the Randori Attack Platform enables teams such as Greenhill's to train, practice and improve by providing ongoing access to an authentic attack experience.

Using Randori has helped me understand how much risk I am willing to accept. It has completely changed my mindset on how we should do security.

John Shaffer, CIO, Greenhill

Having established initial access, Randori then pivoted through controls to achieve persistence and lateral movement. This created an opportunity for Greenhill to exercise their managed detection and response (MDR) capabilities. Along the way, John had complete visibility into all attack attempts and executed actions by Randori as they happened - enabling him to monitor his controls to identify which worked as expected, and which did not. Over time, Randori's continuous red teaming enabled John to identify a need to increase investments in network monitoring at key points in the network, as well as optimize their SIEM detection and alerting rules. As John and the team learned, Greenhill was able to validate the efficacy of these investments and reduce their "mean time to contain" and "mean time to detection".

The Result: A More Resilient Security Program

With the combination of Randori's real-time attack action reports and ongoing monitoring of their attack surface, John now has real-time visibility into his cyber risk and can measure the efficacy of his security program - what's working, what's not - and better direct investments across his security program.

"Seeing authentic attacks on our network gives me a powerful narrative to share with leadership. I can validate what's working and build up my team"

After sparring with Randori, Greenhill is remediating faster and benchmarking their progress over time. John and his team are excited to train for the next fight.