ESG's Jon Oltsik talks with David Wolpoff of Randori about SOAPA. This is part 1 of a 2-part series.
Jon: I'm here with David Wolpoff, CTO of Randori. David, welcome to the SOAPA video series.
David: Thanks for having me.
Jon: So, let's start with a basic question. What do you guys do, and how does it fit into SOAPA?
David: So, Randori is an automated attack platform, so we break into stuff. Well, we build a platform that breaks into stuff for us. It fits in by providing an automated partner that folks can test their security with.
Jon: Okay. Who at the organization is buying this? What are they thinking, and what do they want to test? What do they want to learn when they use Randori?
David: Sure. We're mostly focused on really big questions, like, does my program work? So a lot of what we get are CISOs who are interested in asking what should be really fundamental, basic questions, but people struggle with a lot. Do my defenses work at all? If something goes wrong, would I know it? Does my team know how to use the tools that we have?
Jon: Mm-hmm, and what are the answers that they're finding?
David: Well, I think generally speaking, we're seeing some improvement, but folks are still struggling with basic metrics, so it's hard to say for sure is it going better or worse? But definitely we're finding lots of unexpected stuff and hopefully helping people build better programs.
Jon: Now, what I find is just basic things, like I'm the CISO, I know everything that's on my network. But in reality, when you use a product like Randori Recon, you find out that that's not true. Is that your experience?
David: Yeah, for sure. In fact, in my whole career as a red teamer, prior to founding Randori, one of the things that always surprised me the most was how much stuff was out there that customers didn't know they needed to be responsible for. Certainly, as we've built the Randori platform and Recon, in particular, finding things on perimeters, we're still finding a lot of stuff that folks are surprised is there. They don't know they need to defend their maintenance. As we're moving inside networks that problem just amplifies as the scale increases.
Jon: So you talked about what people want to know, but what do they do with this information, and then who does it? Is it a security thing? Is it an IT ops thing? Does it go to a risk management team? How does that work?
David: Well, in my ideal world, everything would be integrated with a risk management team. Obviously, the industry's not there yet, today. I think the first thing most CISOs are doing is trying to get a handle on what's there. Then they're trying to reduce what they're responsible for. Right? So, get a handle on your surface, reduce your surface. Then it's all about prioritization, right?
Figuring out which things are high risk, where the risks are real, as it were, and then trying to put some controls that are business-centric, figure out which things are most important and focus your defenses around those things specifically.
Jon: Now, one of the things that I'm seeing, I'm sure you've seen this over the last few years, is the uptick in the MITRE ATT&CK Framework. More and more companies not only are using the MITRE ATT&CK Framework, but they're asking their tools vendors to contribute to the killchain that MITRE ATT&CK produces. Is that your experience? How do you fit into that?
David: Well, it's definitely my experience that folks are asking for that a lot. It is one of the easy things for folks to measure, you know, do I have the security check box fit? I think MITRE is great, and that it's a wonderful framework for folks to understand what it's possible to do with a computer. My background as a hacker, I always look at that box and then try to figure out how to hack it, right?
Jon: Right.
David: So, at Randori, we're definitely taking all the attack actions we do on our attack product. We're mapping this to the framework, where we can. Then, we're also trying to push the bounds and make sure that we've got some stuff that either doesn't map cleanly, or that fits a box neatly, but that might not be detected, or expected to be detected immediately by tools. We're really trying to help folks understand what are the bounds of this as a useful tool, and then how to assess whether other vendors' tools are actually working.
Jon: Right. I think there has been a dependence on the MITRE ATT&CK Framework, like it's a panacea. What it sounds like to me is you're finding the gaps there and teaching me, as the CISO, where those gaps are and how to defend.
David: Yeah, I think they've made some good strides in trying to standardize. You know, if you look at techniques, some of them are really big, some of them are really small. So we've got some techniques that we are, well, I guess what we would call an attack, or a run book, or an action, where it might be, you know, 14 things on the MITRE Framework, but it's the smallest thing that we could reduce to, as an attacker actually building software.
We've got some things where it's, you know, one really big thing we do, and it's one box on the framework. Right? So, for somebody to be able to answer a question, like, do I detect this particular technique, doesn't always make sense.
Jon: Yeah. Well, can you stick around for part two of our video?
David: For sure. Happy to.
Jon: Okay. We'll be right back with part two.