ESG's Jon Oltsik talks with David Wolpoff of Randori about SOAPA. This is part 2 of a 2-part series.
Jon: Welcome back to part two of our SOAPA video series. I'm here with David Wolpoff, CTO of Randori. Thanks again for coming, David.
David: Pleasure. Happy to be here.
Jon: So, let me ask you, so CEOs are saying, I need better visibility into cyber risks. I want to make decisions based on what are the most pressing risks and spend money effectively. Does your software, does your service roll up to a CEO level? And if so, how?
David: Yeah, I hope so. I agree with CEOs who are interested in trying to answer those questions. The biggest thing that I'm trying to help organizations understand is a holistic risk picture, right? Business-based risk, what's working, what's not. So, in that sense, yeah, the Randori whole platform is all about helping CISOs be able to report upwards better, helpful to be able to synthesize and understand business risk in a real way.
Jon: Okay. And now, you mentioned the platform. Can you articulate, give me some more details about your platform.
David: Sure. So, Randori software is a service like everybody else these days. It's just an automated attack platform, so it's exactly the same thing you'd expect an adversary to have but put back in the hands of a defender so they can understand how an attacker comes at them, how they view them, how they go after it. So, we've got two core pieces, reconnaissance, which is finding all of your stuff and helping you wrangle it and then attack, which is helping you figure out where the real weaknesses are.
Jon: Okay. Now, that gives me a lot of information. But how does it help me improve my operations and my processes? Because I could get into information overload a lot of times with penetration testing as you know, kind of historical, traditional penetration testing. I got a lot of data and I just reported that up. So, how can it really help me improve?
David: Yeah. So, what we're focusing on is trying to overlay an attacker's perspective on insights that a defense team already knows. So, if you're doing your defense well you probably already understand what your most important assets are or what I would call impact. I as an adversary can tell you what are the things we would attack first, can attack first or most likely to attack, as well as where are attacks working, where are they not working?
So, that gives you likelihood. So, if we overlay impact and likelihood, then we can actually tell you risk. If you can reduce your risk surface, obviously life gets better.
Jon: Yeah. And is there an automation component? So, you tell me that a certain asset's at risk because of a configuration error on a firewall or something. Is there an automation component to immediately change a rule setting?
David: Yeah. So, we're actually still experimenting with how we're integrating with various customers' environments. So, we provide a continuous platform, something changes on a perimeter, we go see that and then we take automated actions based on that. We've got an API and we're feeding that data back to our customers so we've got some folks who are integrating directly into response workflows. We're doing actions.
We've got some folks who are using us more purple or red team where they're keeping our actions hidden from their core blue teams so they can assess whether they're actually responding in an efficient way.
Jon: Okay. And so, SOAPA is all about an integrated architecture. So, you're hinting at that, give me more detail?
David: Yeah. I think the biggest thing that anybody should be focused on is reducing cycle times, right? Whether I'm a developer trying to get features out to the world faster or whether I'm a, you know, SOC analyst trying to improve my response faster. As we've seen these integrations come across, right? SIEM building into this kind of SOAPA framework that we have now. It's all about can I respond to things in my environment?
Can I change the way I respond to things in my environment? And can I manage the processes for that in an efficient way? So, Randori provides this authentic attacker, right? Point, counterpoint. You're a defender, we're an attacker, and you can actually interrogate, be that programmatically or via human review where your defenses, your processes and your people have lapses. Which things in a forensic workup were right and wrong, and then you can iterate quickly on how your people are using the tools that they're dependent on and how they're iterating on those processes.
Jon: Yeah. And where I've heard integrations are with SOAR platforms to do that automation, automated remediation and interestingly with deception tools or deception assets to learn from what you're doing and then make the decoys much more authentic.
David: Yeah. I think that that's a valuable insight. You know, one of the biggest failings that I'd ever seen as a red teamer providing services prior to the founding of Randori was that folks would do a forensic workup or they'd do an eviction, right? They threw out their adversary and they assume that they got it all right, because they don't know what they don't know. And then if you're trying to figure out, you know, did my deception technology work or did my endpoint security actually detect the pieces?
Or did I just build the right pictures when I was putting together the report to the C-suite? You know, they never had a way to check whether they did that correctly. So, hopefully, we can provide that experience in a way that integrates seamlessly into those workflows.
Jon: Well, I think you're on your way and actually I'm hearing from customers, which leads me to my last question and that is what's the future for Randori in the context of SOAPA?
David: Yeah, I think for us, it's all about how we more tightly integrate with specific workflows that folks are working through. Like I said before, it's really all about integrating cycle times, we're at reducing cycle time so that folks can get stuff done quicker. Ultimately, you know, the industry is moving towards risk-based management, right? Trying to figure out like what matters the most and put the most defenses around those things.
So, if we can measure actual risk, you know, get the impact data combined with likelihood and then iterate our responses and you need a framework around which you can do all of that work.
Jon: Yeah. And from my perspective, in the risk management formula, we've focused as an industry on the threat side but not as much on the vulnerability side. And I don't mean software vulnerabilities, I mean my business process vulnerability. So, you guys are, I think you're in the right space for this.
David: It's good to hear it for sure.
Jon: Okay. Well, thanks for coming. And stay tuned for more SOAPA videos in 2020 and beyond.