BreachLock’s New EASM Platform, SET – Interview with Cybercrime Ventures

Attack surfaces are growing rapidly, making it increasingly challenging for enterprise CISOs to manage external risk. With shadow IT assets being launched outside of the SOC’s visibility, the increasing use of APIs, and just the overall speed of digital transformation, security leaders need an effective way to not only identify their external attack surfaces, but also to continuously manage external threat exposure.

External Attack Surface Management (EASM) has proven to be an effective solution to managing external risk in large enterprises, as it gives security leaders the ability to discover external assets, identify existing breaches, and run vulnerability scans on findings altogether.

The Rising Need for External Attack Surface Management Explained

In a recent interview, Seemant Sehgal, Founder & CEO of BreachLock, a global leader in Pentesting as a Service (PTaaS), unveils BreachLock’s new EASM platform, BreachLock SET (See External Threats). Cybercrime Magazine’s Steve Morgan investigates CISOs’ need for a strong EASM solution and drives a deeper discussion about the value of combining EASM and penetration testing into a new, continuous threat exposure management (CTEM) approach.

Watch the full interview here, or watch and read along with the full transcript below.

Hackers Only Need to Be Right Once

Steve Morgan
BreachLock is a great site, not just for your platform, but you have a blog there and a lot of resources. I go out to the site, I was reading the blog a couple of weeks ago, and before rushing out to write my own blog I said, “Oh we better have Seemant come on.” The company is doing something really exciting with your new EASM platform, which we’re going to get to in a minute.

As a lead-in, I want to ask you about something you wrote in that blog. You said that criminals only need to be right once, but defenders need to be right every time. Explain that to us.

Seemant Sehgal
I think that statement is powerful. It kind of explains what the cyber security professionals are up against. Just like any other thing in the world, the bad guys need one point of entry to commit a crime – and cyber security is no different because we’re up against some bad people. With the expansion of IT, cloud, IoT, and APIs getting exposed, this problem is becoming even more complex, because now we’ve got a lot more to protect.

The other aspect of this thing is, that cybercriminals are extremely smart people. You should respect your enemy, so I’m coming from that standpoint here. They’re smart people, and they would not go after something extremely complex. They’re looking for the easiest window or the easiest door that has been left open, whether it’s bad governance or a missing patch, or just an asset that a marketing team came up with outside the purview of the CISO. No matter what it is, it’s that one single mistake – that blind spot – that the attacker is going to take advantage of, and that’s very true in our industry.

The Benefits of BreachLock SET for EASM

Steve Morgan
Seemant, talk to us about BreachLock’s new EASM or External Attack Surface Management solution. What is it and what does it do for the CISOs? We have a lot of them tuned in now and the security leaders who work for them.

Seemant Sehgal
The EASM solution is called SET for See External Threats – and that’s exactly what it does. In our 4.5 years of existence in the industry and after serving thousands of clients, we have close to 850 active clients on the platform now. There was one question that was popping up all the time from the CISOs that I met. One of them said, “Seemant, I’m really worried about that shadow IT component – things that I don’t know of. How do I deal with what I don’t know?” That was one thing that always came up.

The second thing that always came up to us was, “How can I make my cyber exposure management a continuous process?” Instead of doing point-in-time red teaming or point-in-time pen testing, how can I make this into an always-on endeavor, so I know in real time what my vulnerabilities and exposures are?

To answer these two questions, we set out on this journey to come up with this attack surface management platform that we call SET.

It does three simple things:

1. It’s an always-on component in your IT infrastructure, in your security stack, that’s going to be out there looking out for every asset that hits the Internet or is seen by attackers from an external attack surface perspective. This includes domain names, subdomains, IP addresses, ASN records, you name it. There’s a ton of information being collected around the clock, and all we need is the company’s domain name to start – that’s how easy it is to set this tool on its way to give you a continuous feed of your attack surface.
2. The second thing that it does is go onto the dark web and explore the unexplored territory to find out if your credentials and your user accounts have been exposed – and that is a fear and a concern that a lot of CISOs have discussed with me personally. They wanted to solve this problem next to the external attack surface discovery part, so we included that as a benefit that we offer our clients. When you combine these two things, asset discovery and breach discovery, the next question that comes to mind is, “Ok, how did they get there, and what are the vulnerabilities that I’m exposing on these assets?” That can then be a deciding factor to prioritize what you go after in terms of mitigation and maybe even another investigation into what, exactly, the problem is.
3. The third benefit that we included in the platform was a high-level security check. It’s a very quick vulnerability scan that will run on any externally exposed asset. Again, it doesn’t matter if it’s a website, IP address, IP block, API – whatever that is, it’s just going to tell you if there’s a high, medium, or critical vulnerability that we can see from that quick scan perspective.

When you combine these three sets of information, you can understand where you stand from a high-level security check perspective. You’ve got all the bells and whistles on the table to make a prioritization decision.

That’s where we, as the PTaaS vendor, come in – because it’s not just this EASM platform. We also have Penetration Testing Service. When you discover things, you didn’t know about and prioritize what to go after first, we can help you build the case from a pentesting perspective and tell you exactly what the attackers did to get in and demonstrate that to you in a pen testing report. Then, we help you with the remediation – that’s the most important piece. In the end, you don’t just want to discover things, you also want to fix them, so that’s the value proposition of SET that extends itself further into our PTaaS platform.

Steve Morgan
Seemant, BreachLock has a large customer base. I’m curious, what does it look like for them to get up and running? What kind of time is involved? Is this part of the platform that they’ve already been using, or an update? Then I’ll ask you about brand-new customers coming online with you.

Combining PTaaS and EASM for Powerful Attack Surface Management

Seemant Sehgal
It’s both – we wanted to see how our clients would react to this platform, and the response has been incredible. It is a separate platform, just to be clear, but we offer everything in a modular fashion within BreachLock. You don’t have to buy it all and can go module-by-module if you’re just looking for that web application security posture piece, then you could go after that. Then if you wanted to add the external network piece, you could do that, and the internal network could be another step.

The same goes for SET. You don’t have to buy it as an all-or-nothing package, and the response that we’ve got is that it’s kind of beefed up our demand on the pen testing side. We can have them up and running in just 30 minutes, and within an hour you start to see your attack surface emerging right in front of your eyes. Again, it’s always on, so it’s a continuous process, and once the CISOs start to see something that they weren’t aware of that, for example, one country launched a marketing website, sustainability project, or charity initiative as a part of the larger brand, they want to know if that’s a big risk for the brand. It might not carry any sensitive data or credit card data in the end, but you still have your logo on there, and for a bank that could be a big deal.

We’re seeing very quick adoption from our clients, and beyond that, we’re saying once they discover new assets, they want to pentest them. On the new client side, it’s a very easy discussion to have with the CISO now, because the first question we ask is, “Would you like to see something that you don’t know of but exists in your threat landscape?” If the answer to that is yes, then it’s an easy discussion to start.

What we’re also seeing is, Steve, that when we go to new clients with the combined propositions of the continuous asset discovery, the breach detection, and pentesting, it’s an unmatchable deal on the table. With our incredible team and the support that we give to our clients, we enjoy our good reputation, so we’re loving every moment of it. I think it was it was a great effort from the team to come up with a product like this that fits so well into our strategy as a PTaaS provider.

The Secret to Building Powerful Cybersecurity Solutions

Steve Morgan

Seemant, before we let you go, talk to us a little bit about your people. You have such an outstanding team, and we call them the BreachLockers, maybe we picked that up from you – I don’t even remember, but we put a video out, and you’ve got one of the best teams in the industry. I know that it is tied to your client base and why companies choose BreachLock. Just tell us a little bit about the team.

Seemant Sehgal
It’s an incredible team we have. The team is based out of multiple countries from different backgrounds with a different set of experiences, and I couldn’t be prouder of the team we have. The secret to that success is that our hiring process is really intensive. We take a lot of time, not so much on the skill set or the expertise that the candidate comes with, but we are always looking for that passion, that drive, that cultural fit that is common to each person that’s on the team. It’s a good mix of great technical talent and strong leadership backgrounds. Some of our leaders came from large corporations like Cisco and IBM, and some from banking. It’s a good mix – diversity is driving us forward, and I hope that will continue to be the case for many years to come.

Steve Morgan
Seemant, always great to have you on with us. I think we’ve been talking to each other for around two and a half years now, and you sort of understate what you’re doing while being passionate about it and you over-deliver. That’s why we’re excited about BreachLock, so we’ll have you back on with us next quarter for a follow-up.

Seemant Sehgal
Absolutely – thanks for having me again.

Steve Morgan
I’m Steve Morgan, Founder of Cybersecurity Ventures and Editor in Chief at Cybercrime Magazine. Joining us today was Seemant Sehgal, Founder & CEO at BreachLock®, developers of a World Class, award-winning penetration testing as a service platform. For more information on BreachLock, visit BreachLock.com.