Cyber attacks or breaches can cost companies more than just billions of dollars: they also cost operational efficiency, reputation, and time. Yet the problem is that most businesses don’t know where to start on their cyber strategy. OccamSec recently released its new Incenter platform, which provides a dual approach to cybersecurity through continuous penetration testing along with vulnerability research and a threat intelligence team.
In this interview with TechBullion, Mark Stamford, cyber security expert and founder of OccamSec, discusses the key factors that decision-makers need to consider when implementing cybersecurity solutions.
Please tell us more about yourself.
I’m Mark Stamford, the Founder and CEO of OccamSec. I grew up in North London, and I got my first computer at 8 years old – a ZX81. At 11, I saw the movie War Games (starring Matthew Broderick) and it all took off from there!
What is OccamSec and what unique solutions do you provide?
Our focus for every project is to provide a solution to a problem, or answer a question, and not break the bank. For our clients we are usually asked to answer some (or all) of the following questions:
- Who is going to attack us?
- How are they going to attack us?
- Have we already been attacked?
This is usually followed by, “OK, so what do we do about it?”
OccamSec operates an intelligence team who continuously collects data for the analysis and identification of possible threats to clients. Penetration testing and red teaming are done to work out how an attack could happen. These are either one-offs or conducted continuously using the recently launched Incenter product. Finally, if someone fears they have been breached, or wants to ensure an organization they are working with hasn’t been, threat hunting is conducted to look for attackers who are hiding away in networks.
Could you give us a walkthrough of your new Incenter platform, how does it work?
The Incenter platform provides a comprehensive solution dealing with attack surface management, and vulnerability management, and provides intelligence data. Described as a “game changer” by a client, the platform provides context information for issues, enabling clients to focus only on the issues which matter most – keeping their customers safe.
Don’t get me wrong, traditional pen testing remains a useful tool. How useful it is depends on the organization, its objectives, and its threat landscape. For those operating in frequently targeted sectors, point-in-time security testing may not be adequate. For example, Palo Alto’s Unit 42 published its 2022 Incident Response Report covering vulnerability and exploitation metrics last year and found that attackers typically start scanning for vulnerable systems 15 minutes after a publicly disclosed vulnerability.
That’s why it’s beneficial to take a continuous proactive approach to hunt down exposures and preemptively take action. Incenter’s comprehensive approach to vulnerability identification, with intelligence and organizational context, ensures that the attack surface is identified, complex issues are identified (via a combination of automated testing and human experts) and remediation action is taken before issues can be exploited. All of this happens on an ongoing basis, issues are reported as they are discovered, and there is no need to wait for an end-of-engagement penetration test report.
For clients who want to know if they have been hacked, our threat hunt team works with them to utilize what they have in place, and then augment it with technologies as required. The last few years saw the adoption of “assume breach” as a security posture. We never really understood that unless you also “assume I lost my job” and “assume we lost all our data”. However, where someone fears something may have happened, our team will investigate, determine what’s going on, and help fix it.
What are the key factors that decision-makers need to consider when implementing cybersecurity solutions?
What problem(s) do you have in your cyber security? What does your worst day look like? We usually start with one of these two questions and go from there. Listening to clients and the issues they have, what’s important to them, and what they can’t do helps us to decide a) if we can help them and b) if we can, how?
Our intelligence team finds information that we use to determine the threats clients face. Besides collection via automated tools the team also undertakes manual collection efforts because sometimes you can’t just run a tool in a chat forum and expect it to work. And many times, you need to do work to even get into the chat forum – it continues to amaze me how no one seems to consider that the bad guys realize when someone asks “so, how do you do this and what’s your name?” that they probably know they are talking to a security researcher. This information feeds into our other services and also is directly used by some clients.
Most businesses don’t know where to start on their cyber strategy, how can you understand what you need in cybersecurity?
There are a variety of reasons that companies haven’t already fixed their vulnerabilities, but I think the main one is that there’s a never-ending stream of vulnerabilities being discovered which overloads security teams at an organization. This is made worse by the fact that context is usually missing from everything, so you end up being told to fix 500 “high-risk vulnerabilities” by next week, oh and take care of all this other stuff too. Then in two to four weeks this all happens again.
Context, across cyber security, is the critical element that’s missing. What works for a large bank is not going to work for a small online business. Frameworks that seem useful in one sector are useless in another, and the majority of vulnerability scans and pen tests have no consideration for the environment, so the onus is on the end user to go figure it out.
Almost everyone is impacted by cybersecurity and everyone is trying to sell something, how can we get past the hype?
Network perimeters are everywhere an employee is – checking email at a grocery store, gas station, pub… All while tools are being pushed on these companies as this Big Fix. Tools do some good stuff, but with tighter budgets and smaller teams, managing how they interact with systems and especially each other becomes a hole in itself, we see that often. And to be consistently on top of the curve with new daily vulnerabilities – some small, some Log4j – seemingly smaller, low-hanging fruit gets put on the back burner. We show our customers how vulnerabilities affect them from a technical standpoint AND a business impact and cost standpoint as well.
Many of our team have worked in operational roles, so I think we have some empathy for our clients and the problems they face. When you look across our services there is a clear focus on doing what’s best for the client (I suspect everyone in this business says that, but we mean it).
Our team is fantastic, every person does their job and can help others. Historically, cyber security professionals are a little secretive in their work and don’t share knowledge. At OccamSec we have torn that idea down and throughout all levels of the organization, everyone works together.
We are not big fans of useless bureaucracy and hierarchy, we have just enough to ensure we deliver what clients need. Everyone within the company is encouraged to be accountable, not so they can be hung out to dry if something goes wrong, but because if someone is accountable, and they get something done, there is a sense of achievement. On the flip side, if it goes wrong, we deal with it at the moment, make the required tweaks and move on.
The company started as one person and for the first 11 years grew organically. This required us to be efficient across all areas of operations. We work hard to hire the right people, try to ensure they enjoy their work, ensure people get support, and continue to pursue our objective of saving the world (there’s no point doing things in half measures).
What are you currently working on at OccamSec and what is next on your roadmap? Are there any available opportunities for investors or partnerships?
We recently took our first-ever external investment which is helping us accelerate the development of Incenter and bolster our service offerings. While historically we have shied away from playing the standard security game (overhype a product, have a great conference booth, and then blame clients when things don’t work out) we realized we had to no longer just rely on word of mouth and client references to grow, and have started to do work on expanding awareness of our brand, while staying true to our roots (and not overhype our product or spend a fortune on a booth).
We work globally, so our expansion efforts will continue to focus on finding good people and working with them. We are also working on some partnering agreements which will enable us to help even more organizations.