Combining External Attack Surface Management and Crowdsourced Security Testing – Webinar Recap

Bugcrowd offers crowdsourced security testing through a community of white hat hackers. CyCognito offers automated discovery of an organization’s externally exposed attack surface. Combined, the two solutions allow for a comprehensive inventory of exposed assets to be included in the scope of bug bounties or pentests.

Last month, Casey Ellis, Founder and Chief Strategy Officer of Bugcrowd, and Rob Gurzeev, Founder and CEO of CyCognito, sat down to discuss the joint solution and the impact on security teams. Their conversation covered how businesses see security today, how technology has changed the security game, the real impact of AI, and how far automation can take security teams. 

Below are excerpted highlights from their conversation, lightly edited for readability. If you want to hear the whole conversation, the video replay is also available here.

On Why Organizations Need to Rethink Their Approach to Security

Casey Ellis:  In 2014, the internet looked radically different, and I expect that trend to continue over time. The consumer views cyberspace as the extension of their physical environment, and when you think about humans and how they consider physical safety, it’s transiting onto the internet now, and I think that’s a really important thing to consider for everyone.

Probably the second piece is that CISOs – they’re almost a victim of our own success at this point in time – because cybersecurity is being integrated into just overall risk management for a business. It has been treated historically as this kind of weird geeky thing that sits in the corner, but you’ve got stuff like SEC regulations being passed that actually hold boards accountable for their understanding of cybersecurity and different things like that. That puts a lot of pressure on a CISO to basically be a bridge between what’s happening from a technology and a threat standpoint and the business and into risk management from an overall governance standpoint.

Rob Gurzeev: If you go back 20 years, even Apple, Google and those guys had maybe one website exposed to the internet – so one web application. They had between zero and one networks connected to the internet. So, I think that when these practices and technologies were developed, folks knew what to focus on, and it was mostly a routine and a pretty straightforward process in the sense of scope. One huge difference conceptually is now when you have thousands of networks connected to the internet, and you have thousands – sometimes tens of thousands – of web applications connected to the internet, and every DevOps instance, every router, every internal tool might have something exposed to the internet.

The scoping questions and coverage questions are completely different. And maybe that’s becoming a huge portion of the overall challenge and the work versus 20 years ago.

On Why Security Technology from Ten Years Ago is No Longer Sufficient

RG: Nmap, Nessus, classic pen testing and other such tools, have existed since, I think,’ 96, 97 or so. I think most people would say they haven’t changed much, maybe some would say at all,  over these almost 30 years. My co-founder Dima and I were surprised that for 20-plus years these are the [tools] used by many enterprises to do so much.

On the visibility side, one of the biggest challenges is uncovering these complete unknowns, as well as unknown unknowns, and blind spots.  For example, port scanning cannot lead you to find a subsidiary you don’t know about or the cloud asset that is used in this marketing campaign. There are so many edge cases that are extremely hard to find.  You can find them manually, but that can take weeks to months speaking from experience.

CE: No, look, I fully agree with all of that. I think my perspective on automation, just in general, is that bad guys operate in the gaps. So whatever we figure out how to automate and solve, do as close to a hundred percent as we can as defenders, their literal job as a criminal, the business model of criminals, regardless of what their incentive is, is to innovate past those gaps and figure out what we’ve left behind. So to me, this idea of automating to solve a security issue to 100 percent, it’s kind of not necessarily the game that we’re playing here. It’s like how do you use automation and leverage it to get as much efficiency as you possibly can with the things that are able to be automated. 

On the Bugcrowd/CyCognito Partnership

CE: How we make use of automation is again an example of why I get super excited about this partnership. Because the way and the thoughtfulness that’s been applied to solving the EASM problem that CyCognito has in the hands of people that are thinking about how to use that and then go forward and create impact based on that knowledge, that’s a really powerful combination. Ultimately it doesn’t make sense for [white hat hackers] to do that stuff themselves anymore. I think the bug bounty hunters figured out [automated recon] was a useful way to find risk back in 2013. The fact that this is a problem in the first place is kind of old news. We don’t need people to repeat that message. [EASM] is a perfect candidate for automation. And that’s sort of where I think the automation piece comes in to actually help us do what we do as well.

RG: That’s a very cool and very important area I think that you guys are innovating in, which is how do you communicate scope recommendations, target, and success at scale with customers, and ideally continuously.

On Compliance

CE: I think when compliance was first introduced, part of that question is the really important part because compliance in a risk management and especially in a cyber risk management context is meant to be a trailing indicator. And I think more often than not, we’ve treated it as a leading one. So the whole idea of like, yeah, PCI DSS says I need to do these things once I’ve done these things, we’re good to go. That was never really the intent of compliance frameworks in the first place. The idea is to say, okay, here’s your minimum height to ride the rollercoaster, and if you’re not doing these things, then you’re really not doing a good job. It’s more of a baseline, but I think we treat it as the goal oftentimes from an implementation standpoint. I honestly think the reason for that is that security’s hard.

RG: From conversations I’ve had with CISOs and risk leaders over the years, ten years ago, I would say carefully most management teams didn’t know exactly what to measure, and maybe that’s how compliance became a prominent tool, a proxy to Are we secure? So people were asking, Are we secure? And then you would get some kind of an answer from the CISO and then you would have compliance, but maybe that was it. In most organizations, even Fortune 500, I’m seeing exponential increase. There’s still a lot of way to go, absolutely. But exponential increase in CEOs and board members’ interest in what’s actually going on.

On Continuous Testing

CE: when it comes to continuous testing, the reason we don’t do it is that paying people by the hour to test on a 24x7x365 basis, people need to sleep for starters. So that just doesn’t work from the outset, but the economics of actually making that work on the defender side don’t really make sense. So this idea of, in an ideal world, if that was possible, we’d do it, we’d have human creativity applied on a continuous basis to understanding what kind of risks do we have, what kind of things might be new, what techniques have been newly discovered out there on the internet that we might be vulnerable to. We saw obviously Log4j as kind of the bingo card example of where that popped up as a problem that we needed to solve very suddenly, and that was a very busy couple of weeks for us because we deployed the crowd to answer that question, and the customers that were using the crowd on a continuous basis had that question come in organically without them having to trigger that action.

I do think this idea of distributed collaborative contribution, it does solve that access issue. The idea of being able to share that problem out amongst a group of the right people who have the right skills and the right levels of trust and all those different things that match them most appropriately with your company and the problems that you’re trying to solve.

On AI

CE: We’ve used AI in the triage queue for six or seven years. So it’s funny to hear AI talked about as this brand new thing that’s just kind of dumped on the internet. I think what’s happened with ChatGPT and others that have kind of popped up over the past period of time, that they’ve radically democratized access to this kind of tooling and availability of that type of power to the user, and that’s captured the imagination of just about everyone, including us. OpenAI is a customer of ours. We work with Google Philanthropic, a bunch of the others that are working on the foundational LLM piece, and it’s a fascinating space and it’s transformative. So I’m not diminishing it, but that is to say that this kind of automation’s steered how we’ve gotten to this point already. So I think going forward, it’s going to be a lot more of the same.

RG: From my perspective, and for example, we use bayesian ML models, which as Casey mentioned, are actual AI, even though they were available 10, 15 years ago at an enterprise grade. With those types of models, combined with NLP, graph data models and other technologies, you can actually map everything, test everything continuously. And then you can have your scarce resources, wherever they are, to focus on the most exploitable assets you have.