Casey Ellis, Bugcrowd: “worst cybersecurity habit is operating under the false pretense that a breach will not occur”
As more companies move toward a preventive approach to cyberattacks, bug bounty programs have emerged as a way to put many eyes on an organization's systems and so gain a more comprehensive view of potential threats.
Bug bounty programs have been gaining traction recently because of their unusual approach to cybersecurity: by letting individuals and companies draw on a pool of security professionals and talented researchers, they help find and fix vulnerabilities quickly, scoped to the client's needs.
Casey Ellis, Chairman, Founder, and CTO at Bugcrowd, which connects users and security researchers in a bid to identify vulnerabilities, discussed with us why bug bounty programs are so essential in today’s cybersecurity practices.
Can you tell us more about your vision? How did Bugcrowd come to be?
I started Bugcrowd for two reasons: To connect the latent potential of the whitehat hacker community with the unmet demand of the cybersecurity problem and to keep my buddies who hack in good faith away from jail. Bugcrowd set out to create a radical cybersecurity advantage and level the playing field between attackers and defenders. And now, there is a wide acceptance of crowdsourced security as an essential layer in the security stack.
Bugcrowd was founded in 2012, a year in which almost every industry, including banking, education, government, big tech, and even security, was hacked. Many, if not all, of these companies were doing “all” they could to protect themselves against these hacks, and yet they were still left vulnerable. 2012 was also the year we had the “lightbulb moment” where Bugcrowd began connecting the latent potential of the whitehat hacker community with the unmet demand of the cybersecurity market and commenced assembling an army of adversaries with an army of allies.
This army of allies has since grown into a diverse, skilled force to be reckoned with, made up of hundreds of thousands of security researchers. Bugcrowd celebrates what the Crowd has done for cybersecurity collectively and individually. We have invested in the Crowd from the beginning and are thrilled to see it pay off for our researchers and the research community as a whole.
Having received millions in funding throughout the years, what do you think makes Bugcrowd stand out in the industry?
The reality is Bugcrowd meets a critical need within the cybersecurity space, acting as a middleman between businesses and security researchers. As security continues to be a top spending priority for enterprises across the globe, the financial and operational leverage that Bugcrowd's platform enables is a highly strategic asset. With record year-over-year growth, including 100% bookings growth in the North American enterprise market and a 100% increase in critical vulnerabilities submitted to customers, it is clear that Bugcrowd is the leader in bug bounty programs because we deliver results and make cyberinfrastructures safer.
Bugcrowd’s proactive approach to cybersecurity and utilization of human intellect and creativity to find vulnerabilities and identify bugs paves the way for a more secure future. Bugcrowd has led the way for bug bounty programs to become valued as an asset in cybersecurity, and this demand-driven innovation was recognized for its fullest value and potential by investors early on.
You take great pride in your bug bounty program. Can you briefly explain what this practice is about?
In order to prevent handing adversaries a prime opportunity to target corporate networks, organizations must enhance their security strategies and augment their internal resources with the help of external security researchers. Bug bounty programs can serve as a security force multiplier within an organization’s security strategy, allowing organizations to proactively engage the on-demand talents and expertise of highly skilled, global security researchers, known to us collectively as "the crowd" and sometimes called ethical hackers, to identify vulnerabilities within their network before they can be exploited. This approach allows organizations to better balance the economics and resourcing available to the swarm of potential malicious adversaries, as opposed to the traditional approach of addressing vulnerabilities once a cyberattack has occurred.
Bug bounty programs are ultimately a subset of a universally critical concept, vulnerability disclosure programs (VDP), which provide a secure channel and clear terms for security researchers to safely disclose vulnerabilities to a company and receive monetary rewards for their findings. In turn, organizations can address or patch vulnerabilities without the time constraints of fixing a vulnerability once an attack has taken place. This additional time to address vulnerabilities can make or break an organization’s business, as most enterprise leaders are not aware of what a cyber-attack entails or how to resolve it until after an attack has occurred.
How did the pandemic test cybersecurity worldwide? What vulnerabilities were exploited the most?
There has been a rise in cyber attacks since the onset of COVID-19. Similar to the gradual digital transformations of recent years, the pandemic forced many organizations to adopt new technology, but at an unprecedented pace. In many of these cases, cybersecurity did not remain top of mind during these breakneck-speed digital transformations, and towards the back of 2020 and into 2021, the increasing velocity of major breaches has given weight to this trend.
The rapid and globally synchronized shift to work-from-home was hugely impactful from a security attack surface standpoint, but we were collectively focussed on the same goals. As the dust begins to settle on the pandemic, a new threat emerges: technological disruption as a result of a transition to hybrid work, where the goals are widely varied and generally less defined. As a result, the home is now viewed as part of the attack surface, and this introduces such a vast number of new variables that it's safe to say that we don’t really know how that works yet. This is a disturbing development because it is so easy to determine the home address of a potential target these days, bringing the employee’s house into scope as a newly vulnerable attack surface.
Similarly, how should security measures work to protect Zoom video calls? We are all working on these same problems, but there is no easy solution because the approach to hybrid work differs for every organization. Anytime complexity increases, it also increases the potential attack surface.
We have seen increased interest in consumer IoT and home router zero-day exploits, with attacks following close behind. In the past, the home as an attack vector was rarely interesting to sophisticated nation-state attackers or cybercriminal gangs, but we should expect to see more activity in this area over the coming year.
Even though penetration testing has gained momentum over the past few years, why do you think it is still not a widespread practice?
I am increasingly convinced that a lot of what we see on the internet is ultimately the product of people not thinking that a significant cyber attack would be possible in the first place. It's like this idea I call “ostrich risk management,” where if you bury your head in the sand, all of a sudden the problem will not matter anymore. There has been a period of time in technology and on the internet where that has actually been true, where people have gotten away with not doing as much as they should have. But especially over the past two years, with changes in the use of technology and changes in adversary behavior as well, it is obviously not a good strategy going forward.
Through my work with management, leadership, and the elite, the general attitude seems to be that security errors are going to happen and that mistakes will happen, and while accepting this is a part of cybersecurity, it is more beneficial to an organization’s infrastructure to address vulnerabilities. The rollout of a vulnerability disclosure program has nuanced challenges, but Bugcrowd is a key player in the space because we so effectively address the needs within an organization by connecting businesses with security researchers to navigate the cybersecurity landscape and identify cyber risks within their organization.
You have recently released your annual “Inside the Mind of a Hacker ’21” report. What would you consider to be the main takeaways?
The “Inside the Mind of a Hacker” report revealed a lot about the introspection that was driven in light of the pandemic for the general community and security researchers alike, especially within the context of the Great Resignation. However, this has played out in the hacker community in ways that are productive rather than detrimental to the industry. Eighty percent of the people we surveyed had found vulnerabilities they had not encountered before the pandemic. This was partly a product of technology change, but also because hackers are learning new things.
On the tech side of it, 74 percent of the folks responded that vulnerabilities, in general, had increased since the onset of COVID-19. This supports the onset of a digital transformation and how essential it is to pivot in response to the pandemic. Speed is the natural enemy of cybersecurity, so the “Inside the Mind of a Hacker” report was able to shed some light on this swift shift in how we need to approach cybersecurity in a virtual world. This is something that hackers excel at in technology, because people understand emerging trends and changes in ways automated approaches do not. We have seen a lot of shifts in vulnerability patterns that do oftentimes look like a product of people just doing stuff quickly and not necessarily thinking through the downside.
In your opinion, what are the worst organizational cybersecurity habits? Which bad practices do you come across most often?
The worst organizational cybersecurity habit is operating under the false pretense that a breach will not occur at your organization. There are often lax approaches to security by management because that is how they have always run the business, or security teams feel safe relying on traditional methods despite the fact that attacks are more damaging and occurring at a far higher rate than ever before.
Cybersecurity risk management is similar to, and as essential as, insurance for your business. Each policy offers a means to protect yourself and your family from financial losses (e.g., hospital coverage), and many policies include things that are designed to reduce the likelihood of those losses occurring in the first place (e.g., fitness benefits, preventative healthcare, etc.).
While buying these policies doesn’t guarantee that the policyholder will be immune to “having a bad day,” it does deliver reassurance and pathways forward should a negative event occur.
In today’s business landscape, there are several basic cybersecurity policies that are becoming increasingly critical to adopt. Whether companies are just beginning to roll these out or view themselves as experts, cyber defense strategies must be proactive and robust like using cybersecurity frameworks, establishing a risk assessment rulebook or checklist, leveraging threat intelligence for improved risk prioritization, utilizing penetration testing for vulnerability insights, and rationalizing security tools by measuring the cybersecurity return on investment.
Which cybersecurity solutions do you see gaining traction in 2022?
Ransomware has been working well for the bad guys for quite some time now as a highly effective and lucrative criminal business model. Just like any regular business, things that work tend to accelerate, receive investment, and evolve, and we should expect to see a continuing acceleration in the adoption of ransomware tools in 2022 by attackers, including the criminal enterprises funded - or shielded - by nation-states.
The ransomware problem is particularly obvious in the healthcare sector. Shutting down computer networks at hospitals and clinics can quickly spiral into a case of life or death for patients, and the increased awareness of healthcare's critical nature makes it an attractive target to hold to ransom. I hope this predicament will force providers to innovate by developing a new category of security solutions to disrupt the economics of ransomware.
We saw a promising development in Q2 of 2021 when the insurance firm Lloyd’s of London retracted their insurance policies for ransomware payments in France. Lloyd’s adjusted their policies to not pay ransom costs anymore, likely because their actuaries told them it was irrational to insure against this problem - we're just not very good at preventing it yet. That step will likely signal big changes coming for the insurance, fintech, and security industries in the year ahead and beyond.
And finally, what’s next for Bugcrowd?
What has made Bugcrowd particularly successful in the crowded cybersecurity market is that we have had core values and a commitment to our mission since Bugcrowd was founded. Our principles and our ethics impact everything we do, and it has allowed us to achieve the level of growth and success that got us to this point.
As far as where Bugcrowd is headed, we plan to continue to level the playing field between attackers and defenders through continued investment into the ethical hacker community. We have made progress in changing the narrative surrounding what it means to be a hacker and through continued advocacy and education, ethical hackers will be viewed as the essential cybersecurity experts they are.
Also, as bug bounty programs continue to rise in popularity, we want to expand to work towards our goal of making the Internet safer. Bug bounty programs are a vital tool for private and public agencies alike, and this year the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency of the US government, selected Bugcrowd and EnDyna to launch its first federal civilian enterprise-wide crowdsourced vulnerability disclosure policy (VDP) platform in support of Binding Operational Directive (BOD) 20-01. It has been gratifying to see bug bounty evolve into a major tool in the cybersecurity arsenal.