Phil Lewis, Titania: “companies need to consider whether their supply chain takes network security as seriously as they do”

As attacks on enterprises get more frequent and sophisticated, keeping up with your own company’s cybersecurity is not enough.

Over the last couple of years, the number of ransomware and other devastating incidents skyrocketed, and shockingly, even cybersecurity-focused companies were affected. Cases like these show that instead of attacking an enterprise directly, threat actors have taken a new approach – by exploiting vulnerabilities within the company’s suppliers and partners, criminals are eventually able to make their way up to their main target.

Today we are talking with Phil Lewis, the CEO of Titania – a company providing a clear view of the risks and security gaps across the network. Phil believes that checking for vulnerabilities should be a continuous process, not an occasional practice.

Tell us about your journey throughout the years. How did the idea of Titania originate?

For more than 10 years, elite penetration testing, vulnerability assessment, and compliance teams have been complementing their scanning and software vulnerability management with a highly accurate configuration auditing software that we developed and named – Nipper. Nipper and its evolution are at the core of Titania.

Nipper was originally developed to automate penetration testing and device hardening best practice checks to identify exploitable misconfigurations in networking devices. To do this analysis accurately, the software virtually models the device configuration as a single entity, allowing it to consider interdependencies across the network to identify vulnerable configurations. Because this analysis is so granular, it enables the software to categorize the risks it finds and prioritize them by criticality. This is the real value to customers because it allows them to optimize their resources and achieve significant security and financial ROI. It’s why we have so many customers – including the US military, 30+ federal agencies, global telcos, multinational financial institutions, and oil and gas companies, who all advocate using Nipper to secure their networks.

We know that over the years, the scope, scale, and cadence of our customers’ assessment needs have evolved, and we continue to invest in our products and roadmaps to meet their changing requirements. For example, we’re evolving Nipper to meet the needs of larger enterprises and on a continuous basis for the entire network.

We’re also matching our investment in our products with investment in our people – growing our high-performing, diverse team so that we can help more organizations secure their networks from preventable attacks.

Can you introduce us to your Nipper solution? What are its key features?

Nipper is a desktop application that automates the accurate auditing of firewall, switching, and routing devices to detect exploitable misconfigurations that pose a risk to network security. It also provides a network risk context for any issues it finds. Competitor products use the Common Vulnerability Scoring System (CVSS) rather than risk scoring, but Nipper also takes into account other risk factors to the network, not just to the device, including:

  • The impact of the exploitation of the misconfiguration
  • How easy it is to exploit i.e. to assess risk likelihood
  • The time it will take to remediate

To meet the market need for continuous accurate, risk and remediation prioritized assessments, Titania is focusing on scaling Nipper for enterprises and enhancing its compliance lens to help organizations move beyond pass/fail and deliver security that is more in line with regulators’ aims and requests. This involves integrating with more trusted platforms and delivering more intelligence across an entire enterprise, more frequently.

What tools do you use to assess the status of one's network security?

Modern networks can contain hundreds of thousands of devices and potentially millions of endpoints. This represents an enormous attack surface to defend and typically requires a combination of tools to help keep the network secure.

With increasingly sophisticated cyber threats making headline news, threat intelligence, hunting, and management have, too. As a result, the technology and services needed to support threat detection and response programs have rightly held the spotlight on the cyber stage for a long time. However, threats are only a risk when they meet exploitable vulnerabilities. And increasingly, exploitable vulnerabilities, and how to prevent them, particularly in large and complex networks, are back on the agenda following some high-profile attacks on critical national infrastructure organizations.

This type of preventative network security work requires a different set of tools and a different mindset. Worryingly, the tools that many organizations are currently relying on to automate vulnerability detection are perpetuating alert fatigue and are not succeeding in making the day-to-day network security checking process more efficient and effective. In fact, inaccurate automation tools have compounded the skilled people shortage, so auditing networks remains a quarterly (at best) exercise rather than the daily drill it should be, and it often involves sampling. This ultimately leaves networks exposed to potentially critical risks caused by configuration drift.

These challenges are heightened when it comes to firewalls, routers, and switches, which are pivotal to the security of all networks and managed through a complex configuration. It's why organizations need tools like ours to check these devices regularly (ideally daily) for misconfigurations (either accidental or deliberate) that could result in critical security risks. This is an important first line of defense.

Have you noticed any new threats emerge during the Covid-19 pandemic?

No doubt, the pandemic escalated cyberattacks. The rise in ransomware and phishing attacks was well documented – despite the organizations’ efforts to improve endpoint software patching in response to remote working.

The real issue here is that too many networks remain inadequately segmented with users sitting on the same networks as critical applications and data. This means ransomware attacks will remain a simple, automatable and therefore low cost, scalable and lucrative attack vector to be exploited.

Take the Colonial pipeline incident, which highlighted its vulnerability to ransomware attacks. Of course, pipelines have the added complexity that they rely on Operational Technology (OT), as well as IT; devices that are old and were never designed to sit on a network connected to the Internet and are not upgradable/patchable.

The good news is effective network segmentation with continually validated deny all/permit by exception access is key to limiting the risk of critical operational and/or commercial/economic issues from both OT device attacks and ransomware attacks.

More sophisticated attacks are usually more difficult to detect. And if network security is only assessed annually, it increases the opportunity for an advanced persistent threat to dwell undetected while moving laterally until it finds the specific vulnerabilities it seeks to exploit.

While sensitive data confidentiality or availability breaches will often become public as part of a commercial exploit, nation-state attacks can be designed to compromise the integrity of sensitive data and are often more difficult to detect. But are potentially even more impactful in geopolitical and economic terms if successful.

In your opinion, why do certain companies still fail to recognize the necessity of regular security audits?

Mindset. Businesses manage complex risks on a daily basis, so leaders need to adopt a mindset to acknowledge that security risks are now so large, that they must invest adequately in managing them before they cause critical business issues.

Zero Trust, for example, is a mindset, not a technology. Recognizing you simply cannot trust that your network, applications, and employees/users haven’t been compromised. Adopting Zero Trust means you are investing in people, processes, and best-of-breed security automation to continually validate that your employees/users, networks, and applications are secure and that your business operations, customers, and data remain safe.

The point here is this means checking everything as part of a continuous process. What was secure yesterday might not be today. Configuration drift is the perfect example of this, where network engineers make changes to meet operational requirements, resulting in device configurations drifting out of compliance with policy, which in turn creates unintended security risks. The consequences of mistakes can be as devastating in security, privacy, and business terms.

But to check everything, every day, companies need tools that can deliver accurate, prioritized, actionable network information. They need to know which vulnerabilities pose critical security risks – and they need to know how to fix them, wherever they lie on the network. It’s why we are developing Nipper Enterprise, to support customers as they move from regular sampling to continuously assessing every firewall, switch, and router every day. Delivering on two Department of Defense Zero trust reference architecture baseline requirements, namely:

  • Networks are segmented with deny all/permit by exception
  • Devices are managed and compliant with IT security policies

None of this is rocket science but it does require a change in mindset, an investment in continuous good cyber hygiene practices, and a commitment to not just sustain, but develop those capabilities to mitigate future, as well as current attack vectors.

However, I fear, particularly in the United States, it will take an ENRON or MCI Worldcom scale corporate collapse with devastating shareholder and employee losses, probably followed by Sarbanes Oxley style personal, as well as corporate, security accountabilities and penalties, for Boards to act with the required speed and at the required scale.

Besides quality risk management systems, what other security measures do you think should be a part of every modern company?

The need for a zero-trust mindset coupled with the capabilities to validate network security every day, hour by hour. I think following a risk management framework is a sure-fire way to bring about change in an organization. I’m not talking about tick-box compliance but genuinely delivering security from compliance.

Industry often follows governments when it comes to security best practices, and there are a lot of recently introduced standards and requirements, such as NIST 800-171, that are publicly available. There is nothing to stop companies from adopting it as their security north star to protect their confidential corporate and customer information.

Companies also need to consider whether their supply chain takes network security as seriously as they do. And if a company follows the same risk management framework as you do, it is a great way to assess this.

What dangers can customers be exposed to if a company they trust struggles to ensure compliance?

Today, “security” isn’t just about how secure your business is – it’s about your entire supply chain. An attack on your business could impact the businesses you work with and vice versa. The SolarWinds attack is the perfect example, where malicious code was pushed out to thousands of clients, including Fortune 500 customers and government agencies.

The repercussions of incidents like this can be massive. Besides the loss of data and sensitive customer information, you can face severe fines and lose contracts, especially if you do business with the federal government. These reputational and financial losses can crush a business.

It can also prevent you from acquiring business deals, as increasingly contracts are being written to ensure that cybersecurity requirements extend to a contractor’s supply chain. We’re likely to see more and more of this.

So, if your network security strategy doesn’t feature supply chain risk management – it isn’t complete. How you manage supply chain risk will depend on the sector in which you do business and your organization’s appetite for risk. But you do need to consider it, nonetheless.

In your opinion, what kind of attacks are we going to see more of in the upcoming years? What can average Internet users do to protect themselves?

Supply chain attacks have proven to be particularly devastating. The reach is broad and impactful, so we expect to see them continue and increase. We’re also likely to see more attacks as a result of insider threats – not just in terms of employees but compromised software, too.

Ransomware and phishing schemes will continue to prosper, too. Not to mention a rise in more sophisticated cyberattacks on critical infrastructure, as the tragic situation in Ukraine has highlighted. It has long been recognized that a determined attacker will gain access to a network eventually using one out of a variety of techniques. Therefore, inhibiting lateral movement wherever possible through continuous security and/or compliance assessments within effective zero-trust frameworks is key.

And of course, average internet users are not immune to attacks either. Keeping up to date with OS patches for laptops, phones, and other devices, as well as investing in trusted and continuously updated anti-malware and anti-virus software is critical.

Again, we come back to the theme of continuous security. It’s not enough to check for vulnerabilities once a quarter – organizations and people need to be doing this daily.

Tell us, what's next for Titania?

There is a lot on the horizon! We’re focusing on our enterprise product and launching a roadmap of integrations designed to help our customers automate all the work needed to improve the security and compliance posture of their entire fleet of firewalls, switches, and routers. Our aim is always to help customers reduce their mean time to detect network misconfigurations and improve their mean time to remediate risks. All of these new enhancements will support users on their mission to establish a defendable network.

We’re also focused on how we can help our customers demonstrate continuous compliance with new mandated security frameworks. For example, PCI DSS 4.0 is launching in Q1 of 2022, affecting millions of companies worldwide who will now need to make cardholder data security a continuous focus. So, we are working to refine our products’ assessment and reporting capabilities to help customers easily demonstrate their compliance with the framework.

We are also growing our leadership team, having recently welcomed a new VP of Engineering, Claire Clark to the team, and we’re recruiting for other strategic hires to support our growing list of global clients. What’s great for me is to see how many people who are truly passionate about and experienced in cyber, support our story, and want us to be part of theirs. We’re doing great things together and are very proud of that as a team.