Rickard Carlsson, Detectify: “attack surfaces have been expanding for years, and it isn’t slowing down”


As organizations’ tech stacks evolve, security efforts become decentralized, and new methodologies to accelerate the development lifecycle emerge, a simple vulnerability scan once in a while is no longer enough.

Even though recent cyberattacks have forced businesses to turn to various cybersecurity solutions to protect their assets, many still struggle with understanding the extent of their own attack surface. With the abundance of company devices nowadays, having a clear view of the full threat landscape is no longer an optional security measure but a necessity.

To find out more about the importance of continuous and automated scanning, alongside low-noise vulnerability assessments, we sat down with Rickard Carlsson, CEO at Detectify – a company making sure that an organization’s external attack surface is secured.


How did the idea of Detectify come to life? What were your major milestones throughout the years?

Detectify was founded on the premise that the internet is flawed and web security testing should be accessible and automated, enabling companies to identify and remediate vulnerabilities quickly. We come from a bug bounty heritage, but we took this concept to the next level by automating ethical hacker submissions into our products. This benefits all customers instead of only one company at a time. The Crowdsource community of ethical hackers that powers Detectify has identified almost 240,000 vulnerabilities in customer assets, submitted more than 1,765 modules, and received over 300 0-days in recent years. Since 2014, Detectify has been working to address the security team’s challenges that fit some of the use cases today aligned with the External Attack Surface Management (EASM) space. This was seven years before Gartner identified Attack Surface Expansion as a major security trend. With a global customer base of over 1,900 customers, Detectify currently manages more than 5.5 million domains and yields an accuracy rate of 99.7%.

Can you tell us more about your attack surface management products? What makes them stand out?

Detectify is a holistic platform for managing risk across the entire external attack surface. The platform discovers all unmonitored, unused, or forgotten assets, tests the entire environment for vulnerabilities, and helps organizations prioritize and remediate the vulnerabilities that represent the most to their business. Many attack surface management solutions are little more than glorified vulnerability scanners. They may have strong discovery capabilities, but their assessments are prone to false positives and/or flagging vulnerabilities that, while present, do not actually represent risk to the business. Detectify delivers the industry’s most accurate vulnerability assessments.

Detectify not only discovers assets, ensuring that our customers maintain visibility into all their internet-facing assets, but Detectify’s continuous payload-based testing utilizes payloads sourced from our elite ethical hacking community to deliver 99.7% accurate assessments. We don’t just scan for vulnerabilities. We test with real payloads to determine if there is an actual attack path present that an attacker could exploit. Furthermore, our assessments take the customer’s unique business context into account – we don’t flag vulnerabilities that don’t represent a real risk. We monitor the entire attack surface, we deliver the most accurate assessments, and we flag the ones that matter most to each security team.

With Detectify, security teams can transition from constantly chasing alerts to holistically managing risk. Our assessments are tuned to the organizations’ unique business context, and the platform is fully customizable – we recently introduced Attack Surface Custom Policies, a new tool allowing organizations to quickly and easily enforce their own custom security policies across the entire attack surface.

It is evident that the crowdsourcing practice is extremely important for Detectify. Would you like to share more about the benefits of this approach?

Our Crowdsource community gives us the unique ability to test customer environments with 100% payload-based testing. New security tests are added daily, with submission to implementation in as fast as 15 minutes. We do not simply scan for CVEs, and we do not test in a way that isn’t indicative of how an attacker might exploit a customer environment. When we learn of a vulnerability, our community develops a real payload that we use to test the environment. This means that when Detectify flags an issue, it is of real concern. It isn’t just some vulnerability that, despite its high CVSS score, doesn’t actually represent a risk to your business. When we flag a vuln, it’s because there is a real attack path that an attacker could exploit to harm your business. We don’t waste our customers' time. Our customers value us because we tell them what they really need to know. Our Crowdsource community is key to this.

How did the recent global events change organizations’ approach to cybersecurity? Were there any new features added to your products as a result?


The recent global events are concerning but don’t actually change a whole lot in the threat landscape. The expanding attack surface was already the biggest problem security teams faced, and it’s not as if organizations have accelerated or slowed the speed of development in response to global events. Companies are still provisioning new apps and services at a breakneck pace, making it difficult for their security teams to manage, and Detectify has regularly rolled out new features to help our customers manage risk across their entire attack surface.

The reality is digitalization drives business value. This means that more companies are provisioning more assets more quickly, creating convoluted tech stacks that are extremely difficult to monitor and defend. This leads to an increasingly active threat landscape as hackers see the opportunity to exploit vulnerable organizations and overwhelmed security teams. The recent global events obviously have not helped, but it’s not like everyone was doing a great job defending their attack surfaces before. It was already a problem.

With work from home becoming the new reality, what are the best practices companies should incorporate to keep their workload secure?

Organizations need to stop fixating on “remote work” or “in-office work”. There is only “work”. You have a certain number of endpoints and assets to defend. You have an expanding and complex attack surface. Wherever people are adding components to your attack surface, that is your concern. Many organizations keyed in on the idea of zero trust during the early days of the pandemic when remote work became the new reality. Many companies struggled conceptually with the perceived loss of central control and bringing all these new endpoints online and clung to the notion of “Zero Trust” as their best defense.

However, the concept of central control was largely an illusion anyway, and zero trust doesn’t really address it. Attack surfaces have been expanding for years, and it isn’t slowing down. While enforcing some zero trust policies to ensure protection of your endpoints can help, an outside-in approach is much more sustainable. You’ll never get all your employees to obey every single security policy. Your best bet rather is to manage risk holistically across all your internet-facing assets.

To survive in this landscape, organizations need to be realistic. You aren’t going to catch every single vulnerability, and you aren’t going to stand up an IT estate that is 100% bullet-proof. You need to know what you have – you can’t defend something if you don’t know it exists – and you need to manage risk. Keep an accurate inventory of all your assets, identify risk hot spots, and prioritize the threats that matter to your business. It’s the only sustainable way to approach security.

Why do you think certain organizations struggle to keep their cybersecurity up to date?

A lack of resources simply hampers many organizations. Every week there are new surveys detailing the security talent shortage, and it’s telling that in a time of belt-tightening and layoffs, the one job that isn’t getting cut is cybersecurity. Furthermore, many organizations simply have a massive amount of technical debt to deal with – many have grown through M&A and thus have no idea what assets they have, who has the keys to each asset, or how to defend them.

Even organizations that have the resources – perhaps cloud-native organizations that also aren’t burdened with a huge amount of technical debt – still struggle mightily with prioritization. This is a challenge for virtually every security team, and the proposed solutions have not delivered the desired results. Many companies devoted a lot of energy towards “shifting left.” But while catching vulnerabilities in development is good, even companies with mature DevSecOps strategies still end up with vulnerabilities in production. It isn’t the silver bullet they had hoped for, and this is fairly typical of many proposed solutions. A lot of companies have devoted a lot of resources towards technology that theoretically helps them find every single vuln. But all this really does is bury their security teams in alerts, making it impossible for them to identify and prioritize the risks that really matter to their business.

Organizations need a way to manage risk holistically across their entire attack surface. Security teams don’t have time to investigate every single alert. They need solutions that understand their unique business context and deliver accurate assessments that help them prioritize. Security teams are under-resourced and overworked. The last thing they need is solutions that create more work for them.


Share with us, what’s next for Detectify?

Focus on continuing to build the best solution to protect organizations’ external attack surfaces.