Rob Gurzeev, CyCognito: "felons need to find a weak spot, while security teams must defend the whole attack surface"
As cyberattacks become more common, organizations need to discover and protect their own weak points.
Although more companies are starting to take their cybersecurity seriously and adopt advanced measures to combat emerging threats, many still struggle to understand their own network perimeter.
To avoid having sensitive information compromised through an overlooked vulnerability, a clear view of the full attack surface should be a core part of any cybersecurity program.
Today we are talking with Rob Gurzeev, the CEO of CyCognito – a company specializing in securing the full attack surface. Rob explains that to evaluate and mitigate risks, one must adopt the perspective of an attacker first.
How did the idea of CyCognito come to life? What were your major milestones throughout the years?
The CyCognito journey began with an awareness that attackers often have the upper hand. They only need to find one weak spot, while security teams must defend every possible point of entry in an always-changing attack surface. To compound the problem, most organizations have potential points of entry unseen by security teams but easily discoverable by threat actors.
With this context, my Co-Founder, Dima Potekhin, and I wanted to shift the paradigm where instead of deploying agents or instructing a port scanner to scan a few known IP ranges, we would create a solution that worked like a world-class attacker, meaning it would begin knowing only a company’s name and then proceed to identify the assets most at risk and the most tempting open pathways. We looked to simulate an attacker's whole offensive operation, starting from step one, where the attacker knows only the target company’s name and has “compromise” as an objective.
In 2017, we took our national intelligence agency experience and began to make this happen with the mission of protecting organizations from exploitation, using publicly accessible intelligence and methods used by highly organized, well-funded nation-state actors.
I would say that the major milestones for CyCognito are these: the founding of CyCognito in 2017, being named a Gartner Cool Vendor in 2020, as well as receiving Series A, B, and C funding.
Can you tell us more about your External Surface Management Platform? What makes it stand out?
The CyCognito platform delivers attack surface protection by giving security teams the perspective of an attacker. The platform automates offensive security techniques to close the gaps left by other security solutions including external attack surface management (EASM) products, vulnerability scanners, penetration testing, and security rating services. Attack surface protection for the entire attack surface is achieved by combining the market’s most advanced EASM capabilities with automated multi-factor testing, to discover and eliminate the paths of least resistance that attackers are most likely to use to compromise organizations. The platform then prioritizes the security gaps discovered and provides actionable remediation guidance with a contextualization of assets, classifying their business purpose, and attributing them to specific organizations within the enterprise.
There are many things about the CyCognito platform that make it stand out from the competition. The main features are automation – from discovery to remediation, our ability to map an organization’s external attack surface and reveal business relationships across the enterprise, our ability to prioritize high-risk threats, and the depth and scale of our security testing.
You often mention the importance of risk management. Why is this practice crucial?
Security teams are overwhelmed with information and alerts about potential risks and are in a constant state of having to triage: to determine what is most relevant and urgent, and what falls below the threshold of requiring immediate action. Security expertise and resources are limited, so it is not possible to fix everything, and teams need to make difficult decisions about where to focus. Often these decisions are made based on “institutional knowledge” such as what is and isn’t a “crown jewel” that must be protected. As organizations grow and constantly change, it’s impossible for most companies to discover changes and establish an understanding of what assets are valuable, and how they may be at risk. Therefore, the imperative is to find a way to manage the risk that is rooted in hard facts about what is part of the attack surface, whether and how it is at risk, and how to prioritize the risk that must be resolved first.
Risk management is the product of every other part of your security program. It means identifying risks by testing assets for vulnerabilities and security issues, prioritizing and mitigating those which impact the business’s risk profile the most, and monitoring those which you cannot fix immediately. As with everything in an organization, tradeoffs must be made to achieve your goals. The best way to approach these tradeoffs is with the most information and context about each issue. External attack surface management provides this insight and context from an outside-in perspective, which is the same way attackers view you as a target. Combine that with your other threat detection technology and telemetry, and you have a 360-degree view of your security and risk posture.
How did the pandemic change organizations’ approach to cybersecurity? Were there any new features added to your services as a result?
Many organizations needed to quickly adopt an almost entirely working-from-home (WFH) model due to the shelter-in-place orders early in the pandemic, and many have maintained that WFH model or moved to a hybrid model. This means that understanding how attackers might exploit remotely accessible entry points and the options available to block them are more critical than ever before.
To enable the WFH or hybrid model, organizations expanded the purchase and use of virtual private network (VPN) solutions, remote desktop solutions, and increased reliance on cloud environments and applications. VPN and remote access gateways have always been ideal candidates for adversaries to target, and their increased use in the wake of COVID-19 amplifies these risks.
Our external attack surface management platform has always discovered and prioritized these remote access exposures as security issues for organizations, even pre-pandemic. Having these types of internet-exposed issues has always been seen as a risky, albeit sometimes necessary, practice, but being aware of them is key to monitoring and protecting them from a breach.
In addition, the pandemic forced many organizations to escalate their digital transformation projects. Organizations undertaking digital transformation projects typically find their attack surface growing in ways they didn’t foresee. The focus on digital transformation may leave them in a position where they are open to ransomware attacks because of exposed pathways in their IT ecosystem of which they were completely unaware. The rewards of a well-executed digital transformation may outweigh the risks, but the security risks are real. For organizations that have missed building their digital transformation initiative on a strong attack surface management foundation, the time to start is now.
With work from home becoming the new reality, what are the best practices companies should incorporate to keep their workload secure?
VPN solutions vary widely in their performance, quality, and approach to security. When relying on a VPN for secure transmissions, an organization should institute an independent verification of the security of the implementation. Of course, having a VPN provider check the security of their own solution is a start. However, it’s not enough because it’s like relying on a company that sets up security fences to verify their effectiveness – if that fence provider is asked if the fence is adequate, they will of course say yes.
The CyCognito platform observed an increase of 7 times the number of newly deployed, and thus exposed, RDP servers in March of 2020, which is not surprising given the massive shift to remote working. What is surprising is that two-thirds of those RDP servers don’t have the recommended Network Level Authentication (NLA) implemented. NLA is a mitigation tool that prevents unauthenticated access to the RDP tunnel and dramatically decreases the chance of success for RDP-based worms. NLA is recommended as protection against vulnerabilities like BlueKeep, CVE-2019-0708, a widespread and wormable RDP vulnerability discovered last year that still exists on many networks.
I also want to mention the ongoing increase in cloud adoption. Whether sanctioned or shadow IT, it results in an increase of security risks, and it is a reality that security teams must factor in as they manage their security programs. The increased risk associated with cloud services may be due to lack of visibility into abandoned cloud environments spun up by various departments or, more significantly, due to the fact that legacy security tools are simply not designed to identify cloud assets and the attack vectors associated with them. In any case, working remotely will undoubtedly fuel more growth in the adoption of cloud services, increasing the need to continuously monitor for security gaps and then secure these environments.
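The RDP/NLA exposure Rob describes above can be checked without credentials, because enforcement of NLA is visible in the very first step of the RDP handshake. The following is an added example, not CyCognito's code: it builds an X.224 Connection Request carrying an RDP_NEG_REQ that offers TLS but not CredSSP (MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2), and classifies the server's Connection Confirm. A server that enforces NLA must refuse with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER; one that accepts the TLS-only offer, or that sends no negotiation response at all, will let a client reach the login screen unauthenticated. The sample responses at the bottom are constructed, not captured from real hosts; the `check_rdp_nla` helper and its port/timeout defaults are assumptions for illustration, and it should only be pointed at hosts you are authorized to test.

```python
"""Probe whether an exposed RDP server enforces Network Level Authentication (NLA).

Added example (not CyCognito's code). Only the RDP negotiation step is spoken:
no credentials are sent and no session is set up.
"""
import socket
import struct
import sys

PROTOCOL_RDP = 0x00000000     # legacy "Standard RDP Security"
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

FAILURE_CODES = {
    0x1: "SSL_REQUIRED_BY_SERVER",
    0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER",
    0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER",
    0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ."""
    # RDP_NEG_REQ: type=1, flags=0, length=8, requestedProtocols (little-endian).
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: length indicator, code 0xE0, dst-ref, src-ref, class 0, variable part.
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian).
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_confirm(data: bytes) -> dict:
    """Interpret the Connection Confirm to a request that offered PROTOCOL_SSL only.

    Returns {"nla": "enforced" | "not_enforced" | "indeterminate", "detail": str}.
    """
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT packet")
    length_indicator, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if length_indicator == 6:
        # No RDP_NEG_RSP at all: the server predates the negotiation extension
        # and speaks legacy RDP security only, so NLA cannot be in force.
        return {"nla": "not_enforced", "detail": "no RDP_NEG response; legacy RDP security only"}
    if len(data) < 19:
        raise ValueError("truncated negotiation payload")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError(f"unexpected RDP_NEG length {neg_len}")
    if neg_type == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, f"UNKNOWN_FAILURE_{value:#x}")
        if value == HYBRID_REQUIRED_BY_SERVER:
            return {"nla": "enforced", "detail": f"RDP_NEG_FAILURE {name}"}
        # Other failures (e.g. no TLS certificate installed) say nothing about NLA.
        return {"nla": "indeterminate", "detail": f"RDP_NEG_FAILURE {name}"}
    if neg_type == TYPE_RDP_NEG_RSP:
        if value & PROTOCOL_HYBRID:
            # Non-conformant: CredSSP was never offered. Do not draw a conclusion.
            return {"nla": "indeterminate", "detail": "server selected CredSSP it was not offered"}
        return {"nla": "not_enforced",
                "detail": f"server accepted selectedProtocol={value:#x} without CredSSP"}
    raise ValueError(f"unknown RDP_NEG type {neg_type:#x}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during RDP negotiation")
        buf += chunk
    return buf


def check_rdp_nla(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Connect, offer TLS only, and classify the answer. Authorized targets only (assumed helper)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        header = _recv_exact(sock, 4)
        body = _recv_exact(sock, struct.unpack(">H", header[2:4])[0] - 4)
    return classify_confirm(header + body)


# Constructed sample Connection Confirms (not captured from real hosts) for offline use.
SAMPLE_CONFIRMS = {
    "nla_enforced":  bytes.fromhex("030000130ed000001234000300080005000000"),
    "tls_only_ok":   bytes.fromhex("030000130ed000001234000200080001000000"),
    "legacy_no_neg": bytes.fromhex("0300000b06d00000123400"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_rdp_nla(sys.argv[1]))
    else:
        for name, pdu in SAMPLE_CONFIRMS.items():
            print(name, classify_confirm(pdu))
```

Run with no arguments to see the three constructed cases classified; run with a hostname to probe a server you are permitted to test. The classification is deliberately three-valued: only HYBRID_REQUIRED_BY_SERVER proves NLA is enforced, and failure codes about TLS certificates or flags are reported as indeterminate rather than counted either way.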
Since many companies have started to adopt cloud solutions to enhance security, are there any details that might be overlooked in the process?
With the shared responsibility model of the cloud, the outstanding question of “who is responsible for security in the public cloud?” often remains at issue. The answer to that question depends on what kind of service you use. Is it SaaS, PaaS, or IaaS? Each of these operates with a different shared responsibility model. The service provider is supposed to take care of securing their backend infrastructure but the customer of the service is responsible for securing their own assets in the cloud.
With so much of the extended IT ecosystem now residing in the cloud, an excellent way to validate security effectiveness is with an outside-in approach using an attack surface and risk management solution that will:
- Identify any assets an organization has in the cloud that already present a risk of exposure because they can be targeted by an outsider.
- Identify if any of these resources are misconfigured or vulnerable to attack.
- Prioritize the problems identified based on business context and the severity of the security issue.
- Identify the team responsible for the assets in question.
- Regularly rescan and update.
When all of these points are addressed, organizations can take that prioritized set of issues and get to work using their extended security resources (e.g., which may include subsidiaries and partners) to solve them. This way, they will find and fix the most critical cloud security issues first.
Why do you think certain organizations struggle to keep their cybersecurity up to date?
Security-related organizations face a myriad of challenges in staying on top of cybersecurity. First, there is a well-recognized shortage of security talent to keep up with attackers. On top of that, there are more and more vulnerabilities and other weaknesses discovered today than there were just a few years ago, and the IT sprawl has also increased exponentially.
The good news is that a significant number, in fact most, of those vulnerabilities or exposures are either on systems that don’t lead anywhere, don’t house any confidential data, or have no known exposure. Because of that, there are no serious risks present. The key is to ruthlessly prioritize based on present risk and continuously monitor this set of potential attack vectors to know in real-time when that risk level changes.
In your opinion, what kind of cyberattacks can we expect to see more of in the near future? What actions can individuals take to protect themselves?
I believe that attackers who infiltrate systems will continue to get more and more sophisticated in how they utilize that initial infiltration to get more money out of the target organization and downstream actors like employees, customers, or partners. Whether it’s using the initial access to exfiltrate sensitive data and demand ransom in return for not publicly releasing the data (on top of a ransom to avoid critical system shutdown), or something like using said data to execute a targeted phishing attack, most attackers are financially motivated. That said, I expect to see more cases revolving around stolen data.
Share with us, what’s next for CyCognito?
We see tremendous value in combining our attack surface insights with threat intelligence to give enterprises a real-time view into how they are affected by in-the-wild threats. We will continue to invest in these capabilities to make it faster for organizations to understand the risks present on their attack surface.
Over the next year, CyCognito will incorporate more capabilities in executive and board-level reporting on risk for self-assessment and third parties. This will build on the platform’s market-leading attack surface discovery and security testing to provide actionable risk intelligence for business-level decisions about security posture management.
In addition, we will continue to invest in our technology partner ecosystem, making it easier for enterprise security teams to integrate CyCognito’s attack surface intelligence into their broader security programs.