We spoke to Hanspeter Karl from Pentera about Automated Security Validation.
Could you tell us something about your background, Hanspeter Karl? How did you get into IT security?
My career started on a different trajectory from where I find myself today. I initially studied political science, communication theory, and sociology, and unexpectedly ended up in the realm of enterprise technology sales. Over time, I’ve had the privilege of contributing to several multinational technology leaders, including Dell, SAP, and HP, but around 2010 I decided to make a change and move into a new industry. I recognized the growing need for security in the enterprise, and realized that there was a major opportunity to provide value. Not long after, I took my first job as a Director of Sales at a German cybersecurity organization. I continued to work with a number of security providers, and it was through my tenure at Cyvera, later acquired by Palo Alto Networks, that I was introduced to Ran Tamir, who later became the Chief Product Officer at Pentera.
What particularly brings you joy in your job, and what occasionally makes you laugh?
The most rewarding aspect of my role is the opportunity to deliver value to our customers. I am convinced that Pentera stands out in the market, offering a solution that is truly innovative and capable of making an impact for any organization, and, as a result, making the world a safer place for all of us. It’s such a rare opportunity to know that your solution can make such a difference regardless of vertical, location, or even what the IT environment looks like. Something that I find funny in my day-to-day work is the reaction of CISOs when I tell them I don’t care about their existing security solutions. They are so used to security vendors asking in-depth questions about their security stack, but I always enjoy the look on their faces when I tell them that it doesn’t impact Pentera’s performance.
What is currently occupying you and your team the most – what questions do customers come to you with?
I think the main question that we face is whether we are really able to automate the complex process of pentesting without any risk of harming the organization. Customers aren’t used to worry-free penetration testing. Too many have been impacted by pentesters who have accidentally caused unplanned downtime, and while they understand the value of continuous pentesting, they are understandably cautious. With our safe-by-design platform, Pentera is able to automate traditional pentesting at scale without impacting the environment. During our one-day PoV, we’re able to demonstrate how Pentera can run penetration tests live in their production environments without causing any harm to their organization. Once they see it live, it changes everything for them. Automated security validation is a revolutionary leap in security testing. Being able to test on demand empowers security teams to continuously validate the security of their organization, instead of waiting for their annual checkup. Once you know it’s possible, you don’t want to go back to how you did it before.
Continuous Security Validation or Automated Penetration Testing is indeed a very young security category. What would you advise interested parties to pay attention to when procuring a solution?
When selecting a security validation solution, the most important factor I would tell people to pay attention to is ensuring your solution is as close to the real attacker mindset as possible. Security Validation is about assessing your organizational resilience against real threat actors. Organizations want to know how their security will perform in the moment of truth. You need a solution that tests your defenses against the wide selection of techniques that threat actors will utilize against you. If your security validation solution utilizes playbooks, you’re automatically at a disadvantage because real hackers don’t utilize playbooks. Hackers are dynamic, and your solutions need to be able to replicate their capabilities. The other factor to pay attention to is ensuring that your security solution is able to test your complete attack surface: On-prem, web, and cloud. Threat actors are not limited to a single part of your attack surface; they can target multiple assets, and their attacks can even move across different attack surfaces. Your security validation solution must be able to test the complete attack surface and account for the dynamic nature of their attacks.
What are the differences compared to vulnerability scanners like Tenable or Qualys?
Pentera goes the extra step to not only discover potential vulnerabilities, but to identify proven exploitable security gaps across your complete attack surface.
Traditional vulnerability scanners excel at cataloging the total count of CVEs (Common Vulnerabilities and Exposures) present in an organization but fall short in determining which CVEs pose a real exploitable threat in your specific environment. Moreover, these tools lack the capability to identify unpatchable security threats, including misconfigurations, at all. So even if you are patch-perfect according to Tenable and Qualys, your system may still be vulnerable to attacks. Emulating attacks against your production environment, Pentera pinpoints exploitable gaps threat actors can use to put your organization at risk. Showcasing the full kill chain, Pentera enables organizations to understand how the hackers can exploit them, enact evidence-based remediation practices, and prioritize real exposure.
What are typical surprises you experience during PoC / PoV?
We never know where the PoV will take us, but we are confident that it will work. Every company’s network and cloud environments are different; different verticals work with completely different IT and security tools, but ultimately we are confident that we will succeed in discovering the potential kill chains within these environments.
The thing that’s most surprising, and it sounds a bit strange to say, is that the PoV is an emotional exercise. Security teams are shocked when they see the payloads and exploits Pentera is able to achieve in real time, and so active, passionate discussions usually take place in the room once the results start coming in. It’s also surprising how often the CISO/CIO wants to be in the room for the summary session at the end of the PoV. As someone who has sold a number of different security solutions over the years, generally the end users within the organization are the only ones in the room, but because of what we’re able to demonstrate, the top stakeholders are very interested in our reports.
From your perspective, at what customer size does it make sense to use an automated Pen Tests / Security Validation solution as a supplement to manual Pen Tests?
I think that any organization that is already pentesting should 100% be using automation. Pentests provide you with a real understanding of your organizational resilience against adversarial attacks. The issue is that in most organizations the rate of testing and the rate of IT change don’t align. Most organizations pentest only every 6 months, while their IT environment changes on a far more frequent basis. Automation allows security teams to continuously evaluate the performance of their security controls at any given moment and pinpoint exploitable gaps in their defenses in real time, before they can be exploited by adversaries. Why wouldn’t you want to identify and reduce your exposure continuously? How can one accept the assumption that their network is protected without validating it?
Which security tool categories do you think are over- or undervalued? For example, would you invest in an NDR or EDR system first?
The weakest link in the organization is the employee. Many employees are not cyber-oriented, and no matter how many training videos and courses you send, they still make elementary mistakes that expose the organization. Employees reuse passwords, click on phishing emails, etc. EDR provides real-time investigation into anomalous behavior to catch threats in real time. It’s a mandatory solution for any organization, and should be the first one any organization gets, in my opinion.
What, in your opinion, are misconceptions in the security field, and what do you perhaps see differently from prevailing opinions?
There are too many assumptions in the security world. Security teams trust that the security solutions they have integrated will keep them secure, but fail to validate them often enough to be impactful. At Pentera we have a motto: Don’t assume. Validate. Most organizations pentest only once or twice a year, and those pentests only test a small percentage of their total assets. If you can’t validate your entire IT environment in a continuous manner, then you are basing the security of your organization on an assumption.
What’s next – What’s on your technical roadmap, what have you set your sights on?
We actually just announced the launch of Pentera Cloud as the market’s first-ever automated cloud penetration testing product. The launch of our cloud product makes Pentera the first end-to-end security validation platform that covers on-prem, web, and cloud environments. This is a game changer for us and our customers because there is no gap in their validation capabilities, no matter what their organization looks like. It doesn’t matter if you have an on-prem data center as well as a mission-critical cloud workload. Pentera is able to pinpoint your riskiest security gaps across your complete attack surface to reduce your exposure and increase your cyber resilience.