Thaumaturgic Security
Contributed article from Edward Amoroso (@hashtag_cyber)
I love to ask tech start-up founders what it was that prompted formation of their business. I’m usually listening to see if they are driven by some deeply-held personal belief (good answer) or by some greedy, near-term revenue growth objective (bad answer). I also listen for that wonderful moment when the spark was lit in the founder’s mind to hang out a shingle. Such inspiration is infectious, and usually drives customers to hop aboard.
When I asked this question to Brian Hazzard, co-founder of cyber security company Randori, his answer was indeed memorable: “My team at the time was using a guy named Moose to hack our systems,” he explained. “We noticed that every time Moose gave us a once-over, our security improved dramatically. So, I decided to partner up with Moose to create a company that would automate this red team process – and the result is Randori.”
The Moose, of course, is Randori co-founder David Wolpoff, and it is from his LinkedIn profile that I pulled that awesome term at the top of my post: Thaumaturgic. Its Merriam-Webster definition is “performing miracles,” and in the context of expert penetration testing and white hat engagements, it seems a relevant term – and one that potential Randori customers are likely to remember. Welcome to awesome Cyber Marketing 101.
What Randori does involves the automation of penetration testing using a platform that identifies and scans a customer’s attack surface for vulnerabilities. In the early days of simple white hat projects, this was a straightforward activity. But in today’s evolved enterprise ecosystem with remote access, third-party portals, mobile infrastructure, shadow IT, cloud services, and on and on – locating an enterprise attack surface is easier said than done.
“Our cloud-hosted platform basically allows us to launch attacks on our customer’s infrastructure,” explained Wolpoff, “and we can be creative to locate unknown systems and other subtle vulnerabilities that a normal penetration testing process might not notice. And the automation allows us to provide continuous assessment in a way that would be challenging by a team of humans.”
I asked Wolpoff how the Randori platform stacks up against bug bounties, especially ones that employ automated platform support – and he responded that Randori is designed to complement such crowd-based focus. I also asked how Randori stacks up against automated attack simulation platforms and his answer was the same: “We enhance the overall security ecosystem,” he replied, “even if pen testing, bug bounty, and simulation are present.”
The company was founded in February of 2018, so it remains a toddler, but I must say that it comes with some powerful supporters and advisors. My friend Stewart Baker, for example, serves on their Advisory Board, as do Patrick Morley from Carbon Black, and Mike Convertino from Twitter. It would be a real challenge finding higher quality cyber security veterans than that to offer guidance.
So, if you are in the market to complement your overall assurance program with an automated platform that will attack you from the cloud, then give a call over to David Wolpoff, and ask to hear the Randori story. And maybe you’ll be lucky enough to spend some time with Moose as well. Tell him you were inspired by his reference to Thaumaturgic security – and perhaps Randori will work miracles for you.
As always, please share with us what you learned.
About the Author
Dr. Ed Amoroso is currently Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.
*** This is a Security Bloggers Network syndicated blog from Code Red authored by Hannah Klemme. Read the original post at: https://code-red.randori.com/thaumaturgic-security/
