Security Awareness Training

Automating Breach And Cyber Attack Simulation

Expert Insights Interviews Marcus Carey, founder of Threatcare and Enterprise Architect at ReliaQuest

Expert Insights Interview With Marcus Carey Of ReliaQuest

ReliaQuest is a global security model management platform, known for its GreyMatter solution, which is built for enterprise security teams. In 2019, ReliaQuest acquired Threatcare, an attack simulation vendor founded by Marcus Carey. Carey was a former cryptographer for the US Navy and is now a well-known security expert and innovator.

ReliaQuest’s GreyMatter platform integrates security data from SIEMs, endpoint detection and response platforms and threat intelligences feeds to automate threat detection and response. At RSA 2020, ReliaQuest announced Verify, a new feature of Greymatter based on the Threatcare platform. It allows customers to quickly see the results of a simulated attack from both the point of view of the attacker and the defender, ensuring superior detection and response across all of their security controls.  

We caught up with Carey at the show, to talk through his career, the ReliaQuest platform, and why cyber-attack and data breach simulation is so important.

The Threatcare Platform

Threatcare was initially founded out of a need for automation, identified by Carey through a varied career in multiple security roles. “I started out in the Navy,” Carey tells me. “I was working for various American intelligence agencies as part of the military, and then worked for contractors. For some reason, I kept on falling into the role of testing if our security tools were working or not. After a number of years, I realized that there needed to be a way to automate what I was doing.”

Carey found that every organization he visited had tools that they wanted to put to the test. Tools could be anything from new technologies organizations were looking to purchase and implement that needed testing, to systems that had been left in place for years, running in the background.

Carey identified a need for organizations to be able to test these tools, without requiring a highly technical user like himself to come in and test their systems. “I wanted to allow anybody to be able to test their security technologies, without having the skills of an expert hacker.” he says. “That’s why I created Threatcare.” Threatcare provided organizations with an automated way to test their security tools were working effectively, with simulated breaches and attacks.

Carey says the partnership with ReliaQuest was a natural progression to a platform that combines automated attack simulation with more operational capabilities. “We allowed people to test their network, but what we quickly found is, we could help people identify flaws, but the question we had was, how do we help people to fix those flaws? That’s where the ReliaQuest platform fit.”

Now the ReliaQuest and Threatcare products are integrated, users can continuously perform simulated attacks, and then instantly verify that those vulnerabilities are secured. This allows users automated continuous testing and defense of their security products.

The Verify platform is deployed as an agent that is installed on endpoints. “The agent is able to perform local activity on the endpoint that imitates a hacker,” Carey tells me. “It will simulate ransomware and try to infect other machines.”

This testing helps to show the effectiveness of enterprise security tools to stop hackers, and malware attacks. The tool also analyses networks traffic and performs data exfiltration, to simulate multiple kinds of attack vectors.

Why Enterprises Need Continuous Security Testing

The need for continuous security testing is hugely important. Large enterprise organizations will often have dozens of security tools in place, often for many years. But an important part of the security model process is testing of the services to ensure that they are still working effectively. Carey argues that the best way to test security models is with continuous testing of solutions.

“Cybersecurity should not be a ‘set and forget’ situation. I’ve seen organizations spent millions of dollars on tools that didn’t work for them. Every environment is different, and you have to consider all the nuances, and test tools to make sure they will work for you.”

One of the major trends that ReliaQuest sees security testing is a lack of strong endpoint coverage. Often, after implementing security testing, organizations will find they are missing granular visibility at the endpoint level, which is crucial to combat threats such as ransomware attacks.

Another major trend they see is organizations deploying cloud-based technologies, Carey says. It can be a challenge for organizations to measure how well cloud-based security tools are working, and what the effectiveness of one solution is over another.

It’s important for organizations to remember that there can never be 100% guaranteed security, Carey says. “100% security is not going to happen,” he says. “You need this automated, continuous testing approach.”

The Verify platform works on two levels of continuous security testing. Firstly, it ensures that security tools including firewalls and endpoint protection is working. Secondly is the need to ensure that products are operating across the organization and giving security teams the visibility they need across the organization.

“You have tools at a functional level, and at an operational level,” Carey says. “Functionally, you to know if firewalls are actually working, if the lights are turned on, if the ports are plugged in. From the operational perspective, asking ‘does my team have the information that they need to block these threats?’”

In large organizations this issue of a lack of visibility across security threats is a big problem. Large enterprises can often have only 40-50% visibility across their environments. Out of the visibility they do have, organizations can find it very difficult to measure the effectiveness of their security tools, without using applications that continuously automate security testing.

One of the main use cases for is in organizations undertaking mergers and acquisitions. Usually this means undertaking a full security audit of all the tools in an organization, and automated security testing is a very quick and easy way to accomplish this.

In many occasions, the first-time organizations only start to look at their internal visibility is when they have already been hit by an attack, Carey says.

“From a preparation standpoint,” he says, “running these simulations, running these activities, and then seeing what the data tells you is hugely important for incident response and being proactive in the future.”

Find out more about ReliaQuest here: