Interview: How Continuous Visibility Into Your Cyber Assets Can Help You Navigate The Threat Landscape

Jamie Cowper is VP of Marketing at Noetic Cyber, a leading cyber asset management provider that gives organizations enhanced visibility into their attack surface. Cowper is an experienced B2B marketeer in the cyber space, having worked with companies such as Symantec, Nok Nok Labs and IBM before taking on his role at Noetic, where he currently works to identify the company’s strategic market position and drive worldwide marketing efforts.

At Infosecurity Europe 2022, we spoke to Cowper to discuss why it’s so important to understand the relationships between cyber assets, how continuous visibility into their assets can help organizations navigate today’s threat landscape, and the most common security shortfalls that Noetic is seeing amongst their customers.

Can you give us a brief overview of Noetic Cyber and the solutions that you provide, and what sets you apart from other solutions in the cyber asset management market? 

Of course. Noetic Cyber are a relatively new company—we were founded during the pandemic. We’re co-headquartered in Boston and London, so we have a team over here in the UK and a lot of our development and engineering is out in the Boston area.

We’re in the cyber asset and attack surface management space, which is a hot market at the moment. Out at RSA and again here at Infosec, it’s certainly been a major topic of discussion. What we’re doing is integrating with the existing tooling that companies have, including many of the vendors at the show— security tools, but also IT management and business applications. And we’re continuously using API connections to fetch the asset related information from those tools, which we then aggregate and correlate, and display in a graph database.

This analysis, as well as this improved way of presenting the information, allows us to really understand the hierarchies and the relationships amongst an organization’s assets.

Assets are important, but it’s actually the cyber relationships between them that’s crucial. You care, of course, if a machine has vulnerabilities, but you care even more if it has vulnerabilities and it’s supporting a tier one application, or it’s the CISOs laptop. That context is really where the cyber risk information comes from.

If you look at the background of the founders of the company, they all come from the Security Orchestration, Automation, and Response (SOAR) market, from a company called Resilient Systems, which was acquired by IBM back in 2016. We wanted to leverage what we’d learned about automation in order to not just find and show these coverage gaps, but also to try and close those gaps and fix those problems.

Who are your typical customers, and what are the main challenges that you help them to solve? 

It’s one of these problems that is less industry-specific, because everyone has this problem of not knowing quite what’s in their environment. But we’re certainly seeing organizations in financial services, energy and utility companies, and telecoms as more focused on this area at the moment—ones that perhaps are more highly regulated or more associated with critical national infrastructure.

The challenge they’re facing is twofold. First, everyone’s getting attacked a lot more. Second, the complexity of everyone’s environment is increasing. Everyone is on a journey to the hybrid cloud, and the way we work has evolved. No one’s got rid of their on-premises environment completely, but they are consuming containerized solutions and SaaS applications in greater numbers, and the way they buy and source them is very different and decentralized. This means that there isn’t the same procurement security gate for a lot of companies where, if they buy something, it has to go through a certain checkpoint and the asset gets registered.

So, understanding what they have and how it relates to the rest of the environment is very difficult today, because of these siloed applications. And that difficulty may be also related to events such as  mergers and acquisitions. When companies are acquiring or merging with other organizations, and they don’t know what’s in that other environment. How can they figure that out in a non-intrusive way that doesn’t interrupt business, but which allows them to understand whether there are some significant cyber risks?

Noetic helps organizations to continuously improve their cybersecurity posture. What’s the importance of continuous visibility and improvement in the modern cybersecurity threat landscape? 

The first thing you see is some pretty obvious security coverage gaps, and this is true of every organization. There’s always a percentage of the estate they just don’t know is there, and they don’t know what they don’t know. So, those near-term coverage gaps can be a quick fix and an easy win for security teams—you implement EDR to keep track of your endpoints, and a vulnerability scanning tool to keep everything up to date.

But visibility also improves those tools’ efficacy because, if you’ve invested in a vulnerability solution from one of the many vendors out there, you want it to work effectively. And if it doesn’t know about a particular area of the organization, it can’t be effective. So, greater visibility enables you to start levelling up.

We talk about things like toxic combinations—and every organization has slightly different ones, but it might be something like, “I’ve got a machine with access to PII, which hasn’t had multi-factor authentication enabled.” Visibility allows you to see the total risk by assessing that combination of factors, rather than each one separately.

And that combination of things is what you can really start digging into with cyber asset management. What the technology is great at is helping organizations get a little bit better every day, because we provide that visibility continuously. So, as new assets are coming into the organization, we’re plugging those gaps and you’re improving your security posture a little bit every day.

A lot of the solutions at Infosecurity Europe are focused on helping you to get faster at responding to incidents. We’re more on that preventative side; posture and hygiene and improving the organization’s overall cybersecurity resilience on a daily basis.

We’re hearing a lot about prevention vs. detection in the industry at the moment, especially when walking around the floor at conferences like this. Could you tell us a bit more about where you sit on that?

We do seem to swing backwards and forwards as an industry. Some people say, “We know incidents are going to happen, so how can we get better responding to them?” and that’s completely valid, and investment in XDR and associated technologies are a reaction to that but, at the same time, we need to stop having so many incidents and try to stop them before they start.

If, for example, we can identify which vulnerabilities are truly exploitable, we can at least fix those ones before an attacker can find them. It’s that arms race that everyone’s in, and it’s important to keep that balance between the left and right side of boom.

Are there any common themes that you see when people implement Noetic? What are the most common security gaps and errors that people are making, and how can they best be avoided? 

Absolutely. The cloud is the wild west, really, in terms of getting basic security principles in place, such as scanning for vulnerabilities and getting endpoint security deployed. So, there’s definitely still a lot to do in those areas. And there are a number of different approaches that people can take to do that.

But common misconfigurations, unencrypted data volumes on cloud estate, multi-factor authentication—these are still the big challenges. How do we ensure that we have MFA enabled across all critical applications, for example?

And everyone’s got too many vulnerabilities to manage. So the question is, how do they reduce that from hundreds of thousands of theoretical vulnerabilities, to a relatively small number of ones that they can realistically manage between security, IT and DevOps?

Once you’ve helped an organization identify those pain points or vulnerabilities, how can they use that information to strengthen their security posture?

When we build connectors into common security tooling, we’re looking to make them bi-directional. So, if I’m extracting asset information from Rapid7 or Tenable, I should also be able to trigger a vulnerability scan, or to start a patch management process that’s also involving other tools. What we’re aiming to achieve is a self-correcting loop, as we find and identify common problems.

The organization also needs a clearly understood remediation path, which can be a challenge. When you look at automation, in a lot of security use cases, there’s still an uncertainty; the security team is nervous about breaking stuff in an automated fashion, but with asset management, we’re saying, “This is what good looks like, and what you’ve got has drifted from that. So, how can we return it to that good state in a way that isn’t going to break anything?”

So, with our solution, we have an integrated automation workflow capability. We can set up comprehensive workflows that will either trigger an existing process—if an organization already has a very well-documented vulnerability workflow, for example—, or we can run that in the Noetic platform and work with the tools that we’re already integrated with through APIs.

Finally, what is your advice to organizations looking to implement a cyber asset management solution, what are the key things they should look for? 

It’s tricky because you don’t know what you don’t know. But organizations could start by asking, “What are the use cases we need?” That’s going to depend on where you are on the journey to the cloud. If the organization is ‘cloud-only’, the focus is going to be on common misconfigurations or securing S3 buckets. And that comes back to understanding and prioritizing the threat surface as well.

Whilst we’re very focused on the asset, it doesn’t mean that you shouldn’t be informed by external threat intelligence, based on the relevant industry and who the attackers might be. We see a lot of value in layering this information against the MITRE ATT&CK framework. MITRE is interesting because it focuses on the tactics and techniques that threat actors use, but you can use the MITRE mitigations to start from the other end and say, “Well, if you have this mitigation in place, then actually you’re okay against this attack method.” So, you can identify what mitigations you have in place against certain common attacks, and then use that to help build your environment.  Other frameworks are available too, obviously, but anything that helps you standardize is very useful.

I also love the work that CISA has been doing in publishing a list on known exploitable vulnerabilities. That’s such an amazing resource, not just for US companies, but for the world at large, because it helps us all prioritize our efforts. So, use information that’s already out there to help you identify which areas to prioritize, and then start from there. Don’t try and bite off too much at once, you won’t get it all done on day one.

Thank you to Jamie Cowper for taking part in this interview. You can find out more about Noetic Cyber’s cyber asset and controls management solution via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.