Aug 31, 2023

Security Boulevard Community Chats Webinars Library Black Hat: Security Validation With Pentera’s Aviv Cohen Shira Rubinoff: Hi, this is Shira Rubinoff. I’m here with Aviv from Pentera. Aviv, it’s such a pleasure to be with you here today. Can you please share with our audience who you are and what you do with Pentera? Thank you for having me. Shira Rubinoff: Pleasure. Aviv Cohen: My name is Aviv Cohen, I head marketing in Pentera. Pentera, for those who don’t know, is a security validation software company. What we do is identify risk and help its mitigation and we do it by emulating real attacks, exactly taking the adversary point of view and running tests against one, infrastructure. Actually, our customers do it themselves in a DIY fashion. Just run the tests against the latest attacks and see what they need to fix in their infrastructure to reduce exposure. It’s as simple as that really. Shira Rubinoff: Excellent. And how do you differ from other companies out there? Aviv Cohen: So the big banner we carry is automated security validation, which means as opposed to if we go back at the day, pen testing is a manual operation and security audits are also manual. We do it completely automated. It’s just amazing. Some people compare it to a house iRobot Roomba, where you set the scope or the template and you press test and Pentera actually does the rest and it does work of a pen tester, fully automated, available to you 24/7. Many of our customers, and we have over 800 enterprise customers in production today, use Pentera daily. So if you want to compare it to what was like old days, once a year pen test, and then throughout the year you have no really good idea of what your posture is in terms of the attacker perspective, now you can run it daily in a very agile, sprint way to do incremental patching and remediation and keep that strong posture. So automation is one of the big differentiator. And we’re also an agentless technology. Shira Rubinoff: Oh, that’s important. Aviv Cohen: So some people compare it to different breach and attack simulation players, BAS. In that case, you need to install agents in all places of your infrastructure and run some playbooks of attacks between them. Forget about all that. Shira Rubinoff: Too many layers. Aviv Cohen: It’s too many layers, too much maintenance. And actually, it’s not how hackers do. Hackers don’t come install agents and then- Shira Rubinoff: Hang on a second, let me get everything in place, then we’ll go, right? Aviv Cohen: Okay. So the thing about security validation, you want to validate as close as possible to the real threat. So Pentera acts, and that’s why it’s, by the way, agentless, completely like an attacker. You don’t need to give it anything. You don’t need to install anything and it’s fully automated. So these are the two great differentiators, fully automated and an agentless platform you can run every day and test your security again against the latest attacks. Perhaps it’s worth mentioning a couple more differentiators. One is our substantial research team. So what we do when threats come about, and sometimes we’re ahead of the curve, we re-engineer a safe replica of that, let’s say malware and insert it constantly into the updates of the platform. So the test you ran yesterday is not the test you’re going to run today. As threats evolve, you want your automated security validation to also keep updated. And we assure that because we have this substantial research team. Shira Rubinoff: Well, that’s very important and you’re certainly taking a strong stance and the proactive stance of cybersecurity productivity. In the past it was really being reactive, “How do we deal with it once it happens?” And you’re really mitigating threats and teaching and training as well, which is really important. And I’d actually like to segue to something incredible that you guys produced, and kudos to you, your book Castle Defenders. And this is a children’s book that you wrote and it talks about teaching children about being cyber secure. Can you talk to our audience a little bit about this and the importance behind teaching young children about being cyber secure, what that means? And what was the brainchild behind this book as well? Aviv Cohen: So thank you for saying that. So as Pentera continues to grow and we’re a cyber unicorn, we feel obligated to contribute to the community and this is one of our way to contribute. The first thing we thought about is really, it came out of a place of respect to this community, to the defender community. Cyber community defenders actually defend our way of life. So think about a single day that all of cyber defenses would be down. Instantly, you won’t have electricity, food, energy, transportation, healthcare, communication. And to substantiate that, just think about all the attacks that happened, let’s say in the past 10 years happening just in one day. So it would be complete havoc. Now, these people put a lot of effort and I would say also sacrifice working day and night to defend our way of life. And I think the way that they’re perceived are not like say equivalent, other essential workers like police officers, firefighters, they’re treated in one way and cybersecurity people are much less understood and therefore much less appreciated. I think one of the things that’s most important, got us to write this book is from a place of respect and appreciation, and it starts with a family. So if a few of the children, we ask many of our customers, “Do your children know what you’re doing?” Say, “No, they don’t. No. They just know I go out to work and I come back late. That’s all they know.” Okay. So the book would change that to be much more understood. Then the next thing is about the young generation. The young generation is online and needs to understand the risk of fraud, all the risks that are online and understand, let’s call it cyber literacy, is something we should encourage both for their wellbeing as well as for them to possibly join the defender ranks later on. So when you see a hero image when you’re young, when you grow up, you want to follow suit perhaps, your parents. So understanding the parents, understanding cybersecurity. Now, the process of writing this book actually took us quite a few months. We had children’s psychiatrists advise us to make sure everything is proper, to take all these complicated concepts of internet, cyber prevention, detection, response, zero trust, and put them in a book about defending a castle, which is the essence of the book. And we actually gave it as a beta test to a few children. We got great reviews and now we’re rolling the book out to more and more people, which are sending us a lot of raving pictures of their kids reading, kids actually saying, “Dad or mom, can you read it to me again?” That’s the greatest compliment. So it’s very well received and I think it came in just to that niche where there was nothing for the ages of five to 12 to explain what cybersecurity is in terms children can understand. So that’s a great start. Shira Rubinoff: Well, I think that’s very important in this day and age as kids are growing up with the internet, with devices, with connectivity, with communication, and to teach them from a young age what it means to be cyber secure and what it means to be a defender, as you put it. Really, also, not just keeps them secure, but think about a larger type of system or organization. Let’s say this child’s parent is a CO of a company or a large family office or a bank and they’re a child that might be risky behavior online that could lead to all sorts of problems. So starting any type of education from young, certainly cybersecurity is so critical. And there was a hole I would say in the industry and a lot of talk around educating middle schoolers and high schoolers, but this age group is so important. So really, congratulations to you for really finding this space and taking care of it. Aviv Cohen: So a little bird whisper to me that you have some background in psychology, right? Shira Rubinoff: Yes, I used to be a psychologist before my cybersecurity career. Aviv Cohen: In children, specifically? Shira Rubinoff: In children and teenagers, yes. Aviv Cohen: So the thing about cybersecurity is that yes, there’s the technology aspect, but there’s also the human aspect. The human factor is always what is called the weakest link, but it’s weakened just in terms of cybersecurity. The thing is that even companies invest a lot in educating their employees. For children to defend themselves, and the book also has the 10 commandments of safe online conduct, so to speak, is really important to become cyber literate. And in the same way you say to, “Don’t talk to strangers on the street,” in cybersecurity is, “Don’t click on this link.” It’s a way that people need to evolve and understand the online modern world from a young age. I think the book is a very positive step towards that. But again, it came from a place of respect to this community. So Pentera on one hand is doing great as a cyber unicorn, one of the top five growing cybersecurity companies in the world today. But we had a privilege, myself and a great team of marketing that put this book together to actually also contribute something that has nothing to do with our technology. So I feel that’s a little bit of a privilege. There’s the book and we also have a coloring book to go with it, and I always say, soon the audiobook and the movie and the play, right? Shira Rubinoff: Excellent. You need them all. Aviv Cohen: We need to put them all together. Shira Rubinoff: The thing that you mentioned, the human factors piece, that’s where I deal heavily in the cybersecurity world. We talk about the people, the process and the technology. You need great people, you need to deal with the human factors. You can have the best technology out there, but the process is the glue. And as you said, they say the people are the weakest link in the chain. So I counter that, I said, “Make them part of the solution.” And you’re doing this from a young age. You’re literally taking that human factors piece of saying, “The human’s the weakest link. Why are they the weakest link?” The weakest link because they’re not either educated, they don’t know. They call it the negligent insider threat. Take all that away, teach them from a young age up, have a part of their culture that they are cyber secure and they do recognize what is important and how to conduct themselves. It’ll lead to much better security as they grow older, but also within their lives. So it really covers many bases. Aviv Cohen: It’s very much in line with statistics that says that within the insider threat family, the majority of it is unintentional, where people unintentionally bring in contamination and threats into the organization, but that’s just because they got it somewhere else and unknowingly played a role in the kill chain without any intent. So that’s definitely that. Aside from that, I would say it’s a fun book and I do advise especially people with children at the ages of five to 12 to just take a read. It can be found on Amazon. So just Castle Defenders on Amazon is a good start and it’s already a bestseller, so it will pop up on the top of the search. No worries. Shira Rubinoff: Oh, that’s wonderful. And I know that Pentera’s here at Black Hats, and could you share with our audience, we’re live-streaming at Black Hat, where you are on the booth floor, what your number of the booth is that people come visit you and see a demo and talk to some folks there, as well as any other happenings you have going on at Black Hat? Aviv Cohen: So definitely. We’re at the booth 2400 and we have six demonstrations waiting for people to come and see the Pentera technology at work and how we validate security and advise on remediation in an automated way. Also worth noting is that we’re having on Thursday night, a big party in the HACKasan, said to be the big party of the event. So I advise also to come to the 2400 booth to get your wristband and register. And really happy to partner with anyone and at the end of the day, grow an enterprise to be cyber strong. That’s the point, to be proactive, reduce risk dramatically and be cyber strong. If you see analysis of breaches, most of them could have been prevented with a current stack. That’s the reality. Something was misconfigured. It’s always the anomaly, one file, one password. Shira Rubinoff: That’s all it takes. Aviv Cohen: All it takes. But you can also find those if you have a security validation software that covers your entire attack surface on a continuous regular basis and does so with a click of a button. That’s the value. And anyone who wants to listen or hear more, really happy to receive people in our booth. Shira Rubinoff: Well, excellent. It certainly sounds like something that people should take a look at and I encourage the audience to stop by the booth. Anyone who’s here at Black Hat, you know where to find them. And Aviv, it was a pleasure speaking with you today and I look forward to speaking to you again soon. And this is Shira Rubinoff reporting live here at Black Hat, and stay tuned for upcoming interviews. Thank you.