“Your Environment Is in a Constant State of Change and Criminals Are Constantly Innovating Attack Tactics, Techniques and Procedures.”
Hi, Anthony. Please tell us about your role as CTO, your team, and how you arrived here.
As the CTO, my primary focus is delivering value to our customers through our Automated Pen Testing as a Service product, NodeZero. NodeZero gives our clients the ability to see their environments through the eyes of an attacker, so they can fix what matters. I am fortunate enough to have some of the most brilliant and humble teammates, which means I need to listen more than I talk. Each of them brings a unique set of experiences and skills to the table. We’ve fused former U.S. Special Operations cyber operators with experienced enterprise and startup engineers to drive the cyber security industry into the future. This aggregate, in my opinion, has been the key to our early success.
Like most CTOs, my journey is unique. I spent 21 years in the U.S. Air Force, with the majority of my time spent in highly competitive positions with sensitive missions. My twilight position as the Deputy CTO at a US Special Operations Command organization enabled me to help make data securely available and accessible in support of the national mission force. Protecting the country is becoming less about kinetic effects and more about who can wrangle the right data to make better decisions faster. I co-founded Horizon3.ai with Snehal Antani in an effort to continue our passion for protecting people from bad guys.
How has your role evolved during the pandemic and how did your previous experiences with technology management help you scale your efforts and meet unprecedented challenges?
The pandemic (and an amazing team) shifted me out of a deeper engineering role and into an executive/management role sooner than I would have liked. Some personality types thrive on interacting with people, where others are drained by it. In order to ensure the effectiveness of both types, our strategy was “Hybrid-Clusters”: clustering teams in areas of the country that would/could work both on-prem and from home as needed. COVID shifted us fully remote and this approach requires two-way trust and effective communication. When lockdowns began, it was critical that I focused on communication and spent more time translating vision to intent. As a former member of the special operations community, I’m no stranger to leading extremely disciplined and talented teams spread globally, with the role of attending to the technological needs of an organization. Lastly, we knew early on that in order to survive as a young company, we needed to take advantage of every efficiency possible, so preparing for an automation-first, perimeter-free and cloud-native approach would set the conditions to scale from both a technology and an organizational perspective.
Can you tell me a little more about Horizon3.ai? What exactly is “Automated Pen Testing as a Service”?
Horizon3.ai was created from our frustration as cyber practitioners. The industry is filled with expensive and ineffective security tools, alert fatigue, false positives, and burnt-out defenders. The only way we could curb the noise and really focus on the biggest risk factors was to optimize penetration testing. Pen testers were looking for weaknesses the way an attacker would. They showed us what was important to fix right now and how it would impact our organization. But they could only cover a small portion of our environment, and we couldn’t afford to have them come back every week to verify our fixes and find more. It was ALMOST everything we needed to efficiently shift the economics of an attack in our favor, but we needed it to be continuous and we needed it to cover our entire environment. So, Snehal and I founded the company, sought out U.S. nation-state-level attackers, brilliant industry architects and engineers, and we built it ourselves.
What is the most contemporary definition of ‘Security Assessment’ in a modern IT and networking context?
Most of the definitions are fairly good. They boil down to “evaluating risks that lead to business impact.” It’s not the definition that causes problems; it’s the implementation. There are two common failures I see in implementing security assessments. The first is a narrow scope. This checks the compliance checkbox and keeps the cost manageable, but allows you to lose sight of the forest while you are staring at a tree. The other failure is missing the implied “continuous” nature of these assessments. Your environment is in a constant state of change and criminals are constantly innovating attack Tactics, Techniques and Procedures (TTPs). Those facts mean your risk aperture is also in a constant state of change. If you’re not assessing it at the appropriate rate, your risk acceptance threshold becomes unknown and hope becomes your strategy.
What are the major security challenges for IT-driven companies that have erupted in recent times?
All security challenges will stem from the economics of an attack. Criminals want to extract value from your organization. It could be direct transfer of money through ransoms, selling your data or your customers’ data to others, or stealing your compute or storage to offset their costs, etc. At the end of the day, they have their own financial goals and margins to meet or beat. The time, effort, and money they spend on a target is directly related to the potential payout of a successful attack. The harder you make it for an attacker to get to that value, the more you drive your risk down.
What kind of tech capabilities should we be talking about while evaluating the role of AI in Security?
I’d say ALL of them. Just like automation, we don’t want to limit the use of AI to offensive or defensive capabilities, or bound it to a market like vulnerability assessment, endpoint detection, or incident response. There are analyst tasks humans do that AI/ML/RL have a potential to expedite and help secure cyberspace regardless of industry or capability. We’re just now scratching the surface.
What is your prediction for the future of AI in Information Security?
AI-driven offensive security capabilities are going to shift the cyber security landscape over the next 12–24 months. That includes nation-state, criminal, and in support of legal defensive efforts. In order to verify the efficacy of controls, holistically assess environments, inform defenses, train defenders, and support secure system/application development, we must allow machines to do what they do best. This does not eliminate the need for the creativity of offensive security professionals; it creates a force multiplier for them. There is a severe lack of available talent and the available talent isn’t c****. Having an affordable capability to offset that missing piece of a defensive architecture is critical. Again, it all falls back to the economics of an attack.
Tag a person from the industry whose answers you would like to see here.
Ollie Whitehouse, Group CTO and NED, NCC Group
Thank you, Anthony! That was fun and we hope to see you back on itechnologyseries.com soon.
I have a passion for solving problems with technology and using automation to create and increase capability. Although my Air Force career field (Cyber Transport Systems) is focused on network engineering, my thirst for knowledge and self-initiative enabled me to understand, implement, and architect solutions spanning the full stack on a global scale. My obsession with constant improvement allowed me to drive significant improvements to the way the United States Air Force trains new IT recruits. My breadth and depth of technical expertise enabled me to revolutionize how the U.S. special operations communications community builds, deploys, monitors, and automates service delivery to our users. In addition, by leveraging my 23 years in ITOps and vast professional network, I have been able to drive a digital transformation in my organization and spark the same in others. Finally, I love learning new things and sharing my knowledge and experience with those around me.
Horizon3.ai is a leader in security assessment and validation, using the attacker’s perspective to provide continuous security overwatch. Our solution, NodeZero, provides a premium blend of pen testing, breach and attack simulation, vulnerability scanning, and security management by identifying and contextualizing ineffective security controls and kill chains that can be exploited, all without consultants, persistent agents or up-front configurations. NodeZero continuously assesses external, internal and open-source intelligence resources while baselining and measuring defense controls and tuning and verifying security controls, so you spend your security resources fixing what matters. Founded in 2019 by industry and U.S. National Security veterans, Horizon3.ai is headquartered in San Francisco, CA, and made in the USA.