Jonathan Cran, Founder and CEO at Intrigue Corporation, joins Jake Kouns, General Manager of Risk Based Security at Flashpoint to talk about all things related to Attack Surface Management (ASM). ASM is the new security “hot topic” and while Jonathan breaks down all the definitions, we make sure to ask the hard questions.
Is ASM just the new marketing term for CMDBs? Why is asset inventory so difficult and what can organizations do to make this painful process easier? Do ASM products replace pen-testing? How can organizations get started with their own ASM strategy?
Show Notes
0:00 – Welcome and speaker introductions
1:10 – What is Attack Surface Management?
3:46 – What is asset inventory?
5:20 – What is asset discovery and how is it different from inventory?
7:02 – What is asset mapping?
8:50 – Is ASM just the new term for CMDB?
10:40 – Why asset inventory is hard, but not impossible
13:00 – A message to those that gave up on asset inventory
14:28 – What are the Asset Attributes that should be collected?
17:23 – Do ASM products replace pen-testing?
21:03 – Moving past vulnerability scanning
23:50 – Understanding the attack surface
27:30 How does ASM address the SBOM problem?
30:23 – Mandiant Advantage and Intrigue
36:50 – The vulnerability intelligence gap
39:25 – How to get started with an ASM
43:20 – The CPE deficiency
46:00 – Closing thoughts
Episode transcript
JAKE
I’m Jake Kouns, General Manager of RBS at Flashpoint. Welcome to this edition of The Right Security, the show in which we spend time talking with leaders and veterans in the security space, tackling the issues of the day. Today, I’m joined by Jonathan Cran, Jonathan’s the founder CEO of Intrigue Corporation. There is some big news but we’ll talk about that later. He has had several positions in the security industry including, and head of research at Kenna, VP of Product at Bugcrowd, Chief Technology Officer at Pwnie Express, and multiple roles at Rapid7, from pen tester, then joining the Metasploit project.
Jonathan has always focused on solving technical problems in a way of creating new solutions for them. I’ve known Jonathan for a while and I’ve enjoyed some really solid debates over the years and I’m looking forward to some of it today. Jonathan. Welcome to the show.
JONATHAN
Thanks so much Jake. Super happy to be here.
JAKE
Yeah. Alright. So today, I’m really looking forward to diving into attack surface management, but I have a feeling maybe there’s no way that we don’t cover some vulnerability stuff at some point, right? But let us jump in and let’s try to set the stage today for the conversation. So attack surface management, it appears to be pretty hot right now, it even has its own acronym. Now, you might hear ASM, right? I know you get asked a lot but can you please start off given our viewers some definition? So how about I throw a few sort of… of terms and things that you and then you respond. So I’ll… I’ll start off and we’ll just say what is attack surface management?
Jonathan
Yeah, yeah. Good question. Yeah. So, so it is… it is a hot term right now. I would say it’s evolved a little bit over the last few years especially to become something that sort of on the ticket, the tongue of… of quite a few security vendors. I would say it’s more well understood or at least well used within the security vendor’s base than it is within practitioners and… and the vendor side. So it’s evolving in… in the way… the way I look at it. And the way we’ve looked at it at Intrigue, is it’s pulling together a bunch of disparate different challenges, you know, like things like vulnerability management, asset discovery, asset management. I mean… it’s… it’s a combination. And… and really when… when you boil it down, it’s about getting visibility of your environment. It’s about getting visibility of your exposures whether from an external perspective, which is what we primarily do at Intrigue, or from a cloud perspective, which is, you know, there’s other vendors who are specifically focused on cloud or from an internal perspective.
JONATHAN
I mean, it’s all about visibility. It’s all about knowing what you have. It’s all about knowing what those things are running and the configurations of those devices. And then it’s all about what is it, what is it actually exposed to? Or what am I as my organization exposed to? So you see aspects of, you know, vulnerability management, asset management, digital threat monitoring, threat intelligence, all those things kind of used together. And I think, you know, I think that the reason that hi, I’m right for a new space is you see this migration to the cloud, lots and lots of things or API available. Now, there’s many… many databases that can be integrated. And really there’s just these gaps that have been left by traditional solutions where, you know, if you’re not pointing it out the exact right range or you’re not, you know, plugging in the individual host that you want to scan on a regular basis. You’re… you’re missing things and… and threat actors are taking, you know… you know, getting gain from this because there’s just, you know, these gaps in your network that are, you know, exploitable. And so it’s all about finding that exploitable stuff before the threat that’s my long winded answer to that question.
JAKE
It was interesting to hear you say internal assets as well because I’ve seen a lot of definitions here recently that are just saying internet facing assets, the perimeter, those kinds of things. So that leads me into my next question, what is asset inventory?
JONATHAN
Yeah. I mean that, yeah, we, we’ve been around, both of us have been around long enough to… to have seen this one evolve across a bunch of different technologies that used to be your CMDB, and in this registry that you would create. And… and typically, you would have, you know, an actual IP address assigned to a host or at least, you know, your scanners would be feeding your asset inventory.
Reality is like everything’s…
Ephemeral these days. Any modern system that’s getting created is… is, you know, it’s there. And then it’s gone. So, the systems have to evolve. Asset inventory is all about finding things that exist whether they exist for a long-term you know, many years, they’re like a laptop or a mobile device or whether they’re ephemeral on, they… they exist for only a few seconds or… or their container. And the thing is you can’t really be well defined and assets in the… in the edge of software to find everything. It’s… it’s… it’s a… it’s a now and, you know, it’s it. But… but those sorts of nouns are evolving. You know, what’s a lambda or, you know, a cloud process these days is a cloud function. You know, is that an asset we’ll certainly need to know about if you’re sitting in a security spot. So I don’t try to be too pedantic about it. I just say listen if it’s a noun and it’s a thing that we should know about as a security team that’s the thing we care about. It should be somewhere in an inventory that we can get access to it and see that it exists.
Jake
I’m going to be annoying here. And I’m gonna say, alright, I’m following you. But then what is asset discovery and how’s that different from inventory? And I know this is getting down into wording, but, you know, I’m seeing a lot of people using these words and they’re not all being used the same. So from your perspective, asset discovery or what is it?
Jonathan
Yeah, it was… it was discovery. Yeah. So, so I… I would… I would argue the discovery is the… the active process or… or pass it the process of discovering things to put into your inventory. You know, we have… we have a bunch of magic at Intrigue to do discovery with… which sort of have an iterative or cursive process. So it’s not like discovery is just a simple process of scanning with a simple process of listening on the network anymore. I mean, we… We like to think about treating discovery as an investigation. It’s like when you get a piece of information, can you use that… that piece of information to find additional unknown?
So, I would say discovery is more this holistic process of finding everything that exists and whether that be, you know, with again external cloud on-prem doesn’t really matter. It’s all about finding those things and then getting them into your inventory on a continuous basis. So that when you’re able too or when you… when you need to, really, you can just simply search. I would also argue that’s a… that’s a piece of attack surface management is having the ability to search that inventory especially under… under a fire drill where you’re trying to figure out, are you running a piece of software which is potentially vulnerable? Are you running a configuration which is potentially vulnerable? So you have to have strong discovery to be able to… to facilitate that feeding into a continuously updated inventory?
Jake
Makes sense. So the last one that I see all the time now is asset mapping. What, how do you respond when you hear someone talking about asset mapping?
Jonathan
Yeah. Yeah. So I would argue mapping in discovery or relatively interchangeable mapping. Might, you know, if you… if you see this, we use this term too, if you see it… it might entail that process of recursive discovery. So, you know, one thing worth considering here is, you know, sitting in a security spot, you’re… you’re not always going to have full visibility of everything that’s happening inside the organization that’s okay, you wanna… you wanna power developers, you want empowered marketing teams, you want these folks to be able to go out and create new things for the organization. However… you… you also have responsibility protecting those things and a lot of cases and… and most of the time or at least a lot of the time, the processes aren’t so robust that things get registered with security ahead of time. And you put in the being reactive a little bit and having to… to go out and, you know, discover those things. Well, the reality is it’s hard to discover unknowns. And so, can you use your knowns to discover your unknowns and make those nodes and then find more on notes and just continue this process of being able to map out the attacks surface or, you know, effectively create what we like to think of as a graph of the organization and all the interconnected pieces you know, and again pivoting from one piece of information to the next to be able to find every everything that’s out there as complete as possible. So that’s how I think about mapping in relation to discovery… discovery might be an older term. Mapping, you know, is a relatively new term. I would say in this… this space where it’s you know, all about finding everything recursively using known and unknown unknowns interchangeably.
Jake
All right. So I have… I have to ask this last final question. We mentioned it earlier. CMDB, right? So for… for me, who, you know, came up through the old school, it ranks right from it till the infrastructure library. We always talked about a CMDB, right? Configuration management database. So is this just all a CMDB have you marketing people have rebranded this to attack service management.
Jonathan
Burn… burn it with fire. No, the… the CMDB is an old term. Of course, its legacy is definite for sure. It doesn’t… It doesn’t come across something that’s continuously updated, you know, like it’s such a… such a… you know, oftentimes a percentage of what you actually own it. Listen, every organization is going to have a CMDB of some sort and it’s probably going to be fed by a bunch of different sources. However it’s not sufficient. I think if you look at modern organizations, there is no CMDB right? Because legacy concept organizations have, you know, Jeff plugged in or… or some sort of plugged in. So they could actually see all the different devices. And so CMDB to me is not integration oriented. It’s more, you know, it’s… it’s like a database, you put things into it’s… it’s, RSA Archer you know, like it’s… it’s like… this… this… this thing, a database that… that needs to be fed versus pulling information from all the different places. So, I think there’s a fundamental flip. They’re like no longer should see security, expect things to be pushed to them so much as they should be pulling information from lots of different places, of course that’s a given. But yeah, that’s how I think about that burning.
Jake
To get some emails from the old school. I, till people after this video. But alright, lots of the base in the security industry always and asset inventory, let’s just use that term instead of all the other ones that’s been highly debated, forever, right? And I’ve been seeing the debate pop up again about can you even do asset inventory, right? So just a few days ago, I saw the spider man info, sec name about asset inventory and it… it had like the three frames, right? Telling me the truth, I’m ready to hear it. And the next thing was you being an accurate inventory of your assets before we can work on protecting it and then crying face. So what’s your initial reaction? Are these asset inventory problems too hard? So we don’t even bother with it and… and that.
Jonathan
Well, this means it’s pretty accurate for today. Let’s say that it is a challenging problem… here’s… here’s. Why am I not here? Why I don’t think it’s impossible. I’m in a world of cloud based infrastructure and software defined everything, you know, everything’s an API. And as long as you can get credentials to the right places, generally speaking, create a relatively accurate inventory. And we see that, you know, like the… the… the forward thinking organizations already doing this right? They’re finding the places where there EDI, ours not… not deployed… using… using a multitude of different solutions but in general, they’re plugging all their systems which would have some amount of inventory information that’s gonna be your vulnerability scanners, that’s going to be your network scanners, that’s going to be your SDR in… in your cloud systems. Aws, GCP is your, all of these things can be plugged together to be able to give you a relatively accurate view of what’s out there. Now, there’s always that last mile problem and we work really hard and Intrigued to solve this problem and that’s really where our… our… our biggest focus is… is finding taking knowns, turning them, you know, like in finding unknowns from the nodes. But, you know, I actually in… in 2021, I think we’re on the right track to solve this problem. Even though things are super ephemeral. Now, it just becomes a problem of understanding how to manage ephemeral data more than it is a problem of being able to get the data.
Jake
I find it amusing that so many people still can’t agree about asset stuff. And so I… I did on that mean post, I read a little bit of the comments and there were… There were two that stuck out to me. One was we must get away from security which depends upon full inventory. It was difficult back when things were mostly static. It’s practically impossible at 2021 speeds. And then the other one was even if you could have full inventory, you’ll be out. It’d become outdated pretty quickly. So I’m gonna hit this one again. Like what do you say to those people that have kind of given up all the asset inventory and say, how could we be expected to know what we have?
Jonathan
Yeah. Yeah. I mean, the only… the only logical thing to say is like you can’t manage what you do, what you… what you don’t know about. And so, you know, if… if you really boil it down to an information problem, the more visibility and more information you have about what you own, the easier it becomes to manage, you know, the easier it becomes to get a solution in front of it. So, you know, I’m not one of those who would… I would necessarily say, you know, stick your head in the wrong and I would say go integrate with everything you possibly can and there’s more API available then there’s ever been before. That doesn’t mean it’s not a challenging problem but… but, you know, now is the time… to… to see these things start to come together. Like I think we’re I think we’re actually in a pretty good spot now.
Jake
Yeah. I think personally, it’s so much easier now than it was. So it feels like we’re some folks are hanging onto this concept of it was so hard that it’s still hard and I think it’s getting better. But so, you know, at RBS here, we believe in risk scores, right? And we’d have to find them more simplistically as asset value times, threat, likelihood, times, vulnerability exposure that gives us a risk score. So, and our view of the world and what we’ve been saying for a good 10 years without understanding your assets, it’s pretty hard to understand how to prioritize and figure out what to remediate. So, I want to, instead of being on to find the assets stuff more, I think we’ve done that enough. What are your thoughts on assets? Once you find them, what are those asset attributes that an organization shares? That would then maybe help them understand how to prioritize?
Jonathan
Yeah. Yeah. Yeah. And by the way, just like going back to the previous problem for a second like that’s not to make light of… of ti problems or, you know, there are definitely modern difficult challenges of getting that asset information that the harking back to 20 years ago. But I think you’re exactly right? I mean today where we are, it’s much easier to gather information, you know, as queries, like sort of modernized a bunch of that. So, so yeah, I think that’s the exact rate a line of thinking is not now that we can get it what now… and you know, you start with the basics, right? You start with versions, software running on them and forget about configurations for a second. Like that’s. It’s a hard enough problem to just get, you know, what is this thing running? What is the software on it, handling back porting handling? You know… you know, specific multi versions on a… on a given system that’s where I would start… is with what software is it running? You know, how is that software out of date? Is it outdated? Is about, you know, out of life and have lived? And then you can start to get into specific configurations. You know, getting is this… this piece of software, is this… is this distributed by the OS? And is it back boarded? Or is it, you know, custom installed, things like that… that is probably where I would first start but… but there’s a… there’s a more fundamental challenge actually which is naming of systems. So we deal with this ally because, you know, what happens if you have an IP address that’s like one one on one one on your network or 10 10 10 10. And then you know, another system pops up attentively. And then, it’s running a different set of software. Like are those the same system? And so having a pretty strong ability to define how you’re naming schemes work. This is the thing that was well defined a candidate to, I think I’d be interested to know how you handle the problem… but you know, that in and of itself just the naming of a given asset, we’re in a world where everything’s ephemeral, how to even manage that, and how do you manage it over time? Like that’s a challenging problem right there. So even just the most basic of attributes can be difficult.
Jake
Makes sense. So, I think, you… you know, one of the things that we’ve been on sort of rant about is trying to get organizations out there when they say vulnerability management to stop saying, yeah, we scan, right? I mean, I… I firmly believe the scanner, it’s part of it, but it’s not, right? And… and as you know, I think intelligence is the foundation. And then once you have that intelligence only then can you prioritize and remediate. And when I say intelligence, of course, vulnerability intelligence is huge but it’s also intelligence about your own organizations, those assets, we run into a lot of people right now where they’re… they’re understanding this, but they’re still scanning or pen testing because they believe that’s how they get the visibility that’s how they solve that, collect the asset intelligence. So, I’m gonna put you on the spot here and say this does attack surface management. They have some products. Does it replace that?
Jonathan
Man? Good question.
You can think about what we’re doing as continuous pen testing. If you… if you were to put an actor behind the keyboard, put a… put a person behind the keyboard and say, go find all our assets. A lot of what we’re doing is what they would do. You start with the nodes, you scan those things, you look and see what… what are they, what are the devices on there? You analyze deeply, you know, think about… think about an application endpoint and all the links that it points out to some of which are going to be your own. That’s gonna find more assets. And so, you know, we messaged early on. I think we were saying intelligent digital footprint because I think what we had before it’s access management. We were saying intelligent digital footprint, which is, you know, just our way of saying like, listen, we try to pivot the same way a person would, we treat asset discovery like an investigation. So, you know, in the end, nothing’s ever gonna replace a person like a, an intelligent person sending you looking at data is going to have more context… than… than any automation really ever could. You know, I think that’s mostly true in the HTML and so, you know, nothing should replace red teaming or true pen testing. But I do think it’s time to… to… to take people away from doing what we would have called, you know, vulnerability assessments or, you know, these… These sort of like point a scanner to range and then look at the results and see what’s exploitable. We can automate the heck out of that. We’ve been automating the heck out of it for the last 15 years. And so, yeah, of course, when we find a piece of software that has a known exploit, we’ll map that together. We’ll try to exploit it if it’s, you know, if it’s reasonably exploitable. We’ll try to do all those things and just point out, hey, there’s something that’s definitely like a tomcat instance which can be exploited today or… exchange lots of monthly exchange stuff out there. Those sorts of things should be fully automated at this point. Like it’s 2021. Come on like you can for the… for the cost of a person, you can be doing 10 X the amount of work in… in the same, you know, in less time and it, it’s crazy to think that you would have people doing these sorts of things. Now, we do run into two shops that… that are still doing that and they are literally begging for more headcount. But once you kind of put… put a NSM solution in front of them, they’re like I get it. You know, we can use this to triage off a bunch of work and focus our people on the right thing. So what I would say is, yeah kind of you’re not gonna replace people though.
Jake
I think that… that makes sense. But we’re… we’re seeing the same sort of thing that people are starting to realize that legacy vulnerability scanning had its place and it helped us to get here. But there’s better ways to go about things moving… moving forward with saving money and… and better prioritization, so, it’s it’ll be interesting to see how they have some stuff plays in overlaps complements, because, you know, some people still, they’ll want to get rid of their scanners because they’ve always done it that way and the regulatory things, you know, talk about it. So it’s gonna be interesting, well, you know?
Jonathan
You know, what I think is going to happen is, and I think it’s already happening. I just think it’s not evenly distributed yet. You have things like… like carbon Black. And because we have worked on that, a Kenna, and… and pretty much every BDR solution today is self reporting in terms of what the UI is, you can just query, right? You’ve got all this information there. You can cross reference that with… with your vulnerability database, right? Like better vulnerability information that was ever available because you can get a cpe out or better than a CB, even, you can cross reference that and get a pretty good handle on what the vulnerabilities are. So, you have these sort of like self… you know, communicating or… or what’s the word I’m looking for… you know, essentially their self reporting machines and you still have that last mile problem which is kind of what we’re focused on which is, you know, there’s gonna be stuff where you can’t either you don’t know that… that system. It isn’t plugged into your… your self reporting infrastructure, enable you to cross reference with vulnerabilities and report, hey, I’m vulnerable or it’s just, it’s simply an unknown. It was spun up in a different Aws account, different GCP account, whatever it is and… and you’ve still got to protect that stuff like it’s still on your network in some form. They’re still credentials there which provide access to sensitive data. You know, there’s an open database somewhere because, you know, the developer needed it but… it forgot the protection properly or wasn’t able to predict properly. So, I think you see this legacy scanner market moving into kind of self reporting, you know, systems that are SDR is kind of like taking that now. But then there’s again, there’s this… this Asa, I’m just gonna picking up the slack I think in looking broadly across the infrastructure and we end up talking to security intelligence teams to read teams, to blue teams, app, sec teams, kind of all of it because there’s still gaps no matter what no matter how self reporting, a set of infrastructure is, you’re still gonna have gaps and you want somebody continuously kinda looking at it to say, hey, even though this things patched, you’re still miss configuring this one attribute. And by the way, I can create a Nessus RF into that system and use that system to pivot to the next one. You know, things like that. So, so, yeah, I mean, I just see the scanner market splitting into these like self reporting and then you can like last mile scanners.
Jake
So you’ve covered this a little bit but I think it’s such an important one. I wanna… I wanna talk again about new technology and how new technology coming out is great for solving problems. But, you know, some of the inventory problems that, you know, that you’re trying to solve and other people try it kind of creates it makes it a little bit more challenging. So can we maybe touch a little bit more, get on virtualization, cloud containers, and how that makes sort of understanding your attack surface a little more challenging? And then if you have any sort of… of recommendations or thoughts for organizations on things that they could do that could make your job better, that would be awesome to hear. Yeah.
Jonathan
Yeah. Yeah. I think it goes without saying that lots and lots of software defined assets exist in any organization today. Whether you’re the smallest, you know, like just starting and you’re using SaaS services for everything. You know, you got your… your Hubspot or your Salesforce and you’re… you’re spending updates in there that’s… that’s an asset for you or you’re… you’re sort of legacy organization or maybe a colonial pipeline to… to… to think about it. You know, you’ve got these kinds of systems that have been there forever. They’re on the same network, but… but they’re still doing stuff in the cloud, right? Like there’s still spinning up, you know, customer facing services. And so you’re going to have some of them on a fair morality two machines, you have to sort of decide, you know, what’s yours, how deeply do you want to manage these things? How long do they live? How much drift is there in these devices? So, you know, if you’ve got the golden image like a VM or a docker file or a, you know, an image of whatever sort and you’re spinning those up and they never modify, will. Then most of your challenges are just app, sec challenges. They’re… they’re you know, can I ever use the application layer stuff? But if they’re running, you know, over a period of time and there’s any amount of drift, you have a vulnerability management problem. And you, if you can’t refresh them or re-hydrate them is a word that gets used as well. You’re not in a position where you have to patch and if you have a patch, you’ve… you’ve gotta have visibility of them. You’ve got an, so, you know, like when are they spending up? And when are they spending down? So to answer your question, what… What makes this whole thing easier? I mean, there’s a multitude of solutions out there. We also do this. We plug into Aws accounts, GCP accounts, and we pull data out of them, looking for easy two instances, looking in the container registries, looking for software defined assets, and then analyzing those things looking for vulnerabilities and so I would say if you’re not in the market for one of those today. You should be looking at it and you should be plugging it into as many Aws accounts you have. Yeah, I mean, that’s… that’s how I would approach the problem is, you know, doing… doing the things you’ve been doing, but also looking for the solutions that can directly integrate into these… these systems, whether it’s via or whether it’s a WS, whether it’s GCP or is your all those things should be plugged into. Now, another thing actually like one thing that we get a lot of value out of is plugging into DNS. So if you plug us into your DNS systems, we can actually use that to pivot and pull all the information associated with what’s on your network. You know, if you have dub… dub… dub dot company dot com, we’ll pull that will resolve. It will go look at that system. But… but more, you know, more commonly what you’ll have is, you know, a long random string of 16 characters, dot company dot com because that’s an ephemeral asset. And that’s a good way to find those that plug into DNS. So that’s the thing. I think… I think we’re pretty unique and I’m not sure if everybody’s doing that, but it is a good way of, you know, kind of identifying that last mile of ephemeral things.
Jake
So I love that. We’ve been sort of talking about assets and trying to define what they are. And then when you layer in sort of the depth checkups stuff and you talk about SBOM Bill materials and things like that, I… I find that kind of funny debate as well because a lot of times I’ll… I’ll see people that love SBOM and they think it’s amazing. And everyone needs to know everything that’s in your app. But then they’ll say, but it’s impossible to get full asset inventory which makes the debate really funny. Chanel. We’re thinking you’re at, but to know everything in your… your environment is… is completely different. How do you do, how many new things? And then how does the whole attack surface management consider the SBOM problem today? Or is it? No, we only look at the fully delivered asset?
Jonathan
Yeah. I think what you’ll see is evolution. And… and by the way, I think the… even already attack surface management is splitting into different sorts of factions. And so, you see, you know, the traditional app, sec fashion infection and you see the… the cloud sec faction and you see sort of us, the external E a SM, I think is what it’s going to.
But it’s all kinds of different views of the same thing on the, I can send this mostly an app sec problem and I look at the seo solutions that exists, you know, the Black duck, the white sources, you know, these sorts of things sneak, of course, and so they are probably in the best position because they can plug in… in, you know, who’s actually in the best position to figure this out is the repository platform. So to get hubs to get labs, if you push your code in there in the position of having access to that all the time. And I look at, you know, just get… get hubs, Dependency bought. You know, we use the heck out of this thing that’s great because it just tells us when there’s something in one of our components they need to update. And oftentimes it will actually, you know, allow you to make that update itself. So this is… this is like the, you know, the grand vision of automated remediation, and all it takes for us to get there is a difference and it is code you can’t really have automated remediation without having definition as code that’s the thing. I think… I think a lot of folks forget. It’s just too dangerous to patch or run a system, patch, a dynamic environment like an, it would… would… I would hate that. And so the way you deal with that is you have everything defined in this code and then you can automatically suggest the patch which is what Dependency bought does. And I… I look at that as sort of the future of, you know, vulnerability remediation in the app sec space and really everything is becoming upset. So, you know, we’re we look at that, but we tend to think of that as an app sec problem today. It’s not something we’re directly dealing with today that we are pushing a GitHub integration. We’re currently focused on finding secrets in GitHub and gitlab repositories. It’s an interesting idea to use that for inventory as well. I kinda liked that idea. Thank you, Jake. Yeah.
Jake
Well, I mean if only they had the best phone intelligence, it would be a home run, right?
As all these things come together. But yeah, I think it’s going to be just the SM platforms will look at it that way as well. You know, if… if you’re really saying the holes, the tax surface management, and you’re just giving me, you’re running this thing but we don’t figure out what’s in it then maybe that I’m not seeing that, right? Alright. So what we’re gonna… we’re gonna go into Intrigue, wanna talk Intrigued with you. Okay? And you can tell me other stuff you want to tell me that you were an open source project. You had your first commit July fifth 2015 is what I think I discovered when I was researching, but then treat it as a company founded in 2019. I’m sorry, can you tell us a little bit about sort of the journey? And then I think it’s probably time you can drop your big news for us?
Jonathan
Yeah, yeah, yeah. Thanks for that. By the way the… the setups are awesome. And so 2015 was the… was the current iteration of core. There were several iterations before one called taper. The API for reconnaissance was… was the original idea. We had to integrate the taper logo and everything. He was… he was really great. Steven Hilton made us a logo, you know, shaped like the form of paper that one last couple of years, I was learning rails of the time and so it, you know, it will ultimately, we decided, okay, we need to rewrite. And so the 2015 rewrite was, I think the third time we tried to rerun it and by the way the regional Genesis, this was a lotta conversations around P tests. If you remember the pen test execution standard put together by, you know, mid and Chris nickerson, Chris gates, a whole bunch of guys and I was just, I was… I was thinking like what can I do to automate a lot of this stuff?
Jonathan
And I just ultimately converged on recon as like one of the hardest challenges. It was clearly a big data problem. And so it was in… in, at the same time. I was also, you know, pen testing myself and I wanted to automate as much as I could thinking, you know, like how could we make pen testing more like multi? Go? Could we make it visual? Could we make it so that pivoting is really ultimately pivoting is the concept, the pen testing. How do I get from point a to point B? Pivoting a bunch of jobs anyway. So take that take, you know, what does it mean now? Seven years of open source development largely with a small team, whenever a commit would show up. We sort of like insta recruit them, bring them into the team, start to pay them. And so we had a small team of contractors that we’re also working on the open source side. And… yeah, we had, I think we have like something like 50,000 downloads on the open source side now. But to your point in 2019, I actually formed the company but it didn’t really start working on it as a company until about 2020 right around the RSA timeframe, I… I decided, okay, you know, the market’s clearly hot. It’s time to accelerate. I was being told pretty extensively by everybody that I talked to that I needed to accelerate because there were lots of folks who were working on this problem. And so we… We raised some money in 2020. We started to build up a team. We’re about 10 people now and just, you know, it rebuilt the entire UI. We have this sort of horrendous you know, traditional HTML, awful hard to use thing. It was actually very powerful underneath. But like, if you were to look at it, you go like.
I don’t…know if I want to touch that… that… that, that’s it looks terrible. I found an amazing designer, a great group of engineers and we… We rebuilt and put the new platform to be launched in April. I wanna say like early April and then we had some execution and we got some really good customers… large enterprise and, you know, a lot of government interest and, you know, effectively three months ago, I would say we got some interest to… to acquire the company. And over the course of the last three months, we’ve been working on this process. And just last week we announced we’ve been acquired by Mandient and by the right man yet. And so that, you know, was… was literally the fastest. I think if you… if you consider 2020 as the actual starting point of the company, I think it was eight months of execution basically which is exciting. It’s… it’s a little. It’s a little like a seed stage company to be pulled into a public company like this, especially one that’s you know, of course fire, I and Mandient, is becoming the company and divesting. Fire. I, but that’s part of what made it exciting to be honest is I can’t think of another opportunity where, you know, you’ve got this incredible intelligence company who’s automating a lot of what they’re doing or at least like feeding their intelligence into this platform called Mandient, that advantage. And we sorta have pulled in to take these access management components of that and build upon it and sort of expand the market in a big way. It’s such a bigger platform than what we had access to as a startup company. And so, you know, we were having these conversations with the… the largest of the large organizations. But, you know, as a… as a 10 person startup company, you know, they kinda look at you and they go, yeah, but we like what you’re doing. But we’re not going to give you any data. And so this… this sort of changes that whole equation to where now we’re the large company. We have a security team that’s looking at our stuff. We’ve already been red teamed. Everything’s been through a bunch of different security processes over the last couple of weeks. But, you know, that… that… that transition into this larger platform into this larger company, especially on the verge of, you know, repositioning the company as a fast growing SaaS company was really exciting and it definitely says a strategic decision on the part of… of the company. You just don’t… don’t get many opportunities to do something like this and you don’t get to choose your buyer, they choose you. And so this… this was definitely the right time for us to accelerate in a big way. We’re going to double the size of the team, get a ton more resources and just go like we wanna… we wanna really define what’s going on and… and text service management.
Jake
I’m really happy for you. Proud of you and you should be proud of yourself and that’s someone that takes me 10 years now. I was pretty fast, brother. Wow.
Jonathan
Yeah… yeah. Nobody gets to see the… the, you know, the grueling nights and weekends on the open source side. My wife, you know, she was… she was very thrilled about the idea of, you know, potentially we could exit and me to, you know, the… the reality is this… this is a good… good thing for the team. It’s a good thing for the investors like everybody’s pretty, yeah, good.
Jake
Awesome. Well, I’m… I’m happy for you, alright. So a couple of weeks ago, you tweeted at me and by the way, I’ve been trying to stay off Twitter because it makes me cranky a lot but, and I think he spoke and we were gonna talk using this method for everybody.
But so what new tweet? It? And I’m gonna put links in… the show knows everyone you tweeted at and you said data science, driving vulnerability intelligence forward in a big way can’t stress enough that we need better data analysis. And then I think you saw my reply which was a shocked face and I reply was about CBD continuing the most important vulnerabilities exploits being available. So, I know, I love it and I think you’ll find they’ve come around to it. But I love that picture from the infosec, world panel that marks aren’t, I’ll put together for us where we’re debating CVE, just how… how bad things, where, so have you come around on the CV that, or do we need to break this up some more? Where are you with CVE?
Jonathan
I’ll say I was right. I continue to be right, Jake. There was… there was never a question about that. No, no, I really do think CVE is scaling, I, of course, there’s always more to do and I think you… you do an amazing job of closing that gap that CVE is unable to take on. And, you know, it’s always interesting to see your, you’d like more than anybody else. The… the vulnerability intelligence reports that you put out just the numbers around those. And I think I didn’t realize until a few years ago just how much automation you had in discovering these and how you’re using sort of bug trackers and all sorts of things to identify these vulnerabilities, everybody else. And ultimately like, you know, you’ve got this fantastic set of data which I’ll just say this like with the split in this vulnerability intelligence assessment management market and you’ve got the SDR solutions and you’ve got the Texas management solutions here, well positioned to get that intelligence in front of people because now people are more inclined to match on cpe and match on, you know, on the actual vulnerability, the software. So I was right?
Jake
No… that’s… that’s your, the guest or not. It should be nice to you. I won’t argue too. But yeah, see if he’s still struggling. We… We reference them because people like it, but it’s… it’s really eye opening with how they’re trying to federate the work out that the quality now and the timeliness has gotten way worse. We were seeing some numbers go up but artificially makes it feel better. But the actual actionable to have that met a data the intelligence overlap with SM can do is… is really not… not there. So, but anyway, alright. So look… get that pretty light. I didn’t give you too much grief.
All right. So, for companies that are struggling with too much work, too many assets, you don’t have any vulnerability. Yeah. What do you say to them about how to get started with maybe an attack surface management program?
Jonathan
Yeah. So a combination of things, I think what we’re talking about is… is prioritization as a problem. You know, we… we do a lot of the things that… that are required for prioritization which is cross referencing discovered issues with active threat, which by the way, just coming back to that previous mentioned that the GitHub… repository that I tweeted. I actually think the scientists guys… they put together this analysis of like here’s… here’s the problem. There’s not enough structured intelligence to be able to prioritize, well. And we’re now in a position where if we can use them out and we can use classifiers determine whether something is actively exploited or not. Meaning there is an exploit on GitHub or not, you know, you don’t see GitHub labeling things with a CVE. It might be in the name of the repository. You know, the user might actually put it out there in the readme, but in the end, it’s difficult to tell. This is actually a vulnerability that I actually care about. And again, it’s not just CVE. It is… is this thing useful? Is this a piece of code which can be used to explore a piece of software in a particular configuration? So finding those things quickly automatically and then cross referencing it across your entire inventory. That’s a difficult challenge. Now, we do a lot of that. We do it primarily based on CVE today that we will find miss configurations, things like that. But one thing I’m doing Jake, we’re finding the technology. We’re grabbing versions whenever we can because we also believe that it’s important to be able to know exactly what software you’re running, and to be able to cross… cross reference that with… with the best vulnerability data. And so long story short, automate everything, get an attack, surface management solution especially on the external side to start with would be my suggestion and self serving, but I’ll… I’ll just say it, it’s simple to plug in. You don’t actually have to have any integrations to get value out of it. You know, our… our trials end up being just pointing at… at a company which we got this catalogue of 100,000 companies already pre… pre gathered. And we’ve got some pretty interesting stuff and… you can effectively get a set up of a stream of intelligence about what’s out there. What a hacker can see. Now that’s just the typical iceberg, you want to plug it into your cloud accounts. You want to plug it into your GitHub, you want to plug it into pretty much everything you have. So you can get a more complete inventory of pictures and then we will do the work. To automatically cross reference will cross reference with CVSS, a CD. When it’s available. We have a threat severity rating and we’re working on getting eps S, which is the, you know, the work that kind of came out of, you know, Jacobs the scientists folks kinda folks. And Jake, we should really talk about eps because it’s… it’s cool. It’s… it’s coming. It is a way to get a rating. And admittedly it’s… it’s stuck on CVE today or it’s… it’s limited to CD, but at least we can use it to determine whether something should be fixed right away or not. And that is an important piece of prioritization. So my long winded answer automates by Intrigue cross reference with vulnerability.
Jake
I love it. No. And the PSS stuff, there’s… there’s a few things in there I want to switch, but I do like that. We’re trying to predict those exploits because again, we’re trying to, you know, we need to talk about if we need to tell customers and an organization, every ball that’s out there and then give them that met data to pick the ones that apply to them. We don’t wanna have limited scope and say, you know, don’t worry about it. So I agree with you. There’s some great stuff happening there. Now we’ll… we’ll say for me, I’m a big fan of inventory but the… the area that I feel like still isn’t there yet and it’s not just SBOM was trying to figure out how to, you know, to name sort of I’ll say dependencies, but even like with packages on Lennox boxes and all this other stuff. And now you have package managers and there’s so many of them. I feel like you need a package banner or package manager and it’s like it is really hard sometimes when a volume comes out to be able to… to figure out how to communicate to all these systems when we’re not communicating inventory in a common fashion. And I’m not seeing anything yet that’s going to solve it holistically. I see some point solutions for SBOM. I see some individual sort of… of groups. I see some vendors getting behind things. And there, this is the way we’re doing it and you can do it or not. So that to me is the area where I think we need to see some movement.
Jonathan
Yeah. Yeah, yeah, I do. We… we had, so, so I assume you’re talking about like, you know, CPE being insufficient to be able to correctly identify that the thing that actually exists. Yeah, I mean, 100 percent, this is a difficult problem and I agree with you like I would happily, you know, put effort and time and work into helping figure this out. The… the problem of course with standards is, you know, you create one more every time you create a standard. But, you know, what we’ve done is we’ve… we’ve adopted cpe, we’ve… we’ve modified it to create things like services. So when we detect, you know, hey, you’ve got a, you’ve got a connection here to Hubspot. You know, we’ll… we’ll actually go like CVSS being the… the terminator for Hubspot, and then Hubspot event or Hubspot product, that sort of thing. Now, of course, you’re not necessarily gonna care about vulnerabilities, but you might care about a breach that’s a useful thing to be able to correlate those two things. But listen, I agree with you. It’s not specific enough. You see the CA vendors. You know, this needs to Sonatype et cetera, create or adopt or, you know, modify cbe or create their own. I don’t know if there is one standard. There was some talk on… the… the miter, cpe list a while back about a different standard, but I don’t recall what it was that didn’t seem to have lost the team. Are you aware of anything that exists or anything that’s like gaining steam?
Jake
Not right now. The big focus seems to be all on the SBOM stuff that Alan and the team are doing and… and they’ve made great progress there, but it’s you know, it’s kinda focused on that area and not… not the larger one. All right, man. So hey, let’s… let’s wrap up here. Let’s wrap it up. And for all the SM, hater is out there for all the people that say asset inventory is to our just do security, stop complaining about inventory and closing what you concisely say to them.
Jonathan
Just come check it out. I mean, like that is… that is the only thing I can say is we… we will, and if… if you don’t wanna use the… the hosted version, use the open source version, check it out. It’ll work. You will get value out of it. I promise this is not a solvable problem. We are going to solve the problem.
Jake
I could tell you, I think I only saw the version with the bad you I, which was rough. I think that was my feedback to you. But all the data that you had and what you were able to do was… was… fabulous. And I’m looking forward to great things that come. So, Jonathan Cran, founder and CEO at Intrigue. I’m sure some new title or something that comes soon, congrats on all your success. It’s… it’s great to see what you’ve done with the company, what you’ve done with your open source core, really appreciate your time today and pleasure debating as always and I look forward to talking with you.
Jonathan
Always awesome. Thank you, Jake. I really appreciate it. Talk to you soon.