Last Tuesday, November 27, I spoke at "Business Asks for Cyber Attacks" meetup organized by PRYTEK investment platform. The event was held at the PRYTEK Moscow office in a beautiful XIX century building of a former textile manufactory.
The goal of the meetup was to talk about new approaches in Vulnerability Analysis and how they can reduce the Information Security costs for organizations.
There were two presentations:
For the most part this was my report from the last ISACA VM Meetup. The only difference was in the conclusions, since the topic of this event and the audience were different.
I stressed that the Attack Simulation tools, like Cronus, that analyze vulnerabilities and network connectivity of hosts can be very helpful. They allow you to assess the criticality of each vulnerability better and help to justify the need in prompt patching for IT Team (see "Psychological Aspects of Vulnerability Remediation").
I mostly liked Doron Sivan's speech. It's always interesting to see how different companies sell the need in Vulnerability Management. According to vendor's description, Cronus CyBot is a network agentless Vulnerability Scanner for infrastructure and web applications, that operates mainly in authenticated mode. It also analyses host connections and can produce attack path scenarios: potential ways that attacker can use to reach critical targets in the organization.
So, that's why it can be called a Breach and Attack Simulation solution in terms of Gartner.
Screenshot from the video "Cronus Cyber Technologies: CyBot overview and demo"
It can also be integrated with Splunk, watch it on the video from "VB-Trend 2018 Splunk Conference" since 6:15.
The only thing I didn’t like was that Cronus was presented as Automated Pentest solution, as a "pentest that can be done every day". And the price of the Cronus was compared with the price of traditional pentest.
I see a substitution of concepts here. Cronus doesn't actually run the exploits on the host. So, it looks pretty much like traditional Vulnerability Management tool.
What are the features of Penetration Testing:
Vulnerability Management, in it's turn, is about regular and rapid detection of ALL existing vulnerabilities (even potential and theoretical), their analysis and remediation.
Vulnerability Management and Pentest are very different processes with very different goals, focuses and scopes, and they should not be mixed.
On the other hand, I certainly understand why it was presented in this way. It is very difficult for a new Vulnerability Management vendor to safe place on the market, and therefore it’s better to distance as much as possible from the competitors, positioning the solution as something completely new.
And it could really look like an analogue of pentest or as a framework for pentest, if the solution was a combination:
In this case, I would have no more questions. I hope that they will develop in this direction.
NB. Vulnerability exploitation from the scanner is possible, for example, in ERPScan.
After the speeches there were many specific questions about Cronus. For example, we learned that it does not detect yet vulnerabilities in the third-party software for Windows (they plan to release this in January). There is no option to disable checks. You can choose IP scope, scheduling settings, infrastructure scan, choose a web or a web with injection scan. It turns out in the UK, you can not scan with an injection, even if the customer has allowed this.
To the credit of the event organizers, I was able to convey all my thoughts about the Cronus, as well as other criticism regarding the VM vendors. For such vendor-centric event this is very rare and valuable. And I think it created a more objective view of the solution and was useful for everyone. Thanks to the organizers for the great and interesting event!