Fix What Matters With Adversarial Exposure Validation (AEV)

[0:10]Welcome to Black Hat 2025. We're here recording live from the Cyber Risk TV Studio in Mandalay Bay in Las Vegas, Nevada. I'm your host, Jackie Maguire, and I'm joined today by Simone Segal. He is the founder of Breachlock. Thank you for joining us. Thanks for having me, Jackie. Yeah, so we're going to talk about something that I think is probably going to trigger a lot of people who work in socks today. Um, it's something that I complain about pretty often, which is uh, alert fatigue and the fact that we've all got, you know, 10,000 untriage alerts in our SIM and a decent chunk of those say that they're critical based on how we have or have not set up our SIM. So is this something that you see a lot? Yeah, I do see a lot and of course I come from a financial background, right? Before I started Breachlock, I was heading the cyber security assessment wing for ING Bank, uh, in Europe. And finance is crazy, right? Because you have, not only is it the crown jewels are actual money, but it's 24 hours. Like banks run 24 hours, so you can't just shut the network down to upgrade something. Absolutely and and you know, the adversaries are following the sun, so you have to do, right? There's no option to put your guard down. And, uh, you know, I've always been a big fan of both offense and defense. Uh, and that's also what I promoted at the bank. I think people get too much focused on on the defense and that's where the alert fatigue comes from. Not that that's bad, but in by the end of the day, you don't want to have like a needle in a haystack problem and then blame your analyst that they didn't find something there. So I think it's also a proactive approach that helps and that's something that I promoted and that's why these days I, I like to talk about vulnerability fatigue and not just alert fatigue. Yeah. So what was the, what was really the onus that caused you to say, I need to start a company to solve this problem? Right, pretty much the same, right? So I, I, when I looked at the investments that the coppers were making, uh, I was buying a lot. I was on the bias shoes reporting directly into the group CISO, so I was part of the CISO's office. All country CISOs were my peers, so I was, you know, having a say in the budget and and what they buy. I was doing a lot of proof of values for the bank and kind of putting my stamp, hey, this is ready to go, we can deploy it. Um, you know, so it all boiled down to too much focus on on defense, like I said, and not the proactive side of security, meaning, we don't want to wait for an incident to happen to to tell us what's broken. Why don't we have a look and find out proactively what's broken so that we can fix it and, you know, that that led me to believe that there's more, um, innovation that needs to be done in offensive security and, you know, that's what Breachlock's all about. We're probably the most complete offensive security solution that's available on the market today. Yeah, and so you have, um, the technique that you use is adversarial exposure validation, right? So how does, how does this work? So I've got all of these alerts in front of me, how does this help me figure out which ones actually matter? Right. So, you know, that that's it it's about fixing what matters, right? So, um, you know, in the bank I learned that there's like a ton of vulnerabilities. Uh, we used to get PowerPoint decks, uh, you know, red, yellow, green and nothing really moved, uh, each month. And, uh, when we did a red team, which was more an ecosystem hack, then a vulnerability view of the world, meaning you focus on people process technology and go from there. It showed a complete different picture that a lot could be breached where, uh, you know, you could have like three critical vulnerabilities sitting for three months and nobody gave a damn about it. Well, we also see that companies will do, you know, a pen test or a red team or something like that, but then they haven't allocated the resources to resolve whatever comes up from that test. Absolutely. You're absolutely right, Jackie. And, and, and the reason I think for that is that again, the fatigue side of things, right? Because you get a report with a ton of vulnerabilities. So what we've done with this new product, uh, it's an agenc tic uh, solution, so it's built off generative AI. Uh, a lot is happening in that space, as you know, so we are on the forefront of that from an offensive security perspective and what we really do there is we kind of, uh, you know, put all the vulnerability intelligence, uh, first, we find it very fast, thanks to GenAI now. Uh, you know, with all the feeds that we can collaborate, uh, we've, uh, we've, uh, very beautifully crafted an agenc tech solution that writes, uh, checks for CVs as they're published. And this is huge. So, you know, with a vulnerability scanning world, you are usually seeing the top players competing, hey, I release this check in 24 hours, 48 hours. So we are doing it near real time now, again, because of the generative AI innovation that's, you know, happening all around us. Um, and from there, when we get the vulnerabilities, we stack them all up from attackers' perspective and sort of give you an attacker a attack tree view, right? Or a kill chain view as, so if I if I'm an attacker, here's what what the actual realistic two or three kill chains would look like that I could use in this scenario. Absolutely. This is how I would get the crown jewel, right? And once you see that in action and you either see a green or a red, red being, it's a red flag, like, yeah, somebody can get to my crown jewel, be be it an active directory, or be it, you know, a grouple or whatever, simplest thing possible, but it still gives the attacker a foothold on your, uh, internal infrastructure. Then it starts to move because then the remediators start to get more excited about, hey, so now the, now that I am able to visualize this skill chain, which of the steps or vulnerabilities or CVEs or CWEs do I need to patch to break the whole kill chain, right? So you get a two-way motivation, one from the management because of course they're worried that something wrong can happen and also the, the system administrators or the devops engineers get much more excited that they could actually patch something that works. And, you know, if you give them a laundry list of vulnerabilities that they need to fix, then of course, there's many bottlenecks and they don't get the approvals with the D tap. So it's not only the admins to blame, you know, it's also the state of the technology we have. You can't just throw patches at systems because you need to have business to be able to live the security side of it, right? So I know coming from a bank, you have to follow the Dtap cycles, you can't just patch left, right and center. And whenever we had the critical, we get the bypasses for all of that and rightly so, right? So I think with the A V concept, you're able to see the kill chain in action, so you know exactly which vulnerability matters and then you fix that. So fix what matters. Yeah. Well, I also, you know, I talk to CISOs a lot and they have a really hard time kind of talking to their executive peers about what they're doing, about why it matters, about the potential fallout. So I imagine when you can take because generally, it's this trade-off between, well, we have cyber risk insurance and the chance of a breach is this percent. The cost of the breach is, you know, $10 million and if there's only a 15% chance, it's less money to, you know, and I think with this, if you can say, no, there is a demonstrable path to critically sensitive information that we have to close. Um, it's not theoretical risk then, right? It's it's real world risk that has to be addressed, um, and that you can actually tie to enterprise value or enterprise risk. Um, because I always say, you know, as a, as a CISO, if you go in and you say, all right, CEO, we have operational risk. They're like, I don't care. Like, well, this operational risk translates to potentially losing $5 million a day in revenue if we're crippled, then they they start to care, right? Absolutely. And you can tie that to the crown jewel, that's why the flags are really important. So in a AV concept, you always go, you start from objectives. And then you go to the final crown jewel, right? So the, the AI is able to come up with the context of the target, right? So let's say if I enter a target ABC bank.com, then the AI already knows that this is a bank, so the first step is to look at the threat and tell that's relevant to that sector and then pick the, uh, the objectives based on that and that's how the whole attack is done and it's completely, uh, with human out of the chain. And I'm not a propagator of like, you know, pen testing or red teaming needs to be done fully automated. So I'm not saying that. However, what we've seen is with this product that we've launched, uh, we've got a lot of traction with internal teams. So the the right way to put this is for enterprise, uh, internal offensive security teams, they see this as a mechanism to scale their own efforts. So they can probably, you know, focus on fixing stuff and then the machines can find most of the things at scale. Yeah, I think you're always going to need a human for pen testing because you have like 95% of it is known variables and things like that. But in security, shout out my couple friends who got caught in a fire escape stairwell trying to sneak into a party a couple days ago. In security, we tend to be a little bit mischievous and we tend to be able to find the very indirect paths into things, so because adversaries, yes, they're well, they are using a lot of automation, but they also still have humans kind of actively trying to find the sneaky things, so but to your point, if there are known variables that you can address, that frees up your team for more time for the actual fun stuff. Because those are the fun red teaming activities, right? Yeah. And I get into this discussion all the time because, you know, at Breachlock we do both, so we have, uh, the human led part that uses technology in house. So that's more for, uh, enterprises that want to have an external pair of eyes looking at their infrastructure, their applications. Whether it's for compliance reasons or just an extra pair of, you know, independent view, but we also have these platform or tools that that are used by internal teams. So we do both. So I get this question very often like, can it be really automated and I always respond by saying it's not either or. Yeah. Right? It's not like, you know, either you would have automated or you need humans, it's both. And we need to stop this discussion and just focus on the scalability benefits of the technology and just end it with saying like, no, humans will be in the loop and they need to be in the loop because that's what the business demands and, you know, that's the sane option available, right? You can't just let it on machines to, it's not microwave or stove, sometimes you need both, right? That's a good way to put it. Some things don't go in the microwave. Yeah, yeah, yeah. That's awesome. So are there, is there a typical profile for a customer? Are you generally mid-market? Are you larger enterprises? Does it kind of span the spectrum? Like what is your typical customer look like? So it it, you know, it's all the way from Fortune 500 to mid-enterprise clients. Mostly software, financial, healthcare, these are the three sectors that we, yeah, like you would imagine, we also have like critical sectors like energy and some of the biggest companies, manufacturing. I can name it, you know, like pen testing is everybody's problem, right? You have to know where you, where you can be. ICS is one of my favorite areas. Like I always like the target breach that happened through their air conditioning system. That's one of my uh, favorite ones also. I used to own, my husband owned a mechanical contractor and he's a an a mechanical engineer and so I ended up having to learn how to write the industrial automation. So when the target breach happened, I was like, I know backnet, I know I know these controls. Yeah, and to your point a lot of OT clients also reach out to us and and rightly so, so I really love the fact that the awareness is rising. Also that they want to do it more continuous and not just like a once a year thing. That's just check the box. Yeah, exactly and that's where technology can help, right? Because then you can have humans do, uh, let's say a couple of times a year or quarterly, if you have the budget. And for the rest, why why leave it out, just test it with, you know, the existing parameters and I think generative AI, uh, is really pushing the bar there, right? Because because, uh, it's a self-learning mechanism and the more you teach it, the more it performs better, right? So that's, does that, so I think I've noticed a real sentiment change from last year to this year with security teams and that last year it was like, block everything, we can't let this in and this year it's like, all right. I I keep saying this, the horse is out of the barn, like we're not going to put these horses back in the barn, let's just figure out how to contain the fallout. So I imagine you get at least some pushback from CISOs around using AI because with agents, with people, there's at least some delay in communication and then there's somebody to fire if things go sideways. Like who do you fire if an agent does things instantaneously that are really bad? So how do you address those concerns? Like what are you hearing with regard to AI concerns from CISOs and how do you address those? Very, very relevant question, so I'm glad you asked that, Jackie. So I'll I'll I'll address two sides of it, right? So first let's talk about Breachlock and then we'll talk about the industry. because I'm a practitioner, right? So I have to give you that answer. So from Breachlock perspective, obviously we saw that coming, right? And what we've built is we've built an AI transparency module. Uh, now I'm not saying that's the answer to all the questions we have with AI or autonomy, but it's a start, right? So exactly, you create the transparency for the CISO and you're able to see like, for example, we have like 18 agents, then they're able to see what each agent is doing, what data it's picking. We only take the mirror data and share it with AI, so it's not your infrastructure or your application info going. Because, I mean, AI doesn't need to know that, it just needs to know what the target is and it doesn't need to know who the target is, right? So you just take the mirror data and that's how it's processed, so we show just like in in in a, um, proxy, vulnerability testing tool, you would see the the get request, the post request. Similarly, whatever is going to the AI and coming back from the AI and the commands that we are injecting, uh, like you said, with the agents interacting with each other, they're able to see everything. So that's one, transparency. Second is that just like, uh, in a Tesla, you know, especially with auto driving cars, uh, in Europe, we have, uh, we have norms where the the driver has to keep the hands on the steering, otherwise, my, you know, BMR starts to beat, right? Uh, so similarly, we have an assisted mode, uh, in our, in our solution, which means that you can switch it on with a toggle button. So if it's a very risky test or a risky environment, then it'll ask you at each step, right? And of course, it not ask you, I'm going to run an Nmap scan or I'm going to do XYZ, that's the normal. You know, if you're worried about that, you've got other problems if systems would break because of a board scan, then you have other problems, but more for the high-risk actions, like launching an exploit or even, you know, establish, uh, establishing a connection, even if it's passive, right? Um, it would ask you and then if you approve as a human, it goes further if not, you know, you you choose what you do. So I want to paraphrase this because I think this is important. You said one is start with metadata, so one I think is privacy. So one is privacy. So start by only collecting the actual data you need to do the work. That's privacy. Two is transparency, and then three, it sounds like control. So give people the control they need to make decisions. Absolutely. So that's the Breachlock side of things, right? Now my practitioner answer. So look, I've seen the movie before many times. I've heard all the buzzwords, seen the technology revolutions, the last one that I can draw reference with and I'm sure you would agree is cloud, right? So when I was at the bank, I mean, we were having discussions like, hey, should we build a private cloud, should we stay in the data center. Look where we are now, like, I, I was speaking to a client that's, uh, you know, in in a defense setting, uh, right? And, uh, you know, we were discussing like, okay, on-prem solution, in the 10 minutes later in the conversation, it turned out they were in a multi-cloud environment, so that that's how we refer to on-prem, uh, these days in a defense setting, right? So I think similar things are going to happen with AI. It's totally fine, we are all discussing where the data is going. My prediction is like five years from now or maybe even sooner, we are all going to just adapt and accept for the right reason, not for the wrong reasons, a multi-modal setup, where three or four big players, just like you have now with AWS, GCP and Azure would be kind of, you know, the trusted partners for any large corporate to deal with and the all the SoC 2 ISO 27001, the data security standards would all be in place and we would all have calmed down our emotions and and be okay with it. The only thing that I don't have an answer to, I'm still looking for, for that is that the autonomy angle for, uh, for the AI, when it, when, when it kind of crosses the guard rails, I don't have an answer for that. I think nobody does. Well, you'll be a billionaire when you figure it out. Yeah, I don't know, but I mean, for from Breachlock perspective, I have to find the answers for my clients. So I'm still looking for that. Well, we're going to bring you back in 2030 because you said five years from now, we'll have you on again and we'll, we'll replay this before your interview. And we'll see if you were right. You bet. Unfortunately, we're out of time. I could probably talk to you for about an hour about this, Simon. So thank you so much for coming on. We really appreciate it. It's my pleasure. Thanks for the good conversation. Thank you. And if you'd like to find out more about Breachlock, please visit securityweekly.com/breachlockbh and for the rest of our coverage, you can visit securityweekly.com/blackhat. I'm Jackie Maguire, we are in the Mandalay Bay at Black Hat 2025 in Las Vegas, Nevada, and we will be right back with lots more guests and great segments. Stay tuned.