10/07/2021

How FireCompass is Shaping the Future of Security Testing

With the volume of attacks on enterprises increasing by the day, occasional or manual penetration testing is no longer sufficient. Organizations usually test “some” of their assets “some of the time,” whereas hackers are attacking “all of the assets” all of the time. Today, it is common for an enterprise to be attacked thousands or even millions of times a day. Red Teaming and Blue Teaming exercises and frequent audits help check the risk profile of an organization. However, newer approaches such as Continuous Automated Red Teaming (CART) and Attack Surface Management (ASM) have proven more effective in blocking attacks. A Bangalore- and Boston-based startup named FireCompass, which was part of the NetApp Excellerator Cohort 8, is helping organizations with continuous testing. FireCompass is included in Gartner’s Hype Cycle for Security Operations, 2021. Apart from Autonomous Penetration Testing and Red Teaming, FireCompass is also mentioned in the EASM market within the Hype Cycle report. FireCompass has received similar recognition from IDC and RSA.

By Brian Pereira, Editor-in-Chief, CISO MAG

FireCompass was founded in 2019, and its offices are located in Bengaluru, Boston, and New York. Its co-founders are Bikash Barai, Priyanka Aash, and Paul Dibello. They have yet to publicly announce their recent funding series.

The Indian co-founders met as students at IIT Kharagpur, and their idea took root there with the launch of their first venture. Bikash Barai, Co-founder of FireCompass, spoke to CISO MAG about how the company was founded and its journey through the years.

Automating Ethical Hacking

“In those days, hacking was about people writing scripts, and it was more of a manual process. Few people were into hacking, so this activity was confined to small groups,” said an amused Barai. “And we launched a company with the vision to automate ethical hacking. After we built this automated ethical hacking product, we began receiving awards from Intel, UC Berkeley, Homeland Security, U.S. Navy, etc. So, we got a lot of recognition. But we faced a challenge; we noticed that not too many people were buying our product. We realized that it was much ahead of the times in terms of automating ethical hacking. And this was two decades ago.”

The irony was that the product was receiving many awards, but there were few customers for it. So the co-founders reached out to their alumni network for advice, and the response they received gave them a business idea.

“One alumnus said, ‘I would love to buy this product, but I don’t have anyone to run it for me,’” said Barai. “So we thought, why don’t we run it for you? Instead of giving away the product, we can host it and run the product for our customers. And that’s how it became a SaaS offering. In fact, we were one of the first SaaS companies from India.”

That move paid off, and the response improved. The company raised a round of funding from IDG Ventures, grew steadily soon after, and bagged 100 global customers. Cigital then acquired it. The co-founders continued to run the business, which kept growing; Barai told us that 18 of the top 20 U.S. banks were using its products and services. Eventually, Cigital was acquired by Synopsys, and their product became the engine for Synopsys’ cloud-based testing. That was the first innings for FireCompass and its co-founders.

The Next Phase

After spending two years at Synopsys, they were again bitten by the entrepreneurial bug and started thinking about their next product. What was the next problem to solve?

“We noticed something very interesting, and very strange. We saw a top financial services company getting breached because they had an open database without any password. And we were very intrigued because we knew that this particular company was highly mature. They have the best tools and the best folks working for them. We wondered why they missed that. Moreover, many other such companies were getting breached. We noticed the same pattern – they were getting breached because of some very simple stuff. And once we dived deeper, we noticed that this particular database that they were using, which got compromised, was put online by the marketing team, without the knowledge of central IT.”

Well, doesn’t this problem sound familiar? It is called shadow IT: business units help themselves to cloud services or create their own products without the approval of the IT team. That’s a recipe for a security disaster.

“This new problem was not there a decade ago (before the cloud era). And you have to blame it on rapid cloud adoption, digital transformation, distributed teams, and agile teams who have got this autonomy to create things on their own. Ten years ago (before cloud), anything that had to go online had to go through IT; you did not get access to a public IP easily. But today, anybody can spin up a new asset (virtual machine), there can be new API integrations, and many new applications getting created,” said Barai.

This was clearly a problem to be addressed, and an opportunity for Barai and his company. The second problem was the limitation of the first-generation testing tools.

First-generation tools, or Testing 1.0 tools, could only test known systems. One had to input the IP addresses or the application URLs of the assets to be tested. Put plainly, these tools can’t test what they can’t see: if you do not have complete visibility of all your assets, you can’t test them.

And then there was another problem with testing, or rather, the shoddy manner in which organizations were testing their assets.

The Need for Continuous Testing

“Red teaming or penetration testing exercises are done intermittently, a few times a year. And not all the assets were tested. So, organizations are testing some of the assets some of the time, whereas hackers, the ransomware guys, the nation state actors — they’re attacking all the assets all of the time,” said Barai.

To add to that, there is inadequate cybersecurity talent in the industry. Organizations cannot scale up their testing or do continuous testing just by hiring more people.

“We believe Testing 2.0 is the future of testing, where we are continuously discovering all our assets. And we are continuously testing all our assets. So, testing has to move from that point in time to continuous. Continuous discovery of assets and continuous testing has to be automated. And it has to be continuous,” said Barai.

And it is with that vision that they founded FireCompass.

How Continuous Testing Guards Against Attacks

FireCompass offers solutions for Continuous Automated Red Teaming (CART), External Attack Surface Management (EASM) and Ransomware Attack Surface Testing (RAST). It enables organizations to map out their digital attack surface, including shadow IT blind spots, by continuously discovering, indexing, and monitoring the web. The platform then automatically launches safe multi-stage attacks, mimicking a real attacker, to help identify attack paths before hackers do, so that security is continuous and proactive rather than periodic. That is how continuous testing makes an organization more secure.

The Attack & Recon Platform of FireCompass continuously indexes and monitors the deep, dark, and surface web using nation-state-grade reconnaissance techniques. The platform automatically discovers an organization’s external attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify and prioritize the vulnerabilities that are most likely to be attacked.

“We first go and index the entire internet, and we index the deep, dark, and surface web, collect all that data and put it into a big data platform. And then, we analyze that data automatically using various algorithms. From absolutely zero knowledge, we build the hackers’ view of the attack surface, or the map of the attack surface, of all these organizations, and we do it on a near real-time basis,” said Barai.

FireCompass continuously monitors its customers’ assets and discovers their attack surface. It looks for new assets that are going online, such as databases or VMs, new open ports, new APIs, and so on.

“We mimic various threat actors and do a mock ransomware attack or other types of attacks on an organization. This is a red teaming and pen test exercise. Finally, we give real-time alerts,” said Barai.

So this goes well beyond the reports delivered by first-generation testing. This is really the future of testing.

NetApp Excellerator Program

NetApp, a global cloud-led, data-centric software company, announced the graduation of its eighth cohort of the flagship startup accelerator program, NetApp Excellerator, on July 23. The eight business-to-business (B2B) tech startups, which all share a focus on deep tech, including artificial intelligence (AI), machine learning (ML), cloud, and data, graduated via a virtual demo day event yesterday.

Since its inception in 2017, the award-winning NetApp Excellerator program has received over 1,700 applications.

FireCompass was one of the eight startups in the eighth cohort. Speaking about his experience in the program, Barai said, “The global exposure that you can get and the access to such great minds and their knowledge within NetApp is very special. The knowledge that you can gain from the experts at NetApp is immense. The team has been very supportive and helps you come out of the program as a better & more efficient version of you. One of the key highlights of the program that we were personally excited about was the joint GTM opportunity along with NetApp. This program introduces us to their experts globally in NetApp, and getting their help to create a strong combined GTM is very exciting for us. Also, the paid proof of concept, which was an integral part of the program, helped in fine-tuning the offerings.”

Blog Source: CISOMAG