Supply Chain Security for Enterprise Companies
Supply chain security and red teaming involve the assessment of an organization’s ability to detect and respond to a real-world breach event. As corporate and software development environments evolve with the adoption of new technologies such as (cloud, microservices, containerization, and Kubernetes) so does PreCog Security focus on performing a guided audit or test against an organization or a testing object. This approach can include performing an audit and developing a process according to ISO 27001 for an organization or verifying the security level of an application according to OWASP ASVS (Open Web Application Security Project – Application Security Verification Standard). When a company wants to simulate a realistic threat against a system and find vulnerabilities, it is suggested to perform penetration testing on an application, network, or organization. The result is that the company simulates an attacker of a certain skill level, and aligns hired testers to that same skill set of an attacker in order to discover vulnerabilities or risks.
Classic red teaming also falls under this category by simulating an adversary of a specific skill level with an extended engagement period than in a regular penetration test and wider encompassing rules of engagement which allows for more freedom while testing. While red teaming is very useful in order to detect new avenues of risk, it is expensive and usually provides only a single path that the red team took in order to compromise the organization.
In both cases, the specific focus is on either broad risk assessment and asset discovery, to perform very specific checks and assessing risks for an application or part of the system.
The PreCog Security approach is about leveraging available frameworks, customer resources/infrastructure, and our expertise in order to build a customized risk framework. Our team consists of a diverse lineup of professionals, from C-Level security strategy executives with backgrounds in some of the largest IT enterprises like McAfee and Intel Security to experts with prior industry expertise to academic background experts with PhDs in information security. The diversity of our team enables us to view every security problem or every element of your enterprise from multiple viewpoints and scale our approach from the finest technical detail to c-level and boardroom executive reports.
Our approach for strategic risk assessment and analytical red teaming takes a blended approach with three critical areas and phases:
Phase 1 – Baseline assessment and identification (where is the organization now)
Phase 2 – Customized Risk Framework Development (where the organization wants to be)
Phase 3 – Implementation of Risk Framework (how the organization is doing)
Baseline Assessment and Identification
we establish gap analysis in your current approach and available resources and frameworks. Initial security maturity assessment and gap analysis include attack surface discovery. In this phase, we analyze your security maturity, alignment with best practices, and identify strategic points for improvement. Based on the findings we define desired level of approach, organizational risk level, and best customized framework for third-party risk assessment.
Deliverable: executive summary report on security maturity and security gap analysis.
Customized Risk Framework Development
a) We define a customized framework in cooperation with you in order to best assess the strategic risks in your organization.
b) Instead of focusing on inventorying assets within standard frameworks NIST 800-30 or ISO 27005 or only focusing on the “known-knowns” risks or “unknown-knowns” risks, we focus on the specific “unknown-unknowns“ risks
c) Based on your organization’s risk profile we help you build a process to identify the most threatening vulnerability and within your defined framework.
Deliverable: customized third-party risk assessment framework and process.
Implementation of Risk Assessment Framework
a) PreCog Security team performs all or partial testing and assessments in collaboration with the organization’s security teams.
b) PreCog Security team performs guided reconnaissance as real attackers, where we observe applications within your network through the attacker’s perspective with a goal to find real and exploitable vulnerabilities.
c) Common goal is to optimize for time and find the most pressing and realistic risks and vulnerabilities in the shortest amount of time. Instead of focusing on one type of assessment, we tailor our assessments for the ease and speed of verification.
(ex. Usually, a code review in an application will verify if there is a specific risk or a problem in a shorter time frame, which is more time and cost-effective than trying to develop a PoC exploit to demonstrate a vulnerability.). PreCog Security’s emphasis is on actual, applicable, and realistic risks based on the already established customized risk framework for our client.
Deliverable: executive summary and detailed risk report for a specific organization or system components.