Interviews | December 30, 2023

Corp. Attitudes to Bug Bounty Programs Have Become Increasingly Favorable


Binalyze | Bugcrowd | CYBER RANGES

Emre Tinaztepe
Founder/CEO

Binalyze

Q1. You have talked about the need to democratize digital forensics. What exactly does that mean? How is Binalyze helping enable this democratization?

Democratization in the context of digital forensics means making advanced forensic techniques accessible and usable by a wider range of professionals, not just specialized experts. Our mission is to simplify complex processes, ensuring they are user-friendly and provide the necessary visibility without friction, which is the biggest problem in digital forensics, a 40-year-old industry. At Binalyze, we are committed to this cause by developing intuitive, efficient, and scalable solutions that can be used by enterprises and MSSPs for a more cyber-resilient world. Our aim is to streamline the digital forensic process, making it faster and more efficient, thereby enabling organizations of all sizes to respond effectively and proactively to cybersecurity incidents by changing the paradigm from 'monitoring' to 'Assume Breach'.

Q2. How is your company innovating forensic analysis techniques and tools to stay ahead of criminal actors? What do you see as the next frontiers in digital forensics?

Staying ahead of criminal actors in the digital realm requires continuous innovation. Binalyze is at the forefront of this, developing advanced forensic analysis techniques and methods that are faster, more comprehensive, and adaptable to evolving threats. We focus on automation, reducing the time between incident detection and response, and integrating AI and machine learning to enhance the analysis and interpretation of large datasets.

The next frontiers in digital forensics include cloud forensics, dealing with the challenges of distributed environments, and the forensic analysis of a variety of enterprise assets. We are actively researching and developing solutions in these areas to ensure our platform keeps leading the way, helping our customers illuminate their environment with unparalleled visibility and automating repetitive tasks to turn the tables on the attackers. The next frontier in digital forensics is Compromise Assessment and Cloud Investigations as an extension of on-prem enterprise investigations.

Q3. What was the main takeaway for you from your company's participation at Black Hat Europe 2023? What were your customers and those who interacted with Binalyze at the event, most interested in hearing about from your company?

Participating in Black Hat Europe 2023 was immensely insightful. A key takeaway for us was the increasing complexity and sophistication of cybersecurity threats, highlighting the need for advanced forensic visibility and for automation. Attendees showed a keen interest in our approach to handling large-scale data breaches, our ability to provide real-time forensic data analysis, and our strategies for dealing with emerging threats. The feedback and interactions we had at the event are invaluable in shaping our future product developments and research focus. We realized that there is a growing demand for solutions that not only address the current threat landscape but are also adaptable to future threats. The most common response was: "We have been looking for a solution like this for years!"


Paul Ciesielski
Chief Revenue Officer

Bugcrowd

Q1. This March, it will be one year since you joined Bugcrowd as its chief revenue officer. What would you describe as some of the highlights of the year, for you? What are some of your goals and objectives for 2024?

Over the past year, I’ve witnessed incredible success among our researcher community, rapid growth and retention of new customers and partners, and strength in the overall posture of the company. We’ve been able to solve our customers’ trickiest cybersecurity challenges and have driven over 50% growth in payments to the hacker community through customer programs, amplifying a pivotal time of remarkable growth and innovation for the Bugcrowd Platform. Our team has also been able to help hackers learn more and earn more, by giving them the tools, skills, community connections, and confidence they need to be successful, with the average reward exceeding $3,250.

This past year, we’ve partnered with hundreds of companies in implementing and strengthening their crowdsourced cybersecurity programs and saw significant global customer momentum, working with top brands such as Rapyd, ExpressVPN and T-Mobile. With our Penetration-Testing-as-a-Service and private Bug Bounty platform, fintech company Rapyd’s goal was to take their program to the next level and to make security testing continuous. They also sought to eventually launch a public program, which they did in six months. In the past year alone, 15 critical vulnerabilities and almost 40 total vulnerabilities were discovered, with an average time-to-fix of 18 days across all severity levels, while the industry average is 31 days. Their team noted Bugcrowd’s excellence in accommodating both hackers and organizations. By picking the right hackers for specific programs, Bugcrowd keeps researchers engaged. Our growing list of global customers can be found here.

Last year we also grew our key leadership team tremendously. In September 2023, we were proud to welcome a handful of powerful new leaders to our team, including Kent Wilson, Vice President of Global Public Sector Sales; Shyam Ramamurthy, Vice President of Engineering; Jennifer Hood, Vice President of People; and Michael Skelton, newly promoted Vice President of SecOps & Hacker Success. Bugcrowd also announced the grand opening of our second office in New Hampshire, bringing the company's innovative, collaborative culture to the surrounding community.

Looking ahead to 2024, we are focused on spearheading growth across our organizations and boosting our sales teams across EMEA, APAC and North America to support our global base of customers. We are a partner to nearly 1,000 customers around the world and our sights are set on retaining them and partnering with them to solve their toughest cybersecurity challenges. We are also looking to continue building a strong and successful relationship with our hacker community, providing an environment within our team that fosters collaboration, communication and personal growth. Overall, we want to continue to innovate and double down on customer success so that they can remain safe in 2024 and beyond.

Q2. As crowdsourced security and responsible disclosure programs gain more corporate traction, how is Bugcrowd advising customers on structuring incentive programs that motivate more external researchers to participate? What have been some of the biggest changes in corporate attitudes towards bug bounty programs over the past year?

When we look at the intersection of Vulnerability Disclosure and Bug Bounty Programs, it's worth calling out the motivations of the individuals who participate in these endeavors. In our Inside the Mind of a Hacker 2023 report, 87% of our hackers think reporting a critical bug is more important than making money, 75% identify non-financial factors as their main motivators to hack, and 96% agree they help to fill the cybersecurity skills gap for companies. With that being said, these motivations can be ethically driven, notoriety driven, financially driven, etc. Adding financial incentives to our programs adds another layer of benefit for the researcher community.

Reward ranges can be utilized to mobilize different tiers of individuals to invest their time into finding risks that others may not have the skillset to reach. Another financially driven consideration is the value of the time that researchers spend testing an asset. Hunting for vulnerabilities with no guarantee of success is a challenging undertaking. On occasion, we will see a vulnerability come through that doesn't end up being very impactful as an attack but might point to a best practice or security change that still has value. Rewarding individuals for these findings as well creates goodwill and establishes a good program reputation.

Corporate attitudes have shifted substantially in recent years. Some of the mindsets we have noticed include: “It's hard to talk about your vulnerabilities, but everyone has them and transparency is generally a good thing,” “We shouldn't just focus on our front door, but the whole of our business,” and “We can't hire all the talent we need to be resilient, so we need to go to the talent.” Our researchers found that 89% of hackers believe companies are viewing hackers in a more favorable light. And this is a testament to our clients who are collaborating with us on their bug bounty programs, like T-Mobile, OpenAI, and others.

Q3. What were some of the top of mind questions and issues that customers and others had for Bugcrowd at Black Hat Europe 2023? What were some of the most notable takeaways from the show, for you?

One of the takeaways from the show is that customers continue to be highly concerned about their security posture, not just with meeting compliance requirements and checking a security box. They are laser focused on staying proactive and strides ahead of threats, having control over their security environment and best preparing for “what if” scenarios. They are also looking for faster time-to-remediate and always-on support.

It goes without saying that one of the major themes during the show was AI’s progressively stronger impact on security from both the defender and attacker viewpoints. The availability of ChatGPT and other generative AI tools has lowered the bar of entry for any wannabe threat actor to create sophisticated attacks. Generative AI has given them access to a lot of new tools and it has broadened the potential threat group. From the defender perspective, the challenge comes because prioritization is usually defined by the business leaders, not by the security practitioners. What we’ve heard again and again – during Black Hat Europe and throughout the community – is that what security professionals feel is most urgent often does not align with the company priorities, which creates a risk to the organization. Seen through that lens, our work around AI is to surface insights from the overall data set as it relates to risk. A vulnerability on its own is not good, but a vulnerability plus a real threat now makes it urgent – it’s like a bomb that hasn’t gone off.

We’ve also seen increasing conversation around Vulnerability Disclosure Programs as a strategic tool and security best practice, bringing hackers in to provide more visibility into organizational security risks. Shifting regulations also dominated mindshare among our team, in the context of how a comprehensive incident response process is vital to adhering to new disclosure regulations such as the SEC’s four-day requirement to report any incident that had a material impact.


Marcello Hinxman-Allegri
Head of Marketing & Business Development

CYBER RANGES

Q1. Tell us a little bit about the new collaboration between CYBER RANGES and MAD20 Technologies. What specific needs are you addressing with this strategic partnership?

MAD20 Technologies is a spin-off of The MITRE Corporation's innovation arm, MITRE Engenuity. Engenuity elected CYBER RANGES as its cyber-range-of-choice to develop the MITRE ATT&CK Defender and Purple Teaming 2.0 training & certification programs. The partnership between CYBER RANGES and MAD20 continues that unique collaboration. MAD uses CYBER RANGES for the assessment of Defender graduates, and MAD20 Arenas combine MAD20 Defender with the MITRE ATT&CK Simulations by CYBER RANGES to offer a seamless experience in hands-on competence development to B2C, B2B, B2Mil and B2G participants.

Q2. Given the severe shortage of cybersecurity professionals, what opportunities do you see for immersive platforms like CYBER RANGES being leveraged not just for training purposes but also for upskilling and potentially even attracting more talent in the field?

The cybersecurity skills gap is both a quantitative and a qualitative issue. Competence is defined as Knowledge, Skills and Abilities. To date, cybersecurity education has insisted on qualifications and certifications, which have proved insufficient to provide employable, workplace-ready competence. CYBER RANGES offers advanced, high-fidelity attack emulations that strengthen abilities against the latest threat intelligence, and such abilities are readily employable in the field.

Q3. What were attendees at Black Hat Europe 2023 most interested in learning from, and about, CYBER RANGES? What appeared to be driving their interest in your platform?

CYBER RANGES proved to be the cyber range standing out from the crowd. Cybersecurity people wanting to be ahead of the cyber game have found our approach unique, with both virtual labs and ranges, or industry-grade simulations, supported by field-hardened defensive and offensive practitioners.