Know where your data lives and who has access to it.
Know your Web App Security landscape
Know that your entire digital network perimeter needs protection
Know your 3rd party vendor Risk
Know a hacker only needs one way in.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Michelle Wilner, CEO/Co-Founder of VIRTIS, a full-service, woman-owned cybersecurity firm reshaping the dynamics of the cybersecurity landscape with globally unique solutions and services. Dually headquartered in the US and New Zealand, a country known for being an early adopter of leading-edge technology, VIRTIS taps into some of the world’s most advanced technology long before the US is even aware of it. Michelle’s vision is to revolutionize web app & API protection and modernize vulnerability management. She is passionate about and dedicated to protecting organizations and, more importantly, people against data breaches. Her revolutionary award-winning SHIELDING TECHNOLOGY (VIRTIS Vi) is the fastest, safest and most cost-effective way to protect your Entire Digital Network Perimeter, meaning all outward-facing web assets (websites, web apps, APIs, online shopping carts, online customer portals) and the sensitive data that sits behind them, from hackers and data breaches. Globally unique differentiator: VIRTIS Vi (Vulnerability Intelligence) does not touch a single line of source code. VIRTIS’ interception proxy transforms the application code on the fly, nullifying exploitability, which is why they are faster and safer than anyone in the industry. VIRTIS’ streamlined automated platform operates at an 80 to 1 ratio: it would take 80 people to achieve the same results as their 1 automated service, which is why they are more cost-effective than anyone in the industry. VIRTIS provides an award-winning fully managed shielding service with nothing for you to manage on your end, guaranteeing they can keep you 100% protected against all of your known vulnerabilities.
Proprietary solutions that others cannot deliver, combined with boutique, white-glove customer service, enable VIRTIS to provide strategic roadmaps, leading-edge technology, and support services to some of the most technically advanced organizations in the world. Dedicated to making a difference in an industry with only 11% women, Michelle has championed diversity and inclusion for women and minorities. Knowing that women are incredibly underrepresented in technology generally, and in cybersecurity especially, is what inspires Michelle to promote STEM careers and cybersecurity certification paths to young girls. Michelle was honored to be named Women in IT 2019 Entrepreneur of the Year. She has recently earned recognition from Congress, the Senate, the California Legislature, and the California Assembly for her innovative technology. Additional awards:
∙ 2019 Top 50 Tech Visionaries Awards by InterCon
∙ 2019 Woman of the Year, Business Services, Stevie Awards
∙ 2019 Innovator of the Year, by the National Association of Women Business Owners (NAWBOVC)
∙ Named 2018 Top 10 Most Promising Cybersecurity Solution Providers, CIO Review
∙ Named 2018 Top 10 Artificial Intelligence Solution Providers, Enterprise Security Magazine
Thank you so much for joining us in this interview series! Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Yes. The massive proliferation of infected internet-connected devices has supplied bad actors with essentially infinite free client resources to conduct reconnaissance and attacks on web applications. Using these resources, attackers can now use automation to rapidly discover system technologies and then attempt to automatically exploit any published flaws. Publications from 30 years ago and from last night are equally relevant. This means that leaving any exploitable application online across your entire perimeter is increasingly dangerous. The focus on the top 4% of issues is increasingly naive. The bad guys only need one way in. Bot defensive tools are increasingly hindsight defense as the bad actors continue to innovate and develop evasion techniques rapidly. For example, IP reputation, browser challenges, CAPTCHAs, and fingerprinting can all be evaded with increasing ease.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We have many stories. One example is a national retailer that had an exploitable online shopping cart. Customers had reported seeing other customers’ account details upon logging in. Further investigation revealed significant problems with the application, including complete evasion of login and viewing all client details (credit card information, addresses, etc.). Developers estimated 6–18 months to resolve in the source code, so the legal department required the site to be taken offline.
Using our globally unique shielding technology, our developers created the required application logic manipulation code shielding objects within 48 hours. As a fully managed service, we had the issues resolved within two weeks and back online.
As part of our 24/7/365 fully managed service, we run attack and vulnerability correlation and report what we have found that would have breached their application if not stopped. Real-time reporting.
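The shopping-cart story above describes two things: an application that hands out account data without checking who is asking, and an enforcement layer placed in front of it that stops the exploit without editing the application. The following is an added illustration, not VIRTIS code or the retailer's code: the account lookup is left exactly as it was (the defect), and a wrapper enforces that a session may only read the account it owns, recording refused attempts for the kind of "this would have breached you" report mentioned in the answer. The account records, session cookies, URL layout and `shield` function are all constructed assumptions.

```python
"""
Added example (not VIRTIS code): a broken object-level authorization defect
of the kind described above, and a small enforcement layer placed in front
of the unchanged handler. All names, data and the session scheme are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records standing in for a retailer's customer accounts.
ACCOUNTS: Dict[str, dict] = {
    "1001": {"owner": "alice", "card_last4": "4242", "address": "1 Main St"},
    "1002": {"owner": "bob", "card_last4": "1111", "address": "2 Elm St"},
}
# Constructed session store: session cookie value -> account id it owns.
SESSIONS: Dict[str, str] = {"sess-alice": "1001", "sess-bob": "1002"}

Response = Tuple[int, dict]


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


Handler = Callable[[Request], Response]


def legacy_account_view(req: Request) -> Response:
    """The 'before' behaviour: returns whatever account the URL names and
    never asks who is logged in, so any customer can read any record."""
    account_id = req.path.rsplit("/", 1)[-1]
    record = ACCOUNTS.get(account_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


# Audit trail of requests the shield refused, feeding the
# "would have breached you" reporting the interview mentions.
BLOCKED: List[dict] = []


def shield(handler: Handler) -> Handler:
    """Wrap a handler with an ownership check that runs before the
    application code sees the request; the handler itself is unchanged."""
    def guarded(req: Request) -> Response:
        own_account: Optional[str] = SESSIONS.get(req.cookies.get("session", ""))
        if own_account is None:
            BLOCKED.append({"path": req.path, "reason": "no valid session"})
            return 401, {"error": "login required"}
        requested = req.path.rsplit("/", 1)[-1]
        if req.path.startswith("/account/") and requested != own_account:
            BLOCKED.append({"path": req.path, "session_account": own_account,
                            "reason": "cross-account access"})
            # 404 rather than 403 so the response does not confirm that
            # the other account id exists.
            return 404, {"error": "not found"}
        return handler(req)
    return guarded


protected_account_view = shield(legacy_account_view)


def blocked_report() -> List[dict]:
    """Return the attempts the shield stopped."""
    return list(BLOCKED)


if __name__ == "__main__":
    alice = {"session": "sess-alice"}
    print("legacy  :", legacy_account_view(Request("/account/1002", alice)))
    print("shielded:", protected_account_view(Request("/account/1002", alice)))
    print("own data:", protected_account_view(Request("/account/1001", alice)))
    print("report  :", blocked_report())
```

The point a practitioner should take from it is where the check lives: the wrapper decides from the session and the URL alone, so it can sit in a proxy or middleware while the legacy handler stays untouched, and every refusal is logged with enough context to reconstruct what the request was trying to reach.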
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
We use our globally unique Shielding Technology bundled with RiskRecon’s Risk Management capabilities to provide a 24/7/365 fully managed, robust Web App & API Security Service.
Exposure is immediately eliminated. Risk acceptance is no longer needed.
We don’t touch a single line of source code. We focus on the vulnerability and not the application. Hence, we remove the vulnerability from being exploited without touching the application code itself. This enables us to provide remediation of application vulnerabilities without breaking the application or its dependencies. There is nothing for you to manage on your end. No tools or resources needed, making VIRTIS the safer, faster & more cost-effective choice over the traditional methods that leave organizations exposed.
We automatically risk-prioritize issues based on issue severity and the system value at risk. It’s easy to gain deep, risk-contextualized insight into the cybersecurity risk performance of all of your third parties as well. With risk prioritization, you know exactly where to start. CEOs & Board-level executives love this because you can provide real-time reports validating your risk score and how you benchmark against industry peers. Now, you can defend the money you’re spending with confidence.
Tools utilized in our fully managed service:
1. Scanners (OSINT, Infra, and Web App) and manual pen testing to find exploitable applications
2. Public cloud infrastructure to absorb massive DDoS attacks and scale applications
3. Specialist DDoS scrubbing providers (note this is becoming more and more a public cloud service)
4. WAFs to detect and block both bots and malicious traffic
5. SIEM (Service Incident & Event Management)
6. Machine learning algorithms
7. Attack simulation tools for both DDoS and Exploits
8. Artificial Intelligence
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency or hire their own Chief Information Security Officer?
With 48% of all breaches coming from Web Apps, 50% of all critical and high vulnerabilities never fixed, and 50+ new vulnerabilities coming out every day, it’s an uphill battle. Companies need to allocate the proper budget to secure their digital network perimeter.
To know what would effectively secure an organization’s environment, we would need to perform a Web Application Risk Assessment (that is complimentary). From there, we discuss their options.
Up until now, a WAF (Web Application Firewall) and/or developers have been the traditional solution, which leaves organizations exposed.
1. WAFs cannot protect against business logic flaws.
a. A WAF is only a small piece of the security puzzle. Maybe protecting up to 30–50%.
b. VIRTIS protects against complex business logic flaws IMMEDIATELY
2. Developers are too slow (4–6 months, on average, to fix critical & high vulnerabilities)
a. VIRTIS protects against ALL your known vulnerabilities IMMEDIATELY
b. Legacy Apps often cannot be fixed by developers
c. VIRTIS protects your legacy Apps from vulnerabilities IMMEDIATELY
OUR DIFFERENTIATOR #1: We pick up and protect where WAFs fall short.
OUR DIFFERENTIATOR #2: We don’t touch a single line of source code. We focus on the vulnerability and not the application. Hence, we remove the vulnerability from being exploited without touching the application code itself. This enables us to provide remediation of application vulnerabilities without breaking the application, or its dependencies, making VIRTIS the safer, faster & more cost-effective choice over any other method out there today.
OUR DIFFERENTIATOR #3: No WAF can protect what we can. No Developers can do what we do at the speed that we can.
As mentioned, with VIRTIS currently being the only Stateless and STATEFUL 24/7 Fully Managed Web App & API Protection Service on the market today, we are the safer, faster, and more cost-effective choice over traditional methods that leave organizations exposed.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be “amiss”?
This is increasingly difficult to spot. We would suggest engaging a specialist service. The bad guys are smart and sophisticated.
∙ If you turned off your computer when you left and programs are running when you get back, someone may have been trying to access information.
∙ If you receive a lock-out message the first time you try to access an account
∙ Your internet searches are redirected
∙ You see frequent, random popups
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
They need to ensure that they implement a program that systematically finds and addresses risks in a timely fashion.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR, and other related laws affected your business? How do you think they might affect business in general?
This has raised the stakes on organizations that have traditionally been quite blasé with consumer data. If the risks companies have been accepting were occupational health and safety risks, they would be shut down. This legislation is bringing the same consequence to the digital world.
After all, the security of consumers is one of the grand challenges, and in a digital world, this should apply as well.
What are the most common data security and cybersecurity mistakes you have seen companies make?
1. Deploying tools without experts and process to produce outcomes
2. Not understanding their risk exposure
3. Relying on survivor bias and risk accepting in a world that is becoming more automated and breach is no longer personal; instead, you are just a breachable statistic.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes. Companies have had to rapidly deploy new technologies and expose more applications to remote access. Hence, the threat surface for attackers to probe has increased. Attackers are taking advantage of the current landscape and having a field day. Data breaches since COVID have quadrupled.
What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity,” and why? (Please share a story or example for each.)
There are a number of new or updated data protection statutes and regulations. These data protection laws are enforceable. Severe fines and now possible jail time are on the table. Exposure is no longer an option.
1. Know where your data lives and who has access to it.
2. Know your Web App Security landscape
3. Know that your entire digital network perimeter needs protection
4. Know your 3rd party vendor Risk
5. Know a hacker only needs one way in.
Bank Website Example:
We had a bank that didn’t feel they needed to protect their informational website because they said it was a low priority.
A hacker created a new page on their brochure ware site with pictures and bios of the employees on the list.
∙ He sent spoofed emails to the bank employees on the list, asking them to visit the (trusted) website’s new page and approve their bio. The link is valid and points to the ‘trusted’ asset.
∙ Waited for employees to visit the page and when they did, exploited their browser and workstation to gain access to the bank’s internal network.
∙ From the foothold on the internal network, discovered and gained access to the bank’s core network that controls ATM machines.
In this case, a marketing website with no access to the bank’s network was leveraged by a hacker as a ‘trusted’ asset. This is not a phishing site, so it is not flagged as such. All the security focus was on the bank’s network perimeter. However, your perimeter is not simply your physical or logical network. Your true perimeter is defined by your network of trust.
To defend effectively, you must have no weak links. All your perimeter devices must be secure regardless of what information they hold or access they provide. Any trusted system that is compromised will undermine all your security assumptions.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!