Aviva Zacks of Safety Detectives had the chance to sit down with Ray Espinoza, Director of Security for Cobalt. She asked him about Cobalt’s pentesting services.
Safety Detective: What was your cybersecurity journey up until now and what do you love about it?
Ray Espinoza: I started off as a systems administrator then moved into managing the team I was a part of, at eBay. After being in that role for several years, an opportunity opened for me to build eBay’s first Incident Response and Security Monitoring program. That was the greatest professional decision that I made. I have since had the honor of building and leading security programs at several amazing companies which allowed me to grow in my career beyond operational security to my first VP-level role at Proofpoint leading security for them, and ultimately landing here at Cobalt as Head of Security and IT.
I love the security leadership aspect. I love being tactical and hands-on. I love being able to leverage the technical upbringing that I have still on a daily basis and developing and positively impacting the team around me.
SD: Tell me about your product.
RE: Our main product is that we are a pentest as a service company with a SaaS-enabled platform to deliver this service. Traditionally, pentest consultancies have hoarded local supplies of skilled pentesting talent and charged premium prices for customized projects. Cobalt simplifies the management of a pentest program by using a credits-based system and pioneering a Pentest as a Service (PtaaS) platform that provides world-class reporting to meet compliance requirements, drive remediation of issues, and facilitate re-testing at no additional cost.
We’ve taken a process that has historically been manual and created a platform to enable communication and collaboration between pentesters and developers, two groups which historically have struggled to work together effectively. We’ve also built a global community of some of the best pentesters around the world. We background check, skills assess, and interview them to ensure we’re getting not only elite talent but also people who match Cobalt’s values. When a customer needs a pentest, we’re able to match up the pentester who is deep with the skill set that’s relevant to that customer, which enables the highest quality outcome. Due to how we track pentester availability within our global talent pool, scheduling happens much faster; we have customers who can come to us and within 24-48 hours have a pentest spun up and ready to go. The launch for your Cobalt pentest program is also seamless; you can bring on and onboard pentesters quickly using Slack.
Lastly, what makes us unique is that our SaaS platform has integrations so that vulnerabilities identified through pentesting efforts with Cobalt can go directly into customer ticket systems. Historically, customers received pentest details via a detailed report at the end of the engagement. The customer had to take that report and open a ticket for each individual item that needed to be remediated. We’ve automated all that by creating integrations to things like JIRA to facilitate that process. With integrations, it becomes possible to shrink the time gap to notify pentesters or other team members about vulnerabilities and alleviate the dependency on security team members in the entire pentest remediation process, making sure teams can plan or start working on the fix more quickly. Cobalt has modernized the way that security leaders look at pentesting and helped it fit more into what is now a DevOps type of environment, in which efficiency is key.
SD: What verticals are interested in using Cobalt’s services?
RE: We serve customers from every vertical. Compliance programs like HIPAA, HITRUST, PCI, SOC 2, and ISO 27001 all require pentesting of applications and networks. Given that just about every security compliance framework has this requirement for testing, we get to cover these needs. Depending on the type of asset that needs to be pentested, like a web application for example, the methods we use help identify vulnerabilities that could lead to a breach while also covering the compliance requirement for testing. Cobalt also has the ability to deliver manual cloud configuration pentests to assist customers in remediating flaws tied to their implementation in the cloud.
SD: What do you think is the worst cyberthreat today?
RE: I would say the worst cyberthreat today is the availability of malicious software that’s for sale in digital underground markets. You don’t have to be a genius hacker. You don’t have to be a gifted engineer to be able to write malicious software. You can purchase it for a fraction of a Bitcoin. Most of these kits will even come with instructions. This lowers the bar or the barrier to entry for threat actors out there to be able to join in to be able to take advantage of people who just aren’t up to speed on the different types of threats that they’re likely to see. That manifests itself from network-based attacks to phishing campaigns, specifically business email compromise, where an email typically targets somebody in the accounts payable department, asking for an immediate wire transfer, pretending to come from an executive in the company.
Unfortunately, a lot of other threat actors have caught on because of how successful those campaigns have been. You can buy a BEC kit in these underground markets that comes with scripts to build your target list. You don’t have to do a lot of manual work and reconnaissance to be able to kick off one of these campaigns. Realistically, it only takes one wire transfer of tens of thousands of dollars and the threat actor has recouped their investment and then some — and if they continue to monetize that by continuing to go after other victims, it continues to be impactful.
These types of phishing scams are not just a threat to businesses, but to individuals as well. We saw these types of attacks affect individuals who filed for unemployment benefits during the onset of shelter-in-place orders during the COVID pandemic. Many had no idea that a threat actor had already submitted unemployment claims and had started receiving benefits in their name.
SD: How do you feel that cybersecurity is going to be different now that we’ve been living through this pandemic?
RE: I think it’s forced many companies to fast forward a remote-friendly workforce. There are many companies like ours who were born in the cloud and utilize cloud-based services. We expanded our use of Single Sign-on and continued to use VPN to access critical resources. The transition to a work-from-home routine was fairly seamless. Many companies were not ready and had to quickly stand up brand new technology, trying to enable a global workforce to be able to work remotely, and many did so unsuccessfully or rushed, which led to tons of vulnerable systems within their environment. This rush added a lot of material technical risk for these companies.
The impact was not only on the company but on the individual. You have an entire workforce who are used to being in an office and are now responsible for ensuring their home network is secure enough to run company software. The threat landscape has grown fairly quickly for most security leaders who now have to take this into consideration and train staff on these risks and how to mitigate them.