
Industry Innovators: Analysis & testing

There are two times when we need analysis and testing: before and after an event. Before an event, we want to test our vulnerability to attack so that we can close holes. We need to do that on many levels, including general vulnerabilities, deeper penetration resistance, application weaknesses and the all-out tiger team approach – something that can test both physically and logically. This year we cover all of those bases.

We are interested in general vulnerabilities and that, strangely, has its own challenges. We say “strangely” because one would think that a simple vulnerability scanner would be all that was needed. That turns out not to be the case – as anyone knows who has scanned a large enterprise only to find that by the time the scan is complete the results are obsolete.

If we want to do the whole tiger team thing, we need to be able to sneak past physical controls and focus on deep penetration and compromise. This year, we have a very clever approach to this challenge. Application vulnerabilities are, arguably, the biggest challenge to security professionals because they represent the easiest attack vector in many cases. So we need a tool to test applications and it needs to be both comprehensive and effective. The problem often is, though, that such tools are great for the security geek but not so great for the developers who need to fix the holes the tools find. 

Getting all of the threat and vulnerability data into one place and getting there in a useful manner is the strength of another one of this year's Innovators in this group. And that brings us to dealing with the aftermath of an attack or cyber crime. If all fails and the bad guys prevail, we turn to digital forensic tools to figure out what happened. While this year's Innovator in the forensic area doesn't deal strictly with the attack's results, it is a strong tool in the fight against cyber or cyber-related crime.

This batch of analysis and testing tools sets a pretty high bar for creativity, effectiveness and applicability to some really tough challenges.


Quotium

Seeker is not built by security professionals for security professionals. Its entire focus is on application developers and the application development process. This is a big deal if one thinks about it a bit. Typically, application vulnerability assessment tools identify vulnerabilities and may point to the section of the code where the vulnerability exists. Seeker takes that process a step further.

When Seeker finds a vulnerability, it takes the user to the place in the code where the vulnerability exists, makes remediation recommendations, and then allows one to play a simulation of an exploit against that vulnerability. Everything is in the language of developers and quality assurance teams, not just security professionals.

The tool approaches the problem of application vulnerabilities through analysis of the data flows within the application, rather than the code. It addresses the code responsible for the data flow that shows indications of vulnerability. This allows Seeker to identify vulnerabilities that are a bit more complicated than might be found by focusing on a block of code.

Once the vulnerability has been tentatively identified, the tool attempts to exploit it. This is similar to the relationship between vulnerability assessment and penetration testing in the systems world.

Seeker accomplishes its task by injecting an agent into the code. The agent learns the proper behavior for the application and then starts looking for various interactions as exemplified by data flows. Once it finds and proves that a vulnerability is exploitable, it identifies the business impact. With this information Seeker can notify and educate the developer even to the point of showing a video of the successful exploit attack.

Seeker tests the entire application – end-to-end – so it can look at the web front-end, intermediate code and the backend database, all in the context of what the application is supposed to do.
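To make the data-flow idea concrete, here is a small static taint tracker added for this article. It is not Seeker's code (Seeker works with a runtime agent rather than static analysis), and the handler it scans, the source name `request.args.get` and the sink name `cursor.execute` are constructed assumptions. The point it shows is the one made above: the line that builds the SQL statement and the line that executes it each look harmless in isolation, and only following the data from the request parameter through three assignments reveals the injection path. The parameterized second query is left alone because the untrusted value never reaches the statement text.

```python
import ast

# Constructed sample handler (not real project code): user input travels through
# several assignments before reaching a SQL sink.  Each intermediate line looks
# harmless on its own, which is why a block-local check misses the flow.
SAMPLE = '''
def handler(request, db):
    name = request.args.get("name")
    greeting = "Hello " + name
    clause = " WHERE username = '" + name + "'"
    query = "SELECT * FROM users" + clause
    cursor = db.cursor()
    cursor.execute(query)
    safe = "SELECT * FROM users WHERE id = %s"
    cursor.execute(safe, (request.args.get("id"),))
    return greeting
'''

# Assumed source and sink names for the illustration.
SOURCES = {"request.args.get"}
SINKS = {"cursor.execute"}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintTracker(ast.NodeVisitor):
    """Follow tainted data from sources through assignments to sinks."""

    def __init__(self):
        self.tainted = {}    # variable name -> line where its taint originated
        self.findings = []   # (sink line, source line, sink name)

    def taint_origin(self, expr):
        """Line of the source feeding this expression, or None if it is clean."""
        for node in ast.walk(expr):
            if isinstance(node, ast.Call) and dotted(node.func) in SOURCES:
                return node.lineno
            if isinstance(node, ast.Name) and node.id in self.tainted:
                return self.tainted[node.id]
        return None

    def visit_Assign(self, node):
        origin = self.taint_origin(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if origin is not None:
                    self.tainted[target.id] = origin
                else:
                    # Reassignment from clean data clears the taint.
                    self.tainted.pop(target.id, None)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and node.args:
            # Only the statement text is an injection point; values passed as
            # separate parameters are bound by the driver, not spliced in.
            origin = self.taint_origin(node.args[0])
            if origin is not None:
                self.findings.append((node.lineno, origin, name))
        self.generic_visit(node)


def find_tainted_sinks(source):
    """Return (sink line, source line, sink) for every tainted sink call."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


if __name__ == "__main__":
    for sink_line, src_line, sink in find_tainted_sinks(SAMPLE):
        print(f"line {sink_line}: {sink} receives data from line {src_line}")
```

Running it reports one finding: the `execute` on line 8 of the sample receives data that entered on line 3. A real tool has to handle branches, function calls and sanitizers, which is where the runtime-agent approach described above earns its keep, but the source-to-sink bookkeeping is the same idea.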

Perhaps the most impressive aspect of this Innovator – beyond the clever technology – is its perspective on the development process. Quotium answers a very important, but somewhat impertinent-sounding question: Who cares? The answer is, and must be, the developers. The applications that organizational developers create are driven by business needs and often touch critical or sensitive data directly. These folks need a vulnerability assessment tool that thinks like a developer with the security savvy of an information security professional. That is exactly what Seeker provides.


Vendor: Quotium

Flagship product: Seeker

Cost: Starts at $30,000 for standalone version

Innovation: A clean way to secure applications through the development cycle, resulting in fewer vulnerabilities and far fewer false positives during the vulnerability testing cycle by focusing on data flows within the application under development.

Greatest strength: Solid understanding of the application development process and where vulnerabilities might enter it.


BeyondTrust

When BeyondTrust acquired eEye – and, in the process, Retina CS – it got a serious player in the vulnerability management market. More than just vulnerability assessment, Retina CS also supports patch management and a raft of compliance-related functions. With the rapid growth of new exploits, it is not enough to scan for vulnerabilities. One must manage the vulnerabilities and their remediation. Then, at the end of all of that – and before one starts over from scratch again – admins need to be able to produce the compliance reports that drive the security market today.

BeyondTrust is far more than a one-trick pony. The company's creativity and drive to innovate is what keeps this organization at the forefront of its market. Like many companies, currently and in the past, BeyondTrust has based a lot of its growth on acquisition of new technology. Whether it buys companies to get the technology, licenses the technology or hires experts to develop them in-house, new approaches to tough problems are what make this Innovator run. In the case of Retina CS, the technology came from the acquisition of eEye, a pioneer in the field.

Companies such as BeyondTrust take on a serious responsibility when they provide products that protect their customers. Some of the company's customers are among the largest of their type in the world. Protecting the majority of the world's 10 largest banks translates, ultimately, into having a stake in protecting the world's economy. BeyondTrust takes that burden very seriously – and it is part of what drives the innovation within the company.

In the case of this Innovator's vulnerability management tools, one of its key benefits is scalability. It is very difficult to perform vulnerability scans on large numbers of devices, both in a timely manner and without undue burden on network resources. Retina CS manages that very nicely using agent technology. Add to that an extremely broad base of supported devices and systems and you have a vulnerability management tool for today's widely dispersed, often virtual, environments.

While we focused on this Innovator's vulnerability management tool, it is pretty important to note that the company is in a lot more market spaces. The imagination and creativity to integrate its overall vision for enterprise security extends from the cloud through the data center to mobile and other endpoint devices. It is the hallmark of this very creative and innovative company.


Vendor: BeyondTrust

Flagship product: Retina CS


Cost: 256 asset count begins at $8,000

Innovation: Delivering insight and intelligence into the high velocity world of security and compliance.

Greatest strength: Vision and customer-centered approach.


Pwnie Express

OK, so there is a bit of a hacker flavor here. Pwnie (pronounced “Pony”) Express comes from the hacker term "pwn," which means to own or control. It came from a common typo when “own” got typed as “pwn” due to the p and the o being adjacent on the keyboard. Add the pun of substituting Pwnie Express for Pony Express and the insider joke is complete. But, make no mistake. Pwnie Express is no joke, and while, like any vulnerability assessment tool, its products could be co-opted and abused by a criminal hacker, their purpose is very serious.

Pwnie Express's first product, the Pwn Plug, was a small, self-contained device that could easily be hidden inside an organization to conduct penetration testing from the inside. The tester could then contact the device remotely and conduct the testing. This is a fine tool for tiger teams testing the physical, as well as the logical, security of the enterprise. Pwn Plug has evolved and many of its capabilities now have moved to the Enterprise Pen Testing Appliance.

The heavy thinking surrounding Pwnie Express's tools comes from developing a paradigm shift for pen testing. The idea is that pen testing can be focused at the top vulnerabilities – those that make up the bulk of all compromises – and then automated. This supports the recent findings in Verizon's "2012 Data Breach Investigation Report": The bulk of all compromises were enabled by fairly simple and, in some cases, old vulnerabilities. Test for those and you remove the low-hanging fruit. This is the basic premise behind the Pwnie tools.

Along the way, you can lower the cost of pen testing, make the process easier to perform and make it easier to interpret the results. By covering all seven layers of the OSI model, testing can be quite thorough, even though it is also quite selective.

We have been watching this product line and the company evolve since its birth a couple of years ago and while at first we had our reservations, the more we watched the more we liked. These folks are deadly serious about their innovation, they are thorough professionals and at the cutting edge of creative thinking. They also have a pretty cool sense of humor.


Vendor: Pwnie Express

Flagship product: Pwn Plug/Power Pwn/Enterprise Pen Testing Appliance

Cost: Starts at $795 for Pwn Plug Elite

Innovation: Self-contained vulnerability assessment and pen testing tools, some of which fit into the palm of a hand.

Greatest strength: Taking something that is traditionally expensive, difficult and time-consuming and making it cheaper, more nimble and easier to deploy.


eIQnetworks

A security information and event management (SIEM) tool is just a SIEM. Right? Not so fast. Most SIEMs look at what has happened – post-incident, so to speak. What if one could look at pre-incident data and anticipate the incident – allowing one to do something about it in advance? That is just what eIQnetworks does. The company calls this approach unified situational awareness. When we asked this Innovator to characterize its approach, the answer was, “the unified situational awareness platform, SecureVue, delivers an accurate, timely and coherent view of an organization's threat, compliance and risk posture via a single console.”

There is a lot of innovation in that simple description. The big one is the situational awareness approach. It allows the company to get a broader and deeper view of the enterprise and the threats against it than does a single-point best-of-breed tool. Also, this solution is accessible to small- and mid-market organizations. These firms are generating quite a bit of security-related information, often without realizing it. For example, there probably is a firewall and there are Windows machines that are generating logs, as well as some Cisco gear that can generate NetFlow traffic. All of these can go into SecureVue NGS.

Along with the actual SIEM functionality, more and more smaller organizations are being faced with compliance requirements. One of the most important – and certainly most prevalent – is payment card industry (PCI) reporting. PCI can affect rather small organizations, and the compliance requirements are stringent. eIQnetworks claims that it can get its product up and generating useful data in under an hour. With that level of ease of use, SIEM capability is within the reach of organizations that cannot afford skilled analysts or large IT and/or security staffs.

The use of a single console to view a unified picture of threats, risks, vulnerabilities and compliance posture is, as well, very important. This single view brings the unified approach into focus and answers important questions quickly and accurately.

In order for situational awareness to result in actionable information, it needs context. By tying all of the pieces of threat and risk together, that context is achieved. By seeing the overall risk and threat posture in context, the organization can be proactive – reducing the need for post-incident recovery.
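As an added illustration of what "context" buys a SIEM, and not eIQnetworks' code or SecureVue's logic: the block below correlates three constructed log fragments of the kind named above (a firewall log, Windows logon events, where 4625 is a failed logon and 4624 a successful one, and NetFlow-style records) and then weights the result with an assumed asset inventory and an assumed open finding from a vulnerability scan. Addresses, host names and the finding are all made up. The same three indicators appear on a lobby kiosk, while the file server shows only two, yet the file server ranks first once criticality and its open finding are taken into account, which is the "proactive, in context" picture the paragraph describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources a small shop usually has
# already: a firewall log, Windows logon events (4625 = failure, 4624 =
# success) and NetFlow-style records.  All addresses and names are made up.
FIREWALL_LOG = """\
2012-11-05T09:00:12Z action=DROP src=203.0.113.9 dst=10.0.0.8 dpt=445
2012-11-05T09:00:14Z action=DROP src=203.0.113.9 dst=10.0.0.8 dpt=445
2012-11-05T09:00:20Z action=ALLOW src=203.0.113.9 dst=10.0.0.8 dpt=3389
2012-11-05T09:05:01Z action=ALLOW src=198.51.100.7 dst=10.0.0.5 dpt=443
"""
WINDOWS_LOG = """\
2012-11-05T09:00:25Z host=10.0.0.8 event=4625 user=admin
2012-11-05T09:00:27Z host=10.0.0.8 event=4625 user=admin
2012-11-05T09:00:31Z host=10.0.0.8 event=4624 user=admin
2012-11-05T09:05:10Z host=10.0.0.5 event=4625 user=backup
2012-11-05T09:05:12Z host=10.0.0.5 event=4625 user=backup
2012-11-05T09:05:20Z host=10.0.0.5 event=4624 user=backup
"""
NETFLOW = """\
2012-11-05T09:01:10Z src=10.0.0.8 dst=203.0.113.9 bytes=15000000
2012-11-05T09:06:30Z src=10.0.0.5 dst=198.51.100.7 bytes=52000000
"""
# Context that lives outside the event stream (assumed inventory and scan
# results): which host matters, and which one already has an open finding.
ASSETS = {"10.0.0.5": {"name": "fileserver", "criticality": 5},
          "10.0.0.8": {"name": "lobby-kiosk", "criticality": 1}}
OPEN_VULNS = {"10.0.0.5": ["open finding (constructed placeholder)"],
              "10.0.0.8": []}


def parse_kv(block):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in block.splitlines():
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def correlate(window=timedelta(minutes=5)):
    """Combine the three sources, then rank hosts by risk in context."""
    firewall, logons, flows = parse_kv(FIREWALL_LOG), parse_kv(WINDOWS_LOG), parse_kv(NETFLOW)
    indicators = defaultdict(list)  # host -> [(weight, description)]

    # Firewall: a connection allowed from an address the firewall was also dropping.
    dropped = {(e["src"], e["dst"]) for e in firewall if e["action"] == "DROP"}
    for e in firewall:
        if e["action"] == "ALLOW" and (e["src"], e["dst"]) in dropped:
            indicators[e["dst"]].append((2, f"port {e['dpt']} allowed from {e['src']} after drops"))

    # Windows: a successful logon preceded by repeated failures within the window.
    failures = defaultdict(list)
    for e in logons:
        key = (e["host"], e["user"])
        if e["event"] == "4625":
            failures[key].append(e["ts"])
        elif e["event"] == "4624":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= 2:
                indicators[e["host"]].append((3, f"{e['user']} logged on after {len(recent)} failures"))

    # NetFlow: an unusually large outbound transfer.
    for f in flows:
        size = int(f["bytes"])
        if size > 10_000_000:
            indicators[f["src"]].append((2, f"{size // 1_000_000} MB outbound to {f['dst']}"))

    # Context turns a pile of indicators into a ranked picture: the same
    # behaviour on a critical, already-vulnerable host outranks more noise on a kiosk.
    scored = {}
    for host, items in indicators.items():
        asset = ASSETS.get(host, {"name": host, "criticality": 1})
        score = sum(w for w, _ in items) * asset["criticality"] + 2 * len(OPEN_VULNS.get(host, []))
        scored[host] = {"asset": asset["name"], "score": score,
                        "indicators": [d for _, d in items]}
    return dict(sorted(scored.items(), key=lambda item: -item[1]["score"]))


if __name__ == "__main__":
    for host, view in correlate().items():
        print(f"{view['asset']} ({host}): risk {view['score']}")
        for line in view["indicators"]:
            print("   -", line)
```

The weights and the scoring formula are deliberately simple placeholders; what matters is that each source contributes only one piece, and the ranking only becomes meaningful once the inventory and scan data are joined in. A single-console view is exactly this join, presented to an analyst instead of printed.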


Vendor: eIQnetworks

Flagship product: SecureVue NGS

Cost: Starts at $12,595

Innovation: Adding unified situational awareness to SIEM and making it accessible to small- and mid-markets.

Greatest strength: Experience and vision.


Cellebrite

We love this product. Mobile device forensics is a tough go at best. There are other excellent mobile device forensic tools in the market, but one of the things that distinguishes the Universal Forensics Extraction Device (UFED) is its ease of use and extremely rapid deployment. In actual use on live cases, we have found that we can dump a cell phone or iPad very quickly. Depending on the device and the amount of data on it, we have been able to dump a cell phone in under five minutes from seizure to storage of the results. That makes the UFED ideal for high volume analysis.

The UFED product line can pull data from cell phones, tablets, smartphones and GPS devices. It also covers devices made with Chinese chipsets. This Innovator does not sit still, however. There is a huge challenge just keeping up with the waves of new mobile devices coming on the market. Smartphones, especially Androids, come at the rate of new implementations every month or so.

Just because it is an Android, however, does not mean that it is like every other Android. A lot depends on the chipset in the device, and a lot depends on how the manufacturer has deployed its apps in the Android environment. In addition to Android, of course, the UFED products support iOS and BlackBerry. Innovation at Cellebrite does not stop with the technology, although the company is admittedly driven by technology. Understanding where their products fit in the investigative continuum also is important. Thus, Cellebrite is developing products that can support the e-discovery and intelligence communities, as well as its traditional law enforcement client base.

This Innovator uses its knowledge of the customer base – both current and future – to craft its technology strategy. Here is one mark of a real innovator: using a core strength – in this case market depth and understanding – to drive another core strength: technology. The UFED can manage both logical and physical extractions and the newly introduced Touch technology is up to 10 times faster than the prior generation.



Vendor: Cellebrite

Flagship product: UFED Touch Ultimate

Cost: Starts at $10,000.

Innovation: Comprehensive, highly portable mobile device forensics.

Greatest strength: Experience, strong technical roots and market depth.
