Attack Surface Validation: A Discussion with Srinivas Mukkamala of RiskSense

My good friend Greg Oslan pulled me aside last year at the RSA Conference and suggested that there was a young entrepreneur I needed to meet. Soon, I was in front of one Srinivas Mukkamala, smiling ear-to-ear, and eager to share details of the cyber risk technologies he helped develop at New Mexico Tech. After a few minutes listening to the budding Founder of RiskSense, I knew I was with the real deal. Fast forward to now, and I’ve since met several times with Mukkamala, including a recent face-to-face in Manhattan – and I can report that this is one capable cyber security technologist who clearly knows what he is doing in risk management, machine learning, and integration of collected data into actionable intelligence.

During our recent sit-down, Mukkamala talked about how his technology and automation can reduce risk in the enterprise, as well as for state and national elections. The secret sauce is that RiskSense collects output from existing deployed security tools and creates world-class risk management output. This allows enterprise teams to validate the overall attack surface, especially as the network expands toward hybrid cloud infrastructure, software-defined networks, and fully virtualized infrastructure. Below is an abbreviated summary of some salient points Mukkamala was kind enough to share with me during a recent discussion:

EA: What is the underlying cyber risk management methodology that the RiskSense platform supports?

SM: Our platform is developed on the idea that orchestrating the scan output and intelligence from security tools in the enterprise is far too complex a task for human beings. Instead, we believe that an effective platform is required that can integrate with existing and planned cyber security infrastructure to produce clear views of cyber risk. The result is a platform that can be used to support security for a variety of applications ranging from enterprise protection to ensuring the security and integrity of a state or national election.

EA: Are you supporting cyber initiatives associated with any state or national infrastructure today?

SM: Absolutely. The State of Arizona, for example, uses our risk platform today to track and measure the state of their cyber security preparedness. We give them a set of advanced metrics this presented in a manner that is consistent with an individual’s credit score. This approach helps state officials and citizens who are typically less familiar with risk metrics to better interpret the results. We also provide industry and sector averages, as well as considerable historical data on cyber risk.

EA: What is the role of automation in the context of risk management?

SM: Automation is an essential requirement for any type of security scan interpretation and correlation with log and audit output that involves non-trivial size and scope. The modern enterprise security team must have an accurate view of current risk, and the RiskSense platform was designed to automate that task. Such automation does not remove the need for human interpretation, of course, but it is a requirement with the volume and speed of modern cyber attacks on target infrastructure.

EA: As the enterprise attack surface increases, does this impact the enterprise risk process?

SM: We already see the typical modern enterprise transitioning to hybrid cloud infrastructure, so the attack surface has begun to expand rapidly. Mobility, IoT, and related new modern capabilities also increase the likelihood that a serious attack can occur. As you would guess, this expansion complicates the enterprise risk task, simply because it increases the likelihood and consequences of a cyber intrusion or exploit.

EA: How does your platform interact with a typical enterprise IT and security ecosystem?

SM: It is designed to interoperate with the existing and planned IT and security systems and tools found in a typical enterprise ecosystem. We’ve developed connectivity with the most frequently found scanners, and we can consume and interpret output from the security products and tools that will be found in the modern enterprise. We understand that CISO teams have already made cyber security investments. The RiskSense platform is designed to help optimize this investment, and we support attack surface validation for external vulnerabilities, internal vulnerabilities from compromised assets, and web applications.

EA: What are your predictions regarding cyber risk management in the coming years?

SM: It is already emerging as a best practice, so that is consistent with our long-held views and beliefs. It is also a major component of every important cyber security standard, so that is also consistent with our recognition of its importance. Perhaps one area where we would hope the cyber risk management discipline would move is toward greater integration with embedded business unit processes and practices. Some managers still perform risk management in a surface manner, gathering information around existing systems, rather than from within. We expect to see automated platform support bridge this gap.