Charles Henderson spent nearly a decade working for security firm Trustwave, running the company’s penetration testing business. In October 2015 he made the move to IBM, where he created and continues to manage a new type of penetration testing service called IBM X-Force Red.
“Fundamentally I believe that human beings can outpace anything that a machine can do, but machines can provide added breadth to a security program.” Henderson told eSecurityPlanet. “I have always committed to not just classic tool-based testing, but to also manually test anything out there.”
While script kiddies are still common, they don’t comprise the entire hacker population, he said. Script kiddies are attackers that typically use exploit kits and other existing tools as opposed to more advanced attack vectors.
“There was a time that if you could outrun the script kiddies, you would outrun the bear,” Henderson said. “Today you have to go above and beyond, because the attacker community is just as diverse as the IT defender community.”
Having clear and concise rules of engagement is an important element of the X-Force Red approach, Henderson said. Instead of simply using standard rules, his team takes a consultative approach with customers to make sure they actually understand what is important when defining the terms of engagement.
“We have clear and concise methods with a collaboration portal, whereby you can define what is in-bounds and what is out-of-bounds,” he said.
Going a step further, using IBM’s analytics, X-Force Red can quantitatively show the possible impact of excluding a particular area from testing.
“At IBM, we can predictively work with our clients to expose risks in the security testing process” Henderson said.
Traditional security testing can fail because it is restricted to non-production environments, in a bid to reduce any potential impact on live services. Henderson said that IBM can help organizations evaluate non-production environment to evaluate risks, however, if that’s what a customer wants.
“Your environment is being tested right now; the only difference between now and the way X-Force Red will test is that we will test better than the criminal and we’ll give you a report of what’s wrong,” Henderson said.
From an engagement perspective, IBM X-Force Red is available as both a point-in-time service as well as on a subscription model. Henderson said the goal with X-Force Red is to essentially become part of an integrated managed security service that helps promote and implement best practices.
Many organizations will first engage with a penetration testing service as part of a compliance-related effort, such as PCI-DSS. While the X-Force Red service can be brought in for compliance, Henderson noted, that’s only a small piece of the overall effort.
“Security doesn’t stop when the compliance checkbox is checked. We work on a regular basis, showing clients why they should be going above and beyond compliance,” he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.