Attack, Detect, and Respond: A UniChat with Ed Amoroso and Bryson Bort

This UniChat was something special. SCYTHE Founder and CEO Bryson Bort sat down to discuss Attack, Detect, and Respond (ADR) with ADR collaborator Ed Amoroso. Ed is the CEO of TAG Cyber, a cyber expert, and a long-time friend. Bort and Amoroso opened the UniChat by sharing the story of ADR and how it originated. Attack, Detect, and Respond was born out of a need for companies to prioritize aligning risk assessments with the business. Amoroso and Bort shared the feeling that the concept of emulation never fit into most of the familiar categories. After months of brainstorming, ADR was created to meet the needs that previous emulation concepts could not. Bort and Amoroso discussed the need to switch from a surgical to a realistic view when responding to solutions, the time constraint that inevitably harms all assessments, the rise of detection engineering, and the need to know where you are before you can decide where you want to be. SCYTHE would like to thank Ed Amoroso for his partnership, his insight, and his friendship. We enjoyed the first of many collaborations together.

  • Attack, Detect, and Respond came about as the result of a brainstorming session that Bort and Amoroso had several months ago while evaluating a part of the market that is the evolution of offensive security, and assessing the way companies are trying to make risk assessment more business aligned.
  • Bort and Amoroso came to the conclusion that this concept of emulation didn’t seem to fit into some more familiar categories. They put the pieces together, and ADR made it possible to realistically identify weaknesses.
  • In many cases things are getting more vulnerable rather than less, and that’s weird because we are trying so much harder. It’s like trying to go up the steps but you’re actually going down.
  • ADR began by switching from a surgical view to a realistic view in order to actually demonstrate that you CAN respond to solutions.
  • Interconnectivity of the environment means vendors are part of your risk profile.
  • Increased co-complexity = increased surface, increased surface = increased risk.
  • At the end of the day, when a client engages you, there is only so much time they can spend, and a limited budget they can spend, and in that limited time you are forced to take a snapshot in time of a small little piece of the organization.
  • We are starting to see, with the rise of detection engineering, that by just looking at the technical controls, no matter how continuously you might be doing that, you're not capturing enough and you're not driving enough improvement within that contextual business risk to add value to the environment.

  • The goal is to create / emulate the most realistic scenario possible.
  • One offender / attacker can keep forty people busy on defense.
  • Without the foundations, jumping to measuring is like measuring a line in the sand as the ocean continues to pull it back. It has no meaning by itself.
  • Every emulation from our platform is a uniquely compiled piece of code that forces your defensive stack to become behaviorally focused instead of viewing through traditional eyes.
  • Unlike our competitors, our platform can change the code post deployment in two ways: it can polymorph laterally, and it can build itself up in stages.
  • It’s important to take an offensive mindset to defense.
  • The data and insights produced by ADR are extremely valuable, and the analysts from TAG Cyber agree that it produces extremely valuable results. - Amoroso
  • In order to succeed in modern business, it is crucial to have at least one or several people within your business who can handle the risk.
  • In the future, even in a potential cyber utopia, there will never be things not happening.
  • Amoroso believes we will colonize Mars in our lifetime.
  • A simple way for folks to get started with ADR: take an inventory of what you're doing. Obtain a solid introspective view of your team, your budget, and your vendors. It is a good idea to take stock from a management perspective: what's your team, posture, tools, vendors, what's our business, what are our objectives, and what are we trying to accomplish as a team? At that point you can transition to a more surgical approach. If you don't know where you are, it's hard to know where you want to be.
  • Three ways to run a security program: A: Do the minimum just to get by. B: Stay in the middle of the pack, do a good job and not have cybersecurity be an issue for our business, but there is no need to be at the very top, and C: Be world class. Make the company the differentiator and make cybersecurity one of the reasons that the company succeeds.