
VIDEO

PlexTrac for Service Providers: 5 Features to Love

As the cybersecurity industry has evolved, a window has opened in which automation has become a key differentiator for penetration testing and red teaming services. In this video, Shaun and Jason walk you through the five biggest features in PlexTrac for security service providers. Learn how our platform can be a differentiator for your consultancy, MSP, or MSSP today!

Series: PlexTrac Demos

Category: Product Features, Reports, Service Provider / MSSP


Transcript

As the industry has evolved, the window has opened in which automation has become the key differentiator for pen testing and red teaming services. It’s been a race to see who can automate first keeping their billable rate at a competitive price, price point, but still offering a high quality service. The ones that have been able to do that have been able to differentiate themselves as market leaders. Now, the unfortunate side effect of this market for us is that we are required to do more with less, and the only way to do that is through automation. And that is the reason I joined PlexTrac. G’day everyone. My name is Jason Krameck and I head up our team that enables our managed security providers to slash the amount of time it takes from beginning of engagement to report delivery.

I’m joined by PlexTrac resident hacker Sean Russell. And over the next ten minutes, we are going to highlight the top five features within PlexTrac that will help automate your red teaming practice and help your organization stand out within this competitive market. Sean, my man, how are you today? Jason, I’m doing good. How are you, buddy? Excellent. We’re here talking on a Friday, so life is good. It is. So your background is as a former Pen tester consultant and hacker.

So if you wouldn’t mind, go ahead and give us a little bit of background and curious to know what led you to PlexTrac? Great question, actually. Yeah, that’s perfectly right on the head, man. I have a background in pentesting, consulting, also engineering. I’ve been with PlexTrac almost a year now and just recently took over as the Sales Engineering Manager role. So definitely looking forward to growing this team out and congratulations. Thank you, sir. Thank you.

Yeah. So being in the cybersecurity world roughly 22, 23 years now, I’ve had a chance to work with some really cool organizations to include the DoD, was in the Air Force for many years, got out to open my own consulting firm. So I’ve been the practitioner sitting there doing the engagements, physical security, network security, social engineering, everything like that. Also had a chance to work with some very large two of the largest organizations in the world. One being Symantec, aka Norton, and also Zscaler, who’s a big up and comer and a huge part of the cyber security and security world. No, it’s kind of neat because I obviously love working for PlexTrac and being a practitioner, one of my biggest pain points was obviously report writing and being able to normalize data that we have. And over the last few years, as I was trying to get back into more of the enterprise working role, I did let my consulting firm go.

And as I was looking through that stuff, came across PlexTrac and saw that, I was like, man, this is insane. And then obviously talking with a few people over the last couple of years at certain events, like the Black Hats and DEF CONs of the world and learning what PlexTrac does, I was blown away. And so I was like, I got to be a part of this organization. And so here I am, and very excited, man. Thanks for having me too, Jason. You got it. And I’ve heard you say in the past that if PlexTrac was around five years ago, you’d still have your own consultancy, which I’m kind of glad it wasn’t because then we wouldn’t be able to work together.

I truly do love working with you, but that is 100% true statement. I live by that every day when I can say customers, and I can make them more streamlined and more efficient and cut down that reporting time, which reduces man hours. Sitting there in front of Word or Excel or some scanning tool or pen testing tool, whatever it is, if I can get those workers back out there hacking and cracking, I feel like I’ve done my job just out of bed in the morning. It’s also one thing at the end of the night, I look back at my day and I’m like, I made these three customers today better and more efficient. And that makes me happy. So, yeah, absolutely. If this product was around five, six, seven years ago, 99.9%, I’m sure that I would still be working for myself.

We’re glad you’re here. And yes, you said it: less time reporting, more time hacking. That’s our goal. Right? So the idea of PlexTrac was first conceived by our founder and CEO, Danny Claus. He was a hacker by trade, and over time, we have architected PlexTrac in a way that tailors to the service provider specifically by promoting cross team collaboration and saving them a ton of time. So what Sean and I are going to highlight today are the top five features and workflows within PlexTrac that enable collaboration and time savings. So those five focus points being one, the PlexTrac architecture for both single client and aggregate client use.

Number two, data normalization, which I know is probably your favorite chunk. Three, internal collaboration and quality assurance. Four, the report template and automation process. And then finally, collaboration with your customers through a partner portal experience, which is probably my favorite.

This is the dashboard that we log into. Essentially, when you log in, based on the access controls that you have, which obviously are a huge part of the security industry, it’s going to really dictate and delineate what you can see as a user. We have a couple of different roles we’ll talk about here in just a second. But essentially this first landing page is an aggregate of all of the findings and also all of the assets that we have within the entire organization or whatever that user logging in has access to. See, everything we do is based on this client grouping here. And this is nothing more than a way for you to take all those findings and assets and really rifle them in and collectively have a focal point for you to work on. So you can do this a whole different slew of ways.

I obviously have some geographic locations, I have some organizational units. So network team, infosec department, obviously one off tools that you can do. So for example, if you have a proprietary app or some type of web app that you’re using, being able to just report on those findings alone. But again, this is a completely customizable way for you as an MSSP to group your customer data, right? So you can even call them customer a whatever location, whatever industry they’re in, whatever the case is. As we’re getting through that, I want to come here real fast. A couple of big highlights here. Obviously temporary is our bread and butter, right? So having the ability to have multiple shells of what your end result and end game are.

For example, if you want to have an executive summary where it’s a two or three pager sitting in front of that senior management or that senior C suite that wants to see that value, having that there as opposed to maybe a detailed technical summary where each finding is drawn out. You got recommendations, you got descriptions, you’ve got CVEs, things like that that are helping you ultimately remediate those vulnerabilities.

Having the ability to quickly switch with the same data is what makes us good. And I say live course people have a bunch of different templates, right? It’s a nightmare just kind of managing those. It’s crazy to see some of the customers I’ve worked with this last year and even as a pen tester myself, to see all the differentiators that certain customers want and have to have. Everyone has their little thumbprint that they want to put on everything they have. And that’s important. Obviously. That’s something that a lot of organizations put a lot of time into.

But being able to come in here and say hey, I’ve got these verbiages, I’ve got all of these findings, I’ve got all of these assets, and say hey, I’ve got all this data but I want it to be formulated in such a way that it’s just an executive summary. So same data but then I can flip the script and use that same exact drop down button and say I want this as a detailed technical summary and then I get a 130 page report instead of a three pager, right? So that’s obviously big bread and butter. Integrations, man, we are constantly growing: HackerOne, Snyk, Tenable.io. A lot of these SaaS-based organizations, also ticketing systems like Jira and ServiceNow, having a bidirectional push/pull ability to work with these tools cohesively, and that’s massive because if you can’t do that as a cyber security company now you’re setting yourself up for failure. So I really love where we’ve gone, and I love where we’re going with a lot of the new integrations that we’re bringing. And it makes me excited as a practitioner myself. And then, of course, all the commercial off the shelf tools that we would expect, Nessus, Qualys, Nmap, Burp, and the ability to parse those and like you mentioned, and the objectives, normalize those findings. To me, I get on a soapbox a lot of times when I’m doing demos because this is probably the most important part for me.

I would go do a security engagement, network security engagement, whatever we want to call it, pen test. I would go do these engagements and I would spend a week on site and maybe a week off site doing external testing. But then I bring all that data back to the office or to the home, and I’d be working on bringing the report in. And I’m copying and pasting from Word for this section. I’m copying and pasting from Excel for this section. I’m going to Nessus, and I’m copying and pasting the crazy pastel output that they give there, or Burp or Qualys, all the big names that you just not mentioned before. But I spend four, five, six days, eight hour man-days, right? I’m doing this and it’s brutal, it’s painful.

Control C, Control V in your sleep with your eyes closed, looking backwards. It is a very powerful skill that I have. But, yeah, I’m glad that we don’t have to do that anymore. Those days have passed, right? And that’s one thing that makes me excited, is being able to take all these different tools we have, the Nessuses, the Qualyses, the Burps of the world, even proprietary tools that maybe we don’t integrate out of the box, being able to take like an XML or a JSON file and massage that, using our open API and bringing those findings into PlexTrac. And what makes me excited is the fact that every time I bring a finding in, no matter of the source, it’s always going to look the same. It’s going to be readable, it’s going to be actionable, and it’s going to look like it’s a custom finding that I built for you as a customer, right? So regardless of if it’s Nessus or Qualys, it doesn’t matter, and you’re not going to be able to tell. And that’s a huge thing because I can’t tell you how many reports I did where you scroll ten vulnerabilities, and you’re like, okay, he obviously used Nessus for these ones, and then he obviously used Burp for these ones.

So being able to normalize that data and make it readable and actionable without having to adjust margins, adjust fonts, and to do all that craziness is something I absolutely get excited about. But that being said, also, the other thing is being able to control who sees that data, right? So obviously vulnerabilities we don’t want in the wild. So having the ability to as an MSP or as a provider, have the ability to have multiple users. And I’ll just show this real quick, having multiple users, your admin users, your standard users, and your analyst users over here. So being able to collaborate, like you mentioned in the very beginning of the call, being able to collaborate, invite your customers in that way you’re not having to send through email their executive summaries, or you’re not having to use a share file system or some type of a SharePoint file sharing service. Being able to allow them to come in directly, go look at their findings, look at their reports, download their documents so you’re not having to send them. And that’s cutting down more time for you as a provider as well.

Right? So that whole collaboration effort is huge. I love that, right? Yeah, this was my favorite because what we get a lot of requests is that we want to be able to provide a portal to our customers that keeps them updated. We don’t want you to SharePoint anymore. We don’t want to share our reports through an email. So that’s exactly what this is for. So we have those three standard profiles, administrator, standard, analyst, and then there were some custom profiles that you created. So given the ability to give read only access to customers so they can come out and actually see where you’re at in the process, and then we can start assigning findings if we want.

And the collaboration possibilities are endless.

Great job setting the stage. So let’s go ahead and run through the workflow of creating a client. Create a new report, let’s bring in a scan file and let’s just show you how quickly we can do that. Yeah, I love you. Bring that up. And that’s a great settings, great stage to set. So let’s do this.

This is my client repository here. I’m going to go and create a new client real quick. The first thing I also want to know is we are completely white label. So you as a provider, you can put your logos, your URLs, your look and feel to it. So that way when your customers are coming in and they’re dealing with their data, they see your logos, they see your normal day to day instead of seeing PlexTrac. They may not know who we are, but obviously that gives them that warm fuzzy that they’re dealing with someone as professional and they have the ability to have that white label look and feel. So let’s do this real fast.

Let’s call this client example. And we’ll just set myself as a point of contact email. Boom. And this is Sean’s example client. We’re going to go and add a couple of tags. We’ll say Sean’s client will also say this is an intern. We’ll say I’m a finance client, right? Financial client.

Boom. And we’ll say that I am on the west coast. Yeah, frozen fields. You can then come through analytics and start slicing and dicing data, right? Yes, absolutely. So this is a huge portion. Everything from the client level down to the report level, down to the finding level, down to the asset level can be tagged. I highly recommend you tagging everything as much as often as you can.

Obviously, you mentioned it right there, slicing and dicing your data. When we get into some of the analytics stuff here, being able to say, hey, I want to see every financial client I’ve worked with for the last twelve months on the West Coast and I only want to see their Nessus scans or I only want to see their SQL Server vulnerabilities, right? So being able to quickly get granular and delineate that data is very powerful. So I always recommend tagging as often, as frequently as possible. Let’s go and keep this bad boy real fast. We’ll go and pop into my client example. Now I’m in my client. A couple of real quick things. You get these tabs up here.

As you build reports, as you add findings, as you add assets, you can quickly see all of those across the entire entity of the client. You can also look at the details. You can change stuff later. So if you want to change the name of the customer, maybe they get acquired, maybe they add locations and you want to rename them location One, location Two, location Three. Whatever the case is, you can do that. You can change their logos, whatever. You can also look at their statistics and see how many actual rifled in findings they have, how many criticals they have, how many highs, how many mediums, how many lows, so on and so forth.

So we’re going to go ahead and create a report real fast. We’ll call this example report one. Keep it consistent. A couple of quick things here. Obviously we have these five levels of workflow. Everything comes in draft status. I’m going to go ahead and make this published just for sake.

I’m not going to remember to come back and do that. You can also use certain report templates. In this instance, I’ll just use my main shell here. You can also use Fields templates so we can do core findings here. These are things that you as a provider would use over and over and over again without having to go in and change verbiage or change sections or whatever the case is. You can obviously change these on the fly and I’ll show you that here in a second. I’m going to make myself an operator.

Also want to point out at that point our Customer Success Team, right? So one of the very first things we’re going to do is take your template as it exists today. All we need is the Word document and then our Customer Success Team is going to do all the heavy lifting in order to bring that template into PlexTrac. So that when you click Export it looks exactly like you want to. So pretty much just showing what you did here, Sean. Yeah, absolutely. Thanks, man. So a quick couple of things here.

So now we’ve got this report. It’s got our verbiage in it that I’ve already added based on that shell. So this is all content I’ve created over the last year that I add in to every report. You can see. I’ve got some screenshots, but we go down here to the finding stuff. I have no findings yet, right? But all of my verbiage is already here. I have not once opened any other tool like Word or Excel.

Everything is already here. Quick other thing to point out is I do have report templates that I’m using here. But in the event you don’t, you could also use our content library over here, which has our narratives DB and our writeups DB, which I’ll talk about in just a second. But the narrative DB is really awesome. So, for example, let’s say this active scanning section, I didn’t want that in there. I can build this as an individual building block, so I can go and drag and drop and select these pieces and bring them over as I see fit. Maybe I don’t want all of this in this report here.

So I wouldn’t choose that report template. Instead of just go to my narrative, I want my active scanning section. Maybe I want an introduction section. Maybe I want a scope or a methodology. Whatever the case is, I can bring those in on the fly and also edit them as well. So if I pop over here in the narrative side, give it just a second. So now all those individual sections I have titled and saved as a report, I can come in here and quickly change, right? That being said, let’s go ahead and pop in some findings.

We’ll bring in a Nessus file so we can see how that works. There’s quite a few ways you can bring findings into the platform. I like to say there are five, depending on who you’re talking to, an organization, they may say different, but you obviously got the three main ones right here. You got your custom findings. So your one off pen test actual results. So maybe you have a custom SQL injection that you found on a server farm or whatever the case is. You also have the writeups DB.

Like I mentioned here, this is nothing more than a repository of already curated findings that you’ve already baked. You know, the verbiage is good. They do exactly what you want to do. The content is there. The recommendations are all there. You don’t have to recreate the wheel every single time. So you can quickly use those.

You can also use them from the imports, like we mentioned before. So we got our Nessuses, our Qualyses, our Burps, all the parsers that we have right here. We’re going to go ahead and just grab a Nessus file. Let’s bring in a file and let’s also show just adding one from our writeups database, right? How easy that is. Absolutely. We’re going to do this again. Tag.

Tag tags. So we got these findings tags. I’m going to say these are internal. They’re also Nessus and that’s good there. For the asset tags, we’ll say this is our entire infrastructure. Grab this vehicle here and we’ll say it’s also internal just to keep the tagging consistent. Right there we go, upload this, give it just a second while this is loading here.

The other two ways that I mentioned outside of these three are integrations, which very soon we’re going to have integrations down here below the import section here, which is going to be like your HackerOnes, your Snyks, your Tenable.ios of the world. And then the fifth way is if none of those work and can accomplish your objectives, is using the API, like I mentioned a little while ago. So being able to take an XML or a JSON file, massage that and bring it in via the API is a way that we can also bring findings in here. So we added these right here via an import really quickly. I’m also going to grab one from the writeups database. I’m going to grab this bad boy here and I’m going to add the open redirection finding, scroll down here. There it is, right there.

So see how quickly that is. Now this is a validated finding that I’ve already done and built so I don’t have to recreate the wheel anymore. As you can see, real quick, quick and dirty version of this is everything we see coming in is in draft status. That’s one extra layer of security we have as security professionals to keep our customers who may be interacting with these findings from logging in and seeing ten criticals that they had no idea about. And then all of a sudden it’s like Chicken Little and the sky is falling, right? So by keeping these vulnerabilities in draft status, not published status, we minimize that vector of kind of crazy for our customers. So until we actually click on these bad boys and make them published, which you’ll see real fast, that yellow background, that red dot goes away. Now my customer that logs in would be able to see these, right? So that’s that right there.

One of the biggest things here is as we open these findings up, we’re looking at everything at this view from vulnerability to asset. A quick other way of doing this is flipping the script and saying, hey, I want to look at every asset to the vulnerabilities. So we go to assets, we say, this is my single scope or single host Nessus file, so I only got this done eleven, but if I open this bad boy up, I can see all the vulnerabilities from an asset side down to a vulnerability side. So you get the same look and feel just however you want to view it and how you want to optimize and prioritize your objectives for that customer and ultimately that engagement that you’re dealing with. Each one of these vulnerabilities, aka findings, depending on what verbiage you want to use, you can actually come over and you can open up each vulnerability. You can come inside, you can add descriptions, you can remove descriptions, you can also track changes for those folks that have like junior pen testers or junior analysts on their team.

They come and say, you know what, this verbiage is just really too much, but this doesn’t make any sense to us. How is it going to make sense to a customer? So you come in here and change this, modify it, do whatever you want. You can add additional assets. Obviously most pen testing organizations don’t pen test every device in an infrastructure, it’s just too much. So we get usually a statistic sample like maybe 10%. So maybe you get 10% of the server farm, maybe you get 10% end points, maybe get 10% of phones, whatever the case is. But we know that this open redirection vulnerability is also on 90 other boxes.

So we can quickly come in and say, you know what, I’ve already validated this vulnerability, but I know it also belongs to these other boxes. So I can quickly add if you have other assets that you’ve already imported in either via Nmap or CSV, I would have a big population. This is a new client that I just created, so I don’t have all the clients that I’ve built over the years. But you could easily select ten, dot whatever you want or whatever your IP scheme is and go that route. This instance here, I don’t have any here, but for this sake you can easily do that there. You can also add custom fields to the finding. Easy ways for you to call out stuff on the database screenshots in app video.

So maybe you want to show the person looking at these findings that you did this SQL injection. You got into this group of directory, you left this loop here, you got all these different screenshots of all that. You can combine all those into like a little mini video and you can have a video showing whoever is watching this vulnerability. This is what you did and this is how you did it. And then also obviously code samples as well. So maybe that’s SQL injection or maybe the script that you use to run and exploit the vulnerability, anything of that nature, you can also bring in it as well. Perfect, okay, now we’ve got all this content, right? And now we put all this work in, but we want to see the fruits of our labor so we can actually come back here for the findings.

We can export this report. This again is where I get excited because these are just a few of my templates I have here. So whether or not I want to use a default template, whether or not I want to use a multi scope template, in this instance, I’m just going to grab a single scope template, go ahead and export these bad boys out. And so the thing is, in regards to reporting, the ability to customize your reports from top to bottom, two to tail, however you want to call it, is something that is literally what we’re designed to do. So having the ability to have your logo, your font scheme, your narrative sections, iterated this way. Findings broken down the way you want them. So maybe you’ve got a Nessus file and it has recommendations, it’s got description, it’s got CVEs.

Maybe you don’t want the CVEs, you cut them things out, right? So you can use these templates again to make that look and feel exactly what you need for your customer each time that you want them to do that, right? They’re very endless. Very endless. We’ve done some really crazy template replications that we’ve done, so it gets pretty crazy. So this is the report. I actually ran this report yesterday, but it’s the same concept. This is my single scope. I put this fun little graphic in here.

This could be your logo. Anything you want to do. You can make this look and feel corner to corner, exactly how you want it to be done. Scroll down, go to update my table, pull these findings in. There we go. So we’ve got all these findings. We’ve got my introduction to all.

These are my narrative sections, right, that we have. These are those pieces that I build from that narrative DB or I use for my report template. I didn’t have to copy and paste one time to get this right. So this is all stuff I’ve already pre curated. I don’t have to change anything. And if I do have to change them, I can change those dates. Like, maybe I have a day up here.

I can change these dates on the fly inside the report. I don’t have to do anything else. I’m done. Scroll down. We’ll see our table summary of the findings that were here. I have a master listing. You don’t need this.

This is just my template that I built. This is a master listing of these vulnerabilities. Then as we scroll down, boom, we got all these details. And this is where I get excited, right? This is where that normalization of data comes in. But if you look here, this finding number one, right? So I’ve got all this content in regards to this finding, and we’ll scroll down. This is obviously a Burp finding, but we can scroll down. And then we’ve got some Nessus findings.

We’ve got a bunch of different versions, but every single thing you see looks the same. It doesn’t matter what the tool is. And that, to me, does two things. One, it obviously makes me excited, right? But two, man, it saves so much time when you have to copy and paste. Like I mentioned from the earlier, you have to go to Nessus. You have to copy their output.

Bring it in here. You got to adjust the margins. You got to adjust the font. You got to highlight all their pastel colors, make them your color. You got to do this with Burp as well. You end up with these different kind of wonky. They’re almost close, but just different versions of output.

But to me, this is just awesome. I get excited. I get pumped up. Like I said five years ago, I’d probably still work for myself if I had this tool right here.