Skip to content

WEBINAR  Beyond Trends: Actionable Cybersecurity Advice for 2023 with Bugcrowd and Red Canary · December 14, 2022 ·  Save your spot!

VIDEO

The Future of Pentesting: Continuous Validation with Pentera and PlexTrac

Category: PlexTrac Update Series

   BACK TO WEBINARS

Play

Please accept marketing cookies to watch this video.

Transcript

So, for those of you who aren’t familiar with Pentera, I’ll share just a few words about the company. At the end of the day, our goal is to help organizations find and provide contact with their most critical vulnerabilities so that they can eventually prioritize patching. We call this automated security validation. And we do this by allowing organizations to automate testing all of their security layers against the latest adversary threats. And this helps them understand their true security gaps and provide real time security validation at scale and actionable insights to fix that.

So the company was founded in 2015, and we have more than 200 employees, more than 500 customers in 45 countries, as you can see here. All it takes is the click of a button to enable security teams to test their internal and external attack surfaces against any attack vector in a single solution. I will hand it back over to Hannah to share a few words about Dexter.

Yeah, I’m happy to be here today to share with you a little bit more about PlexTrac. PlexTrac is a cybersecurity reporting and remediation management platform, and we’re all about supercharging security programs. We do that by a series of tools that help make teams more effective, efficient, and proactive. The PlexTrac platform helps pentesters track signal through the noise. Now, that’s really just about what do we need to focus on what’s most important. And the other aspect is breaking down communication silos, which is also very relevant to our topic today, which will show you some of the features that we have built in the PlexTrac platform to help with that communication silo challenge.

And as I said in the prior slide, PlexTrac is all about efficiency. So here’s a little bit more about what our customers are saying about that. 65% shorter reporting cycle, an average 20% time saving per engagement, 30% increase in efficiency, and with all of those efficiencies, not surprisingly, 5x ROI in one year. Over the past several months, as Ali said, we’ve been working really closely to build an integration between PlexTrac and Pentera, and Ellie is going to share a little bit more about what we’re looking to jointly sell for with that integration.

Thank you, Hannah. So now we’ll talk a little bit about the problem we’re here to solve.

First of all, increasing digital footprint of enterprises due to new different applications in hybrid work environments. As you know, it’s pretty relevant. It’s creating an attack surface that is constantly growing and shifting, and this makes it hard to know the organization’s actual security poster at any given moment, obviously putting the enterprise at risk. Additionally, current remediation and reporting processes aren’t necessarily standardized, and this is making cycles significantly longer than they need to be. They often require organizations to pull data from different cyber tools in order to present a single and accurate picture of the current poster. And this requires also a significant investment this prevents cyber professionals from being able to focus on what’s important and to provide value. These existing work processes unfortunately often make it difficult to validate whether or not a risk was actually remediated and it reflected in the risk culture.

So and also, lastly, as everyone knows, we have a shortage of experience in task professionals. This makes the buff pointing even more complicated.

So what you see here is what I call the remediation cycle. And we use here a generic use case to show the actual flow between our system. So just like me and Hannah, we’re running this webinar applications must go back and forth from running tests, exporting results, remediating using different ticketing systems and then rerunning to validate their organizations eventually safe. Well, I hope me and Hannah are running this site chip. The back and forth between application is wasteful and lead increase in remediation and reporting cycle. So, as you can see here, the process starts with Pentera, validating the security which would do best.

Then PlexTrac imports this interesting prioritized and insightful findings.

PlexTrac manages the remediation progress and then Pentera runs and validates. This remediation was actually executed and this ends the remediation. And obviously it’s continuous. As you know, Pentera is a continuous security validation automation tool. And this goes back and forth as remediation cycle.

By combining both Pentera and PlexTrac, our organizations benefit from a shorter cycle through Pentera’s from cyber engine and remediation insights and PlexTrac’s advanced recording capabilities.

So now that we’ve provided a bit of context, I’d like to jump into the live demo. We’ll see here how we export results from Pentera, import them, remediate and then validate so we can forget about that finding that word out in the first place.

Okay, so what we see here is the Pandera. The home screen is the testing history.

Pandera allows the user to run different templates. So we have different kinds of tests we can run. Either it’s a black box, a gray box, which is when you need to provide some starting parameters, or different targeted tests such as ransomware or web application tests or Active directory.

So we’re going to look at one specific test that we ran before and then show the continuation of this process.

So we’re investing now a lot of effort in upgrading different integrations, giving more flexibility to Pentera. We recently published our first batch of public APIs giving more flexibility to companies who want to continue with the Pinterest result and eventually close loops in other applications. And we have even more yet to come.

Let’s look at this test for example.

So we have different tabs here, different than Vulnerabilities. We have the achievements which are actually the proof that something was exploited. We have vulnerability. And also we can see here the different hosts that were enumerated in this time. One of the things I love about intelligence is that not only it knows that you’re vulnerable, it also gives you proof that it’s exploitable and it helps organizations know which ones of hundreds of vulnerabilities are actually valuable to remediate. And of course we provide, as you can see here, a prioritized remediation priority. So for example, if you look at this vulnerability, which is locked fridge vulnerability, you probably know that this was a very hot potato lately generating a lot of bugs.

Some call this one of the single biggest, most critical vulnerabilities in the last decade. So we sent her invested a lot in dealing and reacting quickly to these hot potatoes with our research team. According to reports, the number of critical vulnerabilities is on the rise. I guess you all know that we can only imagine our shortening remediation cycle can contribute to dealing with these potatoes, identifying them, validating their exploitability remediating and validating their remediation, closing the loop as fast as possible.

Also, what you can see here, we have all this information that eventually will see hannah will show that in fact, so that our cyber professionals can know what insights and recommendations and what they should do. We also have here what we call remediation wiki.

So our research team invested a lot of effort in this remediation wiki. This is one of my favorite features in Pentera. It really helps organizations with required background and steps to fix this vulnerability once and for all.

So eventually what the user will need to do is basically click on this icon and then export to PlexTrac. Okay. And this will open a JSON file that is downloaded to your system. This file contains the app achievements, the vulnerabilities and the host. It’s a simple JSON file. And now I will stop sharing and back to you Hannah.

Awesome. So it looks like we did have a question come in and I’ll read that to you if that’s all right here. Ellie question is, does the software test for vulnerabilities outside in or inside out? Meaning do you take an external or non authenticated attack pass? So what I showed here is the core Pentera. So I’m talking about the inside.

This exporting option is not available for what we have surfaced, which is the external product.

And the other question yeah, we don’t deploy an agent. It’s the general question about Pentera. So we don’t need an agent, we’re agents. But this is one of the good things of Pentera.

Awesome. So I’ll jump back into demo here just to catch us back up where we left off. Ellie used the export to PlexTrac feature that they’ve developed on the Pinterest side. We’ve got our JSON file and we’re going to jump into the Plastrax platform for the rest of this demo. So today, for the purposes of what I want to focus on with you all, I won’t be able to show all of the incredible reporting features we support in just with the time that we have. So keep in mind you can reach out if you want to find out more, but we’ll assume I’ve already got a report in the platform started, and we’re going to navigate to findings to upload the file from Pinterest. Within the PlexTrac platform, we offer a lot of options to get findings into the platform.

We’re all about aggregating all of the data you need to effectively communicate in your report. So for this, we’ll select from the ability to add findings here. We have several options, the ability to create them manually. We also offer a write up database that you can develop in full from. But for Pinterest, we’re going to go ahead and select from files, and we’re going to identify that this is a Pinterest file, which is custom to this export we’ve developed in partnerships, and we’re going to upload our JSON file here. Now, in that Track application, at this point, we kind of take a brief pause and give you the opportunity to identify any tagging that you want to associate with findings in this report. So this is going to associate any of the finding or asset tags you developed here with all of the data that you pull in from this file upload.

For this demo today, though, I want to call out that we have, in partnership with Pentera, developed some auto tagging which will be really helpful with the specific type of data coming from Pinterest as a tool. So that auto tag will be either a tag for achievement or vulnerability so that you can navigate between those two types of findings in this report. And tags can be leveraged throughout the entire platform as well. So, very beneficial steps. So we’re getting a notification that our file is uploading, and if for any reason our file were pretty large, you would just get a notification up here at the bell that it’s ready for you. Of course, in this example, that’s not a concern. So as we just kind of want to orient you all to what you’re seeing here on the screen, where in our report we’ve got our findings.

We just uploaded our file. You can see now all of these findings have been populated, and I’m going to pull a finding up to show you a more detailed view. And I’m going to use the same example that Ellie referenced earlier, this log for shelves. So you can see in this integration, we’re automatically populating the finding detail with the description. The title here, of course, and then the other area we partnered very closely on is the custom severity scoring structure that Pentera has. So out of the box, as these findings come into PlexTrac, we’re making sure to set, for example, a ten immediately to a critical in PlexTrac. Ellie also called out the great customer mediation recommendations that come from Pentera, and those are being pulled into this finding detail here as well.

And this goes a long way towards the topic of our talk today, which is how do we communicate what needs to be done. So the Play Track platform does offer you the ability to enhance and expand upon this, but I think this is a really great start that we’re able to populate this here. You’ll also note that we have our tag. I mentioned it’s shown here, and we always show the source. And the reason for showing the source is that we offer the opportunity to pull in findings from multiple sources to help you enrich your reports as much as possible. So all of these findings will be tagged with a source of Pentera and our auto tags. And this is also where we would see any of the tags we chose to add.

Whatever works best for you and your team.

One other feature I’m going to show off a little bit here in this finding detail is an optional feature in the Quick Track platform, Time to SLA. And I think this is really relevant to our talk today as well, because we’re focusing on how we get issues resolved and the time that it takes. You guys shared in your poll the variance and the time that it’s taking to find vulnerabilities in this example from Pinterest and then get them resolved and communicated to the teams that can do the work.

So, speaking of remediation, the first remediation tool that I’m going to call out in the PlexTrac platform is the status tracker. And what we support in our product is the ability to assign a binding to any user within the plastic platform. So you can see I already have a very simplistic example of the timeline you’re able to create when you’re assigning and passing back and forth daily commentary about the status of a finding in the PlexTrac application. Now, when a user in PlexTrac is assigned to a finding, they’ll be alerted to this when they log into the application on their Dashboard. Or we also also optionally is what I’m trying to say have a feature you can choose to have some email notifications. So this status tracker does a great job of working for teams if the team is all working in PlexTrac, as we talked about today too, we mentioned communication silos. I know for many of you, the teams that you’re working with to get the work done are not necessarily going to be working in PlexTrac and maybe working in tools like Jira or Service Now.

And that’s why the PlexTrac platform offers integrations with both Jira and ServiceNow. So if you’re needing that ability to take this data and in our example, we’re talking about data coming from HunterA into PlexTrac, we can then push that data into a gear ticket or Service Now issue if that’s the way you need to communicate what needs to be done. So as either a user is identified and set the ticket to close, this finding will be marked as close. Or if you push this to Jira or ServiceNow and that ticket or issue type is closed. That will come back into the system and through our API integration and update this given binding to be closed.

One other note that I want to call out is that for many of you at this point in the cycle, you’re going to need to export. So, as I mentioned, the PlexTrac platform has a lot of great reporting tools to help you customize the way you communicate all of this data. So feel free to reach out to the Tech Track team if you want to learn more about our reporting output and how you can customize that and enrich that both from a narrative and an informational perspective.

I’ve just shared with you guys quite a bit, and I want to call out that if you’re wanting to get back into some more of this information, the details about the integration between Pentera and PlexTrac. We’ve partnered with the Pentera team on some really great documentation. So you can head over to Docs Flexrack.com to view this joint information and this details everything from the Pentera platform all the way into the PlexTrac platform of how to leverage this. And you do not have to be a current customer of either Pinterest or PlexTrac to access this documentation.

We hope that will be helpful for you. So, with that, as we talked earlier today, ali showed you guys a great visual of the cycle and getting to remediation. And I think, Ali, you are going to mention just briefly a little bit more about the idea of getting back into Pinterest at this point. Yeah, exactly. So one of another cool feature in vendor is we can actually rerun a test. For example, if we know certain vulnerability finding was remediated, we can rerun a test. We can also schedule tests so they can be done continuously, periodically, and then we can reevaluate reassess our security poster.

So for example, here in this example, an operator rerun the test and exported another result, JSON what that’s could look like on the PlexTrac side is again from Pinterest, right, selecting to export to PlexTrac, maybe you develop a follow on report and then having the opportunity to pop back in here and upload in that new file. And just to close this loop, I’ll do another quick demo.

And ideally at this point, right, we’re going to be able to put our findings.

And when in demo always takes a little flash of a second more than you hope. In this example, we’ll go back to our log for Shell that we started with and just showing that data isn’t in this report. We have completed that cycle from Pentera into Plex Tract, then into your remediation tactics, revalidating in Pentera and then re uploading to PlexTrac to validate that we are watching our progress as we progress.

So this ends the live portion of our demo but not our talk. We really hope that this conversation and demo of both platforms shows you guys the value of how Pentera and Puertok together can help with the cycle of validation and remediation and hopefully speed it up, as we saw in your poll results that there’s a lot of variation out there and opportunity.

And I’m just going to pull up a quick slide for some Q and A for those of you who would like to stay with us. So bear with me just a second here.

Okay? We’re going to take a look at our Q and E.

What is the benefit to track the findings and PlexTrac instead of ServiceNow in Jira directly? That’s a great question. So to address that first question, the opportunities in PlexTrac are to monitor over time. We also offer a lot of features to enrich the information. So, as we showed, Century has some great recommendations for remediation, but many teams are looking to expand on that information and be more specific. We also know a lot of our customers have their own narrative, their own style, and that’s the value add that they give to their customers or the teams they work with downstream. So within the PlexTrac platform, you have lots of tools to expand upon and determine how in depth you want your communication to be.

I have a question here. Yeah. Okay. So someone asked what other integrations we support, so I think it’s actually a question for both of us.

Pentagon. We support emailing service, public API. As I mentioned only recently, we have different CM integrations, different formats like Syslog, CES and Leaf.

And as I said earlier, we’re putting a lot of effort these days and giving more flexibility. We’re also working now on a ServiceNow integration, and in the coming future, maybe some other tools as well.

Awesome. For us on the PlexTrac side, I mentioned we have remediation integrations with ServiceNow and Jira, which kind of speaking to the prior question, allow the ability for you to expand upon and enrich what information is actually getting pushed to those remediation tools. And then in terms of additional tools you may be using to establish what needs to be fixed, we offer an API level integration with Snyk and HackerOne, as well as a whole host of file imports, like what we saw today. And I mentioned we have a site Docstockliketrack.com, which has an entire list of all of the integrations and the file types that we can ingest. I believe we’re up to about 20 right now, so feel free to just inquire online as that list is pretty long per nessus quality. A whole host of lists out there. We also have API level integrations with Tenable as well.

Okay, I have another question here. Oh, go ahead, please. How do you determine severity scores in Pentera? So that’s a very good question. So it depends if the vulnerability is confirmed. TV so we use a CVS score and if not, our research team assesses its impact and we use this score. This is basically what I showed you before we prioritize according to this assessment.

I’m just looking at a couple more questions here.

I actually want to make a comment on your prior question as well around severity and call out that Cliche has a lot of tools to customize severity and as we showed in our partnership with Pentera, we’re pulling in their custom severity scoring. But if you’re using PlexTrac to ingest data from multiple sources, you may want to have more customization around severity scoring. And that’s also an upstream benefit that can provide some value before you do push findings into remediation, either with your service. Now if that’s an option you’re using. And then we have a question about exporting reports for customers and can you show some of it? I don’t know that we have time as those tools are, so we have so many, to be honest. But we do have a lot of really great YouTube videos from our team to that question, specifically showcasing all of the report output features that we provide in the Quick Track platform.

So also important to note here that the Pantera product I showed is the core product, which is internal. It’s an onpremise product, so it can be used even if you’re an Air Gaps organization. So it doesn’t necessarily mean you have to be logged in. But in order for us, for electric to work, you have to be logged in. So in order to deploymenter, you don’t need necessarily anything specific unless you want to get updates and then you need certain ports open. If that’s it.

Well, hey, maybe I’ll take a last question around the key benefit for using PlexTrac for remediation. One thing I failed to mention in my demo portion of our talk today is that when you’re assigning a user within the PlexTrac application to a given finding for remediation, because our product was founded by a security practitioner and honestly our team is full of experienced security practitioners and we understand those pain points very well and our product is built out of those pain points. We have a lot of security tools within that. So if you have a team that’s needing to be very clear about who’s working on what report, has permissions to what report and is contributing to the information prior to it being pushed to remediation, we have a lot of great tools for that. And I think just the only other point that I’ll make there is as a product person on this team being focused on tools for workflow and remediation, we are going to continue to build out those tools and enhance those tools. From a roadmap perspective, I can tell you that as a part of the product team.

So with that, I am so grateful for all of you joining us today to learn about the value of Pentera and PlexTrac together, these two very powerful tools. If you want to reach out for a personalized demo or more information Pentera IO and plextrac.com. And we thank you so much for joining us today. Thank you. Thank you for your time. Yeah, and thank you for all the dedicated monthly. It’s been great working with your team.

Team. Yeah. Thank you, too, Hannah. Thank you, both teams and everyone who spends their time here with us today.