ReliaQuest is a global security model management platform, known for its GreyMatter solution, which is built for enterprise security teams. In 2019, ReliaQuest acquired Threatcare, an attack simulation vendor founded by Marcus Carey. Carey was a former cryptographer for the US Navy and is now a well-known security expert and innovator.
GreyMatter platform integrates security data from SIEMs, endpoint detection and response platforms and threat intelligence feeds to automate threat detection and response. At RSA 2020, ReliaQuest announced Verify, a new feature of GreyMatter based on the Threatcare platform. It allows customers to quickly see the results of a simulated attack from both the point of view of the attacker and the defender, ensuring superior detection and response across all of their
We caught up with Carey at the show to talk through his career, the ReliaQuest platform, and why cyber-attack and data breach simulation is so important.
The Threatcare Platform
was initially founded out of a need for automation, identified by Carey through a varied career in multiple security roles. “I started out in the Navy,” Carey tells me. “I was working for various American intelligence agencies as part of the military, and then worked for contractors. For some reason, I kept on falling into the role of testing if our security tools were working or not. After a number of years, I realized that there needed to be a way to automate what I was
that every organization he visited had tools that they wanted to put to the test. Tools could be anything from new technologies organizations were looking to purchase and implement that needed testing, to systems that had been left in place for years, running in the background.
identified a need for organizations to be able to test these tools, without requiring a highly technical user like himself to come in and test their systems. “I wanted to allow anybody to be able to test their security technologies, without having the skills of an expert hacker,” he says. “That’s why I created Threatcare.” Threatcare provided organizations with an automated way to test their security tools were working effectively, with simulated breaches and
Carey says the partnership with ReliaQuest was a natural progression to a platform that combines automated attack simulation with more operational capabilities. “We allowed people to test their network, but what we quickly found is, we could help people identify flaws, but the question we had was, how do we help people to fix those flaws? That’s where the ReliaQuest platform fit.”
Now that the ReliaQuest and Threatcare products are integrated, users can continuously perform simulated attacks, and then instantly verify that those vulnerabilities are secured. This gives users automated, continuous testing and defense of their security products.
The Verify platform is deployed as an agent that is installed on endpoints. “The agent is able to perform local activity on the endpoint that imitates a hacker,” Carey tells me. “It will simulate ransomware and try to infect other machines.”
This testing helps to show how effective enterprise security tools are at stopping hackers and malware attacks. The tool also analyses network traffic and performs data exfiltration, to simulate multiple kinds of attack vectors.
Why Enterprises Need Continuous Security Testing
Continuous security testing is hugely important. Large enterprise organizations will often have dozens of security tools in place, often for many years. But an important part of the security model process is testing the services to ensure that they are still working effectively. Carey argues that the best way to test security models is with continuous testing of solutions.
should not be a ‘set and forget’ situation. I’ve seen organizations spend millions of dollars on tools that didn’t work for them. Every environment is different, and you have to consider all the nuances, and test tools to make sure they will work for you.”
One of the major trends that ReliaQuest sees in security testing is a lack of strong endpoint coverage. Often, after implementing security testing, organizations will find they are missing granular visibility at the endpoint level, which is crucial to combat threats such as ransomware attacks.
major trend they see is organizations deploying cloud-based technologies, Carey says. It can be a challenge for organizations to measure how well cloud-based security tools are working, and what the effectiveness of one solution is over
important for organizations to remember that there can never be 100% guaranteed security, Carey says. “100% security is not going to happen,” he says. “You need this automated, continuous testing approach.”
The Verify platform works on two levels of continuous security testing. Firstly, it ensures that security tools, including firewalls and endpoint protection, are working. Secondly, it ensures that products are operating across the organization and giving security teams the visibility they need.
“You have tools at a functional level, and at an operational level,” Carey says. “Functionally, you need to know if firewalls are actually working, if the lights are turned on, if the ports are plugged in. From the operational perspective, asking ‘does my team have the information that they need to block these threats?’”
organizations this issue of a lack of visibility across security threats is a big problem. Large enterprises can often have only 40-50% visibility across their environments. Out of the visibility they do have, organizations can find it very difficult to measure the effectiveness of their security tools, without using applications that continuously automate security testing.
One of the main use cases for is in organizations undertaking mergers and acquisitions. Usually this means undertaking a full security audit of all the tools in an organization, and automated security testing is a very quick and easy way to
occasions, the first time organizations start to look at their internal visibility is when they have already been hit by an attack, Carey says.
“From a preparation standpoint,” he says, “running these simulations, running these activities, and then seeing what the data tells you is hugely important for incident response and being proactive in the future.”
Find out more about ReliaQuest here: https://www.reliaquest.com/