How Verizon Media beefs up cybersecurity with red teams and bounties
CISO Chris Nims looks for a security team that "doesn't grade its own homework."
By and large, security teams prioritize software patches for the rest of the company while it's up to individual departments to deploy them.
Still, when something goes wrong, the security team is the first to shoulder the blame.
Traditional cyber defense organizations are usually comprised of "folks that have the great privilege of being woken up at 2 a.m. on a Sunday morning because something is happening," said Chris Nims, CISO of Verizon Media, in an interview with CIO Dive.
Even with a diverse cybersecurity workforce, security teams can often feel the burden of skill gaps, a lack of outside eyes or extra backup. The companies that can't hire the people that think like hackers can outsource to ones that do — enter bug bounty programs.
Go for red
Companies as large as Verizon Media have a broad attack surface, presenting numerous opportunities for malicious activity. In the name of defense, bug bounty programs are meant to complement in-house security teams.
Nims looks for a security team that "doesn't grade its own homework," he said. Though there are frameworks like NIST, Nims never wants to assume following those guidelines is adequate.
The companies that can't hire the people that think like hackers can outsource to ones that do — enter bug bounty programs.
Formal frameworks give security experts a common language so they can share industry best practices but "kind of fall into the category that I consider necessary but insufficient," Nims said. The solution for the gaps in frameworks is a "red team" where there's an intersection of security capabilities.
Nims tells his security organization to always challenge assumptions. This means, just because a software update was deployed doesn't mean potential exploits have been eliminated. Challenging assumptions leaves space for healthy skepticism.
Companies can assume the antivirus software they put on employee laptops will be sufficient for detecting malware. The red team tests those assumptions.
In addition to Verizon Media's bug bounty program, its red team is "a team of folks that behave as our adversaries behave," Nims said. "Their job is super fun because they attack the company all day long, that's all they do."
The red team will drop malware on an employee's device to see if the security organization can actually find it. Other scenarios take months, requiring the team to take on the persona of a particular adversary, from a specific country, with outlined objectives to achieve.
From there, Nims can assess if Verizon Media's cyber defense team detected the malware, how long it took and what can be done to expedite detection. "If our cyber defense team can catch our red team, then in theory, we should catch a real adversary as well," Nims said.
Temptations of the dark side
Diversity of thought is welcomed and crucial in cybersecurity, and though hackers tend to get a bad reputation, many act in a just manner when hired by companies to test their systems.
Security teams have skill gaps and on occasion, bug bounty hackers act more like the red team than the red team itself, according to Deloitte Cyber Risk Services.
"If our cyber defense team can catch our red team, then in theory, we should catch a real adversary as well."
CISO of Verizon Media
"It is more a natural evolution of the security research community, which has undergone a transition from effectively back water emailing lists," according to a spokesperson for Deloitte Cyber Risk Services, and "into a cottage industry, into arguably an important part of a testing program with well recognized and maturing providers and evolving standards around their use."
There are still risks companies run when using bug bounty programs. Hackers can effectively call out a company for failing to live up to expectations or if a hacker finds a vulnerability severe enough customers begin to question the integrity of a company's security, according to Deloitte Cyber Risk Services.
There is also the question of internal fraud if an employee finds a vulnerability. Companies have to decide whether or not they can receive bug bounty compensation. Likewise, if a true bad actor were to join a bug bounty program, it is likely they will continue to act maliciously.
However, "there's no incentive for hackers with malicious intent to participate in a bug bounty program," said Ben Sadeghipour, hacker and Hacker Operations lead at HackerOne, in an email to CIO Dive.
Most bug bounty programs have limitations on accessing data, like having an acceptable amount of data to convey a realistic impact, according to Deloitte Cyber Risk Services.
If there is a case of disagreement between hackers and a company with a vulnerability disclosure program, HackerOne's operation team intervenes.
"Typically, it's not that one party hasn't played by the rules, it's usually a misunderstanding that can be quickly resolved, and this is something we can offer as the platform," Sadeghipour said.
Bounties are an industry affair
Yahoo, a brand within the Verizon Media portfolio, started its public bug bounty program in 2013. A public bug bounty program allows anyone on the internet to go through the HackerOne platform to help companies scope vulnerabilities.
Other brands owned by Verizon Media, like AOL, had invitation-only, private bug bounty programs accessible through HackerOne. AOL's program focused on specific products and applications in its portfolio.
Detection for even the slightest anomalies or abuse requires technology experts, engineers, software developers and members fluent in governance and compliance to oversee risk management.
CISO of Verizon Media
But in April 2018, Verizon Media, then Oath, consolidated into a single program. By the end of the year, the company awarded $5 million in bounties, which is five times the amount awarded in 2017 and 10 times the amount paid in 2016.
Detection for even the slightest anomalies or abuse requires technology experts, engineers, software developers and members fluent in governance and compliance to oversee risk management, though those are often considered less technical roles, Nims said.
However, an in-house cyber team doesn't always suffice and outside eyes and ears can fill the gap. From organized crimes, hacktivists and nation-state sponsored attacks, companies have to be aware all kinds of threats and what eyes they have on their assets.
Follow Samantha Ann Schwartz on Twitter