Testing the layers of your security onion

Stephan Chenette, AttackIQ

2 Mar 2016 - Doesn’t matter what or how many layers you have until you know for sure they’re protecting you.


Significant customer frustration, lack of confidence and skepticism over security products have created a need for a vendor to provide answers and test assumptions.

“Instead of promising another product to protect you, we offer a product that validates everything you have in place now, and in the future, and helps consolidate into a solid security program with only what is essential to help you manage,” said Stephan Chenette, CEO AttackIQ. “There are 75 security products. On average they ship through hundreds of thousands of alerts, of which fewer than 20% are actionable. There aren’t enough security people to manage all of the security products. There is a huge need to automate security testing.”

So Chenette founded a firm that offers continuous security testing, challenges the infrastructure and products, and helps measure risk, validate, and provide assurance. Founded in 2013, the firm came out of stealth mode only after working with hundreds of companies in various industries.

The platform allows organizations to run security unit tests to challenge every assumption about security posture. Chenette claims it’s the first purpose-built community platform that allows organizations to use their security knowledge for repeatable and consistent tests of their security programs on an ongoing basis.

“So many alerts are myths. In everyday data breaches, it’s not only the technology that fails, it’s the humans and their processes that fail also,” he said. “If we have security products you assume are working, you need to test that assumption. Most organizations, instead of validating that what they have works, add more products until security becomes unmanageable.”

Unified security testing, powered by the AttackIQ research team and the security community, includes a repository of curated security tests that organizations can use to test their own programs, both on premises and in the cloud. They can safely attack and improve their defense-in-depth strategies.

Another goal of AttackIQ is to help every organization improve its security and spend money wisely, regardless of budget size. The correct way to buy technology is to decide what is at risk, and then build security around the valuable assets in the organization.

Testing is the missing component. You have to test what you’ve put in place, which allows you to become more resilient and secure. Finding the gaps and blind spots in your infrastructure lets you improve what works and to what degree.

“Most companies go from being skeptical to the belief that they’ve never had this before,” Chenette said. “With the FireDrill platform you can test your AV for example, in minutes. Hundreds of templates help you validate your security. Sign up for the platform, deploy agents, and begin validating your infrastructure.”

Scenarios range from validating firewall egress points to safely testing adversarial techniques inside an organization's defense-in-depth strategy. The goal is to validate the security controls, while exposing gaps and blind spots so an organization can improve its security and continue to retest.

“What was true yesterday might not be true today,” said Chenette. “Networks change, configurations change, machines come in and out of networks. They must be tested continually.”

It’s designed so that in less than five minutes you can sign up, deploy test points, and validate the security controls in your organization.

You have access to reports, and direct outputs via a number of different mechanisms. An organization can use any data FireDrill has to integrate into its workflow.

Fully API-driven, it’s built to integrate well with other components of an organization… technology agnostic.

“It’s no longer about the promise of technology… we have to stop the guessing game and test our assumptions,” Chenette said. “Stop guessing and start knowing.”