Red Teaming With Talha Tariq From HashiCorp
Whenever we get to sit down with other organizations to talk about their security and compliance programs, we like to help pull back the curtain on how Chief Information Security Officers, compliance experts, and other security practitioners keep their companies secure. And when we ask how they’d hack their company, a common answer is: by hiring someone to hack you, on purpose.
In our latest conversation, we discuss red teaming with Talha Tariq, HashiCorp’s Chief Information Security Officer. HashiCorp is a leader in multi-cloud infrastructure automation software.
For listeners who might not be familiar with red teaming, it is a type of role playing where experienced pen testers validate or poke holes in an organization's security infrastructure—be it physical security or cybersecurity.
Hear more about an unusual red teaming exercise that ended in the police being called and why phishing scams still might be one of your company’s biggest security threats on Spotify, Apple Podcasts, and Amazon Music.
How Would Someone Else Hack Your Company?
How do you know if the controls you’ve put in place to keep your company and your customers’ data safe actually works? Are your employees putting to use the security training they had last quarter? Have you really thought about every possible way someone could hack your company?
While it might seem counterintuitive to let someone hack you on purpose, the resulting information can be invaluable. The best way to know if you’re prepared for potential attacks is to test it out before a real breach occurs.
“I know this might not jive with the conventional idea of what a red team does, but as you think about how red teams should be structured and run and why they are critical to the business, you're actually helping inform the effectiveness of your security, controls and posture, and actually helping build adversarial emulation and use cases on what are you worried about.”
Talha’s four year tenure as HashiCorp’s CISO and decade of security experience has shown the variety of ways red teaming can be executed. Their first year doing red team exercises was focused on foundational security practices, the second year advanced to pen testing, and now they have matured to planning short and long term campaigns and assessments. He stresses that red teaming will be different for every company depending on a variety of factors.
“I think that red team exercises could mean very different things, depending on what you want to achieve as an outcome and the type of company you are and the maturity of the security program you are in,” he explains.
It Always Comes Back to the Basics
While the industry is seeing more breaches than ever before, the attacks themselves aren’t necessarily getting more sophisticated. The source of the problem for most companies, Talha believes, is the lack of a solid security foundation.
“I mean, if you’ve got the basics right, then you can improve your maturity. But I think a lot of times I see security organizations and companies chasing fancy expensive tech rather than focusing on the process and enablement and the human aspects of security. And that's where it feels like, yes, they’re interesting attacks and sometimes they're fascinating to see, but a wide variety of breaches are an account compromise because MFA wasn't turned on or your logs weren't there for you to correlate at the same time or to respond was too close.”
He goes on to elaborate on a key fact of the security industry, one most folks don’t like to think about. “We as an industry should steer everybody towards the foundations and the basics and the risk. And I mean, also just help understand, like you will not be able to protect everything. The whole notion of security needs to help inform risk and the right level of security controls for what's applicable to the industry and the company.”
It can be tempting to feel like if you pay top dollar for an advanced security technology that your practices are infallible. If you’ve invested enough money, surely it must mean you’re protected, right? But there is nothing more worth your time, money, and effort than establishing a strong security program for your company that focuses on the fundamentals first.
In case you missed Episode Zero, we brought in some members of Drata’s security team to talk shop and share why it’s important to ask dumb questions. To stay up to date on conversations like these, webinars, and other Drata news, subscribe to Trusted, our bi-monthly newsletter.
Put Compliance on Autopilot
Close more sales and build trust faster while eliminating hundreds of hours of manual work needed to maintain your SOC 2 report and ISO 27001 certification.