August 11, 2016 By Charles Henderson

Now that Black Hat and DEF CON 2016 are behind us, I can finally report what a great week we at IBM had. We had high hopes for the public launch of X-Force Red, of course, but the response exceeded our expectations.

The media coverage has been very positive and we’ve received great feedback from both customers and colleagues in the industry. Of course, this wouldn’t have been possible without a great team, to which I owe a huge thanks.

Improved Scoping Mechanisms

Everyone hates scoping a penetration test. If you’re a client, filling out complex scoping surveys about the count of webpages, classes or database servers eats up your time and does nothing to improve your security.

Instead of questionnaires, X-Force Red offers simple scoping mechanisms. For application and hardware projects, customers can select preset test durations based on the target’s size and risk profile. Similarly, network tests are scoped by targeted IP address blocks and source code reviews are scoped per line.

Three X-Force Red Models

X-Force Red can be engaged in three models: standalone tests, subscription and managed. The standalone offering is for organizations that want to purchase each test individually.

The subscription model allows an organization to dedicate a set of funds for testing over the next 12 to 36 months. When the need for security testing arises, there is no additional need for statements of work, contracts or any other legal paperwork that can slow down an engagement. The client simply picks the level and type of testing, and the project is scheduled. This is ideal for organizations that may not know what specific targets need to be tested at the beginning of the fiscal year.

The managed model builds on the subscription model by providing a dedicated resource to run the client’s testing program. The consultant is responsible for identifying testing targets, prioritizing them and selecting the proper testing level. Once the test is complete, the consultant also tracks and coordinates the client’s remediation efforts.

Four Testing Categories

As mentioned previously, we offer four categories of tests: application, network, hardware and human. A client can select any test, regardless of their engagement model.

  • Application: Manual penetration tests, code review and vulnerability assessments of web, mobile, terminal, mainframe and middleware platforms;
  • Network: Manual penetration tests and vulnerability assessments of internal, external, Wi-Fi and other radio frequencies;
  • Hardware: Security tests that span the digital and physical realms with Internet of Things (IoT), wearable devices, point-of-sale (PoS) systems, ATMs, automotive systems, self-checkout kiosks, etc.; and
  • Human: Simulations of phishing campaigns, social engineering, ransomware and physical security violations to determine risks of human behavior.

Human Touch

Any company can license a tool and sell automated scans as penetration tests. Anyone who has been around security testing for very long has seen many cases of this misleading practice.

Automation is cheap and will always have its place in security, but it is the human factor that makes true penetration tests so useful. Every one of our penetration tests relies on human ingenuity. CISOs and other security decision-makers should use human testers as a critical criterion for their security program.

As my team moves forward in this new initiative, we are excited about the possibilities ahead.
