X-Force Red Gets Serious About Penetration Testing
This week, IBM announced the creation of X-Force Red, a new elite security testing team. I’ve been working on putting this group together since October of last year, so the announcement gave me a mixture of pride, relief and excitement.
I’ve been involved with security testing long enough that creating one more pen testing team wouldn’t be very challenging or rewarding. This is different, mostly because of IBM’s unparalleled stature in technical innovation.
In 2015, IBM received 7,355 patents in the U.S., making us the leader for the 23rd consecutive year. With Watson, IBM is pioneering aspects of artificial intelligence and data analytics that not long ago seemed like science fiction. Just last week, I was blown away when the IBM website featured an invitation to “sign up to run virtual experiments on a quantum processor.”
I wish that I could say we’re using quantum computing at X-Force Red. We’re not quite ready for that, but we still embody IBM’s innovative spirit.
X-Force Red Does the Heavy Lifting
Anyone in security can tell you how overwhelming massive amounts of vulnerability data can be. Even in small organizations, findings from penetration tests, code reviews and vulnerability scans pile up quickly.
Vulnerability analytics are a key feature of X-Force Red’s offerings. They help to prioritize and track work, identify security trends in your organization, map risks based on shared dependencies and much more. The data can come from any source: tests performed by IBM, vulnerabilities discovered by your own internal work or even issues documented by third-party tests.
There are four main disciplines within X-Force Red:
- Application: Manual penetration tests, code review and vulnerability assessments of web, mobile, terminal, mainframe and middleware platforms;
- Network: Manual penetration tests and vulnerability assessments of internal, external, Wi-Fi and other radio frequencies;
- Hardware: Security tests that span the digital and physical realms with Internet of Things (IoT), wearable devices, point-of-sale (POS) systems, ATMs, automotive systems, self-checkout kiosks, etc.; and
- Human: Simulations of phishing campaigns, social engineering, ransomware and physical security violations to determine risks of human behavior.
A Team of Experts
The vast technical experience at IBM is another advantage of X-Force Red. Any decent security testing team will have experts on the common application and network technologies. But when it comes to bleeding-edge, niche or legacy technology, consultants can be left scrambling. X-Force Red is backed by the collective experience of literally hundreds of thousands of the world’s best technologists that work at IBM.
Simplicity is another key aspect of the X-Force Red strategy. Filling out scoping surveys and counting your webpages, classes or database servers slows down the testing process and doesn’t improve your security. The details on how we scope and size projects can be found here.
Visit Us in Vegas
My team and I are very excited to be a part of IBM and look forward to helping solve your security testing problems. Many of us are in Las Vegas for Black Hat and DEF CON this week. If you have a chance, stop by Black Hat booth No. 908 to learn more or just to chat.