IOActive offers offensive security approach to risk assessment
IOActive launched its Advisory Services practice, offering strategic security consulting that leverages IOActive’s testing and research expertise to help customers better align their security programs with business objectives.
While most risk management services are based primarily on legal, accounting, or audit/compliance pedigrees, IOActive is in a distinctive position to assess security programs from the perspective of actual attackers. The company’s offensive security experience provides insight to customers well before threats, countermeasures, and best practices make their way into the legal or compliance standards that form the basis for conventional advisory services.
“The launch of our new Advisory Services practice, with its adversary-based approach, gives us the ability to measure risk and provide weighted recommendations in a way that other companies are simply not equipped to provide,” explained Daniel Miessler, Director of Advisory Services at IOActive. “This approach allows organizations to allocate their limited resources in the most practical and efficient manner possible, and based on real-world risks, as opposed to compliance or published best practices.”
IOActive Advisory Services key offerings
Program efficacy assessment: A look at the real-world efficacy of an organization’s security program from the perspective of its most likely attackers. After completion of the assessment, clients receive ratings for each area of the program, with weighted recommendations for improving their real-world security posture.
Threat scenario analysis: A tabletop exercise focused on prevention, detection, and response to the most likely and dangerous scenarios. Results of this exercise highlight methods for handling these scenarios, with actionable next-step recommendations prioritized by risk.
Data security mapping: A consulting engagement that identifies and classifies company data and then maps its movement through the organization using standard business practices. This process then overlays likely threat actor methods for attacking the organization, and provides weighted recommendations for the prevention, detection, and response to these attacks.
Secure product development: A look at the complete development lifecycle of a company’s primary products, covering requirements, design, implementation, and maintenance. Advisory Services examines the many considerations that go into creating and maintaining the security of a flagship technology product. This offering also includes multi-dimensional considerations, such as supply chain security, public vulnerability management, and more.
Adversary emulation services: A unique approach to Red Team services that focuses on reproducing the techniques, tactics, and procedures used by the threat actors an organization is likely to face in the real world, as opposed to internal, vendor-preferred, or compliance-based techniques. This offering also evaluates internal Red Teams in the key areas of Organizational Independence, Defensive Coordination, Continuous Operation, Adversary Emulation, and Efficacy.