ThreatCare CEO Marcus Carey Interview — Simulating attacks with ease


Note — I’ve known Marcus for a long time since he did “Dojosec” here in Maryland. I am an investor and adviser at ThreatCare. I like the ease of use it brings to testing and training your security staff and making sure your expensive array of security products is working as expected. Many security vendors are using it to demo their products and avoid a “Tanium” moment. I conducted the following interview with Marcus over email.

Threatcare is a service that allows you to test the effectiveness of security controls without the need for live malware or performing an actual, potentially disruptive intrusion. What kinds of simulations can be performed with Threatcare?

At Threatcare we allow enterprises to measure their ability to detect, defend, and log intrusions. Our simulations create intrusion artifacts via DNS, HTTPS, HTTP, SMTP, and several other protocols. Threatcare does data exfiltration, lateral movement, egress scan, and inbound executable via email to name a few. Threatcare does all these simulations without harmful malware to allow organizations to test their security solutions prior to, during, and after deployments.

Tanium was recently in the news for using live customer data to demo their product. Can Threatcare be used to test the effectiveness of host-based and network-based security products?

Threatcare creates both network and host-based artifacts to test tools such as Tanium. Tanium and their competitors can use Threatcare simulations to show how their solutions work. In Tanium’s case they could look for hashes of files that we transfer to endpoints. That’s always a nice capability to have, and this can be used in incident response to discover the scope of intrusions.

What is the worst kind of gap you’ve seen at one of your customers to date?

The worst kinds of gaps are the ones that an organization thinks it has coverage for. We have several customers using DLP products that still allow data such as PII out if they trust default configurations. That’s why it’s important to test and calibrate all security solutions on a regular basis.

Do you believe security operation centers will start to look for gaps in their defenses and monitoring with as much effort as they put into looking for malware and insider threats?

Absolutely, they should be looking for gaps. Those gaps are the basic security blocking and tackling that all organizations should be really proficient at. The more coverage the SOC has, the better they’ll be able to spot malware and insider threats. The only way to truly develop a home field advantage for the SOC is to maximize the effectiveness of people, products, and sound processes.

What does a deployment look like and how can organizations learn more?

We’ve created an awesome web application solution that runs in the browser and allows organizations to immediately start validating their cybersecurity without having to deploy agents or servers. People are shocked that they don’t have to download and install software to get started. Organizations can visit to find out more about our solution.