Using a white-box perspective, our security assessments seek to identify all ways in
which asset compromise might be possible. The objective of a security assessment is to determine the
full scope of exposures that exist, to understand risk, and to mitigate it. A security assessment
seeks to identify all ways in which asset compromise might be possible, not just those most
readily identified via automated scan tools or other cursory efforts. The security assessment
considers assets, threats, workflow, whole system configuration, and internal defenses, as well as
future developments of the infrastructure or application. The threats addressed go beyond the
drive-by adversary, and consider the more likely adversaries who would be interested in compromising
high-value assets: targeted attacks, insider threats, and advanced persistent threats.

System resiliency doesn’t happen by chance; instead, its roots can be traced directly
back to threat modeling. A threat model is a critical aspect of any security program, and is the
foundation upon which any resilient system must be built. In most engagements, ISE works with the
customer to build out the threat model, identifying and describing the three primary components of
this crucial security plan: assets, adversaries, and attack surfaces. Without a threat model, an
organization does not have a security plan in place. With a threat model, an organization can
effectively consider risk and make informed decisions about how to reduce it.

Adversaries are human. As such, we use human intelligence to perform manual assessments
to discover all possible ways compromise could occur. Manual assessment entails thorough
investigation of ways in which a dedicated adversary could manipulate a system’s functionality for
unintended consequences. ISE investigates manually in order to emulate the level of care that a
committed adversary would apply in the pursuit of an attack. Automated tools do serve a purpose in
any investigation, as running such tools is the first step that any attacker would take. However, it
is only with manual assessment that higher-level, sophisticated, custom attacks can be defended

We dig deeper because it matters. Customization is a critical component of any
successful security assessment. As all systems are custom, so, too, are all ISE security hardening
processes. ISE utilizes a white-box methodology, wherein ISE reviews all publicly and privately
available documentation and design documents, workflow diagrams, firewall rules, and any other
supporting documentation. ISE interfaces with key engineers as well as business and technical
leadership. From there, ISE designs and performs custom tests, both to gather more information about
how a system operates and is implemented, and to test for custom-tailored, unique security
vulnerabilities. These assessment tasks are predominantly manual, and involve strategic thinking
from the perspective of the adversary.

ISE does not perform security assessments for the sole purpose of finding problems.
Instead, we do it to provide solutions. While it is important to identify security problems, it is
equally important to identify effective solutions. ISE devises proven mitigation strategies that
dovetail with business objectives, and then works with client engineers to ensure they are well
understood, properly implemented, and do not introduce any new vulnerabilities. ISE assists the
customer in developing and adapting the mitigation roadmap as business needs, industry conditions,
and stakeholder demands evolve over time.