Offering something truly unique in the tech industry is becoming harder and harder to do, but Austin-based NSS Labs can rightfully say it’s one of the only companies doing what it does.
“Where else can you get paid to continually do threat research, develop attacks and test them against virtually every security product on the market?” says NSS Labs’ Senior Manager of Offensive Research, Ty Smith.
We spoke with three team members from NSS Labs on their efforts in the cybersecurity arena, the ever-shifting landscape of their work and how the team stays ahead of the curve.
EMPLOYEES: 80 (73 locally)
FOUNDED: 2007
WHAT THEY DO: NSS Labs provides enterprise customers with timely and relevant cybersecurity product testing, research and advisory services in efforts to manage cybersecurity risk and make informed security decisions.
WHERE THEY DO IT: Austin
PERKS ON PERKS: In NSS Labs' long list of perks, they offer unlimited paid time off, free daily meals, a pet-friendly office and an annual performance bonus.
Ty Smith, Senior Manager, Offensive Research
Ty works to develop content and automate “live” security test frameworks for various test methodologies, such as next-generation firewall and next-generation intrusion prevention systems. In general, the team looks to further improve the quality of NSS Labs’ testing.
BEYOND WORK: It wasn’t too long ago that Ty was running marathons and competing in triathlons but since purchasing a fixer-upper in central Austin, he’s been spending his spare time working around the house and hanging out with family.
Tell us about a project or challenge you’re working on. How are you solving it
Evasions testing. We developed an automated test framework in-house that we call Evader++ that simulates actual attacks using live “victims” and “attackers.” Current evasions categories include HTTP, HTML and network evasions, along with resilience and combination categories. You basically feed Evader++ an exploit, and it mutates it into dozens or even hundreds of ways depending on the categories selected. For defensibility, we deliver payloads that provide absolute proof of exploitation, automatically take packet captures of each attack attempt, and record timestamps and IP addresses that can be compared with product event logs.
It’s a virtualized environment, so we’re able to quickly add attackers and victims or additional test lanes. And since it was developed in-house, we have complete autonomy and control. We can modularly add categories and toolkits and easily add or change things like exploits used, payloads, post-exploitation activity and TCP or UDP ports over which attacks are delivered. This framework has been extremely effective in our testing, and we are continuing to expand its capabilities.
We’re essentially doing everything you would do as a nation state or criminal — without having to worry about going to prison — with security products as our adversary and ultimately helping to advance and improve the quality of cybersecurity product offerings.”
Cybersecurity seems to be an ever-evolving field. How do you and the team at NSS Labs stay ahead of the curve?
Continuous threat research is part of the job and essential to the production of relevant and impactful content for testing. There are ebbs and flows with our various methodology test cycles and associated content deliverables, so there are opportunities to step back and take a broad view of the threat landscape between particular technologies. During testing of a specific platform, we gain insight into a variety of different vendor solutions — like which are most effective and how and why — and have an opportunity to interact with the vendor developers and engineers who are on the cybersecurity front lines creating and implementing these solutions.
What excites you about working at NSS Labs?
Where else can you get paid to continually do threat research, develop attacks and test them against virtually every security product on the market? We’re essentially doing everything you would do as a nation state or criminal — without having to worry about going to prison — with security products as our adversary and ultimately helping to advance and improve the quality of cybersecurity product offerings.
Jason Pappalexis, Managing Director of Enterprise Architecture Research Group
Jason has had several roles at NSS Labs, but he currently oversees a team that analyzes data coming out of the company’s testing and research programs and communicates it to their enterprise clients.
BEYOND WORK: Jason enjoys spending time with family, repairing classic cars, woodworking, metalworking, reading, running and mountain biking — but “not all at the same time,” he says.
Your team develops research that guides your enterprise clients and testing methodologies. Can you lead us through how that process has played out from start to finish?
We recently completed a product selection inquiry motion with a client involved in swapping out an endpoint protection product. We were involved from the beginning — from request for proposal development to response review to recommendations, you name it. It was satisfying to see it play out, bring people together internally, and have aha moments together.
Describe your ideal candidate. What characteristics or skills do they possess?
They have real-world practical experience administrating cybersecurity technologies for an enterprise-grade organization, as well as a willingness to go the last mile, dedication to accuracy, willingness to stretch and learn, and excitement for the cause. They inherently understand that presentation is as important as content and be willing to complete all steps to achieve your goal. A positive attitude is a huge component of what I look for in a candidate.
We were involved from the beginning — from request for proposal development to response review to recommendations, you name it. It was satisfying to see it play out, bring people together internally, and have aha moments together.”
What kinds of collaboration takes place on your team?
We share insight frequently, whether that be through chat clients, hall conversations, during weekly team meetings or even at the lunch table. If team members have different opinions on how to solve technical challenges, we’ll have round table discussions where everybody has an opportunity to talk.
John Whetstone, Domain Manager, Security Architect – Cloud
As the domain manager for cloud security testing at NSS Labs, John is responsible for the design and execution of NSS Labs’ test plan as it relates to cloud security products.
BEYOND WORK: John is typically accompanied by his daughters on freshwater kayak fishing excursions, which is a constant teaching and learning experience. “My youngest is quick to let me know that her fishing skills are superior to mine,” John says.
Can you speak to the importance of cybersecurity in today’s world?
I think you can gain a pretty clear picture of the importance of cybersecurity simply by turning on the news or reading the paper. Breaches are occurring weekly, if not daily, and the World Economic Forum estimates global losses due to cybercrime are $500 billion. These losses are expected to reach $3 trillion by 2020. Cleary, we’ve got our work cut out for ourselves.
You recently transitioned within the cloud security team at NSS Labs. Does that speak to the kinds of growth opportunities available for the team at NSS Labs?
Absolutely — I’ve seen quite a few of my coworkers’ transition into different roles here at NSS Labs. I think leadership does a great job of allowing people to move into new positions based on their experience with a certain technology or their willingness to learn something new.
Technology aside, I’m always impressed with the emphasis the company puts on finding a balance between your work life and your personal life.”
What excites you about working at NSS Labs? How is it different from anything you’ve done prior?
NSS Labs has been a great place to spend the last three years. I’m constantly presented with new opportunities to learn and better myself through my research or hands-on experience with new technologies. Technology aside, I’m always impressed with the emphasis the company puts on finding a balance between your work life and your personal life. The company’s unlimited PTO policy is an example of this — you can get your work done and go have fun.
Where do you see the industry of cybersecurity going in the next several years? Where does NSS Labs fit within that shift?
The cybersecurity industry is going in a lot of different directions right now, with cybersecurity products becoming increasingly more complicated for enterprise security professionals to select and implement. NSS Labs’ product testing and research aims to arm security leaders and practitioners with the information they need to select the right technology for the job.