Identity has become the Gordian knot of cybersecurity. Threat actors no longer need to break in. They log in. As organizations manage increasingly complex ecosystems spanning cloud, on-premises, and hybrid environments, the challenge isn’t just understanding who has access to what. It’s about understanding how an attacker could chain together seemingly innocent permissions to escalate from an initially compromised user to full environment control.
The problem is compounded by privilege creep, where employees accumulate access over time as roles change and exceptions pile up without systematic review. Traditional security tools excel at protecting identities at rest or governing access for individual users. Still, they often miss the needle in the haystack: the cascading attack paths that adversaries actively exploit.
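The permission chaining described above, as an added illustration that is not SpecterOps or Bloodhound code: a small directed graph of identities and resources joined by privilege edges, a path search from a compromised user to a critical asset, a ranking of "choke point" edges that carry the most paths, and a before/after count of paths when one edge is removed. All principal names, host names and edge labels are constructed for the example.

```python
"""Toy attack-path analysis over an identity/privilege graph.

Constructed example written for this page; it is not SpecterOps or
Bloodhound code. Principal names and edge labels below are invented.
"""
from collections import defaultdict

# Directed privilege edges (source, privilege, target). Constructed sample:
# an "innocent" help-desk right plus a stale logon session chain into
# control of the Domain Admins group.
EDGES = [
    ("alice", "MemberOf", "HelpDesk"),
    ("HelpDesk", "ResetPassword", "svc_backup"),
    ("svc_backup", "AdminTo", "FILESRV01"),
    ("FILESRV01", "HasSession", "bob"),        # bob's credentials are cached on this host
    ("bob", "MemberOf", "ServerOps"),
    ("ServerOps", "GenericAll", "Domain Admins"),
    ("alice", "MemberOf", "Staff"),
    ("Staff", "CanRDP", "WKSTN07"),
    ("WKSTN07", "HasSession", "carol"),
    ("carol", "MemberOf", "ServerOps"),
    ("dave", "MemberOf", "Staff"),
]
CRITICAL_ASSET = "Domain Admins"


def build_graph(edges):
    """Adjacency list: node -> [(privilege, target), ...]."""
    graph = defaultdict(list)
    for src, priv, dst in edges:
        graph[src].append((priv, dst))
    return graph


def find_attack_paths(graph, start, target, max_depth=8):
    """All simple paths from start to target, each a list of edge triples."""
    paths = []
    stack = [(start, [])]
    while stack:
        node, taken = stack.pop()
        if node == target:
            paths.append(taken)
            continue
        if len(taken) >= max_depth:
            continue
        on_path = {start} | {e[2] for e in taken}   # no revisiting a node
        for priv, nxt in graph.get(node, []):
            if nxt not in on_path:
                stack.append((nxt, taken + [(node, priv, nxt)]))
    return paths


def choke_points(graph, starts, target):
    """Edges ranked by how many attack paths (over all starts) they carry."""
    counts = defaultdict(int)
    for start in starts:
        for path in find_attack_paths(graph, start, target):
            for edge in path:
                counts[edge] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def simulate_fix(edges, removed_edge, starts, target):
    """Attack-path count before/after removing one edge, plus % reduction."""
    def total(edge_list):
        graph = build_graph(edge_list)
        return sum(len(find_attack_paths(graph, s, target)) for s in starts)

    before = total(edges)
    after = total([e for e in edges if e != removed_edge])
    pct = round(100.0 * (before - after) / before, 1) if before else 0.0
    return before, after, pct


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for path in find_attack_paths(graph, "alice", CRITICAL_ASSET):
        print(" -> ".join(f"{s} [{p}]" for s, p, _ in path) + f" -> {CRITICAL_ASSET}")
    print("choke points:", choke_points(graph, ["alice", "dave"], CRITICAL_ASSET)[:3])
    print("remove Staff->WKSTN07:",
          simulate_fix(EDGES, ("Staff", "CanRDP", "WKSTN07"), ["alice", "dave"], CRITICAL_ASSET))
```

Run stand-alone it prints both routes from `alice` to the critical group, ranks the `ServerOps -> Domain Admins` edge as the choke point every path crosses, and shows that cutting a single mid-path edge removes two of the three paths. The point a defender takes from it is that the per-principal view ("what does alice have?") shows only a help-desk group and an RDP right; the risk is only visible once edges are composed into a path, and the cheapest fix is the edge shared by the most paths rather than the first one found.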
In this episode, Justin Kohler, chief product officer at SpecterOps, explains how Bloodhound Enterprise addresses these challenges by proactively uncovering and eliminating attack paths before adversaries can exploit them. Joining him are Angela Williams, SVP and CISO at UL Solutions, and Brett Conlon, CISO at American Century Investments.
Want to know:
- Why does identity security remain such a persistent challenge for organizations?
- What does attack path management actually do, compared with traditional identity governance tools?
- How does Bloodhound Enterprise complement other solutions in your stack?
- How to visualize and prioritize the attack paths that matter most?
- What emerging identity-based threats should CISOs prioritize over the next 12 months?
- How has the definition of “identity” evolved beyond just human users?
- Can continuous attack path mapping keep pace with dynamic cloud environments?
Check out the episode for the answers you need.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, SpecterOps

Full Transcript
[Voiceover] Connecting security solutions with security leaders, Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. I’m your host Rich Stroffolino, and today we’re going to be talking about Bloodhound Enterprise from SpecterOps and what they’re doing in attack path management. Now the problem that they’re addressing, it is becoming increasingly relevant, it’s identity security and trying to get a handle on that.
That seems to be the Gordian knot in the industry right now. Helping us ask and get some answers to what SpecterOps is doing is Angela Williams, SVP and CISO over at UL Solutions, and Brett Conlon, CISO at American Century Investments. Angela, I’m going to start with you.
Why are we still struggling with identity security?
[Angela Williams] Well, in my opinion, identity is where the source of problems in security starts. Threat actors are always on the hunt to compromise credentials in order for them to gain access into an environment. And with the ecosystem that we have to manage, with the cloud, whether it’s on-prem, whether it is, I’ll call it agent identities, it just makes the whole landscape very complex.
And so, managing and being able to have a great sense of governance around who has what and what does that access have access to is just crucial as a part of a CISO’s role.
[Rich Stroffolino] Brett, do you agree with that? Why are we still struggling with identity security?
[Brett Conlon] I do. And to add to that, I think that what we’ve seen is over time, we have privilege creep and complexity. Employees are accumulating access, their role changes, they get to new projects, they have one-off exceptions, and there’s no real systematic review around that.
So, as time has gone on, you’ve now got cloud, you have SaaS, you have hybrid environments, you have on-prem environments, and with that sprawl, we’ve just seen that the attackers have gone after that and said, “I don’t even need to break in anymore, I will just log in using stolen, misconfigured, or overprivileged accounts.”
[Rich Stroffolino] Well, I feel properly scared now. This problem seems horrible. So, let’s try and get some answers and figure out what we can do about it because today, we’re going to be talking with Justin Kohler, chief product officer over at SpecterOps.
Now Justin, we got a tall order for you. We need some preliminaries about what you guys are doing, so can you help explain the value of what Bloodhound Enterprise is doing for a CEO, what does your solution do, what does it not do, and what is the pricing model?
Can you give us these preliminaries?
[Justin Kohler] Yeah, so Bloodhound Enterprise helps you see and eliminate attack paths before the adversary can exploit them. So think of your organization like a map of the United States. So instead of cities connected by roads, it’s identities and resources connected by privileges and user behaviors.
And just like Google could find a route from LA to New York, attackers use attack paths to traverse like an initially phished user to full control of the environment and a deployment of ransomware. So, Bloodhound Enterprise uncovers those hidden routes and shows you how you can shut them down at scale and protect critical assets.
What do we do versus what we don’t do? We do proactive prevention, so eliminate that opportunity. We don’t do detection. So, find an attacker as they’re traversing through your environment. You probably have enough detections as it is today. What’s our pricing model?
We charge annually based on the employees at the company, and we don’t care how many identities are behind those so service accounts, NHIs, that kind of thing. We don’t penalize you for that.
[Rich Stroffolino] All right. Well, CISOs, we’ve gotten a little taste of the solution. I’m sure you’ve got a lot of questions. Brett, I’m going to start with you. What other questions do you have for Justin about what they’re doing at SpecterOps?
[Brett Conlon] Sure. So, let’s just start with obviously, it’s focusing on identity attack path management, so I need to know if this complements or replaces tools in my stack and how it addresses gaps in identity-based attacks that tools like SailPoint or CyberArk might miss.
[Justin Kohler] Oh, perfect, okay. It’s usually a complementary solution. It might be a replacement in certain scenarios. So, let’s take SailPoint, for example. SailPoint is excellent at understanding a specific identity and what they might have access to.
And most IGA tools are like that. The problem comes in when one user, I don’t necessarily care what one user has access to right now as an attacker, I care about how I can turn that control into control of a different identity. So maybe I can reset the password of this identity, and then what does that identity allow me to do?
So, it’s typically not like a single or a siloed view. It’s kind of that full comprehensive path and figuring out basically the needle in the haystack you need to worry about. On CyberArk, CyberArk is amazing at protecting what we call identities at rest you haven’t authenticated yet.
Once you log into your computer, there’s credential material that attackers usually abuse, so we show you that attack activity too. So, we just strengthen your PAM deployment.
[Rich Stroffolino] All right Angela, what questions do you have about SpecterOps?
[Angela Williams] So, how far back does SpecterOps go when it looks at that attack path? Is it within the last 30 days, can it go back almost a year?
[Justin Kohler] So, in the attack path, we give you a current view of your environment. So, we’re not like an investigation platform, although our customers have asked us, and probably we’ll build that at some point. But we’re looking at what exists today.
We can show you how many attack paths you’ve removed from the environment over the life of your account with SpecterOps, so that’s usually good for remediation. You know, how much risk have we impacted over time. But we don’t like say, “This is the state of the environment a year ago,” and then like how you would look at a path, if that makes any sense.
[Angela Williams] Yeah. I was actually also trying to think through, if it can find the attack path, which sounds like network crawling almost, but it goes from system to system, in the event that I don’t know in real time, is there the opportunity to go backwards?
Maybe from a recording of an access being used, to identify what was the path traversed to get from one system to the next system?
[Justin Kohler] So, we have been pulled into certain incident response engagements as a what did the attacker have access to. We’ve analyzed their initial foothold and said, “What could they do with the environment?” And actually, our primary value prop is removing the attacker’s ability to move throughout the environment.
Again, shut attack paths down. But on the SOC workflow side, a lot of times you might have an alert that comes in, and you don’t know how bad that is. You don’t know how privileged that identity is maybe, or maybe you don’t know how that could turn into control of more identities and traverse through the environment.
So, that’s another supplementary use case that usually our customers entertain.
[Angela Williams] How intuitive is the solution? If I throw a team at this and say, “Hey, this is going to help you figure out identity attack paths,” how intuitive is it?
[Justin Kohler] I’d say Bloodhound, if you’re familiar with the open source tool, Bloodhound?
[Brett Conlon] Yeah.
[Justin Kohler] So, we created that, and I think part of how intuitive it was was because it was visual in nature. Bloodhound allowed people to tell a story of how I went from this user to control of your environment visually, versus like a report and it’s all narrative and you’re trying to make sense of it in your head, “Wait, what did they do?” So, Bloodhound, it just kind of explains all those permissions in a visual map, and honestly, we have IT administrators that are like, “Oh, I can understand this system because it draws it out for me.” So, I think it is very intuitive, when you get to it.
It’s just like Google Maps, honestly.
[Brett Conlon] Let me just follow up with that. Attack paths are evolving, right, as the environments change. So how does Bloodhound continuous mapping sort of keep up with dynamic cloud identities and ephemeral workloads without overwhelming the team with alerts?
[Justin Kohler] Yeah, so when we’re trying to protect critical assets, what we’re trying to remove is the ability for… There’s paths all across your environment, and really what we want to shut down is access to your super admin layer or your business-critical layer.
So, like if you’re an investment company, you might want to make sure that somebody can’t take your systems offline, so those super admins, or just take over a trading platform, so that’s a business layer. So, that’s typically what we focus on, so then we’re focused on the what we call choke points.
So, back to my map analogy, think of like Manhattan is an island. I’m going to show you all the bridges into Manhattan and show you how to shut those down. Now, I’m just showing you what best practice has been telling you to do for decades – separate your users from admins – but it’s just buried, like you mentioned, like temporary one-off accepted permissions that sound fine in a silo, but they cascade in crazy ways that we find out in breach reports.
[Angela Williams] I have a question. How would you define identity? We’ve traditionally thought about identity from a person with an account, but in today’s age, identity is beyond just a person. So, how are you defining identity as a part of this solution?
[Justin Kohler] [Laughter] It’s funny. Those of us that have been in this industry, when the term non-human identity got thrown around, I was like, “You mean service accounts?” Like come on. Like let’s not invent something that doesn’t actually exist.
But there is reality to that. I mean, every machine identity is an identity. It’s an identity that I can take over as an attacker and elevate my privilege. So, I can start as a low privilege identity in that system and assume the system identity. And so like when we think of identity, it’s how can I gain more and more privilege?
It’s any identity that gives me that. So like it could be a non-human identity like a service account or a service principal in Azure that’s running on an application. It could be a computer identity or a human identity.
[Brett Conlon] Do you have an example of maybe a critical attack path that Bloodhound uncovered in a real engagement that traditional security tools either missed or didn’t have the right information for the team to act on? And then how did that change the client’s defensive strategy?
[Justin Kohler] I’d say every time we deploy. I used to tell this, so we launched in 2021, and people have been using Bloodhound for years, but we would light up Bloodhound Enterprise, and it was almost like a therapy session. And everybody’s like, “Oh, my gosh.
Is everybody this bad?” and I was like, “Yeah, don’t worry about it.” Like this is 20 years of technical debt that you’re just now shining a light on, I’m trying to think of specific scenarios where I can give you like specifics that wouldn’t lead into the company, but I will tell you that our customers usually can make really quick work of these attack paths.
Again, if you can see it, you can focus on it, and you’re not like kind of blindly working around like random misconfigurations. You’re focusing on what matters.
Our average is like 30% risk reduction. I quantify that by how many attack paths to those critical assets exist when we deploy versus when we like finish a trial or a 30-day period. And usually people make really good work of that, but it’s that continuous process.
And that’s what we’re trying to get into customers’ minds is your environment is always changing, and you’re bolting on new platforms to your identities, you’re acquiring new companies or divesting new companies, and so this picture always changes, and you want to understand what that picture is before the attacker does and uses it against you.
[Angela Williams] Now, where does Bloodhound sit in the ecosystem itself? Is it a solution that is being executed as a part of, let’s say, vulnerability scanning? So, you’re looking at attack path from that perspective. Or is it a part of the ecosystem between two systems in order for you to have valid decision-making based upon now new information that’s been uncovered?
[Justin Kohler] That’s a great question. So, Bloodhound was used ubiquitously by red teams, so initially when we launched, all the red teams from internal companies, like it started asking us a bunch of questions. Really where I think it sits is somewhere in a vulnerability management or identity workflow.
So, it depends on if identity rolls up to the CISO. If it does, I think it belongs on that team, right? You need to understand the misconfigurations that are leading to risk within the environment. But it is very vulnerability management-esque or posture management or exposure management.
A lot of people are still really focused on the systems and hosts when they think of exposure or vulnerability management, not the identity. So, that’s what we’re trying to bring to the forefront because this is… Honestly, the other half of SpecterOps that doesn’t work on Bloodhound Enterprise breaks into companies, and this is how we break into companies.
By “breaking in,” I mean pentesting.
[Laughter]
[Justin Kohler] I didn’t mean that actually maliciously breaking in.
[Laughter]
[Angela Williams] We read between the lines there. [Laughter]
[Justin Kohler] Yeah.
[Rich Stroffolino] All right, we’ve got time for one more question.
[Brett Conlon] What’s one emerging identity-based threat that you think CISOs should prioritize over the next 12 months, and how is Bloodhound evolving to stay ahead of it?
[Justin Kohler] I want to do two, but that’s probably unfair. I’d say everybody’s focused on the explosion of AI and the identities that are going to have to power that. So, this problem’s going to get really bad and we’re hyperconnecting our identity platforms to SSO and everything.
So, starting first and having some focus on this problem. Like you’re going to like that you’ve had it for 12 months because at that point, you’re I don’t want to say too late because I don’t want to fear factor, but like it’s going to get really hard to catch up.
I’d say the thing that I always start educating CISOs on is back to privileged access management. Things like PAM and MFA and conditional access and all of those features are amazing tools, but once you log in, their job is done. Like, I can take advantage of your login session, and I can replay that and now I am you, even if I have to do it from your laptop.
So, understanding where that risk is in the form of an attack path makes you make better decisions about the risk in your environment.
[Rich Stroffolino] All right. Well, Justin, we’ve covered a wide gamut of questions here from the definition of identity going all the way to kind of the end customer, kind of talking about those journeys there. Really great stuff, but what’s one thing we didn’t ask about that we need to know?
[Justin Kohler] Well, a lot of people know Bloodhound as a Microsoft-centric tool, so whether that be historically, first version was Active Directory, and then we added Entra ID Azure. We now recently in August opened that completely up. So, now we have early models for things like Ping, GCP, AWS, 1Password, GitHub, like the world’s your oyster.
Because again, anywhere where you have identities, this problem is going to repeat itself. So, if you’re like, “Hey, I’ve looked at Bloodhound, but I’m not in a Microsoft-centric environment,” it might be time to look at us again.
[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head to Specterops.io. And if you have any feedback for this show, send it to us, feedback@CISOseries.com. A huge thanks to Angela and Brett for helping us learn more about what SpecterOps is doing, and a big thank you to Justin for your time and being game to answer all of these questions.
And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.