Skip to main content
close search
site logo

How Verizon Media beefs up cybersecurity with red teams and bounties

CISO Chris Nims looks for a security team that "doesn't grade its own homework."

Published March 1, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Verizon

By and large, security teams prioritize software patches for the rest of the company while it's up to individual departments to deploy them.

Still, when something goes wrong, the security team is the first to shoulder the blame. 

Traditional cyber defense organizations are usually comprised of "folks that have the great privilege of being woken up at 2 a.m. on a Sunday morning because something is happening," said Chris Nims, CISO of Verizon Media, in an interview with CIO Dive.

Even with a diverse cybersecurity workforce, security teams can often feel the burden of skill gaps, a lack of outside eyes or extra backup. The companies that can't hire the people that think like hackers can outsource to ones that do — enter bug bounty programs. 

Go for red

Companies as large as Verizon Media have a broad attack surface, presenting numerous opportunities for malicious activity. In the name of defense, bug bounty programs are meant to complement in-house security teams. 

Nims looks for a security team that "doesn't grade its own homework," he said. Though there are frameworks like NIST, Nims never wants to assume following those guidelines is adequate. 

The companies that can't hire the people that think like hackers can outsource to ones that do — enter bug bounty programs.

Formal frameworks give security experts a common language so they can share industry best practices but "kind of fall into the category that I consider necessary but insufficient," Nims said. The solution for the gaps in frameworks is a "red team" where there's an intersection of security capabilities.

Nims tells his security organization to always challenge assumptions. This means, just because a software update was deployed doesn't mean potential exploits have been eliminated. Challenging assumptions leaves space for healthy skepticism. 

Companies can assume the antivirus software they put on employee laptops will be sufficient for detecting malware. The red team tests those assumptions. 

In addition to Verizon Media's bug bounty program, its red team is "a team of folks that behave as our adversaries behave," Nims said. "Their job is super fun because they attack the company all day long, that's all they do." 

The red team will drop malware on an employee's device to see if the security organization can actually find it. Other scenarios take months, requiring the team to take on the persona of a particular adversary, from a specific country, with outlined objectives to achieve. 

From there, Nims can assess if Verizon Media's cyber defense team detected the malware, how long it took and what can be done to expedite detection. "If our cyber defense team can catch our red team, then in theory, we should catch a real adversary as well," Nims said.

Temptations of the dark side

Diversity of thought is welcomed and crucial in cybersecurity, and though hackers tend to get a bad reputation, many act in a just manner when hired by companies to test their systems.

Security teams have skill gaps and on occasion, bug bounty hackers act more like the red team than the red team itself, according to Deloitte Cyber Risk Services. 

"If our cyber defense team can catch our red team, then in theory, we should catch a real adversary as well."

Chris Nims

CISO of Verizon Media

"It is more a natural evolution of the security research community, which has undergone a transition from effectively back water emailing lists," according to a spokesperson for Deloitte Cyber Risk Services, and "into a cottage industry, into arguably an important part of a testing program with well recognized and maturing providers and evolving standards around their use." 

There are still risks companies run when using bug bounty programs. Hackers can effectively call out a company for failing to live up to expectations or if a hacker finds a vulnerability severe enough customers begin to question the integrity of a company's security, according to Deloitte Cyber Risk Services. 

There is also the question of internal fraud if an employee finds a vulnerability. Companies have to decide whether or not they can receive bug bounty compensation. Likewise, if a true bad actor were to join a bug bounty program, it is likely they will continue to act maliciously. 

However, "there's no incentive for hackers with malicious intent to participate in a bug bounty program," said Ben Sadeghipour, hacker and Hacker Operations lead at HackerOne, in an email to CIO Dive.

Most bug bounty programs have limitations on accessing data, like having an acceptable amount of data to convey a realistic impact, according to Deloitte Cyber Risk Services. 

If there is a case of disagreement between hackers and a company with a vulnerability disclosure program, HackerOne's operation team intervenes.

"Typically, it's not that one party hasn't played by the rules, it's usually a misunderstanding that can be quickly resolved, and this is something we can offer as the platform," Sadeghipour said.

Bounties are an industry affair 

Yahoo, a brand within the Verizon Media portfolio, started its public bug bounty program in 2013. A public bug bounty program allows anyone on the internet to go through the HackerOne platform to help companies scope vulnerabilities. 

Other brands owned by Verizon Media, like AOL, had invitation-only, private bug bounty programs accessible through HackerOne. AOL's program focused on specific products and applications in its portfolio.

Detection for even the slightest anomalies or abuse requires technology experts, engineers, software developers and members fluent in governance and compliance to oversee risk management.

Chris Nims

CISO of Verizon Media

But in April 2018, Verizon Media, then Oath, consolidated into a single program. By the end of the year, the company awarded $5 million in bounties, which is five times the amount awarded in 2017 and 10 times the amount paid in 2016.

Companies across sectors have vulnerability disclosure programs, including 21st Century FoxAirbnb and Google, which shelled out about $3 million in rewards and wishes hackers "happy hunting."

Detection for even the slightest anomalies or abuse requires technology experts, engineers, software developers and members fluent in governance and compliance to oversee risk management, though those are often considered less technical roles, Nims said

However, an in-house cyber team doesn't always suffice and outside eyes and ears can fill the gap. From organized crimes, hacktivists and nation-state sponsored attacks, companies have to be aware all kinds of threats and what eyes they have on their assets. 

Filed Under: IT Strategy, Security

Editors' picks

  • Google's headquarters
    Image attribution tooltip
    Justin Sullivan via Getty Images
    Image attribution tooltip

    Google ties billions in revenue this year to generative AI

    Alphabet CEO Sundar Pichai said underinvesting in the technology is a larger risk than overinvesting, as vendors pour resources into developing chips, models and infrastructure. 

    By Lindsey Wilkinson • July 24, 2024
  • A group of flags on flag poles stand underneath one large blue flag, which features a circle of gold stars in the middle.
    Image attribution tooltip
    Johannes Simon via Getty Images
    Image attribution tooltip

    The EU AI Act is here: What can CIOs expect?

    The act took effect Thursday, but enforcement deadlines are spread out through 2027. The act could have a similar global influence to GDPR.

    By Lindsey Wilkinson • Aug. 1, 2024

Company Announcements

View all | Post a press release
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
Editors' picks
  • Google's headquarters
    Image attribution tooltip
    Justin Sullivan via Getty Images
    Image attribution tooltip

    Google ties billions in revenue this year to generative AI

    Alphabet CEO Sundar Pichai said underinvesting in the technology is a larger risk than overinvesting, as vendors pour resources into developing chips, models and infrastructure. 

    By Lindsey Wilkinson • July 24, 2024
  • A group of flags on flag poles stand underneath one large blue flag, which features a circle of gold stars in the middle.
    Image attribution tooltip
    Johannes Simon via Getty Images
    Image attribution tooltip

    The EU AI Act is here: What can CIOs expect?

    The act took effect Thursday, but enforcement deadlines are spread out through 2027. The act could have a similar global influence to GDPR.

    By Lindsey Wilkinson • Aug. 1, 2024
Latest in IT Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell