IBM this week announced the creation of X-Force Red, a new elite security testing team made up of hundreds of security professionals based in dozens of locations around the world.
The new team will conduct penetration tests to try to uncover security vulnerabilities for IBM clients. Charles Henderson, a penetration testing expert and security professional with more than 20 years of experience in the information security industry, is the team’s leader.
In a blog post, Henderson, who is Global Head of Security Testing and X-Force Red for IBM Security, said he has been working on putting the X-Force Red team together since October of 2015.
“I’ve been involved with security testing long enough that creating one more pen testing team wouldn’t be very challenging or rewarding,” he said in his post. “This is different, mostly because of IBM’s unparalleled stature in technical innovation.”
IBM’s X-Force Red team consists of security experts and ethical hackers familiar with a variety of industries including healthcare, financial services, retail, manufacturing and the public sector. The team will focus its testing on four primary areas—applications, networks, hardware and the human resources that make up an organization’s workforce—to test for vulnerabilities.
“Security vulnerabilities are not always clearly defined or in the places that you would expect, so the insights and curiosity of human penetration testers are vital to a comprehensive testing program,” Henderson told eWEEK. “This is why we’re launching the X-Force Red team—to examine the human security vulnerabilities that attackers often use to break into systems.”
The team will conduct penetration testing and source code reviews on applications on web, mobile, mainframe and other key infrastructure platforms. The team will test internal, external, wireless and other networks. And they will test the broad array of endpoint devices, including testing internet of things (IoT) and wearable devices, point-of-sale systems, ATMs and even automotive systems.
In addition, the team will test human personnel for susceptibility to phishing, social engineering, ransomware, and physical security violations.
“IBM’s new X-Force Red team highlights the critical importance of taking a multi-dimensional approach to enterprise security,” said Charles King, principal analyst at Pund-IT. “They’re deeply knowledgeable in traditional security methodologies. But individual team members’ experience and creativity should deepen X-Force Red’s insights into security threats and enable nimbler effective responses.”
Overall, X-Force Red is a great example of how IBM continues to enhance and advance its already considerable efforts in enterprise security, King noted.
Those existing efforts include IBM X-Force Research, IBM X-Force Threat Intelligence, the IBM X-Force Exchange threat sharing platform, and the IBM Security AppScan security testing platform, all of which the X-Force Red team will use and share information with to improve those platforms.
“Having a machine scan your servers and source code is a great step to help prevent data breaches, but the human element of security testing cannot be overlooked,” Henderson said in a statement. “Elite human testers can learn how an environment works and create unique attacks using techniques even more sophisticated than what the criminals have.”
He added that IBM X-Force Red gives organizations the freedom to stay agile without creating blind spots in their “security posture.”
IBM is offering X-Force Red’s services in three models: individual projects, a subscription model and managed testing programs.
Moreover, “Vulnerability analytics are a key feature of X-Force Red’s offerings,” Henderson said in his post. “They help to prioritize and track work, identify security trends in your organization, map risks based on shared dependencies and much more. The data can come from any source: tests performed by IBM, vulnerabilities discovered by your own internal work or even issues documented by third-party tests.”
Moreover, Henderson said IBM knows that organization’s needs are always changing, so this team will provide security testing services in ways that are most effective.
“Similar to how a company may pull a service from the cloud, X-Force Red is set up to offer human security testing on demand,” he said.
Henderson also noted that many members of IBM’s new X-Force Red team are in Las Vegas this week for the Black Hat and DefCon hacker gatherings.