I am always on the lookout for new, innovative tools, especially ones that break new ground in the cybersecurity fight. At a recent conference I ran across a tool that does that – Verodin – but not in the typical “detect” or “protect” roles that most security tools fall into. Instead, Verodin provides evidence-based, continuous validation that the controls you employ for your enterprise are present and working. It also allows the CISO to step back, evaluate his or her security posture for gaps, and prioritize investments. I regard this type of capability as comprising a new and unique category of tools – one that the industry is starting to call “security instrumentation platforms.” Learn more about this new type of tool from Verodin’s Chief Strategy Officer and evangelist – Major General Earl Matthews – a retired USAF general who got started in security at a young age and made it a key part of his career in the Air Force. His excitement about this new capability was quite evident in my discussions with him. You can also check out the podcast, where General Matthews and I go into more depth on this technology and other cyber topics.

Spotlight on Major General Earl Matthews (USAF Ret.)

» Title: Chief Strategy Officer, Verodin

» Website: https://www.verodin.com

» LinkedIn: linkedin.com/in/earlmatthews

Read his bio below.


Chris Daly, Active Cyber™: Verodin is making itself known as a “Security Instrumentation Platform” or SIP. What is a “security instrumentation platform” and how does it add value to an already crowded mix of security tools that are operated by an enterprise?

Major General Earl Matthews (Ret.), Chief Strategy Officer, Verodin: First and foremost, we are not a defensive security tool. Until the onset of platforms like the Verodin Security Instrumentation Platform, or SIP, even with the best tools and the best people, it was almost impossible to validate security controls with any level of empirical evidence on an automated, continuous basis. CISOs had to rely on an audit or pentest, but these only provided a snapshot in time. As such, security was, and still is in many cases, assumption-based in regard to how effective security tools are in production across measures like prevention, detection, and correlation. Basing security on assumptions instead of evidence is one of the main causes of reduced value from security tools and reduced overall security effectiveness.

Verodin SIP’s ongoing approach addresses this specifically, since instrumentation isn’t about highlighting that only 20 percent of your security is effective—it’s about getting the other 80 percent right and keeping it there. The platform instruments customer IT environments to test the effectiveness of network, endpoint, email and cloud controls. Verodin SIP continuously executes tests and analyzes the results to proactively alert on drift from a known-good baseline and validate control configuration. The platform provides evidence demonstrating whether a customer’s controls are actually delivering the desired business outcomes — or whether they are exposing them to risk.

Active Cyber™: What are the critical business needs addressed by the Verodin solution?

MG Matthews: There are four critical needs:

1. Controls effectiveness – It is critical that businesses have evidence that the controls protecting their critical assets are effective and remain so. Don’t assume controls are working correctly.

2. Optimize & rationalize – It is time to pause and replace assumptions with evidence. Leverage instrumentation to optimize existing controls and rationalize true gaps and overlap before continuing with the next product purchase or resource-intensive project.

3. Environmental drift detection – A fundamental challenge for cybersecurity is that it is burdened with the responsibility of protecting the environment without the corresponding authority to control it. As new systems and applications come into play, the security stack can be affected. Environmental drift detection ensures controls are measured and optimized on an ongoing basis.

4. Understanding risk – The disconnect between an organization’s cybersecurity assumptions and its true posture is generally so vast that any discussion around “cyber risk” is premature. Remove assumptions and validate effectiveness.

Active Cyber™: What is “environmental drift,” why is it detrimental to IT operations, and how does Verodin help enterprises remedy this drift?

MG Matthews: The IT Operational environment is dynamic. With changes to IT and networks, the environment is never going to be the same as it was the previous day. Even in organizations with rigorous change management processes, all parties must fully understand the scope of a change, clearly communicate its impact and ultimately execute on it with 100 percent perfection.

Verodin SIP allows users to constantly test their environment and know if a security control that has been put in place is no longer functioning because of a change — whether known or unknown — with the use of Verodin monitors. It’s a true game-changer.
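The two ideas above, continuously re-running control tests and alerting on drift from a known-good baseline, can be illustrated with a small added example. This is not Verodin’s code; the test names, the three prevent/detect/alert outcomes per test, and the sample results are constructed for illustration.

```python
# Added example (not Verodin's code): diff a run of control-validation
# results against a known-good baseline and report regressions as drift.
from dataclasses import dataclass

OUTCOMES = ("prevented", "detected", "alerted")

@dataclass(frozen=True)
class Result:
    test: str        # constructed test name, e.g. "mail-macro-attachment"
    prevented: bool  # did the control block the simulated action?
    detected: bool   # did a sensor record it?
    alerted: bool    # did an alert reach the SOC?

def find_drift(baseline, current):
    """Return (test, outcome) pairs that passed in the baseline but not now.
    A test absent from the current run is reported as (test, "missing"):
    no evidence is itself drift."""
    cur = {r.test: r for r in current}
    drift = []
    for b in baseline:
        c = cur.get(b.test)
        if c is None:
            drift.append((b.test, "missing"))
            continue
        drift.extend((b.test, o) for o in OUTCOMES
                     if getattr(b, o) and not getattr(c, o))
    return drift

def coverage(results):
    """Fraction of (test, outcome) pairs that passed, from 0.0 to 1.0."""
    total = len(results) * len(OUTCOMES)
    passed = sum(getattr(r, o) for r in results for o in OUTCOMES)
    return passed / total if total else 0.0

# Constructed sample data: baseline captured after tuning, then a later run.
BASELINE = [
    Result("mail-macro-attachment", True, True, True),
    Result("egress-dns-tunnel", False, True, True),   # detect-only by design
    Result("endpoint-credential-access", True, True, True),
]
CURRENT = [
    Result("mail-macro-attachment", True, True, False),  # alert rule disabled
    Result("endpoint-credential-access", True, True, True),
]  # "egress-dns-tunnel" did not run: its monitor host was decommissioned

if __name__ == "__main__":
    for test, outcome in find_drift(BASELINE, CURRENT):
        print(f"DRIFT {test}: {outcome}")
    print(f"coverage {coverage(BASELINE):.0%} -> {coverage(CURRENT):.0%}")
```

Note that the drop in coverage alone would look harmless (89 percent to 83 percent); the per-test diff is what surfaces the silently disabled alert rule and the test that produced no evidence at all.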

Active Cyber™: From your perspective gained through your background and experience in the cyber corps of DoD, what excites you the most about the possibilities that the Verodin solution provides?

MG Matthews: I’ve seen us get better overall on detection capabilities and dwell rates once the enemy has penetrated our networks. However, the same two problems exist – namely, cyber-hygiene issues and the email threat vector. Since 2004, I’ve been speaking about the ever-growing amount of money being spent and the number of products that an organization needs to combat this ever-growing threat. What excites me most about the Verodin platform is that for the first time, CISOs can actually have quantifiable data on a continuous basis knowing that their security controls are being validated and working as they think they should be. Having the ability to actually start measuring how the security products in an environment are performing and determining if a company actually needs them all is critical to overall operations. Then, security professionals can actually start reducing the complexity in security and improve their overall defenses, process and people by increasing ROI through data.

Active Cyber™: What is the Threat Actor Assurance Program developed by Verodin and others, and how can it be used to validate cybersecurity effectiveness? How does it leverage the MITRE ATT&CK model? Who are the other players in the program and how do they contribute?

MG Matthews: At RSA 2019 we introduced our new Threat Actor Assurance Program (TAAP), which combines industry-leading threat intelligence from a number of industry partners with Verodin’s proven capability to validate cybersecurity effectiveness. This program delivers actionable intelligence on how an organization’s defenses will perform against the threat actors specifically targeting them.

As part of the program, we are planning to introduce our new Threat Actor Assurance Module (TAAM), which will provide customers with the ability to determine if threat actors can get through their defenses before the actual attack by making threat intelligence actionable. TAAM will validate a customer’s defensive stack’s capabilities to prevent, detect, and alert on both indicators of compromise and tactics, techniques, and procedures (TTPs) – including the MITRE ATT&CK™ framework.

Organizations using Verodin TAAM will also be able to determine if they have gaps in control visibility or misconfigurations that could aid in a threat actor compromise. Once an organization has a baseline understanding of their coverage, they can tune and optimize their security stack to reach a higher level of assurance. This capability extends the functionality of the Verodin MITRE ATT&CK module, launched in August 2018.

Active Cyber™: How does Verodin help to collaborate across functional silos such as dev and ops or network and systems operations centers while managing the effectiveness of security controls of the enterprise?

MG Matthews: This is all about RISK. In every other risk discipline (finance, HR, operations, manufacturing) that an enterprise is managing, there are hard, quantifiable bits of information that you use to tell if you are making progress. Security instrumentation gives us that quantifiable insight into where we need to invest our time, money and people.

Many organizations buy a security product based on a specific business goal with no real validation of whether the control is accomplishing what it’s supposed to. They then use this list of controls to make broad statements around risk with no understanding of what each control is actually doing. For example, there is a call to “protect customer data,” so funds are approved for a DLP, which then gets implemented in alerting-only mode. The desire to stop malware and “advanced threat behaviors” generates funds to purchase a Next Generation Firewall (NGFW), which only actually blocks 25 percent of the things it is marketed to do out-of-the-box.

Simply owning a technology means nothing. Technology effectiveness and configuration must be validated, continuously.

Active Cyber™: Cyber resiliency, which involves the ability to safely and securely operate in a degraded mode, is the new buzzword, especially when it comes to IoT and Industrial control systems. How does Verodin account for the measures of resiliency, including safety instrumented systems, as it looks to extend its capabilities to these emerging market segments?

MG Matthews: Verodin’s mission is all about furthering the concept and frameworks behind Cyber Resilience. The concept of Cyber Resiliency is gaining traction because it brings InfoSec and business continuity together. Blending these concepts improves an organization’s ability to operate despite adverse cyber events. If executed properly, Cyber Resiliency frameworks enable organizations to manage information security more like traditional business units.

Active Cyber™: Congratulations on your recent acquisition by FireEye. What type of synergy should customers expect to find as a result of the acquisition? What changes will there be for Verodin as a result of the acquisition?

MG Matthews: Every day, FireEye is on the frontlines of cyber attacks with the same mission as Verodin – to relentlessly protect organizations from the threats that are targeting them. Every day, FireEye Mandiant consultants witness first-hand the world’s most massive breaches that have resulted from exploited, misconfigured or disabled security technologies. The Verodin platform was purpose-built to expose these gaps, which has positioned Verodin as a strong complement to the existing cybersecurity products and technology-enabled services FireEye brings to the table.

By incorporating FireEye frontline intelligence and leading incident response expertise, Verodin SIP will allow organizations to test security environments against both publicly known and newly discovered threats to identify risks in security controls before a breach occurs. By bringing our two organizations together, we will be able to scale our development, quality assurance, customer support, and sales teams with the global reach and extensive resources of FireEye. Our combined goal is to continuously improve our customers’ ability to rapidly adapt defenses to the evolving threat landscape.

The integration of the Verodin platform and FireEye’s technology, intelligence and expertise significantly enhances FireEye’s ability to relentlessly protect our customers. Equipped with FireEye’s leading expertise and frontline intelligence, the Verodin platform tests customers’ security environments against both publicly known and newly discovered threats.

This proactive, repeatable and measurable approach will allow customers to identify risks in their security controls before a breach occurs and orchestrate the processes needed to optimize their defense. The combination of FireEye and Verodin will empower customers to rapidly adapt their defense to the evolving threat landscape, while also maximizing ROI from their security investments. Further, having FireEye customers use the Verodin platform will help to automate their security effectiveness testing and ensure that they are constantly getting the most out of their investments.


Thank you, MG Matthews, for this informative overview of Verodin’s ground-breaking security instrumentation capability. Providing evidence that security controls are in place and working, like that offered by Verodin, is a must-have feature for any CISO given the high visibility of cyber attacks and the pressure on corporate boards to show due diligence in the area of cybersecurity risk management. I believe that the security instrumentation market is about to take off, and Verodin seems to be well-positioned with FireEye to take advantage of this uptick. I look forward to hearing more about Verodin’s continued success in the market. And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback, because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.

About Major General Earl Matthews (USAF Ret.)

Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead large-scale, diverse, global organizations that operate, extend, maintain and defend global networks. He has earned a reputation as a motivational leader and change agent focused on delivering technical innovations that resolve complex challenges.