TL;DR: Independent Security Evaluators (ISE) is a Baltimore-based security consulting firm dedicated to improving security posture through an adversary-centric perspective. The company’s team of analysts and developers provides threat models tailored to each client and driven by a commitment to quality, dedication, integrity, and education. With plans to create even more business advantages for customers, ISE is shaping the future of enterprise-grade digital security.
If your car was manufactured after 2007, it’s likely equipped with an engine immobilizer. The electronic security device, used as an anti-theft system, prevents the engine from starting without an authorized key that contains a transponder chip.
When first introduced to the market, this technology was widely considered impenetrable. But Johns Hopkins Ph.D. candidate Steve Bono and his colleagues begged to differ.
“When hacker-minded computer scientists hear bold claims like this, they will say, ‘Challenge accepted,’” said Ted Harrington, Steve’s business partner at Independent Security Evaluators (ISE). “So we immediately went out to study the system.”
It took a few weeks to reverse-engineer the cryptographic algorithms, and a couple more to build a prototype for a weaponized software radio. But before they knew it, the team started an immobilizer-equipped Ford Escape without an authentic key.
At first, Ford didn’t believe it was possible. But after verifying the action in person, the automaker took things seriously and fixed the problem.
“It became a major story — all types of media outlets wrote about it,” Ted said. “Soon, other companies came calling. They said, ‘You know how hackers think, work, and operate. Can you help us with a security challenge?’ That was essentially how ISE started 14 years ago.”
The company has grown into a firm of security consultants committed to protecting high-priority digital assets and performing groundbreaking research. The organization’s adversary-centric approach and comprehensive training models educate attendees on how to defend against modern threats using scientifically motivated techniques for improving security. Furthering its commitment to shaping the future of enterprise-grade security, ISE is currently exploring even more opportunities to help businesses improve application security.
Improving Security Posture Through Cutting-Edge Security Research
ISE’s earliest days as a company were spent in a lab at Johns Hopkins before the company purchased office space. Fast forward to today, and ISE is quite a bit more sophisticated but retains the same guiding sentiment.
“If someone asks what drives us,” Ted said, “it’s as simple as this: the relentless pursuit of better.”
This ethos applies throughout the organization, whether in reference to customers, internal personnel, or the company as a whole. “It’s why the company was founded, and it’s also why we have found success,” Ted said.
A decline in resistance to security research has made the job a bit easier over the years. Ted said that many companies used to react with disbelief or animosity when security researchers would disclose vulnerabilities. Some even sued. Today, the general perspective has shifted.
“Instead of suing, companies are becoming more collaborative,” he said. “There are still some that are hostile to security researchers, but it has come a long way. It’s a really positive evolution.”
As security becomes top of mind in industries around the world, companies are increasingly recognizing the value of talented security professionals. Ted said that ISE’s success is dependent upon its ability to hire incredibly smart people who can uncover potentially disastrous vulnerabilities.
“Major tech giants in Silicon Valley could hire the people who work for our company for astronomically higher salaries, but they choose to work for us,” he said. “Were it not for our ability to create a family-like culture defined by excellence, where people are always learning from each other, I don’t see any way we could have succeeded as we have, for as long as we have.”
Comprehensive Threat Models Tailored to Each Client
Ted told us threat modeling is the foundation upon which ISE builds its defense plans. The consulting firm works closely with its customers to understand their assets, adversaries, and attack surfaces, all of which inform how the organization should approach risk.
“We always start by trying to understand what the company does for whom and why,” he said. “Using threat models, we can not only help solve problems, but we can also dictate where the company should invest its resources in terms of trying to defend its assets.”
Ted told us that ISE differs from many security testers in that it helps companies not only identify flaws, but also fix them. “We’re engaged with the customer when it comes to both their mission and their business, so we’re able to help them fix the problem in the context of their business,” he said.
The next step is helping organizations earn the trust they deserve by being able to talk authentically and with authority to current and prospective customers about security — ultimately optimizing investments.
“The companies who get the most value from our services are the ones who are pursuing greatness in some way — trying to achieve their own idea of better,” Ted said. “That thinking typically carries over to how the customer thinks about security.”
Committed to Quality, Dedication, Integrity, and Education
Ted told us that education is also essential in moving the market forward.
“A large part of finding success in security is educating the people who need the services about what they actually need, and why,” he said. “But it’s not an indictment of those who don’t understand the difference between a penetration test and vulnerability assessment.”
ISE’s main offerings are security assessments, primarily application security assessments. “Apps are the future, driving the way business is done,” Ted said. “Keeping these critical applications secure is critical for the success of the business.”
ISE’s training programs also help attendees understand how to defend their organizations against contemporary adversaries through courses in a variety of formats. Classes are either standardized or custom, and they can be tailored to specific audiences, such as software developers, security professionals, and executives.
Private, instructor-led courses are available at ISE or the customer’s location. In addition, conference training is available in conjunction with an ISE conference.
ISE also offers custom hacking workshops complete with onsite instruction. These events gamify private security research on individual products to encourage collaboration among internal teams.
But education is just one of ISE’s core values. The company also espouses a solid ethical foundation; strives for perfection through accuracy, thoroughness, and clarity; and is dedicated to reliability. “We aim to succeed in our mission to achieve ‘better’ through a commitment to our core values of quality, dedication, integrity, and education,” Ted said.
Moving forward, ISE will leverage its robust research division to anticipate future threats, protect digital assets, and develop groundbreaking mitigation strategies.
“One of the things I think that we do pretty well is connect the dots when it comes to the things our customers tell us, what we see happening in the industry around the sectors we serve, and the evolution of technology — and then adapt to those types of things,” Ted said. “We’re always thinking about what’s next.”