Your go-to mobile apps aren’t nearly as hackproof as you might like to believe.

Related: Fallout of T-Mobile hack

Hackers of modest skill routinely bypass legacy security measures, even two-factor authentication, with techniques such as overlay attacks. And hard data shows instances of such breaches on the rise.

I had an evocative conversation about this at RSA Conference 2023 with Asaf Ashkenazi, CEO of Verimatrix, a cybersecurity company headquartered in southern France. We discussed how the Dark Web teems with hackers offering targeted mobile app attacks on major companies.

Many corporations outsource their mobile app development, and these apps often exhibit poor security practices, making them easy targets for cybercriminals, he says.

Verimatrix is coming at this problem with a fresh approach that has proven its efficacy in Hollywood where the company has long helped lock down content such as premium movies and live streamed sporting events.

Guest expert: Asaf Ashkenazi, CEO, Verimatrix

Its technology revolves around application-level protection and monitoring, which allows Verimatrix to collect data on app behavior without invading user privacy.

Code embedded in the app provides granular insight into what is happening while the app is actually running, and a degree of control that simply isn’t possible with legacy mobile app security solutions, he told me.

For a full drill down, please give the accompanying podcast a close listen. Ashkenazi argues that we need better security solutions in general to mitigate the AI-generated threats running on our most cherished devices.

He observes that threat actors already use generative AI tools like ChatGPT, Google Bard and Microsoft Edge to innovate malware; to keep pace, companies are going to have to get much better at not just identifying, but predicting attacks, especially on mobile apps. Agreed. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Could cybersecurity someday soon be implemented as a business enabler, instead of continuing to be viewed as an onerous business expense?

Related: Security sea-change wrought by ‘CMMC’

This would fit nicely with the ‘stronger together’ theme heralded at RSA Conference 2023.

WithSecure is one cybersecurity vendor that is certainly on this path. I had a lively conversation at Moscone Center with CEO Juhani Hintikka and CTO Tim Orchard all about something they’re championing as “outcome-based security.” In sum, this refers to the notion of correlating the mix of security tools and services a company has at hand much more directly with precisely defined business targets.

“We actually need to integrate cybersecurity with the business goals of the enterprise,” Hintikka observes.

WithSecure isn’t a startup; it’s the rebranding of Helsinki-based F-Secure, which has been around since 1988 and is well-established as a leading supplier of endpoint security and threat intelligence.

Guest experts: Tim Orchard, CTO, and Juhani Hintikka, CEO, WithSecure

Hintikka and Orchard argue for a more collaborative style of security services; for a drill down on our conversation please give the accompanying podcast a close listen.

The efficacy of this approach, they told me, is proving out in the success WithSecure is having with its customers, especially mid-sized companies. “In Germany, which is famous for mid-market companies, we seamlessly integrate our MDR service on top of our customers’ legacy systems, working alongside their teams,” Hintikka told me. “It’s truly a joint effort.”

The maturation of managed security services continues. There should be plenty more to come. I’ll keep watch and keep reporting.


Attack surface expansion translates into innumerable wide-open vectors of potential unauthorized access into company networks.

Related: The role of legacy security tools

Yet the heaviest volume of routine, daily cyber attacks continue to target a very familiar vector: web and mobile apps.

At RSA Conference 2023, I had the chance to meet with Paul Nicholson, senior director of product marketing and analyst relations at A10 Networks. A10 has a bird’s-eye view of the malicious traffic directed at web and mobile apps via deployments of its Thunder Application Delivery Controller (ADC).

We discussed why filtering web and mobile app traffic remains as critical as ever, even as cloud migration intensifies; for a full drill down, please give the accompanying podcast a listen.

Companies today face a huge challenge, Nicholson says. They must make ongoing assessments about IT infrastructure increasingly spread far and wide across on-premises and public cloud computing resources.

Guest expert: Paul Nicholson, senior director, product marketing & analyst relations, A10 Networks

The logical place to check first for incoming known-bad traffic remains at the gateways where application traffic arrives.

At RSAC 2023, A10 announced the addition of a next-generation web application firewall (NGWAF), powered by Fastly, to its core Thunder ADC service. This upgrade, he told me, is expressly aimed at helping companies optimize secure performance of their hybrid cloud environments.

This is another encouraging example of stronger together advancement. I’ll keep watch and keep reporting.


In an increasingly interconnected world, the evolution of the automotive industry presents an exciting yet daunting prospect.

Related: Privacy rules for vehicles

As vehicles continue to offer modern features such as app-to-car connectivity, remote control access, and driver assistance software, a huge risk lurks in the shadows.

The physical safety of things like airbags, rearview mirrors, and brakes is well accounted for; yet cybersecurity auto safety concerns are rising to the fore.

What used to be a focus on physical safety has now shifted to cybersecurity due to the widened attack surface that connected cars present. The rapid advancements in electric vehicles (EVs) have only served to heighten these concerns.

Funso Richard, Information Security Officer at Ensemble, highlighted the gravity of these threats. He told Last Watchdog that apart from conventional attacks, such as data theft and vehicle theft, much more worrisome types of attacks are emerging. These include ransomware targeting backend servers, distributed denial of service (DDoS) attacks, destructive malware, and even weaponizing charging stations to deploy malware.

Risk of compromise

The National Highway Traffic Safety Administration defines automotive cybersecurity as the protection of automotive electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation. The risk of compromise is not just theoretical; there have been instances where vehicles were momentarily commandeered.

Notably, in 2016, Nissan suspended a remote telematics system in its all-electric hatchback, the Leaf, due to a vulnerability in the NissanConnect app’s server. More recently, Sultan Qasim Khan, a principal security adviser with a UK-based security firm, tricked a Tesla into thinking the driver was inside by rerouting communication between the automaker’s mobile app and the car.

Rising regulations

As the attack surface broadens, original equipment manufacturers (OEMs) find themselves in a unique position. Roy Fridman, CEO at C2A Security, emphasized the complexity of the automotive industry, citing the intricate supply chain, the exponential growth of software in modern vehicles, and the heavily regulated environment as contributing factors.

In terms of regulations, Fridman highlighted WP.29 UN R155, which C2A Security’s David Mor Ofek helped to draft, as a key regulation that makes car manufacturers liable for the entire supply chain of their products. However, he warned against cursory compliance just to satisfy the regulatory bodies, emphasizing the need for OEMs to truly understand and address the threats.

“These laws imply that whether in design, development, production, or post-production, car manufacturers must have full visibility into the security of their software products through a cybersecurity management system (CSMS),” Fridman says.


Richard echoed this sentiment, emphasizing the importance of secure design principles and the need for evidence of implemented cybersecurity controls from third-party suppliers. He noted the temptation for OEMs to kit up new models with the latest features without assessing their security implications, but urged manufacturers to prioritize security.

“It’s not enough that smart automakers are doing their best to secure their products, a supplier could be the weakest link,” Richard says.

Consumer trust

This increased focus on automotive cybersecurity is also reflected in the consumer market, with customers putting more emphasis on their security posture and overall risk management. Fridman suggested that this trend presents an excellent opportunity for OEMs to build trust with their customers, and he expects to see more of this development in the future.


According to Fridman, there will be a shift from the mechanical side of car development to the software side, with the industry witnessing a proliferation of the Software Defined Vehicle (SDV). This implies an even greater potential for cyberattacks as more devices get connected and the demand for software-powered smart cars increases in an IoT-powered world.

The Automotive Cybersecurity Market Global Forecast by MarketsandMarkets corroborates this, predicting a rising demand for automotive cybersecurity solutions among OEMs globally – and noting that a passenger car equipped with modern connected features already has more than 100 million lines of code.

Richard added that smart vehicles will play a significant role in smart city development and the “connected everything” concept. This means that smart cars will redefine how we understand IoT in the next few years, becoming one of the leading data generators of connected devices and internet activities.

The comments of Fridman and Richard show consensus gelling in the cybersecurity community that connected vehicle safety must jump ahead of emerging regulations.

“The EV charging grid is left estranged from any formal guidelines, despite recent security breaches, increased interest from malicious hackers, and FBI warnings,” notes Fridman. “We should all double down on this front.”

Editor’s note: Kolawole Samuel Adebayo is a Last Watchdog special correspondent based in Lagos, Nigeria.



Email remains by far the no.1 business communications tool. Meanwhile, weaponized email continues to pose a clear and present threat to all businesses.

Related: The need for timely training

At RSA Conference 2023, I learned all about a new category of email security — referred to as integrated cloud email security (ICES) – that is helping companies more effectively keep email threats in check.

I met with Eyal Benishti, CEO of IRONSCALES, a supplier of ICES tools and cybersecurity training services. For a full drill down on our conversation, please give the accompanying podcast a close listen.

Phishing is still the main way bad actors slip into networks; and Business Email Compromise (BEC) attacks can instantly translate into crippling losses.

Guest expert: Eyal Benishti, CEO, Ironscales

Successful attacks slip past legacy secure email gateways (SEGs) and even past the newer ‘cloud-native security’ controls that Microsoft and Google have embedded in Microsoft 365 and Google Workspace. These filters look for known bad attachments and links.

ICES solutions vet the messages that slip through. IRONSCALES, for instance, applies natural language processing technology to identify patterns and flush out anything suspicious. And its complementary security awareness training modules encourage employees to participate in isolating anything suspicious that leaks into their inboxes.

“The security gateways and cloud-native security controls look at content but that’s not enough,” Benishti observes. “You also need to look at context; both perspectives are needed.”
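To make Benishti’s content-versus-context distinction concrete, here is an added illustration (not IRONSCALES code, and not an implementation of their product) of a mail triage pass that scores what a gateway already inspects, the wording of the message, separately from what it usually ignores: whether the recipient has corresponded with this sender before, whether Reply-To diverges from From, and whether an executive’s display name arrives from an outside domain. The organisation domain, known correspondents, executive names and all three sample messages are constructed for the example; crude keyword lists stand in for the natural language processing the article mentions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed context for the example (hypothetical organisation data):
# our own mail domain, addresses this mailbox has corresponded with before,
# and executive display names that are common impersonation targets.
OUR_DOMAIN = "example.com"
KNOWN_CORRESPONDENTS = {"cfo@example.com", "ap@vendor-example.net"}
EXECUTIVE_NAMES = {"Dana Chen"}

# Crude keyword lists stand in for the NLP a commercial ICES product applies.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away")
PAYMENT_TERMS = ("wire", "bank account", "invoice", "gift card", "payment")


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str      # empty string when the header is absent
    subject: str
    body: str


def content_signals(msg: Message) -> list[str]:
    """What a gateway filter sees: the words in the message itself."""
    text = f"{msg.subject} {msg.body}".lower()
    hits = []
    if any(term in text for term in URGENCY_TERMS):
        hits.append("urgency-language")
    if any(term in text for term in PAYMENT_TERMS):
        hits.append("payment-request")
    return hits


def context_signals(msg: Message) -> list[str]:
    """What content filters do not weigh: who is writing, from where,
    and whether that matches the recipient's history."""
    hits = []
    sender = msg.from_addr.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    if sender not in KNOWN_CORRESPONDENTS:
        hits.append("first-time-sender")
    if msg.reply_to and msg.reply_to.lower() != sender:
        hits.append("reply-to-mismatch")
    if msg.display_name in EXECUTIVE_NAMES and sender_domain != OUR_DOMAIN:
        hits.append("executive-name-external-domain")
    return hits


def triage(msg: Message) -> dict:
    """Combine both views; a context deviation weighs twice a wording hit."""
    content = content_signals(msg)
    context = context_signals(msg)
    score = len(content) + 2 * len(context)
    if score >= 4:
        verdict = "quarantine"
    elif score >= 2:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "score": score,
            "content": content, "context": context}


# Constructed sample messages: a genuine internal request, an impersonation
# attempt with innocuous wording, and an unsolicited but harmless newsletter.
LEGIT = Message("Dana Chen", "cfo@example.com", "",
                "Q2 invoice", "Please process the attached invoice by Friday.")
BEC = Message("Dana Chen", "dana.chen@mail-example.net",
              "dana.chen.reply@other-example.org",
              "Quick favour", "Are you at your desk? I need something urgent handled.")
NEWSLETTER = Message("Vendor News", "news@vendor-example.net", "",
                     "Product update", "Our new payment portal is live this quarter.")

if __name__ == "__main__":
    for m in (LEGIT, BEC, NEWSLETTER):
        r = triage(m)
        print(f"{m.subject!r}: {r['verdict']} "
              f"(content={r['content']}, context={r['context']})")
```

Note which message lands where: the genuine invoice request carries a payment keyword yet is delivered because every context check passes, while the impersonation message has only one suspicious word and is quarantined on context alone. A content-only filter would rank those two the other way round, which is the gap the article says ICES tools are meant to close.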

It’s clear that layers of protection, along with better-trained employees, have become table stakes. I’ll keep watch and keep reporting.


One meeting I had at RSA Conference 2023 was a briefing about a new partnership, announced this morning, between a top-rung Silicon Valley tech giant and the leading provider of digital trust.

Related: Centralizing control of digital certificates

I had the chance to sit down with Deepika Chauhan, DigiCert’s Chief Product Officer, and Mike Cavanagh, Oracle’s Group Vice President, ISV Cloud for North America. They walked me through a partnership that gives their joint customers the option to deploy Oracle Cloud Infrastructure (OCI) combined with DigiCert ONE. Here are a few of my takeaways:

Seeds of the partnership

In 2017, DigiCert acquired Symantec’s PKI business and set about reviving it. This was all part of the Lehi, Utah-based vendor’s efforts to support enterprise cloud migration and the rise of IoT systems, which were both gaining steam.

This ultimately resulted in the 2020 roll out of DigiCert ONE, a new platform of tools and services aimed at “embedding digital trust across the board within the enterprise and between all parts of the cloud ecosystem,” Chauhan says.

Back in Silicon Valley, Oracle was playing catchup. Amazon had introduced Amazon Web Services in 2006 and Microsoft Azure became commercially available in 2010. Oracle launched OCI in October 2016.


As a latecomer to the hyperscale data center market, Oracle focused on its heritage of helping large enterprise customers securely and efficiently run their mission critical systems and applications, Cavanagh told me.

“We went out and hired engineering talent from our competitors, gave them a clean slate and tremendous executive commitment,” he says. “We told them, ‘If you had a chance to build a hyperscaler where security, performance, and high availability were priorities, with our enterprise customers in mind, what would you do?’ And that was the design point we gave them.”

Extending ‘digital trust’

As DigiCert and Oracle separately headed down these paths, digital transformation shifted into high gear and massive interconnectivity built off of wide distribution of ephemeral APIs took center stage.

In the past, APIs mainly connected users to websites and mobile apps. But APIs have come to be relied upon to hook company networks into AWS, Azure and Google Cloud resources as well as to enable wide-open, rapid-fire software development practices, i.e. DevOps and CI/CD.

This highly dynamic, intensely complex operating environment has translated into an exponentially larger attack surface. So it was a natural progression for traditional PKI solution providers to extend digital certificates and PKI — the tried-and-true form of authenticating and securing digital connections – into this realm of hyperconnectivity.

DigiCert launched DigiCert ONE to innovate a more holistic approach to digital trust, Chauhan says, and the company has continued to innovate on that platform.

Today, DigiCert is focused on defining standards for digital trust, global compliance and operations, she says. This includes centralizing management of digital certificates and PKI across software supply chains, edge devices, remote users and evolving digital ecosystems.

“We understand the problem our customers need to solve,” Chauhan told me. “Our focus has been on reducing the risk of business disruption, protecting attack surfaces and delivering identity-based digital innovation with ease.”

Late mover advantage

As DigiCert was innovating in the digital trust space, Oracle’s engineers filled their blank slate with a meticulous plan to distribute leading-edge hyperscaler services globally — much more nimbly than Amazon, Microsoft or Google.

They divided the planet into 55 “public cloud regions” spread across 22 nations on five continents. The plan called for well-equipped, optimally sized hyperscaler data centers to be put on the ground near where demand could be anticipated.

Today Oracle delivers OCI services from 41 data centers in locales like South Africa, Spain, Serbia, Colombia, Paris and Chicago; secondary facilities are in the works for Chile, Saudi Arabia, Mexico and Singapore.

“We can quickly roll out new data centers and deploy all 300 OCI services across each of those data centers,” Cavanagh says. “Our vision is to open up small to medium sized data centers in as many strategic geolocations as we can, based on input from our customers, and then scale those data centers out over time as the demand increases.”

Honoring data sovereignty

Name any business use case: banking, retail, healthcare, government, military, entertainment, elections. They’re all becoming increasingly dependent on hyperconnectivity. Oracle’s global deployment of OCI services clearly gives its customers more flexibility by giving them the option to deploy DigiCert’s digital trust platform.


With this partnership, DigiCert, which also operates regional data centers, gains an expanded capacity to localize the delivery of its DigiCert ONE platform to more locations outside of the U.S. This is a very big deal because of the “data sovereignty” rules emerging in Europe and the Middle East that require cloud-centric services to physically remain inside national borders, Chauhan observes.

To account for data sovereignty, Oracle has set up “sovereign cloud regions” in Germany and Spain to meet new data privacy rules.

“Oracle already is undisputedly a leader in enterprise security with a software stack that now has jurisdictional sensitivity, as well,” she says. “If you combine a digital trust offering like ours with a really scalable infrastructure that you can take to any country, any region and provide services across different verticals, that’s a real strength.”

This is yet another terrific example of “stronger together.” I’ll keep watch and keep reporting.


There is no doubt there is a constant and growing concern among CEOs, and particularly CISOs, about hiring the cybersecurity talent their organizations require to safeguard against cyberattacks.

According to Cybersecurity Ventures, by 2025 there will be a gap of over 3.5 million unfilled cybersecurity positions. Moreover, surveys conducted by PwC have shown that the current worldwide workforce offers only a 38 percent ‘availability of key skills’, considering the new and more sophisticated emerging threats developed by malicious actors.

These stats are alarming, and they pose an important question that we will try to help you answer: where are you supposed to find the right cybersecurity talent for your organization?

Various industries, particularly those most heavily targeted by cyber attackers recently (such as critical infrastructure and even governmental entities), have an increased need to hire cybersecurity talent.

And even though people are becoming increasingly aware of the immense possibilities that exist when starting a career in the field, the pace at which they are gaining the skills and knowledge needed to meet organizations’ security needs is not keeping up with the growing demand.

To ensure your organization hires the best cybersecurity talent currently available in the market, we have gathered a list of tips that can be helpful during this critical process:

• Leverage specialized platforms. Posting your job vacancies on any online job board will likely limit your chances of finding top cybersecurity talent.

To reach the best, consider specialized job boards such as Seccuri or hiring a professional recruiter; both bring experience in the field and a strong network of relevant contacts.

• Look in-house. Analyze your current cybersecurity team and define interesting career paths for each of them that align with your organization’s current and future cybersecurity needs. Take it from there to start investing in your current team and focus on training!

• Make vacancies appealing. Attracting top cybersecurity talent to your organization will be a challenge if your job proposal is not strong and competitive enough.

Make sure you reach out to new talent with both interesting vacancies and career growth opportunities to ensure a higher positive response rate.

• Try non-traditional channels. Consider approaching cybersecurity talent through non-traditional channels, such as social media, cybersecurity events and forums. Use these spaces wisely to scout new prospects.

• Train prospects. Cybersecurity is a field anyone is welcome to explore, no matter their current or past careers. Enthusiasts can come from a variety of different fields, which means you should not limit yourself to finding talent potential in those who have sought careers in STEM or InfoSec.

Becoming a highly skilled cybersecurity professional is all about having the motivation to learn, challenging yourself to new and complex scenarios, and constantly being trained on the latest cybersecurity trends that relate to your area of interest.

If you do consider hiring people with high potential in cybersecurity and training them once they join your organization, look for problem-solving abilities and team collaboration, as these become essential once someone is part of your cybersecurity team.

About the essayist: Sara Velasquez Posada is part of Seccuri, the Global Cybersecurity Talent Platform, where she works as a Growth Lead helping cybersecurity professionals upscale their career paths through job opportunities and training. By focusing on closing the cybersecurity talent gap that exists worldwide, she helps companies find the professionals they require and supports the growth of the cybersecurity talent pool.

The rising complexity and prevalence of cybersecurity threats are making experts anxious.

Related: Training employees to mitigate phishing

It pressures working analysts to perform 24 hours’ worth of work in an 8-hour day. Automation could alleviate the burden on IT teams and cybersecurity professionals by shouldering some monotonous, time-consuming tasks.

An increasingly digitized world means analysts can’t rest. Nobody knows when a threat will strike, and professionals might feel they’re running on an endless hamster wheel. Experts must monitor firewalls, test business continuity plans and identify vulnerabilities with seemingly little payoff.

These feelings are a side effect of cybersecurity burnout. It can be one of the most toxic barriers in a robust cybersecurity strategy, especially if analysts can’t keep a level head in the face of prospective threats. If analysts become exhausted, pessimistic or overwhelmed trying to keep up with relentless and innovative hackers, companies and customer data could be at risk.

Automation is the key to removing most of the burnout. Analysts could delegate repetitive, mindless tasks to AI or software that could perform just as well — if not better — than humans. Every automation tool is like an added employee, strengthening SOCs and empowering individual analysts to find more valuable ways to employ their expertise or receive additional training on more complex topics.

Here are some of the jobs automation tools could execute that can optimize triage and help analysts stay focused:

• Send threat notifications to teams, management and stakeholders.

• Isolate threats in pre-programmed environments for assessment.

• Run test scenarios to prove the validity of incident response.

• Classify threat data.

• Enforce strict authentication and verification measures for server access requests.

• Notify technicians and programmers of compliance changes.

• Install software and hardware updates to minimize vulnerabilities.

• Execute data minimization protocol by backing up and deleting data as needed.

• Submit, close or escalate case tickets.

Organizations must leverage automation tools to keep system issues in a constant state of self-healing, from detection and diagnosis to patching. So, where and how can professionals incorporate them into an existing risk management plan?

Cybersecurity staff can incorporate automation tools into every risk management process step. For example, automated programs informed by machine learning can review historical and modern data against incoming access requests, judging their threat intensity so analysts don’t struggle with alert fatigue.
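The access-request review described above, and the submit/close/escalate ticket step from the earlier list, can be shown in a few lines of Python. This is an added illustration, not code from any product the essay mentions: a per-user baseline is built from a constructed historical access log (hypothetical users, countries, devices and timestamps), each incoming request is scored by how far it deviates from that baseline, and the score decides whether the alert is auto-closed, ticketed for a human, or escalated. A real SOC would draw the baseline from months of identity-provider logs and use a learned model rather than this fixed weighting.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime

# Constructed historical access log: (user, ISO timestamp, country, device).
# All users, devices and timestamps are hypothetical sample data.
HISTORY = [
    ("alice", "2023-04-03T09:12:00", "DE", "laptop-01"),
    ("alice", "2023-04-04T10:40:00", "DE", "laptop-01"),
    ("alice", "2023-04-05T14:05:00", "DE", "laptop-01"),
    ("bob",   "2023-04-03T08:30:00", "US", "desktop-07"),
    ("bob",   "2023-04-04T16:15:00", "US", "desktop-07"),
    ("bob",   "2023-04-05T08:55:00", "US", "laptop-02"),
]


def build_baseline(history):
    """Per-user profile of what 'normal' access has looked like so far."""
    baseline = defaultdict(
        lambda: {"countries": set(), "hours": set(), "devices": set()})
    for user, ts, country, device in history:
        profile = baseline[user]
        profile["countries"].add(country)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["devices"].add(device)
    return dict(baseline)


def score_request(baseline, user, ts, country, device):
    """Return (score, reasons) describing how far a request deviates
    from the user's baseline. A never-seen user is scored as suspicious."""
    profile = baseline.get(user)
    if profile is None:
        return 3, ["unknown-user"]
    score, reasons = 0, []
    if country not in profile["countries"]:
        score += 2                      # geography is the strongest signal
        reasons.append("new-country")
    hour = datetime.fromisoformat(ts).hour
    # Tolerate one hour either side of every hour previously observed.
    usual_hours = {(h + d) % 24 for h in profile["hours"] for d in (-1, 0, 1)}
    if hour not in usual_hours:
        score += 1
        reasons.append("off-hours")
    if device not in profile["devices"]:
        score += 1
        reasons.append("new-device")
    return score, reasons


def triage_access(baseline, user, ts, country, device):
    """Map the score onto the ticket actions an automation tool would take."""
    score, reasons = score_request(baseline, user, ts, country, device)
    if score == 0:
        action = "auto-close"           # matches baseline; no analyst time
    elif score < 3:
        action = "ticket"               # queue for routine review
    else:
        action = "escalate"             # page the on-call analyst
    return {"user": user, "action": action, "score": score, "reasons": reasons}


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed incoming requests for the demonstration.
    requests = [
        ("alice", "2023-04-06T10:05:00", "DE", "laptop-01"),
        ("alice", "2023-04-06T03:40:00", "BR", "phone-99"),
        ("bob", "2023-04-06T22:00:00", "US", "desktop-07"),
        ("mallory", "2023-04-06T12:00:00", "US", "laptop-01"),
    ]
    for req in requests:
        print(triage_access(baseline, *req))
```

The point for alert fatigue is the first case: a request that matches the user’s own history generates no ticket at all, so the analyst queue only holds the requests that actually differ from what the history shows.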

These are some of the most popular tools for automating the vast majority of cybersecurity work:

• eXtended Detection and Response: Analyzes endpoints, clouds and other silos for sneaky threat actors that hide between perimeter and internal security.

• Security Orchestration, Automation and Response: Cross-platform tech stacks that can do tasks like remediation and submitting security alerts.

• Robotic process automation: Programs that simulate rudimentary cybersecurity tasks requiring a specific outcome, such as running security scans.

• Cyber risk quantification: Collects and translates risk information into currency, informing boards and stakeholders of the threats from a monetary perspective.

• Security information and event management: Standardizes data into patterns from security protocols — like firewalls — for cohesive contextual threat analysis.

There is a need for automation to fill job demands, as threats arrive nonstop and job vacancies plague desperate enterprises. Businesses can employ all or one of these tools to kickstart their automation implementation, as each tool works best in specific scenarios.

Embracing automation will increase the resilience of teams and digital environments. It will free analysts to deepen their knowledge instead of wasting resources on lesser threats, instilling a more meaningful sense of purpose in a job otherwise tainted by burnout.

Using automation to supplement teams now will foster more proficient and optimistic analysts for the future because they’re entering the field with more tangible, beneficial tasks than tedious data management or playing hide-and-seek with threat actors.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

The theme of RSA Conference 2023 — ‘stronger together’ — was certainly well chosen.

Related: Demystifying ‘DSPM’

This was my nineteenth RSAC. I attended my first one in 2004, while covering Microsoft for USA TODAY. It certainly was terrific to see the cybersecurity industry’s premier trade event fully restored to its pre-Covid grandeur at San Francisco’s Moscone Center last week.

Rising from the din of 625 vendors, 700 speakers and 26,000 attendees came the clarion call for a new tier of overlapping, interoperable, highly automated security platforms needed to carry us forward.

Defense-in-depth remains a mantra — but implemented much differently than the defense-in-depth strategies of the first decade and a half of this century. Machine learning, automation and interoperability must take over and several new security layers must coalesce and interweave to protect the edge.

Getting a grip on identities

To keep the momentum going, business rivals and regulators are going to have to find meaningful ways to co-ordinate and cooperate at an unprecedented level. Here are three evolving themes reverberating from RSAC 2023 that struck me:

Password enabled access will endure for the foreseeable future. Multi-factor authentication (MFA) has raised the bar, but MFA alone is not enough to slow, much less stop, moderately-skilled bad actors.

New security platforms that can set cloud configurations wisely, automate detection and response and manage vulnerabilities continuously are needed to form the front line of defense.

Consolidating cloud postures

One nascent approach that shows promise: cloud native application protection platform (CNAPP).

For a drill down on how the CNAPP space is rapidly evolving, stay tuned for my upcoming RSA Fireside Chat podcasts with a couple of vendors on the leading edge. I had enlightening discussions with Elias Terman and Sudarsan Kannan, of Uptycs, and Markus Strauss and Michiel De Lepper of Runecast.

Identities – or to put it more precisely, user access management — is a fundamental weakness that must be shored up. This is where advanced identity and access management (IAM) tools and practices come into play.

I spoke at length with Ravi Srivatsav and Venkat Thummisi of InsideOut Defense, and separately with Venkat Raghavan, founder and CEO of Stack Identity, all about reconstituting IAM. My Fireside Chat podcasts to come will get into their insights about reducing the risk of access manipulation by continuously and comprehensively monitoring access patterns.

I also had quick meetings with Bernard Harguindeguy and Barber Amin, senior execs at Veridium ID, on the latest advances in passwordless authentication, and I got the back story about a brand new smart ring (yes, of the Tolkien variety) introduced at the conference by security start-up Token. I spoke with Token CEO John Gunn and his engineering VP Evan K. about the role of advanced wearable authentication devices, going forward.

Operationalizing threat intel

Collecting and using good threat intelligence has always been important — and never been easy to do well. Two impromptu meetings I had touched on this. I spoke with Rohan Spledewinde of security start-up CTM360 – which crawls the public Internet for each and every reference to a company’s IP addresses, and uses graph database technology to present useful correlations; and I also had another very lively discussion with Snehal Antani, CEO of Horizon3, about the value of continuous, well-informed penetration testing.

Leveraging threat intelligence at the platform level, of course, remains vital, as well. The trick in today’s operating environment is how to do this well with cloud migration accelerating.

There’s a danger of leaving legacy on-premises systems twisting in the wind. And that’s why emerging frameworks like Security Service Edge (SSE) and Zero Trust Network Access (ZTNA) got a lot of attention at RSAC 2023, and deservedly so.

In the weeks ahead, be on alert for my deep-dive podcast discussions, with vendors that are shaping the security platforms of the near future. The perspectives I heard from two leading vendors in the security platform space were very similar.

I spoke at length to WithSecure CEO Juhani Hintikka and CTO Tim Orchard; this is the recent rebrand of F-Secure, a longstanding, widely respected cybersecurity systems vendor from Finland.

And I had a deep dive discussion with Cyware’s Willy Leichter and Neal Dennis. While WithSecure is approaching the task at hand from a slightly different angle than Cyware, both rely on interoperability of multiple systems, i.e. ‘stronger together.’

Our smartphone symbiosis

If you’re like me, you’ll lose track of where you last set down your room key, wallet or coat before you misplace your smartphone.

Our mobile devices, and the mobile apps on them, have become our digital appendages. We feel lost without them. And thus they are destined to endure as our primary user interface.

Yet the security of mobile apps hasn’t advanced much in the past 10 years; bad actors don’t really have to work all that that hard, or expend much resources, to exploit how we’ve come to use mobile apps.

I spoke with two vendors that are introducing promising innovation to that addresses this. Verimatrix CEO Asaf Ashkenazi described for me how his company is leveraging technologies perfected by the entertainment industry to protect mobile apps.

And Approov CEO Ted Miracco told me how his company’s solution is borrows from design principles used to lock down semiconductors.

It’s easier than ever for malicious hackers to get deep access, steal data, spread ransomware, disrupt infrastructure and attain long run unauthorized access. What I saw and heard at RSAC 2023 leaves me encouraged, more so than ever before, that this widening of the security gap will be slowed — and ultimately reversed. I’ll keep watch and keep reporting

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as

 

 

 

“Stronger together” was the theme of RSA Conference 2023, which returned to its pre-Covid grandeur under the California sunshine last week at San Francisco’s Moscone Center.

Related: Demystifying ‘DSPM’

Rising from the din of 625 vendors, 700 speakers and 26,000 attendees came the clarion call for a new tier of overlapping, interoperable, highly automated security platforms needed to carry us forward.

Defense-in-depth remains a mantra — but implemented much differently than the defense-in-depth strategies of the first decade and a half of this century. Machine learning, automation and interoperability must take over, and several new security layers must coalesce and interweave to protect the edge.

To keep the momentum going, business rivals and regulators are going to have to find meaningful ways to co-ordinate and cooperate at an unprecedented level. Here are three evolving themes reverberating from RSAC 2023 that struck me:

Getting a grip on identities

Password-enabled access will endure for the foreseeable future. Multi-factor authentication (MFA) has raised the bar, but MFA alone is not enough to slow, much less stop, moderately skilled bad actors.

New security platforms that can set cloud configurations wisely, automate detection and response, and manage vulnerabilities continuously are needed to form the front line of defense. One nascent approach that shows promise: the cloud native application protection platform (CNAPP).

For a drill down on how the CNAPP space is rapidly evolving, stay tuned for my upcoming RSA Fireside Chat podcasts with a couple of vendors on the leading edge. I had enlightening discussions with Elias Terman and Sudarsan Kannan of Uptycs, and Markus Strauss and Michiel De Lepper of Runecast.

Identities, or to put it more precisely, user access management, is a fundamental weakness that must be shored up. This is where advanced identity and access management (IAM) tools and practices come into play.

I spoke at length with Ravi Srivatsav and Venkat Thummisi of InsideOut Defense, and separately with Venkat Raghavan, founder and CEO of Stack Identity, all about reconstituting IAM. My Fireside Chat podcasts to come will get into their insights about reducing the risk of access manipulation by continuously and comprehensively monitoring access patterns.

I also had quick meetings with Bernard Harguindeguy and Baber Amin, senior execs at Veridium ID, on the latest advances in passwordless authentication, and I got the back story about a brand new smart ring (yes, of the Tolkien variety) introduced at the conference by security start-up Token; I spoke with Token CEO John Gunn and his engineering VP Evan K. about the role of advanced wearable authentication devices, going forward.

Operationalizing threat intel

Collecting and using good threat intelligence has always been important — and never been easy to do well. Two impromptu meetings I had touched on this. I spoke with Rohan Spledewinde of security start-up CTM360, which crawls the public Internet for each and every reference to a company’s IP addresses and uses graph database technology to present useful correlations; and I also had another very lively discussion with Snehal Antani, CEO of Horizon3, about the value of continuous, well-informed penetration testing.

Leveraging threat intelligence at the platform level, of course, remains vital as well. The trick in today’s operating environment is how to do this well with cloud migration accelerating. There’s a danger of leaving legacy on-premises systems twisting in the wind. And that’s why emerging frameworks like Secure Services Edge (SSE) and Zero Trust Network Access (ZTNA) got a lot of attention at RSAC 2023, and deservedly so.

In the weeks ahead, be on alert for my deep-dive podcast discussions with vendors that are shaping the security platforms of the near future. The perspectives I heard from two leading vendors in the security platform space were very similar.

I spoke at length to WithSecure CEO Juhani Hintikka and CTO Tim Orchard, as shown above in the main photo atop this column; WithSecure is the recent rebrand of F-Secure, a longstanding, widely respected cybersecurity systems vendor from Finland.

And I had a deep-dive discussion with Cyware’s Willy Leichter and Neal Dennis. While WithSecure is approaching the task at hand from a slightly different angle than Cyware, both rely on interoperability of multiple systems, i.e. ‘stronger together.’

Our smartphone symbiosis

If you’re like me, you’ll lose track of where you last set down your room key, wallet or coat before you misplace your smartphone.

Our mobile devices, and the mobile apps on them, have become our digital appendages. We feel lost without them. And thus they are destined to endure as our primary user interface.

Yet the security of mobile apps hasn’t advanced much in the past 10 years; bad actors don’t really have to work all that hard, or expend many resources, to exploit how we’ve come to use mobile apps.

I spoke with two vendors that are introducing promising innovation that addresses this. Verimatrix CEO Asaf Ashkenazi described for me how his company is leveraging technologies perfected by the entertainment industry to protect mobile apps.

And Approov CEO Ted Miracco told me how his company’s solution borrows from design principles used to lock down semiconductors.

It’s easier than ever for malicious hackers to get deep access, steal data, spread ransomware, disrupt infrastructure and attain long-run unauthorized access. What I saw and heard at RSAC 2023 leaves me encouraged, more so than ever before, that this widening of the security gap will be slowed — and ultimately reversed. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as