In an increasingly interconnected world, the evolution of the automotive industry presents an exciting yet daunting prospect.

Related: Privacy rules for vehicles

As vehicles continue to offer modern features such as app-to-car connectivity, remote control access, and driver assistance software, a huge risk lurks in the shadows.

The physical safety of components such as airbags, rearview mirrors and brakes is well accounted for; cybersecurity concerns about vehicle safety, by contrast, are only now rising to the fore.

What used to be a focus on physical safety has now shifted to cybersecurity because of the widened attack surface that connected cars present. The rapid advancement of electric vehicles (EVs) has only heightened these concerns.

Funso Richard, Information Security Officer at Ensemble, highlighted the gravity of these threats. He told Last Watchdog that apart from conventional attacks, such as data theft and vehicle theft, much more worrisome types of attacks are emerging. These include ransomware targeting backend servers, distributed denial of service (DDoS) attacks, destructive malware, and even weaponizing charging stations to deploy malware.

Risk of compromise

The National Highway Traffic Safety Administration defines automotive cybersecurity as the protection of automotive electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation. The risk of compromise is not just theoretical; there have been instances where vehicles were momentarily commandeered.

Notably, in 2016, Nissan suspended a remote telematics system in its all-electric hatchback, the Leaf, due to a vulnerability in the NissanConnect app’s server. More recently, Sultan Qasim Khan, a principal security adviser with a UK-based security firm, tricked a Tesla into thinking the driver was inside by rerouting communication between the automaker’s mobile app and the car.

Rising regulations

As the attack surface broadens, original equipment manufacturers (OEMs) find themselves in a unique position. Roy Fridman, CEO at C2A Security, emphasized the complexity of the automotive industry, citing the intricate supply chain, the exponential growth of software in modern vehicles, and the heavily regulated environment as contributing factors.

In terms of regulations, Fridman highlighted WP.29 UN R155, which C2A Security’s David Mor Ofek helped draft, as a key regulation that makes car manufacturers accountable for the security of their entire supply chain. However, he warned against cursory compliance undertaken just to satisfy regulators, emphasizing the need for OEMs to truly understand and address the threats.

“These laws imply that whether in design, development, production, or post-production, car manufacturers must have full visibility into the security of their software products through a cybersecurity management system (CSMS),” Fridman says.


Richard echoed this sentiment, emphasizing the importance of secure design principles and the need for evidence of implemented cybersecurity controls from third-party suppliers. He noted the temptation for OEMs to kit up new models with the latest features without assessing their security implications, but urged manufacturers to prioritize security.

“It’s not enough that smart automakers are doing their best to secure their products, a supplier could be the weakest link,” Richard says.

Consumer trust

This increased focus on automotive cybersecurity is also reflected in the consumer market, with customers paying more attention to a manufacturer’s security posture and overall risk management. Fridman suggested that this trend presents an excellent opportunity for OEMs to build trust with their customers, and he expects to see more of this development in the future.


According to Fridman, there will be a shift from the mechanical side of car development to the software side, with the industry witnessing a proliferation of the Software Defined Vehicle (SDV). This implies an even greater potential for cyberattacks as more devices get connected and the demand for software-powered smart cars increases in an IoT-powered world.

The Automotive Cybersecurity Market Global Forecast by MarketandMarkets corroborates this, predicting a rising demand for automotive cybersecurity solutions among OEMs globally – and noting that a passenger car equipped with modern connected features already has more than 100 million lines of code.

Richard added that smart vehicles will play a significant role in smart city development and the “connected everything” concept. This means that smart cars will redefine how we understand IoT in the next few years, becoming one of the leading data generators of connected devices and internet activities.

The comments of Fridman and Richard show a consensus gelling in the cybersecurity community that connected-vehicle security must jump ahead of emerging regulations.

“The EV charging grid is left estranged from any formal guidelines, despite recent security breaches, increased interest from malicious hackers, and FBI warnings,” notes Fridman, “We should all double down on this front.”

Editor’s note: Kolawole Samuel Adebayo is a Last Watchdog special correspondent based in Lagos, Nigeria.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


Email remains by far the no.1 business communications tool. Meanwhile, weaponized email continues to pose a clear and present threat to all businesses.

Related: The need for timely training

At RSA Conference 2023, I learned all about a new category of email security — referred to as integrated cloud email security (ICES) – that is helping companies more effectively keep email threats in check.

I met with Eyal Benishti, CEO of IRONSCALES, a supplier of ICES tools and cybersecurity training services. For a full drill down on our conversation, please give the accompanying podcast a close listen.

Phishing is still the main way bad actors slip into networks; and Business Email Compromise (BEC) attacks can instantly translate into crippling losses.

Guest expert: Eyal Benishti, CEO, Ironscales

Successful attacks slip past legacy secure email gateways (SEGs) and even past the newer ‘cloud-native’ security controls that Microsoft and Google have embedded in Microsoft 365 and Google Workspace. These filters look for known bad attachments and links.

ICES solutions vet the messages that slip through. IRONSCALES, for instance, applies natural language processing technology to identify patterns and flush out anything suspicious. And its complementary security awareness training modules encourage employees to participate in isolating anything suspicious that leaks into their inboxes.

“The security gateways and cloud-native security controls look at content but that’s not enough,” Benishti observes. “You also need to look at context; both perspectives are needed.”
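Here is a small illustration of the content-versus-context point, written for this article as an added example; it is not IRONSCALES code and says nothing about how that product is built. It takes two constructed messages (not real captures) and scores them. The context checks ask whether a known executive’s display name sits on a mailbox other than the one that person actually uses, whether the sending domain collapses onto the organization’s own once the usual digit-for-letter swaps are folded, and whether Reply-To would divert answers to a third domain. The content check counts the urgency and payment words a gateway already matches on. The domain, the executive list, the weights and the threshold are assumptions made for the example; it uses only Go’s standard library.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// OrgDomain, OrgLabel and KnownExecs are constructed for this example: the domain the organization
// really sends from, its registrable label, and borrowed display names mapped to the real mailbox.
const OrgDomain, OrgLabel = "example-corp.com", "example-corp"

var KnownExecs = map[string]string{"jane doe": "jane.doe@example-corp.com"}

// Constructed sample messages (not real captures): a CEO-fraud lure, then routine mail from the real executive.
const execSpoof = `From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.ceo.office@gmail.com
Subject: Quick favour - wire transfer before 5pm

Are you at your desk? I need an urgent wire processed today.
Keep this confidential until I confirm. Send me the bank details form.
`

const benign = `From: "Jane Doe" <jane.doe@example-corp.com>
Subject: Q2 budget review notes

Attached are my notes from this morning's review. No action needed.
`

// Finding is what a triage layer hands to an analyst or to an automated quarantine action.
type Finding struct {
	Signals []string
	Score   int
}

// Suspicious applies the threshold. Content signals alone score at most 4 and never reach it.
func (f Finding) Suspicious() bool { return f.Score >= 5 }

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// normalizeHomoglyphs folds the substitutions common in lookalike domains (1 for l, 0 for o, rn for m).
func normalizeHomoglyphs(s string) string {
	return strings.NewReplacer("1", "l", "0", "o", "rn", "m").Replace(strings.ToLower(s))
}

// Analyze scores one message. Context: who the sender claims to be versus where the mail
// comes from and where a reply would go. Content: the lure words gateways already match on.
func Analyze(raw string) (Finding, error) {
	var f Finding
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return f, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return f, err
	}
	fromDomain := domainOf(from.Address)
	add := func(weight int, signal string) { f.Score += weight; f.Signals = append(f.Signals, signal) }
	// Context 1: a known executive's display name sitting on a different mailbox.
	for name, mailbox := range KnownExecs {
		if strings.Contains(strings.ToLower(from.Name), name) && !strings.EqualFold(from.Address, mailbox) {
			add(3, "display-name impersonation of "+name)
		}
	}
	// Context 2: the sending domain collapses onto, or embeds, the organization's own.
	if n := normalizeHomoglyphs(fromDomain); fromDomain != OrgDomain && (n == OrgDomain || strings.Contains(n, OrgLabel)) {
		add(3, "lookalike sender domain "+fromDomain)
	}
	// Context 3: replies would be diverted to a domain other than the sender's.
	if rt, err := mail.ParseAddress(msg.Header.Get("Reply-To")); err == nil && domainOf(rt.Address) != fromDomain {
		add(2, "Reply-To diverts to "+domainOf(rt.Address))
	}
	// Content: urgency and payment words, one point each.
	body, _ := io.ReadAll(msg.Body)
	text := strings.ToLower(msg.Header.Get("Subject") + " " + string(body))
	for _, kw := range []string{"urgent", "wire", "confidential", "bank details"} {
		if strings.Contains(text, kw) {
			add(1, "lure keyword: "+kw)
		}
	}
	return f, nil
}

func main() {
	for _, raw := range []string{execSpoof, benign} {
		f, err := Analyze(raw)
		fmt.Printf("err=%v score=%d suspicious=%v signals=%v\n", err, f.Score, f.Suspicious(), f.Signals)
	}
}
```

The scoring is the point: the lure words alone can never cross the threshold, so a genuine note from the CEO that happens to mention a wire is not quarantined, while the spoof trips three context signals before its content is even weighed. A production filter would swap the substring lookalike test for an edit-distance comparison and the static executive list for a directory lookup.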

It’s clear that layers of protection, along with better-trained employees, have become table stakes. I’ll keep watch and keep reporting.



(LW provides consulting services to the vendors we cover.)

“Stronger together” was the theme of RSA Conference 2023, which returned to its pre-Covid grandeur under the California sunshine last week at San Francisco’s Moscone Center.

Related: Demystifying ‘DSPM’

Rising from the din of 625 vendors, 700 speakers and 26,000 attendees came the clarion call for a new tier of overlapping, interoperable, highly automated security platforms needed to carry us forward.

Defense-in-depth remains a mantra, but implemented much differently than the defense-in-depth strategies of the first decade and a half of this century. Machine learning, automation and interoperability must take over, and several new security layers must coalesce and interweave to protect the edge.

To keep the momentum going, business rivals and regulators are going to have to find meaningful ways to co-ordinate and cooperate at an unprecedented level. Here are three evolving themes reverberating from RSAC 2023 that struck me:

Getting a grip on identities

Password enabled access will endure for the foreseeable future. Multi-factor authentication (MFA) has raised the bar, but MFA alone is not enough to slow, much less stop, moderately-skilled bad actors.

New security platforms that can set cloud configurations wisely, automate detection and response, and manage vulnerabilities continuously are needed to form the front line of defense. One nascent approach that shows promise: the cloud native application protection platform (CNAPP).

For a drill down on how the CNAPP space is rapidly evolving, stay tuned for my upcoming RSA Fireside Chat podcasts with a couple of vendors on the leading edge. I had enlightening discussions with Elias Terman and Sudarsan Kannan of Uptycs, and Markus Strauss and Michiel De Lepper of Runecast.

Identities, or to put it more precisely, user access management, is a fundamental weakness that must be shored up. This is where advanced identity and access management (IAM) tools and practices come into play.

I spoke at length with Ravi Srivatsav and Venkat Thummisi of InsideOut Defense, and separately with Venkat Raghavan, founder and CEO of Stack Identity, all about reconstituting IAM. My Fireside Chat podcasts to come will get into their insights about reducing the risk of access manipulation by continuously and comprehensively monitoring access patterns.

I also had quick meetings with Bernard Harguindeguy and Barber Amin, senior execs at Veridium ID, on the latest advances in passwordless authentication, and I got the back story about a brand new smart ring (yes, of the Tolkien variety) introduced at the conference by security start-up Token; I spoke with Token CEO John Gunn and his engineering VP Evan K. about the role of advanced wearable authentication devices, going forward.

Operationalizing threat intel

Collecting and using good threat intelligence has always been important, and has never been easy to do well. Two impromptu meetings I had touched on this. I spoke with Rohan Spledewinde of security start-up CTM360, which crawls the public Internet for each and every reference to a company’s IP addresses and uses graph database technology to present useful correlations; and I also had another very lively discussion with Snehal Antani, CEO of Horizon3, about the value of continuous, well-informed penetration testing.

Leveraging threat intelligence at the platform level, of course, remains vital as well. The trick in today’s operating environment is how to do this well with cloud migration accelerating. There’s a danger of leaving legacy on-premises systems twisting in the wind. And that’s why emerging frameworks like Security Service Edge (SSE) and Zero Trust Network Access (ZTNA) got a lot of attention at RSAC 2023, and deservedly so.

In the weeks ahead, be on alert for my deep-dive podcast discussions, with vendors that are shaping the security platforms of the near future. The perspectives I heard from two leading vendors in the security platform space were very similar.

I spoke at length to WithSecure CEO Juhani Hintikka and CTO Tim Orchard, as shown above in the main photo atop this column.

And I had a deep dive discussion with Cyware’s Willy Leichter and Neal Dennis. While WithSecure is approaching the task at hand from a slightly different angle than Cyware, both rely on interoperability of multiple systems, i.e. ‘stronger together.’

Our smartphone symbiosis

If you’re like me, you’ll lose track of where you last set down your room key, wallet or coat before you misplace your smartphone.

Our mobile devices, and the mobile apps on them, have become our digital appendages. We feel lost without them. And thus they are destined to endure as our primary user interface.

Yet the security of mobile apps hasn’t advanced much in the past 10 years; bad actors don’t have to work all that hard, or expend many resources, to exploit how we’ve come to use mobile apps.

I spoke with two vendors that are introducing promising innovation that addresses this. Verimatrix CEO Asaf Ashkenazi described for me how his company is leveraging technologies perfected by the entertainment industry to protect mobile apps.

And Approov CEO Ted Miracco told me how his company’s solution borrows from design principles used to lock down semiconductors.

It’s easier than ever for malicious hackers to get deep access, steal data, spread ransomware, disrupt infrastructure and attain long-run unauthorized access. What I saw and heard at RSAC 2023 leaves me encouraged, more so than ever before, that this widening of the security gap will be slowed, and ultimately reversed. I’ll keep watch and keep reporting.


In the age before the cloud, data security was straightforward.

Related: Taming complexity as a business strategy

Enterprises created or ingested data, stored it and secured it in a physical data center. Data security was placed in the hands of technicians wearing tennis shoes, who could lay their hands on physical servers.

Today, company networks rely heavily on hybrid cloud and multi-cloud IT resources, and many startups are cloud native. Business data has been scattered far and wide across cloud infrastructure and just knowing where to look for sensitive data in the cloud, much less enforcing security policies, has become next to impossible for many organizations.

If headline grabbing cyber-attacks weren’t enough, the Biden Administration has begun imposing long-established, but widely ignored data security best practices on any contractor that hopes to do business with Uncle Sam.

Guest expert: Yotam Segev, co-founder and CEO, Cyera

This is where a hot new security service comes into play, designated in 2022 by Gartner as “data security posture management,” or DSPM. With RSA Conference 2023 taking place at San Francisco’s Moscone Center next week, I had the chance to visit with Yotam Segev, co-founder and CEO of San Mateo, Calif.-based security startup Cyera, which is making hay in this emerging DSPM space.

Segev and I discussed how, in the rush to the cloud, companies have lost control of data security, especially in hybrid environments. The core value of DSPM systems, he argues, is that they can help demystify data management, with benefits that ultimately should go beyond security and compliance and actually help ease cloud migration.

Please give a listen to the case Segev makes in the accompanying podcast. I’ll keep watch and keep reporting.


Massively interconnected digital services could someday soon save the planet and improve the lives of one and all.

Related: Focusing on security leading indicators

But first, enterprises and small businesses, alike, must come to grips with software vulnerabilities that are cropping up – and being exploited – at a blistering pace.

Innovative vulnerability management solutions are taking shape to meet this challenge. One of the newest and most promising spins out of the emerging discipline of machine learning operations, or MLOps.

One supplier in the thick of this development is a Seattle-based start-up, Protect AI.

Guest expert: D Dehghanpisheh, co-founder and CRO, Protect AI

I had the chance recently to visit with Daryan Dehghanpisheh, whose professional experience prior to co-founding Protect AI includes four years as the Global Leader of AI/ML Solution Architects at Amazon Web Services.

Protect AI launched in December 2022 with a $13.5 million seed round, co-led by Acrew Capital and boldstart ventures, to develop advanced tools to protect AI systems and machine learning models.

We discussed how the fledgling field of MLSecOps parallels the arrival and maturation of DevSecOps. “DevSecOps is putting security at the heart of everything you do from a DevOps perspective,” Dehghanpisheh told me. “We want to do the same thing with MLOps . . . treat security as an integral part of development, not just as an afterthought.”

For a full drill down on how Protect AI hopes to mainstream MLSecOps – and how that could accelerate the arrival of massively interconnected digital systems — please give the accompanying podcast a listen.


To get network protection where it needs to be, legacy cybersecurity vendors have begun reconstituting traditional security toolsets.

The overarching goal is to derive a superset of dynamic, much more tightly integrated security platforms that we will very much need, going forward.

Related: The rise of security platforms

This development has gained quite a bit of steam over the past couple of years, with established vendors of vulnerability management (VM), endpoint detection and response (EDR) and identity and access management (IAM) solutions in the vanguard.

And this trend is accelerating as 2023 gets underway. DigiCert’s launch today of Trust Lifecycle Manager is a case in point. I had the chance to get briefed on this all-new platform, which gives companies a means to comprehensively manage their public key infrastructure (PKI) implementations along with the associated digital certificates.

I visited with Brian Trzupek, DigiCert’s senior vice president of product. As a leader of digital trust, DigiCert is best known as a Certificate Authority (CA) and a supplier of services to manage PKI. We drilled down on why getting a much better handle on PKI has become vital in a massively interconnected operating environment. DigiCert’s new solution is designed to “unify PKI services, public trust issuance and CA-agnostic certificate lifecycle management,” he told me.

Here are the main takeaways from our discussion:

PKI sprawl

Where would we be without PKI, the framework used to issue and manage digital certificates? We’ve come to rely on PKI to validate and authenticate all connections on websites and mobile apps – as well as all of the internal IT activity, company-to-company, that supports the digital services we now take for granted.

PKI is robust and ubiquitous; and it’s destined to serve that same essential role — as a linchpin validation and authentication mechanism – the further we progress into massively interconnected, highly interoperable digital services.

First, however, PKI sprawl must be mitigated, Trzupek argues. The problem looks something like this, he says: in today’s operating environment, PKI payloads arrive moment to moment from myriad sources: to and from web portals and mobile apps; between cloud and on-premises IT infrastructure; up and down the software development supply chain. What’s more, digital certificates can be issued by different CAs, by component manufacturers, or internally by the enterprise itself.


“You’ve got this big, dynamic spaghetti of stuff coming into the network and interacting, using PKI to authenticate and there is very little the enterprise actually controls,” Trzupek observes. “Often times, the company doesn’t even realize all of these PKI interactions are taking place until something breaks and there’s an outage.”

Outages and attacks

DigiCert’s newest service, Trust Lifecycle Manager, tackles this connections chaos head on, by establishing a hub into which all PKI validation routines can get inventoried and continually managed.

The reduced risk of a major outage caused by an expiring digital certificate alone should grab attention. Just ask Epic Games. An expired certificate triggered an outage that caused Fortnite, its cash-cow video game, to go dark for several hours.

And then there’s the risk of ransomware purveyors or a nation state-backed spy flushing out and exploiting a weak seam in an obscure PKI connection, instigating a nightmare scenario. Just ask SolarWinds.

The SolarWinds attackers, believed to be Russian-backed, did not so much break PKI as ride on it. They gained control of the build process that SolarWinds used to create and automatically issue software updates to its bread-and-butter Orion network management tool, so the backdoored update carried SolarWinds’ own valid code-signing signature and every downstream signature check waved it through. Roughly 18,000 Orion customers installed that update; a far smaller subset was then singled out for follow-on intrusion.

PKI outages and attacks happen much more often than gets publicly disclosed, Trzupek says. The fundamental reason, he says, is that there has been no practical way to compile a comprehensive PKI inventory across a typical enterprise.

“The guy who’s running identity access management is different than the guy in charge of encryption or the guy running DevOps,” he says. “And they’re not talking to each other . . . the encryption guys might be well-versed in PKI management policy, but the DevOps guys probably aren’t –and even if they were, they’re focused on getting code out and moving workloads a fast as possible.”

Taking a platform approach

With Trust Lifecycle Manager, DigiCert is making a lane change from a product company to a platform company. The new offering is a comprehensive service designed to foster centralized monitoring and management of all digital certificates throughout an enterprise. To start, DigiCert is partnering with Microsoft Azure, Amazon Web Services and Google Cloud to integrate PKI telemetry generated by those top-tier cloud infrastructure providers.

On the horizon, Trust Lifecycle Manager will be able to receive and process PKI-related telemetry originating from just about any private or public source, Trzupek told me.

“We already have about 100 integrations and later this year we’ll be opening up publicly so that anybody can come in and ride on top of the system,” Trzupek says.

By leveraging APIs, DigiCert intends to make it possible to “glue in without any help from us,” he says. “The idea is to create a centralized hub where you can see all those digital trust assets across the environment, regardless of where they are.”

The Internet of Everything lies ahead — and brims with promise. A radical new approach, supported by bold new security platforms, coming at it from several angles, must take hold. That’s how we’ll be able to protect company networks, and preserve individual privacy, in a massively interconnected, highly interoperable digital world.

I’ll keep watch and keep reporting.


Ever feel like your smart home has dyslexia?

Siri and Alexa are terrific at gaining intelligence with each additional voice command. And yet what these virtual assistants are starkly missing is interoperability.

Related: Why standards are so vital

Matter 1.0 is about to change that. This new home automation connectivity standard rolls out this holiday season with sky high expectations. The technology industry hopes that Matter arises as the lingua franca for the Internet of Things.

Matter-certified smart home devices will respond reliably and securely to commands from Amazon Alexa, Google Assistant, Apple HomeKit or Samsung SmartThings. Think of it: consumers will be able to control any Matter appliance from any iOS or Android device.

That’s just to start. Backed by a who’s who list of tech giants, Matter is designed to take us far beyond the confines of our smart dwellings. It could be the key that securely interconnects IoT systems at a much deeper level, which, in turn, would pave the way to much higher tiers of digital innovation.

I had the chance to sit down, once more, with Mike Nelson, DigiCert’s vice president of IoT security, to discuss the wider significance of this milestone standard. This time we drilled down on the security pedigree of Matter 1.0. Here are the main takeaways:

Pursuing interoperability

Connectivity confusion reigns supreme in the consumer electronics market. From wrist watches to refrigerators and TVs to thermostats, dozens of smart devices can be found in a typical home. Each device tends to be controlled by a separate app, though many can now also respond to one proprietary virtual assistant or another.

And then there are Zigbee, Z-Wave and Insteon, personal-area networking protocols that have caught fire with tech-savvy consumers keen to pursue DIY interoperability.

The tech giants saw this maelstrom coming. Google, Amazon, Apple, Samsung and others have spent nearly three years hammering out Matter 1.0. What they came up with is an open-source standard designed to ensure that smart home devices from different manufacturers can communicate simply and securely, over Wi-Fi or over Thread, a low-power IP mesh network.


“Matter will create a level of interoperability that makes it so that a consumer can control any Matter-compliant device with whatever virtual assistant they might have,” Nelson says. “It’s going to become a product differentiator because it’s going to create so much value for them.”

This fall, certain brands of smart light bulbs, switches, plugs, locks, blinds, shades, garage door openers, thermostats and HVAC controllers will hit store shelves bearing the Matter logo. If all goes well, soon thereafter Matter-compliant security cameras, doorbells, robot vacuums and other household devices will follow.

Industry work groups already have started brainstorming future iterations of Matter that will make IoT systems in commercial buildings and healthcare facilities much more interoperable – and secure – than is the case today. Beyond that, Matter could bring true interoperability and more robust security to smart cities and autonomous transportations systems. Someday, perhaps, Matter might help to foster major medical breakthroughs and much-needed climate change mitigation.

Preserving digital trust

It’s not too difficult to visualize how imbuing true interoperability into advanced IoT systems, starting small with smart homes, can take us a long way, indeed. It’s also crystal clear that to get there, security needs to become much more robust.

Matter seeks to achieve this right out of the gate by leveraging and extending the public key infrastructure (PKI) — the tried-and-true authentication and encryption framework that underpins the legacy Internet.

PKI preserves digital trust across the Internet by designating certificate authorities (CAs) to issue digital certificates, which are then relied upon to authenticate user and machine identities when a connection is set up. The keys those certificates bind to an identity are also what protocols such as TLS use to encrypt data as it moves between endpoints.

Matter sets forth a similar approach for preserving trust in the data transfers that will take place across advanced IoT systems. An extensive process for issuing a “device attestation certificate” for each Matter-approved device has been put into place. DigiCert, a leading provider of digital trust and a leading certificate authority, recently became the first organization approved to serve much the same role when it comes to issuing Matter attestation certificates.

With respect to Matter, DigiCert has met the requirements to be designated as the first Product Attestation Authority (PAA). This boils down to DigiCert taking extensive measures to create, preserve and distribute, at scale, an instrument referred to as a ‘root of trust.’

Nelson described for me how these roots of trust are at the core of each certificate issued for every smart device that meets the Matter criteria.

Observes Nelson: “The root of trust creates an immutable identity . . . So when you have a Yale lock trying to connect to an Amazon virtual assistant, the first thing it does is look to see if there’s a trusted signature from a trusted root. If it’s there, it greenlights the communication and now two secure, compliant devices can interoperate. So these roots of trust become the magic of secure interoperability.”
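To make the root-of-trust check Nelson describes concrete, here is an added example written for this column; it is not DigiCert’s code and not code from the Matter specification. Using only Go’s standard library, it mints a small three-tier chain that mirrors the Matter roles: a Product Attestation Authority as the self-signed root, a Product Attestation Intermediate signed by it, and a Device Attestation Certificate for one device. It then verifies the device certificate against a trust store holding the legitimate PAA, and repeats the verification for a look-alike chain whose root carries the same name but a key nobody admitted. It also runs the expiry sweep that the Trust Lifecycle Manager piece earlier on this page is about: which certificates in the inventory lapse within 30 days. The certificate names, lifetimes and the 30-day window are assumptions made for the example; the real Matter attestation flow carries vendor and product identifiers and further extensions that are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn, valid from now-1h to notAfter, signed by parent (self-signed when nil).
func issue(cn string, isCA bool, now, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA, // true for the PAA and PAI, false for the DAC
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyDAC is the check Nelson describes: the device attestation certificate must chain, through
// its PAI, to the PAA in the verifier's trust store (a single root here); any other root is rejected.
func VerifyDAC(dac, pai, trustedPAA *x509.Certificate, now time.Time) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedPAA)
	intermediates.AddCert(pai)
	_, err := dac.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// ExpiringWithin is the inventory question a lifecycle manager answers: what lapses before now+window?
func ExpiringWithin(inventory []*x509.Certificate, now time.Time, window time.Duration) []string {
	var out []string
	for _, c := range inventory {
		if c.NotAfter.Before(now.Add(window)) {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// Outcome: Legit is nil (admitted chain accepted); Rogue is non-nil (unadmitted root rejected).
type Outcome struct{ Legit, Rogue error; Expiring []string }

// Scenario builds a legitimate PAA -> PAI -> DAC chain plus a second chain whose root carries
// the same name but a key nobody admitted, verifies both, and sweeps the inventory for expiry.
func Scenario(now time.Time) (o Outcome, err error) {
	mk := func(cn string, ca bool, notAfter time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, e := issue(cn, ca, now, notAfter, parent, pk)
		if e != nil && err == nil {
			err = e // keep the first failure; checked once all six are minted
		}
		return c, k
	}
	paa, paaKey := mk("Example PAA", true, now.AddDate(20, 0, 0), nil, nil)
	pai, paiKey := mk("Example PAI", true, now.AddDate(10, 0, 0), paa, paaKey)
	dac, _ := mk("Example DAC", false, now.AddDate(0, 0, 20), pai, paiKey) // valid today, lapses in 20 days
	roguePAA, rogueKey := mk("Example PAA", true, now.AddDate(20, 0, 0), nil, nil)
	roguePAI, roguePAIKey := mk("Example PAI", true, now.AddDate(10, 0, 0), roguePAA, rogueKey)
	rogueDAC, _ := mk("Example DAC", false, now.AddDate(5, 0, 0), roguePAI, roguePAIKey)
	if err != nil {
		return o, err
	}
	o.Legit = VerifyDAC(dac, pai, paa, now)
	o.Rogue = VerifyDAC(rogueDAC, roguePAI, paa, now)
	o.Expiring = ExpiringWithin([]*x509.Certificate{paa, pai, dac}, now, 30*24*time.Hour)
	return o, nil
}

func main() {
	fmt.Println(Scenario(time.Now()))
}
```

Run it and the first verification returns nil while the second fails with an unknown-authority error, even though every name in the rogue chain matches: the only thing the verifier trusts is a signature that traces back to the admitted root. The expiry sweep names the device certificate, which is the alert that would have headed off the expired-certificate outage described earlier on this page.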

It’s encouraging to see security baked in at the ground floor level of a milestone standard; Matter could pave the way for the full fruition of an Internet of Everything that’s as secure as it ought to be. For that to happen, wide consumer adoption must follow; hardware manufacturers and software developers must jump on the Matter bandwagon. I’ll keep watch and keep reporting.


Standards. Where would we be without them?

Universally accepted protocols give us confidence that our buildings, utilities, vehicles, food and medicines are uniformly safe and trustworthy. At this moment, we’re in dire need of implementing standards designed to make digital services as private and secure as they need to be.

Related: How Matter addresses vulnerabilities of smart home devices

A breakthrough is about to happen with the roll out this fall of Matter, a new home automation connectivity standard backed by Amazon, Apple, Google, Comcast and others.

Matter is intended to be the lingua franca for the Internet of Things. It’s only a first step and there’s a long way to go. That said, Matter is an important stake in the ground. To get a full grasp on why Matter matters, I recently visited with Steve Hanna, distinguished engineer at Infineon Technologies, a global semiconductor manufacturer based in Neubiberg, Germany.

For a full drill down on our evocative discussion, please watch the accompanying videocast. Here are the main takeaways:

Great leap coming

We’ve only scratched the surface in terms of bringing advanced digital technologies to bear solving humankind’s most profound challenges. Data gathering, data analytics, machine learning and digital automation have advanced to the level where they could be leveraged to accomplish much greater things.

Climate change solutions, driverless vehicles and stupendous medical breakthroughs are close at hand. Likewise, it’s no longer the stuff of science fiction to imagine how advanced digital services could be directed at making water, food, health services and even economic stability readily available to every inhabitant of the planet.

However, before any of these great leaps forward can happen, organizations must achieve digital resiliency. The only way for digital innovation to achieve its full potential is if enterprises and small businesses alike embrace technologies and best practices that support agility, while at the same time choking off any unauthorized network access.

“The Internet of Things is a huge new platform for amazing innovation,” Hanna observes. “But none of it will happen if we don’t get cybersecurity right and people have confidence in the safety and security of every domain the Internet of Things will be present in, whether it’s smart homes, smart vehicles or smart cities.”

Interoperability needed

At present, it’s easier than ever for malicious hackers to breach business networks and gain a foothold from which to steal data, spread ransomware, disrupt infrastructure and attain long-run unauthorized access.


This is the consequence of rapid migration to cloud-centric IT resources, a trend that has only accelerated as organizations come to rely more heavily on a remote workforce and a globally-scattered supply chain.

Today, processing power and data storage get delivered virtually from Amazon Web Services (AWS), Microsoft Azure or Google Cloud, and communication and collaboration tools are supplied by dozens to hundreds of mobile and web apps. Modern digital services are the product of far-flung software code interconnecting dynamically. This has resulted in an exponential expansion of a network’s attack surface; every connection represents an attack vector that must be accounted for.

The problem isn’t a dearth of telemetry, nor a lack of data analytics know-how; we’ve got plenty of both. The reason threat actors are having a field day is because of a fundamental lack of interoperability between legacy and next-gen security tools delivered by highly competitive technology vendors.

Meshing agility, security

Matter signals the start of addressing this interoperability conundrum, Hanna told me. Here’s how:

Google, Amazon and Apple, arguably the most competitive tech giants, have spent nearly three years hammering out Matter, a global open-source standard designed to ensure that smart home devices from different manufacturers can communicate simply and securely.

Starting this fall, smart light bulbs, thermostats and garage door openers using the Matter standard will start appearing on store shelves. Matter devices will be compatible with Amazon Alexa, Google Assistant, or Apple HomeKit. Notably, they’ll connect to the Internet – and to each other – via an advanced type of mesh network.

This mesh network is designed to be both agile and secure, offering convenience without sacrificing security. Consumers will be able to control their IoT devices with any phone, without necessarily having to connect to the Internet.

This ability for a consumer to disconnect smart home devices from the Internet, yet still operate them locally, should enhance convenience while also boosting security. By keeping Matter devices offline most of the time, i.e. when at home, a consumer can directly eliminate a primary attack vector: exposure to the public Internet.

Baked-in security

Thus Matter is a template and a harbinger. Hardware manufacturers, Infineon among them, as well as security software developers, are already off and running. They’re designing and testing prototype components for the coming generation of interoperable network security solutions that, if all goes well, should extend from Matter, Hanna says.

At one level, Matter provides a model for how rival tech vendors can, and must, collaborate to derive a new tier of standards for highly-interconnected digital services. At another level, Matter tangibly demonstrates how convenience and security can be two sides of the same coin.

For its part, Infineon is pioneering a way to bake in advanced security controls at the chip level. Please do watch the accompanying video for Hanna’s deeper dive into work that’s underway to set up a cloud-based “resiliency engine” that can keep close track of things like real-time threat intelligence and vulnerability patching – and then automatically update systems at the chip level, as needed. In order to do this comprehensively, industry-wide consensus needs to gel around several more levels of connectivity standards. Matter is the first baby step.

“The Internet of Things needs a full set of interoperability standards in order for new applications to be invented,” Hanna observes. “Then the more interesting innovation can happen. We’re creating a platform for innovation and none of us can predict what those innovations will be, any more than Vint Cerf knew what the Internet would become when he was involved in creating it in 1969.”

The traction Matter gains in the coming months will tell us a lot about whether companies understand what it will take to get us to the next level of digital innovation. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Network security has been radically altered, two-plus years into the global pandemic.

Related: Attack surface management rises to the fore

The new normal CISOs face today is something of a nightmare. They must take into account a widely scattered workforce and somehow comprehensively mitigate new and evolving cyber threats.

Criminal hacking collectives are thriving, more than ever. Security teams are on a mission to push network defenses to the perimeter edges of an open, highly interconnected digital landscape; the defenders are under assault and running hard to stay one step ahead.

Managed security services providers (MSSPs) have been steadily evolving for two decades; they now seem poised to help large enterprises and, especially, small to mid-sized businesses manage their cybersecurity.

The global market for managed security services is estimated to be growing at a compound annual rate of 14 percent and should climb to $44 billion by 2026, up from $23 billion in 2021, says research firm MarketsandMarkets.


“Managed security service providers are rising to meet a need that’s clearly out there,” observes Elizabeth Jimenez, executive director of market development at NeoSystems, an MSP and systems integrator. “We can plug in parts or all of a complete stack of cutting-edge security technologies, and provide the expertise an organization requires to operate securely in today’s environment.”

MSSPs arrived on the scene some 17 years ago to help organizations cope with the rising complexity of their IT infrastructure. The focus in those early days was on compliance and device management. MSSPs have since broadened and advanced their services, a trend that continued as cloud migration gained momentum in the 2010s — and then accelerated with the onset of Covid-19.

Today, it’s feasible for an enterprise or SMB to outsource just about any facet of their security program — much the same as outsourcing payroll or human services functions.

I’ve had a couple of deep discussions about this trend with NeoSystems. The company is based in Washington D.C. and one of its specialties is helping government contractors continuously monitor and manage their networks, systems and data. For more info, visit neosystemscorp.com.

A drill-down on MSSPs is coming tomorrow in a news analysis column and podcast. Stay tuned.


Penetration testing – pen tests – traditionally have been something companies might do once or twice a year.

Related: Cyber espionage is on the rise

Bad news is always anticipated. That’s the whole point. The pen tester’s assignment is to seek out and exploit egregious, latent vulnerabilities – before the bad guys do – thereby affording the organization a chance to shore up its network defenses.

Pen testing has limitations, of course. The probes typically take considerable effort to coordinate and often can be more disruptive than planned.

These shortcomings have been exacerbated by digital transformation, which has vastly expanded the network attack surface.

Guest expert: Snehal Antani, CEO, Horizon3.ai

I had the chance at Black Hat 2022 to visit with Snehal Antani and Monti Knode, CEO and director of customer success, respectively, at Horizon3.ai, a San Francisco-based startup, which launched in 2020. Horizon3 supplies “autonomous” vulnerability assessment technology.

Co-founder Antani previously served as the first CTO for the U.S. Joint Special Operations Command (JSOC) and Knode was a commander in the U.S. Air Force 67th Cyberspace Operations Group. They argue that U.S. businesses need to take a wartime approach to cybersecurity. For a full drill down, please give the accompanying podcast a listen.

Horizon3’s flagship service, NodeZero, is designed to continuously assess an organization’s network attack surface to identify specific scenarios by which an attacker might combine stolen credentials with misconfigurations or software flaws to gain a foothold.

Will pen testing make a great leap forward? I’ll keep watch and keep reporting.
