For a couple of decades now, the web browser has endured in workplace settings as the primary employee-to-Internet interface. It is simply taken as a given that a browser built for consumers is an acceptable application for employees to do their work in.

And despite advances, like sandboxing, browser isolation and secure gateways, the core architecture of web browsers has remained all too vulnerable to malicious attacks.

There was a lot of buzz at Black Hat USA 2023 about advanced “enterprise browsers.” I visited with Uy Huynh, vice president of solutions engineering at Island.io, to discuss this. For a full drill down please give the accompanying podcast a listen.

Built on the Chromium open source code, Island’s Enterprise Browser recognizes the identity and considers the role of each user—be it an employee, contractor, or HR personnel. This granular visibility aids in rapid onboarding while also bolstering security protocols, Huynh explained.

This can serve as a “last mile” checkpoint to curtail Shadow IT; in particular, the exploding popularity of generative AI.

Guest expert: Uy Huynh, VP of solutions engineering, Island.io

Island’s solution prevents sensitive data from slipping out of a web browser into services like ChatGPT, or through downloads, screenshots, printing or copy/paste.

“With generative AI, you could inadvertently be placing your intellectual property or other sensitive information into large language models that anyone can access,” Huynh warns.

Meanwhile, a specific alert can be communicated to the user, enhancing awareness training, and reinforcing compliance.

“In essence, what we’re trying to do is to offer enterprises granular control over their browser environment,” Huynh says.

Anything that can improve security while preserving a high-quality user experience has a place in networks, going forward. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)


API security has arisen as a cornerstone of securing massively interconnected cloud applications.

At Black Hat USA 2023, I had a great discussion about API security with Data Theorem COO Doug Dooley and AppLovin CISO Jeremiah Kung. For a full drill down, please give the accompanying podcast a listen.

As a fast-rising mobile ad network going toe-to-toe with Google and Facebook, AppLovin has been acquiring advanced security tools and shaping new practices to manage its API exposures. Kung described for me how Data Theorem’s API Secure is proving to be a vital weapon in AppLovin’s security arsenal.

APIs have become the “lifeblood” of apps and thus a prime target for cyber criminals, Kung says. AppLovin has learned that it must mitigate API exposures from multiple angles, he told me.

Robust API security has become table stakes – for cloud-native companies like AppLovin as well as for legacy enterprises stepping up their cloud plays, Dooley argues.

Guest experts: Doug Dooley, COO, Data Theorem; Jeremiah Kung, CISO, AppLovin

“The moment you go cloud, the number of attack surfaces explodes and there’s really no way to stop it, because it’s like trying to stop innovation,” Dooley says. “As long as you let feature development happen with modern techniques of cloud services and third-party software suppliers, you’re going to have more APIs than you even realize you have embedded and exposed throughout your application stacks.”

Securing APIs is even more vital as generative AI takes center stage, giving attackers one more powerful tool to scale up their campaigns. Yes, AI is bolstering hacking techniques; but it can also strengthen the defensive capabilities of security teams, programs and products, Dooley observes.

The arms race is just warming up, folks. I’ll keep watch and keep reporting.


LAS VEGAS — Shadow IT and BYOD security exposures have long bedeviled businesses – ever since the iPhone and Dropbox first came on the scene.

Covid-19 only intensified the problem of how to securely manage the personally owned devices and unvetted apps employees gravitate to.

At Black Hat USA 2023, taking place here this week, suppliers of unified endpoint management (UEM) solutions collectively will lay out a roadmap for resolving Shadow IT and BYOD once and for all.

UEM vendors range from tech giants IBM, Microsoft and Google to a swelling cottage industry of startups and mid-sized suppliers of mobile device and vulnerability management services.

I had the chance to visit with Ashley Leonard, CEO of Syxsense, a Newport Beach, Calif.-based vendor in this space. For a full drill down, please give the accompanying podcast a listen.

Guest expert: Ashley Leonard, CEO, Syxsense

Protecting endpoints without frustrating employees can be done, Leonard argues. Towards that end, Syxsense this week is announcing new capabilities that leverage AI to automate continuous monitoring and real-time remediation of endpoints.

“We’re truly in an arms race,” he says. “As the bad guys deploy new weapons, like generative AI, the good guys have to equally use the power of technology to detect threats and protect their organization.”

Reliance on machine learning and automation continues to quicken. There’s a long road ahead. I’ll keep watch and keep reporting.


The rise of the remote workforce, post Covid-19, did nothing to make the already difficult task of doing Identity and Access Management (IAM) any easier for CISOs.

With Black Hat USA 2023 ramping up in Las Vegas next week, cybersecurity startup Trustle is championing a new product category—Identity Threat Detection & Response (ITDR)—which aims to enhance the capabilities of legacy IAM solutions.

Companies today are struggling to answer fundamental questions about their cloud environments, such as, who are my users and what can they access? How did they obtain this access? When they don’t need this access, do their identities still exist? Questions like these are a driving force behind the adoption of ITDR, which is becoming a crucial component in the realm of Cloud Infrastructure Entitlement Management (CIEM) and access management.

I had the chance to sit down with Trustle CEO Emiliano Berenbaum to learn just how ITDR can help companies much more efficiently manage user identities and access privileges, while also strengthening security, in an increasingly complex operating environment. For a drill down, please give the accompanying podcast a listen.

Guest expert: Emiliano Berenbaum, CEO, Trustle

For its part, Trustle is focused on taking a more advanced approach to needs-based access control. Trustle’s view is that if it is easy for employees to obtain the access they need to do their job, it will be easy for them to give it up when they no longer need it. Conversely, if access is hard to get because the process is complicated and slow, employees will push back harder on giving it up once they have it, even when they no longer need it – leaving the organization carrying access it did not intend to grant.

“The big thing is managing entitlements across multiple SaaS applications,” Berenbaum told me. “Today, it’s more of a manual process and we’re trying to automate that more and more with machine learning.”

As we move deeper into massively interconnected services, more granular vetting of user identities and access privileges surely makes good sense. Will ITDR arise as a critical component of securing modern networks? I’ll keep watch and keep reporting.


SMS toll fraud is spiking. I learned all about the nuances of deploying – and defending – these insidious attacks in a recent visit with Arkose Labs CEO, Kevin Gosschalk, who explained how the perpetrators victimize businesses that use text messages to validate phone users signing up for a new account.

Related: Countering Putin’s weaponizing of ransomware

The fraudsters set themselves up as “affiliates” of phone companies in Indonesia, Thailand and Vietnam and then use bots to apply for online accounts, en masse, at a targeted business. The con: each text message the business then sends in return — to validate the applicant — generates a fee for the phone company, which it shares with the affiliate.

This fraudulent activity usually remains undetected until the business receives a bill for an unusually high number of text messages sent to seemingly legitimate users.
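The detection gap described above (nobody notices until the bill arrives) closes considerably if the business watches its own verification-SMS log. The following is an added example, not Arkose Labs’ code: it buckets outbound verification messages by hour and destination country and flags a burst to a destination with little or no history where almost no applicant ever enters the code, which is the signature of bot-driven signups. The log format, the tiny country-code table, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Added example (not Arkose Labs' code): spot SMS toll-fraud bursts in a
verification-SMS log before the carrier bill arrives.

Assumed log format (constructed): one event per line,
    <ISO-8601 timestamp> <destination number, E.164> <verified|unverified>
The country-code table and all thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, deliberately tiny E.164 prefix table (real deployments use a full one).
COUNTRY_CODES = {"62": "ID", "66": "TH", "84": "VN", "1": "US", "44": "GB"}


def country_of(number: str) -> str:
    """Map an E.164 number to a country label by longest matching prefix."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in COUNTRY_CODES:
            return COUNTRY_CODES[digits[:length]]
    return "??"


def parse_events(lines):
    events = []
    for line in lines:
        ts, number, status = line.split()
        events.append((datetime.fromisoformat(ts), number, status == "verified"))
    return events


def hourly_stats(events):
    """Sends and completed verifications per (hour, country)."""
    stats = defaultdict(lambda: [0, 0])
    for ts, number, verified in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        key = (hour, country_of(number))
        stats[key][0] += 1
        stats[key][1] += int(verified)
    return stats


def detect_toll_fraud(lines, min_sends=20, max_verify_rate=0.2, spike_factor=5.0):
    """Flag (hour, country) buckets where a burst of verification SMS goes to a
    destination that rarely receives any, and almost nobody finishes signing up.
    Legitimate applicants complete verification at a high rate; pumped traffic does not."""
    stats = hourly_stats(parse_events(lines))
    per_country = defaultdict(dict)
    for (hour, cc), (sends, _) in stats.items():
        per_country[cc][hour] = sends
    alerts = []
    for (hour, cc), (sends, verified) in sorted(stats.items()):
        # Baseline = median sends in this country's *other* hours; 0 if it has no history.
        history = sorted(s for h, s in per_country[cc].items() if h != hour)
        baseline = history[len(history) // 2] if history else 0
        rate = verified / sends
        if sends >= min_sends and rate <= max_verify_rate and sends >= spike_factor * baseline:
            alerts.append({"hour": hour.isoformat(), "country": cc,
                           "sends": sends, "verify_rate": round(rate, 2)})
    return alerts


def constructed_log():
    """Constructed sample: steady US/GB signups for four hours, plus a bot burst
    to Indonesian numbers in the last hour."""
    base = datetime(2023, 6, 1, 8, 0)
    lines = []
    for hour in range(4):
        for i in range(10):
            ts = base + timedelta(hours=hour, minutes=i * 5)
            prefix = "+1415" if i % 2 else "+4420"
            status = "unverified" if i == 9 else "verified"   # most real users finish
            lines.append(f"{ts.isoformat()} {prefix}555{hour:02d}{i:02d} {status}")
    burst = base + timedelta(hours=3)
    for i in range(60):
        ts = burst + timedelta(seconds=i * 30)
        status = "verified" if i % 20 == 0 else "unverified"  # bots almost never enter the code
        lines.append(f"{ts.isoformat()} +628{i:08d} {status}")
    return lines


if __name__ == "__main__":
    for alert in detect_toll_fraud(constructed_log()):
        print(alert)
```

On the constructed sample the only alert is the Indonesian burst (60 sends, 5 percent verified); the steady US and GB traffic stays under the send threshold and verifies at a high rate. The per-country baseline is deliberately a median over other hours so that one spike cannot raise its own baseline, and a country with no history at all gets a baseline of zero, since a sudden first-ever burst to a new destination is exactly what this fraud looks like.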

As a solution, Arkose Labs aims to increase the cost of attacks, making them less profitable for the fraudsters.

Guest expert: Kevin Gosschalk, CEO, Arkose Labs

Their technology detects malicious actions and offers differing levels of challenges, based on a risk threshold. They also provide their customers with threat intelligence that can be used to prevent attackers from profiting. For a full drill down on our discussion, please give the accompanying podcast a listen.

This is one more example of cybercriminals cleverly exploiting the flaws in a convenient business process. It surely won’t be the last. I’ll keep watch and keep reporting.


Back in 2002, when I was a reporter at USA Today, I had to reach for a keychain fob to retrieve a single-use passcode to connect remotely to the paper’s publishing system.

Related: A call to regulate facial recognition

This was an early example of multifactor authentication (MFA). Fast forward to today; much of the MFA concept is being reimagined by startup Circle Security to protect data circulating in cloud collaboration scenarios.

I learned about this at RSA Conference 2023 from company Co-founder and CEO Phani Nagarjuna, who explained how Circle extends the use of encryption keys fused to biometrics and decentralizes where copies of the keys are stored. For a full drill down, give the accompanying podcast a listen.

Guest expert: Phani Nagarjuna, CEO, Circle Security

According to Nagarjuna, Circle’s technology places a small agent on the endpoint device. This facilitates the creation of an asymmetric key pair and a symmetric AES-256 key. Together these keys authenticate the user’s identity and enable secure and private access to cloud-stored data and resources.

Access to cloud-stored files can then be shared widely. But only authorized individuals, with proof of identity originating from their authenticated device, can open the files. All access attempts get audited using a built-in distributed ledger, allowing policy enforcement and quick remediation.

This iteration of my old-school keychain fob thus eliminates the need for usernames and passwords while much more robustly protecting sensitive data, Nagarjuna asserts. How much traction will it get? I’ll keep watch and keep reporting.


A cloud migration backlash, of sorts, is playing out.

Related: Guidance for adding ZTNA to cloud platforms

Many companies, indeed, are shifting to cloud-hosted IT infrastructure, and beyond that, to containerization and serverless architectures.

However, a “back-migration,” as Michiel De Lepper, global enablement manager, at London-based Runecast, puts it, is also ramping up. This is because certain workloads are proving to be too costly to run in the cloud — resource-intensive AI modeling being the prime example.

I had an evocative discussion about this with De Lepper and his colleague, Markus Strauss, Runecast product leader, at RSA Conference 2023. For a full drill down, please give the accompanying podcast a listen. The duo outlined how a nascent discipline — Cloud-Native Application Protection Platforms (CNAPP) — factors in.

Guest experts: Markus Strauss, Product Leader, and Michiel De Lepper, Global Enablement Manager, Runecast

CNAPP solutions focus on monitoring and enforcing security policies on workloads and in applications – during runtime. This is no small feat in an operating environment of co-mingled on-prem and cloud-hosted resources.

Runecast, for instance, takes a proactive approach to risk-based vulnerability management, configuration management, container security, compliance auditing, remediation and reporting.

This helps with compliance, at one level, but also continually improves detection of any soft spots and/or active attacks, while also paving the road to automated remediation.

“It’s no longer about creating shields,” De Lepper told me, “Instead, we’re helping our customers plug all the gaps the bad guys can use.”

CNAPP solutions show promise for helping overcome the complexities of fragmented defenses; will they ultimately lead to more resilient business networks? I’ll keep watch and keep reporting.


The world of Identity and Access Management (IAM) is rapidly evolving.

Related: Stopping IAM threats

IAM began 25 years ago as a method to systematically grant human users access to company IT assets. Today, a “user” most often is a snippet of code seeking access at the cloud edge.

At the RSAC Conference 2023, I sat down with Venkat Raghavan, founder and CEO of start-up Stack Identity. As Raghavan explained, the rapid growth of data and subsequent application development in the cloud has led to a sprawling array of identities and access points. This, he warned, has created a new problem: shadow access.

Shadow access refers to ungoverned and unauthorized access that arises due to the speed and automation of cloud deployment. For a drill down, please give the accompanying podcast a listen.

Guest expert: Venkat Raghavan, CEO, Stack Identity

Stack Identity’s solution quickly onboards a customer’s cloud accounts, methodically identifies potential pathways to data and comprehensively assesses risk. Once all human and non-human access points are identified, automated remediation kicks in to eliminate shadow access.

Notably, this process happens at runtime, watching access in real-time, and looking at how access is utilized, Raghavan told me.

“We have seen in live customer environments that over 50 percent of identities are over-permissioned and should have access permissions revoked,” he says. “This represents a substantial risk for companies.”
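The over-permissioning Raghavan describes is measurable with data most cloud tenants already have: the entitlements a policy grants versus the actions an access log shows each identity actually performed. The following is an added example, not Stack Identity’s code, showing that comparison for both human and non-human identities. It treats wildcard grants as exercised only by the concrete actions that matched them (a narrowing hint), flags identities with no activity at all in the lookback window as dormant, and names an identity a revocation candidate when it is dormant or more than half of its grants went unused. The policy format, the log format and all the identities and calls are constructed assumptions.

```python
"""Added example (not Stack Identity's code): find over-permissioned and dormant
identities by comparing what a policy grants with what an access log shows was used.

Assumptions (all constructed): grants are action patterns in service:Action form,
'*' allowed; the access log has one line per call:
    <ISO-8601 timestamp> <identity> <action>
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed entitlements: identity -> set of granted action patterns.
GRANTED = {
    "svc-build-pipeline": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                           "iam:PassRole", "ec2:*"},
    "alice": {"s3:GetObject", "s3:ListBucket"},
    "svc-report-gen": {"dynamodb:*", "kms:Decrypt", "s3:GetObject"},
    "bob-contractor": {"s3:*"},          # engagement ended, identity never removed
}

# Constructed access log for the lookback window.
ACCESS_LOG = """\
2023-05-01T10:00:00Z svc-build-pipeline s3:GetObject
2023-05-01T10:00:02Z svc-build-pipeline s3:PutObject
2023-05-01T11:30:00Z alice s3:ListBucket
2023-05-01T11:30:05Z alice s3:GetObject
2023-05-02T01:00:00Z svc-report-gen dynamodb:Query
2023-05-02T01:00:01Z svc-report-gen kms:Decrypt
2023-05-02T01:00:02Z svc-report-gen s3:GetObject
2023-05-03T09:15:00Z svc-build-pipeline s3:GetObject
""".splitlines()


def observed_actions(log_lines):
    """identity -> set of distinct actions seen in the log."""
    used = defaultdict(set)
    for line in log_lines:
        _ts, identity, action = line.split()
        used[identity].add(action)
    return used


def analyze_entitlements(granted, log_lines):
    """Per identity: grants never exercised, wildcard grants with the concrete
    actions that actually hit them (narrowing candidates), and dormancy."""
    used = observed_actions(log_lines)
    report = {}
    for identity, patterns in granted.items():
        seen = used.get(identity, set())
        unused = sorted(p for p in patterns if not any(fnmatchcase(a, p) for a in seen))
        wildcards = {p: sorted(a for a in seen if fnmatchcase(a, p))
                     for p in patterns if "*" in p and p not in unused}
        report[identity] = {
            "dormant": not seen,
            "unused": unused,
            "unused_share": len(unused) / len(patterns),
            "wildcards_exercised": wildcards,
        }
    return report


def revoke_candidates(report, threshold=0.5):
    """Identities that are dormant or whose unused share of grants exceeds threshold."""
    return sorted(i for i, r in report.items()
                  if r["dormant"] or r["unused_share"] > threshold)


if __name__ == "__main__":
    rep = analyze_entitlements(GRANTED, ACCESS_LOG)
    for identity in revoke_candidates(rep):
        print(identity, rep[identity])
```

On the constructed data the build pipeline (three of five grants unused, including an `ec2:*` wildcard it never touched) and the departed contractor (dormant) come out as revocation candidates, while the report generator’s `dynamodb:*` grant is shown to have been exercised only by `dynamodb:Query`, which is the information needed to narrow it. The analysis is over a fixed lookback window; a real deployment would rerun it continuously, since runtime observation is the point of the approach described above.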

This risk is material; just ask Capital One or LastPass. Here’s another example of directing ML and automation at shrinking the attack surface. Stack Identity emerged from stealth just last month with $4 million in seed funding. I’ll keep watch and keep reporting.


The inadequacy of siloed security solutions is well-documented.

Related: Taking a security-first path

The good news is that next-gen security platforms designed to unify on-prem and cloud threat detection and remediation are, indeed, coalescing.

At RSA Conference 2023 I visited with Elias Terman, CMO, and Sudarsan Kannan, Director of Product Management, from Uptycs, a Waltham, Mass.-based supplier of “unified CNAPP and EDR” services.

They described how Uptycs is borrowing proven methodologies from Google, Akamai, SAP and Salesforce to harness normalized telemetry that enables Uptycs to correlate threat activity — wherever it is unfolding. Please give a listen to the accompanying podcast for a full drill down.

Guest experts: Elias Terman, CMO, Sudarsan Kannan, Director of Product Management, Uptycs

Kannan described how Uptycs’ technology platform was inspired by Google’s dynamic traffic monitoring, Akamai’s content distribution prowess and Salesforce’s varied use cases built on a single data model, to help companies materially upgrade their security posture. The aim, he says, is to think like attackers, who certainly don’t operate in silos.

Terman offered the analogy of a “golden thread” stitching together varied threat activities and serving as a cloud security early warning system. The entire value chain is thereby protected, Kannan added, from the developers writing the code to automated connections to critical cloud workloads.

Terman detailed how Uptycs’ platform, indeed, touches everything within the modern attack surface and, in doing so, breaks down legacy silos and facilitates better security outcomes.

This is part and parcel of the helpful dialogue that will carry us forward. I’ll keep watch and keep reporting.


As digital transformation accelerates, Application Programming Interfaces (APIs) have become integral to software development – especially when it comes to adding cool new functionalities to our go-to mobile apps.

Related: Collateral damage of T-Mobile hack

Yet, APIs have also exponentially increased the attack vectors available to malicious hackers – and the software community has not focused on slowing the widening of this security gap.

Mobile apps work by hooking into dozens of different APIs, and each connection presents a vector for bad actors to get their hands on “API secrets,” i.e., everything from backend data to encryption keys, digital certificates and user credentials that enable them to gain unauthorized control.

I learned this from Ted Miracco, CEO of Approov, in a discussion we had at RSA Conference 2023. For a full drill down, please give the accompanying podcast a listen.

Guest expert: Ted Miracco, CEO, Approov

He also explains how hackers are carrying out “man in the middle” attacks during a mobile app’s runtime in ways that enable them to manipulate the communication channel between the app and the backend API.

Hackers know just how vulnerable companies are at this moment. Approov recently did a deep-dive study of 650 mobile apps from financial institutions across Europe and the US. The results were startling: the researchers could access API secrets in 95 percent of the apps, including “high value” secrets in 25 percent of them.
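Secrets that can be lifted from 95 percent of shipped apps were, in most cases, placed in the build by the developers themselves. A cheap mitigation is to scan the unpacked app bundle for them before release, in the same way source repositories are scanned. The following is an added example, not Approov’s code or the study’s method: it checks unpacked resource files against a few known secret formats and falls back to a Shannon-entropy heuristic for long random-looking literals, while leaving a public certificate alone. The file set, the patterns, the entropy threshold and the sample values are constructed; the AWS key id is Amazon’s public documentation example, not a live credential.

```python
"""Added example (not Approov's code): a pre-release check that scans an app's
unpacked resource files for secrets baked into the build.

Assumptions: files are given as a {path: text} mapping (constructed here from
an unpacked bundle); the regexes and entropy threshold are illustrative, and
the AWS key id below is Amazon's public documentation example, not a live key."""
import math
import re

# Ordered: specific formats first, generic key/value last.
PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)[\"']?\s*[:=]\s*[\"']?[A-Za-z0-9_\-]{20,}"),
}
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")   # candidate literals for the entropy check


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and URLs score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_file(path, text, entropy_threshold=4.0):
    """One finding per offending line: a known format wins over the entropy heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = next((k for k, rx in PATTERNS.items() if rx.search(line)), None)
        if kind is None:
            # No known format matched: fall back to entropy over long token runs.
            for token in TOKEN.findall(line):
                if shannon_entropy(token) >= entropy_threshold:
                    kind = "high_entropy_literal"
                    break
        if kind:
            findings.append({"file": path, "line": lineno, "kind": kind})
    return findings


def scan_bundle(files, entropy_threshold=4.0):
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text, entropy_threshold))
    return findings


# Constructed excerpt of an unpacked bundle.
SAMPLE_BUNDLE = {
    "res/values/strings.xml": (
        '<string name="api_base">https://api.example.com</string>\n'
        '<string name="backend_key">XyZ9q8v7Lm2N4pR6sT1uW3kJ5hG0fD</string>\n'),
    "assets/config.json": '{"api_key": "AKIAIOSFODNN7EXAMPLE", "debug": false}\n',
    "assets/client.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n",
    "assets/ca.pem": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUf\n",  # public cert: must not fire
}


if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(finding)
```

On the constructed bundle the scan reports three lines: the high-entropy backend key in `strings.xml`, the AWS key id in `config.json` and the private key block in `client.key`; the CA certificate produces nothing, because a public certificate is expected in an app while a private key is not. Wiring this into the build so that any finding fails the release is the useful part; the entropy threshold will need tuning per app, since long base64 resource names can score close to random keys.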

Until API security generally gains a lot more ground, and next gen solutions achieve critical mass, the risk level will remain high. So be careful out there. I’ll keep watch and keep reporting.
