Could cybersecurity someday soon be implemented as a business enabler, instead of continuing to be viewed as an onerous business expense?

Related: Security sea-change wrought by ‘CMMC’

This would fit nicely with the ‘stronger together’ theme heralded at RSA Conference 2023.

WithSecure is one cybersecurity vendor that is certainly on this path. I had a lively conversation at Moscone Center with CEO Juhani Hintikka and CTO Tim Orchard all about something they’re championing as “outcome-based security.” In sum, this refers to the notion of correlating the mix of security tools and services a company has at hand much more directly with precisely defined business targets.

“We actually need to integrate cybersecurity with the business goals of the enterprise,” Hintikka observes.

WithSecure isn’t a startup; it’s the rebranding of Helsinki-based F-Secure, which has been around since 1988 and is well-established as a leading supplier of endpoint security and threat intelligence.

Guest experts: Tim Orchard, CTO, and Juhani Hintikka, CEO, WithSecure

Hintikka and Orchard argue for a more collaborative style of security services; for a drill down on our conversation please give the accompanying podcast a close listen.

The efficacy of this approach, they told me, is proving out in the success WithSecure is having with its customers, especially mid-sized companies. “In Germany, which is famous for mid-market companies, we seamlessly integrate our MDR service on top of our customers’ legacy systems, working alongside their teams,” Hintikka told me. “It’s truly a joint effort.”

The maturation of managed security services continues. There should be plenty more to come. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Attack surface expansion translates into innumerable wide-open vectors of potential unauthorized access into company networks.

Related: The role of legacy security tools

Yet the heaviest volume of routine, daily cyber attacks continue to target a very familiar vector: web and mobile apps.

At RSA Conference 2023, I had the chance to meet with Paul Nicholson, senior director of product marketing and analyst relations at A10 Networks. A10 has a bird’s-eye view of the flow of maliciousness directed at web and mobile apps — via deployments of its Thunder Application Delivery Controller (ADC).

We discussed why filtering web and mobile app traffic remains as critical as ever, even as cloud migration intensifies; for a full drill down, please give the accompanying podcast a listen.

Companies today face a huge challenge, Nicholson says. They must make ongoing assessments about IT infrastructure increasingly spread far and wide across on-premises and public cloud computing resources.

Guest expert: Paul Nicholson, senior director, product marketing & analyst relations, A10 Networks

The logical place to check first for incoming known-bad traffic remains at the gateways where application traffic arrives.

At RSAC 2023, A10 announced the addition of a next-generation web application firewall (NGWAF), powered by Fastly, to its core Thunder ADC service. This upgrade, he told me, is expressly aimed at helping companies optimize secure performance of their hybrid cloud environments.

This is another encouraging example of stronger together advancement. I’ll keep watch and keep reporting.


Email remains by far the no.1 business communications tool. Meanwhile, weaponized email continues to pose a clear and present threat to all businesses.

Related: The need for timely training

At RSA Conference 2023, I learned all about a new category of email security — referred to as integrated cloud email security (ICES) – that is helping companies more effectively keep email threats in check.

I met with Eyal Benishti, CEO of IRONSCALES, a supplier of ICES tools and cybersecurity training services. For a full drill down on our conversation, please give the accompanying podcast a close listen.

Phishing is still the main way bad actors slip into networks; and Business Email Compromise (BEC) attacks can instantly translate into crippling losses.

Guest expert: Eyal Benishti, CEO, Ironscales

Successful attacks slip past legacy secure email gateways (SEGs) and even past the newer ‘cloud-native security’ controls that Microsoft and Google have embedded in Microsoft 365 and Google Workspace. These filters look for known bad attachments and links.

ICES solutions vet the messages that slip through. IRONSCALES, for instance, applies natural language processing technology to identify patterns and flush out anything suspicious. And its complementary security awareness training modules encourage employees to participate in isolating anything suspicious that leaks into their inboxes.

“The security gateways and cloud-native security controls look at content but that’s not enough,” Benishti observes. “You also need to look at context; both perspectives are needed.”
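To make Benishti’s content-versus-context distinction concrete, here is an added example (written for this article, not IRONSCALES’ product or any vendor’s detection logic) that scores a message on both kinds of signal. The directory of known executives, the prior-contact history, the scoring weights and the two sample messages are all constructed for the illustration.

```python
"""Content-plus-context scoring for inbound mail, as an illustration of the
ICES idea. Example code for this article; not a vendor's implementation.
All directories, weights and sample messages below are constructed."""
from dataclasses import dataclass, field
from email.utils import parseaddr
import re

# Constructed directory: display names worth impersonating, mapped to the
# addresses the organization actually uses for those people.
KNOWN_PEOPLE = {
    "Dana Whitfield": {"dana.whitfield@example.com"},
}
INTERNAL_DOMAINS = {"example.com"}

# Constructed correspondence history: recipient -> senders seen before.
PRIOR_CONTACTS = {
    "alex@example.com": {"dana.whitfield@example.com", "vendor@partner.example"},
}

# Content signal: payment and urgency language typical of BEC lures.
URGENCY = re.compile(r"\b(urgent|immediately|wire|gift cards?|confidential)\b", re.I)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def assess(msg):
    """Score one message. msg: dict with 'from', 'to', 'subject', 'body'
    and optionally 'reply_to'. Higher score = more suspicious."""
    v = Verdict(0)
    name, addr = parseaddr(msg["from"])
    addr = addr.lower()
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    reply_to = reply_to.lower()

    # Context: a known person's display name on an address we do not expect.
    expected = KNOWN_PEOPLE.get(name)
    if expected and addr not in expected:
        v.score += 50
        v.reasons.append(f"display name '{name}' used with unexpected address {addr}")

    # Context: replies would be steered to a different domain than the sender's.
    if reply_to and _domain(reply_to) != _domain(addr):
        v.score += 25
        v.reasons.append(f"reply-to domain {_domain(reply_to)} differs from sender domain")

    # Context: external sender this recipient has never corresponded with.
    known_senders = PRIOR_CONTACTS.get(msg["to"].lower(), set())
    if _domain(addr) not in INTERNAL_DOMAINS and addr not in known_senders:
        v.score += 15
        v.reasons.append("first-time external sender")

    # Content: urgency / payment wording in subject or body.
    hits = sorted({h.lower() for h in URGENCY.findall(msg["subject"] + " " + msg["body"])})
    if hits:
        v.score += 10 * len(hits)
        v.reasons.append("urgency/payment language: " + ", ".join(hits))
    return v


# Constructed samples: a lookalike-domain BEC attempt and a benign internal note.
BEC_SAMPLE = {
    "from": "Dana Whitfield <dana.whitfield@mail-example.net>",
    "reply_to": "d.whitfield@freemail.example",
    "to": "alex@example.com",
    "subject": "Urgent wire request",
    "body": "Need this handled immediately and keep it confidential.",
}
BENIGN_SAMPLE = {
    "from": "Dana Whitfield <dana.whitfield@example.com>",
    "to": "alex@example.com",
    "subject": "Lunch next week?",
    "body": "Are you free Tuesday?",
}

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, BENIGN_SAMPLE):
        verdict = assess(sample)
        print(sample["subject"], "->", verdict.score, verdict.reasons)
```

Note that the benign message contains the same display name as the lure; only the context checks (which address that name normally uses, and whether the recipient has heard from it before) separate the two, which is exactly the gap a content-only filter leaves open.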

It’s clear that layers of protection, along with better-trained employees, have become table stakes. I’ll keep watch and keep reporting.


Software composition analysis — SCA – is a layer of the security stack that, more so than ever, plays a prominent role in protecting modern business networks.

Related: All you should know about open-source exposures

This is especially true as software developers increasingly rely on generic open source and commercial components to innovate in hyperkinetic DevOps and CI/CD mode.

Open source coding has come to dominate business software applications, rising to comprise 75 percent of audited code bases and putting open source on a trajectory to become a $50 billion subsector of technology by 2026.

As RSA Conference 2023 gets underway today at San Francisco’s Moscone Center, advanced ways to secure open source components are getting a good deal of attention. The infamous SolarWinds breach put a spotlight on the risk of malicious open-source components, and the White House has put its weight behind software supply chain best practices.

Guest expert: Rami Sass, CEO, Mend

I had the chance to visit with Rami Sass, CEO of Mend, a Tel Aviv-based supplier of automated remediation technologies designed to help keep open source components as secure as possible. For a full drill down on our conversation please give the accompanying podcast a listen.

Sass filled me in about a trend that started about two and a half years ago; he noted that bad actors have turned their full attention to seeking out and exploiting fresh vulnerabilities in fully updated open-source components in live service.
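The core mechanic of an SCA tool is matching the exact versions in a dependency manifest against advisories that specify affected version ranges. The following is an added illustration written for this article, not Mend’s scanner; the package names, versions and advisory identifiers are placeholders, and the manifest is constructed to show Sass’s point that a fully updated component can still be affected when no fix has been released.

```python
"""Minimal SCA-style matcher: dependency manifest vs. advisory version ranges.
Example code for this article, not any vendor's product. Package names,
versions and advisory IDs are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional


def parse_version(v):
    """'2.4.3' -> (2, 4, 3); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None if unfixed


# Constructed advisories; real tools pull these from vulnerability databases.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "fastparse", "2.0.0", "2.3.1"),
    Advisory("ADV-PLACEHOLDER-002", "fastparse", "2.4.0", None),
    Advisory("ADV-PLACEHOLDER-003", "tinylog", "1.0.0", "1.2.0"),
]


def is_affected(version, adv):
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_manifest(text):
    """Parse 'name==version' lines; comments and blank lines are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, ver = line.split("==")
        deps[name.strip().lower()] = ver.strip()
    return deps


# Constructed manifest: one pinned-to-latest package with an unfixed advisory,
# one patched package, one with no advisory at all.
MANIFEST = """\
fastparse==2.4.3   # latest release, still affected: no fix published
tinylog==1.2.0     # patched
jsonlite==0.9.1    # no known advisory
"""


def scan(manifest_text, advisories=ADVISORIES):
    """Return one finding per (package, advisory) pair that applies."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        ver = deps.get(adv.package)
        if ver and is_affected(ver, adv):
            findings.append({
                "package": adv.package,
                "version": ver,
                "advisory": adv.id,
                "fix": adv.fixed or "none available",
            })
    return findings


if __name__ == "__main__":
    for f in scan(MANIFEST):
        print(f)
```

The unfixed advisory is the interesting case: an "update everything" policy reports the manifest as clean, while the range check surfaces the component that needs a compensating control or a replacement until a fix ships.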

Mend and other SCA solution vendors are stepping up their game to counter this trend. I’ll keep watch and keep reporting.


Good intelligence in any theater of war is invaluable. Timely, accurate intel is the basis of a robust defense and can inform potent counterattacks.

Related: Ukraine hit by amplified DDoS

This was the case during World War II at the Battle of Midway and at the Battle of the Bulge, and it holds true today in the Dark Web. The cyber underground has become a highly dynamic combat zone in which cyber criminals use ingrained mechanisms to shroud communications.

That said, there are also many opportunities for companies to glean and leverage helpful intel from the Dark Web. As RSA Conference 2023 gets underway next week at San Francisco’s Moscone Center, advanced ways to gather and infuse cyber threat intelligence, or CTI, into fast-evolving network defenses are in the spotlight.

I had the chance to visit with Jason Passwaters, CEO of Intel 471, a US-based supplier of cyber threat intelligence solutions.

Guest expert: Jason Passwaters, CEO, Intel 471

We discussed how the cyber underground has shifted from being perceived as deep and dark to a well-organized world with defined business models, supply chains, and a relatively low barrier to entry.

“As the cyber underground becomes more sophisticated, the level of threat increases exponentially for legitimate businesses and nation-states,” Passwaters told me. “The underground is now the domain of organized cybercriminals with clear hierarchies and targeted revenue goals.”

Intel 471 directs comprehensive threat intelligence at identifying, prioritizing and preventing cyber attacks. For a full drill down, please give the accompanying podcast a listen. Good intel in warfare can’t be overstated. I’ll keep watch and keep reporting.


Embedding security into the highly dynamic way new software gets created and put into service — on the fly, by leveraging ephemeral APIs — has proven to be a daunting challenge.

Related: The fallacy of ‘security-as-a-cost-center’

Multitudes of security flaws quite naturally turn up – and threat actors have become adept at systematically discovering and exploiting these fresh vulnerabilities.

As RSA Conference 2023 gets underway next week at San Francisco’s Moscone Center, advanced application security and API security tools and practices are grabbing a lot of attention.

I had the chance to visit with Scott Gerlach, chief security officer and co-founder of StackHawk, a Denver-based software company launched in 2019 to join the phalanx of vendors innovating like crazy to dial-in meaningful code checks, in just the right measure, at just the right moment.

Guest expert: Scott Gerlach, CSO, StackHawk

We had a great conversation about how the venerable “shift left” security philosophy is being refined so that it better aligns with the way software gets developed today – at light speed. This has led to security vendors, StackHawk among them, putting great energy into weaving security more tightly into DevOps, CI/CD and more.

“Shift left still applies because you do want to get security processes into the left side where you design, develop, test and deploy,” Gerlach told me. “But it’s really about how can we get security information closer to the people who are writing code, changing code and fixing code.”

In short, “shift everywhere” is the new “shift left.” For a full drill down, please give the accompanying podcast a listen. I’ll keep watch and keep reporting.


In the age before the cloud, data security was straightforward.

Related: Taming complexity as a business strategy

Enterprises created or ingested data, stored it and secured it in a physical data center. Data security was placed in the hands of technicians wearing tennis shoes, who could lay their hands on physical servers.

Today, company networks rely heavily on hybrid cloud and multi-cloud IT resources, and many startups are cloud native. Business data has been scattered far and wide across cloud infrastructure and just knowing where to look for sensitive data in the cloud, much less enforcing security policies, has become next to impossible for many organizations.

If headline grabbing cyber-attacks weren’t enough, the Biden Administration has begun imposing long-established, but widely ignored data security best practices on any contractor that hopes to do business with Uncle Sam.

Guest expert: Yotam Segev, co-founder and CEO, Cyera

This is where a hot new security service comes into play – designated in 2022 by Gartner as “data security posture management,” or DSPM. With RSA Conference 2023 taking place at San Francisco’s Moscone Center next week, I had the chance to visit with Yotam Segev, co-founder and CEO of San Mateo, Calif.-based security startup Cyera, which is making hay in this emerging DSPM space.

Segev and I discussed how, in the rush to the cloud, companies have lost control of data security, especially in hybrid environments. The core value of DSPM systems, he argues, is that they can help demystify data management, with benefits that ultimately should go beyond security and compliance and actually help ease cloud migration.

Please give a listen to the case Segev makes in the accompanying podcast. I’ll keep watch and keep reporting.


Domain Name Service. DNS. It’s the phone directory of the Internet.

Related: DNS — the good, bad and ugly

Without DNS the World Wide Web never would have advanced as far and wide as it has.

However, due to its intrinsic openness and anonymity, DNS has also become ingrained as the primary communications mechanism used by cyber criminals and cyber warfare combatants.

If that sounds like a potential choke point that could be leveraged against the bad actors – it is. And this is where a fledgling best practice — referred to as “protective DNS” – comes into play.

What has happened is this: leading security vendors have begun applying leading-edge data analytics and automated remediation routines to the task of flagging DNS traffic that’s clearly malicious.
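The decision a protective resolver makes on each query is easy to show in code. The block below is an added example written for this article, not HYAS’s service or CISA’s resolver; the allowlist, blocklist, the entropy threshold for flagging machine-generated-looking names, and the resolver log lines are all constructed. A sinkhole answer uses a documentation address (192.0.2.1) so that a blocked name resolves to something harmless and the attempt is logged.

```python
"""Per-query policy of a protective DNS resolver: allowlist, blocklist
(with parent-domain matching) and a high-entropy heuristic. Example code for
this article; not any vendor's implementation. Policy data and the sample
resolver log are constructed."""
import math
from collections import Counter

# Constructed policy data; real services feed these from threat intelligence.
BLOCKED_DOMAINS = {"evil-updates.example", "c2-relay.example"}
ALLOWED_DOMAINS = {"example.com"}
SINKHOLE_IP = "192.0.2.1"      # RFC 5737 documentation address used as sinkhole
ENTROPY_THRESHOLD = 3.5        # constructed heuristic threshold, bits per char
MIN_LABEL_LEN = 12             # only long leftmost labels are considered


def normalize(name):
    """Lower-case and drop the trailing dot that wire-format names carry."""
    return name.rstrip(".").lower()


def parent_chain(name):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example'].
    Blocking a domain therefore covers every subdomain under it."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def label_entropy(name):
    """Shannon entropy of the leftmost label; random-looking names score high."""
    label = name.split(".")[0]
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def resolve_policy(qname):
    """Return the action for one query name: allow, sinkhole or flag."""
    name = normalize(qname)
    chain = parent_chain(name)
    if any(d in ALLOWED_DOMAINS for d in chain):
        return {"name": name, "action": "allow", "reason": "allowlist"}
    for d in chain:
        if d in BLOCKED_DOMAINS:
            return {"name": name, "action": "sinkhole",
                    "answer": SINKHOLE_IP, "reason": f"blocklist:{d}"}
    ent = label_entropy(name)
    if len(name.split(".")[0]) >= MIN_LABEL_LEN and ent > ENTROPY_THRESHOLD:
        # Not blocked outright: flagged for analyst review, still resolved.
        return {"name": name, "action": "flag",
                "reason": f"high-entropy label ({ent:.2f} bits/char)"}
    return {"name": name, "action": "allow", "reason": "no match"}


# Constructed resolver log: "client qname qtype" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com. A
10.0.0.7 beacon.c2-relay.example. A
10.0.0.9 qz7k3xv9mw2p.example. A
10.0.0.9 docs.partner.example. AAAA
"""


def process_log(text):
    """Apply the policy to every line of the log; return the decisions."""
    decisions = []
    for line in text.splitlines():
        client, qname, qtype = line.split()
        d = resolve_policy(qname)
        d.update(client=client, qtype=qtype)
        decisions.append(d)
    return decisions


def summarize(decisions):
    """Count decisions by action, e.g. for a dashboard."""
    return Counter(d["action"] for d in decisions)


if __name__ == "__main__":
    results = process_log(SAMPLE_LOG)
    for d in results:
        print(d)
    print(summarize(results))
```

Two design points matter in practice: the allowlist is consulted first so that a coarse blocklist entry cannot take down a business-critical domain, and the entropy check only flags rather than blocks, because long random-looking labels also occur in legitimate CDN and cloud hostnames.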

Guest expert: David Ratner, CEO, HYAS

One sure sign that protective DNS has gained meaningful traction is that Uncle Sam has begun championing it. Last fall the U.S. Cybersecurity & Infrastructure Security Agency (CISA) began making a protective DNS resolver available to federal agencies.

With RSA Conference 2023 taking place at San Francisco’s Moscone Center next week, I had the chance to visit with David Ratner, CEO of Vancouver, Canada-based HYAS, a security company whose focus is on delivering protective DNS services. Ratner explains what protective DNS is all about, and why its widespread adoption will make the Internet much safer.

For a full drill down, give the accompanying podcast a listen. I’ll keep watch and keep reporting.


Specialization continues to advance apace in the cybercriminal ecosystem.

Related: How cybercriminals leverage digital transformation

Initial access brokers, or IABs, are the latest specialists on the scene. IABs flashed to prominence on the heels of gaping vulnerabilities getting discovered and widely exploited in Windows servers deployed globally in enterprise networks.

I had the chance at RSA Conference 2022 to visit with John Shier, senior security advisor at Sophos, a security software and hardware company. We discussed how the ProxyLogon/ProxyShell vulnerabilities that companies have been scrambling to patch for the past couple of years gave rise to threat actors who focus on a singular mission: locating and compromising cyber assets with known vulnerabilities.

For a drill down on IABs, please give the accompanying podcast a listen. Here are the key takeaways:

Sequential specialists

IABs today jump into action anytime a newly discovered bug gets publicized, especially operating system coding flaws that can be remotely exploited. IABs gain unauthorized network access and then they often will conduct exploratory movements to get a sense of what the compromised asset is, Shier told me.

This is all part of triangulating how much value the breached asset might have in the Darknet marketplace. “IABs specialize in one specific area of the cybercrime ecosystem where the victims are accumulated and then sold off to the highest bidder,” he says.

To assure persistent access to, say, a compromised web server, an IAB will implant a web shell – coding that functions as a back door through which additional malicious software can be uploaded at a later time. The web shell sits dormant providing a path for other specialists.

The IAB’s job, at this point, is done; access to the compromised server is now ready for sale to another operative. It might be someone who specializes in embedding droppers – a type of malware delivery tool designed to stealthily install the endgame payload, Shier says.

A dropper specialist, in turn, might deliver control of the primed server to a payload specialist – an operative who’s adept at, say, carrying out a crypto mining routine that saps processing power. Or the payload might be a data exfiltration routine — or a full-blown ransomware attack.

Teeming criminal activity

IABs are giving an already high-functioning cybercriminal underground a turbo boost. This trend is highlighted in Sophos’ recent adversaries report based on analysis of 144 incidents targeting organizations of varying sizes in the US, Europe, the Middle East, Australia, the Philippines and Japan. IABs contributed to threat actors dwelling longer before detection: the median attacker dwell time was 15 days in 2021, up from 11 days in 2020.

Sophos’ study of adversary activity found that some 47 percent of attacks started with an exploited vulnerability and 73 percent of attacks involved ransomware. Speaking of ransomware, cyber extortion continues to persist at a plague level.

Sophos’ The State of Ransomware 2022 polling of 5,600 IT professionals in 31 countries reveals that 66 percent of organizations were hit by ransomware in 2021, up from 37 percent in 2020. Meanwhile, some 11 percent of victim companies paid ransoms of $1 million USD or more in 2021, a nearly three-fold increase from the 4 percent that did so in 2020. And the average ransom payment, excluding outliers, rang in at $812,360.

Clearly, the threat landscape is teeming with criminals leveraging proven tools, tactics and procedures to great effect. Forensic evidence analyzed by Sophos sheds light on instances where multiple adversaries, including IABs, dropper specialists, ransomware gangs and crypto miners crossed paths. At times, multiple ransomware gangs targeted the same organization simultaneously.

“The IABs are the clearinghouses for all of this access,” Shier says. “The brokering happens in Darknet markets that specialize in the sale of victims.”

If you know where to look in Darknet markets, he says, you can find access to compromised machines listed by company, type of server and level of access. “This allows you, as a criminal, to really understand what it is that you’re buying,” Shier says. “They’ve even got an escrow system to assure that one criminal is not scamming the other criminals.”

Understanding digital assets

This is the flip side of digital transformation. As enterprises drive towards a dramatically scaled-up and increasingly interconnected digital ecosystem, network attack surfaces are expanding exponentially and security gaps are multiplying.

Cybercriminals are merely feasting on low-hanging fruit. It’s not so much that they’re doing anything terribly innovative. It’s just that there are so many blind spots, and in many ways it’s easier than ever for intruders to gain deep access, steal data, spread ransomware, disrupt infrastructure and attain unauthorized presence for an extended period of time.


Companies need to understand that every organization using digital assets is a target for an adversary somewhere; these days it can be waves of specialists from several different hacking collectives converging on the same target all at once, Shier says.

Constant monitoring and effective detection and response are more vital than ever. And so is reducing the attack surface by configuring systems wisely and managing vulnerabilities well.

Observes Shier: “First and foremost it is important to understand the systems, tools and software you’re using . . . and understand what are the core aspects of your business that you need to protect. Protect the core business first and then start to look at protecting the things that are supporting the core business. The mitigations might be different, but it really comes down to understanding the business itself.”

This much was made clear at RSAC 2022: the technology and security frameworks to do this are readily available. What’s lacking – and why criminal specialists continue to operate with impunity — is uniform adoption. Things are steadily moving in that direction. I’ll keep watch and keep reporting.


Reducing the attack surface of a company’s network should, by now, be a top priority for all organizations.

Related: Why security teams ought to embrace complexity

As RSA Conference 2022 gets underway today in San Francisco, advanced systems to help companies comprehensively inventory their cyber assets for enhanced visibility to improve asset and cloud configurations and close security gaps will be in the spotlight.

As always, the devil is in the details. Connecting the dots and getting everyone on the same page remain daunting challenges. I visited with Erkang Zheng, founder and CEO of JupiterOne, to discuss how an emerging discipline — referred to as “cyber asset attack surface management,” or CAASM – can help with this heavy lifting.

Based in Morrisville, NC, JupiterOne launched in 2020 and last week announced that it has achieved a $1 billion valuation, with a $70 million Series C funding round.

For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Imposing context

Remediating security gaps in modern networks, not surprisingly, can quickly devolve into a tangled mess. Both the technology and the teams responsible for specific cyber assets tend to operate in silos. And because network security teams lack direct control, coordinating people, policies and infrastructure scattered across the organization has become impossible to get done in a timely manner.

This is more so true as organizations accelerate cloud migration and dive deeper into an interconnected digital ecosystem. Software-defined everything is the mantra and mushrooming complexity is the result. On the flip side, security gaps are multiplying as network attack surfaces expand exponentially. These gaps must be closed or digital transformation will be in danger of stalling out.

Enter CAASM, which is designed to make it possible for security teams to impose context on the ephemeral connections flying between things like microservices, virtual storage and hosted services. JupiterOne’s platform, for instance, puts a security lens on discovering, managing and governing all types of cyber assets — from software in development to all aspects of private cloud and public cloud IT infrastructure.

CAASM systems leverage APIs to help security teams gain comprehensive visibility of all components of IT infrastructure be they on-premises or in a private, public or hybrid cloud. This enables the implementation of granular policies that can be enforced, at scale, and that each organization can dial in to boost security without unduly hindering agility.

This is the heavy lifting that’s easier said than done, especially in a massively-distributed, fast-changing operating environment. The pressure bears down on security teams from two directions, Zheng says. They must do as much as they can to directly prevent intrusions; and they must also rally the asset owners to prevent breaches as well as respond with alacrity to security incidents as they crop up.

Smart questions

Connecting the dots and getting everyone on the same page comes down to asking the right questions, Zheng observes. And cloud-hosted, data analytics technology is now readily available to ask smart questions about network security, at scale, and get actionable answers.


“The concept is simple, but the execution is not,” he says. The first obstacle is the underlying technology; networking infrastructure components come from hundreds of different vendors, each using a proprietary implementation. Then there’s the issue of having to change the behaviors of the asset owners, many of whom are stuck in a siloed mindset.

JupiterOne’s solution prepares the way by discovering, normalizing and consolidating basic information about all cyber assets, such as what the asset is, who owns it and who can access it. This creates a scenario where the security team can ask simple questions that can and should be directly answered.

“Know what you have and focus on what matters,” Zheng told me. “It really boils down to that.”

By focusing on common-sense questions, legacy workflows can be altered in a way that keeps pace with a fast-changing digital ecosystem – and recalcitrant asset owners will be more likely to take charge of facilitating remediation, he says.

“We can help provide a workflow that focuses on questions like, ‘How do I fix it?’ ‘Who can fix it?’ ‘How do I notify, assign and track and verify?’ ” Zheng observes. “The security team really is the gatekeeper and the auditor and a consultant, to some extent, to the people who must actually do the work . . . CAASM is not only a data platform and an analytical platform, but also a collaboration platform.”

Solutions at hand

Collaborating to swiftly close severe zero-day security gaps that regularly get disclosed, like Log4j, has become a must-have capability, for obvious reasons. Yet there is a much greater impact CAASM systems could have, going forward. CAASM is one slice of a new security architecture that’s taking shape, one in which companies begin to systematically discover and remediate security gaps – gaps threat actors are proactively seeking out.

Zheng walked me through an example of how easy it is for a security team to overlook gaps created, for instance, in the mixing and matching of cloud resources leased from Amazon Web Services:

“Let’s say you have an internal resource that’s not configured to be public facing by itself. However, you have an external-facing workload that has an authentication policy giving it API level access . . . it could be an instance where you have an Internet-facing Lambda function that’s given access to an internal S3 bucket or DynamoDB table. That’s a specific example of identifying a security gap that you previously didn’t see.”

This technical detail vividly illustrates attack surface expansion in action. There are countless more examples like this. Companies absolutely should begin flushing out security gaps and remediating them. The technology to do this at scale and in a timely manner is at hand.
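Zheng’s Lambda-to-S3 example is the kind of question an asset graph answers once inventory has been normalized into assets, owners and relationships. The block below is an added illustration written for this article, not JupiterOne’s data model or query language; the inventory, the relationship names (“assumes”, “grants”) and the classification tags are constructed, and the function and bucket names are hypothetical. It walks from each Internet-facing workload through its IAM role to the data stores that role can reach, and reports the ones that are internal, together with who owns the data and who owns the workload that needs fixing.

```python
"""CAASM-style gap query over a constructed asset graph: which Internet-facing
workloads can reach internal data stores through their IAM roles?
Example code for this article; not JupiterOne's platform. All assets,
relations and tags are constructed and hypothetical."""
from collections import defaultdict
from dataclasses import dataclass

COMPUTE_KINDS = {"lambda", "ec2"}
DATA_STORE_KINDS = {"s3", "dynamodb"}


@dataclass(frozen=True)
class Asset:
    id: str
    kind: str
    owner: str = "unknown"
    internet_facing: bool = False
    classification: str = "public"


# Constructed inventory, as a CAASM connector would normalize it from cloud APIs.
INVENTORY = [
    Asset("fn-public-upload", "lambda", owner="team-web", internet_facing=True),
    Asset("fn-nightly-report", "lambda", owner="team-data"),
    Asset("role-upload", "iam_role", owner="team-web"),
    Asset("role-report", "iam_role", owner="team-data"),
    Asset("bucket-customer-exports", "s3", owner="team-data", classification="internal"),
    Asset("table-sessions", "dynamodb", owner="team-data", classification="internal"),
    Asset("bucket-static-site", "s3", owner="team-web", internet_facing=True),
]

# Constructed relationships: (subject, relation, object).
RELATIONS = [
    ("fn-public-upload", "assumes", "role-upload"),
    ("role-upload", "grants", "bucket-customer-exports"),
    ("role-upload", "grants", "bucket-static-site"),
    ("fn-nightly-report", "assumes", "role-report"),
    ("role-report", "grants", "table-sessions"),
]


def build_graph(relations):
    """Adjacency list: subject -> [(relation, object), ...]."""
    graph = defaultdict(list)
    for subj, rel, obj in relations:
        graph[subj].append((rel, obj))
    return graph


def reachable_data_stores(start, graph, by_id, max_depth=3):
    """Depth-limited walk from a workload; returns ids of data stores reached."""
    seen, frontier, found = {start}, [(start, 0)], set()
    while frontier:
        node, depth = frontier.pop()
        if depth >= max_depth:
            continue
        for _rel, nxt in graph.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            if by_id[nxt].kind in DATA_STORE_KINDS:
                found.add(nxt)
            else:
                frontier.append((nxt, depth + 1))
    return found


def find_exposure_gaps(assets, relations):
    """Internet-facing compute that can reach an internal, non-public data store."""
    by_id = {a.id: a for a in assets}
    graph = build_graph(relations)
    gaps = []
    for asset in assets:
        if asset.kind not in COMPUTE_KINDS or not asset.internet_facing:
            continue
        for store_id in sorted(reachable_data_stores(asset.id, graph, by_id)):
            store = by_id[store_id]
            if store.classification == "internal" and not store.internet_facing:
                gaps.append({
                    "workload": asset.id,
                    "data_store": store_id,
                    "data_owner": store.owner,     # who to notify
                    "workload_owner": asset.owner, # who can fix it
                })
    return gaps


if __name__ == "__main__":
    for gap in find_exposure_gaps(INVENTORY, RELATIONS):
        print(gap)
```

The public static-site bucket reachable from the same function is deliberately not reported: it is Internet-facing by design, so the query only surfaces the combination Zheng describes, a public workload holding a path into data that was never meant to be exposed. The two owner fields feed the “who can fix it, who do I notify” workflow discussed above.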

The sooner closing gaps rises to a standard best practice, the more secure we’ll all be. I’ll keep watch and keep reporting.
