The theme of RSA Conference 2023 — ‘stronger together’ — was certainly well chosen.

This was my nineteenth RSAC. I attended my first one in 2004, while covering Microsoft for USA TODAY. It certainly was terrific to see the cybersecurity industry’s premier trade event fully restored to its pre-Covid grandeur at San Francisco’s Moscone Center last week.

Rising from the din of 625 vendors, 700 speakers and 26,000 attendees came the clarion call for a new tier of overlapping, interoperable, highly automated security platforms needed to carry us forward.

Defense-in-depth remains a mantra — but implemented much differently than the defense-in-depth strategies of the first decade and a half of this century. Machine learning, automation and interoperability must take over and several new security layers must coalesce and interweave to protect the edge.

Getting a grip on identities

To keep the momentum going, business rivals and regulators are going to have to find meaningful ways to co-ordinate and cooperate at an unprecedented level. Here are three evolving themes reverberating from RSAC 2023 that struck me:

Password enabled access will endure for the foreseeable future. Multi-factor authentication (MFA) has raised the bar, but MFA alone is not enough to slow, much less stop, moderately-skilled bad actors.

New security platforms that can set cloud configurations wisely, automate detection and response and manage vulnerabilities continuously are needed to form the front line of defense.

Consolidating cloud postures

One nascent approach that shows promise: cloud native application protection platform (CNAPP).

For a drill down on how the CNAPP space is rapidly evolving, stay tuned for my upcoming RSA Fireside Chat podcasts with a couple of vendors on the leading edge. I had enlightening discussions with Elias Terman and Sudarsan Kannan, of Uptycs, and Markus Strauss and Michiel De Lepper of Runecast.

Identities – or to put it more precisely, user access management – is a fundamental weakness that must be shored up. This is where advanced identity and access management (IAM) tools and practices come into play.

I spoke at length with Ravi Srivatsav and Venkat Thummisi of InsideOut Defense, and separately with Venkat Raghavan, founder and CEO of Stack Identity, all about reconstituting IAM. My Fireside Chat podcasts to come will get into their insights about reducing the risk of access manipulation by continuously and comprehensively monitoring access patterns.

I also had quick meetings with Bernard Harguindeguy and Baber Amin, senior execs at Veridium ID, on the latest advances in passwordless authentication and I got the back story about a brand new smart ring (yes, of the Tolkien variety) introduced at the conference by security start-up Token. I spoke with Token CEO John Gunn and his engineering VP Evan K. about the role of advanced wearable authentication devices, going forward.

Operationalizing threat intel

Collecting and using good threat intelligence has always been important — and never been easy to do well. Two impromptu meetings I had touched on this. I spoke with Rohan Spledewinde of security start-up CTM360 – which crawls the public Internet for each and every reference to a company’s IP addresses, and uses graph database technology to present useful correlations; and I also had another very lively discussion with Snehal Antani, CEO of Horizon3, about the value of continuous, well-informed penetration testing.

Leveraging threat intelligence at the platform level, of course, remains vital, as well. The trick in today’s operating environment is how to do this well with cloud migration accelerating.

There’s a danger of leaving legacy on-premises systems twisting in the wind. And that’s why emerging frameworks like Secure Services Edge (SSE) and Zero Trust Network Access (ZTNA) got a lot of attention at RSAC 2023, and deservedly so.

In the weeks ahead, be on alert for my deep-dive podcast discussions with vendors that are shaping the security platforms of the near future. The perspectives I heard from two leading vendors in the security platform space were very similar.

I spoke at length to WithSecure CEO Juhani Hintikka and CTO Tim Orchard; this is the recent rebrand of F-Secure, a longstanding, widely respected cybersecurity systems vendor from Finland.

And I had a deep dive discussion with Cyware’s Willy Leichter and Neal Dennis. While WithSecure is approaching the task at hand from a slightly different angle than Cyware, both rely on interoperability of multiple systems, i.e. ‘stronger together.’

Our smartphone symbiosis

If you’re like me, you’ll lose track of where you last set down your room key, wallet or coat before you misplace your smartphone.

Our mobile devices, and the mobile apps on them, have become our digital appendages. We feel lost without them. And thus they are destined to endure as our primary user interface.

Yet the security of mobile apps hasn’t advanced much in the past 10 years; bad actors don’t really have to work all that hard, or expend many resources, to exploit how we’ve come to use mobile apps.

I spoke with two vendors that are introducing promising innovation that addresses this. Verimatrix CEO Asaf Ashkenazi described for me how his company is leveraging technologies perfected by the entertainment industry to protect mobile apps.

And Approov CEO Ted Miracco told me how his company’s solution borrows from design principles used to lock down semiconductors.

It’s easier than ever for malicious hackers to get deep access, steal data, spread ransomware, disrupt infrastructure and attain long-run unauthorized access. What I saw and heard at RSAC 2023 leaves me encouraged, more so than ever before, that this widening of the security gap will be slowed — and ultimately reversed. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as

 

 

 

 

 

 

Patch management has always been time-consuming and arduous. But it gets done, at least to some degree, simply because patching is so crucial to a robust cybersecurity posture. Patch programs are rarely perfect though, and imperfect patching arguably enables successful cybersecurity breaches – it’s an ever-growing concern for countless IT teams.

Managed Security Service Providers (MSSPs) do their best to patch their clients’ systems while also juggling a long list of other tasks associated with developing, monitoring, and maintaining their clients’ overall security and compliance programs.

The resources an MSSP can dedicate to patching are, however, limited: MSSPs operate within a fixed client servicing budget, and no client will accept being billed whenever a vulnerability needs to be patched.

To patch or not to patch?

It poses a huge conundrum for MSSPs: patching everything everywhere sounds like a great idea because, after all, a single failure to patch can lead to a breach. Thorough patching means secure client systems. But patching that thoroughly isn’t economical. Some vulnerabilities are more critical – and some systems are more central to operations than others.

There is a balance to strike, but choosing where to prioritize is a tough call. Absent a game-changing technology, the best solution would be to simply throw more resources at the patching problem, but that would drive up costs for MSSPs, which could lead them to become uncompetitive.

There’s another problem that makes consistent patching tough to achieve: pushback from the client. Patching disrupts user workflows, causing frustration and impacting productivity. After all, patching commonly requires that the MSSP take a service offline and restart it to apply the patch.

A competently managed patching process should lead to no more than performance degradation, but manage patching poorly and it means downtime and big chunks of potential revenue loss. Companies need to plan for these disruptions, which makes for a complex conversation between an MSSP and its client.

Again, there’s a trade-off. Patching more can translate into more disruption, but patching less means taking a larger risk. The net effect is often less patching because MSSPs may judge that preserving the client relationship matters more than closing just one more vulnerability.

Enter live patching

Clearly, the patching conundrum needs a solution. Patching automation helps, and so does a sophisticated patch management program. But neither negates the labor hours involved in patching nor do these methods eliminate the disruption. Someone still needs to double-check that a restarted system goes back online correctly, and downtime must be managed (or tolerated).

There is a cybersecurity approach that changes the game. It’s called live patching, a patching method that applies updates to a running software system, typically an operating system or a kernel, without requiring reboots.

When MSSPs implement live patching it enables continuous system operation, particularly useful for critical systems and servers where uptime matters – but of value everywhere because it reduces the staff-hour workload and virtually eliminates disruption.

Several vendors have developed live patching solutions. For Linux systems that includes Ksplice, offered by Oracle, which live patches Oracle Linux and a few other Linux distributions. Canonical offers Livepatch, compatible with Ubuntu.

IBM offers a live patching solution called Kernel Live Patching for IBM Z and LinuxONE systems. Microsoft introduced Azure Hotpatching which allows Azure users to apply security updates to their virtual machines (VMs) with zero downtime.

Integrated toolsets

Vendor solutions are, however, often tied to expensive support contracts and commonly compatible with just the vendor’s product. Third-party providers can sometimes offer a better package. For example, TuxCare’s KernelCare product covers the most commonly-used enterprise Linux distributions – while also delivering live patching across open-source databases, libraries, and virtual environments.

The best live patching tools integrate with vulnerability scanners and other automation tools to speed up the security and compliance process. MSSPs can therefore efficiently identify, prioritize, and remediate vulnerabilities all through a centralized platform.

This integration allows MSSPs to patch consistently, reducing the compromises inherent to patching programs so that clients can readily meet standards such as NIST 800-53 and PCI DSS. MSSPs also worry less about costs and maintain excellent client relationships because live patching removes friction.

By including live patching in the process, MSSPs minimize disruption and ensure the needed security updates are applied promptly and consistently. Thanks to the time saved, MSSPs can now allocate more resources to other aspects of cybersecurity.

About the essayist: Jim Jackson serves as President and Chief Revenue Officer at TuxCare.

 

Managed Security Service Providers, MSSPs, have been around for some time now as a resource to help companies operate more securely.

Demand for richer MSSP services was already growing at a rapid pace, as digital transformation gained traction – and then spiked in the aftermath of Covid-19. By one estimate, companies are on track to spend $77 billion on MSSP services by 2030, up from $22 billion in 2020.

At RSA Conference 2023, which gets underway next week at San Francisco’s Moscone Center, I expect that there’ll be buzz aplenty about the much larger role MSSPs seem destined to play.

I had the chance to visit with Geoff Haydon, CEO of Ontinue, a Zurich-based supplier of a managed extended detection and response (MXDR) service. We discussed the drivers supporting the burgeoning MSSP market, as well as where innovation could take this trend.

Guest expert: Geoff Haydon, CEO, Ontinue

For its part, Ontinue is leveraging Microsoft collaboration and security tools and making dedicated cyber advisors available to partner with its clients. “Microsoft has emerged as the largest, most important cybersecurity company on the planet,” Haydon told me. “And they’re also developing business applications that are very conducive to delivering and enriching a cyber security program.”

I covered Microsoft as a USA TODAY technology reporter when Bill Gates suddenly ‘got’ cybersecurity, so this part of our discussion was especially fascinating. For a drill down, please give the accompanying podcast a listen. Meanwhile, I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

Good intelligence in any theater of war is invaluable. Timely, accurate intel is the basis of a robust defense and can inform potent counterattacks.

This was the case during World War II in the Battle of Midway and at the Battle of the Bulge and it holds true today in the Dark Web. The cyber underground has become a highly dynamic combat zone in which cyber criminals use engrained mechanisms to shroud communications.

That said, there are also many opportunities for companies to glean and leverage helpful intel from the Dark Web. As RSA Conference 2023 gets underway next week at San Francisco’s Moscone Center, advanced ways to gather and infuse cyber threat intelligence, or CTI, into fast-evolving network defenses are in the spotlight.

I had the chance to visit with Jason Passwaters, CEO of Intel 471, a US-based supplier of cyber threat intelligence solutions.

Guest expert: Jason Passwaters, CEO, Intel 471

We discussed how the cyber underground has shifted from being perceived as deep and dark to a well-organized world with defined business models, supply chains, and a relatively low barrier to entry.

“As the cyber underground becomes more sophisticated, the level of threat increases exponentially for legitimate businesses and nation-states,” Passwaters told me. “The underground is now the domain of organized cybercriminals with clear hierarchies and targeted revenue goals.”

Intel 471 directs comprehensive threat intelligence at identifying, prioritizing and preventing cyber attacks. For a full drill down, please give the accompanying podcast a listen. Good intel in warfare can’t be overstated. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

Domain Name Service. DNS. It’s the phone directory of the Internet.

Without DNS the World Wide Web never would have advanced as far and wide as it has.

However, due to its intrinsic openness and anonymity, DNS has also become engrained as the primary communications mechanism used by cyber criminals and cyber warfare combatants.

If that sounds like a potential choke point that could be leveraged against the bad actors – it is. And this is where a fledgling best practice – referred to as “protective DNS” – comes into play.

What has happened is this: leading security vendors have begun applying leading-edge data analytics and automated remediation routines to the task of flagging DNS traffic that’s clearly malicious.

Guest expert: David Ratner, CEO, HYAS

One sure sign that protective DNS has gained meaningful traction is that Uncle Sam has begun championing it. Last fall the U.S. Cybersecurity & Infrastructure Security Agency (CISA) began making a protective DNS resolver available to federal agencies.

With RSA Conference 2023 taking place at San Francisco’s Moscone Center next week, I had the chance to visit with David Ratner, CEO of Vancouver, Canada-based HYAS, a security company whose focus is on delivering protective DNS services. Ratner explains what protective DNS is all about, and why its widespread adoption will make the Internet much safer.

For a full drill down, give the accompanying podcast a listen. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

One of the nascent security disciplines already getting a lot of buzz as RSA Conference 2023 gets ready to open next week at San Francisco’s Moscone Center is “software supply chain security,” or SSCS.

Interestingly, you could make the argument that SSCS runs counter to the much-discussed “shift left” movement.

Shift left advocates driving code testing and application performance evaluations as early as possible in the software development process.

By contrast, SSCS vendors are innovating ways to direct automated inspections much later in DevOps, as late as possible before the new software application is deployed in live service.

Guest expert: Matt Rose, Field CISO, ReversingLabs

I had the chance to visit with Matt Rose, Field CISO at ReversingLabs, which is in the thick of the SSCS movement. We discussed why reducing exposures and vulnerabilities early in the coding process is no longer enough.

“True software supply chain security is about looking at the application in a holistic way just prior to deployment,” Rose told me. “Most software supply chain issues are novel, so looking for problems too early, before the code is compiled, won’t tell you much.”

Like everyone else, SSCS solution vendors are leveraging machine learning and automation – to focus quality checks and timely remediation in very specific lanes: on open-source components, microservices containers and compiled code, for instance. For a drill down, please give a listen to the accompanying podcast.

I’m looking forward to attending RSAC in person, after a couple of years of remote participation. No doubt there’ll be some thoughtful discussion about how best to protect software in our software-defined world.

I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Modern cyber attacks are ingenious — and traditional vulnerability management, or VM, simply is no longer very effective.

Unlike a typical cyber attack that exploits a software vulnerability, recent cyber attacks exploit other security risks, such as misconfigurations, security deviations, and posture anomalies. But VM vendors tend to focus more on software vulnerabilities and leave out everything else.

SecPod’s research shows some 44 percent of the total vulnerabilities in a typical IT infrastructure don’t have a Common Vulnerabilities and Exposures (CVE) designation.

The consequences of a cyber attack can be devastating, from a rapid drop in brand reputation to loss of business and sensitive data. Cyber attacks can also invite lawsuits and can even be fatal.

In addition to real-time protection, effective VM can also help with compliance at a time when data security rules are increasing in regulatory policies like NIST, PCI, HIPAA and GDPR.

With traditional VM, achieving compliance is a struggle. But advanced VM provides an actionable way of adhering to regulations and policy mandates that call for risks to be identified and detected as part of ongoing data security.

While traditional VM is herky-jerky, advanced VM is a continuous and smooth process that results in much more efficient detection, integration, and automation.

Further, effective VM can be very cost-effective; the potential cost saved in preventing cyberattacks is enormous when compared to total security expenditures.

Reinventing VM

The importance of effective VM can’t be overstated. Yet given the evolving IT environment, CISOs, sysadmins, and IT security teams are struggling to protect their networks.

Ideally, VM should be continuous and proactive, but traditional VM is jagged, broken, insufficient — and in desperate need of reinvention.

With traditional VM, detection is limited to software vulnerabilities, assessment and prioritization to a Common Vulnerability Scoring System (CVSS) ranking, and remediation to patching. This approach only provides superficial visibility into IT infrastructure, and does not take into account lateral attack vectors.

Without automation, the laborious task of scanning and remediation is difficult. Additionally, multiple teams use multiple tools in traditional VM, leading to a disconnect and friction between them, further reducing the effectiveness of traditional VM.

The Jira misconfiguration leaks highlight the devastating impact that vulnerabilities beyond those called out in CVEs can have in a modern environment. Modern cyberattacks exploit misconfigurations and other security risks, and research reflects the same. Some 31 percent of respondents to a recent ESG survey pointed to misconfigurations as the initial point of compromise for a successful ransomware attack.

Advanced capabilities

Advanced VM computes high-fidelity attacks and criticality to mitigate risks effectively. Traditional VM can only remediate software vulnerabilities with patches, while advanced VM fixes misconfigurations, normalizes deviations, and eliminates other security risks. So a dangerous new exploit that lacks a CVE designation and registers a low CVSS score can still be detected and remediated in a timely manner.

The lack of the right tools with enough capabilities and the inertia to shift to new technology are the main reasons why advanced VM is not yet adopted universally. But it’s only a matter of time before it gets widespread adoption.

Modern networks are becoming increasingly interconnected and massive. This means a larger attack surface, numerous security risks, and more work for IT security teams.

Advanced VM, with its broader detection, faster scans, and integrated remediation, is the only way of combating modern cyberattacks. Clearly, advanced VM is well positioned to be a core component of combating ever-evolving cyber attacks.

About the essayist: Chandrashekhar Basavanna is the founder and CEO of SecPod Technologies, a cybersecurity technology company creating solutions for enterprise IT Security teams to prevent cyberattacks on the computing environments.

Imagine being a young person who wants a career, of whatever type you can find, as a cybersecurity professional.

Although you were born with an agile and analytical mind, you have very limited financial resources and few, if any, connections that can open doors to your future ambitions.

If you were born in a country such as the US, Canada or the UK, you might have a wider range of options despite your financial limitations. But if you are born in Antigua, which is a small Caribbean island way out in the Atlantic, your options can be quite limited. Even if you managed to get a range of certifications which show that you have some skills, finding a job in your field is extremely unlikely because the market is so small and undeveloped.

High concept

Now enter AntiguaRecon, which was created to teach a group of young Antiguans cybersecurity skills so that it could offer cybersecurity services around the region and in the US, Canada, and elsewhere. It is not enough to just educate the students. Our proof of concept will come when we get them jobs too.

The founder, Adam Dennis (that’s me!), has experience running training organizations directed at young people AND a lot of experience running startups.  In the late 1990s (yes, that long ago), I created a youth training program called YouthLink that worked with at-risk youth in Washington, DC. The program operated for five years and was covered by the Washington Post and a number of other news outlets.  Over my career, I have created three non-profits and two SaaS for profits, one of which I sold in 2005.

AntiguaRecon has been operating since early last year and has trained 14 students with an average age of around 20. Since cybersecurity is a massive field, and broad skill building can be an even bigger challenge, the program has focused on web attacks and simulated phishing training, since these vulnerabilities are common in this region.

The program would not have been possible were it not for volunteer cybersecurity mentors from around the world.  We have mentors from Canada, the US, Argentina, Dubai, India, and Antigua.  Senior talent is critical since they give perspective that our young students wouldn’t otherwise have.

Critical support has also been provided by a local school called Island Academy, who raised the funds to start the program and supplies classroom space for face-to-face learning.  Island Academy’s founder, Bernadette Sherman, has been hugely supportive from the start.

Pairing plan

2023 is THE critical year.  The organization is educating its next group of students supported by “seniors” from the previous year who are paired 1-on-1 with a partner.  The purpose of this model is to build teamwork and depth.  The expectation is that we will have sufficient depth of knowledge to begin offering limited web attack and simulated phishing skills by mid-year.

Our pairing model seeks to get a team built up and optimized as quickly as possible.  I did this with one of my previous jobs running Agile software teams and it worked quite well.  As it stands right now, we already have 2 potential customers that are waiting in the wings so things are looking up.

How can you help?  AntiguaRecon needs four things:

• Expert mentor support. The key need at the moment is for professionals who do social engineering, particularly with simulated phishing skills (and ideally with Gophish experience).

• Promotional support, such as what has been provided here (thank you!), so that they can get the word out about the project.

• Financial support to eventually secure a cyber security expert as a core trainer and senior for the service offerings. This one is very important since potential customers will want to see a person at the center of the program with deep cybersecurity experience.

• Opportunities to secure nearshore customers in the US, Canada, and elsewhere. Getting customers, especially a customer who sees the opportunity for them to build with us over time, is absolutely critical. When we get our customers, we will deliver to our students a real hope for their future.

We will prove that their efforts were worth it, and we will establish an organization that can survive and continue training more students, not based on donations, but on the money earned by its graduates.  That’s the future we want, and it’s the future we are working towards.

Feel free to visit AntiguaRecon on LinkedIn, the web, or email me at adam@antiguarecon.com.

About the essayist: Adam Dennis is the founder of AntiguaRecon. Launched in January 2022, this initiative provides cybersecurity training on the Caribbean Island nation of Antigua and Barbuda. The goal is to offer the services around the region and then as a nearshore solution for the US and Canada, and offshore for other locations around the world.

APIs have been a linchpin as far as accelerating digital transformation — but they’ve also exponentially expanded the attack surface of modern business networks.

The resultant benefits-vs-risks gap has, not surprisingly, attracted the full attention of cyber criminals who now routinely leverage API weaknesses in all phases of sophisticated, multi-stage network attacks.

The collateral damage has escalated to the point where federal regulators have been compelled to step in.

Last October the FFIEC explicitly called out APIs as an attack surface that must, henceforth, comply with a new set of API management practices.

Guest expert: Richard Bird, Chief Security Officer, Traceable

I had the chance to visit with Richard Bird, Chief Security Officer at Traceable.ai, which supplies security systems designed to protect APIs from the next generation of attacks.

We discussed, in some detail, just how far the new rules go in requiring best practices for accessing and authenticating APIs. Bird also enlightened me about how and why this is just a first step in comprehensively mitigating API exposures. For a full drill down, please give the accompanying podcast a listen.

There’s little doubt that the new FFIEC rules will materially raise the bar for API security. In the short run companies subject to federal financial institution jurisdiction will have to hustle to get their API act together; and in the long run other companies in other verticals should follow suit.

I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)