Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

RSAC insights: ‘SASE’ disrupts networking by meshing security, connectivity at the services edge

By Byron V. Acohido

It’s accurate to say that security has been bolted onto modern business networks.

It also has become very clear that we won’t achieve the full potential of digital transformation without security somehow getting intricately woven into every layer of corporate IT systems.

We’re still a long way from achieving that, but a promising roadmap has emerged. It’s a new model for architecting enterprise IT systems, dubbed Secure Access Service Edge (SASE), a term coined by top security analysts at tech advisory firm Gartner.

I had the chance to visit with Kelly Ahuja, CEO of Versa Networks, a supplier of SASE systems. For a full drill down on our discussion on why SASE could be game changer, please give a listen to the accompanying podcast. Here are the key takeaways:

Connectivity vs. security

Corporate networks exist to connect users to applications. Traditionally this was done by setting up a datacenter at company headquarters, and having employees enter the building and access applications using company-managed equipment. Thus, local area networks, or LANs, were born.

Then along came wide area networks, or WANs, as a means to securely connect several LANs set up in geographically dispersed branch offices. Over time WANs proved to be expensive and inflexible, so they began to be replaced with software-defined wide area networks, or SD-WANs, which offered heightened data-transfer efficiencies.

However, the first-generation of SD-WAN solutions were notable for one key thing: they were solely focused on improving connectivity and did little to account for security. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

RSAC insights: How the ‘CIEM’ framework is helping companies manage permissions glut

By Byron V. Acohido

A permissions glut is giving rise to an explosion of new exposures in modern business networks.

Related: Securing digital identities

Companies are adopting multi-cloud and hybrid cloud infrastructures and relying on wide-open app development like never before. In doing so, permissions to make myriad software connections are proliferating. Taken together these man-to-machine and machine-to-machine connections result in cool new digital services. But they’ve also dramatically expanded the attack surface and left it wide open to threat actors.

Now comes an emerging security discipline to help companies get a grip on all of these permissions. It’s called “cloud infrastructure entitlement management,” or CIEM, not to be confused with security information and event management, or SIEM, which is something else altogether.

Last Watchdog visited with Raj Mallempati, chief operating officer of CloudKnox Security, aSunnyvale, Calif.-based cybersecurity firm, to get a better understanding of emergent CIEM systems. For a full drill down on our discussion please give a listen to the accompanying podcast. Here are key takeaways:

The permissions glut

Managing permissions in a way that doesn’t unduly tax agility has become a Gordian Knot security challenge. To start, the raw volume of permissions continues to rise exponentially. Consider that global spending on cloud infrastructure services jumped 32 percent to nearly $40 billion in the last quarter of 2020. This reflects the rise in remote work and schooling, as well as spikes in online shopping, gaming and media streaming over the past 12 to 18 months.

RSAC insights: Sophos report dissects how improved tools, tactics stop ransomware attack

By Byron V. Acohido

A new report from Sophos dissects how hackers spent two weeks roaming far-and-wide through the modern network of a large enterprise getting into a prime position to carry out what could’ve been a devasting ransomware attack.

Related: DHS embarks on 60-day cybersecurity sprints

This detailed intelligence about a ProxyLogon-enabled attack highlights how criminal intruders are blending automation and human programming skills to great effect. However, in this case, at least, they were detected and purged before hitting paydirt, demonstrating something that doesn’t get discussed often enough.

Enterprises actually have access to plenty of robust security technology, as well as proven tactics and procedures, to detect and defuse even leading-edge, multi-layered attacks. It’s clear to me that cybersecurity technical innovation and supporting frameworks, which includes wider threat intelligence sharing, are taking hold and making a material difference, albeit incrementally.

I had a lively discussion with Dan Schiappa, Sophos’ chief product officer, about this. For a drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Exploit surge

ProxyLogon refers to the critical vulnerability discovered in Microsoft Exchange mail servers early this year. Criminal hacking rings have been hammering away at this latest of a long line of zero-day flaws discovered in a globally distributed system. The pattern is all too familiar: they marshal their hacking infrastructure to take advantage of the window of time when there is a maximum number of vulnerable systems just begging to be hacked.

RSAC insights: SolarWinds hack illustrates why software builds need scrutiny — at deployment

By Byron V. Acohido

By patiently slipping past the best cybersecurity systems money can buy and evading detection for 16 months, the perpetrators of the SolarWinds hack reminded us just how much heavy lifting still needs to get done to make digital commerce as secure as it needs to be.

Related: DHS launches 60-day cybersecurity sprints

Obviously, one change for the better would be if software developers and security analysts paid much closer attention to the new and updated coding packages being assembled and deployed on the fly, in pursuit of digital agility.

I recently had the chance to discuss this with Tomislav Pericin, chief software architect and co-founder at software security firm ReversingLabs. We talked about how the capacity to, in essence, rapidly reverse engineer new software and software updates — without unduly hindering agility — could make a big difference.

For a full drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Targeting the build

One thing I did not realize about the SolarWinds hack is precisely how the attackers fooled more than 18,000 organizations into accepting an infected update of the widely-used Orion network management tool. I had assumed that they either stole or spoofed a SolarWinds digital certificate, which they then used to authenticate the tainted update. The payload malware: Sunburst, a heavily-obfuscated backdoor.

Actually, these attackers went through a lot of effort to first gain deep access inside of SolarWinds’ network. Next, they located and took control of the build process used to compile the various pieces of coding that SolarWinds’ software developers assembled to make up its Orion software updates.

“People tend to focus on the Sunburst malware, the actual backdoor that ended up in the affected update package,” Pericin told me. “But there was another malicious component, Sunspot, which was a piece of malware specifically designed to run in the Solar Winds environment, on a build machine.

MY TAKE: How consumer-grade VPNs are enabling individuals to do DIY security

By Byron V. Acohido

Historically, consumers have had to rely on self-discipline to protect themselves online.

Related: Privacy war: Apple vs. Facebook.

I’ve written this countless times: keep your antivirus updated, click judiciously, practice good password hygiene. Then about 10 years ago, consumer-grade virtual private networks, or VPNs, came along, providing a pretty nifty little tool that any individual could use to deflect invasive online tracking.

Consumer-grade VPNs have steadily gained a large following. And over the past two to three years, adoption has climbed steeply.

It only recently dawned on me that this rise in popularity of VPNs is probably directly related to the chaotic social unrest, not to mention the global health crisis, we’ve all endured over the past few years.

We’ve become accustomed to hunkering down. As part of this mindset, more consumers are subscribing to a personal VPN service which they use to shield themselves from disinformation sweeps and to protect themselves from Covid 19-related hacks and scams.

ROUNDTABLE: Mayorkas’ 60-day cybersecurity sprints win support; also a prove-it-to-me response

By Byron V. Acohido

The Biden Administration is wasting no time fully re-engaging the federal government in cybersecurity.

Related: Supply-chains become top targets

Homeland Security Secretary Alejandro Mayorkas has assumed a very visible and vocal role. Mayorkas has been championing an extensive portfolio of initiatives to rally public-private collaboration to fend off cyber criminals and state-sponsored threat actors.

The need is great, of course. The Solarwinds hack and Microsoft Exchange breach, not to mention the latest rounds of massive thefts of personal data from Facebook and LinkedIn demonstrate this in spades.

Mayorkas announced a series of 60-day sprints to quell ransomware and to bolster the cyber defenses of industrial control systems, transportation networks and election systems. Mayorkas also pledged to increase the diversity of the Cybersecurity and Infrastructure Security Agency’s workforce, noting that roughly a third of CISA’s workers are part of minority groups.

This reminds me of how President Obama used his bully pulpit back in 2015 to promote accelerated sharing of threat intelligence and to push for a consumers’ bill of rights for online privacy.

GUEST ESSAY: ‘Cybersecurity specialist’ tops list of work-from-home IT jobs that need filling

By Scott Orr

Even before the COVID-19 pandemic turned many office workers into work-from-home (WFH) experts, the trend toward working without having to commute was clear.

Related: Mock attacks help SMBs harden defenses

As internet bandwidth has become more available, with homes having access to gigabit download speeds, a whole new world of career paths has opened for those who want to control their work hours and conditions. Maybe you want better pay, to be home near your kids or you just like the idea of avoiding the daily drive to an office. Whatever the reason, you can likely find work online.

One of the hottest fields right now on the WFH radar is the information technology (IT) sector. But you’ll first need to learn the specifics to get to work. Fortunately, there are online classes you can take to get that knowledge – and best of all, you can take them for free.  Let’s look at what’s available and how you might jumpstart a new career.

Most IT jobs require you to have some sort of experience before you can start charging enough to make them viable as full-time employment. And some are more like a side hustle or temp job.

Having said that, here are some examples of IT careers you can learn online through free courses:

Security specialist

The more we do online, the more criminals want to take advantage of us. That makes fighting cybercrime a definite growth industry. A wide range of companies, in just about every field, are adding computer security specialists. In fact, these jobs are expected to increase a whopping 31% by 2029. This job involves planning and implementing security measures for large and small companies that rely on computer networks. You will need to develop the ability to anticipate techniques used in future cyberattacks so they can be prevented.

MY TAKE: Apple users show strong support for Tim Cook’s privacy war against Mark Zuckerberger

By Byron V. Acohido

Like a couple of WWE arch rivals, Apple’s Tim Cook and Facebook’s Mark Zuckerberg have squared off against each other in a donnybrook over consumer privacy.

Cook initially body slammed Zuckerberg — when Apple issued new privacy policies aimed at giving U.S. consumers a smidgen more control over their personal data while online.

Related: Raising kids who care about their privacy

Zuckerberg then dropped kicked Cook by taking out full-page newspaper ads painting Apple’s social responsibility flexing as bad for business; he then hammered Cook with a pop-up ad campaign designed to undermine Apple’s new privacy policies.

But wait. Here’s Cook rising from the mat to bash Z-Man at the Brussels’ International Privacy Day, labeling his tormentor as an obsessive exploiter who ought to be stopped from so greedily exploiting consumers’ digital footprints for his personal gain.

This colorful chapter in the history of technology and society isn’t just breezing by unnoticed. A recent survey of some 2,000 U.S. iPhone and iPad users, conducted by SellCell.com, a phone and tech trade-in website, shows American consumers are tuned in and beginning to recognize what’s at stake.

Fully 72 percent of those polled by SellCell said they were aware of new privacy changes in recent Apple software updates, not just in a cursory manner, but with a high level of understanding; some 42 percent said they understood the privacy improvements extremely well or at least very well, while 21 percent said they understood them moderately well.

Another telling finding: some 65 percent of respondents indicated they were extremely or very concerned about websites and mobile apps that proactively track their online behaviors, while only 14 percent said they were not at all concerned.

RSAC insights: Security Compass leverages automation to weave security deeper into SecOps

By Byron V. Acohido

In a day and age when the prime directive for many organizations is to seek digital agility above all else, cool new apps get conceived, assembled and deployed at breakneck speed.

Related: DHS instigates 60-day cybersecurity sprints

Software developers are king of the hill; they are the deeply-committed disciples pursuing wide open, highly dynamic creative processes set forth in the gospels of  DevOps and CI/CD.

In this heady environment, the idea of attempting to infuse a dollop of security into new software products — from inception — seems almost quaint. I recently sat down with Rohit Sethi, CEO of Security Compass, to discuss why this so-called “product security” gap inevitably must be narrowed, and why there are encouraging signs that should be what happens, going forward, albeit incrementally.

For a full drill down on our wide-ranging conversation, please give the accompanying podcast a listen. Here are key takeaways.

History of product security

It has become all too common today for an organization to commit to what Sethi calls a “fast-and-risky” approach to building new software products. In a race gain a competitive edge, companies do whatever it takes to deploy new software products as quickly as possible. As a nod to security, nominal static analysis and maybe a bit of penetration testing gets done just prior to meeting a tight deployment deadline.

This, in fact, was  the same general approach to developing and deploying new software that existed in early 2002 when Bill Gates slammed the brakes on all Windows development to focus on implementing Trustworthy Computing. Microsoft, at the time, was on the brink of getting swallowed up by potent self-spreading Windows worms like SirCam, Code Red, ILoveYou and Nimbda. So Gates directed billions of dollars towards the adoption of Security Development Lifecyle, or SDL, a systematic approach to infusing product security at the start of the Windows development process.

RSAC insights: CyberGRX finds a ton of value in wider sharing of third-party risk assessments

By Byron V. Acohido

The value of sharing threat intelligence is obvious. It’s much easier to blunt the attack of an enemy you can clearly see coming at you.

Related: Supply chains under siege.

But what about trusted allies who unwittingly put your company in harm’s way? Third-party exposures can lead to devastating breaches, just ask any Solar Winds first-party customer.

So could sharing intelligence about third-party suppliers help?

With RSA Conference 2021 technical sessions getting underway today, I sat down with Fred Kneip, CEO of CyberGRX, to hash over the notion that a lot of good could come from more systematic sharing of the risk profiles that large enterprises routinely compile with respect to their third-party contractors.

For a full drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

The genesis of risk-profiles

It turns out there is a ton of third-party risk profiles sitting around not being put to any kind of high use. Back in the mid-1990s, big banks and insurance companies came up with something called “bespoke assessments” as the approach for assessing third party vendor risk.

This took the form of programmatic audits. In order to get the blessing of financiers and insurers, enterprises had to set up systems to get their third-party suppliers to fill out extensive risk-profile questionnaires; and this  cumbersome process had to be repeated on a periodic base for as many contractors as they could get to.

CyberGRX launched in 2016 as a clearinghouse for companies to pool and share standardized assessment data and actually analyze the results for action. The idea was to benefit both the first-party contractors and the third-party suppliers, Kneip says. Thus, the Fortune 1,000 companies who collected and consumed the security profiles of major suppliers could see and analyze that data in aggregate and thus conduct a much higher level of risk analysis.

MY TAKE: Agile cryptography is coming, now that ‘attribute-based encryption’ is ready for prime time

By Byron V. Acohido

Encryption agility is going to be essential as we move forward with digital transformation.

Refer: The vital role of basic research

All of the technical innovation cybersecurity vendors are churning out to deal with ever-expanding cyber risks, at the end of the day, come down to protecting encrypted data. But cryptography historically has been anything but agile; major advances require years, if not decades, of inspired theoretical research.

Now comes something called attribute-based encryption, or ABE, a new approach to encrypting data that holds the potential to infuse agility into how encryption gets done online.

I had the chance to learn more about ABE from Brent Waters, a distinguished scientist in the Cryptography & Information Security (CIS) Lab at NTT Research. Waters has been a leading figure in deriving the mathematical concepts behind ABE. For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

PKI basics

If you’re thinking encryption is the polar opposite of agile, you’re correct, historically speaking. Encryption is an arcane science that has long presented an irresistible challenge to the best and brightest researchers. Top mathematicians have been hammering away at improving encryption since before World War II. And since 2005 or so, one area of focus has been on sharpening the math formulas that make attribute-based encryption possible.