Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: Most companies blissfully ignorant of rising attacks on most-used endpoint: mobile devices

By Byron V. Acohido

A dozen years after Apple launched the first iPhone, igniting the smartphone market, the Bring Your Own Device to work phenomenon is alive and well.

Related: Stopping mobile device exploits.

The security issues posed by BYOD are as complex and difficult to address as ever. Meanwhile, the pressure for companies to proactively address mobile security is mounting from two quarters.

On one hand, regulators are ahead of the curve on this one; they’ve begun mandating that companies  account for data losses, including breaches in which mobile devices come into play. And on the other hand, cyber criminals are hustling to take full advantage of the corporate world’s comparatively slow response to a fast-rising threat.

Metrics are piling up showing just how pervasive mobile threats have become. Some  33 percent of companies participating in Verizon’s Mobile Security Index 2019 survey admitted to having suffered a compromise involving a mobile device —  and the majority of those affected said that the impact was major.

Verizon’s poll also found that 67 percent of organizations were less confident of the security of mobile devices, as compared to other IT assets. And all of this is unfolding as employees continue to increasingly use both company-issued phones, and their personally-owned devices, to access sensitive data and conduct business.

“The reality is users don’t care whether it’s a corporate-owned device or a BYOD, and neither do the attackers” said J.T. Keating, vice president of product strategy at Zimperium, a Dallas, TX-based supplier of mobile security systems. “Our phones are completely blended, in terms of access to corporate data and personal data.”

I had a lively discussion with Keating at RSA 2019. For a drill down on the full interview, give a listen to the accompanying podcast. Here are a few key takeaways.

Endpoint is an endpoint

That queasy feeling senior execs have about the murkiness of mobile security is well founded, based on the results of a simple experiment Zimperium conducted (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Comment | Read | April 18th, 2019 | For consumers | For technologists | My Take | Podcasts | RSA Podcasts | Top Stories

BEST PRACTICES: How to protect yourself from the enduring scourge of malvertising

By Byron V. Acohido

Malvertising is rearing its ugly head – yet again. Malicious online ads have surged and retreated in cycles since the earliest days of the Internet. Remember when infectious banner ads and viral toolbars cluttered early browsers?

Related: Web application exposures redouble

Historically, with each iteration of malicious ads, the online advertising industry, led by Google, has fought back, and kept this scourge at a publicly acceptable level.

However, malvertising has never been as dynamic, stealthy and persistent as it is today. Here’s what you should know about this enduring online threat:

Gaming the ecosystem

Malvertising has become enmeshed in the highly dynamic online advertising, shopping and banking ecosystem we’ve come to rely on. It has accomplished this by leveraging the openness of the browsers on our go-to computing devices, namely our smartphones and PCs.

Malvertising code often circulates in tiny iframes, the HTML element that enables objects to appear on a webpage without changing the page. This bad code comes and goes, circulating to even well-known, high-traffic websites as part of the flow of web ads being placed dynamically by the online advertising networks, of which Google is the largest.

Malvertisers game this ecosystem in several ways. There are endless ways for them to hack into websites and ad networks directly. Doors and windows are left wide open in the software applications being rapidly developed to support a swelling army of third-party contractors who supply shopping cart services, data management platforms, retargeting enablement systems, and the like.

“The bad guys are insinuating their malicious code as part of the code that renders on the victim’s device during fulfillment,” says Chris Olson, CEO of the Media Trust, a McLean, VA-based website security vendor. “If you visit a large retail website, you may encounter 100 or 150 third party companies that get access to your computing device. For the most part, no one is really thinking about the security of all of these third-party apps. It’s only lightly monitored.”

Another gambit favored by threat actors is to set up shop as an independent ad network, and then patiently behave as a model citizen in order to gain trust. Once good-standing is achieved, the attacker begins to slip malicious ads into the daily flow of the ecosystem.

…more

Comment | Read | March 22nd, 2019 | My Take | Top Stories

NEW TECH: Brinqa takes a ‘graph database’ approach to vulnerability management, app security

By Byron V. Acohido

Imposing just the right touch of policies and procedures towards mitigating cyber risks is a core challenge facing any company caught up in digital transformation.

Related: Data breaches fuel fledgling cyber insurance market

Enterprises, especially, tend to be methodical and plodding. Digital transformation is all about high-velocity innovation and on-the-fly change. The yawning gap between the two is where fresh attack vectors are arising, creating a candy-store environment for threat actors.

Brinqa, an Austin, TX-based security vendor has come up with a cyber risk management platform designed to help companies take a much more dynamic approach to closing that gap, specifically in the areas of vulnerability management and application security, to start.

Brinqa was founded in 2009 by Amad Fida and Hilda Perez, industry veterans seeking to leverage their collective expertise in risk management and identity and access management. Early on, a customer of their cyber risk management solution asked if they could assess a physical location, down to the fire extinguishers.

An early version of their platform was already live. But that assignment led Fida and Perez to re-architecture the platform around graph databases and knowledge graphs. It was an approach they felt would be flexible enough to keep up with rapidly-evolving enterprise technology infrastructure.

I had the chance at RSA 2019 to meet with Syed Abdur, Brinqa’s director of products, who provided more background. For a full drill down, please give a listen to the full Last Watchdog interview via the accompanying podcast. Here are the key takeaways:

Blistering pace

On-premises data centers look to remain a big part of hybrid cloud networks, going forward, and keeping these systems up to date, with respect to vulnerability patching, isn’t getting easier.

By many measures, the vulnerability management challenge companies face is getting steeper. The National Institute of Standards and Technology’s National Vulnerbility Database, logged around 14,000 unique vulnerabilities, up from 13,000 in 2017 and 6,000 in 2016. …more

Comment | Read | April 18th, 2019 | For technologists | New Tech | Podcasts | RSA Podcasts

Q&A: Researchers find evidence of emerging market for stolen, spoofed machine identities

By Byron V. Acohido

It’s edifying what you can find shopping in the nether reaches of the dark web.

Related: Why government encryption backdoors should never be normalized.

Academic researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. recently teamed up and found evidence of an emerging market for stolen and spoofed machine identities.

Specifically, the researchers found:

•A ready inventory of stolen SSL/TLS certificates, along with a range of related services and products, for sale, priced from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.

•Extended validation certificates, packaged with services to support malicious websites, such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.

•A vendor offering to issue certificates from reputable Certificate Authorities (CAs), along with forged company documentation, as part of a package of services enabling an attacker to credibly present themselves as a trusted U.S. or U.K. company for less than $2,000.

This emerging black market for machine identities is but a mere starting point for cyber criminals who recognize a huge, unguarded exposure when they see one. Thus, threat actors have begun moving with alacrity to capitalize on it, before companies get around to protecting their exposed machine identity.

Repeated missteps

As a famous American sports hero once said, “It’s Déjà vu all over again.” In cobbling together our classic business networks, we did an imperfect job setting up privileged access for human users – and we continue to pay the price.  And yet, we are about to repeat the same missteps with respect to the over-privileging of non-human, or machine, identities.

Machine identities are what make hybrid business networks possible; they are nothing less than the key to stitching together emerging IoT- and 5G-centric systems. Think about the coming generation of smart homes, public venues, utilities and transportation systems. They will require an exploding number of APIs to connect each microservice, to each software container, to each orchestration tool, on up the software stack, to each new mobile app delivering each of our daily digital experiences. …more

Comment | Read | April 17th, 2019 | For technologists | Podcasts | Q & A | RSA Podcasts | Top Stories

Q&A: How AI, digital transformation are shaking up revenue management in high tech, life sciences

By Byron V. Acohido

A recent poll of some 300 senior executives from U.S.-based life sciences and high-tech manufacturing companies sheds light on how digital transformation – and the rising role of third-party partners – have combined to create unprecedented operational challenges in the brave new world of digital commerce.

Related: AI one-upsmanship prevails in antivirus field

Model N’s 2019 State of Revenue Report surveyed CEOs, CMOs and senior sales executives from leading pharmaceutical, medical devices, high-tech manufacturing and semiconductor companies. Model N is a San Mateo, CA-based supplier of revenue management systems.

Some 78 percent of respondents said AI has altered the way they do revenue management,  while 69 percent identified digital transformation as a revenue management game changer. Meanwhile, some 90 percent of respondents reported reliance on 20 or more partners, while 70 percent said they work with 40 or more partners.

Model N’s study provides yet another perspective on the unprecedented complexities organizations must navigate to compete in an internet-centric business environment. The core challenge for just about any company seeking top line and bottom line growth boils down to solving two intricate puzzles: how to deploy advanced digital systems in just the right measure; and how to collaborate, effectively and securely, with third-party partners.

And, of course, this must be done while defending the company’s digital assets against rising cyber attacks, launched by skilled, determined threat actors.

With that in mind, Last Watchdog sat down with Model N CEO Jason Blessing to drill down on a few instructive findings from Model N’s poll — and connect the dots to some wider. Here are excerpts edited for clarity and length.

LW: How has the revenue generation landscape shifted over the past few years? …more

Comment | Read | April 16th, 2019 | Best Practices | For technologists | Q & A | Top Stories

Q&A: How cutting out buzzwords could actually ease implementation of powerful security tools

By Byron V. Acohido

The central dilemma posed by digital transformation is this: How do companies reap the benefits of high-velocity software development without creating onerous security exposures?

Related: Golden Age of cyber spying dawns

The best practices standards and protocols to pull off this delicate balancing act have been thoroughly vetted and are readily available. And there’s certainly no shortage of sophisticated technology solutions.

So what’s missing? Why have organizations, of all sizes and in all sectors, failed to make more progress shrinking a security gap that appears, in fact, to be inexorably widening?

These were questions I discussed at RSA 2019 with Samantha Madrid, a veteran executive in the enterprise security space, who recently joined Juniper Networks as vice president, security & business strategy. Juniper has been in the vanguard of integrating security deeper into the plumbing of modern business networks.

Madrid observed that the white noise of overlapping marketing messages has not made it any easier for enterprises to chart a truer course for securing their networks. One of the first things Madrid told me she did when she arrived at Juniper was to ask her colleagues to stop using marketing buzzwords.

“A vendor should be able to explain, in simple terms, how they can help solve a customer’s problem,” she said.

Having covered tech security since 2004, I can attest that there is plenty of room for more clarity, and less hype, in security products marketing. To hear my conversation with Madrid in its entirety, please give a listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW:  Can you frame the security challenges companies are facing in today’s very dynamic environment? …more

Comment | Read | April 12th, 2019 | For technologists | Podcasts | Q & A | RSA Podcasts | Steps forward | Top Stories

NEW TECH: Critical Start delivers managed security services with ‘radical transparency’

By Byron V. Acohido

It was in 2012 that CRITICALSTART burst onto the Managed Security Service Provider (MSSP) scene with bold intentions.

Related: How SMBs can leverage threat intelligence.

The Plano, TX-based company sought to elevate the “MSSP” space high above the accepted standard at the time. It set out to do this by delivering security services based on Zero-Trust and that also provided radical transparency to its customers.

CRITICALSTART has since grown to 105 employees, serving hundreds of customers. In 2018, revenues generated by its core Managed Detection and Response (MDR) service grew 300 percent as compared to 2017.

What struck me most as I prepared to meet up with Jordan Mauriello, CRITICALSTART’s VP of Managed Services, was how the company has been able to stick to its guns providing Zero-Trust and “radical transparency” to its customers.

No one in the cybersecurity community would dispute the fact that widely sharing intel detailing what the bad guys are doing, as well as measures that prove effective in deterring them, should be standard practice – for the greater good.

However, in reality, competitive instincts still get in the way all too often. It was with this in mind that I met with Mauriello at RSA 2019, and he walked me through the path CRITICALSTART has successfully navigated. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Foundation of trust

Radical transparency isn’t a new thing, but we are seeing it more in security, as well as an increase in the need for Zero-Trust model. Mauriello observed that companies shopping for contracted security services are open to taking a trust-but-verify approach, and are looking for service providers to build that trust foundation by operating out in the open. …more

Comment | Read | April 11th, 2019 | For technologists | New Tech | Podcasts | RSA Podcasts | Steps forward | Top Stories

NEW TECH: ‘Network Traffic Analysis’ gets to ground truth about data moving inside the perimeter

By Byron V. Acohido

Digital transformation is all about high-velocity innovation. But velocity cuts two ways.

Related: Obsolescence creeps into perimeter defenses

Yes, the rapid integration of digital technologies into all aspects of commerce has enabled wonderful new services. But it has also translated into an exponential expansion of the attack surface available to cyber criminals.

This has led us to the current environment in which security threats are multiplying even as network breaches grow costlier and more frequent.

However, a newly-minted security sub-specialty —  christened Network Traffic Analysis, or NTA, by Gartner — holds some fresh promise for getting to the root of the problem. I had the chance to sit down at RSA 2019 with ExtraHop Networks, a Seattle-based supplier of NTA systems.

ExtraHop’s CISO Jeff Costlow walked me through what’s different about the approach NTA vendors are taking to help companies detect and deter leading-edge threats. For a drill down, give a listen to the accompanying podcast. Key takeaways:

NTA’s distinctions

Software development today routinely occurs at high velocity in order to build the digital services we can’t live without. Modular microservices, software containers and orchestration tools get spun up, using open source components; all of this mixing and matching occurs in the internet cloud, keeping things moving right along.

The inevitable security gaps that get created as part of this highly dynamic process have been getting short shrift, in deference to shipping deadlines. It’s not as though legacy security vendors are asleep at the wheel; they’ve been applying machine learning and AI to the output of SIEMs, firewalls, intrusion detection and other traditional security products designed to filter and detect malicious traffic directed at, and coming through, the perimeter. …more

Comment | Read | April 11th, 2019 | For technologists | New Tech | Podcasts | RSA Podcasts | Steps forward | Top Stories

Older Articles »