Home Podcasts Videos Guest Posts Q&A My Take Bio Contact

RSAC Fireside Chat: A breakthrough in securing cloud collaboration — decentralized key storage

By Byron V. Acohido

Back in 2002, when I was a reporter at USA Today, I had to reach for a keychain fob to retrieve a single-use passcode to connect remotely to the paper’s publishing system.

Related: A call to regulate facial recognition

This was an early example of multifactor authentication (MFA). Fast forward to today; much of the MFA concept is being reimagined by startup Circle Security to protect data circulating in cloud collaboration scenarios.

I learned about this at RSA Conference 2023 from company Co-founder and CEO Phani Nagarjuna, who explained how Circle extends the use of encryption keys fused to biometrics and decentralizes where copies of the keys are stored. For a full drill down, give the accompanying podcast a listen.

Guest expert: Phani Nagarjuna, CEO, Circle Security

According to Nagarjuna, Circle’s technology places a small agent on the endpoint device. This facilitates the creation of an asymmetric key pair and a symmetric AES256 key. Together these keys authenticate the user’s identity and enable secure and private access to cloud-stored data and resources.

Access to cloud-stored files can then be shared widely. But only authorized individuals, with proof of identity originating from their authenticated device, can open the files. All access attempts get audited using a built-in distributed ledger, allowing policy enforcement and quick remediation.

This iteration of my old-school keychain fob thus eliminates the need for usernames and passwords while much more robustly protecting sensitive data, Nagarjuna asserts. How much traction will it get? I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

RSAC Fireside Chat: Dealing with the return of computing workloads to on-premises datacenters

By Byron V. Acohido

A cloud migration backlash, of sorts, is playing out.

Related: Guidance for adding ZTNA to cloud platforms

Many companies, indeed, are shifting to cloud-hosted IT infrastructure, and beyond that, to containerization and serverless architectures.

However, a “back-migration,” as Michiel De Lepper, global enablement manager, at London-based Runecast, puts it, is also ramping up. This is because certain workloads are proving to be too costly to run in the cloud — resource-intensive AI modeling being the prime example.

I had an evocative discussion about this with De Lepper and his colleague, Markus Strauss, Runecast product leader, at RSA Conference 2023. For a full drill down, please give the accompanying podcast a listen. The duo outlined how a nascent discipline — Cloud-Native Application Protection Platforms (CNAPP) – factors in.

Guest experts: Markus Strauss, Product Leader, and Michiel De Lepper, Global Enablement Manager, Runecast

CNAPP solutions focus on monitoring and enforcing security policies on workloads and in applications – during runtime. This is no small feat in an operating environment of co-mingled on-prem and cloud-hosted resources.

Runecast, for instance, takes a proactive approach to risk-based vulnerability management, configuration management, container security, compliance auditing, remediation and reporting.

This helps with compliance, at one level, but also continually improves detection of any soft spots and/or active attacks, while also paving the road to automated  remediation.

“It’s no longer about creating shields,” De Lepper told me, “Instead, we’re helping our customers plug all the gaps the bad guys can use.”

CNAPP solutions show promise for helping overcome the complexities of fragmented defenses; will they ultimately lead to more resilient business networks?  I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

RSAC Fireside Chat: Reinforcing ‘Identity and Access Management’ to expose ‘shadow access’

By Byron V. Acohido

The world of Identity and Access Management (IAM) is rapidly evolving.

Related: Stopping IAM threats

IAM began 25 years ago as a method to systematically grant human users access to company IT assets. Today, a “user” most often is a snippet of code seeking access at the cloud edge.

At the RSAC Conference 2023, I sat down with Venkat Raghavan, founder and CEO of start-up Stack Identity. As Raghavan explained, the rapid growth of data and subsequent application development in the cloud has led to a sprawling array of identities and access points. This, he warned, has created a new problem: shadow access.

Shadow access refers to ungoverned and unauthorized access that arises due to the speed and automation of cloud deployment.For a drill down, please give the accompanying podcast a listen.

Guest expert: Venkat Raghavan, CEO, Stack Identity

Stack Identity’s solution quickly onboards a customer’s cloud accounts, methodically identifies potential pathways to data and comprehensively assesses risk. Once all human and non-human access points are identified, automated remediation kicks in to eliminate shadow access.

Notably, this process happens at runtime, watching access in real-time, and looking at how access is utilized, Raghavan told me.

“We have seen that in live customer environments that over 50 percent of identities are over-permissioned and should have access permissions revoked,” he says.”This represents a substantial risk for companies.”

This risk is material; just ask Capital One or LastPass. Here’s another example of directing ML and automation at shrinking the attack surface. Stack Identity emerged from stealth just last month with $4 million in seed funding. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


RSAC Fireside Chat: Uptycs emulates Google, Akamai to protect cloud-native apps and endpoints

By Byron V. Acohido

The inadequacy of siloed security solutions is well-documented.

Related: Taking a security-first path

The good news is that next-gen security platforms designed to unify on-prem and cloud threat detection and remediation are, indeed, coalescing.

At RSA Conference 2023 I visited with Elias Terman, CMO, and Sudarsan Kannan, Director of Product Management, from Uptycs, a Walthan, Mass.-based supplier of “unified CNAPP and EDR ” services.

They described how Uptycs is borrowing proven methodologies from Google, Akamai, SAP and Salesforce to harness normalized telemetry that enables Uptycs to correlate threat activity — wherever it is unfolding. Please give a listen to the accompanying podcast for a full drill down.

Guest experts: Elias Terman, CMO, Sudarsan Kannan, Director of Product Management, Uptycs

Kannan described how Uptycs technology platform was inspired by Google’s dynamic traffic monitoring, Akamai’s content distribution prowess and Salesforce’s varied use cases based on a single data model, to help companies materially upgrade their security posture. The aim, he says, is to think like attackers, who certainly don’t operate in silos.

Terman offered the analogy of a “golden thread” stitching together varied threat activities and serving as a cloud security early warning system. The entire value chain is thereby protected, Kannan added, from the developers writing the code to automated connections to critical cloud workloads.

Terman detailed how Uptycs’ platform, indeed, touches everything within the modern attack surface and, in doing so, breaks down legacy silos and facilitates  better security outcomes.

This is part and parcel of the helpful dialogue that will carry us forward. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


GUEST ESSAY: A primer on NIST 207A — guidance for adding ZTNA to cloud-native platforms

By Zack Butcher

Zero trust networking architecture (ZTNA) is a way of solving security challenges in a cloud-first world.

Related: The CMMC sea change

NIST SP 800-207A (SP 207A), the next installment of Zero Trust guidance from the National Institute of Standards and Technology (NIST), has been released for public review.

This special publication was written for security architects and infrastructure designers; it provides useful guidance when designing ZTNA for cloud-native application platforms, especially those in enterprises where applications are hosted in multi-cluster and multi-cloud deployments.

I co-authored SP 207A, and it’s a great blueprint for any organization working to implement a ZTNA, whether they’re working with the U.S. federal government or not.

The 4th Annual Multi-Cloud Conference and Workshop on ZTNA is an upcoming event for anyone interested in how the federal government is advancing standards in ZTNA. The event—May 24-25; in-person and virtual—is hosted by NIST and Tetrate.

RSAC Fireside Chat: The need to stop mobile apps from exposing API keys, user credentials in runtime

By Byron V. Acohido

As digital transformation accelerates, Application Programming Interfaces (APIs) have become integral to software development – especially when it comes to adding cool new functionalities to our go-to mobile apps.

Related: Collateral damage of T-Mobile hack

Yet, APIs have also exponentially increased the attack vectors available to malicious hackers – and the software community has not focused on slowing the widening of this security gap.

Mobile apps work by hooking into dozens of different APIs, and each connection presents a vector for bad actors to get their hands on “API secrets,” i.e. backend data to encryption keys, digital certificates and user credentials that enable them to gain unauthorized control.

I learned this from Ted Miracco, CEO of Approov, in a discussion we had at RSA Conference 2023. For a full drill down, please give the accompanying podcast a listen.

Guest expert: Ted Miracco, CEO, Approov

He also explains how hackers are carrying out “man in the middle” attacks during a mobile app’s runtime in ways that enable them to manipulate the communication channel between the app and the backend API.

Hackers know just how vulnerable companies are at this moment. Approov recently did a deep dive study of 650 financial services mobile apps of financial institutions across Europe and the US. The results were startling: the researchers could access API secrets in 95 percent of the apps, including “high value” secrets” in 25 percent of them.

Until API security generally gains a lot more ground, and next gen solutions achieve critical mass, the risk level will remain high. So be careful out there. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


RSAC Fireside Chat: Counteracting Putin’s weaponizing of ransomware — with containment

By Byron V. Acohido

The ransomware plague endures — and has arisen as a potent weapon in geopolitical conflicts.

Related: The Golden Age of cyber espionage

Cyber extortion remains a material threat to organizations of all sizes across all industries. Ransomware purveyors have demonstrated their capability to endlessly take advantage of a vastly expanded network attack surface – one that will only continue to expand as the shift to massively interconnected digital services accelerates.

Meanwhile, Russia has turned to weaponing ransomware in its attempt to conquer Ukraine, redoubling this threat. Now that RSA Conference 2023 has wrapped, these things seem clear: ransomware is here to stay; it is not, at this moment, being adequately mitigated; and a new approach is needed to slow, and effectively put a stop to, ransomware.

I had the chance to visit with Steve Hahn, EVP Americas, at Bullwall, which is in the vanguard of security vendors advancing ways to instantly contain threat actors who manage to slip inside an organization’s network.

Guest expert: Steve Hahn, EVP Americas, Bullwall

Bullwall has a bird’s eye view of Russia’s ongoing deployment of ransomware attacks against Ukraine, and its allies, especially the U.S.

Weaponized ransomware doubly benefits Russia: it’s lucrative, generating  billions in revenue and thus adding to Putin’s war chest; and at the same time it also weakens a wide breadth of infrastructure of Putin’s adversaries across Europe and North America.

Containment is a logical tactic that could make a big difference in stopping ransomware and other types of attacks. For a full drill down, please give the accompanying podcast a listen. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)



RSAC Fireside Chat: Deploying Hollywood-tested content protection to improve mobile app security

By Byron V. Acohido

Your go-to mobile apps aren’t nearly has hackproof as you might like to believe.

Related: Fallout of T-Mobile hack

Hackers of modest skill routinely bypass legacy security measures, even two-factor authentication, with techniques such as overlay attacks. And hard data shows instances of such breaches on the rise.

I had an evocative conversation about this at RSA Conference 2023 with Asaf Ashkenazi, CEO of Verimatrix, a cybersecurity company headquartered in southern France. We discussed how the Dark Web teems with hackers offering targeted mobile app attacks on major companies.

Many corporations outsource their mobile app development, and these apps often exhibit poor security practices, making them easy targets for cybercriminals, he says.

Verimatrix is coming at this problem with a fresh approach that has proven its efficacy in Hollywood where the company has long helped lock down content such as premium movies and live streamed sporting events.

Guest expert: Asaf Ashkenazi, CEO, Verimatrix

Its technology revolves around application-level protection and monitoring, which allows Verimatrix to collect data on app behavior without invading user privacy.

Coding embedded in the app provide a granular level of insight into what’s happening — when the app is actually running — and a degree of control that’s simply not doable with legacy mobile app security solutions, he told me.

For a full drill down, please give the accompanying podcast a close listen. Ashkenazi argues that we need better security solutions in general to mitigate the AI-generated threats running on our most cherished devices.

He observes that threat actors already use generative AI tools like  ChatGPT, Google Bard and Microsoft Edge to innovate malware; to keep pace, companies are going to have to get much better at not just identifying, but predicting attacks, especially on mobile apps. Agreed. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make … more

RSAC Fireside Chat: Achieving ‘outcome-based security’ by blending cybersecurity, business goals

By Byron Acohido

Could cybersecurity someday soon be implemented as a business enabler, instead of continuing to be viewed as an onerous business expense?

Related: Security sea-change wrought by ‘CMMC’

This would fit nicely with the ‘stronger together’ theme heralded at RSA Conference 2023.

WithSecure is one cybersecurity vendor that is certainly on this path. I had a lively conversation at Moscone Center with CEO Juhani Hintikka and CTO Tim Orchard all about something they’re championing as “outcome-based security.” In sum, this refers to the notion of correlating the mix of security tools and services a company has at hand much more directly with precisely defined business targets.

“We actually need to integrate cybersecurity with the business goals of the enterprise,” Hintikka observes.

WithSecure isn’t a startup; it’s the rebranding of Helsinki-based F-Secure, which has been around since 1988 and is well-established as a leading supplier of endpoint security and threat intelligence.

Guest experts: Tim Orchard, CTO, and Juhani Hintikka, CEO, WithSecure

Hintikka and Orchard argue for a more collaborative style of security services; for a drill down on our conversation please give the accompanying podcast a close listen.

The efficacy of this approach, they told me, is proving out in the success WithSecure is having with its customers, especially mid-sized companies. “In Germany, which is famous for mid-market companies, we seamlessly integrate our MDR service on top of our customers’ legacy systems, working alongside their teams,” Hintikka told me. “It’s truly a joint effort.”

The maturation of managed security services continues. There should be plenty more to come. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

RSAC Fireside Chat: How a well-placed ‘NGWAF’ can staunch the flow of web, mobile app attacks

By Byron V. Acohido

Attack surface expansion translates into innumerable wide-open vectors of potential unauthorized access into company networks.

Related: The role of legacy security tools

Yet the heaviest volume of routine, daily cyber attacks continue to target a very familiar vector: web and mobile apps.

At RSA Conference 2023, I had the chance to meet with Paul Nicholson, senior director of product marketing and analyst relations at A10 Networks.

A10 has a birds eye view of the flow of maliciousness directed at web and mobile apps — via deployments of its Thunder Application Delivery Controller (ADC.)

We discussed why filtering web and mobile app traffic remains as critical as ever, even as cloud migration intensifies; for a full drill down, please give the accompanying podcast a listen.

Companies today face a huge challenge, Nicholson says. They must make ongoing assessments about IT infrastructure increasingly spread far and wide across on-premises and public cloud computing resources.

Guest expert: Paul Nicholson, senior director, product marketing & analyst relations, A10 Networks

The logical place to check first for incoming known-bad traffic remains at the gateways where application traffic arrives.

At RSAC 2023, A10 announced the addition of a next-generation web application firewall (NGWAF,) powered by Fastly, to its core Thunder ADC service. This upgrade, he told me, is expressly aimed at helping companies optimize secure performance of their hybrid cloud environments.

This is another encouraging example of stronger together advancement. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we co


SHARED INTEL: From airbags to malware: vehicle cyber safety arises in the age of connected cars

By Kolawole Samuel Adebayo

In an increasingly interconnected world, the evolution of the automotive industry presents an exciting yet daunting prospect.

Related: Privacy rules for vehicles

As vehicles continue to offer modern features such as app-to-car connectivity, remote control access, and driver assistance software, a huge risk lurks in the shadows.

The physical safety of things like airbags, rearview mirrors, and brakes is well accounted for; yet cybersecurity auto safety concerns are rising to the fore.

What used to be a focus on physical safety has now shifted to cybersecurity due to the widened attack surface that connected cars present. The rapid advancements in electric vehicles (EVs) has only served to heighten these concerns.

Funso Richard, Information Security Officer at Ensemble, highlighted the gravity of these threats. He told Last Watchdog that apart from conventional attacks, such as data theft and vehicle theft, much more worrisome types of attacks are emerging. These include ransomware targeting backend servers, distributed denial of service (DDoS) attacks, destructive malware, and even weaponizing charging stations to deploy malware.

RSAC Fireside Chat: Keeping persistent email threats at bay requires deeper, cloud-layer vigilance

By Byron V. Acohido

Email remains by far the no.1 business communications tool. Meanwhile, weaponized email continues to pose a clear and present threat to all businesses.

Related: The need for timely training

At RSA Conference 2023, I learned all about a new category of email security — referred to as integrated cloud email security (ICES) – that is helping companies more effectively keep email threats in check.

I met with Eyal Benishti, CEO of IRONSCALES, a supplier of ICES tools and cybersecurity training services. For a full drill down on our conversation, please give the accompanying podcast a close listen.

Phishing is still the main way bad actors slip into networks; and Business Email Compromise (BEC) attacks can instantly translate into crippling losses.

Guest expert: Eyal Benishti, CEO, Ironscales

Successful attacks slip past legacy security email gateways (SEGs) and even past the newer ‘cloud-native security’ controls that Microsoft and Google have embedded Microsoft 365 and Google Workspace. These filters look for known bad attachments and links.

ICES solutions vet the messages that slip through. IRONSCALES, for instance, applies natural language processing technology to identify patterns and flush out anything suspicious.

And its complementary security awareness training modules encourage employees to participate in isolating anything suspicious that leaks into their inboxes.

“The security gateways and cloud-native security controls look at content but that’s not enough,” Benishti observes. “You also need to look at context; both perspectives are needed.”

It’s clear that layers of protection, along with better-trained employees, have become table stakes. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

MY TAKE: DigiCert and Oracle partner to extend digital trust and scalable infrastructure globally

By Byron V. Acohido

One meeting I had at RSA Conference 2023, was a briefing about a  new  partnership, announced this morning, between a top-rung Silicon Valley tech giant and the leading provider of digital trust.

Related: Centralizing control of digital certificates

I had the chance to sit down with Deepika Chauhan, DigiCert’s Chief Product Officer, and Mike Cavanagh, Oracle’s Group Vice President, ISV Cloud for North America. They walked me through a partnership that gives their joint customers the option to deploy Oracle Cloud Infrastructure (OCI) combined with  DigiCert ONE. Here are a few of my takeaways:

Seeds of the partnership

In 2017, DigiCert acquired and commenced reviving Symantec’s PKI business. This was all part of the Lehi, Utah-based vendor’s efforts to support enterprise cloud migration and the rise of IoT systems, which were both gaining steam.

This ultimately resulted in the 2020 roll out of DigiCert ONE, a new platform of tools and services aimed at “embedding digital trust across the board within the enterprise and between all parts of the cloud ecosystem,” Chauhan says.

Back in Silicon Valley, Oracle was playing catchup. Amazon had introduced Amazon Web Services in 2006 and Microsoft Azure became commercially available in 2010. Oracle launched OCI in October 2016.

MY TAKE: A few reasons to believe RSAC 2023’s ‘stronger together’ theme is gaining traction

By Byron V. Acohido

The theme of RSA Conference 2023 — ‘stronger together’ — was certainly well chosen.

Related: Demystifying ‘DSPM’

This was my nineteenth RSAC. I attended my first one in 2004, while covering Microsoft for USA TODAY. It certainly was terrific to see the cybersecurity industry’s premier trade event fully restored to its pre-Covid grandeur at San Francisco’s Moscone Center last week.

Rising from the din of 625 vendors, 700 speakers and 26,000 attendees came the clarion call for a new tier of overlapping, interoperable, highly automated security platforms needed to carry us forward.

Defense-in-depth remains a mantra — but implemented much differently than the defense-in- depth strategies of the first decade and a half of this century. Machine learning, automation and interoperability must take over and several new security layers must coalesce and interweave to protect the edge.

Getting a grip on identities

To keep the momentum going, business rivals and regulators are going to have to find meaningful ways to co-ordinate and cooperate at an unprecedented level. Here are four evolving themes reverberating from RSAC 2023 that struck me:

Password enabled access will endure for the foreseeable future.

RSAC Fireside Chat: Turning full attention to locking down the security of ‘open source’

By Byron V. Acohido

Software composition analysis — SCA – is a layer of the security stack that, more so than ever, plays a prominent role in protecting modern business networks.

Related: All you should know about open-source exposures

This is especially true as software developers increasingly rely on generic open source and commercial components to innovate in hyperkinetic DevOps and CI/CD mode. Open source coding has come to dominate business software applications; rising to comprise 75 percent of audited code bases and putting open source on a trajectory to become a $50 billion subsector of technology by 2026.

As RSA Conference 2023 gets underway today at San Francisco’s Moscone Center, advanced ways to secure open source components is getting a good deal of attention.

Guest expert: Rami Sass, CEO, Mend

The infamous SolarWinds breach put a spotlight on the risk of malicious open-source components, and the White House has put its weight behind software supply chain best practices.

I had the chance to visit with Rami Sass, CEO of Mend, a Tel Aviv-based supplier of automated remediation technologies designed to help keep open source components as secure as possible. For a full drill down on our conversation please give the accompanying podcast a listen.

Sass filled me in about a trend that started about two and a half years ago; he noted that bad actors have turned their full attention to seeking out and exploiting fresh vulnerabilities in fully updated open-source components in live service.

Mend and other SCA solution vendors are stepping up their game to counter this trend. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

RSAC Fireside Chat: Here’s why companies are increasingly turning to MSSPs for deeper help

By Byron V. Acohido

Managed Security Service Providers, MSSPs, have been around for some time now as a resource to help companies operate more securely.

Related: CMMC mandates best security practices

Demand for richer MSSP services was already growing at a rapid pace, as digital transformation gained traction – and then spiked in the aftermath of Covid 19. By one estimate, companies are on track to spend $77 billion on MSSP services by 2030, up from $22 billion in 2020.

At RSA Conference 2023 , which gets underway next week at San Francisco’s Moscone Center, I expect that there’ll be buzz aplenty about the much larger role MSSPs seem destined to play.

I had the chance to visit with Geoff Haydon, CEO of Ontinue, a Zurich-based supplier of a managed extended detection and response (MXDR) service. We discussed the drivers supporting the burgeoning MSSP market, as well as where innovation could take this trend.

Guest expert: Geoff Haydon, CEO, Ontinue

For its part, Ontinue is leveraging Microsoft collaboration and security tools and making dedicated cyber advisors available to partner with its clients. “Microsoft has emerged as the largest, most important cybersecurity company on the planet,” Haydon told me. “And they’re also developing business applications that are very conducive to delivering and enriching a cyber security program.”e

I covered Microsoft as a USA TODAY technology reporter when Bill Gates suddenly ‘got’ cybersecurity, so this part of our discussion was especially fascinating. For a drill down, please give the accompanying podcast a listen. Meanwhile, I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


RSAC Fireside Chat: Cybersixgill crawls the Dark Web to uncover earliest signs of companies at risk

By Byron V. Acohido

Adopting personas and rubbing elbows with criminal hackers and fraudsters is a tried-and-true way to glean intel in the Dark Web.

Related: In pursuit of a security culture

It’s not at all unusual to find law enforcement agents and private sector threat intelligence analysts concocting aliases that permit them to lurk in unindexed forums, vetted message boards and encrypted code repositories.

This boots in the underground approach, of course, has its limitations.

At RSA Conference 2023 , which gets underway on Monday, Apr. 24, at San Francisco’s Moscone Center, the latest innovations in gathering and leveraging intel — at a scale that can make a material difference — will be in the spotlight.

I had the chance to visit with Delilah Schwartz, security strategist at Cybersixgill, a Tel Aviv-based cybersecurity company that supplies this type of threat intelligence.

Guest expert: Delilah Schwartz, security strategist, Cybersixgill

We discussed how her company is leveraging essentially the same automated crawling tools and techniques used by the big search engines to gather and supply actionable threat intelligence to its customers.

“We gain fully automated access to these very difficult to navigate Dark Web platforms, extract that useful intel, analyze it using AI and ML, and then we translate that into concrete insights in our data lake,” Schwartz says.

For a drill down, please give the accompanying podcast a listen. Good intel can only help inform smarter, more effect network defenses – and ultimately reinforce resiliency.

I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)



RSAC Fireside Chat: How timely intel from the cyber underground improves counter measures

By Byron V. Acohido

Good intelligence in any theater of war is invaluable. Timely, accurate intel is the basis of a robust defense and can inform potent counterattacks.

Related: Ukraine hit by amplified DDoS

This was the case during World War II in The Battle of Midway and at the Battle of the Bulge and it holds true today in the Dark Web. The cyber underground has become a highly dynamic combat zone in which cyber criminals use engrained mechanisms to shroud communications.

That said, there are also many opportunities for companies to glean and leverage helpful intel from the Dark Web. As RSA Conference 2023 gets underway next week at San Francisco’s Moscone Center, advanced ways to gather and infuse cyber threat intelligence, or CTI, into fast-evolving network defenses is in the spotlight.

I had the chance to visit with Jason Passwaters, CEO of Intel 471, a US-based supplier of cyber threat intelligence solutions.

Guest expert: Jason Passwaters, CEO, Intel 471

We discussed how the cyber underground has shifted from being perceived as deep and dark to a well-organized world with defined business models, supply chains, and relatively low barrier of entry.

“As the cyber underground becomes more sophisticated, the level of threat increases exponentially for legitimate businesses and nation-states,” Passwaters told me. “The underground is now the domain of organized cybercriminals with clear hierarchies and targeted revenue goals.”

Intel 471 directs comprehensive threat intelligence at identifying, prioritizing and preventing cyber attacks. For a full drill down, please give the accompanying podcast a listen. Good intel in warfare can’t be overstated. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


RSAC Fireside Chat: StackHawk helps move the application security needle to ‘shift everywhere’

By Byron V. Acohido

Embedding security into the highly dynamic way new software gets created and put into service — on the fly, by leveraging ephemeral APIs — has proven to be a daunting challenge.

Related: The fallacy of ‘security-as-a-cost-center’

Multitudes of security flaws quite naturally turn up – and threat actors have become adept at systematically discovering and exploiting these fresh vulnerabilities.

As RSA Conference 2023 gets underway next week at San Francisco’s Moscone Center, advanced application security and API security tools and practices are grabbing a lot of attention.

I had the chance to visit with Scott Gerlach, chief security officer and co-founder of StackHawk, a Denver-based software company launched in 2019 to join the phalanx of vendors innovating like crazy to dial-in meaningful code checks, in just the right measure, at just the right moment.

Guest expert: Scott Gerlach, CSO, StackHawk

We had a great conversation about how the venerable “shift left” security philosophy is being refined so that it better aligns with the way software gets developed today – at light speed. This has led to security vendors, StackHawk among them, putting great energy into weaving security more tightly into DevOps, CICD and more.

“Shift left still applies because you do want to get security processes into the left side where you design, develop, test and deploy,” Gerlach told me. “But it’s really about how can we get security information closer to the people who are writing code, changing code and fixing code.”

In short, “shift everywhere” is the new “shift left.” For a full drill down, please give the accompanying podcast a listen. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


RSAC Fireside Chat: Demystifying cloud-stored data via ‘data security posture management’

By Byron V. Acohido

In the age before the cloud, data security was straightforward.

Related: Taming complexity as a business strategy

Enterprises created or ingested data, stored it and secured it in a physical data center. Data security was placed in the hands of technicians wearing tennis shoes, who could lay their hands on physical servers.

Today, company networks rely heavily on hybrid cloud and multi-cloud IT resources, and many startups are cloud native. Business data has been scattered far and wide across cloud infrastructure and just knowing where to look for sensitive data in the cloud, much less enforcing security policies, has become next to impossible for many organizations.

If headline grabbing cyber-attacks weren’t enough, the Biden Administration has begun imposing long-established, but widely ignored data security best practices on any contractor that hopes to do business with Uncle Sam.

Guest expert: Yotam Segev, co-founder and CEO, Cyera

This is where a hot new security service comes into play – designated in 2022 by Gartner as “data security posture management,” or DSPM. With RSA Conference 2023 taking place at San Francisco’s Moscone Center next week, I had the chance to visit with Yotam Segev, co-founder and CEO San Mateo, Calif.-based security startup Cyera, that is making hay in this emerging DSPM space.

Segev and I discussed how, in the rush to the cloud, companies have lost control of data security, especially in hybrid environments. The core value of DSPM systems, he argues, is that they can help demystify data management, with benefits that ultimately should go beyond security and compliance and actually help ease cloud migration.

Please give a listen to the case Segev makes in the accompanying podcast. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the … more

RSAC Fireside Chat: ‘Protective DNS’ directs smart audits, automated remediation to IP addresses

By Byron V. Acohido

Domain Name Service. DNS. It’s the phone directory of the Internet.

Related: DNS — the good, bad and ugly

Without DNS the World Wide Web never would never have advanced as far and wide as it has.

However, due to its intrinsic openness and anonymity DNS has also become engrained as the primary communications mechanism used by cyber criminals and cyber warfare combatants.

If that sounds like a potential choke point that could be leveraged against the bad actors – it is. And this is where a fledgling best practice —  referred to as “protective DNS” – comes into play.

What has happened is this: leading security vendors have begun applying leading-edge data analytics and automated remediation routines to the task of flagging DNS traffic that’s clearly malicious.

Guest expert: David Ratner, CEO, HYAS

One sure sign that protective DNS has gained meaningful traction is that Uncle Sam has begun championing it. Last fall the U.S. Cybersecurity & Infrastructure Security Agency (CISA) began making a protective DNS resolver availabile to federal agencies.

With RSA Conference 2023 taking place at San Francisco’s Moscone Center next week, I had the chance to visit with David Ratner, CEO of Vancouver, Canada-based HYAS, security company whose focus is on delivering protective DNS services. Ratner explains what protective DNS is all about, and why its widespread adaption will make the Internet much safer.

For a full drill down, give the accompanying podcast a listen. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

RSAC Fireside Chat: Extending ‘shift left’ to achieve SSCS — ‘software supply chain security’

By Byron V. Acohido

One of the nascent security disciplines already getting a lot of buzz as RSA Conference 2023 gets ready to open next week at San Francisco’s Moscone Center is “software supply chain security,” or SSCS.

Related: How SBOMs instill accountability

Interestingly, you could make the argument that SSCS runs counter-intuitive to the much-discussed “shift left” movement. I think it’s fair to say, at the very least, SSCS extends shift left a bit more to the right.

Shift left advocates driving code testing and application performance evaluations as early as possible in the software development process.

By contrast, SSCS vendors are innovating ways to direct automated inspections much later in DevOps, as late as possible before the new software application is deployed in live service.

Guest expert: Matt Rose, Field CISO, ReversingLabs

I had the chance to visit with Matt Rose, Field CISO at ReversingLabs, which is in the thick of the SSCS movement. We discussed why reducing exposures and vulnerabilities during early in the coding process is no longer enough.

“True software supply chain security is about looking at the application in a holistic way just prior to deployment,” Rose observes. “Most software supply chain issues are novel, so looking for problems too early, before the code is compiled, won’t tell you much.”

Like everyone else, SSCS solution vendors are leveraging machine learning and automation – to focus quality checks and timely remediation in very specific lanes: on open-source components, microservices containers and compiled code, for instance. For a drilll down please give a listen to the accompanying podcast.

I’m looking forward to attending RSAC in person, after a couple of years of remote participation. No doubt there’ll be some thoughtful discussion about how best to protecting software in our software defined world.

I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make … more

GUEST ESSAY: Cyber hygiene need not be dreary — why engaging training is much more effective

By Lise Lapointe

Instilling a culture of cyber security at your organization requires your people to maintain a high level of knowledge and awareness about cyber security risks—and that takes an effective, impactful, and ongoing security awareness program.

Related: Deploying employees as human sensors

However, a security awareness program is only as good as its content. To ensure that your end users retain core concepts and knowledge, it’s important to contextualize topics and keep your people engaged during the entire training process.

Additionally, to hold their interest, the content must be fun.These results are achieved in a few different ways. Let’s take a closer look.

Make it engaging!

First and foremost, your security awareness program’s content must be engaging. Break up lessons into bite-size morsels, and carefully divide them by topics. Keep the interface simple, and include an interactive component, such as a short quiz, in each lesson.

Also, tailor content to the user’s specific role within the organization. You might show someone in a manager role, for example,

GUEST ESSAY: AntiguaRecon – A call to train and promote the next generation of cyber warriors

By Adam Dennis

Imagine being a young person who wants a career, of whatever type you can find, as a cybersecurity professional.

Related: Up-skilling workers to boost security

Although you were born with an agile and analytical mind, you have very limited financial resources and few, if any, connections that can open doors to your future ambitions.

If you were born in a country such as the US, Canada or the UK, you might have a wider range of options despite your financial limitations.  But if you are born in Antigua, which is a small Caribbean island way out in the Atlantic, your options can be quite limiting.  Even if you managed to get a range of certifications which show that you have some skills, finding a job in your field is extremely unlikely because the market is so small and undeveloped.

High concept

Now enter AntiguaRecon which was created to teach a group of young Antiguans cybersecurity skills so that it could offer cybersecurity services around the region and in the US, Canada, and elsewhere.  It is not enough to just educate the students.  Our proof of concept will come when we get them jobs too.

The founder, Adam Dennis (that’s me!), has experience running training organizations directed at young people AND a lot of experience running startups.  In the late 1990s (yes, that long ago), I created a youth training program called YouthLink that worked with at-risk youth in Washington, DC. The program operated for five years and was covered by the Washington Post and a number of other news outlets.  Over my career, I have created three non-profits and two SaaS for profits, one of which I sold in 2005.

FIRESIDE CHAT: U.S. banking regulators call out APIs as embodying an attack surface full of risk

By Byron V. Acohido

APIs have been a linchpin as far as accelerating digital transformation — but they’ve also exponentially expanded the attack surface of modern business networks.

Related: Why ‘attack surface management’ has become crucial

The resultant benefits-vs-risks gap has not surprisingly attracted the full attention of cyber criminals who now routinely leverage API weaknesses in all phases of sophisticated, multi-stage network attacks.

The collateral damage has escalated to the point where federal regulators have been compelled to step in.

Last October the FFIEC explicitly called out APIs as an attack surface that must, henceforth, comply with a new set of API management practices.

Guest expert: Richard Bird, Chief Security Officer, Traceable

I had the chance to visit with Richard Bird, Chief Security Officer at Traceable.ai, which supplies security systems designed  to protect APIs from the next generation of attacks.

We discussed, in some detail, just how far the new rules go in requiring best practices for accessing and authenticating APIs. Bird also enlightened me about how and why this is just a first step in comprehensively mitigating API exposures. For a full drill down, please give the accompanying podcast a listen.

There’s little doubt that the new FFIEC rules will materially raise the bar for API security. In the short run companies subject to federal financial institution jurisdiction will have to hustle to get their API act together; and in the long run other companies in other verticals should follow suit.

I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

SHARED INTEL Q&A: Bi-partisan report calls for a self-sacrificing approach to cybersecurity

By Byron V. Acohido

A new report from the Bipartisan Policy Center (BPC) lays out — in stark terms – the prominent cybersecurity risks of the moment.

Related: Pres. Biden’s impact on cybersecurity.

The BPC’s Top Risks in Cybersecurity 2023 analysis calls out eight “top macro risks” that frame what’s wrong and what’s at stake in the cyber realm. BPC is a Washington, DC-based think tank that aims to revitalize bipartisanship in national politics.

This report has a dark tone, as well it should. It systematically catalogues the drivers behind cybersecurity risks that have steadily expanded in scope and scale each year for the past 20-plus years – with no end yet in sight.

Two things jumped out at me from these findings: there remains opportunities and motivators aplenty for threat actors to intensify their plundering; meanwhile, industry and political leaders seem at a loss to buy into what’s needed: a self-sacrificing, collaborative, approach to systematically mitigating a profoundly dynamic, potentially catastrophic threat.

Last Watchdog queried Tom Romanoff, BPC’s technology project director about this analysis.  Here’s the exchange, edited for clarity and length:

GUEST ESSAY: Could CISOs be on the verge of disproving the ‘security-as-a-cost-center’ fallacy?

By Jess Burn

This year has kicked off with a string of high-profile layoffs — particularly in high tech — prompting organizations across all sectors to both consider costs and plan for yet another uncertain 12 or more months.

Related: Attack surface management takes center stage.

So how will this affect chief information security officers (CISOs) and security programs? Given the perennial skills and staffing shortage in security, it’s unlikely that CISOs will be asked to make deep budget or staffing cuts, yet they may not come out of this period unscathed.

Whether the long anticipated economic downturn of 2023 is a temporary dip lasting a couple quarters or a prolonged period of austerity, CISOs need to demonstrate that they’re operating as cautious financial stewards of capital, a role they use to inform their choices regardless of the reality — or theater — of a recession.

This is also a time for CISOs to strengthen influence, generate goodwill, and dispel the perception of security as cost center by relieving downturn-induced burdens placed on customers, partners, peers, and affected teams.

AUTHOR Q&A: China’s spy balloons reflect a cyber warfare strategy America must counter

By Byron V. Acohido

The attack surface of company networks is as expansive and porous as ever.

Related: Preparing for ‘quantum’ hacks

That being so, a new book, Fixing American Cybersecurity, could be a long overdue stake in the ground.

This is a well-reasoned treatise collaboratively assembled by board members of the Internet Security Alliance (ISA.) Laid out in two parts, Fixing American Cybersecurity dissects the drivers that got us here and spells out explicitly what’s at stake. It also advocates a smarter, more concerted public-private partnership as the core solution.

Part one of the book catalogues how cyber criminals and US adversaries have taken full advantage of systemic flaws in how we’ve come to defend business and government networks. Part two is comprised of essays by  CISOs from leading enterprises outlining what needs to get done.

I had the chance to query Larry Clinton, ISA’s president and CEO, about the main themes laid out in Fixing American Cybersecurity. ISA is a multi-sector trade group focused on policy advocacy and developing best practices for cybersecurity.

We discussed this book’s core theme: a fresh set of inspired public-private strategies absolutely must arise and gain full traction, going forward, or America’s strategic standing will never get healed.

SHARED INTEL: The common thread between China’s spy balloons and Congress banning Tik Tok

By Dan Meyer and Lachlan McKinion

The decision by the House of Representatives to ban  TikTok  from federal devices is noteworthy, especially as the Chinese spy balloon crisis unfolds.

Related: The Golden Age of cyber espionage

On December 23, 2022, Congress, in a bipartisan spending bill, banned TikTok from all government devices. The White House, the Pentagon, the Department of Homeland Security, and the State Department have already banned the social media app, as have more than a dozen other states.

The Tik Tok decision combines national security, social media, and “China” in only one institution’s change of policy. It reflects the challenge that continued use of social media presents to those within the federal circle of trust.

The Chinese government, as well as other foreign powers, actively probe all aspects of American life for information useful in compromising the Republic’s national security interests. They are active not only in stealing the federal government’s data, but also doing the same in our private and public corporations.

NEW TECH: DigiCert unveils ‘Trust Lifecyle Manager’ to centralize control of digital certificates

By Byron V. Acohido

To get network protection where it needs to be, legacy cybersecurity vendors have begun reconstituting traditional security toolsets.

The overarching goal is to try to derive a superset of very dynamic, much more tightly integrated security platforms that we’ll very much need, going forward.

Related: The rise of security platforms

This development has gained quite a bit of steam over the past couple of years with established vendors of vulnerability management (VM,) endpoint detection and response (EDR,) and identity and access management (IAM) solutions in the vanguard.

And this trend is accelerating as 2023 gets underway. DigiCert’s launch today of Trust Lifecycle Manager, is a case in point. I had the chance to get briefed about this all-new platform, which provides a means for companies to comprehensively manage their Public Key Infrastructure (PKI) implementations along with the associated digital certificates.

I visited with Brian Trzupek, DigiCert’s senior vice president of product. As a leader of digital trust, DigiCert is best known as a Certificate Authority (CA) and a supplier of services to manage PKI. We drilled down on why getting a much better handle on PKI has become vital in a massively interconnected operating environment. DigiCert’s new solution is designed to “unify PKI services, public trust issuance and CA-agnostic certificate lifecycle management,” he told me.

Here are the main takeaways from our discussion:

NEW TECH: How I started a company to supply democratized pentests to immunize websites

By Eden Zaraf

My name is Eden Zaraf. I’ve been driven by my passion for technology for as long as I can remember. Somewhere around the age of 13, I learned to code. I developed scripts, websites and got involved in security which led me to penetration testing.

Related: Leveraging employees as detectors

Penetration Testing is a never-ending challenge. Five years ago, my friend Sahar Avitan, who is the co-founder and CEO of Kayran, began developing an automatic penetration testing tool for our own use.

A year and a half ago, we decided to turn it into a commercial platform. I was sitting in a classroom when I had this Eureka moment. I realized that our technology could actually help people. I decided to meet with my neighbor, Arik Assayag. I said to myself, if he thinks we can market it, let’s go for it. He did and, together with Sahar and I, co-founded  Kayran.

We supply an advanced web application scanner that’s unique in the world of web penetration testing.

GUEST ESSAY: How preserving trust — in a tumultuous 2023 to come — can lead to success

By Enza Iannopollo

The 2020s are already tumultuous.

Related: The Holy Grail of ‘digital resiliency’

Individuals are experiencing everything from extraordinary political and social upheaval to war on the European continent to the reemergence of infectious diseases to extreme weather events.

Against this unsettling backdrop, citizens, consumers, employees, and partners will look to organizations that they trust for stability and positive long-term relationships.

Not every organization knows how to cultivate trust, however, or that it’s even possible to accomplish. As a result, in 2023, specific industries that normally experience healthy levels of trust will see major declines in trust that will take years to repair. Others will buck historical trends just to simply maintain their current trust levels.

Organizations should take into account the following predictions as they plot out the next steps of their trust journey in the year ahead:

•Trust in consumer technology will decline by 15 percent.

Over the past three years, technology has proven critical to consumers’ daily lives — from remote working and home-schooling to entertainment and e-commerce.

MY TAKE: Poll shows consumers won’t patronize companies that fail to assure ‘digital trust’

By Byron V. Acohido

It’s all too easy to take for granted the amazing digital services we have at our fingertips today.

Related: Will Matter 1.0 ignite the ‘Internet of Everything’

Yet, as 2022 ends, trust in digital services is a tenuous thing. A recent survey highlights the fact that company leaders now understand that digital trust isn’t nearly what it needs to be. And the same poll also affirms that consumers will avoid patronizing companies they perceive as lacking digital trust.

DigiCert’s 2022 State of Digital Trust Survey polled 1,000 IT professional and 400 consumers and found that lack of digital trust can drive away customers and materially impact a company’s bottom line

“It’s clear that digital trust is required for organizations to instill confidence in their customers, employees and partners,” Avesta Hojjati, DigiCert’s vice president of Research and Development, told me. “Digital trust is the foundation for securing our connected world.”

I recently had the chance to visit with Hojjati. We conversed about why digital trust has become an important component of bringing the next iteration of spectacular Internet services to full fruition. And we touched on what needs to happen to raise the bar of digital trust. Here are a few key takeaways from our evocative discussion:

MY TAKE: The role of semiconductors in bringing the ‘Internet of Everything’ into full fruition

By Byron V. Acohido

The Internet of Everything (IoE) is on the near horizon.

Related: Raising the bar for smart homes

Our reliance on artificially intelligent software is deepening, signaling an era, just ahead, of great leaps forward for humankind.

We would not be at this juncture without corresponding advances on the hardware side of the house. For instance, very visibly over the past decade, Internet of Things (IoT) computing devices and sensors have become embedded everywhere.

Not as noticeably, but perhaps even more crucially, big advances have been made in semiconductors, the chips that route electrical current in everything from our phones and laptops to automobile components and industrial plant controls.

I recently visited with Thomas Rosteck, Division President of Connected Secure Systems (CSS) at Infineon Technologies, a global semiconductor manufacturer based in Neubiberg, Germany. We discussed how the Internet of Things, to date, has been all about enabling humans to leverage smart devices for personal convenience.

“What has changed in just the past year is that things are now starting to talk to other things,” Rosteck observes. “Smart devices and IoT systems are beginning to interconnect with each other and this is only going to continue.”

FIRESIDE CHAT: Anchoring security on granular visibility, proactive management of all endpoints

By Byron V. Acohido

Endpoints are where all are the connectivity action is.

Related: Ransomware bombardments

And securing endpoints has once more become mission critical. This was the focal point of presentations at Tanium’s Converge 2022 conference which I had the privilege to attend last week at the Fairmont Austin in the Texas capital.

I had the chance to visit with Peter Constantine, Tanium’s Senior Vice President Product Management. We discussed how companies of all sizes and across all industries today rely on a dramatically scaled-up and increasingly interconnected digital ecosystem.

The attack surface of company networks has expanded exponentially, and fresh security gaps are popping up everywhere.

Guest expert: Peter Constantine, SVP Product Management, Tanium

One fundamental security tenant that must take wider hold is this: companies simply must attain and sustain granular visibility of all of their cyber assets. This is the only way to dial in security in the right measure, to the right assets and at the optimum time.

The technology and data analytics are readily available to accomplish this; and endpoints – specifically servers and user devices – represent a logical starting point.

“We have to make sure that we truly know what and where everything is and take a proactive approach to hardening security controls and reducing the attack surface,” Constantine observes. “And then there is also the need to be able to investigate and respond to the complexities that come up in this world.”

For a full drill down on Tanium’s approach to network security that incorporates granular visibility and real-time management of endpoints please give the accompanying podcast a listen.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.



MY TAKE: Can Matter 1.0 springboard us from truly smart homes to the Internet of Everything?

By Byron V. Acohido

Ever feel like your smart home has dyslexia?

Siri and Alexa are terrific at gaining intelligence with each additional voice command. And yet what these virtual assistants are starkly missing is interoperability.

Related: Why standards are so vital

Matter 1.0 is about to change that. This new home automation connectivity standard rolls out this holiday season with sky high expectations. The technology industry hopes that Matter arises as the  lingua franca for the Internet of Things.

Matter certified smart home devices will respond reliably and securely to commands from Amazon AlexaGoogle Assistant,  Apple HomeKit or Samsung SmartThings. Think of it: consumers will be able to control any Matter appliance with any iOS or Android device.

That’s just to start. Backed by a who’s who list of tech giants, Matter is designed to take us far beyond the confines of our smart dwellings. It could be the key that securely interconnects IoT systems at a much deeper level, which, in turn, would pave the way to much higher tiers of digital innovation.

I had the chance to sit down, once more, with Mike Nelson, DigiCert’s vice president of IoT security, to discuss the wider significance of this milestone standard.

FIRESIDE CHAT: Timely employee training, targeted testing needed to quell non-stop phishing

By Byron V. Acohido

Humans are rather easily duped. And this is the fundamental reason phishing persists as a predominant cybercriminal activity.

Related: How MSSPs help secure business networks

Tricking someone into clicking to a faked landing page and typing in their personal information has become an ingrained pitfall of digital commerce.

The deleterious impact on large enterprises and small businesses alike has been – and continues to be — profound. A recent survey of 250 IT and security professionals conducted by Osterman Research for Ironscales bears this out.

The poll found that security teams are spending one-third of their time handling phishing threats every week. The battle has sprawled out beyond email; phishing ruses are increasingly getting seeded via messaging apps, cloud-based file sharing platforms and text messaging services.

Guest expert: Ian Thomas, VP of Product Marketing, Ironscales

Some 80 percent of organizations reported that phishing attacks have  worsened or remained the same over the past 12 months, with detection avoidance mechanisms getting ever more sophisticated.

I had the chance to visit with Ian Thomas, vice president of product marketing at  Ironscales, an Atlanta-based email security company.

We discussed advances in cybersecurity training that combine timely content and targeted training to combat the latest phishing campaigns. For a full drill down, please give the accompanying podcast a listen.

Timely, effective security training of all employees clearly must continue to be part of the regimen of defending modern business networks, even more so as cloud migration accelerates. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


SHARED INTEL: A breakout of how Google, Facebook, Instagram enable third-party snooping

By Federico Morelli

More and more consumers are using apps every year. In fact, Google Play users downloaded 111.3 billion apps in 2021 alone, up more than 47 percent since 2018.

Related: Microsoft CEO calls for regulating facial recognition.

This increased demand for apps also raises the need for improved data protection measures, which Google took steps to address with the new data safety section they launched in July 2022.

This data safety section aims to help users understand how apps handle their data (especially when it comes to collection and sharing) and make more informed decisions about which apps to download.

To provide even further insight into the data safety and privacy practices of app developers, researchers at Incogni conducted a study of the top 500 paid and top 500 free Google Play Store apps. The results shed light on how much data apps really share, which apps pose the biggest risks to data privacy, and how transparent developers are about their practices.

Rampant ‘sharing’

The study revealed that more than half (55.2 percent) of the apps share user data with third parties.

FIRESIDE CHAT: Why ‘digital resiliency’ has arisen as the Holy Grail of IT infrastructure

By Byron V. Acohido

Digital resiliency has arisen as something of a Holy Grail in the current environment.

Related: The big lesson of Log4j

Enterprises are racing to push their digital services out to the far edge of a highly interconnected, cloud-centric operating environment. This has triggered a seismic transition of company networks, one that has put IT teams and security teams under enormous pressure.

It’s at the digital edge where all the innovation is happening – and that’s also where threat actors are taking full advantage of a rapidly expanding attack surface. In this milieu, IT teams and security teams must somehow strike a balance between dialing in a necessary level of security — without unduly hindering agility.

Digital resiliency – in terms of business continuity, and especially when it comes to data security — has become a must have. I had the chance to visit with Paul Nicholson, senior director of product at A10 Networks, a San Jose, Calif.-based supplier of security, cloud and application services.

Guest expert: Paul Nicholson, Senior Director of Product, A10 Networks

We discussed how and why true digital resiliency, at the moment, eludes the vast majority of organizations. That said, advanced security tools and new best practices are gaining traction.

There is every reason to anticipate that emerging security tools and practices will help organizations achieve digital resiliency in terms of supporting work-from-home scenarios, protecting their supply chains and mitigating attack surface expansion. As part of this dynamic, Zero Trust protocols appear to be rapidly taking shape as something of a linchpin.

“When you say Zero Trust, people’s ears perk up and they understand that you’re basically talking about making sure only the right people can get to the digital assets which are required,” Nicholson told me.

For more context on these encouraging developments, please give the accompanying podcast a listen. Meanwhile, I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is … more

SHARED INTEL: The cybersecurity sea change coming with the implementation of ‘CMMC’

By Byron V. Acohido

Finally, Uncle Sam is compelling companies to take cybersecurity seriously.

Related: How the Middle East paved the way to CMMC

Cybersecurity Maturity Model Certification version 2.0 could  take effect as early as May 2023 mandating detailed audits of the cybersecurity practices of any company that hopes to do business with the Department of Defense.

Make no mistake, CMMC 2.0, which has been under development since 2017, represents a sea change. The DoD is going to require contractors up and down its supply chain to meet the cybersecurity best practices called out in the National Institute of Standards and Technology’s SP 800-171 framework.

I sat down with Elizabeth Jimenez, executive director of market development at NeoSystems, a Washington D.C.-based supplier of back-office management services, to discuss the prominent role managed security services providers (MSSPs) are sure to play as CMMC 2.0 rolls out. For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Black Hat Fireside Chat: Replacing VPNs with ZTNA that leverages WWII battlefield tactics

By Byron V. Acohido

The sunsetting of Virtual Private Networks is underway.

Related: VPNs as a DIY tool for consumers, small businesses

VPNs are on a fast track to becoming obsolete, at least when it comes to defending enterprise networks. VPNs are being replaced by zero trust network access, or ZTNA.

VPNs encrypt data streams and protect endpoints from unauthorized access, essentially by requiring all network communications to flow over a secured pipe. VPNs verify once and that’s it. This was an effective approach when on-premises data centers predominated.

By contrast, ZTNA never trusts and always verifies. A user gets continually vetted, per device and per software application — and behaviors get continually analyzed to sniff out suspicious patterns.

Guest expert: Rajiv Pimplaskar, CEO, Dispersive

This new approach is required — now that software-defined resources scattered across hybrid and public clouds have come to rule the day.

I had the chance at Black Hat 2022 to visit with Rajiv Pimplaskar, CEO at Dispersive,  an Alpharetta, GA-based supplier of advanced cloud obfuscation technology. We discussed how ZTNA has emerged as a key component of new network security frameworks, such as secure access service edge (SASE) and security service edge (SSE)

We also spoke about how Dispersive is leveraging spread spectrum technology, which has its roots in World War II submarine warfare, to more effectively secure modern business networks. For a full drill down on our forward-looking discussion, please give the accompanying podcast a listen.

Black Hat Fireside Chat: MSSPs are well-positioned to help companies achieve cyber resiliency

By Byron V. Acohido

Network security is in dire straits. Security teams must defend an expanding attack surface, skilled IT professionals are scarce and threat actors are having a field day.

Related: The role of attack surface management

That said, Managed Security Services Providers – MSSPs —  are in a position to gallop to the rescue.

MSSPs arrived on the scene 15 years ago to supply device security as a contracted service: antivirus, firewalls, email security and the like.

They’ve progressed to supplying EDR, SIEM, threat intel platforms and numerous other advanced network security services on an outsourced basis.

Guest expert: Chris Prewitt, CTO, Inversion6


Today, big IT services companies, as well as legacy cybersecurity vendors, are hustling to essentially give shape to the next-gen MSSP, if you will. The leading players are partnering and innovating to come up with the optimum portfolio of services.

I had the chance to visit at Black Hat 2022 with Christopher Prewitt, CTO at Inversion6, a Cleveland-based supplier of managed IT security services. We discussed how far MSSPs have come since the early 2000s, when the focus was on helping companies do check-the-box compliance. For a full drill down on our forward-looking discussion, please give the accompanying podcast a listen.

Going forward, MSSPs seemed destined to play a foundational role in enabling digital commerce. They could help enterprises and SMBs overcome the IT skills shortage, truly mitigate cyber risks and comply with audit requirements, to boot.

Black Hat insights: Getting bombarded by multiple ransomware attacks has become commonplace

By Byron V. Acohido

The top ransomware gangs have become so relentless that it’s not unusual for two or more of them to attack the same company within a few days – or even a few hours.

Related: How ‘IABs’ foster ransomware

And if an enterprise is under an active ransomware attack, or a series of attacks, that’s a pretty good indication several other gangs of hacking specialists came through earlier and paved the way.

In short, overlapping cyber attacks have become the norm. This grim outlook is shared in a new white paper from Sophos. The report paints a picture of ransomware gangs arriving on the scene typically after crypto miners, botnet builders, malware embedders and initial access brokers may have already profited from earlier intrusions.

I had the chance to discuss these findings last week at Black Hat USA 2022, with John Shier, senior security advisor at Sophos, a next-generation cybersecurity leader with a broad portfolio of managed services, software and hardware offerings. For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Common infection paths

Security teams face a daunting challenge. They must detect and remediate multiple cyber attacks by numerous, determined hacking groups, sometimes coming at them simultaneously and quite often seeking different objectives.

GUEST ESSAY: How to detect if a remote job applicant is legit — or a ‘Deepfake’ candidate

By Zac Amos

Technology provides opportunities to positively impact the world and improve lives.

Related: Why facial recognition ought to be regulated

It also delivers new ways to commit crimes and fraud. The U.S. Federal Bureau of Investigation (FBI) issued a public warning in June 2022 about a new kind of fraud involving remote work and deepfakes.

The making of Deepfakes

The world is on track to see around 50% of workers transition to sustained, full-time telecommuting. Conducting job interviews online is here to stay, and deepfakes may be part of that new normal.

The term refers to an image or video in which the subject’s likeness or voice was manipulated to make it look like they said or did something they didn’t.

The deepfake creator uses “synthetic media” applications powered by machine learning algorithms. The creator trains this algorithm on two sets of videos and images. One shows the target’s likeness as they move and speak in various environments. The second shows faces in different situations and lighting conditions. The application encodes these human responses as “low-dimensional representations” to be decoded into images and videos.

The result is a video of one individual convincingly overlaid with the face of another. The voice is more difficult to spoof.

FIRESIDE CHAT: ‘Attack surface management’ has become the centerpiece of cybersecurity

By Byron V. Acohido

Post Covid 19, attack surface management has become the focal point of defending company networks.

Related: The importance of ‘SaaS posture management’

As digital transformation continues to intensify, organizations are relying more and more on hosted cloud processing power and data storage, i.e. Platform as a Service (PaaS,) as well as business tools of every stripe, i.e. Software as a Service (SaaS.)

I had the chance to visit with Jess Burn, a Forrester senior analyst, about the cybersecurity ramifications.

Guest expert: Jess Burn, Senior Analyst, Forrester Research

We discussed how the challenge has become defending the cloud-edge perimeter. This entails embracing new security frameworks, like Zero Trust Network Access, as well as adopting new security tools and strategies.

This boils down to getting a comprehensive handle on all of the possible connections to sensitive cyber assets, proactively managing software vulnerabilities and detecting and responding to live attacks.

A new category of attack surface management tools and services is gaining traction and fast becoming a must-have capability. To learn more, please give the accompanying Last Watchdog Fireside Chat podcast a listen.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Q&A: Here’s why VPNs are likely to remain a valuable DIY security tool for consumers, SMBs

By Byron V. Acohido

It is astounding that billions of online accounts have been breached over the past 18 years and that US consumer accounts are by far the most compromised.

Related: VPNs vs ZTNA

Now comes hard metrics quantifying the scope of this phenomenon. It’s in findings of a deep dive data analytics study led by Surfshark, a supplier of VPN services aimed at the consumer and SMB markets.

Surfshark partnered with a number of independent cybersecurity researchers to quantify the scope and pattern of data breaches over the past couple of decades. For this study, a data breach was defined as an intruder copying or leaking user data such as names, surnames, email addresses, passwords, etc. Much of the hard evidence came from correlating breached databases sitting in the open Internet.

Data scientists sorted through 27,000 leaked databases and created 5 billion combinations of data. Researchers could then sort those combinations based on specific data points, such as countries, and perform a statistical analysis of their findings.

The data analytics show:

•A total 2.3 billion U.S. accounts have been breached so far. The scale is so massive that it makes up 15 percent of all breached users globally since 2004 (the year data breaches became widespread)

•More than two thirds of American accounts are leaked with the password, putting breached users in danger of account takeover.

FIRESIDE CHAT: New ‘SASE’ weapon chokes off ransomware before attack spreads laterally

By Byron V. Acohido

It’s stunning that the ransomware plague persists.

Related: ‘SASE’ blends connectivity and security

Verizon’s Data Breach Incident Report shows a 13 percent spike in 2021, a jump greater than the past  years combined; Sophos’ State of Ransomware survey shows victims routinely paying $1 million ransoms.

In response, Cato Networks today introduced network-based ransomware protection for the Cato SASE Cloud. This is an example of an advanced security capability meeting an urgent need – and it’s also more evidence that enterprises must inevitably transition to a new network security paradigm.

Guest expert: Etay Maor, Senior Director of Security Strategy, Cato Networks

I had the chance to visit with Etay Maor of Cato Networks. We discussed how Secure Access Services Edge – SASE – embodies this new paradigm. In essence, SASE moves the security stack from the on-premises perimeter far out to the edge, just before the cloud.

This gives security teams comprehensive visibility of all network activity, in real time, which makes many high-level security capabilities possible. For a full drill down on my conversation with Etay Maor, please give the accompanying podcast a listen.

Network security developments are progressing. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

RSAC insights: ‘CAASM’ tools and practices get into the nitty gritty of closing network security gaps

By Byron V. Acohido

Reducing the attack surface of a company’s network should, by now, be a top priority for all organizations.

Related: Why security teams ought to embrace complexity

As RSA Conference 2022 convenes this week (June 6 -9) in San Francisco, advanced systems to help companies comprehensively inventory their cyber assets for enhanced visibility to improve asset and cloud configurations and close security gaps will be in the spotlight.

As always, the devil is in the details. Connecting the dots and getting everyone on the same page remain daunting challenges. I visited with Erkang Zheng, founder and CEO of JupiterOne, to discuss how an emerging discipline — referred to as “cyber asset attack surface management,” or CAASM – can help with this heavy lifting.

Based in Morrisville, NC, JupiterOne launched in 2020 and last week announced that it has achieved a $1 billion valuation, with a $70 million Series C funding round.

For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

MY TAKE: Log4j’s big lesson – legacy tools, new tech are both needed to secure modern networks

By Byron V. Acohido

Log4j is the latest, greatest vulnerability to demonstrate just how tenuous the security of modern networks has become.

Related: The exposures created by API profileration

Log4j, aka Log4Shell, blasted a surgical light on the multiplying tiers of attack vectors arising from enterprises’ deepening reliance on open-source software.

This is all part of corporations plunging into the near future: migration to cloud-based IT infrastructure is in high gear, complexity is mushrooming and fear of falling behind is keeping the competitive heat on. In this heady environment, open-source networking components like Log4j spell opportunity for threat actors. It’s notable that open-source software vulnerabilities comprise just one of several paths ripe for malicious manipulation.

By no means has the cybersecurity community been blind to the complex security challenges spinning out of digital transformation. A methodical drive has been underway for at least the past decade to affect a transition to a new network security paradigm – one less rooted in the past and better suited for what’s coming next.

Log4j bathes light on a couple of solidifying developments. It reinforces the notion that a new portfolio of cloud-centric security frameworks must take hold, the sooner the better. What’s more, it will likely take a blend of legacy security technologies – in advanced iterations – combined with a new class of smart security tools to cut through the complexities of defending contemporary business networks.

GUEST ESSAY: Embracing ‘Zero Trust’ can help cloud-native organizations operate securely

By Jawahar Sivasankaran

Some 96 percent of organizations — according to the recently released 2021 Cloud Native Survey — are either using or evaluating Kubernetes in their production environment, demonstrating that enthusiasm for cloud native technologies has, in the words of the report’s authors, “crossed the adoption chasm.”

Related: The targeting of supply-chain security holes

It’s easy to understand why a cloud-native approach elicits such fervor. By using flexible, modular container technologies such as Kubernetes and microservices, development teams are better equipped to streamline and accelerate the application lifecycle, which in turn enables the business to deliver on their ambitious digital transformation initiatives.

However, despite cloud-native’s promise to deliver greater speed and agility, a variety of legitimate security concerns have kept IT leaders from pushing the throttle on their cloud-native agenda.

According to the most recent State of Kubernetes Security report, more than half (55 percent) of respondents reported that they have delayed deploying Kubernetes applications into production due to security concerns (up 11 percent from the year prior) while 94 percent admitted to experiencing a security incident in their Kubernetes or container environment in the past year.

It’s clear that until we can deliver security at the same velocity in which containers are being built and deployed that many of our cloud-native aspirations will remain unfulfilled.

Cloud-native requirements

Traditionally, developers didn’t think much about application security until after deployment. However, as DevOps and modern development practices such as Continuous Integration and Continuous Delivery (CI/CD) have become the norm, we’ve come to appreciate that bolting security on after the fact can be a recipe for future application vulnerabilities.

Security must be ‘baked in’ rather than ‘brushed on’—and this current ethos has given rise to the DevSecOps movement where security plays a leading role in the DevOps process. However, it’s not enough to simply shoehorn these practices into the dynamic cloud-native development lifecycle.

SHARED INTEL: Can Apple’s pricey ‘Business Essentials’ truly help SMBs secure their endpoints?

By Apu Pavithran

Today’s operating system battleground has long been defined by the warfare between the top three players—Microsoft’s Windows, Google’s Android, and Apple’s iOS.

Related: Adroid vs. iOS – battle of the OS giants

While each of them has its distinguishing features, Apple’s privacy and security are what makes it the typical enterprise’s pick. Tim Cook, CEO of Apple, could be heard stating in the virtual Computers, Privacy, and Data Protection Conference, “Privacy is one of the top issues of the century and it should be weighed as equal as climate change.”

In June 2020, Apple’s intention of expanding in the enterprise space was made evident by the acquisition of Fleetsmith, a Mobile Device Management (MDM) solution for Apple devices. What would unfold next with Fleetsmith on their team was the most anticipated question.

In effect, Apple launched Apple Business Essentials (ABE). Let’s take a look at whether ABE will suffice enterprises’ demands.

Apple eyes SMBs

In recent years, we have seen diverse initiatives, including the Apple Business Manager (ABM) app launched in spring 2018 and Apple Business Essentials (ABE) in 2021, clearly showing Apple’s desire to conquer the enterprise market.

MY TAKE: What if Big Data and AI could be intensively focused on health and wellbeing?

By Byron V. Acohido

Might it be possible to direct cool digital services at holistically improving the wellbeing of each citizen of planet Earth?

Related: Pursuing a biological digital twin

A movement aspiring to do just that is underway — and it’s not being led by a covey of tech-savvy Tibetan monks. This push is coming from the corporate sector.

Last August, NTT, the Tokyo-based technology giant, unveiled its Health and Wellbeing initiative – an ambitious effort to guide corporate, political and community leaders onto a more enlightened path. NTT, in short, has set out to usher in a new era of human wellness.

Towards this end it has begun sharing videos, whitepapers and reports designed to rally decision makers from all quarters to a common cause. The blue-sky mission is to bring modern data mining and machine learning technologies to bear delivering personalized services that ameliorate not just physical ailments, but also mental and even emotional ones.

That’s a sizable fish to fry. I had a lively discussion with Craig Hinkley, CEO of NTT Application Security, about the thinking behind this crusade. I came away encouraged that some smart folks are striving to pull us in a well-considered direction. For a full drill down, please give the accompanying podcast a listen. Here are a few key takeaways:

A new starting point

Modern medicine has advanced leaps and bounds in my lifetime when it comes to diagnosing and treating severe illnesses. Even so, for a variety of reasons, healthcare sectors in the U.S. and other jurisdictions have abjectly failed over the past 20 years leveraging Big Data to innovate personalized healthcare services.

GUEST ESSAY: 5 tips for ‘de-risking’ work scenarios that require accessing personal data

By Alexey Kessenikh

Working with personal data in today’s cyber threat landscape is inherently risky.

Related: The dangers of normalizing encryption for government use

It’s possible to de-risk work scenarios involving personal data by carrying out a classic risk assessment of an organization’s internal and external infrastructure. This can include:

Security contours. Setting up security contours for certain types of personal data can be useful for:

•Nullifying threats and risks applicable to general infrastructural components and their environment.

•Planning required processes and security components when initially building your architecture.

•Helping ensure data privacy.

Unique IDs. It is also possible to obfuscate personal data by replacing it with unique identifiers (UID). This de-risks personal data that does not fit in a separate security contour.

Implementing a UID system can reduce risk when accessing personal data for use in analytical reports, statistical analysis, or for client support.

SHARED INTEL: Log4j vulnerability presents a gaping attack vector companies must heed in 2022

By Byron V. Acohido

As we close out 2021, a gargantuan open-source vulnerability has reared its ugly head.

Related: The case for ‘SBOM’

This flaw in the Apache Log4J logging library is already being aggressively probed and exploited by threat actors — and it is sure to become a major headache for security teams in 2022.

“This vulnerability is so dangerous because of its massive scale. Java is used on over 3 billion devices, and a large number of those use Log4j,” says Forrester cybersecurity analyst Allie Mellen, adding that crypto miners and botnet operators are already making hay.

“We can expect more devastating attacks, like ransomware, leveraging this vulnerability in the future,” Mellen adds. “This vulnerability will be used for months if not years to attack enterprises, which is why security teams must strike while the iron is hot.”

This Log4j vulnerability was disclosed to Apache on Nov. 24 by the Alibaba Cloud Security team. Then on Dec. 9, the vulnerability, formally designated CVE-2021-44228, was disclosed on Twitter; meanwhile a  proof-of-concept exploit got posted on GitHub.

This flaw in an open-source web server software used far and wide  puts open-source risks in the spotlight – yet again. Companies will have to deal with Log4J in much the same manner as they were compelled to react to the open source flaws Heartbleed and Shellshock in 2014.

ROUNDTABLE: Cybersecurity experts reflect on 2021, foresee intensifying challenges in 2022

By Byron V. Acohido

Privacy and cybersecurity challenges and controversies reverberated through all aspect of business, government and culture in the year coming to a close.

Related: Thumbs up for Biden’s cybersecurity exec order

Last Watchdog sought commentary from technology thought leaders about lessons learned in 2021– and guidance heading into 2022. More than two dozen experts participated. Here the first of two articles highlighting what they had to say. Comments edited for clarity and length. The second roundtable column will be published on Dec. 27th.

Paul Ayers, CEO, Noetic Cyber

In 2021, large supply chain attacks successfully exploited critical vulnerabilities.  Patching is hard and prioritization is key. By mapping cyber relationships to business context, security teams can focus on a smaller number of critical assets and vulnerabilities.

The cyber industry swings back and forth between prevention and response. A renewed focus on preventative approaches, like security posture management, cyber hygiene and cyber asset management shows organizations are trying to anticipate these problems. Forward thinking security teams working to unlock siloed telemetry and generate a wider cybersecurity view of the organization.

Dr. Darren Williams, CEO, BlackFog

We’re seeing ransomware gangs morph into savvy businesses, with one going so far as to create a fake company to recruit talent. In 2022, we’ll see this trend continue to pick up steam, with greater coordination between gangs, double extortion evolving to triple extortion, and short selling schemes skyrocketing.

Additionally, we will see a shift in threat actors coming from Southeast Asia and Africa. As cyber criminals look to find cheaper labor and technical expertise, we’ll see activity pick up in these regions in 2022 and beyond.

SHARED INTEL: Here’s why it has become so vital to prioritize the security-proofing of APIs

By Byron V. Acohido

Application Programming Interface. APIs. Where would we be without them?

Related: Supply-chain exposures on the rise

APIs are the snippets of code that interconnect the underlying components of all the digital services we can’t seem to live without. Indeed, APIs have opened new horizons of cloud services, mobile computing and IoT infrastructure, with much more to come.

Yet, in bringing us here, APIs have also spawned a vast new tier of security holes. API vulnerabilities are ubiquitous and multiplying; they’re turning up everywhere. Yet, API security risks haven’t gotten the attention they deserve. It has become clear that API security needs to be prioritized as companies strive to mitigate modern-day cyber exposures.

Consider that as agile software development proliferates, fresh APIs get flung into service to build and update cool new apps. Since APIs are explicitly used to connect data and services between applications, each fresh batch of APIs and API updates are like a beacon to malicious actors.

Organizations don’t even know how many APIs they have, much less how those APIs are exposing sensitive data. Thus security-proofing APIs has become a huge challenge. APIs are like snowflakes: each one is unique. Therefore, every API vulnerability is necessarily unique. Attackers have taken to poking and prodding APIs to find inadvertent and overlooked flaws; even better yet, from a hacker’s point of view, many properly designed APIs are discovered to be easy to  manipulate — to gain access and to steal sensitive data.

Meanwhile, the best security tooling money can buy was never designed to deal with this phenomenon.

MY TAKE: lastwatchdog.com receives recognition as a Top 10 cybersecurity webzine in 2021

By Byron V. Acohido

Last Watchdog’s mission is to foster useful understanding about emerging cybersecurity and privacy exposures.

Related article: The road to a Pulitzer

While I no longer concern myself with seeking professional recognition for my work, it’s, of course, always terrific to receive peer validation that we’re steering a good course.

That’s why I’m thrilled to point out that Last Watchdog has been recognized, once again, as a trusted source of information on cybersecurity and privacy topics. The recognition comes from Cyber Security Hub, a website sponsored by IQPC Digital. We’ve been named one of the Top 10 cybersecurity webzines in 2021.

Here is their very gracious description of what Last Watchdog is all about:

“Founder, contributor and executive editor of the forward-thinking Last Watchdog webzine, Byron V. Acohido is a Pulitzer-winning journalist and web producer. Visit Last Watchdog to view videos, surf cyber news, gain informative analysis and read guest essays from leading lights in the cybersecurity community. Expect content that is always accurate and fair, with recent posts exploring the monitoring of complex modern networks, telecom data breaches that expose vast numbers of mobile users, efforts to make software products safer and ransomware attacks on global supply chains.”

MY TAKE: For better or worse, machine-to-machine code connections now form much of the castle wall

By Byron V. Acohido

Managing permissions is proving to be a huge security blind spot for many companies.

Related: President Biden’s cybersecurity order sets the stage

What’s happening is that businesses are scaling up their adoption of multi-cloud and hybrid-cloud infrastructures. And in doing so, they’re embracing agile software deployments, which requires authentication and access privileges to be dispensed, on the fly, for each human-to-machine and machine-to-machine coding connection.

This frenetic activity brings us cool new digital services, alright. But the flip side is that companies have conceded to a dramatic expansion of their cloud attack surface – and left it wide open to threat actors.

“The explosion in the number of human and non-human identities in the public cloud has become a security risk that businesses simply can’t ignore,” observes Eric Kedrosky, CISO at Sonrai Security.

I’ve had a couple of deep discussions with Kedrosky about this. Based in New York City, Sonrai is a leading innovator in a nascent security discipline, referred to as Cloud Infrastructure Entitlement Management (CIEM,)

MY TAKE: Can Project Wildland’s egalitarian platform make Google, Facebook obsolete?

By Byron V. Acohido

Most of the people I know professionally and personally don’t spend a lot of time contemplating the true price we pay for the amazing digital services we’ve all become addicted to.

Related: Blockchain’s role in the next industrial revolution

I’ll use myself as a prime example. My professional and social life revolve around free and inexpensive information feeds and digital tools supplied by Google, Microsoft, Amazon, LinkedIn, Facebook and Twitter.

I’m productive. Yet, I’m certainly not immune to the clutter and skewed perspectives these tech giants throw at me on an hourly basis — as they focus myopically on monetizing my digital footprints. I don’t know what I’d do without my tech tools, but I also have a foreboding sense that I spend way too much with them.

Technologically speaking, we are where we are because a handful of tech giants figured out how to collect, store and monetize user data in a singular fashion. Each operates a closed platform designed to voraciously gather, store and monetize user data.

SHARED INTEL: Reviving ‘observability’ as a means to deeply monitor complex modern networks

By Byron V. Acohido

An array of promising security trends is in motion.

New frameworks, like SASE, CWPP and CSPM, seek to weave security more robustly into the highly dynamic, intensely complex architecture of modern business networks.

Related: 5 Top SIEM myths

And a slew of new application security technologies designed specifically to infuse security deeply into specific software components – as new coding is being developed and even after it gets deployed and begins running in live use.

Now comes another security initiative worth noting. A broad push is underway to retool an old-school software monitoring technique, called observability, and bring it to bear on modern business networks. I had the chance to sit down with George Gerchow, chief security officer at Sumo Logic, to get into the weeds on this.

Based in Redwood City, Calif., Sumo Logic supplies advanced cloud monitoring services and is in the thick of this drive to adapt classic observability to the convoluted needs of company networks, today and going forward. For a drill down on this lively discussion, please give the accompanying podcast a listen. Here are the main takeaways:

ROUNDTABLE: Why T-Mobile’s latest huge data breach could fuel attacks directed at mobile devices

By Byron V. Acohido

TMobile has now issued a formal apology and offered free identity theft recovery services to nearly 48 million customers for whom the telecom giant failed to protect their sensitive personal information.

At the start of this week, word got out that hackers claimed to have seized personal data for as many as 100 million T-Mobile  patrons.

Related: Kaseya hack worsens supply chain risk

This stolen booty reportedly included social security numbers, phone numbers, names, home addresses, unique IMEI numbers, and driver’s license information.

Once more, a heavily protected enterprise network has been pillaged by data thieves. Last Watchdog convened a roundtable of cybersecurity experts to discuss the ramifications, which seem all too familiar. Here’s what they had to say, edited for clarity and length:

Allie Mellen, analyst, Forrester

According to the attackers, this was a configuration issue on an access point T-Mobile used for testing. The configuration issue made this access point publicly available on the Internet. This was not a sophisticated attack. T-Mobile left a gate left wide open for attackers – and attackers just had to find the gate.”

T-Mobile is offering two free years of identity protection for affected customers, but ultimately this is pushing the responsibility for the safety of the data onto the user. Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say, ‘This is the best we can do.’

Chris Clements, VP of Solutions Architecture, Cerberus Sentinel

Author Q&A: In modern cyberwarfare ‘information security’ is one in the same with ‘national security’

By Byron V. Acohido

What exactly constitutes cyberwarfare?

The answer is not easy to pin down. On one hand, one could argue that cyber criminals are waging an increasingly debilitating economic war on consumers and businesses in the form of account hijacking, fraud, and extortion. Meanwhile, nation-states — the superpowers and second-tier nations alike — are hotly pursuing strategic advantage by stealing intellectual property, hacking into industrial controls, and dispersing political propaganda at an unheard-of scale.

Related: Experts react to Biden’s cybersecurity executive order

Now comes a book by John Arquilla, titled Bitskrieg: The New Challenge of Cyberwarfare, that lays out who’s doing what, and why, in terms of malicious use of digital resources connected over the Internet. Arquilla is a distinguished professor of defense analysis at the United States Naval Postgraduate School. He coined the term ‘cyberwar,’ along with David Ronfeldt, over 20 years ago and is a leading expert on the threats posed by cyber technologies to national security.

Bitskrieg gives substance to, and connects the dots between, a couple of assertions that have become axiomatic:

•Military might no longer has primacy. It used to be the biggest, loudest weapons prevailed and prosperous nations waged military campaigns to achieve physically measurable gains. Today, tactical cyber strikes can come from a variety of operatives – and they may have mixed motives, only one of which happens to be helping a nation-state achieve a geo-political objective.

•Information is weaponizable. This is truer today than ever before. Arquilla references nuanced milestones from World War II to make this point – and get you thinking. For instance, he points out how John Steinbeck used a work of fiction to help stir the resistance movement across Europe.

Steinbeck’s imaginative novel, The Moon is Down, evocatively portrayed how ordinary Norwegians took extraordinary measures to disrupt Nazi occupation. This reference got me thinking about how Donald Trump used social media to stir the Jan. 6 insurrection in … more

Black Hat insights: How to shift security-by-design to the right, instead of left, with SBOM, deep audits

By Byron V. Acohido

There is a well-established business practice referred to as bill of materials, or BOM, that is a big reason why we can trust that a can of soup isn’t toxic or that the jetliner we’re about to board won’t fail catastrophically

Related: Experts react to Biden cybersecurity executive order

A bill of materials is a complete list of the components used to manufacture a product. The software industry has something called SBOM: software bill of materials. However, SBOMs are rudimentary when compared to the BOMs associated with manufacturing just about everything else we expect to be safe and secure: food, buildings, medical equipment, medicines and transportation vehicles.

An effort to bring SBOMs up to par is gaining steam and getting a lot of attention at Black Hat USA 2021 this week in Las Vegas. President Biden’s cybersecurity executive order, issued in May, includes a detailed SBOM requirement for all software delivered to the federal government.

ReversingLabs, a Cambridge, MA-based software vendor that helps companies conduct deep analysis of new apps just before they go out the door, is in the thick of this development. I had the chance to visit with its co-founder and chief software architect Tomislav Pericin. For a full drill down on our discussion please give the accompanying podcast a listen. Here are the big takeaways:

Gordian Knot challenge

The software industry is fully cognizant of the core value of a bill of materials and has been striving for a number of years to adapt it to software development.

FIRESIDE CHAT: All-powerful developers begin steering to the promise land of automated security

By Byron V. Acohido

Software developers have become the masters of the digital universe.

Related: GraphQL APIs pose new risks

Companies in the throes of digital transformation are in hot pursuit of agile software and this has elevated developers to the top of the food chain in computing.

There is an argument to be made that agility-minded developers, in fact, are in a terrific position to champion the rearchitecting of Enterprise security that’s sure to play out over the next few years — much more so than methodical, status-quo-minded security engineers.

With Black Hat USA 2021 reconvening in Las Vegas this week, I had a deep discussion about this with Himanshu Dwivedi, founder and chief executive officer, and Doug Dooley, chief operating officer, of Data Theorem, a Palo Alto, CA-based supplier of a SaaS security platform to help companies secure their APIs and modern applications.

For a full drill down on this evocative conversation discussion please view the accompanying video. Here are the highlights, edited for clarity and length:

LW:  Bad actors today are seeking out APIs that they can manipulate, and then they follow the data flow to a weakly protected asset. Can you frame how we got here?

Dwivedi: So 20 years ago, as a hacker, I’d go see where a company registered its IP. I’d do an ARIN Whois look-up. I’d profile their network and build an attack tree. Fast forward 20 years and everything is in the cloud. Everything is in Amazon Web Services, Google Cloud Platform or Microsoft Azure and I can’t tell where anything is hosted based solely on IP registration.

So as a hacker today, I’m no longer looking for a cross-site scripting issue of some website since I can only attack one person at a time with that. I’m looking at the client, which could be an IoT device, or a mobile app or a single page web app (SPA) or it could be an … more

NEW TECH: How the emailing of verified company logos actually stands to fortify cybersecurity

By Byron V. Acohido

Google’s addition to Gmail of something called Verified Mark Certificates (VMCs) is a very big deal in the arcane world of online marketing.

Related: Dangers of weaponized email

This happened rather quietly as Google announced the official launch of VMCs in a blog post on July 12. Henceforth companies will be able to insert their trademarked logos in Gmail’s avatar slot; many marketers can’t wait to distribute email carrying certified logos to billions of inboxes. They view logoed email as an inexpensive way to boost brand awareness and customer engagement on a global scale.

However, there is a fascinating back story about how Google’s introduction of VMCs – to meet advertising and marketing imperatives — could ultimately foster a profound advance in email security. Over the long term, VMCs, and the underlying Brand Indicators for Message Identification (BIMI) standards, could very well give rise to a bulwark against email spoofing and phishing.

I had a chance to sit down with Dean Coclin, senior director of business development at DigiCert, to get into the weeds of this quirky, potentially profound, security development. DigiCert is a Lehi, Utah-based Certificate Authority (CA) and supplier of Public Key Infrastructure services.

Coclin and I worked through how a huge email security breakthrough could serendipitously arrive as a collateral benefit of VMCs. Here are the main takeaways from our discussion:

ROUNDTABLE: Kaseya hack exacerbates worrisome supply-chain, ransomware exposures

By Byron V. Acohido

It was bound to happen: a supply-chain compromise, ala SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devasting implications.

Related: The targeting of supply chains

Last Friday, July 2, in a matter of a few minutes,  a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs)  as their primary tool to remotely manage IT systems on behalf of SMBs.

REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs —  for payments of $45,000, payable in Minera. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.

Like SolarWinds and Colonial Pipeline, Miami-based software vendor, Kaseya, was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a  crisis recovery mode faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.

MY TAKE: Why monetizing data lakes will require applying ‘attribute-based’ access rules to encryption

By Byron V. Acohido

The amount of data in the world topped an astounding 59 zetabytes in 2020, much of it pooling in data lakes.

Related:  The importance of basic research

We’ve barely scratched the surface of applying artificial intelligence and advanced data analytics to the raw data collecting in these gargantuan cloud-storage structures erected by Amazon, Microsoft and Google. But it’s coming, in the form of driverless cars, climate-restoring infrastructure and next-gen healthcare technology.

In order to get there, one big technical hurdle must be surmounted. A new form of agile cryptography must get established in order to robustly preserve privacy and security as all this raw data gets put to commercial use.

I recently had the chance to discuss this with Kei Karasawa, vice president of strategy, and Fang Wu, consultant, at NTT Research, a Silicon Valley-based think tank which is in the thick of deriving the math formulas that will get us there.

They outlined why something called attribute-based encryption, or ABE, has emerged as the basis for a new form of agile cryptography that we will need in order to kick digital transformation into high gear.

For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Cloud exposures

Data lakes continue to swell because each second of every day, every human, on average, is creating 1.7 megabytes of fresh data. These are the rivulets feeding the data lakes.

A zettabyte equals one trillion gigabytes. Big data just keeps getting bigger. And we humans crunch as much of it as we can by applying machine learning and artificial intelligence to derive cool new digital services. But we’re going to need the help of quantum computers to get to the really amazing stuff, and that hardware is coming.

As we press ahead into our digital future, however, we’ll also need to retool the public-key-infrastructure. PKI is the authentication and encryption framework … more

GUEST ESSAY: ‘Cybersecurity specialist’ tops list of work-from-home IT jobs that need filling

By Scott Orr

Even before the COVID-19 pandemic turned many office workers into work-from-home (WFH) experts, the trend toward working without having to commute was clear.

Related: Mock attacks help SMBs harden defenses

As internet bandwidth has become more available, with homes having access to gigabit download speeds, a whole new world of career paths has opened for those who want to control their work hours and conditions. Maybe you want better pay, to be home near your kids or you just like the idea of avoiding the daily drive to an office. Whatever the reason, you can likely find work online.

One of the hottest fields right now on the WFH radar is the information technology (IT) sector. But you’ll first need to learn the specifics to get to work. Fortunately, there are online classes you can take to get that knowledge – and best of all, you can take them for free.  Let’s look at what’s available and how you might jumpstart a new career.

Most IT jobs require you to have some sort of experience before you can start charging enough to make them viable as full-time employment. And some are more like a side hustle or temp job.

Having said that, here are some examples of IT careers you can learn online through free courses:

Security specialist

The more we do online, the more criminals want to take advantage of us. That makes fighting cybercrime a definite growth industry. A wide range of companies, in just about every field, are adding computer security specialists. In fact, these jobs are expected to increase a whopping 31% by 2029. This job involves planning and implementing security measures for large and small companies that rely on computer networks. You will need to develop the ability to anticipate techniques used in future cyberattacks so they can be prevented.

MY TAKE: Apple users show strong support for Tim Cook’s privacy war against Mark Zuckerberger

By Byron V. Acohido

Like a couple of WWE arch rivals, Apple’s Tim Cook and Facebook’s Mark Zuckerberg have squared off against each other in a donnybrook over consumer privacy.

Cook initially body slammed Zuckerberg — when Apple issued new privacy policies aimed at giving U.S. consumers a smidgen more control over their personal data while online.

Related: Raising kids who care about their privacy

Zuckerberg then dropped kicked Cook by taking out full-page newspaper ads painting Apple’s social responsibility flexing as bad for business; he then hammered Cook with a pop-up ad campaign designed to undermine Apple’s new privacy policies.

But wait. Here’s Cook rising from the mat to bash Z-Man at the Brussels’ International Privacy Day, labeling his tormentor as an obsessive exploiter who ought to be stopped from so greedily exploiting consumers’ digital footprints for his personal gain.

This colorful chapter in the history of technology and society isn’t just breezing by unnoticed. A recent survey of some 2,000 U.S. iPhone and iPad users, conducted by SellCell.com, a phone and tech trade-in website, shows American consumers are tuned in and beginning to recognize what’s at stake.

Fully 72 percent of those polled by SellCell said they were aware of new privacy changes in recent Apple software updates, not just in a cursory manner, but with a high level of understanding; some 42 percent said they understood the privacy improvements extremely well or at least very well, while 21 percent said they understood them moderately well.

Another telling finding: some 65 percent of respondents indicated they were extremely or very concerned about websites and mobile apps that proactively track their online behaviors, while only 14 percent said they were not at all concerned.

GUEST ESSAY: Using generative AI to support — not replace — overworked cybersecurity pros

By Zac Amos

As the threat of cybercrime grows with each passing year, cybersecurity must begin utilizing artificial intelligence tools to better combat digital threats.

Related: Leveraging human sensors

Although AI has become a powerful weapon, there’s concern it might be too effective compared to human cybersecurity professionals — leading to layoffs and replacements.

However, the truth is that automated AI tools work best in the hands of cybersecurity professionals instead of replacing them. Rather than trying to use AI to get rid of your security team, seek to use automated tools in conjunction with your existing professionals to ensure the strongest cybersecurity defense.

Generative AI wild card

The newest breakthrough in artificial intelligence technology is machine learning and generative AI. Unlike traditional AI, machine learning can be taught to act on data sets and make accurate predictions instead of being limited to only analyzing.

Machine learning programs use highly complex algorithms to learn from data sets. In addition to analyzing data, they can use that data to observe patterns. Much like humans, they take what they have learned to “visualize” a model and take action based on it.

Author Q&A: Former privacy officer urges leaders to prioritize security as part of cloud migration

By Byron V. Acohido

Cyber threats have steadily intensified each year since I began writing about privacy and cybersecurity for USA TODAY in 2004.

Related: What China’s spy balloons portend

A stark reminder of this relentless malaise: the global cyber security market is on a steady path to swell to $376 billion by 2029 up from $ 156 billion in 2022, according to Fortune Business Insights.

Collectively, enterprises spend a king’s ransom many times over on cyber defense. Yet all too many companies and individual employees till lack a full appreciation of the significant risks they, and their organizations, face online. And as a result, many still do not practice essential cyber hygiene.

Perhaps someday in the not-too-distant future that may change. Our hope lies in leveraging machine learning and automation to create very smart and accurate security platforms that can impose resilient protection.

Until we get there – and it may be a decade away — the onus will remain squarely on each organization — and especially on individual employees —  to do the wise thing.

A good start would be to read Mobilizing the C-Suite: Waging War Against Cyberattacks, written by Frank Riccardi, a former privacy and compliance officer from the healthcare sector.