
For technologists


CyberArk shows how ‘shadow admins’ can be created in cloud environments

By Byron V. Acohido

There’s little doubt “digital transformation” is here to stay. And it is equally clear that just about all of the fundamental network vulnerabilities we already know about will escalate, in lockstep, with any benefits accrued.

It turns out that speeding up tech innovation cuts both ways.

Related article: How safeguarding privileged accounts can lower insurance

A vivid illustration of this truism comes from the rising challenges businesses face locking down privileged accounts. I had the chance to visit with CyberArk security researchers Lavi Lazarovitz and Asaf Hecht just after they carried out a stunning demo at RSA Conference 2018.

The pair showed how threat actors can create all-powerful “shadow admin” accounts within cloud platforms, such as Amazon Web Services, Microsoft Azure and Google Cloud, simply by manipulating the very design features meant to make cloud services nimble and agile.

For a full drill down on our discussion, please listen to the accompanying podcast. Here are key takeaways.

On-premise vs. cloud

Some context: When I interviewed CyberArk CEO Udi Mokady back in 2013, we discussed how most organizations had a lot to learn about privileged access security best practices. The vast majority of organizations at the time underestimated the number of privileged accounts that existed in their networks, allowed employees to widely share passwords, did not use two-factor authentication much, and changed passwords infrequently.

Since then companies have made substantial progress. Privileged access security technologies and best practices have been more widely adopted with respect to on-premises data centers. Companies are paying much closer attention to the use — and abuse — of privileged accounts, credentials and secrets, especially those that provide root access to mission-critical systems.

NEW TECH: Acalvio weaponizes deception to help companies turn the tables on malicious hackers

By Byron V. Acohido

Differentiating itself in a forest of cybersecurity vendors has not been a problem for start-up Acalvio Technologies. While hundreds of other security companies tout endless types and styles of intrusion detection and prevention systems, Acalvio has staked out turf in a promising new sub-segment: deception-based security systems.

Related article: Hunting for exposed data

Launched in 2015 by a group of cybersecurity veterans, the Santa Clara, Calif.-based start-up has 50 employees and has raised $22 million in venture capital financing to date. It has achieved this by pioneering technology that lies in wait for intruders who manage to get inside a company’s firewall, and then leads them down a path rife with decoy systems and faux data.

I had the chance to visit with Acalvio marketing chief, Rick Moy, at RSA Conference 2018. For a drill down on our conversation please listen to the accompanying podcast. Here are a few high-level takeaways:

Changing tactics

Deception is an age-old stratagem. Animals and insects use it to survive in the wild. Warring nations use it to gain tactical advantage over each other. Cybercrime and cyber warfare, no surprise, largely revolve around deception. Phishers deceive to gain trust; hackers deceive to avoid detection.

How ‘identity governance’ addresses new attack vectors opened by ‘digital transformation’

By Byron V. Acohido

Mark McClain and Kevin Cunningham didn’t rest for very long on their laurels, back in late 2003, after they had completed the sale of Waveset Technologies to Sun Microsystems. Waveset at the time was an early innovator in the then-nascent identity and access management (IAM) field.

The longtime business partners immediately stepped up planning for their next venture, SailPoint Technologies, which they launched in 2005 to pioneer a sub-segment of IAM, now referred to as identity governance. Today SailPoint has 800-plus employees and growing global sales.

Related article: What the Uber hack tells us about DevOps exposures

The company is coming off a successful initial public offering last November in which it raised $240 million. SailPoint’s share price has climbed from the mid-teens to the mid-twenties since its IPO.

I had the chance to visit with McClain, SailPoint’s CEO (Cunningham serves as chief strategy officer), at RSA Conference 2018. We had an invigorating discussion about how “digital transformation” has intensified the urgency for organizations to comprehensively address network security, and how identity governance is an important piece of that puzzle. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: Your focus is on helping companies do much better at a fundamental security best practice.

McClain: Exactly. Within the big realm of security, we’re within the realm of identity, which is getting a lot of airtime these days. And within identity, our focus is on what’s called identity governance . . . The company has been around for a while now. We work in almost every industry vertical and focus on mid-sized enterprises with 2,000 to 3,000 employees all the way to the largest global enterprises in the world.

PODCAST: Can ‘gamification’ of cyber training help shrink the human attack vector?

By Byron V. Acohido

The human attack vector remains the most pervasively probed path for malicious hackers looking to gain a foothold inside a company’s firewall.

And yet, somehow, cyber awareness training has not kept pace. Circadence hopes to change that. The Boulder, Colo.-based company got its start in the gaming industry 20 years ago, shifted to supplying cyber warfare training ranges to the military, and now is making a push to help companies add truly effective employee cyber awareness training as a key component to keeping their networks safe.

Related article: Why employee cyber training needs an overhaul

For years, teachers told us that learning can be fun. Circadence is taking that philosophy and running with it. The company is seeking to adapt “gamification” technologies to employee cyber awareness training. If it succeeds, it could help set a new paradigm for addressing the “people” component of defending networks.

I had the chance to converse with Keenan Skelly, Circadence vice president of global partnerships and security evangelist, at RSA Conference 2018 in San Francisco. For a drill down on our discussion, give a listen to the accompanying podcast. Here are a few high-level takeaways:

Gamers’ edge

Circadence got its start in the early 1990s as a publisher of one of the earliest massively multiplayer games. It turned out that the company’s expertise in generating and displaying complex graphics and getting high fidelity data from point A to point B in fantasy landscapes had a very useful real-world application – helping U.S. military operatives maintain an edge while engaging in ongoing cyber warfare.

PODCAST: How managing ‘privileged accounts’ can help make ‘digital transformation’ more secure

By Byron V. Acohido

One of the most basic things a company can do to dramatically improve their security posture is to keep very close track of who has what access to which privileged accounts inside the company firewall.

This is a best practice of privileged account management, which is a burgeoning sector of the identity and access management (IAM) field. For a variety of reasons, IAM is once again becoming acutely problematic.

Related article: Why savvy companies lock down privileged access

Not nearly enough attention was paid to IAM best practices when we first cobbled together digital business systems 20 years ago — and then piggybacked them onto the Internet. In general, the corporate world still is not very good at enforcing policies that ensure only the proper people have access to an organization’s technology resources.

And now the “digital transformation” of corporate networks is steamrolling downhill. As we meld legacy company systems to cloud services, IAM exposures are flaring up once again. A recent survey of IT organizations in the U.S. and Europe by Atlanta-based security vendor Bomgar found that risky employee password-usage practices continue to be a challenge for a majority of organizations.

Bomgar was founded in 2003 by Joel Bomgar, who was then a college student moonlighting as a techie contractor helping companies update and manage their Windows computers. One day Bomgar realized he was losing valuable time driving from client to client to resolve simple issues. So he developed his own proprietary solution to access his clients’ computers, and began providing his services remotely.

That quickly evolved into a platform of solutions that allow IT administrators and security professionals to securely manage access to systems and privileged accounts. Bomgar (the company) subsequently emerged as a leading provider of IAM and security solutions and has grown to more than 300 employees with offices in five countries.

PODCAST: That crumbling sound you hear is obsolescence creeping into legacy security systems

By Byron V. Acohido

For more than 20 years companies have, by and large, bought into the notion that they must take a “defense in depth” approach to network security. The best way to curtail network breaches, companies were told, was to erect strong perimeter firewalls, and then pile on dozens of layers of defenses on endpoint devices, databases, servers and applications.

Related article: Machine learning perfectly suits security analytics

Say goodbye to defense in depth as it swirls down the drain pipe to obsolescence; there is a tectonic shift in the way companies have begun to assemble and use corporate networks. This shift, in turn, has pushed legacy security defenses to the edge of the cliff where they are teetering at the brink of obsolescence.

I had an engrossing and enlightening conversation about this with Jesse Rothstein, CTO of ExtraHop, at the RSA Conference 2018 in San Francisco last week. Rothstein and Raja Mukerji formerly were senior software architects at F5 Networks, the network switching systems supplier that competes against Cisco and Juniper Networks.

One day, Rothstein and Mukerji began noodling a simple question: at a time of unprecedented scale, complexity, and dynamism, how do companies gain an actionable understanding of their IT environments? The answer: they don’t.

So, Rothstein and Mukerji co-founded ExtraHop in 2007 to help companies do just that. By 2014, the company closed a $41 million round of Series C financing, and today has 350 employees delivering network diagnostics and security analytics systems.

PODCAST: How freeing security analysts from repetitive tasks can turbo boost SOCs

By Byron V. Acohido

It wasn’t too long ago that security start-up Demisto was merely a notion bantered over at a coffee break. While working at McAfee, Slavik Markovich and Rishi Bhargava would sip espresso and discuss the challenges companies faced getting more effective protection from their Security Operation Centers, or SOCs.

Related article: How MSSPs can help small and mid-sized businesses

They took it a step further by polling security professionals. The feedback they got was consistent. The security pros reported that, despite having invested heavily in SOCs, their organizations continued to struggle making productive sense of endless signals from overlapping detection systems, even as the volume of cyber attacks continues to intensify. What’s more, the shortage of skilled security analysts available to try …