For technologists
Web application exposures continue to bedevil companies as digital transformation accelerates

By Byron V. Acohido

As sure as the sun will rise in the morning, hackers will poke and prod at the web applications companies rely on – and find fresh weaknesses they can exploit.

Related: Cyber spies feast on government shutdown

Companies are scaling up their use of web apps as they strive to integrate digital technology into every aspect of daily business operation. As this ‘digital transformation’ of commerce accelerates, the attack surface available to threat actors likewise is expanding.

I had a lively discussion recently with a couple of experts from WhiteHat Security. The San Jose, CA-based security vendor has been helping companies protect their web applications since the company was founded in 2001 by world-renowned ethical hacker Jeremiah Grossman, who also happens to be a black belt in Brazilian Jiu-Jitsu, as well as a native of my home state, Hawaii.

I spoke with WhiteHat Security researchers Bryan Becker and Mark Rogan at RSA 2019. They supplied clarifying context as to why web application vulnerabilities continue to bedevil companies of all sizes and in all sectors. For a full drill down, give a listen to the accompanying podcast. Key takeaways:

Myriad vault doors

Thanks to digital transformation, the attack surface available to threat actors, via web interfaces, is larger than many companies realize – and this exposure continues to steadily expand.

“Moving to the cloud, terms like agile development and container-based infrastructure — all of these are different ways to break a large process down into many smaller components which is easier for a management team and a development team to manage and to update quicker,” said Becker.

But what happens is that instead of having one giant application, you end up with a hundred mini applications, and in the long run, that means it is harder to monitor for vulnerabilities in the code. …more

NEW TECH: Exabeam retools SIEMs; applies credit card fraud detection tactics to network logs

By Byron V. Acohido

Security information and event management, or SIEM, could yet turn out to be the cornerstone technology for securing enterprise networks as digital transformation unfolds.

Related: How NSA cyber weapon could be used for a $200 billion ransomware caper

Exabeam is a bold upstart in the SIEM space. The path this San Mateo, CA-based vendor is treading tells us a lot about the unfolding renaissance of SIEMs – and where it could take digital commerce.

Launched in 2013 by Nir Polak, a former top exec at web application firewall vendor Imperva, Exabeam in just half a decade has raised an eye-popping $115 million in venture capital, grown to almost 350 employees and reaped over 100 percent revenue growth in each of the last three years.

I had the chance to visit with Trevor Daughney, Exabeam’s vice president of product marketing at RSA 2019. He explained how Exabeam has taken some of the same data analytics techniques that banks have long used to staunch credit card fraud and applied them to filtering network data logs. For a full drill down on our conversation, please listen to the accompanying podcast. Here are a few takeaways:

Very Big Data

The earliest SIEMs cropped up around 2005 or so. Led by the likes of Splunk, LogRhythm, IBM and Exabeam, the global SIEM market is expected to grow to over $5 billion annually in 2022.

Related: Autonomous vehicles are driving IoT security innovation

Fundamentally, SIEMs collect event log data from internet traffic, as well as corporate hardware and software assets. The starting idea was for a security analyst to then sift meaningful security intelligence from a massive volume of potential security events and keep intruders out. Yet, SIEMs never quite lived up to their initial promise.

And now, Big Data is about to become Very Big Data. Consider that 90 percent of the data that exists in the world today was generated in just the past couple of years. That includes everything moving across the internet: email, texting, online searches, social media posts, entertainment streaming, global finance, scientific research and cyber warfare. And on the horizon loom a full blown Internet of Things (IoT) and 5G networks, which will drive data generation to new heights. …more

MY TAKE: Microsoft’s Active Directory lurks as a hackers’ gateway in enterprise networks

By Byron V. Acohido

Many of our online activities and behaviors rely on trust. From the consumer side, for example, we trust that the business is legitimate and will take care of the sensitive personal information we share with them. But that level of trust goes much deeper on the organizational side.

Related: The case for ‘zero-trust’ authentication

Employees are given credentials that allow them authorized access to corporate networks and databases. IT leadership has to trust that those credentials are used properly.

That need for trust also makes credentials one of the most difficult areas to secure. When someone is using the right user name and password combination to gain access, it is very difficult to tell if the user is legitimate or a bad guy. It is why credential theft has become a lucrative attack vector for cybercriminals, with credential stuffing attacks compromising billions of accounts last year.

Credential theft has led to a rise in attacks on a tool that’s pervasively used in companies running Microsoft Windows-based networks. That tool is Active Directory. And because Active Directory is an almost universally-used tool in enterprise settings, it has, quite naturally, emerged as a favorite target of threat actors.

I had the chance to sit down with Rod Simmons, vice president of product strategy at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data, to discuss this at RSA 2019. For a full drill down, listen to the accompanying podcast. Key takeaways: …more

NEW TECH: CyberGRX seeks to streamline morass of third-party cyber risk assessments

By Byron V. Acohido

When Target fired both its CEO and CIO in 2014, it was a wake-up call for senior management.

The firings came as a result of a massive data breach which routed through an HVAC contractor’s compromised account. C-suite execs across the land suddenly realized something similar could happen to them. So they began inundating their third-party suppliers with “bespoke assessments” – customized cyber risk audits that were time consuming and redundant.

Out of that morass was born CyberGRX, a Denver, CO-based start-up that’s seeking to dramatically streamline third-party risk assessments, and actually turn them into a tool that can help mitigate cyber exposures.

I had the chance to visit with CyberGRX CEO Fred Kneip at RSA 2019 at San Francisco’s Moscone Center last week. He shared a telling anecdote about how CyberGRX got its start — essentially from backlash to the milestone Target breach.

Kneip also painted the wider context about why effective third-party cyber risk management is an essential ingredient to baking-in security at a foundational level. For a full drill down, please listen to the accompanying podcast. The key takeaways:

Rise of third parties

In 2016, Jay Leek – then CISO at the Blackstone investment firm, and now a CyberGRX board member – was collaborating with CSOs at several firms Blackstone had invested in when a common theme came up. The CSOs couldn’t scale their third-party risk assessment programs to keep up with growth. The problem had become untenable.

The Target firings lit a fire under senior management to make third-party security audits standard practice. But they did so without taking into account the hockey-stick rise in reliance on third-party suppliers. No one thought deeply enough about how they were distributing privileged access to innumerable third-party vendors.

Facilities repair contractors, like the HVAC vendor, were a small part of this trend. The corporate sector’s pursuit of digital transformation had given rise to new cottage industries of third-party contractors for everything from payroll services, accounting systems and HR functions to productivity suites, customer relationship services and analytics tools.

“Think about the CEO who’s overstretched and one step removed . . . the problem of how third parties might be exposing company data became, not so much neglected, as de-prioritized, even as companies became more and more dependent on these third party providers,” Kneip told me. …more

NEW TECH: Votiro takes ‘white-listing’ approach to defusing weaponized documents

By Byron V. Acohido

It’s hard to believe this month marks the 20th anniversary of the release of the devastating Melissa email virus which spread around the globe in March 1999.

Related: The ‘Golden Age’ of cyber espionage is upon us

Melissa was hidden in a weaponized Word document that arrived as an email attachment. When the recipient clicked on the Word doc, a macro silently executed instructions to send a copy of the email, including the infected attachment, to the first 50 people listed as Outlook contacts.

Unfortunately, despite steady advances in malware detection and intrusion prevention systems, and much effort put into training employees to be wary of suspicious email, weaponized email and document-based malware remain as virulent and pervasive as they were two decades ago.

The Defense Department, for instance, detects 36 million malware-infested emails arriving from hackers, terrorists and foreign adversaries every 24 hours. That translates into an onslaught of some 13 billion weaponized emails raining down on the Pentagon on an annual basis. This gives you an idea of the steady flow of weaponized email attacks against companies of all sizes and in all sectors, with certain verticals, namely financial services, healthcare companies and tech firms, bearing the brunt.

I had a revelatory discussion about this with Aviv Grafi, CEO of Votiro, at RSA 2019 in San Francisco last week. Votiro is a Tel Aviv-based security startup that is pioneering a new white-listing approach to help companies mitigate their exposure to weaponized email and document-distributed malware. For a full drill down, please listen to the accompanying podcast. The key takeaways:

Productivity vs. security

Threat actors fully grasp that humans will forever remain the weak link in any business network. And they’re accomplished at sidestepping the latest perimeter and near-perimeter defenses. Meanwhile, they’ve also become adept at manipulating widely-used, legitimate workplace tools, for instance, …more

MY TAKE: Memory hacking arises as a go-to tactic to carry out deep, persistent incursions

By Byron V. Acohido

A common thread runs through the cyber attacks that continue to defeat the best layered defenses money can buy.

Related: We’re in the midst of ‘cyber Pearl Harbor’

Peel back the layers of just about any sophisticated, multi-staged network breach and you’ll invariably find memory hacking at the core. In fact, memory attacks have quietly emerged as a powerful and versatile new class of hacking technique that threat actors in the vanguard are utilizing to subvert conventional IT security systems.

In a sense, memory attacks are a reflection of what has been left out of the $216 billion companies spent over the past two years on security products and services. That’s Gartner’s estimate of global spending on cybersecurity in 2017 and 2018. Memory hacking is being carried out across paths that have been left comparatively wide open to threat actors who are happy to take full advantage of the rather fragile framework of processes that execute deep inside the kernel of computer operating systems.

Last Watchdog recently sat down with Satya Gupta, founder and CTO of Virsec, a San Jose-based supplier of advanced data protection systems. Virsec is a leading innovator of memory protection technologies. Gupta put memory attacks in context of the complexity that has overtaken modern business networks. Here’s what I took away from our discussion:

Transient hacks

Memory hacking has become a go-to technique used both by common cybercriminals, as well as nation-state backed hacking specialists. Threat actors are crafting memory attacks designed to help them gain footholds, move laterally and achieve persistence deep inside well-defended enterprise networks.

Microsoft, supplier of the Windows operating system used ubiquitously in enterprise networks, recently disclosed that roughly 70% of the security vulnerabilities it patches each year stem from what the software giant refers to as “memory safety issues.”

These are issues that are coming into play in all other major OSs, as well as at the processing chip level of computer hardware.

For instance, a major vulnerability was discovered lurking in the GNU C Library, or GLIBC, an open source component that runs deep inside the Linux operating systems used widely in enterprise settings. GLIBC keeps common code in one place, so that the many programs on a system share a single implementation of routines such as the ones they use to reach the company network and the Internet. It turned out that a threat actor could feed one of those routines more data than its buffer was built to hold, corrupt the program’s memory and take control of it, and then use it as a launch point for stealing passwords, spying on users and attempting to usurp control of other computers. …more
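To make the mechanism in the paragraph above concrete, here is an added example in C. It is not code from the article, from Virsec or from GLIBC: the one-byte length-prefixed message format and the byte-array “stack frame” (a 16-byte name buffer followed by an 8-byte saved return address) are constructed for this demonstration, so the overflow stays inside defined behaviour and the damage can be inspected instead of crashing the process. The unsafe parser trusts the length byte carried in the message; the hardened parser adds the one check that is missing.

```c
/*
 * Added example (not from the article, Virsec or GLIBC): a deterministic model
 * of the bug class the article describes, where a shared library routine copies
 * attacker-supplied data into a fixed-size buffer without checking its length.
 * The "frame" is a plain byte array standing in for a stack frame, so every
 * write below is in bounds of that array; on a real stack the same copy would
 * overwrite the saved return address and redirect execution.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX   16                  /* size of the local name buffer           */
#define RET_OFF    NAME_MAX            /* saved return address sits right after it */
#define FRAME_SIZE (NAME_MAX + 8)

struct frame {                         /* model frame: [name[16]][saved ret[8]]    */
    uint8_t bytes[FRAME_SIZE];
};

static const uint8_t kGoodRet[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};

/* Zero the buffer and install a recognisable saved return address. */
void frame_init(struct frame *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + RET_OFF, kGoodRet, sizeof kGoodRet);
}

/*
 * Constructed message format: one length byte, then that many name bytes.
 * UNSAFE: the length byte is trusted, so a length above NAME_MAX spills past
 * the name buffer into the saved return address. (The clamp to FRAME_SIZE only
 * exists to keep the model array in bounds; real code has no such clamp and the
 * write would keep going.)
 */
int parse_name_unsafe(const uint8_t *msg, size_t msg_len, struct frame *f) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;          /* reads are bounded, writes are not */
    if (len > FRAME_SIZE) len = FRAME_SIZE;    /* model-only clamp, see comment     */
    for (size_t i = 0; i < len; i++)
        f->bytes[i] = msg[1 + i];              /* BUG: may write past NAME_MAX      */
    return 0;
}

/* Hardened parser: reject any name that does not fit the buffer. */
int parse_name_safe(const uint8_t *msg, size_t msg_len, struct frame *f) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;
    if (len > NAME_MAX) return -2;             /* the missing length check          */
    memcpy(f->bytes, msg + 1, len);
    return 0;
}

/* 1 if the saved return address still holds the value frame_init installed. */
int return_address_intact(const struct frame *f) {
    return memcmp(f->bytes + RET_OFF, kGoodRet, sizeof kGoodRet) == 0;
}

/* Read back the (possibly attacker-chosen) return address, little-endian. */
uint64_t saved_return_address(const struct frame *f) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | f->bytes[RET_OFF + i];
    return v;
}

/* Build the attacker's message: length 24 = 16 filler bytes + 8 bytes of chosen address. */
size_t build_overlong_message(uint8_t *out, size_t out_len, uint64_t wanted_ret) {
    const size_t len = NAME_MAX + 8;
    if (out_len < 1 + len) return 0;
    out[0] = (uint8_t)len;
    memset(out + 1, 'A', NAME_MAX);
    for (int i = 0; i < 8; i++) out[1 + NAME_MAX + i] = (uint8_t)(wanted_ret >> (8 * i));
    return 1 + len;
}

int main(void) {
    uint8_t msg[64];
    size_t n = build_overlong_message(msg, sizeof msg, 0xdeadbeefcafef00dULL);
    struct frame f;

    frame_init(&f);
    parse_name_unsafe(msg, n, &f);
    printf("unsafe parser: saved return address now 0x%016llx (intact=%d)\n",
           (unsigned long long)saved_return_address(&f), return_address_intact(&f));

    frame_init(&f);
    int rc = parse_name_safe(msg, n, &f);
    printf("safe parser:   rc=%d, saved return address intact=%d\n",
           rc, return_address_intact(&f));
    return 0;
}
```

Build and run with `cc -o overflow overflow.c && ./overflow`. The point of the model is that the attacker never touches the return address directly; the trusted length byte does it for them, which is why stack canaries, ASLR and the compiler’s fortified copy routines exist as mitigations, and why the length check in `parse_name_safe` is the actual fix.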

Q&A: Why SOAR startup Syncurity is bringing a ‘case-management’ approach to threat detection

By Byron V. Acohido

There’s a frantic scramble going on among those responsible for network security at organizations across all sectors.

Related: Why we’re in the Golden Age of cyber espionage

Enterprises have dumped small fortunes into stocking their SOCs (security operations centers) with the best firewalls, anti-malware suites, intrusion detection, data loss prevention and sandbox detonators money can buy. But this hasn’t done the trick.

There is a gaping shortage of analysts talented enough to make sense of the rising tide of data logs inundating their SIEM (security information and event management) systems. In many cases the tedious, first-level correlating of SIEM logs to sift out threats has moved beyond human capability. Some 27 percent of IT professionals who took part in a survey conducted by security vendor Imperva at RSA 2018 reported receiving more than 1 million security alerts daily.

Now toss in the fact that digital transformation is redoubling software development and data handling complexities. This has exponentially expanded the attack surface available to motivated, well-funded threat actors. This, in short, is the multi-headed hydra enterprises must tame in order to mitigate rising cyber risks.

Smart money

Enter SOAR, the acronym for “Security Orchestration, Automation & Response.” SOAR, if you haven’t heard, is a hot new technology stack that takes well-understood data mining and business intelligence analytics methodologies – techniques that are deeply utilized in financial services, retailing and other business verticals – and applies them to cybersecurity. …more