
My Take

 

SHARED INTEL: FireMon survey shows security lags behind fast pace of hybrid cloud deployments

By Byron V. Acohido

Corporate America’s love affair with cloud computing has hit a feverish pitch. Yet ignorance persists when it comes to a momentous challenge at hand: how to go about tapping the benefits of digital transformation while also keeping cyber exposures to a minimum level.

Related: Why some CEOs have quit tweeting

That’s the upshot of FireMon’s second annual State of Hybrid Cloud Security Report of 522 IT and security professionals, some 14 percent of whom occupy C-suite positions.

Nearly 60 percent of the respondents indicated the pace of their cloud deployments has surpassed their ability to secure them in a timely manner. Notably, that’s essentially the same response FireMon got when it posed this same question in its inaugural hybrid cloud survey some 14 months ago.

That’s not a good thing, given migration to cloud-based business systems, reliance on mobile devices and onboarding of IoT systems are all on an upward sweep. “It doesn’t seem like we’ve moved the needle on security at all,” says Tim Woods, vice president of technology alliances at FireMon, the leading provider of automated network security policy management systems.

I had the chance to visit with Woods at RSAC 2020 in San Francisco recently. For a full drill down on our discussion, please give a listen to the accompanying podcast. Here’s a summary of key takeaways:

Shared burden confusion

Hybrid cloud refers to the mixing and matching of on-premise IT systems, aka private clouds, with processing power, data storage, and collaboration tools leased from public cloud services, such as Amazon Web Services, Microsoft Azure and Google Cloud. Hybrid clouds are being leveraged to refresh legacy networks, boost productivity and innovate new software services at breakneck speed, to keep pace with rivals.

SHARED INTEL: Bogus Coronavirus email alerts underscore risk posed by weaponized email

By Byron V. Acohido

It comes as no surprise that top cyber crime rings immediately pounced on the Coronavirus outbreak to spread a potent strain of malware via malicious email and web links.

Related: Credential stuffing fuels cyber fraud

IBM X-Force researchers shared details about how emails aimed at Japanese-speaking individuals have been widely dispersed purporting to share advice on infection-prevention measures for the disease. One of the waves of weaponized emails actually is designed to spread a digital virus: the notorious Emotet banking Trojan designed to steal sensitive information.

One cybersecurity company, Tel Aviv-based Votiro, is taking a different approach to strengthen protection against such weaponized documents, using technology that disarms files before they are delivered to the recipient’s inbox. I had the chance to visit with Votiro CEO and founder Aviv Grafi at RSA 2020. For a full drill down give a listen to the accompanying podcast. Here are a few key takeaways:

Filtering falls short

As a former penetration tester who specialized in testing employees’ aptitude for resisting email lures, Grafi saw time and again how – and why – attackers leverage timely events, such as celebrity deaths, holidays or tax deadlines, to lure email recipients to click on corrupted Word docs or PDF attachments.

Votiro introduced their ‘Disarmer’ technology, called CDR, for “content, disarm and reconstruction” to the U.S. market in 2019. CDR takes a prevention, instead of detection, approach to disarming weaponized email and deterring document-delivered malware.

MY TAKE: Why speedy innovation requires much improved cyber hygiene, cloud security

By Byron V. Acohido

Speed is what digital transformation is all about. Organizations are increasingly outsourcing IT workloads to cloud service providers and looking to leverage IoT systems.

Related: The API attack vector expands

Speed translates into innovation agility. But it also results in endless ripe attack vectors which threat actors swiftly seek out and exploit. A big challenge security executives face is balancing speed vs. security.

I spoke with Greg Young, Cybersecurity Vice President at Trend Micro, about this. We met at RSA 2020 in San Francisco. Trend Micro has evolved from one of the earliest suppliers of antivirus suites to a provider of a broad platform of systems to help individuals and organizations reduce cyber exposures.

For a full drill down of our discussion, please give the accompanying podcast a listen. Here are a few key takeaways.

Teeming threat landscape

Security leaders’ key priority is reducing exposures to the cyber risks they know are multiplying. Compliance penalties, lawsuits, loss of intellectual property, theft of customer personal data, and reputational damage caused by poor cyber defenses are now top operational concerns. Yet many organizations continue to practice poor cyber hygiene.

Cyber hygiene basics revolve around aligning people, processes and technologies to adopt a security-first mindset. In the current environment, it is vitally important for companies to secure vulnerabilities in their mission-critical systems, while at the same time remaining vigilant about detecting intruders and recovering quickly from inevitable breaches.

SHARED INTEL: Survey shows some CEOs have quit Tweeting, here’s why they were smart to do so

By Byron V. Acohido

Cyber threats now command the corporate sector’s full attention. It’s reached the point where some CEOs have even begun adjusting their personal online habits to help protect themselves, and by extension, the organizations they lead. Corporate consultancy PwC’s recent poll of 1,600 CEOs worldwide found that cyber attacks are now considered the top hindrance to corporate performance, followed by the shortage of skilled workers and the inability to keep up with rapid tech advances.

Related: How ‘credential stuffing’ enables online fraud

As a result, some CEOs admit they’ve stopped Tweeting and deleted their LinkedIn and other social media accounts – anything to help reduce their organization’s exposure to cyber criminals. “Senior C-level executives and board members are paying more attention now to cybersecurity than two years ago, by far,” observes Jeff Pollard, vice president and principal analyst at tech research firm Forrester.

Awareness is a vital step forward, no doubt. But it’s only a baby step. Corporate inertia still looms large. For many Chief Information Security Officers, having the CEO’s ear, at the moment, is proving to be a double-edged sword, Pollard told me. “We find many CISOs spend their time explaining what threats matter and why, as opposed to why cybersecurity matters in the first place,” he says. “Security leaders must also find ways to explain why budgets that have steadily increased, year after year, have not solved the security problems”.

SHARED INTEL: Former NSA director says cybersecurity solutions need to reflect societal values

By Byron V. Acohido

Is America’s working definition of “national security” too narrow for the digital age?

Yes, observes retired Admiral Michael Rogers, who served as a top White House cybersecurity advisor under both Presidents Obama and Trump. 

Related: The golden age of cyber espionage

The United States, at present, operates with a “nebulous” definition of what constitutes a cyber attack that rises to the level of threatening national security, asserts Rogers, who was commander, U.S. Cyber Command, as well as director, National Security Agency, and chief, Central Security Service, from March 2014 until he retired from military service in May 2018.

“National security in the digital age, to me, is the confluence of the traditional ways we used to look at security issues as a nation-state, as well as taking into consideration how economic-competitiveness and long-term economic viability play in,” Rogers told an audience of cybersecurity executives, invited to attend the grand opening of Infosys’ state-of-the-art Cyber Defense Center in Indianapolis earlier this week.

Rogers made his remarks as part of a panel discussion on securing digital transformation moderated by Infosys CISO Vishal Salvi. It was a wide-ranging, eye-opening discussion. Here are a few key takeaways I came away with:

Rising cyber exposures

Enterprises today are engaged in a struggle to balance security and agility. Leveraging cloud services and IoT systems to streamline workloads makes a ton of sense. Yet cyber exposures are multiplying. Compliance penalties, lawsuits, loss of intellectual property, theft of customer personal data and loss of reputation — due to poor cyber defenses — are now getting board level attention.

MY TAKE: Why IoT systems won’t be secure until each and every microservice is reliably authenticated

By Byron V. Acohido

Wider use of Internet of Things systems that can make daily living safer, healthier and more convenient is on the immediate horizon. However, to fully capture the benefits of an IoT-centric economy, a cauldron of privacy and security concerns must first be quelled.

Related: The promise and pitfalls of IoT

At the technology level, two fundamental things must get accomplished. First, the identities of any two digital entities – a sensor and a control server, for instance, or even a microservice and a container – must be authenticated, and, second, the data exchanged between any two such digital instances must be encrypted.

The good news is that the technology to do this – on the fly and at the massive scale required – exists and is being reinforced. I’m referring to the Public Key Infrastructure, or PKI, and the underlying TLS/SSL authentication and encryption protocols.

The PKI framework revolves around distributing and continually managing digital certificates, issued by Certificate Authorities (CAs). PKI today appears to be in very good shape and is on track to become even more robust, which it will have to be in order to function seamlessly at the massive scale required.

Consider this: just five years ago, a large enterprise was typically responsible for managing, at most, a few million digital certificates. But as IoT systems gain more and more traction, that number will climb into the hundreds of millions, per company.

Setting priorities

The core IoT challenge, going forward, is not about technology — it’s about corporate priorities. It is incumbent upon enterprises plunging forward with digital transformation to embed security and emphasize cyber hygiene – much more so than they generally do today. IoT device manufacturers must embed basic security protocols at a granular level, and corporate captains must instill a security-first culture — to a level much deeper than is common today.

“If you’re not authenticating connections and you’re not encrypting your … more

MY TAKE: PKI, digital certificates now ready to take on the task of securing digital transformation

By Byron V. Acohido

Just five years ago, the Public Key Infrastructure, or PKI, was seriously fraying at the edges and appeared to be tilting toward obsolescence. Things have since taken a turn for the better.

Related: Why PKI is well-suited to secure the Internet of Things

PKI is the authentication and encryption framework on which the Internet is built. The buckling of PKI a few years back was a very serious matter, especially since there was nothing waiting in the wings to replace PKI. Lacking a reliable way to authenticate identities during the data transfer process, and also keep data encrypted as it moves between endpoints, the Internet would surely atrophy – and digital transformation would grind to a halt.

The retooling of PKI may not be sexy to anyone, outside of tech geeks. Nonetheless, it is a pivotal chapter in the evolution of digital commerce. One of several notable contributors was DigiCert, the world’s leading provider of digital certificates and certificate management solutions.

I had a chance to interview Brian Trzupek, DigiCert’s senior vice president of emerging markets products, at the company’s Security Summit 2020 in San Diego recently. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are a few key takeaways:

PKI’s expanding role

PKI revolves around the creation, distribution and management of digital certificates issued by companies known as certificate authorities, or CAs. In the classic case of a human user clicking to a website, CAs, like DigiCert, verify the authenticity of the website and encrypt the data at both ends.

Today, a much larger and rapidly expanding role for PKI and digital certificates is to authenticate devices and encrypt all sensitive data transfers inside highly dynamic company networks. We’re not just talking about website clicks; PKI comes into play with respect to each of the millions of computing instances and devices continually connecting to each other – the … more