Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Podcasts

 

SHARED INTEL: How NTA/NDR systems get to ‘ground truth’ of cyber attacks, unauthorized traffic

By Byron V. Acohido

The digital footprints of U.S. consumers’ have long been up for grabs. No one stops the tech giants, media conglomerates and online advertisers from intensively monetizing consumers’ online behaviors, largely without meaningful disclosure.

Related: The state of ransomware

Who knew that much the same thing routinely happens to enterprises? A recent report by network detection and response vendor ExtraHop details how third-party security and analytics tools routinely “phone home” in order to exfiltrate network behavior data back to their home base, without explicitly asking permission.

It’s tempting to chalk this up to competitive frenzy – a simple case of third-party suppliers seeking whatever edge they can get away with. But there is a larger lesson here. ExtraHop’s finding vividly shows how, as digital transformation ramps up, companies really have no clue what moves back and forth, nor in and out, of their networks on a daily basis.

In one case, ExtraHop tracked a made-in-China surveillance cam sending UDP traffic logs, every 30 minutes, to a known malicious IP address with ties to China. It appears the cam in question was unwittingly set up by an employee for personal security reasons.

In another case, a device management tool was deployed in a hospital and used the WiFi network to insure data privacy, as it provisioned connected devices. But ExtraHop noticed that the tool also opening encrypted connections to vendor-owned cloud storage, a major HIPAA violation.

Getting to ground truth

I had a chance to discuss the wider implication of these findings with Raja Mukerji, co-founder and chief customer officer at ExtraHop. We met at Black Hat 2019. Mukerji and fellow co-founder Jesse Rothstein, ExtraHop’s chief technology officer, were colleagues at Seattle-based network switching systems supplier F5 Networks.

Launched in Seattle in 2007, ExtraHop set out to help companies gain an actionable understanding of their IT environments. Since then it has raised $61.6 million in VC backing, grown to more than 450 employees and now finds itself in the thick of a hot emerging cybersecurity space, Network Traffic Analysis (NTA,) as so declared by tech industry consultancy Gartner. ExtraHop refers to what it does as Network Detection and Response (NDR.) …more

MY TAKE: CASBs help companies meet ‘shared responsibility’ for complex, rising cloud risks

By Byron V. Acohido

Cloud Access Security Brokers – aka “caz-bees” — have come a long way in a short time.

CASBs, a term coined by tech industry consultancy Gartner, first cropped about seven years ago to help organizations enforce security and governance policies as they commenced, in earnest, their march into the cloud.

Related: Implications of huge Capital One breach

CASBs supplied a comprehensive set of tools to monitor and manage the multitude of fresh cyber risks spinning out of the rise in in corporate reliance on cloud services. In doing so, CASBs became the fastest growing security category ever, as declared by Gartner. Yet, somehow, catastrophic cloud breaches continued to occur, ala Capital One recently losing 100 million customer records kept in its Amazon Web Services S3 data storage buckets.

I had the chance to speak with Mahesh Rachakonda, vice president of products and solution engineering at CipherCloud, a San Jose, CA-based CASB, about this. We met at Black Hat 2019 and had a wide ranging discussion about the complex challenges companies face meeting their end of the security burden, while using cloud services. For a drill down, give a listen to the accompanying podcast. Here are key takeaways:

Fresh attack tiers

CASBs innovated like crazy to make it OK for enterprises to steadily move more and more of their on-premises operations onto a cloud service. Leading-edge CASB systems gave companies granular visibility and control over infrastructure (IaaS,) platform (PaaS) and software applications (SaaS) supplied by a cloud services vendor.

Still, the added complexities of cloud migration translated into fresh tiers of wide-open attack vectors. It turned out that moving traditional on-premises systems for HR, IT services, management, finance, accounting, ERP and CRM onto a cloud service run by a third party – made it much more difficult to implement a unified enforcement policy, Rachakonda says. …more

SHARED INTEL: What it takes to preserve business continuity, recover quickly from a cyber disaster

By Byron V. Acohido

To pay or not to pay? That’s the dilemma hundreds of organizations caught in the continuing surge of crippling ransomware attacks have faced.

Related: How ransomware became such a scourge

The FBI discourages it, as you might have guessed. What’s more, the U.S. Conference of Mayors this summer even passed a resolution declaring paying hackers for a decryption key anathema.

Yet there are valid arguments for what scores of municipalities and businesses caught with their networks frozen by extortionist hackers have been compelled to do: pay the ransom demand. Tech industry consultancy Forrester has even seen fit to issue guidance to help companies figure out whether paying the ransom demand might actually be their best option.

That pay or not to pay debate aside, there’s a more central question raised by the ransomware plague. Company decision makers need to be asking themselves this: just how good is their organization’s business continuity and disaster recovery preparedness?

This issue is in Mickey Bresman’s wheelhouse. Bresman is co-founder and CEO of Semperis, an identity-driven cyber resilience company based in the new World Trade Center in Lower Manhattan. Semperis helps companies running Microsoft Windows-based networks preserve and protect Active Directory, or AD.

AD is the administrative software that directs access to servers and applications across the breadth of Windows in tens of thousands of companies and agencies. As such it variably gets caught in the crossfire of ransomware strikes. It’s here that Semperis is helping companies build resiliency. I had the chance to visit with Bresman at Black Hat 2019. For a full drill down, please give a listen to the accompanying podcast. Here are key takeaways:

An attack scenario

Due to the ubiquitous use of Windows networks, Active Directory functions as the keys to the kingdom all across enterprise networks — in 90 percent of organizations. Hackers recognize this and so AD has become a favorite target. Here’s a scenario for how AD is factoring into ransomware attacks: …more

NEW TECH: Human operatives maintain personas, prowl the Dark Net for intel to help companies

By Byron V. Acohido

It seems like any discussion of cybersecurity these days invariably circles back to automation.

Our growing fixation with leveraging artificial intelligence to extract profits from Big Data – for both constructive and criminal ends—is the order of the day.

Related: Why Cyber Pearl Harbor is upon us

Vigilante is a cybersecurity startup that cuts against that grain. With an operational launch in October, Vigilante is the spin-off of an elite intelligence unit of InfoArmor, the identity monitoring technology supplier that was acquired by Allstate late last year.

At its core, Vigilante is comprised of operative teams who’ve spent years deeply-embedded in the virtual threat space, nurturing their dark net personas and proactively gathering intelligence on behalf of specific clients.

“We go out into the criminal space, on our clients’ behalf, to gather threat intelligence and put it into useful context,” Adam Darrah, Vigilante’s director of intelligence, told me. “This gives our clients an advantage in their security decision making.”

I met with Darrah at Black Hat 2019. We had a fascinating discussion about the distinctive services Vigilante will now seek to make more widely available on a commercial basis. For a full drill down, please give a listen to the accompanying podcast. Here are key takeaways:

Fresh feeds

Threat intelligence feeds gathered from automated defenses, such as next-gen firewalls and SIEMs, make up the vast majority of information companies have in hand depicting the activity of threat actors. In order to better defend their networks, companies struggle on a daily basis with the massive challenge of ingesting and extracting actionable insights from a fire hose.

Vigilante directs a team of operatives who serve, in effect, as intelligence gathering agents on patrol on the ground floor of the cyber underground. “We operate exclusively outside of our clients’ networks,” Darrah told me. “We don’t touch their networks. …more

MY TAKE: The case for assessing, quantifying risks as the first step to defending network breaches

By Byron V. Acohido

It’s clear that managed security services providers (MSSPs) have a ripe opportunity to step into the gap and help small- to medium-sized businesses (SMBs) and small- to medium-sized enterprises (SMEs) meet the daunting challenge of preserving the privacy and security of sensitive data.

Related: The case for automated threat feeds analysis

Dallas-based Critical Start is making some hay in this space — by striving to extend the roles traditionally played by MSSPs. The company has coined the phrase managed detection and response, or MDR, to more precisely convey the type of help it brings to the table.

I had the chance to meet with Randy Watkins, Critical Start’s chief technology officer at Black Hat USA 2019. Since its launch in 2012, the company has operated profitably, attracting customers mainly in Texas, Oklahoma, Louisiana and Arkansas and growing to 131 employees.

With a recent $40 million Series A equity stake from Bregal Sagemount, and fresh partnerships cemented with tech heavyweights Microsoft, Google Chronicle and Palo Alto Networks, among others, Critical Start is on a very promising trajectory. It wants to grow nationally and globally, of course.

Even more ambitiously, the company wants to lead the way in pivoting network security back to a risk-oriented approach, instead of what Watkins opines that it has all too often become: a march toward meeting controls-based checklists. We had a fascinating discussion about this. For a full drill down, give a listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW:  What’s the difference between taking a ‘risk-oriented’ versus a ‘controlled-based’ approach to security?

Watkins: Security really is the art of handling risk. We used to enumerate the risks that exist inside of an organization, try to assign a value to the impact it would have, if that risk was exploited. And then we’d assign either mitigation or acceptance or transference of the risk, based on potential impact and the probability that it would happen. …more

SHARED INTEL: Threat actors add a human touch to boost effectiveness of automated attacks

By Byron V. Acohido

Trends in fashion and entertainment come and go. The same holds true for the cyber underground.

Related: Leveraging botnets to scale attacks

For a long while now, criminal hackers have relied on leveraging low-cost botnet services to blast out cyber attacks as far and wide as they could, indiscriminately. Over the past 18 months or so, a fresh trend has come into vogue. It essentially involves applying hands-on human cleverness to the task of extracting highest value from assets gained in the automated sweeps.

British antimalware and network security vendor Sophos refers to this new tactic as “automated, active attacks.” Sophos Senior Security Advisor John Shier broke it down for me. We met at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Human touch

It has long been common practice to use botnets to blast out wave after wave of e-mails carrying tainted PDFs or Word docs, or a web link pointing to a booby-trapped page – and seeing who would bite. Lately, progressive criminal rings are taking a page out of the playbook of nation-state sponsored APT strikes — by adding more human nuances to their attacks.

“They may discover their targets through some sort of automated technique, which gets them a toehold into the company, or they might just simply go to Shodan (search engine) to discover open, available RDP hosts,” Shier told me. “Once they’re in the front door, now the humans get involved.”

Related: How ransomware became a scourge

Specialists get assigned to poke around, locate key servers and find stealthy paths to send in more malware. They’ll take more manual steps to encrypt servers, exfiltrate data – or do both.

“Cyber criminals are getting into the environment, elevating privileges as much as they can and moving laterally to other segments of the network,” Shier says. “And then, instead of encrypting one or two or ten machines, they’ll encrypt everything.”

The wave of catastrophic ransomware attacks that wrought tens of millions in recovery costs for the cities of Baltimore and Atlanta and prompted numerous small cities to pay six figure ransoms for decryption keys is a prime example of this, Shier says. …more

NEW TECH: Breakthrough ‘homomorphic-like’ encryption protects data in-use, without penalties

By Byron V. Acohido

Homomorphic encryption has long been something of a Holy Grail in cryptography.

Related: Post-quantum cryptography on the horizon

For decades, some of our smartest mathematicians and computer scientists have struggled to derive a third way to keep data encrypted — not just the two classical ways, at rest and in transit.

The truly astounding feat, aka homomorphic encryption, would be to keep data encrypted while it is being actively used by an application to run computations. Cryptographically speaking, this is the equivalent of moving the Himalayas, not just Mt. Everest.

There is an esoteric two-horse race that a small circle of folks in the cybersecurity and venture capital communities are riveted on. The stakes couldn’t be higher. It’s a race to deliver a commercially-viable homomorphic encryption tool – something that’s going to be needed if we are to vault into higher tiers of digital innovation.

Galloping along the rail, Google, Intel and Microsoft are leading a methodical effort to come up with consensus homomorphic encryption standards, even as a handful of VC-backed startups are hustling to overcome limitations in current working versions of their prototype tools.

Charging hard from post position no. 2, another group of start-ups, flush with VC cash, is gaining ground with “homomorphic-like” technologies they claim have the same benefits as the purely homomorphic tools, but none of the performance penalties.

A prominent member of this latter group is Mountain View, CA-based Fortanix, which has attracted $31 million in VC backing and grown to 60 employees since its launch in June 2017. Having written a few stories on homomorphic encryption, I was eager to meet with Fortanix co-founder and CEO Ambuj Kumar at Black Hat 2019. For a full drill down on our wide-ranging discussion, please give a listen to the accompanying podcast. Here are the key takeaways:

Runtime in focus

You might well ask yourself: why is keeping data encrypted while an application is using a data set so vital to the future of computing? It’s because elite threat actors already possess the ability to insinuate themselves deep inside of company networks and launch stealthy, quick-strike attacks – in memory, during runtime. …more