


MY TAKE: The back story on the convergence, continuing evolution of endpoint security

By Byron V. Acohido

No one in cybersecurity refers to “antivirus” protection any more. The technology that corrals malicious software circulating through desktop PCs, laptops and mobile devices has evolved into a multi-layered security technology referred to as ‘endpoint security.’

This designation change unfolded a few years back. It was a reflection of attackers moving to take full advantage of the fresh attack vectors cropping up as companies retooled their legacy networks – comprised of ‘on-premises’ servers and clients – to operate in the expanding world of cloud services, mobile devices and the Internet of Things.

Having covered Symantec, McAfee, Trend Micro, Sophos, Kaspersky, et al. since the nascent days of the antivirus market, I find it fascinating that the top dozen or so antivirus players have all managed to remain in the game. What’s more, they’ve all successfully grown into multi-layered full-service endpoint security suppliers.

I visited with Joe Sykora, vice president of worldwide channel development for Bitdefender, at Black Hat USA 2018, and asked him to put the remarkable staying power of endpoint security in context. In 1990, Florin and Mariuca Talpes parlayed a $300 stake borrowed from a relative into a company which would become Bitdefender in 2001. Founded in Bucharest, the company of 1,600 employees is in the thick of reshaping endpoint security.

For a drill down on my discussion with Sykora, please listen to the accompanying podcast. Here are a few big takeaways: …more

Q&A: Here’s why it has become vital for companies to deter ‘machine-identity thieves’

By Byron V. Acohido

We’re undergoing digital transformation, ladies and gentlemen. And we’re in a nascent phase where clever advances are blossoming even as unprecedented data breaches arise in parallel.

The latest example of this dichotomy comes from Timehop, a service that enables social media users to plug into their past. On Sunday, Timehop shared details about how a hacker got into their network, conducted several reconnaissance forays, and then moved swiftly on July 4th to pilfer personal information for 21 million Timehop users, including their social media “access tokens.”

Related article: How DevOps contributed to the Uber hack

Much like the recent hacks of Uber and Tesla, the Timehop caper revolved around the attackers manipulating admin credentials and maneuvering extensively through Timehop’s cloud environment.

I recently had a fascinating conversation with Jeff Hudson, CEO of Venafi, about why we are currently in a situation where criminally motivated actors are proving to be every bit as innovative as legitimate businesses when it comes to leveraging cloud services and developing breakthrough uses of mobile computing and the Internet of Things.

Venafi is a leading supplier of machine identity protection; it helps companies secure authentication and privileged access to key components of critical systems. As such, Hudson argues persuasively that the root of the matter comes down to the need for organizations to keep a much closer account of access logons and encryption keys. And they must do this, not just for human users, but especially for machine-to-machine communications.

For a drill down on our conversation, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: Can you frame what’s going on with identities when it comes to digital transformation? …more

As 2-factor authentication falls short, ‘adaptive multi-factor authentication’ goes mainstream

By Byron V. Acohido

The use of an additional form of authentication to protect the accessing of a sensitive digital system has come a long way over the past decade and a half.

Most individuals today are nonplussed when required, under certain circumstances, to retrieve a one-time passcode, pushed out in a text message to their smartphone, and then type the passcode to gain access to a privileged account.

Related: Why data science is the key to securing networks

An Israeli start-up, Silverfort, is seeking to make a great leap forward in the state-of-the-art of authentication systems. Silverfort has introduced new technology that is designed to help corporations address unprecedented authentication exposures spinning out of ‘digital transformation.’

I recently visited with Silverfort CEO Hed Kovetz, who described how the idea for the company percolated when the co-founders were toiling in the encryption branch of Unit 8200, the elite cybersecurity arm of the Israeli military.

Kovetz recounted how he and two colleagues came up with the idea for a centralized authentication appliance that uses machine learning to recognize the logon patterns of all employees, and then makes strategic use of that analysis in real time.

Having visited with several cybersecurity companies marketing cutting-edge authentication technologies, it has become clear to me that advanced authentication technologies will play an important role, going forward, in helping enterprises build out ‘hybrid’ networks that tap deeper into cloud services and the Internet of Things. This is what digital transformation is all about.

For a drill down on Silverfort’s bold approach to the authentication part of the equation, please listen to the accompanying podcast. Here are excerpts edited for clarity and length:

LW: How did Silverfort get started?

Kovetz: All of us worked together very closely in Unit 8200, a cyber intelligence unit inside the Israeli army. The three of us worked a lot on these areas and really understood some of the challenges that we wanted to handle. …more

VASCO rebrands as OneSpan, makes acquisition, to support emerging mobile banking services

By Byron V. Acohido

Bank patrons in their 20s and 30s, who grew up blanketed with digital screens, have little interest in visiting a brick-and-mortar branch or interacting with a flesh-and-blood teller.

This truism is pushing banks into uncharted territory. They are scrambling to invent and deliver a fresh portfolio of mobile banking services that appeal to millennials.

Related articles: Hackers revamp tactics, target mobile wallets

This, of course, is a tall task. Convenience must be delicately balanced against security. Rising regulatory and anti-fraud requirements add to the difficulty factor. However, the economic opportunity is considerable. So banks are all in.

The recent series of strategic moves made by VASCO Data Security underscores this seismic shift in banking services. Chicago-based VASCO has been around since 1991 and has more than 600 employees.

VASCO long ago established itself as a leading supplier of authentication technology to 2,000 banks worldwide. Yet on one day last month the company:

• Changed its name to OneSpan

• Launched its new Trusted Identity platform

• Announced the $55 million acquisition of Dealflo, a U.K.-based supplier of automated identity verification and digital account onboarding technologies.

Just prior to this strategic repositioning, I met with Will LaSala, the company’s security evangelist, at RSA Conference 2018. We had a lively conversation about the advanced attacks threat actors are currently directing at banks. …more

Why big companies ignore SAP security patches — and how that could bite them, big time

By Byron V. Acohido

Threat actors in the hunt for vulnerable targets often look first to ubiquitous platforms. It makes perfect sense for them to do so.

Related article: Triaging open-source exposures

Finding a coding or design flaw on Windows OS can point the way to unauthorized access to a treasure trove of company networks that use Windows. The same holds true for probing widely used open source protocols, as occurred when Heartbleed and Shellshock came to light.

There is yet another widely-used business platform that malicious hackers have turned their attention to. It is SAP’s enterprise resource planning (ERP) applications.

SAP serves as the digital plumbing for dozens of multinationals; it is deeply embedded in 87 percent of the top 2000 global companies, enabling and integrating ERP functions, such as sales, production, human resources and finance, as well as other core systems.

SAP is no different than any other complex software. Vulnerability researchers, ranging from penetration testers to threat actors, continually seek out fresh security flaws which SAP subsequently issues patches for. The trouble has been that SAP patches can be troublesome to implement, and so very often get postponed.

In 2016 the U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued three separate security alerts warning SAP customers to install security patches, including one issued six years earlier that had gone widely ignored.

Many large enterprises have been lagging in SAP patches. This exposure is pervasive. And it is only a matter of time before threat actors pull off a high-profile data breach. …more

Mobile security advances to stopping device exploits — not just detecting malicious apps

By Byron V. Acohido

The most profound threat to corporate networks isn’t the latest, greatest malware. It’s carbon-based life forms.

Humans tend to be gullible and impatient. With our affiliations and preferences put in play by search engines and social media, we’re perfect patsies for social engineering. And because we are slaves to convenience, we have a propensity for taking shortcuts when it comes to designing, configuring and using digital systems.

Related article: Is your mobile device spying on you?

This hasn’t worked terribly well for defending modern business networks from cyberattacks. And now we are on the verge of making matters dramatically worse as smartphones and IoT devices proliferate.

I recently had a chance to discuss this state of affairs with J.T. Keating, vice president of product strategy at Zimperium, a Dallas-based supplier of mobile device security systems. Launched in 2010 by a Samsung consultant who saw the handwriting on the wall, Zimperium has grown to 140 employees and attracted $60 million in venture capital from Warburg Pincus, SoftBank, Samsung, Telstra and Sierra Ventures.

The company is seeking to frame and address mobile security much differently than the traditional approach to endpoint security. “When you have billions of mobile devices that aren’t well protected, and the users are primarily responsible for controlling them, it makes for very ripe targeting,” Keating told me.

For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: What’s most worrisome about mobile security?

Keating: If you’re a consumer, you should really care about malicious apps. The vast majority of the mobile malware we see is designed for fraud. A perfect example of one going around right now is called Bankbot. A user will …more

With passwords here to stay, a ‘Zero Trust’ approach to authentication makes eminent sense

By Byron V. Acohido

When I first started writing about technology for USA Today in 2000, reporters were required to use what at the time was a cutting-edge 2-factor authentication device to securely log into the newspaper’s editing and publishing network.

Related article: The case for rethinking security

It was an RSA SecurID token. I attached it to my key chain, and activated it to issue a one-time 6-digit code, each time I needed to log in to file a story.

Today that same functionality has been vastly improved. One-time security codes routinely get pushed to smartphones to effect a second factor of authentication in a wide array of scenarios. An approach referred to as the “Zero Trust” model takes it a few steps further.

Increasingly, behavior monitoring and machine learning are being brought to bear to assess details of each separate login to each service. This enables companies to make decisions as to whether any specific access request is routine – or suspicious.

Companies can tune such systems to automatically take a range of actions, from requiring a second-factor of authentication, to permitting only very limited access or even blocking access altogether. And they are able to do this at scale, in real time, while watching effectiveness improve as the machine learning algorithms crunch more and more data.

Last Watchdog asked Andy Smith, vice president of product marketing at Centrify, a leading supplier of identity and access management (IAM) technologies, to supply context for the Zero Trust model. One big takeaway was this: the Zero Trust model has come along with perfect timing to support stronger authentication requirements happening on the fly as part of digital transformation.

For a full drill down, please listen to the accompanying podcast. Here are excerpts of our conversation edited for clarity and length.

LW: Keeping track of identities and controlling access has always been a big challenge. Now the challenge is escalating, getting more complex. …more