Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Podcasts

 

SHARED INTEL: What it takes to preserve business continuity, recover quickly from a cyber disaster

By Byron V. Acohido

To pay or not to pay? That’s the dilemma hundreds of organizations caught in the continuing surge of crippling ransomware attacks have faced.

Related: How ransomware became such a scourge

The FBI discourages it, as you might have guessed. What’s more, the U.S. Conference of Mayors this summer even passed a resolution declaring paying hackers for a decryption key anathema.

Yet there are valid arguments for what scores of municipalities and businesses caught with their networks frozen by extortionist hackers have been compelled to do: pay the ransom demand. Tech industry consultancy Forrester has even seen fit to issue guidance to help companies figure out whether paying the ransom demand might actually be their best option.

That pay or not to pay debate aside, there’s a more central question raised by the ransomware plague. Company decision makers need to be asking themselves this: just how good is their organization’s business continuity and disaster recovery preparedness?

This issue is in Mickey Bresman’s wheelhouse. Bresman is co-founder and CEO of Semperis, an identity-driven cyber resilience company based in the new World Trade Center in Lower Manhattan. Semperis helps companies running Microsoft Windows-based networks preserve and protect Active Directory, or AD.

AD is the administrative software that directs access to servers and applications across the breadth of Windows in tens of thousands of companies and agencies. As such it variably gets caught in the crossfire of ransomware strikes. It’s here that Semperis is helping companies build resiliency. I had the chance to visit with Bresman at Black Hat 2019. For a full drill down, please give a listen to the accompanying podcast. Here are key takeaways:

An attack scenario

Due to the ubiquitous use of Windows networks, Active Directory functions as the keys to the kingdom all across enterprise networks — in 90 percent of organizations. Hackers recognize this and so AD has become a favorite target. Here’s a scenario for how AD is factoring into ransomware attacks: …more

NEW TECH: Human operatives maintain personas, prowl the Dark Net for intel to help companies

By Byron V. Acohido

It seems like any discussion of cybersecurity these days invariably circles back to automation.

Our growing fixation with leveraging artificial intelligence to extract profits from Big Data – for both constructive and criminal ends—is the order of the day.

Related: Why Cyber Pearl Harbor is upon us

Vigilante is a cybersecurity startup that cuts against that grain. With an operational launch in October, Vigilante is the spin-off of an elite intelligence unit of InfoArmor, the identity monitoring technology supplier that was acquired by Allstate late last year.

At its core, Vigilante is comprised of operative teams who’ve spent years deeply-embedded in the virtual threat space, nurturing their dark net personas and proactively gathering intelligence on behalf of specific clients.

“We go out into the criminal space, on our clients’ behalf, to gather threat intelligence and put it into useful context,” Adam Darrah, Vigilante’s director of intelligence, told me. “This gives our clients an advantage in their security decision making.”

I met with Darrah at Black Hat 2019. We had a fascinating discussion about the distinctive services Vigilante will now seek to make more widely available on a commercial basis. For a full drill down, please give a listen to the accompanying podcast. Here are key takeaways:

Fresh feeds

Threat intelligence feeds gathered from automated defenses, such as next-gen firewalls and SIEMs, make up the vast majority of information companies have in hand depicting the activity of threat actors. In order to better defend their networks, companies struggle on a daily basis with the massive challenge of ingesting and extracting actionable insights from a fire hose.

Vigilante directs a team of operatives who serve, in effect, as intelligence gathering agents on patrol on the ground floor of the cyber underground. “We operate exclusively outside of our clients’ networks,” Darrah told me. “We don’t touch their networks. …more

MY TAKE: The case for assessing, quantifying risks as the first step to defending network breaches

By Byron V. Acohido

It’s clear that managed security services providers (MSSPs) have a ripe opportunity to step into the gap and help small- to medium-sized businesses (SMBs) and small- to medium-sized enterprises (SMEs) meet the daunting challenge of preserving the privacy and security of sensitive data.

Related: The case for automated threat feeds analysis

Dallas-based Critical Start is making some hay in this space — by striving to extend the roles traditionally played by MSSPs. The company has coined the phrase managed detection and response, or MDR, to more precisely convey the type of help it brings to the table.

I had the chance to meet with Randy Watkins, Critical Start’s chief technology officer at Black Hat USA 2019. Since its launch in 2012, the company has operated profitably, attracting customers mainly in Texas, Oklahoma, Louisiana and Arkansas and growing to 131 employees.

With a recent $40 million Series A equity stake from Bregal Sagemount, and fresh partnerships cemented with tech heavyweights Microsoft, Google Chronicle and Palo Alto Networks, among others, Critical Start is on a very promising trajectory. It wants to grow nationally and globally, of course.

Even more ambitiously, the company wants to lead the way in pivoting network security back to a risk-oriented approach, instead of what Watkins opines that it has all too often become: a march toward meeting controls-based checklists. We had a fascinating discussion about this. For a full drill down, give a listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW:  What’s the difference between taking a ‘risk-oriented’ versus a ‘controlled-based’ approach to security?

Watkins: Security really is the art of handling risk. We used to enumerate the risks that exist inside of an organization, try to assign a value to the impact it would have, if that risk was exploited. And then we’d assign either mitigation or acceptance or transference of the risk, based on potential impact and the probability that it would happen. …more

SHARED INTEL: Threat actors add a human touch to boost effectiveness of automated attacks

By Byron V. Acohido

Trends in fashion and entertainment come and go. The same holds true for the cyber underground.

Related: Leveraging botnets to scale attacks

For a long while now, criminal hackers have relied on leveraging low-cost botnet services to blast out cyber attacks as far and wide as they could, indiscriminately. Over the past 18 months or so, a fresh trend has come into vogue. It essentially involves applying hands-on human cleverness to the task of extracting highest value from assets gained in the automated sweeps.

British antimalware and network security vendor Sophos refers to this new tactic as “automated, active attacks.” Sophos Senior Security Advisor John Shier broke it down for me. We met at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Human touch

It has long been common practice to use botnets to blast out wave after wave of e-mails carrying tainted PDFs or Word docs, or a web link pointing to a booby-trapped page – and seeing who would bite. Lately, progressive criminal rings are taking a page out of the playbook of nation-state sponsored APT strikes — by adding more human nuances to their attacks.

“They may discover their targets through some sort of automated technique, which gets them a toehold into the company, or they might just simply go to Shodan (search engine) to discover open, available RDP hosts,” Shier told me. “Once they’re in the front door, now the humans get involved.”

Related: How ransomware became a scourge

Specialists get assigned to poke around, locate key servers and find stealthy paths to send in more malware. They’ll take more manual steps to encrypt servers, exfiltrate data – or do both.

“Cyber criminals are getting into the environment, elevating privileges as much as they can and moving laterally to other segments of the network,” Shier says. “And then, instead of encrypting one or two or ten machines, they’ll encrypt everything.”

The wave of catastrophic ransomware attacks that wrought tens of millions in recovery costs for the cities of Baltimore and Atlanta and prompted numerous small cities to pay six figure ransoms for decryption keys is a prime example of this, Shier says. …more

NEW TECH: Breakthrough ‘homomorphic-like’ encryption protects data in-use, without penalties

By Byron V. Acohido

Homomorphic encryption has long been something of a Holy Grail in cryptography.

Related: Post-quantum cryptography on the horizon

For decades, some of our smartest mathematicians and computer scientists have struggled to derive a third way to keep data encrypted — not just the two classical ways, at rest and in transit.

The truly astounding feat, aka homomorphic encryption, would be to keep data encrypted while it is being actively used by an application to run computations. Cryptographically speaking, this is the equivalent of moving the Himalayas, not just Mt. Everest.

There is an esoteric two-horse race that a small circle of folks in the cybersecurity and venture capital communities are riveted on. The stakes couldn’t be higher. It’s a race to deliver a commercially-viable homomorphic encryption tool – something that’s going to be needed if we are to vault into higher tiers of digital innovation.

Galloping along the rail, Google, Intel and Microsoft are leading a methodical effort to come up with consensus homomorphic encryption standards, even as a handful of VC-backed startups are hustling to overcome limitations in current working versions of their prototype tools.

Charging hard from post position no. 2, another group of start-ups, flush with VC cash, is gaining ground with “homomorphic-like” technologies they claim have the same benefits as the purely homomorphic tools, but none of the performance penalties.

A prominent member of this latter group is Mountain View, CA-based Fortanix, which has attracted $31 million in VC backing and grown to 60 employees since its launch in June 2017. Having written a few stories on homomorphic encryption, I was eager to meet with Fortanix co-founder and CEO Ambuj Kumar at Black Hat 2019. For a full drill down on our wide-ranging discussion, please give a listen to the accompanying podcast. Here are the key takeaways:

Runtime in focus

You might well ask yourself: why is keeping data encrypted while an application is using a data set so vital to the future of computing? It’s because elite threat actors already possess the ability to insinuate themselves deep inside of company networks and launch stealthy, quick-strike attacks – in memory, during runtime. …more

MY TAKE: ‘Perimeter-less’ computing requires cyber defenses to extend deeper, further forward

By Byron V. Acohido

Threat actors are opportunistic, well-funded, highly-motivated and endlessly clever.

Therefore cybersecurity innovations must take hold both deeper inside and at the leading edges of modern business networks.

Related: Lessons learned from Capital One breach

Most of the promising new technologies I’ve had the chance to preview this year validate this notion. The best and brightest security innovators continue to roll out solutions designed to stop threat actors very deep – as deep as in CPU memory — or at the cutting edge, think cloud services, IoT and DevOps exposures.

Juniper Networks, the Sunnyvale, CA – based supplier of networking equipment, I discovered, is actually doing both. I came to this conclusion after meeting with Oliver Schuermann, Juniper’s senior director of enterprise marketing.

We met at Black Hat 2019 and Schuermann walked me through how Juniper’s security play pivots off the evolving infrastructure of a typical corporate network. For a full drill down, please give a listen to the accompanying podcast. Here are the key takeaways:

Deeper sharing

Wider threat intelligence sharing continues to advance apace. I was in the audience at Stanford in 2015 when President Obama signed an executive order urging the corporate sector to accelerate the sharing of threat feeds among themselves and with the federal government.

Since then, a number of threat intel sharing consortiums have either formed or expanded their activities. One recent example is how five midwestern universities – Indiana, Northwestern, Purdue, Rutgers and Nebraska – partnered to create a joint security operation center to gather, analyze and act on threat feeds.

Juniper gathers threat feeds via a security framework, called SecIntl, that runs off servers tied together by Juniper equipment deployed globally in corporate networks. …more

NEW TECH: The march begins to make mobile app security more robust than legacy PC security

By Byron V. Acohido

Is mobile technology on a course to become more secure than traditional computing?

Seven or eight years ago, that was a far-fetched notion. Today, the answer to that question is, “Yes, it must, and soon.”

Related: Securing the Internet of Things

I’ve been writing about organizations struggling to solve the productivity vs. security dilemma that’s part and parcel of the BYOD craze for some time now. I can recall President Obama issuing BlackBerry phones and ordering his administration to copy his personal practice of using only hardened mobile devices. Yet, many of the government-issued BlackBerry phones got used sporadically, as staffers reverted to their personally owned iPhones and Androids.

What has happened over the past couple of years is that mobile computing has become the cornerstone of our work and personal lives. Meanwhile, threat actors, as you might expect, are increasingly probing for, regularly discovering and enthusiastically exploiting mobile security flaws.

The good news is that cybersecurity vendors continue to innovate, as they have all along. And they appear to be closing in on fresh approaches that should translate into solutions for the longer haul. It is early still, but it looks like we may not have to carry two smartphones, after all, a locked-down company phone, as well as our favorite personal device.

I had the chance to discuss this with Jonas Gyllensvaan and Brian Egenrieder, Chief Executive Officer and Chief Revenue Officer, respectively, of mobile security vendor SyncDog. We spoke at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Securing provisioned devices

From the very start of the smartphone era, employees demonstrated that they did not mind paying for the latest, coolest device and use it for both home and work tasks. By 2011 or so, it was clear the BYOD trend was unstoppable, and companies began to impose much tighter security constraints.

Along came MDMs (mobile device management) services to handle the inventorying and provisioning of these new endpoints. MDMs gave companies the ability to micromanage company-issued devices, adding password protection and remote wiping capabilities. A security staffer could remotely “brick” a company device gone temporarily missing, even if it had just slipped under a couch cushion. The employer could even block access to apps stores, disable phone cameras or use the device’s GPS function to monitor where an employee spends work and personal hours.

Employee’s bristled – and companies responded by exerting even more granular control by embedding EMM (enterprise mobility management,) MAM (mobile application management) and UEM (unified endpoint management) systems on provisioned devices. …more