


MY TAKE: Why DDoS weapons will proliferate with the expansion of IoT and the coming of 5G

By Byron V. Acohido

A couple of high-profile distributed denial-of-service (DDoS) attacks will surely go down in history as watershed events – each for different reasons.

Related: IoT botnets now available for economical DDoS blasts

In March 2013, several impossibly massive waves of nuisance requests – peaking as high as 300 gigabytes per second – swamped Spamhaus, knocking the anti-spam organization offline for extended periods.

Three years later, in October 2016, a DDoS attack, dubbed Mirai, topped 600 gigabytes per second while taking aim at the website of cybersecurity journalist Brian Krebs. His blog, Krebs on Security, was knocked down all right.

The author of Mirai used a sledgehammer to kill a fly: the DDoS bombardment was so large that it also wiped out Dyn, a UK-based internet performance vendor. And since Dyn routed traffic, not just to Krebs’ blog, but also to Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal, those popular websites were offline for some 12 hours, frustrating millions.

I mention these attacks now because the cyber weaponry deployed in each of those attacks actually remains in high use today. That’s the upshot of a recent state-of-DDoS Weapons report from A10 Networks, a San Jose, CA-based supplier of advanced DDoS detection and mitigation systems.

I had the chance at RSA 2019 to discuss the wider implications with Don Shin, A10 Networks’ senior product marketing manager. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Reflective attacks

DDoS attacks aren’t going to go away anytime soon. They are easier than ever to spin up; very powerful DDoS tools and for-hire services are widely available to anyone with modest technical skills – weaponry that is still very effective.

The Spamhaus attacker, for instance, noticed that there were literally millions of domain name system (DNS) resolvers that remained wide open all over the internet. DNS resolvers were the early building blocks of the internet: they resolved a domain name, such as spamhaus.org, to a specific IP address.

This threat actor figured out how to route requests to legitimate DNS resolvers in such a way that those servers would reflect and amplify responses to the targeted website — more than 50 times, swamping the site.

Today, the potential for so-called DNS reflective attacks has become pervasive. A10 Networks’ report found 6.3 million open DNS resolvers in position and available to be leveraged by anyone in a similar DDoS attack. …more

NEW TECH: Cequence Security deploys defense against botnets’ assault on business logic

By Byron V. Acohido

One way to grasp how digital transformation directly impacts the daily operations of any organization – right at this moment – is to examine the company’s application environment.

Related: How new exposures being created by API sprawl

Pick any company in any vertical – financial services, government, defense, manufacturing, insurance, healthcare, retailing, travel and hospitality – and you’ll find employees, partners, third-party suppliers and customers all demanding remote access to an expanding menu of apps — using their smartphones and laptops.

This translates into a sprawling attack surface available to determined, well-funded threat actors. I had the chance at RSA 2019 to visit with Larry Link, CEO of Cequence Security, a Sunnyvale, CA-based startup that has secured $30 million in venture funding to help companies address this exposure.

Cequence’s technology detects and repels bot attacks designed to manipulate business logic. Such attacks can create or take over accounts, detonate reputation bombs, scrape content, deny inventory and carry out extortion variants. For a full drill down on our discussion, give a listen to the accompanying podcast. Here are the big takeaways:


We live, work and play in a hyper-connected environment. Because we are constantly switched on and tuned in, organizations are now being forced by their customers to provide a much broader suite of access points into their application environment. Customers are all demanding access and requiring access from all of their devices, new and old.

Take the airline industry as an example. A decade ago, purchasing an airline ticket online was straightforward. You found the flight you wanted, …more

NEW TECH: Data Theorem helps inventory sprawling APIs — as the first step to securing them

By Byron V. Acohido

Remember when software used to come on CDs packaged in shrink-wrapped boxes, or even before that, on floppy disks?

Related: Memory-based attacks on the rise

If you bought a new printer and wanted it to work on your desktop PC, you’d have to install a software driver, stored on a floppy disk or CD, to make that digital handshake for you.

Today software is developed and deployed in the cloud, on the fly. Modular coding components, called microservices, written by far-flung third-party developers, are mixed and matched and reused inside of software containers. And each connection – each handshake, if you will – is made possible by a rather delicate piece of coding called an Application Programming Interface, or API.

Without APIs there would be no cloud computing, no social media, no Internet of Things. APIs are the glue that keeps digital transformation intact and steamrolling forward. But APIs also comprise a vast and continually-expanding attack surface.

I had a very informative discussion at RSA 2019 with Himanshu Dwivedi and Doug Dooley, CEO and COO, respectively, of Silicon Valley-based application security startup Data Theorem, which is focused on helping companies come to grips with this humongous exposure. For a full drill down, give a listen to the accompanying podcast. Here’s what I learned from them:

Check please?

APIs have been a cornerstone of our digital economy from the start. Without them, cloud-based software-as-a-service wouldn’t exist. Today APIs are empowering companies to speed up complex software development projects – as part of digital transformation.

Dooley uses the analogy of the relationship between a waiter and a customer. “API is a way to take an order and fulfill that order. You have one microservice and then get another microservice and these pieces want to connect and collaborate with each other, you’re typically going to do that through an API. …more

Web application exposures continue to bedevil companies as digital transformation accelerates

By Byron V. Acohido

As sure as the sun will rise in the morning, hackers will poke and prod at the web applications companies rely on – and find fresh weaknesses they can exploit.

Related: Cyber spies feast on government shutdown

Companies are scaling up their use of web apps as they strive to integrate digital technology into every aspect of daily business operation. As this ‘digital transformation’ of commerce accelerates, the attack surface available to threat actors likewise is expanding.

I had a lively discussion recently with a couple of experts from WhiteHat Security. The San Jose, CA-based security vendor has been helping companies protect their web applications since the company was founded in 2001 by world-renowned ethical hacker Jeremiah Grossman, who also happens to be a black belt in Brazilian Jiu-Jitsu, as well as a native of my home state, Hawaii.

I spoke with WhiteHat Security researchers Bryan Becker and Mark Rogan at RSA 2019. They supplied clarifying context as to why web application vulnerabilities continue to bedevil companies of all sizes and in all sectors. For a full drill down, give a listen to the accompanying podcast. Key takeaways:

Myriad vault doors

Thanks to digital transformation, the attack surface available to threat actors, via web interfaces, is larger than many companies realize – and this exposure continues to steadily expand.

“Moving to the cloud, terms like agile development and container-based infrastructure — all of these are different ways to break a large process down into many smaller components which is easier for a management team and a development team to manage and to update quicker,” said Becker.

But what happens is that instead of having one giant application, you end up with a hundred mini applications, and in the long run, that means it is harder to monitor for vulnerabilities in the code. …more

MY TAKE: Get ready to future-proof cybersecurity; the race is on to deliver ‘post-quantum crypto’

By Byron V. Acohido

Y2Q. Years-to-quantum. We’re 10 to 15 years from the arrival of quantum computers capable of solving complex problems far beyond the capacity of classical computers to solve.

PQC. Post-quantum-cryptography. Right now, the race is on to revamp classical encryption in preparation for the coming of quantum computers. Our smart homes, smart workplaces and smart transportation systems must be able to withstand the threat of quantum computers.

Put another way, future-proofing encryption is crucial to avoiding chaos. Imagine waiting for a quantum computer or two to wreak havoc before companies commence a mad scramble to strengthen encryption that protects sensitive systems and data. The longer we wait, the bigger the threat gets.

Related: The case for ‘zero-trust’

The tech security community gets this. One recent report estimates that the nascent market for PQC technology will climb from around $200 million today to $3.8 billion by 2028 as the quantum threat takes center stage.

I had the chance to visit at RSA 2019 with Avesta Hojjati, head of research and development at DigiCert. The world’s leading provider of digital certificates is working alongside other leading companies, including Microsoft Research and ISARA, to gain endorsement from the National Institute of Standards for breakthrough PQC algorithms, including Microsoft’s “Picnic” and ISARA’s qTESLA.

Hojjati outlined the challenge of perfecting an algorithm that can make classical computers resistant to quantum hacking — without requiring enterprises to rip-and-replace their classical encryption infrastructure. For a full drill down of our discussion, give a listen to the accompanying podcast. Below are excerpts edited for clarity and length.

LW: What makes quantum computing so different than what we have today? …more

NEW TECH: Exabeam retools SIEMs; applies credit card fraud detection tactics to network logs

By Byron V. Acohido

Security information and event management, or SIEM, could yet turn out to be the cornerstone technology for securing enterprise networks as digital transformation unfolds.

Related: How NSA cyber weapon could be used for a $200 billion ransomware caper

Exabeam is a bold upstart in the SIEM space. The path this San Mateo, CA-based vendor is treading tells us a lot about the unfolding renaissance of SIEMs – and where it could take digital commerce.

Launched in 2013 by Nir Polak, a former top exec at web application firewall vendor Imperva, Exabeam in just half a decade has raised an eye-popping $115 million in venture capital, grown to almost 350 employees and reaped over 100 percent revenue growth in each of the last three years.

I had the chance to visit with Trevor Daughney, Exabeam’s vice president of product marketing at RSA 2019. He explained how Exabeam has taken some of the same data analytics techniques that banks have long used to staunch credit card fraud and applied them to filtering network data logs. For a full drill down on our conversation, please listen to the accompanying podcast. Here are a few takeaways:

Very Big Data

The earliest SIEMs cropped up around 2005 or so. Led by the likes of Splunk, LogRhythm, IBM and Exabeam, the global SIEM market is expected to grow to over $5 billion annually in 2022.

Related: Autonomous vehicles are driving IoT security innovation

Fundamentally, SIEMs collect event log data from internet traffic, as well as corporate hardware and software assets. The starting idea was for a security analyst to then sift meaningful security intelligence from a massive volume of potential security events and keep intruders out. Yet, SIEMs never quite lived up to their initial promise.

And now, Big Data is about to become Very Big Data. Consider that 90 percent of the data that exists in the world today was generated in just the past couple of years. That includes everything moving across the internet: email, texting, online searches, social media posts, entertainment streaming, global finance, scientific research and cyber warfare. And on the horizon loom a full-blown Internet of Things (IoT) and 5G networks, which will drive data generation to new heights. …more

NEW TECH: SyncDog vanquishes BYOD risk by isolating company assets on a secure mobile app

By Byron V. Acohido

The conundrum companies face with the Bring Your Own Device phenomenon really has not changed much since iPhones and Androids first captured our hearts, minds and souls a decade ago.

Related: Malvertising threat lurks in all browsers

People demand the latest, greatest mobile devices, both to be productive and to stay connected to their personal lives. But big organizations move methodically and in general struggle mightily when it comes to balancing productivity and security. This has led to the BYOD dilemma cycling afresh, with each advance of the technology, which is what it’s doing right now.

SyncDog, a Reston, VA-based startup, has jumped into the mobile security space to help companies get a firmer grip on their BYOD exposures. I had the chance to sit down with SyncDog’s founder and CEO, Jonas Gyllensvaan, along with its Chief Revenue Officer, Brian Egenrieder, at RSA 2019.

They dissected the historical context, and conveyed some fresh insights about the societal drivers that make BYOD such a mercurial operational challenge. A full drill down is worth a listen, and is accessible via the accompanying podcast. Here are a few key takeaways:

Alphabet soup

When the initial wave of employee-owned iPhones, Androids and Blackberries began turning up in workplace settings, companies reacted by turning to MDM (mobile device management) service providers to handle the inventorying and provisioning of these new endpoints. MDM enabled administrators to oversee smartphones much like desktop PCs.

Soon, the MDMs added password protection and remote wiping capabilities to enable security staff to remotely “brick” a company device gone missing: destroy all apps and files, including any personal data. That was fine – until employees revolted. …more