
Steps forward

 

NEW TECH: Acalvio weaponizes deception to help companies turn the tables on malicious hackers

By Byron V. Acohido

Differentiating itself in a forest of cybersecurity vendors has not been a problem for start-up Acalvio Technologies. While hundreds of other security companies tout endless types and styles of intrusion detection and prevention systems, Acalvio has staked out turf in a promising new sub-segment: deception-based security systems.

Related article: Hunting for exposed data

Launched in 2015 by a group of cybersecurity veterans, the Santa Clara, Calif.-based start-up has 50 employees and has raised $22 million in venture capital financing to date. It has achieved this by pioneering technology that lies in wait for intruders who manage to get inside a company’s firewall, and then leads them down a path rife with decoy systems and faux data.

I had the chance to visit with Acalvio marketing chief, Rick Moy, at RSA Conference 2018. For a drill down on our conversation please listen to the accompanying podcast. Here are a few high-level takeaways:

Changing tactics

Deception is an age-old stratagem. Animals and insects use it to survive in the wild. Warring nations use it to gain tactical advantage over each other. Cybercrime and cyber warfare, no surprise, largely revolve around deception. Phishers deceive to gain trust; hackers deceive to avoid detection.

How ‘identity governance’ addresses new attack vectors opened by ‘digital transformation’

By Byron V. Acohido

Mark McClain and Kevin Cunningham didn’t rest for very long on their laurels, back in late 2003, after they had completed the sale of Waveset Technologies to Sun Microsystems. Waveset at the time was an early innovator in the then-nascent identity and access management (IAM) field.

The longtime business partners immediately stepped up planning for their next venture, SailPoint Technologies, which they launched in 2005 to pioneer a sub segment of IAM, now referred to as identity governance. Today SailPoint has 800-plus employees and growing global sales.

Related article: What the Uber hack tells us about DevOps exposures

The company is coming off a successful initial public offering last November in which it raised $240 million. SailPoint’s share price has climbed from the mid-teens to the mid-twenties since its IPO.

I had the chance to visit with McClain, SailPoint’s CEO (Cunningham serves as chief strategy officer), at RSA Conference 2018. We had an invigorating discussion about how “digital transformation” has intensified the urgency for organizations to comprehensively address network security, and how identity governance is an important piece of that puzzle. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: Your focus is on helping companies do much better at a fundamental security best practice.

McClain: Exactly. Within the big realm of security, we’re within the realm of identity, which is getting a lot of airtime these days. And within identity, our focus is on what’s called identity governance . . . The company has been around for a while now. We work in almost every industry vertical and focus on mid-sized enterprises with 2,000 to 3,000 employees all the way to the largest global enterprises in the world.

PODCAST: Can ‘gamification’ of cyber training help shrink the human attack vector?

By Byron V. Acohido

The human attack vector remains the most pervasively probed path for malicious hackers looking to gain a foothold inside a company’s firewall.

And yet, somehow, cyber awareness training has not kept pace. Circadence hopes to change that. The Boulder, Colo.-based company got its start in the gaming industry 20 years ago, shifted to supplying cyber warfare training ranges to the military, and now is making a push to help companies add truly effective employee cyber awareness training as a key component to keeping their networks safe.

Related article: Why employee cyber training needs an overhaul

For years, teachers told us that learning can be fun. Circadence is taking that philosophy and running with it. The company is seeking to adapt “gamification” technologies to employee cyber awareness training. If it succeeds, it could help set a new paradigm for addressing the “people” component of defending networks.

I had the chance to converse with Keenan Skelly, Circadence vice president of global partnerships and security evangelist, at RSA Conference 2018 in San Francisco. For a drill down on our discussion, give a listen to the accompanying podcast. Here are a few high-level takeaways:

Gamers’ edge

Circadence got its start in the early 1990s as a publisher of one of the earliest massively multiplayer games. It turned out that the company’s expertise in generating and displaying complex graphics and getting high fidelity data from point A to point B in fantasy landscapes had a very useful real-world application – helping U.S. military operatives maintain an edge while engaging in ongoing cyber warfare.

MY TAKE: Why Google’s move to label non-HTTPS sites ‘not secure’ is a good thing

By Byron V. Acohido

San Francisco-based Cloudflare has traversed an interesting path to becoming a leading cybersecurity vendor. Back in 2004, Matthew Prince and Lee Holloway concocted something called Project Honey Pot to detect and deter email spammers. Prince’s Harvard Business School classmate, Michelle Zatlyn, joined them in 2009, and together they elevated Project Honey Pot into a company launch — at the September 2010 TechCrunch Disrupt conference.

Related article: Vendors make path to compliance easy

Cloudflare today protects websites, APIs, and applications worldwide from threats that hamper load times, particularly Distributed Denial of Service (DDoS) attacks. I recently had the chance to sit down with Cloudflare’s Product Manager of Security Engineering Patrick Donahue at the DigiCert Security Summit in Las Vegas. Donahue was there to discuss how Cloudflare and DigiCert are partnering to join the big push, led by Google, Mozilla and Microsoft, to dramatically increase the presence of HTTPS websites across the Internet.

Wider use of HTTPS is coming, and not because of any regulations. The browser makers are going to increasingly penalize websites not using HTTPS — by flagging them as untrustworthy. This is going to accelerate this summer. The good news is that Cloudflare, DigiCert and a number of other tech companies are collaborating to make it easy and inexpensive for the vast majority of websites to implement HTTPS, as well as keep current on it.

MY TAKE: Epiphany strikes Amazon, Google, Microsoft about who bears burden for cloud security

By Byron V. Acohido

Amazon and Google last week very quietly made some moves that signal they’ve been hit by the identical epiphany: they each need to do a helluva lot more to secure cloud computing.

Microsoft was hit by this lightning bolt about a year ago. The Redmond giant all through 2017 took pronounced steps to relieve users of their cloud services of at least some of the responsibility to repel malicious attacks.

Related podcast: Is ‘homomorphic encryption’ the Holy Grail of cloud security?

Current versions of Office 365 and Windows Defender Advanced Threat Protection have been equipped with new threat intelligence and malware hunting tools, and the security features of Azure Security Center have been similarly beefed up.

Me-too bandwagon

Last week both Amazon and Google climbed on the we-need-to-bake-in-cloud-security bandwagon. Amazon did so, fittingly, by going shopping. Its Amazon Web Services division acquired Sqrrl, a Cambridge, Mass.-based threat detection technology start-up, with an NSA pedigree. That acquisition pairs nicely with AWS’s earlier buyout of Harvest.ai, a security startup that uses machine learning to ferret out anomalous behavior in cloud storage databases.

Meanwhile, it was easy to miss Google’s me-too move last week. That’s because it was made by the search giant’s freshly-minted parent company, Alphabet, which very quietly launched an independent business, dubbed Chronicle. According to Chronicle CEO Stephen Gillett, the service will feature a new cybersecurity intelligence and analytics platform intended to “help enterprises better manage and understand their own security-related data.” Chronicle also leverages VirusTotal, the malware intelligence service Google acquired in 2012.

“The announcements today by Amazon Web Services and Alphabet/Google are encouraging and demonstrate that more and more, cyber security is at the forefront of corporate agendas,” observes Terry Ray, CTO at Imperva. “Both of these technologies will likely serve as analytic platforms for threat detection, which isn’t necessarily a new idea, though I’m sure they’ll have their differentiators.”

Q&A: What CyberX is doing to help address the hackable state of industrial control systems

By Byron V. Acohido

Finally, the profoundly hackable state of industrial control systems (ICS) is being elevated as an issue of substantive concern and beginning to get the level of global attention it deserves.

Nation-state backed hackers knocking out power grids and discombobulating other critical infrastructure – the cyber Pearl Harbor scenario – has been discussed for years in military and intelligence circles. However, skepticism and apathy have been the watchwords among the actual operators of industrial control systems.

Related article: Risking energy plant hacks signal cyber war activity

Discussions about better protecting these uniquely vulnerable specialized networks — now generally referred to as operational technology (OT) or industrial control systems — have historically taken a back seat to mainstream IT security issues, such as phishing, ransomware and denial of service attacks.

Fortuitously, that’s beginning to change. A series of disclosures this past year peeled back the curtain on the extent to which Russia, Iran and North Korea, in particular, have been proactively probing and infiltrating OT networks. On a parallel track, a handful of innovative startups have developed purpose-built platforms to address industrial and critical infrastructure security.

MY TAKE: Rising hacks on energy plants suggest ongoing global cyber war has commenced

By Byron V. Acohido

We all fret over the smorgasbord of cultural and geopolitical controversies complicating our daily lives. That being the case, not enough public attention is being paid to the increasingly plausible scenario of an ongoing global cyber war.

I say this because in recent months there has been a series of public disclosures about progressively more sophisticated hacks into power plants and other critical infrastructure. These intrusions clearly are nation-state sponsored, as they require significant resources to orchestrate, and there is no clear financial motivation behind them.

Related podcast: How Russia’s election meddling relates to plant hacks

And one more important thing: each of the power plant hacks we know about to date seems to be mainly about testing weak points, probing for footholds and generally maneuvering to get the strategic upper hand against a rival nation-state.

The ‘Triton’ hack is a case in point, disclosed on Dec. 14 by security vendor FireEye, a global security company with an extensive threat intelligence team (obtained via its acquisition of Mandiant) and a long history of tracking nation-state cyber groups.

Hackers caused an operational outage at a critical infrastructure site by deploying a new form of sophisticated malware. They were able to stealthily, for a while at least, take control of the plant’s Schneider Electric Triconex Safety Instrumented System (SIS). Such systems are used to automatically shut down industrial processes when operating parameters approach a dangerous state.