Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Steps forward

 

MY TAKE: Here’s why we need ‘SecOps’ to help secure ‘Cloud Native’ companiess

By Byron V. Acohido

For many start-ups, DevOps has proven to be a magical formula for increasing business velocity. Speed and agility is the name of the game — especially for Software as a Service (SaaS) companies.

Related: How DevOps enabled the hacking of Uber

DevOps is a process designed to foster intensive collaboration between software developers and the IT operations team, two disciplines that traditionally have functioned as isolated silos with the technology department.

It’s rise in popularity has helped drive a new trend for start-ups to go “Cloud Native,” erecting their entire infrastructure, from the ground up, leveraging cloud services like Amazon Web Services, Microsoft Azure and Google Cloud.

Security burden

Though DevOps-centric organizations can gain altitude quickly, they also tend to generate fresh security vulnerabilities at a rapid clip, as well. Poor configuration of cloud services can translate into gaping vulnerabilities—and low hanging fruit for hackers, the recent Tesla hack being a prime example. In that caper,  a core API was left open allowing them to exploit it and begin using Tesla’s servers to mine cryptocurrency. Rising API exposures are another big security concern, by the way.

Because Amazon, Microsoft and Google provide cloud resources under a “shared responsibility” security model, a large burden rests with the user to be aware of, and mitigate latent security weaknesses.

In fact, it’s much more accurate for organizations tapping into cloud services and utilizing DevOps to think of cloud security as a functioning under …more

NEW TECH: Critical Start applies ‘zero-trust’ security model to managed security services

By Byron V. Acohido

All companies today are exposed to intense cyber-attacks. And yet the vast majority simply do not have the capability to effectively defend their networks.

That’s where managed security services providers, or MSSPs, come in. MSSPs monitor and manage cybersecurity systems as a contracted service. This can include spam filtering, malware detection, firewalls upkeep, vulnerability management and more.

Related: Delivering useful intel to MSSPs

Companies are gravitating to MSSPs in a big way. The global market for managed security services is expected to rise to $48 billion by 2023, up from $24 billion in 2018, according to ReportLinker. That’s a hefty compound annual growth rate of 14 percent.

But not all MSSPs are created equal. And, in fact, it can sometimes be a challenge for a company to find a good fit with a MSSP.

Critical Start, a new MSSP on the scene, is striving to advance the tradition MSSP model. I had the chance to visit with Jordan Mauriello, Critical Start’s Chief Technology Officer, at Black Hat 2018. He told me an interesting tale about his role in helping launch Advanced Threat Analytics, the underlying technology for Critical Start’s MSSP service.

For a full drill down, please listen to the accompanying podcast. Here are the key takeaways:

Rethinking the platform

Five years ago, Mauriello was working at a large global credit bureau, managing the credit monitoring giant’s in-house Security Operations Center. He went shopping for a MSSP to come in and help to reinforce certain security functions. Try as he might, Mauriello couldn’t find precisely what he was looking for.

In 2014, Mauriello joined Critical Start, Inc., a Dallas-based value-added reseller. …more

Q&A: How emulating attacks in a live environment can more pervasively protect complex networks

By Byron V. Acohido

Most large enterprises today can point to multi-millions of dollars expended over the past two decades erecting “layered defenses” to protect their digital systems.

Yet catastrophic network breaches continue apace. Turns out there’s a downside to “defense in depth.”

Related: Obsolecense creeps into legacy systems

There’s no doubt that monitoring and continually updating all parts of a multi-tiered security system is a must-do best practice. But it has also become a delicate balancing act. Tweaking one system can open fresh, unforeseen security holes in another.

Spirent Communications, an 82-year-old British supplier of network performance testing equipment, recently decided to branch into cybersecurity services by tackling this dilemma head on.

Spirent pivoted into security testing two years ago with the launch of its CyberFlood security and application performance testing platform. And at Black Hat USA 2018, the company unveiled a new CyberFlood functionality that makes it possible for an enterprise to emulate a real-world attack in a live environment.

Spirent refers to this as “data breach emulation,’’ something David DeSanto, Spirent’s threat research director, told me is designed to give companies a great advantage; it makes it possible to see precisely how the latest ransomware or crypto mining malware would impact a specific network, with all of its quirky complexity.

Here are excerpts of our full conversation, edited for clarity and length:

LW: How did Spirent come to pivot from network performance testing to security?

DeSanto: When you think about it, security and performance are usually hooked at the hip. For our customers it often comes down to having to make a decision, ‘Do I want the performance or do I want the security?’ . . . …more

NEW TECH: WhiteSource leverages automation to mitigate lurking open-source vulnerabilities

By Byron V. Acohido

Just like the best sourdough bread derives from a “mother” yeast that gets divided, passed around, and used over and over, open-source software applications get fashioned from a  “mother” library of code created and passed around by developers.

Related: Equifax hack highlights open source attack vectors

In today’s world, quick innovations are a necessity, and software developers would rather not lose valuable time reinventing the wheel. Instead, they recycle open-source components when developing new code.

In turn, enterprises of all sizes are accelerating their use of free software that is tethered to their products and services. According to the Linux Foundation, as much as 80 percent of the code in current applications is open source, often buried deep.

But while vulnerabilities are inherent in most software, open source has more attack vectors. Because of its nonproprietary nature, open-source code can be studied, used and altered by anyone for any purpose—and that includes attackers.

Epic Equifax breach

In recent years, hackers weaponized Heartbleed and Shellshock, the two huge security bugs discovered in open-source internet protocols, compromising data confidentiality. Then in 2017, credit-reporting agency Equifax experienced an epic breach that exposed sensitive personal data, including the credit card and Social Security numbers, of some 144 million citizens.

The hackers leveraged a vulnerability in something called Apache Struts, an open-source application framework that supports the credit bureau’s web portal. It is widely used by developers of Fortune 100 companies to build web applications.

In Equifax’s case, hackers used the flaw to access and remove copies of files for over two months, between May 13 and July 30, 2017. When it seemed like the breach couldn’t get any worse for Equifax, the company also revealed that they knew about the vulnerability and tried to patch it in March 2017.

So while open-source software has a long list of advantages and is here to stay, …more

MY TAKE: Can ‘Network Traffic Analysis’ cure the security ills of digital transformation?

By Byron V. Acohido

If digital transformation, or DX, is to reach its full potential, there must be a security breakthrough that goes beyond legacy defenses to address the myriad new ways threat actors can insinuate themselves into complex digital systems.

Network traffic analytics, or NTA, just may be that pivotal step forward. NTA refers to using advanced data mining and security analytics techniques to detect and investigate malicious activity in traffic moving between each device and on every critical system in a company network.

Related: How the Uber hack pivoted off of DevOps

A cottage industry of tech security vendors is fully behind NTA. I recently visited with Jesse Rothstein, co-founder and Chief Technology Officer of ExtraHop, a leading NTA vendor.

It was one of the more fascinating conversations I had on the floor at Black Hat USA 2018. For a full drill down, please listen to the accompanying podcast. Meanwhile, here are key takeaways:

Data ingestion advances

Traditionally, security analytics has revolved around assessing flow data and log data – a record of the movement of data between systems and shorthand notes about activity on a system. SIEM-based detection systems and earlier network-focused security products developed along these lines.

This unfolded, in part, because capturing and storing much richer data sets really wasn’t feasible 10 years ago, Rothstein told me. Then along came advances in data ingestion and processing, or obtaining and preparing data for immediate use.

Advanced data ingestion techniques made it possible to move beyond just monitoring flow data; …more

MY TAKE: The back story on the convergence, continuing evolution of endpoint security

By Byron V. Acohido

No one in cybersecurity refers to “antivirus” protection any more. The technology that corrals malicious software circulating through desktop PCs, laptops and mobile devices has evolved into a multi-layered security technology referred to as ‘endpoint security.’

This designation change unfolded a few years back. It was a reflection of attackers moving to take full advantage of the fresh attack vectors cropping up as companies retooled their legacy networks – comprised of ‘on-premises’ servers and clients – to operate in the expanding world of cloud services, mobile devices and the Internet of Things.

Having covered the Symantec, McAfee, Trend Micro, Sophos, Kaspersky, et. al. since the nascent days of the antivirus market, I find in fascinating that the top dozen or so antivirus players have all managed to remain in the game. What’s more, they’ve all successfully grown into multi-layered full-service endpoint security suppliers.

I visited with Joe Sykora, vice president of worldwide channel development for Bitdefender, at Black Hat USA 2018, and asked him to put the remarkable staying power of endpoint security in context. In 1990, Florin and Mariuca Talpes parlayed a $300 stake borrowed from a relative into a company which would become Bitdefender in 2001. Founded in Bucharest, the company of 1,600 employees is in the thick of reshaping endpoint security.

For a drill down on my discussion with Sykora, please listen to the accompanying podcast. Here are a few big takeaways: …more

Q&A: Here’s how Google’s labeling HTTP websites “Not Secure” will strengthen the Internet

By Byron V. Acohido

In a move to blanket the Internet with encrypted website traffic, Google is moving forward with its insistence that straggling website publishers adopt HTTPS Secure Sockets Layer (SSL).

Related: How PKI can secure IoT

Google’s Chrome web browser commands a 60% market share. So the search giant has been leading the push to get 100% of websites to jettison HTTP and replace it with HTTPS. The former – Hypertext Transfer Protocol – standardized the way web browsers fetch a web page from its host server and thus made the world wide web as we know it today possible.

But HTTP connections are carried out in plain text. This makes it trivial for eavesdroppers to snatch plain-text communications, such as when users fill out forms on web pages or use shopping carts or conduct online banking. This makes any personal information and details of financial transactions typed on HTTP web pages easy pickings.

So along came SSL and its successor, Transport Layer Security (TLS), the underpinnings of secure online transactions. SSL and TLS come into play in the form of digital certificates issued by Certificate Authorities (CAs) —  vendors that diligently verify the authenticity of websites, and then also help the website owners encrypt the information consumers type into web page forms.

The PKI (public key infrastructure) encryption protocol makes all this happen instantaneously, triggering a visual confirmation – the tiny green padlock preceding the HTTPS address in Chrome’s address bar.

With the release its Chrome 68 browser on July 24, any web page not running HTTPS with a valid TLS certificate will display a “Not Secure” warning in Chrome’s address bar. …more