Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Steps forward

 

STEPS FORWARD: How the Middle East led the U.S. to implement smarter mobile security rules

By Byron V. Acohido

We’ve come to rely on our smartphones to live out our digital lives, both professionally and personally.

When it comes to securing mobile computing devices, the big challenge businesses have long grappled with is how to protect company assets while at the same time respecting an individual’s privacy.

Reacting to the BYOD craze, mobile security frameworks have veered from one partially effective approach to the next over the past decade. However, I recently learned about how federal regulators in several nations are rallying around a reinvigorated approach to mobile security: containerization. Containerizing data is a methodology that could anchor mobile security, in a very robust way, for the long haul.

Interestingly, leadership for this push came from federal regulators in, of all places, the Middle East.  In May 2017, the Saudi Arabian Monetary Authority (SAMA) implemented its Cyber Security Framework mandating prescriptive measures, including a requirement to containerize data in all computing formats. A few months later the United Arab Emirates stood up its National Electronic Security Authority (NESA) which proceeded to do much the same thing.

Earlier this year, US regulators essentially followed the Middle East’s lead by rolling out sweeping new rules — referred to as Cybersecurity Maturity Model Certification (CMMC)  — which require use of data containerization along much the same lines as Saudi Arabia and the UAE mandated some three years ago. The implementation of CMMC represents a big change from past U.S. federal data handling rules for contractors, for which compliance was by-and-large voluntary.

MY TAKE: ‘Network Detection and Response’ emerges as an Internet of Things security stopgap

By Byron V. Acohido

There’s no stopping the Internet of Things now.

Related: The promise, pitfalls of IoT

Companies have commenced the dispersal of IoT systems far and wide. Data collected by IoT devices will increasingly get ingested into cloud-centric networks where it will get crunched by virtual servers. And fantastic new IoT-enabled services will spew out of the other end.

The many privacy and security issues raised by IoT, however, are another story. The addressing of IoT privacy and security concerns lags far, far behind. Commendably, the global cybersecurity community continues to push companies to practice cyber hygiene. And industry groups and government regulators are stepping up efforts to incentivize IoT device makers to embed security at the device level.

Very clearly, something more is needed. That’s where a cottage industry of security companies in the Network Detection and Response (NDR) space comes into play. NDR vendors champion the notion that it’s a good idea for someone to be keeping an eagle eye on the rivers of packets that crisscross modern enterprise networks, especially packets flooding in from IoT systems. That can be done very efficiently today, and would markedly improve network security without waiting for better security practices or tougher industry standards to take hold, they argue.

I had a fascinating discussion about this with Sri Sundaralingam, vice president of cloud and security solutions at ExtraHop, a Seattle-based supplier of NDR technologies. We spoke at RSA 2020. For a full drill down on our conversation, give the accompanying podcast a listen. Here are the key takeaways:

IoT surge

According to Fortune Business Insights, the global IoT market will top $1.1 trillion by 2026, up from $190 billion in 2018. That’s a compounded annual growth rate of a whopping 24.7 percent.

BEST PRACTICES: Mock attacks help local agencies, schools prepare for targeted cyber scams

By Byron V. Acohido

Cyber criminals who specialize in plundering local governments and school districts are in their heyday.

Related: How ransomware became a scourge

Ransomware attacks and email fraud have spiked to record levels across the U.S. in each of the past three years, and a disproportionate number of the hardest hit organizations were local public agencies.

Lucy Security, a security training company based in Zug, Switzerland that works with many smaller public entities, has been in the thick of this onslaught. The company’s software is used to run public servants and corporate employees through mock cyberattack training sessions. There’s an obvious reason smaller public entities have become a favorite target of cybercriminals: most are run on shoestring budgets and corners tend to get cut in IT security, along with everything else operationally.

I had a chance to discuss this with Lucy Security Inc. CEO Colin Bastable at RSA 2020. Another factor I never thought about, until meeting with Bastable, is that public servants typically possess a can-do work ethic. This can make them particularly susceptible to social engineering trickery, the trigger for online extortion and fraud campaigns, Bastable told me.

For a drill down on my full interview with Bastable, give the accompanying podcast a listen. Here are the key takeaways:

Simple, lucrative fraud

What happened in the state of Texas earlier last January is a microcosm of intensifying pressure all local agencies face from motivated hackers and scammers.

Fraudsters did enough online intelligence gathering on the Manor Independent School District, in Manor, Texas, to figure out which vendors were in line to receive large bank transfers as part of the school district spending the proceeds of a large school bond. They also studied the employees who handled the transactions.

BEST PRACTICES: Why pursuing sound ‘data governance’ can be a cybersecurity multiplier

By Byron V. Acohido

Deploying the latest, greatest detection technology to deter stealthy network intruders will take companies only so far.

Related: What we’ve learned from the massive breach of Capitol One

At RSA 2020, I learned about how one of the routine daily chores all large organizations perform — data governance — has started to emerge as something of a cybersecurity multiplier.

It turns out there are some housekeeping things companies can do while ingesting, leveraging and storing all of the data churning through their complex hybrid cloud networks. And by doing this housekeeping – i.e. by improving their data governance practices — companies can reap higher efficiencies, while also tightening data security.

This nascent trend derives from a cottage industry of tech vendors in the “content collaboration platform” (CCP) space, which evolved from the earlier “enterprise file sync and share”  (EFSS) space. I had the chance to sit down with Kris Lahiri, CSO and co-founder of Egnyte, one of the original EFSS market leaders. For a drill down on our discussion about how data governance has come to intersect with cybersecurity, give a listen to the accompanying podcast. Here are key takeaways:

Storage efficiencies

With so much data coursing through business networks, companies would be wise to take into consideration the value vs. risk proposition of each piece of data, Lahiri says. The value of data connected to a live project is obvious. What many organizations fail to do is fully assess – and set policies for — data they hang on to after the fact.

One reason for this is storage is dirt cheap. It has become common practice for companies to store a lot of data without really thinking too hard about it. In fact, there’s a strong case to be made for meticulously archiving all stored data, as well as getting on a routine of purging unneeded data on a regular basis.

NEW TECH: Security Compass streamlines the insertion of security best practices into DevOps

By Byron V. Acohido

DevOps is now table stakes for any company hoping to stay competitive. Speed and agility is the name of the game. And everyone’s all-in.

Related: A firewall for microservices

DevSecOps arose to insert security checks and balances into DevOps, aiming to do so without unduly degrading speed and agility.

If you’re thinking that speed and security are like oil and water, you’re right. At RSA 2020, I had an eye-opening discussion with Rohit Sethi, CEO of Security Compass, about this. Sethi walked me through some of the limitations of DevSecOps, as well as the approach Security Compass is taking to help shore it up. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are key takeaways:

The speed imperative

Software has become the life blood of virtually all industries. As companies have come to realize how pivotal software is, an urgency has arisen to develop code as quickly as humanly possible.

Fail fast. That’s become the mantra of DevOps. Pour everything into quickly deploying minimally viable software to learn where it works or fails, and then iterate and remediate on the fly. Fail fast has replaced the methodical, linear approach to developing software, which sought to achieve a perfect product.

NEW TECH: ‘Micro-segmentation’ security vendor Guardicore seeks to disrupt firewall market

By Byron V. Acohido

Agile software innovation is the order of the day. Wonderous digital services are the result.

Related: Micro-segmentation taken to the personal device level

The flip side, of course, is that an already wide-open attack surface – one that has been getting plundered for the past two decades by criminal hacking groups — is getting scaled up, as well.

Enter micro-segmentation; or microsegmentation, depending on which cybersecurity vendor you’re talking to.

Micro-segmentation is a fresh approach to defending company networks that is actually a throwback to a 30-year-old security concept, called network segmentation. It’s a way to replace the clunky controls that were designed to cordon off certain zones of on-premises IT infrastructure with sleek, software-defined controls that are more fitting for the hybrid cloud networks that will take us forward.

Micro-segmentation got a lot of attention at RSA 2020. I had the chance to learn more about how it works, and why it holds so much promise, in a visit with Pavel Gurvich, co-founder and chief executive officer of Tel Aviv, Israel-based Guardicore, one of the leading players in this space. For a full drill down on our conversation, give the accompanying podcast a listen. Here are the key takeaways:

Micro-managing workloads

Companies today are immersed in digital transformation; they’re migrating to cloud-based business systems, going all in on mobile services and embracing Internet of Things systems whole hog. DevOps has taken center stage. Software innovation happens by combining “microservices” within “software containers” that circulate in virtual “storage buckets,” spun up in Amazon Web Services (AWS,) Microsoft Azure and Google Cloud.

Q&A: Accedian’s Michael Rezek on using ‘Network Traffic Analysis’ to defend hybrid networks

By Byron V. Acohido

Defending business networks isn’t getting any easier. Companies can have the latest, greatest perimeter defenses, intrusion detection systems and endpoint protections – and attackers will still get through. Just ask Equifax or Capital One.

Related: Why cybersecurity should reflect societal values

An emerging approach, called Network Traffic Analysis, is gaining traction as, in effect, a catch-all network security framework positioned at the highest layer of the networking stack. Heavyweights Cisco and FireEye are playing in this space. And so are a couple of dozen other vendors, many of them extending over from the network performance monitoring arena.

I had a lively discussion at RSA 2020 with one of these vendors, Accedian, a 15-year-old company based in Montreal, Canada. For a full drill down on my discussion with Michael Rezek, Accedian’s vice president of business development and cybersecurity strategy, give a listen to the accompanying podcast. Here are excerpts of my interview with Rezek, edited for clarity and length.

LW: How would you frame the security challenge companies are facing today?

Rezek: IT infrastructure today is more distributed than it has ever been, whether it’s Platform as a Service, Infrastructure as a Service, or cloud, multi-cloud, or hybrid cloud. This distribution of IT assets creates far more network dependencies than it ever has before.