
NEW TECH: Breakthrough ‘homomorphic-like’ encryption protects data in-use, without penalties

By Byron V. Acohido

Homomorphic encryption has long been something of a Holy Grail in cryptography.

Related: Post-quantum cryptography on the horizon

For decades, some of our smartest mathematicians and computer scientists have struggled to derive a third way to keep data encrypted — not just the two classical ways, at rest and in transit.

The truly astounding feat, aka homomorphic encryption, would be to keep data encrypted while it is being actively used by an application to run computations. Cryptographically speaking, this is the equivalent of moving the Himalayas, not just Mt. Everest.

There is an esoteric two-horse race that a small circle of folks in the cybersecurity and venture capital communities are riveted on. The stakes couldn’t be higher. It’s a race to deliver a commercially-viable homomorphic encryption tool – something that’s going to be needed if we are to vault into higher tiers of digital innovation.

Galloping along the rail, Google, Intel and Microsoft are leading a methodical effort to come up with consensus homomorphic encryption standards, even as a handful of VC-backed startups are hustling to overcome limitations in current working versions of their prototype tools.

Charging hard from post position no. 2, another group of start-ups, flush with VC cash, is gaining ground with “homomorphic-like” technologies they claim have the same benefits as the purely homomorphic tools, but none of the performance penalties.

A prominent member of this latter group is Mountain View, CA-based Fortanix, which has attracted $31 million in VC backing and grown to 60 employees since its launch in June 2017. Having written a few stories on homomorphic encryption, I was eager to meet with Fortanix co-founder and CEO Ambuj Kumar at Black Hat 2019. For a full drill down on our wide-ranging discussion, please give a listen to the accompanying podcast. Here are the key takeaways:

Runtime in focus

You might well ask yourself: why is keeping data encrypted while an application is using a data set so vital to the future of computing? It’s because elite threat actors already possess the ability to insinuate themselves deep inside of company networks and launch stealthy, quick-strike attacks – in memory, during runtime. …more

MY TAKE: ‘Perimeter-less’ computing requires cyber defenses to extend deeper, further forward

By Byron V. Acohido

Threat actors are opportunistic, well-funded, highly-motivated and endlessly clever.

Therefore cybersecurity innovations must take hold both deeper inside and at the leading edges of modern business networks.

Related: Lessons learned from Capital One breach

Most of the promising new technologies I’ve had the chance to preview this year validate this notion. The best and brightest security innovators continue to roll out solutions designed to stop threat actors very deep – as deep as in CPU memory — or at the cutting edge, think cloud services, IoT and DevOps exposures.

Juniper Networks, the Sunnyvale, CA-based supplier of networking equipment, I discovered, is actually doing both. I came to this conclusion after meeting with Oliver Schuermann, Juniper’s senior director of enterprise marketing.

We met at Black Hat 2019 and Schuermann walked me through how Juniper’s security play pivots off the evolving infrastructure of a typical corporate network. For a full drill down, please give a listen to the accompanying podcast. Here are the key takeaways:

Deeper sharing

Wider threat intelligence sharing continues to advance apace. I was in the audience at Stanford in 2015 when President Obama signed an executive order urging the corporate sector to accelerate the sharing of threat feeds among themselves and with the federal government.

Since then, a number of threat intel sharing consortiums have either formed or expanded their activities. One recent example is how five midwestern universities – Indiana, Northwestern, Purdue, Rutgers and Nebraska – partnered to create a joint security operation center to gather, analyze and act on threat feeds.

Juniper gathers threat feeds via a security framework, called SecIntel, that runs off servers tied together by Juniper equipment deployed globally in corporate networks. …more

NEW TECH: The march begins to make mobile app security more robust than legacy PC security

By Byron V. Acohido

Is mobile technology on a course to become more secure than traditional computing?

Seven or eight years ago, that was a far-fetched notion. Today, the answer to that question is, “Yes, it must, and soon.”

Related: Securing the Internet of Things

I’ve been writing about organizations struggling to solve the productivity vs. security dilemma that’s part and parcel of the BYOD craze for some time now. I can recall President Obama issuing BlackBerry phones and ordering his administration to copy his personal practice of using only hardened mobile devices. Yet, many of the government-issued BlackBerry phones got used sporadically, as staffers reverted to their personally owned iPhones and Androids.

What has happened over the past couple of years is that mobile computing has become the cornerstone of our work and personal lives. Meanwhile, threat actors, as you might expect, are increasingly probing for, regularly discovering and enthusiastically exploiting mobile security flaws.

The good news is that cybersecurity vendors continue to innovate, as they have all along. And they appear to be closing in on fresh approaches that should translate into solutions for the longer haul. It is early still, but it looks like we may not have to carry two smartphones after all: a locked-down company phone as well as our favorite personal device.

I had the chance to discuss this with Jonas Gyllensvaan and Brian Egenrieder, Chief Executive Officer and Chief Revenue Officer, respectively, of mobile security vendor SyncDog. We spoke at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Securing provisioned devices

From the very start of the smartphone era, employees demonstrated that they did not mind paying for the latest, coolest device and using it for both home and work tasks. By 2011 or so, it was clear the BYOD trend was unstoppable, and companies began to impose much tighter security constraints.

Along came MDM (mobile device management) services to handle the inventorying and provisioning of these new endpoints. MDMs gave companies the ability to micromanage company-issued devices, adding password protection and remote wiping capabilities. A security staffer could remotely “brick” a company device gone temporarily missing, even if it had just slipped under a couch cushion. The employer could even block access to app stores, disable phone cameras or use the device’s GPS function to monitor where an employee spends work and personal hours.

Employees bristled – and companies responded by exerting even more granular control by embedding EMM (enterprise mobility management), MAM (mobile application management) and UEM (unified endpoint management) systems on provisioned devices. …more

SHARED INTEL: Here’s one way to better leverage actionable intel from the profusion of threat feeds

By Byron V. Acohido

Keeping track of badness on the Internet has become a thriving cottage industry unto itself.

Related: ‘Cyber Pearl Harbor’ is upon us

There are dozens of technology giants, cybersecurity vendors, government agencies and industry consortiums that identify and blacklist IP addresses and web page URLs that are obviously being used maliciously; and hundreds more independent white hat hackers are doing much the same.

This activity results in a rich matrix of overlapping threat feeds that, if all of the slices could somehow be combined, would present a heat map of an Internet throbbing with malicious traffic that unceasingly changes and steadily intensifies. Many of the badness trackers do, in fact, publish their blacklists for the greater good. This intel often gets leveraged by firewall suppliers who tap into a small selection of what they figure to be the most helpful threat feeds to configure their products.

Centripetal has gone several steps further. This 10-year-old cybersecurity services vendor pulls in threat feeds from some 90-plus sources, assigns a team of cybersecurity analysts to make sense of this intel, and then makes the output of this heavy lifting available to companies to help them better defend their networks. Byron Rashed, Centripetal’s vice president of marketing, broke this down for me. We had a chance to visit at Black Hat 2019. For a drill down of our conversation, give the accompanying podcast a listen. Here are key takeaways:

Effective blocking

Centripetal’s CleanINTERNET service is built around correlating and analyzing threat feeds pulled in from some 90 commercial, government and open-source entities. The heavy lifting Centripetal does on behalf of its customers involves correlating billions of threat indicators to derive a set of robust correlation rules that, in turn, become the basis for which traffic is allowed to enter – or leave — a customer’s network.

This rule enforcement is done at Centripetal’s RuleGATE Threat Intelligence Gateway in such a way that minimizes false positives yet doesn’t sacrifice performance. Centripetal also delivers a Splunk-based SIEM (some clients opt for integration into their existing SIEM) that enables the client and Centripetal’s team of cyberthreat analysts to view events and work directly …more

NEW TECH: How ‘cryptographic splitting’ bakes-in security at a ‘protect-the-data-itself’ level

By Byron V. Acohido

How can it be that marquee enterprises like Capital One, Marriott, Facebook, Yahoo, HBO, Equifax, Uber and countless others continue to lose sensitive information in massive data breaches?

Related: Breakdown of Capital One breach

The simple answer is that any organization that sustains a massive data breach clearly did not do quite enough to protect the data itself.

It’s not for lack of trying. Tech consultancy IDC recently estimated that global spending on security-related hardware, software and services is growing at a compound annual growth rate of 9.2% a year and is on a curve to reach $133.8 billion by 2022.

It’s not for lack of best practices frameworks. There are plenty of good ones by government regulators, such as those compiled and distributed for free by NIST; and there’s no end of rules and guidance issued by a wide variety of industry standards bodies.

And it’s certainly not for lack of technology; just visit the vast exhibitors’ floor at RSA Conference or Black Hat USA. I attended both again this year, and at the latter I had the chance to meet with Paul Russert, vice president of product and compliance with a Rancho Santa Margarita, Calif.-based start-up, SecurityFirst.

We discussed how SecurityFirst set out three years ago to begin commercially distributing something called cryptographic splitting technology. As I came to understand it, this new approach leverages multi-factor secret sharing algorithms previously only used by government entities.

Cryptographic splitting appears to be a very direct, and much more robust, approach to protecting the data itself, in a way that makes good sense in the current environment. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Security benefits

Protect the data itself. Sounds simple enough. Yet in the age of Big Data and digital transformation many organizations still don’t do this very well. Legacy perimeter defenses are rapidly losing efficacy as the landscape shifts to cloud computing and the Internet of Things.

…more

MY TAKE: Local government can do more to repel ransomware, dilute disinformation campaigns

By Byron V. Acohido

Local government agencies remain acutely exposed to being hacked. That’s long been true. However, at this moment in history, two particularly worrisome types of cyber attacks are cycling up and hitting local government entities hard: ransomware sieges and election tampering.

Related: Free tools that can help protect elections

I had a deep discussion about this with Todd Weller, chief strategy officer at Bandura Cyber. We spoke at Black Hat USA 2019. Bandura Cyber is a 6-year-old supplier of threat intelligence gateway technologies. It helps organizations of all sizes, but has a solution that is well suited to enabling more resource-constrained SMBs to tap into the myriad threat feeds being collected by a wide variety of entities and extract actionable intelligence.

Weller observed that local governments are under pressure to more proactively detect and deter threat actors, which means they must figure out how to redirect a bigger chunk of limited resources toward mitigating cyber threats. Current attack trends add urgency, and catching up on doing basic security best practices isn’t enough. For a drill down on my interview with Weller, give a listen to the accompanying podcast. Here are key takeaways:

Ransomware run

We’ve recently learned just how easy it is for ransomware purveyors to either extract huge extortion payments from local agencies, or worse, cause tens of millions of dollars of damage.

Baltimore city officials declined to pay $76,000 for a ransomware decryption key – and the city ended up absorbing an estimated $18 million in recovery costs. Atlanta refused to pay a $51,000 ransom, and ate $17 million in damage.

Meanwhile, officials from Riviera Beach, Fla., population 35,000, saw fit to cough up a $600,000 payment, and Lake City, Fla., population 12,046, paid $460,000, for ransomware decryption keys. In each case, after weeks of having city services disrupted, and facing pressure from constituents, city leaders viewed paying a six-figure ransom as the least painful, quickest resolution. …more

MY TAKE: Poll shows senior execs, board members grasp strategic importance of cybersecurity

By Byron V. Acohido

A singular topic has risen to the top of the agenda in executive suites and board rooms all across the planet: cybersecurity.

Related: Security, privacy fallout of IoT

A recent survey by Infosys, a tech consulting and IT services giant based in Bangalore, India, quantifies the degree to which the spotlight has landed on cybersecurity in large organizations.

Infosys polled 867 senior officials from 847 firms in a dozen industries, each with at least $500 million in annual revenue; the companies are based in the US, Europe, Australia or New Zealand. Some 83% of respondents said they viewed cybersecurity as critical to their organization, while 66% of the companies reported having implemented a well-defined cybersecurity strategy.

What jumped out at me was that 60% of C-level executives and 48% of board members indicated they actively participated in formulating cybersecurity strategy. Just five years ago a participation level like this was more of an optimistic hope than anything else. At least that’s what I took away from a memorable fireside chat I had, back then, with the late Howard Schmidt, former White House Cybersecurity Advisor under Presidents Bush and Obama.

Last week, I had the chance to sit down with Vishal Salvi, Infosys’ chief information security officer. We met at the Infosys Americas Confluence conference in Scottsdale, AZ, and had a well-rounded discussion about the drivers behind this new board-level awareness – and the going-forward implications. For a full drill down, please give a listen to the accompanying podcast. Here are a few key takeaways:

Time to execute

Salvi walked me through other survey findings illustrating how pervasively a cybersecurity consciousness has taken hold in the upper echelons of the corporate sector. According to the Infosys poll, these items are on the front burner:

• The top concerns faced by enterprises are hackers and hacktivists (84 percent), low awareness among employees (76 percent), insider threats (75 percent), and corporate espionage (75 percent)

• Challenges in building a security-aware culture combined with embedding security into design affect nearly two thirds of enterprises

• Across industries, cybersecurity is consistently viewed as critical in an enterprise’s digital transformation journey. Manufacturing emerged at the top (87 percent), followed by energy and utilities (85 percent), and banking, financial services and insurance (83 percent). …more