Category Archives: Podcasts

MY TAKE: Most companies blissfully ignorant of rising attacks on most-used endpoint: mobile devices

A dozen years after Apple launched the first iPhone, igniting the smartphone market, the Bring Your Own Device to work phenomenon is alive and well.

Related: Stopping mobile device exploits.

The security issues posed by BYOD are as complex and difficult to address as ever. Meanwhile, the pressure for companies to proactively address mobile security is mounting from two quarters.

On one hand, regulators are ahead of the curve on this one; they’ve begun mandating that companies account for data losses, including breaches in which mobile devices come into play. On the other hand, cyber criminals are hustling to take full advantage of the corporate world’s comparatively slow response to a fast-rising threat.

Metrics are piling up showing just how pervasive mobile threats have become. Some 33 percent of companies participating in Verizon’s Mobile Security Index 2019 survey admitted to having suffered a compromise involving a mobile device, and the majority of those affected said the impact was major.

Verizon’s poll also found that 67 percent of organizations were less confident of the security of mobile devices, as compared to other IT assets. And all of this is unfolding as employees continue to increasingly use both company-issued phones, and their personally-owned devices, to access sensitive data and conduct business.

“The reality is users don’t care whether it’s a corporate-owned device or a BYOD, and neither do the attackers,” said J.T. Keating, vice president of product strategy at Zimperium, a Dallas, TX-based supplier of mobile security systems. “Our phones are completely blended, in terms of access to corporate data and personal data.”

I had a lively discussion with Keating at RSA 2019. For a drill down on the full interview, give a listen to the accompanying podcast. Here are a few key takeaways.

Endpoint is an endpoint

That queasy feeling senior execs have about the murkiness of mobile security is well founded, judging by a simple experiment Zimperium conducted at Mobile World Congress (MWC) in Barcelona last February and repeated at RSA 2019 in San Francisco.

Zimperium analyzed forensic data from users of its zIPS mobile intrusion prevention app, examining the traffic to and from zIPS-protected devices at each conference. It detected more than 7,000 mobile threats in less than four days at MWC, and more than 17,000 threats in the same span at RSA.


Reliance on smartphones in the enterprise has skyrocketed in recent years, but it comes at a price. Zimperium estimates that some 60 percent of enterprise endpoints are now mobile devices. In most companies, that means 60 percent of the endpoints accessing the enterprise have no security visibility on them, which makes them ripe targets, Keating told me.

Security teams have been slow to address mobile security, but it is inevitable now. After all, if employees have moved tasks like email from desktops to mobile devices, security has to act. However, there is another pressing issue for security teams, said Keating, and that’s compliance.

“If you have patient data sitting on a tablet, it’s no different than you have patient data sitting on a traditional endpoint,” explained Keating. If you have a HIPAA requirement to secure data on one type of endpoint, you have to meet that same HIPAA requirement for all endpoints. “An endpoint is an endpoint is an endpoint.”

Viable threats

All too many organizations still don’t see it that way. This is reflected in the tens of billions of dollars spent on protecting traditional endpoints, such as laptops and desktop PCs, even as employees use their unprotected smartphones and tablets as their go-to endpoints much of the time. The exposure should be obvious.

Yet, many in leadership still continue to question just how substantive mobile threats really are, Keating said. This skepticism derives from lack of visibility; if you can’t see the threats, you don’t realize they are there, he said.

Make no mistake, the threats are there. They include malicious apps, mobile phishing, network attacks, and device compromise. One big challenge is figuring out the best approaches to mitigate a wide array of attacks targeting mobile device users.

It’s easy to buy into the idea that you only have to worry about one or two of the known threats and you’re covered. An app security provider might offer a tool that addresses only malicious apps, for instance, and that can lull you into thinking malicious apps are the only threat to worry about.

Most malicious apps are spread as widely as possible and are not part of a campaign against a specific company. A spear phishing attack or a device compromise attack, however, very well might be, said Keating.

Integrated defense

Also, apps can be risky without being malicious. Many apps in the App Store or Google Play ask for sensitive phone data, such as geolocation, and then transmit it back to the app publisher unencrypted. That could be part of targeted intelligence gathering or, at minimum, it widens the exposure of sensitive data, which could ultimately end up in the hands of a threat actor who decides to target your organization.

For enterprises pushing out apps and depending on mobile devices, integrating with a well-rounded mobile device management (MDM) provider can help manage all of those deployments. Zimperium, for example, has partnered with MobileIron to improve threat detection and remediation.

Pairing Zimperium’s detection engine with the MobileIron agent lets the detection app be pushed to a device the moment it is enrolled, so coverage follows the MDM’s device inventory rather than requiring a separate rollout. From a provisioning standpoint, integrating with an MDM means immediate and improved protection.

“We’ve seen a technology curve,” said Keating. “Something starts as a technology, then it becomes a product, and finally it becomes a solution. We’re now at the solution stage.”

At the solution stage, a mobile security offering should integrate with whatever cloud platform or MDM a company already uses, rather than force it into a particular format, and it should fit the organization’s workflow, giving both the security and mobility teams what they need.

It’s encouraging to see security innovation advancing in the mobile space. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(Last Watchdog’s Sue Poremba contributing.)


NEW TECH: Brinqa takes a ‘graph database’ approach to vulnerability management, app security

Imposing just the right touch of policies and procedures towards mitigating cyber risks is a core challenge facing any company caught up in digital transformation.

Related: Data breaches fuel fledgling cyber insurance market

Enterprises, especially, tend to be methodical and plodding. Digital transformation is all about high-velocity innovation and on-the-fly change. The yawning gap between the two is where fresh attack vectors are arising, creating a candy-store environment for threat actors.

Brinqa, an Austin, TX-based security vendor has come up with a cyber risk management platform designed to help companies take a much more dynamic approach to closing that gap, specifically in the areas of vulnerability management and application security, to start.

Brinqa was founded in 2009 by Amad Fida and Hilda Perez, industry veterans seeking to leverage their collective expertise in risk management and identity and access management. Early on, a customer of their cyber risk management solution asked if they could assess a physical location, down to the fire extinguishers.

An early version of their platform was already live. But that assignment led Fida and Perez to re-architect the platform around graph databases and knowledge graphs. It was an approach they felt would be flexible enough to keep up with rapidly-evolving enterprise technology infrastructure.

I had the chance at RSA 2019 to meet with Syed Abdur, Brinqa’s director of products, who provided more background. For a full drill down, please give a listen to the full Last Watchdog interview via the accompanying podcast. Here are the key takeaways:

Blistering pace

On-premises data centers look to remain a big part of hybrid cloud networks, going forward, and keeping these systems up to date, with respect to vulnerability patching, isn’t getting easier.

By many measures, the vulnerability management challenge companies face is getting steeper. The National Institute of Standards and Technology’s National Vulnerability Database logged around 14,000 unique vulnerabilities in 2018, up from 13,000 in 2017 and 6,000 in 2016.


“Hackers are getting more proactive; they’re not only looking for more vulnerabilities to exploit but also spending significant time and resources to identify those that can cause the most damage,” Abdur said. “With cloud, containers, IoT, OT, and mobile devices the enterprise technology infrastructure is expanding really, really rapidly while the policies and processes that we have in place to manage these risks are falling behind.”

So what is Brinqa bringing to the table? Co-founders Fida and Perez realized they had to materially improve upon the treasure trove of security analytics systems already in the market, technologies that companies have spent billions to install.

Vulnerability management

Flashback to the assignment Fida and Perez initially took on: a physical-location risk analysis, down to the fire extinguishers. They quickly learned how difficult it would be to correlate a wide variety of evolving components using a relational database, the traditional approach. So they re-architected Brinqa’s nascent platform, and its underlying technology stack, around a graph database, specifically Neo4j.

Relational databases remain in universal use in enterprise settings; their rigid schemas are well suited to structured, on-premises business processes. But graph databases are far better suited to making lightning-fast correlations across the many-to-many relationships between assets, software, vulnerabilities and threat intelligence, where a relational query would need join after join.

Graph databases are what major league baseball teams use to calculate how to position infielders against specific hitters, in certain ball parks, facing specific pitchers, in a mid-week night game versus a weekend day game. Similarly, Brinqa’s platform uses a graph database to help companies correlate vulnerability, asset and intelligence data across multiple on-premises and cloud sources, under circumstances that can change day to day.
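To make the correlation concrete, here is an added example of the traversal described above; it is not Brinqa’s code. Brinqa’s platform is built on Neo4j, whereas this toy keeps a property graph in plain Python dictionaries so it runs offline with no database. Every host name, software version, vulnerability identifier, CVSS score and intel record is constructed sample data, and the scoring weights (doubling for known exploitation, 1.5x for internet exposure) are arbitrary choices made for illustration.

```python
"""Correlating assets, software, vulnerabilities and threat intel as a graph.

Added example, not Brinqa's code. Pure-Python adjacency model standing in for
Neo4j. All hosts, versions, vulnerability IDs, scores and intel records are
constructed sample data.
"""
from collections import defaultdict


class Graph:
    """Minimal property graph: typed nodes with attributes, labelled edges."""

    def __init__(self):
        self.nodes = {}                # node id -> {"type": ..., **properties}
        self.out = defaultdict(list)   # node id -> [(relation, dst)]
        self.inc = defaultdict(list)   # node id -> [(relation, src)]

    def add_node(self, nid, ntype, **props):
        self.nodes[nid] = {"type": ntype, **props}

    def add_edge(self, src, rel, dst):
        self.out[src].append((rel, dst))
        self.inc[dst].append((rel, src))

    def neighbors(self, nid, rel, direction="out"):
        edges = self.out[nid] if direction == "out" else self.inc[nid]
        return [n for r, n in edges if r == rel]


def build_graph():
    """Constructed sample: three assets, three packages, three vulnerabilities
    (hypothetical IDs VULN-A..C), two threat-intel records."""
    g = Graph()
    g.add_node("web-01", "Asset", internet_facing=True, owner="payments")
    g.add_node("db-01", "Asset", internet_facing=False, owner="payments")
    g.add_node("lab-07", "Asset", internet_facing=False, owner="research")
    for sw in ("struts-2.3.31", "openssh-7.4", "pg-9.6"):
        g.add_node(sw, "Software")
    g.add_node("VULN-A", "Vulnerability", cvss=9.8)
    g.add_node("VULN-B", "Vulnerability", cvss=7.0)
    g.add_node("VULN-C", "Vulnerability", cvss=5.3)
    g.add_node("intel-1", "Intel", exploited_in_wild=True)
    g.add_node("intel-2", "Intel", exploited_in_wild=False)

    for asset, sw in [("web-01", "struts-2.3.31"), ("web-01", "openssh-7.4"),
                      ("db-01", "pg-9.6"), ("db-01", "openssh-7.4"),
                      ("lab-07", "struts-2.3.31")]:
        g.add_edge(asset, "RUNS", sw)
    g.add_edge("VULN-A", "AFFECTS", "struts-2.3.31")
    g.add_edge("VULN-B", "AFFECTS", "openssh-7.4")
    g.add_edge("VULN-C", "AFFECTS", "pg-9.6")
    g.add_edge("intel-1", "REPORTS", "VULN-A")
    g.add_edge("intel-2", "REPORTS", "VULN-B")
    return g


def findings(g):
    """Walk Asset -RUNS-> Software <-AFFECTS- Vulnerability <-REPORTS- Intel.

    In Cypher this path would be a single MATCH; the point is that useful
    prioritisation needs all three data sets joined. Weights are arbitrary."""
    out = []
    for aid, asset in g.nodes.items():
        if asset["type"] != "Asset":
            continue
        for sw in g.neighbors(aid, "RUNS"):
            for vid in g.neighbors(sw, "AFFECTS", "in"):
                intel = [g.nodes[i] for i in g.neighbors(vid, "REPORTS", "in")]
                exploited = any(i["exploited_in_wild"] for i in intel)
                score = g.nodes[vid]["cvss"]
                if exploited:                  # known exploitation doubles urgency
                    score *= 2
                if asset["internet_facing"]:   # reachable from the internet
                    score *= 1.5
                out.append({"asset": aid, "software": sw, "vuln": vid,
                            "exploited": exploited, "score": round(score, 2)})
    return sorted(out, key=lambda f: -f["score"])


def asset_risk(g):
    """Roll findings up to one number per asset, highest first."""
    totals = defaultdict(float)
    for f in findings(g):
        totals[f["asset"]] += f["score"]
    return sorted(totals.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    g = build_graph()
    for f in findings(g):
        print(f)
    print(asset_risk(g))
```

Run as a script it prints the ranked (asset, vulnerability) pairs and the per-asset roll-up: the internet-facing web server with an exploited-in-the-wild flaw ranks first, and the same flaw on an internal lab box ranks above a higher-CVSS-but-unexploited issue on the public host, which is the kind of cross-source ordering a CVSS-only list cannot produce.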

Application security

The company is also focused on helping large enterprises become more agile and effective at assuring all of their business applications are secure, whether those applications are developed internally or supplied by third-parties.

Abdur pointed out how the tools and services companies rely on to test for security flaws often overlap – and just as often result in lingering gaps.

“It has become very important, on the AppSec side of things, to make sure that policies, processes and practices are uniformly applied across the software infrastructure and throughout the SDLC process. We help customers consistently analyze data from all of these different tools – static testing, web application testing, software composition, penetration testing – regardless of where they’re coming from, or what type of application it is, and have a universal approach to effective application risk management.”

Abdur told me Brinqa has received strong positive feedback from its customers, the early adopters to this approach. And he said the company has plans to extend its platform by directing graph databases toward doing risk analysis and management of software containers and other cloud computing components.

What Brinqa is doing makes a lot of sense. Using graph databases to assess security risks is a case of applying the best-available technology to mitigate a complex, rising challenge: helping companies stay secure, while also being able to move fast and grow very big. Talk more soon.



(LW provides consulting services to the vendors we cover.)

Q&A: Researchers find evidence of emerging market for stolen, spoofed machine identities

It’s edifying what you can find shopping in the nether reaches of the dark web.

Related: Why government encryption backdoors should never be normalized.

Academic researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. recently teamed up and found evidence of an emerging market for stolen and spoofed machine identities.

Specifically, the researchers found:

• A ready inventory of stolen SSL/TLS certificates, along with a range of related services and products, for sale, priced from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.

• Extended validation certificates, packaged with services to support malicious websites, such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors, including Stripe, PayPal and Square.

• A vendor offering to issue certificates from reputable Certificate Authorities (CAs), along with forged company documentation, as part of a package of services enabling an attacker to credibly present themselves as a trusted U.S. or U.K. company for less than $2,000.

This emerging black market for machine identities is but a mere starting point for cyber criminals who recognize a huge, unguarded exposure when they see one. Thus, threat actors have begun moving with alacrity to capitalize on it, before companies get around to protecting their exposed machine identity.

Repeated missteps

As a famous American sports hero once said, “It’s Déjà vu all over again.” In cobbling together our classic business networks, we did an imperfect job setting up privileged access for human users – and we continue to pay the price.  And yet, we are about to repeat the same missteps with respect to the over-privileging of non-human, or machine, identities.

Machine identities are what make hybrid business networks possible; they are nothing less than the key to stitching together emerging IoT- and 5G-centric systems. Think about the coming generation of smart homes, public venues, utilities and transportation systems. They will require an exploding number of APIs to connect each microservice, to each software container, to each orchestration tool, on up the software stack, to each new mobile app delivering each of our daily digital experiences.

In order to make all of this dynamic, high-velocity innovation possible, the number of highly privileged machine identities has begun to scale – dramatically. And yet, not nearly enough attention is being paid to the profound privacy and security implications.

I’ve had several invigorating conversations with Jeff Hudson, CEO of Venafi, about this. The Salt Lake City, UT-based machine identity protection leader sponsored the dark web study. Hudson noted that the number of machine identities is rising exponentially, and the speed at which these machines operate is climbing steeply as well.

Thus, the monitoring, management and protection of machine identities must be ongoing and automated, he argued. For a full drill down on our most recent conversation, at RSA 2019, give a listen to the accompanying podcast. Below are a few excerpts edited for clarity and length:

LW: Can you give us a fix on where the security of machine identities stands today?

Hudson: There are all kinds of machine identities: certificate keys, API keys, code-signing keys. Machine identities are rampant; they’re everywhere. But we’re just getting started protecting machines. We spend $10 billion a year protecting human identities, but for the most part machine identities are out of sight and out of mind.

LW: Cyber criminals certainly seem to be aware of them.

Hudson: Yes, they are packaging machine identities with company names, addresses and phone numbers so people can set up fake websites to get people to log on. Some of the fake websites we found are well-known brand names . . . So it’s really important for organizations to keep track of what’s out there representing their brand name, and getting in the middle of their traffic.

LW: Can you walk us through an example?

Hudson: You can get somebody to click on a website, using a falsified machine identity, and then download some ransomware to them, or put in a keystroke stealer, or any kind of information harvesting malware . . . it’s a full package of how to go steal stuff, or lock up computers, or encrypt data and get ransom. Machine identities have become the foundation of these attacks, that’s how important they are.

LW: What’s the big concern, going forward?

Hudson: The Government Accountability Office examined the Equifax breach. Their report stated that a machine identity expired, which caused the network surveillance to stop working, and this allowed intruders to get in without being detected to find and exfiltrate 150 million records. At the end of the day the CSO, the CIO and the CEO all left the company.


This is not a unique occurrence; the vast majority of organizations struggle with machine identity protection. Something as simple as that (an expired certificate) is very important, because the bad guys are looking for that. Machine identities are foundational in our digital transformation, because everything that’s going onto the Internet is all built on machines. As a result, protecting machine identities is of paramount importance.

LW: What’s Venafi’s solution all about?

Hudson:  We provide visibility on all of your machine identities, anywhere they appear on the internet – anything that might look like you, give access to you or somehow represent themselves as being part of you. So, visibility is number one.

Then we provide tremendous intelligence around whether an identity is helpful or harmful. And the final thing is automation: machine numbers are exploding, so you have to automate, you can’t really put people into these processing loops. You need to automate. So that’s what we do; we provide visibility, intelligence and automation — in the form of a platform to help corporations protect their machine identities.
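The expired-certificate failure Hudson describes is the sort of thing an automated inventory check catches before an inspection device goes dark. The following is an added example of such a check, not Venafi’s product logic. It runs over a constructed CSV inventory (the kind a discovery scan would emit) and flags certificates that have expired, that expire within a warning window, or that were issued by a CA outside the organization’s approved list, which is how a certificate obtained from a “reputable CA” with forged paperwork would surface. The host names, dates and the approved-issuer set are all assumptions made for the example.

```python
"""Machine-identity inventory check: expired, expiring and unapproved certs.

Added example, not Venafi's code. Works over a constructed inventory so it
runs offline; hosts, dates and the issuer allowlist are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: host, subject common name, issuer, notAfter (UTC).
# 'ids-tap' stands in for a traffic-inspection device whose cert lapsed.
INVENTORY = """\
host,common_name,issuer,not_after
ids-tap.corp.example,ids-tap.corp.example,Corp Internal CA,2019-01-31T00:00:00Z
www.example.com,www.example.com,DigiCert Inc,2019-04-10T00:00:00Z
api.example.com,api.example.com,DigiCert Inc,2020-02-01T00:00:00Z
login.example.com,login.example.com,Unknown Reseller CA,2020-06-01T00:00:00Z
"""

# Assumption: the CAs this organisation has authorised to issue for its names.
APPROVED_ISSUERS = {"Corp Internal CA", "DigiCert Inc"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_inventory(text):
    """CSV with a header row -> list of dicts; not_after becomes a datetime."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["not_after"] = parse_ts(rec["not_after"])
        rows.append(rec)
    return rows


def assess(rows, now, warn_days=30, approved=APPROVED_ISSUERS):
    """Return findings sorted most urgent first (negative days = expired)."""
    findings = []
    for r in rows:
        remaining = r["not_after"] - now
        flags = []
        if remaining <= timedelta(0):
            flags.append("EXPIRED")
        elif remaining <= timedelta(days=warn_days):
            flags.append(f"EXPIRES_IN_{remaining.days}D")
        if r["issuer"] not in approved:
            flags.append("UNAPPROVED_ISSUER")
        if flags:
            findings.append({"host": r["host"], "cn": r["common_name"],
                             "issuer": r["issuer"], "days_left": remaining.days,
                             "flags": flags})
    return sorted(findings, key=lambda f: f["days_left"])


def run(now_iso=None):
    """Assess the constructed inventory at a fixed or current UTC time."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return assess(parse_inventory(INVENTORY), now)


if __name__ == "__main__":
    for f in run("2019-03-15T00:00:00Z"):
        print(f"{f['host']:<24} {f['days_left']:>5}d  {', '.join(f['flags'])}")
```

The fixed timestamp in the usage call makes the output reproducible: the inspection device is reported as expired, the public web site as expiring within the window, and the login host as carrying a certificate from a CA the organization never authorized, while the healthy API certificate produces no finding. In production the inventory would come from discovery scans and Certificate Transparency logs rather than a static string, and the run would be scheduled rather than invoked by hand.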



(LW provides consulting services to the vendors we cover.)

Q&A: How cutting out buzzwords could actually ease implementation of powerful security tools

The central dilemma posed by digital transformation is this: How do companies reap the benefits of high-velocity software development without creating onerous security exposures?

Related: Golden Age of cyber spying dawns

The best practices standards and protocols to pull off this delicate balancing act have been thoroughly vetted and are readily available. And there’s certainly no shortage of sophisticated technology solutions.

So what’s missing? Why have organizations, of all sizes and in all sectors, failed to make more progress shrinking a security gap that appears, in fact, to be inexorably widening?

These were questions I discussed at RSA 2019 with Samantha Madrid, a veteran executive in the enterprise security space, who recently joined Juniper Networks as vice president, security & business strategy. Juniper has been in the vanguard of integrating security deeper into the plumbing of modern business networks.

Madrid observed that the white noise of overlapping marketing messages has not made it any easier for enterprises to chart a truer course for securing their networks. One of the first things Madrid told me she did when she arrived at Juniper was to ask her colleagues to stop using marketing buzzwords.

“A vendor should be able to explain, in simple terms, how they can help solve a customer’s problem,” she said.

Having covered tech security since 2004, I can attest that there is plenty of room for more clarity, and less hype, in security products marketing. To hear my conversation with Madrid in its entirety, please give a listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: Can you frame the security challenges companies are facing in today’s very dynamic environment?


Madrid: I’ve been in this industry for close to 25 years, and up until this point security has been mostly about packaging various technologies and applying them at various points around the perimeter. But where we are right now is that our customers are trying to wrap their arms around vast amounts of data. From a security standpoint it’s about really thinking through a connected security strategy for your organization.

LW: What are some of the successful approaches gaining traction?

Madrid: It’s not about taking a rip and replace strategy. That’s a wrong way of looking at it. It starts with leveraging your existing footprint. A vendor should be coming in and providing an architecture that allows you to leverage your existing investments, and leverage the data coming from digital transformation. It should be about bringing all of that together through a connected design. It’s no longer about just what’s happening at a gateway, it’s about what’s happening at all points of the network.

LW: Because that’s where the threat actors are probing?

Madrid: The folks targeting your environment are persistent and very focused. So you need to have eyes, and intelligence gathering, at all corners of your network, private and public. You need to understand how your apps are behaving, and how your users are behaving. It’s about safeguarding your users, your applications and your infrastructure. You can do this by understanding who, and what, is on the network; and by automating policies. That’s what connected security is about and that’s how we have to start framing the conversation, moving forward.

LW: How do you triage all of these things?

Madrid: A great way to start is by looking at what you have, in terms of security capabilities. And then when you start down a path, like multi-cloud, security needs to be a part of that design. It’s more than just running workloads. It’s about making sure you have the ability to orchestrate and automate policy. Anytime you venture to a new initiative that is a great time to take inventory of what you have, or don’t have, and have these kinds of discussions.

LW: Why does it seem like companies have been slow to grasp the security ramifications of digital transformation?

Madrid: I don’t envy customers, frankly. You walk through a show, or go to a vendor’s website, and you’ll see every vendor out there using the same terminology. So how do you figure it all out? My response is, ‘Don’t try to figure it out.’ Start with the problem you’re trying to solve, and focus on the business outcome you’re looking for.

It might be endeavoring to let users bring any device they want on the network. Or maybe it’s a multi-cloud implementation. So know the problem you want to solve first, and then have the conversation with the vendor.

LW: You’ve just joined Juniper; what does the company bring to the table?

Madrid: If you step back, security in many organizations has been siphoned off, and become a very siloed function. There’s been a lot of repackaging and a lot of buzzwords circling around every year. As an industry, we really have not moved the meter, in terms of helping our customers, by and large.

What excites me about Juniper is the fact that security is a part of the infrastructure, whether it’s distributed, or whether it’s more traditional in design. And, frankly, we’re battle tested. We support the world’s largest networks and we can bring high performance security, at scale; whereas, historically, you’d have to make a tradeoff. With Juniper you don’t have to make that tradeoff. So that’s what excites me.

NEW TECH: Critical Start delivers managed security services with ‘radical transparency’

It was in 2012 that CRITICALSTART burst onto the Managed Security Service Provider (MSSP) scene with bold intentions.

Related: How SMBs can leverage threat intelligence.

The Plano, TX-based company sought to elevate the MSSP space high above the accepted standard at the time. It set out to do this by delivering security services based on Zero-Trust that also provided radical transparency to its customers.

CRITICALSTART has since grown to 105 employees, serving hundreds of customers. In 2018, revenues generated by its core Managed Detection and Response (MDR) service grew 300 percent as compared to 2017.

What struck me most as I prepared to meet up with Jordan Mauriello, CRITICALSTART’s VP of Managed Services, was how the company has been able to stick to its guns providing Zero-Trust and “radical transparency” to its customers.

No one in the cybersecurity community would dispute the fact that widely sharing intel detailing what the bad guys are doing, as well as measures that prove effective in deterring them, should be standard practice – for the greater good.

However, in reality, competitive instincts still get in the way all too often. It was with this in mind that I met with Mauriello at RSA 2019, and he walked me through the path CRITICALSTART has successfully navigated. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Foundation of trust

Radical transparency isn’t a new thing, but we are seeing it more in security, along with a growing need for a Zero-Trust model. Mauriello observed that companies shopping for contracted security services are open to taking a trust-but-verify approach, and are looking for service providers to build that trust foundation by operating out in the open.

“One of the chief complaints we heard was that they didn’t have transparency with their service provider,” said Mauriello. “There has to be a concept beyond just giving them visibility, beyond just giving them metrics and numbers, but something a little more radical.”

It’s what customers want. Traditionally, service providers run platforms in silos – one platform for their analysts, one platform for ticketing and management, one platform for communicating with the customer. If and when a customer wants to see what really happened in their system, there’s no easy way to do that.

Radical transparency gives the customer a clear vision of what the MSSP is doing on their behalf, and thus empowers the customer to be able to hold the service provider accountable. “Shouldn’t they be able to hold us accountable for what they’re paying us?” Mauriello wondered.

Getting radical

The key word here is radical. Being transparent is one thing, but radical transparency opens up a vision in a more thorough way than ever before. It’s, well, a radical shift. In terms of the service provider-customer relationship, it means removing the idea of a multi-tiered platform of systems that are separated from the customer.

Think of it as a parent and child relationship, Mauriello said, where the parent has access to check in on their child’s activities. The organization (parent) can see what the service provider (child) is doing on their behalf.

“They can go in and look at actual work our analysts did for them in the same platform we do it in because it’s the same platform they use,” he added. “If they have child companies – and we do have customers that are parent organizations with child companies – they can go look at the work that’s happening there.”

How Zero-Trust works

Zero-Trust, in CRITICALSTART’s usage, rests on that trust-but-verify concept, applied to alert triage rather than to network access. Traditionally, service providers collect a large volume of data for an enterprise from one place, generally a SIEM or some other log management tool, and then dig through it looking for matches against known-bad indicators. That model assumes everything is good until it is shown to be bad: innocent until proven guilty.

“A Zero-Trust engine is the exact opposite,” said Mauriello. “We’re going to collect all the same events but we’re going to assume every single one of them is bad until we can prove it good.”

With the combination of Zero-Trust and radical transparency, you are verifying the good and you’ve opened up your playbook for your customers to read. That’s a good thing. Customers shouldn’t assume they have to automatically trust what their service provider is doing; they should have the opportunity to verify it, too. Talk more soon.
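The difference between the two triage models is easiest to see in code. What follows is an added example, not CRITICALSTART’s engine, run over constructed process-execution events of the sort a SIEM forwards to an MDR provider. The blocklist model escalates only events matching a known-bad process name; the default-deny model escalates every event that no allowlist rule can fully explain, and the allowlist is the readable “playbook” the customer can inspect and, after review, extend. All host names, users, processes, signers and rules are assumptions made for the example.

```python
"""Default-deny ("Zero-Trust") alert triage versus blocklist matching.

Added example, not CRITICALSTART's code. Events, signers and rules below
are constructed sample data.
"""

# Constructed process-execution events as a SIEM might forward them.
EVENTS = [
    {"id": 1, "host": "ws-11", "user": "alice", "process": "outlook.exe",
     "parent": "explorer.exe", "signer": "Microsoft Corporation"},
    {"id": 2, "host": "ws-11", "user": "alice", "process": "chrome.exe",
     "parent": "explorer.exe", "signer": "Google LLC"},
    {"id": 3, "host": "ws-12", "user": "bob", "process": "mimikatz.exe",
     "parent": "cmd.exe", "signer": None},
    # Signed Microsoft binary, but spawned by Word: classic macro-dropper chain.
    {"id": 4, "host": "ws-12", "user": "bob", "process": "powershell.exe",
     "parent": "winword.exe", "signer": "Microsoft Corporation"},
    {"id": 5, "host": "srv-03", "user": "svc_backup", "process": "backup-agent.exe",
     "parent": "services.exe", "signer": "Acme Backup Inc"},
]

# Blocklist: process names the provider already knows are bad.
KNOWN_BAD = {"mimikatz.exe", "procdump.exe"}


def triage_blocklist(events):
    """Traditional model: everything is good until it matches a bad signature."""
    return {e["id"] for e in events if e["process"] in KNOWN_BAD}


# Allowlist: a rule must explain the whole event (process, parent and signer),
# so a signed binary launched from an unexpected parent is still not "proven".
KNOWN_GOOD = [
    {"process": "outlook.exe", "parent": "explorer.exe", "signer": "Microsoft Corporation"},
    {"process": "chrome.exe", "parent": "explorer.exe", "signer": "Google LLC"},
]


def matching_rule(event, rules):
    """Return the first rule whose every field matches the event, else None."""
    for rule in rules:
        if all(event.get(k) == v for k, v in rule.items()):
            return rule
    return None


def triage_default_deny(events, rules=KNOWN_GOOD):
    """Zero-Trust model: every event is bad until a rule proves it good."""
    return {e["id"] for e in events if matching_rule(e, rules) is None}


def prove_good(rules, **rule):
    """Analyst review outcome: extend the playbook with a new known-good rule."""
    return rules + [rule]


if __name__ == "__main__":
    print("blocklist escalates:   ", sorted(triage_blocklist(EVENTS)))
    print("default-deny escalates:", sorted(triage_default_deny(EVENTS)))
    tuned = prove_good(KNOWN_GOOD, process="backup-agent.exe",
                       parent="services.exe", signer="Acme Backup Inc")
    print("after review:          ", sorted(triage_default_deny(EVENTS, tuned)))
```

The blocklist catches only the obviously named credential-dumping tool. Default-deny also escalates the signed PowerShell launched from Word (which no blocklist entry names) and, initially, the legitimate backup agent; once an analyst reviews that agent and adds a rule, the rule change is visible in the same playbook the customer reads, which is the transparency half of the model. The cost is plain from the numbers too: default-deny generates more work until the allowlist matures, which is why it only scales with tooling the customer can audit.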



(Last Watchdog’s Sue Poremba contributing.)


NEW TECH: ‘Network Traffic Analysis’ gets to ground truth about data moving inside the perimeter

Digital transformation is all about high-velocity innovation. But velocity cuts two ways.

Related: Obsolescence creeps into perimeter defenses

Yes, the rapid integration of digital technologies into all aspects of commerce has enabled wonderful new services. But it has also translated into an exponential expansion of the attack surface available to cyber criminals.

This has led us to the current environment in which security threats are multiplying even as network breaches grow costlier and more frequent.

However, a newly-minted security sub-specialty —  christened Network Traffic Analysis, or NTA, by Gartner — holds some fresh promise for getting to the root of the problem. I had the chance to sit down at RSA 2019 with ExtraHop Networks, a Seattle-based supplier of NTA systems.

ExtraHop’s CISO Jeff Costlow walked me through what’s different about the approach NTA vendors are taking to help companies detect and deter leading-edge threats. For a drill down, give a listen to the accompanying podcast. Key takeaways:

NTA’s distinctions

Software development today routinely occurs at high velocity in order to build the digital services we can’t live without. Modular microservices, software containers and orchestration tools get spun up, using open source components; all of this mixing and matching occurs in the cloud, keeping things moving right along.

The inevitable security gaps that get created as part of this highly dynamic process have been getting short shrift, in deference to shipping deadlines. It’s not as though legacy security vendors are asleep at the wheel; they’ve been applying machine learning and AI to the output of SIEMs, firewalls, intrusion detection and other traditional security products designed to filter and detect malicious traffic directed at, and coming through, the perimeter.


By contrast, NTA systems direct a blend of machine learning, advanced-analytics and rule-based detection to the task of continuously analyzing the raw traffic moving to-and-fro inside the network perimeter.

The underlying principle of NTA technology is simple and straight forward. “The network really is where all the relevant data resides,” Costlow told me. “You can get to the ground truth by extracting the metadata about the data that’s traveling on the network . . . you can draw a lot of inferences and pull a lot of analytics out of that information.”

Postman clone

Recently, ExtraHop was monitoring the metadata flowing through its own network when it discovered an anomalous connection that was rather quietly sending data outbound at a low rate.

Follow-up forensics revealed the data in question to be Chrome browser histories that had been collected by a malicious Chrome browser extension, called Postman. This malicious extension was a spoofed clone of the legitimate Postman app, a very popular Chrome extension used by software developers for testing and real-time editing of the API requests made by newly created apps.

“Postman is a convenient, developer-centric tool that has existed for a long time,” Costlow said.

ExtraHop analysts determined that the malicious Postman clone had been available for download in the official Chrome Web Store (the distribution channel for Chrome extensions, not the Play Store) for about two months, and in that time had been downloaded and installed some 27,000 times. Google subsequently removed the Postman clone from the store.

"So this was very much targeted at developers," Costlow said. "It had a special little back door; every time you browsed, it would send some of the data that you browsed off to a home base." Such a backdoor could give an attacker intelligence about code repositories and other clues about the structure of the target's engineering environment.
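To make concrete what "extracting the metadata" and then spotting "an anomalous connection quietly sending data outbound at a low rate" looks like in practice, here is an added example, not ExtraHop's code. It works from connection summaries (who talked to whom, when, and how many bytes went each way), which is the kind of metadata an NTA sensor pulls from raw traffic. The flow records, the baseline destination list and the definition of which subnets count as internal are all constructed for this example; the thresholds are starting points a practitioner would tune against their own network.

```python
"""
Low-and-slow outbound beaconing detection over connection metadata.

Three signals are combined: the connections to a destination recur at a regular
interval, the byte count is skewed outbound, and the destination is outside the
network. Whether the destination has ever been seen before is reported as extra
confidence. Constructed sample data; not from the article or ExtraHop.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# What counts as "inside" for this example (assumption; replace with your own ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Destinations this host talked to during a prior baseline window (constructed).
BASELINE_DESTINATIONS = {"10.0.0.5", "198.51.100.10"}


def _periodic(start, period, count, src, dst, port, bytes_out, bytes_in):
    """Sample-data helper: `count` flows spaced exactly `period` seconds apart."""
    return [(start + i * period, src, dst, port, bytes_out, bytes_in) for i in range(count)]


# Constructed sample flows: (epoch seconds, src, dst, dst_port, bytes_out, bytes_in).
FLOWS = (
    # Interactive browsing: irregular timing, download-heavy.
    [(1000, "10.0.1.20", "198.51.100.10", 443, 1200, 85000),
     (1037, "10.0.1.20", "198.51.100.10", 443, 900, 40000),
     (1410, "10.0.1.20", "198.51.100.10", 443, 2100, 120000),
     (2950, "10.0.1.20", "198.51.100.10", 443, 700, 30000),
     (3020, "10.0.1.20", "198.51.100.10", 443, 1500, 95000),
     (5600, "10.0.1.20", "198.51.100.10", 443, 800, 52000)]
    # Internal file-share sync: periodic, but internal and download-heavy.
    + _periodic(1000, 600, 12, "10.0.1.20", "10.0.0.5", 445, 4000, 60000)
    # Beacon to a never-seen external host every five minutes, a few hundred bytes out each time.
    + _periodic(1030, 300, 24, "10.0.1.20", "203.0.113.7", 443, 900, 200)
)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_low_and_slow(flows, baseline=BASELINE_DESTINATIONS, min_flows=8,
                      max_jitter=0.2, min_upload_ratio=0.6):
    """Return one finding per (src, dst, port) group that looks like periodic outbound beaconing.

    A group is flagged when it is periodic (coefficient of variation of the gaps between
    connections is at most `max_jitter`), upload-heavy (at least `min_upload_ratio` of its
    bytes go outbound) and external. `new_destination` is reported, not required.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, out_b, in_b in flows:
        groups[(src, dst, port)].append((ts, out_b, in_b))

    findings = []
    for (src, dst, port), recs in groups.items():
        if len(recs) < max(min_flows, 3):
            continue                      # too few connections to judge periodicity
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        total_out = sum(r[1] for r in recs)
        total_in = sum(r[2] for r in recs)
        total = total_out + total_in
        upload_ratio = total_out / total if total else 0.0

        periodic = jitter <= max_jitter
        upload_heavy = upload_ratio >= min_upload_ratio
        external = not is_internal(dst)
        if not (periodic and upload_heavy and external):
            continue
        findings.append({
            "src": src, "dst": dst, "port": port, "flows": len(recs),
            "period_s": round(avg_gap), "jitter": round(jitter, 3),
            "upload_ratio": round(upload_ratio, 3), "bytes_out": total_out,
            "new_destination": dst not in baseline,
        })
    return findings


if __name__ == "__main__":
    for f in find_low_and_slow(FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['port']}  every ~{f['period_s']}s, "
              f"{f['flows']} flows, {f['upload_ratio']:.0%} outbound, "
              f"{f['bytes_out']} bytes out, new destination: {f['new_destination']}")
```

Run as is, only the 203.0.113.7 beacon is reported: the file-share sync is just as periodic but stays internal and downloads far more than it uploads, and ordinary browsing has neither the regular cadence nor the outbound skew. Note that the beacon uses port 443, so a perimeter rule keyed on ports or on total volume would never fire; the cadence and direction of the metadata are what give it away.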

Practicing restraint

Imposter apps and browser extensions masquerading as legit tools represent a clear and present risk that companies must account for. NTA technologies have a clear potential to help catch this type of subtle data exfiltration, and the momentum ExtraHop has generated in the past couple of years suggests that the practice of applying NTA systems to improving security is catching on. The company is in a rapid growth phase, with revenues surpassing $100 million in 2018, bolstered by 10X growth in cybersecurity, and its employee headcount has grown to over 400, with plans to add 150 more in 2019.

Meanwhile, we continue to take browser extensions, in particular, for granted. They have come into common, everyday use: we use them to extend the functionality of our web browsers, for things like developer tools, ad blockers, or tools to browse through CRM applications, like Salesforce.com, for instance.

We're blissfully ignorant of the fact that threat actors see browser extensions as an opportunity to slip malicious code past state-of-the-art perimeter defenses: an extension runs inside the browser with whatever permissions the user granted it at install time, and its traffic looks like ordinary web browsing. An important step toward reversing this trend lies with each user. For now, it is left up to each individual to get proactive about not being victimized.
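One proactive step is to look at what the extensions already installed in your browser are allowed to do. The following is an added example, not code from the article or from ExtraHop: it reads the manifest.json of each installed Chrome extension and flags the permissions that would let an extension read browsing history, watch every tab, or inject scripts into every site. Chrome's permission names, the `update_url` value for Web Store installs, and the on-disk layout (`<profile>/Extensions/<extension id>/<version>/manifest.json`) are real; the risk wording, the profile path table and the two sample manifests are this example's own.

```python
"""
Audit installed Chrome extensions for the permissions that let them watch what you browse.
Added example; the sample manifests below are constructed, not real extensions.
"""
import json
from pathlib import Path

# Permission -> what it lets the extension do (Chrome's names, this example's wording).
RISKY_PERMISSIONS = {
    "history": "read your full browsing history",
    "tabs": "see the URL and title of every open tab",
    "webNavigation": "be notified of every page you visit",
    "webRequest": "observe every HTTP request the browser makes",
    "cookies": "read session cookies for sites it has host access to",
    "clipboardRead": "read whatever you copy",
    "nativeMessaging": "talk to a native program outside the browser",
}

# Host patterns that amount to "every site".
BROAD_HOST_PREFIXES = ("<all_urls>", "*://*/", "http://*/", "https://*/")

# Where Chrome keeps the default profile's extensions (other profiles replace "Default").
PROFILE_EXTENSIONS = {
    "linux": Path.home() / ".config/google-chrome/Default/Extensions",
    "darwin": Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    "win32": Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
}


def audit_manifest(manifest: dict) -> dict:
    """Summarize what a parsed manifest.json lets the extension reach."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))      # manifest v3 puts host patterns here
    for script in manifest.get("content_scripts", []):     # injected scripts run on these sites
        hosts.update(script.get("matches", []))
    # Manifest v2 mixes host patterns into "permissions" alongside API permissions.
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")

    findings = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    broad = sorted(h for h in hosts if h.startswith(BROAD_HOST_PREFIXES))
    if broad:
        findings["broad host access"] = "run on every site: " + ", ".join(broad)
    update_url = manifest.get("update_url", "")
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "from_web_store": isinstance(update_url, str) and update_url.startswith("https://clients2.google.com/"),
        "findings": findings,
    }


def audit_profile(extensions_dir) -> list:
    """Walk a Chrome profile's Extensions directory; one audit per installed version."""
    extensions_dir = Path(extensions_dir)
    if not extensions_dir.is_dir():
        return []
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        entry = audit_manifest(manifest)
        entry["id"] = manifest_path.parents[1].name    # the 32-character extension id
        results.append(entry)
    return results


# Constructed manifests for a stand-alone run: a narrowly scoped tool, and a "developer
# helper" that can read history and inject into every page, as the fake Postman could.
SAMPLE_MANIFESTS = [
    {"name": "Colour Picker (constructed)", "version": "1.0", "manifest_version": 3,
     "permissions": ["activeTab"],
     "update_url": "https://clients2.google.com/service/update2/crx"},
    {"name": "API Tester (constructed)", "version": "2.3.1", "manifest_version": 2,
     "permissions": ["history", "tabs", "storage", "<all_urls>"],
     "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
     "update_url": "https://clients2.google.com/service/update2/crx"},
]

if __name__ == "__main__":
    import sys
    live = audit_profile(PROFILE_EXTENSIONS.get(sys.platform, Path(".")))
    for a in live or [audit_manifest(m) for m in SAMPLE_MANIFESTS]:
        print(f"{a['name']} {a['version']} (installed from Web Store: {a['from_web_store']})")
        for perm, why in a["findings"].items():
            print(f"    {perm}: {why}")
```

Two caveats. `from_web_store` only says where the extension was installed from; the Postman clone came from the official store, so it is provenance, not a clean bill of health. And an extension with `history` or broad host access is not necessarily malicious; developer tools often need them. The audit tells you which extensions could ship your browsing history elsewhere, which is exactly the set worth asking questions about.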

"Understanding the data that you have, and the applications that you're using, and understanding how you can use these tools in a manner that protects you and others is key," Costlow says.

Agreed. Reduce your digital footprint. Practice restraint, for your own good, and for the good of the people and organizations you are associated with. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

MY TAKE: How ‘CASBs’ are evolving to close the security gaps arising from digital transformation

The Cloud Access Security Broker (CASB) space is maturing to keep pace with digital transformation.

Related: CASBs needed now, more than ever

Caz-bees first took shape as a cottage industry circa 2013 to 2014 in response to a cry for help from companies reeling from new Shadow IT exposures: the risk created by early-adopter employees, quite often the CEO, insisting on using the latest smartphone and Software-as-a-Service tools without any shred of security vetting.

A wave of acquisitions absorbed a half-dozen early CASB startups. One company still actively innovating as an independent CASB is San Jose, CA-based security vendor CipherCloud. I had the chance to visit with CipherCloud CTO Sundaram Lakshmanan at RSA 2019.

We discussed how the basic notion of flowing all data coming into a company’s network — from whatever device or web app — through a cloud gateway for security scanning has become elemental. For a full drill down, give the accompanying podcast a listen. Here are the key takeaways:

Shifting role

As with almost any security solution, the bottom line for CASBs is all about protecting the data — without detracting from users' experience, and thus eroding productivity. This is especially important within the cloud. CASBs began by closing glaring security gaps created by the rapid adoption of mobile devices and cloud tools. Quite naturally, that role is now shifting and expanding.

Now that CASBs have been around for half a decade, companies are figuring out how to use them to shore up specific silos within their IT and security teams. More enterprises are rethinking their internal processes, seeking a more centralized, convenient approach to securing web apps, Lakshmanan told me.

“At the end of the day, it is about business productivity and helping users get their job done,” he said. Enterprises are starting to understand that as they pursue velocity and scale, they also need to ensure a sufficient level of security.


Employers and employees like using the cloud, Lakshmanan pointed out, because it completely changes the paradigm of the user’s productivity. Everything they need is there. The security challenge, however, is now much more pronounced.

In the past, for example, companies could get away with weak or default passwords and depend on firewalls and other internal security tools to provide protection. That's all out the window with the cloud, where the login page is reachable by anyone on the internet; no wonder clouds are an increasingly favored attack target.

CASBs offer a security solution that spans cloud infrastructure and SaaS applications. "What it offers is a suite of enterprise controls to the SaaS and cloud applications, like deep monitoring, behavioral analytics, finding anomalous behaviors, checking for data leaks," said Lakshmanan.

Deepening services

The cloud presents a dual risk. It creates many more possible ways to get at a company's systems and data. What's more, threat actors have begun using cloud tools to carry out their malicious activities.

Many companies worry, for example, about the sensitive information that remains on the devices of employees who leave. Soon-to-be-former employees download a lot of intellectual property and contact information. Organizations need to protect the digital rights to this data, Lakshmanan observed.

A new CASB use case that's emerging is the capacity to apply digital rights management to sensitive data. It can apply encryption and other protections to data so that an employee has access when it is needed, and that access can be easily revoked.

CASBs can now protect access to the data, and to applications, thus providing protection from threats coming from the clouds as well as protection of data on individual devices.

Zero-trust philosophy

While the concept of zero trust is relatively new, it fits very well with CASBs’ approach to security. Zero trust, as defined by CSO, is “a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”

At the heart of zero trust is identity, said Lakshmanan. Prove to me who you are before you access anything. Wide reliance on SaaS tools and services has made that proof of identity more important than ever. Because organizations don’t own or control the infrastructure, trust levels are very low, and maintaining an adequate level of security is made much more difficult, he said.
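The controls Lakshmanan lists (monitoring, anomaly detection, data-leak checks) and the zero-trust rule of proving identity before anything is granted can be read as one ordered policy: deny by default, verify the user, refuse Shadow IT, keep confidential data off unmanaged devices, and treat a download volume far outside a user's own history as the departing-employee leak described above. The following is an added illustration of that ordering, not CipherCloud's product logic; the sanctioned-app list, the per-user baselines, the anomaly factor and the events are all constructed.

```python
"""
Illustrative CASB-style access policy, evaluated in zero-trust order:
identity first, then app sanctioning, then data classification vs. device posture,
then behavioral volume checks. Constructed data; not a vendor's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass

# Apps the enterprise has vetted; anything else is Shadow IT (constructed list).
SANCTIONED_APPS = {"salesforce", "box", "office365"}

# Typical daily download volume per user in bytes, learned from prior history (constructed).
BASELINE_DAILY_BYTES = {"alice": 20_000_000, "bob": 50_000_000}


@dataclass
class AccessEvent:
    ts: int                 # epoch seconds
    user: str
    app: str
    action: str             # "view", "download" or "share"
    classification: str     # "public", "internal" or "confidential"
    mfa_verified: bool      # identity proven for this session
    device_managed: bool    # device enrolled and posture-checked
    size: int = 0           # bytes moved by this action


@dataclass
class Decision:
    allow: bool
    reason: str
    alert: bool = False     # worth a security-team notification, not just a log line


class PolicyEngine:
    def __init__(self, sanctioned=SANCTIONED_APPS, baseline=BASELINE_DAILY_BYTES,
                 anomaly_factor=5, window=86_400):
        self.sanctioned = sanctioned
        self.baseline = baseline
        self.anomaly_factor = anomaly_factor   # multiple of the daily baseline that is "bulk"
        self.window = window                   # seconds of download history kept per user
        self._downloads = defaultdict(list)    # user -> [(ts, bytes)] of allowed downloads

    def _recent_download_bytes(self, user, now):
        recent = [(t, b) for t, b in self._downloads[user] if now - t <= self.window]
        self._downloads[user] = recent
        return sum(b for _, b in recent)

    def evaluate(self, ev: AccessEvent) -> Decision:
        # 1. Identity before anything else: nothing is trusted until the user proved who they are.
        if not ev.mfa_verified:
            return Decision(False, "identity not proven: MFA required")
        # 2. Unsanctioned SaaS is blocked outright and surfaced as Shadow IT.
        if ev.app not in self.sanctioned:
            return Decision(False, f"unsanctioned app: {ev.app}", alert=True)
        # 3. Data-centric control: confidential data only leaves to managed devices.
        if (ev.classification == "confidential" and ev.action in ("download", "share")
                and not ev.device_managed):
            return Decision(False, "confidential data may not leave to an unmanaged device")
        # 4. Behavioral check: cumulative download volume against the user's own baseline.
        if ev.action == "download":
            total = self._recent_download_bytes(ev.user, ev.ts) + ev.size
            typical = self.baseline.get(ev.user)
            if typical and total > self.anomaly_factor * typical:
                return Decision(False, f"{total:,} bytes in 24h is {total / typical:.1f}x "
                                       f"{ev.user}'s daily baseline", alert=True)
            self._downloads[ev.user].append((ev.ts, ev.size))
        return Decision(True, "allowed")


if __name__ == "__main__":
    engine = PolicyEngine()
    events = [AccessEvent(1000 + i * 600, "alice", "box", "download", "confidential",
                          True, True, 30_000_000) for i in range(4)]
    events += [AccessEvent(5000, "bob", "salesforce", "share", "confidential", True, False),
               AccessEvent(5100, "bob", "dropbox", "view", "public", True, True),
               AccessEvent(5200, "bob", "salesforce", "view", "confidential", False, True)]
    for ev in events:
        d = engine.evaluate(ev)
        print(f"{ev.user:6} {ev.app:11} {ev.action:9} -> {'ALLOW' if d.allow else 'DENY '}"
              f"{' [alert]' if d.alert else ''}  {d.reason}")
```

The order matters: an unverified identity never reaches the data rules, and the behavioral check runs last because it is the noisiest. Alice's first three 30 MB downloads pass, and the fourth is refused and alerted on because the day's total crosses five times her baseline; Bob's share from an unmanaged laptop is refused without any anomaly at all, and his view of the same record from that laptop is allowed, since the policy is about where confidential data can go, not who may see it.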

It is clear to me that, going forward, the policies and practices ushered in by CASBs are destined to become widely ingrained. Embracing zero trust and implementing flexible policies, practices made smarter over time with the help of machine learning, must run deeper in order for digital commerce to become as private and secure as it needs to be. It will be interesting to watch which direction CASBs take things. Talk more soon.



(Last Watchdog’s Sue Poremba contributing.)