We're selling cybersecurity insincerely, buying it indiscriminately, and deploying it ineffectively.
My goal with this column is to break down the communications surrounding the methods, services, and technologies that the information security industry offers up for the latest in protecting our businesses, our society. I'll take select briefings from vendors, exploring where their solutions best fit, how their solutions can be operationalized, and call the industry out when confusing, or otherwise misleading, messaging is put out for the world to see and hear. We're all sitting here at the edge - which direction will you take? Hopefully this column can help with that decision.
At the edge podcast series
Alex Horan from Onapsis shares ERP risk insights coming from continuous research his team does
During Black Hat USA, ITSPmagazine's Sean Martin had a chance to connect with Alex Horan from Onapsis. The two had an informative conversation surrounding the risks associated with critical business systems such as those found in the world of enterprise resource planning (ERP).
The main risk inherent in ERP systems - such as Oracle and SAP - is that they can be deployed, configured, and maintained in either secure state or an insecure state. The goal with the Onapsis research released is to provide visibility into these risks. Alex isn't just talking about risks associated with vulnerabilities and patch management; rather that plus how these systems are configured and monitored.
The biggest challenge, Onapsis finds, is that most organizations don’t look at these systems from a security perspective. Why? Alex notes that it’s usually a case of everyone thinking that everyone else has it covered.
Want to learn more about what these risks entail? Listen in as Alex shares some of the findings from their research and the impact these findings can have to the business.
Rick McElroy and Ashwin Krishnan speak w/ Sean Martin about focusing on the high value infosec items
During the Structure Security conference in San Fransisco, CA, Sean Martin, ITSPmagazine's editor-in-chief, catches up with Rick McElroy, security analyst for Carbon Black, and Ashwin Krishnan, SVP product management, strategy, and technical marketing at HyTrust.
Together they explore the idea that information security teams need to stop doing the low value tasks and focus on the high value activities that will make a difference. So, what does this mean, exactly? What do infosec teams stop doing? What do they start doing? How does automation and orchestration fit in?
Listen in to find out.
FunCaptcha's CEO chats with Sean Martin | Humans vs. Bots Online Battle - Most Of The Time We Lose
Consumers and business all over the world find themselves in an online struggle - one might even say they are in an ongoing, online battle; a battle that seems to be intensifying beyond our wildest dreams.
In today’s episode, we won’t be dreaming. Rather, we are going to be looking at some real-world examples where bots are playing the online game against humans and businesses - and are winning far more often than we would like.
To tell these stories, ITSPmagazine's editor-in-chief, Sean Martin, is joined by CEO and founder of Australian-based company, FunCaptcha, Kevin Gosschalk. Kevin's company is dedicated to solving the hardest of the hardest problems in identifying humans and bots.
During our chat, which took place during the OWASP AppSec USA 2017 in Orlando Florida, Kevin shares some real cases where the bots are winning. Legacy technologies are leaving companies open to bad bot activity, oftentimes ruining their business and certainly sticking the consumers with the financial pain and frustration when trying to transact online. As you’ll hear from Kevin, some of the largest companies around the world are tackling this problem head-on. Once you hear his stories, you’ll know why.
Listen in and enjoy.
CA Technologies' Mordecai Rosen talks digital transformation and the trust framework with Sean Martin
In today’s episode of At the Edge with Sean Martin, Sean has the pleasure of speaking with Mordecai (Mo) Rosen, Senior Vice President and General Manager of Cybersecurity at CA Technologies. During their chat, Mo tells us of his early days as a Unix kernel hacker at Bell Labs, later moving on to Sun Microsystems, and ultimately having his privileged access management company be acquired by CA technologies.
An identity expert through and through, Mo reminds us that, as an industry, we need to do our best to remove the friction from security, a goal he holds to the highest level as he and his team at CA work to build a trust framework designed to enable the digital economy. Mo has already done a ton to support some of the largest companies achieve their own digital transformation, but it’s clear from my chat with him that he has a ton more on his cybersecurity bucket list.
Have a listen, enjoy the chat, and you might just get inspired.
Shehzad Merchant from Gigamon says it's time for the defenders to take back their advantage
Bad actors are leveraging scalable frameworks and automation to attack their targets. On the other side, companies are still using human-based, manual processes to combat these attacks. The silos within the organization make this even more challenging for them, leaving them to fall behind and face the inevitable. Because of this, it seems the attackers hold the advantage against their targets. However, according to Shehzad Merchant, CTO for Gigamon, we have a chance to reverse the advantage back to the defender. The trick is to leverage the right technologies - such as machine learning + artificial intelligence + automation and orchestration. In order for this to work, however, we need to move from a prevention mindset to one of protection. Think his advice is to have your battles from the inside out using primarily human-driven means? If so, you might want to listen to Shehzad's interview during Black Hat USA 2017 with ITSPmagazine's editor-in-chief, Sean Martin. What he has to say here is short and sweet, but powerful. Enjoy!
William Dixon [Kroll] and Charly Bun [Rapid7] discuss Managed Security Service Providers [MSSPs]
William Dixon from Kroll and Charly Bun from Rapid 7 share some of their own horror stories about managed security service providers. What mistakes are made? What things are missed? What should the RFP look like? What are some of the common misconceptions? And… more importantly, how can these learnings be applied to making a better, more informed, decision when it comes to outsourcing security management for your organization?
Michael Schell, the Innovate Pasadena event organizer eloquently moderates the discussion (as he always does), drawing out interesting questions from the audience and key points from the 2 experts. While originally geared toward the SMBs, this conversation is spot on for companies of all sizes: small, medium, large, and enterprise.
Travis Smith, Principle Security Researcher at TripWire, continues his work on My Bro the Elk
Travis Smith, Principle Security Researcher at TripWire, continues his work on My Bro the Elk - working on it in the context of the small and medium sized businesses. Sean Martin, ITSPmagazine's editor-in-chief, originally covered this topic with Travis presenting a session during Black Hat 2015. This ended up being ITSPmagazine’s first on-publication article.
Travis is now focusing on the SMB market as they are a targeted entity and are often underfunded and understaffed. Travis' work with the new My Bro the Elk combines technologies to create insights, and combines them as part of what he calls the "Sweet Security" offering, which monitors network traffic while providing protection as well.
During our conversation, during Black Hat 2017 in Las Vegas, Smith also offers some core best practices, including network segmentation, which is handles virtually with the Sweet Security device. Goodness all around from Travis, for sure.
Interested parties can find the application stack here - is absolutely free - github.com/travisfsmith/sweetsecurity
Those interested in the first article on ITSPmagazine covering this topic can find it here.
Mounir Hahad from Cyphort Labs reminds us: the end goal is to protect our customers and users
Mounir Hahad, Sr. Director at Cyphort Labs connected with ITSPmagazine’s Sean Martin at Black Hat 2017 in Las Vegas.
During their conversation, Hahad reminds us all that the end goal for the industry is to protect our customers and provide a safe environment for the end users to conduct their business. With this in mind, Hahad also puts a call out to the industry at large to work together, suggesting that business and technical partnerships should not be limited to the behemoths that want to control the market nor the startups that are looking for a creative, partnership-driven means to enter the market. In other words, it’s going to require all of us to work together if we are to successfully tackle the problem of cybercrime.
As Mounir described the threat landscape for me, he noted that, while accessing malicious content via the web is still a prevalent threat, email seems to be the most common vector for delivery of malicious code - such as that found in some of the recent ransomware attacks. As organizations look to address the threat of ransomware, Mounir offered some fundamental recommendations to help them prepare for a pending ransomware attack: 1) back up your data safely offline, 2) employ a defense in depth model while not relying on a single technology for protection, and 3) patch, patch, patch.
Are We Selling - And Therefore Buying - Information Security Wrong?
Rick McElroy from Carbon Black and Ted Harrington from Independent Security Evaluators sit down with ITSPmagazine's Sean Martin to discuss threat modeling, infosec planning, cutting through the marketing noise, the need to trust but verify, the value of assess and measure, and how critical it is to focus on the things that matter.
Tim Jarret from CA Veracode talks about application security during Black Hat USA 2017
Tim Jarret, CA Veracode, talks about application security with Sean Martin during Black Hat USA 2017. What are the drivers behind organizations choosing to invest in application security and who should lead the application security program? How do companies get on top of the problem of insecure components being used in applications? Tim shares his thoughts with us, tying it all together with the Internet of Things and the impact connected devices have on society - due to the vulnerabilities introduced at the application layer.
Do you have a risk management champion at your company? Why not?
Having been a CISO for a fortune 100, a mid-tier enterprise, and a smaller 3rd-party vendor, Jack Jones of the FAIR Institute tells Sean Martin how organizations can successfully begin to approach risk and apply proven risk management principles. It all starts with a common set of terminology and is lead by a champion within the organization. As a CISO, proper risk management can be used to change the binary conversation surrounding InfoSec into one that leads the business toward better decision making and away from simply blaming a CISO for some cyber risk exposure.
Yuji Ukai & Pablo Garcia, from Tokyo-based endpoint security company, FFRI, from Black Hat USA 2017
Years after working with them at eEye Digital Security, Sean Martin connected with Yuji Ukai and Pablo Garcia, now working for Tokyo-based endpoint security company, FFRI. Yuji is the founder and CEO and Pablo is heading up all of the North American operations for FFRI. During our conversation. we discuss some of the challenges small and medium sized businesses face, with the pair offering some suggestions and tips for this massive group of organizations to consider.
The Moral Compass: Autonomous vehicles… whose life is worth more?
When software determines how autonomous vehicles behave - both in normal situations and in life-and-death situations - what can we expect as a society. What will these vehicles “know” about us, the other vehicles, and the the passengers in the surrounding area such that moral decisions can be made on the fly? Will we have control over this moral compass - or are we set to live in a world controlled by machines and software? Ashwin Krishnan, SVP of product and strategy at HyTrust chats about this new world with ITSPmagazine's Sean Martin.
Jeremiah Grossman chats with ITSPmagazine’s Sean Martin about security software guarantees
Jeremiah Grossman, Chief of Security Strategy at SentinelOne, chats with ITSPmagazine’s editor-in-chief, Sean Martin, about security software guarantees and the need to shift the minds, culture and expectations on both sides of the table during the security software purchasing process. How can companies connect the dots (and conversations) between the Chief Risk Officer, Chief Information Officer, Chief Security Officer, and Chief Financial Officer such that the company's security product purchases can have a direct impact on the types and levels of coverage required for their cyberinsurance policy? Listen in and hear how Jeremiah’s crusade to make security product guarantees part of every risk management and security management program will help businesses understand and mitigate their risk much more effectively and accurately.
To view the list mentioned in this podcast, please visit: blog.jeremiahgrossman.com/2017/02/info…rantees.html
Would you like to be notified when a new episode is posted?
How about upcoming ones and other news related to #AtTheEdge Podcast?
Well, problem solved. Subscribe to The At The Edge Mailing List.