All posts by Cindy Ng

[Podcast] Security and Privacy Concerns with Chatbots, Trackers, and more

Leave a review for our podcast & we'll send you a pack of infosec cards.

The end of the year is approaching and security pros are making their predictions for 2018 and beyond. So are we! This week, our security practitioners predicted items that will become obsolete because of IoT devices. Some of their guesses – remote controls, service workers, and personal cars.

Meanwhile, as the business world phases out old technologies, some organizations are embracing new ones. For instance, many organizations today use chatbots. Yes, they help improve customer service. But some worry that when financial institutions embrace chatbots to facilitate payments, cybercriminals will see an opportunity to impersonate users and take over their accounts.

And what about trackers found in apps bundled with DNA testing kits? From a developer’s perspective, all the trackers help improve the usability of an app, but does that mean we’ll be sacrificing security and privacy?

Other articles discussed:

  • The Australian government considers allowing firms to buy facial recognition data
  • Replay scripts that track the cursor

Tool of the Week: Sword

Panelists: Kilian Englert, Kris Keyser, Mike Buckbee

[Podcast] The Challenges and Promise of Digital Drugs

Recently the Food and Drug Administration approved the first digital pill: medicine embedded with a sensor that can tell health care providers – doctors, and individuals the patient approves – whether the patient has taken his medication. The promise is huge. It could ensure better health outcomes for the patient and give caretakers more time with the ones they love. What’s more, by learning more about how a drug interacts with the human body, researchers might find a way to prevent illnesses that were once believed impossible to cure. However, some security pros in the industry believe that the potential for abuse might overshadow that promise.

Tool of the week: Quad9

Panelists: Mike Thompson, Kilian Englert, Mike Buckbee

[Podcast] Privacy Attorney Tiffany Li and AI Memory, Part II

Tiffany C. Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes and speaks on the privacy implications of artificial intelligence, virtual reality, and other technologies. Our discussion is based on her recent paper on the difficulties of getting AI to forget.

In this second part, we continue our discussion of GDPR and privacy, and examine ways to bridge the gap between tech and law. We then explore some cutting edge areas of intellectual property. Can AI algorithms own their creative efforts? Listen and learn.

Top Azure Active Directory Tutorials

Remember a few years ago when security pros and IT admins were afraid to store business files in the cloud? Today, the circumstances are different. I recently spoke with an engineer who said he’s getting more questions about the cloud than ever before.

What’s more, according to Microsoft, 86% of Fortune 500 companies use Microsoft cloud services – Azure, Office 365, CRM Online, etc. – all of which sit on Azure AD. So it’s time we embrace the future and start learning about the differences between Windows Server Active Directory and Azure AD, and about Azure AD Premium, Azure AD Connect and more.

Yes, there are already many articles and books, but sometimes it’s helpful to have a human explain how things work. So this week I scoured hours of Ignite and TechEd videos and found the best Azure AD explainers. By the way, if you’re already using Office 365, you’re already using Azure AD. That seemed to be the (trick) question asked in almost every video.

Azure Active Directory, described four different ways:

This video also explains Azure AD, but it also provides background on the challenges that led to the creation of Azure AD: the enormous number of apps and the multitude of devices, and the need to maintain all sorts of credentials and connections to your SaaS applications.

I also really liked the Cloud App Discovery feature. You’re able to get a report of how many SaaS applications your users are using, which users are using them, and how heavily.

Azure AD Premium: If you’re curious about Azure AD Premium, this video is a demo of an enterprise that had data on-prem but started to move to cloud applications such as Office 365, Workday HR, Salesforce and marketing applications.

Azure AD Connect: The connector is a great tool for integrating your on-premises identity system with Azure AD and Office 365.

Azure AD best practices: It’s extremely helpful to learn from others: what worked, what didn’t, and the circumstances under which important, fundamental security and infrastructure decisions were made.

Authentication on Azure AD: Before federation, a user had to share their username and password with any application that they wanted to use services on their behalf. Users had to trust unknown applications with their credentials, had to update every application whenever their credentials changed, and once an application held your credentials it could do whatever it wanted with them. See what federation protocols, libraries and directories you’ll be using to authenticate on Azure AD, and 101 ways to authenticate with Azure AD.
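The federation point above is easier to see in code. The following is an added example written for this post, not code from Microsoft or from any of the videos listed: an identity provider signs a token for a user, and the application (the relying party) validates signature, issuer, audience and expiry before trusting it, so the application never handles the user's password and a token minted for some other application is rejected. To keep it self-contained and runnable offline it uses an HMAC-signed JWT (HS256) and constructed issuer, audience and key values; Azure AD actually issues RSA-signed tokens that you verify against the issuer's published keys, but the validation checks are the same.

```python
"""Federated sign-in as seen by a relying party, with the standard library only.

Constructed example: HS256 (shared secret) instead of the RSA keys an identity
provider such as Azure AD would publish; the issuer, audience and key below are
placeholders, not real tenant or application identifiers.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_ISSUER = "https://idp.example.test/"          # constructed issuer
APP_AUDIENCE = "api://example-app"                 # constructed app identifier
IDP_SIGNING_KEY = b"constructed-shared-secret-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_token(subject: str, audience: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """Identity provider side: the user authenticated here; the app only ever sees the token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def app_validate_token(token: str, key: bytes, now: int) -> dict:
    """Relying party side: accept the token only if every check passes.
    Raises ValueError naming the failing check so the caller can log it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not get to pick its own algorithm
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != APP_AUDIENCE:
        raise ValueError("token not issued for this app")  # a token for another app is not ours to accept
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Walk through a valid token and three rejected ones; returns the outcomes by case."""
    now = int(time.time())
    good = idp_issue_token("alice", APP_AUDIENCE, IDP_SIGNING_KEY, now)
    results = {"valid": app_validate_token(good, IDP_SIGNING_KEY, now)["sub"]}
    # Token minted for a different application: the audience check rejects it.
    other = idp_issue_token("alice", "api://some-other-app", IDP_SIGNING_KEY, now)
    try:
        app_validate_token(other, IDP_SIGNING_KEY, now)
    except ValueError as e:
        results["wrong_audience"] = str(e)
    # Claims edited after signing: the signature no longer matches.
    h, c, s = good.split(".")
    edited = {**json.loads(_b64url_decode(c)), "sub": "admin"}
    forged = h + "." + _b64url(json.dumps(edited).encode()) + "." + s
    try:
        app_validate_token(forged, IDP_SIGNING_KEY, now)
    except ValueError as e:
        results["tampered"] = str(e)
    # Same valid token presented two hours later: expired.
    try:
        app_validate_token(good, IDP_SIGNING_KEY, now + 7200)
    except ValueError as e:
        results["expired"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the algorithm and signature are verified before any claim is read, and the audience check is what stops a token issued to one application from being replayed against another, which is the property the pre-federation credential-sharing model could not offer.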


[Podcast] Privacy Attorney Tiffany Li and AI Memory, Part I

Tiffany Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes about the privacy implications of artificial intelligence, virtual reality, and other disruptive technologies. We first learned about Tiffany after reading a paper by her and two colleagues on GDPR and the “right to be forgotten”. It’s an excellent introduction to the legal complexities of erasing memory from a machine intelligence.

In this first part of our discussion, we talk about GDPR’s “right to be forgotten” rule and its origins in a lawsuit brought against Google. Tiffany then explains how deleting personal data is more than just removing it from a folder or directory.

We learn that GDPR regulators haven’t yet addressed how to get AI algorithms to dynamically change their rules when the underlying data is erased. It’s a major hole in this new law’s requirements!

[Podcast] Bring Back Dedicated and Local Security Teams

Last week, I came across a tweet that asked how a normal user is supposed to make an informed decision when a security alert shows up on his screen. Great question!

I found a possible answer to that question in the recent keynote by Runa Sandvik, director of information security at the New York Times, at the O’Reilly Security Conference.

She told the attendees that many moons ago, Yahoo had three types of infosecurity departments: core, dedicated and local.

Core was the primary infosec department. The dedicated group were subject matter experts on security who were still part of the infosec department but worked with other teams to help them carry out their activities securely. The security pros in the local group were not officially part of the infosec department; they were the security experts on another team.

Who knew that once upon a time dedicated and local security teams existed?! It would make sense for them to be the ones assisting end users with security questions, so why don’t we bring them back? The short answer: it’s not so simple.

Panelists: Kilian Englert, Forrest Temple, Matt Radolec

[Podcast] Rita Gurevich, CEO of SPHERE Technology Solutions

Long before cybersecurity and data breaches became mainstream, Rita Gurevich, founder and CEO of SPHERE Technology Solutions, built a thriving business on the premise of helping organizations secure their most sensitive data from within, instead of securing the perimeter against outside attackers.

And because of her multi-faceted experiences interacting with the C-Suite, technology vendors, and others in the business community, we thought listening to her singular perspective would be well worth our time.

What stood out in our podcast interview? While others are concerned about limited security budgets, Gurevich envisions more hands on deck in the field of information security. The reason: there are more, and more varied, threats, an oversaturated vendor marketplace, and a cybersecurity workforce shortage.

“What I see happening is that there’s going to be subject matter CISOs across the company; where there will be many people with that title that become experts in very specific domains.”

Also, while cybersecurity concerns are no longer as industry-specific as they once were, Gurevich does recognize that certain industries are more at risk than others.

She approaches all industries, with their varying degrees of risk and threats, compliance requirements, and disparate systems, in the same strategic way: by giving organizations visibility into their data and systems, what they need to protect, and how they need to protect it.


Cindy Ng: Long before data breaches became mainstream, Rita Gurevich, CEO of SPHERE Technology Solutions, built a thriving business on the premise of assisting organizations in securing their most sensitive data from within. And because of her multifaceted experiences interacting with the C-Suite, technology vendors and others in the business community, we thought listening to her singular perspective would be well worth our time.

Rita, you founded SPHERE in the wake of the 2008 financial crisis when you were just 25 years old. Can you tell us about the process behind how you started your business and what kind of services you provide?

Rita Gurevich: Absolutely, I started the company, essentially, on the collapse of Lehman Brothers. And after the bankruptcy, there were many different firms that bought different areas of Lehman. And I was put on a team to help figure out how to split apart all the different data and assets they owned.

So if you can imagine, up until that point, Lehman was super centralized. It was operating as one company, with lots of shared services.

And overnight, we essentially had to figure out who gets what.

So Barclays Capital bought a part of the business. Nomura bought a part of the business. Neuberger bought a part of the business. All these different financial services firms bought different business units from Lehman Brothers.

And what we had to do, was essentially a crash course on deep data analytics. We had to learn how to get a really quick understanding of who uses what, map that to different business entities, to figure out where it needs to go.

So that required a lot of tools, a lot of metrics. We built all these algorithms. And we had to do it almost overnight.

And soon after, a slightly traumatic time in the history of our country, I had a bit of an ‘aha’ moment when I decided to do some independent consulting.

I quickly built a business, and now we focus on cyber security. We have a niche around data governance, identity and access management, as well as privileged access management. And a lot of the experience that I gained at Lehman was very relevant for what I do now, because you essentially had to figure out how do I capture the information that’s necessary from my environment to create metrics and analytics that are relevant to making sure my information is secure, understanding who owns what, and even potentially preparing myself for some M&A activities.

Cindy Ng: And so, can you describe your work at Lehman Brothers and how you made the connection that it was important to start your business?

Rita Gurevich: Sure. So, during that time, during the bankruptcy, it was really all about data analytics. It was really about looking at all the different data, all the different assets that Lehman owned and figuring out, “Okay, who gets what?” So, if Barclays bought investment banking, how do you know what data belongs to investment banking? If Neuberger Berman bought investment management, the investment management business, how do you figure out what data belongs to investment management? So, it was all around going really deep into the data, and using the right tools to capture all the metadata, all the activity, so you can gain an understanding of who’s using it, who owns it, and where does it need to go.

So, at that time, not a lot of companies were doing that, and there wasn’t really a lot of need to do that at the time. But around 2008-2009, there was just so much movement within financial services. And there was so much happening in terms of companies going bankrupt, being acquired by other companies, all these different businesses kind of spinning up, and changing, and moving hands that this concept became a lot more relevant. So, when I started the company, it really was around selling myself and my experience that I learned, which was very unique at the time. But over the course of not a very long amount of time, probably two years or so, the focus definitely shifted.

So, initially I was talking to infrastructure people, I was talking to operations people, and I was talking about data analytics. And while it was definitely a nice-to-have, and people cared about it, budgets were really tight. We’re still knee-deep in one of the worst recessions in our country. So where are the budgets, where are people focusing, where are, you know, the executives and the board members, you know, allocating resources? And that was for information security. So around 2009-2010, I think the concept of data breaches became a lot more relevant. It became more, kind of, a commonly used word. Companies were starting to actually hire chief information security officers. They were starting to look at data analytics from a security perspective. They wanted to get a better handle to prevent data getting into the wrong hands, and that’s when I shifted the focus from data analytics to data security. And I think that was monumental for me, because really that’s the premise of what my company does today around the data governance program that we implement.

So I think that my experience at Lehman was definitely a blessing in disguise, but I think that probably anybody that was focusing on data analytics, even tangentially, started to think about data security as well.

Cindy Ng: You were 25 when you first started your business. A lot of your college cohorts were still on their first, second, or third job. Was that relevant, or did you look at the opportunity and run with it?

Rita Gurevich: I think that my age was probably one of my biggest challenges when it came to starting my business and definitely in the earlier years. And you can only imagine, you know, a 25-year-old walking into a managing director’s office, and essentially telling them that they can do a better job than his team can do. That’s a really difficult thing to say, and you gotta prove it. So, once you actually start working for them, you better do a good job, which luckily I did and my team did. But as I compare to my other college cohorts, I actually think that because I went to Stevens Institute of Technology, in Hoboken, New Jersey. My business is in Jersey City. My customers are international, but quite a few of them have headquarters in this kind of tri-state area. A lot of my college peers went on to work at all these different companies that could be potential customers at Sphere. So, I think actually it created an opportunity for me because it opened the door to have the right conversations with people in technology to explain, you know, what I’m working on, and what I’m doing.

And, you know, part of having a successful business is not just a good idea, but it’s having people that you can actually sell to, having a relevant problem that’s gonna help people in their professional careers and their professional lives. So I think that my relationship from school and being not so far off from graduating college helped more than hurt. But also from the Lehman bankruptcy, like I mentioned earlier, it was a time where there was a lot of movement, and a lot of people went to all sorts of different firms on the street. And it was different than how it used to be in the past, where people stayed at the same company for a really long time. That movement essentially for me, created an overnight network, where I was able to kind of leverage people that I knew and had worked with for a handful of years across all sorts of different companies within the demographic that I was targeting. So, yeah, I think that the age was definitely sometimes a challenge, but I actually found ways to have it be a benefit as well.

Cindy Ng: But in terms of age, it’s almost non-relevant as long as you have a value proposition, and people are interested.

Rita Gurevich: That’s a really, really good point. So, there’s kind of two aspects to it, right? So, if you have something interesting to say, that’s great, but the way you communicate that message is almost more important, and there has to be a confidence in the way that you present the problem that you’re solving and your solution that’s going to set you apart from others that are knocking on the same people’s doors, maybe for different areas, but are competing for the attention of the people that you’re trying to get in front of. So, I call that, you know, learned confidence. I can’t honestly say that at 25 I felt like I knew everything. I knew I didn’t, but you have to be able to present yourself in a way where the person on the other side of the table knew that, even if you don’t know the answer, you will figure it out, and the other part of that is perseverance. You have to make sure that you continuously have your goals in mind and push forward.

You know, I mentioned that my company focuses on security, and while that’s still relevant and even in 2008, 2009, 2010, it was also very relevant. You can imagine that the people that are in charge of security at these companies have lots of vendors, and lots of partners, and lots of even internal people, knocking on their door vying for their time. So you have to just make sure that your message comes across strong and that, again, there’s a confidence in your approach, and you will deliver when push comes to shove.

Cindy Ng: And when you talk about your learned confidence, when a meeting didn’t go as planned, or a presentation didn’t go as planned, what was your self-talk like?

Rita Gurevich: That’s a great question. So I’ve learned that you have to listen more than you speak. You’re going to learn a lot through osmosis. Just by being in a room, where the conversation is happening. You’re just going to learn and get better. Sometimes, it’s just echoing a common opinion or a common sentiment that the other person has on the other side of the table, and reaffirming them that you’ve also experienced the same problem that they’re sharing. Or you’ve seen it somewhere else. Or you’ve solved that problem with a peer of theirs. So I think that learned confidence isn’t necessarily about having memorized a specific compliance requirement or a specific way of doing some task. It’s more about doing a thing more logically. And if you don’t know, it’s okay not to know. Just make sure your follow up and follow through is there. No one expects experts. Data security and cybersecurity as a whole is a very new area. Everyone is learning as we go. It’s all common knowledge. But it’s can you think of solutions in a creative way and that you’re solving the problems that people are having. And sometimes, it’s not reinventing the wheel. Sometimes it’s solving an existing problem in a smarter and more scalable, and a more efficient way. I’ve learned that by failing sometimes. You don’t have to come up with an idea that no one thought of. You just have to come up with a more practical way of doing things sometimes. And the other bit of advice and something that I really believe in is becoming kind of a master of some things. So, instead of the “jack-of-all-trades”, focusing in on something and becoming really good at it, and, you know, that’s what I did. So I call Sphere a cybersecurity company, but we’re actually pretty niche. We focus on internal threats, and we specifically focus on putting controls on your data, your systems, and your assets.

So, it’s a very kind of narrow piece of the pie when you look at cybersecurity as a whole, but that allows my team, and that allows me to train new personnel really, really effectively because you can hone in on very specific topics. You can give real world examples of very specific things, and people can really start to grasp, you know, the complicated challenges that we’re solving, but also think of them in a more simplistic, logical way.

You know, all these technology challenges from data breaches and around, you know, hackers and all that, it feels very complicated. It really does, but when you break it apart and remove the technical jargon, the problems and the reasons these things are happening are not overly technically challenging problems. A lot of them are profits driven, they’re people driven. They’re not necessarily about, you know, the right configuration of a tool within, you know, this specific domain. It’s a much more kind of systematic issue. So, I think when you start to gain an understanding of this base, you start to figure that out pretty quickly.

Cindy Ng: On top of starting your business at a really young age, there aren’t a whole lot of females in the industry, and we talk a lot about women in tech, but, you know, I wonder how can men join the conversation, because they coexist with us on this planet, and I wanted to hear your perspective in how we can enlist men as allies in our industry?

Rita Gurevich: I definitely get asked a lot about this topic, because, you’re right, there’s not a lot of women in tech, and to be honest there’s not a lot of women CEOs either, so you kind of merge women, tech, CEO. I guess I’m a little bit of an anomaly, but I’m hoping that’s not for very long. I think honestly we need to stop caring that the person that’s joining the conversation is a woman, and we know that there’s going to be equality, and we’re not forcing that distinction. And I think more and more women are getting involved in technology early on. And technology is part of nearly every child’s life right now independent of gender, and I think that naturally, maybe over the next 10 to 20 years, it’s gonna cause dramatic shifts in ratios in the tech workplace.

And I really think that tech is going to be an early adopter of inclusiveness of women and inclusiveness across the board. Technology is very interesting because it’s analytical thinking, it’s problem solving, researching. Definitely mixed in sometimes with creativity and out of the box thinking. Maybe I’m partial, but I think these are natural traits of women, and in the end if you work for a big company, managers want successful teams, and their managers want successful orgs, and women will rise through the ranks as there’s just going to be more of them in the running.

Unfortunately, I think that other industries are not as fortunate. And I bring up two specific women whenever I talk about this topic.

One, I met at a panel I was on, “Women In Engineering,” and she’s a civil engineer at a big company, and she works a lot with construction companies. And once she’s on a job site, she’s like they assume that she’s a secretary, and even when she explains herself they just don’t listen to her, and they won’t take direction from her. And she’s expressed how difficult it is for her to advance and these are challenges that have nothing to do with brains, with smarts, with experience. It’s really a people problem, and I don’t envy that. You know, I struggle with even thinking about how do you adjust that mentality.

Another example is a woman that I met as part of the EY Entrepreneur Of The Year Program, which I was on as to be recognized as well there. But she owns a liquor company and half of her job is in a warehouse, and the employees are chain-smoking, they’re, you know, a bunch of old men, no offense to old men, but they kind of act like they’ve never seen a woman with any level of authority before. And it’s sad, and, you know, I’m very fortunate that I work in an industry where technology is definitely going to be on the forefront of diversity and inclusiveness, but you look at some of these other industries, and you hope that they’ll follow suit. You know, hopefully sooner rather than later as more women in general are joining the workforce and taking on careers that aren’t traditionally careers that women participate in.

Cindy Ng: So, let’s go back to the technology, and you work with many different sectors, retail, energy, hospitals, financial. Can you speak to the different industries and what their concerns are regarding security?

Rita Gurevich: I think this is the first time ever that concerns are not as industry specific as they used to be. And I think that’s also due to just the times that we live in. I mean, everybody now cares about cyber security, people are starting to understand how this affects them personally, how it affects them professionally. You know, a year ago, nobody in my family understood what I did for a living, and now, even my grandmother gets it. You know, anytime that there’s like a breach in the news or on the front page of the paper, she’ll call me, and she’ll say, “Too bad they didn’t have Sphere”. It’s pretty cute, but I think that just shows that the concept of data breaches and cyber security is part of everybody’s lives. The expectation is that everybody’s going to be involved, and anybody is up for grabs to be affected. And I think the Equifax breach is just a prime example. I mean, it was on every news channel, we all know that half the country was affected by this. You think about how many people had to, you know, read their credit or react to that event. It’s becoming just common sense that every company, every industry needs to focus on this.

So, sometimes I think that the challenges experienced within the individual industries are scarier than others. So, we all know about financial firms. They’ve been the targets and on the front page of papers for a long time. But if we look at hospitals for example, that can be really scary. So, I’ll give you another anecdote, I love these examples. I use a lot of them, but this one specifically that comes to mind was a panel at an event that we sponsored, and we had a group of CISOs in the front of the room. One of them was a woman, and she was the CISO of a big hospital network, and she explained ransomware and how it affects hospitals differently than, you know, a bank or somewhere else. And she explained, “Imagine you’re a patient about to go into surgery, and the hospital has an attack, and your patient files are now locked down, and you have to now pay ransom in order to get them back, and you’re back going to surgery, the doctors need these records”, and this sounds like a very sci-fi example, and you’re like “that doesn’t really happen”, but it really happens, and that’s how it happens. It’s not even that our wallets are being impacted, it’s our health, it’s our lives, it’s how we receive healthcare is affected by cyber crime. It is so close to home for every single person in the world that I think the industry is just going to massively change. And I think we’re gonna start to see that almost immediately because it’s just such commonplace knowledge. It’s industry wide, it’s not industry specific, and, again, it’s not just our wallets that are affected, it’s our health.

Cindy Ng: A lot of the problem previously and maybe even now that IT pros are having trouble connecting with the C-Suite, and I’m wondering after the breach, after the ransom, where are CEO’s and individuals in the C-Suite getting more involved in cyber security? What are your recommendations when you’re speaking with the C-Suite versus the IT pros, because you’re kind of like a conduit between the two different channels?

Rita Gurevich: I think the C-Suites, primarily the CISO, has a very different job now than maybe they used to. Honestly, I don’t envy CISOs right now. You have a bad breach, your whole background is going to be on the front page of the paper. It’s not just that your company will get fined. Your background, your history, where you work, what your college major was is going to be out there for everyone to dissect and criticize, okay? That is not a position that most people are comfortable with. So I think CISOs now more than ever recognize that the job that they chose and the career that they chose has to be proactive. They have to be on the front lines. They have to think about things in smarter ways. So, I think that we’re going to see a shift in CISOs where it’s going to be the best of the best of the best. I think that a lot of companies took for granted the need for highly skilled leaders within information security, and they’re starting to see companies and what happens to them once a major attack occurs, and I think that is going to change.

Now, the other challenge was, I think with companies is that many of them placed one person at the helm, and they started to build out these teams, and honestly, it’s not enough. There are way too many threats. There are way too many options. There are honestly way too many vendors that are potentially offering options for one person to be making those decisions. So, what I see happening is that there is going to be subject matter CISOs across the company, where there’s many people with that title that become experts in very specific domains. So, I think that information security, potentially in terms of employee count, is going to eventually exceed all of just general IT, because I think that that’s becoming more of a priority than up time and availability of systems: making sure that the internal people aren’t doing things that they shouldn’t be doing, and that you’re doing everything in your power to prevent anybody from the outside getting in that shouldn’t be getting in.

Cindy Ng: It’s been said that information security is really just compliance but not security. Is that ball thrown out the window after people have realized how serious information security is?

Rita Gurevich: That’s a great question. I’m gonna give you another story. I was on the phone with a CISO, he’s the CISO of one of the largest manufacturing companies, and we were talking about his agenda for the year. And he recently started at that company and was told that his mandate was compliance, and maybe this is because the company struggled with compliance in the past, but he immediately said if my mandate is compliance, I don’t want the job. You know, that is not what I should be focusing on. And the challenge with focusing solely on compliance as he put it, is that actually leaves you more exposed. Compliance is about a checklist and often that checklist is very subjective, and often the people who are verifying whether you’ve completed that checklist are ranging in levels of expertise. I mean we have customers that are the 1000 person shop all the way to the 100,000 person shop, and we as outsiders can see the difference in caliber of the people that are coming in from the outside from the regulatory bodies checking on them is vastly different. Just because you’ve checked the box, it doesn’t mean that you have good security. And it’s good security that’s going to minimize your risk. And you have to think about security first. If you think good security will drive compliance and not the other way around, you’re still going to achieve the goal of good compliance, but you’re also going to put the right preventative controls to minimize a data breach or some other cybercrime.

Cindy Ng: Let’s talk more about your company, SPHERE. I wonder what the mission of your company is?

Rita Gurevich: The mission of SPHERE is to help companies take control of their data, their systems, and their assets. What that means is to give them the visibility that they need, understanding what they have, what they need to protect, and how they need to protect it. Along with giving them a SWAT team approach, helping them remediate issues that they have. And also put tooling in place to allow them to manage their environments effectively, in house. A lot of companies have no idea where to start, in terms of looking at data governance. They have no idea what needs to be remediated or fixed or how IAM workflows work. Or they have no idea what threats privileged accounts are posing for their organizations because they don’t have threat level visibility. And once we get them the visibility, a lot of times they need a one time SWAT team approach to clean up the environment. And it’s something that we also do. And we also partnered with different vendors, and obviously Varonis is one of the most strategic partners we’ve partnered with. We offer tooling to help people manage their environment on their own with their own resources long-term. We also have our own solution called, “Sphereboard”, which integrates with Varonis, along with a handful of other best of breed technologies to provide a single pane of glass to your data, your systems, and your assets.

Cindy Ng: So, you don’t curate a list of vendors for your different clientele to meet their needs? It’s more like here’s what we know all companies need. Here’s what we can provide for you. Because sometimes your clients don’t know that certain technologies might exist, you’re essentially giving them one panel of “here’s everything you need to know.”

Rita Gurevich: Yeah, that’s exactly right, and we’re by no means a VAR where we have a portfolio of, you know, 100 different products, and then we switch them out as we need to. We really invest in the relationship that we built with our partner network, and with the companies that we’ve integrated our solution with, and that’s important because you need to have consistency. And if you want a solution to be sticky, it has to be relevant, and it has to answer the right, the right questions, and there has to be a history of that company doing things the right way. There’s going to be a lot of disruptions within this industry, and there’s going to be a lot of companies that are coming into the space. They’re offering really cool widgets and gadgets and all that good stuff that probably aren’t going to be around in a year or two. That’s just the nature of entrepreneurship and innovation, but there are going to be plenty of those that come around and stick around, but the relationships that we formed and the partners that we’ve worked with are ones that we’ve been working with now for a really long time, way before anyone even thought something like Equifax could happen. So, we’ve been solving this problem way before it was cool, and we’re gonna continue to offer that, and be more innovative, and continue to solve problems for our customers.

Cindy Ng: Have you ever figured out in speaking with, say like, after 10 vendors, you realize, “Oh, we’re missing X, Y, and Z products, and I’m gonna go find a vendor to see if there’s anyone I can work with?”

Rita Gurevich: Yeah, at times, but I think it happens a little bit more naturally than that. I think that it’s first about the problem statement, so I’ll give you an example. The last area that we’ve added to our portfolio more officially is privileged access management, and, you know, our focus was, of course, on the traditional challenges with password vaulting and the such, but really from a Sphere perspective, we were noticing challenges of deploying those solutions in terms of understanding what privileged accounts exist in my environment, whether it’s in my Unix environment, on my Windows server, my databases, etc., and who owns those accounts, and who do I need to educate on a new way of working? So, it’s not necessarily about the products that will, you know, do password vaulting, or record sessions, or whatever the tools may do, it’s more about kind of the people and the process, and all the work that needs to be done ahead of that. So, I think our expertise comes with that. Now, there’s no doubt in my mind that CyberArk isn’t the leader in that space, and we decided to partner with CyberArk because of that. But, that being said, our solution for privileged access management is not just to recommend a tool, it’s to create a process, to create an end-to-end solution that includes a one time remediation effort. That maybe includes process change, that maybe includes training, that maybe includes, you know, health checks, and then, of course, there’s also the software element of this. Most companies cannot manage this manually. You need the right tooling, so there’s definitely tooling recommendations. So, I think looking at the problem end-to-end, the products and the vendors who we decide to work with for specific initiatives naturally fall into place.

Cindy Ng: What are upcoming plans for Sphere?

Rita Gurevich: Definitely growth in mind. I get bored easily, so, so growth strategy is always on the forefront of my mind. So, what we’re focusing on is a couple different areas. The first is geographical expansion. We opened up our London office this year. That’s going really well, and essentially just replicating the message here out there. There’s all sorts of requirements out there in terms of GDPR, and just overall data security that companies out there need just as much as they need here. Also, our products, so SPHEREboard is our baby. We came out with our product about two years ago, and it’s a culmination of just years of experience of being in the field from a services perspective, so just building more connectors, having more tools feed into that, and pumping out all sorts of really cool analytics for our customers to leverage. So, those are the two areas that we’re focusing on, and you’re gonna see a lot about Sphere in the next year.

Cindy Ng: Sounds great. Thanks Rita.

Why A Honeypot Is Not A Comprehensive Security Solution


A core security principle, and perhaps one of the most important lessons you’ll learn as a security pro, is AHAT: “always have an audit trail”. Why? If you’re ever faced with a breach, you’ll at least know what, where, and when. And some laws and regulations require audit trails as well.

To assist, there’s a smorgasbord of tools to help you monitor devices, systems, apps and logs. Since these tools monitor networks on a 24×7 basis, they generate thousands of log entries daily, often flooding admins with too much data. Beyond the reams of data, there are alerts, raising red flags and flooding in-boxes with SIEM and intrusion detection notifications.

I wonder if it just might be possible to miss the forest because of the trees?

Yes, these tools did what they were told – find this and that and another thing, trigger an alert – but with a deluge of alerts, it’s hard to pinpoint and identify what was important to investigate.

If everything is important to investigate, then nothing is important.

This is why honeypots became a beloved security tool and in some ways, patch the shortcomings of your existing monitoring tools.

What is a Honeypot?

A honeypot is essentially bait (passwords, vulnerabilities, fake sensitive data) that’s intentionally made very tempting and accessible. The goal is to deceive and attract a hacker who attempts to gain unauthorized access to your network. The honeypot is in turn monitored by IT security. Anyone caught dipping their paws into the honeypot is usually assumed to be an intruder.

Advantages of a Honeypot

Before we get into why a honeypot shouldn’t be your organization’s only security solution, let’s highlight a few reasons why they are a very effective security measure in IT, especially for learning more about who might be lurking in your environment.

With a honeypot, you can learn how the attacker entered the system, from where (e.g., the IP addresses the stolen data is being sent to and the attack is coming from), what’s being deleted or added (e.g., the attacker elevates his privileges to become an admin), the keystrokes a person types, and what malware is being used (e.g., a Trojan or rootkit was added to the system).

Alerts worth investigating – As mentioned before, IT is often bombarded with thousands of alerts a day, with little or no distinction between high- and low-level risks and threats. Whereas honeypots only log a few hundred events, making it easier for IT to manage, analyze, and act more quickly, and then to evict the intruder before further damage is done.

When it comes to honeypot alerts, beware of a different kind of false positive.

For instance, an attacker can create a diversion by spoofing traffic so that it appears to come from your production systems and is aimed at the honeypot. The honeypot dutifully logs the “attack”, steering your IT admins into investigating the wrong thing (why is a production server attacking the honeypot?) while the attacker gets on with the real intrusion somewhere else. Yes, hackers are clever!

Alternative to prevent ransomware – If you don’t have an automated file monitoring system, you can instead create a honeypot with fake files and folders and then monitor it regularly as, say, an alternative way of catching ransomware. Hey, why not try our home-grown PowerShell-based file monitoring solution?

Sure, you’ll have to enable native file system auditing, and turning it on for every share is a significant overhead on your systems. So scope it instead: create one accessible file share that contains files that look normal or valuable but are in reality fake, and enable auditing on that share alone.

Since, in theory, no legitimate user activity should ever touch a honeypot file share, any activity observed there is more likely to be an intruder and can be treated as a high-level alert. Once native auditing is recording access to the share, you can write a script that alerts IT whenever the corresponding events land in the Security event log (e.g., by pulling them with dumpel.exe).
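Here is that procedure as an added PowerShell example written for this page (it is not Varonis’s PowerShell file monitoring tool, nor code from the original post). It creates a decoy share, scopes native object-access auditing to that one folder via a SACL so the rest of the file system stays quiet, and polls the Security log for the resulting 4663 events. The folder path, share name, SMTP server and alert mailbox are assumptions, and the decoy file contents are constructed.

```powershell
# Added example (not part of the original post): a honeypot file share with native
# auditing scoped to that one folder, plus a poller that alerts on any access.
# Assumptions: the path, share name, SMTP server and mailbox below; run elevated on
# the file server. Decoy file contents are constructed and contain nothing real.

$HoneyPath  = 'D:\Finance_Archive'     # assumption: a name that looks worth opening
$ShareName  = 'Finance_Archive'
$AlertTo    = 'secops@example.com'     # assumption
$SmtpServer = 'smtp.example.com'       # assumption

# 1. Decoy folder and bait files. Nothing legitimate should ever read these.
New-Item -ItemType Directory -Path $HoneyPath -Force | Out-Null
'Q3 payroll export - CONFIDENTIAL' | Set-Content -Path (Join-Path $HoneyPath 'payroll_q3.csv')
'server,account,password'          | Set-Content -Path (Join-Path $HoneyPath 'admin_passwords.csv')

# 2. Expose it on the network so the bait is reachable from any workstation.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $HoneyPath -FullAccess 'Everyone' | Out-Null
}

# 3. Turn on the File System audit subcategory (a machine-wide switch), then put a SACL
#    on the honeypot folder only. Without a SACL no 4663 events are produced, so folders
#    that carry none stay quiet and the auditing overhead is limited to this share.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

$acl  = Get-Acl -Path $HoneyPath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ReadAttributes',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $HoneyPath -AclObject $acl

# 4. Pull 4663 (object accessed) events from the Security log and keep only those
#    whose ObjectName lies under the honeypot path.
function Get-HoneypotHits {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectName -like "$HoneyPath\*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                    Object  = $data.ObjectName
                    Access  = $data.AccessMask
                    Process = $data.ProcessName
                }
            }
        }
}

# 5. Poll once a minute. Any hit is a high-priority alert: no legitimate workflow
#    touches this share, so the usual alert-triage problem does not apply here.
$since = Get-Date
while ($true) {
    $hits  = @(Get-HoneypotHits -Since $since)
    $since = Get-Date
    if ($hits.Count -gt 0) {
        $body = $hits | Format-Table -AutoSize | Out-String
        Send-MailMessage -To $AlertTo -From "honeypot@$env:COMPUTERNAME" -SmtpServer $SmtpServer `
            -Subject "Honeypot share touched: $($hits.Count) event(s)" -Body $body
    }
    Start-Sleep -Seconds 60
}
```

To check it, read one of the decoy files from another host (`Get-Content \\<server>\Finance_Archive\admin_passwords.csv`); a 4663 carrying the reader’s account and process name should surface within the polling interval. Two caveats from the article apply: the `auditpol` switch is global, so any other folder that already carries a SACL will start logging too, and an insider who recognises the share as bait will simply avoid it.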

Potentially detect insider threats – Yes, it’s often assumed that any interaction with a honeypot is evidence that you’re a hacker. After all, there’s no reason for anyone to be there.

Depending on the setup, though, employees who trigger the alerts should not automatically be presumed guilty. In a litigious world, users may argue that the employer violated their privacy by collecting their personal data from the honeypot without their permission.

Trust, but verify.

On the other end of the spectrum, an insider is already behind the firewall, using the company’s account credentials and IP addresses, which makes malicious and/or disgruntled insiders hard to spot.


An insider might never use or interact with a honeypot and so it would be of little value as a research tool. Also, honeypots won’t work if the insider is aware of a honeypot or somehow discovers it. The insider will know how to avoid the honeypot, and as a result won’t log and trigger any activity.

Decrypted data – Organizations are beginning to encrypt their data in transit and at rest. After all, it’s suggested as a best practice and, for some, a compliance requirement. But technologies that protect our data, like encryption, also blind network monitoring tools to what’s actually being sent. That’s when honeypots are helpful: because the honeypot is itself the endpoint of the connection, the traffic is decrypted there, and the activity can be captured in the clear.

But, Honeypots Are Not A Panacea

Try security by design instead – Similar to penetration testing, honeypots are the opposite of security by design. In order to learn more about your organization’s environment, honeypots are often installed after the system is ready. It’s very much an educational exercise, where you bring machines in to tell you where you might be vulnerable.

A more proactive way of thinking about reducing risk and improving security is to conduct the testing before you release a product or new IT environment. Require the same of your IT environment as what you require of light bulbs, food, and buildings. That’s what security by design emphasizes – build security into every part of the IT management process, starting from very beginning of the design phase.

UBA, a better way to detect outsiders, insiders and ransomware – Once an outsider enters through legitimate public ports (email, web, login) and gains access as a user, they’ve become very clever at carrying out an attack that isn’t easy to monitor.

In fact, to an IT admin who is just monitoring their system activity, the attackers appear as just another user.

That’s where User Behavioral Analytics (UBA) can be really useful, even more effective than a honeypot!

UBA really excels at handling the unknown. In the background, the UBA engine baselines each user’s normal activity, then spots variances and reports them in real time, in whatever form they reveal themselves: outsider, insider or ransomware, they’ll be spotted. For instance, an IT admin can configure a rule to, say, spot thousands of “file modify” actions in a short time window.
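That rule, with a per-user baseline in front of it, as an added PowerShell example written for this page (not code from the original post or from any UBA product). Each user’s normal rate of file modifications is learned from a history of events, then a detection window is bucketed and any bucket far above that rate is reported. The event records are constructed here with the fields a Windows 4663 event provides (user, time, object); the window size, multiplier and floor are assumptions.

```powershell
# Added example (not part of the original post): a minimal per-user behaviour baseline
# over file-modify events, with a rule that flags bursts far above that baseline.
# Event records are constructed with the fields a Windows 4663 event provides; in
# production $live would be filled from the Security log instead.

function New-ModifyEvent {
    param([string]$User, [datetime]$Time, [string]$Object)
    [pscustomobject]@{ User = $User; Time = $Time; Object = $Object; Access = 'WriteData' }
}

# Constructed history (one workday): alice writes about 6 files an hour, bob about 4.
$t0 = Get-Date '2017-11-20 09:00:00'
$history = foreach ($h in 0..7) {
    foreach ($i in 1..6) { New-ModifyEvent 'CORP\alice' $t0.AddHours($h).AddMinutes($i * 9)  "\\fs1\finance\report$h-$i.docx" }
    foreach ($i in 1..4) { New-ModifyEvent 'CORP\bob'   $t0.AddHours($h).AddMinutes($i * 13) "\\fs1\eng\spec$h-$i.md" }
}

# Constructed detection window: bob is normal; alice's account rewrites 1,500 files in
# three minutes, which is what a ransomware encrypt-and-rename loop looks like in the log.
$today = Get-Date '2017-11-21 10:00:00'
$live  = @(foreach ($i in 1..3)    { New-ModifyEvent 'CORP\bob'   $today.AddMinutes($i * 15)   "\\fs1\eng\spec-new$i.md" }) +
         @(foreach ($i in 1..1500) { New-ModifyEvent 'CORP\alice' $today.AddSeconds($i * 0.12) "\\fs1\finance\doc$i.docx.locked" })

function Get-ModifyAnomalies {
    param(
        [object[]]$History,
        [object[]]$Window,
        [int]$WindowMinutes = 5,      # assumption: size of the detection window
        [double]$Multiplier = 10,     # assumption: flag at 10x the user's normal rate...
        [int]$Floor = 20              # ...but never for fewer than 20 writes in a window
    )
    # Baseline: each user's average number of modifies per window over the history span.
    $sorted  = $History | Sort-Object Time
    $minutes = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
    $slots   = [math]::Max(1.0, $minutes / $WindowMinutes)
    $rate    = @{}
    foreach ($g in ($History | Group-Object User)) { $rate[$g.Name] = $g.Count / $slots }

    # Detection: count the window's events per user in fixed-size time buckets.
    $bucketTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $counts = @{}
    foreach ($e in $Window) {
        $key = '{0}|{1}' -f $e.User, [math]::Floor($e.Time.Ticks / $bucketTicks)
        if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
    }

    # Rule: a bucket is anomalous if it exceeds both the floor and Multiplier x baseline.
    # A user with no history gets a baseline of 0, so any burst above the floor is reported.
    foreach ($key in $counts.Keys) {
        $user, $slot = $key -split '\|'
        $expected  = if ($rate.ContainsKey($user)) { $rate[$user] } else { 0 }
        $threshold = [math]::Max([double]$Floor, $Multiplier * $expected)
        if ($counts[$key] -gt $threshold) {
            [pscustomobject]@{
                User        = $user
                WindowStart = [datetime]::new([long]$slot * $bucketTicks)
                Modifies    = $counts[$key]
                Baseline    = [math]::Round($expected, 2)
                Threshold   = [math]::Round($threshold, 2)
            }
        }
    }
}

Get-ModifyAnomalies -History $history -Window $live | Format-Table -AutoSize
```

Against the constructed data, alice’s 10:00 window is the only bucket that crosses its threshold; bob’s three writes land in separate buckets well under the floor. The floor matters: without it, a user whose baseline is close to zero would be flagged by a handful of ordinary writes, which is exactly the alert flood the article warns about. Swap `$live` for 4663 events pulled from the Security log and the same rule runs against real data.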

Liable for damages if your honeypot gets hijacked – Yes, you’ll expect a honeypot to be probed and attacked, but you should also consider the potential for it to be exploited.

However, some honeypots introduce very little risk, such as low interaction honeypots. They’re easy to install and aren’t a fully functioning operating system that an attacker can operate on. They mostly sit idle, waiting for some kind of activity, capture very little information, and only alert you that someone has visited the honeypot and that you should go observe the activity.

Whereas a high interaction honeypot is much riskier. It’s a real operating system with services, programs and email, and it operates just like a real computer. It’s also more complicated to install and deploy, and it requires strategic placement: put it in the wrong place and you either increase the risk to your network as a whole or no attacker ever finds it.

However, your high interaction honeypot also captures more information: the IP address, in some cases the name of the individual, the type of attack and how it was executed, and ultimately how to better protect your network.

Keep in mind, instead of avoiding detection, an attacker can also feed fake information to a honeypot, leading the security community to make incorrect judgements and conclusions about the attacker.

Back to the hijack.

You will have a serious problem on your hands once a honeypot gets hijacked and used to attack, infiltrate, or harm other systems or organizations. Known as downstream liability, your organization could be held liable for damages.

You’ve been warned.

Be mindful of how you implement your honeypots, and choose your security solutions wisely. Honeypots are not a good substitute when what you really need is a system such as user behavioral analytics. Instead, honeypots add value by working alongside your existing security solutions.


[Podcast] The Moral Obligation of Machines and Humans



Critical systems once operated by humans are now becoming more dependent on code and developers. There are many benefits to machines and automation such as increased productivity, quality and predictability.

But when websites crash, 911 systems go down or when radiation-therapy machines kill patients because of a software error, it’s vital that we rethink our relationship with code and as well as the moral obligation of machines and humans.

Should developers who create software that impact humans be required to take a ‘do no harm’ ethics training? Should we begin measuring developers by the functionality they create as well as security and moral frameworks they’re able to provide?


Tool of the week: Assemblyline: Files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues.

Panelists: Kilian Englert, Kris Keyser, Mike Buckbee

The Difference between Windows Server Active Directory and Azure AD


Once upon a time, IT pros believed that the risks of a data breach and compromised credentials were high enough to delay putting data on the cloud. After all, no organization wants to be a trending headline, announcing yet another data breach to the world. But over time with improved security, wider adoption and greater confidence, tech anxiety subsides and running cloud-based applications such as Microsoft’s subscription-based service Office 365 feels like a natural next step.

Once an organization starts using Office 365, how does it manage AD? Windows Server AD or Azure AD? How are on-premises AD and Azure AD similar, and how are they different?

In this post, I will discuss the similarities, differences, and a few things in between.

What We Know For Sure: Windows Server Active Directory

Let’s start with what we know about Active Directory Domain Services.

First released with Windows 2000 Server, Active Directory Domain Services is essentially a database that helps organize your company’s users, computers and more. It provides authentication and authorization to applications, file services, printers, and other on-premises resources. It uses protocols such as Kerberos and NTLM for authentication and LDAP to query and modify items in the AD database.

There’s also that wonderful Group Policy feature to streamline user and computer settings throughout a network.

With so many security groups, user and admin accounts, and passwords stored in Active Directory, as well as identity and access rights managed there, securing AD is key to safeguarding an organization’s assets.

Now with emails, files, CRM systems and even applications stored in the cloud, can we be as confident they’re as safe as when they were in the company’s own servers?

A Whole New World: AD Service in the Cloud?

As new startups and organizations build their companies, they most likely won’t have any on-premise data and the huge shocker is that they also won’t be creating forests and domains in AD. I’ll get more into this later.

But organizations with existing infrastructure have already made a significant investment in on-premise infrastructure and will have to visualize a new way of operationalizing their business.

Why? Azure AD will likely be a key part of Microsoft’s future. So if you’re already using any of Microsoft’s online services such as Office 365, Sharepoint Online and Exchange online, you’ll have to figure out how to navigate your way around it. And it already looks like organizations are rapidly adopting cloud-based apps and are running them nearly 50% of the time.

What’s different in Azure Active Directory?

First, you should know that Windows Server Active Directory wasn’t designed to manage web-based services.

Azure Active Directory, on the other hand, was designed to support web-based services that use REST (REpresentational State Transfer) API interfaces for Office 365, etc. Unlike plain Active Directory, it uses completely different protocols (Goodbye, Kerberos and NTLM) that work with these services: protocols such as SAML, OAuth 2.0 and OpenID Connect.

As I’ve pointed out earlier, with Azure AD you won’t be creating forests and domains. Instead, you’ll be a tenant, which represents an entire organization. In fact, once you sign up for Office 365, SharePoint Online or Exchange Online, you’ll automatically be an Azure AD tenant, where you can manage all the users in the company as well as their passwords, permissions, user data, etc.

Besides seamlessly connecting to any Microsoft Online Services, Azure AD can connect to hundreds of SaaS applications using single sign-on (SSO). This lets employees access the organization’s data without repeatedly being asked to log in. The access token is stored locally on the employee’s device, and you can limit the window of access by setting token lifetimes.

For a list on free, basic and premium features, check out this comparison chart.

Introducing Azure AD Connect

For organizations that want to extend their on-premises directory into Azure AD, use Azure AD Connect. Note that it synchronizes identities (and optionally password hashes) from on-premises AD to Azure AD for a hybrid setup; it does not migrate or retire your on-premises domain. For a great tutorial on integration, read this how-to article.

And in an upcoming post, I’ll curate a list of top Azure AD tutorials to help you transition into a brand new interface and terminology.

With the move to Azure, we bid you farewell Kerberos, forests and domains. And flights of Microsoft angels sing thee to thy rest! 

[Podcast] The Anatomy of a Cybercriminal Startup



Outlined in the National Cyber Security Centre’s “Cyber crime: understanding the online business model,” the structure of a cybercrime organization is in many ways a lot like a regular tech startup. There’s a CEO, developer, and if there are enough funds, an IT department.

However, one role outlined on an infographic on page nine of the report that was a surprise and does not exist in legitimate businesses. This role is known as a “money mule.” Vulnerable individuals are often lured into these roles with titles such as “payment processing agents” or “money transfer agents.”

But when “money mules” apply for the job, and even after they get it, they’re often not aware that they are being used to commit fraud. So if the cybercriminals get caught, the “money mules” might also get in trouble with law enforcement: a “money mule” can expect a freeze on his bank account, face possible prosecution, and might be held responsible for repaying the losses. It might even end up on their permanent record.


Tool of the week: SPF Translator

Panelists: Mike Buckbee, Kilian Englert, Mike Thompson