

Log4j lesson: Cybersecurity defense isn’t just about tech



Aside from stolen data and money, perhaps the greatest impact of massive attacks like SolarWinds, Colonial Pipeline, and the current Log4j vulnerability is that people are beginning to realize that cyber attacks and cyber damages are inevitable. But while breaches have always been as sure as death and taxes, we can reduce the frequency and success of disruptive events, and control the degree to which they cause a negative impact.

Despite what most vendors and pundits will tell you, the answer isn’t simply “buy more tools.” Though technology and tooling play a valuable role in protecting an organization, we don’t talk enough about the non-tech tactics businesses can take to improve their security stance. Based on my experience as a CISO and a former incident responder, I want to offer advice on practices I think IT and security teams should consider in order to reclaim control and take a more proactive approach to cybersecurity.

Best practices to consider

1. Build a diverse team

The security industry is largely homogeneous. For example, women make up only 20% of the information security workforce. Women and minority groups are wildly under-represented in the field, and that needs to change not only to help relieve the skills shortage but also to create higher-performing teams. You don’t want a group of people with similar backgrounds who think the same way. By bringing in a more diverse group of people, you’ll have more perspectives: people who will challenge your assumptions and introduce new ways of thinking. In a fast-moving, always-changing field like cybersecurity, that’s exactly what you need.

This work starts in the hiring process. Aim to foster a talent pipeline that’s diverse across gender, age, experience, education, geography, race, and orientation. And if you’re still clinging to the fear that prioritizing diversity could lead to “missing out” on more qualified candidates, it’s time to let go. There are plenty of incredibly qualified diverse candidates; you just need to put in the effort to find them.

Lastly, consider whether you need to hire security practitioners (those with existing experience or relevant degrees), or whether you can hire adaptable critical thinkers and provide the necessary “cyber” training. Expanding your aperture for what counts as a “qualified” candidate, especially for more junior roles, will yield a far more diverse workforce.

2. Don’t be afraid to outsource

The skills gap in cybersecurity has been discussed for years, but unfortunately, it’s only becoming more acute. Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs by the end of 2021. I know that those in the infosec field are notoriously paranoid and distrustful — those traits are often beneficial in our line of work! — and want to keep as much work in-house as possible. But my advice, especially to smaller organizations, is to strongly consider bringing on a managed service provider to help bolster your team. Organizations cannot allow themselves to be short-staffed in IT and security roles, and MSPs offer a quality complement to your existing team. The key is vetting candidates thoroughly: get peer references, confirm the MSP has a proven security practice of its own, and retain enough knowledgeable internal talent to exercise oversight of the outsourced services.

3. Train like you fight

Tooling is important, but nothing is more important than your people on the ground. Based on my experience as a security engineer and investigator earlier in my career and now as a leader, you need to train like you fight and fight like you train. The most critical skills to train for are incident response and crisis management. Red team/blue team, capture the flag (CTF), and tabletop exercises are excellent simulations to help you do this. In addition to testing the strength of your organization’s security capabilities, these exercises can tell you a lot about your team. Who is good under pressure? Who emerges as a leader? How does your team adapt and communicate when faced with obstacles? Perhaps most importantly, where do you have gaps in your existing plans? From there, you can organize your team in a way that leaves you best prepared if and when a real attack takes place.

Assumptions to (re)consider

The three points above are practices that can help organizations improve their cybersecurity posture. Additionally, I believe it’s necessary to evolve some of our outdated cybersecurity assumptions, including the following tired tropes we need to retire this year.

  • “Security is everyone’s job” — This is true in many respects. Every single employee must be vigilant and play an active role in ensuring a more secure enterprise, but we do very little to help people contextualize their role in security. Most people don’t see themselves as targets because they’re not “important enough,” when in reality they might just be a convenient path to attack the ultimate victim. We also need more people whose sole job is cybersecurity. The skills shortage is an existential threat, and it should be a CEO and board priority to hire, recruit, and retain as many cybersecurity professionals as possible in 2022.
  • “People are the weakest link” — People are attack entry points and do make mistakes (like clicking on phishing emails, which is unfortunately still too common), but this argument overlooks and de-emphasizes the many weaknesses and vulnerabilities in hardware and software. How many security updates has Zoom or Microsoft issued in the last month, for example? Answer: A lot. Employees are still our greatest protectors in many cases, so don’t disempower or shame them. Let’s compassionately provide employee cyber education training, and not turn a blind eye to other weak links in the chain. 

The hypercompetitive cybersecurity industry often devolves into “silver bullet” promises that X or Y solution alone can “save your organization.” Technology is imperative to cybersecurity, and there’s incredible innovation being done by vendors that will help businesses protect their infrastructure, assets, employees, and customers. But remember that technology alone is insufficient. Building a proactive, effective cybersecurity playbook will always boil down to people and practices.

Chris Hallenbeck is Chief Information Security Officer for the Americas at Tanium. He previously worked at the U.S. Department of Homeland Security’s US-CERT, where he designed and built incident response capabilities and restructured the team’s focus toward strategic remediation with a goal of building more resilient organizations. Prior to that, he worked for RSA Security as a security engineer and with AOL/Time Warner on their global incident response team.



Snowflake 101: 5 ways to build a secure data cloud 



Today, Snowflake is a go-to platform for all things data. The company started as a simple data warehouse platform a decade ago but has since evolved into an all-encompassing data cloud supporting a wide range of workloads, including that of a data lake.

More than 6,000 enterprises currently trust Snowflake to handle their data workloads and produce insights and applications for business growth. They jointly have more than 250 petabytes of data on the data cloud, with more than 515 million data workloads running each day.

At this scale, security concerns are bound to arise. Snowflake recognizes this and offers scalable security and access-control features covering accounts, users and the data they store. Organizations can still miss certain basics, however, leaving their data clouds only partially secured.

Here are some quick tips to fill these gaps and build a secure enterprise data cloud.


Intelligent Security Summit

Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.

Register Now

1. Make your connection secure

First of all, all organizations using Snowflake, regardless of size, should connect only over TLS and from trusted networks to limit network-level threats. According to Matt Vogt, VP for global solution architecture at Immuta, a good way to start is connecting to Snowflake over a private IP address using the cloud providers’ private connectivity, such as AWS PrivateLink or Azure Private Link. This creates private endpoints that allow direct connectivity between your AWS/Azure virtual networks and Snowflake’s without traversing the public internet. In addition, Snowflake network policies (IP allow and block lists) can be applied to the whole account and, more tightly, to individual users such as third-party integrations and service accounts, further strengthening security.
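As an added illustration (not code from the article or from Snowflake’s documentation), the following Snowflake SQL applies the IP-filtering layer described above: an account-wide network policy, a tighter per-user policy for a service account, and the checks to confirm what is active. The CIDR ranges are RFC 5737 documentation addresses and the policy, role and user names are hypothetical.

```sql
-- Added example: Snowflake network policies (account-wide + per-user) and verification.
-- IP ranges below are RFC 5737 documentation addresses; names are hypothetical.
USE ROLE SECURITYADMIN;   -- CREATE NETWORK POLICY needs SECURITYADMIN or higher

CREATE NETWORK POLICY corp_and_etl
  ALLOWED_IP_LIST = ('203.0.113.0/24',      -- office egress range
                     '198.51.100.10')       -- ETL host
  BLOCKED_IP_LIST = ('203.0.113.66')        -- a host on the office range that must never log in;
                                            -- blocked entries override allowed entries
  COMMENT = 'Account-wide allow list; service accounts get tighter per-user policies';

-- Apply account-wide. Snowflake rejects this statement if the IP you are connecting from
-- is not itself in ALLOWED_IP_LIST, which prevents locking yourself out.
ALTER ACCOUNT SET NETWORK_POLICY = corp_and_etl;

-- A loader account should only ever connect from the ETL host, so pin it further.
-- A user-level policy takes precedence over the account-level one for that user.
CREATE NETWORK POLICY etl_only
  ALLOWED_IP_LIST = ('198.51.100.10');
ALTER USER svc_etl SET NETWORK_POLICY = etl_only;

-- Verify what is in force at each level.
SHOW NETWORK POLICIES;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER svc_etl;

-- PrivateLink: after the account has been authorized for your VPC, connect to the private
-- hostnames returned here instead of the public *.snowflakecomputing.com endpoint.
USE ROLE ACCOUNTADMIN;
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
```

One caveat when combining the two controls: connections arriving over PrivateLink present the client’s private (VPC) address, so the allow list must include those private ranges, not only the corporate public egress range, or the PrivateLink clients will be refused.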

2. Protect source data

While Snowflake offers multiple layers of protection, like Time Travel and Fail-safe, for data that has already been ingested, these tools cannot help if the source data itself is missing, corrupted or compromised (for example, maliciously encrypted for ransom). This kind of issue, as Clumio’s VP of product Chadd Kenney suggests, can only be addressed by protecting the data while it is resident in an object storage repository such as Amazon S3, before ingest. Further, to protect against logical deletes, it is advisable to maintain continuous, immutable and preferably air-gapped backups that can be quickly re-ingested through Snowpipe. Bear in mind that Time Travel retains history for only one day by default (configurable up to 90 days on Enterprise editions) and Fail-safe adds a fixed seven days beyond that, so the in-platform safety net is short unless the retention period is deliberately raised.

3. Consider SCIM with multi-factor authentication

Enterprises should use SCIM (System for Cross-domain Identity Management) to automate provisioning and de-provisioning of user identities and groups (i.e. roles used for authorizing access to objects like tables, views and functions) in Snowflake. This keeps the identity data in the identity provider, reduces reliance on local Snowflake accounts, and means a leaver removed from the directory is removed from Snowflake too. Where possible, enterprises can configure Snowflake’s SCIM integrations to synchronize users and roles with their Active Directory or Okta users and groups.

On top of this, enterprises should also enforce multi-factor authentication as an additional layer of security. Depending on the interface used, such as client applications using drivers, the Snowflake UI or Snowpipe, the platform supports multiple authentication methods, including username/password, OAuth, key pair, external browser, federated authentication using SAML, and Okta native authentication. Where several methods are available, Snowflake recommends giving top preference to OAuth (either Snowflake OAuth or external OAuth), followed by external browser authentication, Okta native authentication and key-pair authentication. Note that Snowflake’s built-in MFA (Duo) is enrolled per user and protects password logins; non-interactive service accounts cannot complete an MFA prompt, so they should use key-pair or OAuth authentication and have no password at all.
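The following Snowflake SQL is an added example (not from the article or from Snowflake’s documentation) that puts points 3 and the MFA advice together: a least-privilege role for the identity provider to run SCIM as, the SCIM integration itself, a key-pair service account with its password removed, and a query that finds human users who have not enrolled MFA. The Azure AD client, role and user names are hypothetical.

```sql
-- Added example: SCIM provisioning, key-pair service account, MFA coverage check.
-- All role, integration and user names are hypothetical.
USE ROLE ACCOUNTADMIN;

-- 1. A dedicated role the identity provider acts as; it needs only user/role lifecycle rights.
CREATE ROLE IF NOT EXISTS aad_provisioner;
GRANT CREATE USER ON ACCOUNT TO ROLE aad_provisioner;
GRANT CREATE ROLE ON ACCOUNT TO ROLE aad_provisioner;
GRANT ROLE aad_provisioner TO ROLE ACCOUNTADMIN;

-- 2. The SCIM endpoint. SCIM_CLIENT is 'AZURE', 'OKTA' or 'GENERIC'; the role name
--    is quoted in upper case because unquoted identifiers are stored upper-cased.
CREATE OR REPLACE SECURITY INTEGRATION aad_provisioning
  TYPE = SCIM
  SCIM_CLIENT = 'AZURE'
  RUN_AS_ROLE = 'AAD_PROVISIONER';

-- Bearer token to paste into the IdP's provisioning config. It is valid for six months,
-- so schedule rotation; treat the output as a credential, not a log line.
SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('AAD_PROVISIONING');

-- 3. Non-interactive loaders cannot answer an MFA prompt: give them key-pair auth
--    and remove the password entirely. The public key comes from a key pair generated
--    offline (e.g. with openssl); paste the base64 body without the PEM header/footer.
CREATE USER IF NOT EXISTS svc_snowpipe DEFAULT_ROLE = loader;
ALTER USER svc_snowpipe SET RSA_PUBLIC_KEY = '<base64 public key body, placeholder>';
ALTER USER svc_snowpipe UNSET PASSWORD;
DESC USER svc_snowpipe;   -- RSA_PUBLIC_KEY_FP shows the fingerprint to compare with the private key

-- 4. Humans: Duo MFA is enrolled per user, so audit who still logs in with a bare password.
--    DISABLED and EXT_AUTHN_DUO are VARIANT columns in this view, hence the casts.
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND ext_authn_duo::BOOLEAN = FALSE
  AND has_rsa_public_key = FALSE          -- excludes key-pair service accounts
  AND has_password = TRUE
ORDER BY last_success_login DESC NULLS LAST;
```

Run the last query after the SCIM sync has settled: users that the IdP has provisioned but who have never logged in will appear with a NULL last_success_login, which is the list to chase for enrollment.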

4. Column-level access control

Organizations should use Snowflake’s dynamic data masking and external tokenization capabilities to restrict certain users’ access to sensitive information in certain columns. Dynamic data masking obfuscates a column’s values at query time based on who is querying, so a finance role might see a full customer email while a support role sees only the domain. The related per-country case, where a U.S. employee can view only U.S. order data and French employees only orders from France, is a row-level restriction and is handled by Snowflake’s row access policies, which decide which rows a query returns rather than how a column is displayed; the two are designed to be used together.

Both column-level features are built on masking policies. To make the most of them, organizations should first decide whether to centralize masking-policy management or delegate it to the individual teams that own each database, depending on their needs. Where analysts need aggregate figures over protected columns without seeing individual values, use INVOKER_ROLE() in the policy conditions: when a protected column is read through a view, INVOKER_ROLE() returns the view’s owner rather than the querying role, so an authorized owner’s view can compute aggregates over the raw data while direct queries against the table stay masked.
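The following Snowflake SQL is an added example (not from the article or from Snowflake’s documentation) of the three mechanisms discussed in point 4: a role-aware masking policy, the INVOKER_ROLE() pattern that lets an aggregate view see raw values while the underlying column stays masked, and a row access policy for the per-country case. The database, schema, table, role and policy names are hypothetical; the role running it is assumed to own the objects and hold the APPLY MASKING POLICY and APPLY ROW ACCESS POLICY privileges.

```sql
-- Added example: column masking + INVOKER_ROLE() aggregate view + row access policy.
-- Objects live in a hypothetical database PROD with schemas SALES, GOVERNANCE, ANALYTICS.
USE ROLE governance_admin;   -- hypothetical role that owns policies and the tables

-- 1. Column-level masking for customer_email.
CREATE OR REPLACE MASKING POLICY prod.governance.email_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_READER') THEN val
    -- Through a view, INVOKER_ROLE() is the view owner, not the querying role. Granting
    -- ANALYTICS_OWNER raw access here lets its aggregate view (below) compute over real
    -- addresses while anyone querying the table directly still gets the masked form.
    WHEN INVOKER_ROLE() IN ('ANALYTICS_OWNER') THEN val
    WHEN CURRENT_ROLE() IN ('SUPPORT') THEN REGEXP_REPLACE(val, '^[^@]+@', '***@')
    ELSE '***MASKED***'
  END;

ALTER TABLE prod.sales.orders MODIFY COLUMN customer_email
  SET MASKING POLICY prod.governance.email_mask;

-- Aggregate view owned by ANALYTICS_OWNER: REPORTING gets counts per domain, never an address.
USE ROLE analytics_owner;
CREATE OR REPLACE VIEW prod.analytics.orders_by_email_domain AS
  SELECT SPLIT_PART(customer_email, '@', 2) AS email_domain, COUNT(*) AS orders
  FROM prod.sales.orders
  GROUP BY 1;
GRANT SELECT ON VIEW prod.analytics.orders_by_email_domain TO ROLE reporting;

-- 2. Row-level: which orders a role may see at all, driven by a mapping table so that
--    adding a country is an INSERT, not a policy rewrite.
USE ROLE governance_admin;
CREATE TABLE IF NOT EXISTS prod.governance.role_country_map (role_name STRING, country_code STRING);
INSERT INTO prod.governance.role_country_map VALUES ('SALES_US', 'US'), ('SALES_FR', 'FR');

CREATE OR REPLACE ROW ACCESS POLICY prod.governance.orders_by_country AS (country STRING)
  RETURNS BOOLEAN ->
    CURRENT_ROLE() IN ('PII_READER')
    OR EXISTS (SELECT 1
               FROM prod.governance.role_country_map m
               WHERE m.role_name = CURRENT_ROLE()
                 AND m.country_code = country);

ALTER TABLE prod.sales.orders
  ADD ROW ACCESS POLICY prod.governance.orders_by_country ON (ship_country);

-- 3. Confirm both policies are attached before handing the table back to its owners.
SELECT policy_kind, policy_name, ref_column_name, ref_arg_column_names
FROM TABLE(prod.information_schema.policy_references(
             ref_entity_name => 'prod.sales.orders',
             ref_entity_domain => 'table'));
```

Two design notes. The mapping table is itself sensitive configuration: whoever can INSERT into it can widen access, so it belongs with the policies, not with the data owners. And a column that carries a masking policy cannot also be the input column of a row access policy on the same table, which is why the row filter keys on ship_country rather than on any masked field.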

5. Implement a unified audit model

Finally, organizations should not forget to implement a unified audit model so that the policies in force are transparent. This means actively monitoring policy changes (who created which policy, granting user X or role Y access to which data), which is as critical as monitoring query and data-access patterns.

To view account usage patterns, use the system-defined, read-only shared database named SNOWFLAKE. Its ACCOUNT_USAGE schema contains views that provide one year of audit data. By default only the ACCOUNTADMIN role can query it (other roles need IMPORTED PRIVILEGES on the database), and the views trail live activity by up to a few hours, so they complement, rather than replace, real-time alerting.
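As an added example (not from the article or from Snowflake’s documentation), these three queries over SNOWFLAKE.ACCOUNT_USAGE cover the audit model described above: policy changes, the current policy-to-column attachments, and logins that bypassed the network and MFA controls from the earlier points. Column names are those of the ACCOUNT_USAGE views; the time windows are arbitrary choices.

```sql
-- Added example: audit queries over the shared SNOWFLAKE database.
-- Needs ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES ON DATABASE snowflake.
USE ROLE ACCOUNTADMIN;

-- 1. Who changed a security policy in the last 30 days, and what exactly they ran.
SELECT start_time, user_name, role_name, query_type, query_text
FROM snowflake.account_usage.query_history
WHERE start_time > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND execution_status = 'SUCCESS'
  AND (query_text ILIKE '%MASKING POLICY%'
       OR query_text ILIKE '%ROW ACCESS POLICY%'
       OR query_text ILIKE '%NETWORK POLICY%'
       OR query_text ILIKE '%SECURITY INTEGRATION%')
ORDER BY start_time DESC;

-- 2. Current state: every masking / row access policy and the object and column it protects.
--    A protected column that silently lost its policy shows up as missing from this list.
SELECT policy_kind,
       policy_db || '.' || policy_schema || '.' || policy_name            AS policy,
       ref_database_name || '.' || ref_schema_name || '.' || ref_entity_name AS protected_object,
       ref_column_name,
       policy_status
FROM snowflake.account_usage.policy_references
ORDER BY policy_kind, policy, protected_object;

-- 3. Logins in the last 7 days that either failed or succeeded with a password alone
--    (no second factor), with the source IP to compare against the network policy.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor, is_success, error_message
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND (is_success = 'NO'
       OR (first_authentication_factor = 'PASSWORD'
           AND second_authentication_factor IS NULL))
ORDER BY event_timestamp DESC;
```

The first query keys on query text because policy DDL is what grants or removes access; pair it with the second so that a reviewer sees both the change and the resulting state. Because these views lag by up to a few hours, run them on a schedule for review and rely on IdP and SIEM alerting for the real-time path.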




WhatsApp rolls out new ‘Message Yourself’ feature globally • TechCrunch




We’re joining the Cyber Monday fun with 25% off annual subscriptions to TechCrunch+ content and analysis starting today until Wednesday, November 30. Plus, today only, get 50% off tickets to discover the vast unknown and attend TechCrunch Sessions: Space in Los Angeles!

Okay, we haven’t done a newsletter since Wednesday, and while the U.S. team was chillin’ like villains, the rest of the team was hard at work, so here are some of the highlights from the last half-week of TechCrunchy goodness! — Christine and Haje

The TechCrunch Top 3

  • Talking to yourself just went digital: Instead of having that internal monologue stay in your head, now you can play out all of your thoughts to yourself in WhatsApp, Jagmeet writes. The messaging platform began rolling out an easier way to talk to yourself today after completing beta testing.
  • Great Wall of porn: That’s how Rita and Catherine describe the bot surge in China that is making it difficult to get any legitimate Twitter search results when trying to find out something about Chinese cities. Why, you ask? Rita writes that “the surge in such bot content coincides with an unprecedented wave of (COVID) protests that have swept across major Chinese cities and universities over the weekend.”
  • Your calendar, only more productive: Get ready for your calendar to be more than just a place to record things you have to do that day. Romain writes about Amie, a startup that grabbed $7 million to link your unscheduled to-do list with your calendar. The app also enables users to be social with coworkers.

Startups and VC

Dubai-based mass transit and shared mobility services provider SWVL has carried out its second round of layoffs, affecting 50% of its remaining headcount, Tage reports. The news is coming six months after SWVL laid off 32% (over 400 employees) of its workforce in a “portfolio optimization program” effort geared toward achieving positive cash flow next year.

There are a couple of new funds in town, too! Harri reports that Early Light Ventures plots a second, $15 million fund for software ‘underdogs,’ while Mike writes that BackingMinds raises a new €50 million fund to fund normally overlooked entrepreneurs. He also writes about Pact, an all-women-led VC for mission-driven startups, backed by Anne Hathaway.


Lessons for raising $10M without giving up a board seat


Over the last two years, intelligent calendar platform Reclaim raised $10 million “using a more incremental approach,” writes co-founder Henry Shapiro.

“We’ve done all this without giving up a single board seat, and Reclaim employees continue to own over two-thirds of the company’s equity,” rejecting conventional wisdom that founders should “raise as much as you can as fast as you can.”

In a TC+ post, Shapiro reviews the process they used to identify follow-on investors, shares the email template used to pitch the SAFE, and explains why “a larger cap table means more founder control.”



Big Tech Inc.

Amazon’s recent cost-cutting measures seem to be affecting more than just its delivery business. Manish writes that the company is shutting down its wholesale distribution business, called Amazon Distribution, in India. Amazon had started this unit to help neighborhood stores secure inventory. The company didn’t say why it was closing this particular business down, but Manish notes that this is the third such Amazon unit to be shuttered in India.

Meanwhile, Natasha L reports that Meta has gotten itself into trouble again under the European Union’s General Data Protection Regulation (GDPR). Facebook’s parent company is being hit with $275 million in penalties for what the regulator said were breaches of data protection that resulted in some 530 million users’ personal information being leaked.





French Court Says Man Was Wrongfully Fired For Not Being ‘Fun’



You can’t be fired because a company doesn’t think you’re “fun” enough.

[Photo: The Court of Cassation in Paris. Credit: Frédéric Soltan / Getty Images]

At least, that’s according to France’s highest court, The Court of Cassation, which ruled earlier this month that a man who was fired for not wanting to participate in certain company activities billed as part of their “fun” culture was wrongfully terminated, according to The Washington Post.

The man’s legal team said their client wasn’t seen as “fun” because he refused to engage in corporate events with large amounts of drinking. The man also claimed a work culture where people did activities such as miming sexual acts, sharing beds with other employees at work events, and giving people uncouth nicknames, per the outlet.

A Google translation of the court documents characterized these acts as “practices advocated by the associates linking promiscuity, bullying, and incitement to various excesses.”

The decision says the man was fired in March 2015 for not embracing the company’s “fun” culture, which the company framed as “professional incompetence,” and for being too rigid in personality, according to the documents.

The company in question is Cubik Partners, a management consulting firm. It did not respond immediately to a request for comment.

France is known for its pro-employee labor laws and for the well-worn joke that it’s impossible to get fired there. That is also generally true of other countries in Europe, including Ireland, where Elon Musk’s Twitter has already faced a temporary injunction for firing an executive based there.

In this case, the court ruled that firing an employee for not doing the activities in question constituted a violation of “his freedom of expression,” and that it is a “fundamental freedom” to not engage in some sort of social activity.

The fired employee had asked for over $400,000, which the Paris Court of Appeals rejected last year. This ruling overturned that rejection in part, ordered the company to pay the former employee €3,000, and said it would consider his demand for damages at a later date, per Insider.
