CSOonline: The state of the CASB market

In just a few years, a lot has happened in the Cloud Access Security Broker (CASB) market.

Most of the main-line security vendors have purchased CASB solutions: Oracle (Palerra), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Skycure) and McAfee (Skyhigh Networks). The three independent vendors still standing are CipherCloud, Netskope, and Bitglass. The market has matured, although this is a matter of degree, since even the longest-running vendors have only been selling products for a few years. It has also evolved to the point where many analysts feel CASB will be just as important in the near future as firewalls were back in the day when PCs were being bought by the truckload. Gartner predicts that by 2020, more enterprises will use CASBs than not, which represents a big jump from the 10% that used them at the end of 2017.

Four things also helped the CASB cause: first, security personnel found the products quick to learn; second, the products became more inclusive in terms of application support; third, a managed service provider business began to emerge; and finally, multimode operation has become more prevalent.

In this story for CSOonline, I talk about what these products are, why enterprises are motivated to purchase and deploy them, what features you should look for that are appropriate for your network, what your decision points are in the purchase process, and links to many of the major CASB vendors.


Why isn’t marketing attracting more college grads? That’s the topic Paul Gillin and I explore this week, starting with the results of a study commissioned by Marketing Week earlier this year, which found that just 3% of undergraduates think marketing offers them the best career opportunities.

The publication held a seminar to try to explore ways to better engage Gen Z, and we have several thoughts on the matter too. Colleges need to have more focused marketing programs, and businesses need to show that a wide range of skills and talents can be put to best use in marketing programs. Certainly there are obstacles, such as CEOs who think they are good marketers when they aren’t, or conflicts between sales and marketing staffs. But with big data becoming an essential part of the marketing discipline, there’s more opportunity for marketing to impact a company’s future than we’ve seen since the dawn of TV advertising.

Listen to our 14 min. podcast here:

Security Intelligence (IBM) blog: Space Rogue, A Security Rebel Turned Pen Tester

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist and his role as a cybersecurity activist in the late 1990s. In 1998, Thomas and other members of the hacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers, and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years and was recently back in DC to talk about what has changed, and what hasn’t, in terms of infosec. My interview with Thomas can be found in IBM’s Security Intelligence blog.

Having better risk-based analysis for your banks and credit cards

When someone tries to steal money from your bank or credit card accounts, these days it is a lot harder, thanks to a number of technologies. I recently had this happen to me. Someone tried to use my credit card on the other side of Missouri on a Sunday afternoon. Within moments, I got alerts from my bank, along with a toll-free number to call to verify the transactions. In the heat of the moment, I dialed the number and started talking to my bank’s customer service representatives. Then it hit me: what if I were being phished? I told the person that I was going to call them back, using the number on the back of my card. Once I did, I found out I had been talking to the right people after all, but still, you can’t be too careful.

This heat-of-the-moment reaction is what the criminals count on, and how they prey on your heightened emotional state. In my case, I was well into my first call before I started thinking more carefully about the situation, so I could understand how phishing attacks can often work, even for experienced people.

To help cut down on these sorts of exploits, banks use a variety of risk-based or adaptive authentication technologies that monitor your transactions constantly, to try to figure out if it really is you doing them or someone else. In my case, the pattern of life didn’t fit, even though it was a transaction taking place only a few hundred miles away from where I lived. Those of you who travel internationally probably have come across this situation: if you forget to tell your bank you are traveling, your first purchase in a foreign country may be declined until you call them and authorize it. But now the granularity of what can be caught is much finer, which was good news for me.

These technologies can take several forms: some of them are part of identity management tools or multi-factor authentication tools, others come as part of regular features of cloud access security brokers. They aren’t inexpensive, and they take time to implement properly. In a story I wrote last month for CSOonline, I discuss what IT managers need to know to make the right purchasing decision.

In that article, I also talk about these tools and how they have matured over the past few years. As we move more of our online activity to mobiles and social networks, hackers are finding ways to leverage our identity in new and sneaky ways. One-time passwords sent to our phones can be more readily intercepted, using the knowledge that we broadcast on our social media. And to make matters worse, attackers are also getting better at conducting blended attacks that cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications.

Of course, all the tech in the world doesn’t help if your bank can’t respond quickly when you uncover some fraudulent activity. Criminals specifically targeted a UK bank that was having issues switching over its computer systems last month, knowing that customers would have a hard time getting through to its customer support call centers. The linked article documents how one customer waited on hold for more than four hours, watching while criminals took thousands of pounds out of his account. Other victims were robbed of five- and six-figure sums after falling for phishing messages that asked them to input their login credentials.

Steve Ragan in a screencast below shows you the phishing techniques that were used in this particular situation.

The moral of the story: don’t panic when you get a potentially dire fraud alert message. Take a breath, take time to think it through. And call your bank when in doubt.


Finding the right escape room for your group

I am a bit slow to the whole escape room phenomenon, but it seems like a great idea to me. While I am not a computer gamer, I have run sites with that editorial content and know many professional gamers as a result. I am also a big Sudoku and crossword fan, having done those puzzles for more than a decade.

The idea, if you are still not tuned in, is to bring a few friends to a facility and try to escape from a locked room within an hour. You have to solve various puzzles. Actually, you have to find the clues and then figure out the puzzle, without a lot of guidance. If you haven’t ever done a room, you first have to be very observant, looking at what objects have been placed in the room, what information is written on the walls or displayed on various monitor screens, and what objects might lead you to other things. For those of you that don’t like solving puzzles, this is probably not something you are going to like. If you do like puzzles, or if you go to haunted houses every fall (or even build your own), this is probably something you have already checked out.

While I am not a computer gamer, I recognize that many years ago I spent weeks of my life trying to solve the puzzles of Myst. Back then, I said that “Myst starts out a total puzzle, and as you gain skills and understand the sequence of play involved, you get drawn into the universe of the game and lose track of real life and elapsed time.” You can say that about many modern computer games too. The problem with this is that you only have an hour to escape your particular room, and you don’t know how many puzzles you will have along your journey.

Given that there are thousands of rooms in cities all over the world, if you want to try one out the next hurdle is going to be to find one that suits your particular skills, experience, and group. Wouldn’t it be nice if someone reviewed rooms with some sort of consistency? Fortunately, there is a site that does called EscRoomAddict. I spoke to one of their editors, named Jeremie Wood. (You can see a sample of one review here.)

The site has teams of reviewers in LA, Chicago, New York, Kansas City, Denver and Toronto, which is where they began four years ago. They have reviewed more than 400 rooms in North America. There are other sites that have reviews, but none as well organized or as consistent in their evaluations as ERA, as they call themselves. The site doesn’t pay its reviewers, but usually the room operator comps the reviewers to do the room. Many of his reviewers have played 50 or more rooms during their tenure, and Wood himself has lost count but thinks he has been party to at least 180 room reviews.

He told me based on his experience that he doesn’t think the escape room craze has peaked yet, and there are still new rooms being built. One opportunity is to try to attract more corporate customers, who use the room as a team-building exercise. And part of that effort is what motivated the founders to start ERA, so that corporate customers could find the best rooms in a particular location.

The escape room landscape is also changing. “Many of the early operators have closed, mainly because the standards for the best experience keep going up.” You might think that the best rooms are the ones that take the most money to build, but that hasn’t been his observation. “I have seen great rooms that didn’t cost much, and lousy rooms that were very expensive,” he said. “You don’t have to spend huge amounts of cash, but you do have to know what you are doing and design something that has really great puzzles and a great story.”

One of the reasons I like the ERA site is that it attempts to have consistent review metrics for all of its room reviews. The teams from the various cities met earlier this year here in St. Louis to try to iron out consistent style and to set up minimum requirements for their reviews. The reviewers also try to take into account a wide range of puzzle solving ability in their write-ups. Each room is done by at least three different people, who then collaborate on the review, and they usually agree on their evaluation.

Having been to so many rooms, Wood told me that the average Canadian rooms are smaller and more suitable for 4 to 6 people, whereas in the States, they can hold more participants. Also, in Canada, you usually book a room exclusively for your own group, even if it is smaller than the room capacity. In the US, your team is sharing the room with others if the demand is there.

If you have particular room experiences and want to share them with my readers, please post a comment here.

Why your networking future shouldn’t include NAT

This post is taken from a recent issue of the Internet Protocol Journal and reused with permission. It is written by Leroy Harvey, a data network architect.

The networking world seems to be losing sight that NAT is a crutch of sorts, a way of dealing with the primary problem of a lack of IPv4 addresses. An earlier article in IPJ stated that NAT provides a firewall function. I think NATs and firewalls are mutually exclusive, even if they are found on the same networking device. This is because NATs don’t by themselves provide any natural protection from the host on the other side of a protection point. The two can operate independently.

NAT does present real-world problems with a number of products, such as Microsoft AD Replication and IBM’s Virtual Tape Library. Passing through a NAT breaks the application’s intended communication model and requires compensating mechanisms.

We are asking the wrong question if we say, “should I deploy IPv6 now”. Someone once told me that IPv6 was here to stay. To my way of thinking, it has not arrived after 25 years.

Let’s look at the situation where we want to merge two large company networks together that both make extensive use of NAT. This becomes more complex than if the two networks were originally using a valid replacement for IPv4 and sadly, that protocol doesn’t exist. While I agree with the notion that the Internet can’t be completely stateless, this doesn’t justify using NAT as middleware. Justifying NAT for the sake of IPv4 life-support is nonsensical.

We should appreciate NAT for its role as a tactical compensating mechanism for IPv4 address depletion, not a strategic future-proofing scalability mechanism for IPv4. Really what many are saying about NAT is just putting lipstick on the IPv4 pig. Unfortunately, in IT there is nothing more permanent than a temporary solution. Let us not fall victim to this easy psychological trap only because we seem to have collectively painted ourselves into a corner of sorts.


In my role as a journalist, I’ve been deluged with hundreds of pitches for stories related to GDPR, which went into effect last week. It didn’t help matters that on the first day the UK commissioner’s website was down for a couple of hours, an Austrian privacy advocate hit Facebook and Google with billions of euros in lawsuits, and the privacy browser plug-in Ghostery sent out emails about its change in policy but inadvertently cc’d 500 user names in each batch of email.

In this episode of FIR B2B podcast (19 min.), I discuss the impact of GDPR with my partner Paul Gillin, who has seen his fair share of pitches as well. We discuss some of the best and worst PR pitches we received in the months running up to the launch of the General Data Privacy Regulation, and why a handful stood out.

SecurityIntelligence (IBM blog): Are ransomware attacks rising or falling?

There are conflicting reports over whether or not ransomware attacks are growing. Many organizations state (quite convincingly) that it’s the most popular malware form and that ransom-related attacks have been increasing at a rapid rate over the past year. However, other reports offer a more nuanced point of view. While the raw number of ransom-based attacks is increasing, the proportion of ransom-related attacks dropped over the last part of 2017. Many businesses are not paying out the ransoms, motivating criminals to try other malware methods.

I compare the results and show how they differ in my latest blog post for IBM’s Security Intelligence blog.

Hedy Lamarr, The First Geek Movie Star

The story sounds almost like a Hollywood plot, except it is true: A young starlet doing nude scenes as a teenager, goes on to invent a critical wartime technology that is ignored by the US Navy but ultimately forms the basis of WiFi and cell phones that we use today. Of course, I am talking about the life and times of Hedy Lamarr, the subject of a 2017 documentary film called Bombshell that is available from the streaming services.

She was also the subject of a 2011 biography by Richard Rhodes. I heard Rhodes speak back when he was promoting his book. Rhodes is the author of many intriguing histories of science, including the story of the Manhattan Project, and his book is worth reading. So is the film, which is also based on a 1990 taped interview that was recently found.

She is a fascinating study in how someone with both beauty and brains does not necessarily make the best of both worlds, yet she was constantly reinventing herself.

The movie traces her acting career and has various clips, including scenes from the provocative film Ecstasy, the one cited earlier that began her career and was eventually banned by Hitler. Lamarr was even the basis of one character in Mel Brooks’ Blazing Saddles.

Both the film and the book show how one of Lamarr’s many inventions, which she developed with her neighbor, the music composer George Antheil, came about through an odd inquiry. Lamarr was interested in a boob job and Antheil had written about early efforts in that area, again presaging another important intersection of Hollywood and technology. The duo went on to get a patent for a new technique for frequency-hopping radio communications. While not taken seriously at the time, it ultimately was deployed by the military in the 1960s during the Cold War. While the technique involved piano rolls, the basis of frequency hopping continues to be used as part of the spread-spectrum radio communications that are in common use today. Along the way, Lamarr made many movies and married and divorced six husbands, the first of whom was a Nazi arms merchant who got her interested in developing new technology for the war effort once she fled to America. She lived to be honored by the Electronic Frontier Foundation a few years before she died in 2000.

It is hard for many of us to grok a movie star with her trips to the patent office and test tube rack in her trailer on the movie set, but she was the real deal.

Lamarr once said that “Any girl can be glamorous. All you have to do is stand still and look stupid.” She was anything but.

SecurityIntelligence blog: What Are the Legalities and Implications of Hacking Back?

Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of hacking back opens up a wide range of cyber defense tools to IT and security managers. Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

In this post for IBM’s Security Intelligence blog, I review some of the early hacking back efforts by both private and government entities and discuss some of the recent legislation.