CSOonline: Homomorphic encryption tools find their niche

Organizations are starting to take an interest in homomorphic encryption, which allows computation to be performed directly on encrypted data without requiring access to a secret key. While the technology isn’t new (it has been around for more than a decade), many of its implementations are, and most of the vendors are either startups or have only had products sold within the past few years. While it’s difficult to obtain precise pricing, most of these tools aren’t going to be cheap: Expect to spend at least six figures and sign multi-year contracts to get started.

I review the early products in this market for CSOonline, describe some of the typical use cases, and provide some suggestions on how to evaluate them for enterprise uses.

Review of Thales’ SafeNet Trusted Access

Thales SafeNetTrusted Access (STA) offers a compelling blend of security solutions that bridge the MFA, SSO and access management worlds in a single, well-integrated package. STA does this by offering policy-based access controls and SSO with very strong authentication features. These policies are flexible and powerful enough that you can address a broad range of access scenarios.

Because STA covers multiple security workflows, there are several places that it can fit into your overall data protection needs. Part of your own motivation for using this product will depend on the particular direction that you are coming from. What you need STA to do will depend on what you have already purchased and where your existing security tools are weakest.

If you presently use another SSO tool, or if you aren’t happy with your existing identity management product, you might examine whether they can support or integrate with STA and use it as your principal identity provider. This will give you greater automation scope and move towards better MFA coverage for your consolidated logins.

If delivering MFA is your primary focus for purchasing a new identity product, STA should be on your short list of vendors. If you are rolling out MFA protection as part of a larger effort to secure your users and logins, then things get more interesting and the case for using STA becomes more compelling. For example, it can handle a variety of application authentication situations and be granular enough to deploy these methods for particular user collections and circumstances. Many older IAM products bolted-on their MFA methods with cumbersome or quirky integration methods or required you to purchase separate add-on products for these features. STA has had this flexibility built-in from the get-go and has a well-integrated MFA set of solutions.

If you presently use another vendor’s authentication app or have a collection of hardware tokens that you are trying to migration away from, you might want to examine whether STA’s MobilePass+ offers improvements to the user workflows that could increase MFA coverage across your application portfolio.

Thales SafeNetTrusted Access is available at this link. Pricing starts at $3.50 /user/month, which includes access management, SSO, authentication tokens and services support. A premium subscription which adds PKI MFA support is also available.

You can read my full report here. And here is my screencast video that points out the major product features:

 

CSOonline: The top 5 email encryption tools: More capable, better integrated

I have updated my review of top email encryption tools for CSOonline/Network World this week. Most of the vendors have broadened the scope of their products to include anti-phishing, anti-spam and DLP. I last looked at these tools a few years ago, and have seen them evolve:

  • HPE/Voltage SecureMail is now part of Micro Focus, part of an acquisition of other HPE software products
  • Virtru Pro has extended its product with new features and integrations
  • Inky no longer focuses on an endpoint encryption client and has instead moved into anti-phishing
  • Zix Gateway rebranded and widened its offerings
  • Symantec Email Security.cloud has added integrations

In my post today, I talk about recent trends in encryption and more details about each of these five products.

 

CSOonline: Best tools for single sign-on

I have been reviewing single sign-on (SSO) tools for nearly seven years, and in my latest review for CSOonline, I identify some key trends and take a look at the progress of products from Cisco/Duo, Idaptive, ManageEngine, MicroFocus/NetIQ, Okta, OneLogin, PerfectCloud, Ping Identity and RSA. You can see the product summary chart here.

If you have yet to implement any SSO or identity management tool, or are looking to upgrade, this roundup of SSO tools will serve as a primer on where you want to take things. Given today’s threat landscape, you need to up your password game by trying to rid your users of the nasty habit of reusing their old standby passwords.

I also look at five different IT strategies to improve your password and login security, the role of smartphone authentication apps, and what is happening with FIDO.

 

CSOonline: How to beef up your Slack security

When it comes to protecting your Slack messages, many companies are still flying blind. Slack has become the defacto corporate messaging app, with millions of users and a variety of third-party add-on bots and other apps that can extend its use. It has made inroads into replacing email, which makes sense because it is so immediate like other messaging apps. But it precisely because of its flexibility and ubiquity that makes it more compelling to protect its communications.


In this post for CSOonline, I take a closer look at what is involved in securing your Slack installatio nand some of the questions you’ll want to ask before picking the right vendor’s product. You can see some of the tools that I took a closer look at too in the chart above.

HID ActivID Authentication Server: A very capable and comprehensive IAM product

If you are looking for a comprehensive identity and access management (IAM) tool that can cover just about any authentication situation and provide ironclad security for your enterprise, you should consider HID Global’s ActivID product line.

Even if you are an IAM specialist, it will take days and probably weeks of effort to get the full constellation of features setup properly and tested for your particular circumstances. There is good news though: you would be hard pressed to find an authentication situation that it doesn’t handle. t has a wide range of tools that can lock down your network, covers a variety of multifactor authentication methods and token form factors (as shown here below), and provides single sign-on (SSO) application protection.

f you are rolling out MFA protection as part of a larger effort to secure your users and logins, then the case for using HID’s product becomes very compelling.

I was hired to take a closer look at their product earlier this year, and came away impressed with the level of thoroughness and comprehensive protective features. You can download my report here and learn more about this tool and what it can do.

How Tachyon brings a fresh perspective on keeping your endpoints healthy

If you run the IT security for your organization, you probably are feeling two things these days. First, you might be familiar with the term “box fatigue,” meaning that you have become tired of purchasing separate products for detecting intrusions, running firewalls, and screening endpoints for malware infections. Secondly, you are probably more paranoid too, as the number of data breaches continues unabated, despite all these disparate tools to try to keep attackers at bay.

I spent some time last month with the folks behind the Tachyon endpoint management product. The vendor is 1E, which isn’t a name that you often see in the press. They are based in London with a NYC office, and have several large American corporations as customers. While they paid me to consult with them, I came away from my contact with their product genuinely impressed with their approach, which I will try to describe here.

A lot of infosec products try to push the metaphor of searching for a needle (such as malware) in a haystack (your network). That notion is somewhat outdated, especially as malware authors are getting better at hiding their infections in plain sight, reusing common code that is part of the Windows OS or chaining together what seems like innocuous routines into a very destructive package. These blended threats, as they are known, are very hard to detect, and often live inside your network for days or even months, eluding most security scanners. This is one of the reasons why the number of breaches continues to make news.

What Tachyon does isn’t trying to find that needle, but instead figures out that first you need to look for something that doesn’t appear to be a piece of hay. That is an important distinction. In the memorable words of Donald Rumsfeld, there are unknown unknowns that you can’t necessary anticipate. He was talking about the fog of war, which is a good analogy to tracking down malware.

The idea behind Tachyon is to help you discover all sorts of ad hoc and serendipitous things out of your collection of computers and networks that you may not even have known required fixing. Often, issues that start out with some security problem end up becoming general IT operations related when they need to be fixed. Tachyon can help bridge that gap.

Today’s enterprise has an increasingly more complex infrastructure. As companies move to more virtual and cloud-based servers and more agile development, there are more moving parts that can be very brittle. Some cloud-based businesses have hundreds of thousands of servers running: if just a small fraction of a percent of that gear has a bug, it becomes almost impossible to ferret out and fix. This post on LinkedIn’s engineering blog is a good case in point. “Any service that is live 24/7 is in a state of change 24/7, and with change comes failures, escalations, and maybe even sleepless nights spent firefighting.” And that is just dealing with production systems, rather than any deliberate infections.

Unlike more narrowly-focused endpoint security products, Tachyon operates in a wider arena that responds to a lot of different events that deal with the entire spectrum of IT operations– not just related to your security posture. Does it matter if you have been infected with malware or have a problem because of an honest mistake by someone with setting up their machine? Not really: your environment isn’t up to par in either situation.

So how does Tachyon do this? It is actually quite simple to explain, and let me show you their home screen:

Does that query box at the top remind you of something? Think about Tachyon as what Google was trying to do back in the late 1990s. Back then, no one knew about search engines. But we quickly figured out that its simple query interface was more than an affectation when we got some real utility out of those queries. That is where we are today with Tachyon: think of it as the search tool for finding out the health of your network. You can ask it a question, and it will tell you what is happening.

Many security products require specialized operators that need training to navigate their numerous menus and interpret their results. What Tachyon is trying to do is to use this question-and-answer rubric that can be used by almost anyone, even a line manager, to figure out what is ailing your network.

But having a plain Jane home page is just one element of the product. The second important difference with Tachyon is how it automates finding and updating that peculiar piece of hay in the stack. I won’t get into the details here, but Tachyon isn’t the only tool in the box that has automation. While there are many products that claim to be able to automate routine IT functions, they still require a lot of manual intervention. Tachyon takes its automation seriously, and puts in place the appropriate infrastructure so it can automate the non-routine as well, to make it easier for IT staffs to do more with fewer resources. Given the reduced headcounts in IT, this couldn’t come at a better time.

If you would like to learn more about Tachyon and read the full review that I wrote about the product, download the PDF here and you’ll see why I think highly of it. And here is a short video about my thoughts on the product.

Now I realize that having 1E as a client could bias my thinking. But I think they are on to something worthwhile here. if you are looking for way to respond and resolve network and endpoint problems at scale,  they deserve a closer look.

CSOonline: 4 open source red-team ATT&CK-based tools reviewed

In an article that I wrote last week for CSOonline, I described the use of a red team framework from Mitre called ATT&CK. in my post this week, I compare four free open source tools that leverage this framework and how they can be deployed to help expose your network vulnerabilities. The four tools are:

  • Endgame’s Red Team Automation (RTA),
  • Mitre’s own Caldera,
  • Red Canary’s Atomic Red, and
  • Uber’s Metta

Each have their good and bad points. You can read my review here.

Netgear’s Arlo Pro security cameras: Better than before but pricey

This article is the latest installment in my smart home series. A natural addition to any smart home would be to use security cameras to monitor your entry points. I tested the latest Netgear Arlo cameras, including the Arlo Pro and the Arlo Go. Overall, my review is mixed.   

Netgear has had its Arlo line for several years. What is new with these two units is the rechargeable batteries, so you don’t spend a small fortune on replacing the ones in the cameras. The design goal with Arlo is that you can run them completely cable-free, so you can place them optimally without regard to wiring. By that they mean that you don’t have to run any wires to them, either for power or network connectivity.

But there are two different battery sizes for the Pro and the Go models. Go includes a slightly larger unit that comes with its own stand. Pro has a smaller magnetic attachment device to be mounted on the wall.Either Pro or Go batteries can be recharged outside the camera with an optional $60 charging dock, which is included in some of the multiple-camera kits.  

The older Arlo models used ordinary batteries that drained quickly. These newer models use rechargeable ones that last a couple of weeks, depending on usage, and connect via Wi-Fi networks (in the case of the Pro) or Go has its own AT&T SIM card. That means the Go can be placed anywhere that has a cell signal, and if you don’t have any indoor Wifi. You can see the signal strength on its web portal page. This is great for a remote cabin the woods, as long as it isn’t too far afield from a cell tower.

Both of the newer cameras can record ambient audio and can see a 130 degree video view in HD quality, along with night vision rather at 850 nm that can see things up to 25 feet away. You can also control a 8x zoom lens in real time. The original Arlo cameras has a 110 degree view and no audio capabilities.  

Camera setup is very simple. You connect the controller to your wired network, download the smartphone app, and press the button on the controller and then on each camera for it to be recognized by the system. You need to create a login ID with the web service. One ID per system only. Once you have setup the cameras with this login, you can use the smartphone app outside of your home network.

You can only be logged in at one location: either via the smartphone app or the web portal. This is a security feature. The web and smartphone app controls are almost the same, with the exception of geo-fencing mode that is available on the phone app only.

The cameras have four different detection modes: armed, schedule, geo, and disarmed. The schedule mode allows you to turn off the detection during the weekend or when motion sensing would kick off too many alerts. You can also set up your own custom rules for all the cameras connected to your hub or for particular Go cameras.

You can set various thresholds — for motion (the claim is 23 feet from the camera) or sound detection. Then the cameras record the next ten seconds. When you purchase the camera, you get a free week’s worth of video storage in the cloud, after that you have to purchase a storage plan if you want to keep the videos for any length of time. (You can access your video library easily at any time, shown here.) You can download these videos as MP4s, and also share them with Netgear. If you use the Pro models, they attach to a local controller, which has two USB slots where you can fit a USB thumb drive for local storage. The Go units have a microSD slot where you can store your video recordings.

The biggest new feature of the Pro/Go cameras is audio, and it is two-way so you can get an alert via email and then talk remotely to someone who has stopped by your lake house and knocked on your door when you aren’t home as an example. You can also set off a very loud alarm remotely if you see something amiss.

The Arlo setup comes with a free basic subscription plan. This covers up to five cameras and up to seven days of 1 GB of cloud storage for your recordings. There are a variety of paid consumer and business plans that up the level and duration of storage and the number of cameras per account, these start at $100/year per account. The cameras retail for $950 in a kit that includes six Pro cameras, several wall mount options, power chargers and a base station. A single camera system is $250. The Go camera on the Verizon cellular network retails for $350, plus $85 a month, provided you sign a two-year contract.

If you have an older Arlo setup, it probably isn’t worth it to upgrade to Pro or Go collection. If you are looking for a smart home webcam, you can certainly find cheaper models that will require some wiring, or use ordinary batteries. It might be worthwhile to have a single Arlo Pro or a Go in the case of the remote cabin without any Internet connection. If you don’t mind replacing batteries and don’t need the two-way audio, you should stick with the older Arlo models.

Is iOS more secure than Android?

I was giving a speech last week, talking about mobile device security, and one member of my audience asked me this question. I gave the typical IT answer, “it depends,” and then realized I needed a little bit more of an explanation. Hence this post.

Yes, in general, Android is less secure than All The iThings, but there are circumstances where Apple has its issues too. A recent article in ITworld lays out the specifics. There are six major points to evaluate:

  1. How old is your device’s OS? The problem with both worlds is when their owners stick with older OS versions and don’t upgrade. As vulnerabilities are discovered, Google and Apple come out with updates and patches — the trick is in actually installing them. Let’s look at the behavior of users between the two worlds: The most up-to-date Android version, Nougat, has less than 1% market share. On the other hand, more than 90% of iOS users have moved to iOS v10. Now, maybe in your household or corporation you have different profiles. But as long as you use the most recent OS and keep it updated, right now both are pretty solid.
  2. Who are the hackers targeting for their malware? Security researchers have seen a notable increase in malware targeting all mobile devices lately (see the timeline above), but it seems there are more Android-based exploits. It is hard to really say, because there isn’t any consistent way to count. And a new effort into targeting CEO “whale” phishing attacks or specific companies for infection isn’t really helping: if a criminal is trying to worm their way into your company, all the statistics and trends in the universe don’t really matter. I’ve seen reports of infections that “only” resulted in a few dozen devices being compromised, yet because they were all from one enterprise, the business impact was huge.
  3. Where do the infected apps come from? Historically, Google Play certainly has seen more infected apps than the iTunes Store. Some of these Android apps (such as Judy and FalseGuide) have infected millions of devices. Apple has had its share of troubled apps, but typically they are more quickly discovered and removed from circulation.
  4. Doesn’t Apple do a better job of screening their apps? That used to be the case, but isn’t any longer and the two companies are at parity now. Google has the Protect service that automatically scans your device to detect malware, for example. Still, all it takes is one bad app and your network security is toast.
  5. Who else uses your phone? If you share your phone with your kids and they download their own apps, well, you know where I am going here. The best strategy is not to let your kids download anything to your corporate devices. Or even your personal ones.
  6. What about my MDM, should’t that protect me from malicious apps? Well, having a corporate mobile device management solution is better than not having one. These kinds of tools can implement app whitelisting and segregating work and personal apps and data. But an MDM won’t handle all security issues, such as preventing someone from using your phone to escalate privileges, detecting data exfiltrations and running a botnet from inside your corporate network. Again, a single phished email and your phone can become compromised.

Is Android or iOS inherently more secure? As you can see, it really depends. Yes, you can construct corner cases where one or the other poses more of a threat. Just remember, security is a journey, not a destination.