Comedian Colin Quinn says identity is a big thing. “Your id is who the government says you are. Your personality is the people who know you think you are, your reputation is the people who don’t know you think you are, your social media profile is who you think you are, and your browser history is who you really are.”

While my writing about identity management isn’t going to make the comedy circuit, I  recently updated my explainer piece for CSOonline. Identity is even more important these days, as enterprises move into more cloudy and virtual infrastructures, federate apps with their partners and customers, and try to protect themselves against supply-chain attacks that can tie them in knots for weeks and months.  And thanks to poor multi-factor implementations, more sophisticated phishing methods, more automated credential stuffing techniques and numerous legacy IAM systems that haven’t been updated, bad actors can often find easy entries with minimal effort into corporate systems to ply their exploits.

IAM needs to be a well-integrated fabric or mesh of architectures and processes that connect everything together into a coherent whole that can protect the entire digital surface of an enterprise. This fabric uses adaptive risk assessments to authenticate and connects both people and machines and uses information collected from continuous threat detection and operations visibility. My post explains how to get to this state, and some things that enterprise IT managers need to consider in their evaluations.

Attacks against the Domain Name System (DNS) are numerous and varied, so organizations have to rely on layers of protective measures, such as traffic monitoring, threat intelligence, and advanced network firewalls, to act in concert. With NXDOMAIN attacks on the rise, organizations need to strengthen their DNS defenses.

Akamai has released a new tool to help, as my story for Dark Reading describes.

Tracking down sensitive data across your cloud estate can be vexing. By their very nature, cloud computing is dynamic and ephemeral. Cloud data is easily created, deleted or moved around. Correspondingly, the cloud attack surface area is equally dynamic, making protection measures more difficult. Over the past few years, a group of tools called data security posture management (DSPM) have been developed to discover both known  and unknown data, provide some structure and manage the security and privacy risks of its potential exposure. In my post for CSOonline today, I look at a dozen different tools from Concentric AI, Cyera, Eureka Security, Normalyze, OneTrust, Palo Alto Networks, IBM, Securiti, Sentra, Symmetry Systems, Varonis and Wiz. (A summary comparison table can be found here.)

These tools will require a significant amount of staffing resources to evaluate because they touch so many different aspects of an enterprise’s IT infrastructure. And that is a good thing, because you want them to seek out and find data no matter under what digital rock they could be hiding. So having a plan that prioritizes which data is most important will help focus your evaluation. Also a good thing is to document how each DSPM creates its data map and how to interpret it and subsequent dashboards. Finally, you should understand the specific cloud services that are covered and which ones are on the vendor’s near-term product roadmap too.

Public corporations have mostly ignored SEC regs published years ago for improving cybersecurity governance. And while the requirements can be difficult to satisfy, companies that have made the effort created nearly four times their shareholder value compared to those that haven’t. That’s the conclusion of a new survey jointly conducted by Bitsight and Diligent Institute, entitled “Cybersecurity, Audit, and the Board.”  According to the Bitsight report, having separate board committees focused on specialized risk and audit compliance produces the best outcomes. 

You can read my analysis of this report for Dark Reading here.

Since 2005, the National Vulnerability Database (NVD) has been posting details about the hundreds of daily common vulnerabilities and exposures (CVEs) discovered by security researchers from around the globe. But last month, the critical government-sponsored database went from being an essential tool to a nearly dark destination. That is when any details in the NVD have been omitted, details that make the vulnerability data useful to enterprise security managers and to the numerous vulnerability management tools that can help prevent potential damages from attackers. My story in Dark Reading tells this sad tale.

CISOs can successfully make their business operations more secure and play a larger role in the organization’s overall strategy, but there are pitfalls to avoid.

According to Forrester’s recent security program recommendations report, “the eyes of the world are on CISOs — but not in a good way. There is now a long list of sacrificial CISOs who have either been fired or left due to disagreements with their firms.”

Navigating what comes next isn’t easy, but in my post today for Dark Reading are five takeaways from Forrester’s analysis that might help identify some pathways to success.

A spate of recent typosquatting attacks shows the scourge of this type of attack is still very much with us, even after decades of cyber defender experience with it.

Ever since the Internet became a commercial entity, hackers have been using it to impersonate businesses through a variety of clever means. And one of the most enduring of these exploits is the practice of typosquatting — i.e., using look-alike websites and domain names to lend legitimacy to social engineering efforts. In my latest post for Dark Reading, I talk about the recent series of attacks, why they continue to persist, and ways that enterprise security managers can try to prevent them from happening, although the fight isn’t an easy one.