CSOonline: 12 Attack Surface Management tools reviewed

Potential Attack Surface Management buyers need to understand how various network and other infrastructure changes happen and how they can neutralize them.

Periodic scans of the network are no longer sufficient for maintaining a hardened attack surface. Continuous monitoring for new assets and configuration drift is critical to ensuring the security of corporate resources and customer data.

New assets need to be identified and incorporated into the monitoring solution, as they could be part of a brand attack or shadow IT. Configuration drift could be benign and part of a design change, but it also has the potential to be the result of human error or the early stages of an attack. Identifying these changes early allows the cybersecurity team to react appropriately and mitigate any further damage.

I review 12 different ASM tools and also provide some questions to ask your team and the vendors about their ASM offerings in this updated article for CSOonline.
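To make the "new assets plus configuration drift" idea concrete, here is an added example (not code from the CSOonline article or from any of the reviewed products) that compares two inventory snapshots the way a continuous monitor would. The snapshot format, the host names and the severity rules are all constructed assumptions for illustration; a real ASM tool would feed in scanner output instead of the hard-coded dictionaries.

```python
"""Diff two attack-surface inventory snapshots and triage what changed.

Added illustration. The snapshot layout (hostname -> attributes) and the
example hosts are constructed; they are not taken from any ASM product.
"""

from dataclasses import dataclass, field

# Constructed snapshots: what an external scanner might have recorded on
# two successive runs. 'ports' is the set of exposed TCP ports, 'tls_min'
# the lowest TLS version accepted, 'owner' the team recorded in the CMDB.
PREVIOUS = {
    "www.example.test": {"ports": {443}, "tls_min": "1.2", "owner": "web-team"},
    "api.example.test": {"ports": {443}, "tls_min": "1.2", "owner": "platform"},
    "legacy.example.test": {"ports": {80, 443}, "tls_min": "1.0", "owner": "unknown"},
}
CURRENT = {
    "www.example.test": {"ports": {443}, "tls_min": "1.2", "owner": "web-team"},
    # drift: an SSH listener appeared on the API host
    "api.example.test": {"ports": {443, 22}, "tls_min": "1.2", "owner": "platform"},
    # new asset with no recorded owner (shadow IT or a forgotten test box)
    "staging-old.example.test": {"ports": {8080}, "tls_min": None, "owner": "unknown"},
}


@dataclass
class InventoryDiff:
    new_assets: list[str] = field(default_factory=list)
    removed_assets: list[str] = field(default_factory=list)
    # host -> {attribute: (before, after)} for assets present in both runs
    drift: dict[str, dict[str, tuple]] = field(default_factory=dict)


def diff_inventory(previous: dict, current: dict) -> InventoryDiff:
    """Return the set-level and attribute-level differences between snapshots."""
    diff = InventoryDiff()
    diff.new_assets = sorted(set(current) - set(previous))
    diff.removed_assets = sorted(set(previous) - set(current))
    for host in sorted(set(previous) & set(current)):
        changes = {}
        for key in sorted(set(previous[host]) | set(current[host])):
            before, after = previous[host].get(key), current[host].get(key)
            if before != after:
                changes[key] = (before, after)
        if changes:
            diff.drift[host] = changes
    return diff


def triage(diff: InventoryDiff, current: dict) -> list[tuple[str, str, str]]:
    """Turn a diff into (severity, host, message) findings, highest severity first.

    The severity rules are constructed for this example: unowned new assets
    and newly exposed ports are treated as high, other attribute drift as
    medium, and closures or disappearances as informational follow-ups.
    """
    findings = []
    for host in diff.new_assets:
        owner = current[host].get("owner")
        sev = "high" if owner in (None, "unknown") else "medium"
        findings.append((sev, host, "new asset not in inventory; assign owner and scope"))
    for host, changes in diff.drift.items():
        for key, (before, after) in changes.items():
            if key == "ports":
                before, after = before or set(), after or set()
                opened, closed = sorted(after - before), sorted(before - after)
                if opened:
                    findings.append(("high", host, f"newly exposed ports {opened}"))
                if closed:
                    findings.append(("info", host, f"ports closed {closed}"))
            else:
                findings.append(("medium", host, f"{key} changed {before!r} -> {after!r}"))
    for host in diff.removed_assets:
        findings.append(("info", host, "asset no longer seen; confirm decommission"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, host, message in triage(diff_inventory(PREVIOUS, CURRENT), CURRENT):
        print(f"[{severity:6}] {host}: {message}")
```

Run on the constructed snapshots, the report leads with the new SSH exposure on the API host and the unowned staging box, and only then mentions that the legacy host has gone away, which is the kind of ordering an on-call analyst wants: exposure first, decommission confirmation last.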


Salesforce behaving badly with Zoomin acquisition

Last year, Salesforce acquired Zoomin, a company specializing in organizing unstructured data such as documentation and knowledge base repositories. As part of that acquisition, they announced that there would be no further product features (other than bug fixes) added to the Zoomin platform and that it would reach the end of its life in 2027. Eventually, they will replace Zoomin with a yet-to-be-announced new product to be added to their Service Cloud and Agentforce services. The key word in that last sentence is “eventually,” which is why I say they are behaving badly.

This move puts Zoomin customers in a quandary, because Salesforce has asked these customers to decide on renewing their contracts within the next month. One reader, an IT manager at a large tech firm who has been a Zoomin customer, wrote to me, saying “Salesforce wants us to move to a competitor because some genius in their finance department has put some arbitrary date out there that they need to quit providing support by. I’ve never seen something so nuts because it means we are on the hook for an additional 18 months of subscription costs for a product they aren’t improving.” My source was in the middle of an expansion of its Zoomin project, adding new documentation files and features that were part of their development plans. This was one of the reasons why they chose Zoomin to begin with. “We don’t want to keep enhancing a dead platform,” he said. Now they have to look to another vendor. “Killing Zoomin without having something to step in doesn’t make any sense to me.”

My source did get various briefings, roadmaps, and other information, which he shared with me. These plans were short on specifics, such as a “timeline” — the quotes indicate my own skepticism about their plans. Key missing elements are any solid migration plan, or any guarantee how the existing Zoomin data structures would be integrated into Service Cloud, or what the new subscription costs would be, or if there would be additional charges to migrate the Zoomin data. I find this both distressing and somewhat ironic, given that one of the attractions of Service Cloud is its ability to integrate across many different databases and platforms.

You can see one page of this briefing below:

As you can see from this page, there are lots of “upcoming” features that are called out. Both of us have been around the software devops block many times to know these are placeholders in any timeline that indicate these are features that might never happen, or won’t happen any time soon. One other notable curiosity is that this document never mentions Zoomin explicitly.

Salesforce is on a tear to produce an agentic AI-based self-service portal that can be used for all sorts of purposes, including a superset of what Zoomin was starting to do with its platform. You might agree with this direction, even if agentic portals might not be ready for prime time. But whether this is removing a competitor, total vaporware, wishful thinking or an actual service remains to be seen.

Red Cross: Mizzou makes running a large blood drive look easy


Setting up a mammoth blood drive is akin to building a 100-bed hospital emergency department from scratch and then taking it down a few days later. I got to see this in person with what is reported to be the largest student-run blood drive in the nation. Columbia is the city where you can find the University of Missouri, popularly called Mizzou, home to more than 30,000 students. For more than 40 years, the school has hosted blood drives in partnership with the American Red Cross. This year they broke their own record, collecting over 5,000 units of blood. You can read my post about the blood drive last month here on the chapter blog.

(Photo: Red Cross phlebotomist Jenise McKee readies Mizzou student donor Jake McCarthy for his Power Red blood donation.)

Book review: Wine Lord

Wine Load by D.B. Adams is a debut novel which offers an insider’s look at the way wine is made and marketed. The story takes place in Napa Valley, and if you are a wine drinker or if you are interested in that part of the country, this book might resonate with you. While the story is mostly well-written, it has its uneven spots that I will get to in a moment. If you consider yourself a wine aficionado or wine snob, you might find this book either humorous or frustrating. The story seems to be a realistic portrayal of the wine business world and describes a very believable conflict between the owners of the winery and their financial backers.

One notable exception is its stilted dialogue by a major character who is not a native English speaker. This doesn’t read well on the page. There is an impressive number of words that offer nothing to advance the narrative or add to the enjoyment of the book, and they detract from the story flow. I found myself skipping whole pages of this dialogue the further into the book I read.

Some people think they know more about wine than they actually do. What this novel succeeds at is showing that there are a lot more subtleties involved in making and enjoying wine than just swirling it in a glass. But there is also a lot more involved in making and enjoying a great work of fiction, and here this book disappoints.

What becomes a bottom feeder most?

I ask this question with serious intent and my focus is on vetting the best tech reviews websites. I have written around this problem in the past, but thanks to spending some time with my colleague Sam Whitmore, I have some new things to say. You can read the links to my past posts in the coda below.

With some modesty, I have some familiarity with this particular market, having written reviews for dozens of publications, both online and print, over the decades. When I began at PC Week (now sadly called eWeek) in the mid-1980s, we didn’t have the web, just the dead trees version. About a third of our pages were devoted to reviewing technologies and analyzing trends. These articles were written by people who actually touched the products and understood how enterprise IT folks would use them.

PC Week (and many others at the time) had a terrific business model, which was to charge a lot of money for print advertising, on the promise that our pub would control its circulation among what we would now call influencers. The web was the first big challenge: posting online content, these controls and promises went out the window. So began the fall of the Holy Roman Tech Empire.

In the late 1990s, we got the first wave of bottom-feeder websites, such as those created by Newsfactor and others. Instead of paying experienced writers and analysts to produce articles, they were “pay to play” operations that took pieces submitted by vendors who were anxious to get their names into print, or electrons. You could easily spot these sites because they had three things in common:

  1. Most articles quote no sources, or if they do they don’t actually use quotations,
  2. Most articles have no external links to any supporting materials, and
  3. Most articles have either no byline or no dateline, and as such aren’t tied to a particular news moment or product introduction or something else that would indicate timeliness.

What bugs me the most about these sites is that they are filled with posts that promise an actual review of a product or category. However, they usually don’t deliver any insight or evidence that any author actually handled the product. It bugs me because these kinds of articles devalue my own expertise in product handling, and how I translated that into actionable insights for my readers.

Now these three things can happen in legit articles that professional writers create. But taken together they illustrate the pay-for-play milieu.

With the new millennium, we had a different tech publishing model best typified by TechTarget, now part of the Holy Informa Empire. These sites combined organic search with lead generation as their business model, and resulted in sites with domains such as searchsecurity.com and searchcloudcomputing.com. These were combined with print pubs in the beginning and eventually tied to conferences too. In its early years, I was proud to work for them because they emphasized high quality information.

With the advent of AI and LLMs, we now have a new era of tech publishing. Organic search has become a bottom-feeder operation, because queries are now asked and answered in natural language and stay within the confines of the chatbots. Because AI can spin up batches of words and pictures easily and programmatically, there is no need to go any further. This means people like me have become buggy whips. Or hood ornaments. Or something that you put on a shelf.

Let’s examine one website for further analysis. This is tied to a print publication, so my guess is that many of these pieces were paid for by specific vendors or else generated by AI tools. No datelines. Bylines are suspect: I wasn’t able to ID anyone that I could independently verify is an actual human, and the authors’ pictures seem anodyne. There is a page of conferences that has odd mistakes in it, such as shows held in “Detroit City” and “Seattle City” and broken links. Again, a human proofreader would catch these in about three seconds. Articles are copies of other sites in this vendor’s “network.” The most curious thing is if you try to cut and paste some of the content, you get a popup that prevents you from doing so, saying that the work is copyrighted.

It is clearly the work of AI. The same company that owns this site runs about a dozen other websites, many with the word “review” in their domain names. These sites have a boring sameness about them, with articles that don’t reflect any news moments or trends in current events. These are not reviews.

Welcome to the new bottom-feeders of tech.

Coda: references

CSOonline: 5 steps for deploying agentic AI red teaming

Building secure agentic systems requires more than just securing individual components; it demands a holistic approach where security is embedded within the architecture itself. For my latest article for CSO Online, I delve into the world of using agentic AI for red teaming exercises. It is very much a work in progress. Many vendors of defensive AI solutions are still in their infancy when it comes to protecting the entirety of a generative AI model and the attack space is enormous.

The latest digital divide spans multiple governance dimensions

When we used to talk about the digital divide, we thought about who had what technology and how they used it. A new book has opened my eyes to yet a new series of dimensions, and these take both a closer look at the technology as well as place it in a different and more complex framework of multi-stakeholder inclusion and governance.

The book is Geopolitics at the Internet’s Core, and it is a most unusual and very helpful effort by four co-authors that have been long involved in shaping technology policy and governance: Fiona M. Alexander and Nanette S. Levinson, who both hold various research positions at American University in Washington DC; Laura DeNardis, a professor at Georgetown University and author of numerous books on tech governance; and Francesca Musiani, a researcher at the French National Center for Scientific Research. I got a copy to review and reading this book made me want to talk to Alexander directly about the inclusion issue. (If you would like to purchase the book, use PALAUT to get a 20% discount.)

But first, let me lay some foundations.

If we look at how IP protocols are distributed across the globe, we’ll see that their DARPA origins are still very much in evidence. There are several ways to measure this. One is by counting Internet Exchange Points — the places where large ISPs can connect to each other. These are still mostly concentrated in western countries, and many countries have either no IXPs or a single one. The absence or paucity of an IXP means that residents of that country will have longer latencies, less local content and higher cost of internet access.

Another measure is the number of IP address ranges available in any given locality. We know that the IPv4 “classic” address ranges have been mostly consumed, but in Africa there are still many available address ranges.

And then there is the distribution of DNS servers, because having one logically “nearby” also affects traffic latency and the resiliency of digital networks. It took until 2022 before Africa had its own managed DNS cluster, meaning that prior to then most of its DNS traffic had to transit to another continent.

If we move our lens to a wider angle to examine the actual languages used online, we see that English dominates, and despite there being thousands of different languages spoken and written, 82% of online content is represented by ten languages: English, Chinese, Spanish, Arabic, Portuguese, Japanese, Russian, German, French and Malaysian. For much of the internet’s early years, non-ASCII domain names weren’t supported, and today there are still gaps in having local character set support.

Let’s move our lens to a still wider angle to internet governance. This is also instructive in showing the unequal distribution of these resources. The various standards bodies that determine internet policy still have a very western bias. And as conflicts spread to the TCP/IP space — such as one country asking to terminate access into another country, who is serving on these bodies can be significant. This is not a new problem.

Geoff Huston, who works for the Asia Pacific Network Information Center, is a keen observer of these and other issues. “The problem is that the distribution of this digital wealth is very uneven, and while a small clique of individuals may live in an extreme level of opulence, large proportions of domestic populations are disenfranchised and marginalized. Having valuable digital enterprises domiciled in a nation does not translate to widespread economic prosperity. It’s extremely challenging to espouse the benefits of an open multi-stakeholder global communications environment when the dream has been so basely corrupted by the exploitative excesses of the small clique of digital megaliths.” He is of course referring to the major US online companies such as Google, Facebook, and Amazon.

These and other issues were part of a chapter of the Geopolitics book. This chapter is devoted to the role of the internet ecosystem to become more inclusive and involve multiple stakeholders in developing technical standards and to be adopted and supported across multiple geographies and cultures. The authors write that “the intersections of the internet with governing bodies are neither hierarchical nor linear. Thus, approaches to inclusion should involve models that complement the kaleidoscopic design of IP and reflect its very nature.”

I spoke to Alexander about her book and her role in shaping US and internet policy over her 20-year government career. “The internet has been a resounding economic success, but what is needed now is a more holistic assessment of policies to forge a path forward,” she said. “There is no singular multi-stakeholder approach — it is the tool and not an outcome, and it works best when more people and more transparency are involved.” She relishes her early years when she worked for the Clinton administration and wishes that we could have more opportunities for bringing the right people from around the world to debate these future policy choices. “Not everyone sees that, but hopefully it will happen. I remain an optimist.”

Huston fears that various national pressures might drive us away from inclusive gains of the recent past. “Maybe it’s the broader challenges of our enthusiastic adoption of computing and communications that have formed a propulsive force for widespread social dislocation in today’s world,” he says.

30 years of Web Informants

Break out the candles because this month I will celebrate Web Informant turning 30. What began as an email newsletter back in 1995 and eventually morphed into a blog is still going strong. Ten years ago I wrote this post about my first 20 years of Informants, and included a link to remembering some of the more notable interviews that I conducted from back in that era.

So let’s catch up on my last decade. Three years ago, I interviewed several IT managers whom I have kept in touch with in this series, and another notable 2024 interview with Janey Brummett who spent three decades working in the IT department for the Catholic Health Association. Back in 2019, the term digital nomad was just coming into style, just before the worldwide lockdown that made travel difficult. That post has held up well, and I still follow some of the folks — who are now just called content creators — that I originally wrote about, such as Jessica Carroll recently.

During this past decade, I spent a great deal of time being a corporate blogger, including the following stints at major security vendors. Amazingly, some of my content is still online from both Avast, from 2020-2022, and Kaspersky, from 2019-2021. Sadly, some of it has been erased from these sites:

  • RSA, from 2018-2020
  • HPE, from 2017-2019
  • iBoss, from 2016-2018
  • IBM, from 2015-2019, with an excellent site called SecurityIntelligence.com

You can find a few selected pieces that I have resurrected on my blog if you want to take a deeper historical look.

Looking over this list, there is a lot that I am proud of and that much of this content has held up well. Speaking of corporate blogging, back in 2006 I wrote a piece for Computerworld about best practices for corporate bloggers, and revisited that topic in 2015. Both of those pieces have held up well too.

In addition to this work, over the past decade I have written for various editorial pubs that I either created (such as Inside.com’s email newsletter on security topics) or continue to contribute to, such as CSOonline, NetworkWorld (and other IDG/Foundry pubs) and for SiliconAngle in 2023.

I wrote a few pieces over the years about the lessons that I learned first-hand from web publishing, including this piece for Baseline magazine in 2008 (a Ziff print pub that I contributed to for many years) and more recent advice on this topic that I posted in 2014 on my own blog.

One story that I am particularly proud of was for the Internet Protocol Journal, a pub that I have written numerous stories for. This one was about the genesis of the Interop Shownet and its history and role in the development of the internet. I describe my personal involvement with the show when I launched Network Computing magazine back in 1990, and interviewed some of the show’s early participants in creating and maintaining the show’s innovative network. Alas, last year saw the passing of Interop’s guiding light Dan Lynch, who was a giant among us all.

I will leave you with some words about the current AI context. I have been writing about, thinking about, and using AI now for some time and see that cybersecurity in particular stands at a crossroads with agentic AI, LLMs and chatbots. Never have we had such a powerful tool that can create reams of code in the blink of an eye, find and defuse threats, and be used so decisively and defensively. This has proved to be a huge force multiplier and productivity boon for security pros. But while these technologies are powerful, they aren’t dependable, and that is the conundrum. They can quickly spin stories that are fictional narratives, create code that has subtle flaws and ultimately do more harm than good by boosting phishing lures and building new forms of malware. This is the dark side that can undo these gifts. And that is the challenge at hand.

Thanks for all your attention, comments, brickbats and kudos over the years.

The countdown to Google Zero approaches

We are witnessing the end of the search era when it comes to web technology. The term, coined last year by The Verge’s Nilay Patel, was provocatively called Google Zero. It refers to the moment when Google’s SEO is no longer sending the majority — or any — of its traffic offsite, thanks to the AI overviews that now take up the above-the-fold space on search results. As one analyst put it, “years of SEO strategy are now colliding with a system that for many publishers’ traffic is slowing — and in some cases is falling off entirely.”

Some of this is a good thing: the SEO snake oilers will have to reconstitute their potions and come up with new formulations. But it is also a bad thing, because while Google tweaks their search algorithms nearly continually, this is a big jump, and search ads are shifting quickly into AI-powered search. What this means for organic search traffic is doom, as it has already dropped significantly.

As someone who has seen web publishing from its earliest days, back before we even knew that it was a Thing, it is fascinating to watch. But it is also depressing to be working in this Brave New AI World. I was part of the early PC revolution when dead trees were turned into piles of trade magazines that reached dizzying heights. These piles were delivered the old-fashioned way of the US Postal Service to IT workers’ desks every Monday morning. Those were fun times, because contained in that stack of paper were the embodiment of millions of dollars of ads.

That era lasted about 15 years, until the web became a better delivery mechanism, and within a few moments, we went from a huge stack of paper to electrons that could target the digital cookies placed on your hard drive. The magazines went from each employing dozens or hundreds of people to having a single editor and perhaps another person to clean up the digital mess that was unintentionally published. We had companies such as TechTarget that literally had “search” in every one of their 57 (or was it 157?) domain names and built a lead-gen empire.

Now TechTarget is just another bauble in the Informa collection of washed-up mags that is quickly moving to an AI underpinning. Do I sound bitter? I guess.

“Nobody is bragging about their custom CMS with a name from Norse mythology. And now they will need a new investment cycle focused on understanding and applying audience data with fewer means,” says Brian Morrissey. I had to look up the Viking reference, and what I got was of course generated from AI. But I did click on the link just to show that I appreciated a little bit of SEO there. Call me old-fashioned.

CSOonline: Seven ASPM products compared

Having a central protections platform for application security requires a deep understanding of issues and product capabilities. Protecting your enterprise application collection requires near-constant vigilance and a careful choice of the right collection of defensive tools. As threats continue to become more complex and difficult to discover, applications have also become more complex and bridge the worlds of cloud, containers, and on premises. This presents all sorts of challenges for tools which have struggled to keep pace.

The latest category of products goes by the moniker of application security posture managers, or ASPM. I review seven different tools from these vendors in my latest post for CSOonline:

  • ArmorCode
  • Crowdstrike
  • Cycode
  • Ivanti
  • Legit Security
  • Nucleus Security
  • Wiz