CSOonline: Securing Microsoft Teams

As more people work remotely from home, your collaboration tools need more scrutiny. A popular choice for instant messaging and video conferencing is Microsoft’s Teams, and securing this application will be a challenge. There have been Teams-specific exploits observed, for example. And even if Teams isn’t targeted, it could fall victim to general DDoS or ransomware attacks, which would be an issue if you depend on Teams for internal communications post-attack. And while Microsoft has published numerous suggestions on how to better secure Teams, the process is vexing and error-prone.

You can read my published analysis for CSOonline here. I also compare how Teams security stacks up with Slack. Avanan, pictured above, has versions for both.

Avast blog: Everything you should know about social media scraping

Last month, a massive data leak exposed more than 300 million different accounts from social media platforms. The collection included 192 million records scraped from two different Instagram collections, along with 42 million records scraped from TikTok and an additional 4 million records scraped from YouTube.

The records include usernames, profile photos, emails, phone numbers, age and gender along with specifics about followers and other engagement for each account. The leak involved a set of three open data shares from the company Social Data: a few hours after being notified, the shares were properly secured.

There are several things that are interesting about this leak: its source, how the data was obtained, and what this means for your own social media consumption. You can read more on the Avast blog. 

Network Solutions blog: Understanding SSO

One of the best ways to manage your password collection is to use a single sign-on (SSO) tool. These tools centralize the administration of user authentication services by having one login credential that can be used for multiple applications. 

You might think this creates a security loophole. We all have been drilled into not sharing the same login across multiple apps, right? The way that SSO works is somewhat different. Yes, you have a single login to gain overall access to an SSO tool. But once that is accomplished, the tool then automatically sends out separate credentials to sign in so you can use each of your apps. In many cases, you don’t even know what the details of each credential are — they could be using very complex passwords that are created at random by the tool. The good news is that you don’t need to remember each one, because the SSO does it for you. The bad news is that implementing SSO can be confounding, costly and complex.

You can read more on this topic on my blog post for Network Solutions here.

RSA blog: Why authentication still holds the key for RSA’s success after nearly 40 years

Today, RSA once again becomes an independent company, after being owned by EMC and then Dell Technologies for the past several years. I’m commemorating this milestone by looking at a few of my favorite products from the RSA portfolio and setting some context for the longevity of this iconic company.

Ironically, for those of you that might not recall the early days of RSA, you may not realize that the actual “RSA” name almost disappeared altogether. This was as a result of an early acquisition by Security Dynamics in July 1996 – fortunately the RSA name was adopted after the acquisition. Speaking of longevity, the company’s initials of course stand for its three founders:

It has been almost 40 years and RSA is still a significant player in the information security marketplace. Formed back when mainframes walked the earth, it has thrived during the Internet era and continues to innovate with new products and new ways to deliver security.

While RSA offers a range of products – from SIEM to integrated risk management – it’s their authentication and fraud prevention products that have frequently caught my attention. At a time when cybercrime is increasing and organizations need solutions to help them secure the future dynamic workforce, these three products will play a significant role in the future of many businesses:

  1. RSA SecurID with Yubikey

The iconic, one-time-password generator RSA SecurID Access hardware or software token has been around for decades and can be found in the hands (or on the devices) of millions of workers globally. Over the years, the fob form factor has been tweaked, augmented by an added USB port, and other minor changes. This fob can be used in a variety of authentication circumstances, and is a significant multi-factor method. One of the most significant recent developments is something announced last year and involves the Vulcan mind-meld with Yubico’s Yubikey.

What I like about this partnership is that you never have to type another series of PINs ever again. All you need to do is to press the gold-colored button on the Yubikey to acknowledge that you have it in your possession, and the PIN stored within the device will make its way into the RSA SecurID infrastructure and authenticate you.

I like to think of this offering as a marriage between RSA’s longest running and most famous product and the latest authentication standards. It’s worth taking a closer look, especially if you are an existing RSA SecurID Access customer and want to step up your authentication game. As more passwords find their way to various security leak lists, having a hardware key is still the most secure method to protect all of your logins.

  2. RSA Adaptive Authentication.

If you are using any kind of authentication system, you need to be using adaptive authentication (AA) and the RSA version is a solid product. The issue is that we all have to stop thinking about authentication as a binary event. In the past, you were either authenticated or you were not. What AA does is operate more continuously, checking your actions (defined variously) against trustworthy norms to evaluate whether you are who you should be as you go about your computing daily life. As the criminals get better about compromising our accounts with various phishing lures, AA is going to become an essential defense mechanism.

As I mentioned in an October 2018 blog post, AA can be combined with various RSA multi-factor authentication and biometric tools to beef up your identity and access management strategy and help improve your login security.

As an example of its use, the British credit company New Day has deployed AA to help reduce fraudulent credit card usage. The AA routines pre-screen questionable transactions and determine whether they should be allowed or escalate them to human examiners, thus creating fewer challenges for their customers. These screens include looking for geolocation conflicts (a consumer who is making withdrawals in two different places that aren’t physically near each other) or an odd purchase (someone who hasn’t recently bought a suit such as what happened to me once, which was mildly embarrassing), or making a large cash withdrawal at a new ATM location.
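The kind of pre-screening described above can be sketched as a small risk scorer. This is an added example, not RSA's or New Day's code: the weights, thresholds, field names and sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assumed, illustrative thresholds and weights (not taken from any product).
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed
MIN_CONFLICT_KM = 50.0      # ignore small location jitter
LARGE_CASH = 500.0
ESCALATE_AT = 50

@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    lat: float
    lon: float
    kind: str        # "purchase" or "cash"
    amount: float
    terminal: str

def km_between(a, b):
    """Great-circle (haversine) distance between two transactions, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def score(txn, history):
    """Return (risk, reasons) for txn against the account's earlier transactions."""
    risk, reasons = 0, []
    prior = [t for t in history if t.account == txn.account and t.when <= txn.when]
    if not prior:
        return risk, reasons          # no baseline yet, nothing to compare with
    last = max(prior, key=lambda t: t.when)
    hours = (txn.when - last.when).total_seconds() / 3600
    dist = km_between(last, txn)
    # Geolocation conflict: the distance cannot be covered in the elapsed time.
    if dist > MIN_CONFLICT_KM and (hours == 0 or dist / hours > MAX_PLAUSIBLE_KMH):
        risk += 60
        reasons.append("geolocation conflict")
    if txn.terminal not in {t.terminal for t in prior}:
        risk += 20
        reasons.append("new terminal")
    if txn.kind == "cash" and txn.amount >= LARGE_CASH:
        risk += 30
        reasons.append("large cash withdrawal")
    return risk, reasons

def decide(txn, history):
    """Allow low-risk transactions; send the rest to a human examiner."""
    risk, reasons = score(txn, history)
    return ("escalate" if risk >= ESCALATE_AT else "allow"), reasons

# Constructed sample data: one account with a baseline in St. Louis.
STL = (38.627, -90.199)
HISTORY = [
    Txn("acct-1", datetime(2020, 9, 1, 9, 0), *STL, "cash", 40.0, "atm-01"),
    Txn("acct-1", datetime(2020, 9, 1, 10, 0), *STL, "purchase", 42.0, "pos-grocer"),
]
LOCAL_PURCHASE = Txn("acct-1", datetime(2020, 9, 1, 10, 30), *STL, "purchase", 18.0, "pos-grocer")
NEW_ATM_CASH = Txn("acct-1", datetime(2020, 9, 1, 11, 0), 38.63, -90.20, "cash", 600.0, "atm-77")
LONDON_PURCHASE = Txn("acct-1", datetime(2020, 9, 1, 12, 0), 51.507, -0.128, "purchase", 90.0, "pos-london")

if __name__ == "__main__":
    for t in (LOCAL_PURCHASE, NEW_ATM_CASH, LONDON_PURCHASE):
        print(t.terminal, decide(t, HISTORY))
```

A new terminal or a large cash withdrawal on its own stays below the escalation threshold here, which is how a scorer like this keeps customer challenges down while still catching the combination.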

  3. RSA FraudAction.

Speaking of fighting fraud, one of the more interesting RSA offerings is a service called RSA FraudAction. This is not a consumer offering but geared towards defending the consumer’s endpoints which are fraud and phishing targets. It is based on having two operations and command centers that provide fraud intelligence and defense. One of them is outside Tel Aviv (where I visited in 2018 and wrote this report for CSOonline) and another located on the Purdue University campus. The centers proactively monitor (typically) a bank’s transactions and block suspect ones, using the AA products mentioned above to provide the risk scores. The goal is to flag something suspicious before the transaction clears, so that both the consumer and the bank are protected. The team also produces regular intelligence reports (such as this sample report) for customers on the various, real-time threats on the Dark Web.

My point in highlighting these three products or services is that they all work together in an interesting way to help you harden your authentication and reduce potential compromises. It’s also a testament for a company that has helped pave the way for the rest of the information security industry and developed a portfolio of solutions that can work together to help you manage digital risk.

Nearly 40 years after its inception at the MIT campus, RSA remains at the forefront of this market and well positioned to help businesses both large and small address security, risk and fraud concerns in a world that’s increasingly complex.

Back to college, Covid-style

As most of you know by now, I live in St. Louis. This is midway between two major rival state schools, in Columbia (Mizzou) and the University of Illinois at Urbana-Champaign. The two schools have markedly different Covid testing policies this semester. I will get to that in a moment, but first, take a look at this dashboard developed by the College Crisis Initiative:

You can see the focus in my metropolitan area of each school and the various policies that have been adopted, ranging from full in-person classes to all-online instruction and various in-between choices. There is a lot of variation among the colleges and universities just on this small portion of the map. This reflects the variation of policies about the pandemic. In my region, we have different policies for mask wearing: a county just south of the city went from masks highly recommended to required to revoking the requirement, all within 24 hours. Such is the toxic mixture of politics and public health, with emphasis quite literally on toxic.

It is certainly a confusing time to be attending college. Mizzou is using a hybrid model: some in-person classes and some online. Each school’s dean makes their own decision. Students are required to report positive tests to the campus health department.

Illinois has gone whole-school testing. They aim to test everyone (including staff and faculty) twice a week, whether or not they show symptoms. They are doing thousands of free tests daily, using a new saliva-based protocol that was developed internally (Yale and the NBA are also doing something similar), with results available in minutes. Students receive results on an app on their phones, which allow them access to classrooms if they test negative. Interestingly, most of their classes are being held online, even though students are living on campus. All this planning didn’t help: students still went to parties and got infected.

Some schools, such as Notre Dame, began their semesters with plans for all in-person but got spikes in infections and then paused these classes to do more testing. The cause appeared to be a combination of large on-campus gatherings of non-mask wearers and two off-campus parties attended by biz school students. I guess the students took to their mirroring of adult life very faithfully.

An example of what shouldn’t be done is Albion College in Michigan. Ironically, it has academic programs to train contact trackers to be hired by health agencies. Last month Zack Whittaker at TechCrunch wrote about a new Covid tracking app from Aura that is being deployed at the college. The app is mandatory for all students and tracks their real-time locations.

If you think you have already heard about Aura, there is another product with this name that is a mood tracker for the Apple Watch. There is also the Oura ring which is another health and activity monitor. But the Albion Aura app is a problem. Like at Urbana, students need to use the app to gain entry to classrooms. If students uninstall the app or don’t share their location with the app, they could be suspended. Its first release contained rookie security errors, one of which was found by one of the college’s compsci students. There is a long list of FAQs on the college website. I was more confused reading the entries and I can’t imagine what students and parents at Albion might think.

Clearly, we are all feeling our way through these trying times. And the Mizzou link above will take you to a SciAm piece that compares strategies at other schools. If you have a college student in your family, do share your own reactions here about your own perspective.

Marketing in the time of the Covid

I have been doing a couple of podcast interviews with marketing executives over the past couple of weeks: one with Domo (a cloud BI company on which I did hands-on tests several years ago) and Talend (a cloud data integration vendor). Both faced big challenges during the pandemic, such as turning their in-person user conferences into all virtual ones and changing their marketing to adjust to the new virtual way of doing business. You would think that the marketing would be pretty much the same even though both companies operate primarily in the cloud. But you would be wrong. When it comes to enterprise B2B software sales, you need road warriors and a personal high-touch. But the old school days of customer wine-and-dine are gone. You have to be more creative about building those connections these days.

Talend hired a completely new leadership team (which interestingly are all women) and as a result went through a series of rebranding efforts. “Data is the difference between surviving and thriving,” says Lauren Vaccarello, the CMO of Talend on our podcast. She watched one of her favorite tea shops close their doors in a couple of weeks and lay off hundreds of their staff. That motivated her to rethink their messaging and start fresh, assuming that everything will change. “We have a product that can help businesses with better and real-time access to their data.”

“We can’t rely on anything, we have to innovate and change what we did a year ago,” she said. For example, they could pull customer executives together in a webinar rather than rely on those who could attend a physical meeting. Not to mention that virtual events were a lot less costly and had a lot higher attendance and engagement too. “From an ROI perspective, we got 5x higher returns than from an in-person event.” Having an all-female executive team at Talend is an interesting experience for all of them. “None of us feel the need to be perfect around each other,” she said. That makes for more intense, authentic and productive collaboration too. “The dynamic is different.”

Domo had a similar experience and just a few days to transform their customer event into a virtual one. It went from about 3,000 attendees to more than 12,000 virtual visitors. And from three days’ worth of sessions to one 90 minute plenary session with dozens of break-out sessions that could be streamed on demand.

One of my biggest beefs with SaaS companies is how hard it is to price their services. Compare Domo’s pricing page with Talend’s (shown here) — the latter is very transparent and very clear, and a rarity.

I want to bring in a post from Salesforce which talks about ways marketers can fight digital fatigue. The authors cite the average person now spends 7.5 hours daily in front of a screen. They have several suggestions on how to beef up your own marketing efforts during these pandemic times, including:

  • Follow your customers as they change usage patterns and try new products. Stay top of mind and evolve with them. Don’t stop your marketing efforts.
  • Personalization is critical. As customers curate their digital experiences, make sure you have a better understanding of their needs and what matters to them. But don’t cross over into being creepy.
  • Agile is here to stay. Understand this evolution and how customers are responding to your content.
  • Social media matters. Make sure you can engage your customers on the various social platforms where they talk about your products.
  • Empathy is important. Show your customers that you care and respond to their concerns. Above all else, avoid the hard sell and be authentic.

FIR B2B podcast #141: How Domo pivoted to a virtual conference — in just 12 days

Business intelligence software firm Domo had been planning its March 18 Domopalooza conference for nearly a year. About 3,000 customers and partners were expected to flock to Salt Lake City for four days of technical training and meetings, capped by a concert by the Black Eyed Peas. But as quarantines and lockdowns began sweeping the world in late February, Domo made the tough call to take the conference virtual, with just 12 days to make the shift.

Chief Strategy Officer John Mellor spearheaded the shift. In this interview he summarizes the rapid series of decisions Domo had to make to pull off a successful virtual event that ultimately attracted more than 12,000 visitors. There are more details in this story that my podcasting partner Paul Gillin wrote for SiliconAngle.

Mellor turned a three-day event into one 90-minute plenary session that mixed live conversations with pre-taped segments, along with a series of dozens of break-out sessions that could be streamed on demand. He focused on delivering great content, driving a higher attendance and better engagement through a well-defined user community. He also saved a bunch of money, even after paying the no-show fees for the various in-person aspects of the event. In our podcast, he discusses his decisions and why he expects to take a “virtual first” approach to future events.

Listen to our 21-minute podcast here:

Network Solutions blog: How to evaluate a DNS security provider

The Domain Name System (DNS) is the Rodney Dangerfield of Internet protocols. By that, we mean that DNS has trouble getting respect for all the important things that it does. Over the years, the DNS has been abused by spammers, its weaknesses exploited by distributed denial of service (DDoS) attackers and domain hijackers. Given that the spate of attacks is increasing (according to one 2019 IDG report), it is time to get more serious about how you manage your DNS infrastructure and how you can harden it to prevent future threats. DNS attacks are often used by bad actors to reach their victims and do damage to business reputations. In this post for Network Solutions’ blog, I talk about the role that DNS plays and how you can evaluate a potential DNS supplier and use various means to protect your network assets.

RSA blog: Considerations Towards Enabling A Virtual SOC Environment

The role of the security operations center (SOC) is changing in a more distributed world. As businesses continue to support remote operations and staff, they need to start thinking about building out a virtual SOC environment to manage their infrastructure long-term.

In the days before the health crisis, physical SOCs were usually found near the data center in the organization’s headquarters. Sometimes, they were more showplaces for management to bring customers by and reassure everyone that the company was serious about security. Well, we need them more than ever, especially as the threat models have changed as staff now works outside of the physical office walls and uses more cloud-based applications and services.

In the past few years, managed security service providers (such as Dell’s SecureWorks) have come up with cloud-based SOCs used to monitor networks and computing infrastructure – no matter where they’re located. The virtual SOC takes this a step further, and provides a wide range of services such as patching and malware remediation along with threat intelligence and defense. Some of these providers are rebranding their offerings, calling them SOC-as-a-Service.

There are several things to consider in building the right virtual SOC. Some of these choices are not as obvious and will require some effort to plan appropriate actions.

First, you must decide how this virtual SOC is going to augment your existing security infrastructure. If you already have a physical, on-premises SOC, will you need to staff it as your organization moves back into the office once you make your SOC completely virtual? Do you need additional technologies to monitor threats that originate in your collection of cloud apps? How will these interact with your existing tools to identify and resolve these threats? How will you define and monitor normal network behavior and keep your eye on the changing work environment?

As you start thinking about this, review the workflow and processes when a security event does happen: How is it described by the SOC staff or tool, and how is it ultimately resolved? For example, before the pandemic, you may not have had a very rigorous bring your own device policy. Or you may not be operating the most thorough endpoint agents and need to capture all kinds of remote events. Both of these probably need some immediate attention.

That brings me to my next point: Take ownership of your cloud apps. This is something I wrote about previously. In that blog post, I touch on things like evaluating risk-based access, extending network visibility to the cloud and figuring out ways to manage these applications. Chances are, you will need to consider changes to your identity and authentication infrastructure if you have multiple cloud storage services and after an audit has been completed of the cloud portfolio and the existing security controls. This may even lead you towards thinking about using a cloud access security broker.

Thirdly, focus on a particular perspective before you find the right virtual SOC provider. One of the biggest challenges about a virtual SOC is that vendors come from very different security perspectives and origins that span the security marketplace. If you are going to shop around for a virtual SOC provider, know what you’re lacking and whether the SOC vendor can complement rather than compete with your current toolset. For example, you may have a SIEM in place, but does it have the right level of endpoint protection system to handle the remote population? Or, you may have a network operation center (NOC) that is designed to support a centralized staff but doesn’t give visibility into the work-from-home infrastructure. Or, your tools may not be strong in being able to resolve remote threats that occur. As you can see, this isn’t such a simple series of questions to answer, but it’s important to have direction as you seek the right vendor.

Finally, decide whether a virtual SOC is a near-term fix, or will become the de facto mode of future operations. Given the progress of the current disruption, I think organizations will continue working from home for many months.

I must come clean and tell you that I have flipped my original opinion of SOCs. Five years ago, I wrote that SOCs may be going the way of the dodo bird and cynically suggested that one could end up in the Smithsonian museum. Contrary to that notion, I now feel that SOCs – especially virtual ones – are needed more than ever.

FIR B2B podcast episode #140: Talend’s Lauren Vaccarello On Taking Marketing Virtual

Lauren Vaccarello’s first year as CMO of Talend has been about resilience, psychological trust and safety, along with frequent quick pivots. The former marketing executive at Salesforce.com and Box and host of a Mission.org marketing podcast has had to adjust to working with an entirely new leadership team, leading a full company rebrand (and a second rebrand thanks to COVID-19) and transforming a planned in-person event to a worldwide series of virtual events fielded across three continents in a single day.

In the process, Lauren has learned to think on her feet and how to rewire marketing in this brave new pandemic world. In our interview, we talk with her about the changes COVID-19 has wrought in the B2B world, what marketers still need to learn about digital marketing, how B2B is affected by the surge of e-commerce usage in the consumer world and why Talend is so transparent about pricing (its page is a model of clarity that every SaaS vendor should follow). She also tells why she is excited to be working for an all-female leadership team and the collaboration and shared responsibility they bring to the table. It’s something other Silicon Valley firms could learn from. Listen to our 30 minute podcast here: