The industrial metaverse is further ahead on the 3D front, with simulations and digital twins. The industrial metaverse is ahead on the standards front, with companies like Nvidia pushing potential standards such as Universal Scene Description (USD) through its Omniverse platform. USD has been characterized as doing for the metaverse what HTML did for the internet. In this regard, USD can lead to greater interoperability, [connecting] formerly disparate applications or ecosystems … to make workflows more seamless. ... Digital assets, similarly, are typically locked to a particular ecosystem, servicer or game. Many of the most transformative opportunities in the consumer space will also come with mainstream smart glasses, which are still years away before we see a stronger impact. The enterprise and industrial metaverses are also better grounded in ROI, meaning more trials and initial deployments have a higher potential to succeed or lead to more adoption compared to consumer efforts, which have seen more pushback, such as the addition of NFTs in games in Western markets [gaining] limited traction.
The next step to the IR playbook is to identify the "crown jewels" of the organization — the critical systems, services, and operations that, if impacted by a cyber event, would disrupt business operations and cause a loss of revenue. Similarly, understanding the collected data type, how it is transmitted and stored, and who should access it must be mapped to ensure data security. Identifying and mapping critical systems can be accomplished through penetration tests, risk assessments, and threat modeling. A risk assessment is often the first tool to identify potential attack vectors and prioritize security events. However, to achieve a proactive stance, organizations are increasingly leveraging threat intelligence and modeling to identify and address vulnerabilities and security gaps early on before a known attack occurs. The primary goal is to identify weaknesses or vulnerabilities with assets to reduce the attack surface and close all the security gaps. This guide will focus on web application security as our attack scenario. Why web application security?
Most of what we know as AI today has narrow intelligence – where a particular system addresses a particular problem. Unlike human intelligence, such narrow AI intelligence is effective only in the area in which it has been trained: fraud detection, facial recognition or social recommendations, for example. AGI, however, would function as humans do. For now, the most notable example of trying to achieve this is the use of neural networks and “deep learning” trained on vast amounts of data. Neural networks are inspired by the way human brains work. Unlike most machine learning models that run calculations on the training data, neural networks work by feeding each data point one by one through an interconnected network, each time adjusting the parameters. As more and more data are fed through the network, the parameters stabilise; the final outcome is the “trained” neural network, which can then produce the desired output on new data – for example, recognising whether an image contains a cat or a dog. The significant leap forward in AI today is driven by technological improvements in the way we can train large neural networks, readjusting vast numbers of parameters in each run thanks to the capabilities of large cloud-computing infrastructures.
Organizations smell potential here, with 23% responding that they are already developing initiatives even as basic specifications are still firming up. Of the respondents that expressed a desire to do business in the metaverse, the leading interest (44%) was customer engagement opportunities. Other popular areas are learning/training measures and workplace collaboration. But when asked about their concerns about expanding into this new area, respondents said that metaverse security was item #1 on the list. By and large, today’s security solutions have not yet considered the prospect of metaverse integration. Nevertheless, 86% of the respondents said that they would feel comfortable sharing user personal information between different metaverse services. Security providers may be waiting to see what users settle on in the metaverse before tailoring their products accordingly. Of the products available thus far, online games are the only ones drawing mass amounts of users (particularly the pre-existing Roblox and Fortnite) along with simple 3D world chat apps that allow users to appear as an avatar.
The big companies that have historically dominated AI research are implementing massive layoffs and hiring freezes as the global economic outlook darkens. AI research is expensive, and as purse strings are tightened, companies will have to be very careful about picking which projects they invest in—and are likely to choose whichever have the potential to make them the most money, rather than the most innovative, interesting, or experimental ones, says Oren Etzioni, the CEO of the Allen Institute for AI, a research organization. That bottom-line focus is already taking effect at Meta, which has reorganized its AI research teams and moved many of them to work within teams that build products. But while Big Tech is tightening its belt, flashy new upstarts working on generative AI are seeing a surge in interest from venture capital funds. Next year could be a boon for AI startups, Etzioni says. There is a lot of talent floating around, and often in recessions people tend to rethink their lives—going back into academia or leaving a big corporation for a startup, for example.
It’s common to find product managers and product owners in SaaS, technology, ecommerce, retail, and other B2C companies. Leadership in these companies long realized that understanding markets, determining product-market fits, defining customer personas, and understanding value propositions are all key to developing minimally viable solutions and delivering ongoing product enhancements. But identifying product managers and owners in non-tech companies, B2B businesses, SMBs, and the government remains a long-running work in progress. To start innovating, it comes down to transforming from stakeholder-led backlogs to product-managed, market-driven roadmaps. Tech, media, and ecommerce companies figure this out right away because chasing stakeholder-driven features often yields subpar results. More traditional businesses are likely to misdiagnose the problems with stakeholder-driven backlogs as a technology execution or platform issue. But there are a few secrets to making product management work even in the most traditional businesses.
Even as those layoff announcements were rolling in, the US Bureau of Labor Statistics job report for October showed a strong job market for tech pros and continued growth for remote jobs. In November that growth continued with IT industry association CompTIA reporting that US tech companies added 14,400 workers during the month, marking two consecutive years of monthly job growth in the sector. Tech jobs in all industry sectors increased by 137,000 positions. And while job postings for future hiring slipped in November, they still totaled nearly 270,000. As the tech sector heads into a changed 2023 employment market, it’s unclear how all these mixed signals will play out, although experts are starting to weigh in on best practices. Employers are likely looking carefully at budgets and head counts. But it will be a challenging line to walk. Employers have spent the past few years investing in employee experience programs and focusing on retaining their valuable talent. An abrupt change in direction such as mass layoffs will likely sour companies’ reputations as employers.
Besides the operation being stacked with technology know-how, Michael Pezely, Signifyd's director of risk intelligence, tells Dark Reading that the e-commerce threat group has sheer speed and volume of scam transactions on its side. "E-commerce orders — particularly at the enterprise level — arrive at dizzying speed," Pezely says. "Signifyd, for instance, processed as much as $42 million an hour in orders during Cyber Week. It would be virtually impossible for a human team to review that volume of orders for signs of fraud." Pezely added that merchants are on the lookout for goods being shipped to a foreign country, but this group of scammers places orders that appear to originate from the US and ship to US addresses. "Furthermore, if a merchant is relying on only its own transaction data, there likely will be a lag between the time a fraud attack begins and when it is recognized," Pezely explains. "Without having the benefit of seeing millions of transactions across thousands of merchants, a novel fraud attack might not be in plain sight for some time."
The reason for the continued bombardment, said Moore, is increasing reliance on third-party code (including Log4j). This makes distributors and suppliers ever more vulnerable, and vulnerability is often equated with a higher payout, he explained. Also, “ransomware actors are increasingly thorough and use non-conventional methods to reach their targets,” said Moore. For example, using proper segmentation protocols, ransomware agents target IT management software systems and parent companies. Then, after breaching, they leverage this relationship to infiltrate the infrastructure of that organization’s subsidiaries and trusted partners. “Supply chain attacks are unfortunately common right now in part because there are higher stakes,” said Moore. “Extended supply chain disruptions have placed the industry at a fragile crossroads.” Supply chain attacks are low cost and can be minimal effort and have potential for high reward, said Crystal Morin, threat research engineer at Sysdig. And, tools and techniques are often readily shared online, as well as disclosed by security companies, who frequently post detailed findings.
The first generation of cybersecurity detection technology is rules, but rules only detect known patterns. Individualized rules require expensive experts to maintain: each application is unique, and one must be extremely familiar with its business logic, log formats, how it is used, etc., in order to write and manage rules for detecting application breaches. ... Over a decade ago, the security market adopted statistical analysis to augment rule-based solutions in an attempt to provide more accurate detection for the infrastructure and access layers. However, UEBA failed to deliver as promised to dramatically increase accuracy and reduce false positive alerts due to a fundamentally mistaken assumption – that user behavior can be characterized by statistical quantities, such as the average daily number of activities. ... The main criterion for success in a detection solution is accuracy, which is dictated by the number of false positives and the number of false negatives. The evolution of detection solutions led to the third generation of solutions analyzing Sequences of Activity, i.e. Journeys, to contextualize activity and improve detection accuracy.
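To make the contrast between per-activity statistics and sequences of activity concrete, here is an added example (not code from the quoted article or any vendor). The log format, action names and the "unseen transition" check are assumptions chosen for illustration; the check is a deliberately simple stand-in for journey analysis.

```python
# Constructed application log (not from the page): "session_id action", in time order.
BASELINE_LOG = """\
s1 login
s1 view_account
s1 add_payee
s1 verify_otp
s1 transfer
s1 logout
s2 login
s2 view_account
s2 view_account
s2 logout
s3 login
s3 add_payee
s3 verify_otp
s3 transfer
s3 logout
"""
# Constructed suspect session: same actions and counts as s1, but transfer precedes the OTP check.
SUSPECT_LOG = """\
s9 login
s9 view_account
s9 add_payee
s9 transfer
s9 verify_otp
s9 logout
"""

def sessions(log):
    """Group actions by session id, preserving their order."""
    out = {}
    for line in log.splitlines():
        sid, action = line.split()
        out.setdefault(sid, []).append(action)
    return out

def count_outliers(baseline, journey):
    """Statistical view: actions whose per-session count is outside the baseline range."""
    def in_range(a):
        per = [j.count(a) for j in baseline.values()]
        return min(per) <= journey.count(a) <= max(per)
    actions = {a for j in baseline.values() for a in j} | set(journey)
    return sorted(a for a in actions if not in_range(a))

def unseen_transitions(baseline, journey):
    """Sequence view: consecutive action pairs never observed in any baseline journey."""
    known = {p for j in baseline.values() for p in zip(j, j[1:])}
    return [p for p in zip(journey, journey[1:]) if p not in known]
```

For session `s9` the count-based check returns nothing, while the sequence check reports the `add_payee` to `transfer` step that skipped OTP verification.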
Quote for the day:
"Before you revel in the anticipation of tomorrow, toil in the preparation of today." -- Tim Fargo