When technical debt strikes the security stack
“Security professionals are not immune from acquiring their own technical
debt. It comes through a lack of attention to periodic reviews and maintenance
of security controls,” says Howard Taylor, CISO of Radware. “The basic rule is
that security rapidly decreases if it is not continuously improved. The time
will come when a security incident or audit will require an emergency
collection of the debt.” ... The paradox of security technical debt is that
many departments concurrently suffer from both solution debt, which causes gaps
in coverage or capabilities, and rampant tool sprawl, which eats up
budget and makes it difficult to use tools effectively. ... “Detection
engineering is often a large source of technical debt: over the years, a great
detection engineering team can produce many great detections, but the
reliability of those detections can start to fade as the rest of the
infrastructure changes,” he says. “Great detections become less reliable over
time, the authors leave the company, and the detection starts to be ignored.
This leads to waste of energy and very often cost.” ... Role sprawl is another
common scenario that contributes significantly to security debt, says Piyush
Pandey, CEO at Pathlock.
Google Announces New Gmail Security Move For Millions
From the Gmail perspective, the security advisor will include a security
sandbox where all email attachments will be scanned for malicious software
employing a virtual environment to safely analyze said files. Google said the
tool can “delay message delivery, allow customization of scan rules, and
automatically move suspicious messages to the spam folder.” Gmail also gets
Enhanced Safe Browsing, which gives additional protection by scanning incoming
messages for malicious content before they are actually delivered. ... A Google
spokesperson told me that the AI Gemini app is to get enterprise-grade
security protections in core services now. With availability from October 15,
for customers running on a Workspace Business, Enterprise, or Frontline plan,
Google said that “with all of the core Workspace security and privacy controls
in place, companies have the tools to deploy AI securely, privately and
responsibly in their organizations in the specific way that they want it.” The
critical components of this security move include ensuring Gemini is subject
to the same privacy, security, and compliance policies as the rest of the
Workspace core services, such as Gmail and Docs.
The Next Big Interconnect Technology Could Be Plastic
e-Tube technology is a new, scalable interconnect platform that uses radio
wave transmission over a dielectric waveguide made of – drumroll – common
plastic material such as low-density polyethylene (LDPE). While waveguide
theory has been studied for many years, only a few organizations have applied
the technology for mainstream data interconnect applications. Because copper
and optical interconnects are historically entrenched technologies, most
research has focused on extending copper life or improving energy and cost
efficiency of optical solutions. But now there is a shift toward exploring the
e-Tube option that delivers a combination of benefits that copper and optical
cannot, including energy-efficiency, low latency, cost-efficiency and
scalability to multi-terabit network speeds required in next-gen data centers.
The key metrics for data center cabling are peak throughput, energy
efficiency, low latency, long cable reach and cost that enables mass
deployment. Across these metrics, e-Tube technology provides advantages
compared to copper and optical technologies. Traditionally, copper-based
interconnects have been considered an inexpensive and reliable choice for
short-reach data center applications, such as top-of-rack switch
connections.
From Theory to Action: Building a Strong Cyber Risk Governance Framework
Setting your risk appetite is about more than just throwing a number out
there. It’s about understanding the types of risks you face and translating
them into specific, measurable risk tolerance statements. For example, “We’re
willing to absorb up to $1 million in cyber losses annually but no more.” Once
you have that in place, you’ll find decision-making becomes much more
straightforward. ... If your current cybersecurity budget isn't sufficient to
handle your stated risk appetite, you may need to adjust it. One of the best
ways to determine if your budget aligns with your risk appetite is by using
loss exceedance curves (LECs). These handy charts allow you to visualize the
forecasted likelihood and impact of potential cyber events. They help you
decide where to invest more in cybersecurity and perhaps where even to cut
back. ... One thing that a lot of organizations miss in their cyber risk
governance framework is the effective use of cyber insurance. Here's the
trick: cyber insurance shouldn’t be used to cover routine losses. Doing so
will only lead to increased premiums. Instead, it should be your safety net
for the larger, more catastrophic incidents – the kinds that keep executives
awake at night.
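Loss exceedance curves as described above, as an added example that is not part of the original article: a small Monte Carlo loss model whose simulated annual totals are turned into LEC points and compared with the $1 million appetite. The event-frequency and severity parameters and the tolerated breach probability are constructed assumptions, not figures from the article.

```python
"""Loss exceedance curve (LEC) from a Monte Carlo loss model, checked against a
stated risk appetite. Added example, not from the original article; the
frequency/severity parameters and the tolerated probability are constructed."""
import math
import random

RISK_APPETITE_USD = 1_000_000  # the article's "$1 million in cyber losses annually"


def simulate_annual_losses(n_years, events_per_year, severity_median, severity_sigma, seed=7):
    """Annual loss = sum of per-event losses; events ~ Poisson, loss/event ~ lognormal."""
    rng = random.Random(seed)
    mu = math.log(severity_median)  # lognormal mu chosen so the median equals severity_median
    annual = []
    for _ in range(n_years):
        # Poisson draw (Knuth's multiplication method; fine for small event rates)
        limit, count, prod = math.exp(-events_per_year), 0, rng.random()
        while prod > limit:
            count += 1
            prod *= rng.random()
        annual.append(sum(rng.lognormvariate(mu, severity_sigma) for _ in range(count)))
    return annual


def exceedance_probability(annual_losses, threshold):
    """Empirical probability that a year's total loss exceeds the threshold."""
    return sum(1 for x in annual_losses if x > threshold) / len(annual_losses)


def loss_exceedance_curve(annual_losses, thresholds):
    """LEC points: (threshold, P(annual loss > threshold)) for each threshold."""
    return [(t, exceedance_probability(annual_losses, t)) for t in thresholds]


def within_appetite(annual_losses, appetite_usd, tolerated_probability):
    """True if the chance of breaching the appetite is no worse than the tolerance,
    e.g. 'no more than a 5% chance per year of losing over $1M'."""
    return exceedance_probability(annual_losses, appetite_usd) <= tolerated_probability


if __name__ == "__main__":
    # Constructed scenario: ~2 incidents/year, median $150k each, heavy tail.
    losses = simulate_annual_losses(20_000, 2.0, 150_000, 1.2)
    for t, p in loss_exceedance_curve(losses, [100_000, 500_000, 1_000_000, 5_000_000]):
        print(f"P(annual loss > ${t:>9,}) = {p:.3f}")
    print("within appetite:", within_appetite(losses, RISK_APPETITE_USD, 0.05))
```

Re-running the simulation with a lower event rate or severity models the effect of a proposed control, so the curve shows whether the extra budget actually moves the appetite breach probability.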
Is Prompt Engineering Dead? How To Scale Enterprise GenAI Adoption
If you pick a model that is a poor fit for your use case, it will not be good
at determining the context of the question and will fail at retrieving a
reference point for the response. In those situations, the lack of reference
data needed for providing an accurate response contributes to a hallucination.
While there are many situations where you would prefer the model to give no
response at all rather than fabricate one, what actually happens when no exact
answer is available is that the model takes some data points it thinks
are contextually relevant to the query and returns an inaccurate answer. ... To
leverage LLMs effectively at an enterprise scale, businesses need to
understand their limitations. Prompt engineering and RAG can improve accuracy,
but LLMs must be tightly limited in domain knowledge and scope. Each LLM
should be trained for a specific use case, using a specific dataset with data
owners providing feedback. This ensures no
chance of confusing the model with information from different domains. The
training process for LLMs differs from traditional machine learning, requiring
human oversight and quality assurance by data owners.
AI disruption in Fintech: The dawn of smarter financial solutions
Financial institutions face diverse fraud challenges, from identity theft to
fund transfer scams. Manual analysis of countless daily transactions is
impractical. AI-based systems are empowering Fintechs to analyze data, detect
anomalies, and flag suspicious activities. AI is monitoring transactions,
filtering spam, and identifying malware. It can recognise social engineering
patterns and alert users to potential threats. While fraudsters also use AI
for sophisticated scams, financial institutions can leverage AI to identify
synthetic content and distinguish between trustworthy and untrustworthy
information. ... AI is transforming fintech customer service, enhancing
retention and loyalty. It provides personalised, consistent experiences across
channels, anticipating needs and offering value-driven recommendations.
AI-powered chatbots handle common queries efficiently, allowing human agents
to focus on complex issues. This technology enables 24/7 support across
various platforms, meeting customer expectations for instant access. AI
analytics predict customer needs based on financial history, transaction
patterns, and life events, enabling targeted, timely offers.
CIOs Go Bold
In business, someone who is bold is an individual who exudes confidence and
assertiveness and is business savvy. However, there is a fine line between
being assertive and confident in a way that is admired and being perceived as
overbearing and hard to work with. ... If your personal CIO goals include
being bolder, the first step is for you to self-assess. Then, look around. You
probably already know individuals in the organization or colleagues in the
C-suite who are perceived as being bold shakers and movers. What did they do
to acquire this reputation? ... To get results from the ideas you propose, the
outcomes of your ideas must solve strategic goals and/or pain points in the
business. Consequently, the first rule of thumb for CIOs is to think beyond
the IT box. Instead, ask questions like how an IT solution can help solve a
particular challenge for the business. Digitalization is a prime example.
Early digitalization projects started out with missions such as eliminating
paper by digitalizing information and making it more searchable and
accessible. Unfortunately, being able to search and access data was hard to
quantify in terms of business results.
What does the Cyber Security and Resilience Bill mean for businesses?
The Bill aims to strengthen the UK’s cyber defences by ensuring that critical
infrastructure and digital services are secure by protecting those services
and supply chains. It’s expected to share common ground with NIS2 but there
are also some elements that are notably absent. These differences could mean
the Bill is not quite as burdensome as its European counterpart but, equally,
it risks being less effective. ... The problem now is that
many businesses will be looking at both sets of regulations and scratching
their heads in confusion. Should they assume that the Bill will follow the
trajectory of NIS2 and make preparations accordingly or should they assume it
will continue to take a lighter touch and one that may not even apply to them?
There’s no doubt that NIS2 will introduce a significant compliance burden with
one report suggesting it will cost upwards of 31.2bn euros per year. Then
there’s the issue of those that will need to comply with both sets of
regulations, i.e., those entities that either supply to customers or have
offices on the continent. They will be looking for the types of commonalities
we’ve explored here in order to harmonise their compliance efforts and achieve
economies of scale.
3 Key Practices for Perfecting Cloud Native Architecture
As microservices proliferate, managing their communication becomes
increasingly complex. Service meshes like Istio or Linkerd offer a solution by
handling service discovery, load balancing, and secure communication between
services. This allows developers to focus on building features rather than
getting bogged down by the intricacies of inter-service communication. ...
Failures are inevitable in cloud native environments. Designing microservices
with fault isolation in mind helps prevent a single service failure from
cascading throughout the entire system. By implementing circuit breakers and
retry mechanisms, organizations can enhance the resilience of their
architecture, ensuring that their systems remain robust even in the face of
unexpected challenges. ... Traditional CI/CD pipelines often become
bottlenecks during the build and testing phases. To overcome this, modern
CI/CD tools that support parallel execution should be leveraged. ... Not every
code change necessitates a complete rebuild of the entire application.
Organizations can significantly speed up the pipeline while conserving
resources by implementing incremental builds and tests, which only recompile
and retest the modified portions of the codebase.
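The circuit-breaker and retry pattern described above, as an added example that is not code from the article or from Istio or Linkerd: a minimal breaker that fails fast once a downstream service keeps failing, paired with a bounded retry that stops as soon as the breaker opens instead of hammering the failing dependency. The failure threshold, reset timeout and injectable clock are assumptions for illustration.

```python
"""Circuit breaker plus bounded retry for a microservice call.
Added example, not code from the article or from any service mesh; the
thresholds, the injectable clock and the failing call are constructed."""
import time


class CircuitOpenError(Exception):
    """Raised when the breaker is open and calls are shed (fail fast)."""


class CircuitBreaker:
    def __init__(self, failure_threshold=3, reset_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock  # injectable so tests can advance time deterministically
        self.failures = 0
        self.opened_at = None  # None means CLOSED; a timestamp means the breaker tripped

    def state(self):
        if self.opened_at is None:
            return "CLOSED"
        if self.clock() - self.opened_at >= self.reset_timeout:
            return "HALF_OPEN"  # let one probe call through to test recovery
        return "OPEN"

    def call(self, fn, *args):
        st = self.state()
        if st == "OPEN":
            raise CircuitOpenError("downstream isolated; call shed without contacting it")
        try:
            result = fn(*args)
        except Exception:
            self.failures += 1
            if st == "HALF_OPEN" or self.failures >= self.failure_threshold:
                self.opened_at = self.clock()  # trip (or re-trip) the breaker
            raise
        self.failures, self.opened_at = 0, None  # a success closes the breaker
        return result


def call_with_retry(breaker, fn, attempts=3, backoff=0.0):
    """Retry transient failures with exponential backoff, but stop immediately
    once the breaker opens so retries never cascade into the failing service."""
    last = None
    for i in range(attempts):
        try:
            return breaker.call(fn)
        except CircuitOpenError:
            raise  # do not retry against an isolated dependency
        except Exception as exc:
            last = exc
            time.sleep(backoff * (2 ** i))
    raise last
```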
Copilots and low-code apps are creating a new 'vast attack surface' - 4 ways to fix that
"In traditional application development, apps are carefully built throughout
the software development lifecycle, where each app is continuously planned,
designed, implemented, measured, and analyzed," they explain. "In modern
business application development, however, no such checks and balances exist
and a new form of shadow IT emerges." Within the range of copilot solutions,
"anyone can build and access powerful business apps and copilots that access,
transfer, and store sensitive data and contribute to critical business
operations with just a couple clicks of the mouse or use of natural language
text prompts," the study cautions. "The velocity and magnitude of this new
wave of application development creates a new and vast attack surface." Many
enterprises encouraging copilot and low-code development are "not fully
embracing that they need to contextualize and understand not only how many
apps and copilots are being built, but also the business context such as what
data the app interacts with, who it is intended for, and what business
function it is meant to accomplish."
Quote for the day:
“Winners are not afraid of losing. But
losers are. Failure is part of the process of success. People who avoid
failure also avoid success.” -- Robert T. Kiyosaki