Tag Archives: Scott Petry

2 Novel Defenses to Hacking of Browsers

Cyber attackers continue to exploit a significant security gap found in a familiar tool used pervasively in all company networks: the common web browser.

Mozilla Firefox, Google Chrome, Microsoft Internet Explorer and Apple Safari all use an architecture that makes it relatively easy for an attacker to embed malicious code on an employee’s computer — and then use that infected machine as a foothold to probe deeper into the breached network.

Here’s the good news: There is a growing cottage industry of security vendors developing sophisticated technology specifically to plug this gaping exposure. Browser security vendors first appeared on the scene about 2010; leading innovators include Invincea, Bromium, Spikes Security and Menlo Security.

ThirdCertainty recently visited with two new entrants, Ntrepid and Authentic8. Here is what each brings to the table:

The morphing of browser usage

Authentic8 recently introduced a service called Silo, which isolates web browser malware code from the targeted computer — and the rest of the company network — by routing all employees’ browsing sessions to dedicated servers.

Authentic8 CEO Scott Petry has a long history of helping companies keep intruders out of their networks. Petry founded email-filtering company Postini, which was bought by Google and folded into the search giant in 2007.

Petry, who co-founded Authentic8 with another Postini alum, Ramesh Rajagopal, observes that the arrival of sophisticated browser security tools (like Silo) is a reflection of how web browser usage in corporate settings has morphed over the past couple of decades.

In the 1990s, IT departments “would control how you compute, when you compute and what applications you access,” Petry recalls.

Steadily, the web browser “became such a massive focal point or gravity center for how people consumed different web services,” Petry says. “It became extremely compelling for employees to access the web for personal use and for businesses to start taking advantage of the web as a way to perform business functions.”

Amazon pioneered e-commerce, and Google got businesses and consumers accustomed to quickly searching for, and pinpointing, desired information. All of this leveraged the browser’s capacity to execute code on individual computers in response to users’ clicks.

“As soon as that happened, business data that IT departments used to control in their environment was suddenly scattered across third-party websites that they didn’t control,” Petry says. Then social media, including Facebook and Twitter, appeared, and all bets were off.

Routing malware to silos

The environment “is now a mess,” Petry says. “If you think about how the browser is used, it’s a one-size-fits-all solution. People use the same browser with a tab opened to get to Facebook, a tab opened to get to Dropbox and a tab opened to get to wherever. It’s a mix of personal use and business activity, and it’s no wonder that the browser is such a point of vulnerability.”

Venture capitalists are funding tech entrepreneurs who are coming forward with new systems to lock down browsers, because, going forward, how we have come to use browsers is not likely to change.

“I’m sure at some point we will move away from a monolithic browser,” Petry says. “It might change over time, but people have been predicting the death of email for 10 or 15 years, and it is still the most common form of business communication. So, no, I don’t think the browser is going anywhere any time soon.”

Authentic8’s Silo product isolates all web code in a secure, remote container in the cloud, giving users a benign display of web content. Nothing reaches the user’s device except pixels.

“The attack surface area is now ours, and that’s where we deal with it,” Petry says.

Virtual sessions

Instead of moving browser sessions into isolated servers, Ntrepid addresses the problem by inserting a virtual browser into every employee’s computer.

Any malicious code arriving via a web browsing session is isolated from the hard drive or memory of the targeted computer. The machine, in essence, is inoculated against browser malware and cannot be used by the attacker as a beachhead to go deeper into the company’s network.

Web browsers, by design, execute code over which network administrators have zero control. This code execution enables all of the cool, interactive things we can do on our browsers.

Trouble is, criminal hackers can all too easily slip malware into this mix. Like Authentic8’s isolated servers, Ntrepid’s virtual browsers protect the organization from “all web-based attacks, including web-delivered malware, watering hole attacks, spear phishing, passive information leakage and drive-by downloads,” according to Ntrepid.

Ntrepid’s technology, called Passages, enables employees to “safely browse anywhere,” providing them “the freedom to surf online without the risk of infecting their machines or compromising valuable enterprise data.”

To activate Passages, a user simply clicks on it on the desktop instead of Internet Explorer, Firefox or another conventional browser.

Any malware encountered on a website is “trapped” inside Passages’ virtual machine and can’t infect anything else on a user’s computer, says Lance Cottrell, Ntrepid’s chief scientist. The malware is destroyed when the browser session is over.

While, for the moment, browser security technology is being marketed to small- and medium-sized businesses and large enterprises, Ntrepid and Authentic8 are both developing marketing efforts to serve individual consumers.

“We’re starting off on enterprises — our early adopters — but they are always saying, ‘What about my wife, what about my kids, can I get this at home?’” Cottrell says.

Cognizant of a massive data breach last year at the U.S. Office of Personnel Management — when hackers accessed personal information of more than 21.5 million employees, family members and others — Ntrepid is accelerating its marketing efforts to consumers, Cottrell says.

ThirdCertainty’s Gary Stoller contributed to this report.

Better Way to Assess Cyber Risks?

As the saying goes, there are two kinds of motorcyclists: Those who have fallen off their bikes and those who will.

The insurance industry assesses the corporate world’s cybersecurity risk much the same way. Everyone is treated as equally at risk, and, therefore, everyone pays the price of higher insurance premiums.

Not a day seems to go by without news of a high-profile security breach. It’s no surprise, then, that the cybersecurity insurance market is expected to rise to $7.5 billion by 2020, according to PwC. Even worse, the industry does not have effective actuarial models for corporate cybersecurity, say Mike Baukes and Alan Sharp-Paul, the co-founders and co-CEOs of UpGuard.

The two audacious Australians have developed what they say is a better way to assess the risk for cybersecurity breaches.

Alan Sharp-Paul (L) and Mike Baukes (R), Co-Founders and Co-CEOs, UpGuard

The pair’s company recently unveiled its Cybersecurity Threat Assessment Rating (CSTAR), the industry’s first cybersecurity preparedness score for businesses. UpGuard’s CSTAR ranking is a FICO-like score that allows businesses to measurably understand the risk of data breaches and unplanned outages because of misconfigurations and software vulnerabilities, while also offering insurance carriers a new standard by which to more effectively assess risk and compliance profiles.

According to Baukes and Sharp-Paul, many companies forgo available policies due to perceived high cost and uncertainty that their organizations will suffer an attack. With countless patches and endpoint fixes slapped onto IT infrastructure to hastily remediate breaches, companies have found themselves with less visibility into their core systems than ever before and, as a result, no way to understand how at risk they are for hacks. With CSTAR, businesses are able to regain transparency into their own stack and take the appropriate steps to bolster their cybersecurity. Insurance carriers, meanwhile, can make smarter underwriting decisions while accelerating the availability of comprehensive and cost-effective cybersecurity insurance policies for businesses. It’s a win-win for both the insurance industry and for businesses.

After spending years in financial services in Australia and the U.K. and witnessing the disarray of corporate IT, UpGuard’s two co-founders decided they could make a difference by developing a better way for corporations to understand their software portfolios and their associated potential risk for security breaches. Baukes says, “Our experience showed that there were thousands of applications and thousands of machines powering all of this critical infrastructure. And the thing that we learned throughout all this was just how hard it is for an IT organization to understand and get a handle on what they’ve got.”

“Today, everything is out in the cloud,” Sharp-Paul says. “We’re all more connected. Employees are connected 24 hours a day, seven days a week. Now what keeps CIOs and CEOs up at night is, ‘If we get breached, I could get thrown in jail. I could get sued.’ It’s a very, very different world we live in today. We built a system to help companies understand and prevent downtime, and helping them save on project costs is just as relevant today from a security perspective.”

The two initially started a consulting company to help companies catalogue and manage their software platforms and applications. According to Sharp-Paul, “We realized the biggest problem companies have from an IT perspective is that they don’t really have appropriate visibility into what they’ve got and how it’s changing because so many things are changing daily in these environments that it’s really hard for them to know what ‘good’ looks like.”

Sharp-Paul and Baukes’s consulting led them to develop software to automate the process, providing the means to quickly and effectively crawl every server and software application to present a profile of what needed to be updated or patched and to identify the system holes that allowed for security breaches.

As Baukes tells it, “Getting that all to mix well and be safe, secure and capable of pinpointing where problems go wrong really quickly is an incredibly difficult task. So, we built up the first commercial version of the product—a very rudimentary version—and we shopped it around, and people were very excited at the time.”

From there, the pair realized their software had commercial potential and implications more far-reaching than what they had first thought. “We started with that very simple version with a few sales and no sales force—just Alan and [me] at the time—growing to the point where we now have 3,000-plus customers, and the team is steadily being built,” Baukes says.

Now, the company has nearly 50 employees and is growing fast. The Mountain View, CA–based company attracted early seed funding from the likes of Peter Thiel, Dave McClure and Scott Petry, leading to a near $9 million Series A funding underwritten by August Capital.

The co-CEOs admit the co-managing arrangement is unconventional and would be challenging to make work under different circumstances. However, Baukes and Sharp-Paul feel their skills and temperament complement each other.

“To be honest, when people ask us about it, my first response is always that it’s a terrible idea,” Sharp-Paul says. “And that’s not because it’s been a horrible experience for us. It’s because I kind of think we’re really the exception. And the only reason I say that is that I know the unique things we went through and the type of people we are that makes this work. I can’t imagine that being a common thing at all.”

Baukes is generally a more aggressive and strategic thinker, while Sharp-Paul describes himself as more pragmatic and conservative.

Sharp-Paul and Baukes first worked together at the Colonial First State Investment firm back in Sydney, where the two lived the DevOps experience before DevOps became the buzzy concept that it is today. There, Sharp-Paul was a web developer, and Baukes was a systems administrator, and they talked a lot about things like continuous integration and continuous delivery.

“Now these are all fantastic things,” Sharp-Paul says. “But you need a foundation or a basis of understanding what you have. I mean, we like to say you can’t automate what you don’t understand. Or you can’t secure or fix what you don’t understand. And that’s always missing. Everyone’s trying to rush to this goal of DevOps or moving to the cloud. Everyone wanted to be there, but companies and vendors in particular weren’t helping businesses on the journey there.”

Baukes says, “Once you have that base understanding of what you have, then that opens everything else up. You can think about DevOps. You can think about automation. At the time, we were thinking, ‘Why hasn’t anyone thought to do this before?’ It seemed like such a foundational, basic thing. It was almost like it was so foundational that everyone just moved past it, and they were looking at the next shiny thing down the road. I think that was the white space. That was our opportunity. We jumped on it.”

As it turns out, in the world of corporate IT, applications never get retired. Even worse, the people who manage them move on because the life cycle of an employee at a company is short. As a result, the institutional knowledge about these applications is lost.

“Corporate memory is so short typically,” Sharp-Paul says. “They often get to this point five years down the track where they rediscover this server or this application, and everyone’s too scared to touch it because they don’t know what it does. They don’t know how it works. The people with the knowledge just left with it all in their heads. We come across that all the time.”

Sharp-Paul and Baukes had always seemed destined to do something on their own.

“I always had a healthy disrespect for authority. Throughout my corporate life, I was looking outside to see what else is out there,” Sharp-Paul says. “I actually started the first step of creating a business on my own—with something as mundane as a French language website that I used when I moved overseas for a couple of years. … It taught me that I can actually build something myself that makes money.”

Baukes agrees.

“The big difference is that I grew up in an immigrant family in the middle of nowhere, effectively. I won’t say the Australian Outback, but really rural,” he says. “We built everything ourselves. My father was a great wheeler and dealer. So, I learned a lot from him. I fell into all of this by playing computer games and was really good at it, frankly. For me, that was a springboard into an accidental corporate life. I always knew that I would do something else.”

Now, for the future?

Baukes says, “It makes good business sense to quantify the risk in your company’s IT systems and report it effectively. And I think that for us, we could continue growing our business with that in mind—giving people visibility, helping them get to the truth of what they’ve got, teaching them how to configure it, and showing them if they’re vulnerable. That is beginning to accelerate for us, and we’re incredibly proud of that.

“We truly believe that, over time, CSTAR will be adopted as an industry standard that companies and carriers alike can rely on to make critical coverage and cybersecurity decisions.”