Posted by: Greg Ness | April 5, 2019

Will the next war be cyber?


In 2018 I moderated a Future in Review panel on Russian cyber meddling in Ukraine. One of my comments during the panel (“What happens in Ukraine doesn’t stay in Ukraine.”) ended up making it into Newsweek only to be inadvertently validated by the Russian election interference news cycle. At the time I was referring to the IoT malware outbreaks that had spread from Ukraine to the rest of the world, not the Russian election meddling about to seize headlines for months.

Ten days later another article in Newsweek drove the issue home: UKRAINE WAS PUTIN’S TESTING GROUND FOR HIS HYBRID WAR ON THE WEST. Nolan Peterson, a conflict journalist stationed in Ukraine, had put it all together and called it a hybrid war.

Maybe it doesn’t even need to be a hybrid war. Maybe it will be a cyber war.

You don’t have to be a military history buff to understand the impact of technology on warfare, from Greek fire or even the horse and chariot in ancient times, to the role of mechanized armor in the lightning-fast and virtually painless French capitulation in early WW2. The ongoing pattern of Russian “trust attacks against culture and systems” suggests the world has already entered a new era of vulnerability unlike any other. And we’re not prepared by any means.

Earlier today I listened to a timely podcast on maritime cyber security. About 10 minutes in it gets quite chilling as the discussion shifts to how easy it might be to capsize a ship and similarly attack control systems from factories to power grids. In other words, widely available knowledge is enough to threaten mayhem. While hackers would have to know how to manipulate specialized systems in some cases, control systems are fairly universal across vessel types and types of land-based smart buildings.

A recent article on health care cyber attacks similarly explored all kinds of IoT attacks, from shutting down hospitals (which has happened) to generating false findings and records. Conclusion: ships, hospitals, factories, buildings are increasingly sharing interconnected device infrastructures which can be compromised with common cyber attack skills.

What happens in Ukraine could happen anywhere else… based on the motives of the attacker.

Last month I wrote about OT/IT convergence and cyber security, or the connection of more smart devices to the Internet, the resulting attack vector sprawl, and how ill-equipped traditional IT processes and solutions are to protect this new converged infrastructure.


After listening to the podcast I wondered if French military leaders watched the rise of the petroleum era and said to themselves “But that couldn’t happen here” (in French, of course), or were they merely preoccupied with what they needed in WW1? Are we in the West making the same mistake, measuring military capabilities based on past technologies and circumstances? Do we see these tests as Nolan did, as a very disruptive evolution of warfare? (BTW, Nolan is a former U.S. Air Force special operations pilot and a veteran of the wars in Afghanistan and Iraq.)

Given the capabilities of an attacker to take down infrastructure, including ships and hospitals, and bring them up again as needed, are we seeing the emergence of something much more powerful and game-changing?

e-Tron Bomb Anyone?

Remember the neutron bomb that would kill people and leave buildings intact? How about an attack that shuts down everything “smart” and can turn it back on without having to even land on a beach or cross a physical border. If so, would the next war be cyber and end with a whimper instead of a bang, like the fast conquest of a nation with a proud military history?

Bueller, Bueller…Bueller?

Posted by: Greg Ness | March 29, 2019

Converged Infrastructure Cyber Security Accelerated

How to Fight Stack Fatigue and Win

As I mentioned in OT/IT Convergence I had the chance to meet someone responsible for securing and isolating control infrastructure for a state-wide array of more than 600 smart buildings, ranging from campus offices to remote agricultural labs, in a matter of weeks without adding additional headcount.

Today my teammates at Tempered Networks rolled out a 10-page ebook on why he did it and how he did it. Yes… it’s pretty amazing. Click on the image to get the rest of the story.


Posted by: Greg Ness | March 20, 2019

Will OT/IT Convergence Force a TCP/IP Transformation?


So much has changed since the creation of the TCP/IP stack. Work on the stack began in 1973 and the first public WAN was initiated in 1982 (see this timeline for a great point of reference). About a decade later network security solutions started appearing in response to various emerging threats.

The “first automated worm appeared on the ARPANET in 1988,” the same year CERT (Computer Emergency Response Team) came into existence. About this time a NASA employee is credited with creating the first “virtual firewall” in response to a virus.

“…before the 90s, the concept of having a network of computers was fairly uncommon. And, there was a considerably small number of people in the populace who even had access to the internet. So, security at that time was really not a major concern or focus.” – InformationSecurityBuzz

Fast Connectivity Led to Hyper Growth

The TCP/IP stack made it easy for millions and then billions of devices to connect over just a few decades, starting in the 1990s. Now we’re expecting more than 75 billion devices connected by 2025. It would be one thing if all of these connected devices were communicating on consolidated pipes where defense in depth could be enforced. But that’s not the case.

Hyper Growth has Led to Escalating Complexity and Stack Fatigue


That was then. This is now. While the high growth in connectivity is part of the security problem, the rise of complexity fostered by layers of manually-tuned solutions is driving up costs and demands for security skills well ahead of the supply. Hence the expression expense in depth (versus defense in depth) cited way back in 2012 when these problems were in their infancy, at least compared to today.

Want evidence of stack fatigue? A recent ESG survey found firms reporting problematic shortages of security skills increasing to more than half of those surveyed, up from 42% in 2015. No one is shocked anymore by the skills gap, even as the level of information security spending passes $114B in 2019: more devices + more manual processes = more skilled pro shortages.

“Every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cyber-security related roles, according to cyber security data tool CyberSeek. And for every ten cyber security job ads that appear on careers site Indeed, only seven people even click on one of the ads, let alone apply.” – Jeff Kauflin, The Fast-Growing Job With A Huge Skills Gap: Cyber Security – Forbes

As the gap grows between rising complexity and declining protection, CISOs are forced to expend larger levels of resources simply to preserve protection. Beyond the increase in high-profile (and unreported) successful attacks, there is yet another problem, CISO churn (see CISO careers: Several factors propel high turnover, by Mekhala Roy for SearchCISO):

If the CISOs aren’t demonstrating that their investments and controls are having a positive impact on the organization, their requests for larger budgets or reprioritization of business priorities become more challenging as the years progress, making another job opportunity more enticing.

OT/IT Convergence means New Potentials for Attack Vector Sprawl


Against this backdrop of rising complexity, declining protection, skill shortages and CISO turnover comes a new and potentially more lethal development: the convergence of entire networks of operationally critical one-to-many sensors and control infrastructures with the internet and already overwhelmed enterprise networks.

OT/IT convergence introduces a sprawl of attack vectors beyond anything a firewall or segmentation solution was ever architected to protect. That is the next challenge for the TCP/IP stack.

Wondering if your O/T project is at risk?  Read more about the three warning signs of a smart building cyber security failure.

Remember the “dimes” scene from Blazing Saddles when a toll booth in the middle of the desert stops Hedley Lamarr’s army? It’s the ultimate attack vector metaphorical satire.

Perhaps TCP/IP was too good at its mission of establishing radical growth in connectivity, albeit with little regard to security. If so, then the convergence of OT/IT infrastructure won’t be well served by the extension of overtaxed information security infrastructure into complex, noisy and critical sensor and control infrastructures, many of which have never been (or cannot be) patched.

A “Grim Gap” between IT and OT Isolation Requirements


This point and others are well made in A Grim Gap, including conflicting processes and priorities between OT/IT, from security versus safety trade-offs to the nature of the devices connected, especially when it comes to common field devices and networks:

Weiss said he has repeatedly warned… existing cybersecurity and safety standards do not adequately address the security and authentication vulnerabilities of legacy field devices and their networks.

– Sonal Patel, A Grim Gap: Cybersecurity of Level 1 Field Devices, Power

Harbor Networks published a similar insight:

“The tools we are working with today to put sensors on networks were not designed to handle the diversity of devices becoming networked, the scope of new capabilities, the need to carefully manage power requirements, and the massive volume of data-points generated from device interactions.” 

Yet Harbor acknowledges that a few players are flirting with a potential solution. That’s not very comforting as more building and industrial control systems are already being optimized with network and Internet connectivity.

If not TCP/IP layered with defense in depth for smart buildings (for example), then what? That’s the question, because anything that increases stack fatigue will only widen the gap and produce incremental, declining outcomes. So perhaps it needs to be augmented with a new layer developed for the new control systems and IIoT era.

Host Identity Protocol, anyone?

Check out, for example, what the team at a top Midwest university did to secure and isolate hundreds of smart buildings in days without having to add staff. Disclosure: I connected with the team at Tempered Networks late last year. It gave me the chance to meet the systems design specialist on the building automation team who used a microsegmentation solution based on Host Identity Protocol (HIP, standardized by the IETF in RFC 7401), a more modern protocol created within the aerospace and national security community to address TCP/IP security shortcomings: it identifies an endpoint by a cryptographic key rather than by its IP address. He has an amazing and timely story.
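The mechanism HIP rests on, shown as an added illustration (this is not Tempered Networks’ code and not a HIP implementation): an endpoint’s identity is a public key, and its Host Identity Tag (HIT) is a 128-bit, IPv6-shaped hash of that key (an ORCHIDv2 address per RFC 7343 and RFC 7401). The constants below (the 2001:20::/28 prefix, HIT Suite ID 1 for RSA with SHA-256, the HIPv2 context ID, and the middle-96-bit truncation) are taken from those RFCs as I read them; the key is serialized as SubjectPublicKeyInfo DER for simplicity, whereas real HIP hashes the HOST_ID parameter encoding, so the HITs produced here will not match a real HIP stack’s. The names newHostIdentity, verifyPeer and inOrchidPrefix are this example’s own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"net/netip"
)

// ORCHIDv2 parameters as this example reads them from RFC 7343 / RFC 7401
// (assumption: check the RFCs before relying on them). HITs live in
// 2001:20::/28; the four bits after the prefix carry the OGA ID (the HIT
// Suite ID, 1 = RSA,DSA with SHA-256); the remaining 96 bits are the middle
// 96 bits of SHA-256(contextID || hostIdentity).
var orchidPrefix = netip.MustParsePrefix("2001:20::/28")

const hitSuiteRSASHA256 = 1

var hipContextID = []byte{
	0xF0, 0xEF, 0xF0, 0x2F, 0xBF, 0xF4, 0x3D, 0x0F,
	0xE7, 0x93, 0x0C, 0x3C, 0x6E, 0x61, 0x74, 0xEA,
}

// hostIdentity is a HIP-style endpoint: a key pair plus the HIT derived from it.
type hostIdentity struct {
	priv   *rsa.PrivateKey
	pubDER []byte // SubjectPublicKeyInfo DER (simplification; HIP encodes the key differently)
	hit    netip.Addr
}

// hostIdentityTag derives the HIT from the serialized public key. Nothing about
// the host's IP address enters the computation.
func hostIdentityTag(pubDER []byte) netip.Addr {
	input := append(append([]byte{}, hipContextID...), pubDER...)
	digest := sha256.Sum256(input)
	var hit [16]byte
	// 28-bit prefix 2001:20::/28 fills bytes 0-2 and the high nibble of byte 3;
	// the OGA ID goes in the low nibble of byte 3.
	hit[0], hit[1], hit[2] = 0x20, 0x01, 0x00
	hit[3] = 0x20 | byte(hitSuiteRSASHA256&0x0F)
	// Encode_96: keep the middle 96 bits (bytes 10..21) of the 256-bit digest.
	copy(hit[4:], digest[10:22])
	return netip.AddrFrom16(hit)
}

func newHostIdentity() (*hostIdentity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return &hostIdentity{priv: priv, pubDER: der, hit: hostIdentityTag(der)}, nil
}

// sign proves possession of the private half over a fresh challenge.
func (h *hostIdentity) sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, h.priv, crypto.SHA256, d[:])
}

// verifyPeer checks that the key a peer presents hashes to the HIT the policy
// names, and that the peer actually holds the matching private key.
func verifyPeer(expected netip.Addr, pubDER, challenge, sig []byte) bool {
	if hostIdentityTag(pubDER) != expected {
		return false // right address-looking string, wrong key: spoofed identity
	}
	key, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return false
	}
	d := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

func inOrchidPrefix(a netip.Addr) bool { return orchidPrefix.Contains(a) }

func main() {
	a, err := newHostIdentity()
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed-nonce-0001") // constructed sample challenge
	sig, _ := a.sign(challenge)
	fmt.Println("HIT:", a.hit, "in 2001:20::/28:", inOrchidPrefix(a.hit))
	fmt.Println("peer proves ownership of HIT:", verifyPeer(a.hit, a.pubDER, challenge, sig))
}
```

Because the HIT is bound to a key rather than to an address, a host that moves between networks or sits behind NAT keeps the same identity, and a host that spoofs a source address gains nothing: verifyPeer recomputes the HIT from the presented key and demands a fresh signature over a challenge. That property is what lets a microsegmentation policy be written as “which devices may talk to each other” instead of “which subnets may reach which ports.”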


Posted by: Greg Ness | September 11, 2018

The Top 4 B2B Content Marketing Challenges

Marketer’s Corner

Across 30 years of B2B marketing I’ve seen my fair share of changes. The last ten years have probably been the most disruptive, especially when it comes to content marketing. Here is a list of the top four reasons why content marketing campaigns fail:

  • Weak prospect engagement. The decline of print publishing combined with the rise of marketing automation tools powered with lists provided by unscrupulous list brokers has created a storm of intent and identity confusion destroying the conditions for real dialogue. The result is a top of funnel “nuclear winter” (see my recent interview with Integrate’s Scott Vaughan) that is degrading prospect engagement, especially at top of funnel.
  • Scarce and expensive sales resources. High caliber sales people are expensive and hard to find. With weak engagement (see #1) those resources become even more expensive, because more time is wasted trying to manually resolve prospect identity and intent.
  • Trust and expertise are hard to establish. Attention spans are getting shorter and prospects are getting bombarded with content. Social bookmarking sites are getting flooded with content, and several are moderated by vendors, limiting dialogue. Some sites have even capped views/shares to encourage sponsored content programs.
  • Irrelevance. Some marketers focus on list and/or lead costs over quality, which leads to wasted sales resources and turnover. I remember getting approached at trade shows to swap badge scan lists so a marketing VP could make an incentive target. I refused, explaining that we only wanted to engage with people qualified at the booth, not attendees in general. The VP didn’t have responsibility for conversion and didn’t care.

Why do these factors matter? Because they have a direct impact on sales conversion rates (meetings, opportunities, win/loss). Many marketers are improperly evaluated based on cost per lead, when conversion rates matter far more to overall sales and marketing success.


Cheap lists can be one of your most expensive investments. Lists generated by media engagement will be filled with false positives and negatives, so the costs of qualification are passed onto your sales team and drive up sales costs.

Defining Excellence

If your sales team is converting more than twenty percent of marketing qualified leads to engagement you’re in pretty good shape. I’ve seen conversion rates approaching fifty percent for some types of advanced campaigns. Even better, the high sales costs issue mentioned above gets resolved if sales people are fully engaged and converting meetings to opportunities and closed/won.

Read more: The Toxic Marketing Cloud

Posted by: Greg Ness | August 27, 2018

VMware: Monetizing the Hybrid Cloud

Watching the near-perfect strategic pivot VMware has made since its failed IaaS venture has been nothing short of awe-inspiring. Very few companies can make such a shift, hence the graveyard of once high-growth (and now walking dead) tech companies busy managing layoffs and pension expenses to extend their runways.

You’ve probably forgotten my take on the hybrid cloud meme and the entrance of Azure in Microsoft, Azure and the Hybrid Cloud Race from way back in June 2013. Here is a highlight:

If VMware could get $2k/year for each server (traditional and x86), that would amount to an additional TAM of $60B based on a three year refresh rate. Yet that would represent a major business model shift and limit the amount of lock-in that VMware would have over its customers operating on its private cloud platform. It could face margin erosion for its core lines.

Who knows if those economic projections from the days of AWS hybrid cloud denial will come to fruition. I think thanks to VMware’s “immaculate hybrid cloud execution” we may find out that hybrid cloud agility is the game changer of game changers.

That’s why today’s news announcing even cozier relationships between AWS and VMware (Amazon deepens its partnership with VMware to go after companies that don’t use the cloud) doesn’t come off as an anomaly or shallow PR proclamation but rather a careful, long game strategy grounded in execution. It is setting a bigger stage for the cloud, beyond, even, the incredible vision of Amazon. Time will tell, but so far VMware is vying for tech leadership on a new scale. Bravo!

Indeed, while its competitors languish in swirling proclamations obfuscating business as usual and various flavors of entrapment, VMware shifts into higher gears and sets in motion the change it first promised with the lofty acquisition of Nicira and the declaration of the hybrid cloud promise.

Bravo VMware!

Posted by: Greg Ness | August 21, 2018

The Toxic Marketing Cloud

The Big Shift

When tech trade publishers stopped printing B2B magazines they shifted their business models from cultivating carefully validated readers (for print ad revenue) to attracting large, less known populations of hyperactive clickers (for online ad revenue). This has fundamentally changed marketing strategies and tactics, often for the worse.


Many marketers address the relative anonymity problem (of the online reader) with a growing ecosystem of automated tools which “study, condition and validate” interest based solely on content interactions. Lists of various kinds are bought from an assortment of providers, then pounded with content offers, incentives and cold calls to find out who they are and if they are a legitimate prospect.

When Automation Meets Confusion Nobody Wins

The outputs of this approach aren’t marketing qualified leads, but really toxic marketing clouds with very high levels of identity and intent confusion. With enough marketers at enough companies doing this you create something even worse: a kind of nuclear winter where legitimate prospects run and hide and vendors are forced to pay more to acquire customers. We’re getting there quickly as automation is amped up in a vain attempt to discover leads in the growing toxic cloud.

In a recent interview with Integrate’s Scott Vaughan I explained how this doomed strategy isn’t just “spray and pray” but “spray and pay.” And everyone is paying, not just those offending parties who are reselling bad lists but those who are hammering them with misplaced telephone outreach. Real buyers are avoiding the hassle outright by not engaging, otherwise they become a flood victim. The good news is that there are a host of new vendors emerging to address the problem.

I remember a customer who had insisted I call him to start a project. I had left a dozen calls and emails then a “last message” more than two months after our initial lunch. He called me a couple of days after the last message and apologized, saying that he had trouble keeping up with the volume of emails and phone messages. I nodded sympathetically until he walked me to his office and showed me hundreds of unopened vendor emails from that day and played his voicemail attendant advising of more than a hundred unheard messages.


The toxic fog was there in his office, blocking him from legitimate and needed vendor interactions. And blocking us from getting business done.

The List is Key and It Always Has Been

When lists are bad they are not cheap, regardless of how little you paid. They are costly because they lead to wasted outreach, bad data and fatigued, frustrated and angry sales teams. Clicks, opens and time spent on web pages don’t matter if the visitor is not a prospect. But tell this to the CMO compensated on lead counts and email opens.

In a coming blog I’ll share more about how I’m generating client lists for Actium Bay Group. -G

What Happened to the Art and Science of Tech Marketing?

In the 1990s, just as the data networking business took off and created new avenues for information sharing, marketers embraced the notion of knowing their customers and prospects better than ever, thanks to technology. We could use 1 to 1 marketing strategies to get closer to prospects and customers than ever with specific content, video and real nurturing to establish successful relationships via the new Internet.

My how we’ve regressed from the dream.

When the print publishers succumbed we lost a valuable ally in the marketplace. We lost contact with validated prospects and substituted repetition for authenticity. We need to get back on strategy.

Let’s change it back…  Interested?  Drop me a line and we can talk about advanced demand generation architectures from Actium Bay Group.

Posted by: Greg Ness | May 22, 2018

The All or Nothing Cyber Security Paradox

Money money money money. Money.

A recent report on cyber attacks covered in ComputerWeekly found friendly terrain for hackers within the perimeter of internal banking networks. In other words, once you’re in you’re really in.

As soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries, according to a report on cyber attacks on banks by Positive Technologies.

The increasingly bleak history of breaches was enough for me. Companies underfunding their security teams were accepting higher levels of risk for business reasons. I get that.

When reports emerge indicating that even well-funded financial institutions aren’t faring much better when it comes to their internal networks, the problem looks even bleaker.

Maybe the issue isn’t money after all. Perhaps it’s a bigger issue.

A few weeks ago Vidder CEO Mark Hoover wrote a blog advising CIOs to Retreat to Higher Ground.

The corporate network, once a great enabler of business productivity, is rapidly becoming an obstacle. This is leaving CIOs with no choice but to make a strategic withdrawal away from defending global and integrated corporate networks, towards more secure-able and relevant perimeters.  There is no other way forward.

Security is Commoditizing while Adversaries are Specializing

In a follow-up blog (Security and the “All or Nothing” Paradox) he explains why things are so screwed up, even at firms with ample security budgets and/or a high correlation between breaches and exec career risks. Vendors don’t want to specialize or innovate away from their core competencies, channels and predictable cash models to guide their customers toward vendor-agnostic best practices.

It has been more than 20 years since The Innovator’s Dilemma was published, yet today it is perhaps more relevant to security companies than ever.

Pressures on Leading Public Vendors are Immense… to Predictably Monetize Past Investments

Today organizations buy commoditized approaches to securing everything equally, never mind the growing burden on the security team and the shrinking value of the corporate network as a strategic choke/monitoring point. Vendors want their customers to buy more stuff and certify more employees in specific solutions.

Many of these vendors are public companies with heavy pressure on quarter to quarter performance. Some are converting from hardware to SaaS models while trying to keep their channels content. Perhaps the pressures on the vendors are so great they simply cannot innovate, and that keeps their customers in a constant state of need and vulnerability despite their security budget.

Adversaries are Getting More Specialized

At the same time adversaries are becoming even more specialized, attacking specific types of vulnerabilities and leveraging tools that lower the skills or knowledge required for success.

So Hoover wraps up with how we have regressed into “all or nothing” vendor strategies:

The stock price of the vendors that shape corporate IT thinking and spending depends a lot on getting customers to continue to upgrade or modernize their networks on a regular basis. It is not in the best interests of large network and network security vendors to have customers reduce the extent or sophistication of their infrastructure.

In the end, the interests of the large security vendors diverge from the interests of their customers. So enterprises get an “all or nothing” paradox where all is still really nothing.

Posted by: Greg Ness | April 16, 2018

The Beginning of the End of the Corporate Network

It’s Time to Seize the High Ground

The cloud and IoT are rendering the corporate network obsolete, with or without the rise of advanced threats. At least that’s the conclusion I reached after reading a remarkable blog post this weekend followed by a gloomy yet impeccably grounded Paul Gillin article in Silicon Angle on the degrading state of enterprise security. If you haven’t read them, you should.

The CIO’s Inevitable Strategic Withdrawal – by Mark Hoover

The Grim State of Cybersecurity – by Paul Gillin

The blog recommended that CIOs make a strategic withdrawal from the traditional network to establish a new, tighter perimeter around high value applications. It argued that it’s now too difficult to protect high value applications in the wilds of the increasingly connected corporate network, evoking images from “Naked and Afraid” except this time set in a server room instead of the jungles of Belize*.

I think it is one of the smartest responses to the specter of radical increases in spending and hiring in a vain effort to temporarily stem the tide.

The traditional network is no longer an efficient, complete, or effective environment on which to deliver the availability, agility and security requirements of the modern enterprise. – Mark Hoover, CEO Vidder

Brian Krebs, recently interviewed by Paul Gillin, really explains why a retreat to higher ground isn’t just imperative, but urgent if there is to be any semblance of protection. See Silicon Angle’s The Grim State of Cybersecurity:

For criminals, he said, “the barriers to entry have never been lower and the low-hanging fruit never more abundant. The chances of success with low to moderate effort are high and there are seldom consequences for criminals. It’s no wonder that cybercrime is such a fast-growing industry.” – Silicon Angle

The problem at the core isn’t just malicious adversaries and advanced tools that can turn the weakest hackers into advanced threat propagators, but rather the breakdown in network security due to exploding connectivity, from personal devices with more software to partner sites and clouds.


Sure, the firewall vendors would love more spending on gear, even if in a vain attempt to imitate effective security, as is the case in much of today’s enterprise network. But they should also applaud the notion of a more efficient approach that doesn’t leave their customers in a constant state of apology.

The inescapable fact is, the state of cybersecurity keeps getting worse despite an explosion in the amount of investment and energy plowed into improving it going years back. And it’s only going to get worse, according to the unanimous assessment of 22 security industry chief executives, chief technology officers, security analysts and independent security experts contacted by SiliconANGLE. – Silicon Angle

Today’s enterprise network, built around a plethora of security appliances architected for much simpler missions, cannot be simply upgraded, even with “an explosion in investment” to scale to address the new jungle. This is where the idea of a strategic withdrawal comes in.

The Strategic Withdrawal has Merits

Why not create a high security zone (sometimes called a “zero trust network”) where availability and security are much easier to scale and enforce, without having to spend and hire up to protect the vast jungle of users, devices and external resources? See the Seizing the High Ground diagram from The CIO’s Inevitable Strategic Withdrawal.


Hoover advocates business as usual for the outer circle. In other words, let your employees access the internet and other third party networks with minimal fanfare. Within reason they can protect their own devices and partners can protect their applications. For workflow and productivity applications security is stepped up: your next gen firewalls and identity and access management solutions keep most adversaries at bay, rather than trying to maintain that level of security across the entire corporate network.

Then inside create your high ground, a zone where the standard for access is much higher and security and availability are of paramount importance. A high level of proven trust is required before any visibility into the zone is granted.

To accomplish a trust barrier to these critical applications, Hoover argues that the network will need to evolve in the application layers. From Hoover’s blog:

It does make sense for enterprises to concentrate their money, time, and expertise to ensure the security, availability, and performance of their core applications. This leads to a careful retreat from the ongoing investments in traditional packet-defined architectures into an architecture that defines and controls connectivity at higher layers (L4-L7). – Mark Hoover

Hoover argues that it’s time to revisit the app layers to enforce trusted access across networks and clouds from a more cohesive control plane. A kind of high ground where the CIO can exercise greater control of who accesses critical assets. He is spot on:

This model for connectivity defined and controlled independent from the underlying network allows corporations to focus their security talent and spending only on the subset of the infrastructure related to delivering the core applications.  The network becomes a simpler underlying utility. – Mark Hoover

If Hoover is right, we will see the network evolve again, this time on a massive, much-needed scale with more security at the core and business as usual in the firewall jungle of LAN by LAN perimeters. Security returns where it matters and can be managed across LANs, clouds, etc. from a single point of visibility, enforcement and control. Only then can security return to the network.
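A minimal broker policy for the concentric model described above, written as an added example (it is not Vidder’s or Hoover’s code): applications are tiered, the outer circle stays business as usual, and the high ground stays dark to anyone who has not proven identity, device posture and an explicit entitlement to that application. It also exercises the “once you’re in you’re really in” problem from the banking post earlier on this page: a request from inside the corporate LAN gets no credit for its location. The tier names, request fields and sample policy are constructed for the illustration.

```go
package main

import "fmt"

// Tier is where an application sits in the concentric model.
type Tier int

const (
	OuterCircle Tier = iota // internet, partner sites, personal devices: business as usual
	Workflow                // productivity apps gated by NGFW and IAM
	HighGround              // core applications: invisible until trust is proven
)

// Request is what the connection broker sees before any packet reaches an app.
type Request struct {
	SrcIP          string // recorded for audit only, never a basis for trust
	OnCorpLAN      bool   // "inside the perimeter": irrelevant for the high ground
	User           string // "" means unauthenticated
	MFA            bool
	DeviceAttested bool // device posture / attestation check passed
	App            string
}

type Decision string

const (
	Allow Decision = "allow"
	Deny  Decision = "deny" // identity proven but not entitled: answer and log it
	Drop  Decision = "drop" // say nothing at all: the zone stays dark to the unproven
)

type Policy struct {
	Tiers        map[string]Tier
	Entitlements map[string]map[string]bool // app -> users allowed to even see it
}

// Evaluate returns the decision and the reason an auditor would want logged.
func (p Policy) Evaluate(r Request) (Decision, string) {
	tier, known := p.Tiers[r.App]
	if !known {
		return Drop, "unknown application"
	}
	switch tier {
	case OuterCircle:
		return Allow, "outer circle: endpoint and partner protect themselves"
	case Workflow:
		if r.User == "" {
			return Deny, "workflow app requires an identity"
		}
		return Allow, "workflow app: NGFW/IAM controls apply"
	case HighGround:
		// Location is deliberately not consulted: a compromised host on the
		// corporate LAN looks exactly like an internet scanner from here.
		if r.User == "" || !r.MFA || !r.DeviceAttested {
			return Drop, "high ground: trust not proven, stay invisible"
		}
		if !p.Entitlements[r.App][r.User] {
			return Deny, "high ground: identity proven but not entitled to " + r.App
		}
		return Allow, "high ground: identity, device and entitlement verified"
	}
	return Drop, "unreachable tier"
}

// demoPolicy is a constructed sample policy, not a real deployment.
func demoPolicy() Policy {
	return Policy{
		Tiers: map[string]Tier{
			"public-web":    OuterCircle,
			"email":         Workflow,
			"payments-core": HighGround,
		},
		Entitlements: map[string]map[string]bool{
			"payments-core": {"alice": true},
		},
	}
}

func main() {
	p := demoPolicy()
	for _, r := range []Request{ // constructed sample requests
		{SrcIP: "10.1.2.3", OnCorpLAN: true, App: "payments-core"}, // compromised internal host
		{SrcIP: "203.0.113.7", User: "alice", MFA: true, DeviceAttested: true, App: "payments-core"},
		{SrcIP: "10.1.2.9", OnCorpLAN: true, User: "bob", MFA: true, DeviceAttested: true, App: "payments-core"},
		{SrcIP: "10.1.2.9", OnCorpLAN: true, App: "public-web"},
	} {
		d, why := p.Evaluate(r)
		fmt.Printf("%-14s %-12s user=%-8q lan=%-5v -> %-5s %s\n", r.App, r.SrcIP, r.User, r.OnCorpLAN, d, why)
	}
}
```

The distinction between Drop and Deny is the point of the “invisible until trusted” requirement: an unauthenticated probe, whether from the internet or from a compromised desktop on the LAN, gets no banner, no reset and no error to fingerprint, while an authenticated user who is not entitled gets a logged refusal that the SOC can act on.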

*BTW- in January our family explored the Mayan temples in the ATM Caves in western Belize– but we wore bathing suits.

Posted by: Greg Ness | February 23, 2018

VMware Intends to Buy CloudVelox

VMware 3; Cisco 0 <== More on this later.

Another brilliant move by VMware as it shifts away from competing cloud to cloud with the likes of AWS and Azure and focuses on areas where it has strategic advantage. Well done!

Read the VMware blog post: VMware Announces Intent to Acquire Technology and Team from CloudVelox

Posted by: Greg Ness | February 23, 2018

Secure Enclaves now on AWS Marketplace

NOTE: Vidder has been acquired by Verizon.

It is great to see secure enclaves now listed in the AWS Marketplace. It’s a big step forward for cloud security and early participants are large enterprises creating highly secure cloud environments.

This is important because it allows organizations to render the AWS boundary invisible (all within the excellent AWS shared security model) and only allows authorized access to the enclave.

Interested in high security AWS cloud environments?

Over the last few years there have been significant security improvements in public clouds. For example, AWS now offers transparent data encryption, key management and secure compute features. Unfortunately, even with the advances in public cloud computing, organizations like financial institutions have been unable to leverage these services because many analysts work in secure facilities that have no Internet access. Now they can…

For more information: micro-segmentation for O/T environments.
