SAN FRANCISCO — An internal culture change can help organizations put end-user security on the front burner.
If an organization only addresses security once a problem arises, it’s already too late. But it’s common for companies, especially startups, to overlook security because it can get in the way of productivity. That’s why it’s important for IT departments to create a company culture where employees and decision-makers take security seriously when it comes to end-user data and devices.
“Security was definitely an afterthought,” said Keane Grivich, IT infrastructure manager at Shorenstein Realty Services in San Francisco, at last week’s BoxWorks conference. “Then we saw some of the high-profile [breaches] and our senior management fully got on board with making sure that our names didn’t appear in the newspaper.”
How to create a security-centric culture
Improving end-user security starts with extensive training on topics such as what data is safe to share and what a malicious website looks like. That forces users to take responsibility for their actions and understand the risks of certain behaviors.
Plus, if security is a priority, the IT security team will feel like a part of the company, not just an inconvenience standing in users’ way.
“Companies get the security teams they deserve,” said Cory Scott, chief information security officer at LinkedIn. “Are you the security troll in the back room or are you actually part of the business decisions and respected as a business-aligned person?”
When IT security professionals feel that the company values them, they are more likely to stick around as well. With the shortage of qualified security pros, retaining talent is key.
Keeping users involved in the security process helps, too. Instead of locking down a user’s PC when a user accesses a suspicious file, for example, IT can send him a message checking if he performed a certain action. If the user says he accessed the file, then IT knows someone is not impersonating the user. If he did not, then IT knows there is an intruder and it must act.
To keep end-user security top of mind, it’s important to make things such as changing passwords easy for users. IT can make security easier for developers as well by setting up security frameworks that they can apply to applications they’re building.
It’s also advisable to take a blameless approach when possible.
“Finger-pointing is a complete impediment to learning,” said Brian Roddy, an engineering executive who oversees the cloud security business at Cisco, in a session. “The faster we can be learning, the better we can respond and the more competitive we can be.”
Don’t make it easy for attackers
Once the end-user security culture is in place, IT should take steps to shore up the simple things.
Unpatched software is one of the easiest ways for attackers to enter a company’s network, said Colin Black, COO at CrowdStrike, a cybersecurity technology company based in Sunnyvale, Calif.
IT can also make it harder for hackers by adding extra security layers such as two-factor authentication.
SAN FRANCISCO — Box shops will be able to help users gain more intelligent insight into their content with new machine learning technology in the content management tool.
Box Skills, introduced here at the company’s annual BoxWorks conference, makes it easier to search for visual and audio content and view information about it. Box Feed uses machine learning to curate content for specific users. Plus, new features in Box Relay aim to improve employee workflows. These capabilities caught the interest of attendees at the show.
“It was kind of nice to see Box incorporating [AI] to start relaying things to certain people at the right time in the right place,” said Ryan Foltz, business systems engineer at Barnhardt Manufacturing Company in Charlotte, N.C.
How Box Skills works
Box Skills is a framework that serves as a layer of abstraction between the content organizations upload to Box and the machine learning. It focuses on three areas: Image Intelligence, Audio Intelligence and Video Intelligence.
With the Image Intelligence component, based on Google Cloud Platform technology, Box automatically tags aspects of an image such as the subject, colors and logos, as well as uploads any text from it. Users can click the tags to access other images with similar contents.
Video Intelligence uses Microsoft Cognitive Services to provide facial recognition to identify people in a video. It also can show users where repeated phrases come up, and extracts a transcript of the video that users can apply as closed captioning. Audio Intelligence functions similarly, without the visual aspect, and is based on IBM Watson technology.
Using the new Box Skills Kit for developers, organizations can also customize what information within a file the machine learning technology tracks. The tool can track tone of voice in a phone conversation, for example, or pull out specific words a company is interested in and show within the Box content when those words were said. Developers can also customize information in documents such as invoices or contracts, and have Box extract information such as dates, signatures, payment amounts and vendor names. That not only extracts the data, but allows users to fill that information in automatically moving forward.
Image Intelligence is currently in beta, and Video Intelligence and Audio Intelligence will come to beta in 2018, Box said.
Box Feed puts relevant information in front of users
Box Feed, powered by Box Graph machine learning technology, was also previewed at the conference and will be available next year. This feature can help users find the content most relevant to them. It shows users active content — files they have been working on or are mentioned in — as well as other relevant content, which appears in a feed based on who is working on the file and what the content is. If a user generally collaborates with another user who is working on a document, for example, it will likely show up in the relevant section. It also shows trending files, or ones that many users throughout the organization are accessing.
As interesting as these new features are, some companies might need some time to apply them. Barnhardt Manufacturing Company, for instance, is an old organization, but its leaders are getting more and more interested in business data intelligence, said Pete Chantry, application systems manager at the company.
“We’ve got to allow a little bit of time for them to get accustomed to the basic [enterprise content management] features of Box,” Chantry said.
Updates to Box Relay
Box Relay for workflow automation, announced last year and generally available next month, will get some enhancements as well.
First, the add-on will allow workflows to launch automatically, so if a user uploads a resume of a prospective employee for example, the workflow associated with that kind of document will start automatically. Box also plans to release APIs so IT can integrate Relay with existing third-party applications and automated processes. In addition, users will be able to e-sign documents directly in Box. Finally, a new dashboard will let users manage multiple workflows at the same time by showing every active workflow and what step it is on.
“I like the way that all ties together,” said Will Sheppard, technical support specialist at The Enthusiast Network based in Los Angeles. “The whole workflow looks really nice.”
Other new features in Box Relay include the ability to invite other users to edit a document and assign them tasks with due dates within the document. There is also a new annotation tool that allows users to write a comment on a specific aspect of a document and tag other users to look at that exact area.
In addition, users no longer have to download previous versions of a document; they can preview them with a single click. Plus, when a user accesses a document, Box will highlight any changes that other users have made since the last time he was in it, and show which user made the edits. Finally, users can thread comments and mark them as resolved.
Like Box Skills, Relay presents some enticing features for IT, but those at Barnhardt Manufacturing Company are unsure of how to apply Relay immediately.
“I don’t know how often we’d use it, but if we had it, it’d certainly be a nice feature for us,” Foltz said.
This month at Bing we continued our momentum by shipping several new experiences that help you quickly find what you’re looking for.
New entertainment answers
We expanded our carousel coverage to help you find new types of entertainment content.
We’re continuing to deliver up-to-date information for popular topical searches, such as “new movie releases” and “2017 fall TV premieres”, but on top of that, we’re also covering new and trending content on streaming services Netflix and Amazon Prime.
We’re also introducing a tabbed experience on mobile, so when you’re looking for more information on movies and artists, you’ll see rich visual content in the context of the tab you’re on.
My saves is another new Bing feature that makes it easier to find what you’re looking for.
Now, you can create individual collections of the videos and images you find on Bing and want to reference later.
Simply click the plus sign in the bottom left of an image or video you want to revisit later, and Bing saves it for you.
From there, you can organize your saves into individual collections to make future retrieval even easier.
We hope you’re as excited by these releases as we are; we’d love to hear your thoughts and feedback at User Voice!
For technology to truly help people achieve their potential, it has to be able to help everyone. And the people creating that technology must reflect the people who will use it. Technology needs to work across what Jenny Lay-Flurrie calls “the spectrum of being human.”
“By having people with disabilities in the fabric of our company, [we’re] building in a diverse workforce that then represents the one billion people with disabilities out there,” said Lay-Flurrie, Microsoft’s chief accessibility officer. “We’re going to be building better products, better services, websites . . . anything we do will work across the spectrum of being human.”
That spectrum includes many types of people who have talent and passion and who can help change the world. People like Joey Chemis, who came to work at Microsoft through the company’s program to recruit and hire people with autism, a program that started two years ago.
Researchers estimate the unemployment and underemployment rates for people on the autism spectrum are 70–90 percent. That was the frustrating reality for Chemis: he had advanced skills in math and was excited to put them to use, but he couldn’t get interviews. While he was working minimum-wage jobs, he knew he was “destined for something more.”
To connect with candidates like Chemis, recruiters first focus on the “front door,” explains Jen Guadagno, senior inclusive hiring program manager. Standard recruiting practices are not always accommodating for people on the autism spectrum. Recruiters receive training and guidance on how to best engage and interact with people based on their communication styles. For example, a candidate might have a tendency to answer questions exactly and succinctly, so learning to drive the conversation deeper and ask more questions is important for the employees and hiring managers who conduct the interviews.
Through Microsoft’s efforts to hire employees on the autism spectrum, recruiters and hiring managers also put an emphasis on looking at a candidate’s background holistically. For instance, someone might have advanced degrees but be working at a big-box store. “Because of that, there might be this perception of why someone doesn’t have a job in their field,” Guadagno said. To better assess experience, recruiters also look at technical projects and relevant volunteer work. “Just because you’re not working in your desired career, it doesn’t eliminate you.”
“I could feel that I was destined for something more.”
Once the candidate is invited to a hiring event, a process that includes team-building exercises and mock interviews with feedback helps them feel supported. A technical skills assessment “helps to drive more insight into someone’s skills and experience and puts more focus on their ability to do the job,” Guadagno said.
The program is part of Microsoft’s broader inclusive hiring for people with disabilities.
Being inclusive means support like interview accommodations based on people’s needs and educating interviewing teams on disabilities and etiquette. “We want to set a candidate up for the best possible experience to showcase their skills,” Guadagno said.
Inclusive hiring helps bring talented employees such as Chemis, Amos Miller, Jessica Rafuse, and Swetha Machanavajhala to Microsoft. Being inclusive not only reflects our culture and our mission of empowerment, but it also makes good business sense, says Lay-Flurrie.
“A diverse and talented workforce brings new perspectives that help advance our ability to delight all of our customers,” she said.
Messages of inclusion appear around Microsoft’s Redmond campus.
From the beginning of his interview process, soon after the program was launched, Chemis felt that people at Microsoft were really interested in getting to know his strengths and passions. “You played with a bunch of tools. You had an assignment where you had to demonstrate your coding skills . . . you had some informal interviews called chats to figure out if you’d be a fit for the company.” The process allows people with autism to “shine and show their true colors and abilities,” he said.
Chemis still feels the same commitment today that he felt during his interviews, from the work he now does talking to new recruits going through the program to the way the Redmond campus regularly reminds him of how Microsoft supports employees. “I love the fact that it’s an inclusive culture and that inclusion is written all over the elevators and all over the walls,” he said. “You’re going to come here, you’re going to try things, you’re going to experiment. Some of the experiments won’t work out, but it’s OK because the end goal is for you to learn and develop and make great stuff.”
If Chemis could somehow go back and advise his younger self about the future, he says that he would say this: “You’re going to do really cool things. You’re going to end up getting a really cool job at Microsoft.”
The Department of Homeland Security has undertaken a long-term cyberinsurance study to determine if insurance can help improve cybersecurity overall, but experts said that will depend on the data gathered.
The DHS began researching cyberinsurance in 2014 by gathering breach data into its Cyber Incident Data and Analysis Repository (CIDAR). DHS uses CIDAR to collect cyber incident data along 16 categories, including the type, severity and timeline of an incident, the apparent goal of the attacker, contributing causes, specific control failures, assets compromised, detection and mitigation techniques, and the cost of the attack.
According to the DHS, it hoped to “promote greater understanding about the financial and operational impacts of cyber events.”
“Optimally, such a repository could enable a novel information sharing capability among the federal government, enterprise risk owners, and insurers that increases shared awareness about current and historical cyber risk conditions and helps identify longer-term cyber risk trends,” the DHS wrote in a report about the value proposition of CIDAR. “This information sharing approach could help not only enhance existing cyber risk mitigation strategies but also improve and expand upon existing cybersecurity insurance offerings.”
The full cyberinsurance study by the DHS could take 10 to 15 years to complete, but Matt Shabat, strategist and performance manager in the DHS Office of Cybersecurity and Communications, told TechRepublic that he hopes there can be short-term improvements to cybersecurity with analysis of the data as it is gathered.
Shabat said he hopes the added context gathered by CIDAR will improve the usefulness of its data compared to other threat intelligence sharing platforms. Experts said this was especially important because as Ken Spinner, vice president of global field engineering at Varonis, told SearchSecurity, “A data repository is only as good as the data within it, and its success will likely depend on how useful and thorough the data is.”
“Sector-based Information Sharing and Analysis Centers have been implemented over a decade ago, so creating a centralized cyber incident data repository for the purpose of sharing intelligence across sectors is a logical next step and a commendable endeavor,” Spinner added. “A data repository could have greater use beyond its original intent by helping researchers find patterns in security incidents and criminal tactics.”
Philip Lieberman, president of Lieberman Software, a cybersecurity company headquartered in Los Angeles, said speed was the key to threat intel sharing.
“The DHS study on cyberinsurance is a tough program to implement because of missing federal laws and protocols to provide safe harbor to companies that share intrusion information,” Lieberman told SearchSecurity. “The data will be of little use in helping others unless threat dissemination is done within hours of an active breach.”
Scott Petry, co-founder and CEO of Authentic8, a secure cloud-based browser company headquartered in Mountain View, Calif., said the 16 data elements used by the DHS could provide “a pretty comprehensive overview of exploits and responses, if a significant number of organizations were to contribute to CIDAR.”
“The value of the data would be in the volume and its accuracy. Neither feel like short term benefits, but there’s no question that understanding more about breaches can help prevent similar events,” Petry told SearchSecurity. “But many organizations may be reluctant to share meaningful data because of the difficulty in anonymizing it and the potential for their disclosure to be used against them. It goes against their nature for organizations to share detailed breach information.”
The DHS appears to understand these concerns and outlined potential ways to overcome the “perceived obstacles” to enterprises sharing attack data with CIDAR, although experts noted many of the suggestions offered by the DHS may not be as effective as desired because they tend to boil down to working together with organizations rather than offering innovative solutions to these longstanding issues.
DHS did not respond to requests for comment at the time of this post.
Using cyberinsurance to improve security
Still, experts said if the DHS can gather quality data, the cyberinsurance study could help enterprises to improve security.
Spinner said cyberinsurance is a valid risk mitigation tool.
“Counterintuitively, having a cyberinsurance policy can foster a culture of security. Think of it this way: When it comes to auto insurance, safer drivers who opt for the latest safety features on their vehicles can receive a discount,” Spinner said. “Similarly, organizations that follow best practices and take appropriate steps to safeguard the data on their networks can also be rewarded with a lower rate quote.”
Lieberman said the efficacy of cyberinsurance on security is limited because the “industry is in its infancy with both insurer and insured being not entirely clear as to what constitutes due and ordinary care of IT systems to keep them free of intruders.”
“Cyberinsurance does make sense if there are clear definitions of minimal security requirements that can be objectively tested and verified. To date, no such clear definitions nor tests exist,” Lieberman said. “DHS would do the best for companies and taxpayers by assisting the administration and [the] legislative branch in drafting clear guidelines with both practices and tests that would provide safe harbor for companies that adopt their processes.”
Petry said the best way for cyberinsurance to help improve security would be to require “an organization to meet certain security standards before writing the policy and by creating an ongoing compliance requirement.”
“It’s a big market, and insurers are certainly making money, but that doesn’t mean it’s a mature market. Many organizations require their vendors to carry cyberinsurance, which will continue to fuel that growth, but the insurers aren’t taking reasonable steps to understand the exposure of the organizations they’re underwriting. When I get health insurance, they want to know if I’m a smoker and what my blood pressure is. Cyberinsurance doesn’t carry any of the same real-world assessments of ‘the patient.’”
Spinner said the arrangement between the cybersecurity industry and cyberinsurance is “very much still a work in progress.”
“The cybersecurity market is evolving rapidly, to some extent it is still in the experimental phase in that providers are continuing to learn what approach works best, just as companies are trying to figure out just how much insurance is adequate,” Spinner said. “It’s a moving target and we’ll continue to see the industry and policies evolve. The industry needs to work towards a standard for assessing risk so they can accurately determine rates.”
Aruba Networks has rolled out a network security framework that it believes can help its partners expand customer reach.
The Aruba security framework, dubbed 360 Secure Fabric, combines the vendor’s networking products with the user and entity behavior analytics (UEBA) technology it acquired from Niara in February. Secure Fabric offerings include Aruba’s IntroSpect UEBA and ClearPass access control and policy management product lines.
According to the vendor, the security fabric signifies a shift in company strategy, which has up until now focused mainly on the networking side of customer organizations.
“We now have for our partners who may only be selling networking products … a way to bridge between [a customer’s] networking group and the security group in an elegant way,” said Larry Lunetta, vice president of marketing for security solutions at Aruba, a Hewlett Packard Enterprise company.
Lunetta said the 360 Secure Fabric aims “to deal with the new kind of threat environment that organizations are facing,” characterized by an “expanded and expanding attack surface” due to burgeoning trends, such as mobility, cloud and internet of things.
IntroSpect software is central to the Aruba security framework, he said. “The idea is that we are using … machine learning and artificial intelligence to detect attacks that have evaded the rest of the security infrastructure … typically in place in an enterprise.”
IntroSpect is available in a new entry-level Standard edition, as well as an Advanced version, and it integrates with Aruba ClearPass.
The Aruba security framework also features Aruba Secure Core, the foundational security capabilities embedded in Aruba’s Wi-Fi access points, wireless controllers and switches, according to the vendor.
Functionality in multivendor environments is a key aspect of the Aruba 360 Secure Fabric strategy. Through Aruba’s 360 Security Exchange Program, customers and partners can integrate Aruba’s portfolio with more than 120 non-Aruba security and infrastructure products, Lunetta said.
“Our partners sell a wide variety of products. Our customers use a wide variety of products. So, the idea is that any of the elements of the [360 Secure Fabric] can … interact [with] a wide variety of non-Aruba technologies.”
He noted Aruba is updating its training and certification program to bring partners up to speed on the Aruba security framework.
Bing is adding a new UX element to the search results, called the “Fact Check” label, to help users find fact-checking information on news, major stories and webpages within the Bing search results. The label may be used on both news articles and web pages that Bing has determined contain fact-check information, giving users additional information to judge for themselves what information on the internet is trustworthy. The label may be used on a broad category of queries including news, health, science and politics. Bing may apply this label to any page that has schema.org ClaimReview markup included on the page.
Example of the Fact Check label for a news article in the SERP:
Example of the Fact Check label on a website:
When determining if you should use this tag for your articles or webpages, consider whether it meets the following criteria, which are characteristics we consider for fact-checking sites:
• The analysis must be transparent about sources and methods, with citations and references to primary sources included.
• Claims and claim checks must be easily identified within the body of fact-check content. Readers should be able to determine and understand what was checked and what conclusions were reached.
• The page hosting the ClaimReview markup must have at least a brief summary of the fact check and the evaluation if not the full text.
Bing determines whether an article might contain fact checks by looking for the schema.org ClaimReview markup. In addition to the ClaimReview markup being contained on the page, Bing also looks for sites that follow commonly accepted criteria for fact checks, including those of third-party fact-checking organizations.
Please note that we may not show the Fact Check label for all pages that include the ClaimReview schema markup. If we find sites not following the criteria for the ClaimReview markup, we might ignore the markup. We will consider the reputation of the site as well as other factors to determine if and when the tag should show. Use of the ClaimReview tag when appropriate fact checking has not been done is a violation of our webmaster guidelines and Bing may penalize sites for such abuse or take other actions.
More information on how to implement and use this tag can be found at https://schema.org/ClaimReview