Tanium CEO’s Refreshingly Honest Take on the State of Internet Security

This is your Cyber Saturday edition of Fortune’s tech newsletter for October 7, 2017.

On Tuesday, the wood-smoke air of California’s wildfires descended on the Bay Area as cybersecurity professionals gathered at the Palace Hotel for an industry event.

I spent the morning interviewing Orion Hindawi, CEO of Tanium, the world’s highest privately valued cyber startup (worth $3.75 billion at last appraisal in May), for a fireside chat at his company’s second annual conference, Converge 2017. Hindawi has a no-nonsense approach to business—a suffer-no-fools attitude that landed him in the sights of a couple of unflattering stories about his management style earlier this year. (He later apologized for being “hard-edged.”)

On stage the chief exec delivered his peculiarly unvarnished view of the state of Internet security. “The idea that we’re going to give you a black box and it auto-magically fixes everything, that’s a lie,” Hindawi told the audience. (One could almost hear a wince from part of the room seating his PR team.) “All I can tell you is we can give you better and better tooling every day. We can make it harder for the attackers to succeed. That’s the best I can offer.”

Hindawi is a realist through-and-through. His outlook is perhaps best summed up by his response to a question about whether he subscribes to a glass-half-full or glass-half-empty view of the cyber threatscape. His reply would become a running joke for the rest of the conference. He said simply, “It’s just a glass, dude.”

Other tidbits of wisdom from Hindawi: not all hackers are Russian spies (the majority are lowly criminals). Unsecured Internet of Things devices pose a risk to everyone. And sometimes cyber insurance is the way to go when old systems are all but impossible to patch; the decision boils down to managing “operational risk, like earthquakes,” he said.

Hacking is not a dark miasma that penetrates all things, although it can sometimes feel that way. Companies, like Tanium, that are building the tools to swing the balance back in defenders’ favor without over-promising provide hope. Enjoy the weekend; I will be heading north of San Francisco, visiting friends who, luckily, were unharmed by the area’s recent conflagrations.

Robert Hackett

@rhhackett


Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Always use (advanced) protection. Google debuted an opt-in mode for high-risk users who wish to lock down their accounts on services such as Gmail, Google Drive, and YouTube with extra security. (Paging John Podesta.) The feature requires people to log in using a special USB key (or Bluetooth dongle for mobile devices), it prevents third-party applications from accessing your Google data, and it adds beefed-up malware scanning of incoming documents. This author plans to sign up.

Gather ’round the good stuff. Pizza Hut warned customers that their personal information and payment card data may be at risk after hackers gained access to the company’s website and app for a 28-hour period starting on Oct. 1. An estimated 60,000 customers are thought to have been impacted. The company is offering victims free credit monitoring for a year.

Unicorn? More like Duo-corn. Duo Security, a Mich.-based cybersecurity startup whose tools help companies manage people’s digital identities, said it raised $70 million at a $1.17 billion valuation (including the capital raised) this week. The round catapults the firm into “unicorn” territory, the swelling ranks of private firms occupied by young guns valued at $1 billion or more. Alex Stamos, Facebook’s security chief, recently praised Duo as the maker of his favorite cybersecurity product.

KRACKing Wi-Fi. A couple of Belgian researchers published a paper containing proof of concept code that exploits vulnerabilities in the way cryptographic keys are exchanged over Wi-Fi, allowing hackers to steal people’s data. Big tech companies like Microsoft issued a patch for the so-called KRACK bug on Oct. 10, Apple is in the middle of testing patches for iOS and macOS, and Google, whose Android 6.0 devices are the most vulnerable, said it would release a patch in early Nov.

Cyber insurers are going to get Mercked. Cyber insurers might be on the hook to cough up $275 million to cover damage to drugmaker Merck as a result of a June cyber attack, dubbed “NotPetya,” according to one firm’s forecast. The companies at issue have not yet disclosed figures themselves.

Surprise! It is depressingly easy for penetration testers to break into places where they are not supposed to be.


ACCESS GRANTED

Boycotts are hardly an option: To opt out of a credit score is to opt out of modern financial life itself. As Equifax’s now former CEO Richard Smith testified in October, if consumers were allowed to abandon the credit system, it would be “devastating to the economy.” The better answer is systemic reform to the credit oligopoly.

—Fortune’s Jeff John Roberts and Jen Wieczner explain what practical recourse consumers and regulators have when it comes to dealing with the major credit bureaus in the wake of a massive data breach at Equifax. 

ONE MORE THING

The adventures of John Titor. Namesake of a bygone Internet hoax, “John Titor” claimed to be a man sent from the future to retrieve a portable computer. Titor sent faxes to an eccentric radio program, Coast to Coast AM, that specialized in the paranormal. Here’s an oral history of that running joke; the pseudo-scientific explanations of time travel are delightful.


Fed to step up focus on payment security with study, working groups: Fed's Powell

WASHINGTON (Reuters) – The U.S. Federal Reserve is stepping up its focus on payment security as the industry reaches a “critical juncture” driven by new technologies, Federal Reserve board governor Jerome Powell said on Wednesday.

Speaking at a conference in New York, Powell said the U.S. central bank would early next year launch a study analyzing payment security vulnerabilities and also planned to create new working groups focused on reducing the industry costs associated with securing payments.

“Rapidly changing technology is providing a historic opportunity to transform our daily lives, including the way we pay. Fintech firms and banks are embracing this change, as they strive to address consumer demands for more timely and convenient payments,” said Powell.

“It is essential, however, that this innovation not come at the cost of a safe and secure payment system that retains the confidence of its end users.”

The Fed does not have complete authority over the U.S. payment system, but it has led industry efforts to make it faster and easier to use. The central bank also leads the 160-member Secure Payments Task Force.

Powell’s comments underline growing concerns among financial market participants and regulators about the risks cyber thieves pose to the financial system following a series of recent incidents.

Last year, SWIFT, the global financial messaging system, disclosed it had suffered hacking attacks on its member banks including the high-profile $81 million heist at Bangladesh Bank.

During that incident, hackers broke into the computers of Bangladesh’s central bank and sent fake payment orders, tricking the Federal Reserve Bank of New York into transferring the funds.

Powell said on Wednesday new fintech payment companies posed “significant challenges to traditional banking business models” and that the payment system was reaching a “critical juncture.”

His comments echoed those of Barclays Chief Executive Officer Jes Staley who on Saturday warned payments would be the next battleground for banks amid increasing competition from fintech players and tech giants including Amazon and Facebook.

Reporting by Michelle Price; Editing by Chris Reese


3 Tips for Making Better Investments in Security

Information security’s role is becoming more strategic, but its approach to making investment decisions hasn’t kept pace. To better align security investments with enterprise strategy, IT and security leaders must stay focused on the right risks, add rigor to decision making processes, and give stakeholders opportunities for input.
InformationWeek: Cloud

iCloud security: How (and why) to enable two-factor authentication

Given that so many of the details of our digital lives are either with us (on our smartphones) or easily accessible (via the web), you should be doing everything you can to protect that information and data. On iPhones and iPads, data is largely kept in a vault, sealed behind strong encryption and (hopefully) a strong password. Even if the device is lost or stolen, chances are good that encryption will keep data safe. (That vault is secure enough to frustrate even the FBI.)

Although iOS devices are designed and built to be secure, data is also stored and accessible online. With security breaches occurring routinely, your data is vulnerable to anyone in the world with an internet connection and a halfway decent browser. If a breach occurs and thieves gain access to your email and password, they can easily reset any account linked to that email, change the password, and lock you out of your own data.


Computerworld Cloud Computing

IDG Contributor Network: Cloud security: Trends and strategy

Cloud computing can generate mixed feelings. Corporate leaders generally welcome technologies that produce efficiency, agility and speed. Cloud services deliver those benefits, yet many are concerned about security, even while being often uninformed about how widely the cloud is used within their own businesses.

Executives of large companies, for instance, tell us that they are holding back on the cloud because of security concerns. But when our professional services teams engage with them, we generate log files and find evidence of large numbers of cloud services the company’s employees are using every day.

It is easy to understand the disconnect. Consider a simple example: a director of HR, tasked with filling several critical positions as quickly and confidentially as possible, turns to a low-cost SaaS recruiting tool. Job descriptions, resumes, cover letters, job offers and other documents are shared and possibly uploaded to a third-party server. Soon enough, candidates arrive for interviews. Mission accomplished, thanks to an efficient cloud-based business tool, with the C-suite never needing to know all the details.


CIO Cloud Computing

Monitor cloud services for compliance, security from a single view

Moving to the cloud is supposed to reduce the headaches for IT administrators, but often it has the opposite effect of increasing their workload, especially around security and visibility. Not only do they have to make sure on-premises systems adhere to regulatory compliance, but that their cloud services do as well.

Security specialist Qualys addresses these issues of security and visibility with its new app framework, CloudView, which complements existing Qualys services for security, compliance and threat intelligence with real-time monitoring of all enterprise cloud services from a single dashboard.


“Accelerated cloud adoption requires new adaptive security solutions that support fast-moving digital transformation efforts,” said Philippe Courtot, Qualys CEO, in a statement. “Our new CloudView and its apps add unparalleled visibility and continuous security of all cloud workloads to provide customers complete cloud security in a single, integrated platform and drastically reduce their spend.”


Network World Cloud Computing

The 2 cloud security myths that must die

There seem to be two groups of people out there when it comes to cloud security: There are those who believe that public clouds are systemically unsafe, and those who believe clouds are impenetrable.

They’re both wrong. Both of these myths are dangerous, and so they need to die.

Kill this myth: If my data is in a public cloud, it’s inherently unsafe

The thinking goes like this: Because I can’t see it or touch it, others can steal it.


InfoWorld Cloud Computing

IDG Contributor Network: Stay out of security breach headlines: 3 things that must be addressed in your cloud agreement

It seems like you can’t go a day without reading a headline regarding yet another high-profile mass data and security breach. Security and data breaches are a concern for corporations, universities, individual consumers, and even the US government. Some recent examples making headlines include Chipotle, Kmart, Zomato and OneLogin; and, in case you are not aware, there are concerns over Russia’s military intelligence executing a cyberattack on at least one U.S. voting software supplier.

There is no question the risk of security and data breaches must be considered an extremely serious matter and remain top of mind at the executive and board levels within all organizations.


CIO Cloud Computing

VeloCloud launches an SD-WAN security ecosystem


It’s a great time to be in the SD-WAN business. IDC estimates that worldwide SD-WAN revenues will exceed $6 billion in 2020, with a compound annual growth rate of more than 90% over the 2015-to-2020 forecast period. According to IHS, as of the end of 2016, 13% of North American enterprises already have the technology in production and 62% are in lab trials. By 2018, 82% are expected to be using SD-WAN.

Those are some pretty remarkable adoption rates for a technology that is still in its early days.


Network World Cloud

5 must-have security tools

New York’s Montgomery County, located at the foot of the Adirondacks, consists of 10 towns, one city and 50,000 residents. To protect the data that pertains to its citizens and operations, Montgomery County added DatAdvantage from Varonis to its arsenal of security wares. The data security platform is designed to show organizations where sensitive data exists, who is accessing it, and how to keep it safe.
