Exclusive: Yahoo CISO Bob Lord discusses historic breach, security culture at Structure Security 2016

Yahoo’s security team has learned a lot of hard lessons over the past month. While Yahoo CISO Bob Lord didn’t shed a ton of new light on some of the security issues recently suffered by the company during his appearance last week at Structure Security, he did vow to share more information about how the theft of personal information from nearly 500 million Yahoo users occurred once the investigations are complete.

I interviewed Lord for about 20 minutes on stage at Structure Security last Wednesday, after the company disclosed that historic privacy breach, but before we learned this week that Yahoo has been scanning incoming emails at the behest of the U.S. government using a tool that was reportedly modified without the knowledge of its security team and later discovered by that team, which is kind of crazy.

We rushed the video into production, and it’s embedded below. Lord clarified the timeline of the incidents to some extent, and reiterated that be believes “state-sponsored” attackers were behind the theft, but was restricted by what he could say in public. Honestly, I didn’t completely believe he was going to show up until he walked in the door, and I would like to thank Bob and Yahoo for showing up and taking questions; I’m pretty sure this is the only interview Yahoo has granted since the breach was disclosed.

We also spent some time talking about our original subject, which took on new meaning in light of the breach: how do security professionals convince product-driven companies to take security seriously? The New York Times and others reported ahead of Structure Security that Yahoo CEO Marissa Mayer was loath to employ security measures that might frustrate Yahoo users right as she was trying to sell the company, and while Lord wouldn’t comment directly on that article, he acknowledged that convincing executives obsessed with product details to put the same value on security is one of the biggest parts of his job.

Check out our full Structure Security 2016 coverage here, and a video embed of the session follows below: the video below.

Are the Demands on High-Profile Product Development Teams Making Us Less Secure? from Structure on Vimeo.

Level3 and Akamai previewed the Mirai botnet IoT attack at Structure Security 2016

A few seconds before Dale Drew of Level3 and Andy Ellis of Akamai took the stage at Structure Security 2016 about a month ago, I whispered my last-minute suggestion for their discussion: “Krebs!” I was referring, of course, to what was considered (at the time) a massive botnet of hijacked Internet of Things devices that took down a site belonging to security journalist Brian Krebs.

What followed during their session was an eerie preview of the Mirai botnet attack on Dyn last Friday that brought the internet to a crawl. That attack, which Dyn said used “10s of millions” of IP cameras and other devices that were easily exploited and harnessed, brought hundreds of sites that used Dyn’s DNS services to their knees

“When we look at the history of DDoS attacks, we see these harbinger things come up,” Ellis said, referring to a few much smaller but interesting botnet attacks in recent years. Turns out, he was quite right, but the Krebs attack was a preview of the damage that could be caused by such an attack, not the main event.

“I don’t think we’re going to stop the expansion of the internet of things,” Davis said. The problem, as we learned over the weekend, is that some fledgling IoT companies “deploy (a product) before securing it.”

“What’s happened over the last few years, because the largest DDoS attacks weren’t growing, everybody assumed that the age of big DDoS was over,” Ellis said. Clearly, that’s not the case.

Check out the rest of our Structure Security 2016 coverage here, and a video embed of the session follows below.

Keeping The Pipelines Secure from Structure on Vimeo.

Structure Security 2016 full event coverage

Our first security conference couldn’t have come at a better time. Amid Russian hacks on the U.S. political system, the debate over encryption on the iPhone, Yahoo’s historic privacy breach, and the rise of the long-predicted Internet of Things attacks, 2016 might be seen as an inflection point by computer security historians in how we responded to those challenges.

We featured dozens of the best and brightest minds in security — the ones who will have to figure this out — at Structure Security 2016, last September in San Francisco. On this page, we’ll feature links to a writeup and video embed of every single session, just in case you missed it the first time around.

Thanks to all the speakers, sponsors, moderators, and (of course) attendees who made Structure Security 2016 such an awesome event.

Day One:

Day Two:
Exclusive: Yahoo CISO Bob Lord discusses historic breach, security culture at Structure Security 2016
Level3 and Akamai previewed the Mirai botnet IoT attack at Structure Security 2016

Five things we learned planning Structure Security 2016

A very interesting year unfolded as we planned our first security conference.

It’s a year that witnessed a showdown over the right to encryption between the FBI and Apple, two of the most important organizations in their respective fields. It’s a year in which, at this point, it’s fairly well understood that Russian hacking groups — working with or without the knowledge of the Russian government — have attempted to interfere with a presidential election. And it was a year in which even the NSA itself was hacked, making it clear that a determined adversary will find its way into targets that take security as seriously as oxygen.

Next week Structure Security will bring together the people who are setting the tone for the future of information security, and you shouldn’t miss it. Security industry legend Art Coviello will kick off the conference next Tuesday, Sept. 27th, with a presentation on the state of modern information security. Alex Polvi, CEO of CoreOS, will close the conference on Sept 28th by emphasizing how one of the hottest developments in cloud computing can make us more secure. And we’ll showcase dozens of security leaders in between, from RSA Chief Strategy Officer Niloofar Howe to FBI CISO Arlette Hart to Okta CEO Todd McKinnon.

We’ve learned five things about the modern information security world over the last six months of planning, ranked in no particular order.

  • There is a massive shortfall of qualified information security professionals expected over the next five years.

    If you’re oriented toward a technical career, and have a good head on your shoulders, you might want to consider working in security. Rich companies are throwing money at the best of the best information security engineers, the same way Ruby on Rails experts made bank in the Web 2.0 era and Java engineers outperformed their peers in the first dot-com boom. But this is a little different: security thinking requires a unique set of skills and a different way of approaching software development, and companies desperately trying to improve their information security practices are finding it very hard to hire qualified people on in both leadership and day-to-day roles.

  • The frantic pace of modern tech development often forces security to be an afterthought or a bolted-on-later solution.

    Product development engineers have ruled Silicon Valley for a long time now, and inside many companies, those engineers are evaluated on how quickly they can ship projects to market. There are a lot of very good reasons why speed is so valuable, but the need for speed can create vulnerabilities; not just in your code, but in how you respond to security issues. Solving this tension between your engineering department and your security department will not be easy, but it will be harder the longer you wait.

  • Your security people don’t have all the answers. They need to share information with others and employ crowd-sourced bug testing.

    Information security is one of those difficult fields in which you’re only really noticed when you screw up, despite how many times you’ve saved your company or client from serious harm. That unfortunate reality creates a bunker mentality in which security professionals in similar industries are very reluctant to share information about attacks and threats with each other, making everyone less secure. Yet at the same time, more and more companies are realizing that they can’t expect their own security teams to catch everything. If Apple, Google, and the Department of Defense are willing to embrace bug bounty programs, then everyone should at least consider the benefits of crowd-sourced bug hunting.

  • Just as open-source software took over the enterprise computing market over the last decade, open-source software is poised to take over the information security market.

    The maturation of open-source enterprise software revolutionized the practice of building and scaling information technology departments; this year, Microsoft employees became the leading contributor to open-source projects on Github, which is a staggering change to anyone who remembers the software giant’s epic battles against the very nature of open-source software. We believe that something similar is going to happen to the information security market as well, and you’ll see a preview of that future at Structure Security.

  • Machine learning and cloud computing are changing how information security tools are designed, developed, and deployed.

    One of the biggest problems in modern information security is that it’s nearly impossible to protect yourself against the sheer number of threats and exploits out in the wild, not even counting the ones we don’t know about yet. But what if we could train powerful systems to understand threat and vulnerability patterns? And is putting our workloads in the cloud making us more secure, or concentrating of some of the world’s most valuable data in three or four places that will be irresistible to the best criminals? We don’t know yet, because these trends are still evolving in the mass market, but we’re going to talk about it.

Security is one of the most fascinating subject areas in technology. It’s full of heroes and charlatans, stone-faced government automatons and delightfully punk-rock hackers, and, for the most part, hard-working people who are trying to protect our most valuable institutions and organizations against a growing tide of determined attackers.

They know that our world will only become more and more digital every year until Earth gets hit by an asteroid or runs out of energy. Willie Sutton, when asked why he became the most notorious bank robber of the 1930s, supposedly said “because that’s where the money is.” In 2016, the money is in our networks, and protecting it against the spiritual heirs of Willie Sutton is one of the most important jobs in technology.

Join us at Structure Security next week to learn more about the future of information security. I’d like to thank all the advisors and friends who helped us plan this important conference, and we promise two days of stimulating discussion at the beautiful Golden Gate Club in San Francisco’s Presidio district.

Why CISOs should take a page from the Secret Service when securing their networks

A human being with relatively modest athletic ability can scale the fence that surrounds the White House in Washington, D.C. Once inside, though, good luck getting more than twenty feet from that perimeter before being tackled by a Secret Service agent who played linebacker in high school.

Nathaniel Gleicher, who saw firsthand the obsession with physical security that surrounds the White House while developing information security policies for the Obama Administration, doesn’t understand why more of us aren’t taking the same approach to cybersecurity.

“The job of the Secret Service is managing risk,” said Gleicher, now the head of cybersecurity for Illumio. The federal agency that protects the president is one of those groups that only makes the news when it screws up; however, the Secret Service has prevented an untold number of attacks on presidents and other government officials through careful analysis of threats and by understanding that you can’t lock down the entire area in which a president moves. In other words, you don’t invest all your resources in protecting the perimeter, you identify the key strategic points that you simply can’t allow any threat to access and employ more basic protection tactics to the outer rings of that location.

Makes sense, right? This is a topic that’s come up time and time again as we get ready for Structure Security, September 27th and 28th at the Golden Gate Club in San Francisco, and Gleicher plans to expand on it in a talk at the conference. Art Coviello touched on it last month, and several other members of our advisory board are focused on getting companies to move past perimeter defense and focus on more layered approaches to securing their data.

As with most things that make sense, it’s easier said than done. If the Secret Service needs to prepare for a presidential address at a football stadium, for example, it can obtain detailed maps of that stadium and make educated decisions about which parts of that stadium to defend. But your average IT organization doesn’t have quality maps.

“Most defenders don’t know what the interior of their datacenter looks like, and most people don’t know what’s connected to their network,” Gleicher said. Say an attacker manages to get control of a server: what else can they access from there? What kind of paths can they carve to the truly sensitive data? An awful lot of tech organizations can’t answer that question with the speed required in an active situation, and even if they had that map at their disposal, they often lack the tools needed to cordon off the compromised parts of their network from the crown jewels.

“Attackers think in graphs. Defenders think in lists,” Gleicher said, as a way of illustrating how defensive security needs to understand how its adversaries operate in order to properly defend their networks.

So how can you start thinking strategically about defending your networks? Gleicher plans to outline several steps you can take, and I won’t spoil the surprise here. But he’ll explain how to set up real-world defenses that work across multiple datacenters and public cloud providers as well as the tons of devices that have legitimate reasons to access your corporate network. Don’t miss his talk, scheduled for Day One (9/27) at 3:15 p.m.

Gleicher is just one of dozens of amazing speakers we’ll feature at Structure Security, including Bugcrowd CEO Casey Ellis, Okta CEO Todd McKinnon, and Ixia CEO Bethany Meyer. The complete agenda for the show can be found here, and you can register for tickets here.

Where machine learning helps enhance information security, and where it doesn’t

Machine learning is transforming almost every area of computing; the natural evolution of big data, advances in computing power, and a growing understanding of how to train machines to anticipate external events and react accordingly. This movement is starting to have a big impact on security thinking, and we plan to showcase several companies and individuals working on machine-learning advances this September at Structure Security.

I recently had a chance to chat with Kevin Mahaffey, CTO and co-founder of Lookout Security (pictured), about the rise of machine learning in security applications. Mahaffey will be on a panel discussion with Carson Sweet of Cloud Passage and Mark Terenzoni of SQRRL during Structure Security that will give us more details on the current state of machine learning in security applications.

It’s quite trendy in 2016 to use “machine learning” as an adjective for any tech startup’s products or services (“it’s like the truffle oil of security,” Mahaffey joked), but Lookout has been working on machine-learning applications for its mobile security products for years, and the results are starting to show.

It turns out that machine learning is useful for a set of security applications, but doesn’t necessarily help you solve all security problems, Mahaffey said. Machine learning is very good at finding zero-day threats that we haven’t seen before: they’re brand-new, and therefore deviate from existing patterns, which is something that can be spotted by computers trained to look for deviations from existing patterns, he said.

This could be especially helpful for securing the internet of things. Most connected devices on the internet of things or in industrial internet deployments have limited tasks and therefore will have relatively simple and consistent data flows. If you see even a small deviation in data that is almost always constant, you know you’ve got a problem, and that’s something sophisticated machines can do with ease.

However, machine learning doesn’t really help the threats faced by most organizations, which are usually older and less sophisticated than eye-popping zero-day threats. Channeling the hacker mentality, Mahaffey explained, “I don’t come in everyday and try to find the hardest possible surface to bang my head against. I try to find the easiest exploit and drive a semi truck through it.”

Machine learning also has the tendency to produce a lot of false positives or false negatives, time wasters that create headaches for information security professionals. And you still need a good team of professionals to train and evaluate your machine-learning activities. Proper machine learning requires a ton of clean, reliable data (which requires human intervention) and clever analysts to make sure the learning model is on track.

But as we talked about last week with Art Coviello, the more forward-thinking security organizations at companies are starting to deal much more in risk assessment than playing whack-a-mole with perimeter security holes. Machine learning is great for this, especially at financial institutions that are constantly under attack and need to know when they are dealing with something unique and dangerous.

At Structure Security, you’ll have a chance to listen to several experts in machine learning in security explain how machine learning can benefit your organization, or why you can probably afford to spend your security budget on more basic defenses. In addition to the panel mentioned above, Stuart McClure, CEO of Cylance, and Oren Falkowitz, CEO of Area1 Security, will talk about their work on machine learning techniques for security applications. Don’t miss this chance to separate the hype from the reality when it comes to machine learning and security.

More information on Structure Security, scheduled for September 27th and 28th in San Francisco, can be found here. You can register for tickets here.

Former RSA chairman Art Coviello: Security is too confusing, and that needs to change

If you’re in charge of keeping your company’s information assets secure, and you think the state of modern information security is overly and needlessly confusing, you’re not alone.

With over 30 years of insight into information security triumphs and failures in his mental database, Art Coviello has been in a unique position to observe how technology and security companies have responded to the explosion in internet connectivity and criminal activity. The former chairman and longtime executive at RSA Security is one of our principal advisors involved in the planning of Structure Security, and we’re thrilled that he’ll be kicking off the conference on September 27th with a talk on the modern state of security.

Coviello observed a shift in security thinking about five or six years ago from reactive security (finding and plugging holes in perimeter defenses) to intelligence-based security, in which the notion of risk is much more thoroughly identified and analyzed. However, while that concept has been embraced by the information security world, applying that concept to real-world situations has proven more difficult, he said in a recent interview.

“The problem isn’t just expanding attack surfaces,” he said, referencing the explosive growth of cloud and mobile computing as well as the coming challenge of the internet of things, “but the ability to take the model from the 50,000-foot level to street level.”

There are three somewhat-overlapping issues that contribute to that problem, Coviello said:

  • The Skills Shortage: I’ve heard this time and time again in conversations leading up to Structure Security, and it’s going to be discussed in several sessions: information security leaders are having an extremely difficult time finding (and retaining) qualified security professionals. (Coviello’s fellow Structure Security advisor, Jay Leak of Blackstone, touched on this earlier this year.) All the modern proactive security-focused thinking in the world doesn’t matter if you can’t find people who understand how to make those concepts work in practice.
  • The Firefighters: Assume you’ve managed to hire the right people to implement the right risk-based strategy. Can you figure out a way to allow those people the time and space to get that job done while making sure your organization is safe in the interim? People like to bemoan “fighting fires” — the notion of dashing around fixing security problem after security problem — but deciding which fires can quietly smolder and which fires need attention right now (after all, fires are bad) is not a simple process.
  • The Decision-Makers: Information security has been treated as an afterthought in many organizations for too long, and the people who are running those companies — executives and board members — can have wildly different perspectives on the importance of security thinking balanced against time to market, overhead, or strategic focus. Think about financial services companies, which purchase and implement a ton of technology products and services every year to manage vast amounts of money, yet who are often run by people that lack technology expertise, let alone security knowledge.

So how do we move forward? Coviello plans to outline some strategies for getting past these obstacles in his talk, and I won’t spoil the surprise here. But here’s a hint: strategies you consider vital to your core business — such as careful resource planning and treating your vendors with healthy skepticism — will serve you well as you look to protect your organization in a world of growing threats.

Join Art Coviello at Structure Security this September 27th and 28th at the Golden Gate Club in San Francisco. More details about the event are available here, and you can register for tickets here.

Okta CEO Todd McKinnon is building tools that help secure the cloud and mobile revolutions

As he watched Salesforce.com’s cloud services really take off around a decade ago, Okta CEO Todd McKinnon recalls that he and his colleagues soon realized that literally every aspect of enterprise technology was going to be overturned by the promise of cloud computing. McKinnon, who oversaw software development at Marc Benioff’s company until 2009, then noticed that this explosion in cloud services was catching many CIOs off guard.

“They didn’t know what they had,” McKinnon said in a recent interview. “There was no rhyme or reason to what they had, and there was no security.”

McKinnon, who will be one of our featured speakers at Structure Security this September, has turned that realization into one of the hottest companies in security and cloud computing at the moment and a likely IPO candidate right around the time of the conference. Okta, which has around 800 employees, helps companies develop ways to better secure their cloud applications with identity management technology, and CIOs are responding.

“We enable companies to roll out services and applications faster,” said McKinnon, who co-founded the company in 2009 along with current COO Frederic Kerrest, another Salesforce alum.

Once a CIO has even figured out which cloud services his or her employees are using — which was sometimes no small feat in the era of rogue IT — the next step is to make sure those employees are following proper security practices while logging into and using those applications. Single sign-on and identity management technology has been around for a while, but products like Microsoft’s Active Directory were built for a different era of computing.

A sample dashboard of Okta's identity management product.

A sample dashboard of Okta’s identity management product.

“It was like, ‘my 20 years of (security and identity management) stuff doesn’t work,’” McKinnon said, quoting the CIOs he talked to in the early days of Okta as they struggled with balancing the need to provide their employees with state-of-the-art cloud services while ensuring that company data was being used properly inside those services. And it’s not just employees: a lot of companies have close partnerships with other companies that require data sharing in cloud apps, and even if you’ve locked down your own data, there’s no guarantee that the company on the other side of your partnership is as diligent.

That’s part of the problem that has allowed Okta to thrive: the original internet protocols designed in that era of computing didn’t have secure identity services built directly into the protocol, McKinnon said. SSL helped amend this situation, but that only addressed server-side identity, not user identity.

So we’re stuck with usernames and passwords as the primary authentication process in just about every web service we use, and managing those passwords is pretty difficult for people who aren’t software engineers or information security professionals. That has a lot of ramifications in our personal computing lives, and CIOs and CISOs are looking for ways to securely use the cloud services that have allowed companies to get off the ground with a fraction of the investment once required to scale a technology company.

Several large, complex technology organizations have adopted Okta’s products and services, including MGM Resorts, Western Union, and Dish Network. The company has raised around $230 million in funding at a valuation that grants it unicorn status, and is widely expected to be planning for an IPO at some point in 2016. (McKinnon won’t talk about these plans right now, of course, but maybe we can wrangle more out of him at Structure Security.)

McKinnon and Okta would like to build a better protocol for managing identity on the internet, but that is going to take a while. Smartphones can do a lot of interesting things to verify and manage identity data, and machine learning is allowing companies like Okta to try different strategies to manage the back end of identity verification and quickly spot problems or opportunities. A consumer identity management or password manager isn’t on the product roadmap right now, he said, but Okta is focused on connections.

“At work, we’re making a lot of progress, people have less passwords at work because of us,” McKinnon said. He believes, however that he opportunity is bigger than just your work dashboards; it’s likely there are lots of great ideas for products and services that haven’t taken off because of cumbersome identity verification technology.

Join Okta CEO Todd McKinnon at Structure Security this September 27th and 28th at the Golden Gate Club in San Francisco. More details about the event are available here, and you can register for tickets here.

Four more reasons why Structure Security should be on your calendar this September

With two months to go before Structure Security, we’re putting the finishing touches on the lineup for what promises to be a great show in the beautiful Presidio district of San Francisco this September 27th and 28th. We’ve outlined a few themes in the past here, but I wanted to showcase a few new speakers we’ve added as the agenda settles out.

Andy Ellis, CSO, Akamai

Andy Ellis, CSO, Akamai

— Andy Ellis, CSO of Akamai (pictured), will be joining us at Structure Security. Akamai is uniquely positioned to see the threat landscape and its effects on global networks, and networking security is an extremely important part of the company’s mission. We’ll try and wrangle a few war stories out of Andy about defensive strategies and try to understand where tomorrow’s threats will surface.

— We’ve tapped Jessy Irwin, security advocate extraordinaire, and Stacy Stubblefield, CEO of TeleSign, to lead a discussion on the future of the password. Busy people with poor security awareness tend to have very poor password hygiene, but do we try to fix that problem or do we try to find another way to authenticate ourselves online?

— And Asheem Chandra, one of our advisors and a partner with Greylock, has agreed to join us on stage to talk about investment opportunities in security. Asheem, who has shepherded prominent security companies like Palo Alto Networks and Sourcefire into success, was also a key executive in the rise of CheckPoint Software as a security force.

Stay tuned for a few more speakers over the next few weeks, as we have a few more ideas for great sessions that will improve your perspective on information security and the pressures of modern tech product development. But there are more than enough great speakers already booked for you to register right now, and save yourself a little money before the prices go up as we get closer to the show.

Employees are the weakest link in computer security

More than 20 years on, people have definitely gotten savvier when it comes to using the internet. Attachments and links from unknown sources are treated more suspiciously, and IT departments have found better ways to protect their corporate users from malicious web sites. But it only takes one slip to cause huge security problems within your network.

The weakest link in your security plan is still the person who clicks on the wrong link, and dealing with that reality is one of our key themes for Structure Security this September in San Francisco. You can spend millions on security products and consultants only to be foiled by the most basic of spear-phishing attacks. But you’re not helpless: in this post for Fortune, an official media partner of Structure Security, I outline a few speakers and companies who are working on solutions to this problem, and we plan to discuss this at length in September at the Golden Gate Club.

More information on Structure Security can be found here, and you can register for tickets here.

Now speaking at Structure Security: Gerhard Eschelbeck, Google’s security chief

Google’s mission has always been to do cool things, and to do them “at scale,” or across hundreds of millions of users. That effort produces a ton of extremely valuable information across a variety of platforms that an awful lot of criminals and foreign governments would like to obtain, and keeping that information safe and secure is a monumental task.


This September at Structure Security, we’ll interview the man charged with that task: Gerhard Eschelbeck, vice president of security engineering at Google (pictured). We’re thrilled to announce that Gerhard will be joining us September 27th and 28th at the Golden Gate Club in San Francisco’s beautiful Presidio, and we think his session will be one of the most interesting of the whole week.

If you attended the RSA Conference in San Francisco earlier this year, you might have seen an enormous line snaking through the second floor of Moscone West, as if free iPhones were being given out. Those people were lining up for a talk given by Gerhard entitled “My Life as Chief Security Officer at Google.” I couldn’t make it into the room before it filled up completely, but eWeek did, and Gerhard’s talk was easily one of the most attended sessions that wasn’t featured in the main auditorium (maybe next year, it will be).

We’ll definitely ask him to recap a few highlights of that talk, but I’m also interested in the practical advice he can offer our attendees about securing an organization: Google was probably attacked twice in the time it’s taken you to read this far. I also want to ask if his experience working for security vendors has served him well as a security buyer, and how Google’s love of open source technology has played into its security strategies.

Gerhard joins an impressive group of speakers, including Arlette Hart of the FBI, Todd McKinnon of Okta, and Marten Mickos of HackerOne. You can register here for Structure Security, and more information is available here.

Higher payouts and greater participation highlight Bugcrowd’s “State of the Bug Bounty 2016” report

Have you started paying someone to find flaws in your technology? If you haven’t already, data compiled by Bugcrowd suggests you will.

The startup, led by Structure Security adviser Casey Ellis, has released its second annual bug bounty report detailing trends and developments in the hacking-for-cash-or-cool-stickers marketplace. The full report can be found here, and is definitely worth your time if you’re considering setting up such a program at your own company or looking for a fun activity in your spare time, but here are a few highlights:

— 62 percent of participants in bug bounty programs worked on private projects, as opposed to the remainder, working on public projects. Nearly 40 percent of all respondents were in India, with 12 percent from the U.S.

Bugcrowd 2016 bug bounty report

— After kicking the tires on bug bounty programs, 63 percent of users thought the wisdom of this particular crowd was superior to traditional methods of finding bugs, and 64 percent said they would spend at least the same amount of money, or more, on future programs.

— Cross-site scripting (XSS) vulnerabilities were the largest group by a large margin, with cross-site request forgery (CSRF) vulnerabilities coming in second.

— There’s a big “long tail” effect in bounty payouts: the top payment was $15,000 for the successful identification of a bug, but the average payment is only $294.70, which is a small price to pay to find problems in your software. But that number is growing: this report only looked at 2015, but Bugcrowd said that in the first quarter of 2016, the average payout is up to $505.79.

There’s a lot more in the report, which is a great introduction to the state of the bug bounty market for anybody considering such a program and a great update for those already well underway with bug bounty programs. We’re looking forward to Ellis’ appearance at Structure Security this September, where we’ll be sure to get an update on these trends as 2016 evolves.

You can find more information about Structure Security here.

Blackstone’s Leek: Solve security inefficiencies, and the world will beat a path to your door

It’s no longer enough for information security providers to promise their customers total protection: now they have to save them time and money, too.

structuresecurityconf-jay-leekThe practice of information security is extremely inefficient at the moment, according to Jay Leek, chief information security officer for Blackstone Group, one of the largest private equity firms in the world. Leek, who is one of our advisors for Structure Security this September in San Francisco, should know: Blackstone not only faces the same internal security challenges as any large financial institution, it also invests in security companies.

The problem is severalfold: a lack of qualified information security talent leads companies to throw lavish compensation packages at people believed to have promise in the field, hoping they’ll grow into their roles over time. Those who can’t afford those types of compensation packages wind up relying on a mishmash of third-party contractors that introduce all sorts of complexities and (believe it or not) security challenges.

And the success that security vendors have enjoyed selling their products inside Fortune 500 companies means that someone has to be responsible for making sure all those products play nicely together and actually work, which is not as easy as it sounds.

“This is a big issue,” Leek said. “It’s amazing how well we sleep at night thinking something is working as advertised when in reality it’s not.”

With that in mind, which vendors and investment opportunities are on Blackstone’s radar? Leek won’t name names, of course, but any company that is working on security technology that moves the needle while being easier to implement than whatever is currently being used is going in the right direction, he said. This includes companies that are focused on user-friendly analytics and technical support as much as product development. And the nice thing about investing in security startups and buying their products or services is the degree to which you can shape their product roadmap, as opposed to working with more established security vendors, which tend to have their own way of doing things.

We’re looking to showcase several of those companies this fall at Structure Security with the help of Leek and the rest of our board of advisors, who are listed here. You can register for the event, scheduled for September 27th and 28th at the Golden Gate Club in San Francisco, here.

Bridging the gap between infosec and tech at Structure Security

Golden Gate Club

One important reason why the modern technology industry has become so powerful is the speed at which it has unleashed life-altering innovation, forever changing the world in less than a generation. Very few people are able to keep up with the speed at which we manipulate technology to solve our problems, and some of those people just want to watch the world burn.

As we get ready for Structure Security this September in San Francisco, we’re building a thesis on the state of information security in 2016. While it’s clear that the architects of tech innovation take security as seriously as they ever have, it’s also clear there remains a disconnect between the day-to-day lives of information security professionals and the engineers who are moving fast and breaking things.

A hyper-connected world means danger can enter your corporation (or bank account) without leaving a trace, through vectors you would have never considered dangerous a few years ago. Software that wasn’t written with security in mind, or with a cursory nod towards security, can suddenly present a massive problem when it becomes widely used across an enterprise. And one of the main threats to corporate security in 2016 remains the people who click on links or attachments they have no excuse clicking on in 2016.

One benefit from this scourge of cyber criminals (as well as inquisitive governments around the world)? A ton of data is being produced that information security professionals can use in evaluating threats and recommending countermeasures. Yet too many in the security world are reluctant to share that information that could address the problems with external organizations (or even within their own company) given concerns about the negative implications of sharing data on breaches.

Everyone with a vested interest in information security — CISOs, CIOs, tech companies, security vendors, and investors — needs to come together to discuss these issues and learn from each other. Along those lines, a world-class team of advisors is helping Structure Security set the stage for discussions about these topics, because we all believe very strongly that more discussion between those creating technology and those protecting us from harm is the only way to ensure effective information security in the 21st century. Those advisors include:

Read more


Introducing Structure Security: Mapping the future of security

By its nature, technology is the world’s fastest-moving industry. And making sure our events keep pace with (or stay ahead of) that change is job #1 at Structure.

Since relaunching the Structure series last year we have been planning to expand our roster of events beyond the ones you already know so well: Structure Data (less than a month away in San Francisco), Structure Connect, and of course, Structure.

And over the last eight months, as we talked about key industry trends with the industry leaders, technology visionaries and investors that make up the Structure community, one topic came up in almost every conversation: cybersecurity. Our mothers did not raise fools: we’re very excited to announce the launch of Structure Security, scheduled for September 27th and 28th, at San Francisco’s Golden Gate Club.

Why now? Many of today’s biggest cybersecurity issues can be attributed to the failure of technology companies to keep up with the advances of cyber threats or, in too many cases, failing to prioritize these threats as a core part of their operational plan. Our goal with Structure Security is to elevate the focus on cybersecurity beyond the professionals who work on it every day, bringing together the broader technology community to be a part of this important conversation.

Read more