October 13, 2020
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
MLOps: More Than Automation
For MLOps to learn from DevOps, we must center the needs of data scientists and the people that are impacted by their models first. It isn’t enough to say that practicing MLOps means advocating for automation and monitoring at all steps to do things faster. Without this focus, we will see an increase in the deployment of models that have uninspected and unintended consequences that often disproportionately impact marginalized communities. So, as a data scientist, what is it that I need? Keeping up with the latest and greatest event streaming services, distributed systems or methods of continuous deployment of integration isn’t where my mind lights up. I would like to spend most of my time understanding the domain space of the model I’m about to build, the nuanced impact of that model and whether it’s going to meet the needs of my customers and the people they serve. There are a few ways to notice if you’re applying MLOps basically as a Band-Aid, a way to just go faster, that will ultimately break down. When looking for a solution to automate, consider if you’re only reducing the work required for manual processes or if you’re also enabling data scientists to focus on the hard problems they’re trained to tackle.
6 Signs DevSecOps Maturity Has a Long Way to Go
Nevertheless, AppSec teams still struggle on many fronts to bake security into the process of delivering software, and the vast majority of organizations are early on in their DevSecOps journey. According to another recent study conducted by WhiteSource, only 20% of organizations believe they’ve reached full DevSecOps maturity, and 73% of respondents say they feel forced to compromise on security to meet short development lifecycles. That is fine in a lot of situations, because what is risk management but a constant exercise in compromise? It’s all about weighing the risks against the benefits of a certain activity, and coming up with a balance of actions and controls that minimizes the risk while maximizing the benefits. The problem for DevSecOps today is that the indicators show there’s still little rigor or due diligence in coming up with a disciplined method for determining that balance, let alone executing on it. ... The disconnect in what DevOps pros prioritize over time (security work versus innovation and feature delivery) ultimately comes down to how they’re measured and incentivized by their bosses. Many executive teams may pay lip service to the need for better cooperation between security, 44% according to security pros interviewed in the Ponemon study.
Half of all virtual appliances have outdated software and serious vulnerabilities
"Poor processes account for the product age problem in many cases," Orca said in its report. "Out-of-date products remain available after they’ve reached their end-of-life. The overall product is no longer supported, the operating systems may be unsupported, and/or updates and patches are no longer being applied. As a result of Orca Security’s research, 39 products have been removed from distribution." Commercial appliances scored about the same on average as free and open-source ones, with the latter having a slight advantage. However, hardened virtual appliances, whose operating systems and software stacks had been stripped down to minimize attack surface, scored much higher than all other appliances: 94.2 on average. Over half of the tested appliances came from system integrators. These images bundle all the components needed to run a particular Web application: for example, an image with WordPress plus the Apache Web server, the MySQL database and the OpenSSL library. Their average score was 77.6, which is close to the overall average for all appliances but lower than that of appliances from security vendors.
CPRA: More opportunity than threat for employers
The CPRA is actually a lot more lenient than the GDPR in regard to how it polices the relationship between employers and employees’ data. Unlike for its EU equivalent, there are already lots of exceptions written into the proposed Californian law acknowledging that worker-employer relations are not like consumer-vendor relations. Moreover, the CPRA extends the CCPA exemption for employers, set to end on January 1, 2021. This means that if the CPRA passes into law, employers would be released from both their existing and potential new employee data protection obligations for two more years, until January 1, 2023. This exemption would apply to most provisions under the CPRA, including the personal information collected from individuals acting as job applicants, staff members, employees, contractors, officers, directors, and owners. However, employers would still need to provide notice of data collection and maintain safeguards for personal information. It’s highly likely that during this two-year window, additional reforms would be passed that might further ease employer-employee data privacy requirements. While the CPRA won’t change much overnight, impacted organizations shouldn’t wait to take action, but should take this time to consider what employee data they collect, why they do so, and how they store this information.
Digital transformation: 3 hard truths
Digital transformation projects that are born as “IT initiatives” run the risk of being viewed as changes for the sake of new technology. Digital transformations must be viewed as business transformations, with business leaders not only buying into the proposed plans and value but driving the organizational and process changes that are needed to be successful. The widespread adoption of technologies means an organization doesn’t gain a competitive edge from whether it uses them, but rather from how it uses them. Success lies in creating balanced IT-business partnerships that provide experts from both technical and business domains so new technologies can be integrated deep into the business. Intel’s AI projects are a perfect example of this in practice. Together, IT and the business have been able to achieve over $500 million in business value in 2019. Digital transformation isn’t a “from->to” process that reaches a static, determined “end state.” Today’s competitive pressures and the pace of technological change are simply too great to allow for a transformation to ever be “finished.” We need to view digital transformation as always evolving, always underway, with leaders and businesses embracing a dynamic state of constant disruption.
Ransomware operators now outsource network access exploits to speed up attacks
"Since the start of 2020 and the emergence of the now-popular 'ransomware with data theft and extortion' tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise," the researchers say. "A successful ransomware attack hinges on the development and maintenance of stable network access, which comes with a higher risk of detection and requires time and effort. Access sellers fill this niche market for ransomware groups." As of September this year, Accenture has tracked over 25 persistent network access sellers, alongside the occasional one-off, and more are entering the market on a "weekly basis." Many of the sellers are active on the same underground forums haunted by ransomware groups including Maze, NetWalker, Sodinokibi, Lockbit, and Avaddon. Sellers have now begun touting their offerings in single forum threads rather than separate posts, and RDP remains a popular option for network access. In an interesting twist, rather than sell off a zero-day vulnerability to one buyer, some traders are using these unpatched bugs to compromise numerous corporate networks and then sell access to threat actors in separate bundles to generate additional revenue.