Secure Your Apps (Secure Your Business)
Ed Amoroso outlines a recent lunch discussion with Sameer Malhotra of CIX Software about securing business by securing apps.
In a moment of vain weakness, I recently typed my name into Wikipedia – and to my surprise, I got one modest hit. Nearly a quarter of a century ago, I wrote a chapter on the use of threat trees in my first computer security textbook, and apparently, someone noticed. The result is my one little reference (it’s actually two) in the Encyclopedia of Planet Earth. I will admit that for someone who has authored six books and a zillion articles, this has its bittersweet ironies.

Despite such wild accolades, when lecturing today on threat analysis, rather than sketch a threat tree, I am much more inclined to use a threat-asset matrix as the basis for cyber risk modeling. The columns of the matrix will correspond to the familiar CIA taxonomy, while the rows will correspond to the valued assets of the system, network, or business being examined. And increasingly I’ve noticed that these rows are often just a long list of applications.
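As an added example (not from the article), here is a small threat-asset matrix of the kind described above: the columns are the CIA properties and the rows are applications. The 1..5 likelihood and impact scale, the product of the two as a cell's risk score, and the sample app inventory are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

CIA = ("confidentiality", "integrity", "availability")  # the matrix columns

@dataclass(frozen=True)
class Cell:
    likelihood: int  # 1..5 qualitative scale (this example's assumption)
    impact: int      # 1..5

    def risk(self) -> int:
        return self.likelihood * self.impact

Matrix = Dict[str, Dict[str, Cell]]

def build_matrix(rows: Dict[str, Dict[str, Tuple[int, int]]]) -> Matrix:
    """Rows are the valued assets (here, applications); each must score all three CIA columns."""
    matrix: Matrix = {}
    for app, cols in rows.items():
        if any(c not in cols for c in CIA):
            raise ValueError(f"{app}: every CIA column must be scored")
        if any(not (1 <= v <= 5) for c in CIA for v in cols[c]):
            raise ValueError(f"{app}: likelihood and impact must be 1..5")
        matrix[app] = {c: Cell(*cols[c]) for c in CIA}
    return matrix

def app_risk(matrix: Matrix, app: str) -> int:
    return sum(cell.risk() for cell in matrix[app].values())

def rank_apps(matrix: Matrix) -> List[Tuple[str, int]]:
    """Applications by aggregate risk, highest first."""
    return sorted(((app, app_risk(matrix, app)) for app in matrix), key=lambda t: -t[1])

def hot_cells(matrix: Matrix, threshold: int) -> List[Tuple[str, str, int]]:
    """Individual (app, property, risk) cells at or above the threshold, highest first."""
    cells = [(app, c, matrix[app][c].risk()) for app in matrix for c in CIA]
    return sorted((x for x in cells if x[2] >= threshold), key=lambda t: -t[2])

# Constructed sample inventory for a small business; the scores are illustrative, not measured.
SAMPLE = build_matrix({
    "payroll":   {"confidentiality": (3, 5), "integrity": (2, 5), "availability": (2, 3)},
    "invoicing": {"confidentiality": (2, 3), "integrity": (3, 5), "availability": (3, 3)},
    "email":     {"confidentiality": (4, 4), "integrity": (3, 3), "availability": (3, 4)},
    "storage":   {"confidentiality": (3, 5), "integrity": (2, 4), "availability": (2, 3)},
    "calendars": {"confidentiality": (2, 2), "integrity": (1, 2), "availability": (2, 2)},
})

if __name__ == "__main__":
    print(rank_apps(SAMPLE))
    print(hot_cells(SAMPLE, 15))
```

The per-application totals give the row ordering that drives priorities, while the per-cell view shows which single property (for instance, the confidentiality of email) is carrying the risk.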

This observation matches my own experience starting a business. That is, one must first identify the functions necessary to be a successful capitalist – namely, invoicing, payroll, email, storage, calendars, customer service, and on and on. And then, for each of these, one simply selects a suitable app. For little companies, this means finding apps in the cloud. For larger entities, the selection, development, and procurement are a bit more involved – but the result is the same.

I had this concept on my mind last week while enjoying Indian food from Hoboken’s Karma Kafe with two of my good friends: Sameer Malhotra of CIX Software and Jennifer Bayuk, principal of a consulting firm under her own name. During our lunch, Sameer was explaining progress on his fine BUSHIDO platform, when he said something I considered profound. “We built our platform to secure business apps,” he explained, “because in many cases, your business is your apps.”

The way BUSHIDO works is that it embeds itself into the run-time environment of your business application and then pushes out telemetry based on advanced analytics. This is also profound, because it supports two of the primary cyber security requirements of any business: real-time analysis and live mitigation. Both are wrapped in automation that creates an environment of detection, prevention, and support for rapid incident response.

Because the CIX Software team is located just a stone’s throw from my classroom at Stevens, I’ve had the opportunity to visit their offices several times. And each time, I’ve learned more about how their developers are truly pushing the envelope with their security algorithms. One area that is particularly impressive involves their technical solutions for real-time application self-protection, also referred to commonly in our community as RASP.

“We’ve tried to focus on visibility, application profiling, behavioral analytics, and support for incident response workflow,” Sameer explained. “This allows our customers to implement advanced protection initiatives for their applications. This includes dependency mapping, compliance monitoring, and even support for creating micro-segmentation around enterprise applications – which really helps companies address de-perimeterization.”

My advice is this: It’s time to recognize that your business is no longer valued primarily on its tangible assets. This is true for every sector – even ones with massive brick-and-mortar operations (think Amazon.com). Instead, your business value is much more likely to be based on its virtual capabilities. That is, business value is now based primarily on the quality, power, appropriateness, and yes – the security of your applications.

With this mindset, I think it makes perfect sense to consider implementing a more powerful and automated security solution for your applications – and I am personally kind of partial to self-protecting approaches. So, give Sameer and his CIX Software team a call. And if you visit their offices, ask him to order up some nice box lunches from Karma Kafe. I think that food puts Darbar in Palo Alto to shame.