After Equifax: Should Tech Entrepreneurs Design The Next-Gen Credit Agency?





Xconomy | By Bernadette Tansey | September 15, 2017


Personal financial data for as many as 143 million Americans, inadequately guarded by credit bureau Equifax and stolen by hackers, can never be sheltered again under an umbrella of privacy. Those victims could face dire consequences, such as raids on their bank accounts and identity theft, for the rest of their lives. The losses for Equifax shareholders have already reached into the billions. The company’s stock value plunged after it disclosed the huge breach on Sept. 7. By then, some Equifax executives had already sold their shares in the company. Equifax says it had discovered the cyber intrusion on July 29.


The Equifax hack—possibly resulting from a software vulnerability for which a patch was available two months before mid-May, when the company now says the cyberattack began—is also a watershed event that is eroding confidence in the overall credit reporting industry.


It has raised calls for increased regulation, not only on cybersecurity standards, but also on the core business model of credit bureaus. The security failure of Equifax, founded in 1899, may stimulate 21st century technologists to design new safeguards that would bolster Equifax and its two major competitors, TransUnion and Experian. But some tech innovators may also see opportunities to disrupt the dominance of the “big three” in an industry that dates back to the late 19th century.


“We’re operating with a legacy paradigm that just doesn’t scale to the digital economy,” says Robert Ackerman, founder and managing director of venture capital firm Allegis Capital, which concentrates on cybersecurity investments. “Equifax is going to start a lot of people thinking about solutions,” he says.


What would a new rival to Equifax look like? One response to that question came from Simon Peel, chief strategy officer at Alameda, CA-based Jitterbit, which helps banks and other customers adopt advanced technologies more quickly through the use of Application Programming Interfaces (APIs).


“A competitor to Equifax would integrate the current best-of-breed technologies, in fraud detection, security and analytics, while also ensuring that they are remaining agile as new and improved technologies are being developed—such as predictive analytics, deep learning and AI,” Peel says in an e-mail exchange with Xconomy.


Peel says financial institutions are already using technology to move well beyond the metrics often relied on by credit reporting agencies to help lenders assess risks—that is, borrowers’ payment histories for loans and credit card debt. He points to the 2016 annual report by JPMorgan Chase, in which the bank described its use of a machine learning tool called COiN, which analyzed “12,000 annual commercial credit agreements in seconds compared with as many as 360,000 hours per year under manual review.”


Cybersecurity innovations are top of mind for Ackerman in the wake of the Equifax breach—not surprising, given his firm’s focus. But Ackerman also identified other pain points that entrepreneurs, as well as governments, could evaluate as they look to improve the credit reporting industry.


Decentralizing data
Hackers may have been able to abscond with their massive data trove more easily if Equifax was keeping the personal information of millions of people in a central repository, Ackerman says. “It is folly to collect everything and put it together,” he says. The idea of maintaining a complete set of valuable data in one hardened silo may seem more secure, but distributed data storage would limit the haul for each hack, he says. As it is, criminals may now be in possession of the Social Security numbers, dates of birth, credit card numbers, and driver’s license numbers of millions of Americans.


Regardless of the storage strategy, a business model that calls for assembling all that consumer data under the control of one company is asking for trouble, two University of Houston computer science professors write in a commentary this week for The Hill.


“What Equifax and others have done in concentrating massive quantities of personal data simply is not desirable in our time of cyber insecurity,” according to the commentary’s authors, professors Wm. Arthur Conklin, director of the university’s Center for Information Security Research and Education, and Christopher Bronk, the associate director of the center. “Private firms and government agencies that maintain such data stores need to be regulated concerning protection and isolation of the data.”


All of that sensitive data held by credit reporting agencies should be encrypted, wherever it’s stored, Ackerman says. Hackers may inevitably get into any data cache, but companies can make it less useable for them by encrypting it. IBM and other companies are working on methods to encrypt data even when it’s in use, he says. That could be a key improvement for the credit reporting industry, he says.
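To make the encrypt-it-wherever-it-sits point concrete, here is an added Python example written for this page (it is not Equifax’s, IBM’s or Ackerman’s code). It stores consumer records so that a copy of the table yields only ciphertext for the sensitive fields, while a keyed blind index still lets the application look a record up by Social Security number. Because the standard library has no AES, the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag; a production system would use AES-GCM from a vetted library and keep the three keys in a separate key-management service rather than next to the data. The record values and key material are constructed for the demonstration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
SENSITIVE_FIELDS = ("ssn", "dob", "drivers_license")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(enc_key: bytes, mac_key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC; returns hex(nonce || ciphertext || tag)."""
    nonce = os.urandom(NONCE_LEN)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_field(enc_key: bytes, mac_key: bytes, blob_hex: str) -> str:
    """Verify the tag before touching the ciphertext; any modification is rejected."""
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def blind_index(index_key: bytes, ssn: str) -> str:
    """Keyed hash of the SSN: supports equality lookup, reveals nothing without the key."""
    return hmac.new(index_key, ssn.encode(), hashlib.sha256).hexdigest()


class CreditStore:
    """Rows at rest hold ciphertext for SENSITIVE_FIELDS and are keyed by blind index."""

    def __init__(self, enc_key: bytes, mac_key: bytes, index_key: bytes):
        self.enc_key, self.mac_key, self.index_key = enc_key, mac_key, index_key
        self.rows = {}  # blind index -> stored row (what a table dump would contain)

    def put(self, record: dict) -> None:
        row = dict(record)
        for name in SENSITIVE_FIELDS:
            if name in row:
                row[name] = encrypt_field(self.enc_key, self.mac_key, row[name])
        self.rows[blind_index(self.index_key, record["ssn"])] = row

    def get_by_ssn(self, ssn: str):
        row = self.rows.get(blind_index(self.index_key, ssn))
        if row is None:
            return None
        clear = dict(row)
        for name in SENSITIVE_FIELDS:
            if name in clear:
                clear[name] = decrypt_field(self.enc_key, self.mac_key, clear[name])
        return clear

    def dump(self) -> list:
        """What someone who copies the table, but not the keys, walks away with."""
        return list(self.rows.values())


def demo() -> tuple:
    """Constructed sample record, round-tripped through the store."""
    keys = (os.urandom(32), os.urandom(32), os.urandom(32))  # stand-in for a KMS
    store = CreditStore(*keys)
    record = {"name": "Jane Q. Sample", "ssn": "123-45-6789",
              "dob": "1980-01-01", "drivers_license": "S1234567", "score": 712}
    store.put(record)
    return record, store.get_by_ssn("123-45-6789"), store.dump()


if __name__ == "__main__":
    original, recovered, leaked = demo()
    print("round trip ok:", original == recovered)
    print("dump exposes SSN:", any("123-45-6789" in str(row) for row in leaked))
```

The design choice worth noting is the split: the table can be copied in full and still contains no usable SSNs or birth dates, and a record that has been edited in place fails the tag check instead of decrypting to garbage.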


“If I were building a company in that space, that’s where I’d be going,” Ackerman says.


Open source software
Equifax says hackers were able to overcome the company’s defenses by taking advantage of a vulnerability called Apache Struts CVE-2017-5638. Even if that vulnerability in open source software was the gateway for the breach, it’s no excuse for Equifax, Ackerman says. Users of open source software must constantly probe and validate it, using a variety of methods such as code scanners, white hat hackers, and diligent adoption of security patches when they’re released. According to a story by Ars Technica, a patch was available to fix the software flaw in March, two months before the time period in May when Equifax says the breach began.


Monitoring of company systems for security breaches
Ackerman says the hackers may have been operating inside Equifax’s defense perimeters for a longer period than the company has acknowledged. Companies holding that much sensitive data should be vigilantly monitoring the data leaving the network to detect the exfiltration of information by cybercriminals, he says.
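As an added illustration of the egress monitoring Ackerman describes (example code written for this page, not anything Equifax runs), the Python below summarizes per-host outbound traffic from flow logs, builds each host’s own daily baseline, and flags two departures from it: a day whose outbound volume is several times the host’s median, and traffic to a destination the host has never contacted before. The log lines, host names and addresses are constructed; the two thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict
from statistics import median

# Constructed egress flow summaries: date, source host, destination, bytes sent.
# The second-to-last line is the anomaly: a huge transfer to a never-seen destination.
SAMPLE_LOG = """\
2017-05-12 app-01 203.0.113.10:443 bytes_out=21000
2017-05-12 app-02 203.0.113.10:443 bytes_out=19500
2017-05-13 app-01 203.0.113.10:443 bytes_out=22500
2017-05-13 app-02 203.0.113.10:443 bytes_out=20100
2017-05-14 app-01 203.0.113.10:443 bytes_out=20800
2017-05-14 app-02 203.0.113.10:443 bytes_out=19900
2017-05-15 app-01 203.0.113.10:443 bytes_out=21200
2017-05-15 app-01 198.51.100.77:443 bytes_out=2400000000
2017-05-15 app-02 203.0.113.10:443 bytes_out=20400
"""


def parse(log_text):
    """Yield (date, host, destination, bytes_out); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("bytes_out="):
            continue
        yield parts[0], parts[1], parts[2], int(parts[3].split("=", 1)[1])


def detect_exfiltration(log_text, day, ratio=5.0, min_baseline_days=3):
    """Flag hosts whose egress on `day` departs from their own history.

    volume          - total bytes_out on `day` exceeds `ratio` x the median of the
                      host's earlier daily totals (needs min_baseline_days of history)
    new_destination - traffic to a destination the host never talked to before `day`
    """
    daily = defaultdict(lambda: defaultdict(int))   # host -> date -> bytes
    seen_dests = defaultdict(set)                   # host -> destinations before `day`
    today_dests = defaultdict(set)                  # host -> destinations on `day`
    for date, host, dest, nbytes in parse(log_text):
        daily[host][date] += nbytes
        if date < day:                              # ISO dates compare as strings
            seen_dests[host].add(dest)
        elif date == day:
            today_dests[host].add(dest)

    alerts = []
    for host, per_day in daily.items():
        baseline = [b for d, b in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if len(baseline) >= min_baseline_days and today > ratio * median(baseline):
            alerts.append({"host": host, "kind": "volume",
                           "bytes": today, "baseline_median": median(baseline)})
        for dest in sorted(today_dests[host] - seen_dests[host]):
            alerts.append({"host": host, "kind": "new_destination", "dest": dest})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_LOG, "2017-05-15"):
        print(alert)
```

Per-host baselines matter more than a single network-wide threshold: a database server that normally sends a few kilobytes a day should alarm at a few megabytes, long before the transfer would stand out against the whole organization’s traffic.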


Social Security numbers
A fundamental weakness in the U.S. financial services system is the widespread use of Social Security numbers as a means to identify customers, Ackerman says. Those numbers were originally intended to be used only for communications about government benefits, not as an identifier demanded by private vendors, such as utilities and credit card companies, he says.
“The fact that we’ve allowed people to use it as a national identity is a tragedy,” Ackerman says. Unlike account numbers, Social Security numbers can’t be easily changed once they’ve been stolen.


Now that criminals may hold the Social Security numbers of more than 44 percent of the U.S. population, lenders will be much less certain that a person who can provide a valid number is the real owner of that identity. Millions of spoofed identities could be created based on filched Social Security numbers, Ackerman says.


“What we clearly need is a much more rigorous regime of identity authentication,” Ackerman says. Technology could help with that, by creating methods of authentication that can scale to an almost unlimited number of factors without slowing transactions, he says. Novel authentication factors made possible by technology include the location where a user logs into an account; the angle at which a cell phone is held; the user’s thumb pressure; and a customer’s walking gait, Ackerman says.


Jitterbit’s Peel says smartphones themselves provide the means for verifying the identities of their users.


“Two-factor authentication simply sends an SMS message containing a password to the mobile phone that is on record for that person at the credit agencies,” Peel says. “With the iPhone 6, 7 or 8 it would be simply a matter of putting your thumb on the fingerprint reader. With the newly announced iPhone X it could be as simple as holding up the phone to your face and using your face as the password to prove your identity.”


Such technology solutions can produce good outcomes, but they can also lead to some of the downsides consumers now resent about traditional credit agencies, says professor R.A. Farrokhnia, a member of Columbia University’s business and engineering faculty, and executive director of Advanced Projects and Applied Research in Fintech at Columbia.


Just as the credit agencies sweep up our financial information without our permission, new technologies can monitor personal behaviors such as our Internet search histories, which have also been proposed as possible indicators of creditworthiness—or a lack of it, Farrokhnia says.


Government response
Ackerman sees regulatory actions by governments as one of the important ingredients in re-engineering the credit reporting industry for the 21st century. That also goes for other sectors responsible for safeguarding the valuable data of individuals, in his book. He admires the EU General Data Protection Regulation (GDPR) data privacy scheme that will be enforced starting in May 2018. It will impose substantial penalties on companies that fail to safeguard the data of EU residents, no matter where the company is located.


Multiple functions of credit bureaus
Ackerman and others see problems worth solving due to the array of different roles filled by credit bureaus. The primary function of the agencies is to help banks and other lenders to determine whether a borrower is creditworthy; these entities report back to the credit bureau on each consumer’s track record of repayment.


The credit agencies also offer services to consumers, by helping them correct inaccuracies in their credit reports. But Ackerman sees these efforts as half-hearted.


“Their interest in our privacy and security and accuracy of information is lip service,” Ackerman says. “They care only if (an inaccuracy) reduces the value of information they’re selling. They collect your information without your permission, and they only work with you in response to regulatory pressure.”


As an investor, Ackerman says he’s been talking to colleagues for some years now about possible business models for an independent company that would protect consumer privacy and identity.


“I think there’s an opportunity,” he says. “More than an opportunity; there’s a need.”


University of Houston professors Conklin and Bronk think regulators should peel away another of the multiple functions of the credit bureaus: they sell the sensitive financial information of consumers to marketers.


“Lawmakers should consider investigating and possibly banning data brokering by the credit bureaus,” the professors suggest. “It is one thing for credit bureaus to inform lending establishments of consumer creditworthiness, but another for them to serve as behind the scenes marketing intelligence firms. So long as these companies cannot protect their data resources, they will harm U.S. consumers, financial institutions, and government through the countless cases of identity theft that incidents like the Equifax breach enable.”


Currently, U.S. government regulations applying to credit agencies are scanty, as detailed by the New York Times.


Farrokhnia, the fintech expert at Columbia, says the chance of a U.S. regulatory overhaul of the credit reporting industry may be slim, given the many distractions on the political scene and the current administration’s inclination to reduce regulation rather than expand it. Even so, the Federal Trade Commission has announced that it is investigating the Equifax hack, Reuters reported. Pressure is coming from other government sources, including investigations and lawsuits by state attorneys general. Class action law firms are lining up to sue Equifax on behalf of consumers.


Equifax’s management of the crisis is adding to public outrage. It delayed announcing the cyberattack after discovering it, and during that delay, company executives sold some of their shareholdings. Equifax offered consumers free credit monitoring for a year, but at first made it a condition that they give up their right to sue the company for damages due to the data breach. Equifax later removed that condition under pressure.


The fallout from the huge breach could end up imposing substantial costs not only on Equifax, but also on most businesses, according to a report by the financial institution UBS.


“Major high profile attacks involving consumer data, like this Equifax incident, tend to lead to reevaluation of industry wide security practices and the architecture of digital security,” according to the UBS report. The result could be higher spending not only on cybersecurity measures, but also on insurance to cover the potentially devastating financial impact of a cyberattack, UBS stated. Citing a Gartner report, UBS says global cybersecurity spending could grow to $170 billion by 2020.


“I can tell you, the cybersecurity budgets for Experian and TransUnion are now unlimited,” Ackerman says.


Find article here: www.xconomy.com


Cybersecurity Automation is Coming to the Rescue





RSA Conference | By Bob Ackerman | September 7, 2017


Every now and then, it may seem as though the explosive growth of increasingly sophisticated, novel and successful cyberattacks is overwhelming. Who can keep up and fend off the attacks? Certainly not the federal government, and certainly not most major corporations.


Further undermining a strong defensive posture is the swelling shortage of cybersecurity specialists – more than 1 million globally today, according to multiple cyber experts, and a number expected to nearly double by 2021.


Is there any light at all at the end of the tunnel?


Fortunately, there is. Organizations are turning to automation and analytics to aid cyber specialists and, increasingly, to “force multiply” the effective size of cyber staffs. Automation can help spot attacks before they begin and save time for IT staffers, enabling them to focus on other tasks. Already, automation is accomplishing faster detection and remediation of cyber threats, courtesy of emerging providers that leverage advanced technologies, including user behavioral analytics, machine learning and real-time, automated remediation.


Cybersecurity automation was predictable


This development should come as no surprise. Look around and you see automation everywhere – in, among other areas, manufacturing, finance, marketing, transportation and in social networking. Even cars – i.e., autonomous vehicles – are becoming automated.


All forms of successful automation substantially improve efficiency. How this is accomplished depends on the specifics of different industries. In the case of cybersecurity, the role of automation boils down to better and far faster management of complexity. Bigger networks, mobile devices and multiple cloud services are making the workload for IT teams unmanageable. This becomes a crisis during a cyberattack, when time is of the essence.


When a data breach occurs, organizations must respond immediately. Credentials are compromised in minutes, and typically most of an organization’s critical data or intellectual property is lost within the first day. Verizon’s 2016 Data Breach Investigations Report highlights this sad reality. It found that 82% of organizations surveyed said that a compromise took only minutes to infiltrate company systems, and 68% said associated data was breached within days.


Threat detection must be rapid


The obvious upshot is that a threat detection solution that cannot detect and remediate threats in near real-time is of little use. This is where cybersecurity automation enters the picture. It doesn’t replace cyber specialists. Rather, it massively extends their reach.


A good automated cybersecurity system detects an alert immediately and assesses it for legitimacy and severity. Real threats are prioritized and steps are taken to address the problem. If the incident can be resolved automatically, without the need for human input, it will be.


Typically, customizable and scalable automated incident response “playbooks” are built and deployed. Their development is usually based on real-life scenarios and actual incidents, enhancing their effectiveness in detecting and resolving legitimate incidents quickly. Automated incident response helps substantially reduce the time it takes to resolve an issue from weeks and sometimes months to hours and sometimes even minutes.


As such, a cyber breach that slips through the cracks can often be isolated and nullified before it has time to wreak havoc. This is a rarity for an IT staff without the aid of automation, which all too often finds itself weeding through scores of potential threats while the one truly dangerous incident busts through the defensive perimeter. In addition, automated incident response can also be used for protection 24/7.
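The triage loop described above, reduced to code as an added example for this page (it is not code from any vendor Ackerman mentions): each alert is enriched against reference data, scored for legitimacy and severity, and then routed to the least drastic adequate action. An authorized scanner’s noise is suppressed, a low-scoring alert becomes a ticket, an ambiguous one is escalated to a human, and only a high-confidence, high-impact case triggers automatic host isolation, the one containment step taken without a person in the loop because it is quick to reverse. The blocklist, scanner address, crown-jewel host list, scoring weights and sample alerts are all constructed.

```python
from dataclasses import dataclass, field

# Constructed reference data; a real playbook would pull these from threat intel and a CMDB
KNOWN_BAD_IPS = {"198.51.100.23"}
AUTHORIZED_SCANNERS = {"10.0.9.9"}        # the internal vulnerability scanner
CROWN_JEWEL_HOSTS = {"db-credit-01"}      # hosts holding the sensitive data


@dataclass
class Alert:
    alert_id: str
    rule: str      # detection rule name, prefixed by category ("scan:", "exfil:", "auth:")
    src_ip: str
    host: str
    user: str = ""


@dataclass
class Decision:
    alert_id: str
    severity: str            # "info" | "medium" | "high"
    action: str              # "suppress" | "ticket" | "escalate" | "isolate_host"
    reasons: list = field(default_factory=list)


def triage(alert: Alert) -> Decision:
    """Assess legitimacy and severity, then choose the least drastic adequate action.

    Automatic containment (isolate_host) is taken only when several independent
    signals agree; anything ambiguous is handed to an analyst instead.
    """
    reasons = []
    score = 0
    if alert.src_ip in AUTHORIZED_SCANNERS and alert.rule.startswith("scan:"):
        return Decision(alert.alert_id, "info", "suppress", ["authorized scanner"])
    if alert.src_ip in KNOWN_BAD_IPS:
        score += 3
        reasons.append("source on threat-intel blocklist")
    if alert.host in CROWN_JEWEL_HOSTS:
        score += 2
        reasons.append("target holds sensitive data")
    if alert.rule.startswith("exfil:"):
        score += 3
        reasons.append("outbound data transfer rule")
    elif alert.rule.startswith("auth:"):
        score += 1
        reasons.append("authentication anomaly")

    if score >= 6:
        return Decision(alert.alert_id, "high", "isolate_host", reasons)
    if score >= 3:
        return Decision(alert.alert_id, "medium", "escalate", reasons)
    return Decision(alert.alert_id, "info", "ticket", reasons or ["no corroborating signal"])


def run_playbook(alerts):
    """Triage every alert and surface the most severe decisions first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    return sorted((triage(a) for a in alerts), key=lambda d: rank[d.severity])


# Constructed alert batch: scanner noise, a clear exfiltration, a weak signal, an ambiguous one
SAMPLE_ALERTS = [
    Alert("A-1", "scan:port-sweep", "10.0.9.9", "web-03"),
    Alert("A-2", "exfil:large-upload", "198.51.100.23", "db-credit-01"),
    Alert("A-3", "auth:failed-logins", "10.0.4.12", "web-07", user="jdoe"),
    Alert("A-4", "auth:new-country-login", "203.0.113.5", "db-credit-01", user="svc-etl"),
]

if __name__ == "__main__":
    for decision in run_playbook(SAMPLE_ALERTS):
        print(decision)
```

The scoring is deliberately additive and legible: when the analyst reviews an escalated case, the `reasons` list says exactly which signals fired, which is what lets the weights be tuned from real incidents as the text describes.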


Not all players in cybersecurity automation are young companies. Microsoft, for example, recently bought U.S.-Israeli artificial intelligence cybersecurity firm Hematite, reportedly for $100 million. More common, however, is activity among startups and in academia.


Carnegie Mellon and cyber automation


Carnegie Mellon University, for instance, has employed the attributes of web servers, such as the software they use, as variables to predict how likely a server is to be hacked. A model developed by researchers there successfully predicted 66% of future attacks.


In addition, software vendors are stepping into the breach and employing software and modeling approaches applicable to cyberattack behavior, stemming from efforts to identify credit card fraud. Both are a form of anomaly detection and can be unusually speedy and highly effective.


None of this should suggest that cybersecurity automation is a panacea. It still produces too many false positives and false negatives and misses some intrusions altogether. And some cyber pros are uncomfortable with it, fearing it could cost them their jobs. The latter, at least, is an unfounded concern. Humans are still best at identifying previously unknown threats. Cybersecurity automation must be woven into the fabric of a team; it is not a stand-alone solution and probably never will be.

Cybersecurity automation inevitable


In any case, there is really no alternative but to embrace automation. Statista, a statistics portal, estimates there were 23 billion connected devices in 2016 – a number that it adds will grow to 50 billion by 2020, reflecting an avalanche of Internet of Things (IoT) devices. In addition, there is an urgent need to reduce the time it takes to spot and contain organizational breaches – commonly 200 days-plus to spot them and another 69 days to contain them, according to Ponemon Institute. The longer the timeframe, typically the worse the financial consequences.


Not far away will be the application of artificial intelligence to automation. Human analysts, however, will go nowhere. They know their own environment, and they have intuition about how their system operates, making it relatively easy to distinguish between what is normal and what is questionable. Humans are also good at quickly adapting to rapidly changing conditions and, unlike software, are usually good communicators.


What humans cannot do, of course, is scale, and they often make mistakes. They are relatively slow, too. This is why they need to team up with cutting-edge software. The best cybersecurity systems are a union of analyst and machine.



Find Article Here: www.rsaconference.com 


Bridging the gap between government and Silicon Valley



DataTribe pairs up, invests in experts from public, private industry


Third Certainty | Rebecca Theim | April 3, 2017


If you know where to look, there is a rich vein of venture capital looking to back innovative cybersecurity technologies.

One hot spot is the “Cyber Corridor” around Washington, D.C., where venture capitalists are looking to combine Silicon Valley startup know-how with cybersecurity advances coming out of the country’s military industrial complex.

Bob Ackerman, Allegis Capital founder and DataTribe co-founder

“When you hear the term ‘government innovation,’ it sounds like an oxymoron, except when you’re talking about cybersecurity capabilities and data analytics,” says Bob Ackerman, founder of Allegis Capital. “In those arenas, government is five to seven years ahead of private industry.”

Allegis is a backer of DataTribe, which seeks out government experts with special security know-how and pairs them with mentors from the defense and intelligence communities, as well as from the world of Silicon Valley’s venture capitalists.

Finding a niche

Rather than taking the shotgun approach of traditional start-up incubators, Ackerman said DataTribe looks “down the road and anticipates market needs and identifies where appropriate and relevant technology has been developed. We’ve created a watering hole for the deep technology thinkers.”

Ackerman co-founded DataTribe with former CIA information technology officer Steve Witt, founder and former CEO of Onyara, a data analytics firm that was acquired by Hortonworks in 2015, and Mike Janke, a former Navy SEAL and founder and former CEO of secure communications service Silent Circle.

DataTribe will invest between $1 million and $1.5 million in seed money and another $600,000 in operating support in the startups it backs, and up to an additional $1.5 million in later-stage, Series A funding. The average seed round capital is usually about $225,000, and a Silicon Valley investment is, on average, about $1 million, Ackerman says.

DataTribe’s portfolio includes:

Dragos, which was created by three former U.S. intelligence analysts to develop software to protect critical, privately owned infrastructure, such as the electric grid. Dragos’ CEO was part of the response team to the 2016 attack on Ukraine’s power centers—the first confirmed hack to disable a power grid.

Enveil, which uses homomorphic encryption that allows the processing of data without ever decrypting it. It was the runner-up among the 10 companies that presented at RSA’s 2017 Innovation Sandbox in February. Enveil was launched by a team of doctorate-level mathematicians and computer scientists from the U.S. intelligence community.

Kesala, which draws on recent U.S. intelligence community advancements to provide VPN-level security through its cloud security and data analytics software.
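To show what “processing data without ever decrypting it” means in practice, here is an added Python example written for this page; it implements the textbook Paillier cryptosystem, one well-known additively homomorphic scheme, and is not Enveil’s technology or code. An untrusted party holding only the public key and the ciphertexts can multiply them together, and the owner of the private key decrypts the product to obtain the sum of the plaintexts. The primes are deliberately small (about a million) so the demonstration runs instantly; real deployments use primes of at least 1024 bits. The balances are constructed sample values.

```python
import math
import secrets


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the small demonstration primes used here."""
    if n < 2:
        return False
    for d in range(2, int(n ** 0.5) + 1):
        if n % d == 0:
            return False
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def keygen(p: int, q: int):
    """Paillier key pair from two distinct primes of equal length.

    public key  (n, g) with g = n + 1
    private key (lam, mu) with lam = lcm(p-1, q-1), mu = L(g^lam mod n^2)^-1 mod n
    """
    n = p * q
    n_sq = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1
    l_value = (pow(g, lam, n_sq) - 1) // n      # L(x) = (x - 1) / n
    mu = pow(l_value, -1, n)                     # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts differ."""
    n, g = pub
    n_sq = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    n_sq = n * n
    return (((pow(c, lam, n_sq) - 1) // n) * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the plaintexts; no key, no decryption needed."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def demo_sum(balances) -> int:
    """Constructed scenario: an untrusted party totals encrypted balances,
    and only the key holder learns the sum. The sum must stay below n."""
    pub, priv = keygen(_next_prime(1_000_003), _next_prime(1_000_033))
    ciphertexts = [encrypt(pub, b) for b in balances]
    total_ct = ciphertexts[0]
    for c in ciphertexts[1:]:
        total_ct = add_encrypted(pub, total_ct, c)   # done without the private key
    return decrypt(pub, priv, total_ct)


if __name__ == "__main__":
    print("sum recovered from ciphertexts:", demo_sum([1200, 3400, 500]))
```

The limitation is also visible in the code: Paillier supports addition of ciphertexts (and multiplication by a known constant), not arbitrary computation, which is why fully homomorphic schemes that allow both operations remain an active research and product area.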

“There’s some really great stuff in government labs, but there’s no commercial infrastructure around it,” Ackerman says. “If we can find a way to bridge government innovation with Silicon Valley, we have a business.”

Another player active in the Cyber Corridor is MACH37, a Herndon, Virginia-based cybersecurity accelerator.

Trial by fire

Twice annually, MACH37 competitively selects eight start-ups willing to participate in an intense 14-week program in which founders are mentored and coached into creating a sustainable company. They interact with domain experts, successful security entrepreneurs, buyers and cybersecurity investors.

The start-ups also receive a $50,000 investment and access to mentors throughout the life of their companies.

Rick Gordon, MACH37 managing partner

“We help them define what the minimum viable product needs to be, and what the backlog needs to be,” says MACH37 managing partner Rick Gordon. This is done before the focus shifts to the business model, pricing, go-to-market strategy, and developing a compelling proposition for seed investors.

MACH37 has graduated 40 start-ups in its three-year existence.

These start-ups include:

Virgil Security, which develops cryptographic software for developers. It raised $4 million in October, led by KEC Ventures, founded by Jeff Citron, founder of internet telephony company Vonage and other technology companies.

Atomicorp, a cloud-based server security software developer, which has 2,000 customers in sectors including universities, consumer products, medical devices and the U.S. government. It raised $1 million in seed funding late last year, led by Washington, D.C.-based VC Blu Ventures.

Cyber Algorithms, which develops behavioral analytics that dramatically reduce how long it takes to detect cyber attacks. It was acquired in December by enterprise password management provider Thycotic, whose 7,500-client roster includes Chevron, Gap, Deloitte and Adobe.

Both DataTribe and MACH37 are working diligently to overcome geographic and cultural hurdles that tend to separate the rigid world of government contracting from the fast-moving technology industry.

“There’s this incredible disconnect between this intellectual capital base and the people who know how to scale a commercial software business,” Gordon says. “We still have to work very hard to get institutional venture capital to invest. You have to be involved, and it’s not easy to do from Palo Alto.”

Find article here: www.thirdcertainty.com


Silicon Valley Business Journal | “VC confidence rebounds as late-stage venture competition eases”

Silicon Valley Business Journal, By: Cromwell Schubarth | Posted: 4 Feb 2016

Venture investors may be taking hope in the dwindling interest in their portfolio that they are seeing among hedge funds, private equity and mutual fund investors.

VC confidence ended a three-quarter slide at the end of last year, according to a quarterly survey done by Mark V. Cannice, a professor at the University of San Francisco.

“VCs tend to see hope when there is a bit of panic and have caution when the punch bowl is full,” Cannice told me, explaining that his survey of investors looks ahead at what they think is coming in the next six to 18 months.

Recent reports on startup investing in the fourth quarter and start of this year indicate that fewer deals are being done while valuations and amounts invested are dropping slightly.

A 5-point index from the survey, where 5 indicates high confidence, came in at 3.59 in the fourth quarter. That’s up from a three-year low of 3.39 in the third quarter but below recent highs above 4 in 2013 and 2014.

Venky Ganesan of Menlo Ventures and chairman-elect of the National Venture Capital Association said the late stage market has been due for a correction, urging, “Caution ahead!”

“The heady cocktail of easy money due to the Fed, high burn rates, and questionable gross margins is going to give a massive hangover to a bunch of companies,” Ganesan said in the report. “We will see a pullback in late stage financings and even some layoffs, but the long-term value proposition of technology driven change remains intact.”

“The public markets cannot possibly absorb the current batch of unicorns at their current valuations, not to mention the thundering herd of unicorn wannabes,” he said. “There will be more disappointment than celebration over the next 18 months. Still, there is plenty of room for creating real value and building great companies. We just need to adjust expectations.”

Dixon Doll, DCM founder emeritus, said, “In this frothy environment with way too many unicorns and public markets receding, I’m long-term optimistic … short term pessimistic because of contracting liquidity alternatives.”

Bob Ackerman of Allegis Capital wrote, “All that glitters is not gold and the hens of excess are coming home to roost. The massive influx of outside capital into the venture ecosystem, which has inflated a broad spectrum of valuations, has once again validated the ‘Greater Fool Theory.’ The venture community is actively pulling in its investment horns which will reinforce the inevitability of the correction. The good news – with the reset come excellent opportunities for those that know the difference between FeS2 and Au.”

“VC confidence rebounds as late-stage venture competition eases.” Silicon Valley Business Journal, 4 Feb 2016. Web. 5 Feb 2016. 
