Akshay Aggarwal

on Entrepreneurship, AI & Security

Perspectives

Zove Security’s AI Technology Unit Acquired To Protect High-Value Targets

Zove Security’s AI unit acquired, enhancing cyber defense for high-value targets with ZoveTrustAI technology

Malicious actors are leveraging AI to scale complex attacks at lower costs. The ZoveTrustAI platform protects critical individuals from sophisticated attacks and paves the path to autonomous defense.” — Akshay Aggarwal, CEO, Zove Security

SEATTLE, WASHINGTON, USA, June 25, 2024 /EINPresswire.com/ — Zove Security, a leading provider of emerging technology and information security capabilities, announced today that its AI technology unit has been acquired by a stealth firm, a subsidiary of a renowned global technology enterprise. The acquisition includes all technology assets, exclusive rights to the ZoveTrustAI platform, and Zove’s dedicated operations team. The integration of Zove’s assets into the acquiring firm will be completed over the third quarter of the calendar year. The financial terms of the acquisition are not being disclosed.

ZoveTrustAI: A Game-Changer in Cybersecurity

The deal encompasses the proprietary ZoveTrustAI platform, an artificial intelligence system for devices that merges generative models with personal context and threat reports. This unique solution delivers incredibly relevant and actionable intelligence, enhancing cyber risk management by combining on-device large language models (LLMs) and server-based models. During field trials, ZoveTrustAI successfully identified multiple instances of previously unknown active attacks, demonstrating its effectiveness in real-world scenarios.

A Fruitful Collaboration

For almost two years, Zove Security co-created the solution with the acquiring firm. This solution protects high-value targets (HVTs), including executives, celebrities, and other sensitive individuals from cybercriminals and adversarial state actors. This partnership has focused on active attack identification, leveraging the strengths of both organizations to develop and refine ZoveTrustAI.

Future Integration and Capabilities

Post-acquisition, ZoveTrustAI will be integrated into a security solution designed to manage cyber risk for high-risk individuals. This technology is poised to revolutionize fraud detection and cyberattack response by utilizing personal context and on-device LLMs to deliver autonomous defense mechanisms. With secure on-device data processing, it will ensure your privacy while providing robust protection. It is designed to be smart, adaptive, and always one step ahead.

CEO Statement

Akshay Aggarwal, Founder and CEO of Zove Security, stated, “Advancements in Artificial Intelligence (AI) are poised to significantly impact cybersecurity. For most enterprises, AI presents both threats and potential. Malicious actors are leveraging AI to scale complex attacks at lower costs. The ZoveTrustAI platform allows enterprises to protect their critical users from sophisticated attacks and paves the path to autonomous defense.”

About Zove Security

Zove Security secures the products and platforms that power innovation and underpin our digital lives. Their mission is Platform Trust through secure engineering and trusted operations, ensuring users trust the technology they use and the companies behind them.

About the Acquiring Firm

The acquiring firm, currently in stealth mode, is part of a leading global tech enterprise known for its innovation and premium consumer electronics, including smartphones, PCs, tablets, wearables, and a range of software and services.

AKSHAY’S UNCERTAINTY PRINCIPLE: OBSERVING SOME METRICS CHANGES THEM

“The more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa.”
–Heisenberg, uncertainty paper, 1927

The Uncertainty principle is related to the observer effect. In physics, the term observer effect refers to changes that the act of observation will make on the phenomenon being observed.

Ok, now to get to the point. Leaders are often asked to produce several performance metrics or revenue metrics. Some of these metrics are simple and straightforward  Key Performance Indicators (KPIs). KPIs can include net revenue, profit, # of new customers or in our case customer satisfaction numbers.

The problem with metrics crops up when we need to measure a property and no mechanism exists to measure it quickly or the metric is not representative of the property being measured. In general this happens when the following scenarios arise:

Effect of observation
  1. Metric is not available: No mechanism is in place to measure the property at that time.
  2. Property is not measurable: No metrics are available to capture the property.
  3. Deliver unplanned metrics quickly: Metrics that the system was not designed to capture need to be measured quickly.
  4. CSF masquerading as KPI: Critical Success Factors are vital elements for a strategy to be successful and should not be confused with KPIs which quantify strategic performance.  The metric being asked for is a CSF not a KPI.

In simple words, the amount of effort required to measure the metric changes the amount of effort we can dedicate to create the metric. The act of measuring the metric changes it.  For example, in the economic downturn several teams have had to reduce headcount. If this barebones team is now asked to capture  information on how a recently released tool is being used by customers without that mechanism already in place, then they cannot deliver that metric without additional effort that will impact the overall KPIs.The problem that arises is what I’ve dubbed the Akshay’s Uncertainty Principle:

In a resource constrained environment, a new or modified metric cannot be measured without impacting the metric itself.

– Akshay Aggarwal

Finally, an explanation the kxcd way

Avoiding the Security Bottleneck

Digital transformation is the use of digital technology in solving traditional problems where transformation occurs by means of digital innovation, resulting in new solutions. By its nature, it causes constant disruption to new and existing business models, products, services, or experiences enabled by data and technology across the enterprise. The ensuing continuous demand for new capabilities at faster speeds and bigger scales is pushing the limits of traditional development models.

Shahnawaz securedevops industry issues.png

Progress in the age of digital transformation has seen DevOps become the preferred development methodology of market leaders who are constantly adapting to meet fluctuating customer demands. DevOps includes continuous deployment with quick development of new capabilities and constant collaboration. The goal of DevOps is to shorten the systems development life cycle while delivering features, fixes, and updates frequently in close alignment with business objectives.

It is a common mistake to assume that traditional security controls can still be used in this new iterative environment since defects are fixed at a faster rate. While secure development principles still apply, and automated checkpoints do need to be built into each phase, the integration points and methodology need to be changed to adapt to the faster phases and account for the operation’s changes.

DevOps and the Security Challenge

DevOps refers to the combination of development and operations with a focus on cross-departmental integration and automation. The idea of DevOps spawned from the popularity of Agile, but placed greater emphasis on the cultural shifts necessary to sustain faster releases and drive toward a shared goal.  

Screen Shot 2019-02-08 at 3.23.08 PM.png

Security practices need to adapt to the business drivers making these methodologies popular, such as the need to increase speed to market, enhance overall product quality, and address issues in a timely manner. Security must adapt to the requirements that enable the business drivers, such as short iterations, narrow focus, and an ability to quickly accommodate changing demands.

Integrating Security into DevOps

The top changes used by successful organizations to incorporate security into DevOps and overcome the characteristic challenges were identified and are described below:

Screen Shot 2019-02-08 at 3.59.42 PM.png
  • Integrate Security Champions: Security team members need to be an integral part of the DevOps team through a champion/maven model deployment. Structurally, this helps build one cohesive development, operation, and security team, with one overarching objective to achieve business needs. The Security Champion is responsible for iterative threat modeling during the design process, using templates for driving architectural design patterns. The Information Security (InfoSec) team needs to set the standards the application team needs to meet on a periodic basis.
  • Risk-based approach: A risk-based approach to integrating security in the DevOps life cycle must be adopted.
  • Organizations consistently apply a set of security activities to every release. These security activities must scale based on the risk profile of the user story and the associated epic. Defining these parameters is key to understanding the security activities that need to be integrated in the process.
  • Automation: Traditional security activities do not fit the short iterative DevOps cycles. Security methodologies are not being built for DevOps. Organizations are trying to adapt existing security methodologies used in traditional software development life cycle (SDLC) models. Organizations need to leverage automation to integrate security into the DevOps cycle. A couple of ways to do that include:
    • Using Integrated Application Security Testing (IAST) instead of traditional static analysis during automated quality assurance (QA) testing to identify security bugs
    • Leveraging Runtime Application Self-Protection (RASP)-based technologies to help mitigate and monitor product level code
Screen Shot 2019-02-11 at 2.16.32 PM.png
  • Preapproved security patterns: Predefined nonfunctional security requirements need to be created and added to story cycles. Enterprise-approved libraries/functionalities must be available for core functionalities, such as authentication and system accounts management. Any deviation from the approved patterns is typically considered a defect that needs to be tracked to remediation. In addition, security testing results need to be tracked as part of a defect tracking system. Security vulnerabilities need to be considered bugs and added as criteria for automated checkpoints before release.
  • Standardize infrastructure and operational controls: Environment and security controls must be consistent across all environments, including testing and production. Organizations need to have a security baseline for infrastructure that is consistent across environments and can be deployed in an automated manner (e.g. cloud-based deployment activities with scripts can be leveraged for automation and complemented with checks to ensure security baselines are met).
  • Continuous monitoring: In addition to automation and baseline controls, activities to identify security defects must be performed on an ongoing basis. Continuous monitoring needs to include red team testing and fuzzing.
  • Using cloud-based technologies allows teams to take advantage of Security Center detection capabilities built into the platform.

Benefits of This Model

The methods presented above have several key benefits:

Screen Shot 2019-02-08 at 4.08.47 PM.png
Authors Note

This article was originally co-authored by Akshay Aggarwal and Shahnawaz Sabuwala. It has been updated in 2023 with additional analysis.

Navigating the Security Landscape of Blockchains: Understanding Risks and Opportunities

An analysis of the blockchain security landscape by Akshay Aggarwal, CEO of Zove Security, with examples from fintech, banking, insurance, and retail industries. Our experience and insights into the foundational issues, risk factors, and promising use cases associated with blockchain technology.

As the blockchain industry continues to grow, with market projections reaching around $20 billion in the next few years, it is essential for us to understand the security landscape of blockchains. In doing so, we can better leverage this innovative technology across various industries, such as fintech, banking, insurance, and retail.

A key aspect of understanding blockchain security is recognizing the inherent risks associated with its foundational technologies, including decentralized and distributed ledger systems, public-key cryptography, and Merkle trees. By comprehending these risks, we can determine the suitability of use cases and their implementation strategies.

Cross-border B2B payments are one of the most compelling use cases for blockchain technology. Blockchain promises to streamline processes, reduce transaction costs, enhance security, and enable trust through identity management. According to a 2020 report from the World Economic Forum(1), 40% of blockchain use cases are in the financial services sector, with 70% focusing on cost reduction.

For instance, Ripple(2), a global payments network, leverages blockchain technology to provide faster and cheaper cross-border transactions for financial institutions. In the insurance industry, companies like Lemonade(3) use blockchain technology to automate claims processing and reduce fraud, resulting in lower premiums for customers.

In the retail industry, Walmart(4) has partnered with IBM to implement a blockchain-based system for tracking food products in its supply chain. This initiative helps improve transparency, traceability, and efficiency, ensuring that consumers receive safe and high-quality products.

To navigate the blockchain security landscape, we propose a risk criteria model for business decision-makers, as suggested by Aggarwal et al. The Zove Blockchain Risk Framework includes six different criteria:

  1. Legal and Regulatory: This refers to the uncertainty surrounding the use of blockchain technology in various jurisdictions and the potential impact of changing regulations on its value and implementation.
  2. Foundational: This involves the inherent risks associated with the underlying blockchain technology, its fundamental building blocks, and the choice of foundational elements.
  3. Technical Implementation: This refers to the risks related to how the blockchain solution is implemented from both a code and deployment perspective, including adherence to application security practices.
  4. Operational Integrity: This criterion focuses on how the blockchain technology is actually going to work in practice, ensuring its smooth operation.
  5. Scalability: This risk criterion is unique to blockchains and concerns the potential limitations in the foundational technology’s ability to handle increased usage, which may ultimately limit its value.
  6. Future-proofing: This involves considering the evolving nature of the technology and its various foundational elements and implementations, ensuring that the chosen solution remains relevant and adaptable over time.

To make this real, the authors convened a panel of a dozen blockchain, security and legal experts. The panel examined 10 use cases and created a heatmap of the risks associated with various blockchain use cases. In the heatmap, red represents high and unmitigated risk, yellow signifies high risk with some mitigations in place, green indicates managed risk, and white denotes unknown or undetermined risk.

Smart Contracts - Zove Blockchain Risk Framework

For example, the expert panel evaluated risk for smart contracts (see attached heatmap) are as follows:

  1. Legal and Regulatory: Smart contracts are in a better position compared to ICOs from a legal and regulatory perspective, but they still face uncertainties.
  2. Foundational: Smart contracts share some of the same basic foundational issues related to security as other blockchain technologies.
  3. Technical Implementation: The real risk for smart contracts lies in the technical implementation, as poorly implemented contracts may lead to security vulnerabilities and other issues.
  4. Operational Integrity: Ensuring the smooth operation and execution of smart contracts is another area of risk.
  5. Scalability: The scalability of smart contracts can be a significant issue, particularly in an enterprise setting where massive adoption could hamper the effectiveness of the underlying blockchain.
  6. Future-proofing: Smart contracts may require a higher level of future-proofing due to their potential long-term nature, as they need to withstand the temporal aspects of blockchain technology.

As we look to the future, we anticipate the wide acceptance of 20 to 30 enterprise use cases and an increase in legal and regulatory frameworks surrounding blockchain. We are also interested in the security challenges that may arise when a popular blockchain technology loses users and becomes vulnerable to attacks.

Blockchain auditing holds significant value for supply chain management and digital assets. While the technology can be useful in tracing the origin and changes in code for digital products, verifying physical products can be more challenging, as the digital record may not always match the physical reality.

In conclusion, navigating the security landscape of blockchains requires a deep understanding of the technology’s inherent risks and a comprehensive risk criteria model for business decision-makers. By staying informed and anticipating future challenges, we can leverage the power of blockchain technology across various industries while mitigating potential risks.

Sources:

(1) World Economic Forum. (2020). “Unlocking Blockchain for the Underbanked.” Retrieved from https://www.weforum.org/agenda/2020/10/blockchain-technology-financial-inclusion/

(2) Ripple. (n.d.). “RippleNet.” Retrieved from https://ripple.com/ripplenet/

(3) Lemonade. (n.d.). “Powered by Tech, Driven by Social Good.” Retrieved from https://www.lemonade.com/about

(4) IBM. (2017). “Walmart and IBM Are Partnering to Put Chinese Pork on a Blockchain.” Retrieved from https://www.ibm.com/blogs/blockchain/2017/10/walmart-ibm-chinese-pork-on-a-blockchain/

Authors Note:

Reference as Navigating the Security Landscape of Blockchains: Understanding Risks and Opportunities by Akshay Aggarwal, Zove Security

Scaled Programs to Secure Connected Systems and Products

Executive Summary

Industry issues and trends.png

What is the cumulative cybersecurity risk of an organization’s connected systems and products (CSP)? Does everyone agree the company is addressing the right risks at the right time? Do all partners understand their roles in responding to security issues?

CSP are driving industry growth across every sector of the market due to their cost saving and product lifecycle benefits. Security challenges have evolved
in this space and are more complex because security requires a different approach today–one that prioritizes not only availability, integrity, and confidentiality, but also control and safety.

In this article, we outline some of the most prevalent challenges posed by todays CSP–including lack of security integration into the development lifecycle–and provides an overview of an approach to integrating security into the lifecycle.

Table 1.1 - Level of autonomy vs. threat rating
Table 1.1 – Level of autonomy vs. threat rating

CSP and the security challenge

Vuln to remote control.png

The increase in CSP brings mounting risks. In recent years, companies large and small have become susceptible to various attacks and exploits due to open vulnerabilities through their vulnerable CSP. Based on our experience with similar organizations, there are increased risks associated with CSP that send data to other CSP in accordance with their level of autonomy, leading to risks that transcend typical company risks (Table 1.1). These are heightened risks, primarily on disruptions to CSP, in turn causing system/equipment impairment, threat of physical safety, loss of R&D, and other critical issues. These have major consequences such as altered or interrupted automated production processes, and human injury or casualty. In addition, CSP, left unsecured, may affect customer expectations and customer trust. Security concerns have evolved in complexity due to the nature of CSP and the challenges they pose. A shifting paradigm requires that product security prioritizes confidentiality, integrity, availability, control and safety.

Top 5 challenges posed by CSP

Hexagons.png

In an evolving technology landscape driven by CSP, organizations face a myriad of challenges related to incorporating security within the development and post-development phases of CSP. Based on our experience with delivering cybersecurity services to organizations across a variety of industry sectors, we have compiled a list of top 5 CSP security challenges faced by our clients as follows:

Integrating security into CSP

In order to properly identify and mitigate these vulnerabilities, one must understand the environment and technologies that underlie them. Each component has a disparate development methodology, making it essential that the security program be holistic in nature. The final CSP is typically a combination of internally developed and externally sourced components, making it essential to ensure security of the underlying components from the supply chain.

SDL.png

Securing CSPs entails starting an inventory and risk profile, development of policies and procedures around CSPs, security testing, and monitoring. Securing analytics and control backend requires effective practices in software security, continuous monitoring, vulnerability identification and management, and denial of service protection. Finally, securing the operating product involves development of deployment guidance, intellectual property protection, threat intelligence, and incident response capabilities.

A common misconception across organizations is that traditional security controls can still be applied to a CSP environment since defects are fixed at a faster rate. While secure development principles still apply and automated checkpoints need to be built into each phase, the integration point and methodology need to be tailored for adaptation to faster phases and account for the operation’s changes.

Our outlined approach to connected products is unique because it covers the entire product development lifecycle. Maturing risk management is achieved by integrating an advanced risk identification processes into the development lifecycle, and the threat and vulnerability management processes. When implemented correctly, software security effectively manages the total cost of development and strategically aligns information security with business partners. Our approach can be applied to organizations regardless of their development methodologies or whether they build in-house or use vendors.

Author Note: This article and subsequent updates were co-written by Akshay Aggarwal and Shahnawaz Sabuwala.