Noah Johnson of Dasera: 5 Things You Need To Know To Tighten Up Your Company’s Approach to Data Privacy and Cybersecurity
An Interview With Jason Remillard
Establish an audit trail. Should you experience a breach, an audit trail will help to quickly assess the extent of the breach and necessary remediation. When designing your auditing system, especially consider the question of attribution. Quickly identifying the compromised accounts will support a targeted remediation to contain damage and minimize business disruption.
In many organizations, access to sensitive data is intermediated by applications and services, making it difficult to reconstruct the steps of an attack. For example, a database log won’t tell you which employee’s account is compromised if queries were executed via a shared service account. Internal services should maintain logs allowing every action to be attributed to a specific employee.
As a part of our series about “5 Things You Need To Know To Tighten Up Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Noah Johnson, a security researcher, entrepreneur, and co-founder & CTO of Dasera. Noah received his Ph.D. in Computer Science from UC Berkeley and has founded three companies based on his academic research. Noah recently developed the first practical system to provide differential privacy for general SQL queries. This work was featured in Wired and Gizmodo, and serves as the technical foundation of Dasera’s products. Previously Noah led a team of students in developing a platform for automated security analysis of mobile apps. Noah commercialized this work by co-founding Ensighta Security, which was acquired by FireEye in 2012. Noah received several awards as a graduate student including the Signature Innovation Fellowship, Sevin Rosen Award for Innovation, and the Tony Leong Lim Pre-Doctoral Award.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Palo Alto with two siblings and my mother, an engineer. My school years were probably typical Silicon Valley in the 90s: my friends’ parents all worked in tech, we had one computer in the house, and I downloaded music through Napster using a dial-up modem.
I traveled often, including a year in France and two years in China, which allowed me to experience the world outside the Silicon Valley bubble.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I became interested in computers at a young age and taught myself programming as a hobby long before I was old enough to choose a career in the field.
In high school, I became fascinated with computer security and understanding how systems could be broken. To me, discovering new vulnerabilities was a form of art because it required creativity and ingenuity, in addition to technical knowledge.
Computer security became my passion. I would often ditch class to read cybersecurity books at the local bookstore. I ran scanning tools on the school’s network, discovering flaws and testing popular exploits. Of course, I’ve since developed more stringent ethical standards.
In high school, I published software that removed many restrictions on a popular file-sharing program. My software was downloaded over a million times, and donations allowed me to spend my time programming instead of working an after-school job.
I studied electrical engineering as an undergraduate. At the time, cybersecurity was still developing as a field of study; many colleges didn’t have computer security courses or degree programs. I was still passionate about cybersecurity but didn’t consider it a viable career path.
During my junior year, Professor Dawn Song joined the Berkeley faculty from Carnegie Mellon and formed a new cybersecurity research group. I began working in her group as an undergraduate researcher and immediately realized how much I had yet to learn about the field.
I applied to graduate school in the Computer Science department to continue working in computer security, and it’s been a thrilling ride ever since.
Can you share the most interesting story that happened to you since you began this fascinating career?
My lawyer advises against it. ;)
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’ve been able to work with an incredible and diverse group of researchers in data privacy. I would particularly like to acknowledge the support of my academic advisor, Professor Dawn Song at UC Berkeley, who helped guide my academic studies and professional development. In addition to 6 years of research collaboration, I’ve had the opportunity to co-found two startups with Professor Song. She created exceptional research opportunities for me and also helped me develop my entrepreneurial instincts and skills.
Are you working on any exciting new projects now? How do you think that will help people?
We’re at a critical time for data security and privacy. Data breaches continue to increase each year and consumers are distrustful about how companies collect and use their data.
My research focuses on techniques that provide strong, verifiable security and privacy guarantees which I think are crucial for restoring this trust.
In my academic work, I developed a system to enable flexible data analytics while ensuring the privacy of individuals. I co-founded Dasera to bring this solution to companies in need of an alternative to today’s status quo.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Burn out is definitely a challenge for many in the tech industry, myself included. My advice is to find a hobby that you enjoy, especially one that forces you to take your mind off work.
I enjoy relaxing activities, like going on a hike with my wife and our dogs, but too often I spend the time thinking about work. This is especially true during a crunch or when I’m stuck on a difficult problem — the exact times I most need a mental break.
Rather than trying to force myself to stop thinking about work, I’ve found hobbies that do it for me. During college I played racquetball competitively. Although physically demanding, it was meditative because of the intense focus required: during a game I didn’t have time to think about anything except how to win the next point. I had to be fully present in the moment. I’ve recently been learning how to ride an electric unicycle. When I’m concentrating on maintaining my balance to avoid falling, it’s easy not to worry about emails and software releases!
These mental breaks help me return to work more energized and productive.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I enjoy the practical challenges of cybersecurity: building systems that can be deployed in the real world, operate in real time, and protect real people’s information.
I also enjoy the constant need to innovate in this space. Security is never a solved problem. It’s a cat and mouse game, with the goal of staying a few steps ahead of the adversary. Security products and processes must be continuously updated to address new threats. The constantly changing threat landscape makes this industry exciting for cybersecurity professionals because it requires us to keep learning and adapting.
I’m excited about the enormous impact of cybersecurity in 2020 and beyond. We’re facing urgent problems in health, governance, infrastructure, environment, and communications. Solutions to these problems will need the advances in cybersecurity we are developing today.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I think companies need to prepare for the growing threat of users revolting against the misuse of their data. Most companies tend to focus on black swan events — like industrial espionage and massive breaches — and underestimate the business risk of consumer backlash due to persistent privacy failures.
A glaring example of this is a recent study which showed only 25% of consumers believe companies are handling their personal data responsibly.
How many people do you know that have deleted a social media account within the past year because of privacy concerns? How does that compare to 5 years ago?
Last year Apple began emphasizing the privacy features of iPhones in their commercials, clearly finding privacy is driving sales as much as a new camera or a bigger screen.
Consumer mistrust isn’t just a risk for businesses — it’s an opportunity cost for society as well.
Consider contact tracing for COVID-19. Government health organizations have worked with tech companies to develop apps for real-time tracing and exposure notification. Despite their potential to save lives during the pandemic, these apps are rarely used in the United States because consumers are wary of sharing their information. In fact, 71% of Americans say they’ll never use a contact tracing app due to privacy and security concerns.
These are just a few examples resulting from the erosion of consumer trust in the past few years. Reversing this trend will require companies to adopt better security and privacy practices. Privacy should be built into the design of data systems, and the way data is used should be transparent and comprehensible to the average consumer, not just cybersecurity experts.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I started working on privacy-preserving analytics as part of my Ph.D. work at UC Berkeley. This research led to a collaboration with a Fortune 500 tech company. They had vast amounts of sensitive data about their customers, and thousands of employees and contractors who needed access to this data. There were several publicly reported incidents of employees misusing the data — snooping on individuals and celebrities or accessing more data than they needed for their job.
The solution I helped develop was deployed at this company and processes half a million queries per day. There haven’t been any publicly reported incidents since my solution was deployed.
The collaboration provided an opportunity to develop and test my research at scale using real-world data. It also showed me the impact that technology can have in addressing privacy risks.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I strongly recommend everyone use a password manager to ensure they have a unique password for every website. This reduces the risk of a single password breach compromising multiple accounts.
I also suggest configuring multi-factor authentication on important websites. This ensures that someone who steals your password can’t access your account without also having access to your configured device. Most services like email and banking support multi-factor authentication.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Data breaches can result in fines, lost revenue and brand reputation damage. Investing in data security personnel and products will save companies time and money in the long run. Any company that handles consumer data should consider this as a cost of doing business. Think of consumer data as a new bike. You wouldn’t agonize over the decision to invest in a bike lock.
Look to software as a way of increasing efficiency. Manual processes are error-prone and difficult to scale; you should consider them an organizational liability. Software is more effective and efficient than a human at many security tasks.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
It’s difficult to generalize, but a few obvious signs are unusual access, changes in behavior, and credentials no longer working. These deserve closer scrutiny whether you’re a CISO responsible for data protection at a Fortune 500 company or a consumer logging into your bank account.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Once a breach is detected, it’s critical to identify the source and extent of the attack as quickly as possible to contain the breach before more customers are impacted. This might seem obvious, but I’m often surprised at the number of CISOs who focus most of their attention and budget on preventing breaches, and overlook the requirements for effective containment and timely remediation after a breach.
Companies can take steps now to make this easier, including establishing an audit trail with forensic capabilities. Don’t wait for the aftermath of a breach to learn that the information you need for a rapid response isn’t being logged or isn’t readily accessible.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?
These laws reflect ongoing concerns from consumers about losing control of their data. I think these measures are just the beginning.
Our business at Dasera is founded on addressing these concerns, and many of our customers have asked for automated solutions to help with compliance.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common mistake I’ve seen is an over-reliance on data anonymization.
Anonymization involves the removal or sanitization of identifying information from a dataset. HIPAA health regulations, for example, require the removal of 18 identifiers including names, dates, and addresses before health records can be used for research purposes.
There’s a common misconception that anonymized datasets are safe for analysis. In fact, anonymization doesn’t ensure privacy. Most anonymized datasets can be broken by what are known as re-identification attacks.
For example, consider the outcome of the Netflix Prize. In 2006, Netflix began a competition to improve its movie rating system. They created a dataset of customer movie ratings, which they released in a public contest to improve their recommendation system. Despite Netflix’s careful efforts to anonymize the dataset before release, researchers were able to successfully re-identify several users. This privacy breach led to a class-action lawsuit against Netflix, and they canceled a follow-on contest in 2009 due to warnings from the FTC.
There are many more examples of re-identification attacks on anonymized datasets including taxi trips, search logs, and health data. In fact, researchers have shown that 87% of the population in the United States can be uniquely identified from only their ZIP code, gender and date of birth. In other words, these 3 demographic markers alone can identify an individual with high probability even if all other identifying markers are removed.
Datasets can be further scrubbed, sanitized or redacted to mitigate this risk, but this approach is a losing battle: making a dataset truly anonymous requires removing so much information that the utility of the data is compromised.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Many companies have reported an increase in attacks during the COVID-19 pandemic. This is in part because it’s harder to protect the network when access is distributed. But there is also a human element. While companies try to continue business as usual, they should remember that in the midst of an unprecedented global pandemic people are understandably distracted and emotional, and therefore less vigilant. Companies may want to turn to automated security solutions to compensate for this increased risk.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Look for tasks you can automate.
Security teams are almost always overworked and under-resourced, which frequently leads to oversights and mistakes. Much of the day-to-day work of a security team can be effectively performed by automated tools. For every critical security task in your organization, look for a product that can perform that task automatically. This will tighten up your security posture and free your team to focus on mission critical tasks.
2. Think beyond access control.
Companies typically restrict access to sensitive data through identity and access management. Unfortunately, access control rules are binary: an employee either has access or doesn’t. These measures can’t control how employees actually use the data once authorized.
This is analogous to a lock on a front door, which limits entry to authorized people but provides no control for what they do inside. To reduce security risk, companies should supplement access control measures with solutions that restrict how sensitive data can be used. In the house analogy, a plumber fixing the kitchen sink shouldn’t be found rifling through your desk.
3. Establish an audit trail.
Should you experience a breach, an audit trail will help to quickly assess the extent of the breach and necessary remediation. When designing your auditing system, especially consider the question of attribution. Quickly identifying the compromised accounts will support a targeted remediation to contain damage and minimize business disruption.
In many organizations, access to sensitive data is intermediated by applications and services, making it difficult to reconstruct the steps of an attack. For example, a database log won’t tell you which employee’s account is compromised if queries were executed via a shared service account. Internal services should maintain logs allowing every action to be attributed to a specific employee.
4. Don’t rely solely on anonymization.
Companies frequently rely on anonymization to protect privacy for sensitive datasets. Anonymization is based on the erroneous assumption that a lack of identifying information makes it impossible to learn anything about an individual. As I mentioned earlier, individuals are often easily identifiable in anonymized datasets.
Anonymization is important and useful for highly sensitive datasets, but it’s not a panacea and should not be viewed as a substitute for strict access control and monitoring.
5. Trust but verify.
Companies trust their employees to behave responsibly. This is reasonable, as most employees are honest and well-intentioned. Too often, however, companies rely on trust and training as their primary security control for insider access. This results in insufficient internal safeguards.
Employees are human. Invariably they make mistakes, act carelessly, or exhibit lapses in judgement. Without any ill-intent, an employee can introduce major security and compliance risks.
Additionally, external threat actors often use insider accounts as an attack vector via phishing attacks and credential theft. Even if the employee is trustworthy, an attacker assuming control of their account is not.
It’s critical that companies monitor internal access and limit each employee’s access to the minimum necessary for their job. This will help deter misuse of data and minimize the impact of a breach.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. (Think, simple, fast, effective and something everyone can do!)
Vote your values.
Legislation will play an increasingly important role in protecting consumer privacy. Effective legislation requires well-informed representatives who understand these issues. When electing your next representative, consider their position on consumer data rights.
How can our readers further follow your work online?
https://blog.dasera.com/author/noah-johnson
https://www.linkedin.com/in/noah-johnson-914262198
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.
Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.
Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.
