Haventec is on a roll: the first quarter of 2017 saw us roll out our two flagship products, Secure Wallet and Authenticate, both built on our core concept of truly decentralised security.
We’ve also begun going public about our inventions, including presentations at the massive RSA Conference in San Francisco, the UK Start Up Games in Melbourne and a Cyber Round Table with the Australian Prime Minister Turnbull.
Follow our recent exploits below, plus unlock fascinating insights from our chief inventor Ric Richardson on how different software engineers’ brains really work.
Robert Morrish, CEO of Haventec
[Approximate reading time: 10 minutes]
AUSTRALIA’S CYBER SECURITY STRATEGY A YEAR ON
By Robert Morrish, CEO
Australia’s national strategy for cyber security will continue to expand in scope as government, public sector and private enterprises like Haventec collaborate more.
This is partly a natural progression, as more intelligence is shared, more opportunities are identified; though it’s also because the real innovations in this field are very new.
On 19 April I was invited by Craig Davies, CEO of the Cyber Security Growth Network, to participate in a roundtable with PM Malcolm Turnbull and a handful of CEOs about challenges and opportunities in Australia’s cyber security industry.
In his introduction to the report the PM noted: “The conversation has shifted – in government, in business and for individuals. Trust and confidence through cyber security is becoming economic and security currency for Australia…
…The cooperation between government and business is stronger and deeper; boardrooms and Commonwealth agency heads are more attuned to cyber risks. State and territory governments are engaged; and the tempo of international engagement is quickening.”
The Prime Minister interviewed me about the trials faced by Haventec and other cyber security start-ups in selling to Australian enterprise, remarking that reports from the February RSA Conference in San Francisco suggest US enterprises are keener to get ahead of the curve.
Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security, Department of the Prime Minister and Cabinet, pointed to the fact that Australia now ranks fourth globally in patent filings in cyber security research and development as a very positive sign we’re making progress.
He also commented that we need more collaboration between public and private sectors, and more investment in innovative technologies, if we’re to deliver on that early promise.
SANCTUM: DECENTRALISED PAYMENTS
By Robert Morrish, CEO, and John Kelaita, product owner on Sanctum at Haventec
We’re pleased to announce Haventec is making one-click transactions safer and easier with our Sanctum product launched in April 2017.
Sanctum is a revolution in the handling of critical data such as personal credit information (PCI), personal health information and other forms of personally identifiable information.
In short: we’ve decentralised payments and other transactions.
Each user keeps control of their own PCI and other transaction data on their own secure devices.
The sensitive personal information and the security keys to ‘unlock’ transaction authorisations are kept apart – even when money is being transferred from a customer to a merchant, the merchant doesn’t collect PCI.
As soon as a transaction is verified with a unique one-time-only key, both the lock and the key are instantly replaced.
Therefore, we’re not only doing away with the need for organisations to manage and protect any central store of critical data, we’re also helping enterprises reduce their compliance costs and fraud risks.
Sanctum gives customers a fast and secure one-click transaction method, which improves the customer experience. Meanwhile, we make it easier for organisations to safely handle those transactions.
The end result: Haventec Sanctum helps build trust in every transaction.
AUTHENTICATE: SAFER ID AND ACCESS CONTROL
By John Kelleher, product owner on Authenticate at Haventec
Our Authenticate product does what its name suggests: it Authenticates users through a new and highly secure system that is passwordless and easy to use.
Authenticate is built on our concept of properly decentralising data security so that organisations can offer safer identity and access control while protecting users’ privacy.
By ‘properly decentralised’ we mean more than keeping keys and locks apart, although those elements are essential. We’ve not only done away with the ancient idea of passwords and central username/password stores; our system also asserts itself in every interaction by making entirely new keys and locks from scratch every time you Authenticate.
As there is no central honeypot of valuable and sensitive data (such as usernames, passwords and permissions), Authenticate helps organisations avoid common data security risks simply because they no longer have attractive central targets that cyber criminals go for.
Ongoing benefits include reduced liability and costs associated with looking after those sensitive records, and less exposure to breach attempts.
Customers or members of organisations that offer Authenticate regain control of their own valuable and sensitive personal information.
An Authenticate organisation simply needs to know the user is legitimate so that it can provide authorisation – say, to access a specific system or record. It doesn’t need to store a lot of sensitive data anymore.
In each instance, Authenticate creates a one-time lock and key which it breaks up using Haventec’s patented algorithm and safely shares the parts to authorised parties. The original key is then destroyed.
When the user Authenticates an interaction, they enter their fragment of the decentralised broken key via a secure app on their pre-approved device by entering a PIN only known to them (no record of the PIN is kept by any party).
We regenerate the key using the decentralised fragments to provide the appropriate level of access at a pre-sanctioned gateway.
The interaction is secure at all times, and the keys and locks are replaced every time.
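The lock-and-key cycle described above can be illustrated with a generic construction. The following is an added example written for this newsletter, not Haventec’s patented algorithm or any of its product code: it splits a random one-time key into XOR fragments (all fragments are needed to rebuild the key, and any subset of fewer fragments is independent of it), keeps only a SHA-256 ‘lock’ and one fragment at a gateway, wraps the device’s fragment under a PBKDF2 pad derived from a PIN that is never stored, and replaces lock and fragments after every successful check so that a captured fragment cannot be replayed. The `Gateway` and `Device` classes, the user ‘alice’ and the PIN values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32            # one-time key size in bytes (assumption for this illustration)
PBKDF2_ROUNDS = 100_000  # PIN-stretching cost (assumption)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("fragments must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """Split key into n XOR fragments. All n are needed to rebuild it;
    any n-1 of them are uniformly random and say nothing about the key."""
    fragments = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for f in fragments:
        last = xor_bytes(last, f)
    fragments.append(last)
    return fragments


def combine(fragments: list) -> bytes:
    """Rebuild a key (or, with too few fragments, an unrelated random value)."""
    out = bytes(len(fragments[0]))
    for f in fragments:
        out = xor_bytes(out, f)
    return out


def lock_for(key: bytes) -> bytes:
    """The 'lock': a hash that verifies a presented key without storing the key."""
    return hashlib.sha256(key).digest()


def pin_wrap(fragment: bytes, pin: str, salt: bytes) -> bytes:
    """Wrap a fragment under a PIN-derived pad; the PIN itself is never kept.
    XOR is its own inverse, so the same call also unwraps."""
    pad = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=len(fragment))
    return xor_bytes(fragment, pad)


class Gateway:
    """Per user it holds only a lock and one fragment, never the whole key."""

    def __init__(self):
        self.records = {}

    def issue(self, user_id: str) -> bytes:
        key = secrets.token_bytes(KEY_LEN)
        gw_fragment, device_fragment = split_key(key, 2)
        self.records[user_id] = {"lock": lock_for(key), "fragment": gw_fragment}
        del key  # the complete key exists only for the moment it is split
        return device_fragment

    def authenticate(self, user_id: str, device_fragment: bytes):
        """Return (ok, new_device_fragment). Success replaces lock and fragments,
        so an intercepted fragment is useless afterwards."""
        rec = self.records.get(user_id)
        if rec is None:
            return False, None
        candidate = combine([rec["fragment"], device_fragment])
        if not hmac.compare_digest(lock_for(candidate), rec["lock"]):
            return False, None
        return True, self.issue(user_id)


class Device:
    """User device: stores its fragment only under the PIN-derived pad."""

    def __init__(self, pin: str, fragment: bytes):
        self.replace(pin, fragment)

    def fragment(self, pin: str) -> bytes:
        return pin_wrap(self.wrapped, pin, self.salt)  # a wrong PIN yields a useless fragment

    def replace(self, pin: str, fragment: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.wrapped = pin_wrap(fragment, pin, self.salt)


def partial_fragments_reveal_key(n: int = 3) -> bool:
    """Does combining n-1 of n fragments reproduce the key? (It should not.)"""
    key = secrets.token_bytes(KEY_LEN)
    return combine(split_key(key, n)[:-1]) == key


def run_demo() -> dict:
    gateway = Gateway()
    device = Device("2468", gateway.issue("alice"))  # constructed user and PIN
    old = device.fragment("2468")
    ok1, fresh = gateway.authenticate("alice", old)  # correct PIN, first use
    if ok1:
        device.replace("2468", fresh)
    ok_replay, _ = gateway.authenticate("alice", old)  # captured old fragment
    ok_wrong_pin, _ = gateway.authenticate("alice", device.fragment("0000"))
    ok2, fresh2 = gateway.authenticate("alice", device.fragment("2468"))
    if ok2:
        device.replace("2468", fresh2)
    return {"first_auth": ok1, "replay_rejected": not ok_replay,
            "wrong_pin_rejected": not ok_wrong_pin, "second_auth": ok2,
            "fragment_rotated": fresh != old}


if __name__ == "__main__":
    print(run_demo(), "partial fragments leak key:", partial_fragments_reveal_key())
```

Two design points carry over to any scheme of this shape: the gateway compares locks with a constant-time comparison, and it rotates only on success, so a failed attempt (wrong PIN or replayed fragment) leaves the current lock in place rather than invalidating the legitimate user’s device.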
It’s a simple solution to many big, common challenges for organisations that need to confirm they can trust the people they’re dealing with as well as maintain control of every touch point.
Authenticate efficiently helps individuals build up a personal trust profile based on their safe and legitimate interactions; and by allowing them to secure their own sensitive information on their own devices, Authenticate also removes friction.
It’s simply a safer, more convenient way to manage network trust and security for everyone.
INTRODUCING CHRIS POGUE, CISO
Chris Pogue joins Haventec as Chief Information Security Officer (CISO) with close to 20 years’ experience in cybersecurity, including working with Haventec’s security partner Nuix.
Chris began his career in the US Army Field Artillery as a munitions specialist and reconnaissance Sergeant, later becoming a Warrant Officer and transitioning into the Signal Corps, working on investigations for the Army Criminal Investigation Division and Army Reserve Information Operations Command.
After 13 years of service, Chris left the military and began working for IBM Global Services as an ethical hacker (Pentester) and incident response analyst. Upon leaving IBM he went to work for Trustwave SpiderLabs, ultimately becoming US Director of Operations and global head of investigations.
During his tenure as an investigator, Chris led or oversaw more than 2,500 investigations ranging from a single piece of digital media, to thousands of servers located around the globe.
In 2010 he developed a new method of conducting digital investigations known as ‘Sniper Forensics’, which uses logic and the Scientific Method to reach conclusions based on salient data points, rather than the ‘shotgun forensics’ of simply looking at data without an investigation plan. Since its introduction, Sniper Forensics has become a standard methodology for investigators at all levels across government, law enforcement and corporate organisations.
Chris was named a SANS Thought Leader in 2010, launched an award-winning security blog (The Digital Standard), and has contributed to more than 100 security publications. Chris has also been a Law Enforcement instructor, training more than 1,000 police officers and federal agents in the nuances of cybercrime investigations and the Sniper Forensics methodology; and he is an expert witness in the United States at state and federal levels.
Chris holds a Master’s Degree in Information Security and is an adjunct professor of Cybersecurity at Southern Utah University.
In a recent article about the changing role of technology in uncovering crime, Chris draws interesting parallels with the role of a Chief Information Security Officer in the corporate world and a Warrant Officer in the army:
“Located at the entrance to Headquarters Division of First Warrant Officer Company, Ft. Rucker, Alabama, is a quote that all Warrant Officers are sworn to uphold: ‘I will not lie, cheat, steal, or tolerate others who do’.
“For me, as a former Warrant Officer, and for many of my comrades in arms, this motto has become much more than words written on a monument. It is a way of life. I wish the world had more Warrant Officers.”
AUSTRALIAN CYBERSECURITY ON SHOW AT RSA CONFERENCE IN SF
By Robert Morrish, CEO
We already suspected it, though it was still eye-opening to experience first-hand just how novel our technology is in the cyber security world.
When we joined Austrade’s delegation to the RSA Conference in San Francisco in mid-February 2017, our aim was mostly to build Haventec’s company profile, as well as to make quality connections with potential partners and clients.
Equally importantly, we were able to fine-tune our pitch for the US market in early meetings with new clients introduced by AMP Technologies and Nuix before heading out to meet other organisations with Austrade. Listening to questions from new acquaintances as well as ongoing feedback from other members of the delegation was invaluable – pitching our story is simply the best way to refine it.
We’re very happy that we heard very few objections (and those we did helped us adjust our pitch further). The American market is very open and receptive to our technology, on a bigger scale than Australia, and we’ve gained fantastic insights into industry best practice and trends, particularly in finance, defence, healthcare and critical infrastructure.
CYBER SECURITY TECH TRENDS AT RSA
By Naveen Neti, Chief Engineer, at Haventec
Although I’d never experienced anything like the huge RSA Conference in San Fran, I was already confident we’d gain a lot from the trip as all my research showed the US is very positive and supportive of technology start-ups. The short version of this report is that the US security tech industry ‘gets us’.
The big technology trends being talked about at the RSA Conference circle some of the challenges in our industry:
(1) Endpoint security – the basic concept is that because a lot of common attacks happen on the user’s device itself, such as a laptop or smartphone, more needs to be done about both hardware and software security on portable devices and their connections to the outside world (via WiFi, Bluetooth and SIM cards). There are plenty of products in this space already, though still a lot of market opportunity as most people own multiple devices and haven’t done much to secure them.
(2) Artificial Intelligence and machine learning for server log management – tracking activity on a server or network is a huge chore well beyond human capability as we just can’t process the mass of information ourselves to spot most of the malicious behaviour. While most corporate users already expect all interactions to be monitored, some people are a bit slack about data security. As it only takes one device to be compromised to do damage to an organisation, smarter AI is being used to help close the gap.
There are still a lot of vendors making and selling password managers, though everyone we spoke with seemed very interested in the possibilities of password-less authentication. Our technology is in a very new market, with no big competitors. It’s a good position to be in.
PITCH FRENZY AT THE UK START UP GAMES
By Edora David, Strategic Support at Haventec
A full day of competitive pitching can be nerve-wracking though it should also be fun. That’s the advice from Trish Fowler at the UK Department for International Trade, British Consulate-General, which hosts the Startup Games around the world:
“The start-up games include a full day of coaching, teaching, mentoring and practical sessions, cunningly disguised within an absorbing game, simulating the highs and lows of start-up life,” explains Trish. “It’s a good fit for Haventec, as we are aiming at different start-up stages including more mature ones.”
Trish was right. It was less like the Hunger Games and more like the friendlier Commonwealth Games, with fast-paced pitch and feedback sessions to help us sharpen our game.
Pitching alongside 50 other Aussie startups, Haventec gained plenty of fresh perspectives on how we can sell cyber security innovation to a variety of audiences, from technologists who want to understand how it all works to C-level execs who want it to deliver results.
NEW DATA BREACH NOTIFICATION REGULATIONS
By Stuart Ridley, Content Strategist at Haventec
After several years of debate the Federal Government passed a bill early in 2017 that tightens the rules around data breach notifications.
Most organisations covered by the Privacy Act (including businesses with more than $3 million annual turnover, government agencies and NPOs) will be legally required to report data breaches to the Australian Privacy and Information Commissioner and to all people affected by a breach.
All affected clients, customers and members will need to be alerted as soon as possible (within 30 days) if there is any risk of serious harm.
A data breach notification should be delivered through the usual expected channels – the key word is ‘expected’ – in short, whichever channel/s people are used to, to help cut the risk of people dismissing a notification as a scam.
The notification needs to include:
- Clear description of the data breach – when, where and who is affected
- Disclosure of the nature of information exposed (e.g. names and contact details)
- Instructions on what affected people need to do to respond (including recovery and/or protection)
Failure to comply with the new notification rules could lead to fines of up to $360,000 for individuals and $1.8 million for organisations.
Haventec clearly has an interest in preventing data breaches happening in the first place.
While our focus is mainly helping organisations and individuals better protect their sensitive data, we are working with our partners to help customers improve security practices overall, including:
- Who has access and how much access are they given?
- How are ongoing security behaviours monitored and responded to? (e.g. Do users have to prove trustworthiness before they are given higher access?)
- Where is data held (including with external data hosts) and who has the keys?
- How is data catalogued and identified?
- How is data handled within the organisation ‘off network’ (i.e. What are the risks of data being leaked inadvertently or deliberately by staff who have printed or copied records?)
- How is every item protected, from access point or gateway to database to individual record?
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 is expected to become law within the year.
DESIGNING STRONG SOFTWARE ENGINEER TEAMS
By Ric Richardson
Early in 2017 we started arranging our engineering talent at Haventec into three teams, each playing to their personal strengths.
Firstly let me say all our engineers are A players. They all have great abilities. I also know that people are happiest when they do things they are good at.
Here’s how we’ve arranged our engineering teams:
- Red Team – R&D – This team can handle fast iterations and quickly assess, test and dump ideas while trying to break the back of bigger problems. The Red team must also be able to handle continuous disappointment. (Read more about the Red Team dynamic and Haventec’s Chief Engineer.)
- Blue Team – Production – This engineering team focuses on production code, drawing on personal strengths like attention to detail and tenacity for quality output. Documenting, quantifying and articulating customer product requirements demands patience and relentlessness.
- Green Team – Customer focus – This team is made up of release code engineers who are sympathetic to customer needs and challenges. They fix and refine code to improve the user experience.
This approach is working well and everyone gets in and helps each other when needed – we don’t have silo builders at Haventec.
I’ve recently researched some interesting viewpoints on the difference between engineering for Proof Of Concept (POC) and Minimum Viable Product (MVP) relevant to our team.
One viewpoint explained the difference simply as: a POC proves a function or technology’s validity (i.e. whether it can be done and will work), whereas an MVP proves a product’s market viability (i.e. whether someone will pay for it).
Validity and viability are two completely different things.
Production readiness and tasks such as resilience testing, intrusion testing and hardening are part of delivering a minimum viable product (MVP). As we are catering to banks and larger corporations, resilience testing and pen testing are part of the MVP.
Originally we thought of the Red Team as the MVP team but really they are the POC team. By the above definition the Blue Team is the MVP team and the Green Team helps mature and flesh out the products with the aid of paying customer feedback.
The other thing that became clear is how important prospective customer feedback and beta testing is to the MVP process.
It’s where all the customers’ questions get asked and answered:
- What is the minimum API set we need to run on an enterprise network?
- What is the minimum feature set needed for someone to use and pay for our product?
- How good does our documentation have to be? What is the minimum pen testing we need to do?
So besides making rock solid quality code, the Blue team also has to have constant feedback from marketing, sales and beta testers, all the while developing reliable and provable answers to all these questions.
So here is a question: could a proof of concept team also do a minimum viable product?
Probably not. But it’s worth tinkering over.