How Enterprises Are Using Artificial Intelligence

Technology is taking over the world, one smart device at a time. Whether it is millennials staring at their phone screens all day or self-driving cars, it is fair to say that in 10 years, there will be a great increase in unemployment. In fact, artificial intelligence is already giving us a sneak peek of the future tech-run world. Though many are very cautious and frightened by the idea that technology could one day fix a car or even perform surgery, they are not aware of the large role artificial intelligence has already been playing in their everyday life for years.

Hack/Reduce recently hosted John T. Langton, Director of Applied Data Science at Wolters Kluwer, who spoke at its quarterly dinner event for Boston technologists about the application of AI in the enterprise. While we are far from “Strong AI” (walking and talking robots), John acknowledges the “behind the scene” role AI has been playing, mentioning its day-to-day presence in image searches, elevators, thermostats, Netflix recommendations, and so much more. Artificial intelligence has continuously been improving, taking on more and more extreme roles as the years pass, but the second something goes wrong, people are quick to criticize. One very good point Langton brought up was that AI is not a walking, talking robot and should not be treated as such. AI systems are not “human replacements”; the goal is not to program technology to do whatever we want, but rather to teach the technology to sense and reason in situations and, ultimately, to accomplish a goal and adapt over time.

AI also functions across all verticals, including cybersecurity, finance, and health. Funnily enough, Langton told the audience that if any of their children were interested in radiology, they should steer them away from that field. Artificial intelligence is not only more accurate and efficient, but also already FDA approved, therefore limiting jobs in the radiology field.

If you’re interested in joining a future Hack/Reduce dinner please sign up!

ODSC Panel - How Data Science Is Opening New Frontiers For The Insurance Industry

Last Tuesday we heard from four panelists working in the insurance industry on how data science is transforming their businesses:

Marc Light (BitSight) - Director of Data Science

John Langton (Wolters Kluwer) - Director of Applied Data Science

Andrew Campbell (Sun Life Financial) - Director of Analytics and Insights

Satadru Sengupta (DataRobot) - GM and Data Scientist for Insurance

Moderated by Bobby Brennan who runs a data science consulting firm in Boston.

The panel began by discussing an exciting and important line of insurance that has recently emerged: cybersecurity insurance. Marc talked about how BitSight works with insurers to determine a company's risk of being breached; by creating automated tools for probing a company's defenses - without needing access to the company's internal resources - BitSight is able to accurately measure their level of security, allowing insurers to make informed decisions on whom they should underwrite and for how much. John also drew from his experience at VisiTrend and Carbon Black to discuss what he saw as unique challenges in measuring cybersecurity risk.

A common focus for each of the panelists is the way humans and machines can interact to create positive outcomes. Insurance decisions often carry large financial burdens and can have a huge impact on the livelihood of individuals and businesses, so it's crucial that the decision-making process retains a human component. Andrew spoke about how his team enables human actuaries to make more informed decisions by drawing on machine-driven analysis. The panel seemed to be in agreement that together, humans and machines can drive better outcomes than either alone.

The panel concluded with a general discussion on the impact of data science in the insurance industry, both at the present moment and moving forward, and each of the panelists agreed that data science has been nothing short of transformative. Satadru pointed out that machine-driven statistical insights had ameliorated billions of dollars worth of insurance fraud committed every year, and expressed hope that we'd only just scratched the surface of what's possible. The consensus was that, while data science has had a massive impact on the insurance industry, the focus thus far has been on relatively simple methodologies and easily accessible data. Each of the panelists agreed that there are still vast improvements on the horizon, particularly as we uncover new data sources and learn to capture more signal from unstructured data.

Thank you to Marc, John, Andrew, Satadru and Bobby for an engrossing discussion and some fascinating insights on how data science is transforming insurance.

From left to right: Bobby Brennan, Marc Light, John Langton, Andrew Campbell, Satadru Sengupta

Schools Get Detention When It Comes To Cybersecurity

This is a guest post written by Hack Secure's Matt Lynch, a recent graduate of Bentley University. Check out his perspective on how educational institutions can do a better job preparing their students for the very real cyber threats they face.

While at school, there is one thing I had always felt: safe. The campus had its own Police Department and emergency crews were no more than a few minutes away at any given time, a fact that was tested several times given the number of new cooks. However, looking back after my time working within the cybersecurity industry, I feel I may not have been as safe as I had thought. While they may have been doing everything they could to physically protect me, I was left vulnerable online. Cybercrime is an ever-present threat to today's society, and schools are the new target that cybercriminals are exploiting.

Hackers are getting smarter every day, developing new methods and techniques to break into systems undetected. As companies begin to view cybercrime as the threat that it is, they realize that their old endpoint protection from software like McAfee, Sophos, Norton, and others just does not cut it anymore. They are now beginning to look towards scaling their security at the same rate that the hackers develop their new tricks. They are doing this through software developed by the likes of Carbon Black, CrowdStrike, and Cylance.

Schools, on the other hand, continue to use antiquated software every day. Even a smaller university with a few thousand students and a couple of hundred faculty members has potentially tens of thousands of unsecured endpoints at any given moment. Most schools will provide a computer for each student and faculty member with Sophos, McAfee or Norton pre-downloaded on it as its default anti-virus protection. Students and faculty alike will also often bring their personal computers, tablets, and phones with them, all of which are connected to the school's network. Given that the user of most of these devices is most likely a young adult between the ages of 18 and 22, it is not crazy to assume that they may be used to enter some less than legitimate sites to stream Game of Thrones or watch a basketball game. These sites often pose a high risk of containing malware, which is not always detected by over-the-counter security products. This type of attack is one of the passive ways that hackers can get into the system because the school's endpoints have either the minimum protection or even no protection at all.

It is now time for schools to realize that they are in fact a business and that they need to act like it. All schools hold mountains of information that is valuable to hackers. They have records of all of their customers' and employees' social security numbers, bank accounts, credit cards, and addresses. If a hacker were to hack a school, all of the students, their parents, and the faculty would be at risk of identity fraud, credit card fraud, and several other crimes. By switching over to more modern tactics of endpoint security, schools will be less vulnerable to attacks, as doing so will limit the potential of future attacks by making it more difficult for the infiltrator to break into the network in the first place, and will help detect a breach faster if one does occur.

What companies like Carbon Black do is make it simple for large businesses such as schools to get high-quality, next-gen anti-virus software, by having it be one agent, one console, and cloud delivered. The next-gen antivirus will automatically detect ransomware, malware, and non-malware attacks on any of the endpoints connected to the network. The agent that is on the device will then send it through the cloud, to the console, which will be under the control of the head of cybersecurity. From there, they can decide to shut down the device remotely to prevent any harm from being done to the network.

If schools were to invest the money in next-gen cybersecurity detection products, then they would significantly decrease the likelihood of any cyber attack happening at all, and reduce the potential risk from any attack that does occur, allowing them to worry about education first, and safety second.

Survey: The State Of Cyber Security Hiring In Boston

Are you looking to hire entry level cyber security practitioners? Help the Boston community understand the type of traits you look for in a job candidate by participating in our short cyber security hiring survey.

In collaboration with Northeastern University's College of Computer and Information Science, we've developed a short 7 question survey to help candidates understand how they can be best prepared to work at your company!

"Serverless" Architecture: The Risk Of Going Serverless And Why It's Worth It

Cyber Security Practitioner Series brought to you by Reverb Advisors

In this week's interview for the Cyber Security Practitioner Series, we talked with Tom McLaughlin from CloudZero about serverless architecture.

Tom talks about what serverless architecture is, how it is utilized, the risks it poses as a security issue, and why it is still worth it in the end.

Tom McLaughlin, CloudZero

Tell us about yourself, your background, and how it pertains to serverless architecture.

I’m an operations engineer by profession, which in lay terms translates to, “I make the cloud run.” While software engineers are writing the products that we use, I’m the person who’s been responsible for ensuring that these engineers are able to deliver features and ensuring a stable and reliable service so users (or customers) are able to use those features. Your killer product feature is useless if customers can’t access it reliably.

These days I do developer relations (DevRel) for an early stage startup, CloudZero, that is building a site reliability platform on an AWS serverless architecture. I engage with our market as an engineer peer to discuss the issues we’re solving, like site reliability and serverless, and learn from those engineers how we can solve their problems better. The work is (and I’d argue, if it’s going to be done right, should be) a mixture of Engineering and Product functions with Marketing strategy and tactics mixed in.

What exactly is serverless architecture and why does it matter?

“Serverless” is currently one of the most nerd-rage inducing terms, in a tie with “observability”. (We’ve grown tired of arguing what “DevOps” is and fortunately new terms have come along.) We call it “serverless” because the host layer (server) has been abstracted away from us and is entirely handled by the cloud provider. We have no responsibility for host maintenance in this model. The general maintenance tasks we’re used to, e.g. OS patching, performance monitoring, debugging, are handled by the cloud provider and opaque to us. This is a good thing because it forces us to focus our effort on technology that advances our core business. More resources can be spent on developing the product features that increase adoption than patching your hosts. No one buys your product because of your internal patch management strategy. They buy your product because it does something useful.

What differentiates this from a PaaS is the execution model of the technology. With PaaS platforms you’re paying for hosting, and you’re paying whether people are using your product or not. This is not the case with serverless platforms. With serverless you pay when your service is actually used. A serverless system costs you nothing if no one is using it. Your bill has gone from a capacity based model (paying for resources to support a theoretical load) to a capacity based model (how many people are actually using my service).

We could have called it Jeff.

What has adoption been like for serverless architecture?

Serverless adoption is still in the early phase. Think of maybe where containerization (e.g. Docker) was 3 or 4 years ago or even AWS public cloud 7 or 8 years ago. Serverless is, I think, still the domain of the early adopters. I joke that many of the leaders in the serverless ecosystem can all be found at the ServerlessConf events. Think of that, a single event can still draw most of the leaders in that space. I had severe FOMO missing this past one in NYC. My Twitter timeline was filled with the people whose Twitter and blogs I follow, along with people I regularly engage with on a dedicated serverless Slack group.

The organizations I’ve found to be adopting serverless are quite diverse. They range from large companies like Nordstrom, to sizeable companies like iRobot, and finally early stage startups like CloudZero. Because of the leap serverless provides over microservices (which containerization doesn’t provide) I think you will begin to see many organizations come to a fork in the road as they look to modernize their software stack and IT services delivery: go primarily containerization or go primarily serverless. More aggressive organizations may decide to leapfrog over containerization and directly into serverless. While moving applications to containers may be easier up front than re-architecting them for serverless, containerization comes with the overhead of maintaining container management platforms. AWS provides Elastic Beanstalk where you can host your Docker containers but people will still need platforms like Kubernetes to handle large scale container deployment. Contrast that with serverless where you’re making a conscious decision to offload the platform management to your cloud provider. If you’re no longer trying to operate a containerization platform you can perhaps redirect those engineering resources towards your application re-architecture efforts.

For some people this time may be too early for them to care about serverless.  For others this is exactly the right time.  The architecture changes bring so many new opportunities and questions that are waiting to be solved.

What potential security risks does this technology pose? Do you feel the rewards outweigh the potential risks? Why?

With every new layer of cloud abstraction you have to ask yourself how comfortable you are with outsourcing a part of your security. There are people who believe they can provide physical security to a data center better than public cloud providers. There are people who believe they can provide better security at the virtualization layer (e.g. preventing cross VM or cross container attacks) than the public cloud providers. The same questions arise for serverless. Underneath AWS Lambda is a container that AWS manages. Do you feel you can engineer a more secure container that is patched appropriately better than Amazon? And is your time spent on that a better use of time than addressing other issues? You have to ask yourself these questions and provide realistic answers. Just because you own and control something in no way means you can do it better. I legitimately trust public cloud providers to do a lot of this work better than me. They hire specialists for this work; for me, I’m at best a generalist.

If you make the jump to serverless, a positive I see coming is increased focus on application layer security. Ask yourself at what maturity a company starts doing application security and pen testing. Ideally they start doing it when they have the time and resources and have addressed other lower hanging fruit and more damaging issues in their environment.

If you’re no longer managing and patching OS vulnerabilities, redirect your time to patching application dependency vulnerabilities. A service like Snyk is, I think, poised to make a major impact in the serverless space. It’s an easy to use service that I, as a non-security specialist, can get started with.

If you’re no longer worried about ensuring that your NoSQL platform is properly patched and not exposed to the internet, refocus your efforts on ensuring your AWS S3 buckets aren’t publicly exposed. Or better yet, focus on application pentesting earlier.  I would love a service that constantly probed my infrastructure for vulnerabilities.  It’s not that I didn’t want it before, it’s that with serverless architecture I now have time to potentially make use of the data the service found.

By allowing your public cloud provider to address more of the security of your stack you can focus on the more sophisticated security issues earlier.  This is a good thing for security so long as people recognize the opportunity to fill this new space.

Is there anything that you have not gotten to talk about that you feel is important for people to know?

I just want to reiterate that serverless really is different and represents a major jump in cloud computing compared to what we’ve seen with containers. The architecture is so different from what we’re used to that its mass adoption leads to so much potential disruption. You can look at almost every area of cloud technology and given enough thought and time see endless possibility. The shift from capacity to consumption based billing I think will lead to the measurement of cost more closely with how we measure performance. In fact, I think cost will more directly factor into performance choices. We’re still building management tools that are configuration file based, but I can see a trend towards more graphically oriented design. The opportunities are endless in this area if you take the time to rethink ideas instead of just implementing what we’ve been doing. If you’re having a hard time coming up with ideas, I touch on some areas in my presentation “Serverless Ops: What do we do when the server goes away?”