Roger Thornton

IDTrust is an SSI (Self-Sovereign Identity) framework deployed on the Hedera Hashgraph network, leveraging distributed ledger consensus for high throughput, low-latency credential issuance and verification. It enables decentralized identifiers (DIDs) and verifiable credentials (VCs) in line with W3C standards, allowing identity proofs to be cryptographically signed and verified without a central authority. WISeID is WISeKey’s PKI and credential management infrastructure, which uses an X.509 certificate hierarchy anchored in the WISeKey Root of Trust. It supports multi-factor authentication, strong cryptographic key storage (including on secure hardware elements), and issuance of device/user certificates via OCSP/CRL for revocation control. It also includes mobile and hardware token integration for signing and encryption, allowing it to bind identities securely to both humans and IoT endpoints. SEALCOIN is a DePIN (Decentralized Physical Infrastructure Network) and IoT transaction platform that runs on Hedera. It uses the QAIT token for micropayments, metering, and autonomous machine-to-machine transactions. SEALCOIN’s architecture integrates post-quantum cryptography and WISeID PKI to authenticate devices before allowing them to transact, ensuring integrity of both the transaction metadata and payload. Transactions are recorded on Hedera’s gossip-about-gossip consensus layer, providing tamper-evident logs while keeping computational overhead low compared to proof-of-work chains. From a technical standpoint, WISeID could interoperate with IDTrust by acting as a trusted credential issuer (anchoring PKI certificates as verifiable credentials on Hedera) and SEALCOIN could serve as the settlement layer for identity-driven transactions within IDTrust-enabled ecosystems. https://lnkd.in/eqWPXjMF

12

3 Comments

After lengthy late-night discussions with Cédric Bonhomme on sightings and KEV formats, we produced a first draft of a generic format for Known Exploited Vulnerabilities (KEV).  Initially, we considered extending GCVE BCP-05 using the CVE Record format. However, we ultimately concluded that it may be more appropriate to define a standalone format, allowing sources to publish their KEV data independently. Feel free to comment on the discourse link below. KEV Assertion Format – Draft Specification (potential BCP?) This format describes a generic KEV (Known Exploited Vulnerability) assertion format. The goal is to express who claims exploitation, when, based on what, where it was observed, and with which level of confidence, without turning KEV into full threat intelligence. A KEV assertion is usually very binary and lacking some meta-information. The format adds some information which could better capture details about the exploitation. A majority of the fields are optional except vulnerability, status and evidence.[].source which are recommended. 🔗 https://lnkd.in/eaBUFXie GCVE-EU CIRCL (Computer Incident Response Center Luxembourg) CVE Program

145

11 Comments

For SOCs, it’s not just the hackers that pose a threat - it’s the avalanche of data that buries real signals under noise. Security logs, once the fuel for detection, are now both an asset and a liability. The flood of redundant, misaligned, or uncurated telemetry drains not just budgets - but analysts. The challenge isn’t just collecting data - it’s collecting the right data, in the right shape, at the right time. Security tools generate logs by the terabyte. Yet most organizations lack a strategy to qualify, contextualize, or prioritize what enters their SIEMs. As a result: ▪ Real threats get buried in noise. ▪ False positives clutter dashboards, wasting attention. ▪ Costs balloon from excessive licensing and storage. To move from reactive firefighting to proactive defense, SOCs must elevate telemetry management as a core security function. Here's how leading teams do it: 1. Precision Filtering, Not Blanket Collection Start with a threat-informed view: what data truly supports detections? Eliminate noise - e.g., suppress successful login logs unless from unusual geographies or times. 2. Normalization and Enrichment as Multipliers Standardize formats and enrich with business context - asset criticality, user identity, threat intel, geolocation. This transforms raw logs into events that trigger rules more accurately and reduce triage ambiguity. 3. Retention That Reflects Risk Abandon “store everything” habits. Align retention with risk: real-time detection data stays hot; compliance data can go cold. 4. Use Case-Driven Collection Let strategy guide ingestion. Data should map to real correlation rules, MITRE ATT&CK coverage, or compliance needs. If it doesn’t, reconsider ingesting it. Log optimization isn’t just about saving money, it enables: ▪ Faster decision-making ▪ Reduced alert fatigue ▪ Stronger detection fidelity When telemetry pipelines are treated with the same rigor as detection logic or incident response, the SOC becomes sharper and more effective. Final thought…. Data isn't your greatest asset - useful data is. 👉Ask Yourself Are you collecting data to feel secure - or to be secure? #CyberSecurity #SOC #SecOps #ThreatDetection #Telemetry #DataStrategy #DataQuality #OptimizeLogs #LogReduction #SecurityEfficiency #SIEMOptimization #AlertFatigue #TelemetryPipeline

33

4 Comments

A Message to C-Suites of Regulated Industry and Critical Infrastructure: Every encryption key begins with entropy. Not the algorithm. Not the key length. Entropy. And yet most enterprises cannot answer basic questions about it: Where does our entropy originate? How is it generated across our infrastructure? Is it hardware dependent? Is it stateful? Is it testable beyond statistical randomness? Or most importantly: Is it learnable under machine pressure? We govern access control. We govern identity. We govern cryptographic algorithms. Very few organizations govern entropy. That gap is going to matter in the AI era.

17

2 Comments

Capability in security is an unforgeable, transferable cryptographic token that encodes permissions and authorization policies on the resource that it designates. @Alan Karp suggests that #capability can solve most of the #IAM use cases.

3

Security stacks keep growing, yet data exfiltration remains one of the hardest problems to solve. The issue isn’t tooling. It’s shared data context. Most architectures were built around infrastructure - endpoints, networks, workloads. But risk follows data: where it lives, who can access it, and how it moves across cloud, SaaS, and AI systems. A data-first model connects four capabilities: ✔️ DSPM: discover and classify sensitive data ✔️ DAG: enforce least privilege ✔️ DLP: control data in motion and in use ✔️ DDR: detect abnormal data activity This isn’t DSPM vs DLP. They address different parts of the lifecycle. The opportunity is aligning them around a unified understanding of the data. When that foundation exists, prevention improves, noise drops, and response becomes precise. I shared a deeper look at how this architecture comes together here 👇 https://lnkd.in/d4KusXBZ

34

2 Comments

PwC reports that Koi — formerly the commodity stealer KPOT — has evolved into a privately run, custom infostealer ecosystem (loader + backdoor + stealer) operated by a single actor (White Dev 192), making it far harder for defenders to track or detect. Blog: https://lnkd.in/eGFtQW7g IOCs: https://lnkd.in/eu3EF2ri #PwC #Koi #KPOT #Infostealer #Malware #CTI #CyberThreats #CredentialTheft #MaaS

23

Anthropic published a report today detailing distillation attacks, and the scale of what they uncovered is worth paying attention to. They identified three Chinese AI labs (DeepSeek, Moonshot, and MiniMax) running what were essentially industrial-scale data extraction campaigns against Claude. Over 16 million exchanges, generated through roughly 24,000 fraudulent accounts, using proxy services and "hydra cluster" architectures, distributed account networks with no single point of failure. When one account gets banned, another takes its place. Sound familiar? It's the same resilience model we see in botnets and C2 infrastructure. The goal of distillation is to train a weaker model on the outputs of a stronger one, essentially cloning capabilities at a fraction of the development cost. That part is legitimate and widely used. The problem is what gets stripped out in the process. Anthropic, and the other US labs, (supposedly) build controls specifically to prevent misuse for things like bioweapon development or offensive cyber operations. Distill the model without those safeguards, and you've got something that looks capable but has had its controls surgically removed. That's not a theoretical risk — it's a capability proliferation problem with real national security implications. MiniMax's campaign is the most operationally interesting to me. Anthropic actually caught it while it was still running, which gave them visibility into the full lifecycle. When Anthropic released a new model mid-campaign, MiniMax pivoted within 24 hours and redirected nearly half their traffic to the new system. That's not opportunistic, but rather a disciplined, adversarial operation. From a detection standpoint, what makes these campaigns identifiable is the pattern. Massive volume, repetitive structures, narrow capability targeting across coordinated accounts. Classic indicators of purpose-built automated activity. The same fundamentals we apply to detecting malicious network traffic. No single vendor solves this. Anthropic is calling for a coordinated response across the AI industry, cloud providers, and policymakers, which is exactly the right framing. This is an ecosystem problem, not a product problem. Worth a read if you're tracking the intersection of AI and security. https://lnkd.in/gEaeSs4x

5

H33-Vault: Cryptographic Contract Validation for Banking                                                                                                        Every mortgage closing, insurance claim, and government contract shares the  same vulnerability: the sensitive fields inside those documents - SSNs, bank accounts, medical records - sit in plaintext databases, protected by nothing more than access controls and audit logs.                                                                                                                       When a breach happens, the data is already in the clear. When aregulator audits, they're trusting the honesty of the system - not the mathematics.                                                                                       We built H33-Vault to fix this.                                                                                                                                 H33-Vault is a joint product from H33.ai and Cachee.ai that brings real cryptography to document validation pipelines. Not checkbox compliance.  Mathematical                                                                                                                                 Here's what happens when an operator reviews a document in H33-Vault:                                                                                             - Every sensitive field (SSN, bank account, DOB, medical record) is  FHE-encrypted at extraction. The plaintext value never touches a database,  never enters a log, never appears in a cache key.                                - Every validation decision generates a SHA3-256 commitment proof with a   Fiat-Shamir challenge — cryptographically binding the operator, the document,   the field, and the decision into a single non-interactive proof. No trusted      setup. No external ceremony. Under 5 microseconds.                               - Operator behavior is monitored with FHE-encrypted velocity counters — the   system tracks validations per hour, SSN views per hour, and edit rates without    ever decrypting the actual count. Even we can't see the number without an   explicit admin decryption step.   - Document finalization computes a SHA3-256 Merkle root over all field hashes   and signs the entire package with CRYSTALS-Dilithium (ML-DSA-65, NIST FIPS   204) — a post-quantum signature.   - Critical fields (SSN, tax ID, bank accounts) require biometric step-up authentication within a 15-minute freshness window. The decrypted value displays in a vault overlay that auto-hides after 30 seconds. (MORE BELOW) h33.ai/h33-vault

1

1 Comment