FixNix Blog

Dear India, Let's get to action on Cyber Security

Nov 25, 2015 5:20:56 PM / by Shanmugavel Sankaran posted in India, industry, Security Development Lifecycle, stakeholders, training institutions, Blog, cyber security, National Cyber Security Awareness Month


Wanted to dedicate this piece of work to our country India

FixNix Year III Anniversary Celebrations- Part 1

Nov'22 2012 to Nov'22'2015

Member,Cyber Security Task Force of India.

Got invited for few activities of National Cyber Security Awareness Month here in US Last month, October

My frustration level went up when i found billion$ security companies to training institutions to water supply company to defense agencies to 100 other firms joining this effort under one single window all across the country supporting the mission of "National Cyber Security Awareness Month".

America is so successful because they seriously foresee what's coming in the future, be it tech or many other stuffs, get their acts together.


As a country, if we can imbibe in getting all such interested variety of stakeholders to promote Cyber Security to school kids to industry, we'll have better run way.

I am writing this with saddened heart, many months back one of my very well funded entrepreneur friend mocked at me by not responding to my help to fix hi attack thinking security business is all snake oil selling. If that's the maturity of an very well funded entrepreneur, think about others.

Every body in our country takes cyber security as cosmetic, which is not true.

In Microsoft world, I was part of those teams who defined the SDL "Security Development Lifecycle" where security becomes part of applications, products in each and every step of the company.

Let's nix it from Grass Roots !

Read More

What Varuna devan(rainGod), Sinking Chennai Corporation and billion $ cognizant's of the world have in common?

Nov 24, 2015 5:16:07 PM / by Shanmugavel Sankaran posted in ICT, ISO 27001, billion $, Blog, Business continuity planning, Chennai, Corporation, Disaster recovery, rainGod


Business Continuity and Disaster Recovery is the connection !

Read More

what to learn from Zoho ?

Nov 21, 2015 5:11:50 PM / by Shanmugavel Sankaran posted in Security Incident Management, toughest, TRANSPARENCY, unidentified hackers, Zoho, Blog, DDos, Operating System for Businesses


Last week Zoho, the "Operating System for Businesses" got DDos attacked by unidentified hackers. I've been closely observing how the issue was panning out since then. Got opportunity to talk to few people on their engineering world to provide few references voluntarily .

Read More

Indian Security Product Industry

Nov 15, 2015 5:10:05 PM / by Shanmugavel Sankaran posted in Indian, industry, security, silicon valley, banking, Blog, Entrepreneurs, product, Product Ecosystem


Don't know whether i'm the authority to write on this. But As a Security Product Entrepreneur from India, gone global wanted to write about this. It not me(guy who have sold everything for this idea, except my soul and body), then who else ? ;-) There're tons of my friend security entrepreneurs who're also trying to crack this space.

Please take it with a pinch of salt as the passion level may be a little one line more than the others as I've not become glorified employee of a VC on day 1 by taking funds to build this. Wanted to prove our skin in the game and taken it to extreme bootstrapping to get here.

The Pic in the title header shows the 20+ serious guys denting Indian Security Product Ecosystem.

We're here to stay and make a dent. as the domestic market itself is growing phenomenally and entrepreneurs are figuring out how to how to raise, exit, etc

Let's see the industry trend on Security investments

About Silicon Valley angles

There may be cases where the global GRC denters like convercent might have got funded 10.2 million on the day they have started their story. But FixNix may be denting still bootstrapping. Yet to figure out the global institution's take on Indian Security startups on compliance space. Sometimes it may look insulting, but the indian spirit, tenacity, perseverance and local market demand is helping us stay put. "On the day it introduced its service, convercent start-up also said it had received $10.2 million in funding led by Azure Capital Partners, Mantucket Capital and City National Bank, Till todate, the global player has raised 30.72m$" On the contrary, from India we're able to bootstrap with 200k$ debt raised from one of the states of Indian Government. The reason I'm trying to get more into FixNix funding case, it's choice of the entrepreneur. Overall, the Indian funding situation is improving a lot.


Indian banking and securities firms to spend 499 bn rupees on IT in 2015- Gartner

Indian banking and securities companies will spend 499 billion rupees on IT products and services in 2015, an increase of 9.8 percent over 2014 spend of 455 billion rupees, according to Gartner.

India will remain the world’s fastest growing information technology (IT) market in 2016 as it is expected to spend more than $72 billion on IT services, products and hardware, up from 7.2% from the current year, according to research firm Gartner Inc

Some insights from PwC survey for understanding the global picture how security incidents are leading to different programs, budgets, policies, etc

Read More

Who got Security Analytics right ?

Nov 11, 2015 5:07:49 PM / by Shanmugavel Sankaran posted in SANS, security, Security Analytics Survey, Sumo Logics, Analytics, Blog, Click Security Click Commander, EMC RSA Security Analytics, Networks JSA Series Secure Analytics


Our Chairman Prof.Subra and I were white boarding few Security Analytics modules we were envisioning for FixNix GRC platform on Risk, Audit, compliance Analytics. These new modules can drastically help Internal Audit teams and Compliance teams to predict the future areas they need to focus by a proprietary machine learning algorithm we've put together.

I don't know how many except RSA have solved the analytics need of security industry correctly. Even RSA Analytics is more about the IT part of the GRC and its future. Particularly for the GRC world, who has built a great GRC Analytics module ? Whether it's Metricstream, Lockpath, Openpages ? I don't know even anybody has inclination towards innovating towards big data, machine learning, etc. We're seriously trying to innovate and democratize this space.

Make Security Analytics affordable .. is one of our newly added mission now.

Mastering Security Analytics

Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?

Today's enterprise security tools have developed an ability to detect a plethora of anomalies and "events" that indicate an attack is under way. For most companies, the problem is interpreting all of that security data to identify sophisticated threats and eliminate them before a serious data loss occurs.

"We're sort of living in this alert-driven culture, but no one has the resources to respond to every alert," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike, a security intelligence and Analytics firm. "There are a lot of false positives, so not every alert is going to be prioritized."

Innovations within security software, appliances, and services have automated many detection and blocking tasks, resulting in improved protection from next-generation firewalls and intrusion-prevention systems. But no matter how advanced a tool is, it will never block 100% of attacks.

That's why, even with so much sophisticated technology available today, brainpower remains the most effective tool in fighting advanced attacks. Smart analysts can connect the dots among different security alerts and logs, letting analysts hunt down and shut down the sneakiest of exploits. But as security data proliferates, these analysts are being snowed under.

Even the most highly skilled analysts can only sift through so much data per day before they become ineffective. What's more, there are only so many analysts out there -- and they don't come cheap.

For most companies, then, it's not just a matter of hiring more analysts. "It's all about how do you maximize the efficiency of your human analysts -- how you present them with the information that's most relevant to them and most actionable," Alperovitch says.

To do that, IT organizations must rethink the factors that drive their security intelligence and analysis. They need to find ways to digest data more efficiently and automate some of the easier correlations among data sets so that analysts have more time to focus on the complex ones.

There are a number of ways to improve data analysis, and much of it revolves around providing data in better context, automating data flows and mathematical analyses, and improving the way data is presented to humans when it's decision-making time.

The trouble with SIEM
Anyone who has been in IT security for a little while might stop at this point and ask, "Wait, isn't data analysis what security information and event management (SIEM) systems are for?"

When SIEM technology kicked off over a decade ago, the promise was that these platforms would become the catch-all system for storing and correlating security data across the enterprise to help analysts stop attacks in their tracks. But that was a time when the corporate attack surface was fairly limited, and the volume of attacks was still manageable. Many of these SIEM systems had a pedigree in log management, and their underlying architecture was built in a time long before the non-relational database revolutionized big data analysis. As a result, SIEM has a number of weaknesses that keep it from being an analytical superstar.

First, many SIEM platforms still can't pull in all of the necessary feeds to track attacks across the typical attack life cycle, or kill chain, which often spans endpoints, network resources, databases, and so on. Even when they can ingest data from, say, endpoint security systems, they are often unable to normalize it (meaning get the data sets into roughly the same format) and pair it with related network security data that could help analysts correlate separate events into a single attack.

"The challenge is you have endpoint systems that don't talk to log data and don't talk to network data," says Craig Carpenter of AccessData, a forensics and incident response vendor. "It may all be sitting in the SIEM, but it's not being correlated. It's not being translated into a singular language that the analyst can actually look at."

In most cases, Carpenter adds, you'll have two different teams looking at the data: the network team and the endpoint team.

"And the two alerts don't match to each other, so they look like completely different events to the analysts," he says.

As the number of security data feeds increases with more specialized services and products -- be they phishing and malware detection or external threat intelligence data -- it only gets harder to map out a single attack across all of the different infrastructure touch points. It's a case of too many alerts with little to no context.

"There's no prioritization," explains Alperovitch. "So it's easy to say with hindsight that they should have connected the dots because there was one alert, but if there's 5 million dots for you to connect, then it's really, really hard for any organization to make sense of it all."

For example, prior to its breach, the retailer Target did get an alert from its security tool, but it was lost in the noise of many other alerts coming in at a rate of hundreds a day.

IT security analytics: the before, during and after

The scope of IT Security Analytics is broad. In an ideal world, Threat Intelligence, provided in advance, would prevent IT security incidents from occurring in the first place.

However, complete mitigation will never be possible and incidents are inevitable, often with associated data breaches.

Post-event clear up requires intelligence gathering, too. The quicker that can be done, the better; more chance of finding the smoking gun.

The net result of trying to speed up incident response is that an increasing capability to use intelligence as an event is occurring. As one supplier, Cisco’s Sourcefire, puts it: the need for security intelligence is “before, during and after” an incident.

SANS Security Analytics Survey

Results of the current survey show that the market is in need of analytics and intelligence wrapped around the data that is being (and can be) collected in respondent organizations. In it, only 10 percent of respondents felt truly confident in their “Big Data” intelligence and analytics capabilities. Their biggest impediment is in the process of collecting the correct data in order to make the necessary associations, followed by lack of vulnerability awareness and context. Yet these capabilities are important for a comprehensive detection and response system. The system should also be affordable and able to reduce manpower for strapped IT security departments

Security Analytics Platform

Comparing the top Security Analytics tools in the industry

These categories emphasize varying needs for key Security Analytics features, such as deployment models, modularity, scope and depth of analysis, forensics, and monitoring, reporting and visualization. Several products are discussed, including Blue Coat Security Analytics Platform, Lancope Stealth Watch System, Juniper Networks JSA Series Secure Analytics, EMC RSA Security Analytics NetWitness, FireEye Threat Analytics Platform, Arbor Networks Security Analytics, Click Security Click Commander and Sumo Logics' cloud service.

Read More

Color me in the color of sacrifice, Prime Minister..

Nov 4, 2015 5:04:14 PM / by Shanmugavel Sankaran posted in Blog


I'm not a very experienced person to enlighten the administrators of my country...But i feel as part of the gen Y defining my country's what next I felt I should share my thoughts. now or never..

Read More

whether world gets SaaS Security ?

Oct 30, 2015 6:00:07 PM / by Shanmugavel Sankaran posted in Blog


even now if you search "SaaS Security" or "Security SaaS", you get to see how to secure the SaaS applications ;-)

finally my 5th search result showed something relevant to a security company doing SaaS...

May be time to ask SaaS gurus to write about security guys delivering products through SaaS..

Read More

Can India repeat Israel in CyberSecurity ?

Oct 21, 2015 5:57:34 PM / by Shanmugavel Sankaran posted in Blog


year old due post, last year when i went to israel alongwith DSCI, Govt of India as part of a delegation to Israel HLS 2014. Met tons of Political, technology folks of Israel in the meet, with few of our indian security geeks.

Read More

Let's Learn from the Leader...

Oct 10, 2015 5:55:09 PM / by Shanmugavel Sankaran posted in entrepreneur


undisputed fact, USA is the world's Technology Leader.

Don't Know how many china, India, Israel, Singapore, Ireland and London coming together will change this equation.

Few things thought many emerging tech centric governments like India should take leaf from the Leader of Tech, USA

Let us see what are the recent initiatives taken by US govt to promote public private partnership, cyber security, global collaboration, innovation promotion, etc

February 13, 2015

Stanford University

“(S)ince this is a challenge that we can only meet together, I’m announcing that next month we’ll convene a White House summit on cybersecurity and consumer protection. It’s a White House summit where we're not going to do it at the White House; we're going to go to Stanford University. And it’s going to bring everybody together — industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students — to make sure that we work through these issues in a public, transparent fashion.”

— American President Obama, January 13, 2015


1) Cybersecurity Information Sharing

The government and the private sector must work together to protect against today’s fast moving and far reaching cyber threats. Panelists will discuss how new models to help share more information on threats and cybersecurity analysis – including regional and threat-based partnerships – can help better secure our networks. They will also discuss challenges to and opportunities for expanded information sharing, and how we can share cyber threat information without compromising our commitment to privacy and civil liberties.

Moderator: Michael Daniel, National Security Council


  • Michael Brown, CEO, Symantec
  • John Ikard, CEO, FirstBank
  • Jennifer Granick, Stanford University, Director Civil Liberties
  • Matt Olsen, Former Director, National Counterterrorism Center
  • Alejandro Mayorkas, Deputy Secretary, U.S. Department of Homeland Security

2) International Law Enforcement Cooperation

To respond to today’s increasingly transnational cyber threats, law enforcement must work quickly and effectively with partners in other countries, with multinational organizations, and with private sector allies around the world. Countries have had great successes in recent years built on bringing together diverse teams of responders, but we also face significant challenges. Panelists will discuss how best to enhance multinational law enforcement cooperation, and how we can more effectively leverage increased international collaboration when responding to cyber threats.

Moderator: Assistant Attorney General Leslie Caldwell


  • Joseph Demarest, Federal Bureau of Investigation
  • Ed Lowery, U.S. Secret Service
  • Kevin Mandia, Former CEO, Mandiant; Senior VP and COO, FireEye
  • Jamie Saunders, Director National Cyber Crime Unit, United Kingdom National Crime Agency
  • Bilal Sen, United Nations Office of Drug and Crime

About OSTP

Congress established the Office of Science and Technology Policy in 1976 with a broad mandate to advise the President and others within the Executive Office of the President on the effects of science and technology on domestic and international affairs. The 1976 Act also authorizes OSTP to lead interagency efforts to develop and implement sound science and technology policies and budgets, and to work with the private sector, state and local governments, the science and higher education communities, and other nations toward this end.

OSTP's Mission

The mission of the Office of Science and Technology Policy is threefold; first, to provide the President and his senior staff with accurate, relevant, and timely scientific and technical advice on all matters of consequence; second, to ensure that the policies of the Executive Branch are informed by sound science; and third, to ensure that the scientific and technical work of the Executive Branch is properly coordinated so as to provide the greatest benefit to society.

OSTP Divisions

Scientific and technological advances are playing ever-growing roles in American life, helping grow our economy, improve our competitiveness, allow Americans to lead longer and healthier lives, address key energy and climate challenges, and protect ourselves from natural and manmade threats. The work of the Office of Science and Technology Policy touches upon all these areas and many others. The office helps drive science and technology policymaking. And it helps spur U.S. innovation and ingenuity by crafting practical policies aimed at strengthening America’s scientific and technology enterprise.

Broadly speaking, OSTP’s work can be thought of as falling into four main topic areas:


The Obama administration and the Office of Science and Technology Policy are committed to restoring science to its rightful place in America as a tool for crafting smart policies that will strengthen the nation. Learn more...

Technology & Innovation

In the face of unprecedented challenges, technological advances can provide a powerful engine for advancing economic growth and new opportunity. Learn more...

Environment & Energy

Of all the challenges we face as a nation and as a planet, none is as pressing as the three-pronged challenge of climate change, sustainable development and the need to foster new and cleaner sources of energy. Learn more...

National Security & International Affairs

New developments in science and technology (S&T) play a key role in predicting and addressing threats to our national and economic security and in meeting transnational priorities that improve the quality of life and global security. Learn more...

Working with International Partners

OSTP launched the International Affairs Initiative to lead the Administration’s engagement with potential international partners in key areas related to science and technology policy, research, and development. International science and technology partnerships are critical to addressing current and emerging global issues such as transnational terrorism, climate change, armed conflict, pandemic disease, space exploration, and cyberspace security. OSTP has achieved a number of significant international accomplishments over the past six years, including strengthening partnerships with emerging economies, addressing trade policies that hinder US companies, advocating for appropriate funding levels for international programs that carry out Presidential priorities, and addressing problematic legal issues in science and technology agreements.

Growing a High Technology region: Silicon Valley and the role of Stanford university

Startup America !

Startup America is a White House initiative that was launched to celebrate, inspire, and accelerate high-growth entrepreneurship throughout the nation.

"Entrepreneurs embody the promise of America: the idea that if you have a good idea and are willing to work hard and see it through, you can succeed in this country. And in fulfilling this promise, entrepreneurs also play a critical role in expanding our economy and creating jobs."


Startups are engines of job creation. Entrepreneurs intent on growing their businesses create the majority of new jobs, in every part of the country and in every industry. And it is entrepreneurs in clean energy, medicine, advanced manufacturing, information technology, and other innovative fields who will build the new industries of the 21st century, and solve some of our toughest global challenges.

In January 2011, President Obama called on both the federal government and the private sector to dramatically increase the prevalence and success of entrepreneurs across the country.

Since launch, the Obama Administration rolled out a set of entrepreneur-focused policy initiatives in five areas:

  1. Unlocking access to capital to fuel startup growth
  2. Connecting mentors and education to entrepreneurs
  3. Reducing barriers and making government work for entrepreneurs
  4. Accelerating innovation from “lab to market” for breakthrough technologies
  5. Unleashing market opportunities in industries like healthcare, clean energy, and education


Leaders in the private sector launched the Startup America Partnership, an independent alliance of entrepreneurs, corporations, universities, foundations, and other leaders joining together to fuel innovative, high-growth U.S. startups. The Startup America Partnership is now operating around the world as UP Global, which has committed to support and train 500,000 entrepreneurs in 1,000 cities over the next three years.

Read More

what Jayalalithaa, Steve Jobs and the number 35 has in common ?

Oct 6, 2015 5:51:17 PM / by Shanmugavel Sankaran posted in entrepreneur


The secret will be out by another 98 days, on Feb'24 2016. Alternatively read till end of this article.

I've been with the both blessed souls, every year atleast on that day 24 Feb, together, from some other corner of the country & world, doing a same religious thing.. What's that...?

Okay, let's cut the crap and come to the point.

Mashable quoted an article from their publisher muse about 35 things you should do for your career by the time you turn 35.

We're all for flexibility. Going your own way. Paving your own path. Doing what works for you (and not doing what doesn't).

We're also big fans of not putting a timeline on things. We've even said that there are plenty of things you don't have to have by 30 (or 40, or 50, or ever ... ).

But when it comes to your career, there are some things that we do recommend getting started on sooner rather than later. Not because some all-knowing career god out there says you have to, but because you'll make your professional future — not to mention day-to-day work life — a whole lot easier.

Let's c the what to do for our career, life bfor v reach 35..
Tried answering my accomplishment against the 35 advises, mostly somewhat attempted, yet to see results of those attempt. Let's c

35 mantras for age 35

  1. Really refine your elevator pitch-- make a dent ?

  2. Know Your SuperPower--perseverance, optimism

  3. Know your weakness-- perseverance, optimism

  4. Learn how to delegate--learnt 4 diff times. As employee of Microsoft, IBM, friend's startup & my own world finally

  5. Know your career non-negotiables-- empowerment, large complex problems(more the merrier)

  6. Do something you're really, really proud of-- I think entrepreneurship

  7. Learn from something you're not so proud of--don't give up & loose hope in life even u don't have single penny in your pocket. Made a very wrong life changing decision bcos of money matters, but came out. Learnt the no-money thing is a phase of all entrepreneurs life. Never make a mistake bcos of that, will store the detailed story of that for my auto-biography

  8. Stretch your limits--may b I did this too much

  9. Do something that really scares you--taking the family alongside you on bootstrapping entrepreneurship. What would have happened if the bankrupt situation has continued ?

  10. Get comfortable with getting feedback--I've become a good listener these days.

  11. Get comfortable with giving feedback--never feel hesitant to give blunt feedback, don't know whether people tk in good stride. But want to give & move on, instead hanging on

  12.  Get comfortable with saying no--learning still..

  13.  Have a broad network of people you can trust--I think I have one.

  14. Have a couple of specific career advisors-- have few, but very poor in meeting them regularly. Trying to improve.

  15. Scrub your online presence-- I'll not agree with this. The feedbacks should be there so that people know that v r human being with imperfection.

  16. Perfect your LinkedIn profile--trying still..

  17. Have a portfolio of your best work--tried bringing some projects I have got involved my career in LinkedIn, but I think my 65+ endorsements are my portfolio

  18. Know how to sell (yourself or something else)--Learning

  19. Know how to negotiate--Poor negotiator once upon a time, now learnt from mistakes

  20. Know how to manage up-- as an employee it was different. Now it's a different thing

  21. Know how to send a killer email--learning

  22. Master your handshake--used to be firm. Don't know will that suffice.

  23. Find a to-do list system that works for you-- started with asana, Evernote, now back to good old notepads

  24. Know your energy levels — and use them-- usually I used to be infectious & can spread my enthusiasm to my peers. But when I'm down, I'm down. Thou this happens rarely, it happens as I'm made of human flesh.

  25. Know how much sleep you need and commit to getting it--not good in this

  26. Know how to manage stress-- read, read, listen, watch, play with kids. Day by Day it's increasing as the travel & living without family is more now, need to figure out new ways.

  27. Stop over-apologizing--Want to have the fck all American attitude, miserably failing in mimicking that as its not part of the humble Indian blood

  28. Get over impostor syndrome-- in entrepreneurship u try to put a show lot of times where u lack knowledge for the sake of the showmanship & sustaining the game, always feel bad for the gap. But will try to get over

  29. Have a career emergency plan--never had one. Took it as it was intrapreneurial.

  30. Pick up a side project--always was doing some official stretch side project going out of the regular role's boundary. Even post entrepreneurship trying

  31. Invest in your retirement--never thought & planned. Need to.. May love a simple retired life in my hometown.

  32. Invest in yourself--reading, meeting new people

  33. Invest in the world-- helping in own way by promoting entrepreneurship, intrapreneurship, bread getter for few families who trusts me

  34. Know what you don't want--don't know , May be a boring 9-5 career & life

  35. Give yourself permission to go after what you do-- already done, waiting for results to confirm whether the permission I have given myself is right


Secret behind the connection now...

I'll be 35 by Feb 24 along with this two great personalities.

Miss. Jayalalitha and Steve Jobs celebrate their birthday by Feb 24 since 1948 and 1955 respectively.

I heard they're both regretting about the date factor post 1981, not sure whether it's because of this poor crappy writer/ entrepreneur.

Whether I'm really proud because of this fact? yes ! But how it matters ? really it doesn't matter except the small coincidence.

I like both of them in different aspects. The world has tons of complaints ( even me too on few aspects) against them, but i LOVE them both for being rebel in their own nature. If i want to copy 1 quality from both of them, that's being a rebel against the force.

Why such a long story quoting their name then with me ? It's called viral writing ;-)

It's just going to be 12,783 days in the world when i hit 35 in Feb 24 2016. Don't know whether i achieved many things, but confident atleast few dents.

Let's dent together...

Read More

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

see all

Recent Posts