

Better cybersecurity means finding the “unknown unknowns”

During the past few months, Microsoft Exchange servers have been like chum in a shark-feeding frenzy. Threat actors have exploited critical zero-day flaws in the email software in an unrelenting campaign that the US government has described as “widespread domestic and international exploitation,” one that could affect hundreds of thousands of organizations worldwide. Gaining visibility into an issue like this requires a complete, current picture of every asset connected to a company’s network. Continuous inventory tracking of that kind doesn’t scale with how humans work, but machines can handle it.

For business executives with multiple, post-pandemic priorities, the time is now to start prioritizing security. “It’s pretty much impossible these days to run almost any size company where if your IT goes down, your company is still able to run,” observes Matt Kraning, chief technology officer and co-founder of Cortex Xpanse, an attack surface management software vendor recently acquired by Palo Alto Networks.

You might ask why companies don’t simply patch their systems and make these problems disappear. If only it were that simple. Unless a business has a way to find and keep track of its assets, it cannot even say which systems need the patch.

Businesses have a surprisingly tough time answering what seems like a straightforward question: how many routers, servers, or other assets do they have? If cybersecurity executives don’t know the answer, they cannot convey an accurate level of exposure to the board of directors. And if the board doesn’t understand the risk, and is blindsided by something even worse than the Exchange Server and 2020 SolarWinds attacks, the story almost writes itself.

That’s why Kraning thinks it’s so important to create a minimum set of standards. And, he says, “Boards and senior executives need to be minimally conversant in some ways about cybersecurity risk and GFN of those metrics.” Because without that level of understanding, boards aren’t asking the right questions—and cybersecurity executives aren’t having the right conversations.

Kraning believes attack surface management is a better way to secure companies: a continuous process of asset discovery that covers every asset exposed to the public internet, including what he calls the “unknown unknowns.” New assets can appear from anywhere at any time. “This is actually a solvable problem largely with a lot of technology that’s being developed,” Kraning says. “Once you know a problem exists, actually fixing it is actually rather straightforward.” And that’s better not just for individual companies but for the entire corporate ecosystem.
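As an added illustration (this is example code written for this page, not Expanse’s or Palo Alto Networks’ software), here is a toy version of the discover, evaluate, mitigate loop the interview describes. It takes one round of external observations, deduplicates them, splits them into assets the inventory already knows and the unknown unknowns, and orders a worklist by exposure. The observations, address ranges, CMDB contents, service lists and score weights are all constructed assumptions; a real program would feed in scanner or certificate-transparency output and the organization’s own inventory.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample input (not real data): one pass of external observations, as a
# scanner might report them. Note the duplicate sighting of 203.0.113.10:443.
OBSERVED = [
    {"ip": "203.0.113.10", "port": 443, "service": "https", "banner": "Microsoft-IIS/10.0 OWA"},
    {"ip": "203.0.113.10", "port": 443, "service": "https", "banner": "Microsoft-IIS/10.0 OWA"},
    {"ip": "203.0.113.57", "port": 3389, "service": "rdp", "banner": ""},
    {"ip": "198.51.100.8", "port": 22, "service": "ssh", "banner": "OpenSSH_8.4"},
    {"ip": "203.0.113.57", "port": 5900, "service": "vnc", "banner": "RFB 003.008"},
    {"ip": "192.0.2.77", "port": 25, "service": "smtp", "banner": "Microsoft ESMTP MAIL Service"},
]

# Constructed: the address space IT believes it owns, and the hosts its CMDB actually lists.
MANAGED_RANGES = ["203.0.113.0/24"]
CMDB = {"203.0.113.10"}

# Assumed policy (not from the page): remote-access services must never face the internet,
# and anything that looks like a mail server is bumped up during an Exchange zero-day window.
HIGH_RISK_SERVICES = {"rdp", "vnc", "telnet", "smb"}
MAIL_MARKERS = ("OWA", "Exchange", "ESMTP")


@dataclass(frozen=True)
class Exposure:
    ip: str
    port: int
    service: str
    banner: str


def dedupe(observations):
    """Normalize: collapse repeated sightings of the same ip:port into one Exposure."""
    unique = {}
    for o in observations:
        key = (o["ip"], o["port"])
        unique.setdefault(key, Exposure(o["ip"], o["port"], o["service"], o["banner"]))
    return list(unique.values())


def attribute(exposures, managed_ranges, cmdb):
    """Discover: separate assets the inventory knows from the unknown unknowns.

    Unknowns are tagged by whether they at least sit in a range IT claims to manage
    (a gap in the CMDB) or outside every managed range (a whole blind spot).
    """
    nets = [ip_network(r) for r in managed_ranges]
    known, unknown = [], []
    for e in exposures:
        if e.ip in cmdb:
            known.append(e)
            continue
        in_range = any(ip_address(e.ip) in n for n in nets)
        unknown.append((e, "in_managed_range" if in_range else "outside_managed_ranges"))
    return known, unknown


def score(exposure, tracked):
    """Evaluate: a crude priority score; the weights are illustrative assumptions."""
    points, reasons = 0, []
    if exposure.service in HIGH_RISK_SERVICES:
        points += 50
        reasons.append(f"{exposure.service} is a remote-access service exposed to the internet")
    if any(marker in exposure.banner for marker in MAIL_MARKERS):
        points += 30
        reasons.append("looks like a mail server; confirm patch level")
    if not tracked:
        points += 20
        reasons.append("absent from inventory, so probably unmanaged and unpatched")
    return points, reasons


def triage(observations, managed_ranges, cmdb):
    """Run the loop once and return a worklist ordered by what to mitigate first."""
    known, unknown = attribute(dedupe(observations), managed_ranges, cmdb)
    rows = []
    for e in known:
        points, reasons = score(e, tracked=True)
        rows.append({"ip": e.ip, "port": e.port, "status": "known", "score": points, "reasons": reasons})
    for e, status in unknown:
        points, reasons = score(e, tracked=False)
        rows.append({"ip": e.ip, "port": e.port, "status": status, "score": points, "reasons": reasons})
    rows.sort(key=lambda r: (-r["score"], r["ip"], r["port"]))
    return rows


if __name__ == "__main__":
    for row in triage(OBSERVED, MANAGED_RANGES, CMDB):
        print(f'{row["score"]:3d} {row["ip"]}:{row["port"]:<5} {row["status"]:24} {"; ".join(row["reasons"])}')
```

On this sample the two remote-access services on 203.0.113.57 come out on top: the host sits inside a range IT owns but is missing from the CMDB, which is exactly the “in my estate but outside my controls” case the interview describes. The SMTP server on 192.0.2.77 is the other kind of unknown, outside every managed range, and would be the first thing to chase during an Exchange patch scramble.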

Show notes and links:

“A leadership agenda to take on tomorrow,” Global CEO Survey, PwC

Full transcript

Laurel Ruma: From MIT Technology Review, I’m Laurel Ruma, and this is Business Lab, the show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace.

Our topic today is attack surface management. Where will your next cybersecurity breach come from? Enterprises have more and more things attached to the internet, including ever-expanding networks and aging infrastructure. And as attackers become more creative, executives will have to as well.

Two words for you: unknown unknowns.

My guest is Matt Kraning, who is the chief technology officer and co-founder of Expanse, which was recently acquired by Palo Alto Networks. Matt is an expert in large-scale optimization, distributed sensing, and machine learning algorithms run on massively parallel systems. Prior to co-founding Expanse, Matt worked for DARPA, including a deployment to Afghanistan. Matt holds PhD and master’s degrees from Stanford University. This episode of Business Lab is produced in association with Palo Alto Networks. Welcome, Matt.

Matt Kraning: Thank you so much. Very happy to be here.

Laurel: From the very beginning, you’ve been an expert in large-scale distributed sensing and machine learning algorithms run on massively parallel systems. How did that expertise lead you to co-found a company in the field of attack surface management?

Matt: Well, I’ll say a few things. Attack surface management is what we wound up calling it, but it was actually a very long journey to that and we didn’t really set out knowing that that’s exactly what it would be called or what precisely we would be doing. So there’s not even a Gartner category, which is a certain way of validating the existence for a market segment. That is actually still coming out. So the field of attack surface management, we actually invented ourselves. And a lot of invention means that there’s a lot of discovery going into that.

Unlike a lot of enterprise security and IT companies where, in a lot of cases, most companies founded are usually going into an existing market—they’re doing usually an incremental or evolutionary advancement on top of what has already been invented—we actually took another approach and said, “We’re really, with fresh eyes, asking, ‘What is not being served in the market today?’” And came up with the idea of, “Is the internet, with all of its promise, actually going to be a strategic liability for organizations, no longer just a strategic asset?”

We developed a lot of techniques and technologies to basically look at all of the internet as a dataset: to gather, continuously, information about the internet, which is really where our backgrounds came in both from academia and then also from our work in the defense and intelligence communities, in places like DARPA, and at various places in the US intelligence agencies. And we said, actually, there seems to be a whole bunch of stuff broken on the internet, and surprisingly, a lot of it is actually associated with very large, very important companies. It was scratching on that question that actually led us to both founding Expanse and then also creating what would be the first and is the leading product in what is now known as attack surface management, which is really understanding all of the assets that you have, understanding the risks that they might pose and then also fixing problems.

But when we founded Expanse back in 2012, we didn’t know that it was going to be attack surface management. We didn’t even have the name attack surface management. Instead it was very problem-focused on, “We’re seeing a lot of weird and dangerous things on the internet and a lot of security vulnerabilities. Let’s double-click on that a lot and actually see if there’s a way to build a business around that.”

Laurel: And how much the internet has changed in these nine short years, right? When you talk about that data set and in trying to find information of where the biggest security risks are, how hard was it to find? Did you look around and see, “Oh, look, there are entire datasets, you could track back easily to these companies. They’re leaking.” Or, “Things aren’t secure.”

Matt: I love the phrase, “Everything is obvious once you know the answer.” I think initially one of the main challenges is that in order to even show how large this problem is, you actually need to gather the data. And gathering the data is not easy, especially on a continuous or regular basis, you actually have to have a lot of systems engineering background, a lot of distributed systems background to actually gather data on everything. I think what made our approach unique is that we actually said, “What if we gather data on every single system on the internet?” Which is actually enabled by a lot of both cost advantages enabled by things like cloud computing, but also software advantages both in open source and things that we would write ourselves. And then, rather than starting from things that you know about a company and trying to assess their risks, we said, “Why don’t we start with everything on the internet and then try to whittle it down to what is interesting?”

And a lot of very good insights came out of that where again, almost by accident, we started discovering that we would actually find many, many more security problems than organizations actually knew about themselves. When I’m talking to organizations, I’m not talking to small businesses. I’m talking military services. I am talking Fortune 500 companies, Fortune 100 companies, Fortune 10 companies. Even the largest, most complex, but also the best-financed, most elite customers had security problems. And what really our discovery and our journey in creating the category, in creating attack surface management as an idea, was that we find all of these security vulnerabilities and all of these assets in far-flung places anywhere on the internet, and they will occur for a multitude of reasons.

But it was actually interesting because while the security challenges and security risks were very real, the real symptoms that we found, that we discovered, were actually that organizations did not have an effective means to track all of the assets that they had online and to simultaneously assess the security posture of those assets and to simultaneously fix and remediate and mitigate the risks those posed to the organization.

And I think that was one of the very interesting things was that looking back, we can now say, “Obviously, you want to do all of these activities.” But because we were actually doing something new that had never been done before, it was a new category, we had to discover all of that starting from the point of really, “There seems to be a lot of stuff broken on the internet. We don’t exactly know why, but let’s go investigate.”

Laurel: That’s a good way of thinking of it, starting with a different place and then working your way backwards. So Matt, according to a recent PwC survey of more than 5,000 CEOs around the world, 47% are extremely concerned about cybersecurity. Now, 47% doesn’t sound like a large number to me, shouldn’t it be closer to 100%?

Matt: I would say that every CEO I’ve talked to is concerned about it on some level. And I think a lot depends on where they are. Overall, what we’ve noticed is a very large uptick, especially in the last five years, of the attentiveness of the CEOs and boards of directors to cybersecurity issues. Where I think we’ve seen a lag, though I think there are a few exceptions in this area, is that a lot of both tools and presentations that go, especially for executive audiences, for cybersecurity risks do not effectively convey everything that those people need to make effective decisions. And I think this is challenging for a variety of reasons, especially that a lot of CEOs and boards do not necessarily have the full technical background in order to do so. But I think it’s also been a failure to date in industry to be able to provide those tools. And I think we’re going to see more and more changes there.

I equate it to really the state of finance before Sarbanes-Oxley that basically started to require CEOs to get training, and boards as well, to start to understand certain financial metrics, to actually have certain controls in place. I think at the high level, we are going to have to see something like that in the coming years be implemented in some way to say that there are a minimum set of standards and that boards and senior executives need to be minimally conversant in some ways about cybersecurity risk and GFN of those metrics. Right now, I’ve seen a lot of people say, “I am concerned about this, but then I also don’t really know where to go next” or, “I’m conversant. We got a report. We hired some firm. They had this presentation that had a whole bunch of PowerPoint slides with a lot of charts that would have Christmas tree lights that made my brain melt. And I could not really understand the concepts.”

I think people get it, but we’re still in the early days of, How do you have effective controls over this? And then how do you actually have programs that are robust around it? Again, we need to move in that direction because more and more boards need to see this as a foundational aspect of their company, especially as pretty much all companies today, I don’t care what industry you’re in, what size, your company actually runs on IT. It’s pretty much impossible these days to run almost any size company where if your IT goes down, your company is still able to run. And as a result, an understanding of cybersecurity at those levels, with attack surface now being a part of that, is very important for organizations to have, because otherwise you will put your organization at a very large amount of risk by not being able to properly assess things like that.

Laurel: Yeah. And that gets back to the old adage, every company is a technology company. But maybe this is a more specific example of how it is. Could you briefly describe what attack surface management is, maybe perhaps for that executive audience?

Matt: The way that we describe attack surface management is it’s effectively a three-step process where all steps are done continuously in the form of cycle, but it is a process and procedure by which you, or really a vendor, in this case Expanse or Palo Alto Networks, continuously discover all assets that an organization has. In our case, from external attack surface, all assets that you have on the public internet. And that is a continuous process because at any given time, and I can go into this later, but at any given time, new assets could appear from anywhere on the internet. So you need to have a continuous discovery process that says, “At any given time, I might not know everything about my assets so I should have mechanisms to gather information about anywhere that they could be and try to associate them to my organization.”

At the same time as soon as an asset is discovered, you have to have means to evaluate it across a variety of different characteristics. In many cases, if I’ve discovered a new asset, is this asset actually truly new? And if it is not, then matching, normalizing, deduplicating that with other things. If it is a new asset, then in most cases, it’s actually going to be unmanaged. So how do I actually start a slew of activities to say, “This is an asset that exists with mine, but it usually exists outside of an intended set of security controls. So how do I start a process to both assess what controls need to be put in place and then bring it under management.” And the third part of evaluation is also understanding what is the risk that this poses immediately to my organization to help me prioritize activities.

The final step is what we call mitigation. Once you’ve evaluated everything that you’ve discovered, what do you actually do about it? What actions do you take and how do you do so in highly automated and effective ways. And for us, there are two primary steps that mitigation involves. I mentioned prioritization, but it’s one, bringing systems under management. In a lot of cases, what that also means is that for most systems associated with our large customers, it actually means taking them either off the internet directly, so we’re putting them behind a VPN or other sort of corporate device, or making sure that they are then known and then up-to-date because in a lot of cases, the real symptom of security problems that we find happens to be around the fact that an asset was just unmanaged for a very long time and may contain security vulnerabilities that were later discovered simply because you would have security patches that exist for known security issues that had not been applied.

In certain cases, such as zero-day attacks, it’s actually just much more important to know where all the assets are so you can patch them as soon as possible. But for the larger majority of assets that we discover for our customers and help manage their attack surface, the real problem is that the assets are just not known. And for executives, the real key is that the existing processes and tools that a lot of companies use can be very good from this certain side of security, but they assume that networks are effectively a lot more static.

Laurel: So what are the ramifications of an enterprise not knowing their actual attack surface?

Matt: The largest, most obvious one is an increased risk of breach. I think it was an adage throughout a lot of the 2000s, helped along in no small part by vendors, that everything started from email phishing. And there are very, very large email security vendors that still pump this message that every single security incident is effectively a phishing email and that humans are the weakest link when they’re clicking on things, and therefore buy more email security.

I don’t think that’s wrong. I think it’s actually correct that security is a big thing, you can buy it. But it’s also much easier to mitigate especially now with a lot of good tools, like you actually have full visibility over all emails being sent to employees because they have to go through a central mail server. It’s actually a question of just being able to detect bad things but not actually needing to find out that there were, say, emails being sent that you didn’t have visibility into.

I think in contrast, what we’ve seen, especially more recently over the last decade and really even the last five years, is some of the absolute worst breaches, the ones that cause hundreds of millions to billions of dollars in damage, are not coming from phishing. They are actually coming from usually unknown and unmonitored assets that in many cases were actually on the public internet. So I think some of the largest examples of this are actually things like the WannaCry attack, which caused an estimated over $10 billion worldwide in damage, shut down entire companies, putting most of the health-care system of the United Kingdom back on pen and paper for actual days.

And the real ramifications are, you have all these extra avenues to get in because there are so many more assets that are online that are not being tracked by organizations, and that is actually how attackers are getting in because it turns out that there are very efficient, automated ways for attackers to understand and probe for and exploit these attack surfaces. And the ramifications are quite bold. You see most of the healthcare of a first-world country reduced to pen and paper for days. Very, very serious because it’s not just hacking someone’s email, it’s actually hacking the critical infrastructure of the network itself.

Laurel: Speaking of critical infrastructure, another recent attack is the water treatment plant in Florida, where an attacker was able to remotely change the chemical makeup of the water to add lye to it, which could have poisoned an entire community. So then, infrastructure is an enormous issue for very large companies, like water treatment plants or oil and gas companies, etc.?

Matt: Absolutely. In that case, to the best of my understanding, the attack vector there was actually a remote access server that someone at that plant left open, was on the internet, and allowed someone to go in. What our tech services are about is we’re finding ways in that are effectively tools of IT convenience but that are able to be subverted by attackers because the tools of IT convenience are not hardened to the same degree as other things that are meant to be on the internet and are left out as a matter of course. We have this line that we like to view the internet in most ways as what most of us experience through our web browsers or on our phone. It’s this really nice, set-up consumer experience and all of the webpages we view look very nice and pleasing and we go there.

And it’s a good analogy to the physical world like I guess, soon after we’re all vaccinated from covid-19, we’ll be back shopping outside. You might go to a Starbucks and the store is really nice, you have this great experience, you get your latte, you go out, but then if you look beneath all of the glitz on the streets, you actually have much older infrastructure. You have things like old sewer pipes and other things that are greasy and cracking. And that’s the infrastructure that supports the more beautiful world on top.

A lot of what we see as part of attack surface is an IT analogy that most people view the internet really as just, “What’s in their web browser? What’s on the phone, these nice consumer websites?” But there’s entire backend IT infrastructure that supports that. And it’s somewhat creaky and it’s not always well-configured. Without something like ASM, you have problems that you don’t actually know the state of your network because it’s so large, distributed, and complex. And as in the case with Florida, which by the way was a smaller organization, it goes to the heart of how do you know that something is not going on? Under any IT security policy, having a remote access service on the internet should not be allowed. But it’s very hard even for smaller organizations to get that continuous visibility of, what do I actually look like from the outside? What do I look like to an attacker with legacy tools?

Laurel: And that’s a good example of an attack that’s not a phishing attack. It has nothing to do with the email. While we’re on the discussion of attacks, most memorably this year again, SolarWinds and Exchange, how would implementing ASM have changed those outcomes for organizations? Or how about those lucky organizations that actually understood their attack surface management options and were able to find this and thwart the attack?

Matt: I’ll speak to both because a number of our customers had both of those kinds of systems and we helped them respond. I think the Microsoft Exchange hacks, and for your listeners, a bit of background: there was actually a set of zero-days announced for the sets of versions of the Microsoft Exchange email services earlier in February and March of this year. Very, very dangerous because in effect, these are the mail servers of an organization and if you followed this XY chain, what it basically allowed you to do was send a message to a mail server to grant you effectively unfettered administrative access to the entire mail server. And there were actually hundreds of thousands of these that we detected online. And effectively, if you think about it, having an attacker being able to download all or most of the corporate mail server, with all of this sensitive information that’s stored there, is a very serious attack.

So what we noticed were actually two things, which was, for large organizations, they were very aware of this and they were patching very, very rapidly. But there were a number of customers that we were able to help where they’re so large that they actually don’t even have one central set of mail servers. So without Expanse, they wouldn’t have been able to find even all of their mail servers and be able to patch them in time because they are so distributed, they actually needed an inventory of even their mail servers. And it’s very hard to aggregate that in one central way unless you’re using an ASM tool like Expanse. Because instead, in a lot of cases, you’re usually using Microsoft Outlook and Microsoft Excel. You’re going to be sending emails to different business units. You’re going to be asking IT leaders in those different business units. If they’re patched, they will be sending emails and spreadsheets back. It’s a very, very manual process.

So we were able to actually identify that and really help them, in very short order, like a day, find and be able to fix every single server they had on their estate, which we think really, really changed the outcome, because they could have been vulnerable for weeks in certain cases. For SolarWinds as well, I think the details are a bit different because not all SolarWinds assets are necessarily exposed to the internet. And also in a lot of cases, they’d been there for months. As part of broader Palo Alto, we had other products that were able to stop SolarWinds: the SolarWinds attack in particular, our endpoint framework called XDR. But even there for SolarWinds, once the attack was known, customers still had the problem of, they didn’t even know where all of their SolarWinds servers were, which again goes back to this inventory problem, and using capabilities, both like Expanse and other capabilities we now have as part of Palo Alto, we were able to actually help customers very rapidly understand everywhere they had a SolarWinds exposure so that they could mitigate that very quickly. So there was effectively a two-step process. At Palo Alto, we were able to prevent the attack on our customers even without knowing that the supply chain had been breached. And then once it was more public, we were actually able to then also help everyone identify all of the servers that they had and make sure that they were all up to date and not infected with the supply-chain Trojan.

Laurel: That’s really interesting because some companies may be thinking, “Oh, well, we don’t have water plants and aging infrastructure to worry about.” But do you actually know where all your mail is stored and how many different servers it may be on and different cloud instances or wherever? And when you do only have a matter of hours to make this critical patch, how quickly can you do it?

Matt: Exactly. And a lot of the questions that I asked our customers are just, “How do you have confidence that, effectively, your systems are up to date?” Answering even seemingly basic sounding questions with existing IT, if you don’t have Expanse or ASM, is actually surprisingly hard. I’ll give another fun example. I ask chief information security officers this all the time: “How many routers does your organization have?” It seems like a pretty basic question, seems like they’d know, at least to a very good approximation, the IT team should probably know exactly how many routers they have. They’re very important pieces of networking equipment, especially at the enterprise level, they’re more expensive. So it’s not just like that home Wi-Fi hotspot that we’re used to. These things can cost tens, in some cases, hundreds of thousands of dollars to handle enterprise-grade workloads.

And what we find is that when you ask that question, there’s actually usually not one central place where all that’s tracked. Instead, it will be tracked by local development and IT teams in different ways. It will be tracked in multiple spreadsheets. There may be certain local IT management systems that know that, but at the end of it, if you said like, “How many routers do you have right now?” The process that they would use to answer that is not going into a system or logging in, it’s actually starting an email chain. That’s actually one of the main problems that attack surface management attempts to solve, is, How do you have an accurate and up-to-date inventory of everything so that you can then build a variety of processes on top of that, including security? But if you don’t have an up-to-date inventory or you think you do, but you don’t, then when you start to pull on that thread, a lot of business processes, a lot of IT processes, a lot of security processes that you want to have apply across your entire enterprise, all of a sudden you’re realizing, “Wait, this actually is only being partially implemented because if I don’t have a full inventory, how do I actually know what’s going over all of my assets as opposed to just the assets I know about?” And that’s what we talk about when we say “unknown unknowns.” As you mentioned at the top, it’s, “I know some degree of my systems, but do I know all of them?” That delta can be everything for organizations because most of their risk is in the parts of their network they did not even know to investigate.

Laurel: What other data-driven decisions can be made from this sort of focus on actually knowing where all your assets are. How else can this help the business?

Matt: Two areas that this really helps organizations with is actually cloud governance and M&A. Particularly, these are very sprawling enterprises. So for a lot of our customers, they might actually have hundreds of different cloud accounts in the public cloud providers, so AWS, Azure, Oracle, Google, Alibaba in a lot of cases, and they had no way to actually rationalize this because they would have a whole bunch of different development teams and they couldn’t get something. And so, when they say that they are moving to the cloud, a typical refrain from our customers will be like, “Yes, we are. We have deals with Amazon and we’re hedging our bets a little bit. We’re also exploring Azure so we’re not solely locked into one cloud.” What we find is that the average customer for Expanse is in 11 different infrastructure providers.

I’m not talking SaaS, I’m talking in places that you actually get like renting a server, putting data on yourself. It’s amazing and astronomical and we could say, “Well, yeah, you are on Azure. You’re also on AWS. Did you know that you’re also in DigitalOcean? You’re also in Linode. Your general manager in Europe probably put you in OVH or Orange hosting. You have something else in the Malaysian data center. I’m not exactly sure what that is.” And that’s typical. One customer for us was actually in over a hundred different providers because they’re a very large multinational. I think that’s when we see that people’s cloud governance plans versus cloud reality are dramatically different. And helping them with that will enable them to move both securely and quickly to the cloud.

Second one is mergers and acquisitions. I think this is something that is increasingly happening. As a lot of industries are consolidating, there’s a lot of M&A activity more recently. But when you think about it, an M&A is one of the largest IT change events an organization can have, especially if it’s a large acquisition. So I know a little bit about this, having recently gone through this process with Palo Alto Networks ourselves, on the other side of the table, but the number of things you have to integrate is quite large. And in the case of Expanse, we’re integrated with a top security company in the world and also we are relatively small. So the integration headaches have been almost nonexistent, and it’s been a really great process.

But for larger organizations where, say, an organization with 50,000 people is acquiring an organization with 10,000 people, the number of different steps you have to go through, the amount of IT that you have to transfer, the amount of legacy that you have to understand is gigantic. And in a lot of ways, these are in many cases only partially implemented because as an acquirer, you might not even know where all the assets you’re acquiring are. As an example, for an airline, there was a series of mergers and we were actually able to find assets of the merged airline that no longer exists, but were still on the internet more than a decade after the merger.

Which gives you an idea of just how long some of these things take. That’s the other side of, how we really help with our customers, is actually understanding, “When you actually acquire an asset, how do you actually complete that process? How do you measure it? How do you monitor it and how do you do that at the scale of the internet rather than with a lot of consultants, Excel spreadsheets, pieces of paper and emails?”

Laurel: So from our conversation today, I feel like this is the, “If you don’t know what you don’t know, you should really figure it out” warning, if you haven’t heard it before. But there are glimmers of hope in this, right? Because if the asset exists, you can at least find it, track it and assess what you’re going to do with it, remediate any changes you need to make or assess it to bring it back to full cybersecurity compliance. What gives you hope about what’s possible after seeing the first three months of this year and what’s happened with attacks, the ongoing issues that we’re going to have? But there is opportunity there, right? There is hope. What are you seeing that makes you optimistic about cybersecurity and what we’re looking forward to in the next five years?

Matt: Yeah, I’m actually quite optimistic in not even the long-term but even in the medium term I think, even three, four years out. Near-term, definitely there’s going to be some rough seas ahead, but here’s what makes me most optimistic. One, I think that this is actually a solvable problem largely with a lot of technology that’s being developed. And by that, it is clear that once you know a problem exists, actually fixing it is actually rather straightforward. There’s a lot of mechanistic steps to get better at that. There’s a lot of automations that can be put on that. And there’s a lot of things coming to bear. But in many cases, the actual hard part is seeing what you actually need to fix and knowing all of the set of problems and then being able to prioritize them effectively and then start working on them.

And I think in particular, the things that I’ve seen are within the industry, I think there are a lot of technologies in the few years that are going to meet the marketing hype that has been around for years. I talk a lot with industry partners. We use substantial amounts of data. With my background where I have a PhD from Stanford in operations research and machine learning, we actually do use some real actual machine learning in our products. We also use a lot of heuristics as well. I joke that we sometimes have machine learning classifiers to solve a problem. Other times we have SQL queries that solve the problem.

We have some really well-written SQL queries. I’m very proud of those. But I think that the industry itself, especially in marketing material, you would think that everything in cybersecurity is this automated AI, ML-enabled everything. In most cases, but not all, but in a lot across the industry, and this is especially true in startups, it’s just a line to pitch. And what companies really call AI are just standard software rules and there’s really nothing special going on.

Or there’s an old joke that, “Oh, I have this great AI thing. What is it? Well, we have a bunch of analysts that are former intelligence officers, usually in Maryland or outside of Tel Aviv and they’re the ones doing everything. But we have a system that efficiently routes work to them and that’s our AI.” And they’re like, “Wait, that’s people.” I think what I’ve seen is that one, automation broadly defined is a real thing. But automation actually means on the ground, is you take something that previously took hours and days and 10 people. And then with software right now, it’s more so how do you take that down to 15 minutes and two or three people?

I think that we’re going to see even larger gains or even start to take humans out of the loop entirely in certain business processes. And I think what we’re seeing and this is a lot of what we’re working on and I’m working on now is that over the next months and years, actual large-scale machine learning capability is actually being deployed in production. I think there are some that are out there in piecemeal. There’s a lot more rules than anyone wants to talk about, but we are now seeing there’s enough assemblage of data, there’s enough normalization of data in that, especially at the larger companies, and that enterprises are more willing to share information with vendors if it demonstrably improves the security service that they are getting, that we are actually going to be able to deploy increasingly sophisticated capabilities along those lines and have the product/reality match. I think that’s what at least the broader industry marketing zeitgeist had been.

I’ve seen a lot of them, they are very, very real and they’re very much coming. And they’re coming at an industrial scale for defenders. And I think that’s what I’m most excited about because despite the fact that there’s the old adage of, attackers need to be right once, defenders need to be right all the time, increasingly, it is now more scalable for defenders to be right much of the time and to actually set up very vast monitoring networks so that if the attackers slip up once, the defenders can completely wipe them out in that attack. And that both asymmetrically affects cost and also I think will help tilt the field back to defense.

Matt: I think when you had partial AI solutions and ML solutions and partial automation, it helped attackers much more because they could duct-tape together a few different parts, scale up certain things very highly and then just see what came back to them in a great way. I think defenders are going to be able to have similar capabilities that are effective because they actually cover everything going on in an enterprise. And that’s going to allow us to turn the tide.

Laurel: Matt, thank you so much for joining us today in what has been a fantastic conversation on the Business Lab.

That was Matt Kraning, the chief technology officer and co-founder of Expanse, who I spoke with from Cambridge, Massachusetts, the home of MIT and MIT Technology Review, overlooking the Charles River.

That’s it for this episode of Business Lab. I’m your host, Laurel Ruma. I’m the director of Insights, the custom publishing division of MIT Technology Review. We were founded in 1899 at the Massachusetts Institute of Technology. And you can also find us in print, on the web, and at events each year around the world.

For more information about us and the show, please check out our website at

This show is available wherever you get your podcasts. If you enjoyed this episode, we hope you’ll take a moment to rate and review us. Business Lab is a production of MIT Technology Review. This episode was produced by Collective Next. Thanks for listening.

This podcast episode was produced by Insights, the custom content arm of MIT Technology Review. It was not produced by MIT Technology Review’s editorial staff.


Leveraging Health Care Reform To Address Underinsurance In Working Families

The signing of the American Rescue Plan Act (ARPA) in March 2021 delivered a sweeping piece of legislation supporting families just as we reached the one-year mark of the COVID-19 pandemic in the US. The $1.9 trillion package includes a number of measures that provide direct support to families, including several new provisions that make historic strides to reduce childhood poverty. Also within the ARPA are many provisions on health insurance coverage focused on making coverage options for individuals and families more affordable as the country emerges from the pandemic.

As necessary as the ARPA’s coverage provisions and other federal pandemic relief packages have been, they do not address fundamental weaknesses in family and dependent health insurance coverage that have worsened in recent years. In building on employer-based insurance and the Affordable Care Act’s (ACA’s) health insurance Marketplaces, the ARPA maintains the status quo for “underinsured” children and families, whose health insurance coverage fails to protect them financially, offer robust pediatric benefits, or guarantee access to appropriate provider networks to support comprehensive pediatric care.

This blog post explores what this vulnerability means for dependent coverage in particular, including how our own research shows that working parents have been seeking alternatives to employer-based dependent coverage for years. Future reforms need to focus on the challenges that underinsurance poses to families, which may mean difficult conversations about the role and future of employer-based insurance in its current form.

Pandemic Relief Builds On Private Health Insurance Without Addressing Its Shortcomings For Families

Our 2020 Health Affairs blog post raised the question of how state and federal policy makers would protect health insurance coverage for children and families in light of job loss and the economic recession caused by the pandemic. The ARPA is an important, albeit imperfect, step toward closing this gap. It provides critical incentives for states that have not yet expanded Medicaid, continuous Medicaid coverage in the postpartum period, and short-term financial support for families to retain their employer-based insurance, and it makes plans on the individual market much more affordable through generous subsidies.

Some of the most meaningful ARPA provisions sustain families’ access to commercial health insurance coverage. Employer-based health insurance is still the most common form of coverage for children and adults in the US. Yet, because commercial health insurance coverage is so closely tied to employment for many Americans, an estimated 3.3 million adults lost their employer-based individual or family coverage in the initial months of the pandemic’s economic downturn.

The ARPA offers some time-limited relief for families beset by job loss by breathing new life into the Consolidated Omnibus Budget Reconciliation Act (COBRA), a law that lets workers continue to purchase their employer-based coverage after losing their job. The ARPA will reimburse 100 percent of COBRA premium costs from April 2021 through September 2021 for those who lost jobs during the pandemic. Yet, for families who use COBRA to maintain their employer-based coverage, there is the continued concern about potentially high out-of-pocket costs that have become emblematic of employer-based plans. Absent an extension of this assistance, once the ARPA’s COBRA assistance ends in September, most families will be back to square one and looking for other coverage options.

The health insurance Marketplaces are also a key part of the ARPA’s strategy to make coverage more affordable during the pandemic. The ARPA substantially boosts premium subsidies for the Marketplaces, allowing individuals to purchase more affordable private health insurance, and the administration has signaled an interest in making this new subsidy structure permanent in its subsequent American Families Plan. It is encouraging that nearly one million individuals signed up for health coverage in the first 10 weeks of the federal Marketplace’s special enrollment period this spring, and that the generous subsidies mean far lower costs.

Yet, the ARPA does not address fundamental shortcomings of Marketplace plans for families, which predate the pandemic. Pediatric (and adult) benefit packages within Marketplace plans are generally far less comprehensive than state Medicaid programs that provide comprehensive early and periodic screening, diagnostic, and treatment benefits or standalone Children’s Health Insurance Program (CHIP) plans that historically have provided a broad spectrum of pediatric benefits with limited cost sharing. Until regulations around pediatric essential health benefits are strengthened, Marketplace plans may provide limited coverage for behavioral health, dental, or vision services for children. Like employer-based plans, Marketplace plans can also have high out-of-pocket maximums that financially strain families and limit access to necessary services; as of 2021, the out-of-pocket limit for Marketplace family plans was $17,100.

Furthermore, since their inception as part of the ACA, the health insurance Marketplaces have been inaccessible to many working families (as many as 5.1 million people) due to the “family glitch.” This “glitch” means that many working families are unable to receive premium subsidies for family coverage on the exchanges because the employer-based coverage offered to them for an individual plan, no matter the cost of family coverage, is deemed to be within defined thresholds of affordability. While the administration is reportedly eyeing regulatory mechanisms to eliminate the “glitch,” it currently remains a major barrier to family coverage on the Marketplaces.

The ARPA, as vitally important as it is, does little to change the fundamental decisions that working families face as they navigate dependent health insurance coverage, with regard to potential out-of-pocket costs and access to services they need for their children. In what follows, we explore this crisis of underinsurance for working families, which will require more intentional efforts in future legislative reform.

The Fundamental Issues Driving Underinsurance For Working Families

Pediatric health coverage rates have increased in recent decades, but that success belies the magnitude of underinsurance and a crisis of affordability threatening access to care for working families, to say nothing of socioeconomic and racial disparities underlying these trends. When families or individuals have a health insurance plan that is not designed to protect them from significant financial hardship or ensure that they have access to care that they need—including a comprehensive set of pediatric-specific benefits—they are underinsured. Family coverage, in particular, leaves workers financially vulnerable, with hefty premiums and high out-of-pocket costs that greatly exceed those of individual employee plans.

Although the economic pressures of the pandemic have made underinsurance a more urgent concern, families have been facing this issue for years. Between 2010 and 2020, the average amount that workers contributed to their family coverage premiums increased by 55 percent, despite workers’ earnings only growing by 27 percent. Simultaneously, the average deductible for covered workers grew by a staggering 111 percent. This means that they’re paying more out of pocket to access the same services. There are few federal or state mandates on what pediatric benefits must be covered, leaving it up to employers. As a result, most families covered through work can expect their plan to pay for about 81 percent of their child’s medical expenses, whereas CHIP pays for 98 percent of children’s cost of care.

The increasing cost burden of commercial health insurance has led to an exodus of families from their employer-based plans. Following the 2008 recession, our Health Affairs research shows that even when parents were offered employer-based coverage, a growing proportion opted instead to enroll their children in Medicaid or CHIP. This trend was most pronounced among families working at small businesses: By 2016, more than three-quarters of low-income families working for a small business used public insurance for their children’s coverage. Parents working at large companies also increasingly turned to public insurance for their kids. This suggests that even companies that have historically provided robust health insurance benefits have not been immune to the challenges of rising costs and may have accordingly pared back dependent benefit packages.

Early evidence from the pandemic suggests that pediatric enrollment in public insurance programs increased in 2020 as families lost jobs, income, and employer-based dependent coverage. Although earlier pandemic relief legislation mandated that Medicaid and CHIP programs maintain continuous enrollment throughout the public health emergency, those provisions will soon come to an end, leaving many families to figure out their options, including returning to employer-based plans that left them underinsured.

Significant Reforms Are Long Overdue

Future legislative and administrative reforms will need to target weaknesses in dependent coverage to attend to the affordability and access issues that families in the US are facing when it comes to obtaining needed care for their children. Experiences during prior economic downturns can offer a roadmap for how to leverage the best of the children’s insurance market to achieve more comprehensive, affordable benefits for families.

Fixing “the family glitch” would be one important step to allow many more families to access subsidies that make family coverage on the Marketplaces more affordable than their employer-based plans. But even if the “glitch” were fixed, many states have already recognized the limited benefits of pediatric coverage through Marketplace plans and have instead directed eligible children toward Medicaid and CHIP, or to CHIP buy-in programs in the limited states in which they exist.

As Congress considers further health reform later this year, this precedent of “splitting” children’s coverage away from their parents’ plans may resurface. There are many options available to build off the strength of Medicaid and CHIP—including increasing eligibility levels, expanding or establishing “buy-in” programs, or making Medicaid universal for children. Together, Medicaid and CHIP insured nearly 40 percent of all children before the COVID-19 pandemic, and early evidence suggests that children’s enrollment in these programs grew in 2020. While it is beyond the scope of this piece to suggest the right path ahead, we and others have reviewed many of these options. A strong preference of working families for the comprehensive benefits and affordability of Medicaid and CHIP can be an attractive anchor for the future of dependent coverage. Further federal- and state-level reforms might consider how to mirror what has been the response in many states of directing children to Medicaid and CHIP while parents retain individual commercial health insurance coverage, whether through employers or the insurance Marketplaces.

Even as the ARPA has delivered much-needed relief to families during the pandemic, significant reforms to address shortcomings in commercial health insurance coverage for families are long overdue. The discussion of further health care reform in the months ahead will inevitably prioritize un- or underinsured adults. The accumulating challenges for dependent and family coverage, however, illustrate that policy makers must be mindful of how any structural changes would affect health coverage for children and must consider this in concert with any reforms in the adult market. Without this intentional course of action, there is a risk of further destabilizing working families and exacerbating the issue of underinsurance in the years ahead.

What Changes When Almost Everyone Can Get Vaccinated

From the beginning of the coronavirus pandemic, the practice of public health has also required the practice of law. As widespread vaccination and other factors have brought case rates down across the United States, state and local governments’ legal authority to impose extraordinary measures in the name of fighting the virus is becoming more limited. Governors and mayors have steadily lifted restrictions not just because infections are down, because vaccinations have increased, or because the public can no longer tolerate pandemic-related restrictions, but also because officials’ power to impose blanket limits on the behavior of individuals and businesses has a defined end: when people have the ability to protect themselves. Nationally, thousands of new coronavirus infections are still occurring every day, but efforts to combat the pandemic from this point on will have to operate within stricter legal constraints than they did in the early weeks of the pandemic.

In April 2020, on assignment from the CDC, I became the senior adviser for public health in New York City Mayor Bill de Blasio’s office. My job was to lead the strategy for fighting COVID-19. In that capacity, I spent as much time talking with lawyers and writing affidavits as I did analyzing the latest COVID-19 research. In those days, “following the science” of public health was fairly straightforward: It meant mandating masks and physical distancing, promoting widespread testing and isolation when necessary, and, crucially, restricting the right of businesses and other entities to welcome people from different households indoors. When New York City and New York State ordered such measures, we were sued by restaurants, bars, and gyms.

Our successful defense against these suits rested on several facts. First, everyone was at risk from COVID-19. Second, in the absence of a vaccine, the only effective way to reduce the risk of illness was to reduce the risk of exposure, and the only way to do that was for everyone to sacrifice for one another by wearing masks, maintaining distance, and exercising constant vigilance. Third, any indoor gathering of people from different households risked transmission to large numbers of people from different social networks. (Where such gatherings were unavoidable, such as in schools, strict precautions were required at all times.) Finally, and most important, widespread community infection could lead to two existential threats: the collapse of the health-care system, and an extended period of mass death on the scale of what New York experienced in the horrific early phase of the pandemic.

Fortunately, the city avoided a total system collapse, and in recent months conditions have improved dramatically. New case rates have plummeted. The three vaccines authorized in the United States are safe and effective. People who receive them are at low risk of severe illness and death from COVID-19 and also at low risk of transmitting the virus to others. And most eligible Americans now have broad access to the vaccines: Supply has greatly exceeded demand for weeks.

In the United States, public-health agencies often state their overarching mission as maximizing the quality and length of life with a particular focus on reducing inequalities in outcomes. But their legal authority to regulate residents’ civil liberties derives from a narrow source: the responsibility to protect public safety, as delegated to states in the police-powers clause of the Tenth Amendment. Just as average citizens lack the ability to stop a terrorist or extinguish a wildfire, they also lack the expertise and technology to address major health threats. Individuals cannot, for example, identify a product that caused an E. coli O157 outbreak and take it off grocery-store shelves.

And yet for public-health agencies to use their authority, expert knowledge is not enough. They also need broad community consensus that the government is justified in invoking its police powers. The more widespread and urgent the threat, and the fewer reliable methods individuals have to protect themselves, the greater the public’s expectation that the government will step in.

Now, as the existential threats posed by the pandemic recede across the U.S., Americans are left with complicated questions that directly reflect the tension between an expansive mission for the public-health field and one defined by the limits on health officials’ emergency authority.

Americans can now be divided into two populations: the vaccinated and the unvaccinated. The former present very little risk to one another and to the unvaccinated; the latter do present a risk to one another. Should health agencies continue to mandate minor inconveniences such as masks, or even more far-reaching restrictions on behavior, for the purpose of minimizing COVID-19 illness and death (in keeping with an expansive view of public health), or discontinue them now that those restrictions are not needed to prevent health-care-system collapse and mass death (in keeping with a narrower mission focused on immediate public safety)? Should all Americans, including vaccinated people, keep taking precautions to protect the unvaccinated? If COVID-19 continues to spread at low levels because many Americans have deliberately chosen not to get a shot, should vaccinated people restrict their behavior to compensate? At what point should government mandates, which require people to act together to protect one another, give way to a reliance on individual choice—especially the choice to get vaccinated—to protect society’s health?

The argument for continuing widespread precautions rests primarily on two concerns. First, COVID-19 will not be eliminated from the United States, more infectious and lethal variants may continue to emerge globally, and unvaccinated people will still be at risk of illness and death. Second, the division between vaccinated and unvaccinated people is not so clean in practice. Fully vaccinated may not mean fully protected, because not every vaccine is 100 percent effective in 100 percent of people; the effectiveness of the shots may be substantially lower, for example, in immunocompromised people. Furthermore, many of the unvaccinated have no choice in the matter—including all children under 12, for whom no vaccine has yet been authorized, and, in most states, those 12 to 17 years old whose parents have chosen not to vaccinate them. Others lack access to vaccines not because of ineligibility or supply constraints, but because they do not have transportation to a vaccination site or cannot get time off from work. Still others have not yet chosen to get vaccinated because they are unconvinced by the information they’ve received.

Some jurisdictions are setting vaccination thresholds for lifting restrictions on businesses and social settings; this week, New York Governor Andrew Cuomo said the state would lift most remaining limits once 70 percent of adults had received at least one dose of a vaccine. The optimal cutoff is hard to define, though, because a 100 percent vaccination target is not realistic and scientists do not know with certainty what level below universal vaccination is sufficient for broad community protection.

Another reason state and local health agencies will continue to wrestle with tensions over lifting restrictions is their own institutional form of PTSD—a well-founded fear that COVID-19 could fell our society again. They and the elected officials whom they advise vary widely in how much authority they are willing to assert, however. Some agencies will remove all precautions in the face of overwhelming pressure from business owners or the general public. Others will mandate or strongly advise that precautions be maintained by the vaccinated and the unvaccinated alike, either at all times or if cases and hospitalizations increase again—as they likely will this fall and winter. Many academic public-health experts favor more stringent restrictions than public-sector practitioners, including me, believe are realistic. Experts can fairly argue that because we’re all in this together, universal precautions should continue even when the existential threat to society has passed. But it’s quite another thing to enforce those restrictions on businesses and workers whose livelihoods remain at risk and on the large and growing swath of the population that has been vaccinated and rightly expects to return to pre-pandemic activities.

Ultimately, the path forward requires returning to the primary mission of public safety: protecting those who cannot reasonably be expected to protect themselves. In the U.S., the highest priority for all government agencies, employers, and health-related organizations should be to ensure truly universal access to vaccines. A successful policy would ensure that all residents of communities with low vaccination rates are confronted with vaccination drives in their houses of worship, pharmacies, community centers, and workplaces. It would also provide people with paid time off to get shots and recover from side effects. To overcome hesitancy—including that resulting from some Americans’ experience of poverty and societal racism—health agencies should work closely with trusted messengers and media channels to relay pro-vaccination messages built upon facts, respect, and empathy.

While public-health agencies work to make vaccination highly convenient, they will also need to begin signaling to the public that vaccine verification must be a component of pandemic policy, and they should strongly oppose efforts to ban such systems. Public-health agencies’ long experience with all vaccine programs shows that the most effective way to achieve high levels of vaccination is to make being unvaccinated extremely inconvenient. Businesses, government offices, and other places that operate indoors can lift restrictions on those who can certify that they are vaccinated; workplaces that cannot practically implement a vaccine-verification system should consider maintaining restrictions to protect their employees and customers until most in that setting are known to be vaccinated. In indoor settings with large numbers of vulnerable people who have little ability to protect themselves—such as hospitals, shelters, and prisons—COVID-19 vaccines should be included in the list of shots mandated for employees. Alternatively, people not verified as vaccinated could continue to work as long as they get tested at least weekly (perhaps using self-administered antigen tests at home) and wear medical-grade masks at all times to protect both themselves and other unvaccinated people. Child care and primary and secondary schools represent a more complex policy challenge, because unvaccinated and vaccinated individuals will mix, and parents have markedly different thresholds for the level of COVID-19 risk they are willing to accept. (Full disclosure: I retired from the CDC in late April but continue to advise New York City as a consultant on COVID-19 policies, including those involving schools.) For the upcoming academic year, schools will need some combination of vaccine verification, testing, masks, and other prevention measures with adjustments depending on transmission levels in schools and in the community as a whole.

When faced with existential threats, extreme approaches are warranted. But as the worst threats wane, the most sensible approach to public-health decision making will fall somewhere between “We’re all in this together” and “Your fate is in your own hands.” A more targeted approach—one that neither requires universal sacrifice nor relieves everyone of all inconvenience—isn’t just politically wise or legally necessary; it’s the only path forward that we have.

LI high school baseball in 2021: Aces wild

Velo, velo and more velo.

Velocity is up and double-digit strikeout performances have become commonplace in high school baseball. Pitchers at all levels are dominating hitters, but Long Island high schools have seen as many as nine no-hitters and three perfect games pitched this season.

Welcome to baseball in the spring of 2021. Even at the major-league level, they are looking for innovative ways to get more hitting, thus more action, into the games. Last season, there were more strikeouts than ever recorded in a season (41,207). And there were more strikeouts than hits for the first time. And there have been six no-hitters in the majors in 2021.

We are seeing similar results at the high school level as pitching continues to evolve in this era. And that evolution of pitchers is taking control of the game. With that in mind, here are short profiles on some of Long Island’s most dominating high school arms:


Clarke, Sr.

Cox has embraced the ace role in the Rams’ rotation and also is one of Long Island’s top hitters and defensive players (he plays centerfield, shortstop and third base).

“He’s a fantastic athlete,” Clarke coach Tom Abruscato said. “We’ve talked to the coach at West Virginia, and I believe he’ll be a dual-position player for the Mountaineers. They’ll use him in either centerfield or at third base and as a closer.”

Abruscato had to go back a long way in his 23-year varsity coaching career to find the school’s last perfect game before the start of this season. Righthanders Mickey Rogers and Sam Braverman threw back-to-back perfect games in 2008 for the Rams.

Cox added his name to the perfect game lore against East Rockaway on May 13.

“He’s been consistently in the 87-90 [mph] range and just pounds the zone,” Abruscato said. “He throws a hard knuckle-drop and a changeup for strikes. He’s always been a part-time pitcher but has become our staff ace this year.”

Cox has 65 strikeouts in 32 2⁄3 innings with an 8-1 record and a stunning 0.00 earned run average. He’s allowed 12 hits and 13 walks.

2021 Numbers

W-L: 8-1 | ERA: 0.00 | ER: 0 | IP: 32.2 | H: 12 | SO: 65 | BB: 13

College: West Virginia


Dylan Johnson, Newfield, Sr.

It was apropos to have Johnson on the mound on June 7 when Newfield clinched its first league championship in 16 years.

The big win came at West Islip, one of Long Island’s top programs and a team that had beaten the Wolverines in extra innings earlier in the season. Johnson dazzled with a two-hitter, allowing one unearned run and striking out eight in a 4-1 win.

“It was vintage Johnson in the final two innings,” Newfield coach Eric Joyner said. “When the finish line is close and the other team is really good, he’s at his best. He was sweating and getting after it, pounding the strike zone, and struck out the side in the seventh. His velocity increased and the breaking ball was more tightly wrapped.”

Johnson has been nearly unhittable. He’s struck out 56 and walked nine in 36 innings with an ERA of 0.97. He has a 5-0 record with three saves.

“He has helped our team win games that looked lost,” Joyner said. “You can only do so much as coaches. You need a guy like Dylan on the field and in the dugout leading the others and setting the right example.”

Johnson was excited about Newfield’s first title since 2005.

“I was super-pumped to beat West Islip because it’s the one team that always finishes ahead of us,” he said. “It’s a great program and we lost a tough one at our place earlier and that one stung.”

Johnson is committed to St. John’s University.

2021 Numbers

W-L: 5-0 (3 SV) | ERA: 0.97 | ER: 4 | IP: 36 | H: 12 | SO: 56 | BB: 9

College: St. John’s


Rafe Schlesinger, Sachem East, Sr.

Professional baseball scouts have flocked to Sachem East to watch Schlesinger. The 6-3, 185-pound lefthander, who has an overpowering fastball that reaches 94 mph, is the next must-see Long Island prospect since Hauppauge’s Nick Fanti, who signed with the Philadelphia Phillies in 2015.

“Rafe is the real deal,” Sachem East coach Kevin Schnupp said. “There are four or more scouts at every game to see him throw. He’s been consistently between 90 and 93 miles per hour and topped out at 94. He’s developed such late life on his pitches.”

Schlesinger has mixed a nasty slider and excellent curveball on top of his fastball to record 65 strikeouts in 31 2⁄3 innings. He’s walked 12 and allowed 16 hits and four earned runs for an ERA of 0.88. His record is 2-1.

“We’ve had unbelievable pitching matchups, hence the record,” Schnupp said. “We’ve faced five No. 1 pitchers this season. It’s been tough on our hitters, but Rafe loves it. He’s a big-time competitor.”

Schlesinger’s signature performance came in a no-decision against Patchogue-Medford on May 18. He fired a no-hitter for 6 1⁄3 innings and struck out 17.

Sachem East (14-3) is in second place in Suffolk League I.

“We wouldn’t be there without him,” Schnupp said. “He’s a game-changer.”

Schlesinger is committed to the University of Miami.

2021 Numbers

W-L: 2-1 | ERA: 0.88 | ER: 4 | IP: 31.2 | H: 16 | SO: 65 | BB: 12

College: Miami


Leiderman, Roslyn, Sr.

Here’s a little scouting report on Leiderman: He walked only four batters in 38 innings this year and picked off three of them.

“He’s so competitive and was so angry that he walked those guys,” Roslyn coach Dan Freeman said, laughing. “So he picked them off. He’s a huge piece of a once-in-a-lifetime team here at Roslyn. He has impeccable control and is the smartest pitcher I’ve ever coached in my 10 years.”

Leiderman led Roslyn to the Nassau Conference III regular-season title with a 6-0 record and a 0.00 ERA. He struck out 52 and allowed 11 hits.

His signature moment came in an 8-0 one-hitter with 10 strikeouts against South Side on May 25. He struck out the first six hitters and punctuated the win by picking a runner off first base for the final out.

“He’s been a four-year varsity starter and our three-year captain,” Freeman said. “He has an incredible baseball IQ. He studies hitters and pounds the zone. Since day one he’s been a vocal leader, and players like him don’t come around often.”

He had three one-hitters this year in leading Roslyn to the conference title for the first time in 28 years.

He’s committed to play at the University of Chicago.

2021 Numbers

W-L: 6-0 | ERA: 0.00 | ER: 0 | IP: 38 | H: 11 | SO: 52 | BB: 4

College: University of Chicago


Ventimiglia, Longwood, Sr.

Ventimiglia has been a tough-luck pitcher this season. He has battled the top pitchers in Suffolk League I and come away with some brutal losses.

Ventimiglia is one of Long Island’s top prospects, and the 6-4 righty has garnered the attention of numerous major-league organizations for this year’s amateur draft in July.

Ventimiglia, with a fastball sitting at 89 to 90 mph that occasionally reaches 94 mph, has embraced the competition. He’s struck out 42 in 26 2⁄3 innings and has a 1.22 ERA with a 4-3 record.

“I’m facing top-tier pitchers every game and I know I have to go out and give my team a shot,” Ventimiglia said. “There is no room for mistakes every time I get out there. We’re playing small ball to try and win these games. It’s absolutely 100% preparing me for the next level.”

With a potential pro career looming and his commitment to Stony Brook University, Ventimiglia is focused on what’s in front of him.

“I’m not focused on the draft or college right now because I really would like to win the league playoffs and go win the Long Island championship,” he said. “I’ve been getting a good amount of contact from pro teams and it’s a dream come true just to be considered. It’s hard not to get excited. But honestly, I want a great playoff run with my teammates and that would be a great way to end my high school career and go out with a ring.”

2021 Numbers

W-L: 4-3 | ERA: 1.22 | ER: 5 | IP: 28.2 | H: 19 | SO: 42 | BB: 17

College: Stony Brook


John Downing, Chaminade, Jr.

Struck out 39 in 38 2/3 innings with nine walks. He’s 5-0 with a 1.33 ERA. Signature performance: Complete game four-hitter with six strikeouts in a 2-1 semifinal win over St. John the Baptist.

Josh Knoth, Patchogue-Medford, Soph.

Struck out 65 in 36 2/3 innings with six walks. He’s 4-1 with one save and an ERA of 1.71. Signature performance: 16 strikeouts in eight innings vs. Sachem East on May 18.

Tyler O’Neill, Mepham, Sr.

Struck out 49 in 38 innings with four walks. He is 4-1 with a 0.23 ERA. Signature performance: No-hitter with nine strikeouts and one walk vs. New Hyde Park on May 25.

John Rizzo, East Islip, Sr.

Struck out 68 in 42 innings with six walks. He’s 5-1 with one save and an ERA of 0.51. Signature performance: One-hitter with 20 strikeouts vs. Hills West on May 8.

Colin Rhein, North Babylon, Sr.

Struck out 54 in 34 innings. He’s 4-1 with a 1.44 ERA. Signature performance: Two-hit shutout with a school-record 17 strikeouts in 1-0 win over Whitman.

Kyle Rosenberg, Wheatley, Jr.

Struck out 38 in 31 innings with eight walks. He’s 5-0 with one save and 1.35 ERA. Signature performance: Complete game with 10 strikeouts vs. Cold Spring Harbor on May 7.
