<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="http://blogs.forrester.com/security_and_risk">
  <channel>
    <title>Security and Risk</title>
    <link>http://blogs.forrester.com/security_and_risk</link>
    <description />
    <language>en</language>
          <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/ForresterSRM" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="forrestersrm" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">ForresterSRM</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname><item>
    <title>Avoid The Headlines, Focus On Corporate Culture</title>
    <link>http://blogs.forrester.com/chris_mcclean/12-05-23-avoid_the_headlines_focus_on_corporate_culture?cm_mmc=RSS-_-IT-_-59-_-blog_1835</link>
    <description>&lt;p&gt;&lt;em&gt;Guest post from Researcher Nick Hayes.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Chris and I recently published a &lt;a href="http://www.forrester.com/Best+Practices+Establish+A+Culture+Of+Compliance+And+Risk+Management/fulltext/-/E-RES72643" target="_blank"&gt;report&lt;/a&gt; describing how to build risk and compliance principles into your company's corporate culture. As we worked to finalize, edit, and publish the report, a flurry of new corporate scandals emerged, all related to this topic.&lt;/p&gt;
&lt;p&gt;Here are just a few of them:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Wal-Mart executives accused of trying to hush up bribery cases in Mexico (article &lt;a href="http://www.nytimes.com/2012/04/22/business/at-wal-mart-in-mexico-a-bribe-inquiry-silenced.html?_r=4&amp;amp;hp" target="_blank"&gt;here&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;A whistleblower accuses Infosys of engaging in a systematic practice of visa fraud (article &lt;a href="http://www.cbsnews.com/8301-505263_162-57412896/whistleblower-calls-out-it-giant-over-u.s-jobs/?tag=morningLeadStoriesAreaMain;thisMorningLeadHero" target="_blank"&gt;here&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;A former Goldman Sachs employee writes an op-ed for the New York Times blasting the company's ethics (article &lt;a href="http://www.nytimes.com/2012/03/14/opinion/why-i-am-leaving-goldman-sachs.html?pagewanted=all" target="_blank"&gt;here&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;JP Morgan suffers a $2 billion trading loss due to "poorly monitored" trades (article &lt;a href="http://dealbook.nytimes.com/2012/05/11/the-bet-that-blew-up-for-jpmorgan-chase/" target="_blank"&gt;here&lt;/a&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;What's the common theme? &lt;strong&gt;The financial, reputational, regulatory, and operational risks related to poor employee behavior are massive, and often overlooked.&lt;/strong&gt;&lt;/p&gt;&lt;a href="http://blogs.forrester.com/chris_mcclean/12-05-23-avoid_the_headlines_focus_on_corporate_culture" title="Read the rest of &amp;#039;Avoid The Headlines, Focus On Corporate Culture&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_85 first"&gt;&lt;a href="/category/grc" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;GRC&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10786"&gt;&lt;a href="/category/governance_risk_and_compliance" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Governance Risk and Compliance&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9989"&gt;&lt;a href="/category/change_management" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;change management&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_698"&gt;&lt;a href="/category/corporate_culture" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;corporate culture&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9614 last"&gt;&lt;a href="/category/organizational_culture" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;organizational culture&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/chris_mcclean/12-05-23-avoid_the_headlines_focus_on_corporate_culture#comments</comments>
 <category domain="http://blogs.forrester.com/category/grc">GRC</category>
 <category domain="http://blogs.forrester.com/category/governance_risk_and_compliance">Governance Risk and Compliance</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <category domain="http://blogs.forrester.com/category/change_management">change management</category>
 <category domain="http://blogs.forrester.com/category/corporate_culture">corporate culture</category>
 <category domain="http://blogs.forrester.com/category/organizational_culture">organizational culture</category>
 <pubDate>Wed, 23 May 2012 22:12:09 +0000</pubDate>
 <dc:creator>Chris McClean</dc:creator>
 <guid isPermaLink="false">7777 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>My Threat Intelligence Can Beat Up Your Threat Intelligence</title>
    <link>http://blogs.forrester.com/rick_holland/12-05-22-my_threat_intelligence_can_beat_up_your_threat_intelligence?cm_mmc=RSS-_-IT-_-59-_-blog_2756</link>
    <description>&lt;p&gt;Have you ever been in a vendor meeting and heard the vendor extol the greatness of their threat intelligence?  You may have even seen a slide that looks similar to this:&lt;/p&gt;
&lt;p&gt;Image source: iStockphoto&lt;/p&gt;
&lt;p&gt;The vendor probably proceeded to highlight the key differentiators that make their threat intelligence network stand second to none.  Bullets containing statistics like this surely followed:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Global coverage, in well over 100 countries&lt;/li&gt;
&lt;li&gt;50 million network devices&lt;/li&gt;
&lt;li&gt;50 billion web queries each month&lt;/li&gt;
&lt;li&gt;30 billion emails a month&lt;/li&gt;
&lt;li&gt;100 million users&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I have been in countless meetings and presentations where this exact scenario has occurred, and I get d&amp;eacute;j&amp;agrave; vu every time I hear it. In fact, if you simply swapped out the vendor logo you could almost use the same slide deck. Threat intelligence networks are like opinions: everybody has one. Vendors are often surprised when I tell them that their threat intelligence networks aren't that unique. Vendors collect data from their own offerings: Cisco or Juniper leverage their networking offerings, players like McAfee or Symantec leverage diverse security portfolios, content delivery companies like Akamai leverage their content delivery networks, and so on; you get the idea. Am I saying there isn't value in these threat intelligence networks? Absolutely not; my position is that the vendors aren't deriving actionable intelligence that is significantly different from the competition's, and there is considerable overlap in what is being observed. The vendors are looking at the same malicious activities from slightly different perspectives. Vendor threat intelligence networks are commoditized.&lt;/p&gt;
&lt;p&gt;After I explain my position to the vendor who has just attempted to dazzle me with their threat intelligence network capabilities, I like to dig deeper and focus on the research that accompanies the threat intelligence network.&lt;/p&gt;&lt;a href="http://blogs.forrester.com/rick_holland/12-05-22-my_threat_intelligence_can_beat_up_your_threat_intelligence" title="Read the rest of &amp;#039;My Threat Intelligence Can Beat Up Your Threat Intelligence&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_793 first"&gt;&lt;a href="/category/security_risk" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Security &amp;amp; Risk&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10783 last"&gt;&lt;a href="/category/threat_intelligence" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;threat intelligence&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/rick_holland/12-05-22-my_threat_intelligence_can_beat_up_your_threat_intelligence#comments</comments>
 <category domain="http://blogs.forrester.com/category/security_risk">Security &amp; Risk</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <category domain="http://blogs.forrester.com/category/threat_intelligence">threat intelligence</category>
 <pubDate>Tue, 22 May 2012 13:48:51 +0000</pubDate>
 <dc:creator>Rick Holland</dc:creator>
 <guid isPermaLink="false">7754 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Kim Kardashian And APTs </title>
    <link>http://blogs.forrester.com/rick_holland/12-05-17-kim_kardashian_and_apts?cm_mmc=RSS-_-IT-_-59-_-blog_2756</link>
    <description>&lt;p&gt;On Wednesday, American footwear company Skechers agreed to pay the US Federal Trade Commission $40 million. This &lt;a href="http://www.ftc.gov/opa/2012/05/consumerrefund.shtm"&gt;settlement&lt;/a&gt; resulted from a series of commercials that deceived consumers by claiming that the Shape-Ups shoe line would "help people lose weight, and strengthen and tone their buttocks, legs and abdominal muscles." Professional celebrity Kim Kardashian appeared in a 2011 Super Bowl commercial personally endorsing the health benefits of these shoes.&lt;/p&gt;
&lt;p&gt;This settlement was part of an ongoing FTC campaign to "stop overhyped advertising claims."  A similar effort would serve the information security community well.  For example, one particular claim that causes me frequent grief is: "solution X detects and prevents advanced persistent threats."  It is hard, dare I say impossible, to work in information security and not have heard similar assertions. I have heard it twice this week already, and these claims make my brain hurt.&lt;/p&gt;&lt;a href="http://blogs.forrester.com/rick_holland/12-05-17-kim_kardashian_and_apts" title="Read the rest of &amp;#039;Kim Kardashian And APTs &amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_329 first"&gt;&lt;a href="/category/incident_response" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Incident Response&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9657"&gt;&lt;a href="/category/nav" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;NAV&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10757 last"&gt;&lt;a href="/category/malware" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;malware&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/rick_holland/12-05-17-kim_kardashian_and_apts#comments</comments>
 <category domain="http://blogs.forrester.com/category/incident_response">Incident Response</category>
 <category domain="http://blogs.forrester.com/category/nav">NAV</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <category domain="http://blogs.forrester.com/category/malware">malware</category>
 <pubDate>Thu, 17 May 2012 13:12:31 +0000</pubDate>
 <dc:creator>Rick Holland</dc:creator>
 <guid isPermaLink="false">7743 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Is The Time Right To Spread Your Risk? </title>
    <link>http://blogs.forrester.com/andrew_rose/12-05-15-is_the_time_right_to_spread_your_risk?cm_mmc=RSS-_-IT-_-59-_-blog_2747</link>
    <description>&lt;p&gt;For many years, security professionals have lived by the three pillars of risk management - AVOID, TREAT, ACCEPT.  These great tenets have served the profession well, enabling CISOs to build appropriately secure networks at a tolerable level of cost. Unfortunately, as evidenced by the litany of security breaches we have seen over the past 12 months, it's clear that the landscape is changing.  More than ever before, security is clearly a 'no-win' game.&lt;/p&gt;
&lt;p&gt;The high-profile attackers, state-sponsored or otherwise, are one threat - but it goes deeper than this. The keys to the kingdom are no longer in the hands of the generals and policy makers; their decisions and discussions are enabled by email, IM and IP telephony, all of which sit firmly in the domain of the IT department and system admin - and stressed, poorly paid employees do not make the ideal custodians of such critical information. As an example, Anonymous claims to have access to every classified government database in the US, but they didn't hack them - disaffected system administrators and employees simply opened the doors for them, or sent them the access codes.&lt;/p&gt;
&lt;p&gt;As the broadening gap between our ambitions for a secure enterprise and our ability to deliver on such a vision becomes self-evident, the time has come to pay equal attention to the poor cousin of risk management, "TRANSFER." For many CISOs, risk transference is a largely theoretical topic because, even when a task is outsourced, the risk associated with a breach commonly remains with the data-owning organisation. Cyber insurance offers a different solution.&lt;/p&gt;&lt;a href="http://blogs.forrester.com/andrew_rose/12-05-15-is_the_time_right_to_spread_your_risk" title="Read the rest of &amp;#039;Is The Time Right To Spread Your Risk? &amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_9878 first"&gt;&lt;a href="/category/cyberinsurance" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Cyberinsurance&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9915"&gt;&lt;a href="/category/risk_management" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Risk Management&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_793 last"&gt;&lt;a href="/category/security_risk" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Security &amp;amp; Risk&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/andrew_rose/12-05-15-is_the_time_right_to_spread_your_risk#comments</comments>
 <category domain="http://blogs.forrester.com/category/cyberinsurance">Cyberinsurance</category>
 <category domain="http://blogs.forrester.com/category/risk_management">Risk Management</category>
 <category domain="http://blogs.forrester.com/category/security_risk">Security &amp; Risk</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <pubDate>Tue, 15 May 2012 14:09:44 +0000</pubDate>
 <dc:creator>Andrew Rose</dc:creator>
 <guid isPermaLink="false">7733 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Hackers Vs. Executives Is Back </title>
    <link>http://blogs.forrester.com/rick_holland/12-05-08-hackers_vs_executives_is_back?cm_mmc=RSS-_-IT-_-59-_-blog_2756</link>
    <description>&lt;p&gt;Our next installment of &amp;quot;Hackers vs. Executives&amp;quot; is just weeks away.  Join us at the Forrester Security Forum and sit in on one of the most popular sessions of the event each year. We have a great panel lined up for you.  In the Hackers corner, we have &lt;a href="http://www.forrester.com/Chase%20Cunningham/-/E-EXT5279?eId=EVE2590"&gt;Chase Cunningham&lt;/a&gt; of Neustar and &lt;a href="http://www.forrester.com/Brian%20Gorenc/-/E-EXT5245?eId=EVE2590"&gt;Brian Gorenc&lt;/a&gt; of HP Tippingpoint DVLabs.  In his hacking demo, Chase will use social engineering, packaged exploit delivery, and credential harvesting to show you how open source data can create avenues for hackers to attack users and ultimately compromise your network.  In his hacking demo, Brian will provide an in-depth look at what it takes to analyze a vulnerability and the steps required to weaponize it.  Centering on a vulnerability in a Microsoft application, the demo will show you how an attacker can quickly move from proof-of-concept to remote code execution.&lt;/p&gt;
&lt;p&gt;In the Executive corner, we have &lt;a href="http://www.forrester.com/Richard%20Bejtlich/-/E-EXT5244?eId=EVE2590"&gt;Richard Bejtlich&lt;/a&gt; of Mandiant and &lt;a href="http://www.forrester.com/Steve%20Martino/-/E-EXT5259?eId=EVE2590"&gt;Steve Martino&lt;/a&gt; of Cisco Systems. Richard and Steve will discuss what these types of attacks mean to Security &amp;amp; Risk professionals, including how your organization can prepare and respond to them.  John Kindervag and I will moderate the panel. There will be great discussion and you will have the opportunity to ask questions of all of our panelists. It will be a fantastic session; one you won&amp;#39;t want to miss.  Please join us in Las Vegas on May 25th from 11:05 to 12:40. Take a look at the Security Forum &lt;a href="http://www.forrester.com/Forresters+Security+Forum+2012/-/E-EVE2590"&gt;website&lt;/a&gt; for more details. John and I hope to see you there.&lt;/p&gt;
&lt;a href="http://blogs.forrester.com/rick_holland/12-05-08-hackers_vs_executives_is_back" title="Read the rest of &amp;#039;Hackers Vs. Executives Is Back &amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;</description>
     <comments>http://blogs.forrester.com/rick_holland/12-05-08-hackers_vs_executives_is_back#comments</comments>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <pubDate>Tue, 08 May 2012 13:00:00 +0000</pubDate>
 <dc:creator>Rick Holland</dc:creator>
 <guid isPermaLink="false">7703 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>NASDAQ OMX Acquires BWise… Where Is GRC Headed?</title>
    <link>http://blogs.forrester.com/chris_mcclean/12-05-07-nasdaq_omx_acquires_bwise_where_is_grc_headed?cm_mmc=RSS-_-IT-_-59-_-blog_1835</link>
    <description>&lt;p&gt;Last week saw news that yet another top GRC software vendor has been acquired, following in the footsteps of Paisley, Archer, OpenPages, among others. BWise has always been an impressive vendor in the GRC space, so first off I think congratulations are in order for both parties.&lt;/p&gt;
&lt;p&gt;That said, if you didn't see NASDAQ's entry into the GRC software space coming, don't beat yourself up&amp;hellip; after watching the large technology vendors and content providers enter the space over the past 3 years, this wasn't an obvious move. But looking a little deeper, NASDAQ's move makes sense for a couple of reasons:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;NASDAQ's target market cares about GRC.&lt;/strong&gt; NASDAQ lists its target roles as marketing/corporate communications, board and corporate secretary, investor relations, and corporate finance. All of these roles have a vested interest in better controls, stronger risk management practices, and improved corporate governance.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;BWise has always focused on the "G" of GRC.&lt;/strong&gt; More than any other of the top GRC software vendors, BWise targeted governance professionals with capabilities such as entity management.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;There are immediate integration possibilities.&lt;/strong&gt; Among NASDAQ's corporate solutions are products for board management, whistleblower reporting, and XBRL filing. BWise has a host of capabilities (issue management, process management, policy management, reporting, etc.) that could quickly add value to implementations of those products.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;But, as always with a deal like this, both parties will have to show the market how they will address some key questions:&lt;/p&gt;&lt;a href="http://blogs.forrester.com/chris_mcclean/12-05-07-nasdaq_omx_acquires_bwise_where_is_grc_headed" title="Read the rest of &amp;#039;NASDAQ OMX Acquires BWise… Where Is GRC Headed?&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_85 first"&gt;&lt;a href="/category/grc" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;GRC&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9558"&gt;&lt;a href="/category/acquisitions" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;acquisitions&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10723 last"&gt;&lt;a href="/category/nasdaq" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;nasdaq&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/chris_mcclean/12-05-07-nasdaq_omx_acquires_bwise_where_is_grc_headed#comments</comments>
 <category domain="http://blogs.forrester.com/category/grc">GRC</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <category domain="http://blogs.forrester.com/category/acquisitions">acquisitions</category>
 <category domain="http://blogs.forrester.com/category/nasdaq">nasdaq</category>
 <pubDate>Tue, 08 May 2012 01:02:21 +0000</pubDate>
 <dc:creator>Chris McClean</dc:creator>
 <guid isPermaLink="false">7704 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>From Customer To Channel Partner</title>
    <link>http://blogs.forrester.com/edward_ferrara/12-05-07-from_customer_to_channel_partner?cm_mmc=RSS-_-IT-_-59-_-blog_2706</link>
    <description>&lt;p&gt;Even though it is not specific to security, this idea came to me while attending Dell's Annual Analyst Conference (DAAC) in Austin, Texas two weeks ago. One of the hot topics discussed at the conference was the issue of bring your own device (BYOD). Dell recognizes this is a major trend and is looking for ways to remain true to its business-to-business DNA while still offering a competitive endpoint solution with strong management and security capabilities. This is a problem for companies like Dell because a significant amount of revenue comes from corporate rather than consumer sales, but BYOD is a consumer sale.&lt;/p&gt;
&lt;p&gt;Not all is lost, however. As corporations move away from purchasing blocks of PCs for their employees, they will still have the ability to influence which equipment their employees purchase. The value for the employer is that it retains some visibility into the types of equipment employees will use. The employee wins because the equipment they purchase has been vetted, giving some assurance that it is compliant with company systems.&lt;/p&gt;
&lt;p&gt;What this means is that organizations will need to treat their former business customers as &lt;em&gt;channel partners&lt;/em&gt;. I can envision scenarios where device makers provide their former customers with marketing funds and special incentive funds (SPIFs) to encourage employees to buy their equipment. They will also be willing to offer the end-user customer/employee a volume discount for purchasing specific equipment. All of the major cell phone providers offer this type of program. PC makers, but also other types of device makers, need to start looking at their former customers as channel partners.&lt;/p&gt;&lt;a href="http://blogs.forrester.com/edward_ferrara/12-05-07-from_customer_to_channel_partner" title="Read the rest of &amp;#039;From Customer To Channel Partner&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;</description>
     <comments>http://blogs.forrester.com/edward_ferrara/12-05-07-from_customer_to_channel_partner#comments</comments>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <pubDate>Mon, 07 May 2012 20:11:37 +0000</pubDate>
 <dc:creator>Edward Ferrara</dc:creator>
 <guid isPermaLink="false">7701 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>CISOs Must Act As The Glue Between BC, DR And Security</title>
    <link>http://blogs.forrester.com/stephanie_balaouras/12-05-03-cisos_must_act_as_the_glue_between_bc_dr_and_security?cm_mmc=RSS-_-IT-_-59-_-blog_1123</link>
    <description>&lt;p&gt;During the past three years, you may have noticed that security and risk professionals have added a new term to their lexicon - business resiliency. Is this just an attempt by vendors to rebrand business continuity (BC) and IT disaster recovery (DR), in much the same way that vendors rebranded information security as cybersecurity to make it seem sexier and to sell more of their existing products? Some of it certainly is rebranding. However, just as the shift in the threat landscape from lone hackers to well-funded crime syndicates and state-sponsored agents precipitated the use of the term cybersecurity, a real shift has also taken place in BC/DR.&lt;/p&gt;
&lt;p&gt;If you look up the term "resiliency" in the dictionary, it's defined as "&lt;em&gt;an occurrence of rebounding or springing back&lt;/em&gt;". Thus, business resiliency refers to the ability of a business to spring back from a disruption to its operations. Historically, BC/DR focused on the ability of the business to &lt;em&gt;recover&lt;/em&gt; from a disruption. Recovery implies that there was in fact a disruption: for some period of time, business operations were unavailable, and there was downtime as the business strove to &lt;em&gt;recover&lt;/em&gt;. Resiliency, on the other hand, implies that an event may have affected the business' operations, and perhaps the business operated in a diminished state for some period of time, but operations were never completely unavailable; the business was never down.&lt;/p&gt;&lt;a href="http://blogs.forrester.com/stephanie_balaouras/12-05-03-cisos_must_act_as_the_glue_between_bc_dr_and_security" title="Read the rest of &amp;#039;CISOs Must Act As The Glue Between BC, DR And Security&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_89 first"&gt;&lt;a href="/category/business_continuity" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Business continuity&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_92"&gt;&lt;a href="/category/disaster_recovery" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Disaster recovery&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_785 last"&gt;&lt;a href="/category/cybersecurity" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;cybersecurity&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/stephanie_balaouras/12-05-03-cisos_must_act_as_the_glue_between_bc_dr_and_security#comments</comments>
 <category domain="http://blogs.forrester.com/category/business_continuity">Business continuity</category>
 <category domain="http://blogs.forrester.com/category/disaster_recovery">Disaster recovery</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <category domain="http://blogs.forrester.com/category/cybersecurity">cybersecurity</category>
 <pubDate>Thu, 03 May 2012 21:21:49 +0000</pubDate>
 <dc:creator>Stephanie Balaouras</dc:creator>
 <guid isPermaLink="false">7691 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Active Directory Moving To The Cloud?</title>
    <link>http://blogs.forrester.com/andras_cser/12-05-02-active_directory_moving_to_the_cloud?cm_mmc=RSS-_-IT-_-59-_-blog_1762</link>
    <description>&lt;p&gt;We hear a lot about cloud IAM vendors offering metadirectories or user repositories in the cloud. We predict that in 1-2 years we&amp;#39;ll see AD being moved from on-premises installations into cloud-based services. This has the benefits of simpler provisioning, higher availability, and much easier support for federation, both into SaaS applications and with business partners. Today the only technical difficulty is the latency of access to AD in the cloud from on-premises applications, but we believe this will be resolved by some type of customer premises equipment (much like the reverse of Symplified&amp;#39;s Identity Router today). Moving AD into the cloud will also have a huge impact on reducing the cost of AD management and improving delegated administration by providing easy-to-use web interfaces.&lt;/p&gt;
&lt;a href="http://blogs.forrester.com/andras_cser/12-05-02-active_directory_moving_to_the_cloud" title="Read the rest of &amp;#039;Active Directory Moving To The Cloud?&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;</description>
     <comments>http://blogs.forrester.com/andras_cser/12-05-02-active_directory_moving_to_the_cloud#comments</comments>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <pubDate>Wed, 02 May 2012 14:18:52 +0000</pubDate>
 <dc:creator>Andras Cser</dc:creator>
 <guid isPermaLink="false">7687 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Business Continuity Standards Don’t Matter -- But They Should</title>
    <link>http://blogs.forrester.com/stephanie_balaouras/12-04-26-business_continuity_standards_dont_matter_but_they_should?cm_mmc=RSS-_-IT-_-59-_-blog_1123</link>
    <description>&lt;a href="http://blogs.forrester.com/stephanie_balaouras/12-04-26-business_continuity_standards_dont_matter_but_they_should" title="Read the rest of &amp;#039;Business Continuity Standards Don’t Matter -- But They Should&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_89 first"&gt;&lt;a href="/category/business_continuity" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Business continuity&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_92"&gt;&lt;a href="/category/disaster_recovery" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Disaster recovery&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9740"&gt;&lt;a href="/category/enterprise_risk" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Enterprise Risk&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_88 last"&gt;&lt;a href="/category/enterprise_risk_management" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Enterprise Risk Management&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/stephanie_balaouras/12-04-26-business_continuity_standards_dont_matter_but_they_should#comments</comments>
 <category domain="http://blogs.forrester.com/category/business_continuity">Business continuity</category>
 <category domain="http://blogs.forrester.com/category/disaster_recovery">Disaster recovery</category>
 <category domain="http://blogs.forrester.com/category/enterprise_risk">Enterprise Risk</category>
 <category domain="http://blogs.forrester.com/category/enterprise_risk_management">Enterprise Risk Management</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <pubDate>Thu, 26 Apr 2012 19:10:13 +0000</pubDate>
 <dc:creator>Stephanie Balaouras</dc:creator>
 <guid isPermaLink="false">7663 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Zero Trust Identity: Go From "Identity-As-A-Service" To "IAM-As-An-API"</title>
    <link>http://blogs.forrester.com/eve_maler/12-04-17-zero_trust_identity_go_from_identity_as_a_service_to_iam_as_an_api?cm_mmc=RSS-_-IT-_-59-_-blog_2681</link>
    <description>&lt;p&gt;I just love the theme of our upcoming Forrester Security Forum (Las Vegas in May, and Paris in June -- check out Laura Koetzle&amp;#39;s &lt;a href="http://blogs.forrester.com/laura_koetzle/12-04-03-security_risk_professionals_leapfrog_your_global_competition_rethink_security_run_at_the_threat"&gt;definitive blog post&lt;/a&gt;). &lt;strong&gt;Leapfrog Your Global Competition. Rethink Security; &lt;em&gt;Run At The Threat&lt;/em&gt;.&lt;/strong&gt; There&amp;#39;s never been a better time to take a deep breath and rethink how security can contribute to business savvy and agility. The &amp;quot;Zero Trust Identity&amp;quot; report I&amp;#39;d &lt;a href="http://blogs.forrester.com/eve_maler/12-03-12-a_new_venn_of_access_control_for_the_api_economy"&gt;telegraphed&lt;/a&gt; in my previous post on API access control is now &lt;a href="http://www.forrester.com/security-&amp;amp;-risk#/Navigate+The+Future+Of+Identity+And+Access+Management/quickscan/-/E-RES61625"&gt;out&lt;/a&gt;, and it&amp;#39;s consonant with this theme. I found that if enterprises want to be nimble &lt;em&gt;and secure&lt;/em&gt; in getting value out of mobile, cloud, and consumerization trends, they&amp;#39;re going to have to get over some bad &amp;quot;unextended enterprise&amp;quot; habits, such as tight coupling to authentication functions.&lt;/p&gt;&lt;a href="http://blogs.forrester.com/eve_maler/12-04-17-zero_trust_identity_go_from_identity_as_a_service_to_iam_as_an_api" title="Read the rest of &amp;#039;Zero Trust Identity: Go From &amp;amp;quot;Identity-As-A-Service&amp;amp;quot; To &amp;amp;quot;IAM-As-An-API&amp;amp;quot;&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_10084 first"&gt;&lt;a href="/category/apis" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;APIs&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10644"&gt;&lt;a href="/category/fsf12" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;FSF12&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_81"&gt;&lt;a href="/category/identity_and_access_management" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Identity and access management&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10645"&gt;&lt;a href="/category/sfe12" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;SFE12&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9868 last"&gt;&lt;a href="/category/web_services" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;web services&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/eve_maler/12-04-17-zero_trust_identity_go_from_identity_as_a_service_to_iam_as_an_api#comments</comments>
 <category domain="http://blogs.forrester.com/category/apis">APIs</category>
 <category domain="http://blogs.forrester.com/category/fsf12">FSF12</category>
 <category domain="http://blogs.forrester.com/category/identity_and_access_management">Identity and access management</category>
 <category domain="http://blogs.forrester.com/category/sfe12">SFE12</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <category domain="http://blogs.forrester.com/category/web_services">web services</category>
 <pubDate>Tue, 17 Apr 2012 22:29:27 +0000</pubDate>
 <dc:creator>Eve Maler</dc:creator>
 <guid isPermaLink="false">7620 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Communication And Coordination Should Be The Cornerstone Of Your BC Plan</title>
    <link>http://blogs.forrester.com/stephanie_balaouras/12-04-12-communication_and_coordination_should_be_the_cornerstone_of_your_bc_plan?cm_mmc=RSS-_-IT-_-59-_-blog_1123</link>
    <description>&lt;p&gt;In a recent Forrester/DRJ joint survey on BC preparedness, of organizations that have invoked a BC plan in the last five years, 37% said that their BC plans had not adequately addressed communication. In my experience, I've found that many organizations:&lt;/p&gt;&lt;a href="http://blogs.forrester.com/stephanie_balaouras/12-04-12-communication_and_coordination_should_be_the_cornerstone_of_your_bc_plan" title="Read the rest of &amp;#039;Communication And Coordination Should Be The Cornerstone Of Your BC Plan&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_89 first"&gt;&lt;a href="/category/business_continuity" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Business continuity&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_92"&gt;&lt;a href="/category/disaster_recovery" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Disaster recovery&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_1036 last"&gt;&lt;a href="/category/crisis_communication" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;crisis communication&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/stephanie_balaouras/12-04-12-communication_and_coordination_should_be_the_cornerstone_of_your_bc_plan#comments</comments>
 <category domain="http://blogs.forrester.com/category/business_continuity">Business continuity</category>
 <category domain="http://blogs.forrester.com/category/disaster_recovery">Disaster recovery</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <category domain="http://blogs.forrester.com/category/crisis_communication">crisis communication</category>
 <pubDate>Thu, 12 Apr 2012 17:09:24 +0000</pubDate>
 <dc:creator>Stephanie Balaouras</dc:creator>
 <guid isPermaLink="false">7611 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Calculating Breach Costs: An Accounting Problem For Risk Management Strategy</title>
    <link>http://blogs.forrester.com/edward_ferrara/12-04-10-calculating_breach_costs_an_accounting_problem_for_risk_management_strategy?cm_mmc=RSS-_-IT-_-59-_-blog_2706</link>
    <description>&lt;p&gt;&lt;em&gt;Guest post from Researcher Heidi Shey.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt; Calculating the cost of a data breach should be a part of every organization's information security risk management strategy. It's not an easy task by any means, but making efforts to do so upfront -- as opposed to after a breach, when calculating cost is the last thing on the to-do list! -- for your organization can help to assess risk and justify security investments. But where does one begin, and what should be considered in cost estimates? There are the usual suspects, or direct costs, relating to discovery, response, notification, and damage control such as: &lt;/p&gt;&lt;a href="http://blogs.forrester.com/edward_ferrara/12-04-10-calculating_breach_costs_an_accounting_problem_for_risk_management_strategy" title="Read the rest of &amp;#039;Calculating Breach Costs: An Accounting Problem For Risk Management Strategy&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;</description>
     <comments>http://blogs.forrester.com/edward_ferrara/12-04-10-calculating_breach_costs_an_accounting_problem_for_risk_management_strategy#comments</comments>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <pubDate>Tue, 10 Apr 2012 14:25:57 +0000</pubDate>
 <dc:creator>Edward Ferrara</dc:creator>
 <guid isPermaLink="false">7598 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Nine Managed Security Services Providers (MSSPs) Compete In The North American Market</title>
    <link>http://blogs.forrester.com/edward_ferrara/12-04-04-nine_managed_security_services_providers_mssps_compete_in_the_north_american_market?cm_mmc=RSS-_-IT-_-59-_-blog_2706</link>
    <description>&lt;p&gt;After months of diligent vendor evaluations, last week we officially published &lt;a href="http://www.forrester.com/The+Forrester+Wave+Managed+Security+Services+North+America+Q1+2012/quickscan/-/E-RES57682#/The+Forrester+Wave+Managed+Security+Services+North+America+Q1+2012/fulltext/-/E-RES57682" target="_blank"&gt;The Forrester Wave: Managed Security Services: North America, Q1 2012&lt;/a&gt;. This report features our detailed analysis on nine of the top managed security services providers (MSSPs) offering a robust set of security services to their North American clients.&lt;/p&gt;
&lt;p&gt;Through this process, we uncovered a market that we believe is currently ripe for a major disruption: market demand for managed security services (MSS) remains extremely strong, customer satisfaction is higher than we've seen in the past, and current MSSPs tend to compete on delivery, customer service, and cost.&lt;/p&gt;
&lt;p&gt;This isn't to say MSSPs all currently offer the same services with the same level of quality - not by a long shot. Selecting the right provider still means that you must understand your needs and the areas in which you feel they can enhance your security program the most. Each MSSP we evaluated has solid overall security capabilities, but each has unique strengths in certain security areas and uses different deployment methods to bring its offerings to bear.&lt;/p&gt;
&lt;p&gt;At the same time, however, we hear more decisions today come down to cost and execution, and as this becomes more commonplace, we begin to prepare ourselves for a shift in the market. In fact, we believe we'll see significant changes over the next couple of years for three primary reasons:&lt;/p&gt;&lt;a href="http://blogs.forrester.com/edward_ferrara/12-04-04-nine_managed_security_services_providers_mssps_compete_in_the_north_american_market" title="Read the rest of &amp;#039;Nine Managed Security Services Providers (MSSPs) Compete In The North American Market&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;&lt;div class="categories"&gt;&lt;h3&gt;Categories:&lt;/h3&gt;&lt;ul class="links"&gt;&lt;li class="taxonomy_term_10221 first"&gt;&lt;a href="/category/information_security" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Information Security&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10585"&gt;&lt;a href="/category/mss" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;MSS&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9432"&gt;&lt;a href="/category/mssp" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;MSSP&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_9431"&gt;&lt;a href="/category/managed_security_services" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Managed Security Services&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10583"&gt;&lt;a href="/category/managed_services" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Managed Services&lt;/a&gt;&lt;/li&gt;
&lt;li class="taxonomy_term_10582 last"&gt;&lt;a href="/category/wave_results" rel="tag" alt="See other content with this tag." title="See other content with this tag."&gt;Wave Results&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
     <comments>http://blogs.forrester.com/edward_ferrara/12-04-04-nine_managed_security_services_providers_mssps_compete_in_the_north_american_market#comments</comments>
 <category domain="http://blogs.forrester.com/category/information_security">Information Security</category>
 <category domain="http://blogs.forrester.com/category/mss">MSS</category>
 <category domain="http://blogs.forrester.com/category/mssp">MSSP</category>
 <category domain="http://blogs.forrester.com/category/managed_security_services">Managed Security Services</category>
 <category domain="http://blogs.forrester.com/category/managed_services">Managed Services</category>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <category domain="http://blogs.forrester.com/category/wave_results">Wave Results</category>
 <pubDate>Wed, 04 Apr 2012 18:16:14 +0000</pubDate>
 <dc:creator>Edward Ferrara</dc:creator>
 <guid isPermaLink="false">7576 at http://blogs.forrester.com</guid>
  </item>
  <item>
    <title>Security Intelligence: Should We Send A Guy With A Gun Or A Wrench?</title>
    <link>http://blogs.forrester.com/andras_cser/12-04-04-security_intelligence_should_we_send_a_guy_with_a_gun_or_a_wrench?cm_mmc=RSS-_-IT-_-59-_-blog_1762</link>
    <description>&lt;p&gt;We are kicking off research on security and identity intelligence, which is about understanding risk and detecting abnormal behavior.  One thing is clear: companies don&amp;#39;t even *know* what kind of security (SIM, data,  identity, email, etc.) information they should be inspecting to detect security threats and where they should start eating the giant elephant of risk. They clearly need intelligent and automated systems to establish what a normal baseline means in user behaviors and events and then alert on any anomalies - and when they see any changes to normal patterns, understand whether they should send a guy with a gun or a guy with a wrench.  In this research (which will also be the topic of my Security Forum keynote speech) we will look at the interdisciplinary areas between enterprise fraud management, risk based authentication, data protection and identity management. I want to hear about your concerns, issues, and early case studies/solutions in this area.&lt;/p&gt;
&lt;a href="http://blogs.forrester.com/andras_cser/12-04-04-security_intelligence_should_we_send_a_guy_with_a_gun_or_a_wrench" title="Read the rest of &amp;#039;Security Intelligence: Should We Send A Guy With A Gun Or A Wrench?&amp;#039;." class="node_read_more"&gt;Read more&lt;/a&gt;</description>
     <comments>http://blogs.forrester.com/andras_cser/12-04-04-security_intelligence_should_we_send_a_guy_with_a_gun_or_a_wrench#comments</comments>
 <category domain="http://blogs.forrester.com/security_and_risk">Security and Risk</category>
 <pubDate>Wed, 04 Apr 2012 12:31:37 +0000</pubDate>
 <dc:creator>Andras Cser</dc:creator>
 <guid isPermaLink="false">7570 at http://blogs.forrester.com</guid>
  </item>
  </channel>
</rss>