Top IT Security Bloggers

Network World - Networking Nuggets and Security Snippets
  • Enterprise Annexation of Endpoint Security

    When it comes to strong cybersecurity, endpoints and servers have often been second-class citizens when compared to the network. I described this situation in a March 2013 blog post. According to ESG research, 58% of security professionals working at enterprise organizations (i.e. more than 1,000 employees) said that network security processes, skills, and technical controls were “much more thorough” or “somewhat more thorough” than server security processes, skills, and technical controls. Why the discrepancy? Network security includes mature technologies like firewalls, IDS/IPS, and Web Application Firewalls (WAFs). Furthermore, network security often involves a lot of network design and engineering for segmentation, access control, and traffic management. Alternatively, endpoint and server security is typically based on nothing more than AV software and its associated signature downloads and occasional scans.
  • Book Report: Cyberstorm by Matthew Mather

    In spite of the volume and sophistication of recent cyber-attacks, there are still plenty of folks who scoff at the notion of “cyberwar.”  It is not unusual for military types to assume the role of doubting Thomas by dismissing cyber-attacks as “weapons of mass disruption.”  They go on to make sarcastic quips, saying that a brief blackout or ATM network outage doesn’t really qualify as a national security event.
    Having spent the last dozen years of my life in the cybersecurity domain, I vehemently disagree with this minimalist notion, but it is truly difficult to describe what might happen.  Former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, Richard Clarke, does a good job of painting a picture of a cyber-attack on critical infrastructure in his 2010 book Cyber War, but his account is only a few pages long.  Daniel Suarez tells a gripping story in Daemon and Freedom, but this is more of a science fiction thriller than a more likely view of reality.
  • Note to Executives, Legislators, and Consumers: Time For a More Serious Dialogue About Cybersecurity

    Like everyone else in the cybersecurity domain, I've been pretty busy the past week or so.  First there was the UPS store breach, which was small change compared to the nefarious cybersecurity situation at JP Morgan Chase. The condition became a bit more whimsical when photos of naked celebrities floated around the web, but quickly became serious again with the breach at Home Depot, which may trump the Target breach when all is said and done. Here is a terse synopsis of what’s going on: we’ve gotten really good at rapidly developing and implementing new applications on new technologies. We can even do so at scale (with the exception of healthcare.gov, but that’s another story). Yup, we want immediate gratification from our technology toys but we really don’t have the right people, skills, processes, or oversight to actually protect them.
  • Network Security Challenges in the Enterprise

    ESG recently published a new research report titled, Network Security Trends in the Era of Cloud and Mobile Computing (note:  I am an ESG employee). In this project, ESG surveyed 397 IT security professionals working at enterprise organizations (i.e. more than 1,000 employees) and asked a multitude of questions about their current and future network security policies, practices, and technologies. Here is a list of the top 5 network security challenges at enterprise organizations:
    39% of organizations say that, “IT initiatives are being adopted without the proper network security oversight or controls in place.” Sound familiar? I’ve had lots of CISOs tell me about this very problem, especially around mobile computing. Sounds like an opportunity for Bradford Networks, Cisco, and ForeScout. The Trusted Computing Group (TCG) may also have a play here.
    31% of organizations say that, “network security policies and controls are not cohesive as they must be implemented across many different security and networking technologies.” In other words, network security is addressed with network devices when it should be applied to network flows. This leads to network complexity and many, many associated challenges. 
    28% of organizations say they are challenged by, “too many overlapping controls and processes tend to cause trouble.” When the networking and security teams are subnetting, VLANing, firewalling, and applying ACLs to network devices, there’s bound to be a lot of redundancy and wasted resources. I get the need for layered defenses, but there must be a better way to isolate network traffic. SDN? NFV? Cisco ACI? VMware NSX? Something is needed.
    27% of organizations say that the, “security staff is too busy responding to alerts/events and not enough time with training, planning, or network security strategy.” This points to the global cybersecurity skills shortage that I’ve been screaming about for years (in other ESG research, 25% of organizations said that they have a “problematic shortage” of IT security skills). With too much work and too little staff, CISOs need network security technologies that can help them work smarter, not harder.
    26% of organizations are challenged by, “security policies that are too complex and can’t be enforced with the current network security processes and controls.” Everyone talks about “contextual security” where network access is governed by user identity, device identity, location, time-of-day, etc. The problem is that this requires central management, common data, data exchange, and technology integration. Alas, these things haven’t happened yet in many enterprises.

    Summarizing this list presents a scary scenario. While business units are doing their own IT projects, the security team is hampered by mismatched policies, tactical technologies, and an overburdened staff. Not a very good recipe for success.
  • White House Cybersecurity Coordinator Is Kind of Right – but Mostly Wrong

    Poor Michael Daniel, the White House cybersecurity coordinator and the man who “leads the interagency development of national cybersecurity strategy and policy” is taking a beating in the press.  In a recent interview with federally-focused media outlet, GovInfoSecurity, Daniel defended his lack of security technology experience with the following statement:
    "You don't have to be a coder in order to really do well in this position.  In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction.  You can get taken up and enamored with the very detailed aspects of some of the technical solutions and the real issue is looking at the broad strategic picture."
  • Security pros speak out on SDN uses for network security

    At this week’s VMworld shindig in San Francisco, many networking and security vendors will crow about software-defined security and software use cases for SDN. Some of this rhetoric will be nothing more than industry hype, while other banter may prove to be extremely useful in the near future. Yes, there are many interesting ways that SDN could work to enhance network security. That said, which SDN/network security use cases are really compelling and which could be considered second-tier? ESG research asked this specific question to security professionals working at enterprise organizations (i.e. more than 1,000 employees) as part of a recent network security research report (note:  I am an ESG employee). Here are the top 5 SDN use cases for network security:
  • Virtual Security Remains Anathema to Many Organizations

    Next week, the IT industry will gather in San Francisco to discuss all things cloud and virtualization at VMworld. The discussion will center on “software-defined data centers” which will quickly morph to “software-defined security” in my world (Writer’s note:  In my humble opinion, this is a meaningless marketing term and I don’t understand why an industry that should be focused on digital safety acts like it’s selling snake oil). So we are likely to hear about the latest virtual security widgets, VMware NSX, and OpenStack integration, virtual security orchestration, etc. This will make for fun and visionary discussions, but there’s one critical problem: while almost every enterprise has embraced server virtualization and many are playing with cloud platforms, lots of organizations continue to eschew or minimize the use of virtual security technologies – even though they’ve had years of experience with VMware, Hyper-V, KVM, Xen, etc. According to ESG research, 25% of enterprises use virtual security technologies “extensively,” while 49% use virtual security technologies “somewhat,” and the remaining 25% endure on the sidelines (note: I am an ESG employee).
  • Figuring out FIDO (i.e. the Fast IDentity Online alliance and standard)

    No one hates passwords more than I do and it seems like I’m asked to register for a new site each day.  For those of us in the know, this situation of “password sprawl” is even more frustrating because we really should have solved this problem years ago.  After all, Whit Diffie, Marty Hellman, and the RSA guys first came up with PKI back in the 1970s so you’d think that passwords would be dead and strong authentication would be ubiquitous by now!
    Thankfully, there may be hope on the horizon in the form of the FIDO alliance.  The group, composed of a who’s who of industry big shots like ARM, Bank of America, Discover Card, Google, Lenovo, MasterCard, Microsoft, PayPal, RSA, Samsung, and VISA, is “developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance of passwords to authenticate users.”  In other words, FIDO wants to introduce “trusted convenience” by making strong authentication easy to deploy and easy to use on the front-end (i.e. for users) and back-end (i.e. for IT).
  • Enterprise Organizations Need Formal Incident Response Programs

    I spent the early part of my IT career in the storage industry, mostly with EMC Corporation.  Back then, large storage subsystems were equated with IBM mainframe computers, with a heavy emphasis on the financial services market. 
    Given this market alignment, I became quite familiar with the concept of business continuity/disaster recovery (BC/DR) way back in the 1990s.  Techopedia defines BC/DR as follows:
    Business continuity and disaster recovery (BCDR or BC/DR) is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and business in the aftermath of a disaster.
  • My Final Impressions of Black Hat 2014

    I attended Black Hat 2014 in Las Vegas last week and wanted to write a post while I’m still feeling the buzz of the event. Here are just a few of my takeaways:
    Black Hat = High Energy.  I attended Interop at the same venue (Mandalay Bay) for many years but I noticed that the event was getting stale and rather morose recently.  It was quite invigorating then to witness the high-energy security crowd at Black Hat in comparison.  There was lots of energy, great discourse, and plenty of knowledge transfer.  Yes, there was commercialism and Vegas schmaltz, but Black Hat is more of a community get together than your typical stale trade show – and way more lively than Interop post the late 1990s.
    Black Hat vs. RSA.  When I worked at EMC back in the late 1980s, one of the common sales mantras of the company was, “people who know how always work for people who know why.”  This was a “solution selling” message intended to get the sales team to focus on the “why” customers who own business processes, financial results, and budgets, rather than the “how” customers who twiddle bits and bytes.  With this analogy in mind, RSA is a “why” conference while Black Hat (and to some extent, DEFCON) is a “how” conference.  With this explained, there is also a difference as cybersecurity is a hardcore “how” discipline that revolves around the folks who know how to twiddle bits and bytes or can detect when someone else has twiddled bits and bytes in a malicious way.  In my humble opinion, these two shows complement each other.  Yes, we need extremely competent CISOs who know business, IT, and security technology but we must also have security practitioners with deep technical skills, devotion, and passion.  RSA is focused on the former while Black Hat/DEFCON appeals to the latter.
    Security vendors should be at Black Hat.  Many leading security vendors passed on Black Hat and allocated event budget dollars to RSA and shows like VMware instead.  I get this but would suggest that they find ways to spread event investments around so they can attend Black Hat 2015.  Why?  Black Hat attendees may not be budget holders but they are the actual people who influence technology decisions and make up the majority of the cybersecurity community at large.  These are the people who choose cybersecurity technologies that can meet technical requirements.   Creative security technology vendors can also approach Black Hat as a recruiting opportunity, not just a sales and marketing event. 
    I left Black Hat with even more cybersecurity concern.  I’m in the middle of this world all the time so I hear lots more about the bad guys’ Tactics, Techniques, and Practices (TTPs) than most people do.  Even so, I spent the week hearing additional scary stories.  For example, Blue Coat labs reported on 660 million hosts with a 24 hour lifespan it calls “one-day wonders.”  As you can imagine, many of these hosts are malicious and their rapid lifespan flies under the radar of signature-based security tools and threat intelligence.  I also learned more about “Operation Emmental” (i.e. from Trend Micro) that changes DNS settings and installs SSL certificates on clients, intercepts legitimate one-time passwords (OTPs) and steals lots of money from online banking customers.  Black Hat chatter served as further evidence that our cyber-adversaries are not only highly-skilled, but way more organized than most people think.
    Endpoint security is truly “in play.”  A few years ago, endpoint security meant antivirus software and a cozy oligopoly dominated by McAfee, Symantec, and Trend Micro (and to some extent, Kaspersky Lab and Sophos as well).  To use Las Vegas terminology, all bets are off with regard to endpoint security now.  With the rash of targeted attacks and successful security breaches over the past few years, enterprise organizations are questioning the value of AV and looking for layered endpoint defenses.  Given this market churn, Black Hat was an endpoint security nexus with upstarts like Bromium, Cisco, Crowdstrike, Digital Guardian (formerly Verdasys), Druva, FireEye, Guidance Software, IBM, Invincea, Palo Alto Networks, Raytheon Cyber Products, RSA, and Webroot ready to talk about “next-generation” endpoint security requirements and products.  While the incumbents have an advantage, endpoint security is becoming a wide-open market as evidenced by the crowd at Black Hat. 

    Black Hat is a great combination of Las Vegas shtick, hacker irreverence, and a serious cybersecurity focus.  Yup, it’s only a tradeshow but there is a serious undercurrent at Black Hat/DEFCON that is sorely missing from most IT events.
