Top IT Security Bloggers

Network World - Networking Nuggets and Security Snippets
  • Toward Omniscient Cybersecurity Systems

    Cybersecurity systems suffer from compartmentalization.  Vulnerability management systems know which software revisions are installed on which systems, but have no idea how endpoints and servers are connected together.  Similarly, an anti-malware gateway can perform static and dynamic analysis on a suspicious file but doesn't know if a user downloaded analogous malware when she was connected to the Internet on a public network. Yup, cybersecurity is simply a classic example of one hand not knowing what the other is doing.
    CISOs recognize this disjointed situation and many are undertaking cybersecurity integration projects to address this problem.  This is certainly a step in the right direction, but I find that a lot of these projects are one-off point-to-point integration efforts.  Good idea, but CISOs should be pushing toward an ambitious endgame – omniscient cybersecurity systems.
  • Security Is a Prisoner of the Network

    I have a very distinct memory about a conversation I had with a colleague in the mid-to-late 1990s about how NetWare worked.  I told him that file and print services resided “in the network” but he couldn’t get his arms around this concept.  He continually pushed back by saying things like, “well the printers and file servers have to be plugged into the network so isn’t NetWare just running on these devices?”
    His assumption was somewhat accurate since NetWare did control physical file servers and printers.  What he didn’t get, however, was that NetWare made physical network devices subservient to global and virtual file and print services.  Before NetWare (and similar technologies like Sun’s NFS), you had to have a physical connection to a device and/or control these connections on a device-by-device basis.  Novell radically changed this by using software to abstract connections.  This made it much easier to point users at local printers and file shares while applying central access controls for security and privacy.
  • Google Network Security Sans Perimeter

    About a decade ago, I was first introduced to the Jericho Forum, an international group of cybersecurity executives committed to defining new infosec tools and architectures.  At that time, Jericho Forum was particularly focused on a concept called de-perimeterization.  Wikipedia defines de-perimeterization as:
    The removal of a boundary between an organization and the outside world. De-perimeterization is protecting an organization's systems and data on multiple levels by using a mixture of encryption, secure computer protocols, secure computer systems and data-level authentication, rather than the reliance of an organization on its network boundary to the Internet.
  • The Cloud Computing Security Challenge

    A few years ago, cloud computing faced an infosec hurdle. Many CIOs appreciated the benefits of cloud computing, but their concerns about cloud security outweighed all of its potential benefits. General cloud security trepidation thus precluded broader use of cloud computing. Fast forward to 2015 and the situation has changed. Yes, CIOs and security folks remain worried about cloud security, but business and IT benefits are so appealing that they tend to trump confidentiality, integrity, and security apprehensions. ESG research indicates that a growing number of organizations are jumping on the cloud computing bandwagon (note: I am an ESG employee):
  • Valuable Federal Cybersecurity Training for Critical Infrastructure Organizations

    Last week I wrote two blogs about cybersecurity, critical infrastructure organizations, and the US government. In the first blog, I mentioned some ESG research stating that 76% of cybersecurity professionals working at critical infrastructure organizations were somewhat or very unclear about the US government’s cybersecurity strategy (note: I am an ESG employee).  In spite of this confusion, 83% of these same cybersecurity pros want to see the feds become more active with cybersecurity programs and defenses.
  • Federal Cybersecurity Carrots and Sticks

    In my last blog, I highlighted a recent ESG research survey of cybersecurity professionals working at critical infrastructure organizations (note: I am an ESG employee). As a review:
    Only 22% of critical infrastructure cybersecurity professionals believe that the U.S. government's cybersecurity strategy is extremely clear and thorough. The vast majority remain confused and/or underwhelmed.
    In spite of this misconception, 83% of cybersecurity professionals working within critical infrastructure industries say that the U.S. government should be more active with cybersecurity strategies and defenses.

    So the infosec crowd wants Uncle Sam to put more skin in the game, but what specific actions should the U.S. government take? Survey respondents were given a list of potential federal cybersecurity actions and asked to select which of these the government should move forward. Here's what they said:
  • Cybersecurity, Critical Infrastructure, and the Federal Government

    The term “critical infrastructure” is used by governments around the world to describe industries and physical assets deemed essential to their economies and national security.  Critical infrastructure industries include agriculture, electricity generation, financial services, health care, telecommunications, and government services like law enforcement and the water supply (i.e. drinking water, waste water, dams, etc.).
    Cybersecurity vulnerabilities within the US critical infrastructure were first recognized during the administration of George H.W. Bush in the early 1990s, and President Clinton first addressed Critical Infrastructure Protection (CIP) with Presidential Decision Directive 63 (PDD-63) in 1998. Soon thereafter, Deputy Defense Secretary John Hamre cautioned the U.S. Congress about CIP by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber-attack, “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”
  • Takeaways from RSA 2015: The stars of the show

    As expected, the 2015 RSA Conference was bigger than ever – more attendees, presentations, exhibitors, etc. Since I live in the cybersecurity space, there were few surprises, but there were a few major highlights to this year's show:
    Visibility. As the old management adage goes, "you can't manage what you can't measure." Cybersecurity professionals are taking this saying to heart with a focus on gaining better visibility of everything on the network at all times. This includes endpoint profiling (ForeScout, Great Bay Software, Promisec, Tanium), endpoint forensics (Carbon Black, Guidance Software, RSA ECAT), and network forensics (Blue Coat/Solera, Click Security, FireEye, WildPackets). In some cases, it's all of the above with tools from IBM, Intel Security, LogRhythm, Splunk, or Symantec. Users are now telling me that they are postponing security technology purchases until they can collect, process, and analyze the right data in real-time in order to accelerate and improve their cybersecurity decisions. In my humble opinion, this is a prudent decision – especially as enterprise organizations increase their use of cloud computing, mobile devices, and IoT.
    Data center security. The data center security buzz really concentrated on cloud/virtual data center security, and this makes sense. Virtual workloads are moving across private and public clouds and this activity is antithetical to traditional network security controls. There is a lot of innovation in this area as well. Cisco is trumpeting the marriage of ACI and network security while VMware NSX gains traction in the market with support from partners like Check Point and Palo Alto Networks. Meanwhile, startups like Illumio and vArmour pitch a software-defined approach for the whole heterogeneous cloud computing enchilada while Tufin had a similar message around network security automation and orchestration. In the meantime, Juniper flexed some hardware muscle by introducing a 2 Tbps version of its SRX firewall. With all of the software-defined rhetoric, hardware remains important – the winning formula here is bridging the old physical network security with the new virtual security to deliver security efficacy and operational efficiency.
    Two-factor authentication. If the RSA Conference was the Emmy Awards, multi-factor authentication would have been quietly nominated for a best supporting actor award. Why the secondary role? Security veterans remain skeptical after an annual prediction, declaring it "the year of two-factor authentication and PKI." Nevertheless, there is finally a reason to be optimistic. Between the Apple iPhone and FIDO specification, biometrics and two-factor authentication are moving toward commodity status. RSA jumped on this trend with the introduction of its Via identity solutions while a Nok Nok Labs panel (hosted by yours truly) pointed toward a future of identity consumerization. The IT and cybersecurity industries were caught off guard by the tidal wave of mobile device proliferation. These same groups will likely be equally blindsided when new employees want to eschew passwords and use biometrics on their smartphone to log onto corporate applications. 
    Services, services, services. While cybersecurity products (endpoint security, ATP, etc.) grabbed the spotlight at RSA, security services are actually more successful in the market – ESG (and other analysts) believe that organizations are spending $2 on cybersecurity services for every $1 of cybersecurity products they purchase (disclosure: I am an employee at ESG). This trend was evident in many of my RSA meetings. Dell SecureWorks business is growing like a weed. FireEye incident response services have assumed the role of first responder after a breach. HP anchors its cybersecurity business with professional and managed services supplemented with infosec architectures, frameworks, products, and partners. Symantec managed services will act as a foundation for the company as it splits apart. Accuvant is also reaping services benefits along with the traditional big guys like Accenture, E&Y, and PWC. Finally, pure-play managed cybersecurity services vendors like Okta, Ping Identity, Proofpoint and Zscaler probably don't mind playing second-fiddle at RSA since they continue to win in the market. The biggest obstacle to continued cybersecurity services success is the same across all of these players – recruiting, hiring, and training new services employees to keep up with market demand. 
    Diversity. Finally, cybersecurity has finally come out of its geeky shell and attracted an assorted crowd of participants. DHS had its own booth at the show while the State of Maryland crowed about its cybersecurity education and public/private partnership. There was also an area of the show floor dedicated to Israeli cybersecurity innovation, ditto for Germany. 

    Yes, it's nice to see that our little industry has grown up, but let's remember that the RSA Conference popularity is a function of just how dangerous the threat landscape has become. This reality should sober up the industry after its annual RSA party and subsequent hangover.
  • Making Sense of Raytheon and Websense

    I was just getting on my flight to the RSA Security Conference in San Francisco on Monday morning when I received an email announcing an intriguing cybersecurity deal.  Defense contractor Raytheon announced its acquisition of security veteran Websense for approximately $1.6 billion.  Vista Equity Partners, Websense’s previous owner, also contributed $335 million and will retain some skin in the game.
    When I arrived at the RSA Conference, I asked a number of my contacts with deep federal experience what they thought of the deal.  For the most part, the common response was something like, “every federal integrator has tried to crack the commercial market and everyone has failed.  This won’t be any different.”
  • Somber Message at RSA

    As the 2015 RSA Conference got underway this week, I attended a dinner hosted by Pacific Crest Securities.  Our host began the dinner by asking former cyber czar Richard Clarke to say a few words.
    Now this was a rather festive dinner as the cybersecurity industry is in the midst of a robust boom.  Nevertheless, Clarke’s brief talk was a reminder of where we’ve been and the state of cybersecurity today. I didn’t record Richard’s words but to paraphrase, he said something like the following:
    A lot of us have been to this show for at least 10 years.  Now if you had asked anyone in this room ten years ago to predict the state of the cybersecurity industry in 2015, I don’t believe that anyone would have dreamed that the industry would be as big as it is today.  So we’ve all had a good ride and made a little bit of money along the way.
