Top IT Security Bloggers

Network World - Networking Nuggets and Security Snippets
  • Is it Time for Two CISOs at Large Organizations?

    I was able to get out of snowy Boston this week to give a presentation on enterprise security to a Federal IT audience in Washington D.C. As usual, I stated my opinion that enterprises are in the midst of a profound transformation with how they address cybersecurity risk. This change will require a new strategy around security technology AND a new type of leadership from CISOs.
    What type of leadership? Well, CISOs at large organizations need visibility in the boardroom and thus possess the ability to communicate cyber risk to non-technical executives and help craft cybersecurity strategies that truly align business and IT priorities.
    This led to a discussion on CISO skills in general. Some audience members complained that federal CISOs had no such skills or power, and that this position was mostly technical in nature. Others stated that they thought it might be extremely difficult to find a single individual with the right mix of business, leadership, and technical skills to take on the growing number of responsibilities of the emerging CISO role.
  • Enterprise Organizations are Replacing Commercial Antivirus with Freeware

    For the past 15 to 20 years, the vast majority of organizations have installed commercial antivirus software on just about every PC residing on their networks. This resulted in a multi-billion dollar industry dominated by five vendors: Kaspersky Lab, McAfee (Intel Security), Sophos, Symantec, and Trend Micro. AV security efficacy has come into question over the past few years, however, as cyber-criminals and State-sponsored hackers regularly used customized malware and zero-day attacks to circumvent AV and compromise PCs. Given the limitations of traditional AV, some organizations are adding new endpoint anti-malware tools from vendors such as Bit9, Bromium, Cisco, Confer, Cylance, CrowdStrike, FireEye, IBM, Malwarebytes, Palo Alto Networks and Triumfant. Others are implementing endpoint forensic capture/analysis tools (i.e. Guidance Software, RSA, SentinelOne, Viewfinity) to gain a better understanding of endpoint activity and anomalous behavior.
  • Grading the President’s SOTU Cybersecurity Agenda

    In the wake of the furor over the Sony Pictures attack, President Obama came out swinging in his State of the Union speech earlier this week. Not to be outdone, Senator Joni Ernst (R-Iowa) included a cybersecurity-centric sentence or two in the Republican’s response.
    Yup, the President is finally rolling up his sleeves and proposing some Federal cybersecurity initiatives, but are these the right actions? Allow me to offer my two cents by grading each of the proposals.
    1. Increased security/threat intelligence between the public and private sector (Grade = B-)
    This is a new spin on the old "public/private partnership" that arises from time to time across a myriad of areas. Furthermore, Congress has been wrangling over this for the past few years – first with the Cyber Intelligence Sharing and Protection Act (CISPA) and more recently the Cybersecurity Information Sharing Act (CISA).
  • Information Security Tops the List of Business Initiatives Driving 2015 IT Spending

    Those of us in the cybersecurity community can name-drop dozens of data breaches from the last ten years, but the late 2013 breach at US retailer Target could be considered a game-changer. In addition to the $148 million price tag, the CEO and CIO were both ousted in the wake of the cyber-attack.
    Since the Target breach, it has become increasingly clear that cybersecurity has become an increasingly important issue at the boardroom level, but where does it rank in comparison to other business concerns? ESG research may shed some light on this question (note: I am an ESG employee). Each year, ESG conducts its annual IT spending intentions survey to gather data on IT and business trends. ESG asked 601 IT professionals working at organizations in North America and Western Europe to identify the business initiatives that will drive IT spending over the next year. In 2014, the top three responses were:
  • Endpoint Security Activities Buzzing at Enterprise Organizations

    Endpoint security used to be a quasi “set-it-and-forget-it” category at many enterprise organizations. The IT operations team would provision PCs in an approved secure configuration and then install AV software on each system. Of course there were periodic security updates (vulnerability scans, patches, signature updates, etc.), but the endpoint security foundation was set and dry by then.
    As Bob Dylan once sang, “the times they are a-changin’.” CISOs realize that these legacy endpoint security methods are no longer enough so they are thoroughly altering endpoint security across their organizations. ESG is about to publish some new research on endpoint security that illustrates the depth and breadth of some new activities (note: I am an ESG employee). For example, over the last 2 years:
  • New research indicates cybersecurity skills shortage will be a big problem in 2015

    Like all other industry analysts, I offered my prognostications for 2015 in my blog way back in 2014.  Prediction #1 on my list:  Widespread impact from the cybersecurity skills shortage.
    I’ve been screaming about the cybersecurity skills shortage for a number of years as I believe it may be one of the most important issues that receives an inadequate amount of media and industry attention. Now I may be a tad on the emotional side about the cybersecurity skills shortage but I try to base my rants and obsessions on cold hard facts rather than my opinion whenever I can.
  • What Should the 114th Congress Do About Cybersecurity in 2015?

    It’s 2015 and the GOP-dominated 114th Congress returns to Washington tomorrow. After years of maintaining a hands-off approach toward cybersecurity, the new Republican-led Congress is poised to jump all over this issue – mostly because of the December data breach at Sony Pictures and the subsequent brouhaha over the release of the now infamous movie, The Interview.
    While no one was voting for anything in late December, there were a few consistent cybersecurity themes coming from Congress:
    Blame the President. Senator John McCain (R-AZ), the incoming chair of the Senate Armed Services Committee, blamed the Sony Pictures data breach on the Obama administration, citing a lack of leadership on national cybersecurity. Note that this is the same Senator McCain who sided with the Chamber of Commerce in 2012 in blocking the passage of Cybersecurity legislation that had bipartisan support in the Senate Homeland Security and Government Affairs (HSGAC) committee.
    Declare a Cyberwar Against North Korea.  Before exiting Washington, retiring Congressman Mike Rogers (R-MI) and others have suggested that the U.S. should declare a cyberwar on North Korea and take out its ability to launch another cyber-attack on the U.S.  I guess no one told the Congressman about North Korea’s minimal attack surface or explained how the IP protocol works to him.
    Push for public/private security intelligence sharing. This one has some legitimacy as there is an actual bill (Cyber Information Sharing Act aka CISA) that was moving through the last Congress. While it may be a good idea to share intelligence, this is no panacea for curing our nation’s cybersecurity ills. Furthermore, CISA will never gain popular support without some additional privacy protection.

    I for one am glad that cybersecurity is finally getting more airplay in Washington but it’s clearly still being treated as a political hot potato. Note to the 114th Congress: We don’t need reactionary legislation or finger-pointing, we need a national cybersecurity strategy.
  • Last Minute Cybersecurity Predictions for 2015

    By now, every vendor, analyst, and media outlet has already published their cybersecurity predictions for 2015.  I actually described some of mine on a Co3 webinar with Bruce Schneier last week so I thought I’d put together a quick list.  Here are ten predictions in no particular order.
    Widespread impact from the cybersecurity skills shortage. Demand will exceed supply for cybersecurity professionals leading to salary inflation. CISOs who can’t hire the right talent will have no choice but to look for help from MSSPs and security SaaS vendors. As a result, 2015 will be another boom year for all types of security service providers. See my recent blog for more details.
    Expanding attack surface. While most attacks will still center on Windows PCs, browsers, and common applications, sophisticated cyber-adversaries will start to poke around with hacks for mobile devices, cloud applications, IoT, Macs, and Linux. The industry will pitch individual threat management tools for each of these threat vectors but CISOs should avoid the point tools trap and create an expansive all-inclusive strategy to safeguard the growing attack surface.
    Health care heartache.  Cyber-criminals need new industry targets as the return on credit card theft is steadily decreasing.  Health care industry beware – you are the next mark.  Look for hackers to launch attacks on major hospital groups and health care insurance providers throughout 2015.
    Mobile payment popularity and vulnerability. Led by Apple Pay, mobile payment will take off in 2015, leading cyber-criminals to focus on vulnerable software, devices, and protocols. I expect an explosion of Near Field Communications (NFC) hacks by next summer.
    Peace out, passwords.  Closely related to mobile payment, consumers will become more and more comfortable with smartphone-based authentication and biometrics in 2015.  Apple has the lead but the recently published FIDO 1.0 specification will bring similar functionality to Android and Windows phones as well.  By the end of 2015, many enterprises will start to explore ways to integrate mobile phone-based authentication into their IAM infrastructure.  On a related note, CISOs will get much more involved in IAM decisions next year as IAM assumes the role of a security perimeter for cloud, mobile, and internal IT assets. 
    Beyond AV.  The endpoint security market has been a cozy oligopoly for many years, dominated by 5 AV vendors:  Kaspersky, McAfee, Sophos, Symantec, and Trend Micro.  This exclusive club is now being invaded by a slew of newbies including Bit9, Bromium, Cisco, Confer, Digital Guardian, FireEye, Guidance Software, Hexis Cyber Solutions, IBM, Malwarebytes, Palo Alto, RSA, Triumfant, and Webroot.  Why?  Security pros realize that AV alone isn’t enough so they are adding advanced anti-malware layers and/or endpoint forensic software.  By the end of 2015, at least one vendor will exhibit extreme chutzpah by telling customers to abandon AV altogether and redistribute legacy endpoint dollars at new types of tools. 
    Washington Cybersecurity Wannabes. Get ready for a steady diet of bellicose cybersecurity rhetoric when Congress returns from vacation. This is likely because of the Sony breach and the GOP’s majority in the House and Senate. We may see unprecedented funding of cybersecurity education programs (good stuff), tax breaks for private sector cybersecurity investments (good stuff), and a ton of other Pork Barrel cyber programs (wasteful stuff). By the end of 2015, someone or some group will step up to become a cybersecurity watchdog for billions of dollars in federal funding (note: This could be me).
    Enterprise Security Co.  Enterprise security based upon an army of point tools, manual processes, and limited IT visibility doesn’t work.  CISOs recognize this and are now looking to build an integrated, scalable, enterprise security architecture.  Think ERP (SAP) as a replacement for departmental apps in the 1990s.  Which vendors can address this burgeoning enterprise security requirement?  Leading candidates:  Cisco, McAfee, IBM.  Fast followers:  Check Point, FireEye, Fortinet, HP, Palo Alto Networks, RSA, Symantec, and Trend Micro.  Others?
    Security Analytics Maturity.  Most of the enterprise organizations I speak with are collecting, processing, and analyzing a heck of a lot more security data today than in the past.  What kind of security data?  Logs, packets, threat intelligence, endpoint forensics, IAM data – you name it.  We are passing from the age of SIEM to a much broader and more holistic security analytics era.  A market free-for-all will ensue as startups, service providers, and established vendors (i.e. AlienVault, Arbor Networks, Dell, LogRhythm, Narus, Splunk, etc.) vie for big security analytics projects.  Look for vendors to highlight hybrid cloud offerings, massive threat intelligence integration, remediation automation, and visual analytics capabilities next year.
    Cybersecurity Intelligence Intelligence.  Speaking of security analytics, 2015 will be a big year for cybersecurity intelligence, driven by the eventual passing of the Cybersecurity Intelligence Sharing Act (CISA), and momentum around FS-ISAC’s Avalanche and Soltra.  On the enterprise side, CISOs want to rationalize their threat intelligence consumption, use, and integration while figuring out which threat intelligence feeds are really worthwhile and which are simply redundant information.  Vendors will remain in the evangelical selling phase, but innovators like BitSight, iSight Partners, Norse, Vorstack, and ThreatStream with unique information or advanced integration should do well.  OpenIOC, STIX, TAXII, and other cybersecurity standards are bound to come along on this ride. 

    I could go on for a while longer but these are the ten that came to mind. I hope you find them useful AND entertaining.
  • Sony Baloney

    As an information security analyst, I’ve been following the cyberattack details at Sony Pictures for some time now, just as I followed other events (i.e. Home Depot, JP Morgan Chase, Staples, UPS, etc.) earlier this year.
    Yup, each of these events received its fair share of publicity, but nowhere near the amount of press that Sony is getting. Maybe it’s the Hollywood angle, maybe it’s the intrigue of geopolitical tensions between the U.S. and North Korea, or maybe it’s the general impression that this hack is juxtaposed to our first amendment rights. Whatever the reason, it’s big. I participated in a webinar yesterday with security guru Bruce Schneier (CTO of Co3), focused on security predictions for 2015. The Sony Pictures cyberattack dominated the conversation, and we both agreed that we could have discussed it for hours more.
  • NAC Renaissance

    Remember NAC? Cisco first introduced the concept of Network Admission Control back around 2004. Back then, NAC’s primary role was checking the security status of PCs before granting them access to the network. This type of functionality was really in response to a wave of Internet worms in the early 2000s that were infecting and clogging up corporate networks.
    NAC became an instant network security fad that everyone wanted a part of. Microsoft introduced a competing initiative called Network Access Protection (NAP) for its “Longhorn” operating system (Vista) followed by a wave of long-lost startups like ConSentry Networks, Lockdown Networks, Mirage Networks, and Vernier. Heck, NAC was even highlighted at the RSA Conference during this timeframe.
