Top IT Security Bloggers

Network World - Networking Nuggets and Security Snippets
  • Cybersecurity Industry News Roundup, Week of February 1, 2016

    Network World - Networking Nuggets and Security Snippets
    Just five weeks into 2016 and it’s already been a busy year for the cybersecurity industry. Here are just a few highlights so far:FireEye goes on a shopping spree
    Ignoring Wall Street’s trepidation, FireEye continues to remain aggressive on the acquisition front by grabbing iSight Partners and Invotas. With the addition of these two companies, FireEye can claim leadership in: 
    Threat intelligence. FireEye/Mandiant was already strong in this area, and with the addition of iSight, FireEye becomes the instant market leader. FireEye already had a different view of threat intelligence, pivoting from cyber-adversaries (i.e. threat actors, TTPs, etc.) into the enterprise. With this perspective, FireEye believes it can help customers anticipate attacks and become more proactive with prevention, detection, and response. By adding iSight, FireEye attains a broader view of the threat landscape that can be integrated into its products and used to create a variety of threat intelligence services for enterprise and mid-market customers. Oh, and let’s not forget that FireEye picks up a few hundred cybersecurity experts in the deal, which is especially important given the acute global cybersecurity skills shortage. This will certainly boost FireEye’s services presence and revenue.
    The Integrated Cybersecurity Orchestration Platform (ICOP) market. Invotas sells a market-leading ICOPs solution that helps organizations streamline incident response operations and automate remediation tasks. Just about every enterprise organization needs these IR capabilities, and since it doesn’t make sense for them to write their own software, the ICOPs market is poised to be a big deal in 2016. With Invotas in hand, FireEye becomes an instant player and can now address 4 of 5 areas I call out in my IR “fab 5” concept. 

    You’ve gotta admit that FireEye's CEO has a lot of chutzpah. Dave is on a mission to create a new type of cybersecurity company and is willing to march down this path with or without the millennials on Wall Street’s support. Invotas and iSight are bold moves that have the potential to make FireEye a multi-billion cybersecurity vendor over time.To read this article in full or to leave a comment, please click here
  • The Endpoint Security Continuum

    Network World - Networking Nuggets and Security Snippets
    My colleague Doug Cahill and I are knee-deep into a research project on next-generation endpoint security. As part of this project, we are relying on real-world experience, so we’ve interviewed dozens of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) who have already deployed new types of endpoint security software.Now, all of the organizations we interviewed are already running antivirus tools, but day-to-day responsibilities are often delegated to an IT operations team rather than the infosec staff. So organizations are at somewhat of a disadvantage because they delegated it to an IT generalist team. Still, many of the organizations we’ve interviewed have turned on all of their AV’s advanced features, and are still being compromised.To read this article in full or to leave a comment, please click here
  • Security Requirements Are Driving Identity Management

    Network World - Networking Nuggets and Security Snippets
    Anyone familiar with identity management knows that it can be extremely messy – lots of tactical tools, access policies, multiple data repositories, manual processes, etc. Furthermore, user authentication continues to be anchored by user names and passwords making nearly every organization vulnerable to credentials harvesting, identity theft, and cyber attacks.These persistent IAM problems remain, even though identity management is becoming a bigger component of enterprise security. This is true because, as organizations embrace cloud and mobile computing, they lose some control over their IT infrastructure. As one CISO mentioned to me, “when we lose control in some areas we need to get better control over others as compensating controls.” To read this article in full or to leave a comment, please click here
  • Time to Consider User Behavior Analytics (UBA)

    Network World - Networking Nuggets and Security Snippets
    In 2012, I did an extension research project on big data security analytics. My thesis was that big data tools like Hadoop, Mahout, MapReduce, and Pig would greatly enhance in-depth historical cybersecurity investigations beyond anything provided by SIEM tools. In retrospect, I believe my assumptions were correct, but the market remains in an early stage of development even today. While general use of big data security analytics is still in its genesis phase, there appears to be an increasingly popular use case in cybersecurity: User Behavior Analytics (UBA). UBA is roughly defined as the analysis of all activities related to individual users, covering devices, processes, applications, network sessions, and data consumed and utilized. UBA builds a data analytics model where all log files, endpoint and network forensics, authentication requests, and data access actions are aligned with individual users themselves. To read this article in full or to leave a comment, please click here
  • The 4 kinds of cybersecurity customers

    Network World - Networking Nuggets and Security Snippets
    Depending upon whom you believe, there are roughly 800 to 1200 companies selling cybersecurity products and services to end customers. Yes, the cybersecurity market is forecast to be around $70 billion this year, but that’s still a lot of vendors.Now, there are point product specialists, managed services firms, and enterprise security vendors all competing for the same dollars. So how can any company stand out from the crowd? In my opinion, each security vendor must determine where its products and service fit among four distinct buyer types:
    Security-centric buyers. This traditional security buyer evaluates and purchases security products and services based upon discrete needs and budgets. As such, security-centric buyers tend to look for best-of-breed products from vendors with strong cybersecurity experience. Startups with strong cybersecurity chops are welcome to this club but purchasers also maintain a “rip-and-replace” mentality rather than any type of long-term allegiance. Vendors like Bit9 + Carbon Black, Cylance, Check Point, FireEye, Fortinet, Palo Alto Networks, Symantec, and Trend Micro come to mind here. Note that security-centric buyers will have some role to play in EVERY cybersecurity product and services deal.
    IT infrastructure-centric buyer. In most cases, IT infrastructure vendors extend their reach into security to appeal to their customers and traditional buyers. Cisco is a good example with network security products, ditto for Dell with its secure endpoint program. In some cases, newer vendors will add security functionality on top of IT infrastructure. For example, Data Gravity has added secure access controls and analytics to its storage appliances. In the past, vendors could use their IT infrastructure-centric buyer relationships to circumvent the security team, but no longer. In today’s market, cybersecurity professionals’ role goes beyond defining product requirements, as they are much more involved in the actual selection process. It is also worth noting that today’s IT infrastructure is often virtual rather than physical, so successful vendors need the right software-defined services, not just hardware appliances. 
    IT initiative buyer. Think of things like secure software development, secure data centers, IoT security, etc. These initiatives have to span across people, process, and technology, making them more complex and resource-intensive. Professional services firms have a distinct advantage, as part of the challenge here is systems integration and training. On the customer side, a senior person will likely have ultimate responsibility for the whole project enchilada. Because of this, cybersecurity vendors must have the appropriate scale, skills, and project management chops to succeed here.
    Business-centric buyer. Corporate boards, CIOs, and CISOs who sit at the top of the customer organization demand more from cybersecurity vendors than threat intelligence reports and pretty reports. Aside from security efficacy, business-centric buyers want to work with vendors that can help them improve operational efficiency and align risk management capabilities with new IT projects for business enablement. To win here, cybersecurity vendors need broad product/managed services portfolios, partner ecosystems, integrated architectures, enterprise scale, and strong professional services skills to piece everything together.

    A few additional points:To read this article in full or to leave a comment, please click here
  • Network Security Sandboxes Driving Next-Generation Endpoint Security

    Network World - Networking Nuggets and Security Snippets
    Remember advanced persistent threats (APTs)? This term originated within the United States Air Force around 2006.  In my opinion, it gained more widespread recognition after the Google “Operation Aurora” data breach first disclosed in 2010.  This cyber-attack is attributed to groups associated with China’s People’s Liberation Army and impacted organizations like Adobe Systems, Juniper Networks, Northrop Grumman, Symantec, and Yahoo in addition to Google.APT visibility got another boost in 2013 when Mandiant released its now famous APT1 report documenting several cyber-attacks emanating from a PLA group known as Unit 61398.To read this article in full or to leave a comment, please click here
  • The Incident Response “Fab Five”

    Network World - Networking Nuggets and Security Snippets
    I’ve been focused on security analytics for several years and spent a good part of 2015 investigating technologies and methodologies used for incident response.  Based upon lots of discussions with cybersecurity professionals and a review of industry research, I’ve come up with a concept I call the incident response “fab five.”  Enterprise organizations with the most efficient and effective incident detection and response, tend to establish best practice and synchronization in 5 distinct areas:
    Host monitoring.  This centers on understanding the state and activities of host computers.  Host monitoring tends to concentrate on Windows PCs, but may also include oversight of Macs, Linux, servers, and even cloud-based workloads.  Historically, host monitoring was based upon log collection and analysis but SOC managers are also embracing open source EDR tools (i.e. GRR, MIG, etc.) as well as commercial forensic offerings (i.e. Carbon Black, Countertack, Hexis Cyber Solutions, Guidance Software EnCase, RSA Ecat, Tanium, etc.).  The trend is toward collecting, processing, and analyzing more host forensic data in real-time.
    Network monitoring.  Beyond network logs, I see leading-edge organizations collecting and analyzing a combination of flow and PCAP data.  Think of technologies from Arbor Networks, Blue Coat (Solera), FireEye (nPulse), Lancope, and RSA (NetWitness).  Once again, the ability to get the data you need in real-time matters a lot.  Note that this activity tends to require the ability to decrypt, process, and route encrypted network traffic as well. 
    Threat intelligence.  Strong CERT programs collect, process, analyze and correlate external threat intelligence and then compare it to what’s happening inside the firewall.  In this instance, threat intelligence includes open source, commercial feeds (i.e. iSight Partners, Norse, Symantec DeepSight, etc.) as well as intelligence from static/dynamic malware analysis.  Leading organizations have developed or purchased threat intelligence platforms to de-duplicate, correlate, and normalize external threat intelligence and tend to be further ahead with threat intelligence standards like STIX and TAXII.
    User behavior monitoring.  Top incident responders keep an eye on user actions looking for insider threats and identity theft.  This area is probably the most elementary right now, usually based upon customized dashboards/tools that pull data from Active Directory, authentication tools, system logs, and MDM systems.  I believe we’ll see a lot of adoption of more automated User Behavior Analytics (UBA) tools this year from vendors like Exabeam, Fortscale, Gurucul, and Securonix. 
    Process automation.  Clearly, large enterprise organizations are basing incident detection and response activities on massive amounts of data in order to gain situational awareness and take the appropriate remediation actions.  Unfortunately, doing so isn’t very efficient when IR depends upon an army of independent tools and reporting engines distributed throughout the network.  Enterprises are addressing this with IR automation and orchestration by building their own runbooks/workflows, tapping into software APIs, writing scripts, or deploying commercial IR platforms from CyberSponse, Invotas, Phantom Cyber, Resilient Systems, or ServiceNow.  I also expect a lot of IR automation/orchestration activity in 2016.

    One final observation:  Many organizations continue to back-end IR processes with SIEM tools (i.e. IBM QRadar, LogRhythm, Splunk, etc.).  In many cases, SOC teams are highly-skilled with these tools and often use them to aggregate IR data, triage events, and train junior analysts. To read this article in full or to leave a comment, please click here
  • Cybersecurity Industry Predictions for 2016

    Network World - Networking Nuggets and Security Snippets
    Happy new year everyone!  Late last year, I wrote a blog with a few predictions for 2016 focused on threats and enterprise security.  Here are a few of my additional expectations for the cybersecurity industry:1.       Cybersecurity skills shortage impacts the industry.  I cited a bunch of troubling statistics about the global shortage of cybersecurity talent in another recent blog.  Depending upon whom you believe, there will be 1 million or more cybersecurity job openings that remain unfilled in 2016.  This shortage is already a problem for CISOs, look for it to become a growing headache for cybersecurity product and (especially) services vendors this year as well.  Recognizing this issue, firms like Cisco, IBM, and Symantec are developing internship programs, partnering with Universities, and offering cybersecurity training to general IT professionals.  Other large cybersecurity suppliers will do the same.  As a side note to this problem, cybersecurity vendors seeking talent will be forced to invest in facilities outside of the Silicon Valley, good news for Atlanta, Austin, Boston, and Washington D.C. as well as India, Ireland, and the Philippines.To read this article in full or to leave a comment, please click here
  • Creating a Cybersecurity Center of Excellence

    Network World - Networking Nuggets and Security Snippets
    I’ve been writing about the cybersecurity skills shortage for many years and, unfortunately, things seem to be getting worse. Here are a few data points:
    According to ESG research, 28% of organizations claim that they have a “problematic shortage” of IT security skills (disclosure: I am an ESG employee). 
    Job market analytics vendor Burning Glass states that cybersecurity job postings grew 74% from 2007 to 2013, more than twice the growth rate of all IT jobs.
    Prospective employers posted more than 50,000 jobs requesting Certified Information Systems Security Professional (CISSP) certification. Unfortunately, there are only about 65,000 CISSPs in the world, and many are gainfully employed. 
    ISC2, the organization that certifies CISSPs believes that there will be a deficit of 1.5 million cybersecurity professionals by 2020. The UK House of Lords is even more bearish, predicting a shortage of 2 million cybersecurity professionals by 2017. 
    A 2015 report from the Information Systems Audit and Control Association (ISACA) states that 86% of business and IT professionals globally believe there is a shortage of cyber security professionals. In this case, perception is reality. 
    A Raytheon/National Cyber Security Alliance report indicates that 64% of high school students do not have access to computer science classes (or other similar classes) that could help prepare them for a cybersecurity career. 

    When I speak with CISOs, I always ask them if they have the right skills and an adequate staff to keep up with the cybersecurity workload. The answer is almost always an overwhelming “NO,” regardless of their organization’s location, size, or industry. Cybersecurity professionals I talk with also tend to respond with a question for me: “What can my organization do to attract cybersecurity talent?”To read this article in full or to leave a comment, please click here
  • A Few Cybersecurity Predictions for 2016

    Network World - Networking Nuggets and Security Snippets
    I’m a bit reluctant to blog about 2016 cybersecurity predictions, as it seems like everyone is getting into this act. Alas, this end-of-year tradition used to be the exclusive domain of the analyst community and a few industry beacons, but now it seems like every security tools vendor in the world is reaching out to me to tell me what they see in their crystal ball. So, with some hesitance, here are a few of the things I expect to see after the proverbial ball drops (in no particular order):
    Greater focus on cyber supply chain security. Enterprise CISOs realize that strong cybersecurity extends beyond the corporate LAN and that cyberattacks and data breaches could easily start with third parties with access to the network. The OPM and Target breaches are two examples where cyber-adversaries simply compromised trusted business partners and used them as a beachhead to penetrate their targets. At the same time, we’ve seen an increase in malware hiding in firmware, system BIOS, device drivers, etc., so servers, routers, storage devices, and network appliances could all introduce malicious code into an otherwise pristine environment. I expect CISOs to extend efforts with IT and third-party risk management assessments and controls. Look for additional use of real-time intelligence in this area from vendors like BitSight and SecurityScorecard for keeping an eye on third-party partners.
    The consumerization of authentication. Everyone knows that user name/password authentication is inadequate, but few organizations have the resources to deploy and operate multi-factor authentication technologies everywhere. This IT “rock and hard place” situation is finally changing, driven by mobile phone-based biometric technologies, social login, mobile payment, and industry standards like the Fast IDentity Online (FIDO) specification. ESG research indicates that 41% of enterprise organizations are already using mobile devices for multi-factor authentication, while 44% are using or would consider using social login/consumer-based credentials for authentication (disclosure: I am an ESG employee). Look for mobile and social login to gain a bigger foothold in 2016. On a more general note, I expect lots of IAM activity next year as identity morphs into a granular rules-based security perimeter.
    Cyber insurance continues to boom. I recently blogged about cyber insurance, but this market is so hot that it’s worth repeating. The U.S. market for cyber insurance is around $2.5 billion serviced by around 50 companies. Year-over-year growth was estimated at 35% in 2015, and I believe it could grow at 40% next year as large organizations seek to transfer more of their IT risk to third parties. Look for more business relationships like AIG and K2 as insurance companies seek to get a better handle on IT risk and more hands-on participation in incident response. In fact, cybersecurity professionals will receive calls from head hunters with a new career opportunity – working side-by-side with actuaries and brokers at cyber insurance firms. Also on the risk management front, I expect insurance companies to incentivize customers to adopt the NIST Cybersecurity Framework (CSF), and penalize those that do not.
    A rise in ransomware. In 2015, ransomware became a service offering available for a fee on cybercrime chat forums. At the same time, exploit kits like Angler were offered to more ambitious hackers, alongside Cryptowall and Cryptolocker. Ransomware was typically used for petty crime against small businesses and government agencies, but 2016 could include a frightening escalation, enterprise ransomware. We could see ransomware bundled with worm-like proliferation techniques to “brick” all the Windows endpoints and servers of a targeted organization. Rather than a few hundred bucks, cybercriminals will use this technique on a large scale, demanding millions in Bitcoins from their victims and may even offer payment terms – pay the entire extortion technique and the criminals will unlock all systems and declare a 12-month moratorium on another attack. Alternatively, an installment plan will unlock a majority of systems, but some will remain hostage as monthly payment demands increase over time.

    I have a long list of other predictions, but I’ll save them for another day. Thanks to everyone who reads my blog and happy holidays!To read this article in full or to leave a comment, please click here

Editor's Recommendations

Solution Centres

Events

View all events Submit your own security event

Latest Videos

More videos

Blog Posts

Media Release

More media release

Market Place