Top IT Security Bloggers

Network World - Networking Nuggets and Security Snippets
  • Figuring out FIDO (i.e. the Fast IDentity Online alliance and standard)

    No one hates passwords more than I do and it seems like I’m asked to register for a new site each day.  For those of us in the know, this situation of “password sprawl” is even more frustrating because we really should have solved this problem years ago.  After all, Whit Diffie, Marty Hellman, and the RSA guys first came up with PKI back in the 1970s so you’d think that passwords would be dead and strong authentication would be ubiquitous by now!
    Thankfully, there may be hope on the horizon in the form of the FIDO alliance.  The group, composed of a who’s who of industry big shots like ARM, Bank of America, Discover Card, Google, Lenovo, MasterCard, Microsoft, PayPal, RSA, Samsung, and VISA, is “developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance of passwords to authenticate users.”  In other words, FIDO wants to introduce “trusted convenience” by making strong authentication easy to deploy and easy to use on the front-end (i.e. for users) and back-end (i.e. for IT).
  • Enterprise Organizations Need Formal Incident Response Programs

    I spent the early part of my IT career in the storage industry, mostly with EMC Corporation.  Back then, large storage subsystems were equated with IBM mainframe computers, with a heavy emphasis on the financial services market. 
    Given this market alignment, I became quite familiar with the concept of business continuity/disaster recovery (BC/DR) way back in the 1990s.  Techopedia defines BC/DR as follows:
    Business continuity and disaster recovery (BCDR or BC/DR) is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and business in the aftermath of a disaster.
  • My Final Impressions of Black Hat 2014

    I attended Black Hat 2014 in Las Vegas last week and wanted to write a post while I’m still feeling the buzz of the event. Here are just a few of my takeaways:
    Black Hat = High Energy.  I attended Interop at the same venue (Mandalay Bay) for many years but I noticed that the event was getting stale and rather morose recently.  It was quite invigorating then to witness the high-energy security crowd at Black Hat in comparison.  There was lots of energy, great discourse, and plenty of knowledge transfer.  Yes, there was commercialism and Vegas schmaltz, but Black Hat is more of a community get together than your typical stale trade show – and way more lively than Interop post the late 1990s.
    Black Hat vs. RSA.  When I worked at EMC back in the late 1980s, one of the common sales mantras of the company was, “people who know how always work for people who know why.”  This was a “solution selling” message intended to get the sales team to focus on the “why” customers who own business processes, financial results, and budgets, rather than the “how” customers who twiddle bits and bytes.  With this analogy in mind, RSA is a “why” conference while Black Hat (and to some extent, DEFCON) is a “how” conference.  With this explained, there is also a difference as cybersecurity is a hardcore “how” discipline that revolves around the folks who know how to twiddle bits and bytes or can detect when someone else has twiddled bits and bytes in a malicious way.  In my humble opinion, these two shows complement each other.  Yes, we need extremely competent CISOs who know business, IT, and security technology but we must also have security practitioners with deep technical skills, devotion, and passion.  RSA is focused on the former while Black Hat/DEFCON appeals to the latter.
    Security vendors should be at Black Hat.  Many leading security vendors passed on Black Hat and allocated event budget dollars to RSA and shows like VMware instead.  I get this but would suggest that they find ways to spread event investments around so they can attend Black Hat 2015.  Why?  Black Hat attendees may not be budget holders but they are the actual people who influence technology decisions and make up the majority of the cybersecurity community at large.  These are the people who choose cybersecurity technologies that can meet technical requirements.   Creative security technology vendors can also approach Black Hat as a recruiting opportunity, not just a sales and marketing event. 
    I left Black Hat with even more cybersecurity concern.  I’m in the middle of this world all the time so I hear a lot more about the bad guys’ Tactics, Techniques, and Practices (TTPs) than most people do.  Even so, I spent the week hearing additional scary stories.  For example, Blue Coat labs reported on 660 million hosts with a 24 hour lifespan it calls “one-day wonders.”  As you can imagine, many of these hosts are malicious and their rapid lifespan flies under the radar of signature-based security tools and threat intelligence.  I also learned more about “Operation Emmental” (i.e. from Trend Micro), which changes DNS settings and installs SSL certificates on clients, intercepts legitimate one-time passwords (OTPs) and steals lots of money from online banking customers.  Black Hat chatter served as further evidence that our cyber-adversaries are not only highly-skilled, but way more organized than most people think.
    Endpoint security is truly “in play.”  A few years ago, endpoint security meant antivirus software and a cozy oligopoly dominated by McAfee, Symantec, and Trend Micro (and to some extent, Kaspersky Lab and Sophos as well).  To use Las Vegas terminology, all bets are off with regard to endpoint security now.  With the rash of targeted attacks and successful security breaches over the past few years, enterprise organizations are questioning the value of AV and looking for layered endpoint defenses.  Given this market churn, Black Hat was an endpoint security nexus with upstarts like Bromium, Cisco, Crowdstrike, Digital Guardian (formerly Verdasys), Druva, FireEye, Guidance Software, IBM, Invincea, Palo Alto Networks, Raytheon Cyber Products, RSA, and Webroot ready to talk about “next-generation” endpoint security requirements and products.  While the incumbents have an advantage, endpoint security is becoming a wide-open market as evidenced by the crowd at Black Hat. 

    Black Hat is a great combination of Las Vegas shtick, hacker irreverence, and a serious cybersecurity focus.  Yup, it’s only a tradeshow but there is a serious undercurrent at Black Hat/DEFCON that is sorely missing from most IT events.
  • Cloud Security Priorities and Synergies with Enterprise Security

    According to ESG research, 63% of mid-market (i.e. 250 to 999 employees) and enterprise (i.e. more than 1,000 employees) organizations are currently using Software-as-a-Service (SaaS), 33% use Infrastructure-as-a-Service (IaaS), and 27% employ Platform-as-a-Service (PaaS) today (note: I am an ESG employee).  Additionally, 72% of all firms are increasing their spending on cloud computing initiatives this year.
    Wasn’t IT risk supposed to put the brakes on cloud computing deployment?  Security professionals are still quite concerned.  In a recent ESG research survey, infosec pros identified numerous cloud security risk areas as follows:
    33% of enterprise security professionals said: “a lack of control over security operations directly related to IT resources used for internal purposes.”
    31% of enterprise security professionals said: “privacy concerns over sensitive and/or regulated data stored and/or processed by a cloud infrastructure provider.”
    29% of enterprise security professionals said: “lack of security visibility into cloud services infrastructure.”
    28% of enterprise security professionals said: “a security breach that compromises our cloud service providers’ infrastructure.”
    27% of enterprise security professionals said: “poor infosec practices at our cloud service provider(s).”

    These are clearly legitimate concerns (the kind that keep CISOs up at night!), yet it seems like the proverbial horse has left the barn on cloud computing.  Enterprise organizations may be proceeding with caution, but they are proceeding nonetheless.
  • Anticipating Black Hat 2014

    RSA 2014 seems like ancient history, and the 2015 event isn’t until next April.  No worries however, the industry is set to gather in the Las Vegas heat next week for cocktails, sushi bars, and oh yeah – Black Hat.
    Now, Black Hat is an interesting blend of constituents consisting of government gumshoes, Sand Hill Rd. Merlot-drinking VCs, cybersecurity business wonks, “beautiful mind” academics, and tattooed hackers – my kind of crowd! As such, we aren’t likely to hear much about NIST frameworks, GRC, or CISO strategies. Alternatively, I am looking forward to deep discussions on:
    Advanced malware tactics. Some of my favorite cybersecurity researchers will be in town to describe what they are seeing “in the wild.” These discussions are extremely informative and scary at the same time. This is where industry analysts like me learn about the latest evasion techniques, man-in-the-browser attacks, and whether mobile malware will really impact enterprise organizations. 
    The anatomy of various security breaches.  Breaches at organizations like the New York Times, Nordstrom, Target, and the Wall Street Journal receive lots of media attention, but the actual details of attacks like these are far too technical for business publications or media outlets like CNN and Fox News.  These “kill chain” details are exactly what we industry insiders crave as they provide play-by-play commentary about the cybersecurity cat-and-mouse game we live in.
    Threat intelligence.  All of the leading infosec vendors (i.e. Blue Coat, Cisco, Check Point, HP, IBM, Juniper, McAfee, RSA, Symantec, Trend Micro, Webroot etc.) have been offering threat intelligence for years, yet threat intelligence will be one of the major highlights at Black Hat.  Why?  Because not all security and/or threat intelligence is created equally.  Newer players like BitSight, Crowdstrike, iSight Partners, Norse, RiskIQ, and Vorstack are slicing and dicing threat intelligence and customizing it for specific industries and use cases.  Other vendors like Fortinet and Palo Alto Networks are actively sharing threat intelligence and encouraging other security insiders to join.  Finally, there is a global hue and cry for intelligence sharing that includes industry standards (i.e. CybOX, STIX, TAXII, etc.) and even pending legislation.  All of these things should create an interesting discourse. 
    Big data security analytics.  This is an area I follow closely that is changing on a daily basis.  It’s also an interesting community of vendors.  Some (i.e. 21CT, ISC8, Leidos, Lockheed-Martin, Norse, Palantir, Raytheon, etc.), come from the post 9/11 “total information access” world, while others (Click Security, HP, IBM, Lancope, LogRhythm, RSA, etc.) are firmly rooted in the infosec industry.  I look forward to a lively discussion about geeky topics like algorithms, machine learning, and visual analytics. 

    Las Vegas is simultaneously one of the most fun and banal places on earth, but next week it will become a hotbed of cybersecurity intrigue, intelligence, and brainpower.  It’s likely to be 115 degrees in the shade, but I can’t wait to get there.
  • Cybersecurity Startup Gold Rush for Venture Capitalists

    According to PrivCo, a financial data provider on privately-held companies, venture capital firms are poised to push $788 million into early stage cybersecurity startups this year.  This investment amounts to a 74% increase from last year’s $452 million (note:  see this article for more details).
    If you follow cybersecurity trends, it’s easy to understand why VC fat cats are throwing money around.  For one thing, the threat landscape continues to become increasingly dangerous.  In fact, ESG research indicates that 57% of security professionals working at enterprise organizations (i.e. more than 1,000 employees) believe that the threat landscape is “significantly worse” or “somewhat worse” than it was 2 years ago (note: I am an ESG employee).  So large organizations clearly need help and there are rich rewards waiting for cybersecurity vendors that can come to their aid – after announcing better than expected financial results, Check Point and Fortinet shares are trading at or near a 52-week high.
  • BYOA: Bring Your Own Authentication

    Most people who use IT or Internet applications would agree that the current user name/password mode of authentication is cumbersome, ineffective, and obsolete.  According to ESG research, 55% of information security professionals working at enterprise organizations (i.e. more than 1,000 employees) believe that user name/password authentication should be completely eliminated or relegated to non-business critical applications only (note:  I am an ESG employee).
    Recognizing the foibles of user names and passwords, ESG research indicates that 57% of enterprise organizations use multi-factor authentication technologies.  Unfortunately, multi-factor authentication technology has been too expensive and complex to roll out across enterprises or offer to on-line consumers.
  • Big data security analytics 'plumbing'

    According to ESG research, 44% of enterprise organizations (i.e. those with more than 1,000 employees) consider their security data collection and analysis a “big data” application, while another 44% believe that their security data collection and analysis will become a “big data” application within the next 2 years (note: I am an ESG employee). Furthermore, 86% of enterprises collect “substantially more” or “somewhat more” security data than they did 2 years ago.
    The ongoing trend is pretty clear – large organizations are collecting, processing, and retaining more and more data for analysis using an assortment of tools and services from vendors like IBM, Lancope, LogRhythm, Raytheon, RSA Security, and Splunk to make the data “actionable” for risk management and incident prevention/detection/response.
  • Threat intelligence lifecycle maturation in the enterprise market

    According to ESG research from 2012, 65% of enterprise organizations (i.e. more than 1,000 employees) used external threat intelligence as part of their information security analytics activities (note: I am an ESG employee). The two most popular threat intelligence types were related to vulnerabilities and malware (each is consumed by 63% of organizations that use external threat intelligence).
    Maybe it’s me, but threat intelligence seems even more relevant today than it was two short years ago. Technology vendors like Blue Coat, Cisco, IBM, Symantec, and Trend Micro emphasize the strength of their threat intelligence and bundle it into product sales. Others like Webroot follow the same path but also invest in threat intelligence as a product and OEM it to other vendors. New firms like BitSight, Norse, RiskIQ and Vorstack have taken threat intelligence in new directions, focusing on industries, threat actors, outside-in use cases and business metrics.
  • The CISO-centric Information Security Triad

    What is the information security triad? Just about everyone knows the answer to this question is CIA – Confidentiality, Integrity, and Availability. Security professionals, service providers, and technology vendors are responsible for these three infosec pillars in one way or another.
    CISOs also take part in CIA oversight, but their responsibilities extend beyond confidentiality, integrity, and availability alone. In fact, the CISO role is changing rapidly and becoming so critical that these security executives deserve a cybersecurity triad of their own. The modern CISO triad equates to:
    Security efficacy. In some ways, this requirement supports the status quo as CISOs have always been accountable for cyber defense. So what’s changed? Security efficacy used to be closely associated with risk management – identifying and quantifying risk, and then putting the right controls in place for risk mitigation. While CISOs still own this part of the job, they are increasingly tasked with putting up security fences as well as overseeing top-notch intelligence and emergency response agencies. These responsibilities require a vast improvement in internal and external security intelligence supported by intensification of specialized security analytics skills, which can be difficult to find. Finally, CISOs need to be able to translate geek speak and a cyber-gumshoe lexicon into business metrics.  
    Operational efficiency. In the past, CISOs tended to disregard security operations in favor of a dogmatic focus on security efficacy. This led to a best-of-breed security technology mentality, where organizations purchased the best email security, AV software, firewalls, and IDS/IPSs they could find. While well-intended, this strategy made mighty enterprise organizations dependent upon an army of point tools, manual processes, and a plethora of individual contributors from the IT security organization. This situation is not only an operational nightmare, but it also detracts from security efficacy as modern malware circumvents security defenses and “kill chain” phases are viewed as autonomous events. Modern CISOs hired over the past few years are in charge of supplanting this mess with a mix of coordinated processes, integrated technologies, organizational cooperation, and far more automation.
    Business enablement. Some industry pundits have dumbed down this necessity with statements like: “Information security can no longer get in the way of the business.” That may be true, but it’s overly simplistic and not the point. CISOs are supposed to hold up a stop sign when the organization embarks on initiatives that exacerbate cyber risk, but this assumes that they understand the IT initiatives and business processes involved. Based upon cybersecurity history, this may be a bold supposition. Modern CISOs have to approach business enablement in two distinct ways: 1) Business process expertise, and 2) Cybersecurity services that can support business initiatives. The latter requirement could include a flexible infrastructure for Identity and Access Management (IAM), flexible security services that are extensible to IaaS and SaaS infrastructure, fine-grained network access control policies/enforcement, and strong data security and enterprise Digital Rights Management (eDRM). In aggregate, it’s not about holding back the business; it’s about enabling the business to be creative while constantly managing IT risk.

    A few final observations:
Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.