A new blog site for one of our analysts

For those that have been following my blog posts, I've started up my own blog. It's called Cyberia, and it's at http://jpenn.wordpress.com.

I wanted to blog more often about a broader set of topics, but found the team blogs non-optimal places to do so. Having my own blog will allow me to stretch out the topics a bit per my own interests, and avoid my flooding this wonderful team blog with my own posts.

I've already started posting several items, so it's live and active.

I hope to see you there!

Why Consumers Use Security Freeware

I’ve been doing a lot of research into the consumer security market lately, and with it the rise of consumer security freeware (AVG, etc). One of the interesting findings is that those who use security freeware are not primarily motivated by price. In fact, price is less of an influence on their selection than it is for the consumers who use paid security products.

You all wear IT security hats during the day. But if you’re like me, that hat never gets completely removed outside of work either: you protect your computers at home, and you also help protect those of your family members, your friends, and the occasional neighbor or two. Indeed, when it comes to computer security, you’re likely a savvy consumer shopper and a strong influencer of other people's purchases. So if you use free consumer security software, have considered using it, or used it and switched back to paid versions, take a look at my new post on the security freeware trend. I’d love to hear your thoughts on this.

How Consumer Security Vendors Can Fight Freeware (part 1)

Lately, I’ve been delving quite a bit into the consumer security market. This is perhaps the biggest change in my security coverage as I moved to focus on vendor-oriented research. Forrester doesn’t have consumer clients, so our coverage of consumer security in the past has been less than rigorous, except in cases where our IT clients raise issues in areas like B2C/G2C online security (phishing, risk-based authentication, fraud and identity theft, etc.).

A major source of anxiety for the consumer security vendors is freeware. Companies like AVG, ALWIL (Avast!), Avira, and others offer antivirus for free, with Microsoft hitting the market soon with its new service code-named Morro. But it’s more than just AV: with free antispyware, free personal firewall, free HIDS and so on, the big consumer security vendors have a right to be concerned. Take Symantec, where 30% of its revenues and 45% of its income come from its consumer security division. Symantec and others – such as McAfee, Trend, and even Tier 2 players like Kaspersky – have revenue streams to protect in their consumer security products.


RSA Conference review: vendors continue to miss the mark

Jonathan Penn

For those who are used to seeing me post here, I have been writing more frequently to security vendor strategists rather than security & risk practitioners. I just posted on Forrester's Vendor Strategy blog about my impressions from RSA. You can read the unabridged version there, but here's the CliffsNotes:


Impressions of the RSA Conference: Notable for what was missing

The RSA Conference is now over, though by no means have I decompressed: it was a whirlwind of activity (I held 38 meetings in 5 days!). As evidence of how significant the RSA Conference is as the place to show your wares and to be seen, by my count there were over 350 vendors exhibiting - which is a bit less than half of the entire security vendor community. Notably, though, many of the booths were smaller than in years past.
My colleague John Kindervag predicted in advance of the conference that cost-cutting and "cloud" were going to be the two big pitches coming from vendors. Credit John with a direct hit on that.
But here's what I saw missing from the event:


Symantec's acquisition of MessageLabs

Jonathan Penn

This acquisition extends Symantec into the security software-as-a-service (SSaaS) market, but it doesn’t in itself provide any proof that Symantec is looking at SSaaS strategically. For example, we have not yet had any indication from Symantec that it is conducting a portfolio-wide SSaaS opportunity analysis.

Rather, this appears to be a tactical move into the most mature area for security outsourcing – results from our Enterprise And SMB Security Survey, North America And Europe, Q3 2008 show that content filtering is the most commonly managed/outsourced security function (31% of organizations surveyed have procured content security as a managed or outsourced service).

That's a shame. As we have written recently when analyzing the market for security outsourcing, we've seen security outsourcing grow 22% for 2007, and we expect it to continue outpacing growth of the overall security market. IT Security groups are reeling under the pressure of a skills shortage, the desire for cost transparency and predictability if not outright cost reduction, and a need to alleviate themselves from tactical and operational functions so they can have time to focus on more strategic initiatives and areas. All of these are strong factors driving the market for security outsourcing.


The Growing Security Skills Shortage

Jonathan Penn

We are regularly hearing from our security clients about their difficulties finding people with the right skills – or when they do finally find them, these people are too costly to employ because their skills are in such demand.

Indeed, the “unavailability of people with the right skills” was cited as a top challenge for security groups in both our enterprise and SMB surveys.

In comparing need for talent across 25 different IT roles, Forrester analysts came to the conclusion that information security experts are among the hottest roles in IT, sharing the top spot with information/data architects.

The skills shortage is likely to get worse before it gets better. We’re unlikely to see a significant spike in security experts’ salaries to attract those we need to hire: large changes in compensation for senior security personnel would run against the current of economic belt-tightening. Another typical approach to offsetting the shortage would be to train up: foster the career development and advancement of existing security personnel on our payroll. However, with all the outsourcing that is going on – and which will increasingly occur – there is a shrinking pool from which to find people with “the right stuff” worth championing their advancement.

We could look outside of security to others in IT, or even to co-workers in other departments or business groups. But given how poor a job IT Security does of marketing its value proposition, I don’t hold much hope for attracting non-security people.


Two faces of Identity as a Service (IDaaS)

Here's a post based on comments by Andras Cser, Sr. Analyst covering Identity Management, from a discussion we recently had. Andras was just leaving for vacation, so I'm posting this on his behalf.

In the interviews I have been conducting for my research for my upcoming paper, Identity As A Service, I repeatedly encountered two interpretations of IDaaS.

One interpretation is fairly simple: Identity as a Service means Managed Identity Services (MIS). In this offering, a Managed Service Provider (MSP) provides on-site or off-site services to the customer, such as provisioning, directory management, or operation of a single sign-on service (See this post for more on that


Are We Ready For Managed Identity Services?

There have been several announcements recently around identity management as a managed service:


Internet Banking Security: It's Not About Login Authentication

It recently came to light that ABN AMRO banking customers were targeted with a virus. Nothing new there, as malware activity these days is all about financial gain. But ABN AMRO isn't your ordinary bank: it has two-factor authentication in place where customers need to use a One-Time Password (OTP) token to access the site. However, this also wasn't your ordinary attack. The malware, installed when unsuspecting users opened up an email attachment, redirected victims to a fraudulent ABN AMRO site where it conducted a man-in-the-middle attack. While the damage was contained to just four victims (that we know of), it does serve as a warning sign that threats are evolving to counter the simple defense of consumer strong authentication at login, here combining Trojans, pharming, and man-in-the-middle into one targeted attack.

This is why it's important to authenticate/authorize at the transaction level -- login itself is all but irrelevant.

Activity monitoring and risk analysis in combination with authorization in the context of the activity (often referred to as risk-based authentication) is the only defense robust enough to counter attacks of any kind that attempt to compromise customers' accounts. We've written about such an approach here.
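As an added illustration of the argument above (example code, not part of the original post or any bank's system), the sketch below contrasts a login-centric control, which accepts everything once the OTP at login was valid, with transaction-level risk-based authorization that scores each payment against the customer's history. The profile fields, risk weights, thresholds and sample transactions are constructed assumptions for the demonstration.

```python
"""Transaction-level risk-based authorization versus a login-only check."""
from dataclasses import dataclass


@dataclass
class CustomerProfile:
    known_payees: frozenset      # payees this customer has paid before
    known_devices: frozenset     # device fingerprints seen on earlier sessions
    usual_max_amount: float      # largest routine payment in recent history


@dataclass
class Transaction:
    payee: str
    amount: float
    device_id: str
    otp_at_login_valid: bool     # the only signal a login-centric control ever sees


# Constructed heuristics and weights; a real deployment derives these from
# activity monitoring rather than hard-coding them.
def risk_score(profile: CustomerProfile, tx: Transaction) -> tuple[int, list[str]]:
    score, reasons = 0, []
    if tx.payee not in profile.known_payees:
        score, reasons = score + 40, reasons + ["first payment to this payee"]
    if tx.amount > 2 * profile.usual_max_amount:
        score, reasons = score + 35, reasons + ["amount far above usual range"]
    if tx.device_id not in profile.known_devices:
        score, reasons = score + 30, reasons + ["unrecognised device"]
    return score, reasons


def login_only_decision(tx: Transaction) -> str:
    """Login-centric control: a valid OTP at login authorizes everything after it."""
    return "allow" if tx.otp_at_login_valid else "deny"


def transaction_decision(profile: CustomerProfile, tx: Transaction) -> str:
    """Authorize in the context of the activity: medium risk needs an out-of-band
    confirmation that names payee and amount, so a relayed login OTP cannot
    be reused for a different payment; high risk is held for review."""
    score, _ = risk_score(profile, tx)
    if score >= 70:
        return "hold_for_review"
    return "step_up_confirm_payee_and_amount" if score >= 30 else "allow"


# Constructed sample: the login OTP was relayed through a proxy site, so login
# succeeded, but the payment that follows is unusual on every axis.
ALICE = CustomerProfile(frozenset({"utility-co", "landlord"}), frozenset({"dev-home-pc"}), 900.0)
RELAYED_TX = Transaction("unknown-payee", 4800.0, "dev-unseen-7", otp_at_login_valid=True)
ROUTINE_TX = Transaction("landlord", 850.0, "dev-home-pc", otp_at_login_valid=True)
```

Run against the samples, the login-only control allows both payments, while the transaction-level decision allows the routine one and holds the relayed one for review.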