On Wednesday, American footwear company Skechers agreed to pay the US Federal Trade Commission $40 million. This settlement resulted from a series of commercials that deceived consumers claiming that the Shape-Ups shoe line would “help people lose weight, and strengthen and tone their buttocks, legs and abdominal muscles.” Professional celebrity Kim Kardashian appeared in a 2011 Super Bowl commercial personally endorsing the health benefits of these shoes.
This settlement was part of an ongoing FTC campaign to “stop overhyped advertising claims.” A similar effort would serve the information security community well. For example, one particular claim that causes me frequent grief is: “solution X detects and prevents advanced persistent threats.” It is hard, dare I say impossible, to work in information security and not have heard similar assertions. I have heard it twice this week already, and these claims make my brain hurt.
Our next installment of "Hackers vs. Executives" is just weeks away. Join us at the Forrester Security Forum and sit in on one of the most popular sessions of the event each year. We have a great panel lined up for you. In the Hackers corner, we have Chase Cunningham of Neustar and Brian Gorenc of HP Tippingpoint DVLabs. In his hacking demo, Chase will use social engineering, packaged exploit delivery, and credential harvesting to show you how open source data can create avenues for hackers to attack users and ultimately compromise your network. In his hacking demo, Brian will provide an in-depth look at what it takes to analyze a vulnerability and the steps required to weaponize it. Centering on a vulnerability in a Microsoft application, the demo will show you how an attacker can quickly move from proof-of-concept to remote code execution.
In the Executive corner, we have Richard Bejtlich of Mandiant and Steve Martino of Cisco Systems. Richard and Steve will discuss what these types of attacks mean to Security & Risk professionals, including how your organization can prepare and respond to them. John Kindervag and I will moderate the panel. There will be great discussion and you will have the opportunity to ask questions of all of our panelists. It will be a fantastic session; one you won't want to miss. Please join us in Las Vegas on May 25th from 11:05 to 12:40. Take a look at the Security Forum website for more details. John and I hope to see you there.
Last Friday, after a long week of RSA conference events and meetings, I eagerly looked forward to slipping on my headphones and enjoying the relative silence of my flight back to Dallas. As I approached my seat, I saw I was sitting next to a United States Air Force (USAF) officer. I looked at his rank and saw two stars on his uniform, making him a major general. I had a sudden sense of nostalgia and I instinctively wanted to salute him. I resisted the urge, introduced myself, and thanked him for his service.
Over the next two hours I had the most unexpected and fascinating conversation of my RSA week. It turned out that my fellow traveler is the commanding officer of the Air Force Research Laboratory (AFRL). According to the website, the AFRL is “the Air Force’s only organization wholly dedicated to leading the discovery, development, and integration of war fighting technologies for our air, space, and cyberspace forces.” We discussed a variety of open source topics, including electromagnetic pulse weapons, cyberweapons, Stuxnet, unmanned aerial vehicles, USAF renewable energy initiatives, as well as national policy.
Last week I read an article on wired.com’s Danger Room blog about the elite US military Special Forces command, JSOC. The units within the Joint Special Operations Command (Delta Force and Seal Team 6) are responsible for the most clandestine and sensitive US military operations, including the Bin Laden raid into Pakistan last year. JSOC is very similar to elite Special Forces (SF) units across the globe including: the Russian Spetnaz, British SAS, French Naval Commandos, and the Israeli Shayetet 13. These SF units are capable of addressing asymmetric threats that traditional military units aren’t prepared to handle.
In the article, Spencer Ackerman interviews Marc Ambinder, one of the authors of The Commandabout JSOC. The article piqued my interest and I just finished reading the eBook. Like almost everything I do, I considered the information security implications as I read it. Today’s infosec threat landscape is dominated by unconventional threats that are difficult to address. How can we leverage the techniques utilized by SF to deal with the cyber threats we face today? I realize that we have an international audience, and my point isn’t to focus on US policy, but rather to take a deeper look at the unique capabilities of SF units and what lessons we can apply in our roles as S&R professionals.
This week I did a webcast, Planning for Failure, which makes the assumption that if you haven't been breached, it is inevitable, and you must be able to quickly detect and respond to incidents. An effective response can be the difference between your organization's recovery and future success or irreparable damage. While I was working on the slides for the webcast, I started to reflect back on the 2011 security breaches that personally impacted me. Three breaches immediately came to mind:
I am excited to announce my latest research, The CISO's Guide To Virtualization Security. This is the first report in a new series focusing on securing virtual environments. The reduced costs and flexibility of virtualization have led to widespread adoption of the technology. Despite this adoption, security and risk professionals haven't given their virtual environments the attention that is required. Our research interviews revealed several themes:
Business as usual is the status quo. IT departments rely upon traditional security solutions (end point and network security) to secure their virtual environments. Depending on the network architecture, virtualization can create blind spots in your network leaving you blind to intra-virtual-machine (VM) communication.
Many security pros aren't aware of the virtualization aware solutions available on the market. One CISO we spoke with wasn't aware that his organization's current antivirus vendor offered a virtualization aware solution. This isn't necessarily surprising; many of the virtualization aware security solutions are relatively new to the market. Virtualization aware solutions afford us the ability to have potentially greater visibility into workloads than we might have in our traditional physical environment.
Many security pros have a general discomfort with virtualization. Security pros, especially CISOs and other security leaders who have risen up the technical ranks, aren't as confident in their virtualization knowledge as they would like to be. This is particularly the case when we compare virtualization with more mature security areas, such as network security.
Winter is coming; the year is quickly drawing to a close, and its time to a look back and see how accurate our content security crystal ball was for 2011. Last year we predicted three trends; two were accurate and one was partially correct. Let's take a closer look.
1) Content security spending will slow down - We were right. According to our latest survey data, the content security budget represented 6% of the total IT security budget; this is a 1% decrease from 2010. Content security remains one of the lowest budgeted technology areas in IT.
2) Consolidation will continue to drive suite offerings - We were partially correct. In 2011, we didn't see any significant M&A activity in the content security space. While we were wrong on the vendor consolidation prediction, we were correct on the prediction that market leaders would increase their data loss prevention and mobile capabilities to further solidify their market positions.
3) Mobile filtering will enter mainstream IT - We were correct. Laptop filtering is mainstream, and mobile device filtering is gaining momentum and getting significant attention. Content security vendors are currently testing content filtering on mobile phones and tablets.
What about 2012? To see what five trends we predict will impact your strategy next year, check out the full document: "Content Security: 2012 Budget And Planning Guide." Here's a teaser, is your content security strategy ready for the extended enterprise?
We are excited to announce "Planning For Failure," the first collaborative report in a series of new research taking a closer look at incident management and response.
A look back at the year's headlines isn't encouraging. Many companies have experienced security breaches, and their bottom lines and brand reputation have suffered. You might not have considered it, but your organization is a likely target. In fact, your intellectual property could be exfiltrating your network even as you read this blog; you must be prepared. Once the airplane is going down, it is too late to pack the parachute.
Preventive security controls will fail, and you should operate under the assumption that if you are not already breached, you will be. An ounce of preparation is worth a pound of remediation, and the sooner you can detect and respond to a security breach, the more likely you will be able to minimize the impact and scope of the incident. The proper execution of a well-thought-out strategy can reduce your remediation costs and protect your brand reputation.
"Planning For Failure" takes a look at why an incident management strategy is critical to the success of your business and provides recommendations on how to implement or improve your plans.
If you have questions or comments, please let us know. We would love to hear your feedback.
I am very excited to introduce my first Forrester report, "The Content Security Forecast Calls For Clouds." I wrote the report to help guide your strategy on SaaS based email and web content security. During my inquiries, I am frequently asked about content security in the cloud:
"Is web SaaS mature enough for enterprises?"
"Will SaaS help secure my mobile and remote users?"
"What about the hybrid model?"
"What are other organizations doing?"
In the report, I take a closer look at these questions, and I also address the benefits and challenges associated with the SaaS model. I leave you with multiple deployment options and specific recommendations for your journey to the cloud. If you have questions or comments please let me know, I would love to hear from you.