This Forrester-moderated panel of top security executives from Allergan, Zappos and Humana will discuss the impact of scale in solving Big Security challenges. Issues from the importance of scale in detecting advanced threats to benefits to the average user will be debated. Drawing on their experiences, these experts will share their views on why scale matters in the era of big data.
David Hannigan, Zappos, Information Security Officer
Stephen Moloney, Humana Inc., Manager, Enterprise Information Security
Jerry Sto. Tomas, Allergan, Inc., Director, IS Global Information Security
Predicting what malware will look like five years from now requires more than a crystal ball. In order to fully understand future threats and challenges, you need a finger on the broader pulse of technological innovation. Our panel of esteemed experts will attempt to guide a better understanding of where we may need to target our defensive efforts in the coming months and years.
You are now no doubt aware that Boston-based security firm Bit9 suffered an alarming compromise, which resulted in attackers gaining access to code-signing certificates that were then used to sign malicious software. See Brian Krebs's article for more details. (Symantec breathes a quiet sigh of relief to see a different security vendor in the headlines.)
The embarrassing breach comes at a time when the company has been seen as one of the security vendor landscape’s rising stars. Bit9 has actually been around for more than a decade, but the rise of targeted attacks and advanced malware has resulted in significant interest in Bit9’s technology. In late July, Bit9 secured $34.5 million in funding from Sequoia Capital. Bit9’s future was bright.
On Friday afternoon, Bit9 CEO Patrick Morley published a blog providing some initial details on the breach. A few of his comments stood out: “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network … We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.”
When you fly nearly every week, you can get pretty bored on a plane. When I am sick of working, playing games, or watching movies, my latest distraction is checking out laptop screens. Sometimes I'm curious what movie you are watching, but other times I am interested in what type of confidential company information you are displaying for the world to see. In the past few weeks I have seen the following types of information on my fellow flyers' screens:
End of year/end of quarter sales numbers
Disciplinary emails regarding employee performance
Pre-launch marketing information (which I presumed to be under embargo)
Competitive displacement information
Most of the time I suggest that my fellow traveler invest in a privacy screen, and most of the time they are receptive to the suggestion. It really is astounding how many people don't spend the approximately $30 on one. If your company doesn't issue them, I suggest you work to change that stance. World-readable isn't the permission you want on your laptop screen; time for chmod (UNIX joke).
You remember the tribbles, don't you? The cute, harmless-looking alien species from the second season of the original Star Trek that turn out to be anything but benign. They are born pregnant and reproduce at an alarming rate. The tribbles threaten the ship, but fortunately Chief Engineer Montgomery Scott is able to transport all of the furry creatures to a departing Klingon ship. The tribbles remind me of technology investments:
You start out small, but before you realize it the technology is everywhere and you are overwhelmed. It ends up in places you never intended.
Like the relaxing purr of the tribbles, the flashing lights of racks and stacks of gear give us warm comfort at night.
Tribbles consume everything, just like the operational requirements of much of our technology investment: resources, budget, and productivity are all devoured.
It is with great pleasure that I announce the completion of my first Forrester Wave™: Email Content Security, Q4 2012. I’d like to thank the research associates (Jessica McKee and Kelley Mak) who assisted me with this project. We performed a 47-criteria evaluation of nine email content security vendors. Given my background as a practitioner and solutions engineer, one of the key requirements to participate was unsupervised access to a demo environment. I had access to the environments throughout the evaluation process and found them to be a great option for validating features and “getting to know” the user interfaces. Here are some of the key findings:
Email security is a critical component of your portfolio
Email is a key component of business processes within enterprises and must be secured. Despite the fact that email security is low on the spending priority list, it’s critical that organizations safeguard email. Email is a popular attack vector for targeted attacks, and HIPAA and PCI mandate that emails containing confidential data be secured.
Vendors are delivering enhanced capabilities in response to the threat and compliance landscape. Big data analytics are leveraged to combat targeted attacks. Encryption capabilities have been improved and simplified. Channel DLP is now robust and feature-rich.
Today EMC announced the acquisition of Silicium Security. Silicium's ECAT product is a malware threat detection and response solution. ECAT did not adopt the failed signature-based approach to malware detection and instead leveraged whitelisting and anomaly detection. Incident response teams can leverage ECAT to quickly identify and remediate compromised hosts. ECAT joins NetWitness and enVision.
Last week I had the opportunity to attend the 15th annual Black Hat security conference in Las Vegas. I have attended DEFCON in the past, but never Black Hat. The conference has grown significantly each year, and judging by the size of the expo floor, the vendors understand its significance. I enjoyed the conference and had great conversations with practitioners and vendors alike. Here are some observations from two of the sessions that I attended:
On Wednesday, American footwear company Skechers agreed to pay the US Federal Trade Commission $40 million. This settlement resulted from a series of commercials that deceived consumers claiming that the Shape-Ups shoe line would “help people lose weight, and strengthen and tone their buttocks, legs and abdominal muscles.” Professional celebrity Kim Kardashian appeared in a 2011 Super Bowl commercial personally endorsing the health benefits of these shoes.
This settlement was part of an ongoing FTC campaign to “stop overhyped advertising claims.” A similar effort would serve the information security community well. For example, one particular claim that causes me frequent grief is: “solution X detects and prevents advanced persistent threats.” It is hard, dare I say impossible, to work in information security and not have heard similar assertions. I have heard it twice this week already, and these claims make my brain hurt.
Our next installment of "Hackers vs. Executives" is just weeks away. Join us at the Forrester Security Forum and sit in on one of the most popular sessions of the event each year. We have a great panel lined up for you. In the Hackers corner, we have Chase Cunningham of Neustar and Brian Gorenc of HP Tippingpoint DVLabs. In his hacking demo, Chase will use social engineering, packaged exploit delivery, and credential harvesting to show you how open source data can create avenues for hackers to attack users and ultimately compromise your network. In his hacking demo, Brian will provide an in-depth look at what it takes to analyze a vulnerability and the steps required to weaponize it. Centering on a vulnerability in a Microsoft application, the demo will show you how an attacker can quickly move from proof-of-concept to remote code execution.
In the Executive corner, we have Richard Bejtlich of Mandiant and Steve Martino of Cisco Systems. Richard and Steve will discuss what these types of attacks mean to Security & Risk professionals, including how your organization can prepare and respond to them. John Kindervag and I will moderate the panel. There will be great discussion and you will have the opportunity to ask questions of all of our panelists. It will be a fantastic session; one you won't want to miss. Please join us in Las Vegas on May 25th from 11:05 to 12:40. Take a look at the Security Forum website for more details. John and I hope to see you there.