Say “small footprint” again. I dare you, I double dare you.

Rick Holland

During the past 18 months or so, we have seen the emergence of innovative endpoint security solutions. The list is long; it is hard to keep track of all the solutions in the space. In no particular order, here is a sampling:  Bromium, Invincea, IBM Trusteer, Cylance, Palo Alto Networks Next-Gen Endpoint Protection (Cyvera), Microsoft Enhanced Mitigation Experience Toolkit (EMET), Bit9/ Carbon Black, Confer, CounterTack Sentinel, Cyberreason, Crowdstrike Falcon Host, Guidance Software Cyber Security, Hexis HawkEye G, FireEye HX, Triumfant, Tanium, and Verdasys Digital Guardian. 

I take many briefings from these types of vendors (primarily the ones I cover in Forrester’s Endpoint Visibility and Control category) and within the first five minutes of the conversation, the vendor mentions that their solution has a “small footprint.”  The use of this phrase is the equivalent of nails scratching their way across a chalkboard for me.  When was the last time you heard anyone say that they have a “large footprint?” Please provide more information: Do you run in user or kernel land? What are the impacts to utilization? Even if a vendor truly has a “small footprint,” when that new agent is deployed to a host that already has 4 or 5 agents running, the collective footprint is far from small.

Read more

Protect Your Brand Today Through Comprehensive Risk Intelligence

Nick Hayes

We all know that securing your perimeter and your internal assets only gets you so far today. The crux of the issue is that your brand, and potential threats to it, are now often external and out of your direct area of control. The number of places and channels online where your brand appears and where malicious actors discuss how to take down your organization is expanding rapidly today.

Websites, media outlets, search engines, marketplaces, social networks, forums, mobile apps, online ads, and more – these are all places where your brands, products, workers, and affiliates and other associated third parties can be mentioned in inappropriate or malevolent contexts: They increase opportunities for brand defamation and data leakage; they act as discreet places to conspire or collude; they open the door to new security vulnerabilities; they decrease your control over your products; and they make it harder to spot contract violations and breaches.

 

The good news is: You’re not powerless either.

Read more

got STIX?

Rick Holland
The sharing of threat intelligence is a hot topic these days. When I do conference speeches, I typically ask how many organizations see value in sharing, and most in the room will raise their hand.  Next, I ask how many organizations are actually sharing threat intelligence, and roughly 25% to 30% in the room raises their hand. When our 2014 Security Survey data comes in, I will have some empirical data to quote, but anecdotally, there seems to be more interest than action when it comes to sharing. I wrote about some of the challenges around sharing in “Four Best Practices To Maximize The Value Of Using And Sharing Threat Intelligence.” Trust is at the epicenter of sharing and just like in "Meet the Parents," you have to be in the circle of trust. You can enable sharing, but automating trust does take time. 
 
 
Read more

Are You Down With CIP (Critical Infrastructure Protection)?

Rick Holland

I am kicking off a new research series on critical infrastructure protection.  This first report is titled: “Brief: S&R Pros Can No Longer Ignore Threats To Critical Infrastructure.”  

Critical infrastructure is frequently on my mind, especially the ICS/SCADA within the energy sector. I live in Texas; oil and natural gas are big here ya'll. I'm just a short distance away from multiple natural gas drilling sites.  I cannot help but think about the risks during the extraction and transport of this natural gas.  North Texas has seen an attempt to bomb the natural gas infrastructure. In 2012, Anson Chi attempted to destroy an Atmos Energy pipeline in Plano, Texas. As a security and risk professional, I wonder about the potential cyber impacts an adversary with Chi's motivations could have.

Read more

Upcoming Research -- Brief: US Department Of Homeland Security (DHS) Provides Funding For Cybersecurity Innovation

Edward Ferrara

The United States Department of Homeland Security (DHS) plans to sponsor important research in cybersecurity over the next three to five years through the Broad Agency Announcement (BAA) process.  The US Federal government’s participation in cybersecurity is one of false starts. Members of each of the branches of government have made statements on the need for improved cybersecurity but very little has been done, at least in any public sense, to help the private sector deal with an onslaught of cyberattacks. At the same time, the National Security Agency (NSA) has been actively spying on private sector companies and their customers. This has sent mixed messages.

Encouragingly, the DHS is now making money available to fund research in cybersecurity with the goal of solving some of the toughest cybersecurity issues. The amount of money is small compared to the enormity of the cybersecurity problem, but it is a step in the right direction. This report will focus on what the money funds and what it means to commercial enterprises and their customers. Look for this report to publish in early August.

Mobile Application Security - The Fight Results

Tyler Shields

A few months ago I posted a blog entry entitled: "Containerization vs. Application Wrapping: The Tale Of The Tape." Well... the bout is finally over and a winner has been decided. Using a virtual tape measure, I analyzed the mobile application technology spectrum to determine which technologies are better suited to deployment in the enterprise and why. The results were about what I expected. The fight went right down to the wire and nobody scored a knockout with the winner being decided with a slim margin over the 8 rounds. Here is the judge's score card:

You can read all about the data behind the analysis and the justification for the results in my latest report: "In The Mobile Security Bout Of the Year, App Wrapping Beats Containerization On Points." 

Slide To Unlock - The New Face of Home Security

Andrew Rose

I recently visited a trade show dedicated to physical security.

Almost every vendor was advertising IP-enabled ‘smart’ technology, with accompanying apps, that would log and alert on access or motion, prevent tail-gating, recognise smartphones or RFID tags, or track faces or number plates automatically. The sheer number of CCTV vendors alone was stunning, although, truth be told, as a physical-security novice, I struggled to spot any discernable difference between them all!

There were firms who were crossing over into ‘smart home’ technology – selling a series of sensors to control temperature and light; detect issues such as movement, flooding or smoke; and remotely unlock the front door of homes, or secure areas. Although mainly sold on a ‘home security’ premise, these systems were also cleverly brought together into packages which could be used to monitor the activity of an elderly relative, sending alerts if regular patterns of behaviour, or safe limits, were transgressed (i.e. Has the shower been on too long suggesting a fall? Has the box containing essential pills been opened at around the right time? Has the front door been opened at 2am? Etc.) 

I spoke to six or seven vendors of similar technology sets and asked how they managed the logical security around their product. Almost every response began with a pause.... then came, “well, you know that nothing can ever be totally secure”, and then they abruptly ended with “we have encryption!”. It became abundantly clear that few, if any, vendors, had thought through the logical security issues and none were including it in their sales training.  Other responses, somewhat worryingly, included “our engineers look after that”, “they wouldn’t let us sell it unless it was secure”, and the classic “I’m sure it’s fine….”

Read more

CISOs, CMOs: What's It Like Working With The Privacy Pro In Your Organization?

Heidi Shey

Business needs and requirements demand expertise and coordination for privacy programs and practices. As a result, chief privacy officers, data protection officers, and other designated privacy professionals like privacy analysts are a fast growing presence within the enterprise today. The International Association of Privacy Professionals (IAPP) is 16,000 members strong today (compared to 7,500 back in 2010) and growing!    

In many organizations, a dedicated privacy professional (e.g., a full-time employee who focuses on privacy and not someone who has privacy responsibilities attached to another role) is a new role. Privacy professionals come from a variety of backgrounds from legal to IT, and the details of their role and focus can vary depending on the organization and the size of the privacy team. Yet they all have one thing in common: they must work together with multiple privacy stakeholders – IT, security, legal, HR, marketing, and more! – across the enterprise. And honestly, it’s not always easy. Like any relationship, there are ups and downs.

Read more

Don’t Blame Target’s Audit Committee For The Sins Of Technology Management

Renee Murphy

Yesterday, Institutional Shareholder Services (ISS), a third-party advisor to Target Corp. investors, recommended ousting Target’s Audit Committee because they failed to do appropriate risk management, resulting in a breach of customer data. According to Twin Cities Business Magazine, ISS stated that “… in light of the company’s significant exposure to customer credit card information and online retailing, these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information, especially since it involves shoppers and the communities in which the company operates, as well as the overall impact on brand reputation and brand value.”  This suggests a fundamental lack of understanding of both the nature of the breach and who should be held responsible for the outcome.

First, let's understand what really happened here: Target updated their point of sale (POS) systems before the holiday season. There was a known vulnerability in those POS systems that let credit card data travel between the POS system and the register before it was encrypted and sent off to the clearinghouse for approval. Target’s technology team was warned of the vulnerability and DECIDED that the risk was worth accepting – not the board, not the auditors; it was the people involved in the project who accepted the risk of losing 70 million records. When departments accept that level of risk, they in essence, end the conversation.  The audit committee and board of directors would be none the wiser. When was the last time you notified your board about how you were disposing of hard drives? 

Never, right?

Read more

The Connected Car As A Microcosm Of The New Threat Landscape

Andrew Rose

The Internet of Things (IoT) is a hot phrase right now, and every vendor is talking about the huge potential of continual connectivity and interaction with smart devices to optimize the asset and transform the customer experience. The potential is undeniably huge and developers are right to be excited, but it’s not all "hugs and puppies."

As S&R professionals, we have to balance the excitement of innovation with pragmatism and caution, and the IoT is a turmoil of innovation right now. With so much change, it can be difficult to focus in on the key issues, so let's choose an area where there has been a lot of discussion and hype for years (or even decades) but not much in the way of actual consumer adoption; let's use the "connected car" as an example to crystalize a few of the risk scenarios.

 

Picture courtesy of Dave Gray on Flikr

Today’s cars operate on computers, and mechanical functionality breaks down when the computer is not there to manage it. It’s not quite an aerodynamically unstable plane, such as the B-2, or indeed most modern fighter jets, which are kept in the sky by instantaneous computer feedback and corrections, but it’s not dissimilar. As we move toward the connected car, think through these scenarios:

Read more