After RSA's acquisition of SilverTail, things are heating up in mobile application level behavioral detection.
We see fraud management vendors increasingly looking at mobile application behaviors (beyond web fraud management and device fingerprinting) to build out a normal and abnormal behavior profile for the network traffic signatures coming out of the application (similarly to how SilverTail/RSA looks at web traffic signatures). Note that this is clearly a grey area that falls between what device fingerprinting vendors (iovation, 41st Parameter, BlueCava, ThreatMetrix), or risk-based authentication (RBA) vendors (RSA, Entrust, CA/Arcot, etc.) or what traditional back-end, cross-channel transaction monitoring vendors (Actimize, ACI, Detica, SAS, etc.) have been doing. Although device fingerprinting and RBA vendors have long been providing SDKs and APIs for developers to include in their mobile applications, understanding mobile application network traffic and building good and bad behavioral models is becoming something people are increasingly interested in.
Mobile application behavior detection has the benefits of not having to open up application code, not having to define too many security policies or rules. Because of this, mobile application behavior detection and network traffic signature profiling is something we expect to see a lot of vendor interest in the next 9-12 months.
"My master made me this collar. He is a good and smart master and he made me this collar so that I may speak. Squirrel!"
In the Pixar film Up, squirrels frequently distract Dug the talking dog. In our space, we are frequently distracted by technology. "I am a good and smart security professional; I must protect my enterprise so that we are secure. APT defense in a box!"
The expo floors at industry events such as the RSA Conference and Blackhat contribute to this. Signage touts the next great piece of technology that will solve all of our security problems. We allow Big Data, security analytics, threat intelligence, and APT defense in a box to distract us. It is easy to do; there is no shortage of challenges for today’s security and risk professional. The threat landscape is overwhelming. We have problems recruiting and retaining the right staff. Day-to-day operational duties take up too much time. Our environments are complex, and we struggle to get the appropriate budget.
These “security technology du jour” solutions are very appetizing. They compel us much like IDS, IPS, and SIM did in the past. We want and need the “easy” button. Sadly, there is no “easy” button and we must understand that threat protection doesn't equal a product or service; there is no single solution. Technology alone isn't the answer we are looking for.
Want to know more about Access Certification and Attestation? Would you like to win an iPad and get a courtesy copy of a Forrester report on the findings of a survey on the topic?
Forrester is collaborating with the University of British Columbia (UBC) on an Identity and Access Management survey. The main topic of the survey is Access Certification and Attestation, also known as Access Governance. It takes only 15 minutes to complete the survey. In August 2013, Forrester, in collaboration with UBC, will publish the highlights of survey results.
Here's what we offer for your participation:
If you complete the survey,
You will eligible to win a 128 GB iPad in a raffle organized by UBC.
Forrester will send you a courtesy PDF copy of the report.
Stephanie Balaouras and I published a report last week on the current state of crisis communications, and one thing is clear: most companies are not ready to invoke their crisis communications plan.
We analyzed data from our recent 2012 Forrester/Disaster Recovery Journal (DRJ) joint online study, which surveyed 115 business continuity decision-makers about their organizations’ crisis communications strategies. The results were disconcerting. Despite roughly half of organizations having invoked their business continuity plan in the past five years, only 15% said their crisis communication efforts were very effective.
Recent events such as Hurricane Sandy and the Sandy Hook school shooting illustrate the damaging, and often tragic, impact crises can have on organizations and the broader community. In fact, Hurricane Sandy was the second costliest in US history. Yet, most organizations are not prepared to manage an effective response to such a crisis. We found that crisis communication programs routinely underperform because:
When I talk to security (S&R) leaders, they always tell me that in an ideal world, they would have enough advanced warning of impending business and technology disruptions in order to understand the security, privacy and overall risk implications and then prepare and present their business executives with a balanced opinion about how best to proceed if and when the enterprise decides to move forward. Unfortunately, most often, business and IT colleagues move on these disruptions and technology shifts far in advance of the security team’s readiness, and we don’t have to look far for examples; just think of employee BYOD, mobile apps for customer engagement, cloud services, social technology for marketing and collaboration, massive big data projects for business intelligence, or virtual and converged infrastructures within the data center.
Many organizations today get caught up in what I call the “social media binary,” where there are only two options to social media control: 1) Allow unrestricted access to social networks, and potentially expose the company to myriad security, regulatory, reputational, and other risks, or 2) set and enforce policy that completely forbids the use of social media while at work, and forgo potentially lucrative business opportunities for the firm.
The evolution of business practices is proving as big of an issue for Security and Risk professionals as the changing threat landscape. Sure, attackers exposed hundreds of millions of personal records and government information in security breaches last year, and there are examples all the time of new, sophisticated attack methods… however Security and Risk pros should also be on the lookout for technology trends that may prove just as difficult to address: Digital disruption creating shockingly more competitive marketplaces, perpetual connectivity intensifying IT user expectations, and the data economy creating incredible new possibilities to leverage the power of existing information. Of course with big business opportunities come big business risks.
I’m very excited to kick off survey development for upcoming Forrester Forrsights surveys that will feature security content. Continuing on from previous years will be the Forrsights Security Survey. This is an annual survey of IT security decision-makers from North American and European SMBs and enterprises. New for 2013 is a Workforce Survey that will provide the (also North American and European) employee perspective when it comes to security and devices in use within their workplace.
These surveys will be fielded April through May, and the results will make their way into published research this summer. Survey development starts now, and I would love to hear what you think about the proposed topics. What are some areas where you’d like to see us gather more data?
Facebook made headlines last Friday with its announcement that it had been the victim of a sophisticated security attack. All major news publications picked up the story, citing widespread concern about the implications of the breach.
The breach itself, however, was largely a nonevent from a security standpoint.
Facebook identified the security breach before it infiltrated too deeply into company systems, remediated all compromised machines, informed law enforcement, and reported the Java exploit to its parent owner Oracle – acting quickly and appropriately. Most importantly, Facebook made it clear that the breach did not expose any of its users’ data.
I’m proud to announce that this week Forrester launched our Governance, Risk, and Compliance Playbook, a collection of in-depth reports covering the critical information you need to implement a successful GRC program… one that focuses on supporting business success, not getting in its way.