The Biggest Risk To BC Preparedness – Third-Party Risk

Stephanie Balaouras

At the recent Disaster Recovery Journal Fall World conference, I gave a presentation of the state of BC readiness. I had some great discussions with the audience (especially about where BC should report), but one of the statistics that really stood out for me and I made it a point to emphasize with the audience, is the state of partner BC readiness.

According to the joint Forrester/Disaster Recovery Journal survey on BC readiness, 51% of BC influencers and decision-makers report that they do not assess the readiness of their partners. If this doesn’t shock you, it should. Forrester estimates that the typical large enterprise has hundreds of third-party relationships – everyone from supply chain partners to business process outsourcers, IT service providers and of course cloud providers. As our reliance on these partners increases so does our risk – if they’re down, it greatly affects your organization’s business performance. And with the increasing availability of cloud services, the number of third parties your organization works with only increases, because now, business owners can quickly adopt a cloud service to meet a business need without the approval of the CIO or CISO and sometimes without the approval of any kind of central procurement organization.

Even among those organizations that do assess partner BC readiness, their efforts are superficial. Only 17% include partners in their own tests and only 10% conduct tests specifically of their critical partners.

Read more

What Are S&R Pros Doing About Data Security And Privacy?

Heidi Shey

Data security consistently tops the laundry list of security priorities because it must. Organizations are collecting data, creating data, using data, and storing data in some way or another. Mishandle data or disregard privacy, and you’ve got a public relations fiasco on your hands with the potential to disrupt business operations or hurt the bottom line.

So, we know that data security is a priority, but what does that mean? What are organizations actually doing here? How much are they spending, and where are they focusing their efforts? And what are they doing about privacy? I’ve dug into data from Forrester’s Forrsights Security Survey, Q2 2012 and data from the International Association of Privacy Professionals (IAPP) to answer these questions in a newly published benchmarks report for our Data Security and Privacy playbook. Note: This is not a shopping list, nor a check list, nor is it a “spend x% on data security because your peers are doing so!” manifesto. This report is meant to be a starting point for discussion for S&R pros within their organizations to take a closer look at their own data security and privacy strategy.

Key findings include:

Read more

Incident Response Isn’t About Point Solutions; It’s About An Ecosystem

Rick Holland

Today EMC announced the acquisition of Silicium Security.  Silicium’s ECAT product is a malware threat detection and response solution.  ECAT did not adopt the failed signature based approach to malware detection and instead leveraged whitelisting and anomaly detection.  Incident response teams can leverage ECAT to quickly identify and remediate compromised hosts.  ECAT joins NetWitness and enVision.  

Read more

When It Comes To Data Security, You Don’t Need A Silver Bullet, You Need A Framework

Stephanie Balaouras

There is truth to the meme, “data is the new oil.” Data is the lifeblood of today's digital businesses, and for economic and even political gain, highly skilled cybercriminals are determined to steal it. Meanwhile, customers around the globe have become highly sensitive to how organizations track, use, and store their personal data, and it's very difficult for security pros to stay one step ahead of changing privacy laws and demands. Plus, as data volumes explode, it's becoming a herculean task to protect sensitive data and prevent privacy infringements (today we talk in petabytes, not terabytes).

Every day, vendors introduce a new product that claims to be the silver bullet to data security challenges. Consider that DLP remains one of the most popular search terms by security pros on Forrester.com. In the case of data security, there is no silver bullet. There is no way to solve the problem without a process framework that outlines how you go about discovering, classifying, analyzing, and then ultimately defending data. Forrester has created a framework to help security pros protect data – we call it the Data Security And Control Framework. If you take a framework approach, you will:

Read more

AVG: What They’re Doing Right, Where They (And Other Vendors) Just Make Noise, And What It Means For S&R Pros

Heidi Shey

I spent a jam-packed day with security software and services provider AVG last week, checking out their 2013 product line-up for free antivirus and paid premium products, and participating in roundtable discussions with press, analysts, and AVG executives about consumer security, mobile, privacy and policy. Here are my reactions to what AVG is doing:

LOVE: Outside in perspective, from both a micro and macro perspective. Most vendors will do and mention the importance of customer experience and feedback, but AVG hammered the point home in every _single_ conversation. On a macro level, AVG is very sophisticated about privacy. They are actively engaged in conversations with governments, are sensitive to the complexity that comes with balancing privacy and national security objectives, and closely follow global privacy policy developments and implications for consumers. Maybe I haven’t been connecting with the right folks from other vendors, but I don’t have these types of conversations often outside of an academic setting.

LIKE: Consumer data (yes, I’m biased here, being the data nerd). AVG has lots of it and it’s all free. This is awesome because it’s a great resource not just for the industry but for other parties to use in education and awareness program design. They’ve done studies across 11 countries for their Digital Diaries studies, surveying parents and kids of different age brackets from 0 to 17 to understand online behaviors and attitudes. Here’s a data nugget that caught my attention: by the time they are two years old, 81% of children have some kind of digital footprint (online photographs, personal data, email and/or social networking accounts). 81%!

Read more

Application Whitelisting Offers A Tantalizing Alternative To Popular "Whack-A-Mole" Antivirus Strategies

Stephanie Balaouras

Guest Post From Researcher Chris Sherman

Traditional antivirus techniques have been fighting a losing battle for years. Popular hacker exploit kits pounce on new vulnerabilities quickly while advanced tools such as polymorphic viruses propagate their malicious intents.  As a result, signature databases (known as “blacklists”) have ballooned in size, causing strain on a company’s infrastructure and endpoint performance. Combined with the fact that antivirus vendors  miss a significant number of the unknown or zero-day threats, many security professionals are left questioning their antivirus-centric approach to endpoint protection.  As the number of malware samples rise, this traditional "Whack-A-Mole" blacklist strategy of signature-based antivirus protection is simply unscalable.

Read more

Observations From Black Hat - More Defense Please

Rick Holland

Last week I had the opportunity to attend the 15th annual Black Hat security conference in Las Vegas. I have attended DEFCON in the past, but never Black Hat. The conference has grown significantly each year, and judging by the size of the expo floor, the vendors understand its significance. I enjoyed the conference and had great conversations with practitioners and vendors alike. Here are some observations from two of the sessions that I attended:

Read more

How Will The Extended Enterprise And Zero Trust Identities Impact Your Identity Administration Processes?

Andras Cser

We regularly get inquiries from companies that feel the need to restructure their access controls to support extended enterprise user populations: firms have to support employees, contractors, business partners, customers and keep them contained to be able to access resources (applications, data, etc.) that they have a business need to access. Technology and protocols are catching up here: companies (and vendors too!) are moving to finally support SAML, OAuth and OpenID Connect in bulk. 

The real question, however, is not just access control, but it's also identity administration and attestation. How do you extend your internal provisioning of entitlements to your employees to your business partners or customers? What is the lifecycle of a data asset or piece of intellectual property in the broader ecosystem of identities? OAuth, Claims-based authorization or SAML attribute value injection will provide the infrastructure for enforcing policy decisions, but how do you extend your identity and access governance to the extended enterprise?

We see companies being interested and starting to build on the following to solve these challenges:

1.) Don't solve the problem but ingest a much richer context in your access control solutions (risk based authentication used for internal workforce user access, context variables being passed on to federated Relying Parties to understand that you're at a coffeehouse in a rogue country vs. you're logging in from your normal office and open up the general ledger with read/write access only if you're in your office).

2.) Providing increased delegated administration and attestation services from the cloud so business partners can also participate in these processes. This has been around for some time and will gain more popularity as firms need to remain compliant in the era of the extended enterprise.

Read more

Avoid The Headlines, Focus On Corporate Culture

Chris McClean

Guest post from Researcher Nick Hayes.

Chris and I recently published a report describing how to build risk and compliance principles into your company’s corporate culture. As we worked to finalize, edit, and publish the report, a flurry of new corporate scandals emerged, all related to this topic.

Here are just a few of them:

  • Wal-Mart executives accused of trying to hush up bribery cases in Mexico (article here).
  • A whistleblower accuses Infosys of engaging in a systematic practice of visa fraud (article here).
  • A former Goldman Sachs employee writes an op-ed for the New York Times blasting the company’s ethics (article here).
  • JP Morgan suffers a $2 billion trading loss due to “poorly monitored” trades (article here).
Read more

My Threat Intelligence Can Beat Up Your Threat Intelligence

Rick Holland

Have you ever been in a vendor meeting and heard the vendor extol the greatness of their threat intelligence?  You may have even seen a slide that looks similar to this:

The vendor probably proceeded to highlight the key differentiators that make their threat intelligence network stand second to none.  Bullets containing statistics like this surely followed:

  • Global coverage, in well over 100 countries
  • 50 million network devices
  • 50 billion web queries each month
  • 30 billion emails a month
  • 100 million users
Read more