Exploring The Invisible Internet

John Kindervag

At Forrester's Security Forum 2011 in Miami, November 9-10, we will be reprising the wildly successful "Hackers Vs. Executives" track session. There will be two leading security professionals sitting on the panel representing the executive viewpoint, and they will be joined on stage by two noted researchers who will provide a hacker's-eye for this session. Rodney Joffe of Neustar will give us a live guided tour of the “Invisible Internet” – the IRC chat rooms and carder forums where the underground cybercrime economy lives.  Michael Hamelin of Tufin Technologies – a noted white hat hacker and multiple winner of the DefCon “Capture the Flag” competition – will do another demo to help us understand how attacks work. We will then turn to our panelist representing the executive viewpoint to start an interactive discussion about current and future threats and how best to understand them and protect against them.

Last year this session was packed. It was highly interactive with lots of provocative questions coming from the audience. I encourage you to join us in Miami, November 10th from 11:35 a.m. to 12:20 p.m. for this unique and informative presentation.

Go to the security forum website for more information. Hope to see you there!

The Content Security Forecast Calls For Clouds

Rick Holland

I am very excited to introduce my first Forrester report, "The Content Security Forecast Calls For Clouds."  I wrote the report to help guide your strategy on SaaS based email and web content security.  During my inquiries, I am frequently asked about content security in the cloud:

  • "Is web SaaS mature enough for enterprises?"
  • "Will SaaS help secure my mobile and remote users?" 
  • "What about the hybrid model?"
  • "What are other organizations doing?" 

In the report, I take a closer look at these questions, and I also address the benefits and challenges associated with the SaaS model.  I leave you with multiple deployment options and specific recommendations for your journey to the cloud.  If you have questions or comments please let me know, I would love to hear from you. 

Protecting The Extended Enterprise

Laura Koetzle

“To succeed, Security & Risk leaders need to be part of the business strategy.” If I had a nickel for every time I’ve heard someone give some variation on that piece of advice, I’d be rich. As you all know, that’s an easy thing to say but a difficult thing to do. And that’s particularly true now, because our business leaders today are prioritizing growth – they’re entering new markets and releasing new products and services to grow revenue. Your business will unleash the creativity of its entire extended enterprise ecosystem – employees, partners, suppliers, and current customers – to find new ways to win and serve new customers. And your extended enterprise will connect via mobile and social applications and use cloud services. 

Read more

Are Your Risk Management Efforts Enabling Partnership Opportunities?

Chris McClean

Forrester's Security and Risk Management clients often describe the frustration they feel when they are not included in important initiatives until after decisions have been made. Lately, this situation has been especially pronounced among decisions to enter partnership agreements based on service, performance, and cost considerations... with risk management only brought in later to identify and mitigate potential points of exposure.

At the same time, Forrester's Sourcing and Vendor Management professionals find themselves facing their own challenges when it comes to managing the risk of partner relationships. In a Q3, 2011 suvey of 575 Sourcing and Vendor Management professionals, top concerns related at "X-as-a-service" relationships included the lack of recourse if a vendor fails or goes out of business, the lack of a clear way to assess risk of a third party, and inability to manage how providers are handling data. ( Source: Forrsights Services Survey, Q3 2011)

In order to bridge this gap, Security and Risk Management professionals need to deliver a streamlined way to insert risk identification, analysis, and evaluation steps within their organization's existing vendor management lifecycle. Forrester customers who have taken this approach - for example, by introducing short, 10-15 question surveys to determine whether more detailed vendor risk assessments are warranted - report better oversight of vendor risk and better involvement in the decision making process. In some cases, Security and Risk Management professionals have even reported casting a decisive thumbs-down vote to block a new vendor contract because it represents unacceptable risk.

Read more

What’s Holding CISOs Back?

Stephanie Balaouras

According to our survey data dating back to 2008, despite year after year of high profile security breaches from Heartland Payment Systems to Wikileaks to Sony, security budgets have only increased by single digits. This is hardly enough to keep up with the increasing sophistication of attacks, the avalanche of breach notification laws and the changing business and IT environment.

The changing business and IT environment is perhaps the greatest concern. With a massive explosion of mobile devices and other endpoint form factors and an ever expanding ecosystem of customers, partners, clouds, service providers and supply chains, you increasingly have less and less direct control over your data, your applications and end-user identities. We refer to this expanding ecosystem as the “extended enterprise.” An extended enterprise is one for which, a business function is rarely, if ever, a self-contained workflow within the infrastructure boundaries of the company. We believe that the extended enterprise is such a major shift for CISOs and security professionals that we dedicated our upcoming Security Forum to it as well as a significant stream of research.

Read more

IBM To Acquire Algorithmics... GRC And Financial Risk Management Get A Little Closer

Chris McClean

Today IBM announced plans to acquire the Fitch Group’s Algorithmics, a heavy-hitter in financial risk management software and services market, for $387 million.

 Here are my initial thoughts about today’s announcement:

  • IBM is making a (relatively safe) bet that operational and financial risk functions will continue to comes together. Regulatory pressures from Basel III, Dodd-Frank, and Solvency II, as well as the competitive realities of the global market, are pushing for banks and insurance companies to have more comprehensive oversight of exposure across all domains of risk. In fact, analytics should be a top priority of any compliance program. It will be some time before IBM (or any other vendor) can deliver a single platform to manage operational, credit, market, liquidity, etc. in one place; however, the addition of Algo’s subject matter expertise and even basic integration of data for a single source of reporting offers customers attractive benefits.
  • IBM still faces heavy competition in financial services for both operational risk with its OpenPages product and financial risk with its new Algo offerings... however. there are very few significant competitors that have strength in both. IBM’s announcement today was a strong move against these other few, most notably Oracle and SAS.
Read more

RSA Breach: Two-Factor Authentication Is Not Dead But Is Morphing And Getting More Granular

Andras Cser

Many IT end-user companies deployed hard tokens at a time when intermediate-risk choices were thinner on the ground, and some of these companies would have benefited from a more granular approach anyway. In general, we are seeing companies moving towards risk-based authentication augmented by mobile soft tokens (sometimes called from a mobile application through an API). These software-only solutions are easier and cheaper to deploy, particularly if the target population is on smartphones, and a lot easier to patch in case of an attack. Interestingly, risk-based authentication is now asked about not only in the B2C context (which was a norm about a year ago), but also in the B2E context as well. Right now, end-user companies are thinking about:

  1. How they can ditch hardware tokens altogether; and
  2. How can they can move risk-based authentication, and increasingly authorization (fraud management), into the cloud.

The Power Of Data Analysis - "Spamalytics"

Edward Ferrara

Some of you may have seen the article in the New York Times by John Markoff (endnote1) announcing a paper to be presented at last week’s IEEE conference. This paper is an update to research conducted by a team at the International Computer Science Institute in Berkeley, California. The institute is associated with the University of California, San Diego and the University of California, Berkeley. A paper published by the team in 2008 Spamalytics: An Empirical Analysis of Spam Marketing Conversion outlines interesting research in the area the research team has coined as “spamalytics.”

The paper describes a methodology to understand the architecture of a spam campaign and how a spam message converts into a financial transaction. The team looks at the “conversion rate” or the probability an unsolicited email will create a sale. The team uses a parasitic infiltration of an existing botnet infrastructure to analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing online pharmaceuticals. The team looked at nearly a half billion spam emails to identify:

  • the number of spam emails successfully delivered
  • the number of spam emails successfully delivered through popular anti-spam filters
  • the number of spam emails that elicit user visits to the advertised sites
  • the number of “sales” and “infections” produced
Read more

More On Metrics...

Edward Ferrara

At Forrester, we place a great deal of emphasis on relevance and what it means when researching a topic.  For the busy executive, it's sometimes difficult to wade through deep lists of operational security metrics and really understand how relevant the information is to the mission of the business.  Further to the problem is the need to understand what your metrics say about the security posture of your organization and the health of the business overall.

The draft title of the report I'm currently working on is Information Security Metrics – Present Information That Actually Matters To The Business. In the paper, I plan to focus on the key factors that make security metrics relevant.  The idea here is that if people start checking their BlackBerrys and iPhones while you're presenting your report, it's probably time for some new metrics.

Success is the ability to educate positively the C-Level suite in your organization and demonstrate the value you and your information security program provide.  

Categories:

Information Security Metrics & The Balanced Scorecard

Edward Ferrara

I just finished a final draft of a presentation on information security executive reporting that I and some colleagues will present at the upcoming Forrester IT Forum in Las Vegas.  For those of you who want more information on the Forum please see Forrester's IT Forum 2011 in Las Vegas. In this presentation Alissa Dill, Chris McClean and I will present an approach for using the Balanced Scorecard to present security metrics for senior level audiences. For those of you who are not familiar to the Balanced Scorecard, it was originated by Robert Kaplan currently of the Harvard Business School and David Norton as a performance measurement framework that added non-financial performance measures to traditional financial metrics to give managers and executives a 'balanced' view of organizational performance[1].  This tool can be used to:

  • Align business activities to the vision and strategy of the organization
  • Improve internal and external communications
  • Monitor organization performance against strategic goals
Read more