WikiLeaks And Stratfor Make The Case For More Data Encryption

John Kindervag

Yesterday, WikiLeaks released emails taken in the highly publicized Stratfor data breach. While many of the emails are innocuous, such as accusations regarding a lunch stolen from the company refrigerator, others are potentially highly embarrassing to both Stratfor and its corporate clients. The emails reveal the kind of messy corporate spycraft that is usually seen in the movies and rarely illuminated in real life. For example, one email suggests that Stratfor was working on behalf of Coca-Cola to determine whether PETA was planning to disrupt the 2010 Vancouver Olympic Games.

While Stratfor’s response suggests that some of the emails may have been tampered with, this is not the point. As the soon-to-be infamous “Lunch Theft” email shows, that response may simply be what the email calls Fred's rule #2: “Admit nothing, deny everything and make counter-accusations.”


Force Multipliers - What Security & Risk Professionals Can Learn From Special Forces

Rick Holland

Last week I read an article on the Danger Room blog about the elite US military Special Forces command, JSOC. The units within the Joint Special Operations Command (Delta Force and SEAL Team 6) are responsible for the most clandestine and sensitive US military operations, including last year's Bin Laden raid into Pakistan. JSOC is very similar to elite Special Forces (SF) units across the globe, including the Russian Spetsnaz, British SAS, French naval commandos, and the Israeli Shayetet 13. These SF units are capable of addressing asymmetric threats that traditional military units aren't prepared to handle.

In the article, Spencer Ackerman interviews Marc Ambinder, one of the authors of The Command, about JSOC. The article piqued my interest, and I just finished reading the eBook. Like almost everything I do, I considered the information security implications as I read it. Today’s infosec threat landscape is dominated by unconventional threats that are difficult to address. How can we leverage the techniques used by SF to deal with the cyber threats we face today? I realize that we have an international audience, and my point isn’t to focus on US policy but rather to take a deeper look at the unique capabilities of SF units and what lessons we can apply in our roles as S&R professionals.


Planning For Failure, Personal Edition -- Strategies To Protect Yourself In 2012

Rick Holland

This week I did a webcast, Planning for Failure, which assumes that if you haven't been breached yet, a breach is inevitable, and that you must be able to quickly detect and respond to incidents. An effective response can be the difference between your organization's recovery and future success or irreparable damage. While I was working on the slides for the webcast, I reflected on the 2011 security breaches that personally impacted me. Three breaches immediately came to mind:

  1. Texas Teacher Retirement System -  My personal data was stored unencrypted on a public server
  2. Epsilon - Email compromise that resulted in increased phishing attempts
  3. STRATFOR - My personal information, credit card and password hash were stolen

Virtualization Security, Better Late Than Never

Rick Holland

I am excited to announce my latest research, The CISO's Guide To Virtualization Security. This is the first report in a new series focusing on securing virtual environments. The reduced costs and flexibility of virtualization have led to widespread adoption of the technology. Despite this adoption, security and risk professionals haven't given their virtual environments the attention they require. Our research interviews revealed several themes:

  • Business as usual is the status quo. IT departments rely upon traditional security solutions (endpoint and network security) to secure their virtual environments. Depending on the network architecture, virtualization can create blind spots: traffic between virtual machines (VMs) on the same host may never cross the physical network, so network-based controls cannot see that intra-VM communication.
  • Many security pros aren't aware of the virtualization-aware solutions available on the market. One CISO we spoke with wasn't aware that his organization's current antivirus vendor offered a virtualization-aware solution. This isn't necessarily surprising; many of the virtualization-aware security solutions are relatively new to the market. Virtualization-aware solutions can give us greater visibility into workloads than we have in our traditional physical environments.
  • Many security pros have a general discomfort with virtualization. Security pros, especially CISOs and other security leaders who have risen through the technical ranks, aren't as confident in their virtualization knowledge as they would like to be. This is particularly the case when we compare virtualization with more mature security areas, such as network security.

Xmas IAM Spending Spree: Quest Software Acquires BiTKOO, Enters IAM Suite Provider Market

Andras Cser

With only four stack players in Identity and Access Management (IAM), it is always welcome news to see a new company join the space. Quest Software is on a shopping spree: it acquired e-DMZ (privileged identity management), Völcker Informatik AG (provisioning), Symlabs (virtual directories), and now BiTKOO (XACML entitlement management). Forrester expects that, in reaction to its main competitor NetIQ taking over Novell’s IAM portfolio, Quest will expand significantly into the non-Windows, heterogeneous IAM space. Forrester further expects that Symantec and, to some degree, Intel will follow suit, as both companies have announced cloud-based IAM offerings.

Enterprises Continue To Drive Adoption Of Advanced Endpoint Security Tools, But SMBs Are Not Far Behind

Stephanie Balaouras

Guest post from S&R Researcher Chris Sherman. 

Host-based intrusion prevention systems, host-based data leak protection, full disk and file-level encryption . . . all are important tools on the front line of endpoint security. They all add protection when used alongside traditional client AV and patch management systems, but at what cost? To use these tools correctly, organizations must be prepared to invest in additional IT staff and product training for administrators. This generally proves too high an obstacle for many SMBs, leaving the market made up mostly of enterprise customers and big spenders. With their higher budgets and dedicated IT staff, enterprises are better positioned to take advantage of these advanced security technologies.

However, according to recent Forrester survey data, SMBs are just as interested in using these advanced security technologies. In our latest report "Endpoint Security Adoption Trends, Q2 2011 To Q4 2012," we present data showing adoption patterns of the various endpoint technologies in both SMBs and enterprises, while offering some analysis on what this means for security professionals looking to support current and future trends.

For those of you who are already planning on increasing your investment in endpoint security next year, which tools specifically are you looking at? What are your decision criteria?


Announcing Two New Forrester Waves: Enterprise GRC And IT GRC

Chris McClean

After months of diligent product and vendor evaluations, today we published The Forrester Wave: Enterprise GRC Platforms, Q4 2011. In the next few days, we will also publish The Forrester Wave: IT GRC Platforms, Q4 2011. These two reports feature a total of 20 vendors, all with proven capabilities to help customers tackle their continuously mounting regulatory challenges and manage their complicated risk profiles.

Why two Forrester Waves?

Governance, risk, and compliance functions within large and medium enterprises collaborate more tightly all the time: audit is working more closely with risk, and compliance programs are consolidating under more centralized control. However, Forrester still sees a gap between the requirements of those responsible for IT risk and compliance and the requirements of those managing risk and compliance outside of IT. No doubt there is often substantial overlap between these groups, and many of the vendors evaluated have customers using their products to support both IT and enterprise GRC functions. You’ll notice that of the roughly 60 evaluation criteria for each Wave, only 3-4 differ between them. For now, though, they remain two basically distinct markets.

So, what did we learn from the countless hours of briefings, demos, customer surveys, and other research we did for these Waves?


Dusting Off Our Content Security Crystal Ball

Rick Holland

Winter is coming; the year is quickly drawing to a close, and it's time to look back and see how accurate our content security crystal ball was for 2011. Last year we predicted three trends; two were accurate and one was partially correct. Let's take a closer look.

1)  Content security spending will slow down - We were right. According to our latest survey data, the content security budget represented 6% of the total IT security budget, down one percentage point from 2010. Content security remains one of the lowest budgeted technology areas in IT.

2)  Consolidation will continue to drive suite offerings - We were partially correct. In 2011, we didn't see any significant M&A activity in the content security space. While we were wrong on the vendor consolidation prediction, we were correct that market leaders would increase their data loss prevention and mobile capabilities to further solidify their market positions.

3)  Mobile filtering will enter mainstream IT - We were correct. Laptop filtering is mainstream, and mobile device filtering is gaining momentum and getting significant attention. Content security vendors are currently testing content filtering on mobile phones and tablets.

What about 2012? To see what five trends we predict will impact your strategy next year, check out the full document: "Content Security: 2012 Budget And Planning Guide." Here's a teaser: is your content security strategy ready for the extended enterprise?

Planning For Failure

Rick Holland

We are excited to announce "Planning For Failure," the first collaborative report in a series of new research taking a closer look at incident management and response. 

  • A look back at the year's headlines isn't encouraging. Many companies have experienced security breaches, and their bottom lines and brand reputations have suffered. You might not have considered it, but your organization is a likely target. In fact, your intellectual property could be leaving your network even as you read this blog; you must be prepared. Once the airplane is going down, it is too late to pack the parachute.
  • Preventive security controls will fail, and you should operate under the assumption that if you are not already breached, you will be. An ounce of preparation is worth a pound of remediation, and the sooner you can detect and respond to a security breach, the more likely you will be able to minimize the impact and scope of the incident. The proper execution of a well-thought-out strategy can reduce your remediation costs and protect your brand reputation.
  • "Planning For Failure" takes a look at why an incident management strategy is critical to the success of your business and provides recommendations on how to implement or improve your plans. 

If you have questions or comments, please let us know. We would love to hear your feedback.

Exploring The Invisible Internet

John Kindervag

At Forrester's Security Forum 2011 in Miami, November 9-10, we will be reprising the wildly successful "Hackers Vs. Executives" track session. Two leading security professionals will sit on the panel representing the executive viewpoint, joined on stage by two noted researchers who will provide a hacker's-eye view. Rodney Joffe of Neustar will give us a live guided tour of the “Invisible Internet”, the IRC chat rooms and carder forums where the underground cybercrime economy lives. Michael Hamelin of Tufin Technologies, a noted white hat hacker and multiple winner of the DefCon “Capture the Flag” competition, will give another demo to help us understand how attacks work. We will then turn to our panelists representing the executive viewpoint to start an interactive discussion about current and future threats and how best to understand and protect against them.

Last year this session was packed. It was highly interactive with lots of provocative questions coming from the audience. I encourage you to join us in Miami, November 10th from 11:35 a.m. to 12:20 p.m. for this unique and informative presentation.

Go to the security forum website for more information. Hope to see you there!