Collaborate With Your Non-Security Peers To See How Objectives Intersect (Hint: Mobile Context For Mobile Authentication)

Heidi Shey

“Enterprise rights management? What does that even mean?! You’re using security speak!” exclaimed my colleague TJ Keitt.

TJ sits on a research team serving CIOs, and covers collaboration software. We were having a discussion around collaboration software and data security considerations for collaboration. “Security speak” got in the way. It wasn’t the first time, and it will likely not be the last, but it is a good reminder to remember to communicate clearly using non security speak – and not just to fellow S&R pros, but to the rest of the business (in this case – the CIO) – to talk about what we really mean. That’s how collaboration starts.

Collaboration is also not just about S&R pros engaging the rest of the business to bring them into the security-minded fold, but to also listen and be aware of what’s bubbling up in other parts of the organization as it can have implications for security too. One of the more interesting examples that I see today come from the marketing side of the business, specifically those involved with strategies for customer experience and digital marketing. Mobile is huge (no surprise, right?), and is transforming how companies interact with customers. The future of mobile is all about context: 1) situation, 2) preferences, and 3) attitudes.

Read more

Observations on the 2013 Verizon Data Breach Investigations Report

Rick Holland

I was very excited to finally get a copy of the much-anticipated 2013 Verizon Data Breach Investigations Report (DBIR.)  I have found the report to be valuable year after year.  This is the 6th iteration and this year’s report includes 621 confirmed data breaches, as well as over 47,000 reported security incidents.  18 organizations from across the globe contributed to the report this year.  The full report is 63 pages, and I have to say that Wade Baker and company did a great job making it an enjoyable read. I enjoyed the tone, and I found myself laughing several times as I read through it (Laughing and infosec aren't commonly said in the same breath.)  There are tons of great references as well, ranging from NASCAR, to Biggie Smalls, the Violent Femmes and more.  The mantra of this year’s report is “Understand Your Adversary’ is Critical to Effective Defense and Response.”   Here are a few observations: 

The focus on the adversary answers customer questions.  Who is the adversary? This is a frequent question from Forrester clients.  The Mandiant APT1 report stirred up much debate on state sponsored actors and Verizon's data and analysis gives us more perspective on this class of threat actor. The first table in the report profiles the threat actors that are targeting organizations.  It provides a high level view that I suggest you include in any type of executive engagement activity you participate in.  This 3rd party snapshot of the threat actors should resonate with a wide degree of audiences.

Read more

Mobile application behavior detection: the cheap way to catch fraud

Andras Cser

After RSA's acquisition of SilverTail, things are heating up in mobile application level behavioral detection. 

We see fraud management vendors increasingly looking at mobile application behaviors (beyond web fraud management and device fingerprinting) to build out a normal and abnormal behavior profile for the network traffic signatures coming out of the application (similarly to how SilverTail/RSA looks at web traffic signatures). Note that this is clearly a grey area that falls between what device fingerprinting vendors (iovation, 41st Parameter, BlueCava, ThreatMetrix), or risk-based authentication (RBA) vendors (RSA, Entrust, CA/Arcot, etc.) or what traditional back-end, cross-channel transaction monitoring vendors (Actimize, ACI, Detica, SAS, etc.) have been doing. Although device fingerprinting and RBA vendors have long been providing SDKs and APIs for developers to include in their mobile applications, understanding mobile application network traffic and building good and bad behavioral models is becoming something people are increasingly interested in.

Mobile application behavior detection has the benefits of not having to open up application code, not having to define too many security policies or rules. Because of this, mobile application behavior detection and network traffic signature profiling is something we expect to see a lot of vendor interest in the next 9-12 months.

Avoid The Information Security Squirrel

Rick Holland

"My master made me this collar. He is a good and smart master and he made me this collar so that I may speak. Squirrel!"  

In the Pixar film Up, squirrels frequently distract Dug the talking dog. In our space, we are frequently distracted by technology. "I am a good and smart security professional; I must protect my enterprise so that we are secure. APT defense in a box!"  

The expo floors at industry events such as the RSA Conference and Blackhat contribute to this. Signage touts the next great piece of technology that will solve all of our security problems. We allow Big Data, security analytics, threat intelligence, and APT defense in a box to distract us.  It is easy to do; there is no shortage of challenges for today’s security and risk professional. The threat landscape is overwhelming. We have problems recruiting and retaining the right staff.  Day-to-day operational duties take up too much time. Our environments are complex, and we struggle to get the appropriate budget.

These “security technology du jour” solutions are very appetizing.  They compel us much like IDS, IPS, and SIM did in the past. We want and need the “easy” button.  Sadly, there is no “easy” button and we must understand that threat protection doesn't equal a product or service; there is no single solution. Technology alone isn't the answer we are looking for. 

Read more

Want to know hardcore survey results on Access Certification and Attestation?

Andras Cser

 

Want to know more about Access Certification and Attestation? Would you like to win an iPad and get a courtesy copy of a Forrester report on the findings of a survey on the topic?
 
Forrester is collaborating with the University of British Columbia (UBC) on an Identity and Access Management survey. The main topic of the survey is Access Certification and Attestation, also known as Access Governance. It takes only 15 minutes to complete the survey. In August 2013, Forrester, in collaboration with UBC, will publish the highlights of survey results. 
Here's what we offer for your participation:
 
If you complete the survey, 
  • You will eligible to win a 128 GB iPad in a raffle organized by UBC.
  • Forrester will send you a courtesy PDF copy of the report.
Read more

Achieving Resilience Means Mastering The Response

Nick Hayes

Stephanie Balaouras and I published a report last week on the current state of crisis communications, and one thing is clear: most companies are not ready to invoke their crisis communications plan.

We analyzed data from our recent 2012 Forrester/Disaster Recovery Journal (DRJ) joint online study, which surveyed 115 business continuity decision-makers about their organizations’ crisis communications strategies. The results were disconcerting. Despite roughly half of organizations having invoked their business continuity plan in the past five years, only 15% said their crisis communication efforts were very effective.

Recent events such as Hurricane Sandy and the Sandy Hook school shooting illustrate the damaging, and often tragic, impact crises can have on organizations and the broader community. In fact, Hurricane Sandy was the second costliest in US history. Yet, most organizations are not prepared to manage an effective response to such a crisis. We found that crisis communication programs routinely underperform because:

Read more

How Do S&R Pros Keep Up With Disruption?

Stephanie Balaouras

When I talk to security (S&R) leaders, they always tell me that in an ideal world, they would have enough advanced warning of impending business and technology disruptions in order to understand the security, privacy and overall risk implications and then prepare and present their business executives with a balanced opinion about how best to proceed if and when the enterprise decides to move forward. Unfortunately, most often, business and IT colleagues move on these disruptions and technology shifts far in advance of the security team’s readiness, and we don’t have to look far for examples; just think of employee BYOD, mobile apps for customer engagement, cloud services, social technology for marketing and collaboration, massive big data projects for business intelligence, or virtual and converged infrastructures within the data center.

Read more

Avoid The Social Media Binary

Nick Hayes

Many organizations today get caught up in what I call the “social media binary, where there are only two options to social media control: 1) Allow unrestricted access to social networks, and potentially expose the company to myriad security, regulatory, reputational, and other risks, or 2) set and enforce policy that completely forbids the use of social media while at work, and forgo potentially lucrative business opportunities for the firm.

Read more

Is Your Security Program Ready To Support Disruptive Business Trends?

Chris McClean

 

The evolution of business practices is proving as big of an issue for Security and Risk professionals as the changing threat landscape. Sure, attackers exposed hundreds of millions of personal records and government information in security breaches last year, and there are examples all the time of new, sophisticated attack methods… however Security and Risk pros should also be on the lookout for technology trends that may prove just as difficult to address: Digital disruption creating shockingly more competitive marketplaces, perpetual connectivity intensifying IT user expectations, and the data economy creating incredible new possibilities to leverage the power of existing information. Of course with big business opportunities come big business risks.

Read more

2013 Survey Development Starts Now -- What Data Would You Like For Us To Collect?

Heidi Shey

I’m very excited to kick off survey development for upcoming Forrester Forrsights surveys that will feature security content. Continuing on from previous years will be the Forrsights Security Survey. This is an annual survey of IT security decision-makers from North American and European SMBs and enterprises. New for 2013 is a Workforce Survey that will provide the (also North American and European) employee perspective when it comes to security and devices in use within their workplace. 

These surveys will be fielded April through May, and the results will make their way into published research this summer. Survey development starts now, and I would love to hear what you think about the proposed topics. What are some areas where you’d like to see us gather more data?

Note: I'd love for these surveys to eventually be global! Today we have global data within the Forrsights Budgets And Priorities Tracker Survey (this one goes out to IT decision-makers) and the Forrsights Business Decision Makers Survey