Facebook's Security Breach: Reputation On The Line Now More Than Ever

Nick Hayes

Facebook made headlines last Friday with its announcement that it had been the victim of a sophisticated security attack. All major news publications picked up the story, citing widespread concern about the implications of the breach.

The breach itself, however, was largely a nonevent from a security standpoint.

Facebook identified the security breach before it infiltrated too deeply into company systems, remediated all compromised machines, informed law enforcement, and reported the Java exploit to its parent owner Oracle – acting quickly and appropriately. Most importantly, Facebook made it clear that the breach did not expose any of its users’ data.

Read more

Implement A Successful GRC Program With Forrester's Governance, Risk, and Compliance Playbook

Chris McClean

I’m proud to announce that this week Forrester launched our Governance, Risk, and Compliance Playbook, a collection of in-depth reports covering the critical information you need to implement a successful GRC program… one that focuses on supporting business success, not getting in its way.

First, because risk and compliance are always such quickly moving targets, we included reports to help you plan for the future of GRC and build a business case for why it’s important to invest in your program now.

Next, to make sure your GRC plan is comprehensive and can achieve success, we offer guidance on creating a GRC strategy and making sense of the very complicated GRC technology landscape.

Read more

Introducing Forrester's Cyber Threat Intelligence Research

Rick Holland

We have started a new report series on Cyber Threat Intelligence.  The first report, "Five Steps To Build An Effective Threat Intelligence Capability," is designed to help organizations understand what threat intelligence is and how to establish a program. If you're not a Forrester client and would like the report, Proofpoint is providing a complementary copy. On Thursday March 28th, I will be conducting a Forrester webinar on the report.  Please join me if you'd like to get a deeper perspective on it.  In the future, we will expand on sections of this intial report with additional research including:

  • A collaborative report with Ed Ferrara looking at the cyber threat intelligence vendor landscape
  • An in depth report on "Step No. 5: Derive Intel" 
Read more

Forrester's Enterprise Fraud Management Wave is Out!

Andras Cser

We just published the Forrester Wave on Enterprise Fraud Management - piece of research that has been consistently asked for by our clients. See how vendors stack up on current offering criteria including statistical models, rules authoring, case management,, and reporting  and strategy criteria including vendor staffing, customer satisfaction and financial stability.

Do You Think Of Consumers When It Comes To Data Security Policies And Controls?

Heidi Shey

Your customers are consumers too. They don’t turn into business bots when they set foot in the enterprise. Whether your organization sells a product or a service to enterprises or consumers, you’re interfacing with consumers who have opinions about security and privacy. S&R pros, you already know that you have to be on top of things like regulatory compliance (Hello HIPAA! Hi EU Data Protection Directive!) when creating policies and implementing controls. But what about consumer perceptions and behavior? Consider that*:

  • 49% of US online consumers are concerned about security and privacy when purchasing products online
  • 44% of EU online consumers say the same about sharing personal information to access a website
  • 39% of US online consumers express security and privacy concerns over sharing personal information to participate on a website (e.g, discussion boards, writing reviews)
  • 20% of EU online consumers are concerned about their security and privacy when downloading apps to their mobile phone
Read more

Crowdsourcing my RSA panels

Rick Holland

The San Francisco RSA conference is now less than two weeks away, and this year I am moderating two great panels. I thought I'd reach out and solicit suggestions for discussion. 

1) Too Big to Fail: CISO Panel on Scaling Security in the Era of Big Data

This Forrester-moderated panel of top security executives from Allergan, Zappos and Humana will discuss the impact of scale in solving Big Security challenges. Issues from the importance of scale in detecting advanced threats to benefits to the average user will be debated. Drawing on their experiences, these experts will share their views on why scale matters in the era of big data.

Panelists: 
David Hannigan, Zappos, Information Security Officer
Stephen Moloney, Humana Inc., Manager, Enterprise Information Security
Jerry Sto. Tomas, Allergan, Inc., Director, IS Global Information Security
 

2) 50 Minutes Into the Future: Tomorrow's Malware Threats

Predicting what malware will look like five years from now requires more than a crystal ball. In order to fully understand future threats and challenges, you need a finger on the broader pulse of technological innovation. Our panel of esteemed experts will attempt to guide a better understanding of where we may need to target our defensive efforts in the coming months and years.
 
Panelists: 
Read more

Bit9’s Operational Oversight Is Probably Your Operational Reality

Rick Holland

You are now no doubt aware that Boston-based security firm Bit9 suffered an alarming compromise, which resulted in attackers gaining access to code-signing certificates that were then used to sign malicious software. See Brian Kreb’s article for more details. (Symantec breathes a quiet sigh of relief to see a different security vendor in the headlines.)

The embarrassing breach comes at a time when the company has been seen as one of the security vendor landscape’s rising stars. Bit9 has actually been around for more than a decade, but the rise of targeted attacks and advanced malware has resulted in significant interest in Bit9’s technology. In late July, Bit9 secured $34.5 million in funding from Sequoia Capital. Bit9’s future was bright. 

On Friday afternoon, Bit9 CEO Patrick Morley published a blog providing some initial details on the breach. A few of his comments stood out:  “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network … We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9."

Read more

Big Data for Fraud Management

Andras Cser

We will be conducting research to look into how big data can be used for better fraud management. We define big data as data of Volume, Velocity and Variety. Our premise is that more and more granular data from more sources allows banks, insurers, government agencies, e-Retailers to cut fraud losses more aggressively.We are interested in your thoughts around this topic.

A 2012 Security Incident Recap By The Numbers

Heidi Shey

Before we get too far along into 2013, I’d like to take a moment to reflect back on the events of 2012. Thanks to our friends at CyberFactors*, this is what we saw:

Overall

  • 1,468 (publicly reported) incidents. This includes everything from stolen laptops to external hacks to third party partners mishandling data to employees accidentally disclosing data via email.
  • 274,129,444 (known) records compromised. In the 608 cases where there was a record count reported, this was the total count. 

Types of data lost/compromised

  • Personally identifiable information (PII) was compromised in 53% of cases. This also includes credit card or bank account information, as well as medical or health insurance information.
  • Company confidential information (CCI) was compromised in 4% of cases. This includes things like proprietary intellectual property (IP), compensation data, business plans, corporate financial data, and information subject to a non-disclosure agreement with a third party. These types of incidents may not always be publicly reported, assuming that organizations are even aware that it has occurred or is happening. IP is a valuable asset, and must be protected
  • Governmental information was compromised in 42% of cases. This includes things like address, voting data, driver’s license numbers, state or Federal tax IDs, Social Security numbers, and passport information.
Read more

Security Vendors You Should Know

Heidi Shey

One of the really cool things about this analyst gig is that we get to field client inquiry calls – 30 minutes where we hop onto the phone to speak with our clients and answer their questions about the topics that we cover. As of the week before Christmas, analysts on the security and risk team have jumped onto over 300 inquiries so far this quarter when not on a plane or on site with a client (and this is a slow quarter given all the holidays!). Vendors are one topic that we discuss quite a bit with S&R pros because, let’s face it, there’s are vendors that are really good at marketing and there are also vendors that just haven’t shown up on your radar.

Research report ideas are often born from inquiries as we notice trends in the types of questions that are asked. As we continue to hammer out research agendas for 2013, we’re thinking of adding a new stream of research for our security playbooks: Vendors You Should Know. It would not be the same as a Forrester Wave which compares established vendors, but rather a report which highlights smaller, emerging vendors that are disrupting the existing market with a unique, innovative technology or service to solve a client’s painful challenge or perhaps alter current approaches to information security. It’s a report to recognize emerging vendors who raise the bar, but may not necessarily raise the most buzz. These would be living research documents that are updated periodically as market events and technological developments warrant changes.

S&R pros, does this type of research appeal to you? Which areas would you like for us to identify vendors you should know? What business and security challenges are you grappling with where you would like to see us profile emerging vendors that could help?

Categories: