Enterprise Organizations Are Taking Steps to Improve Cybersecurity Analytics

Last week, online retail giant eBay announced that it was hacked between February and March of this year with stolen login credentials of an eBay employee. This gave the hackers access to the user records of 145 million users including home addresses, e-mail addresses, dates of birth, and encrypted passwords. It appears that the hackers made copies of this data so eBay is advising all users to change their passwords.

Topics: IBM Big Data Cisco Information and Risk Management FireEye Dell endpoint Security and Privacy Security SIEM Narus Mandiant Cybereason LogRhythm 21CT Leidos ISC8 Blue Coat RSA Security Lancope netSkope SDN click security Bit9 cybercrime Carbon Black

RSA Conference Recap: Positive Direction for Security Industry

Last week’s RSA Conference was a whirlwind of meetings, presentations, and unusual west coast rain storms. I’m not sure about the attendance numbers but it seemed especially busy – not surprising after the many cybersecurity events of 2013.

I met with around 40 different security vendors throughout the week and heard some encouraging news. Rather than crow about the latest technology fad or threat Du Jour, many security vendors are now focused on:

  1. Integration. In the past, vendors tended to push a bunch of point products on a one-off basis but enterprise CISOs are now resisting this onslaught as they don’t have the time or personnel to manage an army of security widgets. Smart vendors are responding with more integrated product suites and central management. For example, Trend Micro is aggregating all of its endpoint elements into one product offering while FireEye is extending its protection across the enterprise. Similarly, Cisco is adding Sourcefire technology into traditional Cisco security and networking, while Symantec has consolidated a number of products into a data center security suite. Finally, Palo Alto Networks has externalized integration with a number of proof-of-concept projects with VMware NSX for virtual network security in large data centers. These efforts aren’t simple bundling and marketing spin, there is actual R&D going on to make products work better together.
  2. Ease-of-use. Security professionals don’t have the time for complex product deployment, customization, or lengthy training classes on product administration. Fortunately, some vendors are addressing this by making their products much easier to use. Newcomer TraceVector is designed to identify and apply risk scores to malware with a simple but thorough graphical interface. Click Security uses visual analytics to help security professionals see the relationships associated with malicious traffic patterns between various internal and external hosts. LogRhythm’s new 6.2 release is designed to advance and improve how security intelligence gets delivered to security analysts. Given the IT security skills shortage, this trend is very encouraging.
  3. Middleware. Once you start integrating security piece parts, you need middleware to act as the software glue between them. McAfee announced this type of architecture as part of its Security Connected and Threat Intelligence Exchange (TIE) announcements. In the short term, McAfee will use its middleware to integrate its own products and threat intelligence but it plans to extend these capabilities to 3rd parties over time to support heterogeneous environments.
  4. Automation. Given the scale of network traffic and malware, CISOs want intelligent technologies to take some of the risk management and remediation burden. I hosted a panel discussion on security automation that featured speakers from Boeing, NIST, and JW Secure (sponsored by the TCG) around this topic. All agreed that we need to instrument security tools and provide standard enumeration and protocols so we can share information more effectively. Many vendors are using the DHS/Mitre TAXII and STIX standards along this line to automate and integrate threat intelligence sharing. Aside from standards discussions, new security products from companies like Proofpoint, Tufin, and vArmour, are designed specifically to automate today’s complex security tasks. Once again, the security skills shortage makes automation a necessity.
Topics: Palo Alto Networks Cisco VMware Information and Risk Management Sourcefire FireEye McAfee Security and Privacy Security SIEM Proofpoint LogRhythm rsa conference trend micro Symantec click security Anti-malware NIST Firewall & UTM

“Cold” Topics at RSA that Should Receive More Attention

In my blog yesterday, I outlined the hot topics I anticipate at this year’s RSA Security Conference. Since the show is dominated by security vendors, the show hype will focus on products, services, and various technologies.

So what’s missing? A broader discussion on cybersecurity issues, trends, collective efforts, and best practices. Yes, these subjects will get some attention in presentations and break-out sessions but the show floor and cocktail party banter will lean toward a myopic security perspective around bits and bytes.

Topics: Information and Risk Management Security and Privacy Security cybersecurity skills shortage google Bradford Networks Cybereason LogRhythm compliance DHS ForeScout CybOX Great Bay Software Lancope Edward Snowden Facebook FIDO

Enterprise CISO Challenges In 2014

I’m sure lots of CISOs spent this week meeting with their teams, reviewing their 2013 performance, and solidifying plans for 2014. Good idea from my perspective. The CISOs I’ve spoken with recently know exactly what they have to do but aren’t nearly as certain about how to do it.

At a high level, here’s what I’m hearing around CISO goals and the associated challenges ahead this year:

  1. Improve risk management. This translates into threat/vulnerability measurement, threat prevention, and ongoing communication with the business mucky mucks. The problem here is that their networks are constantly changing, scans are done on a scheduled rather than real-time basis, and the threat landscape is dangerous, sophisticated, and mysterious.
Topics: IBM Palo Alto Networks Cisco Information and Risk Management FireEye HP Security and Privacy Security risk management Centrify Malwarebytes LogRhythm bromium 21CT Leidos RSA Invincea Accenture ISC8 Blue Coat CloudPassage click security Bit9 CSC Hexis HyTrust

Addressing advanced malware in 2014

In the cybersecurity annals of the future, 2013 may be remembered as the year of advanced malware. Yes, I know that malware is nothing new and the term “advanced” is more hype than reality as a lot of attacks have involved little more than social engineering and off-the-shelf exploits. That said, I think it’s safe to say that this is the year that the world really woke up to malware dangers (advanced or not) and is finally willing to address this risk.

So how will enterprise organizations (i.e., more than 1,000 employees) change their security strategies over the next year to mitigate the risks associated with advanced malware threats? According to ESG research:

  • 51% of enterprise organizations say they will add a new layer of endpoint software to protect against zero day and other types of advanced malware. Good opportunity for Kaspersky, McAfee, Sophos, Symantec, and Trend Micro to talk to customers about innovation and new products but the old guard has to move quickly to prevent an incursion by new players like Bit9, Bromium, Invincea, and Malwarebytes. The network crowd (i.e., Cisco, Check Point, FireEye, Fortinet, and Palo Alto Networks, etc.) may also throw a curveball at endpoint security vendors as well. For example, Cisco (Sourcefire) is already selling an endpoint/network anti-malware solution with a combination of FireAMP and FirePOWER.
  • 49% of enterprise organizations say they will collect and analyze more security data, thus my prediction for an active year in the big data security analytics market – good news for LogRhythm and Splunk. Still, there is a lot of work to be done on the supply and demand side for this to really come to fruition.
  • 44% of enterprise organizations say they will automate more security operations tasks. Good idea since current manual security processes and informal relationship between security and IT operations is killing the effectiveness and pace of security remediation. Again, this won’t be easy as there is a cultural barrier to overcome but proactive organizations are already moving in this direction. If you are interested in this area, I suggest you have a look at Hexis Cyber Solutions’ product Hawkeye G. Forward thinking remediation stuff here.
  • 41% of enterprise organizations say they will design and build a more integrated information security architecture. In other words, they will start replacing tactical point tools with an architecture composed of central command-and-control along with distributed security enforcement. Good idea, CISOs should create a 3-5 year plan for this transition. A number of vendors including HP, IBM, McAfee, RSA Security, and Trend Micro are designing products in this direction with the enterprise in mind.
Topics: IBM Check Point Palo Alto Networks Fortinet Cisco IT Infrastructure Information and Risk Management Sourcefire FireEye HP McAfee Security and Privacy Security endpoint security Kaspersky LogRhythm trend micro bromium Symantec Invincea antivirus RSA Security Sophos Bit9 Anti-malware Hexis Splunk

It Could Be a Very Happy New Year for FireEye

Ah, December. Time to reflect on the past year and look ahead to 2014. In retrospect, 2013 was a banner year for the security industry as the world finally woke up to the very real perils of cybersecurity. Of all the many events of this year, however, FireEye’s IPO may have trumped them all. As I write this blog on December 11, 2013, FireEye’s market cap is just north of $4.5 billion. Wow!

Yup, Wall Street loves a hot market and a timely IPO – check and check for FireEye. Okay but when the New Year’s Eve champagne turns into the New Year’s Day hangover, what’s in store for FireEye in 2014?

Topics: Palo Alto Networks Fortinet Cisco Information and Risk Management Sourcefire FireEye Security and Privacy LogRhythm trend micro Blue Coat Firewall Anti-malware APT Hexis

Real-Time Big Data Security Analytics for Incident Detection

I’ve spent the last year or so doing research on the burgeoning field of big data security analytics. Based upon the time I’ve spent on this topic, I’m convinced that CISOs are looking for immediate help with incident detection, so they will likely focus on real-time big data analytics investments in 2014.

What do I mean by real-time big data security analytics? Think stream processing of data packets, network flows, and metadata looking for anomalous/suspicious network activities that provides strong indication of a security incident in progress. A multitude of vendors including ISC8, 21CT, Click Security, Hexis Cyber Solutions, IBM, Lancope, LogRhythm, Netskope, RSA Security, SAIC, and Solera Networks (and others) play in this space.

Topics: IBM Information and Risk Management Security and Privacy Security big data security analytics SIEM LogRhythm incident detection 21CT ISC8 CISO NetFlow Lancope netSkope click security Hexis Cyber Solutions

The Keys to Big Data Security Analytics Solutions: Algorithms, Visualization, Context, and Automation (AVCA)

ESG research indicates that 44% of organizations believe that their current level of security data collection and analysis could be classified as “big data,” while another 44% believe that their security data collection and analysis will be classified as “big data” within the next two years (note: In this case, big data security analytics is defined as, “security data sets that grow so large that they become awkward to work with using on-hand security analytics tools”).

So enterprises will likely move to some type of big data security analytics product or solution over the next few years. That said, many CISOs I speak with remain confused about this burgeoning category and need help cutting through the hype.

Topics: IBM Check Point Palo Alto Networks Cisco Hadoop Information and Risk Management HP McAfee Security and Privacy Security big data security analytics SIEM Narus LogRhythm 21CT RSA Security SilverTail LexisNexis Solera Networks Lancope click security Hexis Cyber Solutions Splunk

Big Data Security Analytics FAQ

I’ve been having a lot of conversations with security professionals about big data security analytics. In some cases, I present to a large audience or I’m on the phone with a single CISO in others.

While big data security analytics content varies from discussion to discussion, I consistently come across a lot of misunderstanding around the topic as a whole. This is understandable since “big data” is really a marketing term that the industry has all but coopted. Worse yet, security vendors have glue the mystery of “big data” and, the misconceptions of security analytics, and marketing hype together. No wonder why security professionals remain confused!

Topics: IBM Cybersecurity Data Management & Analytics Hadoop Information and Risk Management Dell Enterprise Software Security and Privacy Security big data security analytics SIEM LogRhythm ArcSight Leidos RSA netSkope click security APT Packetloop

Defining Big Data Security Analytics

At the end of 2012, ESG conducted a research project looking at big data security analytics from the demand-side. It turns out that market demand is already apparent -- 44% of enterprise organizations consider their security analytics “big data” today, while another 44% believe that their security analytics requirements will be regarded as “big data” within the next two years.

Okay, enterprise organizations need big data security analytics solutions today; but just what is a “big data security analytics” solution anyway? ESG just published a market landscape report to answer this very question by looking at the supply side to gauge existing solutions and future directions for big data security analytics.

Topics: IBM Big Data Hadoop Information and Risk Management Security and Privacy Security NoSQL big data security analytics SIEM Narus LogRhythm RSA Security Solera Networks Cassandra Lancope click security Splunk Packetloop RedLambda