Goodbye NAC, Hello Software-defined Perimeter (SDP)

Those of use who’ve been around security technology for a while will remember the prodigious rise of network access control (NAC) around 2006. Now the ideas around NAC had been around for several years beforehand, but 2006 gave us Cisco’s network admission control (a.k.a. Cisco NAC), Microsoft’s network access protection (NAP), and then a whole bunch of venture-backed NAC startups (ConSentry, Lockdown Networks, Mirage Networks, etc.).

Topics: Network Security Cybersecurity NAC SDP

Enterprises Need Advanced Incident Prevention

Given the booming state of the cybersecurity market, industry rhetoric is at an all-time high. One of the more nonsensical infosec banalities goes something like this: Cybersecurity has always been anchored by incident prevention technologies like AV software, firewalls, and IDS/IPS systems, but sophisticated cyber-adversaries have become extremely adept at circumventing status quo security controls. Therefore, organizations should give up on prevention and focus all their attention on incident detection and response.

Now I certainly get the logic of this platitude. Yes, the bad guys do know how to get around our defenses and organizations should in fact improve their detection and response capabilities. But abandon or minimize incident prevention? Poppycock! 

Topics: incident detection and response NAC incident prevention

Has Mobile Computing Had a Positive Impact on Cybersecurity?

I’ve heard the same story from a multitude of CISOs: “As soon as we agreed to support BYOD and mobile devices, all hell broke loose!” How? All of a sudden there were hundreds or thousands of new devices accessing the corporate network. Many of these devices were employee-owned, unmanaged, and full of questionable applications. What’s more, users were now working on multiple devices and moving sensitive data between Windows PCs, iPads, Android phones, and a slew of online file sharing sites like Box, Dropbox, and iCloud. Holy threat and vulnerability, Batman!

Most enterprise organizations are now way past this early period of mobile security chaos. Yes, there are still plenty of challenges associated with mobile computing security, but did preliminary mobile computing anarchy have any positive impact on information security in the long run? In other words, did the initial mobile computing fire drills actually help CISOs recognize risks and address systemic weaknesses?

Topics: IBM MDM Cisco Information and Risk Management Juniper HP mobile Security and Privacy Security endpoint security Bradford Networks Mobile computing Box Dropbox Aruba Vormetric ForeScout Veracode Great Bay Software NAC

BYOD Security Gotchas

I've spent a fair amount of time lately on BYOD (Bring Your Own Device), mobile devices, and related issues around information/cyber security. Yes, we are still firmly in the hype cycle but some mobile device security patterns are starting to emerge.

Topics: Cisco Information and Risk Management Security and Privacy Security BYOD endpoint security android Juniper Networks NAC mobile device CISO Extreme Networks iPad Enterasys