Cisco, FireEye Announcements: A Microcosm of the Enterprise Cybersecurity Market

Just as the leaves started to turn here in New England, I headed out to the Silicon Valley last week to present at an IT event. While I was in California, there were two announcements that illustrate the state of the cybersecurity industry.

Topics: Information and Risk Management Security and Privacy

Enterprise Annexation of Endpoint Security

When it comes to strong cybersecurity, endpoints and servers have often been second-class citizens when compared to the network. I described this situation in a March 2013 blog post (network-security-trumps-server-security-in-the-enterprise/index.html). According to ESG research, 58% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) said that network security processes, skills, and technical controls were “much more thorough” or “somewhat more thorough” than server security processes, skills, and technical controls.

Why the discrepancy? Network security includes mature technologies like firewalls, IDS/IPS, and web application firewalls (WAFs). Furthermore, network security often involves a lot of network design and engineering for segmentation, access control, and traffic management. By contrast, endpoint and server security is typically based on nothing more than AV software and its associated signature downloads and occasional scans.

Topics: Cybersecurity Networking Information and Risk Management Security and Privacy malware endpoint security

Book Report: Cyberstorm by Matthew Mather

In spite of the volume and sophistication of recent cyber-attacks, there are still plenty of folks who scoff at the notion of “cyberwar.” It is not unusual for military types to assume the role of doubting Thomas by dismissing cyber-attacks as “weapons of mass disruption.” They go on to offer sarcastic quips, saying that a brief blackout or ATM network outage doesn’t really qualify as a national security event.

Having spent the last dozen years of my life in the cybersecurity domain, I vehemently disagree with this minimalist notion, but it is truly difficult to describe what might happen. Richard Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, does a good job of painting a picture of a cyber-attack on critical infrastructure in his 2010 book Cyberwar, but his account is only a few pages long. Daniel Suarez tells a gripping story in Daemon and Freedom, but those books are science fiction thrillers rather than a realistic view of what is likely.

Topics: Information and Risk Management Security and Privacy

Note to Executives, Legislators, and Consumers: Time For a Serious Dialogue About Cybersecurity

Like everyone else in the cybersecurity domain, I’ve been pretty busy the past week or so. First there was the UPS store breach, which was small change compared to the nefarious cybersecurity situation at JP Morgan Chase. The condition became a bit more whimsical when photos of naked celebrities floated around the web but quickly became serious again with the breach at Home Depot, which may trump the Target breach when all is said and done.

Here is a terse synopsis of what’s going on: We’ve gotten really good at rapidly developing and implementing new applications on new technologies. We can even do so at scale (with the exception of healthcare.gov, but that’s another story). Yup, we want immediate gratification from our technology toys but we really don’t have the right people, skills, processes, or oversight to actually protect them.

Topics: Cybersecurity Information and Risk Management Security and Privacy risk management

Network Security Challenges in the Enterprise

ESG recently published a new research report titled, Network Security Trends in the Era of Cloud and Mobile Computing. In this project, ESG surveyed 397 IT security professionals working at enterprise organizations (i.e., more than 1,000 employees) and asked a multitude of questions about their current and future network security policies, practices, and technologies.

Topics: Network Security Networking Information and Risk Management Security and Privacy Enterprise

White House Cybersecurity Coordinator Is Kind of Right – but Mostly Wrong

Poor Michael Daniel. The White House cybersecurity coordinator and the man who “leads the interagency development of national cybersecurity strategy and policy” is taking a beating in the press. In a recent interview with the federally focused media outlet GovInfoSecurity, Daniel defended his lack of security technology experience with the following statement:

"You don't have to be a coder in order to really do well in this position. In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction. You can get taken up and enamored with the very detailed aspects of some of the technical solutions and the real issue is looking at the broad strategic picture."

Topics: Cybersecurity Information and Risk Management Security and Privacy federal government

Enterprise Security Professionals Speak Out on SDN Use Cases for Network Security

At this week’s VMworld shindig in San Francisco, many networking and security vendors will crow about software-defined security and security use cases for SDN. Some of this rhetoric will be nothing more than industry hype, while other banter may prove to be extremely useful in the near future.

Yes, there are many interesting ways that SDN could work to enhance network security. That said, which SDN/network security use cases are really compelling and which could be considered second-tier? ESG research asked this specific question of security professionals working at enterprise organizations (i.e., more than 1,000 employees) as part of a recent ESG research report, Network Security Trends in the Era of Cloud and Mobile Computing. Here are the top 5 SDN use cases for network security:

  • 28% want to use SDN to help them selectively block malicious traffic to endpoints while still allowing normal traffic flows. In this case, SDN would be tied into malware detection appliances like those from Cisco, FireEye, Fortinet, Palo Alto Networks, or Trend Micro.
  • 28% want to use SDN to improve network security policy auditing and conflict detection/resolution. Here, SDN could be used to aggregate and manage network segmentation, for example.
  • 23% want to use SDN to centralize network security service policy and configuration management. This is similar to the use case above, but here SDN could be used to align network security policy with server virtualization (e.g., vCenter, MS System Center), cloud (e.g., AWS, OpenStack), or orchestration platforms (e.g., Chef, Puppet).
  • 23% want to use SDN to automate network security remediation tasks. Think “self-defending networks” here. Based upon the latest threat intelligence, a firewall/SDN controller combination could generate new firewall rules on the fly. Firms like Norse, Vorstack, or Webroot could act as the security intelligence brains tied into SDN in this use case.
  • 23% want to use SDN to implement more granular network segmentation for network security. Think micro-segmentation where specific users, sessions, or flows could communicate across a point-to-point VPN. For example, HyTrust works with Intel TXT to offer fine-grained segmentation aligning workloads with particular servers and trust zones.

Topics: Cloud Computing IT Infrastructure Networking Information and Risk Management Security and Privacy

Virtual Security Remains Anathema to Many Organizations

Next week, the IT industry will gather in San Francisco to discuss all things cloud and virtualization at VMworld. The discussion will center on “software-defined data centers,” which will quickly morph into “software-defined security” in my world (Writer’s note: In my humble opinion, this is a meaningless marketing term, and I don’t understand why an industry that should be focused on digital safety acts like it's selling snake oil). So we are likely to hear about the latest virtual security widgets, VMware NSX and OpenStack integration, virtual security orchestration, etc.

This will make for fun and visionary discussions, but there’s one critical problem: While almost every enterprise has embraced server virtualization and many are playing with cloud platforms, lots of organizations continue to eschew or minimize the use of virtual security technologies – even though they’ve had years of experience with VMware, Hyper-V, KVM, Xen, etc. According to ESG research, 25% of enterprises use virtual security technologies extensively, 49% use virtual security technologies somewhat, and the remaining 25% remain on the sidelines (Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014).

Topics: Cloud Computing Private Cloud Infrastructure Information and Risk Management Security and Privacy Public Cloud Service

Figuring Out FIDO (i.e., the Fast Identity Online Alliance and Standard)

No one hates passwords more than I do, and it seems like I’m asked to register for a new site each day. For those of us in the know, this situation of “password sprawl” is even more frustrating because we really should have solved this problem years ago. After all, Whit Diffie, Marty Hellman, and the RSA guys first came up with PKI back in the 1970s, so you’d think that passwords would be dead and strong authentication would be ubiquitous by now!

Thankfully, there may be hope on the horizon in the form of the FIDO alliance. The group, composed of a who’s who of industry big shots like ARM, Bank of America, Discover Card, Google, Lenovo, MasterCard, Microsoft, PayPal, RSA, Samsung, and VISA, is “developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance of passwords to authenticate users.” In other words, FIDO wants to introduce “trusted convenience” by making strong authentication easy to deploy and easy to use on the front-end (i.e., for users) and back-end (i.e., for IT).

Topics: End-User Computing Information and Risk Management mobile Security and Privacy

Enterprise Organizations Need Formal Incident Response Programs

I spent the early part of my IT career in the storage industry, mostly with EMC Corporation. Back then, large storage subsystems were equated with IBM mainframe computers, with a heavy emphasis on the financial services market.

Topics: Information Security IBM Data Protection Information and Risk Management HP Security and Privacy incident response SunGard E&Y Booz Allen Accenture