254 posts categorized "General Security"

April 30, 2013

What and How to tell your customers about a Data Breach

Data-Breach-Photo If your midmarket enterprise is like most, sooner or later you will be the victim of a data breach. Data breaches are never fun, but how and what you tell your customers can be the difference between minimizing the impact to your company’s bottom line and a full-fledged disaster.

Informing your customers about everything you know and taking reasonable precautions will always work better than sugar coating and trying to minimize the potential damage. Trying to minimize the situation to your customers so as to not panic them could wind up costing you customers in the long run.

As a case in point I want to contrast two recent data breach cases. One is the case of local deals vendor LivingSocial and the other is the video rental service Vudu.

I recently received the following email from Living Social:

IMPORTANT INFORMATION

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

Two things you should know:

1.     The database that stores customer credit card information was not affected or accessed.

2.     If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised.

You do not need to take any action at this time, but we wanted to be sure you were fully informed of what happened.

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website - and require you to login - before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

If you have additional questions about this process, the "Create New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Sincerely,
Tim O'Shaughnessy, CEO

Now, I understand that LivingSocial wants to minimize the potential damage here. To me though they have made two crucial errors. One is that they are giving their customers the impression that because their passwords were encrypted (actually salted and hashed), there is a low likelihood that they would be useable. This is not necessarily true. In fact there have been several cases and much written about the relative ease that hackers have in cracking these passwords.

Based upon their opinion that there is a low likelihood of these passwords being compromised, they tell their customers that they do not have to do anything at this time, but if they want to change their passwords they can. Knowing that these passwords could be compromised why not make everyone change their passwords? It would seem a rather trivial thing to do and ensure the integrity of your customer’s accounts to force a password change. In a similar situation you should strongly lobby for mandatory password resets.

Secondly again LivingSocial is telling their customers that they don’t have to do anything. But clearly customer names, email addresses and dates of birth were stolen. It doesn’t take much for a criminal to take that, match it up with public record information and quickly gather enough information to start using a false identity for nefarious purposes.

While some states mandate complimentary credit watch services for customers in these kinds of cases, at least suggesting to be on the lookout for fraudulent credit transactions and suggesting a credit watch service seems called for here.

Again in the interest of keeping customers calm and downplaying this breach, customers could be potentially at greater risk. The breach happened already, breaches happen. Good security practice and customer service should require you to place the bar high in terms of protecting and warning your customers.

As I mentioned earlier, Vudu also recently had a breach. Here is the email I received regarding that one:

Dear alan,
We want to let you know that there was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives.
Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It's important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives.
While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft. So we think it's best to be proactive and ask that you be proactive as well.
SECURITY PRECAUTIONS:
If you had a password set on the VUDU site, we have taken the precaution of expiring and resetting that password. To create a new password, go to www.vudu.com. Click the "Sign In" button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired VUDU password on any other sites, we strongly recommend that you change it on those sites as well.
As always, remember that VUDU will never ask you for personal or account information in an e-mail. Please use caution if you receive any emails or phone calls from anyone asking for personal information or directing you to a web site where you are asked to provide personal information.
As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you. We have FAQs on our web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.
Thank you,
Prasanna Ganesan
Chief Technology Officer, VUDU

Can you see the difference? VUDU also states that the passwords were encrypted and unlikely to be cracked, but nevertheless they have expired everyone’s password forcing you to pick a new one. They are also making arrangements for ID protection for one year.

This makes me feel that VUDU is serious about protecting me and is not sugar coating or minimizing the consequences of the data breach. To me this is text book on how to communicate a breach to your customers.

In both cases I don’t blame VUDU or LivingSocial for being victims of data theft. It can and does literally happen to everyone. Also both companies are successful businesses. But as a midsize enterprise how you communicate a breach to your customers can communicate an awful lot.

If your company is the victim of a breach, follow best practices to inform and most importantly protect your customers.

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

Related articles
Enhanced by Zemanta

Posted at 09:45 PM in General Security, IBM, identity theft, Midmarket, security tips, the security industry | | TrackBack (0)

April 26, 2013

If IBM X-Force were running the IT department

IBM’s X-Force research team recently released their “2012 Trend and Risk Report”. The report is a great look back at last year and is full of metrics and analysis on the kinds of threats and risks seen across the spectrum of different verticals last year in information security. It also has some excellent advice on how to institute and operate a successful information security and risk management program. If you are interested in security (and who isn’t?) you should definitely download and give it a read. xforce report graphic

One section I wanted to highlight and expand on though was the “If IBM X-Force were running the IT department” section. Here is the X-Force’s top 10 list to make you more secure. This is especially relevant for mid-market companies who may not have the budget or resources to do everything they might like around risk and threats. If you could check each of these ten off you would have the foundation of a solid strategy

1. Perform regular third party external and internal security audits – Many organizations are so reluctant to bring in an outside party to conduct security audits. I am not sure if it is a case of now wanting to share dirty laundry with outsiders or a case of “ignorance is bliss”, but either way it is a mistake. Having a security expert come in on a regular basis to give you a “hacker’s eye view” is one of the best ways to see really how your security plan holds up. My recommendation is a full internal and external audit annually, with external only audits quarterly if possible.

2. Control your endpoints – This used to be a whole lot easier. The advent of BYOD has made control of your endpoints more like being the sheriff in the Wild West. Of course it is probably futile to try and prohibit BYOD devices from accessing your network, data and applications. A more realistic goal may be to at least have a mobile device management solution in place. The first step is to have policies defining what is acceptable in terms of endpoints, what configurations are required, what applications can be accessed and what security should be installed on them. Regular security scanning, including vulnerability and configuration testing should be mandatory across the board! Of course traditional company owned devices are a lot easier to manage and control.

3. Segment sensitive systems and information – You need to treat your high value assets as high value. That means giving them an extra level of protection. This starts with segmenting them off from rest of the network. Too many mid-size organizations run flat networks where once you have access to the network, you can see and access everything on the network. This is obviously a mistake. High value assets should be segregated out from the rest of the network. Access and even visibility to these networks should be on a “need to know” basis. This can be accomplished using VLANs, firewalls and identity and access control.

4. Protect your network via basics (firewalls, anti-virus, intrusion prevention devices, etc.) – Too many of us are always lusting after and chasing the latest and greatest shiny new technology widgets. A perfect example of this is the latest infatuation with some of the newest threat detection technologies that run incoming packets in sandboxes before allowing them into the network. While new technologies can be exciting and effective, they should not be instituted at the expense of the “meat and potatoes” of your security program. They may not be sexy, but firewalls, AV and IPS are still front line tools for the defense. A recent report by 451 Research about the “Real Cost of Security” by Wendy Nather showed that most CISOs would still pick AV and firewall among their top choices in building out a security program. You should too!

5. Audit your web applications – Web application security is perhaps the hottest area of security today. An increasing percent of attacks are targeting web applications. SQL injection, cross-site scripting, drive by attacks have all become all too common in the news. There are different aspects to securing web applications. It starts with secure code development. Building security into the development process is a great way to start with a strong foundation. Just as having a 3rd party audit is a must, an audit of your web, including not only the code but the implementation as well should be performed before an app is deployed and after every change to code and infrastructure. There are any number of firms that can perform this type of test for you.

6. Train end users about phishing and spearphishing – This sounds like a no brainer, but you would be surprised how many companies don’t take the time for security awareness training. It is even more important today when so many of the most sophisticated attacks actually start with a targets spearphish aimed at a key person in your organization. Recognizing phishing attempts and not to click on links in email, social media or anywhere unless you are sure of who sent it and where it goes is a must if you hope to keep your organization out of the next headlines.

7. Search for bad passwords – This can be automated and strong password requirements can be built into many applications today. Passwords still represent one of the weakest links in our security technology. At some point hopefully 2-factor authentication, biometrics and other technologies may make passwords obsolete. But until then we are stuck with them. Passwords like 123456 and password are just not acceptable and should not be allowed. Password managers offer lots of choices so that users don’t have to remember strong passwords. Also requirements to change passwords regularly should be instituted and enforced.

8. Integrate security into every project plan – Microsoft did this years ago with their Trustworthy Computing initiative and it forever changed Windows. Security is too important to be an afterthought bolted on after the fact. Everything you do or plan to do has to be seen through the prism of security. Failing to do so could wind up putting your organization at dire risk.

9. Examine the policies of business partners – We live in an interconnected world, no one exists in a vacuum. However, our partners often have to have access to our data and systems in order to work with us. However, they can also represent a vector into our systems for hackers and criminals. You must institute a policy on what and how 3rd parties have to show before they are given access to your network. Also this should be regularly audited and re-examined.

10. Have a solid incident response plan – It is not a question of if, but when something is going to happen. Do not let your pride and ego get in the way of putting in a place a plan to do when you have an incident. While you are at it, you should have a worst case scenario as part of your planning. Today’s threat and risk landscape means you should assume that you will have security incidents. How you respond to these incidents as a mid-market company could mean the difference between survival or not of the organization. Well thought out incident response plans make all of the difference in the world in the fluid, fast moving situations that follow discovery of a security incident.

There is a whole lot more in this great report from the IBM X-Force team. Go download it and read it at least twice!

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions

Related articles
Enhanced by Zemanta

Posted at 12:37 PM in education, General Security, IBM, identity theft, IDS/IPS, Midmarket, vulnerability management | | TrackBack (0)

April 22, 2013

Webinar: Who Moved the Cheese in Security

image Tomorrow, April 23, 2013 at 2pm eastern time my friend Dominique Karg of Alien Vault and I are doing a webinar on “Who Moved the Cheese in Security”.  It should be a lot of fun and I invite everyone to listen in and participate.

This grew out of a conversation Dominique and I had after RSA. It was amazing to us that some security executives actually believed that the Cloud, BYOD and such were passing fads. That soon we would return to traditional networks and traditional security. Talk about putting your head in the sand.

We will discuss that not only has the technology changed but how. We will also discuss how attacks and attack vectors have changed.  Finally what should you do and how is success defined.

It should be a great webinar. If you can make it please do.  If not you will be able to listen in to a recording of the webinar, but of course no live questions.  You can register down below or by going to: http://www.alienvault.com/resource-center/tech-talks/who-moved-the-cheese-in-security

A BrightTALK Channel
Related articles
Enhanced by Zemanta

Posted at 12:31 PM in Current Affairs, education, General Security, links and appearances, network convergence, virtualization | | TrackBack (0)

April 15, 2013

What is the Real Cost of Security?

You were just hired as the Chief Information Security Office (CISO) of a mid-market one thousand employee company. Your first day on the job you are told that the company really hasn’t done anything about information security to this point. You need to submit your prioritized plan and budget by the end of the week! What do you do? This is exactly the scenario that Wendy Nather, Senior Research Director of 451 Research put to literally dozens of CISOs. What they picked, what they think it may cost and the actual cost may really surprise you. Wendy’s new report, “The Real Cost of Security” (warning this is not free unless you are a 451 client) details her findings and analysis.

I had a chance to sit down and chat with Wendy about the report and its findings for Network World. Below you can listen to our conversation where Wendy provides some detail and depth to the report.

Despite all of the buzz about new and more sophisticated attacks, it was surprising that for the top priorities the oft-maligned technologies of firewall and AV were most often picked. In fact of the top 7 choices among CISOs, almost all of them are tried and true traditional products. I guess the old “no one ever gets fired for buying IBM” is still true today. According to the report, these are the top 7 recommended technologies

clip_image002

Figure 1 courtesy of 451 Research

The difference between the purple and gold lines is those that would recommend the technology if all they had was enough for the bare minimum (purple) versus if they had a blank check (gold).

Beyond the top 7, the next tier of choices represent a little more diversity:

clip_image003

Figure 2 courtesy of 451 Research

What was interesting about these next 6 is the wider disparity between the gold and purple lines. This indicates that many CISOs considered these more of an optional choice, but not bare minimum.

I was surprised that App Security and App firewalls were not in the top tier of solutions, given that so many attacks today use Port 80 and Web Apps as their vector of choice.

Bringing up the rear in the survey were the following:

clip_image004

Figure 3 Courtesy of 451 Research

You can see here the very wide disparity between some the minimum requirements and blank check scenario. This plainly labels some of these technologies as “nice to haves” but not required. GRC, NAC and Risk Management and Analysis seem to fall into this category by the widest margin. I was disappointed to see Training have such a wide disparity between minimum and blank check. I think dollar for dollar, security awareness training for your organization is some of the most effective security you can buy.

Beyond picking what technologies to buy, the cost of security as detailed in the report may surprise you. 451 Research looked at not only the cost of the technologies (not easy getting prices out of vendors), but also added in the cost of actually running these security solutions. When the total cost was figured in at a minimum an organization is looking at a budget of $250k. A more realistic budget for a 1000 person organization is probably somewhere between $500k and $800k. If you went all the way, you are closer to $1.2m dollars for security! Another metric from the report is that most organizations have about one security admin for every 500 employees.

What about your organization? What technologies have you deployed and what you are planning to deploy? What is your budget? Do you match the 1 to 500 ratio? There is a ton of great info in this report if you buy it or are lucky enough to be a 451 Research customer.

My full conversation with Wendy is here:

 

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

Related articles
Enhanced by Zemanta

Posted at 10:54 AM in CISO, General Security, IBM, IDS/IPS, podcasting, security tips, the security industry | | TrackBack (0)

March 07, 2013

APT – It can happen to anyone, especially you

This past RSA was a memorable one for several reasons. First of all I was glad to see the security industry move off of compliance as its reason for being. Compliance had taken the industry hostage for too many years. It seems that we are now finally focusing back on security and preventing breaches rather than some least common denominator check box model. I think in the long run we will all be more secure for this.

Another thing I saw at RSA was the idea of security using virtualization. It is not just securing virtual environments, but it is using hardened virtual containers to run code and apps to make sure they are not malware and they can’t do any harm to our devices. These hardened virtual containers run on our devices or they can run in the cloud or anywhere in between. The important thing is they can’t (supposedly anyway) get to anything valuable on our networks. If this pans out, it could have a profound impact on the way we secure our data in every segment of the market.

Perhaps one of the biggest trends though was the realization that we are under attack by very sophisticated forces, perhaps even nation states who are using very sophisticated and highly organized techniques. The report by security company Mandiant on the alleged acts by a unit of the Chinese PLA codenamed APT1 was chilling.

The thing about APT attacks is that no matter whether you are a big company or small, government related or not, you are a target. Midmarket companies should not be fooled into a false sense of security that these attacks are not aimed at you. They are! If you have IP that could be valuable, you are a target. Manufacturing, media, technology and financial companies are all potential targets. Not to be an alarmist, but if you are not doing something about defending yourself against this type of breach¸ you are foolish.

The good news is that many of these attacks while they use 0 day attacks and other unknown exploits almost always start with a simple spearphishing attempt or something similar. Most of these attacks still take place because the weakest link is still the person behind the keyboard. In this regard security awareness training is still a strong tool. If you can afford a 3rd party to come in an implement a security training program, you should do so. If not there are plenty of web resources available that you can put together and make your own. So much of this is common sense about not clicking on links you aren’t sure about.

Of course there is no guarantee that even with all of the security awareness training in the world you will prevent an attack from being successful. That is why it is also important to have a plan in place for what to do when something happens. Don’t wait until something happens to figure out what you should do. Assume something is going to happen.

Planning for a breach is as important as trying to prevent a breach. Again this is as important for a midsize firm as it is for a large firm. In fact many security experts say that midsize firms are more of a target than some of the larger organizations. So again, not to be a scaremonger, but you should be planning this for your company right now. Again there are 3rd parties who can really help with this. IBM and their partners have lots of options. But there are plenty of resources available on the web that you can use to craft your own plan as well. Don’t let budget stand in the way of your preparedness.

I will write up some more news from RSA around BYOD, Big Data and the Cloud in my next report so stay tuned.

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

Related articles
Enhanced by Zemanta

Posted at 10:50 AM in Current Affairs, General Security, IBM, Midmarket, phishing, the security industry, tradeshows | | TrackBack (0)

March 06, 2013

Webcast on User Activity Monitoring with Spectorsoft and SC Magazine

Image representing SpectorSoft as depicted in ...

Image via CrunchBase

My friends at Spectorsoft makers of Spector 360 have invited me to participate in a webinar next Wednesday, the 13th at 2pm eastern time, 10am pacific time.  The webinar is entitled “Getting More Out of DLP”.  It will cover how using Spector 360 can enhance your DLP coverage and give you greater control over controlling your confidential data.

The webinar is being conducted along with the great people over at SC Magazine. 

If you can’t make it live, there will be taped versions available, but no questions then.  You can register for the webinar here.

Hope to hear or see you next Wednesday!

Related articles
Enhanced by Zemanta

Posted at 11:26 AM in General Security, links and appearances, SC Magazine, the security industry, tradeshows, uam | | TrackBack (0)

March 02, 2013

Microsoft Trustworthy Computing Sponsors Security Bloggers Network

I am very pleased to report that once again the good folks over at Microsoft's Trustworthy Computing Group have agreed to sponsor the Security Bloggers Network.  The SBN has a long history of working with TWC and we are happy to work with them again.

SDC_Banner_495x90_v1

Microsoft is holding their second annual Security Development Conference in San Francisco, May 14-15, 2013. The conference will feature Scott Charney, Corporate VP Trustworthy Computing, Microsoft; Edna M Conway, Chief Security Strategist Global Supply Chain, Cisco Systems; Brad Arkin, Senior Director of Security Adobe Secure Software, Engineering Team (ASSET).

Conference specialty tracks target three different types of professionals: Engineers, Project Management, and Leadership. Combining keynotes from thought leaders as well as specialized breakout sessions, this conference is a can’t-miss for security professionals at any level. You can register now and USING THIS CODE AND SAVE $300 OFF THE REGISTRATION PRICE: SBN@SDC#13!

tim rainesI had a chance to chat with director of TWC Tim Raines. We were going to talk about the conference, but Tim and I started talking about the TWC, the world of security and what the challenges on the horizon are. By the time we were done, we never got to the conference, LOL!

Anyway, I think you will find the conversation very interesting. Enjoy and if you can go to the conference.

Related articles
Enhanced by Zemanta

Posted at 06:52 AM in education, General Security, microsoft, security bloggers network, the security industry, tradeshows, Web/Tech | | TrackBack (0)

February 21, 2013

Life Outside the Audit Zone

pci cryptLast week I wrote a “Tales from the PCI Crypt” blog article in regard to the findings of iScan Online that many of the merchants they scanned had credit card data contained in their email files. The fallout from that was that many organizations only worry about what is in their “audit zone”. What is the audit zone? It is those devices and those parts of your IT infrastructure that are subject to regulatory compliance or other types of audit. It may also include your policies and process that are subject to audit as well.

A popular strategy for dealing with compliance audits, especially in the mid-market has been to move as much as possible “outside the scope” of the audit. In PCI for instance, if the device is not involved in the recording, storing or transmitting of cardholder data, it is not subject usually to a QSA or other type of PCI audit. But as my friends at iScan Online found out, that is not necessarily the case. While technically, because these devices do have cardholder data they are subject to PCI audit, when asked by the auditor they are usually excluded because they don’t “touch” the cardholder data environment. But in fact they do!

A bigger issue though is that most organizations, especially in the midmarket, seek to do as little as possible to pass compliance. Compliance becomes a substitute for being secure. In the iScan Online case for instance, it was more important to say that sales persons cell phones and tablets are not part of the cardholder data environment so that they were “outside the scope” of PCI. But turns out those devices were vulnerable and had card data. A breach on those devices would not only have PCI consequences, but it could have more dire consequences to the bottom line. For instance according to several breach reports the average cost of a record lost is between 200 and 300 dollars. The average breach has a few thousand records lost. Do the math. That is enough to crater many smaller and midsize companies.

As we are seeing in many IBM Midmarket highlights such as this one on the Huffington Post, small and medium business are moving more and more to mobile, phones and tablets. If anyone thinks moving to mobile moves these devices outside of the audit zone they are mistaken. Even if they are not being audited, they represent security risks that must be addressed. You need a strategy for these devices outside of your audit zone.

A successful strategy has to go outside of the audit zone. You need to look at your real security and risk factors. Don’t be fooled into thinking that minimizing your audit profile, minimizes your risk. In fact it could be just the opposite. Minimizing your audit profile, could be at the expense of increasing your risk.

This dilemma is the result of our compliance at all costs mentality which has ruled in infosec for these past years. Checkbox security for compliance sake alone gives us a false sense of security. It does more harm than good. So next time you are looking at a compliance audit, try to think outside the audit zone and do what is best for the security and risk of your organization.

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

 

Related articles
Enhanced by Zemanta

Posted at 10:37 AM in General Security, IBM, Midmarket, pci | | TrackBack (0)

February 12, 2013

Illuminating the Dark Matter of your network with iScan Online’s Opportunistic Scanning

iscan-logoI have written recently about two friends of mine from the security industry, Carl Banzhof and Billy Austin and a company they started called iScan Online.  Carl and Billy first told me what they were thinking about last spring or so. Over the next months they kept me in the loop as they continued to develop. Over the summer they showed me early versions of a new kind of security scanner they had developed. They started offering free scans in the fall and today they officially launched iScan Online.

I have been very impressed with what Carl and Billy are doing. So impressed in fact that I have been helping them with the launch activities and consulting with them over the last few weeks.  I really like what they are doing and the space they play in.  Utilizing the cloud for a SaaS based security scanner, they actually do internal scanning on any device, anytime, anywhere. The internal scan is done on the endpoint itself, so no hardware or virtual appliance necessary, no complicated software. Fast and accurate, it is a great security tool for a BYOD world. They call it Opportunistic Scanning.

The company has written a white paper that I really like and even helped with, that explains what they do. It talks about the dark matter of your network.  What is the dark matter of your network?  Well like the dark matter of our universe, it makes up a large percentage of the mass of your network. These dark devices access your network, but are largely invisible to your current vulnerability management solutions. They are not always on, are not in your office regularly and are not static desktops, servers or infrastructure. Nevertheless they represent a significant risk to your security.  Using iScan Online you can gain visibility to this dark matter. You can download the white paper (without the usual “give me your contact info”) right now from the web site here.

The scans are quick and easy delivered via a web browser plug in, command line or API. They work on PCs and Macs, with mobile apps coming very soon.  The scans themselves are done on the endpoints so thousands of scans can be done at once. iScan Online can scan for traditional vulnerability scans, compliance scans (PCI, HIPAA) and data scans (PAN, PII).  You get instant reports per device and there is a cloud based portal for organization wide reporting that is pretty sophisticated.  You can get a free scan right now so you can see for yourself what it is does and how it works. Go check it out.

Carl and Billy have a lot of experience in this area. Both guys worked at Citadel Security, makers of the Hercules Patch management solution. Carl was the CTO there. Billy went on to be the CSO at SAINT, a vulnerability management company. After the sale of Citadel to McAfee, Carl was a VP over there continuing to work on endpoint security.  Both Carl and Billy are really passionate about what they are doing. iScan Online has already attracted seed investment from a strategic investor and will be expanding in the near future with more capabilities, as well as sales and marketing activities.

I really do like what they have done and how they are doing it. I think this represents a “next gen” approach to vulnerability management, just when we need one. BYOD, mobile and remote workers and offices have left a gap in our vulnerability management coverage, iScan Online’s opportunistic scanning is a great solution to fill that gap. I am looking forward to seeing how the market responds and am happy to be helping them.

Also many thanks to Mike Rothman of Securosis for allowing iScan Online to put a quote from the Securosis Evolution of Vulnerability Management research in the release. What Mike wrote is dead on to the issues that iScan Online solves.

Posted at 07:47 AM in cloud, cloud security, Current Affairs, friends, General Security, marketing, McAfee, other security companies, patching, SaaS, Security Consulting, Security Incite, the security industry, VAM, vulnerability management | | TrackBack (0)

November 19, 2012

Virtualization is a Game Changer for Mid-Market Security

I remember when I first started seeing virtualization really start popping up in the enterprise. It was slow and clunky. Of course I was already familiar with virtualization from my web hosting days. Running multiple instances of web servers on one physical machine allowed us to scale up a great web hosting business in the mid to late 90s. But when VMware burst on the scene in the early to mid 2000’s, I didn’t at first see the profound impact it would have.

Today of course we take virtualization for granted. Whether it is VMware, Microsoft’s HyperV, Xen, KVM or another hypervisor technology, they are in use throughout the enterprise. They have had a profound impact on the quantity and types of hardware servers we use. In retrospect, virtualization may be the single biggest change in data center computing over the last 10 years.

Of course security has not been immune from or above the virtualization revolution. I remember not that long ago security admins and security vendors saying that you should never put security products in a virtual environment. It would be poor design to have a security solution share resources with other appliances or processes. Of course that argument seems pretty weak now.

In fact virtualization has changed security pretty drastically, the same way it has servers, storage and applications. We now see virtual security appliances performing just about every security function you can think of.

But there are two aspects of virtualization from the security prospective. There is securing the virtual environment and there is leveraging virtualization for better, more efficient security. It used to be that putting a physical security appliance in front of a virtual stack was considered securing the virtual environment. But then we started to see security technologies that were built into the virtual environment itself. These solutions made use of virtualization itself to better secure not only virtual environments, but physical environments as well.

Virtualization also drastically changed the business models. Think of Disaster Recovery (DR) for instance. When you are running a dozen different virtual servers on one physical machine, how do you price your DR solution? Is it based on how many physical machines, how many virtual machines, a combination of both? Many companies are still grappling with these questions and models. But the market will evolve and standards and norms emerge.

While virtualization is already huge in the large enterprise, its impact on the mid-market is still gaining momentum. How much virtualization technology is your organization deploying? As we come to the end of the year and start planning next year’s budget will virtualization be playing an ever increasing role? I bet the answer is yes.

If so, now is also the time to be thinking about virtual security. Not only in terms of securing your virtual environments, but in leveraging virtualization to make your security posture more efficient, more secure and safer.

If you are not planning on leveraging virtualization in your security plans, you may find yourself falling behind in your ability to keep your organization secure. Here are some resources on virtual security:

http://www-935.ibm.com/services/us/iss/html/virtualization-security-solutions.html

http://www.youtube.com/watch?v=Xm77gh6EbkQ

http://www.sourcefire.com/security-technologies/network-security/virtual-security

IBMThis post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet

Posted at 11:46 AM in General Security, IBM, Midmarket, virtualization | | TrackBack (0)

Next »
My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search


Attend a Computer Forensics Boot Camp to better your skills and become a better worker

Categories

Blog powered by TypePad
Member since 10/2005

About