The Great Security Skills Shortage

Paula Musich

Summary Bullets:              

  • IT security specialists need to expand their skills range, especially in technology areas that are seeing the greatest amount of new investment
  • Employers looking for good candidates need to put resources into training and mentoring programs in order to cultivate the mix of skills they are seeking

Here’s an interesting conundrum:  There is an acute skills shortage in the IT security job market, but at the same time those with security skills are being turned away when they seek to advance through new job openings.  It appears to be a combination of factors that have created this scenario.  In a recent TechTarget article, George Hulme argues that there are unrealistic expectations on the part of those hiring.  Many organizations appear to be looking for candidates with multiple talents.  Not only do they want specialists, they want candidates to be specialists in multiple areas, and they want those candidates to have some leadership skills or business acumen.

Networks Do Matter – Really!

Jerry Caron

Summary Bullets:              

  • Networks and networking suffer from a lack of respect that defies logic.
  • Innovation continues apace; however, the industry often fails to give these advances the attention they deserve.

Networks and the stuff that makes them work are suffering from a dearth of respect to which even Rodney Dangerfield would have to defer. Sure, we all know that it is lunacy to dismiss the value of both private and public networks because the quality of experience is utterly dependent on the quality of the network connections. This is a stone-cold fact, whether we are talking about a teenager looking at YouTube videos on a smartphone, or a business running mission-critical applications.

Yet while networks and networking have never been truly glamorous, there is a perceptible downward trend in love for the stuff of connectivity. It has long been the case, for example, that the hottest, most admired Internet businesses take public and private networks for granted and ride roughshod over them with something approaching complete disdain. If Facebook is sluggish, you don’t blame Facebook, do you?

Why Are Enterprises Still Paying Premium Pricing for Less Effective Endpoint AV?

Paula Musich

Summary Bullets:

  • Antimalware innovators are increasingly successful in pitching their endpoint alternatives as supplemental to incumbent AV products.
  • This raises the question:  why continue to pay premium prices for less effective, traditional protection?

Yet another study claimed recently that anti-virus products fail to detect 60% of the malware in the wild, according to the Security Engineering Research Team (SERT) at Solutionary, a managed security services provider.  Those kinds of statistics hardly raise eyebrows anymore, but large enterprises continue to pay premium prices for their endpoint protection. This is not to say that the large anti-malware providers aren’t trying to adapt to the changing threat landscape, but they are slow to innovate and are taking baby steps to move beyond the broken signature-based approach to malware protection, in which each new malware and its variant must be identified and a signature created for endpoint-based scanners to identify.

Beware the Cloud Service Provider Shell Game

Jerry Caron

Summary Bullets:

  • Cloud services imply a new type of sales and support ecosystem that is still very complex and relatively unstable at the moment
  • This should not put buyers off, and should be welcomed—but all customary, cautionary warnings apply

The dynamics of cloud services have caused a fair bit of healthy upheaval in the way technology and software suppliers deliver and support their goods. In fact, that would be an understatement. Beyond the obvious difference between a network-based infrastructure or a software service versus goods sold or licensed for installation on-premise, there is a fundamental shift in the go-to-market plan for suppliers that takes the notion of so-called co-opetition to an entirely different level.

Virtualization Security Has Finally Arrived, but a Skills Gap Threatens its Success

Paula Musich

Summary Bullets:

  • Enterprise IT now has a healthy array of choices for protecting virtual machine-based applications and data
  • What’s missing are the IT skills necessary to adequately support security for virtual environments

In the last month it’s become abundantly clear that virtualization security is alive and well, and quickly moving toward mainstream status – at least from the vendor side.  Real competition has arrived when it comes to specifically protecting virtualized applications and data, thanks to this year’s serious entry into the growing market by three of the four largest anti-malware providers – Symantec, McAfee, and Kaspersky – along with innovative new startups such as Bromium. (Trend Micro, the third-largest anti-malware provider, has been in the market for a few years now with a very capable contender.)  There is now finally a healthy array of host-based anti-malware, encryption, network security and threat management products geared specifically toward securing virtual servers and cloud-based data. That means there are plenty of options to choose from, different approaches to streamlining the resource utilization of scanning, and varying levels of maturity in virtualization security products. Now what’s really needed is education.

Education is Needed to Assure End User Buy-in to BYOD policies

Paula Musich

The younger generation of smartphone and tablet users brings a false sense of security to all things cloud and mobility, trusting way too much in the security and intentions of apps providers, cloud purveyors, the Internet and even friends.  This brings even greater unease to security professionals charged with protecting corporate data as BYOD becomes pervasive in all sizes of enterprises.  A raft of articles in IT-focused publications exhort IT to put in place the proper policies and security controls to mitigate this new risk (as if they needed more risks to worry about) with regard to the use of employee-owned devices in the enterprise.

What Does VMware Mean to You?

Jerry Caron – Senior Vice President, Analysis

Summary Bullets:                

  • VMware’s VMworld was a hit again, pulling in partners and customers alike
  • The buzz around VMware is about much more than simple virtualization software

I did not attend last week’s VMworld in Las Vegas, hosted of course by VMware, the virtualization software market leader. I wish I had, though. While timing and location prevented my own pilgrimage, Current Analysis was very well represented as were a who’s who of technology-market partners and a robust contingent of IT executives and managers. The reason why this event has become so important for so many is simple, but also profound: Certainly VMware caught lightning in a bottle with its virtualization software, but the company is also leveraging this rather arcane solution as a platform to help solve myriad other IT problems, both with and without partner support.

Okay, Breaches Are Inevitable: So Now What Do We Do?

P. Musich

Summary Bullets:  

  • It takes only minutes for a sophisticated attacker to breach an enterprise network, but it can take months to uncover their presence.
  • Reducing that time to discovery can minimize the damage done, but there are multiple ways to try to achieve faster detection.  Which route should you choose?

I had an interesting conversation the other day with a company in the still fairly small market niche called incident response, and it got me thinking about the evolution of the threat landscape and the time that it takes enterprises to respond to new market conditions – especially in the security market.  I think by now most large enterprise security administrators and CISOs understand that it is not a matter of if, but when their organization will experience a breach – one that could potentially be very painful for the whole organization.  But recognizing that sad fact does not help those administrators and executives understand the most effective way to tackle the new challenge presented by more sophisticated, stealthy, multi-stage attacks.  Exacerbating their dilemma is an increasingly porous enterprise perimeter, where computing workloads are shifted outside the traditional DMZ and end users are allowed (or go around policies that prohibit) access to corporate data from their own smartphones, tablets and even laptops.

Federated Identities: Is Secure Ease-of-Access Keeping Up with Cloud Usage Patterns?

B. Ostergaard

Summary Bullets:       

  • Business users are pushing companies into a multi-cloud environment.
  • The automated mechanisms for handling multi-cloud access securely are not yet in place.

It’s not just the European summer weather that’s cloudy; so too is the future IT paradigm.  In this emerging multi-cloud near-future, business users will want easy access to corporate cloud resources from their private cloud, as well as the ability to launch apps in a platform-as-a-service (PaaS) environment and the ability to access a variety of ever-changing external SaaS clouds.  Users would prefer not to have to log in to these clouds individually with different passwords and log-in procedures, which just results in people keeping lists of passwords on yellow stickers or Word files on their desktop computers, clearly breaching any corporate security policy.  Public cloud destinations such as Amazon mostly rely on user-centric passwords (i.e., not aligned with the password used for corporate data site access), and even if a cloud site such as Salesforce.com (SFDC) is linked to a specific corporate account, it will still not sync with the user’s corporate password.  If the company wants to make such cloud access easy and safe (and keep password lists off user desks), the solution lies in storing individual passwords in the company’s Active Directory (AD) and subscribing to a federated identity service that automates access to multiple clouds based on the user information in AD.  With a federated identity service, users get a single sign-on service that may be either single-factor or require two-factor authentication for access to sensitive data.

Online Banking for SMBs: Like Playing Russian Roulette

P. Musich

Summary Bullets:                

  • Before enabling online banking for payroll or other payments, SMB IT personnel should carefully review the bank’s security procedures and understand what guarantees the bank offers for securing funds against cyber losses.
  • SMB IT managers should take special pains to educate the payroll manager on the risks and safe online behavior, and encourage hyper-vigilance in conducting company business online.  If possible, a system should be dedicated to online banking, and blocked from accessing any other web sites or email.

Past studies have indicated that small and medium-sized businesses (SMBs) and non-profits are a target for cyber criminals because they don’t have the same level of protection that larger companies do.  That is especially true for small and medium-sized banks, because they don’t have the same sophisticated online banking cyber-fraud controls that large banks have.  That could be why the SMB/non-profit market has become so attractive to security vendors such as McAfee, which in the last year has made a concerted push to improve its presence and offerings for that market segment.  In fact, security for SMBs is pegged to be about a $5.1 billion opportunity.  Besides that bull’s eye they’re sporting on their backs, there’s another reason for SMBs and non-profits to be hyper vigilant about protecting their finances:  should cyber thieves manage to gain access to their online bank accounts and steal their money, they are legally held responsible for the loss – not the bank.  A Tennessee construction company found that out the hard way, according to security blogger Brian Krebs.  Cyber thieves using the widely available Zeus Trojan toolkit managed to steal an employee’s user credentials as the user logged on to the firm’s online banking site, redirect the employee to a fake web page that claimed the bank’s site was under maintenance, and hijack the employee’s online banking session to put through multiple fake payroll payments to a series of money mules.  For some unknown reason, the bank failed to call the company for approval before it processed the automated clearing house payments, even though it had done so on a regular basis before the breach.   Despite that lapse on the part of the bank, the construction company was left holding the bag.