Virtualization Security Has Finally Arrived, but a Skills Gap Threatens its Success

Paula Musich
Paula Musich

Summary Bullets:

  • Enterprise IT now has a healthy array of choices for protecting virtual machine-based applications and data
  • What’s missing are the IT skills necessary to adequately support security for virtual environments

In the last month it’s become abundantly clear that virtualization security is alive and well, and quickly moving toward mainstream status – at least from the vendor side.  Real competition has arrived when it comes to specifically protecting virtualized applications and data, thanks to this year’s serious entry into the growing market by three of the four largest anti-malware providers – Symantec, McAfee, and Kaspersky – along with innovative new startups such as Bromium. (Trend Micro, the third-largest anti-malware provider, has been in the market for a few years now with a very capable contender.)  There is now finally a healthy array of host-based anti-malware, encryption, network security and threat management products geared specifically toward securing virtual servers and cloud-based data. That means there are plenty of options to choose from, different approaches to streamlining the resource utilization of scanning, and varying levels of maturity in virtualization security products. Now what’s really needed is education.  Continue reading “Virtualization Security Has Finally Arrived, but a Skills Gap Threatens its Success”

Education is Needed to Assure End User Buy-in to BYOD policies

Paula Musich
Paula Musich

The younger generation of smartphone and tablet users brings a false sense of security to all things cloud and mobility, trusting way too much in the security and intentions of apps providers, cloud purveyors, the Internet and even friends.  This brings even greater unease to security professionals charged with protecting corporate data as BYOD becomes pervasive in all sizes of enterprises.  A raft of articles in IT-focused publications exhort IT to put in place the proper policies and security controls to mitigate this new risk (as if they needed more risks to worry about) with regard to the use of employee-owned devices in the enterprise.  Continue reading “Education is Needed to Assure End User Buy-in to BYOD policies”

What Does VMware Mean to You?

Jerry Caron – Senior Vice President, Analysis

Summary Bullets:                

  • VMware’s VMworld was a hit again, pulling in partners and customers alike
  • The buzz around VMware is about much more than simple virtualization software

I did not attend last week’s VMworld in Las Vegas, hosted of course by VMware, the virtualization software market leader. I wish I had, though. While timing and location prevented my own pilgrimage, Current Analysis was very well represented as were a who’s who of technology-market partners and a robust contingent of IT executives and managers. The reason why this event has become so important for so many is simple, but also profound: Certainly VMware caught lightning in a bottle with its virtualization software, but the company is also leveraging this rather arcane solution as a platform to help solve myriad other IT problems, both with and without partner support. Continue reading “What Does VMware Mean to You?”

Okay, Breaches Are Inevitable: So Now What Do We Do?

P. Musich
P. Musich

Summary Bullets:  

  • It takes only minutes for a sophisticated attacker to breach an enterprise network, but it can take months to uncover their presence.
  • Reducing that time to discovery can minimize the damage done, but there are multiple ways to try to achieve faster detection.  Which route should you choose?

I had an interesting conversation the other day with a company in the still fairly small market niche called incident response, and it got me thinking about the evolution of the threat landscape and the time that it takes enterprises to respond to new market conditions – especially in the security market.  I think by now most large enterprise security administrators and CISOs understand that it is not a matter of if, but when their organization will experience a breach – one that could potentially be very painful for the whole organization.  But recognizing that sad fact does not help those administrators and executives understand the most effective way to tackle the new challenge presented by more sophisticated, stealthy, multi-stage attacks.  Exacerbating their dilemma is an increasingly porous enterprise perimeter, where computing workloads are shifted outside the traditional DMZ and end users are allowed (or go around policies that prohibit) access to corporate data from their own smartphones, tablets and even laptops. Continue reading “Okay, Breaches Are Inevitable: So Now What Do We Do?”

Federated Identities: Is Secure Ease-of-Access Keeping Up with Cloud Usage Patterns?

B. Ostergaard
B. Ostergaard

Summary Bullets:       

  • Business users are pushing companies into a multi-cloud environment.
  • The automated mechanisms for handling multi-cloud access securely are not yet in place.

It’s not just the European summer weather that’s cloudy; so too is the future IT paradigm.  In this emerging multi-cloud near-future, business users will want easy access to corporate cloud resources from their private cloud, as well as the ability to launch apps in a platform-as-a-service (PaaS) environment and the ability to access a variety of ever-changing external SaaS clouds.  Users would prefer not to have to log in to these clouds individually with different passwords and log-in procedures, which just results in people keeping lists of passwords on yellow stickers or Word files on their desktop computers, clearly breaching any corporate security policy.  Public cloud destinations such as Amazon mostly rely on user-centric passwords (i.e., not aligned with the password used for corporate data site access), and even if a cloud site such as Salesforce.com (SFDC) is linked to a specific corporate account, it will still not sync with the user’s corporate password.  If the company wants to make such cloud access easy and safe (and keep password lists off user desks), the solution lies in storing individual passwords in the company’s Active Directory (AD) and subscribing to a federated identity service that automates access to multiple clouds based on the user information in AD.  With a federated identity service, users get a single sign-on service that may be either single-factor or require two-factor authentication for access to sensitive data. Continue reading “Federated Identities: Is Secure Ease-of-Access Keeping Up with Cloud Usage Patterns?”

Online Banking for SMBs: Like Playing Russian Roulette

P. Musich
P. Musich

Summary Bullets:                

  • Before enabling online banking for payroll or other payments, SMB IT personnel should carefully review the bank’s security procedures and understand what guarantees the bank offers for securing funds against cyber losses.
  • SMB IT managers should take special pains to educate the payroll manager on the risks and safe online behavior, and encourage hyper-vigilance in conducting company business online.  If possible, a system should be dedicated to online banking, and blocked from accessing any other web sites or email.

Past studies have indicated that small and medium-sized businesses (SMBs) and non-profits are a target for cyber criminals because they don’t have the same level of protection that larger companies do.  That is especially true for small and medium-sized banks, because they don’t have the same sophisticated online banking cyber-fraud controls that large banks have.  That could be why the SMB/non-profit market has become so attractive to security vendors such as McAfee, which in the last year has made a concerted push to improve its presence and offerings for that market segment.  In fact, security for SMBs is pegged to be about a $5.1 billion opportunity.  Besides that bull’s eye they’re sporting on their backs, there’s another reason for SMBs and non-profits to be hyper vigilant about protecting their finances:  should cyber thieves manage to gain access to their online bank accounts and steal their money, they are legally held responsible for the loss – not the bank.  A Tennessee construction company found that out the hard way, according to security blogger Brian Krebs.  Cyber thieves using the widely available Zeus Trojan toolkit managed to steal an employee’s user credentials as the user logged on to the firm’s online banking site, redirect the employee to a fake web page that claimed the bank’s site was under maintenance, and hijacked the employee’s online banking session to put through multiple fake payroll payments to a series of money mules.  For some unknown reason, the bank failed to call the company for approval before it processed the automated clearing house payments, even though it had done so on a regular basis before the breach.   Despite that lapse on the part of the bank, the construction company was left holding the bag. Continue reading “Online Banking for SMBs: Like Playing Russian Roulette”

IT Pains Evolving: Where’s Holmes & Watson?

M. Spanbauer
M. Spanbauer

Summary Bullets:

  • Intelligent embedded network agents and sophisticated software heuristics provide key insights into information and performance patterns for predictable data consumption, but interpreting these requires talent
  • Humans remain the most valuable troubleshooting tool in the IT arsenal

Having worked in infrastructure in the ‘90s and I’ve done my fair share of troubleshooting vampire taps, thick-LAN, and eventually thin LAN (and those finicky terminations) I can say we’ve come a long way.  Granted at its most basic we’re troubleshooting low voltage electrical wires in most wired infrastructure.  Sophisticated tools are embedded in many switching platforms now which can immediately detect a link loss in addition to whether it’s a damaged cable or connector, or alert correlation from multiple devices to pinpoint the exact location of a ‘noisy’ device polluting the network.  Advances such as these have increased efficiency, reduced trouble ticket resolution times, and freed up valuable resources to work on more complex challenges.  With wireless access becoming the norm for clients as more and more devices go solely mobile, tools have generally kept pace and network management systems have slowly grown more capable and feature rich.  As cloud adoption rates increase and systems grow more diverse, the tools are likely to suffer a setback, though, with many disparate elements, both physical and virtual, contributing to a single application connection. Troubleshooting these will once again require a significant amount of technician involvement to determine root cause during an outage (and no, rebooting your client isn’t the answer, Mr. Helpdesk).  Physical and virtual agents must be deployed in order to collect statistics in real time and aggregate these bits into a collective perspective of the health of the network.  Whether this is done with one of the extensible “framework” NMS systems or via vendor element management systems does not matter, but at the heart of this is that enterprises need to embrace a more sophisticated management model than they have in the past. Continue reading “IT Pains Evolving: Where’s Holmes & Watson?”

APT Threats Today Need a Different Kind of Response

B. Ostergaard
B. Ostergaard

Summary Bullets:       

  • The ‘Flame’ advanced persistent threat (APT) is invisible to commercial AV defences and may lie dormant for years.
  • Combating APTs may create a new role for the ITU and further international anti-malware efforts.

The latest news on the (often purported to be state-sponsored) APT front is a massive piece of spy software, dubbed ‘Flame,’ which seems to have been around for many years – at least since 2010.  The worm was discovered by accident when security vendor Kaspersky was looking for another mystery APT dubbed ‘Wiper,’ which has been deleting files on servers in the Middle East for some time.  Much like earlier APTs such as ‘Stuxnet’ and ‘Duqu,’ Flame exploits software and hardware vulnerabilities that evade any of the known AV defences and infects desktops and servers in multiple ways (USB, LAN, drive-by etc.); similar to these other APTs, it appears to harm or spy very selectively, so it may reside dormant on a large number of Windows PCs.  Flame is different in that the remote controllers can install different modules (e.g., taking control of the PC’s microphone to record conversations) on infected machines depending on what kind of information the controllers want to steal.  So, the net-net is we do not know if our desktops or data centres are infected, and consequently whether they are actively or passively spying on us and stealing our data.  We might seek some comfort in the belief that this malicious (often Middle Eastern) activity is politically rather than commercially motivated, but state-sponsored industrial espionage is an obvious use as well. Continue reading “APT Threats Today Need a Different Kind of Response”

Time to Bridge the Security Divide That Separates CISOs and Directors/CEOs

P. Musich
P. Musich

Summary Bullets:

  • There is a huge gap between the views of senior executives/boards of directors and CISOs when it comes to managing cyber risks
  • To bridge that divide, CISOs need to speak the language of business risk, while executives must remove the blinders that keep them from seeing the depth of the problem.

A couple of recent studies that came to light underscore the very large disconnect between boards of directors/CEOs and the CISO when it comes to managing cyber risks. In the “Governance of Enterprise Security: CyLab 2012 Report,” conducted by Carnegie Mellon CyLab for RSA, some very disturbing findings came to light from the energy/utilities sector.  That study, scrutinized whether boards and CEOs were carrying out fundamental cyber governance tasks and discovered that 71% of those boards rarely or never reviewed privacy and security budgets, 79% rarely/never reviewed roles and responsibilities, 64% rarely/never reviewed top-level policies and 57% rarely/never reviewed security program assessments.  This, in a highly regulated and essential industry. Continue reading “Time to Bridge the Security Divide That Separates CISOs and Directors/CEOs”

Mobile Operating System Choice

A. Braunberg
A. Braunberg

Summary Bullets:

  • Nobody ever got fired for buying BlackBerrys. Embrace device diversity but incentivize best practices

Anyone old enough to remember the phrase: “Nobody ever got fired for buying IBM equipment”? If uttered by an IBM sales person it could be considered classic fear, uncertainty and doubt (FUD). But it was based on an industry axiom at the time: IBM hardware was the known quantity and the safe purchase. For a long time, nobody got fired for buying BlackBerry either, but the ‘consumerization of IT’ has thrown those old assumptions out the window and organizations are back to really taking a hard look at the features of each mobile OS and trying to keep the FUD at bay. I sat in a panel at Interop last week that basically asked the question: is it safe to hitch your wagon to any one mobile OS, BlackBerry or otherwise? Continue reading “Mobile Operating System Choice”