INFORMATION SECURITY
SEPTEMBER 2013 | VOL. 15 | NO. 07
Source: docs.media.bitpipe.com/io_11x/io_111815/item_757256/ism...

BRIDGING THE SECURITY SKILLS GAP

ATTACK SECURITY LITERACY WITH BRUTE FORCE

CYBERSECURITY ENTERS THE BOARDROOM

RANUM Q&A: CONVERTING TO CLOUD

GLOBAL RISK ASSESSMENT MOVES BEYOND REGULATIONS

NEXT-GENERATION FIREWALLS PLAY BY NEW RULES
Modern firewalls offer greater application awareness and user controls. Protect your migration strategy with these tips from the pros.

2 INFORMATION SECURITY | SEPTEMBER 2013

EDITOR’S DESK

RANUM Q&A

SECURITY EDUCATION

NEXT-GENERATION FIREWALLS

SECURITY SKILLS SHORTAGE

CYBERSECURITY OUTLOOK

EDITOR’S DESK

Cybersecurity Enters the Boardroom
Analysts expect security concerns to drive global risk assessment, but executives may need convincing. BY KATHLEEN RICHARDS

“WE NEED TO advance the security agenda to the boardroom,” says MacDonnell Ulsch, CEO and chief analyst of ZeroPoint Risk Research. That means turning to managing risk, according to Ulsch. “I know there are those who disagree with this, and who believe that technical security is the answer. To me, it is only part of the solution of managing risk.

“It is interesting, too, that so many in the industry are focusing on data protection of regulated data, but that intellectual property [IP] and trade secrets seem less critical, even though these secrets may be the lifeblood of the company,” adds Ulsch. “If I lose PII and PHI, it’s a bad day, and there are consequences. If I lose IP, it may be the end of the company. So managing risk is what security professionals are doing. They know it, now we need the rest of the organization to know it.”

Ulsch, who joined the Information Security magazine editorial advisory board last month, is among the experts who shared tips and strategies in my article on global risk assessment and security. Analysts at Gartner, and elsewhere, advise senior security management that by 2020, companies can expect cybersecurity spending outside of compliance to drive global risk assessments and strategy assumptions at Global 2000 companies.

“The answer to [the spending question] is not immediately obvious,” says Ernie Hayden, CISSP, global managing principal, RISK, Verizon Enterprise Solutions.

“Right now the drivers are still based on compliance to certain security standards,” he says. “Additionally, the


threat intelligence and how it can be useful to a company is not immediately obvious to the executives, who approve security expenditures. And, with the new threat intelligence, it is quite common that the CISO may need to ask for more technology or staff to help react to the intel more effectively.”

As Hayden points out, the amount of information and data that CISOs need to plow through—and protect—is bursting beyond the “four walls” as mobile devices and high-memory portable media proliferate. And it shows no sign of tapering off. The format of the threat intel—which is likely coming in bursts instead of a continuous stream—may open the door for arguments about its real value to the company.

All of this “makes the CISO’s job that much more difficult and expensive to execute,” says Hayden. “The CISO, executive leadership team and board of directors need to realize that they should assume that the organization will be breached in the future. This is the sad truth that many leaders have difficulty accepting,” he acknowledges. “The bad guys only need one way into your network to steal and vandalize. However, the CISO and their team need to cover every single entry point into the network, applications and databases,” he says. “Again, this is a tough task.”

We also tackle the ongoing issues that CISOs and their teams face as the security skills shortage shows few, if any, signs of improvement. Author Rob Lemos writes about the innovative ways that security firms and other companies are trying to keep their pipelines flowing, especially as universities and colleges continue to fall short, and entry-level security specialists offer little more than “frequent flyer” skills.

On a positive note, help is on the way as vendors continue to improve their next-generation firewalls, fine-tuning application awareness and other user controls. Longtime tech journalist and technology expert David Strom interviewed IT security managers and CISOs to find out how their migrations were going and what advice they could pass on to other organizations that are thinking about replacement strategies. Enjoy the issue, and let us know what you think.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath. Send comments on this column to [email protected].


RANUM Q&A

Converting to Cloud
Not down with Dropbox? Lee Heath embraced shadow IT and improved his company’s data security practices in the process. BY MARCUS J. RANUM

IS MARCUS RANUM changing his views on cloud computing? The Information Security magazine columnist chats with Lee Heath, a 20-year veteran of vulnerability management and compliance at companies such as Yahoo! and JPMorgan Chase & Co. Heath is currently working on data loss prevention, classification and cloud storage as an information security business partner for Alliance Data Systems Inc. and its line of businesses.

We were talking in Dallas a couple of weeks ago and you said some things that pretty much made me do a complete 180 on the whole cloud computing thing. You were, basically, embracing it and using it as a way to steer other business problems, specifically, data custodianship and classification. Tell us about it.

My colleagues—Brian Mork and Houston Hopkins—and I are somewhat new to our positions, and we were tasked with a few specific jobs. We were to look for ways to improve upon several standard security practices, such as data loss prevention, file usage monitoring, data ownership and data classification, as well as trying to stay ahead of the curve with shadow IT.

Each quarter, we try and come up with a shadow IT topic and discuss how we can prevent it, or if we can use it. One of the first topics that came up was the “Dropbox effect” and figuring out that upper management was already using it, not to mention the usual marketing and sales folks. After some thought—and talking to several providers about our needs—we saw an opportunity to embrace cloud storage, make it work to our advantage and clean up the state of data management in the process.


The idea seemed simple at first—everything moved to the cloud has an owner. By using the promise of access to your data from “anywhere” as a carrot, we’re able to get users to migrate their data from traditional network file storage up to the cloud. As they move it, their data is flagged with a default classification. This allows for data retention policies that are easier to stick to and monitoring of who is accessing what, from where and with what tool. Overall, it seems like a win-win for everyone, but there is no perfect solution.

It sounds like you’re asking for the cloud service providers to stretch their business models a bit and do some technology and policy development. The good news is that once you’ve “broken them in” for us, everyone gets those capabilities, right? How did you manage to get a sufficient level of responsiveness?

The nice thing about the cloud is that it is agile. We talked to several providers, and none of them really had what we wanted. Luckily, some [providers] can see the advantages of listening to our security concerns and utilizing our suggestions as a way to improve their products. Some [providers] did not feel like dealing with the requirements. But a good sales rep can go a long way; someone [willing] to make a sale, and sit with both us and the engineers, really made a difference.

I think for a cloud storage provider, or any online service provider, to be successful in the corporate world, they need to have more accountability and control over more aspects of their product and the product has to be usable.

Some providers had all the controls in the world, but the product was not usable or they did not support, for example, a device with iOS (which is popular among the C-level). Most [services] are really user friendly, but they have limited security controls or accounting capabilities associated with their tools. In the end—which has taken about six months and is not really the end—we have the bulk of what we wanted. It has been an ongoing, iterative process with the vendor we decided to go with. It would be interesting to go back and see if any other [vendors] took what we had to say and improved their offerings.

Did you keep any metrics about the effectiveness of the data classification? How many of the units just moved everything up and marked it with the “default” markup? Still, this sounds like a huge win—because you now have an audit trail of all the files a unit moved to the cloud; and I suppose you could do more detailed analysis from the audit trail. What metrics did you keep during the migration, and what have you done with them?

[Photo: Lee Heath]


Actually, you caught us at the end of the testing and design phase, and we are about to start on-boarding the general masses. Thus far, we have only had a few key test groups that are sending in feedback for tweaks and features. Brian and Houston have been playing with the API, which allows us to pull the detailed logs of all actions, plus all metadata associated with every file on the system. The API is mainly for creating your own apps, but we are using it to get to the details held within [the storage system].

One of the big things we are looking at tracking is, as you mentioned, whether people are using the tags and classification at upload time, going back, or just leaving the default. We are already tracking where people are accessing the files they have uploaded from and who they are sharing items with. Some of this data will be fed into SIEM solutions for alerting, because we don’t want to muddle the signal-to-noise ratio in email alerts. Some [data] will be tracked for trending, and for alerts of anomalies, such as bulk downloads.

One upcoming feature from the provider is a rules engine, so some of the data we will be pulling and parsing on-site will end up being in the product itself at a later date. Until the rules engine is complete, the features will be managed by us via scripts and the API. For instance, data retention policy adherence is an example of how we use the API. We can pull the metadata from each object; therefore, we can see how long [it’s been] since a file has been updated and how it is classified and tagged. Based on that data, we can automatically move the file to a trash folder to be deleted at a later date, notify the owner that it will be deleted or whatever we see fit. Overall, it is very flexible.

I have to admit I’m surprised that the cloud providers were willing to make modifications for you. I suppose that what you’re seeing is maturation of the market with newer and hungrier providers trying to distinguish themselves. The provider you went with is one of the top-tier providers, though, right? Were you early adopters? How did you get into their technology lifecycle so effectively?

I will admit we were not the only ones asking for these features. The sales guy has several big name companies that are asking for similar features. Luckily, we had worked with him before on other projects, and through other companies, so we have a good rapport with him and he understands that the sale is dependent on doing the right thing.

Security is the big concern with cloud services for most companies, to the point that they are unwilling to use them. For some reason, many cloud companies are, as you mentioned, not willing to meet the requirements of their customers. Whether they think they know better or think it is the corporate user community being overly


paranoid, it doesn’t matter. Just because the general public accepts security shortcomings does not mean that companies that have knowledgeable staff will. I hope we see more of a change and get the cloud providers to be more flexible and to meet our needs as an industry, and not just stick with what they feel is “good enough.”

We ask most of the smaller to midrange companies we work with if they have a technical advisory board we can be part of; for some, it works quite well. I don’t expect a company like IBM or Hewlett-Packard to really listen when we have feature requests, but there are a lot of companies that do, and they benefit from it as much as we do. One of the key things is not just asking for a feature, but having justification and reasoning behind it. You may not end up with exactly what you asked for, but often what you get will fill the need.

Have you attempted any redundancy analysis? I wonder if you could do something like pull back checksums and see how many exact copies you have of certain files in your entire enterprise? Or, perhaps filename analysis to see how many variant versions you have of files? I can see a lot of potential for “big data” style analysis, treating your file storage—once you’ve got it all in one place—as the subject of study. You could do some cluster analysis to see how many people shared files outside of their group. If you could tie some departmental data into the analysis—via Microsoft Active Directory [AD] or human resources—you could actually start to do queries against stuff like, “Tell me about people in sales who have files that came from HR.” Are you doing anything like that now?

Brian and Houston have started pointing out some of the bits of information we could use for data mining and some trending. While we have technically unlimited space, using the SHA-1 hashes that are part of the metadata provided by the cloud service, we can easily pull that information and look for duplication. The duplication detection would be more of a concern for which one is “official” and making sure that is the one people are utilizing. The file and folder objects have a lot of attributes we can pull and manipulate. There is also access and revision history, so we can see that while Bob may own the file, Alice is the maintainer.

Along with the revision history, the cloud provider keeps the previous versions, so we can see if and when a large amount of data is added or deleted from specific documents. If a file has been consistent for a period of time and suddenly changes, then we can notify the owner and/or updater to make sure that a mistake wasn’t made.

We can also take that one step further to monitor the SHA-1 of specific documents to do basic file integrity monitoring of policies or procedural documents that should not change often, for instance. Beyond that we are already monitoring file sharing. We can not only see


who has shared files, but we can see if the share has been accepted and whether or not the objects have been accessed. We can also see if specific documents or whole folders have been shared internally or externally. Some groups will have more control over who they can share with than others, based on culture and business need, but we still need to monitor for abuse.

We are tying the solution into AD for authentication using SAML [security assertion markup language], but we don’t see a way we can comfortably use AD groups for access controls. The cloud system allows for adding details about the user such as title, address and phone number, but not organizational info. With the enterprise console, we can add groups of users and assign access to a group, but again it is not tied to AD—at this time—and the groups are just for ease of use. The actual file attributes list all users with access and the type of access, not the group.

I guess one of the biggest “data management nirvana” aspects of what you’re doing is that you more or less move away from unauthenticated access to important data. What you guys have done is figured out a way to take advantage of the nature of the cloud in a way that offsets the security disadvantages of it. That’s fantastic! I may become a cloud computing advocate after this. What’s the most important thing you’ve learned from this effort?

In my last position, I was right there with you and would have not considered using the cloud for any storage. While I now feel there are some good use cases, and ways we can make it fit a need, there are still cases where I would not use it. I don’t want to keep, for instance, credit card data in bulk in the cloud. I don’t feel the risk warrants it, but, as you mentioned, it might be better than having it on a wide open share, even if the network is protected.

I think the main thing we took away from this as a company is, to some extent, to embrace shadow IT and leverage it to your advantage. At the same time, don’t back down from what you know you need. If a vendor is not willing to work with you, explain why you don’t want to use them. Many [providers] are aware of security concerns and have good ideas on their roadmaps, but until more companies push the issue, security won’t be high priority over usability bells and whistles… It is a trade-off of usability versus security with users’ wants thrown in to make it even more complicated, and we all know that is the ultimate balancing act for infosec.

MARCUS J. RANUM, chief security officer of Tenable Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.

Send comments on this column to [email protected].
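The checks Heath describes in the interview above (duplicate detection from the provider's SHA-1 metadata, retention-policy adherence from last-modified dates, integrity monitoring of documents that should rarely change, visibility of external shares and the default classification, and alerting on bulk downloads) worked through as an added Python example. This is not code from the interview or from any cloud provider: the record fields, the activity-log shape and every sample value are constructed, and the provider API is assumed to have already been used to pull the metadata and events into the two lists shown.

```python
"""Added example: checks a security team could run over cloud-storage metadata
and activity logs pulled through a provider API. All records below are
constructed sample data; field names such as "sha1", "modified", "classification"
and "shared_with" are assumptions about what such an API returns."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-object metadata (one dict per stored file).
FILES = [
    {"path": "/policies/acceptable-use.docx", "owner": "bob@corp.example",
     "sha1": "a" * 40, "modified": "2013-01-15T09:00:00",
     "classification": "internal", "shared_with": ["alice@corp.example"]},
    {"path": "/policies/incident-response.docx", "owner": "bob@corp.example",
     "sha1": "e" * 40, "modified": "2013-08-20T11:00:00",
     "classification": "internal", "shared_with": []},
    {"path": "/sales/pricing-2013.xlsx", "owner": "carol@corp.example",
     "sha1": "b" * 40, "modified": "2013-08-01T14:30:00",
     "classification": "default", "shared_with": ["partner@outside.example"]},
    {"path": "/sales/pricing-2013 (copy).xlsx", "owner": "dave@corp.example",
     "sha1": "b" * 40, "modified": "2013-08-02T08:10:00",
     "classification": "default", "shared_with": []},
    {"path": "/hr/old-handbook.pdf", "owner": "erin@corp.example",
     "sha1": "c" * 40, "modified": "2011-03-03T10:00:00",
     "classification": "default", "shared_with": []},
]

# Constructed per-action log events: 25 downloads by one user in 25 minutes, one by another.
EVENTS = [
    {"user": "dave@corp.example", "action": "download",
     "path": f"/sales/doc{i}.pdf", "time": f"2013-09-03T02:{i:02d}:00"} for i in range(25)
] + [
    {"user": "alice@corp.example", "action": "download",
     "path": "/policies/acceptable-use.docx", "time": "2013-09-03T09:15:00"},
]

# Constructed baseline hashes for documents that should not change often.
INTEGRITY_BASELINE = {
    "/policies/acceptable-use.docx": "a" * 40,
    "/policies/incident-response.docx": "d" * 40,   # differs from current "e"*40
}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def duplicates(files):
    """Group paths by SHA-1 and keep only hashes stored more than once."""
    by_hash = defaultdict(list)
    for f in files:
        by_hash[f["sha1"]].append(f["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def stale_files(files, now_iso, max_age_days):
    """Paths whose last modification is older than the retention window."""
    cutoff = parse(now_iso) - timedelta(days=max_age_days)
    return sorted(f["path"] for f in files if parse(f["modified"]) < cutoff)

def integrity_changes(files, baseline):
    """Baseline paths whose current SHA-1 differs (a deleted file also counts)."""
    current = {f["path"]: f["sha1"] for f in files}
    return sorted(p for p, h in baseline.items() if current.get(p) != h)

def external_shares(files, internal_domain):
    """Paths shared with any account outside the organisation's domain."""
    return sorted(f["path"] for f in files
                  if any(not u.endswith("@" + internal_domain) for u in f["shared_with"]))

def unclassified(files):
    """Paths still carrying the default classification applied at upload."""
    return sorted(f["path"] for f in files if f["classification"] == "default")

def bulk_downloads(events, window_minutes, threshold):
    """Users exceeding `threshold` downloads inside any sliding window of `window_minutes`."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            per_user[e["user"]].append(parse(e["time"]))
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return sorted(flagged)

def summary(now_iso):
    """Everything a SIEM feed or weekly report would carry, as one dict."""
    return {
        "duplicates": duplicates(FILES),
        "stale": stale_files(FILES, now_iso, 365),
        "integrity": integrity_changes(FILES, INTEGRITY_BASELINE),
        "external_shares": external_shares(FILES, "corp.example"),
        "unclassified": unclassified(FILES),
        "bulk_downloads": bulk_downloads(EVENTS, 60, 20),
    }

if __name__ == "__main__":
    for key, value in summary("2013-09-03T00:00:00").items():
        print(f"{key}: {value}")
```

The sliding window in `bulk_downloads` is the part worth keeping when wiring this to real logs: a fixed hourly bucket misses a burst that straddles a boundary, and the threshold is what you tune per group once you have the trending data Heath mentions.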


SECURITY EDUCATION

Attack Security Literacy with Brute Force
Forget the slogans. Reset your security awareness program with actionable information. BY DOUG JACOBSON AND JULIE A. RURSCH

MOST ORGANIZATIONS spend thousands of dollars on the latest technology to heighten security and yet overlook one of the lowest cost options available—increasing security literacy in their employees. The ancient Chinese proverb is true: “Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.”

And, we don’t mean create an enterprise security awareness program with catchy slogans and no real security education. Teach employees why security is important and show them how hackers use vulnerabilities, created by human carelessness, to attack enterprise networks and computer systems.

Too many times, organizations treat employees as if they can’t comprehend the security threats that we try to protect them from technologically. End users love to download software for their PCs and applications for their personal devices to help them with their work or provide some personal enjoyment. Unfortunately, many of them don’t ever consider the possibilities of backdoors, spyware, ransomware or botnets being installed as side effects of their activities. However, if we properly lay out the problem with downloads and frame it in an ordinary context, most users can be taught how to protect themselves and their organizations. Historically, security experts have tried to get employees to take the right security measures without an understanding of why these steps help protect enterprise assets.

A security awareness program often features a catchy phrase that is memorable and graphically cute: “Make


your password like a good cup of coffee, strong.” These campaigns do little to help technology users understand why taking certain security measures is important or how to adjust if a similar, but technically different, problem arises. For example, an employee creates what they assume is a strong password, but then uses it for multiple accounts due to password fatigue.

The “strong coffee” slogan is catchy, but it doesn’t have much impact on users because it doesn’t tell them what to do. The problem: What does “strong” mean? And, what specific actions are needed to make passwords effective?

SCHOOLED ON PASSWORD CRACKING
With a security literacy approach, security managers explain to employees what “strong” actually means and demonstrate how to make passwords stronger. To start, they provide basic background information on security issues. For example, hackers get into computer systems by guessing passwords or through brute-force attacks, which may involve cryptanalysis and exhaustive key searches. The attackers’ success depends, in part, on the company’s security controls and authentication software systems.

A strong password is longer and it has more types of characters in it. By making hackers try all the random combinations of letters, numbers and characters, you have delayed—and sometimes deterred—them from further login attempts. We even demonstrate the relative quickness of brute forcing a word that’s found in the dictionary versus a stronger password by running a password testing utility such as L0phtCrack (now L0phtCrack 6) or John the Ripper. The visual demonstration in which it takes longer to crack the stronger password solidifies the end users’ understanding of a larger key space.

In addition to just talking about “strong,” we need to help the employees understand the threats associated with passwords. On their own, passwords are not a panacea for security threats. Users need to understand what protection passwords actually provide, and what they do not protect. For example, no matter how technically strong a password is, sharing a password weakens it. A password needs to be viewed as a secret that is well-guarded. A shared password is worthless.

Employees must also realize that when presented with multiple systems that need authentication, the same

Teach employees why security is important and show them how hackers use vulnerabilities, created by human carelessness, to attack enterprise networks and computer systems.
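The key-space arithmetic behind the classroom demonstration the authors describe, as an added Python example that is not part of the article: a word found in a wordlist falls in a fraction of a second, while each extra character and each extra character class multiplies the space an exhaustive search must cover. The guess rate and wordlist size are assumed figures chosen for illustration, not measurements from any cracking tool, and the tiny `WORDLIST` set is a constructed stand-in for a real dictionary.

```python
"""Added example (not from the article): why "longer, with more character
types" translates into a larger key space, expressed as numbers a class can
compare. Guess rate and wordlist size are illustrative assumptions."""
import string

GUESSES_PER_SECOND = 10_000_000_000  # assumed offline rate against a fast, unsalted hash
WORDLIST_SIZE = 170_000               # assumed size of an attacker's dictionary
# Constructed stand-in for that dictionary; only membership is checked here.
WORDLIST = {"password", "coffee", "welcome", "dragon", "monkey", "letmein"}

# Character classes a password may draw on, and how many symbols each contributes.
CLASSES = (
    (string.ascii_lowercase, "lower"),
    (string.ascii_uppercase, "upper"),
    (string.digits, "digit"),
    (string.punctuation, "symbol"),
)

def charset_size(password):
    """Size of the union of standard character classes the password uses."""
    total = 0
    for chars, _name in CLASSES:
        if any(c in chars for c in password):
            total += len(chars)
    return total

def keyspace(password):
    """Strings an exhaustive search over the detected classes and length must cover."""
    return charset_size(password) ** len(password)

def expected_guesses(password):
    """Average guesses needed: half the dictionary when the password is a
    dictionary word, otherwise the whole dictionary (tried first) plus half
    the key space."""
    if password.lower() in WORDLIST:
        return WORDLIST_SIZE // 2
    return WORDLIST_SIZE + keyspace(password) // 2

def seconds_to_crack(password, rate=GUESSES_PER_SECOND):
    return expected_guesses(password) / rate

def human(seconds):
    """Rough human-readable duration for the demonstration printout."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.6f} seconds"

def compare(passwords):
    """Side-by-side figures for a set of sample passwords."""
    return {p: {"charset": charset_size(p), "keyspace": keyspace(p),
                "time": human(seconds_to_crack(p))} for p in passwords}

if __name__ == "__main__":
    for pw, info in compare(["coffee", "Coffee42", "C0ff33-L4tt3-Str0ng!"]).items():
        print(f"{pw!r}: charset={info['charset']}, "
              f"keyspace={info['keyspace']:.3e}, about {info['time']}")
```

The model is deliberately simple: real cracking tools also try dictionary words with case and digit mangling, so "Coffee42" sits closer to the dictionary end than its raw key space suggests. That is exactly the point to make in a literacy session, since it explains why length and unpredictability, not decoration of a common word, are what buy time.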


password should not be used because if it’s compromised, the hacker has access to all the systems, not just one. Teaching technology users to have a process for handling multiple passwords is a smarter approach. It also allows them to have better control of their own liability.

SECURITY LITERACY BEYOND CHARACTER STRINGS
We have used the concept of understanding passwords to illustrate the need for security literacy training. However, security literacy goes much, much deeper than this. Employees need to be literate in many other facets of security such as wireless, Web surfing, email and more. By creating the proper examples and putting the threats and solutions in terms the employees can internalize, we argue that users will be able to understand existing threats and adapt to the ever-changing security landscape.

Employees are an organization’s most valuable resource. We take time to hire the right people, ensuring they have the best skill sets and the proper values. We train them in our way of thinking to do business, and they make decisions with the best interests of the organization in mind. So, why don’t we empower our employees to help the organization become stronger in the area of IT security? By focusing on security literacy for employees, they become part of the conversation and they feel like security is part of their daily responsibilities.

A security awareness program with posters and slogans doesn’t help employees internalize these messages. Those campaigns just make employees feel like security is an added burden that’s dictated from the top down.

Most employees will make good decisions given enough information and understanding of security issues. We understand from a purely IT perspective that it is easier to focus on technological innovations to solve our security problems. However, no amount of technology will overcome the human factor. Security literacy is the non-technological answer to the ongoing security problem.

DOUG JACOBSON is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.

JULIE A. RURSCH is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry.


COVER STORY: NEXT-GENERATION FIREWALLS

By David Strom

FIREWALLS PLAY BY NEW RULES
Modern firewalls offer greater application awareness and user controls. Protect your migration strategy with these tips from the pros.

FIREWALLS STARTED THEIR journey to the next generation at about the same time as the Star Trek TV series. While the products have advanced, many IT security experts are still stuck with the original firewalls that handle ports and protocols.

Modern enterprises need a deeper understanding of the applications that operate across their networks. Newer security appliances offer deep packet inspection, finer-grained controls and application awareness to help organizations police their network perimeters. Despite the appeal of these newer platforms, “next generation” labels can’t begin to describe the range of technology, features and support issues involved when companies migrate to modern firewalls. These appliances are now offered by a host of established vendors including Check Point Software Technologies, Cisco Systems, Dell, Fortinet, Juniper Networks, Palo Alto Networks, Sourcefire (acquired by Cisco in July), Stonesoft (acquired by McAfee in May) and WatchGuard. F5 Networks entered the fray in 2012, when its BIG-IP product line of application delivery controllers received ICSA Labs certification.


“Most modern firewalls really have some next-generation aspects to them, including integrated intrusion prevention (IPS) and better application controls,” says Gartner research director Eric Maiwald. “This is the standard of today’s firewalls and all of the major security vendors claim to have a next-generation story.” But claims aren’t always accurate, and understanding how to evaluate and migrate to next-gen platforms is crucial.

FINE-TUNING APPLICATION AWARENESS
Certainly, finer-grained application controls are a big reason to switch to next-gen firewalls. “The day after we migrated to a Palo Alto Networks firewall, the advantages were obvious to our network operations,” says Neohapsis Labs security consultant Andy Hubbard, who worked with the technology in a former position as IT manager for a California hospital chain. “After we deployed Palo Alto, we immediately found four botnets and a couple of other rogue servers on our network. We were also able to protect special medical devices with ease once we figured it out.”

And while having better application awareness and intelligence is a nice benefit of next-gen gear, it doesn’t come without some effort. “You need a full understanding of when to use application IDs in your firewall rule sets,” says Hubbard. “You need to know what protocols are being used by which apps, and when using a classic port/protocol approach is appropriate and when it isn’t.”

Still, it wasn’t a painless process, and Hubbard had migration issues with his older Check Point firewalls. “It took us four months to do the migration, with most of the time related to issues involving having a large group of people coordinating their efforts because each was responsible for a different part of our network,” he says. “We also had outdated documentation of our network that didn’t help matters. Like many businesses, we grew organically over time and our documentation had lagged behind. So make sure you update this before you start any migration process, and get your house in order.”

The ability to add application awareness was also a primary motivation to upgrade for the Hawaii branch of Brigham Young University (BYU). The university has certain apps, such as ones for student enrollment, that only run at specific times of the year. Neal Moss, the systems

“After we deployed Palo Alto, we immediately found four botnets and a couple of other rogue servers on our network.” —Andy Hubbard, Neohapsis Labs security consultant

Page 14: SEPTEMBER 2013 INFORMATION VOL. 15 | NO. 07 SECURITYdocs.media.bitpipe.com/io_11x/io_111815/item_757256/ism...ask for more technology or staff to help react to the intel more effectively.”

14 INFORMATION SECURITY n SEPTEMBER 2013

EDITOR’S DESK

RANUM Q&A

SECURITY EDUCATION

NEXT-GENERATION FIREWALLS

SECURITY SKILLS SHORTAGE

CYBERSECURITY OUTLOOK

COVER STORY: NEXT-GENERATION FIREWALLS

Complementing applications awareness is the abil-ity to add domain or IP reputation management to the firewall actions. This is done through a combination of placing sensors across the Internet and whitelisting and blacklisting domains or IP source addresses as potential malware. “Domain reputation tools aren’t perfect,” says Tim Crawford, a former CIO and now a strategic advisor at AVOA in Silicon Valley. “Really, this is just one dimen-sion to overall threat prevention.”

BYU-Hawaii uses a different take on domain

and network IT analyst in charge of the project, was inter-ested in setting these enrollment systems up with proper protection. He spent several months running his older Cisco ASA 5500 Adaptive Security Appliances and Palo Alto Networks firewall platforms in parallel to make sure that the new firewall was working. This was his third fire-wall migration, so he knew what to expect. “I just took my time to make sure that the various rule sets were con-figured properly, and gradually opened up the old firewall until I could pull it offline completely,” he says.

[FIGURE 1 ]

Next-gen firewall with integrated IPS and

application controls.

SOURCE: PAULSPARROWS.WORDPRESS.COM

Page 15: SEPTEMBER 2013 INFORMATION VOL. 15 | NO. 07 SECURITYdocs.media.bitpipe.com/io_11x/io_111815/item_757256/ism...ask for more technology or staff to help react to the intel more effectively.”

15 INFORMATION SECURITY n SEPTEMBER 2013

EDITOR’S DESK

RANUM Q&A

SECURITY EDUCATION

NEXT-GENERATION FIREWALLS

SECURITY SKILLS SHORTAGE

CYBERSECURITY OUTLOOK

COVER STORY: NEXT-GENERATION FIREWALLS

One example of this, according to Gartner’s Maiwald, is how “some companies use an IPS as a way to monitor the health and well-being of their firewalls, so they have evolved with separate staffs to handle each device. This makes for a less compelling case for integrating them,” he says.

reputation. After getting severely hacked last year, the university wanted something that could isolate its serv-ers into separate security zones and it looked at several next-gen firewalls for this feature. “This way the database server and application server are in separate zones and they can only talk to each other. If our serv- ers are compromised, our databases are still intact,” says Moss.

DIFFICULT TO RIP AND REPLACEHow existing firewalls are used—or more accurately, mis-used—can also cause migration issues. In some cases, businesses have come to rely too heavily on their fire-walls, often as their sole piece of network routing infra-structure with no edge routers in place. “This makes it difficult to rip and replace them,” says Hubbard.

Implementing next-gen firewalls can raise issues with technology replacement, network setting changes and security policies. Migrating the entire enterprise fire-wall collection is a complex process with “lots of moving parts,” says Hubbard. “There are some counterintuitive things and differences between the two systems, such as Network Address Translation design and Quality of Ser-vice rules.” Traditional firewall administrators are used to thinking of blocking incoming threats, whereas for next-generation admins, “you look at the outbound interface more closely,” Hubbard notes.

[ FIGURE 2 ]

Next-gen firewalls use different application-awareness technologies to filter network traffic,

including application libraries, decryption, decoding, heuristics, signature databases or

some combination.

SOURCE: JEFF SCOTT/148APPS.COM

Page 16: SEPTEMBER 2013 INFORMATION VOL. 15 | NO. 07 SECURITYdocs.media.bitpipe.com/io_11x/io_111815/item_757256/ism...ask for more technology or staff to help react to the intel more effectively.”

16 INFORMATION SECURITY n SEPTEMBER 2013

EDITOR’S DESK

RANUM Q&A

SECURITY EDUCATION

NEXT-GENERATION FIREWALLS

SECURITY SKILLS SHORTAGE

CYBERSECURITY OUTLOOK

COVER STORY: NEXT-GENERATION FIREWALLS

ASA firewalls. He moved to the Cisco ASA CX Context-Aware Security models because he trusted Cisco and “didn’t want any downtime,” he says. “ Plus, we aren’t adding a new piece of gear to our existing Cisco infra-structure such as switches and VPNs, and we have staff that is already trained on how to use them,” explains LaBleu. “There isn’t much of a learning curve to come up to speed on the CX next-gen features.”

Some of this complexity has nothing to do with the actual technology, however. “The issue with application control isn’t a technical issue, but that IT managers have to understand its implications and consequences,” says Maiwald. “You could inadvertently block your employ-ees’ access to Facebook games. Ideally, IT should coordi-nate closely with human resources and management to ensure that the intended policies are deployed correctly,” he advises.

And then there is the overall cost. “Some companies can’t justify the added expense of the features, and the more virtualized environments of today’s networks adds to the complexity of their information security structure,” says Crawford. “The traditional firewall technologies sim-ply don’t scale to the cloud.”

However, depending on your licensing requirements, it could actually cost less: At BYU-Hawaii, replacing their older firewall and antimalware licenses actually ended up being cheaper. “We are saving a bundle on maintenance fees now,” Moss says.

Complexity issues can work in favor of sticking with your incumbent vendor and upgrading to the latest next-gen features. This is what Chris LaBleu, IT director at Houston-based Texas Heart Institute, did with his Cisco

[ FIGURE 3 ]

Handling virtual machines is still an issue. Traditional firewall technologies can’t scale to

the cloud, which may cause some organizations to rethink their approaches to security.

SOURCE: VMWARE

Page 17: SEPTEMBER 2013 INFORMATION VOL. 15 | NO. 07 SECURITYdocs.media.bitpipe.com/io_11x/io_111815/item_757256/ism...ask for more technology or staff to help react to the intel more effectively.”

17 INFORMATION SECURITY n SEPTEMBER 2013

EDITOR’S DESK

RANUM Q&A

SECURITY EDUCATION

NEXT-GENERATION FIREWALLS

SECURITY SKILLS SHORTAGE

CYBERSECURITY OUTLOOK

COVER STORY: NEXT-GENERATION FIREWALLS

antivirus and antimalware screening, our new firewall is amazingly fast,” he says. “The upgrade was well worth it.”

LaBleu also found that sizing his Cisco ASA CX units to handle the level of Internet traffic was key to keeping latency low. “Don’t get an undersized box if you have a lot of Internet traffic,” he advises.

The biggest obstacle to moving to next-gen firewalls is just fear of the unknown. “Inertia is probably the biggest sticking point for why people haven’t upgraded their fire-walls,” says Hubbard.

LaBleu agrees: “When you put anything new in place, you are always nervous, but the next-gen firewalls are a great investment.” n

DAVID STROM is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.

Send comments on this column to [email protected].

UNIFIED PLATFORM ALTERNATIVESOne alternative to moving to next-gen firewalls is to de-ploy unified threat management (UTM) tools that com-bine firewalls with IPS and antivirus protection. In recent years, UTMs from Juniper Networks, Check Point Soft-ware and others have improved, incorporating the same security features that used to be only found on the most expensive models across their entire UTM lines.

However, UTMs have their own drawbacks including throughput issues, especially in larger networks. “When the antivirus component of a UTM is turned on, there is a significant drop in the overall throughput of the device,” Maiwald says.

Hubbard agrees: “UTMs can add a lot of latency and are harder to troubleshoot to find the misconfigured com-ponent, plus they have some complex licensing steps, too.”

But some next-gen firewalls can offer surprisingly good throughput. BYU’s Moss was amazed to see the per-formance when he upgraded his firewalls. “Even with
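The difference between a classic port/protocol rule set and the application-ID and zone-based rules Hubbard and Moss describe, as an added Python example that is not code from the article or from any firewall vendor; the flow records, zone names and application labels are constructed, with the `app` field standing in for whatever label the appliance's own application identification assigns to a flow:

```python
"""Port/protocol rules versus application-aware, zone-based rules.

Added illustration, not code from the article or any vendor. The flow
records below are constructed; `app` stands in for the label a next-gen
firewall's application identification would attach to the flow.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    app: str  # label from the appliance's app identification (constructed)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    app: Optional[str] = None    # None matches any application

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport)
                and self.app in (None, f.app))


def evaluate(rules, flow) -> str:
    """First-match evaluation with an implicit final deny, as most firewalls do."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "deny"


# Classic rule set: anything on TCP/80 or TCP/443 to the Internet is "web",
# and anything on TCP/3306 from the app tier to the database tier is "MySQL".
PORT_RULES = [
    Rule("users", "internet", "allow", proto="tcp", dport=443),
    Rule("users", "internet", "allow", proto="tcp", dport=80),
    Rule("app-tier", "db-tier", "allow", proto="tcp", dport=3306),
]

# Application-aware rule set for the same network. The app tier may reach
# the database tier only as MySQL; nothing lets the database tier initiate
# traffic, so a compromised database host cannot call out.
APP_RULES = [
    Rule("users", "internet", "allow", app="web-browsing"),
    Rule("users", "internet", "allow", app="ssl"),
    Rule("app-tier", "db-tier", "allow", app="mysql"),
]

# Constructed flows.
FLOWS = {
    "browsing":   Flow("users", "internet", "tcp", 443, "ssl"),
    "ssh_on_443": Flow("users", "internet", "tcp", 443, "ssh"),          # tunnel on the HTTPS port
    "bot_beacon": Flow("users", "internet", "tcp", 80, "unknown-tcp"),   # not HTTP despite port 80
    "app_to_db":  Flow("app-tier", "db-tier", "tcp", 3306, "mysql"),
    "db_egress":  Flow("db-tier", "internet", "tcp", 443, "ssl"),        # database host calling out
}


def compare(flows=FLOWS):
    """Return {flow name: (port/protocol verdict, application-aware verdict)}."""
    return {name: (evaluate(PORT_RULES, f), evaluate(APP_RULES, f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (port_v, app_v) in compare().items():
        print(f"{name:12s} port/protocol={port_v:5s} app-aware={app_v}")
```

Under the port-based rules the SSH tunnel and the beacon both pass as "web" traffic; the application-aware rules deny them while still permitting the same legitimate flows.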


SECURITY SKILLS SHORTAGE

BRIDGING THE SECURITY SKILLS GAP

While poaching security talent may plug short-term gaps, outreach and education will solve the long-term shortfall in IT security professionals.

By Robert Lemos

DELL SECUREWORKS’ BUSINESS relies on having top talent to run its security operation centers and threat analysis groups. As a managed security service provider in the business of filling the holes in its clients’ defenses, the company needs a well-trained workforce.

Yet, like most firms, SecureWorks is hounded by a dire scarcity of trained security professionals. The situation is so bad that for every 20 open security positions at the company, there is only one qualified candidate, says Jon Ramsey, the firm’s chief technology officer. The company has pursued a number of strategies to improve its chances of gaining the right people, from aggressive recruiting tactics to in-house ‘farm teams’ for developing talent, to partnerships with universities. On top of that, the company awards higher salaries to the right people, a necessary tactic that not every company can afford.

“The people who need security professionals cannot find them,” says Ramsey. “And if the company is not a security business, it is hard to justify paying a premium for people who are not core.”

If a company whose business is security is having such problems finding the needed security staff, businesses in other industries are even worse off.

CYBERSECURITY TALENT CRUNCH

Estimates of the problem vary, but no one disputes that the United States, among other countries, is suffering from a security talent crunch. Cybersecurity specialist James Gosler, a former employee at the Central Intelligence Agency, estimates that in 2012, no more than 1,000 people had the necessary skills to tackle tough cybersecurity tasks. The nation’s companies and government agencies need at least 30,000 to secure their systems, he estimates. According to assessments by the International Information Systems Security Certification Consortium, or (ISC)2, more than 300,000 trained cybersecurity professionals are needed.

The disparity in the estimates does not indicate uncertainty in the numbers, rather a difference in the type of security position being described: Gosler’s lower number focuses on the highly technical security engineers and ethical hackers who are intimately familiar with securing systems, while the (ISC)2’s higher number includes security professionals more familiar with compliance regulations and managing other security workers, says Alan Paller, director of research for the SANS Institute.

[FIGURE 1] Demand For Security Professionals Growing Quickly (2010–2017; Americas, EMEA, APAC). SOURCE: FROST & SULLIVAN, “THE 2013 (ISC)2 GLOBAL INFORMATION SECURITY WORKFORCE STUDY”

Companies are having problems finding the security professionals that they need, and schools are not graduating enough students with the necessary talents or experience for entry-level positions in cybersecurity.

“More than half the people needed are the ‘frequent flyers,’” says Paller. “They’re the ones that can tell you how the plane flies, but if you put them in the cockpit, the plane would crash.”

Colleges and universities are good at training and graduating the “frequent flyers,” but the more technically adept security technicians are more cultivated than taught, he says.

The security industry, however, will not wait for the workers to catch up. The industry will grow about 11% per year until at least 2020, says W. Hord Tipton, executive director of the (ISC)2.

A major problem for companies is a lack of college-educated candidates for entry-level positions, says Frances Alexander, a former CISO at two medium-size healthcare providers and now a director at the Information Systems Security Association. Because IT security professionals tend to develop their skills on the job, they end up being too senior for most entry-level positions.

“There are not a whole lot of entry-level resources out there,” she says. “We, as a profession, are definitely heavy in the middle.”

BEG, BORROW, STEAL

Today, the strategy that most companies rely on is poaching from their competitors or even inside their own organization. When Dom Nessi, deputy executive director and CIO of Los Angeles World Airports, took over IT security in 2007, the department, which manages the operations of LAX airport, had no information-security team. In 2008, Nessi hired a CSO, who brought two other security professionals from a different department.

“I had to poach them from the City of Los Angeles’ IT department, and they don’t let me forget it,” he says.

Yet, such measures are short-term at best and can be a vicious circle. Instead, companies focused on staving off the poachers should carve out appropriate positions for skilled workers, consider paying their competent security people more and provide a clear path of promotion, says (ISC)2’s Tipton.

Companies and government agencies that have good security professionals should make sure they are not treating them like a third arm, says LA World Airports’ Nessi. The problem is acute within government, where security professionals are routinely lumped in with other information technology professionals, even though they typically command a premium.

Government “tries to pigeonhole our IT security staff into positions that were never intended for them,” Nessi says, pointing to security experts toiling under titles of “application programmer” and “network specialist.”

Companies that do not have the resources to hire their own security team could rely on cloud and managed services. Cloud services tend to have better-managed security than at most companies, freeing up IT security people from managing that business process. Managed security services can help companies fill their security gaps.

“Cloud has really taken a lot of pressure off the demand,” says the (ISC)2’s Tipton. “The amount of demand would be more than double if it wasn’t offset by the cloud.”

GOVERNMENT ‘RESERVISTS’ AND UNIVERSITY PARTNERSHIPS

For the long term, companies need to work with the government and academia to increase the supply of potential candidates with the right skills.

One model is the relationship that the government has with airlines: The military trains pilots to fly aircraft. The government retains skilled pilots for a certain amount of time, and the pilots know that there is a good job out there when they are done with their training and term of service.

“They train the pilots (at a cost of about $130,000 per person), benefit from that training and then send them out into the industry,” says Paller.

Yet, the government has its own problems. Lured by the big salaries in the private sector, many security professionals are using the government as a stepping stone, and rather than spending five or six years in government service, workers spend a year to 18 months and then jump ship, says SecureWorks’ Ramsey.

Along with efforts to keep technically talented people, the government should offer an alternative reserve system where computer security professionals can serve in government roles for a few days a month, but not run the risk of being called to active duty, he says. “I know a lot of people that would be interested in that.”

Such a system would allow the government to benefit from the talents of security experts over time, while giving those professionals additional opportunities for training.

Finally, the U.S. needs to have an education system that is more responsive to industry’s needs, security experts say. Companies should work with universities to mentor future graduates and provide internships for potential employees. Dell SecureWorks, for example, works with the Georgia Institute of Technology, Rochester Institute of Technology and Purdue University.

Without a good outreach program, companies may find that they have no one to fill their ranks of IT security experts in the future, says Garrett Felix, information security and privacy officer for MediFit, a preventative health and wellness provider.

By fostering and mentoring students, companies can create their own pipeline for the future and help draw students to the profession, Felix says.

“Getting interns exposed to the information security role in the industry is important,” he says. “When I bring an intern in, I take them under my wing and show them the security side of the business.”

(ISC)2’s Tipton would like the industry and government to focus on even younger students. “Starting at grade school, teach something besides functionality,” Tipton says. “If you only make it user friendly, perhaps you sell more, but you also take away the checks and controls that make it that much more secure.”

ROBERT LEMOS is an award-winning technology journalist, who has reported on computer security and cybercrime for 15 years. He currently writes for several publications focused on information security issues. Send comments on this column to [email protected].

In the Pipeline: Farm Teams and Hackathons

FOR COMPANIES THAT have time to develop the necessary security skills in-house, training willing and talented employees is a good—albeit slower—alternative. If a candidate fits the culture and has a strong curiosity about technology and security, the company can develop the rest, says Jon Ramsey, chief technology officer of Dell SecureWorks.

“It’s all about hiring the best, and once we hire them, we use a farm league to develop the talents we need,” he says, adding that the company frequently has the trainee shadowing a more experienced worker. “We can put a junior member of the team with a more senior person for training, send them to an engagement and not charge for the trainee.”

Hacking and cyber-defense competitions are another good way to teach security professionals more technical skills in a competitive setting. The nationwide competitions—typically offered at the high school, college and post-graduate levels—can act as a good team-building exercise, but have also become the foundation of one strategy proposed by the Homeland Security Advisory Council’s Task Force on Cyber Skills.

By taking competition winners and offering them scholarships for intensive training at a two-year college, the initiative aims to increase the number of technical people in the pipeline, says Alan Paller, director of research at SANS Institute.

In a recent New Jersey trial, 960 people competed, 76 advanced to live systems and 15 contestants got scholarships. Paller estimates that 40 of them could have taken home a scholarship if there were enough.

“That’s with substantially no promotion,” he says. “That means there are a lot of potential candidates out there, so the problem is not the training, but the selection process and the opportunities.”


GLOBAL RISK ASSESSMENT MOVES BEYOND REGULATIONSRisk management based on the lowest common denominator may not ‘comply’ with IP or trade secrets. Analysts see big changes ahead.

By Kathleen Richards

CYBERSECURITY OUTLOOK

REGULATORY ENVIRONMENTS AND compliance drive global risk management and associated actions at many orga-nizations. But auditing is not based on actual threats. As threat intelligence becomes more available and this infor-mation is offered up by multiple sources, is it changing the way that global enterprises view risk assessment?

“The ability to access intelligence and react to com-plex attacks is vital,” says MacDonnell Ulsch, chief execu-tive officer and chief analyst at ZeroPoint Risk Research, LLC, a Boston-based consultancy focused on global risk management and related services. “If a regulation states that a risk assessment must be conducted, what does that really mean?

“Regulations don’t instruct, so it is important to un-derstand what to look for,” says Ulsch, who likens global threat intelligence to a cat setting out birdseed. “After a time, the birds feel it’s safe to eat there.”

CONSUMED BY COMPLIANCESecurity professionals have warned companies for years

Page 25: SEPTEMBER 2013 INFORMATION VOL. 15 | NO. 07 SECURITYdocs.media.bitpipe.com/io_11x/io_111815/item_757256/ism...ask for more technology or staff to help react to the intel more effectively.”

25 INFORMATION SECURITY n SEPTEMBER 2013

EDITOR’S DESK

RANUM Q&A

SECURITY EDUCATION

NEXT-GENERATION FIREWALLS

SECURITY SKILLS SHORTAGE

CYBERSECURITY OUTLOOK

Many organizations have invested years of work in developing processes that are driven by audit and audit responses, notes Tony UcedaVelez, managing partner at VerSprite, an Atlanta-based consulting firm that spe-cializes in global risk management and threat modeling. “Some fear auditors more than adversaries planning tar-geted attacks,” says UcedaVelez. “Although audits don’t equate to strategic security defense at all, it at least pro-vides a near-constant vigilance on security controls on nearly a year round basis. The takeaway,” he adds, “is not reinventing an audit-based culture but overlaying or even paralleling it with a threat modeling-based approach to define the most probable and impact-oriented risks.”

BOARD ROOMS ON ALERTWhile compliance concerns trumping cybersecurity is nothing new, escalating threat levels and warnings have infiltrated boardroom discussions.

Depending on the size, industry and security pos-ture, many companies today have access to higher lev-els of threat information from multiple sources, ranging from a simple RSS feed to intelligence and analytics from a third-party service provider. Despite this level of threat intelligence, complex threats and harmful attacks still go undetected for months (62%) or even years (4%), accord-ing to the Verizon 2013 Data Breach Investigations Re-port (DBIR).

that compliance-driven security programs may not ade-quately address security concerns.

“It is very rare that you will find auditors focused on performance-based issues. Instead, they are mainly fo-cused on documentation supporting compliance to a par-ticular rule or requirement,” says Ernie Hayden, (CISSP),

the global managing principal, Verizon Enterprise Solu-tions. “In some cases, adhering to the compliance program and related paperwork actually gives manage-ment an inaccurate and potentially risky perception that the organization is secure, when it may not be the case.”

Yet, Global 2000 spending is primarily driven by risk assessment based on regulations and compliance, rather than security, according to Gartner and other consulting firms. That trend has continued as technology changes in-crease attack surfaces for both enterprises and individuals with mobile, cloud and increasingly, big data.

CYBERSECURITY OUTLOOK

“Some fear auditors more than adversaries planning targeted attacks.” —Tony UcedaVelez, VerSprite managing partner

Page 26: SEPTEMBER 2013 INFORMATION VOL. 15 | NO. 07 SECURITYdocs.media.bitpipe.com/io_11x/io_111815/item_757256/ism...ask for more technology or staff to help react to the intel more effectively.”

26 INFORMATION SECURITY n SEPTEMBER 2013

EDITOR’S DESK

RANUM Q&A

SECURITY EDUCATION

NEXT-GENERATION FIREWALLS

SECURITY SKILLS SHORTAGE

CYBERSECURITY OUTLOOK

CYBERSECURITY OUTLOOK

third-party contractors or service providers fail to protect the integrity of sensitive information. Ulsch, who struc-tures detailed service-level agreements for clients, advises companies to carry out due diligence and work out con-tractual details, with a particular focus on seven areas:

1. Security framework, breach history;2. Privacy, information handled (IP, trade secrets,

regulated data); 3. Threat and risk assessment;4. Compliance range;5. Enforcement; 6. Internal audit, both right to audit and access

to third-party audit findings; and7. Foreign corrupt practices management.

Managing foreign corrupt practices “is increasingly important as transparency becomes a vital element of managing risk,” Ulsch says. Also, knowing the third- party’s compliance range of requirements is useful in understanding what that company believes it must implement.

Reliable data on average annual loss expectancy is also hard to come by. McAfee, in conjunction with the Cen-ter for Strategic and International Studies, revised its $1 trillion forecast (a widely held estimate since 2009) to roughly $100 billion in the 2013 report, “The Economic Impact of Cyber Crime and Cyber Espionage.” When the

More than 90% of breach events, according to Ve-rizon’s DBIR are detected by people outside of the or-ganization, findings echoed by other researchers and consultants. Most infiltrations occur because of unknown or unreported activities at a third-party vendor or client, or they get discovered when cyberespionage is detected at other organizations.

“Third parties are often involved, but it isn’t always the third parties that you would expect,” says Ulsch. “A cus-tomer’s toxic IP address is every bit as dangerous as a mali-cious IP address originating directly from a hacker.” Many companies are reluctant to bring up these issues and risk alienating clients. “As part of a global risk management program, companies should remain vigilant about who or what is operating in their environment,” he says.

Organizations are also liable in the event that

“A customer’s toxic IP address is every bit as dangerous as a malicious IP address originating directly from a hacker.” —MacDonnell Ulsch, CEO and chief analyst, ZeroPoint Risk Research, LLC.

Page 27: SEPTEMBER 2013 INFORMATION VOL. 15 | NO. 07 SECURITYdocs.media.bitpipe.com/io_11x/io_111815/item_757256/ism...ask for more technology or staff to help react to the intel more effectively.”

27 INFORMATION SECURITY n SEPTEMBER 2013

EDITOR’S DESK

RANUM Q&A

SECURITY EDUCATION

NEXT-GENERATION FIREWALLS

SECURITY SKILLS SHORTAGE

CYBERSECURITY OUTLOOK

CYBERSECURITY OUTLOOK

review,” he says. SIEMs and related tooling are starting to consume

shared cyberintelligence—typically, lists of perceived potential threats, including bad IP addresses and Web URLs—from companies such Cyveillance, Verisign’s iDefense and Vigilant, which was acquired by consult-ing firm Delolitte in May 2013. These companies, among others, publish their threat intelligence as XML feeds and structured data or offer cyberintelligence services. SIEM providers, such as Hewlett-Packard and IBM, integrate their own intelligence feeds.

“It is a very new thing. It is still seen as a top-shelf feature; it is not seen as something that everyone would use,” says Dr. Anton Chuvakin, research director, secu-rity and risk management, Gartner. “If you have someone who understands SIEMs and is technically inclined, they will make use of the features, and they will have threat detection in a shorter time frame, but that’s not a major-ity of customers.” Companies that can get useful threat intelligence and cut the detection lag from two to nine months after an incident—per Verizon’s latest data—to a couple of days or a week, would have a huge advantage, according to Chuvakin.

“Some companies don’t detect anything ever—their time frame is infinity—third-parties detect most of the breaches,” he says, confirming Verizon’s findings. “If you can detect a breach in a couple of weeks compared to never, then to me that’s a huge advantage.

data was published in July, some companies—and ana-lysts—wondered if the annual loss expectancy from a breach or security incident amounted to much more than a line item associated with the costs of doing business.

NO TIME FOR GLOBAL THREATS

With more access to global threat intelligence, is this information changing how companies “turn the dials” and respond to security and risk assessment?

Some organizations spend resources to obtain and analyze tactical and strategic risks, according to Hayden, but unfortunately, those companies are in the minority. “Many companies either don’t want to pay for the threat intelligence or if they do they don’t have the internal resources to take advantage of that information and beef up security,” says Hayden. “I’ve even heard some companies complain that they can’t get the intelligence data in a timely fashion, and then when they get it, the necessary mitigation response is not obvious. Hence, they may view it as ‘too hard’ and simply fall back onto the classic perimeter-based or ‘castle and moat’ defense.”

Technology is emerging that can help and it is playing a huge role in resolving some of the challenges involved in security content aggregation, analytics and correlation, according to VerSprite’s UcedaVelez. “There is too much data for security operations to manually consume and


“Real time to me is kind of way beyond wishful thinking,” says Chuvakin. Most of the threat intelligence is produced in a lab and it takes time to create the products. Finding good threat intelligence is also a bit of a “black art,” Chuvakin says. “The only criterion that I would use is if my threat detection improved. There is no real shortcut to figuring out whose intelligence feed is good.”

SIEMs require an architectural approach, which can be expensive and difficult to implement and manage, notes UcedaVelez. The discrepancies between vulnerabilities and exploitation are more the result of most organizations’ security posture, or lack thereof. “The issue is that very few organizations have a security approach,” he says. “Compliance drives much of the rationale behind security resources and projects. As such, no one stops to consider their threats in order to apply tailored controls and countermeasures to more probable attacks.”

The use of SIEMs and related tooling, such as vulnerability management, is important, according to Ulsch, because it could shorten the time between infiltration and discovery. “The biggest issue I’ve seen is that log data is collected but no one looks at it,” he says. “That’s why it is important to understand how each element is to be deployed and maintained in a global risk management program. Clearly, collecting data is a valuable contribution to the process only if the data is analyzed and acted upon. In fact, having the data and then not analyzing it may contribute to risk. You had the data, but you failed to recognize its threat significance because you never analyze it. That doesn’t look good to the client you must notify or the regulators, or even in court.

“In my experience, the real reason that companies fail to take advantage of this is one of cost. I’ve heard security officers say, ‘I don’t have the staff or budget to analyze it. We’re collecting it, but that’s all I can do,’” says Ulsch. “My response is that, in a well-managed global risk management program, this gap would be identified and remediated.”

If even half of all the SIEM users would consume threat intelligence, according to Chuvakin, detection lags would improve across the board. “I’m hoping to start to see it in the global threat report, but I’m not holding my breath to see it happen immediately,” he says. In a year or two, if the majority of SIEM users have threat intelligence—and they need to have good threat intelligence—their SIEM products and other security products would be able to detect breaches faster.

FUTURE SPENDING

As more Global 2000 companies are compromised by cybercriminals or hacktivists, will spending on risk assessment and security move beyond regulatory requirements and compliance?

“The threat intelligence and how it can be useful to a company is not immediately obvious to the executives who approve security expenditures,” says Hayden. “And, with the new threat intelligence, the CISO may need to ask for more technology or staff to help react to the intel more effectively.”

Changes may be on the horizon, however. According to Gartner, security is projected to overtake risk assessment as the primary driver of security spending by 2020. In the same timeframe, 25% of Global 2000 companies will hire “cyberwar mercenary” services. (See “Gartner’s 2020 Vision” on page 28.)

“I personally believe the industry is maturing away from a compliance approach to more risk-based approaches or those that are even security-based,” says UcedaVelez, “but for the most part, companies still follow the mantra of doing only what they have to and not what they need. Many large organizations do not even have CISOs, which is a clear indication that they don’t feel a dedicated and concerted effort should be made around infosec.”

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

Gartner’s 2020 Vision

ACCORDING TO GARTNER, security will move to the forefront of global risk management programs by 2020. Senior security managers and CISOs are advised to consider the following assumptions when planning their organizations’ long-term global risk management and security strategies:

- Global risk assessment will drive more risk and security spending than government regulation by 2020, despite increasing government regulation.

- In the same time frame, 25% of global enterprises will hire a “cyberwar mercenary.”

- By 2020, at least one manufacturer will be held liable by a national government for security problems with a consumer product.

- Facebook will lose 30% of its longstanding members (three years or more) as the result of privacy issues.

- Gartner estimates 30% of Global 2000 CEOs will have personal data and accounts “directly compromised” by cybercriminals or hacktivists.


TechTarget Security Media Group

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

EDITORIAL DIRECTOR Robert Richardson
FEATURES EDITOR Kathleen Richards
SENIOR MANAGING EDITOR Kara Gattine
SENIOR SITE EDITOR Eric Parizo
NEWS AND FEATURES WRITER Sally Johnson
ASSOCIATE EDITOR Brandan Blevins
ASSOCIATE MANAGING EDITOR Rachel Shuster
DIRECTOR OF ONLINE DESIGN Linda Koury
GRAPHIC DESIGNER Neva Maniscalco
COLUMNISTS Marcus Ranum, Gary McGraw, Doug Jacobson, Julie A. Rursch, Matthew Todd
CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD

Phil Agcaoili, Cox Communications
Richard Bejtlich, Mandiant
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, City of Seattle
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines
MacDonnell Ulsch, ZeroPoint Risk Research

VICE PRESIDENT/GROUP PUBLISHER Doug [email protected]

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE AND PAGE 12: HUAN TRAN/IKON IMAGES/GETTY IMAGES
