Archive for the ‘risk management’ Category
If you’ve been curious as to what IBM has been up to on the security front, today’s a good day to check in.
Earlier today, the Dow Jones AllThingsD blog had this post about some new capabilities IBM is announcing on the security front.
Today, IBM unveiled several new services planned for its security intelligence platform designed to combine deep analytics with real-time data feeds from hundreds of different sources to give organizations, for the first time, the ability to help proactively protect themselves from increasingly sophisticated and complex security threats and attacks using a single platform.
Organizations today are struggling to defend themselves against an onslaught of ever-evolving data breaches, such as theft of customer and employee information, credit card data and corporate intellectual property.
To date, many corporations have been unable to create a security defense system because they have cobbled together technologies that don’t integrate in an intelligent and automated fashion. This patchwork approach has created loopholes that hackers can exploit.
The QRadar Security Intelligence Platform, designed by Q1 Labs and acquired by IBM last fall, tackles this problem head-on by serving as a control center that integrates real-time security intelligence data from more than 400 different sources.
Major breakthroughs planned in the security platform include:
- Threat Intelligence – Intelligence from one of the world’s largest repositories of threat and vulnerability insights is planned to be available based on the real-time monitoring of 13 billion security events per day from the IBM X-Force Threat Intelligence Feed. This insight can flag behavior that may be associated with Advanced Persistent Threats, which may emanate from teams of attackers accessing networks through stealth means.
- Visibility into Enterprise Activity – The platform will unite events from IBM and non-IBM products that span four areas of organizational risk – infrastructure, people, applications and data.
- Pinpoint Analysis in an Age of Big Data – The platform can drill down to basic data elements to help analyze issues emanating from network access information at the periphery to database activity at the core of a business.
New Integrations Bring Real-Time Security Analytics
With new integrations to be made available, the analytics platform can quickly identify abnormal activity by combining the contextual awareness of the latest threats and methods being used by hackers with real-time analysis of the traffic on the corporate IT infrastructure.
For example, the future integrations permit the platform to detect when multiple failed logins to a database server are followed by a successful login and access to credit card tables, followed by an upload to an unknown site.
“We chose the QRadar platform to build on and deliver our vision of a streamlined, highly intelligent platform to serve as our central nervous system for enterprise-wide monitoring,” said Ken Major, Information Security Officer at AmeriCU Credit Union. “It enables us to achieve our goals, industry best practices and regulatory compliance.”
One of the significant planned integrations for the QRadar platform is IBM’s X-Force Intelligence Threat Feed based on the real-time monitoring of 13 billion security events per day, on average, for nearly 4,000 clients in more than 130 countries.
The QRadar platform will have visibility into the latest security trends worldwide to help protect enterprises against emerging risks. QRadar will present current IBM X-Force threat feeds in dashboard views for users, and correlate an organization’s security and network events with these threats and vulnerabilities in real-time using automated rules.
Other planned integrations will allow the QRadar Security Intelligence Platform to help clients more rapidly identify threats by connecting events from the following categories:
- People: Organizations should control access to key systems and information. An employee’s unauthorized access to key databases and client information can leave a firm vulnerable to security breaches. With security intelligence, security teams can quickly determine whether access patterns exhibited by a given user are consistent with the user’s role and permissions within the organization. IBM Security Identity Manager and IBM Security Access Manager will integrate with the QRadar platform, complementing QRadar’s existing support for enterprise directories such as Microsoft Active Directory.
- Data: Data is at the core of security; it is what’s behind every security measure in place, and is the primary target of cyber-criminals. With IBM Guardium Database Security integrated with the security intelligence platform, users will be able to better correlate unauthorized or suspicious activity at the database layer – such as a database administrator accessing credit card tables during off-hours – with anomalous activity detected at the network layer, such as credit card records being sent to unfamiliar servers on the Internet.
- Applications: Applications are vital to day-to-day function but can also introduce new and serious vulnerabilities into company networks. Applications, because of their sensitivity, should be updated frequently. Organizations, however, are often unable to patch immediately due to corporate testing requirements and change control cycles. With security intelligence, companies will be able to automatically alert security teams to unpatched Web applications that risk being attacked by known application-layer exploits that have previously been identified by IBM Security AppScan. This planned integration complements existing QRadar support for monitoring enterprise applications such as IBM WebSphere and SAP ERP.
- Infrastructure: Today, organizations struggle to secure thousands of physical devices, such as PCs and mobile phones, especially as Bring Your Own Device (BYOD) continues to grow in popularity. For this reason, companies should take extra precautions to help employees to follow secure practices in using these devices. With IBM Endpoint Manager integration, the security platform can provide organizations with enhanced protection of physical and virtual endpoints: servers, desktops, roaming laptops, smartphones and tablets, plus specialized equipment such as point-of-sale devices, ATMs and self-service kiosks.
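The correlations described above (multiple failed database logins followed by a successful one, access to credit card tables, then an upload to an unknown site, and the Data item's pairing of database activity with network activity) can be expressed as a staged rule over normalized events. The following Python is an added example, not QRadar rule syntax or IBM code; the event fields, thresholds, table name, addresses and sample events are all constructed assumptions.

```python
"""Added example: staged correlation of database and network events."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# All values below are constructed assumptions for this example.
SENSITIVE_TABLES = {"credit_cards"}
KNOWN_DESTINATIONS = {"backup.corp.example"}  # approved upload targets
FAILED_THRESHOLD = 3                          # failures that make a success suspicious
WINDOW = timedelta(minutes=30)                # the whole chain must fit in this window


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str         # login_failed | login_success | db_query | net_upload
    src: str          # client address the activity came from
    user: str = ""
    detail: str = ""  # table name (db_query) or destination (net_upload)


def _fresh():
    """Empty per-source correlation state."""
    return {"fails": [], "stage": 0, "start": None, "user": None, "table": None}


def correlate(events):
    """Return one alert per source that completes all four stages within WINDOW."""
    state, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        st = state.setdefault(ev.src, _fresh())
        # A partially matched chain that has outlived the window is discarded.
        if st["stage"] > 0 and ev.ts - st["start"] > WINDOW:
            st = state[ev.src] = _fresh()
        if ev.kind == "login_failed":
            st["fails"] = [t for t in st["fails"] if ev.ts - t <= WINDOW] + [ev.ts]
        elif ev.kind == "login_success":
            recent = [t for t in st["fails"] if ev.ts - t <= WINDOW]
            # Stage 1: a success only matters if enough failures preceded it.
            if st["stage"] == 0 and len(recent) >= FAILED_THRESHOLD:
                st.update(stage=1, start=recent[0], user=ev.user)
            st["fails"] = []
        elif (ev.kind == "db_query" and st["stage"] == 1
              and ev.user == st["user"] and ev.detail in SENSITIVE_TABLES):
            # Stage 2: the same account reads a sensitive table.
            st.update(stage=2, table=ev.detail)
        elif (ev.kind == "net_upload" and st["stage"] == 2
              and ev.detail not in KNOWN_DESTINATIONS):
            # Stage 3: data leaves for a destination that is not approved.
            alerts.append({"src": ev.src, "user": st["user"], "table": st["table"],
                           "destination": ev.detail, "first_failure": st["start"],
                           "upload_time": ev.ts})
            state[ev.src] = _fresh()
    return alerts


T0 = datetime(2012, 2, 22, 2, 0)  # constructed base time


def at(minute):
    """Timestamp `minute` minutes after the constructed base time."""
    return T0 + timedelta(minutes=minute)


# Constructed sample events for three client addresses.
SAMPLE_EVENTS = [
    # Source A: full chain, expected to raise an alert.
    Event(at(0), "login_failed", "10.1.1.50", "dbadmin"),
    Event(at(1), "login_failed", "10.1.1.50", "dbadmin"),
    Event(at(2), "login_failed", "10.1.1.50", "dbadmin"),
    Event(at(3), "login_failed", "10.1.1.50", "dbadmin"),
    Event(at(4), "login_success", "10.1.1.50", "dbadmin"),
    Event(at(6), "db_query", "10.1.1.50", "dbadmin", "credit_cards"),
    Event(at(9), "net_upload", "10.1.1.50", "", "203.0.113.77"),
    # Source B: one mistyped password and an approved destination, no alert.
    Event(at(0), "login_failed", "10.1.1.60", "alice"),
    Event(at(1), "login_success", "10.1.1.60", "alice"),
    Event(at(2), "db_query", "10.1.1.60", "alice", "credit_cards"),
    Event(at(5), "net_upload", "10.1.1.60", "", "backup.corp.example"),
    # Source C: noisy login but no sensitive table touched, no alert.
    Event(at(10), "login_failed", "10.1.1.70", "bob"),
    Event(at(11), "login_failed", "10.1.1.70", "bob"),
    Event(at(12), "login_failed", "10.1.1.70", "bob"),
    Event(at(13), "login_success", "10.1.1.70", "bob"),
    Event(at(14), "db_query", "10.1.1.70", "bob", "orders"),
    Event(at(15), "net_upload", "10.1.1.70", "", "198.51.100.9"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT src={alert['src']} user={alert['user']} "
              f"table={alert['table']} dest={alert['destination']}")
```

Each stage on its own is common and noisy; requiring the full ordered chain from one source inside the window is what keeps sources B and C from alerting.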
QRadar integration modules are also planned for Symantec DLP, Websense Triton, Stonesoft Stonegate and other third-party products, increasing QRadar’s ecosystem and continuing Q1 Labs’ long-standing approach to multi-vendor heterogeneous environments.
Solutions to Analyze Big Data
In addition, the QRadar platform has been expanded with Big Data capabilities for storing and querying massive amounts of security information, and functionality for helping to secure virtualized infrastructures and providing a new level of visibility that helps clients reduce security risk and automate their compliance processes.
The expansion of security and network data sources is complemented by advanced functionality to help organizations keep pace with their exponential data growth. The new deliverables include:
- Instant Search to provide high-speed, free-text querying of both log and flow data, designed to bring the simplicity and speed of Internet search engines to the security intelligence solution.
- The XX24 appliance series to extend the scalability and performance advantages for which QRadar solutions are well known. With the release of the QRadar 3124 SIEM appliances, QRadar 1624 Event Processor and QRadar 1724 Flow Processor – which all include 16TB of usable storage and 64GB of RAM – organizations can support more users, achieve higher performance and store data longer.
- Intelligent data policy management to enable users to designate which information they want to store and for how long. Less important data can be removed sooner to achieve longer retention for more important data.
- Virtual appliances to allow end customers and service providers to capitalize on the virtual infrastructures they have built, while benefiting from lower-priced yet fully capable security intelligence solutions.
The planned integration modules (device support modules) are expected to be included with QRadar SIEM and QRadar Log Manager at no additional cost, via automatic updates.
The Big Data and virtual infrastructure enhancements are available now. QRadar integration modules for IBM Guardium Database Security are planned to be available in 1Q2012.
Integration modules for IBM X-Force Threat Intelligence, IBM Security Identity Manager, IBM Security Access Manager, IBM Security AppScan and IBM Endpoint Manager are planned to be available in 2Q2012.
Visit Q1Labs’ site for more information.
At Information On Demand 2011, day 3, BBC presenter Katty Kay showed up onstage ready to play ball with Moneyball author Michael Lewis and Oakland A’s general manager Billy Beane.
Fitting, considering we’re currently in the midst of this year’s World Series between the Texas Rangers and St. Louis Cardinals (Game 6 is tonight in St. Louis!)
Kay first asked Lewis why a book on baseball statistics, and Lewis explained that people are sometimes misvalued by markets, and that what Beane was doing with his team in Oakland in 2001 was a science experiment where “the lab rats [the players] didn’t really know they were lab rats.”
Lewis went on to tell a hilarious story about first seeing the A’s players walking naked out of the showers, and how what he saw did not seem to be a gathering of muscle-ridden athletes. They were fat, misshaped, and otherwise seemingly disfigured.
When Lewis approached Beane to ask him about this, Beane explained “that’s kind of the point. We’re in the market for defective people. We’re in the market for players whose value the market does not grasp. We’re a magnet for these unattractive bodies!”
Lewis says that’s the moment it hit him: Beane’s assembled the misfit toys of baseball, the people who have been discriminated against because of their appearance and who are greatly undervalued when compared to their actual player statistics.
Lewis went on to explain, “I realized there was this discrimination going on in the market for baseball players. The way they had done it, with statistics, getting below it…the statistics though were besides the point. You had to think of it as a business. These baseball players, who do what they do, for the past 100 years, and there were all these people who considered themselves experts based on intuition instead of actual performance.”
So there they were, October 2001, the A’s v. the Yankees, and Billy Beane had some of the best players out there: Jason Giambi, Johnny Damon…but he knew he wasn’t going to be able to hold on to them, so he was going to have to throw the intuition playbook out the window.
Beane: “I remember thinking I will never have a collection of talent like this. What the heck are we gonna do? We knew they were gonna go (Giambi, Damon, etc.). We knew the whole year that was gonna happen, but we were trying to find some solution and replace in the aggregate what they did. So, we scoured guys who had A skill, not five skills. And because we had no money…we had one of the lowest payrolls…we couldn’t afford to invest in the romance of a player, but really what they could do and with no biases for or against them, just their performance.”
“Quite frankly,” he went on to explain, “if we were ever going to trust the mathematics, this was the time. We had nothing to lose!”
Kay then posed the all-important question: How did you come to this way of looking at the data?
Beane responded that “we never claimed to have invented anything. Numbers are historically scary to everybody, and math doesn’t come easy and doesn’t come from sports. Sports are more about the gut. But we had to be a disciplined card counter.”
Lewis elaborated: “The fact that they weren’t actually generating themselves a whole lot of new baseball knowledge, but that a lot of it was on the web, available to any team, and they recognized it as knowledge. And the use of analytics was so critical, as it took them to another decision point in the game of baseball.”
“This is why the market was so hostile,” Lewis went on. “That there was a new and valuable way of analyzing baseball players, because it implicitly undermined their intuition and knowledge of the game. All these years you did this job, spouting out an intuitive response. So it was finding a better way to measure baseball. Baseball stats are so clean, and it’s easy to assign them in the field of play. The second thing was, sports are somewhat anti-intellectual, and baseball was really anti-intellectual. Most of the kids who go on to play the game don’t go to college, and the game itself is not intellectually challenging.”
“You can’t be too stupid to play baseball,” Lewis explained, eliciting great laughter from the audience, and what had to be the most highly-Tweeted quote from the conversation.
Then, to the heart of the matter in terms of bridging baseball analysis to business purpose: How did you get to the right numbers? asked Katty Kay.
Beane: “If you’re following metrics that have no correlation to business success, or in our case, winning games, you’re in trouble. The older the business, the more challenges and the more traditional and conventional thought.
“Baseball started in the mid 1800s. For us, it was simply put, out of necessity, if we had a dollar, where were we going to get the most efficiency from it. Bill James really started this whole thing, but he didn’t have a venue by which to test this out.
“But I was in the game, and I had the forum and the platform, and really no other choice. So, they had to be the stats that correlated the most to winning.”
Beane went on to detail his recipe: “We were able to pile all our chips to guys who got on base, and on base percentage had the strongest correlation to winning games. For us, this was the statistic that had the most impact on winning.”
Kay: In the moments, you have moments of tension with the staff re: intuition. Did you waver at all when you looked at the numbers?
Beane: “There was this perspective that it was risky, but it wasn’t, and the beauty of baseball over time is that there’s so many games you weed out the randomness and ultimately we thought we’d come out where we thought we could. We thought there was more risk in NOT doing it, in going with our guts.”
“To go with our gut would have been the most irrational thing to do.”
Kay: Michael, how do you think Billy was able to get away with this?
Lewis: “He had to be able to intimidate his staff. It was just him and an assistant who were privy to what the goals were. Re: the players, he said, we don’t tell them, it’ll just confuse them.”
“But he did get some resistance, yet it went away, because he was basically bigger than everyone else in the organization. He could beat up everybody there. There’s this law of the jungle quality to the clubhouse. The players also knew he was a better athlete than they were. It came clear to me right away where reason was being imposed by violence.”
Kay: He looked like such a nice guy.
Lewis: “He’s mellowed. He would chew tobacco, and his eyes would get red, and I would think, ‘Don’t get in his way!’”
Kay: Let’s translate that to the business environment. You have to have the confidence to go with what you’re analyzing with the data.
Lewis: “It’s sort of like, did it work or did it not work? The confidence comes from having the information and feeling like you’re right.”
Billy: “As Michael said, the tough thing is how you give out the information, and you have to be careful. One of our directors in the back office, he said, ‘I don’t know what you guys are doing back there, but whatever it is, it works.’”
“If you were disciplined with it, you were going to be right to the end.”
Lewis: “There’s a huge amount of randomness, and you can have made a huge amount of decisions, but you can’t change the process of how you made that decision. People make decisions based on outcomes in sports all the time.”
“If you’re the casino, and you stack the odds in your favor, and you play a really disciplined game, it’s going to be an optimum strategy.”
Kay: You described it as flipping a coin…if you flip it a million times, it will come out well.
Beane: “The great thing is that the eight teams that get there, those are usually the best teams. But then you get into a round robin series, and the best team doesn’t always win. The Phillies were one of the best teams this year, but micro events did them in.”
“So a lot of decisions are made on those random events that happen in a short series.”
Lewis: “For me, this was not just a sports story, it was a market story. It wasn’t the actual number crunching that interested me, but rather what it exposed about the world around me.”
“You could quantify a player’s value very precisely, but you could value what he’d done in the past. How can a market be so misvalued for such an obvious thing as a baseball player. What’s going on in markets is people are operating using intuition vs. statistics, and that influences their judgement!”
“People generalize from small sample sizes. People overvalue things that are flashy and easy to see, like foot speed or arm strength. And they underestimate things like plate discipline or ability to get on base. The big thing is understanding those biases and you, the business manager, are making at least partially intuitive judgments.”
Kay: Why did you let him write a book about this?
Beane: “This is a long answer. There was a momentum that was already starting to happen, and other teams were out there. Brian Cashman in NY, others, were already on their way. So the book maybe accelerated it a bit. But the information was on the Web so fans could do the same work. And technology, there was just no way to ignore the fact that technology was creating data that they could go out and analyze themselves.”
Kay: Arbitrage only lasts for a small period?
Beane: “Yeah, other people catch on, even with Wall Street. The other thing was, when my assistant came in, who was a Harvard graduate, there was now an avenue for people to come into the game who were highly intelligent. Smart people had an opportunity, and it became a meritocracy in the front office.”
“Today, the people who are running sports teams…well, I like to say, in 10 years, I won’t be employable.”
“And what really captured us about Michael, he said right away, ‘you guys are arbitraging the misevaluation of baseball players.’”
“We sort of viewed him as a resource to us as well. And he was validating everything we did. He became one of the guys.”
Lewis: “I just had a single question: How is this happening? And it was more than five minutes before I caught on, but it was the Wall Street story in the early 1980s when a previously not intellectual business got complicated and people saw arbitrage opportunities in the market.”
“And in the course of the reporting, it became clear that other teams, especially the Boston Red Sox, had started learning what was going on. The Boston folks tried to talk me out of writing the book, and they wanted me to try and talk Billy into coming to work for them!”
“You could already see that the market was going to move, and the opportunities I identified in the book were going to go away. So it would have been socially awkward to have thrown me out by this time.”
“So the book was all about them, and all about him [Billy], and he gets a galley, and he’s at spring training in 2003. And he calls me, and he’s upset after reading it. What’s disturbing you?”
“You had me saying ‘F—k’ all the time. And I said, ‘But you do.’ And he says, ‘My mother is going to be furious!’”
“As a coda to the story, when I’m on the book tour, and I’m doing a reading in San Diego, and there’s a lady at the back, with her arms folded like this, and I thought, ‘Oh no…that’s Billy’s mother.’”
“She comes up afterwards and says, ‘My son doesn’t talk like that.’ And I covered for him.” Lewis explained he went on to have the most awkward dinner with Beane’s mother for the next two hours.
Kay: So weren’t you concerned he wrote this blueprint for arbitrage?
Beane: “No. Because I said to Michael, ‘You don’t think anybody in baseball is going to read your book, do you?’”
Huge laughter from the audience.
Kay: But they did. And the game changed…baseball changed…so how are they using analytics today in a way they weren’t 10 years ago?
Beane: “None of them are stupid enough to let Michael in so we don’t know!”
But seriously, Beane explained, “The Yankees now have 21 statisticians!”
Lewis: “Think about why that’s changed. 20 years ago, signed a player who didn’t perform, that was a $20K mistake. Now, that’s a $20M mistake. So all the front offices have evolved and they’ve ballooned their analysis staff.”
“After the book came out, what’s amazing was how it changed. Baseball owners were getting calls from Wall Streeters, telling them they were wasting money. But the industry left to its own devices would have not changed.”
“The lesson? If you got a business with an entrenched culture, you don’t know how entrenched it is. There are so many disincentives to not changing what they know to what they don’t know. There’s a personal resistance to that.”
Kay: So are we seeing a generational shift in the game?
Lewis: “Sure, all these 50 year olds have been lopped off, and all these 20 and 30 somethings are now running the game. There’s a book entitled The Structure of Scientific Revolutions, which explains how middle aged physicists are hesitant to embrace ideas from the younger generation coming after them.”
Lewis concluded: “Progress is a funeral at a time.”
Once again, IBM has published a global business risk and resilience study, this year in partnership with the Economist Intelligence Unit.
The study was conducted in June of this year, and included responses from 391 senior executives…Thirty-five percent of the respondents were C-level executives…About 39% were from North America, 38% from Western Europe, 20% from Asia Pacific, and 3% from Eastern Europe.
Companies with less than U.S. $500M in revenue comprised 39% of the responses, and 48% of the respondents hailed from companies with more than U.S. $1 billion in revenue…The survey also covered a gamut of industries, including financial services (16%), IT and technology (16%), professional services (13%), manufacturing (8%) and healthcare (7%).
Before I dive into the results, here’s the setup: Global organizations are increasingly emphasizing business resilience; that is, the ability to rapidly adapt to a continuously changing business environment. Resilient corporations are able to maintain continuous operations and protect their market share in the face of natural or man-made disasters as well as radical changes in the financial or economic climate. They are also equipped to seize opportunities created by unexpected events.
So, the question is, are they?
It’s a mixed bag.
The research suggests that more and more businesses will adopt a more holistic approach to risk management in the next three years as they deal with growing uncertainty and the increasing interconnectedness of the varied risks they face.
That’s the good news, aspirational though it may be.
But in terms of today’s reality, the study indicated that only a minority of companies (37%) has implemented an organization-wide business resilience strategy…with 42% saying they’ll do so in the next three years.
Almost two-thirds (64%) say they have a business continuity plan of some sort, and a robust 58% have dedicated contingency plans for dealing with a variety of risks.
That’s the topline…now on to the deeper dive:
- Larger organizations are more likely than smaller ones to have an integrated strategy. They, of course, typically have more to lose, and complexity increases an organization’s exposure to risk. Larger firms are more likely to have assigned overall responsibility for enterprise risk management to a single executive (which means, of course, direct accountability). Still, there is a contingent of small companies that have adopted integrated strategies. These companies also rank highly with regard to indicators of success such as revenue growth, profitability, and market share.
- Continuity, IT and compliance risks remain in the forefront, but companies are diversifying their strategies to build business resilience. Nearly 40% of respondents say their organization regards business continuity as primarily an IT issue. However, when they’re asked to name their “primary risk management concern,” some name more than one, including disaster recovery (47%), IT security (37%), and regulatory compliance (28%). Though most have started by addressing the largest threats first, they increasingly are expected to turn to such things as communications and training programs designed to build a more resilient culture overall.
- Business resilience planning increasingly involves specialists from across the organization, yet CIOs and IT pros remain the most prominent stakeholders. Hey, what happened to sharing the love…and the risk?? Because a culture that imbues responsibility for risk management at every level enables companies to respond to changes and unexpected events. A solid majority of respondents (60%) say that business resilience is considered a joint responsibility of all C-level execs. Yet as IT penetrates more deeply into every aspect of company operations, CIOs and IT pros remain key players in building more resilient organizations. Fifty-six percent of respondents say the CIO collaborates with top IT strategists much more frequently than three years ago.
How Can I Better Manage Risk Moving Forward?
In most organizations, improving business resilience requires a shift in corporate culture because that is what shapes values and behavior. If a company’s culture blends risk awareness with other corporate values, then people instinctively know the right thing to do when confronted with an unexpected situation, and that reduces risk.
Understanding these principles is a good first step, but in interviews, executives are clear that buy-in from the top is essential to foster broad organizational change. Promoting holistic risk management concepts to peers and employees is also critical.
Taking an incremental approach with broad participation in strategy development can help, because it is easier to promote change if a new initiative is not seen as being pushed by one particular faction.
Senior-level commitment and adequate resources are also needed to develop comprehensive communications and training programs to support integrated risk management. One of the distinguishing features of the most resilient companies is that they are much more likely than other firms to have developed a communications strategy to push the message of resilience out to every corner of the organization.
Companies that embrace these measures are more likely to create an effective business resilience plan. This will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.
Go here to download the full report.
IBM today announced a definitive agreement to acquire Algorithmics for $387 million, subject to price adjustments at closing.
Algorithmics is a risk analytics firm with operations in Toronto, Canada. Algorithmics risk analytics software, content and advisory services are used by banking, investment and insurance businesses to help assess risk, address regulatory requirements and make more insightful business decisions.
This acquisition expands IBM’s business analytics capabilities in the financial services industry by helping clients quantify, manage and optimize their risk exposure across a range of financial risk domains, including market, liquidity, credit, operational and insurance as well as economic and regulatory capital.
According to a recent IBM Institute of Business Value survey of 1,900 global CFOs, nearly half indicated that their finance organizations are not effective in the areas of strategy, information integration, risk and opportunity management.
The roles of financial officers across all industries are evolving — drawing them into more frequent boardroom conversations about forecasts, profitability and exposure to risks. The survey reveals the importance of integrating information has more than doubled, mirroring the exponential rise in information volume and velocity within businesses today. Financial officers are becoming more involved in mitigating corporate risk in all its many forms – whether strategic, operational, legal or environmental.
Across the financial industry, integrated risk management continues to be a challenge — made even more pressing by regulations triggered in response to the global financial crisis. Financial practitioners are tasked with making split-second decisions by analyzing activity happening both within their corporations and from other market forces.
With the combination of IBM and Algorithmics analytics, companies can measure and assess operational risk associated with lending processes, market and credit risk exposures. Having this type of transparency and granular insight of financial risk in advance can help organizations meet new regulatory requirements.
More than 350 clients, including 25 of the top 30 banks and more than two-thirds of the CRO Forum of leading insurers, use Algorithmics analytics software and advisory services. Clients include The Allianz Group, BlueCrest, HSBC, Nedbank, Nomura, Societe Generale, and Scotia Capital.
“Today’s economic environment demands that financial institutions have more cash on hand, a better understanding of their financial standing and the ability to deliver more transparency to stakeholders,” said Rob Ashe, IBM General Manager, Business Analytics. “Combining Algorithmics expertise with IBM’s deep analytics portfolio will allow clients to take a more holistic approach to managing risk and responding to economic change across their enterprises.” IBM’s agreement with Algorithmics reinforces that companies are looking to reduce independent silos to gain an enterprise-wide view of risks for strategic planning, operations and new growth opportunities.
Algorithmics risk analytics software and services combined with IBM’s acquisition of OpenPages and recent investments in predictive analytics will provide clients with the broadest range of business analytics solutions.
Algorithmics risk advisers will enhance IBM’s Business Analytics and Optimization practice. The Business Analytics and Optimization team has more than 8,000 consultants including 200 mathematicians with more than 500 patents and a network of analytics solution centers, backed by an overall investment of more than $14 billion in acquisitions in the last five years. Algorithmics’ focus on credit, market and liquidity risk, as well as key customers in operational risk, will strengthen and expand IBM’s risk consulting services.
The acquisition is subject to applicable regulatory clearances and other customary closing conditions. With the closing of this acquisition, approximately 900 Algorithmics employees will join IBM’s Software Group.
It’s been a bad computer hair week.
My MacBook Pro, which is an early ‘08 model, took a hard drive nose dive earlier this week, and, of course, my Apple Care expired in March.
This after the same machine did a hard drive nose dive last summer (along with the motherboard), when both were still under Apple Care.
Here’s the irony: I have a Dell Latitude E4300 that I’d been running Ubuntu Linux on, and decided to go back to Windows 7, and was literally in the midst of rebuilding a productive machine with all the stuff I need to, you know, do actual work, and THAT was the time Mr. Turbo MBP decided to jump off into the bottom of an empty pool.
Thank you, Mactronics, here in Austin, for fixing the MBP in two days. Those folks are some of the most awesome tech repair teams I’ve ever dealt with.
So we’re beyond the Debt Ceiling deal, finally. Now, if we can just keep the economic skies from falling.
And there was more bad news today. McAfee, the now Intel-owned security firm, issued a jaw-dropping report about a five-year cyber security exposure that impacted 74 organizations and governments around the world.
If you want to get caught up on this story, go straight to the source, a blog post by McAfee VP Dmitri Alperovitch. If you had any second thoughts about the severity of industrial espionage and security break-ins online, this ought to put those thoughts to rest.
The list of victims is a veritable “Who’s Who” of nation-states and institutions. Impacted were the U.S., Taiwan, India, South Korea, Vietnam, Canada, ASEAN, the International Olympic Committee, the World Anti-Doping Agency, and a host of companies, including defense contractors and high-tech firms.
Wrote Alperovitch in his blog post, “This is the biggest transfer of wealth in terms of intellectual property in history…The scale at which this is occurring is really, really frightening.”
Probably not a bad time to remind folks of IBM’s security solutions.
In the meantime, I’m sitting here inside Turboville downloading Mac OS X Lion and in the process of rebuilding my MBP so I don’t have a “No Mac Attack.”
Wish me luck!
Congrats to India on their Cricket World Cup victory over Sri Lanka. You’ve had a whole long weekend to celebrate, so let’s get back to work, shall we? : )
Because as it turns out, the most recent IBM X-Force Trend and Risk Report (2010 edition) suggests there’s still plenty of work to do, at least on the IT security front.
The IBM X-Force Trend and Risk Report is an annual assessment of the security landscape, designed to help clients better understand the latest security risks, and stay ahead of these threats. The report gathers facts from numerous intelligence sources, including its database of over 50,000 computer security vulnerabilities, its global Web crawler and its international spam collectors, and the real-time monitoring of 13 billion security events every day for nearly 4,000 clients in more than 130 countries.
These 13 billion events monitored each day – more than 150,000 per second – are a result of the work done in IBM’s nine global Security Operations Centers (SOCs), which is provided as a Managed Security Service to clients.
IBM X-Force’s Tom Cross explains the most recent results of IBM’s global security study. High on this past year’s list of security concerns: Cloud computing and mobile devices (including the exposure presented by smartphones).
150,000 Security Threats Per Second
Based on the intelligence gathered through research of public vulnerability disclosures, and the monitoring and analysis of more than 150K security events per second during every day of 2010, here are the headlines from the latest X-Force report:
- More than 8,000 new vulnerabilities were documented, a 27 percent rise from 2009. Public exploit releases were also up 21 percent from 2009 to 2010. This data points to an expanding threat landscape in which sophisticated attacks are being launched against increasingly complex computing environments.
- Spam volume leveled off by the end of 2010 (as compared to its historically high growth rate). This indicates that spammers may be seeing less value from increasing the volume of spam, and instead are focusing on making sure it is bypassing filters.
- “Spear phishing,” a more targeted attack technique, was on the rise in 2010, even though there were significantly fewer phishing attacks relative to previous years. This suggests that cyber crooks are focusing more on quality of attacks, rather than just quantity.
- End user adoption of smartphones and other mobile devices demonstrated a rise in vulnerability disclosures and exploits that target these devices. IT security departments, of course, have been struggling to determine the right way to bring these devices safely into corporate networks.
In conjunction with this year’s report, IBM is launching the IBM Institute for Advanced Security in Europe to combat growing security threats in the region. The IBM X-Force report stated that in 2010, nearly a quarter of all financial phishing emails targeted banks located in Europe. It also identified the UK, Germany, Ukraine and Romania among the top 10 countries sending spam in 2010.
This Institute joins its predecessor in Washington, D.C., focused on U.S. clients.
Emerging Security Threats In Cloud Computing, Mobile
A new section in the IBM X-Force Trend and Risk Report is dedicated to the security trends and best practices for the emerging technologies of mobile devices and cloud computing. The report highlighted a shift in perception about cloud security as adoption continued to evolve and knowledge around this emerging technology increased. Since security is still considered an inhibitor to cloud adoption, cloud providers must earn their customers’ trust.
Organizations are also increasingly concerned about the security implications of personal mobile devices used by employees. Organizations must ensure control of their data regardless of where it is, including employee-owned or business-issued smartphones.
In 2010, IBM X-Force documented increases in the volume of vulnerabilities disclosed in mobile devices as well as the disclosure of exploits that target them. The desire to “jailbreak” or “root” mobile devices has motivated the distribution of mature exploit code that has been reused in malicious attacks.
Nevertheless, malware is not yet common on the latest generation of mobile devices and most IT professionals view the data stored on them and how that can be misused or lost as the main security threats associated with these devices. According to the IBM X-Force Report, best practices for mobile security are evolving with enhanced password management and data encryption capabilities.
Additional trends highlighted in the report included:
- The new, sophisticated face of cyber crime — From a security standpoint, 2010 is most remembered as a year marked by some of the most high profile, targeted attacks that the industry has ever witnessed. For example, the Stuxnet worm demonstrated that the risk of attacks against highly specialized industrial control systems is not just theoretical. These types of attacks are indicative of the high level of organization and funding behind computer espionage and sabotage that continues to threaten a widening variety of public and private networks.
- Web applications accounted for nearly half of vulnerabilities disclosed in 2010 — Web applications continued to be the category of software affected by the largest number of vulnerability disclosures, representing 49 percent in 2010. The majority represented cross site scripting and SQL injection issues, and the IBM X-Force data showed that these vulnerabilities are being targeted by attackers. According to the report results, every summer for the past three years there has been a globally scaled SQL injection attack some time during the months of May through August. The anatomy of these attacks has been similar across the board, targeting .asp pages that are vulnerable to SQL injection.
- A secure by design approach can improve security — IBM X-Force has determined that taking proactive steps to evaluate web application security and improve development and quality assurance processes can result in a significant improvement in the security of web application software. The report included data showing that web applications scanned for vulnerabilities often showed significant improvements upon being retested – exhibiting less than half of the number of particular classes of vulnerabilities, on average, the second time they are assessed. This encouraging information points the way toward sustained improvements in Internet security.
- Nearly half of vulnerabilities remain unpatched – To help prevent attackers from exploiting vulnerabilities, organizations must focus on shortening the window of time between vulnerability disclosure and patch installation. Forty-four percent of all security vulnerabilities had no vendor-supplied patch at the end of 2010. However, even in cases where patches are made available on the same day that a vulnerability is publicly disclosed, there may be a significant gap in time before those patches are installed on vulnerable systems. Computer criminals often privately develop exploits that target publicly disclosed security vulnerabilities, and use those exploits to launch attacks. Later, when these private exploits have ceased to be valuable as attack tools, they are publicly disclosed. The IBM X-Force report data showed that exploits are often publicly disclosed tens or hundreds of days after the vulnerabilities they target. If it is taking a long time for these exploits to surface, it may be taking a long time for networks to patch.
- Continued growth of Internet botnets – IBM X-Force saw an upward trend in Trojan botnet activity during 2010. This growth is significant because despite increasing coordinated efforts to shut down botnet activity, this threat appeared to be gaining momentum. However, IBM X-Force’s data did illustrate the dramatic impact of a successful effort in early 2010 to shut down the Waledac botnet, which resulted in an instantaneous drop-off in observed command and control traffic. On the other hand, the Zeus botnet continued to evolve and constituted a significant portion of the botnet activity detected by IBM X-Force in 2010. Due to its extreme popularity with attackers, there are hundreds, or even thousands, of separate Zeus botnets active at any given time. The Zeus botnet malware is commonly used by attackers to steal banking information from infected computers.
To help address these challenges, IBM now has nine worldwide research labs innovating security technology and nine security operations centers around the world. These are designed to help global clients maintain the appropriate security posture.
Click here to access the 2010 IBM X-Force Trend and Risk report.
You can find more information on IBM Security Solutions at www.ibm.com/security.
I’m back after a week disappearing into the rainforests, rivers, and golf courses of Costa Rica.
And when I say disappearing, I’m referring mostly to the little white balls that I sent trafficking off into the Costa Rican wilderness with great frequency.
Neither my father nor I even placed in our collegial golf tournament, but a good time was definitely had by all. You can see below an action shot from one of the greens.
Of course, while I was out gallivanting about the links of Costa Rica, my peers Scott Laningham and Tiffany Winman were out in Viva Las Vegas representing on the show floor as the IBM PULSE 2011 event kicked off over the weekend.
Though I’m sad not to be there with them this year, they are already off and running, and you can go here to keep track of all the tidings.
Scott’s interviews are being featured on the IBM Software Livestream channel.
Just yesterday, IBM started making some important announcements coming out of the PULSE event.
First, we introduced software to help bring a new level of intelligence to the world’s physical infrastructure, software that aims to advance smarter cities and industry transformation across water, energy, transportation and healthcare industries by monitoring and analyzing new streams of data.
With this news, IBM is continuing these advancements, delivering new software to give greater intelligence to the business operations of the world’s infrastructure:
- Analytics software for monitoring telecommunications, transportation, or any network that distributes data such as escalators for metros, ATMs for banks and refrigerators for grocery chains;
- New software that monitors and manages smart meter networks for energy, water and gas utilities;
- New software that helps hospitals locate and monitor their clinical and biomedical equipment in real-time to ensure that life-saving medical devices are instantly available and expertly maintained; and
- Smarter buildings software that helps organizations to optimize their buildings’ energy and equipment efficiency.
As part of this news, IBM also announced a series of client wins and advancements to transform infrastructures around water, energy management, buildings, and more.
You can go here to get all the details and read more about the client wins.
In the meantime, I need some new software to manage the overabundance of email I received while on holiday!
So if you’ll excuse me, I’m off to try and climb out from under the pile.
But please, do keep an eye out on the Tivoli PULSE press room for more news breaking from Vegas!
My last post was about security.
This post is going to be about security.
The last post covered IBM’s recent X-Force Trends report which reported on the lingering and expanding security threats faced by organizations around the globe.
This post will address some of the antidotes IBM announced just yesterday at the RSA Conference in San Francisco.
In San Francisco, IBM detailed a number of new IBM Security Solutions, research initiatives, partnerships and client results aimed at meeting the rising demand by businesses and governments worldwide to secure digital and physical infrastructures.
Security, by Design
In my recent coverage of the IBM Pulse 2010 conference, I covered a session by IBM Chief Privacy Officer Harriet Pearson in which Harriet introduced the idea of “security by design.”
This approach stems from recognition of the fact that new computing paradigms and business models fundamentally require businesses to rethink how they deal with compliance, risk management and data protection. Central to IBM’s approach to addressing clients’ security challenges is a shift in focus from securing assets to securing critical services.
With integrated service management – tools that can provide a “command center” view into a client’s operations and potential areas of risk — IBM can help its clients design security into the fabric of the services they deliver, making security intrinsic to their business processes, product development and daily operations.
Yesterday’s announcements, based on IBM’s experience with hundreds of global clients and businesses, are designed to further expand on the vision that security, by design, is an enabler of innovative change.
IBM is introducing new software, systems and services to help global organizations securely adopt new forms of technology like cloud computing and new business models like telework, while addressing emerging compliance constructs.
New IBM Security Solutions include:
- IBM Secure Web Gateway Service 2.0 – IBM X-Force research indicates a dramatic rise in the number and complexity of Web application attacks. This new service enables greater protection against Web-based threats and enforcement of corporate IT policies while lowering overall management costs.
- IBM Managed Firewall Service and IBM Unified Threat Management Service – this new bundled offering allows clients to use select Check Point firewall and unified threat management devices while receiving IBM Managed Security Services for those devices for a monthly fee. This provides clients increased levels of protection without the burden of upfront capital expenditures for the devices.
- IBM Security Information and Event Manager 2.0 – this updated software helps to reduce costs by automating enterprise log management and central management, reduce insider threats and protect integrity by monitoring and auditing privileged user activities, and facilitate compliance efforts and streamline management with compliance management modules.
- IBM Security Content Analysis Software Development Kit (SDK) – rapid growth of the Internet and the constant onslaught of spam requires advanced filtering technology that is expensive to develop and maintain. This new SDK provides developers with up-to-date filter database and accurate analysis — along with an easy-to-implement application programming interface (API).
- IBM AppScan Source Edition – as organizations continue to develop and design products and services that are increasingly interconnected, they are also placing increased emphasis on securing the software that powers these products and services. This new edition of IBM Rational AppScan Source Edition can scan software source code and identify potential security and compliance vulnerabilities during the earliest stages of software development, when they are less expensive to correct.
- IBM Lotus Protector for Mail Encryption – for secure collaboration and communication, IBM is announcing a new software product called IBM Lotus Protector for Mail Encryption. Available in April, it extends IBM’s flagship messaging software, offering Lotus Notes’ native e-mail encryption feature to include any address accessible on the Internet — irrespective of e-mail system or client used by the recipient. IBM Protector for Mail Encryption addresses the Internet encryption challenge, in a simple and integrated way, unlike third-party “bolt-on” products that have historically been complex and expensive to deploy.
- IBM Security Privileged Identity Management and Compliance Solution – a rising trend among attackers to use privileged user identities to gain access to core systems, increasing compliance mandates and high administrative costs all add to the difficulty of managing users and identities and blocking internal and external threats. This combined solution provides threat prevention and identity management and helps meet compliance needs through file integrity monitoring, separation of duties, role hierarchy, and intrusion prevention.
- IBM z/OS V1.12 – With the latest release of z/OS, IBM helps clients promote improved operations, availability, manageability, and security through self-learning, self-managing, and self-optimization capabilities. z/OS security functions, such as data encryption, encryption key management, digital certificates, password synchronization, and centralized authentication and auditing, can be deployed as part of enterprise-wide security solutions and can help mitigate risk and reduce compliance costs.
Institute for Advanced Security
In February 2010, IBM, the Security & Defence Agenda (SDA) and a coalition of international think tanks hosted almost 4,000 global experts from government, industry, academia and non-government organizations (NGOs) in a virtual dialogue on the world’s greatest security challenges.
Cybersecurity was identified as a significant potential threat to international peace and stability, and a number of experts called for the creation of a cybersecurity agency to increase public and private sector collaboration and educate global leaders on cyber issues.
In order to address such concerns, the company is launching the IBM Institute for Advanced Security to help clients, academics, partners and other businesses more easily understand, address and mitigate the issues associated with securing cyberspace.
The Institute will collaborate with public and private sector officials in Washington, D.C., and provide access to a wide range of resources to help the government more efficiently and effectively secure and protect critical information threatened by increasingly malicious and costly cyber threats.
As part of this effort, IBM is bringing to bear expertise from its software, services, systems and research arms to help governments and businesses around the world safeguard themselves from new and existing threats.
For instance, the U.S. Air Force recently selected IBM to design and demonstrate a highly secure cloud computing infrastructure that can support defense and intelligence networks.
The IBM Institute for Advanced Security will provide a collaborative setting for public and private sector officials to tap IBM’s vast security expertise so they can more efficiently and effectively secure and protect critical systems and information threatened by increasingly malicious and costly cyber threats.
IBM’s approach will help public and private organizations avoid the trend of adding security on after the fact by providing them the education, expertise and resources to design security into the foundation of their infrastructures.
IBM Tivoli general manager Al Zollar spoke at yesterday’s RSA conference. His keynote presentation is now available via podcast, in which Zollar addressed “The Decade of Smart Security.”
So no sooner am I back from the IBM Pulse 2010 conference than IBM releases the results from its latest Annual X-Force Trend and Risk Report from 2009.
Hold on to your passwords, folks…we’re gonna be in for a bumpy ride!
The latest report’s findings show that existing threats like phishing and document format vulnerabilities continued to expand last year, even as clients have generally made progress in improving their overall security.
The IBM X-Force research and development team has been cataloguing, analyzing and researching vulnerability disclosures since 1997.
With more than 48,000 security vulnerabilities catalogued, it has the largest vulnerability database in the world. This unique database helps X-Force researchers to understand the dynamics that make up vulnerability discovery and disclosure.
The latest X-Force report reveals three main threats: Malicious Web links, Phishing attacks, and document reader/editor vulnerability disclosures (most notably, PDF docs!).
The report also found that:
- New vulnerabilities have decreased but are still at record levels.
- Critical and high vulnerabilities with no patch have decreased significantly year-over-year in several key product categories.
- Vulnerability disclosures for document readers and editors and multimedia applications are climbing dramatically.
- New malicious Web links have skyrocketed globally.
- Web application vulnerabilities continue to be the largest category of security disclosures.
- Attacks on the Web using obfuscation increased significantly.
- Phishing rates dipped mid-year but rose dramatically in the last half of 2009.
- Phishing still takes advantage of the financial industry to target consumers.
“Despite the ever-changing threat landscape, this report indicates that overall, vendors are doing a better job responding to security vulnerabilities,” said Tom Cross, manager of IBM X-Force Research. “However, attackers have clearly not been deterred, as the use of malicious exploit code in Web sites is expanding at a dramatic rate.”
Al Zollar, general manager for IBM’s Tivoli group, also chimed in on the report, and more importantly, how IBM could help.
“IBM continues to invest in strategic research like this report to create value for our clients and the security industry,” said Zollar. “With insight from our X-Force research team, our professional and managed services offerings, and our software, we can help enable the most secure IT infrastructure while meeting clients’ risk, governance and compliance requirements.”
You can register to download the full report here.