Turbotodd

Ruminations on tech, the digital media, and some golf thrown in for good measure.

Archive for the ‘risk management’ Category

IBM Plans to Acquire Security Visualization And Management Firm Agile 3 Solutions

with one comment

IBM Security today announced plans to acquire Agile 3 Solutions, a developer of software used by the C-Suite and senior executives to better visualize, understand and manage risks associated with the protection of sensitive data.

The addition of Agile 3 Solutions’ capabilities to IBM Security’s portfolio adds an intuitive tool to improve C-Suite decision making as businesses prepare to defend themselves against cybercrime.

As cybersecurity has become a board-level issue, there is a growing need for the C-suite and the Board to understand their security posture through the lens of business risk, not just the technical security data and metrics.

Business leaders must be equipped to make risk-based decisions and prioritize investments toward the cybersecurity readiness and resilience. In fact, Gartner predicted that “by 2017, 80% of IT risk and security organizations will report metrics to non-IT executive decision makers; however, only 20% will be considered useful by the target audience.”

Agile 3 Solutions is a San Francisco-based, privately held company that provides business leaders with a comprehensive, business-friendly dashboard and intuitive data risk control center to help uncover, analyze, and visualize data-related business risks.

Financial terms of the deal were not disclosed and the transaction is expected to close within several weeks.

For more information about Agile 3 Solutions, go to http://www.ibm.com/security/announce/agile3/

Written by turbotodd

January 23, 2017 at 8:43 am

Batten Down The Hatches! IBM’s X-Force 2012 Trend And Risk Report

leave a comment »

It’s been a busy year for IT security incidents. Yesterday, John Markoff and Nicole Perlroth with The New York Times told us about yet another incident, this time a cyberattack involving antispam group Spamhaus and an anonymous group unhappy with their efforts.

Based on disclosed incident details such as the vulnerability used and attack type, IBM X-Force was able to determine that the majority of the security incidents disclosedin 2012 were carried out by the top left quadrant above, with attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.

Click to enlarge. Based on disclosed incident details such as the vulnerability used and attack type, IBM X-Force was able to determine that the majority of the security incidents disclosed in 2012 were carried out by the top left quadrant above, with attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.

But the list goes on and on. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations have been inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents—which had already hit a new high in 2011—continued their upward trajectory.

At the mid-year of 2012, IBM’s X-Force team predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case. While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection.

What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives. Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, X-Force looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices.

That said, recent developments have indicated that while these dangers still exist, and X-Force believes mobile devices should be more secure than traditional user computing devices by 2014. While this prediction may seem far fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.

In its latest report, X-Force explores how security executives are advocating the separation of personas or roles on employee-owned devices. It also addresses some secure software mobile application development initiatives that are taking place today. The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose.

The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites and because they are so frequently accessed,they have become a favorite target of scam and phishing.

Click to enlarge. The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites and because they are so frequently accessed,
they have become a favorite target of scam and phishing.

Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems.  They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems.

Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.

As X-Force also reported in the mid-year, spam volume remained nearly flat in 2012, with India claiming the top country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts continue to fool end users with crafty social-engineering email messages that look like legitimate businesses. Also, fake banking alerts and package delivery service emails have been effective as attackers refine their messages to look like the authentic messages that customers might normally receive.

Whether the target is individuals or the enterprise, once again, X-Force reminds organizations that many breaches were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.

Web applications are still topping the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end of year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of all publicly released vulnerabilities. Although SQL injection attack methods remain as a top attack technique, the actual disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak X-Force recorded.

Social media has dramatically changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities.

Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.

The values for the evaluated threat and residualthreat can be determined by comparing thelikelihood or frequency of a threat occurring (high,medium, low) against the damage impact that couldhappen if the threat occurred (catastrophic, high,medium, low). The goal is to implement mitigationprocesses that either reduce the frequency of thethreat occurring or reduce the impact if the threatdoes occur. A requirement for this to be successful is to have aspecific, designated monitoring mechanism to monitorthe implementation of the treatment processes andfor the appearance of the threats. This monitoringmechanism should be monitored and alerts should beresponded to. It does no good to have network-basedanti-virus consoles gathering information about virusalerts across the network, if nobody is assigned tomonitor the console and respond to those alerts.Monitoring and responding is part of the mitigationprocess. (An example threat assessment and riskmitigation process chart is provided below, thoughthe IR team may identify a greater list.)

Click to enlarge. The values for the evaluated threat and residual threat can be determined by comparing the likelihood or frequency of a threat occurring (high, medium, low) against the damage impact that could happen if the threat occurred (catastrophic, high, medium, low). The goal is to implement mitigation processes that either reduce the frequency of the threat occurring or reduce the impact if the threat does occur. A requirement for this to be successful is to have a specific, designated monitoring mechanism to monitor the implementation of the treatment processes and for the appearance of the threats.

2012 X-Force Trend And Risk Report Highlight

Malware and the malicious web

  • In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display.
  • Based on data for 2012, it is not surprising that the bulk of the security incidents disclosed were carried out with the majority of attackers going after a broad target base while using off-the-shelf tools and techniques. X-Force attributes this to the wide public availability of toolkits and to the large number of vulnerable web applications that exist on the Internet.
  • The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the implementation of botnets on compromised web servers residing in high bandwidth data centers. This technique assisted in much higher connected uptime as well as having more bandwidth than home PC’s to carry out the attacks. In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.
  • IBM Managed Security Services (MSS) security incident trends are markers that represent the state of security across the globe. The relative volume of the various alerts can help to describe how attacks are established and launched. They also frequently provide hints about how methods have evolved. Based on this, the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet.
  • IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic due, in large part, to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets.
  • Web browser exploit kits (also known as exploit packs) are built for one particular purpose: to install malware on end-user systems. In 2012 X-Force observed an upsurge in web browser exploit kit development and activity—the primary target of which are Java vulnerabilities—and X-Force supplies some strategies and tips to help protect against future attacks (see end of post to download full report).
  • Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform—a rare combination that affords attackers a lot of value for their investment. Web content trends, spam, and phishing Web content trends Top used websites are readily deployed as IPv6- ready, although attackers do not yet seem to be targeting IPv6 on a large scale.
  • One third of all web access is done on websites which allow users to submit content such as web applications and social media.
  • Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information.

Spam and phishing

  • Spam volume remained nearly flat in 2012.
  • India remains the top country for distributing spam, sending out more than 20% of all spam in the autumn of 2012. Following India was the United States where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam sending countries of origin were Vietnam, Peru, and Spain.
  • At the end of 2012, IBM reports that traditional spam is on the retreat, while scam and spam containing malicious attachments is on the rise. In addition, attackers are demonstrating more resiliency to botnet take downs which results in an uninterrupted flow of spam volume.

Operational Security Practices

Vulnerabilities and exploitation

  • In 2012, there were over 8,168 publicly disclosed vulnerabilities. While not the record amount X-Force expected to see after reviewing its mid-year data, it still represents an increase of over 14% over 2011.
  • Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012.
  • Cross-site scripting vulnerabilities accounted for over half of the total web application vulnerabilities disclosed in 2012. Cross-site scripting dominated the web vulnerability disclosures. Fifty-three percent of all publicly released web application vulnerabilities were cross-site scripting related. This is the highest rate X-Force has ever seen. This dramatic increase occurred while SQL injection vulnerabilities enjoyed a higher rate than 2011 but were still down significantly since 2010.
  • There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels.
  • Web browser vulnerabilities declined slightly for 2012, but not at as high a rate as document format issues. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical severity web browser vulnerabilities saw an increase of 59% for the year.
  • Few innovations have impacted the way the world communicates quite as much as social media. However, with the mass interconnection and constant availability of individuals, new vulnerabilities and a fundamental shift in intelligence-gathering capabilities has provided attackers and security professionals alike with information useful for enhancing their activities.
  • Rather than seeing a particular enterprise as an individual entity, attackers can view enterprises as a collection of personalities. This gives attackers the opportunity to target specific people rather than enterprise infrastructures or applications. Furthermore, targeted people may also be targeted as individuals and not just as employees. In other words, the personal activities and lives of employees can be leveraged to target an enterprise.

Emerging Trends In Security

Mobile

  • Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
  • Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number of enterprises have wanted or required some form of separation or dual persona on mobile devices. This difference in use or adoption could be the result of greater numbers of devices driving greater risk in the percentage of personally owned mobile devices versus personally owned PCs in a BYOD program.
  • In many cases, enterprises have made significant investments into implementing Secure Software Development Life Cycle (SSDLC) processes. Today’s mobile application development benefits from this. Tools exist to support secure development as part of the process instead of being conducted in qualification or production. As a result, it should be more common for enterprises to have more securely developed mobile applications than their existing legacy applications. Closure of vulnerabilities in some traditional computing applications may only conclude as existing versions are sunset and replaced with newer, more securely developed replacements.
  • Over 2012, it is safe to conclude that more enterprises are supporting BYOD or the use of personally owned devices than previously. In the last two years, IBM Security has spoken to hundreds of global 2000 customers and out of those interviewed, only three said they had no plans to implement any kind of BYOD program.

To learn more on how your organization can work to address these types of vulnerabilities, download the full IBM X-Force 2012 Trend And Risk Report here.

Six Keys To Effective Reputational And IT Risk Management

leave a comment »

In September of last year, I blogged about the IBM 2012 Global Reputational Risk and IT Study, which I explained was an “investigation of how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of their operations and where IT failures can result in reputational damage.”

I also wrote “corporate reputations are especially difficult to manage in an era when anyone with a smartphone and Internet connection can file their complaint with a single touch.”

That continues to be the case, but what’s new is that IBM has recently issued another report on further implications of this study and its findings, and more importantly, what organizations can do to get on offense when it comes to better managing their corporate reputation.

The Connection Between Reputational Risk And IT

When the corporate world first began paying attention to the concept of reputational risk in 2005, organizations’ focus tended to be on business issues like compliance and financial misdoings.

Today, the focus has shifted to include the reputational impact of IT risks. Virtually every company is now reliant on technology for its critical business processes and interactions. While it may take 10 minutes or 10 hours to recover from an IT failure, the reputational impact can be felt for months or even years.

IBM - Factors Affected By IT Risk

Reputational damage caused by IT failures such as data breaches, systems failures and data loss now has a price tag. According to analyses performed by the Ponemon Institute, the economic value of a company’s reputation declines an average of 21 percent as a result of an IT breach of customer data — or the equivalent of an average of US $332 million.

The question now is not whether IT risks affect your corporate reputation, but what you can do to effectively prevent and mitigate these risks.

IBM -- True Price Of Reputational Harm

Six Keys To Effective Reputational And IT Risk Management

An analysis of responses to the IBM study revealed distinct correlations between the initiatives that organizations are undertaking to protect their reputations from the ramifications of IT failures and the overall effectiveness of their reputational and IT risk management efforts.

Based on this analysis, and the pattern it revealed among organizations that are most confident in their ability to prevent and mitigate IT-related reputational risk, there are six key initiatives that IBM recommends as part of every company’s efforts:

  1. Put someone in charge. Ultimate responsibility for reputational risk, including IT-related items, should rest with one person.
  2. Make the compliance and reputation connection. Measuring reputational and IT risk management strategies against compliance requirements is essential.
  3. Reevaluate the impact of social media. In addition to recognizing its potential for negative reputational impact, social media should be leveraged for its positive attributes.
  4. Keep an eye on your supply chain. Organizations must require and verify adherence of third-party suppliers to corporate standards.
  5. Avoid complacency. Organizations should continually evaluate reputational and IT risk management against strategy to find and eliminate potential gaps.
  6. Fund remediation; invest in prevention. For optimal reputational risk mitigation, companies need to fund critical IT systems as part of their core business

IBM -- Importance Of Reputational Risk

How IBM Can Help

When planned and implemented effectively, your organization’s reputational and IT risk strategy can become a vital competitive advantage. When you protect against and mitigate reputational risks successfully, you can enhance brand value in the eyes of customers, partners and analysts. Further, your organization can better attract new customers, retain existing customers and generate greater revenue.

IBM can help you protect your reputation with a robust portfolio of IT security, business continuity and resiliency, and technical support solutions. You can start with an IT security risk assessment, or penetration testing performed by IBM experts.

For business continuity and resiliency, you can begin with a Continuous Operations Risk Evaluation (CORE) Workshop and move on to cloud-based resiliency services. Our technical support solutions range from basic software support to custom technical support.

What makes IBM solutions work is global reach with a local touch. This includes:

  • Over 160 business resiliency centers in 70 countries; more than 50 years of experience
  • More than 9,000 disaster recovery clients, with IBM providing 100 percent recovery for clients who have declared a disaster
  • A global network of 33 security operations, research and solution development centers; 133 monitored countries
  • 15,000 researchers, developers and subject matter experts working security initiatives worldwide.

To learn more about the IBM Global Reputational Risk and IT Study go here.

Live @ IBM Pulse 2013: A Cloud Computing Security Roundtable

leave a comment »

At the IBM Cloud Security press roundtable, several IBM Security experts expounded on the issues and challenges organizations are facing as they work to better secure their cloud computing environments.

At the IBM Cloud Security press roundtable, several IBM Security experts expounded on the issues and challenges organizations are facing as they work to better secure their cloud computing environments.

If you’ve followed the headlines recently, you can’t help but notice the constant barrage of news concerning security break-ins at some of the most public cloud sites on the planet: Facebook, Google, Evernote…the list goes on and on.

Yet in spite of the looming cloud security concerns, enterprises and organizations continue to ramp up their investments in both public and private cloud infrastructure as a cost-effective, dynamic way to scale up their IT capacity.

At the IBM Cloud Security roundtable here at IBM Pulse 2013 yesterday in Las Vegas, several IBM security experts came together to discuss some of the challenges, best practices, and solutions to protect against threats and provide security-rich cloud computing environments.

Jack Danahy, director of security for IBM North America, hosted the panel before the gathered industry press, and offered up some prefacing comments to set the stage for the security discussion.

Jack began by stating that 9 out of 10 global CEOs say that cloud computing is critical to their business plans and “a way to increase their organizational productivity, but all also admit security is a lingering concern.”

Brendan Hannigan, the general manager for the IBM Security Division, explained that there are some key basic security concerns around cloud, including the safety of enterprise data, and whether or not it can be compromised or lost.

Hannigan explained: “Cloud is simply another computer upon which we can deploy capabilities for our customers, and we should be able to look at cloud security the same way we do across other domains.”  That includes giving organizations a single view of identity across their cloud environments.

Kris Lovejoy, general manager for IBM Security Systems, discussed some of the key inhibitors to organizations providing more effective cloud security measures, and explained that the cloud is actually inherently more securable than traditional IT infrastructure because of they way it’s designed and the manner by which you can replicate security controls.

So if the cloud is inherently more securable, why the seeming contradiction that nobody seems to be able to effectively secure it?

Because, Lovejoy explained, when you buy public cloud capability you typically have to buy the security features as an added extra, and may customers don’t do so.

“Think about the provider as being a hotel,” Lovejoy explained, “and in each hotel room they have a series of diseases. The provider must provide you good housekeeping to protect you from diseases in the other rooms, and yet so many cloud computing tenants don’t make that obvious investment to protect their cloud applications and data.”

When Danahy asked the panel about what can be done to make executives more comfortable with the idea of security investments in the cloud space, Hannigan chimed in, and explained the rationale comes down to a distinction in the type of data you’re working with, and delineating between the information that is critical and that which is less sensitive.

“When you have a specific application or data set,” Hannigan explained, “there are wonderful opportunities afforded by the cloud because in security, one of the biggest challenges is striking a balance between locking the infrastructure down and providing free and unfettered access to the that information customers and employees need.”

Lovejoy explained it was not dissimilar from the crazy notion of automakers selling cars without seatbelts or brakes. “You don’t want to suddenly discover you don’t have these features going 60 miles per hour down the interstate.”

Kevin Skapintez, program director of product strategy for IBM Security, said that the need for more cloud security standards reminded him of the late 1800s, when fire hydrants had different nozel sizes that required varying widths of connectors for the hoses.

“You have to have standards related to identity,” Kevin explained, “so you don’t have to build different registries per cloud!”

“More organizations needed to also heighten their log management regimes,” he explained, “so that they have improved visibility to see if they have the right controls in place and where incidents are occuring.”

Lovejoy explained that “most organizations have a pretty defined pathway to cloud success.” Many are using develop and test environments and are moving to non-core workloads, allowing a lot of applications to emerge and consolidate on the cloud.

At the same time, she explained, most companies are planning a security operations optimization and that the cloud is a remarkable opportunity. “As we consolidate,” she explained, “things get simpler. Companies need to think about this in the context of business transformation. You need to adopt the cloud in a safe and reliable manner while managing the risk.”

During the Q&A, I asked the panel whether or not all these very public public cloud security incidences we’ve seen in the headlines were driving any real productive conversation in terms of making cloud security more of a priority.

Lovejoy explained the scenario typically went something like this: A CEO would call up their provider, ask for an assessment, give them a threat briefing, then go to a third party standard to see if they matched the security checklist.

But that not enough of them were what she termed “security aware.”

Hannigan concluded, “It’s a classic dilemma with security spending. Security concerns are not specific just to the cloud, and clients are working about losing data, period. The question is, can they invest all the money necessary to adequately secure those environments?”

To date, the answer seems to largely be “no.”

Live @ Information On Demand 2012: A Q&A With Nate Silver On The Promise Of Prediction

with 2 comments

Day 3 at Information On Demand 2012.

The suggestion to “Think Big” continued, so Scott Laningham and I sat down very early this morning with Nate Silver, blogger and author of the now New York Times bestseller, “The Signal and the Noise” (You can read the review of the book in the Times here).

Nate, who is a youngish 34, has become our leading statistician through his innovative analyses of political polling, but made his original name by building a widely acclaimed baseball statistical analysis system called “PECOTA.”

Today, Nate runs the award-winning political website FiveThirtyEight.com, which is now published in The New York Times and which has made Nate the public face of statistical analysis and political forecasting.

In his book, the full title of which is “The Signal and The Noise: Why Most Predictions Fail — But Some Don’t,” Silver explores how data-based predictions underpin a growing sector of critical fields, from political polling to weather forecasting to the stock market to chess to the war on terror.

In the book, Nate poses some key questions, including what kind of predictions can we trust, and are the “predicters” using reliable methods? Also, what sorts of things can, and cannot, be predicted?

In our conversation in the greenroom just prior to his keynote at Information On Demand 2012 earlier today, Scott and I probed along a number of these vectors, asking Nate about the importance of prediction in Big Data, statistical influence on sports and player predictions (a la “Moneyball”), how large organizations can improve their predictive capabilities, and much more.

It was a refreshing and eye-opening interview, and I hope you enjoy watching it as much as Scott and I enjoyed conducting it!

IBM Announces New Security Solutions, Focuses On Cloud, Mobile, Big Data

leave a comment »

Today, IBM made a move designed to reduce the biggest security inhibitors that organizations face in implementing cloud, mobile and big data initiatives with the announcement of a broad set of security software to help holistically secure data and identities.

I blogged about IBM’s 2012 Global Reputational Risk and IT Study recently, the headline of which was this: Managing reputational risk is crucial to many organization’s business, and managing IT is a major part of their efforts.

I also interviewed Brendan Hannigan, the general manager of IBM’s Security Systems Division, at IBM InterConnect last week about some of these critical security matters.

Today, IBM made a move designed to reduce the biggest security inhibitors that organizations face in implementing cloud, mobile and big data initiatives with the announcement of a broad set of security software to help holistically secure data and identities.

New IBM Security Solutions

IBM’s new software capabilities help clients better maintain security control over mobile devices, mitigate internal and external threats, reduce security risks in cloud environments, extend database security to gain real-time insights into big data environments such as Hadoop, and automate compliance and data security management.

Along with IBM Security Services and IBM’s world-class research capabilities, this set of scalable capabilities supports a holistic, proactive approach to security threats spanning people, data, applications and infrastructure.

“A major shift is taking place in how organizations protect data,” said Brendan Hannigan, General Manager, IBM Security Systems. “Today, data resides everywhere—mobile devices, in the cloud, on social media platforms. This is creating massive amounts of data, forcing organizations to move beyond a traditional siloed perimeter to a multi-perimeter approach in which security intelligence is applied closer to the target.”

IBM is unveiling ten new products and enhancements to help organizations deliver real time security for big data, mobile and cloud computing.

Real Time Security for Big Data Environments 

State of the art technologies including Hadoop based environments have opened the door to a world of possibilities. At the same time, as organizations ingest more data, they face significant risks across a complex threat landscape and they are subject to a growing number of compliance regulations.

With today’s announcement, IBM is among the first to offer data security solutions for Hadoop and other big data environments.

Specifically, Guardium now provides real time monitoring and automated compliance reporting for Hadoop based systems such as InfoSphere BigInsights and Cloudera.

Highlighted data security solutions:

NEW: IBM InfoSphere Guardium for Hadoop

ENHANCED: IBM InfoSphere Optim Data Privacy

ENHANCED: IBM Security Key Lifecycle Manager

To learn more about the data security portfolio go here.

Mobile Security: Improving Access and Threat Protection

Today IBM is also announcing risk-based authentication control for mobile users, integration of access management into mobile application development and deployment as well as enhanced mobile device control.

IBM is also announcing a comprehensive Mobile Security Framework to help organizations develop an adaptable security posture to protect data on the device, at the access gateway and on the applications.

Highlighted mobile security solutions:

NEW: IBM Security Access Manager for Cloud and Mobile

ENHANCED: IBM Endpoint Manager for Mobile Devices

Go here to learn more about specific mobile security product attributes.

Cloud Security: From Inhibitor To Enabler

While the cloud can increase productivity with anywhere, anytime information access, it can also introduce additional challenges for enterprise security.

IBM today is announcing security portfolio enhancements designed to address these new challenges, providing improved visibility and increased levels of automation and patch management to help demonstrate compliance, prevent unauthorized access and defend against the latest threats using advanced security intelligence.

With IBM’s new SmartCloud for Patch Management solution, patches are managed automatically regardless of location and remediation cycles are reduced from weeks to hours thereby reducing security risks.

Additionally, IBM is announcing enhancements to its QRadar Security Intelligence Platform that provides a unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and security related data from distributed locations, using the cloud to obtain greater insight into enterprise-wide activity and enable better-informed business decisions.

The new IBM Security Privileged Identity Manager is designed to proactively address the growing insider threat concerns and help demonstrate compliance across the organization.

IBM Security Access Manager for Cloud and Mobile which provides enhanced federated single sign-on to cloud applications is now available with improved out-of-the-box integration with commonly adopted SaaS applications and services.

Highlighted cloud security solutions:

NEW: IBM SmartCloud for Patch Management

NEW: IBM Security Access Manager for Cloud and Mobile

NEW: IBM Security Privileged Identity Manager

ENHANCED: QRadar SIEM and QRadar Log Manager

Visit here to learn more about specific cloud security product attributes, please visit

Enhanced Mainframe Security Capabilities

In addition, IBM is announcing mainframe security capabilities that enhance enterprise-wide security intelligence based on QRadar security solution integration that provides real time alerts and audit reporting.

The mainframe offers Common Criteria Evaluation Assurance Level 5+ (EAL 5+) certification for logical partitions, providing a platform for consolidating systems, helping protect private clouds, and helping secure virtualized environment.

New IBM Security zSecure improvements help to reduce administration overhead, automate compliance reporting, enforce security policy, and pro-actively detect threats.

Highlighted zSecure security solutions:

ENHANCED: IBM Security zSecure

Through IBM Global Financing, credit-qualified clients can take advantage of 0% interest for 12 months on qualifying IBM Security products and solutions.

About IBM Security 

With more than 40 years of security development and innovation, IBM has breadth and depth in security research, products, services and consulting.

IBM X-Force is a world-renowned team that researches and evaluates the latest security threats and trends. This team analyzes and maintains one of the world’s most comprehensive vulnerability databases and develops countermeasure technologies for IBM’s security offerings to help protect organizations ahead of the threat.

IBM has 10 worldwide research centers innovating security technology and nine security operations centers around the world to help global clients maintain an appropriate security posture.

IBM Managed Security Services delivers the expertise, tools and infrastructure to help clients secure their information assets against attacks, often at a fraction of the cost of in-house security resources.

The Institute for Advanced Security is IBM’s global initiative to help organizations better understand and respond to the security threats to their organization. Visit the Institute community at www.instituteforadvancedsecurity.com.

IBM Survey: Social Media Impacting Threats From Reputational Risk

with 2 comments

More than 400 respondents in 23 industries across the globe agree: managing reputational risk is crucial to their business, and managing IT risk is a major part of their efforts. And, social media is cited as a major factor for those shifting more focus to their reputational risk management efforts. Learn what these respondents are doing — and what they’re overlooking — in the 2012 IBM Global Reputational Risk and IT study report.

So here’s a question for you?  What is your organization doing to more effectively manage its risk profile?

IBM recently released its 2012 Global Reputational Risk and IT Study, and the findings suggest that companies are viewing their IT investments through a new lens.

First, some background, and then a summary of the findings.

This study is an investigation of how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of their operations and where IT failures can result in reputational damage.

The report was written by the Economist Intelligence Unit, which both executed an online survey and conducted client executive interviews.

That included 427 senior executive responses from around the world, 42 percent of those being C-level, with 33 percent of respondents coming from North America, 29 percent from Europe, and 26 percent from Asia-Pacific.

The survey included industries that ran the gamut, including banking, IT, energy and utilities, and insurance.

Impact of Social Media On Risk

Corporate reputations are especially difficult to manage in an era when anyone with a smartphone and Internet connection can file their complaint with a single touch.

With social media sites like Facebook and Twitter boasting over 1.4 million people combined, there is now a highly visible and immediate alterative to a company’s own communications regarding its reputation.

Because of that, more organizations have introduced reputational risk as a distinct category within their enterprise risk management frameworks.

The study suggests that companies have begun to pay closer attention to the links between IT failures and reputational damage, and also examines how executives are attempting to protect their brands from what could arguably be called “a preventable glitch.”

So, drum roll, please.  Here’s a summary of some of the key findings:

  • IT risk management and investment directly supports a company’s reputation.  Reputational risk has evolved into an asset that is fundamentally supported by IT planning and investment.  78 percent say they included reputational risk in their own IT risk planning, and 75 percent say their budget will grow due to concerns for such. Eighteen percent indicate that spend will increase by more than 20 percent in the next 12 months.
  • The CEO owns it but shares it. When asked to name the top 3 C-level execs who owned reputational risk, close to two-thirds say it was shared across the C-suite. 80 percent of CEOs indicated it was theirs to win, followed by 31 percent of CFOs, 27 percent of CIOs, 23 percent of CROs (Chief Risk Officers), and 22 percent of CMOs.
  • Five characteristics of highly effective companies — they get reputational risk and invest in it. Of those who do, 83 percent indicated they have integrated IT into their reputational risk management regimes. They also perceive stronger links between IT threats and key elements of reputation (especially customer sat and brand reputation), and they also say they have strong or very strong IT risk management capacity (84 percent). Seventy-seven percent indicated they have well-resourced IT risk management functions, and are more likely to require vendors and supply chain partners to meet the same levels of control as they require internally.

Improving Reputational Risk Management: Best Practices

So what’s a concerned C-level exec to do? The study revealed several core strategies:

  • Be proactive rather than reactive. That is, be prepared to invest in developing comprehensive reputational risk management strategies that include robust controls on IT risks, particularly those related to security, business continuity and tech support.
  • Create an organization where IT managers collaborate with other risk management specialists. Together, they should be tasked with presenting a comprehensive profile of organization-wide reputational risks to senior management.
  • Engage in scenario analysis, especially with new and emerging technology. Don’t wait for the worst to happen — there are plenty of case studies to be used as a basis for “what-if” planning.
  • Assess risks across the entire supply chain. A failure by a downstream supplier can be just as devastating as an internal problem, and risk controls can be harmonized among key players.

A More Integrated, Holistic Approach

This more integrated, enterprise-wide approach to risk management — led by the C-suite on down — can help your organization increase the attention being paid to the direct reputational impact of IT risks, and help you mitigate those risks (including those stemming from the use of new technologies).

To learn more and to gain access to the full study, go here.

%d bloggers like this: