Archive for the ‘security’ Category
A Crypto Kinda Friday
It’s a crypto kinda Friday.
Engadget’s reporting on an interesting blockchain story, one which has ticket broker Ticketmaster fighting bogus ticket sales by acquiring Upgraded.
Upgraded is a company that combine’s the distributed trust of blockchain with encrypted barcodes to minimize the fraud sometimes seen with paper-based or PDF tickets.
The Engadget story claims with the new one solution one would “have a clearer sense of when a concert pass is legitimate, while even holders will have more of a grip on where their tickets are going.” But Ticketmaster told Engadget it didn’t have a definitive time frame for integrating the Upgraded’s solution.
…While U.S.-based cryptocurrency exchange Coinbase made a recently developed automated security scaling tool available to the public.
In a report from Coindesk, it was said Coinbase released a program called “Salus” which can automatically choose to run and configure different security scanners and issue a report on the results.”
Salus was available as an open-source tool via GitHub starting yesterday, and is said to “offer the advantage of being able to centrally coordinate security scans across a large number of software storage repositories, avoiding having to configure a scanner for each project.”
And finally, if you’re worried about those crypto assets, U.K-based security firm G4S announced a new service for protecting them.
According to a story from Cointelgraph, the company is offering high-security offline vault storage for crypto assets, a new capability which builds on the company’s existing expertise, which is running prisons and detention centers.
What’s fascinating about the offering is the how. G2S explained in a press release that the company not only take crypto assets offline, but it breaks them up into fragments so that they are independently without value, and then stored in the company’s security vaults.
Access to these sites is heavily restricted with multiple layers of security and robust protocols, and only when all the fragments are combined with specific technology can they unlock access to the value stored within.”
“It has been a justified cliche to describe the cryptocurrency space as a Wild West. Working with our clients, our innovative vault storage concept offers the highest protection to keep people and their assets secure and bring order to the frontier.
So how long until we see a cold storage Bitcoin heist flick on the big screen? Maybe not until Bitcoin gets back over $10K?!
IBM X-Force’s New Services for Automotive and IoT
The Black Hat 2017 security conference kicks off this week in Viva Las Vegas, Nevada (actually, the happening unofficially started over the weekend).
So it’s no surprise that IBM Security earlier today announced the launch of two new security testing practice areas focused on automotive security and the Internet of Things (IoT).
The new services will be delivered via an elite team of IBM X-Force Red researchers focused on testing backend processes, apps and physical hardware used to control access and management of smart systems.
The new IoT services will be delivered alongside the Watson IoT Platform to provide security services by design to organizations developing IoT solutions for all industries. The Watson IoT Platform provides configuration and management of IoT environments, and the IBM X-Force Red services bring an added layer of security and penetration testing.
IBM X-Force Red marked its first-year anniversary with the addition of security specialists such as Cris Thomas (aka Space Rogue) and Dustin Heywood (aka Evil_Mog with Team Hashcat), who add to the team’s impressive roster of talent globally. To further optimize their engagements, IBM X-Force Red has also built a password cracker called “Cracken” designed to help clients improve password hygiene.
IBM X-Force Red at Black Hat 2017 and DEF CON 2017
Charles Henderson, Global Head of IBM X-Force Red, will present his discussion of real-life penetration testing, “Better Than Mr. Robot” at Black Hat USA 2017. The session will be held in Business Hall Theater B, Mandalay Bay on Thursday, July 27 from 11:00-11:50 a.m. PT.
Chris Thompson, Red Team Ops Lead, IBM X-Force Red, will present his demonstration of advanced Red Team tactics, “MS Just Gave the Blue Team Tactical Nukes (and How Red Teams Need to Adapt)” at DEF CON 25. The demo will be held in the 101 Track on Saturday, July 30 from 3:00-3:45 p.m. PT.
X-Force Red and other IBM Security experts will demonstrate the latest offerings at Booth #616, Level 1 Business Hall, Mandalay Bay on July 26 & 27.
You can learn more about IBM Security solutions here.
Over 90 Custom Apps Now ON IBM Security App Exchange
The IBM Security App Exchange has now grown to over 90 custom applications from IBM and Business Partners.
Over 30,000 apps, content packs and tools have been downloaded since the launch of the App Exchange, allowing users to extend the capabilities of IBM’s Security technologies with custom apps and integrations.
Launched in December 2015, the IBM Security App Exchange is a community marketplace for customers, Business Partners and other developers to build and share applications which build upon and integrate with IBM Security products.
The IBM Security App Exchange has been populated with new applications from more than 30 Business Partners, including Trend Micro, Recorded Future, BluVector and Ziften.
Through this collaboration, customers now have access to new solutions which can help them streamline their security operations, potentially saving valuable resources and allowing their security teams to remain focused on the latest threats rather than technology management and integration.
Combining these partner applications with innovative new security apps developed within IBM Security, the App Exchange is now home to 92 applications which extend across the IBM Security portfolio, including IBM QRadar security intelligence platform,BigFix endpoint management, Guardium data protection, MaaS360 mobile device management, Resilient incident response platform, and IBM’s open source threat intelligence platform, X-Force Exchange.
“As threats are evolving faster than ever, collaborative development amongst the security community will help organizations adapt quickly and speed innovation in the fight against cybercrime,” said Sandeep Mukherjee, Marketing Manager, IBM Security. “The rapid growth of the IBM Security App Exchange shows the value that this collaboration is providing to partners and customers.”
You can visit the IBM Security App Exchange here.
IBM Delivers Watson For Cyber Security, New Watson-Powered Chatbot And Voice-Powered Assistant
IBM security has announced the availability of Watson for Cyber Security, the industry’s first augmented intelligence technology designed to power cognitive security operations centers.
Over the past year, Watson has been trained on the language of cyber security, ingesting over 1 million security documents. Watson can now help security analysts parse thousands of natural language research reports that have never before been accessible to modern security tools.
Watson for Cyber Security will be integrated into IBM’s new Cognitive SOC platform, bringing together advanced cognitive technologies with security operations and providing the ability to respond to threats across endpoint, network, users and cloud.
The centerpiece of this platform is IBM QRadar Advisor with Watson, a new app available in the IBM Security App Exchange, which is the first tool that taps into Watson’s corpus of cyber security insights.
This new app is already being used by Avnet, University of New Brunswick, Sopra Steria and 40 other customers globally to augment security analysts’ investigations into security incidents.
IBM has also invested in research to bring cognitive tools into its global X-Force Command Center Network, including a Watson-powered chatbot currently being used to interact with IBM Managed Security Services customers.
IBM also revealed a new research project, codenamed “Havyn,” pioneering a voice-powered security assistant that leverages Watson conversation technology to respond to verbal commands and natural language from security analysts.
The project uses Watson APIs, Bluemix and IBM Cloud to provide real-time response to verbal requests and commands, accessing data from open source security intelligence, including IBM X-Force Exchange, as well as client-specific historic data and their security tools.
Watson is also currently engaging with clients daily via a new chatbot tool deployed in IBM’s X-Force Command Center Network, which manages over 1 trillion security events per month. Clients can choose to ask Watson questions via instant messaging about their security posture or network configurations.
For example, clients can ask Watson questions about a device or ticket status. The tool is also capable of executing commands from IBM MSS customers, such as reassigning a ticket to a new owner.
Go here to learn more about Watson for Cyber Security and the Cognitive SOC.
IBM Plans to Acquire Security Visualization And Management Firm Agile 3 Solutions
IBM Security today announced plans to acquire Agile 3 Solutions, a developer of software used by the C-Suite and senior executives to better visualize, understand and manage risks associated with the protection of sensitive data.
The addition of Agile 3 Solutions’ capabilities to IBM Security’s portfolio adds an intuitive tool to improve C-Suite decision making as businesses prepare to defend themselves against cybercrime.
As cybersecurity has become a board-level issue, there is a growing need for the C-suite and the Board to understand their security posture through the lens of business risk, not just the technical security data and metrics.
Business leaders must be equipped to make risk-based decisions and prioritize investments toward the cybersecurity readiness and resilience. In fact, Gartner predicted that “by 2017, 80% of IT risk and security organizations will report metrics to non-IT executive decision makers; however, only 20% will be considered useful by the target audience.”
Agile 3 Solutions is a San Francisco-based, privately held company that provides business leaders with a comprehensive, business-friendly dashboard and intuitive data risk control center to help uncover, analyze, and visualize data-related business risks.
Financial terms of the deal were not disclosed and the transaction is expected to close within several weeks.
For more information about Agile 3 Solutions, go to http://www.ibm.com/security/announce/agile3/
IBM Study: Business More Likely To Pay Ransomware Than Consumers
IBM Security has announced results from a study finding 70 percent of businesses infected with ransomware have paid ransom to regain access to business data and systems.
In comparison, over 50 percent of consumers surveyed said they would not pay to regain access back to personal data or devices aside from financial data.
For those not familiar with the practice, ransomeware is an extortion technique used by cybercriminals where data on computers and other devices is encrypted and held for ransom until a specified amount of money is paid.
The IBM X-Force Study, “Ransomware: How Consumers and Businesses Value Their Data’ surveyed 600 business leaders and more than 1,000 consumers in the U.S. to determine the value placed on different types of data.
Key findings from the survey:
- While over half of consumers surveyed initially indicated they would not pay the ransom, when asked about specific data types, 54 percent indicated they would likely pay to get financial data back
- More than half (55 percent) of parents surveyed would be willing to pay for access to digital family photos vs. 39 percent of respondents without children
Businesses Held For Ransom Likely To Pay
Nearly one in two business executives surveyed have experienced ransomware attacks in the workplace. The study found 70 percent of these executives said their company has paid to resolve the attack, with half of those paying over $10,000 and 20 percent paying over $40,000.
Nearly 60 percent of all business executives indicated they would be willing to pay ransom to recover data. Data types they were willing to pay to recover included financial records, customer records, intellectual property, and business plans.
Overall, 25 percent of business executives said, depending upon the data type, they would be willing to pay between $20,000 and $50,000 to get access back to data.
As for small businesses, well, they remain a ripe target. Only 29 percent of small businesses surveyed have experience with ransomware attacks compared to 57 percent of medium-sized businesses. While cybercriminals may not view these businesses as offering a big payday, a lack of training on workplace IT security best practices can make them vulnerable. The study found that only 30 percent of small businesses surveyed offer security training to their employees, compared to 58 percent of larger companies.
Preparing For And Responding To Ransomware
Preparing for and Responding to Ransomware
With the financial returns on ransomware growing north of a $1 billion for cybercriminals, IBM anticipates it and other extortion schemes will continue to grow. ‘
Both businesses and consumers can take some steps to help defend themselves from ransomware. IBM X-Force experts recommends the following tips to protect yourself and your business:
- Be vigilant. If an email looks too good to be true, it probably is. Be cautious when opening attachments and clicking links.
- Backup your data. Plan and maintain regular backup routines. Ensure the backups are secure, and not constantly connected or mapped to the live network.
- Disable macros. Document macros have been a common infection vector for ransomware in 2016. Macros from email and documents should be disabled by default to avoid infection.
- Patch and purge. Maintain regular software updates for all devices, including operating systems and applications. Update any software you use often and delete applications you rarely access.
For additional tips and details on the survey findings, you can download the full report at: https://ibm.biz/RansomwareReport.
In addition, Resilient, an IBM Company, today announced an industry-first Dynamic Playbook to help organizations respond to ransomware and other complex attacks. Resilient Dynamic Playbooks orchestrate response in real-time, adapting the actions organizations need to take in response to cyberattacks as they unfold.
If you are a victim of ransomware, the FBI and other law enforcement agencies advise victims to avoid paying a ransom to cybercriminals. They do recommend you report a cybercrime, including becoming the victim of ransomware to the appropriate authorities:
- In the U.S. report via the FBI’s Internet Crime Complaint Center (IC3): https://www.ic3.gov/default.aspx
- In Europe report via Europol’s Cybercrime Reporting website: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
Batten Down The Hatches! IBM’s X-Force 2012 Trend And Risk Report
It’s been a busy year for IT security incidents. Yesterday, John Markoff and Nicole Perlroth with The New York Times told us about yet another incident, this time a cyberattack involving antispam group Spamhaus and an anonymous group unhappy with their efforts.
Click to enlarge. Based on disclosed incident details such as the vulnerability used and attack type, IBM X-Force was able to determine that the majority of the security incidents disclosed in 2012 were carried out by the top left quadrant above, with attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.
But the list goes on and on. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations have been inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents—which had already hit a new high in 2011—continued their upward trajectory.
At the mid-year of 2012, IBM’s X-Force team predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case. While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection.
What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives. Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, X-Force looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices.
That said, recent developments have indicated that while these dangers still exist, and X-Force believes mobile devices should be more secure than traditional user computing devices by 2014. While this prediction may seem far fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
In its latest report, X-Force explores how security executives are advocating the separation of personas or roles on employee-owned devices. It also addresses some secure software mobile application development initiatives that are taking place today. The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose.
Click to enlarge. The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites and because they are so frequently accessed,
they have become a favorite target of scam and phishing.
Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems.
Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
As X-Force also reported in the mid-year, spam volume remained nearly flat in 2012, with India claiming the top country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts continue to fool end users with crafty social-engineering email messages that look like legitimate businesses. Also, fake banking alerts and package delivery service emails have been effective as attackers refine their messages to look like the authentic messages that customers might normally receive.
Whether the target is individuals or the enterprise, once again, X-Force reminds organizations that many breaches were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.
Web applications are still topping the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end of year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of all publicly released vulnerabilities. Although SQL injection attack methods remain as a top attack technique, the actual disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak X-Force recorded.
Social media has dramatically changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities.
Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.
Click to enlarge. The values for the evaluated threat and residual threat can be determined by comparing the likelihood or frequency of a threat occurring (high, medium, low) against the damage impact that could happen if the threat occurred (catastrophic, high, medium, low). The goal is to implement mitigation processes that either reduce the frequency of the threat occurring or reduce the impact if the threat does occur. A requirement for this to be successful is to have a specific, designated monitoring mechanism to monitor the implementation of the treatment processes and for the appearance of the threats.
2012 X-Force Trend And Risk Report Highlight
Malware and the malicious web
- In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display.
- Based on data for 2012, it is not surprising that the bulk of the security incidents disclosed were carried out with the majority of attackers going after a broad target base while using off-the-shelf tools and techniques. X-Force attributes this to the wide public availability of toolkits and to the large number of vulnerable web applications that exist on the Internet.
- The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the implementation of botnets on compromised web servers residing in high bandwidth data centers. This technique assisted in much higher connected uptime as well as having more bandwidth than home PC’s to carry out the attacks. In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.
- IBM Managed Security Services (MSS) security incident trends are markers that represent the state of security across the globe. The relative volume of the various alerts can help to describe how attacks are established and launched. They also frequently provide hints about how methods have evolved. Based on this, the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet.
- IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic due, in large part, to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets.
- Web browser exploit kits (also known as exploit packs) are built for one particular purpose: to install malware on end-user systems. In 2012 X-Force observed an upsurge in web browser exploit kit development and activity—the primary target of which are Java vulnerabilities—and X-Force supplies some strategies and tips to help protect against future attacks (see end of post to download full report).
- Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform—a rare combination that affords attackers a lot of value for their investment. Web content trends, spam, and phishing Web content trends Top used websites are readily deployed as IPv6- ready, although attackers do not yet seem to be targeting IPv6 on a large scale.
- One third of all web access is done on websites which allow users to submit content such as web applications and social media.
- Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information.
Spam and phishing
- Spam volume remained nearly flat in 2012.
- India remains the top country for distributing spam, sending out more than 20% of all spam in the autumn of 2012. Following India was the United States where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam sending countries of origin were Vietnam, Peru, and Spain.
- At the end of 2012, IBM reports that traditional spam is on the retreat, while scam and spam containing malicious attachments is on the rise. In addition, attackers are demonstrating more resiliency to botnet take downs which results in an uninterrupted flow of spam volume.
Operational Security Practices
Vulnerabilities and exploitation
- In 2012, there were over 8,168 publicly disclosed vulnerabilities. While not the record amount X-Force expected to see after reviewing its mid-year data, it still represents an increase of over 14% over 2011.
- Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012.
- Cross-site scripting vulnerabilities accounted for over half of the total web application vulnerabilities disclosed in 2012. Cross-site scripting dominated the web vulnerability disclosures. Fifty-three percent of all publicly released web application vulnerabilities were cross-site scripting related. This is the highest rate X-Force has ever seen. This dramatic increase occurred while SQL injection vulnerabilities enjoyed a higher rate than 2011 but were still down significantly since 2010.
- There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels.
- Web browser vulnerabilities declined slightly for 2012, but not at as high a rate as document format issues. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical severity web browser vulnerabilities saw an increase of 59% for the year.
- Few innovations have impacted the way the world communicates quite as much as social media. However, with the mass interconnection and constant availability of individuals, new vulnerabilities and a fundamental shift in intelligence-gathering capabilities has provided attackers and security professionals alike with information useful for enhancing their activities.
- Rather than seeing a particular enterprise as an individual entity, attackers can view enterprises as a collection of personalities. This gives attackers the opportunity to target specific people rather than enterprise infrastructures or applications. Furthermore, targeted people may also be targeted as individuals and not just as employees. In other words, the personal activities and lives of employees can be leveraged to target an enterprise.
Emerging Trends In Security
Mobile
- Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
- Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number of enterprises have wanted or required some form of separation or dual persona on mobile devices. This difference in use or adoption could be the result of greater numbers of devices driving greater risk in the percentage of personally owned mobile devices versus personally owned PCs in a BYOD program.
- In many cases, enterprises have made significant investments into implementing Secure Software Development Life Cycle (SSDLC) processes. Today’s mobile application development benefits from this. Tools exist to support secure development as part of the process instead of being conducted in qualification or production. As a result, it should be more common for enterprises to have more securely developed mobile applications than their existing legacy applications. Closure of vulnerabilities in some traditional computing applications may only conclude as existing versions are sunset and replaced with newer, more securely developed replacements.
- Over 2012, it is safe to conclude that more enterprises are supporting BYOD or the use of personally owned devices than previously. In the last two years, IBM Security has spoken to hundreds of global 2000 customers and out of those interviewed, only three said they had no plans to implement any kind of BYOD program.
To learn more on how your organization can work to address these types of vulnerabilities, download the full IBM X-Force 2012 Trend And Risk Report here.
Live @ IBM Pulse 2013: A Cloud Computing Security Roundtable
At the IBM Cloud Security press roundtable, several IBM Security experts expounded on the issues and challenges organizations are facing as they work to better secure their cloud computing environments.
If you’ve followed the headlines recently, you can’t help but notice the constant barrage of news concerning security break-ins at some of the most public cloud sites on the planet: Facebook, Google, Evernote…the list goes on and on.
Yet in spite of the looming cloud security concerns, enterprises and organizations continue to ramp up their investments in both public and private cloud infrastructure as a cost-effective, dynamic way to scale up their IT capacity.
At the IBM Cloud Security roundtable here at IBM Pulse 2013 yesterday in Las Vegas, several IBM security experts came together to discuss some of the challenges, best practices, and solutions to protect against threats and provide security-rich cloud computing environments.
Jack Danahy, director of security for IBM North America, hosted the panel before the gathered industry press, and offered up some prefacing comments to set the stage for the security discussion.
Jack began by stating that 9 out of 10 global CEOs say that cloud computing is critical to their business plans and “a way to increase their organizational productivity, but all also admit security is a lingering concern.”
Brendan Hannigan, the general manager for the IBM Security Division, explained that there are some key basic security concerns around cloud, including the safety of enterprise data, and whether or not it can be compromised or lost.
Hannigan explained: “Cloud is simply another computer upon which we can deploy capabilities for our customers, and we should be able to look at cloud security the same way we do across other domains.” That includes giving organizations a single view of identity across their cloud environments.
Kris Lovejoy, general manager for IBM Security Systems, discussed some of the key inhibitors to organizations providing more effective cloud security measures, and explained that the cloud is actually inherently more securable than traditional IT infrastructure because of they way it’s designed and the manner by which you can replicate security controls.
So if the cloud is inherently more securable, why the seeming contradiction that nobody seems to be able to effectively secure it?
Because, Lovejoy explained, when you buy public cloud capability you typically have to buy the security features as an added extra, and may customers don’t do so.
“Think about the provider as being a hotel,” Lovejoy explained, “and in each hotel room they have a series of diseases. The provider must provide you good housekeeping to protect you from diseases in the other rooms, and yet so many cloud computing tenants don’t make that obvious investment to protect their cloud applications and data.”
When Danahy asked the panel about what can be done to make executives more comfortable with the idea of security investments in the cloud space, Hannigan chimed in, and explained the rationale comes down to a distinction in the type of data you’re working with, and delineating between the information that is critical and that which is less sensitive.
“When you have a specific application or data set,” Hannigan explained, “there are wonderful opportunities afforded by the cloud because in security, one of the biggest challenges is striking a balance between locking the infrastructure down and providing free and unfettered access to the that information customers and employees need.”
Lovejoy explained it was not dissimilar from the crazy notion of automakers selling cars without seatbelts or brakes. “You don’t want to suddenly discover you don’t have these features going 60 miles per hour down the interstate.”
Kevin Skapintez, program director of product strategy for IBM Security, said that the need for more cloud security standards reminded him of the late 1800s, when fire hydrants had different nozel sizes that required varying widths of connectors for the hoses.
“You have to have standards related to identity,” Kevin explained, “so you don’t have to build different registries per cloud!”
“More organizations needed to also heighten their log management regimes,” he explained, “so that they have improved visibility to see if they have the right controls in place and where incidents are occuring.”
Lovejoy explained that “most organizations have a pretty defined pathway to cloud success.” Many are using develop and test environments and are moving to non-core workloads, allowing a lot of applications to emerge and consolidate on the cloud.
At the same time, she explained, most companies are planning a security operations optimization and that the cloud is a remarkable opportunity. “As we consolidate,” she explained, “things get simpler. Companies need to think about this in the context of business transformation. You need to adopt the cloud in a safe and reliable manner while managing the risk.”
During the Q&A, I asked the panel whether or not all these very public public cloud security incidences we’ve seen in the headlines were driving any real productive conversation in terms of making cloud security more of a priority.
Lovejoy explained the scenario typically went something like this: A CEO would call up their provider, ask for an assessment, give them a threat briefing, then go to a third party standard to see if they matched the security checklist.
But that not enough of them were what she termed “security aware.”
Hannigan concluded, “It’s a classic dilemma with security spending. Security concerns are not specific just to the cloud, and clients are working about losing data, period. The question is, can they invest all the money necessary to adequately secure those environments?”
To date, the answer seems to largely be “no.”
IBM Unveils Comprehensive Mobile Portfolio
Click to enlarge the infographic. As the first new technology platform for business to emerge since the World Wide Web, mobile computing represents one of the greatest opportunities for organizations to expand their business. Based on nearly 1,000 customer engagements, 10 mobile-related acquisitions in the last four years, a team of thousands of mobile experts and 270 patents in wireless innovations, IBM MobileFirst offers an array of solutions that helps businesses connect, secure, manage and develop mobile networks, infrastructures and applications.
IBM is going big on mobile.
Today, the company unveiled “IBM MobileFirst,” a comprehensive mobile strategy that combines security, analytics, and application development software, with cloud-based services and deep mobile expertise.
Using IBM MobileFirst solutions, businesses can now streamline everything from the management of employee mobile devices, to the creation of a new mobile commerce app that will transform their entire business model.
Today’s move by IBM builds off of its experience helping nearly 1,000 customers become mobile enterprises, and takes advantage of its thousands of mobile experts and 270 patents in wireless innovations.
IBM has made 10 mobile-related acquisitions in the past four years alone.
IBM also announced an expanded relationship with AT&T to provide developers with tools to create faster, richer mobile apps and services for customers. For instance, organizations can now quickly incorporate payment and messages into their apps.
With this expanded partnership, the AT&T API Platform, featuring IBM Worklight Adapters, will enable the more than 31,000 members of the AT&T Developer Program to quickly create and securely deploy enterprise apps that improve subscriber engagement and customer loyalty.
With these adapters that support AT&T’s ecosystem of APIs including those for speech, SMS, device capabilities, notary management and payment, developers can quickly and securely create rich, business-ready apps across a variety of platforms including iOS, Android and Windows.
Through IBM MobileFirst, IBM is providing companies with the essential tools to take advantage of new business opportunities being enabled by mobile.
A Broad Portfolio of Mobile Solutions
To be successful in embracing mobile for driving revenue growth, clients must have an integrated strategy for mobile, cloud, big data, social business and security. Today’s announcements from IBM help clients harness these complex technologies to drive innovation and growth.
IBM’s mobile solutions portfolio provides the key elements of an application and data platform with the management, security and analytics capabilities needed for the enterprise.
In addition to meeting mobile-specific requirements, the portfolio provides for rapid integration between social and cloud services as well as back-end technologies that help secure and manage strategic business processes. Key aspects include:
- IBM MobileFirst Platform – New updates include expanded capabilities of IBM Worklight to simplify deployment. It also features single sign-on capabilities for multiple applications. A new beta of the Rational Test Workbench for mobile helps to improve the quality and reliability of mobile apps.
- IBM MobileFirst Security – IBM extends its context-based mobile access control solutions and expands mobile application vulnerability testing with support for Apple iOS apps with the latest release of AppScan.
- IBM MobileFirst Management – New updates to IBM Endpoint Manager include enhanced support for Bring Your Own Device (BYOD) programs and increased security standards that are critical to governments and regulated environments.
- IBM MobileFirst Analytics – IBM is expanding its Tealeaf CX Mobile solution to give enterprises more visual insight into mobile behaviors so they can better understand where improvements are needed and create exceptional and consistent consumer experiences across mobile devices.
To provide organizations with maximum flexibility and accelerate their adoption of mobile computing, these solutions can also be delivered through cloud and managed services.
A Deep Set of Mobile Services for Clients
Enterprises are embracing the mobile revolution at a rapid pace. IBM has thousands of mobile experts to help clients understand how industries will be transformed in a mobile world, based on client engagements across more than a dozen industries.
The IBM MobileFirst portfolio features several services to help clients establish mobile strategies, design and implement mobile projects. These include:
- IBM MobileFirst Strategy and Design Services – Clients can tap into IBM expertise to map out a mobile strategy for employees and customers, and key experience design skills from IBM Interactive to build compelling mobile experiences. IBM’s new Mobile Maturity Model can assess how a business is progressing towards becoming a mobile enterprise, while new Mobile Workshops help clients develop applications, architect infrastructure and accelerate their mobile progress.
- IBM MobileFirst Development and Integration Services – IBM offers services that help organizations roll out a mobile infrastructure and manage mobile application portfolios and BYOD environments. Enhanced Network Infrastructure Services for Mobile provide IT network strategy, optimization, integration and management. Mobile Enterprise Services for Managed Mobility help manage and secure smartphones, tablets and devices across a business. Mobile Application Platform Management helps speed deployment of mobile infrastructure to develop mobile applications more easily and quickly.
An Expansive Set of Mobile Resources and Programs for Business Partners, Developers and Academics
According to IBM’s recent Tech Trends Report, only one in 10 organizations has the skills needed to effectively apply advanced technologies such as mobile computing.
To help overcome this skills gap, IBM is rolling out a series of resources to help its ecosystem of developers, partners and academics tap into the mobile opportunity and augment existing skills or develop new ones.
These include:
- Developers – IBM today is announcing a relationship with AT&T that will enable developers to enhance mobile apps by using IBM Worklight to access AT&T’s APIs in the cloud. Now, developers have another tool with AT&T to quickly and easily create apps with rich features such as speech recognition and rapid payment. IBM is also rolling out new technical assets on developerWorks and CodeRally, a developer game community.
- Business Partners – With Ready for IBM MobileFirst, Independent Software Vendors (ISVs) can also embed mobile technologies into their solutions and Software Value Plus now provides mobile certifications, workshops and incentives for resellers and systems integrators.
- Academics – To help train the next generation of mobile developers, IBM is offering new faculty grants for curricula development. IBM is also making IBM Worklight available, free of charge, for the classroom and via online training to teach both students and faculty to develop for mobile environments.
IBM Global Financing, the lending and leasing arm of IBM, can also help companies affordably transform into mobile enterprises.
Credit-qualified clients can take advantage of simple, flexible lease and loan packages for the IBM MobileFirst portfolio — some starting at as low as 0% for 12 months with no up-front costs — allowing businesses to acquire essential technology and services while managing cash flow more effectively.
To learn more, visit the IBM MobileFirst site. You can also follow @ibmmobile, #ibmmobile on Twitter, and see IBM MobileFirst on YouTube, Tumblr and Instagram.
Also, watch the video below (3:46), for it paints a broad, comprehensive, and gorgeous “picture” of the enterprise mobile opportunity and challenges.
IBM MobileFirst Announcement Coverage:
Taking The Pulse On Mobile
IBM Pulse 2013 is introducing a new social networking feature called “Pulse on Vivastream,” where you can connect and interact with other attendees and speakers to find people with similar interests and skills, share agendas, discuss hot and trending topics, and network with your peers. So, sign up now so you can make the most of IBM Pulse 2013 — before, during, and after the event.
First it was Ubuntu Linux on phones, and now it looks like it’s going to be Ubuntu Linux on Tablets.
TechCrunch posts that on Thursday, developers will be able to start “playing with” the new code, citing Ubuntu founder and VP Products Mark Shuttleworth saying that the strategy is “One Ubuntu” that contains the same codebase but works across multiple platforms, including desktops, phones, and tablets.
But, that each platform “uses a Linux kernel” that’s tailored for the specifics of the target hardware.
This in juxtaposition with iOS and Android, which don’t work as well beyond the handset form factor.
For the record, I currently run Ubuntu on several of my older machines, and save for some VPN woes, I’m a (mostly) happy Ubuntu user.
But what’s more interesting to me about this announcement is the timing. The global mobile confab, Mobile World Congress, is set to launch next week in Barcelona (one of my favorite cities on the planet!).
And speaking of mobile, just last week, IBM announced that Forrester Research, Inc. has recognized IBM as a leader in enterprise mobility services in its recent Forrester Wave report “Enterprise Mobility Services, Q1 2013.”
The report gave IBM the highest score possible on its current offering, writing that IBM “brings clients a world-class design agency (IBM Interactive) combined with breadth and depth of enterprise mobility consulting in terms of technology and global presence.”
I expect you’ll hear more about IBM’s mobile strategy in Barcelona, and shortly thereafter at the IBM Pulse event in Las Vegas, which I’ll be covering for Big Blue.
If you’re planning on attending IBM Pulse, I would highly recommend you start preparing your schedule now. Already-registered attendees simply need go to the Pulse SmartSite to start checking out this year’s fare.
But wait, there’s more!
This year, IBM has introduced an exciting new social feature in the form of Pulse on Vivastream, a unique social networking platform where you can connect and interact with other attendees and speakers in advance of, during, and after the event to find people with similar interests and skills, share agendas, discuss hot and trending topics, and network with other attendees before you ever land in the land of what happens there stays there.
I’m already registered on “Pulse on Vivastream” myself, so feel free to drop by and introduce yourself.
This year, IBM Pulse guest speakers and performers include 4-time NFL MVP quarterback Peyton Manning and 6-time Grammy Award winner Carrie Underwood.
You’ll also have the opportunity to mix it up with 8,000+ of your peers and hear from IBM business partners and top industry analysts on the latest trends and hottest IT topics…including, yes, mobile.
You can go here to learn more about IBM Pulse 2013, which goes from March 3-6.
I’ll be bringing you more insights and coverage leading up to and during the event right here in the Turbo blog, and will once again be broadcasting via the Interwebs from the show floor, speaking with a variety of IBM executives, industry analysts, and other thought leaders that help make the IBM Tivoli world go round.
turbotodd
Turbotodd 