Archive for the ‘security’ Category
An important announcement earlier today from IBM: The appointment of the company’s new Chief Privacy Officer, Christina Peters.
Peters has worked as a practicing attorney with IBM since 1996 (first in Germany, later in the US), and has handled a wide range of complex transactional, policy, compliance, litigation, and cybersecurity matters in the United States and internationally.
Peters was educated at Dartmouth College (summa cum laude) and Harvard Law School (magna cum laude), where she was an Executive Editor of the Harvard Law Review.
Following a District of Columbia Circuit clerkship, Peters worked at D.C.-based law firm, Covington & Burling. Prior to joining IBM, she was a Robert Bosch Fellow in Germany, where she worked at the Federal Cartel Authority and Deutsche Telekom.
In her new role, Peters will guide and oversee IBM’s global information policy and practices affecting more than 400,000 employees and thousands of clients. She will lead the company’s global engagement in public policy and industry initiatives on data security and privacy, and continue to serve on the advisory board of the Future of Privacy Forum.
Peters also is responsible for a worldwide team of legal, data protection and technical professionals at IBM who address privacy and data security in the leadership manner expected of the company’s global brand.
IBM was the first major corporation to appoint a Chief Privacy Officer in 2000 and has consistently applied advanced techniques and technologies across its global business operations and practices. IBM’s numerous privacy advancements include:
- First company to adopt a global privacy code of conduct.
- First to adopt a genetic non-discrimination policy.
- First to establish a policy to only advertise on websites with visible privacy statements.
As IBM’s general manager for its Security Systems Division will tell you, we’re entering into a perfect IT security storm.
These days, hackers are more sophisticated, your data is increasingly accessed anytime and anywhere and often resides in the cloud.
Fewer access points are corporately-controlled, and there is a growing digital data explosion while the compliance demands on staff and systems escalate.
These trends mean corporate IT security can no longer be an afterthought where a secure perimeter is good enough. Instead, security intelligence preventing, detecting and addressing system breaches anywhere must start in the boardroom and become part of your organization’s IT fabric. It is now imperative to be woven into your everyday business operations.
Brendan Hannigan brings more than 25 years of industry experience to his role as general manager of the new IBM Security Systems Division.
Previously, he was the president and chief executive officer of Q1 Labs, the acquisition of which catalyzed the creation of the Security Systems Division.
This new division brings together many capabilities across IBM to respond to the market need for sophisticated, comprehensive and integrated approaches to enterprise security.
Prior to Q1 Labs, Brendan was vice president of marketing and technology at Sockeye Networks; director of network research at Forrester Research; and served in a variety of senior-level product development roles at Digital Equipment Corporation, Wellfleet Communications, and Motorola.
We discussed a number of security-related topics during our Q&A at IBM InterConnect, including browser exploits, the need for increased security intelligence, and IBM’s bi-annual X-Force Trends and Risk Report, which I’ve covered extensively in this blog.
You can see our interview here.
As hackers increasingly find new and nefarious ways to threaten the global digital infrastructure, recent policy advancements such as the proposed “Cybersecurity Act of 2012” in the U.S. have been introduced as solutions to the world’s growing cybersecurity problem.
While IBM accepts it is an imperative to properly secure critical systems, private sector advancements should be balanced with pragmatic legislative policies that avoid overly-prescriptive mandates that can inhibit the very innovation needed to ensure cybersecurity.
Consequently, IBM moved quickly and sent a letter urging the U.S. Senate to address flaws in the proposed cybersecurity bill.
According to IBM’s X-Force 2011 Trend and Risk Report, cyber attackers are adapting and moving quickly to target newer information technologies such as social networks and mobile devices. This rapidly evolving nature of cyber attacks necessitates a new approach to enabling cybersecurity.
Responding to the ever-changing nature and volume of attacks requires agility, risk-based management, and a commitment to innovative defensive measures. IBM supports bipartisan, cybersecurity legislation, but the “Cybersecurity Act of 2012” would add bureaucracy to a process that needs speed to succeed.
Government and industry would be best served by a common-sense approach to cybersecurity that allows for investment in R&D, improved information sharing between public and private sectors, better security for federal IT networks, and criminal penalties for cyber-crimes.
Industry Solutions To A Network Problem
Advanced threats, rapid adoption of social media, and Web applications have also been driving the need for new, intelligent approaches to security.
As employee access to the Web has become ubiquitous, enterprises are struggling with massive increases in malware as well as Advanced Persistent Threats (APTs), which can compromise proprietary data.
Many of today’s security solutions often offer limited visibility and control over network activity, which can put the company at risk.
To help clients proactively protect against evolving security threats, including those posed by social media sites and malicious websites, IBM today announced a new class of network security appliance that delivers a more granular view of a company’s security posture and a simplified security management interface.
This new next-generation intrusion prevention appliance helps clients address advanced attacks targeting their organization, providing visibility into exactly what applications are being used on the network, where users are going on the Web, with the ability to monitor and control this activity, which can result in improved security and reduced operational costs.
IBM Security Network Protection XGS 5000 is a next-generation intrusion protection system specifically designed to address the constantly evolving, increasingly sophisticated threats that organizations face today.
It builds on the proven, core security features found in IBM Security Network Intrusion Prevention System, including helping protect against “zero-day” exploits, by adding new levels of visibility and control over the network, applications, data and users to help improve security by helping prevent misuse and identify previously undetectable threats.
IBM Security Network Protection incorporates global threat intelligence from X-Force, including a Web filter database of over 15 billion URLs — capable of monitoring and categorizing millions of Web servers and applications each day to provide superior protection against the changing threat landscape.
Gaining Control, And Visibility, Into Security Events
Once organizations are aware of the nature of activity on their network, the new application control features enable clients to have granular control over what is happening on their network; this means granular user and group-level control over which applications and Websites are permitted, and how they are used down to individual actions or activities within these applications and sites.
IBM Security’s Advanced Threat Protection Platform helps clients by providing the following features and capabilities:
- Proven security to help protect against zero-day threats: enables preemptive protection against a full spectrum of advanced threats, including Web application attacks and exploits hidden in files. IBM’s protection engine is built upon years of security intelligence gathered by X-Force Research, and can stop entire classes of attacks — including new and unknown threats – without updates; most solutions available today match individual protection signatures — a process that can be too slow to stop evolving threats and can result in higher rates of false positives and false negatives.
- Visibility and insight: provides application awareness, monitoring and control, with high level dashboards for drilling down into events and reporting. Also provides deep insight into the nature of activities on the network through broad application awareness and flow data analysis. Integrates with QRadar Security Intelligence Platform to provide even greater levels of insight including anomaly detection and event correlation.
- Control: utilizes intelligence related to Web applications, Websites, and non-Web applications, including Web application and Web site coverage with over 15 Billion URLs across 68 categories and support for 1000+ applications and actions.
IBM Security Network Protection XGS 5000 will be available starting in 3Q12.
About IBM Security
IBM’s security portfolio provides the security intelligence to help organizations holistically protect their people, data, applications and infrastructure. IBM offers solutions for identity and access management, security information and event management, database security, application development, risk management, endpoint management, next-generation intrusion protection and more.
IBM operates one of the world’s broadest security research and development, and delivery organizations. This comprises nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 15 billion security events per day in more than 130 countries and holds more than 3,000 security patents.
You ever get one of those emails where there are two headlines that couldn’t have been more synchronous?
That’s what I got today in a Washington Post email newsletter:
“New malware is 20 times size of Stuxnet”
“Cybersecurity experts needed to meet growing demand”
Surely the Post newsletter editor at least chuckled when he put those two together.
I didn’t chuckle, however, when I started reading up on this new Internet security phenom.
Wired’s Threat Level blog led with this: “A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.”
Here was The New York Times lead on the story: The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus, an Iranian cyberdefense organization confirmed on Thursday.
And, the Post led with: Researchers have identified a sophisticated new computer virus 20 times the size of Stuxnet, the malicious software the disabled centrifuges in an Iranian nuclear plant. But unlike Stuxnet, the new malware appears to be used solely for espionage.
The Post goes on to cite analysts who “suspect Israel and the United States, given the virus’s sophistication, among other things.”
Which is it, we need more cybersecurity experts in the U.S., or we’re the “nation-state” behind this latest cyber war virus?
Whatever the case, the BBC’s coverage included the following facts: Russian security firm Kaspersky Labs believed the malware had been operating since August 2010 and described Flame as “one of the most complex threats ever discovered.”
If you don’t remember Stuxnet, it was the alleged state-sponsored virus which wreaked havoc on Iran’s uranium centrifuges. This new malware, according to the BBC story, “appears not to cause physical damage,” but instead collects “huge amounts of sensitive information.”
Wired also adds to the story, reporting Flame was “written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals.”
Wired went on to report that “Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.”
Yes, indeedy. According to Wired, one of the modules in Flame is “one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity.”
It also allegedly contains a module that turns “Bluetooth-enabled computers into a Bluetooth beacon,” scanning for other Bluetooth-enabled devices in order to “siphon names and phone numbers from their contacts folder.”
It can also store “frequent screenshots of activity on the machine,” screenshots that include everything from emeetings to instant messages, email….you get the picture. Literally.
I don’t know about you, but I sense a whole new genre of cyber espionage novels looming on the horizon.
I’m back from IBM Impact 2012…but my brain is still processing all the information I took in through all the interviews Scott and I conducted for ImpactTV and for all the sessions I attended…and I won’t mention all the cocktails in the evenings where I learned SO much from my industry peers.
I’ll be putting together a recap post of some of the major announcements, and I’ve still yet to transcribe my interview with Walter Isaacson, but first, I wanted to highlight an important new study from IBM on the security front.
For those of you who follow the Turbo blog, you know the issue of security (particularly cybersecurity) is one I take very seriously and that I follow closely, partially because of my longstanding interest in the topic, and partially because I recognize we live in an imperfect world using imperfect technology, created and used by imperfect humans.
But the promise and hope for security, fallible though it may sometimes be, is a worthy aspiration. There are ideas, assets, and often even lives at risk, and the more we move up the stack into an intellectual capital driven global economy, the more there is at stake and the more that will be needed to protect.
So, that’s a long way of saying expect to be hearing even more from me on this important topic.
Chief Security Officers: “We’ve Got Our CEO’s Attention”
To that end, now for the new information security study results. The new IBM study reveals a clear evolution in information security organizations and their leaders, with 25 percent of security chiefs surveyed shifting from a tech focus to one of a more strategic business leadership role.
In this first study of senior security executives, the IBM Center For Applied Insights interviewed more than 130 security leaders globally and discovered three types of leaders based on breach preparedness and overall security maturity.
Representing about a quarter of those interviewed, the “Influencer” senior security executives typically influenced business strategies of their firms and were more confident and prepared than their peers—the “Protectors” and “Responders.”
Overall, all security leaders today are under intense pressure, charged with protecting some of their firm’s most valuable assets – money, customer data, intellectual property and brand.
Nearly two-thirds of Chief Information Security Executives (CISOs) surveyed say their senior executives are paying more attention to security today than they were two years ago, with a series of high-profile hacking and data breaches convincing them of the key role that security has to play in the modern enterprise.
Emerging Security Issues: Mobile And A More Holistic Approach
More than half of respondents cited mobile security as a primary technology concern over the next two years. Nearly two-thirds of respondents expect information security spend to increase over the next two years and of those, 87 percent expect double-digit increases.
Rather than just reactively responding to security incidents, the CISO’s role is shifting more towards intelligent and holistic risk management– from fire-fighting to anticipating and mitigating fires before they start. Several characteristics emerged as notable features among the mature security practices of “Influencers” in a variety of organizations:
- Security seen as a business (versus technology) imperative: One of the chief attributes of a leading organization is having the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. In fact, 60 percent of the advanced organizations named security as a regular boardroom topic, compared to only 22 percent of the least advanced organizations. These leaders understand the need for more pervasive risk awareness – and are far more focused on enterprise-wide education, collaboration and communications. Forward-thinking security organizations are more likely to establish a security steering committee to encourage systemic approaches to security issues that span legal, business operations, finance, and human resources. Sixty-eight percent of advanced organizations had a risk committee, versus only 26percent in the least advanced group.
- Use of data-driven decision making and measurement: Leading organizations are twice as likely to use metrics to monitor progress, the assessment showed (59 percent v. 26 percent). Tracking user awareness, employee education, the ability to deal with future threats, and the integration of new technologies can help create a risk-aware culture. And automated monitoring of standardized metrics allows CISOs to dedicate more time to focusing on broader, more systemic risks.
- Shared budgetary responsibility with the C-suite: The assessment showed that within most organizations, CIOs typically have control over the information security budget. However, among highly ranked organizations, investment authority lies with business leaders more often. In the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets. Lower ranking organizations often lacked a dedicated budget line item altogether, indicating a more tactical, fragmented approach to security. Seventy-one percent of advanced organizations had a dedicated security budget line item compared to 27 percent of the least mature group.
Recommendations to Evolve the Security Role in an Enterprise
To create a more confident and capable security organization, IBM recognizes that security leaders must construct an action plan based on their current capabilities and most pressing needs. The report offers prescriptive advice from its findings on how organizations can move forward based on their current maturity level.
For example, those “Responders” in the earliest stage of security maturity can move beyond their tactical focus by establishing a dedicated security leadership role (like a CISO); assembling a security and risk committee measuring progress; and automating routine security processes to devote more time and resources to security innovation.
About the Assessment
The IBM Center for Applied Insights study, “Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment,” included organizations spanning a broad range of industries and seven countries.
During the first quarter of 2012, the Center conducted double-blind interviews with 138 senior business and IT executives responsible for information security in their enterprises. Nearly 20 percent of the respondents lead information security in enterprises with more than 10,000 employees; 55 percent are in enterprises with 1,000 to 9,999 employees.
Click here to access the full study.
Some veddy interesting news on the cybersecurity front has reared its ugly head the last couple days.
First, VMware confirmed via CRN yesterday that proprietary source code from its ESX server hypervisor (server virtualization software) had been posted online, but in a blog post about the incident, the director of VMware’s Security Response Center said the posted code was created sometime in 2003 and 2004.
That raises questions as to relevance, according to CRN, with VMware explaining that “the fact that it has been made public does not necessarily put VMware customers at risk.”
Yet given the large number of providers that run vSphere, it could have “a broad and widespread impact.”
Here’s the blog post from VMware — for those potentially impacted, one to keep an eye on.
This just as the Obama Administration comes out against the current House cybersecurity bill entitled the “Cyber Intelligence Sharing and Protection Act,” or “CISPA,” a law proposed last November by U.S. Rep. Michael Rogers (R-MI) and 111 co-sponsors that would allow the voluntary sharing of attack and threat information between the U.S. Government and security cleared technology and manufacturing companies to try and ensure the security of networks against patterns of attack.
CISPA was reported out of committee on December 1, 2011, but has yet to be debated or brought to a vote.
The Electronic Frontier Foundation has also come out against the bill, concerned that the bill’s broad warnings would leave little protection for individual consumers and not provide effective judicial oversight for the types of monitoring the bill would allow.
If, in the meantime, you’re looking for some industry thought leadership on the topic of security, IBM’s own Marc Van Zadelhoff, the director of strategy for IBM’s still relatively new Security Solutions Division, look no further than this podcast interview (MP3, 17:45 minutes, 10.2 MB) where Marc provides extensive insight into IBM’s approach to security intelligence and compliance. You can also read a transcript here. (36.4KB, PDF)