Meet the Bloggers

Vaune Carr, Principal Consultant, BT Global Services

Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Jill Knesek, Chief Security Officer, BT Global Services

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

Ben Rothke, Senior Security Consultant, BT Global Services

Pete Russo, Senior Marketing Manager, BT Global Services

Bruce Schneier, Chief Security Technology Officer, BT Global Services

Ray Stanton, Global Head of BT’s Business Continuity, Security & Governance Customer Capability Unit

Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

SecureServices

Monday, August 9, 2010

What CSOs Talk About at Dinner

By Jill Knesek, Chief Security Officer, BT Global Services

Last week I had the pleasure of meeting with some of Chicago’s outstanding CISOs and CSOs.  We met for dinner to discuss those thorny and gnarly issues that keep us working overtime to make sure that our companies are secure and our employees excel at work.  So, what was on our menu that night?

The first hot topic was methods of securing data across companies with disappearing perimeters.  BT, like many companies, works to enable its workers to literally work anywhere to boost their productivity and enhance their work-life balance.  But as the office walls disappear, new challenges abound.

While we touched on what value firewalls and IDSs provide, much more time was spent discussing endpoint security, such as personal firewalls, antivirus products and good patch management processes.  I see particular value in hard disk encryption on laptops, which renders stored data nearly useless to thieves. 

Obviously, mobile devices are top of mind for us.  Not only do we have to worry about laptops — with more companies supporting a “BYOD” (bring your own device) policy, we have a whole new set of things to be concerned about.  For example, it seems inevitable that companies will need to let employees bring their own hardware platform into the workplace.  And, while we all love our iPads, iPhones, Blackberries, and Android phones, with hundreds of thousands of apps available for download and many thousands more becoming available each day, how do we secure them?  While I wish I could say that we came up with a solution during dinner, this topic, for now, still generates more questions than answers.

The other topic that provoked a great deal of discussion as the economy emerges slowly from recession is how we secure new acquisitions.  The biggest problem facing CSOs in this area is — how do we change the culture of a new acquisition without breaking the business model that made them a desirable target?  But, the bottom line is that at the end of the day, CSOs are responsible for the security of all company assets, whether organic or acquired.  From my view, the key is good communication with the acquired management team and a strong security awareness campaign, since employees remain our first line of defense.  After that, it comes down to pure risk management and understanding the biggest threat against the acquired company — and mitigating that piece first.

And, from that discussion, we found ourselves deep in the nitty-gritty of Risk Management.  I know this message is getting tired, but the reality is that having a mature risk management program with real stats and data to back up your risk register can be a great tool in communicating at the boardroom level.  We can’t be Chicken Little, but we do need to rely on cold hard facts that resonate with the senior management team. 

The example I used was how to relate a fraud case to the senior leadership team in terms of revenue lost from the bottom line.  For example, if you lose $1 million in a fraud, how much revenue would it take to make up for that net loss?  Well, if the revenue was from a service with a 15% margin, it would take nearly $7 million in new revenue to make up for the loss.  Putting the cost of crime in terms of revenue helps the CFO and senior management appreciate the importance of reducing crime through security.

By the time we reached dessert, we’d hashed through these and other very interesting topics.  And, while we didn’t come up with concrete solutions or definitive answers, we learned a lot from sharing our common experiences and unique responses. 

I’d like to thank everyone who came and invite you all to carry on the conversation in cyberspace.  Leave a comment below, or let me know what you think in the Security Leaders Group on LinkedIn.

Friday, May 21, 2010

Report Card Time: Forrester Rates BT as a Top Performing MSSP

By Pete Russo, Senior Marketing Manager, BT Global Services

BT has been named as one of only two providers of “comprehensive services” in “Market Overview: Managed Security Service Providers,” a new report published by Forrester Research, Inc.

Forrester rated 24 multinational vendors that provide outsourced security services, such as log management, threat intelligence, content security, policy/compliance and vulnerability management.  BT was ranked in the report as one of the highest rated Managed Security Service Providers (MSSPs) for its breadth of services.

The report highlights the changing nature of MSSPs, pointing out that, “MSSPs are not just managing devices; they also provide insightful analysis that can help with business decisions.” The Forrester report also identifies the readiness of chief information security officers to outsource their security, noting that while “…security spending stayed flat for the most part in 2009, Forrester estimates that the managed services grew by roughly 8 percent.”

As well as highlighting BT’s breadth of services, the report notes BT’s “excellent penetration” throughout Europe and the UK and points to its expansion with “a number of acquisitions recently in the US.”  The report also highlights BT’s “good integration of consulting services with managed services.”

Learn more about BT’s managed security solutions and other security offerings.

Tuesday, March 2, 2010

Guest Post: Our Future in the Cloud

By Sanjay Mehta, senior vice president of Breach Security

Cloud computing is a hot topic at this week’s RSA Security Conference in San Francisco.  The amount of time the conference has designated to discuss, explore and debate the numerous security issues surrounding cloud computing is proof positive that more business – and supporting technologies – are taking place in the cloud.

But as more business technologies utilize cloud computing, new opportunities have emerged for hackers and cyber criminals to exploit vulnerabilities and profit from business applications using outdated security solutions for protection.  In short, the evolution of business technologies using cloud computing means that security solutions must follow suit – now.

Rapidly changing security needs require the benefits and advantages that Software-as-a-Service (SaaS) and cloud computing provides.  Security providers that don’t leverage cloud technology are quickly becoming antiquated as all technology – business and security – moves into the cloud.

Using SaaS or cloud computing provides security technology with distinct technological advantages, such as making security updates and code changes instantly available to clients.  In addition, new security technology needs to be developed specifically for the protection of business conducted in the cloud.  The technology landscape has changed and security needs to keep up by including cloud security needs and requirements at the forefront of the development process.

Breach Security is working with partners, such as Akamai, to provide web application security in the cloud.  For example, when deployed with Akamai’s Web Application Firewall service, Breach’s WebDefend Global Event Manager is the first web application security management solution to defend against global application security threats by enabling customers to make distributed cloud and data center defense-in-depth architectures operational.

Breach and Akamai are guarding their clients against security threats in the cloud.  Are you protected?

Sanjay Mehta has more than a decade of experience driving revenue growth and strategic business opportunities at Internet security and technology companies. As Senior Vice President, he is responsible for overseeing Breach Security’s go-to-market strategy, expanding the company’s channel and maintaining and growing its existing customer base.

Thursday, February 25, 2010

Business Continuity’s big bets for 2010 and beyond

By Bharat Thakrar, Head of BCM, Security Practice, BT Global Services

Now that we are a few months into the New Year, it is interesting to see what others are forecasting as key trends that will be shaping the Business Continuity agenda in the next couple of years.  Looking through analysts’ forecasts and key trends shows there is much consensus as well as a few surprises.  While it is clear the recession will continue to overshadow everything, and finances will remain under pressure for some time, there is also a realization that as the economy stabilizes, companies will need to move on from trying to squeeze further savings from IT budgets that are already wildly overstretched.

By far the most popular investment will continue to be in Server Virtualization – almost 80% of enterprises according to Forrester — because of the many advantages this offers, such as IT consolidation, which substantially helps reduce the number of physical servers required while increasing the utilization levels of remaining servers.  This in turn helps reduce hardware, power and maintenance costs and increases space utilization.

Also, by having each application effectively run within its own “virtual server,” one can prevent one application from impacting another when upgrades or changes are made.  Interestingly, one of the more notable pieces of research was VMware’s global customer survey, which detailed the primary drivers for customers adopting virtualization technologies.  The results were quite revealing: increasing the server utilization ratio (i.e., server consolidation) was the second highest reason at 40%.  The most important objective cited for implementing virtualization is to improve a company’s BC and DR – a reason indicated by 45% of the 676 global respondents in the VMware study.

Closely related to server virtualization, and often part of the same project, is Storage Virtualization: pooling physical storage from multiple devices over the network into what appears to be a single, centrally managed storage device.  This can improve data backups and data archiving, and it makes data recovery easier and faster.

Looking ahead, Cloud Computing is the second major trend forecast for Business Continuity. While not dependent on it, virtualization technologies, as well as data center services and fast, reliable and resilient networking infrastructures, underpin the key cloud disaster recovery features, such as the

  • Ability to recover all workloads in the cloud
  • Unlimited scalability with little or no up-front provisioning
  • On-demand services using Pay-per-use billing model
  • Highly secure and reliable infrastructure

An example of Cloud Computing is the Virtual Data Center (VDC), a pre-provisioned, hosted data center environment that enables enterprises to create, deploy, monitor, and manage their own service through a self-service portal.  Enterprises considering VDC offerings should look for self-healing properties and an infrastructure that is inherently resilient, with integrity maintained using physical and local separation at all times.

The third trend of significance is Environmental Efficiency.  As in other sectors, green considerations are now playing an increasingly important role within the business continuity industry.  In fact, this is seen as the new holy grail, which not only claims to minimize impact on the environment and therefore enhance the organization’s sustainability credentials, but whose reduced footprint/space/power requirements also make a powerful argument in the investment business case.  It is therefore a foregone conclusion that vendors will increasingly use green criteria to differentiate their offerings.

The importance of Email Continuity has been espoused within business continuity plans for a long time, and its criticality to businesses cannot be overstated, as staff, customers, partners, stakeholders, etc. need to be updated and kept in touch more urgently during a disaster than under usual business circumstances.  The major hurdle with email recovery systems has been the lack of adequate protection at an affordable price.  Many continuity solutions provide only limited Outlook features during failover (which may last days or weeks) and may not support cached/online mode clients or Exchange applications.  This is an area that is expected to come under increased focus, especially since, in certain data-critical industries, it is now often a legal obligation as well as a business necessity to ensure that no messages are lost.

The final continuity focus area is likely to be Data De-duplication – a technology that claims to reduce data backup volumes by a factor of as much as 20:1, using a combination of hardware and software techniques to eliminate duplicate and redundant data.  Just as in the case of virtualization, effective de-dupe implementations can result in deep cost savings from a combination of reduced disk storage requirements and reduced bandwidth requirements.  If only unique new data is transferred to the remote site, then the required WAN bandwidth and recovery objectives are significantly reduced – which allows you to shave hours off your data backup and recovery times, since only a twentieth of the data now needs to be protected.

Clearly the above list is a reflection of the emphasis on cost savings that continues to dominate IT budgets priorities.  However, the smart money is definitely on incorporating these technologies into existing enterprise business continuity programs because not only will they contribute to reduced risk, recovery times, and environmental emissions — but the strength of some of the cost savings can easily justify the investment as so many companies have already shown.

Tuesday, December 1, 2009

DLP – A security solution, not a security savior

Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, PCI QSA

Laptops with hard drives in excess of 250GB and 160GB iPods are not uncommon in today’s organizations; neither are multi-petabyte data libraries.  When you combine that with broadband access to that data, often with minimal data access controls, the sound of confidential data escaping from enterprises can be deafening.

In the last few years, Data Loss Prevention (DLP) software has become quite popular to address this predicament.  DLP refers to software that identifies, monitors and protects data, mainly via content inspection and contextual security analysis.  DLP systems can detect and prevent the unauthorized use and transmission of confidential information.  Sounds like a slam-dunk security solution that every organization can use.

Yet, as important as protecting data is, there is more to it than simply rolling out a DLP solution.  The following are a few steps to protect your data if you decide to deploy one:

Step 1 – Level set

Realize that the DLP will not solve all of your data security issues, or mitigate its risks.  DLP is but one part of a larger set of information security tools.

Step 2 – Show me the data, or at least tell me where it is

The first step in data protection is to identify where the corporate data is.  Many organizations know exactly how many laser printer toner cartridges they have in a storeroom, yet are unaware of where their data storage locations are.  By performing a data discovery project, you can find all the data on your network.  Note though, that this is a detailed endeavor.  Expect it to take weeks if not months to locate, diagram and document all of your major data storage locations.

Step 3 – Data classification

Commence a project to classify data to understand what needs to be protected and the reason for it.  Detail the risks to confidentiality and list common risk scenarios that may arise from inappropriate data leakage.

Step 4 – DLP strategy

A DLP solution can’t be deployed in a vacuum.  Organizations need to develop a formal DLP strategy that details their specific business and technology needs and requirements.  Vendors position their DLP solutions differently, so it is important that you document your own requirements first, rather than simply mapping them to a vendor’s product offering.

Step 5 – Product selection, testing and deployment

Once the requirements are documented, create a pilot to test a number of DLP products.  Ensure various use cases are tested to analyze the product in different scenarios.  Have specific and objective metrics to ensure value controls are tested and that your outputs are accurate.

Overall, DLP is a great security technology, but it is not security pixie dust that can magically secure your network.  The steps listed here are a few of the many that need to be done for a formal DLP rollout.  By taking such a tactical approach to DLP, you can ensure that it really does prevent your data from being lost.

Wednesday, November 11, 2009

Bringing our Customers Together – It’s our Approach

Toby Weir-Jones, Vice President, Product Development, Managed Security Solutions Group, BT Global Services

Next week is going to be an exciting one for us. We are bringing together our customer community with the best security minds at BT for the Managed Security Leaders Conference. These events bring together people from different roles and industries; the collaboration inevitably results in good discussion we didn’t plan. Here at BT MSSG, we rely on that sort of information sharing between customers to develop solutions to best meet their needs.

The different approaches taken by vendors often come up as a subject of discussion as we ramp up for our customer event. Some SIM vendors will make a lot of noise about their latest product features, and they always imply the same thing: use my product, and it will make more and more decisions for you because it is so smart, so well-informed, so correlated, and so on. The proposition sounds attractive. A customer can buy a product, set it up, and all-knowing insight will flow into their inboxes, faster and cheaper than they could do on their own. But is that really the case?

If you are comparing managed security services to any kind of self-managed or outsourced SIM, there is one key point to remember, and it centers on the role of expertise in the tool’s operation and maintenance. The contemporary threat landscape moves very quickly, and it’s probable that any given tool will need to have new functionality added in order to decode and reassemble the attack. If the enterprise isn’t on top of this – and doesn’t treat it as a discrete professional discipline – then it will inevitably fall behind. Just as reading the Harvard Law Review doesn’t make you a seasoned attorney, playing in the shallow end of network security is not the same as being a professional who lives it every day.

When we approach customers who haven’t used outsourced security services before, we frequently encounter IT staff that are nervous about their job security. We reassure these customers that, quite to the contrary, their roles become even more important if their companies are preparing to take a more serious look at security. They become the eyes and ears on the ground, and they provide a critical translation function between what we know we can do abstractly, and figuring out how to apply it in practice to that particular network.

That is why our approach is so different. It is not just about the fact that we have the tools and the people who analyze the data. We also know that without customer input and an understanding of our customers’ challenges, we cannot provide the best solution for them. If we want to better secure our customers against the ever-evolving threat landscape, we need their active participation in combination with our expertise and our development of the latest tools and solutions.

I expect that many of these interesting conversations will continue during our customer event and we’ll get even further feedback.

Tuesday, September 22, 2009

The Ethical Hacking Framework

Jim Tiller, VP – Security Professional Services, North America, BT Global Services

In its infancy, ethical hacking meant simply attacking a network and exploiting any vulnerability that was uncovered. The goal was simple — to get into a system. Quite frankly, this is still the M.O. for many engagements today.  The tools have changed, the techniques are much more sophisticated, the knowledge of the consumers is much more comprehensive – however, the essence of the test has remained much the same.

While technique and tools are important and provide a strong foundation for further evolution, in the security field the environment is too dynamic to base success on technique and tools alone.  By structuring ethical hacking as a framework, as opposed to simply a collection of methods and tactics, elements can easily be removed or added to accommodate the specific requirements of the test.  Of course, the removal of a particular element from the framework can have repercussions when the goal of the entire framework is value.

In my book, The Ethical Hack [1], I present a framework of steps for conducting a controlled attack.  The content of each section introduces methods for performing certain tasks while heeding the value represented by other points within the framework.  When combined, they present an entire process geared towards value.

How this applies to penetration testing is to ensure that the value of the test is realized.  Given that a penetration test is part of a larger security program, one must include other characteristics of security to align the test appropriately to the demands driving it.  Moreover, a framework highlights each phase, drawing relationships between them to make sure you’re on track with the objectives.  In addition, each step in the phase helps you take into account the nuances of performing a controlled attack.  For example, there are limitations, inherent and imposed, that will have effects on each phase translating into varying degrees of value.  Finally, it provides operational structure to the test.  Knowing how and when to perform a task is as important as the task itself.

Penetration tests can be a valuable component of a security program.  They can provide fascinating insights to the presumed security of an organization and the actual security employed.  Tests can also assist in defining acceptable levels of risk and exposure and set the foundation for future security developments.

A bit of good news … Norwich University is now offering a security class that is based on my Ethical Hacking book and the framework it defines. The classes have gone very well and there is potential it may become a required, accredited course in their information assurance masters program, beginning next year (2010).

Would you like a copy of my book? Send me a note at info@counterpane.com.

[1] Review of the book “The Ethical Hack: A Framework for Business Value Penetration Testing”:
http://www.securitymanagement.com/article/ethical-hack-framework-business-value-penetration-testing
http://www.crcpress.com/us/product.asp?sku=AU1609&dept%5Fid=1&af=W1135

Related links:
http://www.infosectoday.com/Articles/Ethical_Hacking_Framework.pdf
http://www.norwich.edu/
http://www.nuacc.org/page10.php
http://infoassurance.norwich.edu/

Tuesday, September 15, 2009

New Offerings: Business Continuity Solutions to Safeguard Clients’ Customer Services Operations

Pete Russo, Senior Marketing Manager, BT Global Services

BT today launched a series of new offers to help companies and government organizations around the world avoid downtime in their customer services operations when faced with disease outbreaks, man-made events or natural occurrences.

Extreme weather conditions, industrial strikes and virus outbreaks have all unexpectedly affected customer service operations for a number of companies over the past year, and to tackle this, BT Global Services has today outlined special offers, aimed at helping businesses prevent downtime in their contact centers.

Among the offers, BT has launched a new enhancement to its Next Generation Contact Center (NGCC) service. As part of the service, called BT NGCC Protect, BT will help businesses ready themselves for business continuity risks in their contact centers by auditing their requirements and configuring systems so that agents can work from home, or other remote locations, if they can’t make it into the office. The service can work as a stand-alone solution or alongside existing contact center technology, with licenses held in reserve at a greatly reduced cost that can be made live immediately when required.

By hosting the service over BT’s 21CN global platform, contact center agents will be able to access Unified Customer Communications features, a BT-designed desktop and Customer Relationship Management (CRM) tools quickly over the network, reducing the likelihood of downtime, while allowing businesses to reduce capital expenditure costs and benefit from greater flexibility.

Neil Sutton, VP Global Portfolio, BT Global Services, said: “Businesses today face the dual challenge of ensuring excellent customer service, while keeping capital expenditure costs under control. But, as recent examples have shown, unexpected events – such as extreme weather conditions, travel problems or virus outbreaks – can quickly bring a contact center to its knees. Advances in BT’s on-demand contact center technology and self-service CRM tools, as well as trial offers, will put businesses in a stronger position to tackle any unforeseen events and benefit from cost savings.”

In addition, BT is offering business customers a free trial of its self-service CRM solutions, which allow businesses to offer a better service to customers while improving efficiency.

In the current economy and with a growth in business continuity threats, self-service applications such as identity and verification, balance enquiries, account payments and booking lines offer businesses a cost-effective solution to handle routine customer requests. In fact, some 67 percent of consumers* say they would select voice self service over off-shored contact centers, according to recent research.

BT and the customer will work together to define a clearly measurable Return on Investment (RoI) model within an agreed timeframe and install the technology.  If the RoI objectives are met, the customer can move to a full contract with BT; if they are not, the customer has no further commitment from the trial and can walk away.  BT also has the capability to charge for self-service applications through per-minute and per-transaction rates, and to offer a risk-share and reward approach to its customers.
