MEETING NEW CHALLENGES IN MOBILE AND CLOUD SECURITY

May 2013 | Redmondmag.com

Contents

> High Alert

> BYOD Empowers Users but Poses Risks

> Security Threats Aren’t Inhibiting Most Cloud Use

> Q&A: ThreatTrack Chief Details Enterprise Security Plans

High Alert

Cyber attacks are increasing at an alarming rate, forcing IT to rethink how it protects systems. BY CHRIS PAOLI & JEFFREY SCHWARTZ

An alarming increase in reported cyber attacks this year is extending the onus on IT pros to once again step up efforts to protect their infrastructures. While attacks have escalated routinely over the past several decades, they’ve also increased in frequency, intensity and sophistication, leading to heightened awareness and concern. That’s raising the bar for how businesses and government agencies need to respond.

Major banks, media outlets, government agencies—including those in law enforcement—and other organizations have sustained unprecedented penetrations, many since the beginning of this year. Intruders have ranged from criminals seeking big paydays to activists looking to make a point to state-sponsored probes of the critical infrastructure of the United States.

Incidents have increased to the point that in March the U.S. intelligence community declared cyber attacks have supplanted terrorism as the leading threat to the nation’s security, in part because of recent revelations that many of these attacks represent government efforts originating in China, Russia, Iran and North Korea.

“The volume of attacks is still on a multiplicative growth curve, and spans all forms of enterprise targets, from small law firms in Silicon Valley to Fortune 50 financial institutions, and every branch of government—from city government offices to the DoD [Department of Defense],” says Simon Crosby, the one-time CTO of Citrix Systems Inc. and founder of XenSource, and now cofounder and CEO of security software firm Bromium Inc.


Like many providers, Bromium is tackling the increased proliferation of attacks in a novel way by offering a specialized hypervisor for the client device. Experts agree traditional forms of defense like firewalls and anti-malware, which many still rely on, are no longer enough to combat today’s escalating threats.

“The threats that exist today are getting through many of today’s existing security controls,” warns Lawrence Pingree, an analyst and research director with Gartner Inc. “Advanced threat protection appliances that leverage virtual execution engines as a petri dish for malware are most effective to deal with the latest threats. Also, organizations must continue to upgrade their endpoint protection suites. The antivirus they bought several years ago is not the same as it is today.”

The cyber threat issue has grown so intensely that the U.S. government has stepped up its efforts to fight back. In February President Barack Obama sidestepped Congress and issued an executive order mandating policies aimed at defending against attacks and espionage by, among other things, encouraging better communication between the government, businesses and those managing key Internet infrastructure.

“We know foreign countries and companies swipe our corporate secrets,” Obama said in his annual State of the Union address. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

Worst DDoS Attack Ever

This shift in the philosophy of cyber criminals—a change in focus from data theft to acts that shut down businesses—was nowhere more in evidence than in the massive distributed denial of service (DDoS) attack in March that hit Spamhaus, CloudFlare (which was mitigating the attack on Spamhaus’ behalf) and several European Internet exchange points with an unprecedented 300Gbps of DNS reflection traffic.

That attack was the result of a group angered by the fact that Spamhaus has effectively blacklisted any organization it finds to be a spammer, leading anti-spam systems to block them. While Spamhaus is often attacked, the latest was the worst DDoS on record.

“It’s the largest DDoS ever witnessed,” says Dean Darwin, senior VP for security at F5 Networks Inc. “Because it was so large there was certainly the potential for collateral damage for those adjacent to the attack. It’s unique because of the amount of power they’ve been able to harness.”


Despite the magnitude of these attacks, Darwin warns they might be just the tip of the iceberg. “It’s the kind of attack we’re going to see a lot more of,” he says, noting the massive Spamhaus attack is the latest data point showing the need for CIOs and CSOs to step up their game by providing application-level security to their systems.

Banks Targeted

Making matters worse, banks (including the nation’s largest—Bank of America and J.P. Morgan Chase—as well as PNC, U.S. Bank and Wells Fargo, among others) have reportedly sustained massive and prolonged DDoS attacks. Back in September, the Financial Services Information Sharing and Analysis Center (FS-ISAC), which advises banks and brokerage firms, upgraded the threat level from elevated to high.

After several months, banks are still under attack, according to experts. While enterprises have suffered sporadic DDoS attacks for decades, most have lasted a few days or at most a week, says Dan Holden, director, Security Engineering and Response Team, Arbor Networks Inc. “To go for months is unprecedented,” Holden says.

The goal of DDoS perpetrators apparently isn’t to steal credit-card numbers from an insecure database, learn corporate secrets or obtain blackmail material from employee e-mail. It’s to cause mayhem and the total shutdown of operations at a specific target.

But is corporate IT, which has been primarily focused on waging war against data thieves, up to the challenge of defending against a different breed of cyber criminal?

Phil Lieberman, president and CEO of Lieberman Software Corp., doesn’t believe so. “As with any type of addiction—and this is to outdated security methods—the first step is to acknowledge that you have a problem and want to address it,” says Lieberman. “Many companies figure that they are immune or have nothing of value, so the threats to them are minimal or nonexistent—[meaning], everything is nothing more than scare tactics of security vendors.”

Lack of Planning

Keeping the data safe is just one key aspect of a comprehensive security plan—another is having IT properly incentivized not only for uptime, but for success in identifying and stopping a potential problem before it occurs.

So what can IT pros stuck in one security mindset do to change their thinking? Step one is to segment your security plan to target specific types of attack—a one-size-fits-all strategy won’t work.


“The fundamental difference between hackers who are trying just to show their muscles as cyber thieves [by] trying to get a financial advantage and governmental-sponsored attacks is in scale of operation,” says Leonid Shtilman, CEO of Viewfinity Inc. “It’s hard to believe that a group of two to three thieves could have developed Stuxnet [the computer worm used to attack Iran’s nuclear operations]. IT organizations may be well armed to protect databases containing credit-card data, but at the same time will not be prepared for an attack on Group Policies, which will lead to damage to the global infrastructure.”

New Approaches

It’s one thing to identify where the problem is. It’s another thing to address the problem. And facing the problems of today with the security tools of yesterday won’t work. “Application-control technology can play a significant hand in prevention of the latest attacks,” says Gartner’s Pingree. “Defense in depth and detect in depth are concepts that all customers should explore.”

That’s what Bromium thought when creating its cyber defense product, Bromium vSentry, which the company describes as a specialized hypervisor designed to protect Windows PCs by automatically, instantly and invisibly isolating each untrustworthy task in its own hardware-enforced “micro-VM” at the CPU level, so that data or code from an untrustworthy source can’t modify Windows or gain access to enterprise networks, systems and, ultimately, data. “When the user ends the task—closes a browser tab or a document—the micro-VM is discarded, automatically discarding all malware,” Crosby says.

Cupertino, Calif.-based Bromium’s vSentry is just one of many third-party tools emerging that are engineered not only with the capability to protect against known attacks, but that have a core focus to actively monitor the online landscape to protect against the malware of today and what will be engineered tomorrow.

Another is ThreatAnalyzer from ThreatTrack Security Inc., a company spun out of GFI Software in late March to focus on enterprise security. ThreatAnalyzer aims to use analytics to become more proactive in reacting to attacks. ThreatTrack CEO Julian Waits says because there’s no such thing as a standard signature from a single antivirus product, many approaches to intrusion detection and intrusion prevention, as well as antivirus, are signature-based. Customers of ThreatAnalyzer, formerly known as SandBox, receive a behavioral analysis of what’s going on in a particular file.


“You can use that to create your own customized signature that you can basically put inside whatever perimeter tool you’re currently using,” Waits says. “That’s the way our customers have been using it. They capture the behavior, [then] they create a signature that they place inside of Qualys or Rapid7 or whatever the tool happens to be ..., or they use it for correlation purposes in ArcSight [from Hewlett-Packard Co.].”

For its part, F5, whose core business has historically emphasized boosting application performance, now has a formidable security practice based on its BIG-IP portfolio. With its application security manager, application firewall manager, access policy manager and VIPRION application delivery controller (ADC), F5 has added intelligence to the application infrastructure to combat attacks.

Darwin argues the fastest traditional firewall under optimal conditions (without adding intrusion-prevention systems and anti-malware) can ward off an attack at 500,000 connections per second. A recent DDoS attack on U.S. banks attributed to Iran clocked in at 2 million. “Firewalls are out of the game before they ever started,” Darwin says. “They just got blown out of the door.”

With its high-end VIPRION 4480 ADC, Darwin says the F5 product can fend off 8 million connections per second. “We’re coming out with solutions that double and triple that,” Darwin says.

To be sure, networking and security companies of all sizes are doubling down as well, including AccelOps Inc., Alert Logic Inc., Barracuda Networks Inc., Cisco Systems Inc., Dell Inc., HP, IBM Corp., McAfee Inc., Palo Alto Networks, SolarWinds, Splunk Inc., Symantec Corp., Trend Micro Inc. and Websense Inc., among scores of others.

The problem, according to Shtilman, is that adopting new security tools takes both time and money—two things that small to midsize enterprises may be unwilling to part with, especially when the financial cost, anticipated targets, and the regularity of politically and idealistically based attacks are so hard to predict.

Further, those that do have the resources to devote to sabotage-motivated attacks must also continue to strengthen their resolve to counter what is still the top enterprise threat: data theft.

According to Shtilman, financially driven attacks focused on breaking into corporate databases are picking up steam faster than any other attack type.

Increased Data Loss

The number of breaches disclosed over the past two years has increased 40 percent, according to accounting firm KPMG LLP, which also found hackers penetrated 681 million records between 2008 and 2012. The report noted that 60 percent of all incidents reported were the result of hacking.

“The fastest-growing attack vector for enterprise attacks seems to be the use of stolen credentials, often acquired through spear-phishing campaigns, to gain access to protected networks,” says Shtilman. “As several of the technical components of information systems have gotten more secure, attackers have shifted their focus to targeting the human link in these systems. [They] are finding it easier to trick people into giving them access to their credentials and using those to access networks than to find ways to sneak into those same networks without credentials.”

Lieberman agrees, noting these attacks are still being exploited at high levels because of the success hackers are having with custom attacks against one-time targets. “Using inexpensive and plentiful labor as well as access to vast amounts of personal data in Facebook, LinkedIn and other sites, attackers can now create perfect e-mail attacks that allow the insertion of remote-control software,” he says.

Address the Obvious

The best defense enterprises can take to limit the damage done by stolen credentials is to protect the ultimate target of the attackers: user passwords. This involves both reiterating to users the importance of strong, complex passwords and, according to the Sophos Ltd. “Security Threat Report 2013,” making sure the password database is hashed multiple times, that is, each password is salted and run through an iterated, deliberately slow hash such as PBKDF2 or bcrypt rather than a single fast hash.

This sounds simple enough, and it’s advice that’s been handed down for decades. But how often have we heard after a major data theft at a large corporation that the passwords swiped were stored in plaintext, as in the case of the Yahoo! Inc. breach in the summer of 2012, where roughly 450,000 credentials were stolen? Experts say IT needs to step up and insist that lax password storage will not be tolerated regardless of the enterprise’s size, especially because of the relative ease of securing those passwords.
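What “hashed multiple times” looks like in practice, as an added example that is not from the article or the Sophos report: the weak storage form beside the recommended one, written for the Windows shops this magazine addresses. It uses the .NET Rfc2898DeriveBytes class (PBKDF2-HMAC-SHA1) that Windows PowerShell already has; the sample password is constructed, not a real credential.

```powershell
# Added example, not from the article or the Sophos report: the weak storage form beside
# the recommended one. Uses .NET's Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1), available in
# Windows PowerShell; the sample password below is constructed, not a real credential.

# Weak: one fast, unsalted hash (Yahoo's breached store had not even this). Identical
# passwords produce identical hashes, so one cracked hash cracks every user sharing it,
# and a GPU can try billions of SHA-1 guesses per second against a leaked table.
function Get-UnsaltedSha1 {
    param([Parameter(Mandatory)][string]$Password)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
    $sha1.Dispose()
    return [BitConverter]::ToString($bytes).Replace('-', '')
}

# Recommended: a per-user random salt plus an iterated (deliberately slow) hash.
function New-PasswordRecord {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$Iterations = 100000     # tune so one hash costs tens of milliseconds on your server
    )
    $salt = New-Object byte[] 16
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($salt)

    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $salt, $Iterations
    $hash = $kdf.GetBytes(32)
    $kdf.Dispose()

    # Store only what verification needs: the parameters, the salt and the derived hash.
    [pscustomobject]@{
        Iterations = $Iterations
        Salt       = [Convert]::ToBase64String($salt)
        Hash       = [Convert]::ToBase64String($hash)
    }
}

function Test-PasswordRecord {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)]$Record
    )
    $salt = [Convert]::FromBase64String($Record.Salt)
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $salt, $Record.Iterations
    $candidate = $kdf.GetBytes(32)
    $kdf.Dispose()
    $expected  = [Convert]::FromBase64String($Record.Hash)

    # Compare every byte regardless of where the first mismatch is, so response time
    # does not reveal how much of the hash a guess got right.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($candidate[$i] -bxor $expected[$i])
    }
    return ($diff -eq 0)
}

# Usage with a constructed sample password
Get-UnsaltedSha1 -Password 'correct horse battery staple'   # identical for every user with this password
$record = New-PasswordRecord -Password 'correct horse battery staple'
$record | Format-List                                        # salt and hash differ on every call
Test-PasswordRecord -Password 'correct horse battery staple' -Record $record
Test-PasswordRecord -Password 'Password1' -Record $record
```

The whole defence is the iteration count and the salt: the salt makes precomputed tables useless and forces the attacker to crack each user separately, and the iterations make each guess cost as much as the legitimate login does. Raise the count as hardware gets faster, and store it with the record (as above) so old entries can be re-hashed at next login. Where bcrypt or scrypt is available they are preferable to PBKDF2-HMAC-SHA1, but the built-in .NET class is enough to turn a plaintext or single-hash store into one that resists offline cracking at scale.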

The key for enterprise IT in today’s threat landscape is balance. Continuing to solely focus on battling data loss while completely ignoring the chance of service disruption and sabotage attacks leaves a huge hole open in your network. And devoting all your time and effort to battling a new breed of enemy while fundamental data protection falls to the side will lead to disaster.

Chris Paoli is the author of the Redmondmag.com Security Advisor blog. Jeffrey Schwartz is editor of Redmond.


BYOD Empowers Users but Poses Risks

Most IT organizations lack adequate policies for securing employee-owned PCs, tablets and smartphones accessing their systems. BY CHRIS PAOLI

It wasn’t long ago that few would dream of asking IT to connect their personal laptop to an enterprise network beyond typical Web-based access to systems, knowing full well that would violate security policies. Those sneaking them in were often called out by alarms. That changed rapidly following the release three years ago of the first iPad, which opened the floodgates, primarily because of the millions of devices sold.

Now an astounding 78 percent of white-collar employees in the United States use their own PC, smartphone or tablet for work purposes, according to a report last year released by Cisco Systems Inc. outlining the Bring Your Own Device (BYOD) trend. According to a December 2012 report released by IT market researcher Gartner Inc., 70 percent of organizations allow users’ personal devices to access network systems and applications.

Economic, business and competitive imperatives have rapidly forced IT not only to allow employees to use their own devices, but to embrace the trend. This about-face has many in IT scrambling to actively monitor and manage devices that have already entered the network.

Only 33 percent of organizations have BYOD policies in place to ensure employee-owned devices aren’t a security threat, according to the Gartner report—a result echoed by an F5 Networks Inc. survey finding in March 2013 that 75 percent don’t have such policies.

“Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organization,” wrote Gartner analyst Dionisio Zumerle in the report. “An analysis of the impact on mobile security when shifting from an enterprise-owned device scenario to a BYOD one is necessary to provide recommendations for maintaining security levels.”

IT is now in the awkward position of needing to secure personal devices connected to the network, while not having physical governance of those devices. Yet with so many lacking a plan or policy, these devices are creating huge security holes in organizations, says Ken Baylor, research vice president of NSS Labs Inc., a supplier of intrusion-prevention systems.

Asked what the top policy concern is when crafting an enterprise BYOD security procedure, Baylor suggests that “the benefits and risks of BYOD must be evaluated by a cross-disciplinary committee of senior management personnel who together set the policy. The policy and its enforcement mechanism must be in place prior to allowing BYOD devices on the network.”

So what can be done by the majority of IT shops that already have strike one on them for not having a policy in place on day one? According to an NSS Labs report, the technology is already there, Baylor says. While IT may not feel ready to handle the problems of securing user devices, the majority of available mobile device management (MDM) software is.

Take, for example, an enterprise running Microsoft Exchange Server. The tools for securing corporate e-mail on mobile devices are already in Exchange ActiveSync (EAS). According to the NSS Labs report, EAS already provides the ability to disable specific device features such as Wi-Fi and Bluetooth, the ability to wipe lost or stolen devices remotely, and support for digital rights management (DRM) technology.
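Those EAS controls are set through a mailbox policy rather than per device. The following is an added example (not from the article or the NSS Labs report) using the Exchange 2010 Management Shell; the policy name, mailbox and e-mail addresses are placeholders.

```powershell
# Added example, not from the article or the NSS Labs report it cites.
# Exchange 2010 Management Shell; policy name, mailbox and e-mail addresses are placeholders.
# Exchange 2013 renamed these cmdlets (New-MobileDeviceMailboxPolicy, Get-MobileDevice,
# Clear-MobileDevice) and dropped "Device" from several parameter names.

# 1. A mailbox policy that enforces a passcode, auto-lock, encryption and radio lockdown.
#    Splatting lets each setting carry its own comment.
$byodPolicy = @{
    Name                               = 'BYOD-Baseline'
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false      # no "1234" or "1111"
    MinDevicePasswordLength            = 8
    MaxDevicePasswordFailedAttempts    = 10          # device wipes itself after ten bad passcodes
    MaxInactivityTimeDeviceLock        = '00:05:00'  # lock after five minutes idle
    RequireDeviceEncryption            = $true
    AllowWiFi                          = $false
    AllowBluetooth                     = 'Disable'   # Allow | HandsfreeOnly | Disable
    AllowStorageCard                   = $false
    AllowNonProvisionableDevices       = $false      # refuse clients that cannot take a policy at all
}
New-ActiveSyncMailboxPolicy @byodPolicy

# 2. Assign the policy to a mailbox (or loop over a group/OU of users).
Set-CASMailbox -Identity 'jdoe@contoso.com' -ActiveSyncMailboxPolicy 'BYOD-Baseline'

# 3. Inventory what is actually syncing against that mailbox.
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe@contoso.com' |
    Select-Object DeviceModel, DeviceOS, LastSuccessSync, DeviceAccessState, Identity

# 4. Remote-wipe a lost device. A wipe is irreversible, so filter on the one device
#    rather than wiping everything the user has ever synced.
Get-ActiveSyncDevice -Mailbox 'jdoe@contoso.com' |
    Where-Object { $_.DeviceModel -eq 'iPad' } |
    Clear-ActiveSyncDevice -NotificationEmailAddresses 'helpdesk@contoso.com' -Confirm:$false
```

One caveat a practitioner should carry into any EAS rollout: the server only asks the client to apply the policy. AllowNonProvisionableDevices $false refuses clients that cannot accept a policy at all, but a client that accepts the policy and silently ignores individual settings (iOS, for instance, never implemented the Wi-Fi and Bluetooth controls) still connects. Test each supported platform against the policy and treat the wipe and passcode settings, which all major clients honour, as the ones you can actually rely on.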

As for the actual device management, the cloud-based Microsoft Windows Intune is one viable option, especially with the recent update that brought full device management support for Windows 8, Windows Phone 8, Android and iOS devices. Intune provides options for setting firewall connectivity and pushing through security updates and custom applications, along with remotely monitoring which personal device applications can have access to the network.

For more-sophisticated requirements, Microsoft System Center 2012 supports MDM, as do a bevy of third-party wares from the likes of AppSense, N-able Technologies Inc., Kaseya International Ltd., IBM Corp., the Sybase division of SAP AG, MobileIron, Citrix Systems Inc. (which last year acquired Zenprise), Symantec Corp. and others.

Losing Control

A major problem is the longtime issue of lost or stolen devices, exacerbated by the sheer number of devices that have grown out of BYOD. “The No. 1 security concern with employee-owned devices connecting to enterprise networks is loss of the devices,” says Dave Amsler, president of Foreground Security, a consulting, services and training firm. He explains that “47 percent of non-IT workers have no passcode for their mobile phones. If a lost phone is found by a malicious individual, they’ll likely have access to any enterprise data stored on the phone and possibly to data stored on enterprise servers.”

These lost devices could cause a huge headache for IT because, even if the device is never accessed after being lost or stolen, its loss could trigger a mandatory data-breach notification, according to Amsler.

So how can IT guard against data loss, short of handcuffing the physical devices to employees? The top priority, Amsler says, is to have a strong password policy in place for every device.

Once you have the devices secured and under your watch, NSS Labs’ Baylor says the next hurdle for IT is making sure malware via employee hardware isn’t making its way into your network.

The first step should be to limit the potential damage that can be done by isolating the devices so they have access to only what they need. IT can manage access through policy-management tools and authentication services enabled by Active Directory such as BeyondTrust PowerBroker Privilege Manager (and its recently acquired Blackbird Auditor), Full Armor GPAnywhere, NetIQ Group Policy Administrator, NetWrix Change Reporter and Quest (now a unit of Dell) ChangeAuditor, among others.

Once IT contains access to systems, applications and data based on the device and network-access type used, administrators should keep a close eye on the device activity. “Insert application-level filtering of traffic to inspect BYOD traffic to the corporate network to ensure no malware or exploits pass from the BYOD segment to corporate servers,” Baylor advises.

Once comprehensive monitoring is in place, Baylor says the following steps should be taken to properly protect your network:

• Implement a custom device-enrollment program, which will limit the number of devices per employee and will give an accurate view of who’s accessing the network at any given time.

• Make it mandatory that IT has admin access to all devices. This will provide a clearer picture of any malware-related events that occurred when not connected to the network.

• Require all employees to have anti-malware software installed on the device and automatically deny access to any that do not.

• Protect all highly sensitive servers with multifactor authentication.
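The enrollment step in that list can be built on Exchange’s own device-access control rather than a separate portal: unknown devices are quarantined until IT approves them, and a report flags users who exceed the device limit. This is an added example, not from the article or NSS Labs; it assumes Exchange 2010 SP1 or later, and the addresses, device limit, blocked OS string and device ID are placeholders.

```powershell
# Added example (not from the article): quarantine-by-default enrollment in Exchange 2010 SP1+.
# Addresses, the per-user device limit, the blocked OS string and the device ID are placeholders.

# 1. Any device not explicitly allowed or blocked is quarantined. IT gets a mail per new
#    device and the user sees an explanation instead of their inbox.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'helpdesk@contoso.com' `
    -UserMailInsert 'Your device is awaiting IT approval. Contact the help desk to enroll it.'

# 2. Organisation-wide rules for whole classes of device, e.g. block an OS version outright.
#    Characteristic can be DeviceModel, DeviceType, DeviceOS or UserAgent.
New-ActiveSyncDeviceAccessRule -QueryString 'Android 2.2' -Characteristic DeviceOS -AccessLevel Block

# 3. Approve one specific device for one user by adding its DeviceID to the mailbox
#    allow-list; this overrides the organisation default for that device only.
function Approve-Device {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$DeviceId
    )
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Add = $DeviceId }
}

# 4. What is waiting in quarantine, so the help desk can act on enrollment requests.
function Get-QuarantinedDevices {
    Get-ActiveSyncDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, DeviceAccessStateReason
}

# 5. The per-employee device limit: report users with more allowed devices than policy permits.
function Get-UsersOverDeviceLimit {
    param([int]$MaxDevices = 2)
    Get-ActiveSyncDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Allowed' } |
        Group-Object UserDisplayName |
        Where-Object { $_.Count -gt $MaxDevices } |
        Select-Object @{ n = 'User'; e = { $_.Name } }, Count
}

# Usage (placeholder mailbox and device ID; take real IDs from Get-QuarantinedDevices)
Get-QuarantinedDevices
Approve-Device -Mailbox 'jdoe@contoso.com' -DeviceId 'ApplC3XJ1ABCD123'
Get-UsersOverDeviceLimit -MaxDevices 2
```

The design choice here is to make the default deny: a device the organisation has never seen gets no mail until a person looks at it, and the approval is recorded per mailbox, so the allow-list doubles as the inventory of who is accessing what. Run the over-limit report on a schedule; it is the cheap way to catch an employee quietly syncing a third and fourth device.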

Other Concerns

The Gartner report advises addressing three key issues: the risk of data leakage, ensuring employee privacy isn’t jeopardized when mandating the installation of security or tracking software, and the challenges of coming up with adequate policies for securing devices, tracking vulnerabilities and providing updates.

To address those issues, Gartner recommends enforcing a mobile policy on personal devices or requiring users to separate business from personal environments. But, if opting for the latter, be cautious not to compromise the UX. IT also should determine supported devices and configurations and create support levels using a “managed-diversity matrix”—while keeping in mind that as more devices are supported, more time and IT resources will be needed to support all of them. The final option, though more costly, is to offer an employer-owned device to a user’s liking and requirements that doesn’t store private data. —Chris Paoli


Security Threats Aren’t Inhibiting Most Cloud Use

BY JEFFREY SCHWARTZ

As more organizations use public cloud infrastructure for functions ranging from setting up a server farm for development and testing, to running e-mail or, in a growing number of cases, a database-driven app in production, security is still the largest inhibitor to a greater number of cloud deployments. Yet whether or not IT embraces cloud computing, it appears it’s here to stay. A survey by Symantec Corp. found 90 percent of organizations are at least considering cloud deployments, up from 75 percent a year earlier, according to a company report released in January. The survey found 77 percent of organizations were aware of rogue cloud deployments and, of those, 40 percent learned of confidential information leaking and 25 percent saw cloud accounts taken over.

Perhaps the biggest risk to effective cloud security is the Bring Your Own Device (BYOD) trend, which is pushing IT to support user-owned PCs, tablets and smartphones. A survey conducted by AccelOps Inc. during the 2013 RSA Conference in San Francisco found BYOD is the most significant roadblock to ensuring effective security when using cloud services.

Of 176 IT security professionals surveyed, 78 cited BYOD as the most significant cloud security problem, with data control coming in second and potential data loss a distant third. Many users can easily access cloud services such as Dropbox, SkyDrive, Google Drive and iCloud, all of which are accessible from Windows-, iOS-, and Android-based phones, tablets and PCs.

Those services have user-controlled security—it’s not in the purview of IT (unless SkyDrive Pro, which comes with Microsoft’s recently released Office 365 and SharePoint Online offerings, is being used).

Yet, ironically, the same survey found that only 18 percent of respondents were dissatisfied with the security and access control service-level agreements (SLAs), though a large percentage (41 percent) had no opinion. A slight majority, 51 percent, were satisfied—and 11 percent of those respondents were extremely comfortable with it.

Flint Brenton, AccelOps president and CEO, admits to being somewhat surprised that the survey showed less fear of cloud services among security professionals. He believes that mindset will change as more organizations use public cloud services.

“I think as the adoption rate of cloud services goes up, people will come to learn what they don’t know. As the market evolves the bar will keep rising,” Brenton says. “What makes them satisfied today may not be adequate six months from now.”

Only 35 percent said they weren’t using any cloud infrastructure, while 29 percent use hybrid clouds, 17 percent use public cloud services and 19 percent use private clouds.

A vast majority of those using cloud services, 78 percent, manage security themselves, while 13 percent have a managed services provider handle it. The remaining 9 percent use an ISP or consultant. Only 29 percent rated the existing Security Information and Event Management (SIEM) systems they use as excellent or good, with 32 percent finding them acceptable, 21 percent saying they’re fair and 18 percent giving them the thumbs-down.

Just as enterprises are weathering distributed denial of service (DDoS) attacks and a variety of breaches, cloud providers are not immune. A survey by Alert Logic Inc., a provider that captures security events through an intrusion detection system, tracked 1 billion security incidents and 45,000 “confirmed” security events between April 1 and Sept. 30 of 2012 among its customers, which include primarily hosting and cloud providers but also large enterprises.

Among cloud providers, 52 percent were victims of Web application attacks, 30 percent were victims of brute-force attacks and 27 percent were victims of vulnerability scans. Among enterprises, 49 percent of incidents sustained malware and botnet attacks, with the same number as victims of brute-force incidents and 39 percent victims of Web application strikes.

—Jeffrey Schwartz


It takes just seconds for today’s polymorphic malware to mutate into millions of threats, but now it has met its match. Introducing Symantec Endpoint Protection 12—simply the fastest, most effective reputation- based protection ever created.* Improve the security of your information, devices, and employees. Download the trial version of Symantec Endpoint Protection 12 at go.symantec.com/sep12

* Sources: PassMark Software, “Enterprise Endpoint Protection Performance Benchmarks” (Report 2), February 2011. AV-Test GmbH, “Remediation Testing Report” and “Real World Testing Report,” February 2011.

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.

Symantec™ Endpoint Protection 12

Next-generation reputation-based technology

The fastest, most effective endpoint protection anywhere

Built for virtual environments


Q&A: ThreatTrack Chief Details Enterprise Security Plans

GFI Software in March 2013 said it decided to spin out its enterprise security software technology business into a separate company called ThreatTrack Security. Backed by the same investors, Clearwater, Fla.-based ThreatTrack will target large government and defense agencies, as well as major enterprise business, including retailers and financial services firms.

Julian Waits, the CEO of GFI’s new spinoff ThreatTrack, discusses how his company intends to stand out in the growing federal and large-enterprise security space, especially in the new era of international cyber-attacks.

BY JEFFREY SCHWARTZ

PHOTOGRAPHY/ILLUSTRATION BY SHUTTERSTOCK/REDMOND STAFF


Julian Waits, a veteran of the IT security industry and longtime friend of GFI CEO Walter Scott, will lead the newly formed company as its chief executive. In an interview with Redmond magazine Editor Jeff Schwartz, Waits explained why GFI spun out its security business and how he sees using predictive analytics and big data to help customers anticipate advanced persistent threats before they strike.

J.S.: Why did GFI decide to spin out its security business?

Waits: GFI as a company is 100 percent focused on the needs of small and medium businesses [SMBs], meaning business entities that have roughly 1,000 users or less. As we looked at our security business, a great part of the growth outside of what we’re already doing with Vipre, which has been focused primarily around our SandBox technology, and what we’re doing with our ThreatIQ product. Today, sandboxing and advanced business threats aren’t as big an issue in SMBs as they are today in enterprises and federal agencies. So we decided as a business to spin off the security business unit so it can focus on that and optimize it, while GFI continues to focus on small and medium business. Of course, we still have a core competency and a strong commitment to small and medium businesses and the consumers, but we’re expanding our footprint into the federal government and large enterprises.

Will GFI continue to own a stake in this new company or will it be a totally separate business?

It’s a completely separate company, though we do have the same investors. You can think of it as sister-portfolio companies.

Are you sharing R&D or any other types of properties?

We have OEM arrangements across both entities. For instance, in Vipre today—specifically in the premium offering, both on the consumer and business side—we OEM components of GFI’s LanGuard. And in many of GFI’s products, the MAX AV product and Vipre is included in the solutions. We’ll continue to license technology from each other.

How much presence have you made into the enterprise?

What started all of this—over the last six to nine months in the sandboxing side of the business, we’ve had over 100 percent growth year-over-year, and all of those customers have been federal and enterprise. Unfortunately, I’m not at liberty to share their names, but they’re all household names. Think about it as large enterprises that are primarily concerned with targeted attacks and other forms of advanced malicious activity that concern them. From an industry perspective, you should assume large retailers, large oil and gas companies, and large financial institutions, which are all included in the customers that we’ve closed.

With so many security companies targeting that segment, how do you see ThreatTrack standing out?

When you look at all of the companies entering this space, they’re all basically “detections-are-us.” Now what’s happening is they’re moving from what’s already known to the stuff that’s new that you haven’t seen before. The issue is no one is really focused on remediating these issues. From our standpoint, detecting it is only half the battle. The real thing is when you’ll be able to remediate the issue. Like a lot of other players in this space, FireEye and Palo Alto Networks, where they have network-based systems that are designed to look for new malware, none of them are addressing the issue of remediation and we plan to do both. We don’t want to be another one of the 27 security tools that a customer buys to help pinpoint that there was a malicious file that came to the network. I want to pinpoint and I want to resolve it.

How do you manage to get on the radar screens of CIOs and CSOs at large enterprises, given your heritage in the SMB market?

It’s all word of mouth. We’ve done a small amount of marketing while we were under the GFI moniker, but it has primarily been word of mouth. At trade shows we’ll sit there and one of the world’s largest retailers comes in and says, “We need one of those because we get phishing attacks that are changing on us daily and there’s no amount of AV [antivirus] or firewall or IP that we can buy that we can deal with this because they can only deal with what’s known already.”

What are the biggest threats you’re dealing with?

You have to separate it between the ones that are enterprise customers and the federal government. We [GFI] were actually one of the vendors involved with discovering Flame from a federal government perspective. I’ve actually done a webinar on it. Again, under the GFI moniker, it wasn’t a business we wanted to emphasize as not something we’ve made a lot of hay over but we were one of the vendors there. When you look at large enterprises, it just depends on the nature of their business. In the case of the retailer, it’s people trying to come up with an interesting way to steal credit-card numbers and other personal information that can be used to steal your money. With our oil and gas customers, it’s primarily around malware created by environmentalists. By using our toolsets, we can help our customers more proactively get in front of them.

For those not familiar with your toolset, how does it address these threats?

There’s no such thing as a standard signature from one AV product to the next but the truth is most things are signature-based, whether it’s IDS, IPS or AV. So by using our SandBox [marketed by the new company as ThreatAnalyzer], it gives a full behavioral analysis of what’s going on in the particular file, and ... you can use that to create your own customized signature that you can then create and basically put inside whatever perimeter tool that you’re currently using. That’s the way our customers have been currently using it. They capture the behavior, they create a signature that they then place inside of Qualys or Rapid7 or whatever the tool happens to be that they use or they use for correlation purposes in ArcSight.

To what extent are your tools being used to address threats coming from China, Iran, Russia and North Korea to address some of these large-scale attacks?

I can tell you today ThreatAnalyzer is used in over 60 percent of the U.S. cyber defense infrastructure with large three-letter defense agencies who were already involved in that fight. We’re used. Pretty much [if] you name the agency, they’re a customer.

These attacks are getting faster and wreaking more havoc than ever. Where do you see this going?

I wake up every morning terrified by what new things are going to come out, be it from a cyber-espionage or a warfare perspective. It’s only going to get worse. It’s not going to get better based on our own internal intelligence that we’ve done. And we cooperate very much with the federal government. There’s information that we’re privy to that most people don’t get. Our goal is to make our solution smarter and smarter. We do believe that you have to not only cover the network but also cover the endpoints. There’s a set of heuristics, especially using big data techniques such as genetic algorithms and machine algorithms and a plethora of things against a Hadoop database, that allow us to basically get a detection from what currently takes us three or four days to an hour or less. We call it ThreatNet.

Are enterprises becoming more proactive as these threats heat up?

Enterprises want to become more proactive. The big issue is they still think about it from [the perspective of] “How do we respond to a threat once it occurs?” So they look at tools like ours and others and it still becomes “How do you fit in the overall ecosystem of what we’re using?” The way we’re approaching the problem is to create a set of strategic relationships, which we already have around HP ArcSight and companies like RSA with NetWitness. When we integrate into many of the tools, even to the point where our tools are embedded in the case of NetWitness Spectrum, they use our SandBox in the case of selling that. We’re more proactive in the overall ecosystem because with the enterprise, 90 percent ask, “How are we going to respond to it?” While they desperately want to get in front of it, they know most of the time they’re going to be reacting to it. The more tools they can put in place, not only to detect it but to help in the response process, like being able to create an auto-remediation as we’re going to do.

What do you see as the next key advance in countering these threats?

I do think it’s associated with big data. One of the biggest voids in the market is being able to get more and more data from a customer set. For instance, there’s a large set of my customers that classify the data so they won’t share, mainly in the federal and intelligence industries. Whereas on the enterprise side, they’ve shown a huge interest in being able to share with us if it means that we can remediate faster with things they haven’t seen before. The more of that data we can collect, the more fancy analytics stuff we can use to do our job a lot faster. There’s no way we’ll be able to anticipate an APT before it’s created. God knows they’re becoming more and more sophisticated. All we can do is become more sophisticated about how rapidly we can respond to it and it’s going to take a community to do that.


Has President Obama’s executive order in February helped motivate companies to share information?

Tremendously. In our sales pipeline and our closures this quarter, we’ve seen an uptick that’s directly related to the national address that he did.

To what extent has the BYOD movement created security issues that need to be addressed? Is that an area you’ve been addressing?

Absolutely. We have an Android SandBox today, which quite frankly we weren’t sure about how we were going to market it late last year, so we went out and met with some of our customers in the Washington, D.C. area in New York. And we were blown away with the amount of interest that they have with the ATKs that have happened in the Android world. Of course if you see any of this data, there’s more and more malware statistically on the Android platform than almost anything right now. It’s a huge issue. We’ll see what happens. Now we’re hearing more things happening in the iOS world and the Apple world. There’s not a huge concern over that but there’s a huge concern as it relates to Android.

How are you leveraging the GFI partnerships, including with Microsoft, or are you establishing your own?

As a division, we just took those partnerships with us. Microsoft is a very strategic partner to us. I’m not at liberty to say everything that we do with them but suffice to say, our tools are used on their network every day.

Given your long tenure in the IT security industry, how would you characterize the current state of affairs?

I think this is one of the most exciting times to be involved. The last couple of years has been stagnant in terms of security vendors providing new technologies to address a lot of these more complex problems. But I think based on, quite frankly, a lot of the marketing of FireEye and Palo Alto, and more specifically the Mandiant report that came out where it finger-pointed China as being very much involved in cyber offenses on their part and corporate espionage, it just brought to life everything that’s going on. So the industry is going through a renaissance from a security perspective. Everyone is understanding it’s not just what we know, we have to deal with the stuff that’s coming out every day faster.


Can that be done or are we all toast no matter what we do?

The thing that bothers me about all of this is I still believe 80 percent of security problems are risk management problems. What you have to focus on first are the systems and the applications that are most critical to your environment. Many enterprises approach security almost the same way they approach compliance. It’s more about “Let’s make sure we don’t get caught this way because this became big news and if it happens to us, we’re in The Wall Street Journal and we’ll all lose our jobs,” and it’s less about true risk mitigation.

I think it all starts around a process completely built around people and the processes they use in their environment and technology should be used third. Are there a set of perimeter defenses and AV technologies that everybody should have? Absolutely. It comes down to what’s the most critical. If I’m an operating entity, my financial systems are absolutely critical. If I can’t send out a bill, I go out of business. If I’m a software company, I have to make sure my development systems are protected. If I’m taking a sales view of my Web site and I’ve done things proactively, again from a risk mitigation perspective, be assured I can do business no matter what happens. The DDoS attacks, what’s our response to that? What we’re doing is going after advanced, persistent threats added to what’s known. The key thing is to really start with a risk mitigation strategy for your enterprise.

How do you see addressing cloud computing in terms of protecting data, as well as providing your technology as a SaaS offering?

Today at GFI, one of the products they have that they OEM’d from us using their own cloud-based infrastructure is called GFI Cloud. That’s for those who want all the protection of AV on their endpoints from a business perspective but not have to deal with all of the administration associated with doing so. We used to call it a micro SMB market but what we’ve found is even larger enterprises are considering it just as larger enterprises are considering outsourcing all their e-mail, just like Office 365 and Google are moving forward. We have a two-pronged strategy. The first component is to provide our AV technology through a cloud-based infrastructure today through GFI [and that] in the near future will be offered by us directly. The second component to that is to utilize [and] to build these next-gen solutions like ThreatNet. In the past, ThreatNet has been used on a small scale by us to protect files from our customers to do some form of correlations, primarily for building remediation for files we haven’t seen before. Our next generation of ThreatNet customers will have to opt out rather than opt in. In some industries they’d never opt in. Again, whether it’s federal or intelligence, we’ll have to have a specialized network, but we plan to take everything we possibly can, put it in a cloud-based offering again, utilizing Hadoop with analytics to just really unleash the data that we’re getting about what’s going on the environment.

Speaking of Hadoop, how many experts have you brought on board to advance the use of big data analytics to predict future threats?

What we’re advocating is whether you’re involved in the project or not, our entire engineering department is being educated on Hadoop and the associated systems. In our case, it happens to be Cloudera we’re using to implement this. I really do think it’s where security is going.

—Jeffrey Schwartz
