CSO of the Year
March 2013 • WWW.SCMAGAZINE.COM

REVIEWED IN OUR GROUP TEST
eSoft P39: This month’s UTM Best Buy is feature-rich with a low cost.
WatchGuard P47: Well worth the expense for larger enterprises.
Symantec P51: Wraps mission critical environments in protection.

FEATURES:
CSO of the Year: John South joined Heartland when it was still reeling from a breach…and it’s the best career decision he’s ever made. P18
Handheld at arm’s length: The mobile payments concept is surging in Canada, but due to security concerns, consumers seem less than enthusiastic. PC1
Preparing for the new norm: Many respondents to this year’s “Guarding Against a Data Breach” survey say they are armed for advanced attacks. P24

VOLUME 24 NO. 3 • March 2013 • WEBSITE WWW.SCMAGAZINE.COM • EMAIL [email protected]

REGULARS
4 Editorial: Just get on with it already.
8 Threat report: A hacktivist posted the personal data of the former president of Brazil.
10 Threat stats: A mobile device was reported stolen from the Florida Department of Juvenile Justice.
12 Update: The nascent partnership between a Chinese development group and an entrepreneurial hub funded by three levels of Canadian government has raised concerns.
13 Debate: The FTC should have the right to penalize companies for poor data security practices.
14 Two minutes on…: The influence of overseas reforms.
15 Skills in demand: A need for experienced penetration testers.
16 Opinion: New risks must be valued, by Geoff Webb, director, solution strategy, NetIQ.
17 From the CSO’s desk: Maximizing quality and reliability, by Rafael Diaz, CISO, state of Illinois.
74 Last word: Before you take the plunge, by Justin Somaini, former Yahoo CISO.

PRODUCT REVIEWS
31 Product section: The UTM has morphed into a catch-all for security functionality.
32 Group Test: UTMs. We saw quite a range of possibilities in this year’s batch of UTM devices.
49 Group Test: Emerging products. This time we take a look at one of the hottest trends developing: security in the virtual world.

FEATURES
18 CSO of the year: John South joined Heartland Payment Systems when it was still reeling from a breach…and it’s the best career decision he’s ever made.
C1 Handheld at arm’s length: The mobile payments concept is surging in Canada, but due to security concerns, consumers seem less than enthusiastic.
22 Losing control: Industrial control systems remain troublingly vulnerable to both internal error and outside intruders.

Special survey
24 Guarding against a data breach survey: For this sixth edition of our annual data breach survey, we broadened our base of respondents to include security professionals in the U.K. and Australia.

52 Book of the night: Our program profiling the winners and finalists of the 2013 SC Awards U.S., held Feb. 26 in San Francisco.

John South, CSO, Heartland Payment Systems P18 • NETGEAR P43 • Reflex Systems P50 • C. Scott Hartz P15 • Justin Somaini P74
Cover photo by Jason Janik/Newsport

SC Magazine™ (ISSN No. 1096-7974) is published 12 times a year on a monthly basis by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2013 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazine.com. Haymarket Media uses only U.S. printing plants and U.S. paper mills in the production of its magazines, journals and digests which have earned Chain of Custody certification from FSC® (Forest Stewardship Council®), SFI (Sustainable Forestry Initiative) and from PEFC (Programme for the Endorsement of Forest Certification Schemes), all of which are third party certified forest sustainability standards.

www.facebook.com/SCMag
www.twitter.com/scmagazine
Editorial
Just get on with it already

Right before he took to the microphone for his State of the Union address in February, President Obama signed an executive order (EO) that aims to strengthen the country’s critical infrastructure security by primarily getting government agencies and private companies to share information on attacks and potential cyber threats. The information-sharing provisions introduced were joined by other directives, including one pushing for the creation of frameworks that would help critical infrastructure operators and owners to work together to shrink the risks they all face.

Since the EO’s release, plenty of industry players have bemoaned its shortcomings alongside just about as many others who say the decree showcases a U.S. president finally pushing forward with some real cyber security initiatives for the country to embrace. And then there are those who, like me, think that offering up more general guidelines that organizations ought to follow is all well and good, but without any meaningful and enforceable requirements then, really, what’s the point?

I understand the need for a national approach to cyber security and an understanding of some ways of getting there, but sans incentives and enforcement, chances are it will just be business as usual. The marketplace will figure it out, some say. But many sectors haven’t been able to do so without regulation. As well, quite a few critical infrastructure companies still enlist poor data security practices, thereby supporting an argument to impel action through regulatory mandates.

For now, some congressional leaders have taken the EO to mean that the Cyber Intelligence Sharing and Protection Act (CISPA) should be reinstated. Hence, a cringe-inducing proposal for the bill has resurfaced thanks to Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md. No matter that the Senate skipped the act once before because of outcries about potential privacy infringements. Lawmakers who support it say it’s needed to codify cyber threat intelligence sharing among critical infrastructure players, and will not include the potential sharing of citizens’ private information. Groups like the ACLU disagree.

So, this is the best we have – documents and debates that typify still more documents and debates in the future. In the meantime, all comers can carry on launching APT and other attacks on our critical systems. When massive mayhem ensues, maybe then the many parties charged with safeguarding them will just get on with it.

Illena Armstrong is VP, editorial, of SC Magazine.
4 SC • March 2013 • www.scmagazine.com
What is SCWC 24/7?
SC Magazine has created a free virtual environment that is open year-round. Each month we host an event focused on a subject that you as an IT security professional face on a regular basis.

This month
March 20-21
eConference: PCI compliance
This is the year that the Payment Card Industry Data Security Council – which is charged with enhancing payment account data security by driving education and adoption of the PCI security standards – updates its requirements. We explore what companies should expect and learn how these developments might impact their security planning for the rest of the year.

Next month
April 11
eSymposium: Mobile security
The security and privacy issues surrounding the use of mobile devices abound. And though bring-your-own-device (BYOD) has been alive and well for some time now, many organizations still face myriad challenges in deploying just the right security solutions and the proper policies and training to support these. All the while, alongside the privacy and security issues, challenges around compliance with any number of regulations only get more complex as users demand ever more mobility. We examine the most recent developments in the area of mobility and find out some programs that are showing positive inroads.

For more info
For details on SCWC 24/7 events, please contact Natasha Mulla at [email protected]. For sponsorship opportunities, contact Mike Alessie at mike.alessie@haymarketmedia.com. Or visit www.scmagazine.com/scwc247.
SC MAGAZINE EDITORIAL ADVISORY BOARD 2013
Rich Baich, chief information security officer, Wells Fargo & Co.; former principal, security and privacy, Deloitte and Touche
Greg Bell, global information protection and security lead partner, KPMG
Christopher Burgess, chief security officer and president, public sector, Atigeo
Jaime Chanaga, managing director, CSO Board Consulting
Rufus Connell, research director, information technology, Frost & Sullivan
Dave Cullinane, CEO, Security Starfish; former chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, assistant vice president, information security and compliance services, George Washington University
Gerhard Eschelbeck, chief technology officer and senior vice president, Sophos
Gene Fredriksen, chief information security officer, Tyco International
Maurice Hampton, technical account manager, Qualys
Paul Kurtz, partner and chief operating officer, Good Harbor Consulting
Kris Lovejoy, vice president of IT risk, office of the CIO, IBM
Tim Mather, chief information security officer and vice president of security and compliance markets, Splunk; former director, information protection, KPMG
Stephen Northcutt, president, SANS Technology Institute
Randy Sanovic, former general director, information security, General Motors
* Howard Schmidt, principal at HAS Security; research professor at Idaho State University; former cyber security coordinator, White House
Ariel Silverstone, chief security officer adviser, GNN; former chief information security officer, Expedia
Justin Somaini, former chief information security officer, Yahoo
Craig Spiezle, chairman, Online Trust Alliance; former director, online safety technologies, Microsoft
W. Hord Tipton, executive director, (ISC)2; former CIO, U.S. Department of the Interior
Amit Yoran, chief executive officer, NetWitness; former director, U.S. Department of Homeland Security’s National Cyber Security Division
* emeritus
Who’s who at SC Magazine
EDITORIAL
VP, Editorial Illena Armstrong
[email protected]
executive editor Dan Kaplan
[email protected]
managing Editor Greg Masters
[email protected]
digital content coordinator Marcos Colón
[email protected]
reporter Danielle Walker
[email protected]
TECHNOLOGY EDITOR Peter Stephenson
[email protected]
SC LAB MANAGER Mike Stephenson
[email protected]
DIRECTOR OF SC LAB OPERATIONS John Aitken
[email protected]
SC LAB EDITORIAL ASSISTANT Judy Traub
[email protected]
Program director, SC Congress Eric Green
[email protected]
regular CONTRIBUTORS
Stephen Lawton, Deb Radcliff, Karen Epper Hoffman
DESIGN AND PRODUCTION
ART DIRECTOR Michael Strong
[email protected]
VP, Audience Development & Operations
John Crewe
[email protected]
production manager
Krassi Varbanov
[email protected]
SC events
Events director Natasha Mulla
[email protected]
Events manager Anthony Curry
[email protected]
Events coordinator Maggie Keller
[email protected]
U.S. SALES
VP, Sales David Steifman
(646) 638-6008 [email protected]
Regional sales director Mike Shemesh
(646) 638-6016 [email protected]
West Coast sales director
Matthew Allington (415) 346-6460
[email protected]
Event Sales director
Mike Alessie (646) 638-6002
[email protected]
Account manager Dennis Koster
(646) 638-6019 [email protected]
account Manager Samantha Amoroso
[email protected]
SALES/EDITORIAL ASSISTANT Roo Howar
(646) 638-6104 [email protected]
Account Executive, Licensing and Reprints
Elton Wong (646) 638-6101
[email protected]
SC MAGAZINE LIST RENTAL
reach marketing
Wayne Nagrowski, VP, marketing solutions
(845) 201-5318 [email protected]
CIRCULATION
Audience Development Director
Sherry Oommen (646) 638-6003
[email protected]
customer data manager
Joshua Blair (646) 638-6048
[email protected]
Subscription Inquiries
Customer service: (800) 558-1703
Email: [email protected]
Web: www.scmagazine.com/subscribe
MANAGEMENT
CEO, Haymarket Media Lee Maniscalco
Executive VP Tony Keefe
DataBank
Threat Report
Cyber criminal activity across the globe, plus a roundup of security-related news

[Map: colored dots show levels of spam delivered via compromised computers (spam zombies), graded as high-level, medium-level and low-level activities. Activity is based on the frequency with which spam messaging corresponding with IP addresses is received by Symantec’s network of two million probes with a statistical reach of more than 300 million mailboxes worldwide.]

CUMBERLAND, MAINE – A document from 2008 containing the names and Social Security numbers of 275 municipal workers was uploaded to the town’s website. It’s since been taken down, and search engine caches have been cleared, but it remains a mystery how the Department of Labor spreadsheet got on the public site.

BARABOO, WISC. – Mihai Bandura, 39, of Romania was charged with felony ID theft after prosecutors allege he outfitted ATMs with skimmers to steal card numbers and PIN codes from Bank of Prairie du Sac customers. It’s believed Bandura was part of a larger ring that defrauded bank customers nationwide of $3.3 million.

DENVER – Three men were booked on theft and computer crime charges after allegedly downloading 70,000 files from their work PCs to removable drives, resigning, and taking the data to a competing engineering company. The victim company, EPS, alleges it lost $400,000 in contracts due to the stolen data.

BRAZIL – A hacktivist posted the personal data of former President Luiz Inácio Lula da Silva following a “cash-for-votes” scandal that led to convictions of some of Silva’s top aides. Silva claims he wasn’t aware of the scheme, but that didn’t stop an intruder – known as “nbdu1nder” – to dump business addresses, phone numbers and taxpayer IDs belonging to Silva.

NETHERLANDS – The country’s National Cyber Security Center posted official best practices for responsibly reporting security vulnerabilities. The guidance also advises organizations to create web disclosure forms and to agree not to prosecute any hackers who discover bugs. The recommendations are not legally binding, however.

U.K. – A member of the Anonymous online collective was spared jail time for his role in launching distributed denial-of-service attacks against PayPal, Visa and MasterCard. Jake Birchall, 18, who was two years younger at the time of his arrest, was given an 18-month youth rehabilitation order.

PHILIPPINES – The Supreme Court renewed an injunction that prevents the government from enforcing a new cyber crime bill. The law seeks to fight hacking, fraud and ID theft, but critics have protested over provisions that would penalize online speech and permit authorities to eavesdrop without warrants.

SRI LANKA – A hacker calling himself “Davy Jones” claimed to have breached a large number of government websites, resulting in defacements and dumped usernames and passwords. Victims included the sites for state-run TV channels and the Sri Lanka Port Authority, which oversees commercial ports.

Spain top producer of zombie IP addresses
For the period reported, the EMEA region (Europe, Middle East, Africa) was the leading source of all zombie IP addresses. Of the countries making up the EMEA, Spain was the top-producing country. For the other regions, the highest producers were Argentina in South America, the United States in North America and India in the Asia-Pacific region. Source: Symantec
DataBank
Threat Stats

Zombie IPs: Global distribution
India 14.8%; Other Asia 16.1%; China 9.4%; Vietnam 7.3%; Russia 5.4%; Belarus 5.1%; Iran 3.7%; Pakistan and Kazakstan 2.9% and 3.5%; Other Europe 15.6%; Other N. America 4.8%; Other S. America 11.4%.
The biggest increase in month-over-month zombie activity occurred in Vietnam.
The biggest increases in month-over-month zombie activity occurred in India, while the largest decreases occurred in Germany and Peru.
Source: Commtouch Software Online Labs

Top 5 attacks used by U.S. hackers
1. ZeroAccess trojan
2. Sinowal trojan
3. Pushdo trojan
4. Chinese Infostealer trojan
5. Waledac trojan

Top 5 attacks used by foreign hackers
1. ZeroAccess trojan
2. Pushdo trojan
3. Sinowal trojan
4. Chinese Infostealer trojan
5. Downloader trojan

Detected activity
There were 23,895,890 attacks in the United States last month, primarily originating from Los Angeles, Cleveland, Phoenix, New York and Chicago. There were 35,286,628 foreign attacks last month, primarily originating from Bucharest, Romania; Tokyo; Mumbai, India; Sao Paulo, Brazil; and Taipei, Taiwan. Source: Dell SecureWorks

Top breaches in January: Data loss
Name | Type of breach | Number of records
Cbr Systems, San Bruno, Calif. | The 2010 theft of a company laptop, hard drive and unencrypted backup tapes resulted in the exposure of sensitive information. | 300,000
Florida Dept. of Juvenile Justice, Tallahassee, Fla. | A mobile device that contained both youth and employee records was reported stolen. | 100,000+
King Drug & Home Care, Owensboro, Ky. | An employee reported that a portable hard drive was missing. The device had last been seen sometime around Nov. 19. The data on the device included information from before July 31, 2009. | 13,619

TOTAL number of records containing sensitive personal information involved in breaches in the U.S. since January 2005: 607,110,929 (as of Feb. 13)
Source: Privacy Rights Clearinghouse (data from a service provided by DataLossDB.org, hosted by the Open Security Foundation)

Malware: Vertical encounter rate
Position | Industry | Rate
1 | Retail & wholesale | 125%
2 | Education | 100%
3 | Food & beverage | 95%
4 | Health care | 75%
5 | IT & telecommunications | 65%
6 | Government | 45%
7 | Banking & finance | 40%
The table reflects the encounter rate of web malware across a selection of industry verticals. Rates above 100 percent reflect a higher-than-median rate of encounter, and rates below 100 percent reflect a lower-than-median rate.
Source: Cisco

Received spam: Top five regions
Asia Pacific 5.6B; Europe 2.3B; Africa & Middle East 1.9B; North America 1.1B; South America 888.9M

Spam rate: Volume by month for each region
Spam rate indicates the accumulated emails tagged as unsolicited.
U.S. 10.04%; Japan 4.59%; Colombia 1.60%; France 1.33%; U.K. 1.27%
Sources: Fortinet Threatscape Report; Cloudmark

Index of cyber security: Perceived risk
[Chart: index value (scale 1,050 to 1,650) and rate of change over previous month (%, scale 1.0 to 3.0), monthly from 02/12 through 01/13]
The index queries information security industry professionals monthly to gauge their perceived risk to the corporate, industrial and governmental information infrastructure from a spectrum of cyber security threats. A higher index value indicates a perception of increasing risk, while a lower index value indicates the opposite.
Source: ICS, www.cybersecurityindex.com

Internet dangers: Top 10 threats
Name | Movement | Date first observed | Type | Last month | Months on list
1. Zbot | up | 09/22/10 | PasswordStealer | 18 | 2
2. Lamechi.B | up | 01/10/12 | Downloader | 0 | 0
3. Hotbar | down | 09/23/10 | Adware | 2 | 12
4. Allaple.A | down | 12/05/10 | Worm | 1 | 11
5. Winwebsec | up | 22/10/09 | Scareware | 10 | 1
6. Sirefef.P | up | 11/04/11 | Bot | 11 | 2
7. Rimecud.A | up | 09/22/10 | Bot | 14 | 1
8. Kelihos.F | same | 03/31/12 | Backdoor | 8 | 5
9. Sality.AT | down | 12/05/10 | Virus | 4 | 2
10. Loring | down | 02/06/11 | Downloader | 6 | 1
Source: Kindsight Security Labs
Update

2 minutes on... The influence of overseas reforms P14
Me and my job: Options on business from a security perspective P15
Growing demand for veteran penetration testers P15

NEWS BRIEFS

Sign o’ the Times
»The nascent partnership between a Chinese development group and an entrepreneurial hub funded by three levels of Canadian government has raised concerns from an outspoken former security adviser to Nortel Networks.
Brian Shields, who advised the telecommunications giant on security, told the Canadian Broadcasting Corp. that the state-owned Zhongguancun Development Group (ZDG) should not be trusted with unlimited access to Canadian intellectual property.
In December, ZDG announced that it was contributing $10 million toward a business incubator in partnership with Invest Ottawa, a joint venture of the city of Ottawa and the Ontario and federal governments. The incubator, to be managed by a Chinese director, will provide funding and support to Ottawa-based technology start-ups that want to do business in China.
Invest Ottawa CEO Bruce Lazenby responded that all business partnerships come with risks, and that he put his faith in Canada’s federal security agencies to prevent cyber espionage.

»The Conservative government of Prime Minister Stephen Harper has rarely backed down during its seven years in power. It has made an exception on the controversial internet surveillance legislation first introduced in early 2012.
Bill C-30 – officially named The Protecting Children from Internet Predators Act – was opposed by federal and provincial privacy commissioners, who decried provisions that would permit law enforcement officials to compel internet service providers (ISPs) to identify clients without a warrant. ISPs opposed the bill because they claimed it would force them to install expensive tracking equipment.
“We’ve listened to the concerns of Canadians,” said Justice Minister Rob Nicholson, who pledged that the government would not introduce additional legislation to monitor online activity.

»When former spies break their silence about national security, people generally pay attention. It was no surprise, then, that it raised eyebrows when John Adams, former head of Communications Security Establishment Canada, called cyber crime “a runaway freight train.”
Speaking at the Ottawa Conference on Defence and Security, Adams warned that Canada’s critical infrastructure is the country’s weakest point. His message carried added weight coming within days of a report by Mandiant that cited Chinese cyber attacks on systems that regulate North American infrastructure components, including Canadian oil pipelines.
While saying that it is no simple matter for foreign powers to gain control of critical infrastructure, Adams urged governments to make it mandatory for utility companies and others to tighten security.
“If one’s weak, they’re all weak,” he said, addressing the Obama administration’s decision to impose voluntary rules-based standards on companies that run critical infrastructure in the United States.

Hackers believed to be from China spent four months infiltrating computer networks at The New York Times, ripping off passwords of reporters in an attempt to uncover information related to a Times story on the fortune amassed by relatives of China’s prime minister. The attackers used a number of techniques to install remote access trojans and hide their tracks. The Washington Post and Wall Street Journal also were hit.

THE QUOTE
“This attack was not the work of amateurs...”
—Bob Lord, Twitter’s director of information security, commenting after an advanced attack in early February affected a quarter-million users

Debate» The FTC should have the right to penalize companies for poor data security/privacy practices.

FOR
Craig Spiezle, executive director & president, Online Trust Alliance
While there is no silver bullet to guarantee data protection, companies must take reasonable steps to secure consumer data. Last year, the number of breaches increased 34 percent, yet more than 90 percent of these were avoidable. Although these businesses have to deal with remediation expenses, compliance with state statutes and the impact on trust of their brand, it is just as important that businesses be held accountable to the impact on their customers.
Under section five of the Consumer Protection Act, businesses have the obligation to safeguard consumer data. The FTC has increasingly exercised settlements with some of the worst offenders, yet does not have the power to fine a company directly. Many industry observers have suggested that the FTC be directly empowered to levy fines to increase accountability. As a data-driven economy, business leaders need to increase the stewardship of the data they collect. Those that fail to take reasonable steps need to be held accountable.

AGAINST
Brian Gay, owner, Think Forward Consulting
The FTC should not have the right to penalize companies for poor data security and privacy practices. If the FTC attempts to penalize companies for poor security, there will be several issues. The first is around poor practices. How will the FTC measure poor data security and privacy practices? Will the FTC compare programs by industry? Without clear guidelines the penalties will not be enforceable.
The next concern is that increasing cyber security oversight will create a decrease in transparency. Currently, companies are very reluctant to admit security hacks and data losses. If the FTC were allowed to penalize companies, there would be no incentive to publicly admit data security issues and share best practices. This will negatively impact data and privacy as a whole.
It would be better for the FTC to provide positive incentive. How about if the FTC were to reward companies for high-performing cyber security practices instead?

THE SC Magazine POLL
Do you think the Computer Fraud and Abuse Act is too broad and contains penalties that are too severe?
Yes 61.76%
No 38.24%
To take our latest weekly poll, visit www.scmagazine.com

THE STATS
4.8m articles allegedly downloaded by Aaron Swartz from JSTOR through a guest account on MIT’s network.
13 felony counts lodged against Swartz for CFAA violations; he faced up to eight years in prison if he were convicted.
Source: Trading Secrets/reason.com

THREAT OF THE MONTH
Java zero-day
What is it?
Yet another zero-day vulnerability in Java Runtime Environment (JRE) that allows remote code execution via browsers.
How does it work?
It can be triggered by a user simply viewing a web page embedding malicious Java content.
Should I be worried?
Yes, many of the Java vulnerabilities being exploited are types of errors that allow code execution in a completely reliable manner.
How can I prevent it?
Users should upgrade to Java 7 Update 13, which Oracle released in early February – 18 days prior to its scheduled release – in response to reports of the vulnerability being actively exploited. This latest update addresses 50 vulnerabilities for Java SE products. One of these is the new zero-day, though it is currently unclear which one. As attacks targeting Java are increasing, and we could see new zero-days in the immediate future, users should also disable Java in browsers by default, only enabling it for trusted websites when needed.
Source: Carsten Eiram, chief research officer, Risk Based Security
Update
2 MINUTES ON...
The influence of overseas reforms

While efforts to harmonize data security laws in the United States so far have been futile, the European Union is close to implementing an information protection law that will homogenize the responsibility of all of its 27 member states. But while the European General Data Protection Regulation, now under review by the European Parliament, is expected to efface some of the confusion around complying with a hodgepodge of disparate laws, some companies are concerned that its provisions and penalties are too burdensome. That includes some of the most powerful globally serving U.S.-based firms, which currently are heavily lobbying the EU for amendments, a move that has Jacob Kohnstamm, the head of a working group representing EU privacy and data protection regulators, telling these companies to back off.
“If such a lobby from the European side were organized toward Congress, we would be kicked out of there,” he reportedly said.
So what’s causing concern on the American side? The proposed provisions are heavy on privacy and consumer protection. They include a requirement that any company handling EU citizens’ data must notify data protection authorities and affected individuals of a breach within 24 hours. But what’s particularly upsetting to titans like Google and Facebook is a “right-to-be-forgotten” clause, which instructs companies to expunge any data published by someone upon their request. Fines for violating the regulation could swell to two percent of an offender’s annual global revenue.
While it’s unlikely Congress in the United States would ever pass anything as stringent as what is proposed in the EU, one unintended consequence of a synthesized framework in Europe is that it may push U.S. policymakers to also consider adopting an overarching law here, said Paul Luehr, managing director and chief privacy officer at Stroz Friedberg, a New York-based computer forensic firm.
Right now, nearly all states have breach notification laws. Despite a slew of high-profile incidents that have generated interest from Congress, the body has tried and failed several times in the past, even after urging from the White House, to enact a national law. Typically efforts have been hampered by disagreement over the threshold that should constitute notification, concerns from privacy advocates, pushback from corporations not wanting to spend additional money on compliance and opposition from some who believe the state laws provide greater protection.
– Marcos Colón

2% of global net annual income would be assessed against EU members for serious breaches under new data-protection rules

JOBS MARKET
Me and my job
Dominic Vogel, IT security analyst at a financial institution in British Columbia, Canada

How do you describe your job to average people?
I offer options and advice on various business projects and initiatives from a security perspective. At the end of the day, what I do is risk management. It’s about mitigating risk – to the business and our customers – to appropriate levels by ensuring effective countermeasures and safeguards are in place.

Why did you get into IT security?
When I was in high school, my dad brought home a copy of SC Magazine and I read it (I have no idea where he got it). I’ve been fascinated with IT security ever since. It is the constant change, acute contextual awareness, and the allure of the unknown that drew me to IT security. The challenge of marrying IT security with the rest of the business structure is something I enjoy immensely.

What was one of your biggest challenges?
Improving the security culture and attitude toward IT security. Since the value of security is difficult to quantify, measure and see in hard, cold dollars, it often falls by the wayside. By embarking on a security awareness goodwill tour, I’ve visited our branches and spoken to head office staff about the importance of security. I always wanted to be a stand-up comedian, so by incorporating humor into my speeches, I changed people’s perception about IT security. The key to cultural change is always humor.

Of what are you most proud?
Being known as a strong communicator and proponent of improving security culture. People in the IT security realm are often perceived as being hyper-sensitive nerds who force unreasonable security measures that clash with business objectives. I’m very proud of the fact that I’ve broken that stereotype and that my colleagues now have security as a priority rather than an afterthought.

For what would you use a magic IT security wand?
If such a wand were to exist, I’d probably be unemployed.

Skills in demand
What it takes
Significant expansions of IT infrastructures have increased demand for experienced penetration testers to find security vulnerabilities in targeted apps, networks, and systems. Hands-on experience with reverse engineering and scripting languages is helpful. Expertise in identifying flaws is critical. Designing creative solutions to complex problems, paired with stellar documentation and communication skills, are most valuable.
Compensation
Specialist-level roles start around $100K, with senior and lead often earning $110K to $130K.
Source: Adam Weissman, director of legal technology, Glenmont Group
Company news

»Paige Leidig has joined San Jose, Calif.-based cloud information protection company CipherCloud as its first chief marketing officer. Leidig was formerly the global VP at SAP, an enterprise software corporation headquartered in Germany. Travis Patterson also has joined CipherCloud as SVP of worldwide sales. Prior, Patterson served as the SVP of sales and support at Sunnyvale, Calif.-based mobile security cloud service provider Marble Cloud, formerly called IronKey.
[Photo: Paige Leidig, chief marketing officer, CipherCloud]

»Justin Somaini has left Yahoo, where he had served as CSO, a move that comes not long after researchers exposed security issues in Yahoo Mail, namely a cross-site scripting (XSS) vulnerability made public in January. Prior to joining Yahoo, Somaini was CISO at Symantec. Before that, he served as the director of information security at Reston, Va.-based Verisign.

14 SC • March 2013 • www.scmagazine.com
»Famed researcher Moxie Marlinspike has left Twitter, where he was part of its security team. He used the social networking site to announce his exit, telling followers in January that he had “some fun projects coming up.” Marlinspike previously co-founded the San Francisco-based Android security firm Whisper Systems, which was acquired by Twitter in 2011.

»A new company, Cybersalus, has launched and will focus on providing services and solutions for threats affecting the government sector. John Kiehm is the CEO of the Reston, Va.-based firm. Cybersalus is a standalone company based on a partnership between Kiehm and Temple, Texas-based distribution and defense solution provider McLane Advanced Technologies (MAT).

»FireEye, a Milpitas, Calif.-based advanced threat solutions company, has secured $50 million in venture funding from new and existing investors, which include Goldman Sachs, Norwest Venture Partners, Silicon Valley Bank and Sequoia Capital. The funding will support FireEye’s international expansion, innovation and other initiatives to expand its customer base.

[Photo: C. Scott Hartz, CEO, TaaSERA]

»C. Scott Hartz has joined Cupertino, Calif.-based security start-up TaaSERA as CEO. Prior, Hartz was the CEO of PwC. TaaSERA, a behavioral malware detection firm, was established in February 2012 through the acquisition of cloud and endpoint security provider Taasware. It also licensed research and development technology for network malware detection from SRI International.

»WatchDox, a Palo Alto, Calif.-based enterprise solutions provider, has secured $12 million in funding to further its secure document-sharing technologies. New York-based Millennium Technology Value Partners led the funding, which helped WatchDox last December acquire InstallFree, a product that allows the company to enhance its own file-sharing security platform.
Opinion

New risks must be valued
Geoff Webb, director, solution strategy, NetIQ
Getting a handle on the basics is difficult today. IT trends – cloud, social networking and BYOD – are making the practice of security management complex, and are forcing organizations to shift to a risk-management perspective.

The purpose of risk management is to better enable smarter decisions. Good risk management must underpin all security strategy, and yet it is often overlooked in the pressure to “do something.” Communicating risk to senior stakeholders is challenging, and vague categories of “high, medium, low” risk can undermine, rather than support, security programs.

Today’s security teams cannot be seduced by the “sexy” aspects of risk. Worrying about APTs may get you a meeting with the board, but failures in the basics of patch management, protection against SQL injection, privileged user monitoring and the like, will be the cause of breaches and negative publicity that undermine corporate reputations.

While adopting cloud or BYOD can have a great impact on IT costs, employee productivity and even worker morale, there is little to nothing in the way of data to understand what the risks are, let alone how serious they may be. There are a lot of vested interests in both talking up and playing down the risks of all of these industry trends, making the problems of risk management that much harder to overcome. So, organizations are left to puzzle out the right approach. Businesses, IT organizations, vendors and industry bodies need to be both open and collaborative in the way we build risk management capabilities. Failure to do so will damage the ability of businesses to be competitive, for government agencies to serve their constituents and for IT vendors to retain the trust of their customers. And those are the real risks.
From the CSO’s desk

Maximizing quality and reliability
Rafael Diaz, CISO, state of Illinois

As CISOs, we are expected to be developing secure organizations from insecure components – namely, our business processes, our people, our technologies, indeed our very organizational construct. Information security executives today must work to “engineer” our organizations to be better, faster and cheaper – and more secure. We must design organizations that are self-learning, self-organizing and self-improving. And, it is vital to question even the most sacred of processes or methods. It is through this questioning that we gradually improve reliability – confidentiality, integrity and availability.

There are many reasons for this, but perhaps primarily it is that national security is business security. How do we design these new organizations? How do we engineer the reliable organization?

Aligning security and compliance with business strategy – While some forward-thinking organizations are reorganizing their information security functions – moving out of IT – most CISOs report to the CIO. Aligning the information security function with overall business strategy will allow organizations to get a holistic view of security, risk and compliance, help businesses achieve greater speed to market, adopt a risk-based approach to drive growth, and allow for greater input and visibility from business leaders for technology projects. This reorganization can include changes in reporting structure, scope of responsibility and organizational design philosophy.

People, process and technology – This is undoubtedly a well-worn concept, heard many times, though not often followed when implementing a solution. In my experience, I’ve often witnessed operations simply address a problem by throwing technology at it. Yet perhaps the greatest asset – and most important consideration – is the people who will use, support, develop, implement and secure the project.

While the statistics vary, many researchers will agree that most of the data loss occurring in our organizations is a result of faulty business processes – good people following bad process. One organization, for example, found that for months it had been sending HIPAA data to a fax number that had never been verified. A formal review of business processes using confidential or sensitive data will reveal astonishing results.

Organizational changes require a new kind of CISO – As our organizational connectivity and collaboration grows exponentially, information security becomes increasingly complex and difficult to manage. Organizations that recognize this and respond by taking a more proactive, integrated and strategic approach to security will also ensure their CISO is empowered with a business leadership role.

30 seconds on...

»Leveraging position
CISOs who are more closely integrated into the business – and more independent of IT – will have more influence and decision-making power, says Diaz.

»Ensuring a safe enterprise
Involving the CISO with business decisions will give the organization the needed visibility to ensure its business strategy has security, compliance and risk integrated.

»Good with the bad
The expansion of digital capabilities juxtaposed with vulnerabilities, risks and new attacks brings us to the most constructive and destructive digital era in human history.

»From the ground up
We have entered an era that requires a new organization, a new security function and a new type of CISO to achieve an organization engineered for security, says Diaz.
CSO of the Year

John South joined Heartland Payment Systems when it was still reeling from a breach…and it’s the best career decision he’s ever made. Dan Kaplan reports.

Joining a payment processor a mere nine months after it was plundered by hackers of more than 100 million of its customers’ credit card numbers might seem like a risky, if not desperate, employment decision. But for John South, who in September 2009 took the role as Heartland Payment System’s chief security officer, he couldn’t have timed the move any better.

Before Heartland, South toiled for nearly two decades in security jobs where his role was administrative in scope, and every request for budget support was a feckless battle with the rest of the IT department. But with Heartland, he knew that the 3,000-employee payment processor had, even before sustaining the breach, tightly aligned security with its overall business model. The problem was that it always lacked one key ingredient: sound, experienced and strategic security-specific leadership. South was just the person to fill that void, and now, at 62, he’s got a comfortable seat at the boardroom table.

“Obviously there’s that risk when you’re coming into a company that suffered a major breach that viability is something you have to be careful of,” South recalls. “But having talked to the principals and a number of other players in the company, I could see a real dedication to not only mitigating the breach, but keeping the company moving forward.”

Three-and-a-half years later, South has overseen the gutting and successful reconstruction of its security infrastructure. South, who is SC Magazine’s 2013 CSO of the Year, was brought in to help transform the new operation into a “sustainable and reliable” part of Heartland’s business. In addition, he established an internal audit group that conducts regular compliance checks, even though Heartland knows firsthand that compliance doesn’t equal security.

South, who also is an adjunct professor at the University of Dallas, was recruited to work at Heartland’s Plano, Texas location by Kris Herrin, now the processor’s chief technology officer, who was only a couple of months on the job when the breach was discovered. Herrin formerly reported to South at Alcatel-Lucent, where South ended a 19-year stint as director of information security in January 2008. In fact, he was one of the first people Herrin called when he learned of the breach.

South’s past year largely has been spent creating Heartland’s application security program, which concentrates not only on external apps – remember, Heartland’s attackers leveraged an SQL vulnerability to stake their initial foothold – but also internal ones. South also is significantly ramping up the company’s security awareness program. For example, he recently oversaw an exercise in which a small portion of workers received fake phishing emails. The security team was interested in learning how many people would click.

“Information security is one of the most significant corporate missions and continual challenges at this high-growth company,” says Charles Kallenback, general counsel and chief legal officer at Heartland. “John’s work with the board, the audit committee, senior management, IT, operations and corporate development is absolutely integral to ensuring that information security is embedded in everything that is done at Heartland.”

[Photo: John South, CSO, Heartland Payment Systems]

Outside of Heartland, South has been instrumental in promoting information sharing around threat intelligence, something he believes is paramount if the good guys stand a fighting chance. He sits on the board of directors at the Financial Services – Information Sharing and Analysis Center (FS-ISAC). In 2009, he helped create a subgroup, known as the Payments Processing Information Sharing Council (PPISC). South also believes in enforcement. In 2003, he helped stand up the U.S. Secret Service North Texas Electronic Crimes Task Force, and is a founding member of the region’s FBI InfraGard program.

“John has provided his mentorship to me, personally, and to countless individuals who have benefited directly from his experience,” says David Bentz, assistant director of Group Services, a Fort Worth, Texas-based security services and consulting firm. Besides being “scary smart,” Bentz, a retired Secret Service agent in Dallas, adds that South is a “man of character and dedication.”

In a Q&A, SC Magazine asked South to comment on current and future trends, and to define his technology and project roadmap at Heartland.

SC Magazine: How would you describe today’s security threat landscape?
John South: Today’s security threat landscape is the most dynamic and aggressive we have ever seen. We have focused threat actors, some with nation-state protection, attacking more targets than ever. Whether it’s criminals monetizing their attack strategies or nation-states attacking our critical infrastructures and intellectual property, the financial and tactical rewards are enabling them to invest in building powerful capabilities. They are actively developing new techniques and tactics to affect their strategies, and are easily luring new members into their ranks. Most importantly, cyber criminals know what targets they want to hit and when they will hit them.

SC: What is your biggest gripe with the way security is done these days?
JS: The information sharing movement can only get traction if it gets federal attention, funding and resources that would enable the intelligence agencies, federal law enforcement and the carriers to establish a comprehensive program for defending and alerting our infrastructure, companies large and small, and even individuals when they are threatened. A second and equally critical requirement is that the Department of State takes diplomatic action against those nations that harbor these criminals or conduct nation-state attacks themselves.

SC: Are we getting anything right?
JS: Absolutely. We are seeing much more information sharing across government agencies (though there is plenty of room for expansion) and among corporations. Businesses are getting the message that security issues can no longer be their dirty little secret or their competitive advantage.

SC: Are the adversaries beatable?
JS: With these advantages, they probably can’t be beaten. Just like bank robbers and drug dealers, cyber criminals and nation-state actors are part of a criminal lethality that will never go away. But we should all collectively strive to make it so difficult for them to conduct their attacks that it depreciates their economic and political incentives and cripples their operations. At best, we may eventually reach a point where we can effectively stop the majority of attacks at the carrier level and then track the criminals down and bring them to justice.

SC: What are the threats/newer applications that you think you and others in your position must address this year, and how will you do this?
JS: One of the major threats that will be facing all of us over the next year is the increasingly aggressive DDoS attacks against elements of our critical infrastructure. I would not assume that these attacks will be only aimed at major companies, like we have recently seen focused toward the major banks. As cyber criminals perfect their attack vectors, I would expect to see new targets to emerge in the weak links of corporate networks, such as the crucial junctures of companies’ supply chains, as well as their customers’ networks. Attacking the weaker links may give the adversaries an edge in compromising the country’s critical infrastructure.

BYOD will challenge all of us, as this is but the tip of the ever-evolving iceberg. Over the next few years, I expect to see more applications and infrastructure built around mobile platforms. Cloud computing will have similar challenges for us in the future, particularly in maintaining full diligence of data and applications. In the cloud, the presence of data may take on all new meanings.

SC: What is on your future agenda at Heartland?
JS: My agenda is to continue improving Heartland’s security strategy to take advantage of emerging technologies, such as BYOD and the cloud, while staying focused on the security implications of merging these technologies into our infrastructure. I will also continue to press for improvements in industry-government sharing and advocate that the value in the intelligence that we gather is in the sharing of it.

SC: What are the security technology essentials that organizations should have in place?
JS: One of the more important tools, as always, is a comprehensive logging and review process. Today, it’s critical that this capability be tied into an active intelligence process that allows trained resources to quickly and efficiently identify anomalous behavior. Two other technical capabilities can be associated with this process. As our adversaries need to be able to communicate back to their own devices, having a mechanism for quickly identifying command-and-control channels as they are established is essential. In addition, as we share malware and attack indicators, having a tool that allows one to quickly locate the presence of the indicators on the network provides a distinctive edge.

SC: What tips would you give to individuals looking to enter the field of information security?
JS: Build a strong base of understanding around the technical side of security, but be able to discuss your strategies in business terms. You will have to sell your ideas to your business leaders and perhaps even your company’s board of directors. Therefore, you must be able to build a business case around your strategy to show not only the technical, but business advantages. The more lucid and compelling an argument you present, the better chance you have of selling and implementing your idea. In addition, if you are completely new to the field of information security or if you are still in school, try to find a company that is offering an internship program, which will give you an opportunity to showcase your capabilities and gain relevant experience.

SC: What’s your best advice to others when it comes to building a strong security program?
JS: The most important aspect of building a strong security program is having the right team, and the right-size team, in place. There’s no right answer to what the right number of people is. No magic formula exists. However, it’s essential that you have team members who can operate effectively without direct supervision, who can independently decide how to approach a security question and who act as internal security consultants. As such, security team members need to understand how to listen to business leaders and help translate their needs into a strong security program. While this process needs to start early in the project lifecycle, the security team should be engaged throughout the various stages of development and deployment.

SC: How will the role of the CSO look in five years? In 10 years? In 20?
JS: In the next five years, I expect that we will see increasing turmoil as criminals and nation-states continue to develop and use their capabilities to attack our infrastructure, as well as the networks and computers of companies and individuals. The incentives for our adversaries far outweigh the repercussions. But we aren’t just going to be sitting around, as I believe corporate and federal law enforcement will increase the use of offensive tactics and weapons and implement better defensive capabilities.

My projections for 10 and 20 years out are a bit more fuzzy. But wherever that may take us, we need to ensure that security stays engaged early and often in new projects.

One thing that is fairly apparent about the future is that there will be a glut of open security jobs as baby boomers phase out of the workforce. There are few colleges and universities that are educating students with degree programs focused specifically on security. This is where active mentor and internship programs can help identify new talent for your organization.

SC: Any hobbies, destination spots or other more personal areas of your background that you would like to share?
JS: My wife and I have taken up running (after a long hiatus for me, a new adventure for her). Though we both enjoy competing in 5K races around Plano, [Texas], we have a long way to go before we get competitive. But, at least at this time for us, it’s about the running and not the medals. It’s fun to challenge ourselves to improve, even if the only reward is in knowing that we finished.

A more extensive version of this Q&A is available on our website, www.scmagazine.com.
Mobile payments

Handheld at arm’s length
The mobile payments concept is surging in Canada, but perception over insecurity is guiding some consumers to resist it, reports James Hale.

From the world’s first trans-continental fiber optics network to the invention of the BlackBerry, Canada has been a pioneer in digital technology. Now, with Visa’s endorsement of
BlackBerry’s Secure Element Manager as
the global standard for the card brand’s
mobile payments, and the unlikely
partnership of telco rivals Bell Mobility,
Telus and Rogers in EnStream, the digital
wallet concept is surging in the country.
But, while some Canadian companies
are leading the mobile payments revolution, Canadian consumers seem more
wary about the concept. Only about one
in five Canadians has used a smartphone
to make a purchase, and just 13 percent
have used a mobile banking application, according to a 2012 study by PwC
Canada, a member firm of the international advisory and tax services organization. The study reports that 74 percent of
Canadians are reluctant to make mobile
transactions because of security concerns.
“Canadians have a feeling that their
security is compromised,” says Balaji
Jairam, a technical analyst at PwC Canada and one of the study’s authors. “These
are the same people who think nothing
of giving someone a cheque, even though
it has their bank account number on it,
but mobile raises concerns.”
And, the sense for many is that mobile
payment technology is shifting the traditional retail transaction model away from
financial institutions. Through EnStream,
the telcos appear to be positioning themselves as transactional agents. Formed
in 2005, the company has been particularly active in recent months. Its latest
move toward transforming Canadians’
smartphones into digital wallets was its
February announcement of a distribution
agreement with SecureKey Authentication Technology.
In announcing the deal, Almis Ledas,
EnStream’s chief operating officer, said: “Our mandate is to accelerate the adoption of secure, SIM-based NFC [near field communication] mobile payments in Canada through common platforms.”
At the same time, PayPal, the global
firm that enables online money transfers,
has been trying to interest Canadian
consumers in its mobile application for
Android, Apple and Windows phones,
while Square technology – another
small-business platform, founded by
Twitter creator Jack Dorsey, that enables
debit and credit card payments on a
mobile device – jockeys to position itself
as an alternative to cash registers for
small business owners.
Still, none of them has done much to
make consumers pull out their phones
instead of their credit or debit cards.
While PayPal has effectively established
itself as an online service provider, its
effectiveness as a mobile solution rests
on consumers’ trust of cellular security.
While Square strikes many merchants
as a sensible solution – particularly in an
era when ‘pop-up’ locations of restaurants and other commercial ventures are
in vogue – it presents consumers with
an uncertain link to exactly where their
bank information is going once they sign
with their index finger.
“Right now, we’re way behind countries like Japan when it comes to mobile
payment adoption,” says Umar Ruhi,
assistant professor at the University of
Ottawa’s Telfer School of Management.
“The overarching factor is trust. Security
and privacy are significant barriers.
Canadian consumers want to see their
banks directly involved.”
Andrew Szabo, senior manager of
technology strategy and architecture at
Deloitte, agrees. “The reluctance on the
part of consumers right now is huge,”
he says. “We’re hardwired to think of
banks as playing the leading role when it
comes to retail transactions.”
For their part, Canada’s largest
banks have been slow to move. In May
2012, the industry announced a set of
voluntary, secure and open guidelines –
known as the Mobile Reference Model.
Yet, in a survey of the Canadian banking
landscape released in November, the
Canadian Bankers Association was still
calling mobile payment “the next innovation, which is coming soon.”
“Banks recognize mobile payments as
a market interruption,” says Jairam. “I’ll
stop short of calling it a threat. They’re
making strategies to partner.”
But, while banks start from a position
of strength in terms of the trust consumers place in them, it remains to be
seen if a single organization will be able
to control all forms of value transfers
in the mobile payment realm, says the
PwC report co-authored by Jairam. “For
banks to secure and even extend their
revenue potential from mobile payments,
they’ll have to play an active role in the
enforcement of standards across the
ecosystem,” the report said.
Other key players in the landscape want to have their say, too. For one, the Canadian Federation of Independent Business (CFIB) has expressed concern that mobile payment technology will hurt merchants by driving up costs, and create consumer confusion by introducing nontraditional actors like the telcos, PayPal, Square and the like.
The CFIB enthusiastically endorsed
the federal government’s decision to
introduce a Mobile Payment Addendum
to the Code of Conduct for the Credit
and Debit Card Industry in Canada.
Led by the Department of Finance, the
government held a two-month public
consultation on the addendum early last
fall. Announcing the consultation, Ted
Menzies, the minister of state for finance,
said: “As mobile payment options begin
to grow more rapidly in Canada, our
government wants to ensure that the
principles of transparency, fairness and
competition are respected.”
In February, David Barnabe, a spokesperson for the department, could only
say: “The findings of the consultation are
being reviewed, and the finalized addendum will be presented in the near future.”
No timetable has been announced.
Canada’s privacy commissioner is
another interested party. As spokeswoman Heather Ormerod says: “Our
office is following developments in the
mobile payment industry closely, and we
are actively exploring the privacy issues,
from both a technology and identity
management perspective.”
As is the case for many longtime
observers of Canada’s information technology scene, the government’s decision
to insert itself, rather than letting market
forces rule, doesn’t come as a surprise.
“Government could definitely step back
on this one,” Deloitte’s Szabo says. “They
could simply set broad boundaries and
let the free market rule. Otherwise, it
creates an artificial situation.”
Canadians have lived with those types of dynamics before: in the limited competition that was permitted following the decision by the Canadian Radio-television and Telecommunications Commission to end the Stentor members’ monopoly over the long distance telephone business; in the limited-player cellular market; and in the monopolistic cable television industry. Canadians have learned to live with higher prices than those paid for similar services in other countries, and with delayed introductions of innovative technologies and delivery mechanisms.
Analysts are hoping that government
intervention won’t stop what they view
as what’s needed to kickstart consumers’
adoption of mobile payments.
“For consumers, processing integrity
is the main thing,” says Szabo. “They
also want to have confidentiality, privacy,
security and availability, and the banks
are good at all of that. Right now, there
are a lot of companies trying to figure
out how to bring it all together. I think
the bad ones will fall away. The winners
will figure out the security question and
make it look secure for consumers.”
Jairam agrees that changing the
perception in the minds of skeptical
consumers is the winning formula.
“This is a field that is going to be
driven by consumers’ choice,” he says.
“So, if you look at what could be a
game-changer, you have to think that
if a trusted company, like Apple, came
along with a winning NFC solution, that
would be a significant event.”
Szabo says mobile payment adoption
will come naturally. “Everything is leaning
the way of NFC,” he says. “It’s shaping the
way phone manufacturers are thinking.
We’ll see a staggering number of Android-based NFC apps by the end of the year,
and that could change everything.”
www.scmagazine.com • March 2013 • SC C2
Critical infrastructure losing control
Industrial control systems remain troublingly
vulnerable to both internal error and outside
intruders, reports Danielle Walker.
Researcher Tyler Klinger was curious if the companies that operate
the nation’s industrial control
systems had jumped the proverbial
shark when it came to cyber attack
susceptibility. While he was well aware
that critical infrastructure providers,
like power companies and oil-and-gas
refineries, had become increasingly
juicy targets in recent years, he was
interested in learning the ease by which
they could be compromised.
Klinger, a researcher at Idaho-based
Critical Intelligence, which provides
information services to industrial control
system (ICS) customers, knew that
most companies outside of his area of
expertise were being regularly breached
through targeted emails, commonly
referred to as spear phishing, in which
employees open a legitimate-looking
attachment or follow an enticing link,
only to invite malware into their organization. But would the same type of
trivial, easy-to-launch attack – one that
doesn’t require deep pockets and nation-state backing – be just as effective at
allowing criminals to, say, access a utility
plant? The answer was a resounding yes.
After receiving approval from two
companies that operate control systems,
Klinger scoured various websites, like
LinkedIn and Jigsaw, to locate contact
information and other details about
various high-level employees working
there. He then delivered experimental
phishing emails to 72 workers, who
had no knowledge of the experiment.
Eighteen clicked on the links contained
in the messages. If this were a
real-world scenario, Klinger would now
have a foothold to initiate more technical, and potentially devastating, attacks
by leveraging, for example, a vulnerability residing on the very hardware and
software that runs these plants. It’s not a
far-fetched scenario.
In the last decade or so, industrial
control systems that were never designed
with IT security in mind have become
interconnected with corporate computers and networks that expose them to
a range of new threats. Last April, the
U.S. Department of Homeland Security’s Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT)
warned of an ongoing spear phishing
campaign where attackers increasingly
targeted companies in the natural gas
pipeline sector.
Spear phishing often exposes the
human vulnerability within companies, says Scott Gréaux, VP of product
management and services at Chantilly,
Va.-based PhishMe, a software firm that
focuses on phishing threats. Gréaux,
who helped Klinger with his experiment,
says he advises that management stress
to employees that anyone could be on an
attacker’s radar.
“Engage users in a discussion about
phishing attacks, so they are aware that
they are real and that [attackers] will target anyone in an organization,” Gréaux
says. “They may not necessarily target a
control operator. They will target someone where they can get a foothold.”
So what can attackers accomplish once
they are inside? The threat of outsiders
with sophisticated malware targeting
critical infrastructure has grown markedly in recent years. Last August, data-wiping virus Shamoon rendered 30,000
computers at the Saudi Arabia-based oil
company Saudi Aramco unusable. A few
months later, officials at Chevron confirmed that the U.S. oil company was hit
by Stuxnet in 2010, a worm – believed
to be the creation of the United States
and Israel – that was originally designed
to target only Siemens SCADA systems
being operated within nuclear enrichment facilities in Iran.
In October, ICS-CERT alerted the
ICS sector of increased attack interest shown by malicious groups, like
hacktivists. The threat report warned
that these groups were using specialized
search engines to identify internet-facing ICS devices as potential targets for
attacks. The finding came after a security research company released hacking
techniques for targeting programmable
logic controllers (PLCs), computer-based hardware used to automate industrial monitoring and control processes.
The exploit tools were meant for PLCs
made by General Electric, Rockwell
Automation, Schneider Electric and
Koyo Electronics.
Then just last month, Austin-based
security firm NSS Labs released a study
that tracked a 600 percent jump in ICS
system vulnerabilities revealed between
2010 and 2012, with 124 security flaws
being disclosed.
Also this year, ICS-CERT released a
technical paper in January that included
guidance – and common mistakes to
avoid – when responding to advanced
attacks. For instance, instead of immediately trying to rid systems of the
malware, IT management or designated
responders should capture live system
data, like network connections and
open processes, before disconnecting
compromised machines from networks,
the paper says. Companies additionally
were advised to avoid running anti-virus
software immediately after an attack,
since the scan could change critical file
updates or thwart analysis of malware
for future detection.
David McIntosh, vice president of
federal government affairs at Siemens, a
Germany-based electrical engineering
and manufacturing company that services critical infrastructure sectors, says
federal policies are necessary to facilitate
the kind of public-private information
sharing needed when advanced attacks
occur. According to Nate Kube, CTO
of Wurldtech, a Canada-based industrial
security products company, the nation’s
water supply is particularly at risk to
attacks of this kind.
“[In] industries like water, there’s not
a lot of budget for security, so unless the
government steps in and provides incentives and regulations, the water supply
will be vulnerable,” says Kube. “The
level of security is close to zero, which
means if you can procure knowledge
on its systems, you can [cause] a lot of
damage. There’s not a lot of stop gaps.
The only protection now is that there’s
not a lot of incentive in hacking these
systems.”
Hours before his State of the Union
address, President Obama issued a
cyber security executive order designed
to spur the implementation of better
security standards among ICS companies. Though the order won’t be mandated like legislation and will merely
provide best practices for the government and private companies, it will
direct federal agencies to share information about critical infrastructure threats
with corporations in the ICS sector.
The move also encourages lawmakers to
pass legislation with critical infrastructure protection in mind.
Growth market: Cyber security spending
According to ABI Research, a New York-based market research firm, industrial
control systems that are ill equipped to
fend off cyber attacks will drive increased
security spending in coming years. By
2018, ABI expects worldwide cyber security
spending on oil-and-gas infrastructure to
hit $1.87 billion for the year. Spending in this
category includes investments in policies
and procedures, IT networks and countermeasures for threats, the firm found.
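The response step the ICS-CERT paper describes above, capturing live system data such as network connections and open processes before a compromised machine is disconnected, as an added example; this is not code from the article, from ICS-CERT or from any vendor. It assumes a Unix-like host where ps and either ss or netstat exist; the artifact names, the JSON manifest and the list of collector commands are this example’s own choices.

```python
import hashlib
import json
import shutil
import socket
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Each artifact lists candidate commands; the first one present that exits 0 wins.
# Live connections and running processes are exactly what is lost once the host
# is pulled off the network, so they are captured before isolation, not after.
# (Collector list is this example's own choice, not ICS-CERT's.)
COLLECTORS = {
    "processes": [["ps", "-eo", "pid,ppid,user,lstart,cmd"], ["ps", "aux"]],
    "connections": [["ss", "-tunap"], ["netstat", "-anp"]],
    "arp": [["ip", "neigh"], ["arp", "-an"]],
    "routes": [["ip", "route"], ["netstat", "-rn"]],
}


def run_first_available(candidates):
    """Return (command string, stdout) for the first candidate that runs cleanly."""
    for cmd in candidates:
        if shutil.which(cmd[0]) is None:
            continue
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        except (OSError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0:
            return " ".join(cmd), proc.stdout
    return None, ""


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_volatile_data(outdir, collectors=COLLECTORS):
    """Write one file per artifact plus capture context, then a hash manifest.

    Returns the manifest dict so a caller (or a test) can see what was captured
    and with which command.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)

    # When and where the capture ran: the incident timeline has to be defensible.
    context = {"captured_at": datetime.now(timezone.utc).isoformat(),
               "hostname": socket.gethostname()}
    (outdir / "context.json").write_text(json.dumps(context, indent=2))
    manifest = {"context.json": {"command": None,
                                 "sha256": sha256_file(outdir / "context.json")}}

    for name, candidates in collectors.items():
        cmd, output = run_first_available(candidates)
        target = outdir / f"{name}.txt"
        # A failed collector still leaves a file, so gaps are visible in the record.
        target.write_text(output if cmd else "no collector available\n")
        manifest[target.name] = {"command": cmd, "sha256": sha256_file(target)}

    # The manifest is written last; any later edit to an artifact is detectable.
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(outdir):
    """Re-hash the artifacts and return the names whose contents changed."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [name for name, entry in manifest.items()
            if sha256_file(outdir / name) != entry["sha256"]]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else \
        f"ir-{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}"
    for name, entry in collect_volatile_data(target).items():
        print(f"{name:16} {entry['command'] or '-':36} {entry['sha256'][:16]}")
```

Run it on the suspect host before the network cable is pulled; the manifest lets responders show later that the captured files are unchanged. Nothing here scans or cleans the machine, which matches the paper’s advice to hold off on anti-virus until the malware has been analyzed.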
Last month, lawmakers reintroduced
the controversial Cyber Intelligence and
Sharing Protection Act (CISPA), though
many privacy groups oppose a provision
that may permit personally identifiable
information collected by companies
to be among what is shared. News of
CISPA returning came not long after
seven Democratic senators introduced
the Cybersecurity and American Cyber
Competitiveness Act of 2013 in January,
essentially a refresh of a bill that was
shot down last year. The language in
the measure has not yet been firmed up,
but it is expected to create mechanisms
for threat information sharing, workforce development, risk assessment and
identity theft prevention.
Security vendors and end-users have
differing opinions, however, on whether
regulations are the answer. PhishMe’s
Gréaux says that more policy could distract companies from detecting the real
threats. “From a practical perspective,
I think there’s good policy that can be
written to help guide [companies] in the
right direction, but it also can distract
security practitioners from focusing on
threats,” he says. “It takes focus away
from protecting assets and systems, and
puts it more on compliance. Sometimes
it makes the organizations less secure
than they were before.”
The 2013 survey: Guarding against a data breach
Preparing for the new norm
With almost daily advanced
attacks, organizations of all sizes
must be at the ready, according to our
latest survey. Illena Armstrong reports.
Even as advanced persistent threats (APTs) and other attacks
strike companies and government agencies at an unparalleled
rate, information security professionals remain bullish about
forging ahead with their data protection and risk management
efforts this year. In fact, more IT security leaders than ever before
think their companies are making greater strides in safeguarding
critical corporate and customer data.
According to this year’s SC Magazine “Guarding Against a Data
Breach” survey, which for the first in its six-year history sought
input from professionals in the U.K. and Australia, 91 percent of
the 427 U.S. respondents say their companies are taking proper
steps to protect critical data, compared to 87 percent in 2012 and
2011. Meanwhile, of the 104 respondents from the U.K. and Australia, 83 percent think they are moving in the right direction.
However, the reality may be a little different from these
more optimistic views. Just in the last month, it was revealed
that sly and practiced hackers, likely from China, pervaded
The New York Times computer networks over four months to
try to steal information related to a story the newspaper wrote
late last year about the Chinese prime minister’s relatives –
and the riches they obtained. Enlisting several techniques
to hide their tracks, the criminals gained access to employee
computers and stole reporters’ passwords, probably using
spear phishing methods to install backdoors.
So far, there is no evidence that any files, customer information or other data was affected,
according to newspaper officials.
The incursions didn’t stop there. Also
recently hit were The Washington Post, The Wall
Street Journal, Twitter and the U.S. Department of Energy. And
all were reportedly battered by similar or the very same savvy
cyber assailants employing what are fast-becoming preferred
APT attacks that allow them to infiltrate networks and then
linger for long periods behind a sea of obfuscation to observe
network communications, amass critical information and more.
“Generally, there may be a perception that companies are
doing a better job by applying security products [or other
tactics], but the reality is that security breaches keep escalating each year,” says Ron Baklarz, CISO and export control
compliance officer with the National Railroad Passenger Corp.
(AMTRAK). “This will only worsen as nation- and state-sponsored attacks on U.S. critical infrastructures increase, as well.”
Likely because of this escalation, more respondents to this
year’s data breach survey compared to previous years agree that
the threat of a breach, loss or exposure is greatly influencing
their organization’s security initiatives. Some 85 percent noted
this as a major driver, compared to 80 percent in 2012. Similar
to U.S. responses last year, 76 percent of U.K. and Australia
IT security pros say attacks are a major influence on initiatives
for this year’s survey, which was sponsored by Vormetric and
conducted in partnership with CA Walker.
“As time goes on, more companies understand that it’s better
to be proactive and assess and deal with the security of their
data – through frameworks, standards and regulations, like
ISO 27002, PCI or HIPAA – rather than wait for a security
incident or a failing security audit to start making progress,”
says Brad Johnson, vice president at long-standing consultancy
SystemExperts, based in Sudbury, Mass.
This is especially true given how much
data actually is being generated every day
and how much organizations have come
to rely on it to run their businesses, says
Tina Stewart, vice president of marketing at Vormetric, a San Jose, Calif.-based
provider of enterprise encryption and
key management. With reliance on data
assets growing exponentially in recent
years, protection of it is paramount.
“Recently I read that every day, we
create 2.5 quintillion bytes of data – so
much that 90 percent of the data in the
world today has been created in the last
two years alone,” Stewart says. “This
data needs to be protected, and there is
a cost to that protection.”
Despite the costs, though, budgets
largely are remaining flat, with occasional
spikes here and there, says Stephen Fridakis, CISO of UN FAO, the Rome-based
food and agriculture organization of the
United Nations. While a host of external
factors may prompt some increases in
shares of IT funding to be allocated to
cyber security – with motives often going
well beyond the threat of a breach – most
budgets remain fixed.
“By far the most significant factor
affecting our investment strategy is regulations,” he says. “Similarly, the second
greatest influence is client requirements.
Visa, for instance, requires certain cyber
security hardware, software, policies and
routine audits to engage in business relationships. Additional factors are results
of current audits [or] response to media
attention or a direct compromise.”
Of the 427 U.S. respondents to
the survey, 70 percent say IT security
departments and their leaders have the
power, executive and business support,
budget and resources to continually
improve overall corporate IT security
strategies – compared to only 63 percent
last year. For U.K. and Australia respondents, though, the number is much
lower at only 55 percent.
These numbers reflect the reality,
says Ian Appleby, information security
manager with Australia-based Endeavour Energy. “Budgets still remain flat,
and all security projects are justified on
a business-risk basis,” he says. “Having a budget for new tools is good, but
not fully effective without the budget
for staffing to operate and manage the
security environment.”
And while some information security
funds are seeing modest boosts, Fridakis
adds that “there is concern that these
budgets may not be able to sustain, in
the long run, the increased capabilities
that we establish today.”
[Chart: Do you agree your company is preventing data from being stolen, exposed or lost? Strongly agree or agree: 91% USA, 83% non-USA; neither agree nor disagree: 6% USA, 10% non-USA; strongly disagree or disagree: 3% USA, 5% non-USA. Respondents are more likely to agree that their company is taking steps to protect corporate data: 91% in 2013 vs. 87% in 2012 and 2011.]
Future plans
Just how much current and prospective
“increased capabilities” are impacted
by questions of budgetary need is up for
debate, but some experts – even now –
have seen security worries plaguing the
adoption of new technologies that could
support the business.
“I hear security concerns used as
justification to delay system modernization efforts or other changes that might
possibly create new exposures,” says
Becky Bace, chief strategist at the Center
for Forensics, Information Technology
and Security (CFITS) at the University
of South Alabama in Mobile. But, what
information security leaders must be
diligent about explaining to their bosses
is that “there’s virtue associated with
beefing up security testing and other
mechanisms in order to fix problems
before systems are deployed,” she says.
Because C-level executives and boards
of directors often see IT security as a
cost center, misunderstand technology
in general and fail to see how harmful
data breaches can be to bottom lines
and the brand, it’s hugely important that
CSOs continually educate them about
the threats and risks confronting their
businesses.
Exec leaders:
Embracing security
The need for robust information
security plans and data control
mechanisms is being acknowledged
by executive leaders across all major
industries, which bodes well for
CSOs looking to ensure they have the
resources to support their programs.
“Security and data breaches do significantly alter the company’s security
initiatives, especially where it relates
to an internal breach or a breach in a
similar company,” says Ian Appleby,
information security manager with
Australia-based Endeavour Energy.
“Security concerns are now coming
down from board level, so the directors can understand the overall risk
and security posture of the company.
“I believe the publicity surrounding
some of the breaches has caused
some of the rise in concern. It creates
a ‘can this happen to me,’ inquisitive
culture.”
Most companies are rightly concerned
about the various ways breaches
could impact their organizations.
Most of these are worries for private
and publicly traded businesses, alike.
Still, there are specific controls that
public companies must meet as dictated by standards set by major stock
exchanges worldwide, which move
beyond regulations, such as PCI-DSS,
HIPAA or state data breach laws.
“These [drivers] all focus on
protecting the value of the firm. As the
intrinsic value of the firm is classically
tied up in things, such as reputation – i.e. brand, customer base – i.e.
customer satisfaction, and profit
– [meaning] control of losses and
other costs of production,” says Becky
Bace, chief strategist at the Center
for Forensics, Information Technology and Security at the University
of South Alabama in Mobile. “It’s no
surprise that these would be drivers
for information protection.”
“They must be able to place security
into a business-relevant context and balance the needs to protect the organization versus the needs to run the business
operations,” says Phil Ferraro, CISO of
Arlington, Va.-based DRS Technologies,
a global defense contractor.
The goal is to help business leaders
understand that cyber security is not an
IT function, but rather a key business
enabler, he adds.
Yet, even though the potential adoption or deployments of new business-enabling technologies and services might
have some influence on continually shaping an organization’s information security
plans, their impact should be as nominal
as chatter about the next big attack or the
soon-to-be released regulatory requirement. Instead, “appropriate risk management” that accounts for what the critical
assets are, how they flow and in what
ways they contribute to the underpinnings of the business must be the main
factors in updating security strategies,
says Fridakis. “CISOs need to make sure
that we are not swayed by media hype
about a technology or a vendor or a perception for an attack,” Fridakis says. “We
need to work smarter and concentrate on
the most material work. Remaining faithful to a risk profile is essential.”
So, when talk of bring-your-own-device (BYOD) and mobile security
crops up, frantic worries about safeguarding cloud environments are voiced,
or discussions around third-party
applications heat up, security pros have
to refine their approaches, but do so
through a living risk management plan
that enables organizations to be much
more adaptable and proactive, rather
than reactionary.
“Many companies don’t seem to
have clear policies to clarify stances
on technology like cloud and mobile,”
says Jeff Brown, operations leader at
General Electric. “The implications of
technology need to be considered early,
and requirements need to be proactively
defined and communicated,” he says.
“Right now, it is very reactive. Security
is often called in well after the project
direction has been set and deployment
under way.”
Accounting for gaps
Comparable to previous years, 13 percent of U.S. respondents to this year’s
survey say their company has suffered
a loss, theft or breach of customer/client data. For the U.K. and Australia, 18
percent say they have.
So, although more respondents overall
say they’re taking steps to protect critical
data, it doesn’t necessarily mean they’re
actually doing a better job. “Though I’m
certain that more are taking steps to protect data, I’m not as sanguine that those
steps are keeping up with the threat
vectors,” says Bace of the University of
South Alabama.
To be sure, the threats are abundant.
As well, the attacks themselves are more
complex and frequently persistent.
“There is no strategy that will be
effective against all types of attacks, but
to know there are a variety of types is
to build effective ways to monitor for
them,” says Jennifer Bayuk, a former
CSO, and current principal at consultancy Jennifer Bayuk, LLC, based in the
greater New York City area.
This is where a well-rounded defensive
strategy that considers threats from all
vectors comes into play, adds Stephen
Scharf, CISO of Experian, a Costa Mesa,
Calif.-based consumer and business credit reporting firm. “With proper attention
to log aggregation and event correlation, an organization can help increase
the likelihood it will discover a security
breach quickly and be able to address the
threat appropriately,” he says. “Time is
critical and the sooner malicious activity
is detected, the greater the chance it can
be resolved before data is exfiltrated.”
Survey results show that of those who
experienced a breach, loss or theft of
data in the U.S., the information was
lost, stolen or exposed through a variety
of methods, including web application
attack (29 percent), malicious insider (20
percent), targeted attack, laptop loss and
theft, or email exposure (all 18 percent).
Malicious insiders were higher for U.K.
and Australia respondents at 42 percent,
as were targeted attacks at 26 percent.
As well, the information security-related problems at the top of lists that
caused the greatest financial loss to
U.S. companies included data loss (18
percent), data theft (14 percent), vulnerabilities/bugs (11 percent), web application attacks (11 percent) and phishing
(nine percent). These seemed to match
up with responses from the U.K. and
Australia, except when it came to insider
threats. Once again, this problem moved
nearer the top, at 21 percent compared
to only seven percent in the U.S.
Targeted attacks, like those that hit
some organizations last month, are more
frequently the cause of breaches, and so
are becoming the norm, experts agree.
As a result, it’s crucial that organizations
understand how they happen and when.
“Attacks, at least the sophisticated
ones, aren’t a single-stage process,” says
Charles Kolodgy, a research vice president in the security products service for
IDC, a provider of market analysis and
advisory services with corporate headquarters in Framingham, Mass. “They
generally involve multiple steps.”
First, there may be a targeted spear
phishing email that entices a gullible
user to visit a website that infects them
with custom malware complete with
backdoors. Now inside the network,
attackers can search out data and start
removing it. So being able to catch and
stop anomalous behavior on the network
is critical, yet so too is preventing the
download of the custom malware that
enabled it in the first place. Companies,
therefore, are taking numerous steps
to address these kinds of attacks, says
Kolodgy, including bolstering information security-awareness training to help
staff spot phishing emails. As well,
organizations are looking to deploy
better network-based advanced malware
detection to catch malicious payloads.
“At the endpoint, companies are looking at whitelisting and application control
to ‘firewall the data’. By implementing
a layered approach that includes these
critical elements, organizations can
improve their security posture more
effectively and efficiently than by focusing exclusively on traditional network-centric security methods.”
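The multi-step pattern Kolodgy describes, together with Scharf’s point about log aggregation and event correlation, as an added example; this is not code from the article or from any SIEM product. The events are constructed for illustration, and the log sources (proxy, edr, netflow), field names, stage names, time window and byte threshold are this example’s assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables for this example only; a real deployment would derive them from
# asset inventory and traffic baselines rather than constants.
WINDOW = timedelta(hours=24)         # how long one intrusion chain may span
EXFIL_BYTES = 50_000_000             # outbound volume treated as a bulk transfer
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe"}
KNOWN_DESTINATIONS = {"mail.corp.example", "update.corp.example", "backup.corp.example"}

# Stages of the multi-step attack described in the text, in the order they occur.
STAGE_ORDER = ["phish_click", "office_spawn", "unknown_dst", "bulk_outbound"]


def classify(event):
    """Map one normalized log event to an attack stage, or None if ordinary."""
    src, act = event["source"], event["action"]
    if src == "proxy" and act == "click" and event.get("referrer") == "email":
        return "phish_click"                # user followed a link out of a mail client
    if src == "edr" and act == "spawn" and event["parent"].lower() in OFFICE_PARENTS:
        return "office_spawn"               # mail/office app launched a new process
    if src == "netflow" and act == "connect" and event["dst"] not in KNOWN_DESTINATIONS:
        if event.get("bytes_out", 0) >= EXFIL_BYTES:
            return "bulk_outbound"          # large transfer to an unfamiliar host
        return "unknown_dst"                # beaconing to an unfamiliar host
    return None


def correlate(events, window=WINDOW, min_stages=3):
    """Return one finding per host whose events walk through at least
    min_stages stages in order inside the window. A single event is left
    alone: it is the sequence on one host that the rule reports."""
    by_host = defaultdict(list)
    for e in events:
        stage = classify(e)
        if stage:
            by_host[e["host"]].append((e["ts"], stage))

    findings = []
    for host in sorted(by_host):
        chain, best = [], []
        for ts, stage in sorted(by_host[host]):
            # A chain lives only inside the window opened by its first event.
            if chain and ts - chain[0][0] > window:
                best = max(best, chain, key=len)
                chain = []
            last = STAGE_ORDER.index(chain[-1][1]) if chain else -1
            # Only advance to a later stage; a skipped stage may just be missing telemetry.
            if STAGE_ORDER.index(stage) > last:
                chain.append((ts, stage))
        best = max(best, chain, key=len)
        if len(best) >= min_stages:
            findings.append({"host": host,
                             "stages": [s for _, s in best],
                             "first_seen": best[0][0].isoformat(),
                             "last_seen": best[-1][0].isoformat()})
    return findings


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real logs): one host walks the full chain,
# the others show isolated events that should not become findings on their own.
SAMPLE_EVENTS = [
    {"ts": _t("2013-02-11T09:02:00"), "host": "WS-0042", "source": "proxy", "action": "click",
     "referrer": "email", "dst": "invoice-lookalike.example"},
    {"ts": _t("2013-02-11T09:03:10"), "host": "WS-0042", "source": "edr", "action": "spawn",
     "parent": "OUTLOOK.EXE", "child": "powershell.exe"},
    {"ts": _t("2013-02-11T09:05:00"), "host": "WS-0042", "source": "netflow", "action": "connect",
     "dst": "203.0.113.7", "bytes_out": 1_200},
    {"ts": _t("2013-02-12T02:10:00"), "host": "WS-0042", "source": "netflow", "action": "connect",
     "dst": "203.0.113.7", "bytes_out": 80_000_000},
    # A phishing click alone, followed by ordinary mail traffic.
    {"ts": _t("2013-02-11T10:15:00"), "host": "WS-0017", "source": "proxy", "action": "click",
     "referrer": "email", "dst": "newsletter.example"},
    {"ts": _t("2013-02-11T10:16:00"), "host": "WS-0017", "source": "netflow", "action": "connect",
     "dst": "mail.corp.example", "bytes_out": 4_000},
    # A nightly backup: bulk, but to a known destination.
    {"ts": _t("2013-02-12T01:00:00"), "host": "SRV-DB01", "source": "netflow", "action": "connect",
     "dst": "backup.corp.example", "bytes_out": 900_000_000},
    # A macro launching a process plus one beacon: two stages, below the default threshold.
    {"ts": _t("2013-02-11T14:20:00"), "host": "WS-0099", "source": "edr", "action": "spawn",
     "parent": "winword.exe", "child": "cmd.exe"},
    {"ts": _t("2013-02-11T14:21:00"), "host": "WS-0099", "source": "netflow", "action": "connect",
     "dst": "203.0.113.44", "bytes_out": 600},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["host"], "->", " > ".join(f["stages"]), f["first_seen"], f["last_seen"])
```

The point is the sequence rather than any one record: a phishing click, an office or mail process spawning a child, and a connection to an unfamiliar destination are each noise on their own, so the rule reports a host only when it walks through several stages in order within the window. The default of three stages keeps a lone macro launch or a nightly backup out of the findings; lowering it trades missed telemetry for more alerts to triage.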
Unsurprisingly, respondents across all
the regions queried through this year’s
SC Magazine survey already have deployed
such solutions as email management and
content filtering, network monitoring solutions, database security, and file and email
encryption. As well, to a lesser degree,
some have implemented vulnerability
management solutions and web application security. Regarding plans for future
deployments this year, many of these
solutions make the lists for both respondents from the U.S. and U.K./Australia,
to prevent unknown executables from
running,” Kolodgy says. “They are using
network forensics and improved SIEM
[security information and event management] to see communications from the
network to a location that is suspicious.
One solution isn’t going to do it.”
Vormetric’s Stewart agrees, noting that
traditional data protection models that
enlist network-focused security methods
– using solutions such as firewalls, intrusion detection systems and more – are no
longer sufficient on their own.
“Any data-centric approach must
incorporate encryption, key management, strong access controls and file
monitoring to protect data in physical
data centers, virtual and public clouds,
and provide the requisite level of security,” she says. “Today, it is table stakes
Which does your company intend to hire?
11%
7%
CISO
Data loss
prevention officer
8%
6%
Chief
security
officer
7%
5%
Chief risk
officer
7%
4%
Chief
privacy
officer
5%
2%
Other
non-USA
USA
Respondents
say they are more
likely to hire new
security professionals
compared to last year,
although those intending
to hire are at
0
20
a minority.
0
34%
20
40
40
60
60
80
7%
11%
None of
these
66%
71%
0
0
20 30
30 40
40 50
50 60
60 70
70 80
1010 20
80
www.scmagazine.com • March 2013 • SC 27
100
The 2013 survey: Guarding against a data breach
Working with others
Information security departments also
are becoming more adept at connecting data protection efforts with other
departments beyond IT, such as human
resources, public relations, legal, boards
of directors and others, Bayuk says.
Indeed, compared to the results of past
data breach surveys, this year, a higher
number of respondents across the regions
queried say they are meeting with various
departments more frequently than in
previous years – usually monthly or quarterly. As well, business continuity and
recovery plans are reviewed much more
frequently than in the past.
“Security is not a department, it’s an
architecture,” says Bayuk. “These links
are part of your everyday security pro-
dropped, 6+ persons in
the department has
increased.
16 to 24
11 to 15
24%
8%
8%
13%
26%
4%
9%
USA
28 SC • March 2013 • www.scmagazine.com
5%
1 to 5
9%
63%
6 to 10
15%
SECRET
MESSAGES
AS TATTOOS
ON PEOPLES' HEADS
350 BCE
PROTECT
WHAT MATTERS
agencies still need to protect what matters — their sensitive data — from both internal and external
threats. In a world of Advanced Persistent Threats (APTs), Vormetric helps many of the global and
most security-conscious organizations and government agencies, including 17 of the Fortune 25,
15%
15%
a
Since the beginning of time, information needed protection. Present day, enterprises and government
How many are people in your company IT department?
25 or more
SPARTANS CONCEAL
quer Mace
Con
do
ni
Build Delphi
“We actually exist because of busigram – an evolving part of your ability to
ness,” Brixius says. “So how do we get
respond. It’s observe, orient, decide, act.
to the point to have an effective risk
It’s a living thing.”
mitigation plan and communicate that
This is especially true in bolstering
to the board because they’re becoming
an organization’s business continuity
more concerned about security overall?
and response efforts in times of both ITLet’s identify the data. Let’s classify the
based attacks and physical disruptions,
data. Let’s put retention policies around
such as those experienced by many
that data and then really think about
companies in New York, New Jersey and
who needs access to this data.”
other Northeastern states during Hurricane Sandy.
Dennis Brixius, vice president of risk
Pondering the future
management and CSO with McGrawThis year’s survey revealed that more
Hill, the New York-based global
CISOs actually are recognizing and
financial information and education
espousing their stake in the business.
company, knows all too well the need
And that trend is important since “techto ensure that organizations stay up and
nical people don’t make business decirunning. Mobile security issues became
sions,” says Rick Doten, CISO of DMI, a
much more critical when Sandy hit, and
Bethesda, Md.-based provider of mobile
his company lost a major data center in
solutions and services for smart devices.
the heart of Manhattan, which resulted
An embrace of corporate needs by
in 4,500 employees going mobile. While
security pros also indicates that there is
the company slowly is moving back to
more understanding of “business risks
the data center, most of these staff have
from the departments, what data is
been working from home and the road
important, what applications are critical,
since November, he says.
what behaviors are risky,” and what conNaturally for him, security is not
trols ultimately must be put in place, he
about just putting together a security
adds, noting that “bringing the business
architecture or understanding all the
into the process is critical.”
nuances of a risk management plan. With
And with hacktivists, organized crimicyber criminals focused on attacking the
nals, espionage actors, state-sponsored
key business resource of today – data,
attackers and still others overrunning
understanding where critical
a wide variety of organizations’
information is, how it flows
networks, making security
The number
and who is accessing it no
a natural part of everyday
of people assigned
to handle infosec has
matter their location or
activities has never been
increased: i.e., although
the technology or service
more central to an enter1-5 person departments prise’s success. This is why
they are using is vital.
ts Athens
fea
De
α Spártē
άρτ
Σπ
with other technologies, such as mobile
security, two-factor authentication, cloud
security services and data loss prevention
getting some attention.
Consultant Bayuk adds that some
organizations that often find themselves
the targets of APTs, such as government contractors or public agencies, are
enlisting attack “kill-chain-monitoring”
techniques. In undertaking these more
advanced monitoring methods, organizations avoid confusing a series of malicious
activities as standalone happenings,
which enable them to suss out the patterns behind attacks and therefore better
prepare for them in future. “That’s the
state of the art now – knowing enough
about the individual steps of attacks.”
to protect their sensitive data with advanced data security and data security intelligence.
63%
41%
Vormetric.com/ProtectWhatMatters
non-USA
© 2013 Vormetric, Inc. – All Rights Reserved
The 2013 survey: Guarding against a data breach
“strong risk management cultures that
take systematic approaches to measuring risk” and then apply the appropriate
resources to address the greatest dangers
among them can remain viable even in
the toughest times, says Rob Goldberg,
vice president of audit services for information technology and eCommerce at
Wal-Mart.
“The economy is an interconnected
web with many interdependencies,” says
Goldberg. “An attack on one or multiple
pieces of that web can have widespread
impact[s] on a country’s welfare. Organizations that do not maintain diligence
in this area make themselves the weakest
link in the chain and put every other part
of the web at risk.”
A more extensive version of the Global
Data Breach Survey is available on our
website, www.scmagazine.com.
Increased capabilities
A deeper look at the cloud
Cloud services, mobile security threats, social networking vulnerabilities, among other security concerns, all need attention. What
most information security leaders understand, though, is that
“implementing any new technology lags with securing
that technology,” says Rick Doten, CISO of DMI.
Cloud, though, in particular has its own set of issues that must be addressed prior to contracting with a provider, says Stephen Fridakis,
CISO of UN FAO. For starters, many cloud
environments use shared infrastructure
that must be monitored and controlled.
“We recommend that cloud providers
provide a clear understanding of their safeguards and potentially a SAS-70 audit,” he says.
Below are a few other areas Fridakis says information security
and executive leaders must think about and answer when turning to
cloud service providers. Here, mostly verbatim, are his suggestions:
A cloud environment does not provide clear control over our
confidential information. Insider access to sensitive information
needs to be controlled. And, this time, insiders also include the cloud
provider’s employees and their contractors. The cloud provider
needs to provide information about who has access to sensitive information. If a lot of employees have access to sensitive information,
our risk of insider abuse is much higher.
Cloud environments are shared, and our data is in the same
environment alongside data from other customers. Breaches can
easily happen from one database to another. How does the cloud provider protect sensitive data in storage? Are access logs available? Is
the data encrypted (at rest, in transition, and for disposition)? How’s
the key management handled?
The cloud provider should enforce security processes for their
integration with third parties. Is there a certification process to
make sure that third-party applications are secure and won’t allow
hackers to get into the cloud provider environment through one of
these partners?
About the survey: Email invitations to take a web survey were sent to approximately 62,000 security professionals who subscribe to SC Magazine across the United States, United Kingdom and Australia. A total of 531 respondents completed the survey. All surveys were completed between Nov. 15, 2012 and Jan. 6, 2013. The resultant data was not weighted, and the margin of error is +/–4.2% at the 95% confidence level.
30 SC • March 2013 • www.scmagazine.com
Hackers can obtain access to a cloud provider (e.g., Google Apps) and plant botnets. Cloud is also susceptible to a lot more DoS attacks. As a result, cloud providers need to ensure that their
perimeter is secure and the barrier to attacks is high. What devices is
the cloud provider using to stop bad guys from getting in through the
perimeter? Do they have strong network firewalls? How are they kept
updated? Do they have good IDS/IPS systems in place?
How do they monitor the events? Do they have a SIEM
or log management software in place?
Does security ownership transfer to the
infrastructure provider? What’s the impact on
security in the SDLC? How do they ensure protection against key vulnerabilities, like XSS,
SQL injection, CSRF, session management,
etc.? What happens in case of a breach?
Who’s responsible? What are the security issues around APIs (integration is very
important when you move to the cloud) and what
kind of encryption keys are used for these integrations? Does the
cloud provider use scanning tools and services to find vulnerabilities
in applications? What is the process of remediating or blocking those
vulnerabilities? Would the cloud provider allow you to run your own
vulnerability assessment tools?
And, given all the attack types being used by a number of
cyber criminals who have different motivations, alongside the
continuous deployment of various business-enabling technologies, it is up to security pros to keep up with all the risks.
“Anything can be secured if committed to it – cloud, mobile, security as a service (SaaS), but most don’t focus on it first,” says Doten.
As well, information security leaders should understand that they
can’t go it alone, adds Fridakis. “We are very concerned with industrial espionage impacting every sector of the economy in developed
countries,” he says. “The problem we face is that we do not have the
resources to adequately defend ourselves against this kind of attack.”
Beyond acknowledging the inevitability of being attacked, organizations like his must engage in more information sharing to stay on
top of the threats and modify their security postures as needed.
“The CISO who [operates] in the current economic environment
needs to negotiate with other entities, utilize his networks and collaborate with his peers to better detect and also identify the best
potential approach to address a problem,” Fridakis says.
Product Section
Fortinet: Offers power over Ethernet ports P40
gateprotect: Makes policy creation easy and granular P41
UTMs becoming universal
UTMs – universal threat management systems – probably are the poster product for
convergence in the information security
space. What started out as an evolution from multipurpose devices some years back has morphed
into a well-defined product that now has morphed
again into a catch-all for security functionality.
Conventional wisdom says that you should consider your network compromised and worry now
about how to keep the family jewels in the family.
Today’s batch of UTMs can help with that. They help by enabling the
common sense defenses that we know we should deploy if only we had
the tools to implement them.
For example, assuming that your enterprise has been compromised,
the next task is to detect data exfiltration. If a firewall is part of the UTM
functionality, we now accept that it needs to look at traffic in both directions, not just penetration attempts from outside. If anti-malware is part
of the functionality, it needs to see malware that is brought in by user
carelessness or other client-side attack.
This month, SC Labs Manager Mike Stephenson took half the products and Kevin O’Connor took the rest. It was an interesting batch, to
be sure. In addition, I looked at four very cool products in our periodic
Emerging Products group. This time it’s security for virtual environments. While we all probably would agree that the cloud is virtual, it
does not stand that all virtual systems are clouds.
There are multiple ways to secure a virtual system. Some hook into
VMware’s API, but some don’t, and, while one might think that the API
is necessary to provide good security, this month you’ll find out that it’s
not always necessary to hook directly into the VMware kernel. Spending
a lot of my time in a virtual environment has taught me that the world
– while most of it may be VMware – has more than one virtual environment. Those other environments need securing too. Most of the products in our Emerging Product group address the popular virtual systems
and are hypervisor agnostic.
I think that there is a lot to like this month – that generally is the case
here – and I also think that this month we really have hit some of the
most timely product types around. Enjoy!
—Peter Stephenson, technology editor
Sophos: This Best Buy offers a hefty feature set P45
How we test and score the products
Our testing team includes SC Labs staff, as well as external experts
who are respected industry-wide. In our Group Tests, we look at
several products around a common theme based on a predetermined set of SC Labs standards (Performance, Ease of use,
Features, Documentation, Support, and Value for money). There
are roughly 50 individual criteria in the general test process. These
criteria were developed by the lab in cooperation with the Center
for Regional and National Security at Eastern Michigan University.
We developed the second set of standards specifically for the
group under test and use the Common Criteria (ISO 1548) as a
basis for the test plan. Group Test reviews focus on operational
characteristics and are considered at evaluation assurance level
(EAL) 1 (functionally tested) or, in some cases, EAL 2 (structurally
tested) in Common Criteria-speak.
Our final conclusions and ratings are subject to the judgment
and interpretation of the tester and are validated by the technology editor.
All reviews are vetted for consistency, correctness and completeness by the technology editor prior to being submitted for
publication. Prices quoted are in American dollars.
What the stars mean
Our star ratings, which may include fractions, indicate how well
the product has performed against our test criteria.
★★★★★ Outstanding. An “A” on the product’s report card.
★★★★ Carries out all basic functions very well. A “B” on the
product’s report card.
★★★ Carries out all basic functions to a satisfactory level.
A “C” on the product’s report card.
★★ Fails to complete certain basic functions. A “D” on the
product’s report card.
★ Seriously deficient. An “F” on the product’s report card.
What the recognition means
Best Buy goes to products the SC Lab rates as outstanding.
Recommended means the product has shone in a specific area.
Lab Approved is awarded to extraordinary standouts that fit into
the SC Labs environment, and which will be used subsequently in
our test bench for the coming year.
» PRODUCT SECTION
Unified threat managers (UTM)
How unified is “unified”? Judging by this year’s crop of unified threat managers under review,
pretty doggone unified, says Peter Stephenson.
PICK OF THE LITTER
For its rich feature set and excellent pricing, we make the eSoft
InstaGate 604 our Best Buy.
The Sophos UTM 220 offers
a comprehensive feature set
and integrates perimeter and
endpoint security into one product. We make this one Recommended.
The Watchguard XTM 830 offers
an outstanding feature set,
powerful hardware and flexible
device management options. It is
well worth the expense for larger
enterprises. Recommended.
UTMs – unified threat
managers – have been
with us in one form or
another for some time. The
earliest ones were multipurpose appliances and really
were little more than a bunch
of point solutions to various
security challenges packaged
in the same server-grade appliances. Somewhere along the
line, the term UTM was coined
and, along with it, came a
sort-of definition: UTMs had
to have a firewall, anti-virus
and a VPN. The next step
was to start adding all sorts of
gateway-applicable functionality – back to the multipurpose
boxes – and now definitions
seem to be drifting back to the
original, more structured UTM
description.
Today, we can pretty much
trust Gartner when the analyst
group tells us that a UTM has,
“firewall/intrusion prevention
system (IPS)/virtual private
network, secure web gateway
security (URL filtering, web
anti-virus) and messaging security (anti-spam, mail AV).”
However, even Gartner
admits that we still are in the
“point-solution-in-a-box”
mode. No matter. The types of
functionality described in the
most current credible definition subsume most information
security functionality anyway.
That begs the question: How
unified is “unified”? Judging
by this year’s crop of UTMs,
pretty doggone unified.
The notion of the individual
parts of a UTM working well
together is sort of an expected
goal. Over the course of UTM
history, playing cooperatively
with others was equally desirable, but somewhat more rare
than it is today.
We saw quite a range of possibilities in this year’s batch.
First, there are some indications that a large part of what
makes a UTM a UTM is stabilizing. That suggests maturity.
The user interfaces are about
the same as we are used to
– with a bit of refinement in
dashboards, perhaps – and the
integration of functionality
continues to improve.
Where we saw some noticeable improvement came in two
specific areas: defense-in-depth
and new functionality. UTMs
often have been criticized –
certainly by me – as killing
defense-in-depth since they
place all of the security eggs
at the perimeter in one basket.
That is not necessarily true
anymore. Now we are seeing
good integration with clientside protection, especially in
anti-malware.
The second area – functionality – is growing as well. One
of our reviewers observed that
this year’s batch seems to be
heading toward the “super
appliance” that does everything security in a single box.
While we didn’t see any of
these super boxes this year, we
did see some that are clearly
heading in that direction. The
added functionality is not
radical, either. It is refinement
of what the traditional UTM
has, certainly of the UTM as
defined today by Gartner.
As you make your decisions
about which of these merit
further attention, though,
remember that at SC Labs we
don’t do shoot-outs. The products are not compared against
each other. They are tested and
graded on their own merits.
What this means to you is that
there may be a product that
has exactly the feature set you
want, we liked its performance,
but it is a bit pricey. If price is
much less a consideration than
the other factors, this might
be just what you need – even
though it might not have gotten our Best Buy this month.
This is more important in
UTMs because of the wide
range of available functionality offered. In UTMs, functionality and performance to
published specs are king and
queen. If the device won’t do
exactly what you need – assuming, of course, that anything
can – it is not worth following
up even if it is a five-star value
for the money. While that
always is true to some extent
with our products, we see it
most often in multifunction
products, such as UTMs.
So, with all of that in mind,
we commend our current crop
of tools to your consideration.
This is a large group – it almost
always is – and the competition
is fierce. However, we believe
you will likely find answers
here, even if you don’t find the
perfect product. So, onward
into the month’s reviews.
» GROUP TEST l UTM
Specifications for UTM tools
●=yes ○=no
Columns: FW = Firewall; IPS = Intrusion prevention; GAV = Gateway antivirus; GAS = Gateway antispam; Web = Web content filtering; Email = Email content filtering; App = Application control; Client AM = Integrates with client side anti-malware; A/S = (A)ppliance or (S)oftware

Product                                              FW  IPS GAV GAS Web Email App Client AM  A/S
Check Point Software Technologies Threat Prevention Appliance
                                                     ●   ●   ●   ●   ●   ●     ●   ●          A
Cyberoam Technologies CR2500iNG v10.04.0             ●   ●   ●   ●   ●   ●     ●   ○          A
Dell SonicWALL NSA E8510 v5.8.1.9                    ●   ●   ●   ●   ●   ●     ●   ●          A
eSoft InstaGate 604 v5.0.20121127                    ●   ●   ●   ●   ●   ●     ●   ○          A
Fortinet FortiGate 60C-POE                           ●   ●   ●   ●   ●   ●     ●   ●          A
Gateprotect GPZ5000 v9.2                             ●   ●   ●   ●   ●   ●     ●   ○          A
Kerio Technologies Kerio Control v7.4                ●   ●   ●   ●   ●   ●     ○   ○          S
NETGEAR ProSecure UTM25S                             ●   ●   ●   ●   ●   ●     ●   ○          A
Panda Security GateDefender Integra eSeries eSB v5   ●   ●   ●   ●   ●   ●     ○   ●          S
Sophos UTM 220 v9                                    ●   ●   ●   ●   ●   ●     ●   ○          A
VASCO Data Security aXsGUARD Gatekeeper v7.6.5       ●   ●   ●   ●   ●   ●     ○   ○          A
WatchGuard Technologies XTM 830                      ●   ●   ●   ●   ●   ●     ●   ○          A
Wedge Networks 1005G AntiMalware Gateway v4.0.2      ●   ●   ●   ●   ●   ●     ●   ●          A
Check Point Threat Prevention
Appliance (4809)
Details
Vendor Check Point Software Technologies
Price $28,500
Contact checkpoint.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★½
Overall rating ★★★★★
Strengths Comprehensive functionality that is easy to manage.
Weaknesses None that we found.
Verdict A solid product that rolls
out nicely.
The Threat Prevention Appliance from Check Point provides full-scale threat protection at the perimeter, as well as integrating
with endpoint security applications to provide a comprehensive
security infrastructure. This appliance consists of several components
that Check Point refers to as security blades. These include firewall,
identity awareness, advanced networking and clustering, IPsec VPN,
mobile access, web URL filtering and anti-malware. These blades all
function together in a single appliance that can be centrally managed through
the Check Point SmartConsole.
We found setup and management of this appliance to be much simpler than
many of the Check Point products we have seen in the past. It seems as though
Check Point has started to refine its product integration with the SmartConsole
management junction. The initial setup is done in two stages. The first is to set
up the appliance itself. This is done by connecting the device to the network
and running through a web-based setup wizard on a machine connected to the
same network. This wizard helps get a base configuration in place on the appliance, including network and administrator information. Once the appliance
has a base configuration, it can be integrated with the SmartConsole dashboard
installed on a machine in the management network. All further configuration
and management now can be done through the SmartConsole.
This tool offers a lot in the way of configurability and management functions. The SmartConsole dashboard offers a multitude of configurable security
functions that help optimize the security capabilities of the Threat Prevention
Appliance. Each software blade of the appliance can be easily managed and
finetuned directly from this console, which also can manage other Check Point
products. This integration allows for easy management across the entire network infrastructure.
Documentation included a getting-started guide and several administration
guides in PDF format. The getting-started guide provided a great amount of
detail on initial configuration steps to get the appliance up and running, while
the various administrator guides focused in on specific blades of the appliance.
We found all documentation to be well-organized and to include many screen
shots, diagrams and configuration examples.
Check Point offers standard, premium and elite support levels to customers as
part of an annual contract. These services include various levels of phone- and
email-based technical help, as well as product replacement and on-site assistance.
At a price of $28,500, it may seem a little steep. However, we find the Threat
Prevention Appliance to be a very good value for the money. This price, while it
does not include support costs, includes nine software blades – firewall, identity
awareness, advanced networking and clustering, IPsec VPN, mobile access,
IPS, URL filtering, anti-virus, anti-bot – to provide full perimeter threat protection. These blades combined with easy management and integration tools offer
a solid threat management bundle.
Cyberoam Technologies
CR2500iNG
The CR2500iNG unified threat management appliance from
Cyberoam offers a multitude of security and threat prevention features for the network perimeter. This appliance
features a stateful inspection firewall, intrusion prevention system,
full gateway anti-malware suite, anti-spam, web content management, SSL VPN, web application firewall and controls for instant
messaging applications, among many other security and reporting
features. This appliance also offers identity-based controls integrated across all the appliance functions allowing for granular security controls
based on user authentication and role.
We found deployment and configuration of this solution to be easy and
straightforward. The initial deployment was done by simply connecting the
appliance to the network and browsing to the default IP address with a web
browser on a machine connected to the same network. When we accessed the
web-based interface for the first time, we were taken through a brief setup
wizard that helped us not only set up the basic appliance configuration, but
also allowed us to put a base security policy in place. After the initial setup was
complete, we were able to manage and finetune our configuration using the
intuitive web-based management GUI.
This tool offers quite a lot of deployment and policy flexibility. The appliance
itself can be deployed in either gateway or bridge mode. Gateway mode allows
the appliance to replace an existing firewall, router and perimeter security
device, while bridge mode allows for keeping the existing devices and adding
additional security using the Cyberoam appliance.
Documentation included a short quick-start guide that provided a few simple
steps to get the appliance up and running with a basic configuration, as well
as a full user guide and several other supplemental configuration guides. The
user guide featured full explanation of the product features and functions while
illustrating configuration and use of the product through many screen shots
and configuration examples. We found all documentation to be well-organized
and easy-to-follow.
Cyberoam offers customers no-cost, eight-hours-a-day/five-days-a-week
phone- and email-based technical support along with access to an assistance
area via the website. This includes product documentation, knowledge base and
other resources.
At a price just under $20,000 for just the appliance and a total cost up to
around $35,428 for the appliance and a year of subscriptions to the various
services provided by the appliance, this product comes with quite the price
tag. However, we do find that this product does offer a very reasonable value
for the money despite its high cost. The Cyberoam UTM appliance offers
much more than just a perimeter security device, it offers a high level of
granular security controls that can keep the network environment safe from
many possible threats.
Details
Vendor Cyberoam Technologies
Price $19,999
Contact cyberoam.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★½
Overall rating ★★★★★
Strengths Identity-based security
controls.
Weaknesses None that we found.
Verdict A good choice if you can
handle the price tag.
Dell SonicWALL NSA E8510
Details
Vendor Dell SonicWALL
Price $39,995
Contact sonicwall.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★½
Value for money ★★★★
Overall rating ★★★★¾
Strengths High-powered security
device with many robust features.
Weaknesses Expensive.
Verdict Likely will be too much for
the smaller enterprise.
The NSA E8510 from Dell SonicWALL is a monster security
appliance designed for the large enterprise environment. This
product features a firewall and integrated intrusion prevention
system that scans all network traffic for trojans, software vulnerabilities, application exploits and other malicious code. Aside from the
powerful IPS, this product also provides granular user-based application controls that manage bandwidth, control web access, restrict file
transfers and scan email attachments preventing data leakage.
The appliance we were sent from the vendor was already licensed
and contained an initial configuration, so we did not have a chance to go
through the initial setup process. What we can say, however, is that the initial
setup process looks quite straightforward based on the documentation. The
first step is to register the appliance with SonicWALL by creating a mysonicwall
account. After the appliance is registered, the initial configuration is done by
accessing the web-based setup wizard using the default IP address of the appliance. This setup wizard allows for selection of the deployment mode and assists
in getting the appliance up and running with a basic configuration.
This tool features options that allow for deployment in almost any environment. The NSA offering can be deployed as a full security gateway appliance, in
conjunction with another security device, such as an existing firewall or router,
or in tandem with another SonicWALL appliance to provide additional security
functionality. Aside from deployment flexibility, this product also includes a lot
of configuration and policy options. Firewall and security policies can be made
to be as granular or as broad as needed with the comprehensive policy engine
that is included on the appliance. Each policy rule includes many checkable and
configurable options.
Documentation included a detailed getting-started guide that illustrated the
steps necessary to get the appliance up and running with an initial configuration, as well as information on deployment options. Other documentation
included a full administrator guide and a few supplemental configuration
guides. The administrator guide was a massive 1,490-page PDF. It included a
high level of detail on how to configure and manage the appliance and its features. This guide was well organized and included many screen shots, step-by-step instructions and configuration examples.
SonicWALL offers support and maintenance contracts in one-, two- and three-year increments. Customers can purchase support at various levels of phone- and email-based technical assistance and other options based on contract level.
As part of its support offerings, SonicWALL also offers access to a knowledge
base, product documentation and product downloads.
At a price just shy of $40,000, this product features quite the price tag. We
find it to be a good value for the large enterprise, but probably overkill and way
too expensive for smaller environments. With that said, this solution does have
a lot to offer in the way of features and functionality – if you can afford it. The
SonicWALL NSA E8510 offers robust security features with the high capacity
throughput that is needed for even the largest of environments.
eSoft InstaGate 604
The InstaGate 604 from eSoft is an appliance we have seen come back
year after year with an array of great features and functionality at a
reasonable cost. This product offers a stateful firewall with deep
packet inspection capabilities, proxy-based scanning, real-time
threat monitoring, scanning of both web and email for worms
and viruses, and protection from bots and other network
attacks. This product can be loaded with functionality by using
specific SoftPaks made available from eSoft, allowing for complete customization of features and services.
We found this product is about as plug and play as a network security appliance can get. The initial setup process takes just a few minutes and the appliance is pretty much up and protecting the network with just a few clicks of
the mouse. To begin the setup, we plugged the InstaGate into our network
so it could grab a dynamic host configuration protocol (DHCP)-assigned address. Once it had an address, we were able to access
the web-based setup wizard through a web browser. This short
setup wizard helped us get a base configuration in place, as well
as download and update the SoftPaks that were registered to the
appliance. After the wizard was complete, we were able to access the web-based management console for all further administration and management.
We continue to find this appliance to be one of the easiest appliances to
configure, use and manage. On the policy and management side, most configurations are as simple as on or off, but that does not mean this product lacks
flexibility or granularity. This solution can be easily configured for a multitude
of environments. It also features a solid dashboard that is centered around the
ThreatMonitor, which shows real-time reporting of events and traffic with clear
charts and graphs that are easy to read even at a quick glance.
Documentation included a short quick-start guide that detailed the initial
setup process with clear step-by-step instructions and screen shots, as well as
a full user guide. The user guide also provided many screen shots and step-by-step instructions on device and feature configuration, as well as overall
device management procedures. We found all documentation to be well organized and easy to follow.
eSoft offers 90 days of no-cost phone support to help get the appliance up
and running. After 90 days, customers can purchase phone support on a per
incident basis or as a yearly subscription for unlimited 24/7 support. Also
available is a plan that includes unlimited phone support, hardware care, software updates and hot swap service. All customers also can access a web-based
assist area that includes product documentation and a knowledge base.
At a price just shy of $2,000, plus an annual cost of around $1,500 for software, maintenance and technical support, we find this product to be an excellent value for the money. The eSoft InstaGate is powerful enough to protect
some of the larger environments with an impressive feature set, but it has a
price tag that even small environments can easily handle. We find this product to be a solid value for the money.
Details
Vendor eSoft
Price $1,999
Contact esoft.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
Overall rating ★★★★★
Strengths Feature rich with a low
cost.
Weaknesses None that we found.
Verdict For its rich feature set and
excellent pricing, we make this our
Best Buy this month.
Fortinet FortiGate-60C POE
Details
Vendor Fortinet
Price $1,998
Contact fortinet.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
Overall rating ★★★★★
Strengths Many easy-to-manage
network security features in a box
with power over Ethernet ports.
Weaknesses None that we found.
Verdict An extremely strong
contender, especially for smaller
enterprises.
The FortiGate-60C POE offers a combination of the functionality of a security appliance with the capabilities of a power over
Ethernet switch. This product can protect the perimeter of the
network with a firewall, intrusion prevention system and IPsec and
SSL VPN, along with providing direct connectivity to power small
ethernet devices and access points. This product also features many
network security functions, including web content and URL filtering,
application control and anti-virus, along with botnet protection and
data leakage protection capabilities.
It can be configured and managed in multiple ways for added flexibility. The
FortiGate-60C is compatible with FortiGate’s FortiExplorer setup application.
This can be run from a Windows- or Mac-based system to easily and quickly
configure the appliance using a wizard-based structure. The appliance also can
be manually configured without the use of the wizard through the web-based
management interface or the command line interface. We chose to run FortiExplorer to configure the appliance. We found this method of setup to be easy to
follow and we were up and running within minutes.
For more granular configuration, the web-based management interface can be
accessed after the appliance is configured. We found this interface to be quite
easy to use overall and a lot less awkward than some of the older versions of
the FortiGate interface. It also was intuitive to navigate – we were performing
advanced configuration with no trouble at all. Overall, we found this appliance
to include many robust and configurable options and features.
Documentation included a short quick-start guide, along with a full administrator guide and a few other pieces of supplemental documentation. The
quick-start guide provided simple step-by-step instructions for each of the initial setup scenarios, as well as an overview of the appliance specifications. The
administrator guide focuses on configuration and management of the product
with many step-by-step instructions and configuration examples. Both guides
also included many screen shots and diagrams.
Fortinet offers various levels of support contract lengths and assistance
levels. Customers can purchase support in one-, two- or three-year increments
and at eight-hours-a-day/five-days-a-week or 24/7 levels. This help includes
phone and email technical support, as well as software and firmware updates
and hardware replacement in case of failure. Customers also can purchase
additional professional services from Fortinet, including on-site visits and
dedicated support engineers. Additionally, Fortinet offers a support area
online at no cost that includes product documentation, a knowledge base and
other resources.
At a price just shy of $2,000, we find this little appliance to be an excellent
value for the money. The FortiGate-60C POE offers a full suite of perimeter
security features, along with the added functionality of an Ethernet switch to
power access points and other devices – all from one easy-to-manage unit. This
product offers a comprehensive feature set at a reasonable cost for almost any
size environment, but really shines for smaller enterprises.
gateprotect GPZ5000
The gateprotect GPZ5000 is the ultimate multifunction security
gateway appliance. This product features a full firewall with
intrusion detection and prevention system; anti-malware at the
gateway, including protection from viruses, worms and spyware; spam
protection; web and URL content management; and application control. This appliance is built for the large enterprise with high throughput and multiple VLAN capability, along with QoS and user-based
controls.
A couple of years ago when we reviewed this product, we said that
the management console was difficult to use and hard to understand.
After getting the chance to spend a bit more time with the product this
go around, and consequently becoming comfortable with the design of the
gateprotect eGUI, we found that this tool has become somewhat easier
to configure and use. The eGUI in particular simplified the process, as it replaces the standard management interface
with something more visual. Rules are created simply by establishing a map
of the network and assigning rules or policies based on connections, users or
groups.
The initial configuration of the appliance is done by connecting it to the
network and then installing the management application on a machine on
the same network. Once the appliance is powered on, it can be seen from the
application, and the eGUI interface can be accessed by logging in. There is
a setup wizard available, but it is actually much easier to configure the appliance from scratch using the drag-and-drop method of the eGUI. Overall, this
appliance seems to get easier and easier to use every time we see it.
Documentation included a one-page quick-start guide – that provided the
steps to access the appliance initially – and a full administrator guide. The
administrator guide covered the appliance from initial configuration all the
way through advanced management and use of the appliance features. This
also included many step-by-step instructions, configuration examples and
screen shots. We found all documentation to be well-organized and to provide a good amount of detail.
The company offers no-cost phone and email technical support during evaluations and the first 30 days after purchase of the product. After the first 30
days, customers can purchase additional assistance through a contract. The
company offers both eight-hours-a-day/five-days-a-week and 24/7 support
options, which include phone- and email-based technical help. Customers
also have no-cost access to an online support area that provides a knowledge
base, FAQ section, user forum, product downloads, and other resources.
At a price just shy of $20,000, this product is not inexpensive by any means.
However, we find this solution to be an excellent value for the money. While
the price may seem high at first, it is balanced by the overall ease of use of
this appliance. Not only is this appliance easy to manage overall, it has a very
high degree of flexibility in policy configuration, with the help of the eGUI
interface.
Details
Vendor gateprotect
Price $19,995
Contact gateprotect.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★¾
Overall rating ★★★★★
Strengths eGUI interface makes policy creation easy and granular.
Weaknesses Can be too expensive for many environments.
Verdict The strength here is in the policies – a solid, configurable product that can be fine-tuned for your requirement.
Kerio Technologies
Kerio Control v7.4
Details
Vendor Kerio Technologies
Price $265 for software appliance, plus five users; $26 per additional user.
Contact kerio.com
Features ★★★★½
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★¾
Support ★★★★¾
Value for money ★★★★★
Overall rating ★★★★★
Strengths Simple setup, documentation geared for novice administrators.
Weaknesses VPN implementation is currently proprietary; light on reporting.
Verdict Great for small businesses or novice administrators; administrators with more complex environments may want to wait for v8.0.
The term “unified threat management” can sound intimidating to administrators lacking in information security experience. Fortunately, basic
UTM protection doesn’t need to be overly complex, and Kerio Technologies’ Kerio Control product is a great example of that.
The product we tested was provided as a VMware virtual appliance. Following the quick setup guide, it was a simple matter of importing the appliance into
our ESX environment and starting the tool. Through the console, we set up our
trusted and untrusted interfaces and chose an administration password. All further configuration was performed through the product’s web interface. On first
login, we were presented with a configuration assistant wizard, which guided us
through installing our license and setting up a basic traffic policy.
Kerio Control provides a clear, snappy interface for administration. The
administrator is provided with a clean, configurable dashboard on login, which
offers a number of system status charts. All device features are listed in a hierarchical menu on the left-hand side, with configuration options presented on the
right. All of the features we’d expect are present, including a basic firewall,
intrusion prevention system, content filter, perimeter anti-virus scanner and
VPN. It also can serve as a dynamic host configuration protocol (DHCP) and
domain name system (DNS) server.
While intended to be used as the default gateway, the product also can be
configured as a proxy server for content filtering purposes. The intrusion
prevention system (IPS) is signature-based, with signatures updated automatically on a configurable schedule. Anti-virus services are provided by Sophos,
with signatures again updated on a configurable schedule. The content filter
supports rules based on IP address groups, URL groups and keywords. Lightweight directory access protocol (LDAP) integration is supported, which makes
user-based content filtering extremely easy to implement.
The product’s documentation is very good. Guides are provided for the initial
appliance installation, initial configuration and ongoing administration. Presented as PDFs, they are well-organized and seemingly tailored for administrators without extensive UTM experience. One negative thing we noticed was
their recommendation that administrators allow access to the administration
front-end from the untrusted interface. While we acknowledge that it would
make remote administration easier, it really does not follow best practices, so
we recommend reading the documentation with a critical eye.
Product support is offered on a 24/5 basis, and is provided via phone or
email. Kerio also maintains an online knowledge base and active user support
forums.
Kerio Control starts at a cost of $265 for the software appliance with five user
licenses. Additional user licenses are priced at $26 per user. Software maintenance is $9 per user per year. Support is free during an initial 90-day implementation period. After that, Kerio allows two free support calls per year and
charges $80 per incident beyond those.
NETGEAR ProSecure UTM25S
Unified threat management solutions shouldn’t be limited to large corporations with unlimited budgets. NETGEAR agrees, and offers their
ProSecure UTM25S at a price point that should be attractive
to small businesses.
We began the setup process by unpackaging the device and connecting
one of its four local area network (LAN) interfaces to our network. After
configuring a network interface on our administration workstation with an
IP address of 192.168.1.2, we were able to reach the device’s web configuration
screen. After logging in with the default username and password, we were presented with a basic system status screen displaying CPU/RAM utilization and other
statistics. Clicking on the “wizards” link took us to a page that allowed us to begin
a basic setup wizard, which guided us through configuring the LAN IPs, the WAN
interface, connection to a network time protocol (NTP) server, basic service scanning and update scheduling. Once the wizard was complete, the system rebooted
and came back up ready to begin protecting our network.
The ProSecure UTM25S offers a number of protections, including a firewall,
email, web content and application filters, VPN services and anti-virus scanning.
The content filter works as we’d expect, allowing for blocking based on category,
keyword, file extension and URL black/whitelisting. Schedules can be set to
expand or relax filtering rules and the website categorization database is regularly
updated. LDAP integration is supported, and installing the domain controller
agent enables single sign-on, allowing administrators to apply content filtering rules
granularly. A basic IPS is also included. It is signature-based and also offers basic protections against port scans and DDoS attacks.
VPN setup is made easy with a set of wizards to assist with creating IPsec
and SSL VPN tunnels. Point-to-point tunneling protocol (PPTP) and Layer 2
tunneling protocol (L2TP) also are supported. Its two WAN interfaces allow
for load balancing or WAN failover, and owners of two UTM25s can configure
them into a high-availability cluster. The device also supports a couple of add-on modules: a wireless LAN module can provide wireless services for five to 20
users in either the 2.4GHz or 5GHz band (but not both simultaneously), and
the optional digital subscriber line (DSL) network module can be configured
as the primary WAN link, or as a failover or load balancing link. Unfortunately,
the interface that administrators are required to use to control all these great
features is the device’s main weak point. It’s clunky and simplistic.
NETGEAR’s product documentation is well done. Quick start, installation
and administrator’s guides are available as PDFs on the included support CD
and on NETGEAR’s website. They’re very detailed and well-organized with
bookmarks, screen shots and diagrams where appropriate. We were pleased
with the thoroughness of the system log and error message appendix in the
administrator guide, which provided detailed explanations of log entries and
remediation suggestions for error messages.
The ProSecure UTM25S is priced at $695, which includes the hardware and a
one-year support and update subscription. The optional wireless module is $56,
and the optional DSL module is $91.
Details
Vendor NETGEAR
Price $695 (includes hardware, plus one year subscription bundle)
Contact netgear.com
Features ★★★★¾
Ease of use ★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
Overall rating ★★★★¾
Strengths Low cost, included support, good feature set.
Weaknesses Ugly, clunky interface.
Verdict A great option for small businesses.
Panda Security GateDefender
Integra eSeries eSB
Details
Vendor Panda Security
Price $1,505/year (50 users)
Contact pandasecurity.com
Features ★★★★★
Ease of use ★★★★¾
Performance ★★★★★
Documentation ★★★
Support ★★★★★
Value for money ★★★★
Overall rating ★★★★½
Strengths Well-done interface and low cost.
Weaknesses Mostly comprised of freely available software; poor documentation requires some familiarity with UTMs.
Verdict While it’s hard to get over the fact that this product is essentially a collection of open source software, the interface is so well put together that we believe it’s worth the fee for support, provided one is familiar with the individual components.
Panda Security’s GateDefender Integra eSeries eSB is easy to set up
and offers a rich feature set with a great deal of flexibility. To get the most
out of the product, however, administrators should be familiar with a
number of open-source technologies.
The product was provided to us as a bootable ISO. Upon boot, we were presented with a DOS-style GUI installer. We were prompted to input an IP
address for the LAN interface, after which the OS installation proceeded to
completion. After a quick reboot, the console directed us to access the product’s web interface, where a post-installation wizard began. We chose a root
password for console access and an administrator password for use in the web
interface. We then configured the WAN interface and an administrator’s email
for notifications. This brought us to the end of the wizard, and a message was
displayed indicating services were being restarted. However, there was no progress bar or any indication of activity until an authentication window popped up
about a minute later.
The GateDefender Integra eSeries eSB provides all of the functionality we’d
expect from a UTM, featuring a firewall, HTTP proxy, content filter, spam and
anti-virus filters, intrusion prevention system and VPN functionality. However,
the product, almost in its entirety, is comprised of freely available open source
software. For example, the base operating system appears to be Red Hat Linux,
IPS services are provided via Snort, the HTTP proxy via Squid, spam filter via
SpamAssassin, and so on. The real value, then, comes from the included support and the outstanding administration interface. Panda Security has clearly
put a great deal of effort into unifying these disparate software packages into a
single, high-performance UTM. In addition, the company has built in a remote
administration service that, when activated, permits an administrator to open a
secure tunnel to their device via Panda Security’s website.
Documentation is barely passable. While a number of PDFs are available
– including quick-start, installation and user guides – they are extremely text-heavy. No bookmarks or indexing are included and, of the few diagrams and
screen shots provided, some of them are in Spanish and some in English. The
administrator’s guide can be found on the website, but it is an HTML document; again, very text heavy and at times difficult to navigate. In addition to
these weaknesses, information on some of the UTM features is scarce. The
documentation appears to be written with the assumption that the administrator is already familiar with the software encapsulated in the product, or that the
administrator will make use of information available elsewhere. Information on
the anti-virus engine was missing completely at the time of this writing.
Panda Security offers only one tier of support, which is provided 24/7/365 via
phone or email. The company also hosts an online knowledge base, FAQ and
user support forum.
The GateDefender Integra eSeries eSB is priced at $1,505 per year for up to
50 users, which includes support.
Sophos UTM 220
Perhaps best known for its anti-virus products, Sophos has produced a
stellar UTM product with the UTM 220. Targeting small to midsized
offices with up to 150 users, it combines standard UTM offerings
with a few features we didn’t expect, making this product something definitely worth looking at.
The initial product setup proceeded about as we expected. We first
set our workstation IP to match the system’s default LAN network, then
logged into the web interface with a default username and password.
We were presented with a one-page form where we specified a hostname, administrator password and device location data. (Curiously, all fields
were required, including the location city and country. We discovered later that
those values are used to generate a root certificate for the product’s encryption features.) After we accepted the device end-user license agreement (EULA) and submitted the form, the device performed a
quick reboot and then launched a 10-step setup wizard where we
installed our license file, configured our LAN and WAN interfaces, and made some simple selections to establish a basic rule base
for the firewall and content filtering systems. Finishing the wizard initiated a
final reboot and, at that point, we were ready for fine-tuning. Overall, the initial
setup from unboxing to basic configuration took around 10 to 15 minutes.
The UTM 220 has eight freely configurable network interfaces, providing
plenty of space for WAN, LAN and DMZ zones. It can be easily managed with
its excellent web interface or clustered and centrally managed via the Astaro
Command Center software. It supports link aggregation and bridging, and
offers border gateway protocol (BGP) or open shortest path first (OSPF) as
routing protocols. Several types of authentication servers are supported, including LDAP/Active Directory, RADIUS and eDirectory.
A standard category-based content filter is provided, with support for user/
group-centric rules and white/blacklisting. SMTP and POP3 proxies can be
enabled, with S/MIME and PGP encryption options available for SMTP. The
product also provided support for SIP and H.323 protocols, dynamically opening ports based on activity in the control channels of those protocols. It contained a signature-based IPS and web application firewall, with numerous VPN
options ranging from a standard IPsec tunnel to Amazon Virtual Private Cloud
integration and an HTML5 SSL VPN.
Sophos also extends its perimeter protection to the endpoints. By installing a
workstation agent, the UTM 220 can provide centrally managed AV protection, as
well as provide limited control over predefined storage, network and short-range
devices. The logging options on the device are impressive as well. Syslog is naturally supported, as well as log archival to FTP, SSH, SMB shares or email. Numerous
charts are available and live scrolling views of all logs are easily accessible.
The UTM 220 is priced at $1,275 for the unit itself or $3,135 for the unit and
one year of updates and premium support. Continuing that package beyond the
first year costs $2,979 per year.
Details
Vendor Sophos
Price $3,135 (includes one year of support)
Contact sophos.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
Overall rating ★★★★★
Strengths Comprehensive feature set, integrates perimeter and endpoint security into one product.
Weaknesses None that we could find.
Verdict A strong product for its target market and aggressively priced. We make this one Recommended.
VASCO Data Security
aXsGUARD Gatekeeper
Details
Vendor VASCO Data Security
Price $775
Contact vasco.com
Features ★★★★
Ease of use ★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★
Overall rating ★★★★½
Strengths Inexpensive, good documentation.
Weaknesses Very basic user interface; careful documentation review is a must; per-user licensing fee for content filter; and relies on open source components.
Verdict The product’s low upfront cost makes it a good choice for knowledgeable administrators in small, budget-conscious environments.
Administrators of smaller environments on a fixed budget could
do very well with the aXsGUARD Gatekeeper from VASCO Data
Security. While a little more complicated to use than some
of the more expensive products, with a little attention to detail the
device performs well.
As usual, our setup process began by setting a workstation IP
address to match the product’s default network. We logged in to the
web interface and were immediately presented with a user-creation
wizard, which we enlisted to create an administrator account. Upon completion
of that wizard, we were automatically logged in with our new credentials. A
menu was displayed with a series of separate wizards, which guided us through
configuring the device hostname and location data, SMTP relay and administrator email accounts, time server and interface settings. Once the wizards were
complete, a device reboot completed the initial configuration.
While the product offers all of the features we expect out of a basic UTM,
configuration of those features is not always completely straightforward. Administrators will want to keep the documentation close by. That said, once configured, the device performed very well. The firewall appears to use your standard
iptables. However, rules are automatically put in place, allowing VASCO full
access to the device. While ostensibly for support purposes, security-minded
administrators will want to disable those rules straight away. The product uses
Snort as the intrusion prevention system, which is great. Yet, administrators
are expected to acquire their own registration code for signature updates. The
content filter works well, but it is the only component of the device licensed on a
per-user basis, so keep that in mind when comparing prices.
Anti-virus protection is provided with ClamAV, another open source
component. VPN services are provided via picture transfer protocol (PTP),
IPsec and OpenVPN protocols, and support is also included for Vasco’s aXs
GUARD product, as well as a basic SSL web portal. AD/LDAP integration is
included. However, single sign-on features require an agent to be installed on
each client workstation. One thing we really did like was the device’s multifactor authentication features, with support for Vasco’s DIGIPASS tokens and
eID smart cards included.
VASCO offers a number of different support options. Their standard package
provides eight-hours-a-day/five-days-a-week phone and email support. This is
upgradeable to a 24/7 support package. A VIP package is also available, which is
completely customizable according to the customer’s needs. Additionally, per-incident and emergency support services are offered, as well as a customer support area
hosted on VASCO’s website, which offers a knowledge base and product tutorials.
The VASCO aXsGUARD Gatekeeper is priced at $775 for the hardware unit,
and includes the first year of support. Support renewal starts at $175 per year
for a basic nine-hours-a-day/five-days-a-week support tier. The content filter is
an optional extra and is licensed at $25 per user per year.
WatchGuard XTM 830
While best known for its firewalls, WatchGuard is no slouch in the
UTM space. As we detail below, its XTM 830, while somewhat pricey,
provides an excellent enterprise-grade perimeter defense
against viruses, spam and other unwelcome traffic – and includes a
number of other features all in one easy-to-administer device.
We began the setup process, as is usual for these types of devices,
by connecting a specified interface to our LAN. After setting our
workstation IP to fall within the default device network, we were
able to access the product’s web interface. Upon logging in with
the default username and password, we were presented with a first-run setup wizard, which stepped us through a
basic device configuration. After configuring the WAN and LAN
interfaces – setting admin and read-only passwords, location information and time settings – we were given the option to activate
the device online. Completing the activation process (a simple, one-click affair)
unlocked all of our licensed features and this ended the configuration wizard.
The elapsed time from unboxing the product to having a functioning perimeter
gateway was approximately 10 minutes.
The XTM 830 is a centrally managed UTM with a rich feature set. While
most device features are easily managed through its excellent web interface, the
device’s true power is only unlocked by setting up the WatchGuard System Manager, a client-server application which enables management of all WatchGuard
devices in one’s environment. The firewall works, as expected, with support for
comprehensive rule sets, static network address translation (NAT) mapping and
other standard features. Its signature-based IPS breaks threats out into critical,
high, medium, low, and informational categories, and the signature database can
be regularly updated on a predetermined schedule. Additionally, support is built
in for signature exceptions, and notifications can be configured to be delivered
via email or a simple network management protocol (SNMP) trap.
The WebBlocker feature is a content-filtering system that can be configured
to use one of two website categorization database services: either the default,
cloud-based Websense service or up to five locally hosted WebBlocker servers.
User/group-oriented filtering rules are made possible through the device’s AD/
LDAP integration support, and RADIUS and SecurID are also offered.
WatchGuard has a reputation with us for providing excellent documentation and this product’s documentation falls right in line with that expectation.
Installation, quick start, and two versions of the administration guide, one tailored
to the device’s web interface and one to administration through WatchGuard System Manager, are available as downloadable PDFs from WatchGuard’s support
site. These are superbly organized with bookmarks, hotlinks, screen shots and
diagrams where appropriate. The administration guides are also available as a
web document hosted on the product’s support site.
The XTM 830 is a pricey $17,740, which includes one year of plus-level support. This may be upgraded to gold for $2,430. Standard (12/5) support afterward costs $2,725 per year and gold is priced at $5,145 for one year.
Details
Vendor WatchGuard Technologies
Price $17,740, includes one year of support
Contact watchguard.com
Features ★★★★★
Ease of use ★★★★¾
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★¾
Overall rating ★★★★★
Strengths Outstanding feature set, powerful hardware, flexible device management options.
Weaknesses Expensive, requires client-server application to use some advanced features.
Verdict Well worth the expense for larger enterprises. Recommended.
Wedge Networks
1005G AntiMalware Gateway
Details
Vendor Wedge Networks
Price $5,080, plus $1,270/year for basic support.
Contact wedgenetworks.com
Features ★★★★
Ease of use ★★★
Performance ★★★★★
Documentation ★★★★
Support ★★★★½
Value for money ★★★
Overall rating ★★★★
Strengths Flexible deployment options, high data throughput.
Weaknesses Partially functioning features, some documentation lapses.
Verdict Given the price, you may want to consider carefully before selecting this one.
The Wedge Networks 1005G looks good on paper, but in reality is a little disappointing. While the initial setup was easy
enough, ease-of-use issues and documentation gaps made for
a frustrating deployment experience.
The 1005G setup procedure was a completely manual process.
Given the choice between bridge and routing mode, we elected to
deploy the device in a bridge configuration. After setting our workstation IP
to the device’s default network, we were able to access its web interface. From
there, we configured the Ingress interface to match our network, reset our
workstation IP and reconnected to the web interface. We then connected the
Egress interface to our WAN network logically just behind our firewall. After
that, we reset the default route on our LAN to point to the 1005G, sending all
of our outbound traffic through the device. We were then able to set up rules
governing anti-virus scanning and SMTP and web content filtering. One of
the first signs of trouble we encountered was when running one of the device’s
built-in diagnostic tools. The Configuration Check tool tests the device’s network configuration by attempting to connect to various update and support
servers. As we discovered, the configuration check consistently fails because
one of the servers it attempts to connect to does not exist – or was at least
unreachable up until the time of this writing. While not entirely critical, we
considered it bad form.
The 1005G encompasses anti-virus, anti-spam and content filter services. The
anti-virus service offers a choice between the Kaspersky or Bitdefender AV
engines, and can use Wedge’s GreenStreaming feature, which permits the device
to begin relaying HTTP information to the client before the entire payload has
been downloaded and scanned.
Active Directory/LDAP integration is also supported. However, it requires
login and logoff scripts to be implemented in order to append IP address information into users’ AD entries. That said, we were not actually able to get the
device to connect to our AD environment due to an inability for the configuration submission form to parse our otherwise valid Search Schema DN string.
While the documentation is adequate, we did encounter a few gaps. For
example, we were not able to determine how to specify which of the two anti-virus engines was used, even though the administrator’s guide says only one
is usable at a time. It also offered no workaround from our AD configuration
issue. Outside of those issues, there was enough information to make the other
features function, and the PDFs were easily navigable and well-organized.
Wedge Networks offers three tiers of support: basic, advanced and advanced
24/7. Basic provides nine-hours-a-day/five-days-a-week phone and email support. The Advanced option adds next-day advanced hardware replacement,
and the Advanced 24/7 tier upgrades support hours to 24/7. The company also
maintains an online knowledge base and a user support forum, albeit a sparsely
populated one.
Emerging products:
Virtual system security
Don’t presume the vShield will protect you. That actually is not the case, says Peter Stephenson.
This month, we continue our periodic look at the hot product groups that are shaping the information security marketplace. One of the hottest is, of course, security in the virtual world. We have four products this month that are focused on securing virtual systems.

Virtual system security is a mixed bag of security at the hypervisor, security at the VMware API (vShield), and relatively independent security applications. We saw examples of all of this and a bit more. For example, while we generally think of security as being some sort of direct protection – such as encryption, firewall and more – sometimes configuration and other management offers improved security within the enterprise environment.

We have learned the truth of this in the physical world when the enterprise is quite large. The challenges of keeping configurations consistent must be met or there could be vulnerabilities resulting from misconfigured devices that are not noticed in the forest-and-trees environment of a really big enterprise. In the virtual world, the problem is exacerbated by the simple fact that it is way too easy and inexpensive to spin up new servers. This results in virtual-world-unique challenges, such as server sprawl. Once a server is built for whatever reason, it seems to be a law of virtual nature that it will live on forever – even if it is not needed anymore.

The end result is that there usually are lots of servers that have been retired, but still consume resources and may even still be accessible. Server sprawl is not the only problem that is more or less unique to the virtual environment. Another not so obvious challenge is the scan flood. Scanning floods occur when one has an automated vulnerability scanner that lives in the virtual and scans the virtual. Because it is not uncommon to have a large number of virtual devices in the enterprise, that means that lots of packets are flying about looking for security holes. Some control certainly seems like a good idea here.

But scanning for vulnerabilities is not the only type of security scanning that can cause trouble in the virtual. Anti-malware scans are at least as problematic, if not more so. In a well-managed enterprise, virtual or physical, everything that comes in or goes out of the virtual environment should be scanned for malicious content. That can be a lot of scanning – more, even, than vulnerability scanning. In a large environment – one of our vendors this month reported a customer with 40,000 virtual machines – one can depend on the fact that there are scans occurring constantly.

Another challenge is access to the virtual environment by mobile devices. That’s not unique to the virtual, of course, but it can be somewhat more challenging to manage in a virtual data center. Unfortunately, managing mobile devices is not a luxury in the virtual – something that we do in the physical world but think of as an option in the virtual. Rather it is one of those “must haves” that plague us with each new wave of emerging technology.

All of these and many more obvious and not-so-obvious challenges are either unique to or exacerbated by the virtual world. Our products this month address these and many more. I enjoyed looking these over and I learned a lot about where threats live in the virtual world. Even though I spend most of my computing time in a virtual environment, I find that I take security in these environments for granted. Like most users, I assume that vShield will protect me. That actually is not the case.

It is important to understand the virtual environment in one’s virtual data center. One needs to recognize where it is similar to and where it is very dissimilar from the physical world and then to seek out the appropriate security solutions to the problems uncovered. Sometimes those will be the old standbys that we have lived with for decades in the physical world. But sometimes they will be totally unique.
Something new
Each quarter, Technology Editor Peter Stephenson and his team at the SC Lab address emerging technologies and markets. The purpose is to look at market segments in the information assurance space that represent new technologies, needs and capabilities. In those emerging segments there always are new entries and old pros that want to expand into the space. We will be looking at both – and bringing you the companies and products that we believe will shape the future.
To view the first installment of Emerging Products, click on www.scmagazine.com/emerging-products/grouptest/266/.
Reflex VMC (Virtualization Management Center)

This is one of those products that one would think is a no-brainer. Virtualized data centers can get very large and complicated. Managing them is a challenge. So why doesn’t someone come up with a unified approach to managing configuration, security, deployment and monitoring? It should be easy. After all, in a virtual environment we can spin up a management server with little effort and almost no cost. As it turns out, it’s not quite a walk in the park. But, like a virtuoso musician who “makes it all look so easy,” the clean simplicity of VMC’s deployment is deceptive.

A lot of thought clearly went into this product. VMC takes advantage of the nature of a virtual data center. Part of that nature is that there is a lot of data moving on the virtual network. That data tells all about the environment – and if one can just collect and analyze all of that streaming data, it can be managed. And that is exactly what VMC does.

Some of the product’s capabilities seem to flow naturally from the straightforward analysis. For example, if one is seeing all of the data in the enterprise, it follows that the user should be able to understand how the system is behaving. That, logically, includes capacity measurement, security and other types of monitoring. VMC can handle monitoring, performance and capacity, security and configuration management, all behind a single pane of glass.

At a glance
Product: Reflex VMC
Company: Reflex Systems
reflexsystems.com
Price: Call Reflex Systems for pricing based upon deployment.
What it does: Provides monitoring, performance, capacity, configuration management and security for virtual data centers in a single product.
What we liked: Simplicity of deployment without sacrificing comprehensive management capabilities.

McAfee MOVE Anti Virus

Anti-malware today suffers from a frustrating dichotomy. First, it is, arguably, the most mature of all of the capabilities in the security practitioner’s toolkit. And, certainly, McAfee is one of the grand old products of the genre. On the other hand, a huge percentage of today’s threats – especially advanced persistent threats – are delivered using increasingly sophisticated malware. Throw virtualized environments into the mix and one has a witch’s brew of potentially bad news.

McAfee has successfully brought together the application of a centralized policy engine – ePO – with its anti-malware capability in the physical world. There is a strong suite of enterprise-class protection for the physical data center. Today, though, most enterprises of any size are becoming virtualized, so this protection needs to reach into the virtual to be effective. Because today’s virtualization extends from servers to endpoints, the notion of pervasive anti-virus (AV) is even more important. Data and other transmittable files – especially bad files, such as malware – can move extremely quickly across a virtualized network backbone, so controlling malware in a virtualized world may well be more important than it is in the physical world. MOVE AV addresses this challenge head-on.

MOVE is optimized for the virtual – and it is hypervisor agnostic. It is managed through ePO policies and it integrates cleanly with other McAfee capabilities in the physical enterprise. Nowhere is a scan storm more threatening to system performance than when it results from AV scanning across a virtual network. MOVE monitors all of the loads – memory, CPU, I/O, disk, hypervisor and more – in the virtual environment and manages itself accordingly.

At a glance
Product: MOVE Anti Virus
Company: McAfee, an Intel company
mcafee.com
Price: $34.73 per virtual desktop and up, depending on number of desktops/servers.
What it does: Provides ePO managed anti-virus for virtualized environments.
What we liked: Ease of use combined with the ability to integrate a virtual environment into the overall hybrid environment for an ePO-managed, anti-malware capability that is seamless across all of the hybrid, physical or virtual, components.

Bitdefender GravityZone

This sounds a bit like one of those inflatable toys at local fairs inside of which kids bounce around. Or, perhaps, some science fiction environment that surrounds a planet. Actually, although it is neither, it has some similar characteristics.

Like the kids’ toy, GravityZone lets users bounce between various computing environments: physical, virtualized and mobile. Like a gravitational field around the planet, it pulls the paradigms together and down to a single security management environment. Each of the paradigms has its own security requirements, but as part of a coherent enterprise each needs to work in concert. The focal point is the GravityZone Control Center. Each of the management modules plugs in separately.

Consider the typical virtualized – or, hybrid, if you prefer – enterprise. The servers live in the virtual. The endpoints are physical, with some of them mobile devices. Each has its own requirements, operating systems and, of course, security quirks. Certainly it would be most pleasant to take the security management from each of the portions – each quite different from the rest – pull it together in a single management console and facilitate security interaction between them. That is exactly what GravityZone does.

GravityZone comes as a virtual appliance and it supports an extremely wide range of physical, virtual and mobile systems, operating systems, mobile environments and hypervisors. For today’s enterprises, it is unlikely that one will have something that GravityZone can’t support. But if something unsupported is present – a hypervisor, for example – Bitdefender will configure it for you.

At a glance
Company: Bitdefender
http://enterprise.bitdefender.com
Price: Modular pricing based on one’s requirements.
What it does: Unifies security management for physical, virtualized and mobile environments.
What we liked: Single security platform for virtual, physical and mobile systems, enabling seamless security interactions between the various environments.

Symantec Critical System Protection (CSP)

The notion of wrappers has been with us for a long time. Back in the early days of Unix and Linux, we used wrappers to provide security to not-so-secure applications, such as telnet. Today that concept has matured and we see it popping up in modern apps. Symantec CSP is a good example. One might characterize CSP as a security wrapper for mission-critical environments. That means that if it is a crucial piece of the computing infrastructure – such as a SCADA system or a medical device controller – it gets the security protection it needs.

But that protection does not stop with those systems. Because CSP is integrated with the enterprise’s security infrastructure, it becomes an extension of that environment, extending seamless protection across the enterprise, physical or virtual.

CSP consists of two pieces: a detection and a prevention component. Detection watches behavior on the enterprise to determine if something is going on that shouldn’t be. The component even extends to watching system admin accounts, something that is a sort of Holy Grail for security administrators.

The key to CSP is data. The detection piece monitors everything in the virtualized environment from the hypervisor up through the applications. It looks for disallowed or potentially dangerous actions and kills or de-escalates the process. So an administrator doing something inherently dangerous – inherently because as an admin he/she has total superuser rights – may be de-escalated to a normal user without those rights.

We liked this product for its ability to address important, but hard to secure, systems and still integrate cleanly into the virtualized enterprise as a whole.

At a glance
Product: Symantec Critical System Protection
Company: Symantec
symantec.com
Price: Starts at $995 per user license.
What it does: Wraps mission critical environments – OS, applications and more – in protection on the detection and prevention levels.
What we liked: Ability to address critical systems that are not typical – such as SCADA, ATMs and point-of-sale terminals – as well as the more prosaic servers and endpoints.
2013 SC Awards U.S.
Optimistic despite threats
Feb. 26, 2013 • San Francisco

When it comes to data protection and risk management planning, information security professionals are feeling more hopeful than ever. According to our annual “Guarding Against a Data Breach” survey, compared to previous years, a majority of IT security pros say their organizations are taking appropriate steps to protect critical data.

As promising as this feedback is, one has to juxtapose it against the less upbeat happenings of our collective reality. For starters, advanced persistent threats (APTs) and other more methodical and sophisticated cyber crime attacks are becoming the norm, according to most experts. Just look to the recent attacks against The New York Times, Twitter or the U.S. Department of Energy to get a sense of things to come. Internet-based thieves aren’t as easy to catch in the act or stop altogether nowadays, which means organizations have to stop relying on traditional network protections alone and step up their games with advanced monitoring techniques, application and other endpoint controls, better security awareness training and more. Because spear phishing, custom malware and targeted attacks are happening at a rate never witnessed before, a data-centric approach to security now is vital, say experts.

And most security pros have to achieve this desired end with flat budgets. I suppose, though, it’s telling that CISOs generally are upbeat despite myriad problems. Improving risk management plans, bettering policies, strengthening training and bolstering controls, along with constantly educating C-level executives about data security being a necessary part of day-to-day activities, are all recurring duties. Yet, survey respondents – SC Magazine readers – are at the ready to tackle these seemingly endless challenges with zeal. And, for a fortunate growing number, undertaking them deftly is paying off as more CEOs and other business leaders register understanding and embrace IT security for what it is – a necessary pillar of good business.

It’s that passion and commitment that drives us every year to celebrate these industry leaders, their many achievements and the varied contributions they make without hesitation to help advance this essential and vibrant industry. Congratulations to you all.

– Illena Armstrong, VP, editorial, SC Magazine
Contents
The Judges
The Sponsors
Word from the co-chair
Reader Trust Awards
Best Anti-Malware Gateway
Best Cloud Computing Security
Best Computer Forensic Tool
Best Data Leakage Prevention (DLP)
Best Database Security Solution
Best Email Security Solution
Best Enterprise Firewall
Best Fraud Prevention Solution
Best Identity Management Application
Best IDS/IPS Product
Best IPsec/SSL VPN
Best Managed Security Service
Best Mobile/Portable Device Security
Best Multifactor Product
Best NAC Product
Best Policy Management Solution
Best SIEM Appliance
Best UTM Security
Best Vulnerability Management Tool
Best Web Application Firewall
Best Web Content Management Product
Excellence Awards
Best Customer Service
Best Emerging Technology
Best Enterprise Security Solution
Best Regulatory Compliance Solution
Best Security Company
Best SME Security Solution
Rookie Security Company of the Year
Professional Awards
Best Cyber Security Higher Education Program
Best Professional Certification Program
Best Professional Training Program
Best Security Team
CSO of the Year
Editor’s Choice Award
EDITORIAL
VP, EDITORIAL Illena Armstrong
DESIGN AND PRODUCTION
U.S. SALES
ART DIRECTOR Michael Strong
EXECUTIVE EDITOR Dan Kaplan
MANAGING EDITOR Greg Masters
VP AUDIENCE DEVELOPMENT &
OPERATIONS John Crewe
VP, SALES
David Steifman (646) 638-6008
PRODUCTION MANAGER
Krassi Varbanov
EVENTS DIRECTOR Natasha Mulla
EVENTS COORDINATOR Maggie Keller
SENIOR EVENTS COORDINATOR
Anthony Curry
REGIONAL SALES DIRECTOR
Mike Shemesh (646) 638-6016
WEST COAST SALES DIRECTOR
Matthew Allington (415) 346-6460
EVENT SALES DIRECTOR
Mike Alessie (646) 638-6002
ACCOUNT MANAGERS
Dennis Koster, Samantha Amoroso
SALES/EDITORIAL ASSISTANT
Roo Howar (646) 638-6104
ACCOUNT EXECUTIVE, LICENSING
AND REPRINTS Elton Wong
AUDIENCE DEVELOPMENT DIRECTOR
Sherry Oommen
MANAGEMENT
CEO OF HAYMARKET MEDIA
Lee Maniscalco
EXECUTIVE VICE PRESIDENT
Tony Keefe
The Judges
Co-chair: Illena Armstrong, VP, editorial, SC Magazine
Co-chair: Rich Baich, CISO, Wells Fargo
Philip Agcaoili, CISO, Cox Communications
Rebecca Bace, CEO, Infidel
Jennifer Bayuk, principal, Jennifer L. Bayuk LLC
Bruce Bonsall, senior security strategist, BT US&C
Dennis Brixius, VP and CSO, The McGraw-Hill Cos.
Chris Camacho, information security officer, The World Bank
John Johnson, senior security program manager, John Deere
Larry Whiteside, CISO, Spectrum Health
Jaime Chanaga, CEO, The CSO Board
Cedric Leighton, colonel, USAF (Ret.); founder and president, Cedric Leighton Associates
Spencer Wilcox, special assistant and lead security strategist, Exelon
Rafael Diaz, CSO, Department of Central Management Services, state of Illinois
Yonesy Nunez, SVP, Citi
Dov Yoran, CEO, ThreatGRID
Rick Doten, CISO, DMI Enterprise Transformation
Jim Reavis, executive director, Cloud Security Alliance
Gene Fredriksen, global CISO, Tyco International
Ariel Silverstone, CISO, self-employed
Stephen Fridakis, senior IT officer, FAO
Ward Spangenberg, director, information security, pearl.com
Pamela Fusco, director/CISO, Apollo Group
Chenxi Wang, vice president, Forrester Research

The Sponsors
SC Magazine would like to thank all of our sponsors for their generous support of the 2013 SC Awards U.S. Their involvement has made this event possible, which helps raise professional standards in the information security industry worldwide.

Bradford Networks
Bradford Networks enables secure network access for corporate-issued and personal mobile devices.
Imperva
Imperva provides a comprehensive
solution for monitoring and controlling all data usage and business
transactions across the data center.
Champlain College
Champlain College has been providing education in the field of digital
forensics and cyber security for more
than six years.
Qualys
Qualys is a leading provider of
cloud security and compliance solutions with more than 6,000 customers in more than 100 countries.
CipherCloud
CipherCloud provides cloud encryption and tokenization gateways to
enable organizations to securely
adopt cloud applications.
Schwartz MSL
Schwartz MSL helps technology
companies leverage public relations
to create visibility and tell their
innovative story.
Entrust
Entrust secures governments,
enterprises and financial institutions
in more than 5,000 organizations
spanning 85 countries.
Solutionary
Solutionary reduces the information
security and compliance burden,
providing flexible managed security
and compliance services.
ForeScout Technologies
ForeScout enables organizations to
accelerate connectivity by allowing
users to access network resources
without compromising security.
Splunk
Splunk software collects, indexes and harnesses the machine-generated big data coming from the devices that power business.
Halon
Halon Security is a prominent
technology leader of email security
and firewalls, protecting millions of
users worldwide.
Symantec
Symantec is a global leader in
security, backup and availability
solutions.
HP Enterprise Security
HP Enterprise Security provides
information security solutions to
protect the hybrid enterprise.
West Coast Labs
West Coast Labs is a leader in independent testing, certification and
real-time performance validation for
information security products.
IBM
IBM Security offers one of the
world’s broadest portfolios of enterprise security products and services.
Welcome from the co-chairman

Reflecting back on information security and cyber threats in 2012 can be quite exhausting. The volume of cyber agitation and threats in the online world is increasing, and the distribution continues to evolve. As an industry, we have been busy, and as a result we have seen many technologies emerge to help address these complex, ever-changing threats to our companies. Innovation and tradecraft are the tools needed to align our security efforts to meet regulatory requirements, ensure compliance, provide actionable cyber threat intelligence and establish proactive techniques to get ahead of the cyber risks. We need to be able to notice indicators of compromise and have good visibility into what is happening within and beyond our own ecosystem. Timeliness of incident identification combined with lapse time taken to address the incident is a key performance indicator of an organization’s ability to address the new reality we live in today. Understanding why an organization is at risk can be even more valuable than the forensics of root cause because the organization may be able to change a behavior, increase operational security or take other actions to deter any possible impact to their business.

Asymmetric practices, innovative solutions, determination to succeed, creativity and dreams can be found tonight in this room. You are all the supply chain to those fighting the cyber threats each day. Your efforts, technologies and ideas enable countless information security professionals to do their jobs. The internet world depends on you, needs you to keep innovating and appreciates your partnership in dealing with the unprecedented threats we all face every day.

– Rich Baich, co-chairman, 2013 SC Awards U.S.; CISO, Wells Fargo

Reader Trust Awards: Best Anti-Malware Gateway, Best Cloud Computing Security, Best Computer Forensic Tool

Best Anti-Malware Gateway
WINNER: Symantec for Symantec Web Gateway

Symantec Web Gateway 5.0 is a web security solution that protects organizations against all types of web-borne malware. The tool is powered by Symantec Insight, which provides proactive protection against new, targeted or mutating threats. Insight enhances protection and can’t be evaded or coded around by self-mutating malware. Also, Symantec Web Gateway can integrate with Symantec Data Loss Prevention seamlessly, which allows for a robust web and data loss prevention solution from a single vendor. This helps stop sensitive data from leaving the corporate network via the web, and also allows for users to receive real-time education on company security policies with notifications for policy violations.

Symantec Web Gateway 5.0 presents organizations with many business and technical advantages. Companies can dynamically allocate resources as web traffic increases. SSL encryption capabilities provide safe transmission of web traffic to popular sites that employees and companies often use for business purposes. Real-time scanning of pages as they load prevents any latency in web browsing and decreases calls to the IT helpdesk.

Symantec Web Gateway’s in-depth reporting gives organizations the detailed view they need into their network, to ensure they are protected from today’s complex and dangerous malware-related threats.

Symantec Web Gateway’s ability to be deployed as a proxy or cache helps companies save money by reducing bandwidth usage, and avoiding the need to purchase another solution to perform these functions. Customers who already have a valid subscription of Symantec Web Gateway and Protection Suite Enterprise Edition are also entitled to perform a simple upgrade to the new version at no additional cost.

Best Cloud Computing Security
WINNER: Juniper Networks for vGW Virtual Gateway

vGW is a solution specifically designed for virtualization as opposed to a pale retrofitted alternative. Compared to competing solutions, the hypervisor-based vGW delivers protection, throughput, scalability, automated deployment, operational efficiencies and value. vGW has a high-performance stateful firewall, integrated IDS, compliance monitoring/enforcement, VM Introspection, reporting, access controls, AV protection, support for IPv6 and groundbreaking scalability.

vGW offers granular customer resource isolation, layers of protection, superior performance and regulatory compliance mechanisms that help users trust in the security of their data – and online business. vGW can help organizations take advantage of cloud computing sooner rather than later, optimize investments in virtualization infrastructure and make the most of existing network security investments. It accomplishes this by providing cloud-enabling, purpose-built security and integrating virtualization security with physical network security.

Organizations want to virtualize to save money. Yet, many still hesitate to virtualize because of security concerns. vGW removes barriers to virtualizing, as well as to implementing large-scale virtualized environments for global organizations and cloud service providers. How? By ensuring security doesn’t impede virtualized workload performance and, moreover, maximizing secured VM-to-host compression ratios. With vGW, businesses can plan to support more VMs on a host while ensuring security and without compromising performance.

vGW was built specifically for virtualized environments and takes a fast-path approach to security. Thanks to this design, vGW can clearly and positively impact budget.

Best Computer Forensic Tool
WINNER: Guidance Software for EnCase

Guidance Software’s EnCase software is a powerful solution that provides the foundation for government and law enforcement agencies to conduct thorough and effective digital investigations of any kind, including intellectual property theft, incident response, compliance auditing and responding to e-discovery requests – all while maintaining the forensic integrity of the data. EnCase allows customers to conduct more complete investigations than its competitors with additional integration to CaseCentral’s secure hosted review platform and with security information and event managers (SIEM) for automated incident response. EnCase software includes the EnCase Enterprise platform with software applications EnCase Cyber Security and EnCase eDiscovery built on top of the platform. The product line also includes EnCase Forensic and EnCase Portable.

The tool provides security specialists, investigators, computer incident-response teams and litigation specialists with everything they need to immediately and thoroughly search, collect, preserve and analyze data from servers, workstations, mobile devices and cloud-based data sources. With EnCase, users can be confident in their ability to complete a comprehensive analysis of whatever evidence they may encounter for virtually any business purpose. Moreover, users of the EnCase solution have the ability to customize how the solution functions, adding capabilities to the product to meet their specific needs.

With EnCase, organizations can improve effectiveness of their staff, as processes and procedures associated with the acquisition, analysis and reporting of a forensic investigation can be automated, eliminating redundant manual work. This allows examiners to focus on their specialty of completing digital investigations.

Finalists 2013 (across the three categories above)
• Dell SonicWALL for Dell SonicWALL TZ 215
• IBM for IBM Cloud Security Services
• AccessData Group for Forensic Toolkit (FTK)
• McAfee for McAfee Web Protection
• Juniper Networks for vGW Virtual Gateway
• FireEye for FireEye Malware Analysis System
• Symantec for Symantec Web Gateway
• Sophos for Sophos SafeGuard 6
• Guidance Software for EnCase
• Trustwave for Secure Web Gateway
• Websense for Websense TRITON Security Gateway Anywhere
• Symantec for Symantec O3 Cloud Identity and Access Control
• Trend Micro for Trend Micro Deep Security 9
• Websense for Websense TRITON Enterprise
• RSA, the security division of EMC, for RSA NetWitness
• Websense for Websense Cyber Security Intelligence (CSI) On-Demand
2013 SC Awards U.S. 57
2013 SC Awards U.S.
2013 SC Awards U.S.
Reader Trust Awards
Reader Trust Awards
Reader Trust Awards
Reader Trust Awards
Best Data Leakage Prevention (DLP)
Best Database Security Solution
Best Email Security Solution
Best Enterprise Firewall
WINNER
WINNER
WINNER
WINNER
Symantec for Symantec Data
Loss Prevention
Symantec Data Loss Prevention delivers a unified solution
to discover, monitor and protect confidential data wherever
it is stored or used. Symantec
offers comprehensive coverage
of confidential data across
endpoint, network and storage
systems – whether users are on
or off the corporate network.
By measurably reducing risk,
Symantec gives organizations
confidence to demonstrate
compliance while protecting
their customers, brand and
intellectual property (IP).
Symantec Data Loss Prevention v11.6 is the current release of Symantec's data security suite. It introduces expanded data loss coverage, advanced multidimensional reporting, improved usability and new security integrations. It features DLP for Mobile, which monitors and protects sensitive data sent from the iPad and iPhone mail client, browser and apps such as Facebook, Twitter and Dropbox, and it does so without blocking business or personal use of the device.

Protecting IP is a significant challenge for organizations because it is spread out, and subtle differences between what is sensitive and what is not make finding it time-consuming and costly. With ever-increasing amounts of sensitive data in corporate environments and accessed on mobile devices, with or without permission from IT security, traditional DLP detection technologies cannot effectively and accurately identify and protect IP such as source code documents that change daily. Collecting and fingerprinting 100 percent of confidential data is too time-consuming and expensive, while identifying the data with keywords sacrifices accuracy. Symantec DLP 11 enables organizations to easily define and locate their unstructured data so that they can quickly prioritize which data needs to be fixed, saving time and money.
Best Database Security Solution
WINNER
McAfee, an Intel company, for McAfee Database Security Solution
Databases store information, the crown jewels of today's organizations. For this reason, they are targeted in the overwhelming majority of breach attempts by external hackers and malicious insiders. Perimeter security and the native security features of database management systems (DBMS) prove insufficient as the critical last line of defense for the sensitive, valuable information that databases hold. McAfee Database Security offers real-time, reliable protection for business-critical databases against external, internal and even intra-database threats. This non-intrusive, software-only solution requires no architectural changes, database downtime or additional security management silos. With this tool, organizations of all sizes can gain complete visibility into their overall database landscape and security posture,
Best Email Security Solution
WINNER
Barracuda Networks for Barracuda Email Security
Productivity losses due to spam and other email security issues can cost businesses millions of dollars each year. The Barracuda Email Security solutions, including the Barracuda Spam & Virus Firewall appliance and Vx virtual appliance and the Barracuda Email Security Service cloud solution, are extremely powerful and provide complete email protection for organizations of all sizes.

The email security solution features ease of use and deployment for hardware, virtual, cloud and hybrid offerings with no per-user fees. It provides detailed email monitoring; scans outbound emails and attachments; and blocks disclosure of sensitive data, such as Social Security and credit card numbers. Its outbound scanning also stops spam leaving an email server, which would otherwise cause reputation loss and blacklisting. The integrated cloud encryption service lets users encrypt individual emails at no extra cost.
Barracuda Networks
leverages 12 defense layers to
provide defense capabilities for
any email server within large
corporate or small business environments. Online resources
are available and include a
portal for opening a support
case, a searchable knowledge
base, technical support forum
and more.
With no software to install and no modifications required to existing email systems, installation of the Barracuda email security solutions is quick and painless.
As well, a key technical
advantage for enterprises or
SMEs deploying a Barracuda
email security solution is access to Barracuda Central, an
operations center that works
24/7 to capture the latest
data on spam and other email
threats from a vast network of
honeypots, as well as submissions from the more than
85,000 Barracuda Networks
customers worldwide.
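The outbound checks both the Symantec DLP entry (fingerprinting versus keyword matching) and the Barracuda entry (blocking Social Security and card numbers in outbound mail) describe can be shown concretely. The following is an added example written for this page, not Symantec or Barracuda code; the protected document, the sample messages, the Luhn and SSA validity filters and the 30 percent shingle-overlap threshold are constructed assumptions.

```python
"""Outbound content inspection: pattern + checksum detection and partial-document
fingerprinting. Added example; not Symantec or Barracuda code. All documents and
messages below are constructed for the example."""
from __future__ import annotations

import hashlib
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list[str]:
    """Apply SSA issuance rules so phone-number-like strings and dummies are skipped:
    area not 000/666/9xx, group not 00, serial not 0000."""
    found = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
            continue
        found.append(f"{area}-{group}-{serial}")
    return found


def shingles(text: str, k: int = 5) -> set[str]:
    """Hashed k-word shingles of normalised text: the fingerprint of a document.
    Only hashes are stored, so the protected content itself need not leave the DLP server."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(max(0, len(words) - k + 1))
    }


def fingerprint_match(message: str, protected: dict[str, set[str]], threshold: float = 0.3) -> list[str]:
    """Names of protected documents whose shingles cover at least `threshold` of the message.
    Catches a pasted excerpt that a keyword list would miss and whole-file hashing would not see."""
    msg = shingles(message)
    if not msg:
        return []
    return [name for name, fp in protected.items() if len(msg & fp) / len(msg) >= threshold]


def inspect_outbound(message: str, protected: dict[str, set[str]]) -> dict:
    """Policy decision for one outbound message: block if any detector fires."""
    findings = {
        "card_numbers": find_card_numbers(message),
        "ssns": find_ssns(message),
        "fingerprinted_docs": fingerprint_match(message, protected),
    }
    findings["action"] = "block" if any(findings.values()) else "allow"
    return findings


# Constructed: one protected design document, fingerprinted ahead of time.
PROTECTED_DOCS = {
    "acme-payment-design.txt": shingles(
        "The settlement service signs each batch with the HSM key, rotates the batch "
        "token every fifteen minutes and stores the audit trail in the ledger table "
        "before acknowledging the gateway."
    ),
}

# Constructed outbound messages: a harmless one and one that leaks an SSN, a
# Luhn-valid test card number and a paragraph lifted from the protected document.
SAMPLE_OK = "Hi Bob, lunch at 12:30? My desk phone is 555-123-4567."
SAMPLE_LEAK = (
    "Customer 123-45-6789 paid with 4111 1111 1111 1111. FYI our settlement service "
    "signs each batch with the HSM key, rotates the batch token every fifteen minutes "
    "and stores the audit trail in the ledger table."
)

if __name__ == "__main__":
    for msg in (SAMPLE_OK, SAMPLE_LEAK):
        print(inspect_outbound(msg, PROTECTED_DOCS))
```

The Luhn check is what keeps phone numbers and order IDs out of the card detector, and the shingle overlap fires on the pasted paragraph even though no keyword list names it. A production deployment would tune the threshold per document class and keep the shingle hashes on the DLP server.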
Best Enterprise Firewall
WINNER
Check Point Software Technologies for Check Point R75.40
Internet use has changed dramatically with the wide adoption of virtualization, mobile computing and Web 2.0 in the enterprise. Security used to be handled by simply blocking specific applications, ports or websites entirely. Web 2.0 applications, however, carry their traffic over a handful of shared ports and protocols, so blocking by port no longer separates one application from another.
Check Point R75.40 includes
Check Point ThreatCloud, the
first collaborative network to
fight cyber crime. It gathers
data from global threat sensors
and distributes threat intelligence to security gateways
around the globe. The tool
also features new anti-bot and
enhanced anti-virus software
blades, powered by ThreatCloud. Check Point GAiA
adds a unified secure operating system for all Check Point
appliances, open servers and
virtual systems. SmartLog is
a new feature of the logging
and status software blade that
provides split-second search
results from billions of log
records.
Check Point R75.40 allows
companies to consolidate
security protections with an
integrated solution that can be
tailored to meet specific security and performance needs.
Because R75.40 is based on
Check Point’s Software Blade
Architecture, customers can
expand their security as needed without new management
or hardware. This significantly
reduces costs.
Check Point's newest security appliances are designed to optimize all of the software blade protections available with R75.40 and leverage the company's multi-core and acceleration technologies, delivering firewall performance of up to 200 Gbps throughput with less than five microseconds of latency. The result is an integrated firewall solution that keeps businesses safe and information available, without impacting network performance.
McAfee, an Intel company, for McAfee Database Security Solution (continued)
…fully align their security policy administration practices and efficiently maintain regulatory compliance.

By delivering a complete family of products, fully integrated through the McAfee ePolicy Orchestrator dashboard, McAfee significantly simplifies the deployment and monitoring of the security infrastructure. McAfee Database Activity Monitoring requires no changes to the database itself and no configuration changes to the network, and yet can provide real-time alerting or session termination with minimal overhead. The memory-based sensor model catches threats from all potential sources, including privileged users, and the fully distributed architecture can also be deployed in virtualized environments and in the cloud. McAfee Virtual Patching for Databases identifies and blocks attempts to exploit known vulnerabilities on unpatched servers, as well as common threat vectors of many zero-day attacks.

Finalists 2013

Best Data Leakage Prevention (DLP)
• Identity Finder for Identity Finder
• RSA, the security division of EMC, for RSA DLP
• Symantec for Symantec Data Loss Prevention
• Trend Micro for Trend Micro Integrated Data Loss Prevention
• Websense for Websense Data Security Suite

Best Database Security Solution
• BeyondTrust for PowerBroker Database - Monitor & Audit
• DB Networks for Adaptive Database Firewall ADF-4200
• IBM for IBM InfoSphere Guardium
• Imperva for Imperva SecureSphere
• McAfee, an Intel company, for McAfee Database Security Solution

Best Email Security Solution
• Barracuda Networks for Barracuda Email Security
• McAfee for McAfee Email Protection
• Proofpoint for Proofpoint Enterprise Protection/Proofpoint Enterprise Privacy
• Symantec for Symantec Messaging Gateway
• Websense for Websense Email Security Gateway Anywhere

Best Enterprise Firewall
• AT&T for AT&T Network-Based Firewall Service
• Check Point Software Technologies for Check Point R75.40
• Dell SonicWALL for Dell SonicWALL E-Class Network Security Appliance (NSA) 8510
• Dell SonicWALL for Dell SonicWALL SuperMassive E10800
• Fortinet for FortiGate-800C
• Sourcefire for Sourcefire Next-Generation Firewall (NGFW)
Reader Trust Awards
(Categories on this spread: Best Fraud Prevention, Best Identity Management Application, Best Intrusion Detection/Prevention Product, Best IPsec/SSL VPN)

Best Fraud Prevention
WINNER
RSA, the security division of EMC, for RSA Adaptive Authentication
As organizations migrate
customers and partners to
the web, they must look at
two primary considerations:
Implementing flexible security
that adapts to the ever-evolving world of online threats,
and doing so without sacrificing usability.
RSA Adaptive Authentication is a comprehensive,
risk-based authentication and
fraud detection platform that
balances security, usability and cost. Powered by the
RSA risk engine, Adaptive
Authentication monitors and
authenticates online activities
in real-time by correlating
behavioral analysis, device
profiling and data feeds from
RSA eFraudNetwork. Because
the Risk Engine works behind
the scenes to validate devices
and behavior, the vast majority
of users are authenticated invisibly, without impact to their
user experience. Available
in both SaaS and on-premise
deployments, it is scalable
to millions of users, and
provides login and transaction
protection for users accessing
websites, mobile applications/
portals, SSL VPN applications
and web access management
applications.
As a risk and policy-based
platform with the ability to
leverage the depth of the
eFraudNetwork, RSA Adaptive Authentication helps organizations drastically improve
fraud detection in real-time,
thus decreasing fraud-related
losses. In addition, its flexibility lowers operational
overhead associated with
deployment (i.e., there are no
tokens to deploy and users can
self-enroll). Most end-users
are authenticated invisibly,
causing the end-user little
disruption, allowing them to
access data faster and more
efficiently. Finally, offering a
solution that does not require
tokens or extra passwords
means fewer “lost token” or
“forgotten password” calls to
tech support.
Best Identity Management Application
WINNER
CA Technologies for CA IdentityMinder
Managing the identities and access of users to key resources is a critical function for IT organizations under increasing pressure to cut operating costs while demonstrating continuous compliance. They must also protect critical systems, applications and information from unauthorized access and use; increase efficiency and productivity without sacrificing security across many platforms; efficiently prove compliance with internal policies, regulations and best practices; and easily adopt new technologies, such as virtualization and cloud, that support business initiatives.
CA IdentityMinder helps improve the operational efficiency
and effectiveness of IT organizations by providing a scalable
and configurable identity management foundation that can
organize identity information
across the enterprise and within
the context of business roles
and processes. It helps streamline the on- and off-boarding
of users, enables the business
to manage access requests and
automates identity compliance
processes from distributed and
mainframe environments.
The tool provides a highly
scalable end-to-end solution
for automating and improving
the many time-consuming tasks
associated with identity management. The CA solutions for
identity management also build
structure around the complete
identity lifecycle, enabling
repeatability and the ability to
leverage standardized processes
for additional improvement.
CA IdentityMinder delivers a scalable and configurable solution that accommodates an enterprise's unique needs at every level: a role foundation that accurately represents its organizational structure, definition and enforcement of its particular business and regulatory policies, and cost-effective extension of automated provisioning to additional applications and policies.
Best Intrusion Detection/Prevention Product
WINNER
Check Point Software Technologies for Check Point IPS Software Blade
Today’s threat landscape is
dynamic, evolving and includes
organized groups creating
sophisticated attacks that
specifically target the security
weaknesses of their business
target. Enterprises want to
protect their business against
the multitude of threats while
simplifying their security
deployment and reducing their
total security costs.
The Check Point IPS Software Blade provides complete, integrated, next-generation firewall intrusion prevention capabilities at multi-gigabit speeds. It covers threats to clients, servers, operating systems and other vulnerable components, malware and worm infections, and more. The Multi-Tier Threat Detection Engine combines signatures, protocol validation, anomaly detection, behavioral analysis and other methods, including identity and application awareness, to provide the highest levels of network IPS protection. By quickly filtering 90 percent of incoming traffic without requiring deep inspection, the IPS engine inspects for attacks only on the relevant sections of traffic, reducing overhead and increasing accuracy.

Customers require the flexibility of the Software Blade Architecture to enable more security functions as needed, ultimately migrating toward a next-generation firewall deployment. The IPS Software Blade uses multiple methods of detection and analysis to identify malicious traffic, and the IPS Update Service delivers broad coverage, including Check Point's coverage of Microsoft applications.

Deploying the IPS Software Blade reduces the complexity of a customer's network security infrastructure by reducing hardware footprint, rack space, cabling, cooling and power consumption.

Finalists 2013

Best Fraud Prevention
• CA Technologies for CA RiskMinder
• Entrust for Entrust TransactionGuard
• RSA, the security division of EMC, for RSA Adaptive Authentication
• Symantec for Symantec Code Signing
• Trusteer for Trusteer Pinpoint

Best Identity Management Application
• CA Technologies for CA IdentityMinder
• Centrify for Centrify Suite 2012

Best Intrusion Detection/Prevention Product
• Check Point Software Technologies for Check Point IPS Software Blade
• Dell SonicWALL for Dell SonicWALL SuperMassive E10200
• HP Enterprise Security for HP TippingPoint
• IBM for IBM Security Network IPS / Network Protection
• Sourcefire for Sourcefire Next-Generation IPS (NGIPS)
Best IPsec/SSL VPN
WINNER
Juniper Networks for MAG Series Junos Pulse Gateways
The Juniper Networks MAG Series Junos Pulse Gateways are a market-leading SSL VPN platform that provides secure remote access for both non-mobile and mobile devices. The offering secures clientless access to enterprise applications, data and resources, and ensures best-in-class endpoint security, granular access control and threat prevention. The MAG Series scales for companies of all sizes and supports BYOD initiatives through support of all major mobile OSs. In addition to secure connectivity via SSL VPN, MAG Series gateways can also deliver NAC and application acceleration, offering a significant reduction in OpEx and CapEx, increased deployment density, extensive scalability and easily reconfigurable "personality" changes between secure mobile and remote SSL VPN access control and network access control (NAC) modes. Juniper's SSL VPN capabilities are also available as a virtual appliance, offering added flexibility and scalability at lower cost.
The MAG Series Junos
Pulse Gateways product family
includes models sized to meet
the needs of SMBs with limited
IT experience, all the way up
to high capacity products for
large enterprises and service
providers requiring the utmost
authentication, authorization
and accounting capabilities for
employee, partner (extranet)
and customer access. In addition, a virtual SSL VPN appliance is available.
The solution uses SSL, with no client software deployment required, and offers cross-platform support across any web-enabled device and all major OSs, including Windows, Mac, Linux, iOS, Android and others. Additionally, Host Checker scans endpoints for compliance, including mobile devices used in BYOD, and the tool enables single sign-on to cloud and web-based applications via SAML 2.0.
Finalists 2013

Best IPsec/SSL VPN
• Barracuda Networks for Barracuda SSL VPN
• Dell SonicWALL for Dell SonicWALL Aventail E-Class SRA EX9000
• HOB GmbH & Co. KG for HOB RD VPN
• Juniper Networks for MAG Series Junos Pulse Gateways
• NCP Engineering for NCP Secure Enterprise Management 3.0

Best Identity Management Application (continued)
• Cyber-Ark Software for Privileged Identity Management Suite
• IBM Security Systems for IBM Security Identity Manager
• NetIQ for NetIQ Identity Manager 4

Reader Trust Awards
(Categories on this spread: Best Managed Security Service, Best Mobile/Portable Device Security, Best Multifactor Product, Best NAC product)

Best Managed Security Service
WINNER
Verizon Business for Managed Security Services – Commercial
New technologies and systems keep arriving in the workplace, and each widens the spectrum of business risk while adding to the challenge of keeping technical risk at an acceptable level; those risks show up as operational challenges, vulnerabilities and evolving internet threats. To reduce risk, organizations must move away from standalone and isolated security products, which provide only an incomplete view of enterprise security.
In order to reduce risk
exposure, businesses need
a methodology and a security platform to manage risk
exposure which allows them
to anticipate problems, take
corrective action and demonstrate results. Verizon offers a
process framework and global
infrastructure for consistency
in handling threats and poli-
cies, as well as direct access
to experts and best practices.
As a result, organizations have
one consistent view of their
security and risk management
posture.
Customers leverage Verizon’s expertise and global infrastructure to address a wide
range of challenges, including cyber threats, regulatory
compliance and the adoption
of cloud-based computing
services. The SEAM engine is
Verizon’s intellectual property
and provides the technology to
detect security incidents and
to assign a risk rating, which
allows the customer to define
the business impact based on
their asset information. Security incident creation is based
on threat information generated by the security devices.
Verizon can help determine
risk and its impact by taking
into account threat, vulnerability, and assets through its
proprietary SEAM engine, and
can provide valuable insight
on recommending corrective action when mitigating
threats.
Best Mobile/Portable Device Security
WINNER
Marble Security (formerly IronKey) for Marble Access
Criminals, hackers, hacktivists and hostile governments are attacking mobile devices and desktops to steal information, break into online accounts and humiliate governments and enterprises. Marble Security's Marble Access adds a layer of mobile, desktop and network security intended to protect endpoints from threats both known and unknown, including keystroke loggers, viruses, man-in-the-browser trojans, zero-day malware, malicious Wi-Fi hotspots, network attackers and DNS poisoning. Marble Access provides a unified user experience across PC, Mac, Android and iOS devices. It combines a virtualized secure browser with encryption, mutual authentication and URL whitelisting to isolate users from threats on the device or on the internet. Personal data is never stored on the device, so it cannot be stolen or leaked from it. At the same time, Marble Access reduces IT costs, secures broader use of the cloud, supports compliance and risk management goals and enables secure use of BYOD initiatives.

Marble Access differs first in its virtualized secure browser. Unlike signature-based countermeasures such as anti-virus, or firewalls, which are vulnerable to zero-day attacks, the secure browser works with jailbreak detection, keyboard encryption and other technologies to isolate users inside a protected "cocoon." Marble Access delivers a unified user experience on all platforms: iPhones, iPads, Android, BlackBerries, PCs and Macs. As another major differentiator, Marble Access uses encryption, authentication, whitelists, blacklists and other technologies to protect against phishing and network-level attacks, such as DNS poisoning or malicious hotspots.
Best Multifactor Product
WINNER
RSA, the security division of EMC, for RSA SecurID
Protecting access to information, and assuring the identities of users requesting that access, is a core element of any security initiative. Whether for a small organization or a large enterprise, password authentication alone is not enough to protect against today's threat landscape; another layer of protection is required.
RSA SecurID is the standard
for two-factor authentication
solutions. It reliably proves the
identities of users, devices and
applications by using a unique
symmetric key combined with a
proven algorithm to generate a
one-time password that changes
every 60 seconds. RSA SecurID
helps legitimate users gain
secure access to VPNs, wireless
access points, applications
in the cloud, on the web and
mobile, and network operating systems. Adding in that
additional layer, RSA SecurID
helps organizations protect
private information and assure
the identities of people, devices
and applications exchanging
that information.
RSA offers a broad range of
easy-to-use form factors to suit
a variety of organizations and
requirements. These include
both hardware and software
authenticators to support the
leading mobile platforms, SMS
authenticators and software
developer kits to custom build
API calls into third-party mobile applications.
RSA has more than 400 partners to ensure out-of-the-box
integrations with the widest
range of applications that are
jointly tested by each organization to ensure a positive
experience that significantly
reduces deployment, testing
and integration costs.
RSA SecurID is a cost-effective way for organizations to address authentication and compliance concerns and provide an extra level of security for networks, VPNs and other business assets. RSA SecurID offers a broad array of form factors and authentication mechanisms to meet all budgets.
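As an added illustration of the mechanism described above (a shared symmetric seed, an algorithm and the current time producing a code that rolls every 60 seconds), here is the public time-based one-time password algorithm of RFC 6238 with a 60-second step and a server-side verifier. This is example code for this page, not RSA's; SecurID's tokencode algorithm is proprietary and differs from TOTP. The seed and timestamps are constructed values, and the drift window of one step is an assumption.

```python
"""Time-based one-time password (RFC 6238) with a 60-second step and a server-side
verifier. Added example: it stands in for the shared-key token mechanism the passage
describes; RSA SecurID's own tokencode algorithm is proprietary and is not reproduced.
Seeds and timestamps are constructed values."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # SecurID-style step; RFC 6238's default is 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Tokencode for the time step containing unix_time: HMAC-SHA1 over the step counter,
    dynamic truncation (RFC 4226 section 5.3), reduced to a zero-padded decimal."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side. Compares in constant time, tolerates +/-drift_steps of clock skew,
    and never accepts a code for a step at or before the last accepted one (replay)."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue                      # that step already yielded an accepted code
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    seed = b"constructed-demo-seed"          # per-token seed, provisioned to server and token
    now = int(time.time())
    code = totp(seed, now)
    verifier = TotpVerifier(seed)
    print(code, verifier.verify(code, now), verifier.verify(code, now))   # True, then False (replay)
```

The verifier accepts one step of clock drift either way and refuses any code for a step at or before the last accepted one, which is the property that makes a captured tokencode worthless after its first use.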
Best NAC product
WINNER
Trustwave for Trustwave NAC
Trustwave offers full network
access control protection for
all endpoints, managed and
unmanaged, and works in any
network infrastructure. Trustwave NAC combines agentless
network access control with
zero-day threat prevention
and automated policy enforcement and is available in three
configurations:
Enterprise NAC – A
highly scalable, full-cycle NAC
solution designed for large
organizations with thousands of
endpoints, providing centralized and unified web-based
management with unified
configuration and reporting
support, deployed virtually
inline.
Managed NAC – Trustwave’s
MSS operation offers full-function NAC as a managed service,
including the same feature/
function support as Enterprise
NAC, while maintaining sensor integrity and health, and
providing reduced cost with no
capital expense.
Plug-n-Play NAC – Offered as an add-on software module with Trustwave's Managed UTM service for smaller, distributed enterprises, Plug-n-Play NAC automatically detects and optionally blocks rogue devices and network services, automatically updating firewall rules to enforce the access policy.

Agentless deployment works for every endpoint regardless of device type or operating system, including BYOD assets, enabling an organization to quickly start monitoring both existing and new devices as they come on and off the network. The solution requires no integration with existing switch fabrics and no lengthy implementation process for discovery or enforcement. Trustwave NAC operates virtually inline as needed, with a fail-open architecture and self-contained enforcement that adds no latency. Any device on the network is detected, and patented technology further identifies rogue devices as well as unauthorized routers and gateways.
Finalists 2013

Best Managed Security Service
• Dell SecureWorks for Dell SecureWorks Managed Security Services
• IBM for IBM Managed Security Services
• Mandiant for MCIRT Managed Defense
• Verisign for Verisign MalDetector Service
• Verizon Business for Managed Security Services – Commercial

Best Mobile/Portable Device Security
• AirWatch for AirWatch Enterprise Mobile Management
• AVG for AVG AntiVirus FREE for Android
• Marble Security (formerly IronKey) for Marble Access
• Sophos for Sophos Mobile Control 2.5
• Symantec for Symantec Mobile Management Suite

Best Multifactor Product
• CA Technologies for CA AuthMinder
• Entrust for Entrust IdentityGuard
• PhoneFactor, a Microsoft company, for PhoneFactor
• RSA, the security division of EMC, for RSA SecurID
• Symantec for Symantec VIP

Best NAC product
• Bradford Networks for Network Sentry
• ForeScout Technologies for ForeScout CounterACT
• StillSecure for StillSecure Safe Access
• Trustwave for Trustwave NAC

Reader Trust Awards
(Categories on this spread: Best Policy Management Solution, Best Security Information/Event Management (SIEM) Appliance, Best UTM Security, Best Vulnerability Management Tool)

Best Policy Management Solution
WINNER
SolarWinds for SolarWinds Network Configuration Manager (NCM)
SolarWinds Network Configuration Manager (NCM) simplifies managing network configuration files in multi-vendor network environments by backing up configuration files, continuously monitoring device configurations and providing immediate notification of configuration changes, so that problems can be resolved before they affect users. SolarWinds NCM can check the regulatory compliance of all network devices, including routers, switches and firewalls, and generate detailed reports from a single instance. These reports can be run on demand or scheduled periodically and emailed to security personnel.
The compliance checks
available cover many different
standards, including HIPAA,
SOX, PCI, DISA STIG and
FISMA, and can be customized
by the users based on their
company-specific rules and best
practices. Users also can create
their own checks from scratch.
Both customized and entirely
new checks can be shared on
thwack, the SolarWinds online
IT management community.
NCM combines powerful network configuration management features, rapid time-to-value, an easy-to-use web-based interface and affordability in one package. NCM is part of SolarWinds' IT management suite, which includes solutions for network, application and server, log and security information, virtualization, storage, IT help desk, remote support and mobile IT management, and real-time troubleshooting and diagnostic tools.

Additionally, SolarWinds' thwack.com community of more than 100,000 members is extremely active. The NCM section, one of the busiest areas of thwack, receives on average dozens of postings per day: questions and answers, shared content, blog postings, feature requests and tips.
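Shown below, as an added example that is not SolarWinds code, is the core of the two operations the NCM entry describes, applied to a Cisco IOS-style configuration: diffing the running config against the last backup to produce the change notification, and evaluating the running config against compliance rules of the kind a DISA STIG or PCI check encodes. The two configurations, the rule identifiers NET-0010 to NET-0050 and the rules themselves are constructed for the example; a real NCM pulls the running config from the device and carries far larger rule sets.

```python
"""Configuration backup diff and policy compliance checks over a network device
config. Added example, not SolarWinds code. The configs, the rule identifiers
(NET-00xx) and the rules are constructed for the example."""
from __future__ import annotations

import difflib
import re

# Constructed: last known-good backup of a Cisco IOS-style router config.
BASELINE = """\
hostname edge-rtr1
service password-encryption
ip ssh version 2
snmp-server community s3cr3tRO RO
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Constructed: running config pulled after an unapproved change.
RUNNING = """\
hostname edge-rtr1
service password-encryption
ip http server
snmp-server community public RO
snmp-server community s3cr3tRO RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
"""


def config_diff(old: str, new: str) -> list[str]:
    """Changed lines only (no file headers or hunk markers): the body of a change notification."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def _lines(cfg: str) -> set[str]:
    return {l.rstrip() for l in cfg.splitlines()}


def _vty_sections(cfg: str) -> list[list[str]]:
    """Bodies of each 'line vty' block (the indented lines that follow it)."""
    sections, current = [], None
    for line in cfg.splitlines():
        if line.startswith("line vty"):
            current = []
            sections.append(current)
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return sections


# Hypothetical rule IDs; each check returns True when the config complies.
RULES = {
    "NET-0010 service password-encryption enabled":
        lambda cfg: "service password-encryption" in _lines(cfg),
    "NET-0020 SSH protocol version 2 enforced":
        lambda cfg: "ip ssh version 2" in _lines(cfg),
    "NET-0030 HTTP management server disabled":
        lambda cfg: "ip http server" not in _lines(cfg),
    "NET-0040 no default SNMP community strings":
        lambda cfg: not re.search(r"^snmp-server community (public|private)\b", cfg, re.M),
    "NET-0050 vty lines accept SSH only":
        lambda cfg: bool(_vty_sections(cfg))
        and all("transport input ssh" in s for s in _vty_sections(cfg)),
}


def compliance_failures(cfg: str) -> list[str]:
    return [rule for rule, check in RULES.items() if not check(cfg)]


def review_change(baseline: str, running: str) -> dict:
    """What an NCM would raise on a scheduled poll: the diff and the rules now violated."""
    diff = config_diff(baseline, running)
    return {"changed": bool(diff), "diff": diff, "failures": compliance_failures(running)}


if __name__ == "__main__":
    report = review_change(BASELINE, RUNNING)
    print("\n".join(report["diff"]))
    for failure in report["failures"]:
        print("FAIL", failure)
```

Run stand-alone, it prints the changed lines and the four rules the change broke (SSH version 2 removed, HTTP server enabled, a default SNMP community added, telnet re-enabled on the vty lines). Real rule sets are much larger, but each rule reduces to a predicate over the configuration text in the same way.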
Best Security Information/Event Management (SIEM) Appliance
WINNER
Splunk for Splunk Enterprise
Splunk is a Big Data security intelligence platform used by more than 1,500 customers to search and investigate, proactively monitor user and machine behavior, perform statistical analysis to identify anomalies and unknown threats, and create dashboards and visualizations for executives. Splunk's architecture makes all machine data in an organization usable and valuable to the IT security team. It can index any type of machine or log data without upfront normalization, and allows users to create correlations and reports on the raw data. The platform is agile and flexible, and lets security customers address a wide range of security use cases, from basic log management and incident investigation/forensics to fraud detection and correlation/alerting, to find known and unknown threats. For traditional SIEM use cases, the Splunk App for Enterprise Security comes with out-of-the-box reports, dashboards, incident workflow and correlation searches.

Splunk can ingest any type of machine data from any source, whether files, syslog, a script or more. Splunk stores this data in a flat-file data store rather than a fixed-schema SQL database, so it is not limited to indexing and searching only data that fits a database schema. Splunk's search technology and language enable fast, advanced searches against terabytes of data to find threats. Searches can use Boolean and statistical logic to identify outliers and abnormal behavior that may represent an advanced, unknown threat. Splunk is also software-only and installs on commodity hardware, so it is cheaper and easier to upgrade. Lastly, Splunk enables the fast creation of new reports and dashboards.
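To make the search-and-statistics workflow concrete, the following added example (not Splunk code, and not SPL) extracts fields from raw sshd lines at search time, counts failed logins per source and flags sources whose count is a statistical outlier, using a median/MAD modified z-score. The log lines, hostnames and addresses are constructed, and the 3.5 threshold is the conventional cut-off for that score.

```python
"""Schema-on-read field extraction and statistical outlier detection over raw auth
logs. Added example, not Splunk code or SPL. All log lines are constructed."""
from __future__ import annotations

import re
import statistics
from collections import Counter

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def _line(i: int, result: str, user: str, src: str) -> str:
    """Build one constructed sshd log line."""
    return (f"2013-03-01T09:{i // 60:02d}:{i % 60:02d}Z web1 sshd[{800 + i}]: "
            f"{result} password for {user} from {src} port {40000 + i} ssh2")


SAMPLE_LOG = [
    _line(0, "Accepted", "deploy", "10.0.0.5"),
    _line(1, "Failed", "alice", "10.0.0.7"),
    _line(2, "Failed", "alice", "10.0.0.7"),
    _line(3, "Accepted", "alice", "10.0.0.7"),
    _line(4, "Failed", "bob", "10.0.0.8"),
    _line(5, "Failed", "carol", "10.0.0.9"),
    _line(6, "Failed", "carol", "10.0.0.9"),
    _line(7, "Failed", "dave", "10.0.0.10"),
    _line(8, "Failed", "erin", "192.0.2.4"),
    _line(9, "Failed", "erin", "192.0.2.4"),
    _line(10, "Failed", "erin", "192.0.2.4"),
    # A line from another program: indexed as-is, no fields extracted, not an error.
    "2013-03-01T09:00:11Z web1 CRON[900]: pam_unix(cron:session): session opened for user root",
] + [_line(20 + i, "Failed", "invalid user admin", "203.0.113.9") for i in range(25)]


def extract(lines):
    """Search-time field extraction: lines the pattern does not fit are simply not extracted."""
    return [m.groupdict() for m in map(AUTH_RE.match, lines) if m]


def failures_by_source(events) -> Counter:
    return Counter(e["src"] for e in events if e["result"] == "Failed")


def robust_outliers(counts: Counter, threshold: float = 3.5) -> dict[str, float]:
    """Modified z-score 0.6745*(x - median)/MAD (Iglewicz and Hoaglin). Median and MAD
    resist the outlier itself, whereas a mean/stdev z-score is dragged toward it."""
    values = list(counts.values())
    if len(values) < 3:
        return {}
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    # When more than half the sources share the median, MAD is 0; fall back to the
    # scaled mean absolute deviation as the same paper recommends.
    scale = mad if mad > 0 else 1.253314 * statistics.mean(abs(v - med) for v in values)
    if scale == 0:
        return {}
    scores = {src: 0.6745 * (n - med) / scale for src, n in counts.items()}
    return {src: z for src, z in scores.items() if z > threshold}


def brute_force_sources(lines) -> dict[str, float]:
    """The whole pipeline: raw lines -> events -> per-source failure counts -> outliers."""
    return robust_outliers(failures_by_source(extract(lines)))


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))
```

The reason for median and MAD rather than mean and standard deviation: one brute-forcing address with 25 failures drags the mean up and inflates the standard deviation, which can hide it from a plain z-score, whereas the median-based score reports it at roughly 15 while the busiest legitimate source scores well under 1.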
Best UTM Security
WINNER
Symantec for Symantec Endpoint Protection
Last year, attackers unleashed
more than nine new mutated
viruses every second of every
day, resulting in more than 403
million distinct threats. This
huge volume and variety of
threats has made it virtually impossible for security companies
to protect users. Traditional
security software is reactive,
looking for digital fingerprints
of viruses after they have been
discovered. But today’s criminals work differently, mutating
their malware and creating new,
unique threats for each user.
Symantec Endpoint Protection v12 offers advanced
protection while improving
system performance to businesses of all sizes. It includes
a new detection system that
includes Symantec Insight, a
cloud-based technology that
tracks more than three billion
files from more than 200 million systems to identify new and
rapidly mutating threats, as well
as SONAR, Symantec’s system
for real-time monitoring and
blocking of malware. Symantec
Endpoint Protection protects
both physical and virtual
systems.
By tracking nearly every program file on the internet, Symantec can identify new or rapidly mutating files. Leveraging Insight and SONAR, Symantec Endpoint Protection blocks new and unknown threats missed by traditional signature, heuristic, behavioral and HIPS-based security solutions.

Symantec Insight also provides performance advantages. Because Insight knows the security status of most of the files on a system before it scans them, it eliminates up to 70 percent of scan overhead, so users rarely notice it running.

Symantec Endpoint Protection 12 provides strong security, fast performance and optimization for virtual environments, offering defense against attacks on both physical and virtual systems.
Best Vulnerability Management Tool
WINNER
Qualys for QualysGuard Vulnerability Management
QualysGuard Vulnerability
Management (VM) automates
network auditing and vulnerability management across organizations, including network
discovery and mapping, asset
management, vulnerability
reporting and remediation
tracking. Driven by a comprehensive knowledge base
of known vulnerabilities, it enables cost-effective protection
against vulnerabilities without
substantial resource deployment. It is used by more than
5,800 customers in more than
100 countries, including a
majority of each of the Forbes
Global 100 and Fortune 100.
Delivered as a cloud solution accessible from any web
browser, QualysGuard VM is
easy to deploy and manage –
even across globally distributed environments – enabling
organizations to accurately
scan their networks and applications to identify and fix
vulnerabilities and collect
compliance data. Organizations report 50 to 90 percent
lower costs and can more
efficiently remediate vulnerabilities using the solution’s
powerful tools and features,
including centralized reports,
verified remedies and risk
rankings to prioritize remediation steps, and full remediation workflow capabilities
with trouble tickets.
QualysGuard VM delivers a
powerful, scalable solution at
a low cost. It requires no infrastructure to deploy or manage,
saving time and resources,
providing a continuous view
of security across the organization.
Qualys also maintains the
industry’s largest vulnerability database, updated daily
for more than 35,000 unique
vulnerabilities. Automated
signature regression testing
ensures quality/accuracy, scoring six sigma accuracy (fewer
than 3.4 defects per million
scanned). Updates are rolled
out immediately, and users can
scan globally without requiring additional infrastructure.
Finalists 2013
• Check Point Software Technologies for Check Point 2200 and 4000 Series Appliances
• GFI Software for GFI LanGuard 2012
• Dell SonicWALL for Dell SonicWALL TZ 215
• Qualys for QualysGuard Vulnerability Management
• Rapid7 for Rapid7 Nexpose
• Tenable Network Security for Tenable Security Center
• Trustwave for TrustKeeper Vulnerability Manager
• Fortinet for FortiGate-100D
• IBM for IBM Endpoint Manager
• HP Enterprise Security for HP ArcSight
• AirWatch for AirWatch Enterprise Mobile Management
• IBM for IBM Security Q Radar SIEM
• NetIQ for NetIQ Secure Configuration Manager
• LogRhythm for LogRhythm
• SolarWinds for SolarWinds Network Configuration Manager (NCM)
• NetIQ for NetIQ Sentinel 7
• Tripwire for Tripwire Enterprise 8.2
• Splunk for Splunk Enterprise
• Sophos for Sophos UTM 9
• Symantec for Symantec Endpoint Protection 12
• SolarWinds for SolarWinds Log & Event Manager (LEM)

64 2013 SC Awards U.S.
Reader Trust Awards

Best Web Application Firewall

WINNER
Barracuda Networks for Barracuda Web Application Firewall

A recent study by Forrester Research found that 67 percent of vulnerabilities can be found at the web application layer. The Barracuda Web Application Firewall is a complete and powerful security solution for web applications and websites. The tool quickly protects web servers from data breaches, and websites from defacement, without administrators waiting for clean code or even knowing how an application works.

Additionally, it can increase the performance and scalability of these applications. Content caching, data compression and SSL acceleration optimize application performance while reducing impact on servers. Integrated load balancing further optimizes performance and provides high availability.

Unlike traditional network firewalls or intrusion detection systems that simply pass HTTP or HTTPS traffic for web applications, the Barracuda Web Application Firewall proxies traffic and inspects it for access by hackers. For added security, the solution provides full PKI integration for use with client certificates to verify identities of clients accessing the web applications.

The Barracuda Web Application Firewall performs deep inspection of all web traffic, enabling it to provide a wide range of intrusion prevention capabilities at both the network and application layers. It provides protection from common attacks on web applications, including SQL injections, cross-site scripting attacks, session tampering and buffer overflows. As a full proxy, the Barracuda Web Application Firewall blocks or cloaks attacks, while preventing sensitive outbound data leaks.

Overall, customers benefit significantly from ensuring data, applications and websites are secure – and that bandwidth and performance are optimized.

Best Web Content Management Product

WINNER
Websense for Websense Web Security Gateway Anywhere

Web access opens the door to malware, data theft, legal liabilities, productivity issues and bandwidth loss. In early 2012, 42 percent of Facebook activity was streaming media, many with video lures to malware. Also, there’s been an increase in spear phishing with embedded links to advanced threats. Too, Osterman Research says the costs associated with a malware infection are approximately $110 per user. Clearly, new technology is needed to reduce these costs. Websense Web Security Gateway Anywhere meets that need with zero-day malware prevention and DLP to address risks not covered by basic URL filtering, anti-virus and firewall solutions.

Websense Web Security Gateway Anywhere (WSGA) offers complete protection against malware and data theft. It uses TruHybrid technology to combine on-site appliances with cloud security for web security and content management – with a unified console and policy for employees in all locations. WSGA offers TruWeb DLP for data theft and loss protection, and Advanced Classification Engine (ACE) to provide real-time security and data analysis. Websense ThreatSeeker Network inspects three billion to five billion requests from 900 million endpoints daily.

The tool offers a single management console and policy that manages defenses for office, remote and mobile users. It’s part of the TRITON solution that unifies web, email, data and mobile security across on-premise and cloud platforms for a lower cost.

ACE protects against malicious scripts and zero-day threats that circumvent anti-virus products. It analyzes web traffic in real-time, categorizing dynamic web content/threats and offering detection of advanced payloads, exploited documents, mobile malware protection and much more.

Finalists 2013
• Barracuda Networks for Barracuda Web Application Firewall
• Barracuda Networks for Barracuda Web Security
• Dell SonicWALL for Dell SonicWALL SRA Web Application Firewall Service
• EdgeWave for iPrism Web Security
• Websense for Websense Web Security Gateway Anywhere
• Fortinet for FortiWeb-400C
• IBM for IBM Security Network IPS/Network Protection
• Imperva for SecureSphere Web Application Firewall

Excellence Awards

Best Customer Service

WINNER
Barracuda Networks for Barracuda Customer Service and Support

Barracuda Networks offers multiple hard copy and online tools to make setup and installation quick and easy for customers. This includes quick-start guides and installation manuals, as well as more detailed administration guides. This documentation outlines step-by-step processes to get up and running quickly and efficiently, as well as tips and best practices to make our products most effective.

Barracuda Networks provides documentation that is easy to understand and is effective. In fact, SC Magazine conducted a review of its flagship email security offering in September 2012 and said, “We found deployment of this product to be quick and easy.”

Barracuda Networks strives to provide awesome customer service with live people always on the receiving end to help troubleshoot – there are no phone trees and no automated service.

Also, Barracuda Networks customers are provided with telephone support. Since inception, Barracuda Networks has prided itself on the “IT Guy Next Door” mentality – making sure that there is always a live person available to help with any customer issues 24 hours a day, seven days a week. This is included as part of the purchase price at no additional charge.

Too, Barracuda Networks customers are provided with web-based downloads at no additional charge. This includes a variety of overview information (whitepapers, best practice tips, user guides), as well as set-up quickstarts, admin guides and more.

Barracuda Networks customers are provided with online forums and FAQ sections online at no additional charge. Additionally, it provides Live Chat directly on the website, LinkedIn User Groups with best practice sessions, and more.

Best Emerging Technology

WINNER
CipherCloud for CipherCloud Gateway

CipherCloud is helping businesses and governments that could otherwise not adopt the cloud because of data privacy, residency, compliance and security concerns. Using real-time format and operations preserving encryption, CipherCloud ensures that customers are the only ones that can access data in the cloud while preserving the native user experience of cloud applications across browser, desktop, and mobile interfaces.

CipherCloud addresses the top six cloud computing threats as identified by the Cloud Security Alliance: insecure interfaces and APIs, malicious insiders, shared technology issues, data loss or leakage, account or service hijacking and unknown risk profile.

For those using the cloud, significant data privacy, residency, compliance and security challenges exist. Encryption is the most widely and universally recognized means to ensure that sensitive data remains private and always in control of the enterprise. Gartner estimates that by 2016, 25 percent of all enterprises will use a cloud encryption gateway.

CipherCloud launched its first product in February 2011. As of September 2012, CipherCloud has more than 40 large enterprise customers in production with more than one million users. This includes two of the top five U.S. banks and two of the top five Canadian banks.

CipherCloud encryption gateways are delivered as virtual appliances and can run across virtualization systems from VMware, Microsoft, and Citrix as well as IaaS platforms from Amazon, Microsoft, and Google. CipherCloud encryption gateways can quickly be enabled and disabled and scaled with simple load balancing. A production deployment supporting more than 100,000 users is deployed with two gateways always running and two more on standby to support additional load.

Finalists 2013
• Black Lotus for Human Behavior Analysis
• CipherCloud for CipherCloud Gateway
• Barracuda Networks for Barracuda Customer Service and Support
• CloudPassage for CloudPassage Halo
• eSoft for eSoft Customer Support
• Microsoft for Enhanced Mitigation Experience Toolkit (EMET) 3.0
• Kaspersky Lab Americas for Kaspersky Business Products
• Pindrop Security for Fraud Detection System
• Qualys for QualysGuard Technical Support
• Webroot Software for Webroot SecureAnywhere Business Endpoint Protection
• Vanguard Integrity Professionals for Vanguard Customer Service
Excellence Awards

Best Enterprise Security Solution

WINNER
Tenable Network Security for SecurityCenter

With more than 15,000 customers, more than 1,000 of the world’s largest organizations and a community of more than one million users, Tenable is a leader in the vulnerability and compliance management market.

Its company founders are widely recognized technology leaders – CEO Ron Gula (IDS/IPS innovator), Chief Research Officer Renaud Deraison (creator of Nessus), and Chief Security Officer Marcus Ranum (developed the first commercial proxy firewall) – who spend time daily responding to questions. Tenable also provides detailed white papers, webinars, videos, and blog posts designed to help customers with detailed instructions for achieving compliance initiatives.

Tenable’s SecurityCenter has a low total cost of ownership and a rapid return on investment. The solution is quick and easy to deploy, manage and scale, and comes stocked with hundreds of prebuilt dashboards and reports that automate audits, vulnerability, attack path, threat analysis and information sharing across the organization – saving enterprises hundreds of thousands of dollars annually.

Tenable maintains one of the industry’s largest research teams, staffed by award-winning security experts delivering updated security content daily. During 2012, Tenable introduced new features including advanced malware detection, patch and configuration management integration, and mobile device detection, helping customers stay ahead of threats.

Tenable’s unique combination of vulnerability scanning, network monitoring, log and event analysis, and analytics helps customers eliminate vulnerabilities, identify attack paths and respond to attacks even from new technologies: mobile, cloud and virtual infrastructure, the fastest growing sources of theft, disruption, and compliance violations.

Best Regulatory Compliance Solution

WINNER
Websense for Websense Data Security Suite

Due to the increased fines levied by agencies for non-compliance and new regulatory requirements, organizations have reprioritized their approach to audits. Organizations recognize the need for a solution that can monitor and ensure sensitive data is not transmitted to unauthorized users, while being able to walk through the incident details and generate reports for audits.

The latest report by The Corporate Board Member/FTI Consulting, “Legal Risks on the Radar,” ranked data security as the top concern of corporate America. With increasing external threats from hackers using advanced malware, organizations realize they need to account for both accidental data loss from employees and deliberate attacks from external entities. In 2011, the number of customers with Websense DLP exceeded 2,000. Websense DLP is now deployed in more than 50 countries with approximately two million users.

All customers receive specialized support from technical engineers in support centers worldwide, which regularly average 8.91 (out of 10) in satisfaction surveys. An online knowledge base, a forum of more than 19,000 individuals, technical alerts, monthly training webinars and personal myWebsense.com accounts are also available.

Websense Data Security Suite offers more than 1,600 policies and templates out of the box, many of which are regulatory requirements. These extensive built-in regulatory policies enable customers to quickly deploy the necessary controls for regulatory compliance.

With the constant release of new and updated regulations, Websense provides new regulatory policies monthly. Websense also offers a custom policy service for free, if customers are challenged with crafting a regulatory policy for their specific needs.

Best Security Company

WINNER
Mandiant

Founded in 2004, and named “Best Security Company” by SC Magazine in 2012, Mandiant solutions, services and expertise set the standard in advanced threat detection and incident response. Mandiant counts more than 30 percent of the Fortune 100 as clients, many referred by law enforcement agencies.

Its products and services help guide customers through the process of detecting, responding to and containing an attack. Its responders and forensic investigators are directed by the latest technical and investigative intelligence from the front lines.

Mandiant Intelligent Response (MIR) is today a leading incident response technology for combating advanced threats. The company’s MCIRT Managed Defense product combines the technology of MIR with its Computer Incident Response Team (MCIRT), whose combined experience in advanced threat detection and response, along with Mandiant’s proprietary network intelligence, provides customers with effective incident insight – from host to network – along with actionable intelligence.

The company’s R&D efforts are evidenced by eight free forensic software offerings to improve incident response and forensics technology.

In July, Mandiant announced its new research division, Mandiant Labs, to bring together reverse engineers, malware analysts and researchers onto a single team to drive innovation and automation across the company and support products and services via intelligence gathering and analysis and advanced analytics and service delivery automation.

The company offers clients a training program built on real-world consultant experiences. Through incident response, malware analysis and memory forensics tracks, students learn the skills necessary to solve crime in the field.

Best SME Security Solution

WINNER
Kaspersky Lab Americas for Kaspersky Endpoint Security for Windows Workstations

The core challenge in today’s environment isn’t that there are no tools available, it’s that each individual tool adds to the complexity users face when trying to implement security policies. Businesses need to reduce the number of tools used and number of consoles managed, so they can get back to focusing on their core business competencies. With Kaspersky Endpoint Security 8, customers can protect data, improve overall efficiency and secure mobile computing with encryption and device management.

By combining multiple technologies into a single, centrally-managed solution, Kaspersky Endpoint Security 8 for Windows Workstations offers an extensive set of tools to ensure security and control over an array of applications, devices and web content. Kaspersky features range from a ready-to-use template to granular policy controls, all of which help administrators customize Kaspersky’s solution to their own organizations’ unique needs, thus simplifying the user experience while providing extensive security and management.

In addition to anti-malware, Kaspersky Lab’s solution manages software vulnerabilities, provides data encryption in case laptops are lost or stolen and provides security for smartphones and tablets. Kaspersky Endpoint Security 8 provides all this functionality from a single pane of glass and is built from the same code-base to work together, providing a significantly easier user experience and true value to the customer.

Kaspersky Lab continues to make major investments in R&D to develop in-house new technologies to strengthen its portfolio. All its technologies are built from the same code base and work together seamlessly, not cobbled together on the backend. The result is solutions that are more efficient and easier to manage.

Finalists 2013
• CA Technologies for CA Content-Aware IAM Solution
• AirWatch for AirWatch Enterprise Mobile Management
• FireEye for FireEye Malware Protection System
• Kaspersky Lab Americas for Kaspersky Endpoint Security for Windows Workstations
• Qualys for QualysGuard Enterprise
• Sourcefire for Sourcefire Next-Generation IPS (NGIPS)
• Tenable Network Security for Tenable SecurityCenter
• Cyber-Ark
• Varonis Systems for Varonis Data Governance Suite
• Dell SonicWALL
• Agiliance for Agiliance RiskVision with Agiliance Compliance Manager Application
• Qualys for QualysGuard Policy Compliance
• Qualys for QualysGuard Express
• Sophos for Sophos UTM 9
• SpectorSoft for SPECTOR 360
• Mandiant
• Sophos
• Sourcefire
• Verizon
• RSA, the security division of EMC, for RSA Archer eGRC
• Symantec for Symantec Control Compliance Suite 11
• Websense for Websense Data Security Suite
Excellence Awards

Rookie Security Company of the Year

WINNER
Pindrop Security

Originally, the belief was that Pindrop Security technology would provide call analysis for recorded calls to identify potential fraud. However, improvements to accuracy and the ability to detect specific niche cases, such as “dead air” calls and call forwards, have significantly expanded applicability to cover all areas of phone security.

The process of authenticating customers through knowledge-based authentication questions is an unsatisfactory solution. It reduces satisfaction by treating customers like criminals, and by putting the burden on them to remember secret answers, passwords and more. It increases call length, therefore adding cost. And it’s ineffective since a fraudster can find most answers to these questions online.

Pindrop Security’s technology allows companies to reduce or eliminate this process. Authentication is transparent to the customer. Detection of fraudsters is reliable and can be done prior to the call center. With Pindrop Security solutions, the call center can return to focusing on satisfied customers. Its products combine techniques to provide a multi-layered defense against fraud, using blacklisting and anomaly detection to uncover fraudsters.

Pindrop Security provides services and solutions to the largest financial institutions in the world, including systems used inline in their call centers.

Pindrop Security was founded out of research initiated at Georgia Tech’s Information Security Center (GTISC) by Vijay Balasubramaniyan (below) and the director of GTISC, Mustaque Ahamad. Balasubramaniyan is now CEO of Pindrop Security and Ahamad is chief scientist. National Science Foundation grants have continued to fund ongoing research into Balasubramaniyan’s original research, and Pindrop Security continues to grow its research in order to continually improve accuracy and capabilities of the technology.

Professional Awards

Best Cyber Security Higher Education Program

WINNER
Champlain College for Computer Forensics and Digital Investigation Degree Programs

Through its on-campus, online and graduate degree programs, Champlain offers more than 35 computer forensics and digital investigation courses – more than any other college in the country. Students can jump into digital forensic courses immediately, taking advantage of leading-edge courses, like mobile device forensics, network forensics, file systems forensics, and many more.

Courses are developed and taught by industry experts who bring current industry best practices and techniques to the classroom. And, its Leahy Center for Digital Investigation enables students to get to work on active investigations, gaining valuable real-world experience, including developing and writing response plans.

Champlain graduates are extremely well prepared to create and manage ever-evolving risk management plans. More than 90 percent of graduates have job offers within 30 days of graduation, and many even well before graduation.

Champlain students are highly encouraged to participate in internships and the college offers assistance in those placements. The Leahy Center for Digital Investigation hires a large number of interns to work on projects supervised by professional investigators on active cases.

This year, Champlain conducted an “Imagine College” program for under-served students. They were able to explore college as an opportunity they may not have considered to be within their reach.

(below) Champlain College President David Finney and Sen. Patrick Leahy, D-Vt., at the opening of The Patrick Leahy Center for Digital Investigation, a new Center of Excellence at the college offering students an up-to-date facility in which to learn and practice digital forensic investigation techniques.

Best Professional Certification Program

WINNER
Information System Audit and Control Association (ISACA) for Certified in Risk and Information Systems Control (CRISC)

With more than 100,000 members in 180 countries, ISACA provides a vast pool of knowledge and research that is shared globally with members and nonmembers through conferences (both in-person and virtual settings), webinars, a bimonthly journal, training courses, social media groups, blogs and research publications. Additionally, ISACA offers a network of nearly 200 chapters worldwide, offering IT security professionals local training, professional networking, certification review courses and opportunities for the exchange of ideas and information. Members are also provided opportunities to take on leadership roles, participate in the development of research publications and speak at worldwide conferences. To ensure that certification candidates demonstrate up-to-date skills, job practices for ISACA certifications are closely monitored, analyzed and updated at least every five years. To determine how to best serve the IT security professional, ISACA conducts a “Member Needs” survey annually.

The CRISC certification was developed by a nonprofit, independent global leader in security, risk, governance and compliance. It provides a tool to help assess the proficiency of a professional’s IT-related risk management skills. CRISC is a highly desired certification because it is the only certification that positions IT professionals for future career growth by linking IT risk management to enterprise risk management.

Nearly 17,000 professionals across a range of job functions – including IT risk, security, audit and compliance – have earned CRISC since it was established two years ago. This number includes more than 1,200 CIOs, CISOs and chief compliance, risk and privacy officers.

Best Professional Training Program

WINNER
(ISC)2 for The (ISC)2 Education Program

(ISC)2 delivers efficiency in certification for individuals by tapping into innovative technologies and learning strategies. The (ISC)2 Education Program engages current and future students and young and experienced professionals to support workforce initiatives and inspire a continuous supply of knowledgeable professionals.

Technology is evolving rapidly. (ISC)2’s Education Program reflects this change through updated review seminars. The goal is to promote and increase a candidate’s ability to retain and transfer the knowledge gained in the certification training course by improving the study material, training experience and refining performance on the job. Recent changes include measuring knowledge gain through the use of pre- and post-test analytics; restructuring course content to be both practical in knowledge needed for exam study and applicable in order to increase retention, transfer and recollection on the job; and including value-added, real-world application activities to increase motivation for learning the skills and concepts necessary for success.

The (ISC)2 common body of knowledge (CBK) defines the expertise needed in a framework that provides standardized information security principles. This framework establishes a way to assess a candidate’s mastery of certain domains of knowledge and includes the most relevant, current topics of the profession today. The (ISC)2 Education Program aims to change the landscape by helping professionals foster this.

Virtual and in-person security leadership events offer exclusive access (free to 86,000 members) and continuing education opportunities to industry professionals looking for timely, relevant and “hot topic” content featuring expert speakers and unique networking opportunities.

Finalists 2013
• Appthority
• Champlain College for Computer Forensics and Digital Investigation Degree Programs
• Inspired eLearning for Security Awareness Training
• Iowa State University for Cyber Security Education Program
• The SANS Institute for SANS Training
• Pindrop Security
• Seculert
• Vaultive
• viaForensics
• Guidance Software for Guidance Software Training
• (ISC)2 for The (ISC)2 Education Program
• Secure Ninja for SecureNinja Cyber Security Training Program
• Kennesaw State University for Bachelor of Business Administration in Information Security and Assurance (BBA-ISA)
• University of Maryland University College for Cyber Security Degrees and Certificate Programs
• ISACA for Certified in Risk and Information Systems Control (CRISC)
• GIAC for GIAC Security Expert (GSE)
• GIAC for GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
• ISACA for Certified Information Security Manager (CISM)
• ISACA for Certified Information Systems Auditor (CISA)
70 2013 SC Awards U.S.
2013 SC Awards U.S. 71
2013 SC Awards U.S.
2013 SC Awards U.S.
Professional Awards
Professional Awards
Professional Awards
Best Security Team
CSO of the Year
EDITOR’S CHOICE
WINNER
ICS-CERT Security Team
for U.S. Department of
Homeland Security
The Industrial Control Systems
Cyber Emergency Response
Team (ICS-CERT) Security
Team responds to incidents,
vulnerabilities and threats that
can impact those industrial
control systems (ICS) which
operate critical infrastructure
across the United States. These
systems are vital for the processes used throughout many
critical sectors that the nation
depends on every day.
The ICS-CERT Security
Team’s mission is to reduce
cyber security risks by offering
four core products and services
to the nation’s critical infrastructure sectors: Providing
situational awareness to government and the private sector
through national alerts and
advisories that warn of cyber
threats and vulnerabilities;
conducting technical analysis of
malware, system vulnerabilities
and emerging exploits; performing cyber security incident
response for asset owners and
operators; and partnering with
the control system community
to coordinate risk management
efforts and serve as the focal
point for information exchange.
The ICS-CERT Security
Team has received national and
international recognition as an
essential element for coordinating cyber security risk reduction efforts among the nation’s
critical infrastructure asset
owners. Through its incident
response, situational awareness
and recommended practices
efforts, the team is recognized
as a national resource for cyber
security guidance.
It is also a key functional
element of the DHS National
Cyber Security and Communications Integration Center
(NCCIC) and is integral to
the department’s capability to
coordinate national-level cyber
events. ICS-CERT Security
Team presence in the NCCIC
Operations Center provides
synergistic information-sharing
value to the various public
and private sector partners
participants.
WINNER
John South, CSO, Heartland
Payment Systems
John South has established a
best-in-class IT security team
at Heartland Payments Systems
by hiring the most talented
practitioners to manage the
various elements defined in
the security program. Seeking
team members that have strong
communicative and technical
capabilities, he stresses the
importance of compatibility between the company’s risk/needs
and individuals’ strengths.
Once team members are
identified and on-boarded,
South ensures they have ample
opportunities to continually
expand their knowledge with
access to a variety of security
training resources. Further,
South challenges his team
members to grow their expertise by pursuing professional
development opportunities.
He encourages his staff to earn
both CISSP and CISA credentials, as well as at least one
additional expertise-specific
certification.
With this foundation, South
empowers his team to take
ownership of security initiatives
and lead the application of security principles and guidelines
to mitigate risks that face the
enterprise.
By aligning Heartland’s security program with the company’s
corporate objectives, South and
his team have won the support
of corporate leaders and colleagues. In doing so, South has
established the business of security at Heartland as a vehicle
to support the organization’s
various business units.
Coming to the table with
solutions that help leaders
securely accomplish their
objectives, and being able to
effectively communicate these
measures, South and his team
have solidified their roles as true
business partners for groups
across the organization. Looking out for the best interests of
business units and merchant
customers, South and his
staff have earned respect and
even converted once-skeptical
business leaders into internal
champions for the group.
Finalists 2013
Finalists 2013
• Go Daddy Security Team
• Bobby Dominguez, director,
IT security and GRC, PSCU
Financial Services
• Teleperformance Security Team
• ICS-CERT Security Team for U.S. Department of Homeland Security
• Nikk Gilbert, vice president
and chief information security
officer, CUNA Mutual Group
• John South, CSO, Heartland
Payment Systems
• Bruce Wignall, CISO,
Teleperformance
72 2013 SC Awards U.S.
WINNER
Electronic Frontier Foundation (EFF)

In an environment that primarily measures achievement in net sales or visibility, it’s particularly rewarding for us to call out the work of an organization that can prioritize ideals – particularly privacy protection in our new age of digital connectivity.

The nonprofit Electronic Frontier Foundation (EFF) takes on those who hold the reins – whether in government or industry – large, intimidating forces which can, and often do, abuse their privilege, such as in overzealous prosecutions, as was just evidenced in the case of Aaron Swartz. The EFF has put its weight behind Aaron’s Law, a proposed update to the Computer Fraud and Abuse Act that, among other principles, aims to make certain that questionable innovations are not treated as criminal offenses and that penalties are proportionate to allegations of wrongdoing.

Another initiative the technology watchdog group has recently undertaken is the Coders’ Rights Project. This effort aims to safeguard programmers and developers as they perform their work. As many of these security and encryption researchers come up against a slew of state, federal and international legal limitations, the EFF advocates that the momentum of these innovators should not be hindered. On their behalf, the group – which maintains an active presence at conferences, like Black Hat and DefCon – promotes education, stands ready to prepare legal defenses and carries on public programs to ease the path forward for technological innovation, including the work of hackers and others on the edges of digital exploration. In addition, the group has a presence on Capitol Hill, providing policy advice to legislators involved in deciding new computer crime legislation.

The group’s advocacy for privacy protections extends into many areas touching technological progress. Just last month, the EFF filed an amicus brief in a Maryland case to voice its concern about the collection of DNA from those arrested for a crime, insisting that warrants must be served by law enforcement before anyone is required to provide a genetic sample. The point, it argued, is that the accessibility of advanced technology should not undermine traditional privacy protections.

Further, last year, the group began a project to delve into the certificates in use to secure all of the sites encrypted with HTTPS on the web. The goal of the EFF SSL Observatory, aided by a substantial gift from entrepreneur Mark Cuban and game developer Markus Persson, is to uncover vulnerabilities; substantiate the practices of certificate authorities, the organizations delegated to sign cryptographic certificates trusted by browsers; and help those further developing the underlying encryption infrastructure of the web.

Too, the EFF recently became involved in a case in San Francisco that pitted a group of Reddit “gaymers” – members of the lesbian, gay, bisexual, and transgendered community active in video games – against a website operator who had registered the term as a trademark. The trademark registration should be canceled, the group stated in its petition to the U.S. Patent and Trademark Office, so that the term can be used worldwide. The EFF, in association with the law firm Perkins Coie, is backing up the gaymers, arguing that the term had been in use for several years prior to the adversary’s claim and therefore belongs in the public domain. “Trademarks have one primary purpose: To protect consumers from confusion about the source of goods or services,” said EFF Staff Attorney Julie Samuels at the time of the filing. “This registration isn’t being used to protect consumers – it’s being used to threaten free speech.”

Whether it is there with an argument for what it believes is a dangerously narrow view of fair use, or debating in court with police departments to challenge the use of invasive technology, such as GPS tracking devices on a suspect’s car, the EFF stands up to the overseers – alleged and in place – to insist that powerful interests must not shun the rule of law. In doing so, it smooths the path for technological innovation and those whose thinking outside the box transgresses ordinary boundaries that only serve the privileged and powerful.
Last Word
Before you take the plunge...

Prior to a job switch, ask questions to learn if the company you are considering is in good shape, says former Yahoo CISO Justin Somaini.
Whether we change jobs out of boredom and are looking for new challenges, or the decision to depart is made for us, too often we don’t take the time to evaluate what worked for us and what didn’t in our previous job, and what we’d like to gain from our new position. But, even if we can’t predict what will be a good fit, I have found some principles that are essential to look at when considering a new job.

Understanding a company’s standing is always important. Is the company losing revenue? Have executives and/or board members left? Is the company prime for a takeover? Are competitors dominating the industry? All of these questions help determine a company’s health: a factor that will be critical to know if you’re going to make the right move. While risks can pay off, you want to know what you are getting into. A company in turmoil will be more resistant to funding projects, hiring new staff, or making security a priority. Review the 10-K and 10-Qs, do some analysis and check out the headlines – you’d be surprised what a simple Google search can yield. It’s OK to enter a higher risk environment only if you are aware and prepared.

When possible, find out what the company spends on IT and security. The financial health of the IT and security group is important to know before taking over the role. The general rule is that five percent of IT spending goes to security. Of course, this will vary, but it can be used as a marker. If you are performing a security turnaround, there will be more capital expenditures in the first few years than normal. Does this seem possible given the company’s financial outlook? Is the financial budgeting cycle ad hoc or formal, based on the annual fiscal cycle? Is there an IT budget governance committee managing it? How much was spent on security projects last year? It may not always be easy to get these answers, but they’ll tell you a lot about what your job will look like once you take the reins.

One of the worst aspects of security groups, let alone IT, is staff management. It is common to have to restructure a team based on skills gaps. So always try to determine how large the team is in relation to the overall company and IT staffing. Typical security groups for companies of 10,000 to 15,000 full-time employees will have 25 to 30 staff. This does not include IT operational teams that I usually leave in a separate group. Is last year’s attrition rate at the typical 10 to 15 percent? Is the staff located in key areas for the company? Are there cascading goals from corporate objectives? Are reviews done quarterly and historically attached to goals? What are the results of the latest employee survey? Has there been a layoff or hiring freeze in the past 18 months? As with financial assets, not having the right human capital will only make your job tougher, so ask the questions.

As with any security group, it is really the relationships with other groups that make it a success or not. Understanding their structure and maturity goes a long way toward understanding what these relationships are. Get an overview of the organizational chart from the CEO to the third level down. Understanding attrition rate and longevity with the company will help you understand effectiveness and focus.

While these questions and thoughts will not bring everything to light, they will help. More importantly, the answers to these questions will help you to map your strengths and objectives a bit better to the situation that is before you. Before jumping into that next leadership role, it’s important to know if the company is healthy and supports the function. Words are great, but actions speak much louder, and having some indicators of where the company is can make the difference between success and failure.
Advertisement: Compliance Week Annual Conference 2013, Mayflower Hotel, Washington DC

IT security and compliance converge at the Compliance Week Annual Conference, delivering powerful ideas, practical ideas and real solutions. Here are a few of the sessions and regulatory chats we’re excited about:

Case Study: Putting Policies Into Practice at Dell
This session will review how $62 billion Dell, the world’s largest maker of computer equipment, takes the ideas expressed in its policies and puts them into practice. How do you “game out” the procedures, manpower, and equipment for a new policy? What’s the training required, and the cajoling necessary, to win over employees? How do you ensure a new policy doesn’t contradict procedures for an old one? All that, and much more.
Speaker(s): Kristi Kevern, director of operational compliance, Dell. Additional speakers to come.

Crafting Effective Privacy Policies
In the modern age of the extended enterprise, social media, and mobile devices, standard corporate privacy policies no longer fit the IT and business landscape that exists today. So what sort of objectives should a privacy policy have? How do you manage consent, data capture, and security? This discussion will explore privacy policies from the perspective of the end goals compliance officers want to achieve, and then work backward to policies you can implement that actually work.
Speakers: Allen Brandt, chief privacy officer, Graduate Management Admissions Council; Jim Byrne, chief privacy officer, Lockheed Martin; Gretchen Herault, VP, compliance and fraud prevention and deputy chief privacy officer, Monster.

Privacy Compliance, Step 1: Knowing Your Data
The first step in assessing privacy risks sounds simple: know the data your company has. So how do you do that? How do you map out where your data is, identify the types of data you have, and monitor where your data is going (or equally important, where it shouldn’t be going)? This session will unpack that first step in plain language so you, the compliance officer, can see which risks are coming.
Speaker: Alex Zadrozny, consultant, technology & information risk, Zmen Systems. Additional speakers to come.

Regulator Chat: National Labor Relations Board
The NLRB is the federal government’s lead agency on corporate social media policies. The NLRB will be on hand to discuss its current thinking about proper corporate oversight of employees’ social media activity and offer further details about the guidance (and enforcement actions) the agency has published so far.
Speaker: Jayme Sophir, deputy associate general counsel, division of advice, National Labor Relations Board.

Register today at conference.complianceweek.com and use discount code SCMag. SC Magazine readers save $450 off conference rates.
Advertisement: HID Global. Trust one. Identify all. The Power of One.

Only HID Global has the capability to take care of all your company’s identity assurance needs through a single trusted source. From IT to corporate security, from credentials to authentication to management services, HID Global is the only one ready to provide a best in class Identity Assurance solution that goes beyond a simple password. Each user receives a single identity credential that can be authenticated across multiple access points and devices. One identity. One security policy. One trusted source. Only from HID Global. The Power of One.

For more information, visit hidglobal.com/PowerOne-SCM