Pills from Canada Embedded in danger Feeding frenzy

MARCH 2011 • WWW.SCMAGAZINEUS.COM
REVIEWED IN GROUP TESTS
Trend Micro P46
SonicWALL P45
Global Velocity P37
Handles security risks,
while allowing for
granular web policy
Highly configurable
policy controls and a
string of features
Content control and
deep analysis at wire
speeds
FEATURES:
CSO OF
THE YEAR
Working with business partners throughout
the organization is key, says CUNA Mutual
Group CISO Scott Sysol P20
Pills from Canada
Canadian pharmacy doesn’t die – it just switches
to web-based promotions. PC1
Embedded in danger
Web-enabled devices are pervasive and becoming
problematic for IT departments P26
Feeding frenzy
With an improving economy, security companies
are being scooped up at a brisk pace P28
VOLUME 22 NO. 3 • March 2011 • WEBSITE WWW.SCMAGAZINEUS.COM • EMAIL [email protected]
REGULARS
4 Editorial Are things getting brighter…or not?
8 Threat report Airline Virgin Blue must pay $110,000 in spam violations
10 Threat stats The biggest increases in zombie activity occurred in Vietnam
12 Update It was early January when the first signs of a cyber intrusion became evident at Canada’s Treasury Board
13 Debate A governance body should be created to administer security certifications
14 Two minutes on… Requiring ISPs to retain user logs
15 Skills in demand Pros with access and ID management skills are needed
16 From the CSO’s desk Post-WikiLeaks, get back to basics, says Clarke Schaefer Consulting’s Maurice Hampton
18 Opinion Take mobile defense seriously, says Airwide Solutions’ Jonathan Cattell
66 Last word Before tech, process and policy, says Integralis’ Michael Gabriel

FEATURES
20 CSO of the year Working with business partners throughout the organization is key, says CUNA Mutual Group’s CISO Scott Sysol.
C1 No script needed Canadian pharmacy doesn’t die – it just switches to web-based promotions.
26 Embedded in danger Smart devices are pervasive and becoming problematic for IT departments.
28 Feeding frenzy With an improving economy, security companies are being scooped up at a brisk pace.

PRODUCT REVIEWS
31 Products section This month, we get a chance to take a peek into the future, as well as blocking web-borne mischief
32 Group Test 1: Security Innovators Throwdown Eight sales pitches went head to head in our competition to find the most innovative security products and services from young companies
39 Group Test 2: Web content management This technology includes managing all of those data flows that are related to surfing the web
47 Book of the night The SC Awards U.S. takes pride in celebrating innovation and technological advancement in the IT industry.

Photo captions: Maurice Hampton P16 • Scott Sysol, CISO, CUNA Mutual Group P20 • Kathleen Carroll P32 • Mykonos P33 • EdgeWave P42
Cover photo by Timothy Hughes
www.facebook.com/SCMag • www.twitter.com/scmagazine

SC Magazine™ (ISSN No. 1096-7974) is published 12 times a year on a monthly basis by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2011 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazineus.com.

SC CONGRESS CANADA
CYBERESPIONAGE THREATS ARE REAL...
And Canada isn’t immune. A recent cyberattack reached computer systems at the Canadian government’s Finance Department and Treasury Board in an attempt to capture passwords for government databases. With the intent to steal classified information, the hackers, alleged to be based in China, also enlisted spear phishing emails that tricked recipients into opening seemingly innocuous documents encoded with malware. What can we learn from this attack that will help us prepare for future onslaughts? How do we successfully defend against new and unknown threats? Attend SC Congress Canada and hear real-world practitioners discuss these and other timely topics.
Whether you work for the government, a financial institution, a corporation, the healthcare industry, or anywhere else where yours and your customers’ data is critical to your business, SC Congress Canada is the place to find answers, talk with experts, and discover ideas that will address your security challenges.
June 14-15, Metro Toronto Convention Centre, Toronto
Editorial
Are things getting brighter…or not?

It is a sad truth, but I’ve never really had the pleasure of feeling consistently optimistic. I’ve had lovely spells, yes. But, I seem a bit predisposed to pessimism. It’s a bummer, I know. Yet, optimism’s my thing right now. And, recently, it seems it also is the predominant feeling permeating our industry as a whole. Hold on, fellow pessimists. I’ll explain.

I’ve been talking to dozens of lead security executives who have repeated the phrase, “The more things change, the more they stay the same.” So, data theft might be at an all-time high, but how data is getting pinched is pretty consistent. That is, cybercriminals are still enlisting the likes of application vulnerabilities and social engineering to get what they want.

Yet, with this sameness comes some newness. As organizations increasingly make use of cloud-based services, social media sites or mobile devices, newer points of vulnerability have sprung up. What these and likely future innovations show is that security, just as Dan Geer predicted some years ago, is all about the data. Many of you, like Geer, have known this. Still, innovations like cloud computing only have driven this point home even further. This fact was discussed at length during a session at February’s RSA Conference in California.

As Executive Editor Dan Kaplan reported, IT security leaders, like Eric Litt from General Motors, discussed how such gaping holes will see security providers adapt their solutions. For example, better data classification, deep-packet inspection, cloud-related risk management, identity authentication and other tools will evolve to address these needs. And, more importantly, executives likely will show some willingness to accept the additional expenses required to deploy these evolved security solutions as they experience cost savings and increased productivity by relying on the cloud or mobile devices.

That’s an optimistic statement. But, there’s reason for it: Even more heartening than our information security leaders and solution providers staying on the cutting-edge, both in creating strong security solutions and deploying them, was the fact that many more of these pros were at RSA this year. But, this year in particular, there was a palpable vibrancy, which seems an indicator of things looking up. This bustling enthusiasm in the industry – seemingly long laid dormant by massive budget cuts, layoffs and overall market uncertainty – is a welcome reprieve for many affected vertical markets. It is a reason for optimism…as long as it lasts, that is.

“Bustling enthusiasm in the industry...is a welcome reprieve.”

Illena Armstrong is editor-in-chief of SC Magazine.

4 • March 2011 • www.scmagazineus.com

Shouldn’t you be demanding more from your SSL solution than just encryption?
The world’s leading SSL now gives you even more protection.
VeriSign® SSL, now from Symantec, includes more than just industry-leading authentication and encryption. You can add a daily website malware scan for increased protection. You can make your customers feel more protected and generate more site traffic by displaying the VeriSign seal in search results. All at no extra cost. Chosen by over 93 percent of the Fortune 500®, VeriSign SSL is setting a whole new standard for online security and trust. See for yourself with a 30-day free trial at verisign.com/ssl/free-30day-trial
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust, and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners.
WHAT IS SCWC 24/7
SC Magazine has created a free virtual environment that is open year-round. Each month we host an event focused on a subject that you as an IT security professional face on a regular basis.

THIS MONTH
March 22: PCI compliance that makes systems secure
Meeting the many demands noted in the PCI Data Security Standard is no small feat. While there are many who claim to be in line, some find themselves still getting victimized by cybercriminals. Experts provide some pointers on reaching a PCI-compliant state that also goes the distance in safeguarding the enterprise.

ON DEMAND
Insiders with access
IT administrators and information security pros can use their power for evil by accessing confidential information that is not pertinent to their duties. Given that they oversee corporate systems, their abilities to access human resources data, for example, or the personally identifiable information of customers can be virtually unlimited.

Web application security
We talk to experts about the trials and tribulations of safeguarding web applications, finding out practical steps for protecting this too-often-used entrée into business networks.

FOR MORE INFO
For information on SCWC 24/7 events, please contact Natasha Mulla at [email protected].
For sponsorship opportunities, please contact Mike Alessie at [email protected].
Or visit www.scmagazineus.com/scwc247

SC MAGAZINE EDITORIAL ADVISORY BOARD 2011
Rich Baich, principal, security & privacy, Deloitte and Touche
Greg Bell, global information protection and security lead partner, KPMG
Christopher Burgess, senior security adviser, corporate security programs office, Cisco Systems
Jaime Chanaga, managing director, CSO Board Consulting
Rufus Connell, research director information technology, Frost & Sullivan
Dave Cullinane, chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, chief information security officer, Brandeis University
Gerhard Eschelbeck, chief technology officer and senior vice president, engineering, Webroot Software
Gene Fredriksen, senior director, corporate information security officer, Tyco International
Maurice Hampton, information security & privacy services leader, Clark Schaefer Consulting
Paul Kurtz, partner and chief operating officer, Good Harbor Consulting
Kris Lovejoy, vice president of IT risk, office of the CIO, IBM
Tim Mather, board member, Cloud Security Alliance
Stephen Northcutt, president, SANS Technology Institute
Randy Sanovic, former general director, information security, General Motors
* Howard Schmidt, cybersecurity coordinator, U.S. White House; president and chief executive officer, Information Security Forum
Justin Somaini, chief information security officer, Symantec; former director of information security, VeriSign
Craig Spiezle, chairman, Online Trust Alliance; former director, online safety technologies, Microsoft
W. Hord Tipton, executive director, (ISC)2; former CIO, U.S. Department of the Interior
Amit Yoran, chief executive officer, NetWitness; former director, Department of Homeland Security’s National Cyber Security Division
* emeritus
WHO’S WHO AT SC MAGAZINE
EDITORIAL
EDITOR-IN-CHIEF Illena Armstrong
[email protected]
EXECUTIVE EDITOR Dan Kaplan
[email protected]
MANAGING EDITOR Greg Masters
[email protected]
REPORTER Angela Moscaritolo
[email protected]
TECHNOLOGY EDITOR Peter Stephenson
[email protected]
SC LAB MANAGER Mike Stephenson
[email protected]
DIRECTOR OF SC LAB OPERATIONS John Aitken
[email protected]
SC LAB EDITORIAL ASSISTANT Judy Traub
[email protected]
PROGRAM DIRECTOR, SC WORLD CONGRESS
Eric Green [email protected]
CONTRIBUTORS
Deb Radcliff, Beth Schultz, Stephen Lawton
DESIGN AND PRODUCTION
ART DIRECTOR Brian Jackson
[email protected]
VP OF PRODUCTION & MANUFACTURING
Louise Morrin
[email protected]
SENIOR PRINT AND DIGITAL CONTROLLER
Krassi Varbanov
[email protected]
SC EVENTS
SENIOR EVENTS MANAGER Natasha Mulla
[email protected]
EVENTS COORDINATOR Anthony Curry
[email protected]
U.S. SALES
ADVERTISING DIRECTOR David Steifman
(646) 638-6008 [email protected]
EASTERN REGION SALES MANAGER Mike Shemesh
(646) 638-6016 [email protected]
WEST COAST BUSINESS MANAGER
Matthew Allington (415) 346-6460
[email protected]
NATIONAL ACCOUNT MANAGER - EVENT SALES
Mike Alessie (646) 638-6002
[email protected]
SALES/EDITORIAL ASSISTANT Brittaney Kiefer
(646) 638-6104 [email protected]
UK ADVERTISEMENT DIRECTOR
Mark Gordon 44 208 267 4672
[email protected]
LICENSE & REPRINTS SALES EXECUTIVE
Kathleen Merot (646) 638-6101
[email protected]
EMAIL LIST RENTAL
EMAIL SENIOR ACCOUNT MANAGER
Frank Cipolla, Edith Roman Associates
(845) 731-3832 [email protected]
CIRCULATION
GROUP CIRCULATION MANAGER
Sherry Oommen (646) 638-6003
[email protected]
SUBSCRIPTION INQUIRIES
CUSTOMER SERVICE: (800) 558-1703
EMAIL: [email protected]
WEB: www.scmagazineus.com/subscribe
MANAGEMENT
CHAIRMAN William Pecover
PRESIDENT Lisa Kirk
DEPUTY MANAGING DIRECTOR Tony Keefe
Chris has an ISACA certification.
www.isaca.org/certification-scmagazine
Recognition • Success • Growth
June Exam Date: 11 June 2011
Registration Deadline: 6 April 2011
DataBank
ThreatReport
Cybercriminal activity across the globe, plus a roundup of security-related news
Colored spots on the map indicate levels of spam delivered via compromised computers (spam zombies). Activity is based on the frequency with which spam messages corresponding with IP addresses are received by Symantec’s network of two million probes with a statistical reach of more than 300 million mailboxes worldwide.
Map legend: HIGH-LEVEL ACTIVITIES • MEDIUM-LEVEL ACTIVITIES • LOW-LEVEL ACTIVITIES

PETERBOROUGH, ONTARIO – A hacker recently accessed the server of internet service provider Nexicom and took control of 350 customer websites, temporarily replacing the home pages with an image of a faceless gunman. The Peterborough County/City Emergency Medical Services website was among those affected.

BOSTON – A 54-year old man pleaded guilty to hacking into the email of a probate judge and sending him harassing messages and phone calls for three years. Jay Korff was sentenced to 2.5 years in prison and ordered to have no contact with the victim and his family.

ESTONIA – The Baltic state may lend its cybersecurity expertise to help opposition leaders in Belarus protect their websites. Current Belarus President Aleksander Lukashenko ordered a crackdown on the opposition and independent media after some protested his re-election in December.

RIVERTON, UTAH – The National Security Agency and the U.S. Army Corps of Engineers broke ground on a $1.2 billion data center being built within the Camp Williams military compound. The facility will assist various agencies, including the U.S. Department of Homeland Security, in protecting national networks.

MIAMI – The websites of at least two south Florida municipalities were broken into by hackers. Both North Miami and Hillsboro Beach were affected – though it is unclear whether the incidents were related. In Hillsboro, intruders left an image reading “MCSM IRAN HACKING.”

U.K. – Ashley Mitchell, 29, pleaded guilty to using admin rights to hack into the Zynga Texas Hold’em application on Facebook to steal 400 billion online poker chips, worth about $12 million in real-world dollars. Mitchell netted about $86,000 through black market sales.

IRAN – The government formed a digital police squad to help deter a large increase in foreign-led and politically motivated cyberattacks. The government first became aware of its deficiencies in this area during the Iranian election protests in June 2009.

ANNAPOLIS, MARYLAND – A bill that would give identity theft victims in the state the chance to seek financial restitution was introduced by Democratic Sen. Delores Kelley. The bill would allow individuals to be compensated for money lost due to identity theft and for legal fees and lost wages.

INDIA – Hackers embedded a malicious script on the Domino’s Pizza India website to steal personal information from customers. The company said it was taking action to ensure a similar incident doesn’t happen again.

AUSTRALIA – Virgin Blue must pay $110,000 in spam violations. The Australian Communications and Media Authority concluded that the nation’s second-largest airline continued to pummel computer users with email marketing messages, even after they had unsubscribed.

Netherlands top producer of zombie IP addresses
During the past month, the EMEA region (Europe, the Middle East, Africa) was the leading source of all zombie IP addresses. Of the countries making up the EMEA, the Netherlands was the top producing country. For the other regions, the top producers were Brazil in South America, the United States in North America and India in the Asia-Pacific region. Source: Symantec
DataBank
ThreatStats

Zombie IPs Global distribution
The biggest increases in month-over-month zombie activity occurred in Vietnam and “other” Asian nations, while the largest decreases occurred in India, Russia, Ukraine and “other” nations in Europe.
[Chart labels, percent: Other Asia 23 • Other Europe 15.6 • India 14.8 • Brazil 11.3 • Russia 9.1 • Other S. America 6.6 • Vietnam 6.2 • Ukraine 4.1 • Indonesia 3 • Italy 2.6]

Top 5 attacks used by U.S. hackers
1. Torpig
2. Koobface
3. TDL3
4. Alureon
5. Zeus

Top 5 attacks used by foreign hackers
1. Torpig
2. Koobface
3. TDL3
4. Stapome
5. Hydraq

There were 667 attacks via broadband in the United States last month, primarily originating from Farley, Iowa; New York; Scranton, Pa.; Hazelton, Ind.; and Woodstock, Ill. There were 6,043 foreign attacks last month, primarily originating from Taipei, Taiwan; Beijing, Nanjing and Shanghai, China; and Odessa, Ukraine.
Source: Dell SecureWorks

Top 10 malicious programs New email worm
Position | Name | Change | Number of infected computers
1 | AdWare.Win32.HotBar.dh | 0 | 169,173
2 | Trojan-Downloader.Java.OpenConnection.cf | 0 | 165,576
3 | Trojan.JS.Agent.bhr | New | 140,474
4 | AdWare.Win32.FunWeb.gq | New | 114,022
5 | Trojan.HTML.Iframe.dl | –2 | 112,239
6 | Trojan.JS.Redirector.os | New | 83,291
7 | Trojan-Clicker.JS.Agent.op | 7 | 82,793
8 | Trojan.JS.Popupper.aw | –4 | 80,981
9 | Trojan-Downloader.Java.OpenConnection.cg | New | 66,005
10 | Exploit.HTML.CVE-2010-1885.aa | 2 | 53,698
In addition to the above, January saw the emergence of Email-Worm.Win32.Hlux, which spreads via emails containing malicious links that prompt users to install a fake Flash Player. The link leads to a dialog window that asks if the user agrees to download a file.
Source: Kaspersky Lab

Spam rate Compared to global email
[Chart: Detected activity vs. Detected activity global, 12/21/10 through 1/20/11]
Spam rate indicates the accumulated emails tagged as spam.
Source: Fortinet Threatscape Report

Received spam Top five spam regions
[Chart labels, percent: USA 12.55 • Japan 9.65 • Taiwan 6.29 • France 5.32 • Italy 2.96]
Source: Commtouch Software Online Labs

Top breaches of the month Data loss
Name | Type of breach | Number of records
Seacoast Radiology (Rochester, N.H.) | Seacoast discovered that a server had been breached, affecting patients and people serving as insurance guarantors. | 231,400
Benefits Resources (Cincinnati) | A portable electronic device was lost or stolen containing the PHI of patients. | 16,200
Grays Harbor Pediatrics (Aberdeen, Wash.) | A backup tape used for storing copies of paper records was stolen from an employee’s car. | 12,000
Total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005: 512,494,364
Source: Privacy Rights Clearinghouse (data from a service provided by DataLossDB.org, hosted by the Open Security Foundation)

Phishing Little change
[Chart: number of phishing attacks per month, August through January]
The global volume of phishing attacks varied little, decreasing by a mere three percent as compared with December. January marks the seventh month through which no proxy-based phishing attacks were launched. It appears fraudsters do not invest into fast-flux infrastructures for phishing purposes, but rather use hijacked websites to host attacks. Source: RSA Anti-Fraud Command Center

Malware Vertical encounter rate
[Chart labels, percent: Food beverage 242 • IT telecom 125 • Retail wholesale 108 • Banking finance 104 • Education 92 • Healthcare 83 • Government 63]
The chart above reflects the encounter rate of web malware across a selection of industry verticals. Rates above 100 percent reflect a higher-than-median rate of encounter and rates below 100 percent reflect a lower-than-median rate.
Source: Cisco ScanSafe

Top 10 spyware threats BT still rules
Threat name | Percentage (as of Feb. 9)
1 | Trojan.Win32.Generic!BT: A generic risk that covers a variety of unwanted and malicious apps. | 21.38%
2 | Trojan.Win32.Generic.pak!cobra: A generic detection for a wide variety of malware. | 3.71%
3 | Trojan-Spy.Win32.Zbot.gen: A generalized description of a password-stealing trojan. | 3.69%
4 | INF.Autorun (v): A generic family of threats that use Autorun.inf files. | 1.68%
5 | Trojan.Win32.Generic!SB.0: A generic detection for password-stealing trojans. | 1.59%
6 | Worm.Win32.Downad.Gen (v): A VIPRE detection for the Downadup worm. | 1.47%
7 | FraudTool.Win32.FakeAV.hdd (v): A detection for the fake system/memory defrag applications. | 1.06%
8 | Exploit.AdobeReader.gen (v): A detection for malicious PDF files. | 1.06%
9 | Exploit.PDF-JS.Gen (v): A detection for threats that exploit a security flaw in PDF files. | 0.8%
10 | Trojan.ASF.Wimad (v): A VIPRE detection for a group of trojanized Windows media files. | 0.73%
The majority of these threats reported last month propagate through stealth installations or social engineering.
Source: Sunbelt Software
Update
2 minutes on... Requiring internet service providers to retain user logs P14
Me and my job Providing projects with application security expertise P15
Skills in demand A need for access and ID management skills P15

NEWS BRIEFS

»The credentials of 30 million online daters were placed at risk following the exploit of an SQL injection vulnerability on PlentyOfFish.com. Creator of the Canada-based site, Markus Frind, said it was illegally accessed when email addresses, usernames and passwords were downloaded. He blamed the attack on Argentinean security researcher Chris Russo, who Frind claimed was working with Russians. But Russo said he learned of the vulnerability trawling an underground forum, then tested, confirmed and responsibly reported it to Frind. He never extracted any personal data, nor had any “unethical” intentions.

»It was early January when the first signs of a cyber intrusion became evident at Canada’s Treasury Board – the branch of government responsible for fiscal control and human resources. On Feb. 17, Treasury Board President Stockwell Day confirmed many people’s worst fears: His department, along with the Department of Finance, had been the target of a massive attack. No one is sure of the extent of the damage. What is clear is that the hackers were using Chinese IP addresses and entered the government networks by spear phishing downward through layers of the bureaucracy. As news of the attack spread, other government departments warned employees not to open email messages with webmail addresses, even if they recognized the sender’s name.

»The three-year struggle between BlackBerry manufacturer Research In Motion (RIM) and India over what can remain private continues to be played out in public. After months of debate over India’s demands for RIM to provide access to its proprietary enterprise services and encrypted emails, the Waterloo, Ontario-based company linked the dispute to India’s economic outlook. India stated that although RIM had recently provided encryption keys for its messaging and internet services to Indian security officials, the company had not provided enough technical detail to allow sufficient use of the access. In January, RIM temporarily suspended its discussions with the Indian government, contending that officials in the country were leaking sensitive information to the media to undermine the Canadian company’s position.

»A team of Italian researchers presented a crack for the chip-and-PIN card verification system that they say makes it possible to skim a PIN that can later be used with a stolen card. The team, from security research company Inverse Path, built a prototype skimmer that can be inserted invisibly into an electronic point-of-sale terminal and intercept the interface between the terminal and a card’s chip. The researchers, presenting at the CanSecWest conference in Vancouver, discovered a disconnect between the process that a terminal uses to verify a card and the process that the bank uses to verify the transaction with the terminal. The weakness lies in a file contained on the card, called the Cardholder Verification Method (CVM) list, which tells the terminal which methods should be used to verify the card.

Masks off
London police charged five individuals under the Computer Misuse Act for their role in launching distributed denial-of-service attacks against commercial websites. Authorities believe the suspects are connected to the Anonymous hacking group, a loosely affiliated band of web savvy, politically motivated individuals. The hacktivist gang is being investigated for its role in taking down a number of high-profile websites.
The hacktivist Anonymous gang went after sites unfriendly to WikiLeaks.
Photo by Bulent Kilic/AFP/Getty Images

THE QUOTE
“We have a strategy in place...”
– Prime Minister Stephen Harper, following a cyberattack on government ministries.

Debate» A governance body should be created to administer security certifications.

FOR
Richard Starnes, president, Information Systems Security Association, Bluegrass chapter
For information security to mature as a discipline, we should explore the possibility of a professional governing body similar to that of doctors, lawyers or accountants. Certification seeks to ensure a basic level of knowledge and experience within a general area or in certain areas of specialty. There is no doubt that, because of certification, we have raised the level of professionalism in this industry over the past 20 years. To be clear, I do not believe that we should have a professional governing body administering all certification tests, though that is one approach raised. We already have several certification bodies that are industry recognized, ANSI-accredited and mature. However, it could be argued, these certifications might benefit from the independent review a professional governing body could provide. Independent review would add legitimacy, consistency and help curb some of the “fly-by-night” certifications that we have seen arise in our industry over the past several years.

AGAINST
W. Hord Tipton, executive director, (ISC)2
Prior to attempting to fix something, one must first be able to identify what is broken. Relevant to the statement above, I would ask, what problem is establishing a board of examiners attempting to solve? Are existing certifications really the problem of today’s federal information security workforce? The vast majority of industry stakeholders conclude that certifications as they exist today are not the cause of our nation’s information security workforce challenges. Certification, standards and government bodies must instead work in collaboration to establish and reinforce a culture of security within federal agencies and to redirect the leadership toward security as a top priority with the goal of increasing funding for cybersecurity staffing, training and education initiatives. After all, the efforts of all stakeholders to influence change will have a far greater impact than focusing on one narrow technical specialty.

THE STATS
90% of spam is in English
88% of all spam is sent from botnets
Source: Royal Pingdom

THE SC MAGAZINE POLL
Has your organization largely conquered the issue of spam?
Yes 39% • No 22% • Sort of 39%
To take our latest weekly poll, click on www.scmagazineus.com

THREAT OF THE MONTH
Geinimi

What is it?
Geinimi is a trojan that runs on Android-based phones. The trojan comes delivered as a component of other software and has been found in pirated versions of legitimate applications. Once installed the trojan steals personal information and uploads it to remote servers.

How does it work?
Anyone who installs applications from the Android marketplace does not get the compromised version, and Geinimi is not widespread. However, this is a harbinger of things to come. If you don’t have an Android-based phone, your only risk is a friend’s infected phone coughing up information about you that your friend has. The real message is that smartphones and tablets are being used for commerce now, and this is attracting criminals.

How can I prevent it?
Your first line of defense is to use legal apps and be selective about what you install. There is considerable wisdom in not being one of the first to install a new app.
— Randy Abrams, director of technical education, Cyber Threat Analysis Center, ESET
Update
2 MINUTES ON...
Requiring ISPs to retain user logs
Two months after the
Federal Trade Commission outlined a framework to protect consumers
from being tracked online,
privacy advocates now appear
to be on the losing end of
another agency’s initiative.
The Department of Justice
(DoJ), with likely blessing
from the new Republican
majority, is pushing for a law
mandating the retention of
user data by internet service
providers (ISPs).
In late January, the House
Judiciary Subcommittee
on Crime, Terrorism and
Homeland Security held a
hearing on how impelling
data retention can help
authorities better investigate
child pornography and other
digital crimes.
“All of us rely on the government to protect our lives
and safety by thwarting
threats to national security
and the integrity of computer
networks, and punishing
and deterring dangerous
criminals,” testified Jason
Weinstein, the DoJ’s deputy
assistant attorney general.
“That protection often
requires the government to
obtain a range of information
about those who do us harm.”
In his remarks, Weinstein
acknowledged that retention
requirements may incite privacy concerns, but said critics
should realize that expanding
law enforcement’s reach into
records can enable swifter
prosecution of individuals
responsible for illegal actions,
such as installing bot malware.
8,352
Number of child
pornography cases
prosecuted by the
Department of
Justice between
2005-2009.
JOBS MARKET
Me and my job
Fares Alraie, software security specialist, Royal Bank of Canada

How do you describe your job to average people?
I say that I provide projects with application security expertise to ensure that application design and implementation are secure for people to use on a daily basis. I also direct and monitor developers through application security code review to ensure they apply all application security standards within their application development. Further, I provide application security testing services, define the proper test scopes and perform penetration testing on all sorts of applications.

Why did you get into IT security?
I have always been interested in application security. I had been working in the development world for 12 years and then moved on to the application security world. My previous experience in software application development made the transition to application security much easier.

What keeps you up at night?
Keeping up to date with new application security trends and having to translate that to scenarios that are easy for IT personnel to understand and implement.

What was one of your biggest challenges?
Development teams often ignore application security requirements in order to meet all their hard-pressed deadlines and requirements. I worked closely with the development team – starting from the beginning of the development lifecycle – to implement application security as a feature rather than a later add-on. I was able to get the development teams to implement all the application security standards and requirements with slight to no effect on their timelines.

Of what are you most proud?
Implementing the ASAP (Application Security Assurance Program) within our IT communities, and the fast adoption of it across all departments.
Skills in demand
Every consulting firm that we
are working with is requesting
pros with identity and access
management skills. Consultants who can lead requirements analysis, strategy,
design and implementation
are in great demand.
What it takes
A thorough knowledge of
business processes enabled
by identity and access management solutions are key.
Technical skills include experience with identity management suites of products (CA,
Sun, IBM, Oracle). Most roles
require substantial travel.
Compensation
The role pays $85k for staff
and $125k and above for
management.
Source: Joyce Brocaglia, CEO, Alta
Associates, www.altaassociates.com
Company news
»Anti-virus firm ESET has
named Andrew Lee as CEO
of its North American operations. Lee, the company’s former
chief research officer, succeeds
Anton Zajac, who will remain
with the company as president.
In addition, Richard Marko,
ESET’s former CTO, has been
appointed as global CEO. ESET
also has recently hired Paul
Laudanski, the former senior
manager of investigations at
Microsoft, as director of its
Cyberthreat Analysis Center.
www.eset.com
Previous
He also dismissed concerns
that retention requirements
would lead to additional
costs for ISPs. “[When] data
retention is purely a business
decision, it seems likely that
the public safety interest in
data retention is not being
given sufficient weight,”
Weinstein said.
Christopher Soghoian, a
security privacy researcher,
said he isn’t surprised by
the seemingly contradictory
efforts of two major federal
agencies. “The FTC can be
talking about wanting to protect privacy, and Justice can
do everything in its power to
eviscerate privacy, and that
can be totally rational because
they don’t have to consult
each other,” Soghoian said.
But he warned that forcing
ISPs to hold on to personal
information invites significant
risk, even though most of
them already voluntarily keep
records. “The more data you
keep, the more at risk you are
for data breaches,” he said.
Another less-verbalized
argument is that media companies pursuing copyright
infringers, as well as divorce
lawyers seeking information
on behalf of their clients,
may turn out to be the biggest winners if a law took
effect. “Civil litigants can get
access to all types of data,”
Soghoian said. – Dan Kaplan
ment of the company’s emerging technologies. Sinha most
recently served as fellow and
chief technologist of Motorola’s
enterprise networking and communication business and before
that was CTO of wireless security
vendor AirDefense.
www.zscaler.com
Andrew Lee, CEO, ESET
»Zscaler, provider of cloudbased web security, has named
Amit Sinha as chief technology
officer. He will be tasked with
leading the research and develop-
»St. Bernard Software,
provider of secure content management solutions, has changed
its name to EdgeWave to reflect
an expanded portfolio of web and
email security, data protection
14 • March 2011 • www.scmagazineus.com
and e-reputation offerings. The
rebranding follows the company’s
recent acquisition of the assets of
Red Condor, the hiring of five
executives and the opening of a
new worldwide headquarters in
San Diego.
www.edgewave.com
»IronKey, provider of portable
data protection, has appointed
Arthur Wong as CEO. David
Jevans, the founder and
current CEO, will take over as
chairman of the board of directors. Wong previously managed
»Kathleen Carroll, director
Symantec’s security and data
management group and served
as founder and CEO of Security Focus, later acquired by
Symantec.
www.ironkey.com
»Webroot, an internet security
firm, has appointed Michael
Malloy as executive vice
president of products, and Gerry
Coady to the role of chief
information officer. Malloy previously served as chief marketing
officer at Wily Technology,
now part of CA, and Coady most
Kathleen Carroll, director of global
relations, HID Global
recently was senior VP and CIO at
Republic Airways/Frontier
Airlines.
www.webroot.com
of global relations at identity
and access control provider HID
Global, has been elected chair
of trade group TechAmerica’s
identity management committee.
The committee works with federal
and state governments to develop
identity authentication and verification best practices.
www.itaa.org, www.hidglobal.com
»CipherOptics, provider of
refined its strategy to support
secure cloud connectivity. The
company, which has moved its
headquarters to Pittsburgh from
Raleigh, N.C., plans to soon provide a secure LAN extension from
the data center to both public and
private cloud infrastructures.
www.certesnetworks.com
Follow us on Facebook
and Twitter
security solutions for high-performance networks, has changed its
name to Certes Networks and
March 2011 • www.scmagazineus.com • 15
Next
From the CSO’s desk
Post-WikiLeaks: Back to basics
Maurice Hampton, information security and privacy services leader, Clark Schaefer Consulting
As information security professionals, most of us try to stay ahead of executive management when it comes to knowing about the threats that our organizations face. However, recently I have spoken with a number of CISOs who have been called to the floor by their senior leadership regarding how they are protecting their respective organizations from a WikiLeaks-type incident. Senior executives understand risk and also understand that if their organization is the next to be targeted by this type of threat, it could and probably would cause many sleepless nights for a lot of people. They also understand that if their corporate secrets were made public, it could directly affect shareholder value and, ultimately, their ability to make money or achieve organizational objectives.
The current trend seems to be that these “hacktivists” (I like to refer to them as “hackta-stortionist”) grab some type of internal data through social engineering or some more technical active penetration and hold it hostage, or threaten to release it if their demands are not met. Well, I believe that the answer lies in those old policies and standards that we all spent so much time developing and often wonder if anyone is following.
Remember that risk assessment process that identifies what data is present and the value it has to the organization? Well, dust it off and make sure it is up to date because this is where your approach to defending against this type of threat is going to start. Educating users on their responsibilities to protect the organizational secrets is also key to your defense strategy. Many organizations have budget challenges and as a result have limited awareness training taking place. Ensure that you are a strong advocate for keeping security awareness training in your budget. After you have a clear understanding of the data that you are protecting, users are aware of their responsibilities and your policies are up to date and relevant, you will need to ensure that there are technical mechanisms to enforce the controls called for in those policies.
As you can see, none of these strategies are new to information security practitioners. I believe that WikiLeaks will prove to be a catalyst to help organizations get back to basics as it relates to information security. The bottom line is that if you have a well-organized and efficiently operating information security program that includes all of the things mentioned here, you are probably already taking the necessary steps to protect against this new threat – and future threats as well. If you don’t have these things in place, then consider investing the time to build a comprehensive information security program for your organization as it just may be the tool that saves the day.
30 seconds on...
»Policies are not enough
We could spend hours debating the best approach to securing the workplace, but policies are not enough to thwart an insider threat such as a WikiLeaks informant, says Hampton.
»Enlist technical controls
The technical controls – such as trusted security zones, well-defined group policies, logging mechanisms – will prove to be the most effective way to protect the organization’s data.
»Is DLP a panacea?
There has also been a lot of discussion about whether data leakage prevention (DLP) solutions are a silver bullet for thwarting this particular threat, says Hampton.
»An audit trail
DLP technologies offer some excellent protection capabilities against known threats and can offer, at the very least, an audit trail in the event that data is somehow leaked.
Opinion
The cloud’s dirty secret
Jeff Neilsen, VP of engineering, BeyondTrust
Open vulnerabilities in cloud security are like the dirty, gossipy secret that everybody knows – but, we keep shoving discussions about it under the rug. According to a recent survey of nearly 13,000 executives, 62 percent don’t believe they can protect data in the cloud, yet half have moved forward with cloud initiatives anyway.
Numerous other surveys, as well as Forrester’s recent report, “Security and the Cloud,” show that security is the most prominent pain point with cloud computing, yet enterprise security teams often are not involved in the decision-making process or brought into the fold early in cloud initiatives. Instead, organizations often feel that because cloud computing is a new model, the strategy entails the reinvention of their security efforts. They believe that security processes must change so much for the cloud that we must wait for a new paradigm to be invented before deploying it.
As a result, many organizations have given up on securing the cloud and instead only deploy private clouds or hold off entirely because cloud security is too big a challenge for any one company to “invent” themselves. The truth is, all we need to do is apply the same established security best practices to new and more varied software layers.
Security policies, processes and best practices haven’t changed. For example, the best practice of “least privilege” to provide users with only the access they need is just as relevant in the cloud. Additionally, the corresponding policies, processes and roles can remain the same as well.
What organizations must focus on to apply existing and established best practices to a larger diversity of software layers in the cloud is automating the process. The challenge is that now best practices must be applied not only to servers or desktops, but to each virtual machine, to hypervisors and more. It is time we stop waiting and start rolling up our sleeves.
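The least-privilege automation Neilsen calls for above, as an added example that is not code from the page, from BeyondTrust or from any vendor named in this issue: a small Python audit that applies one role policy uniformly to servers, desktops, virtual machines and hypervisors, and reports every account that holds more on an asset than its role needs there. The inventory, the account and role names, the permission names and the policy are all constructed assumptions; the point is that the same check runs unchanged over every layer once the inventory includes that layer.

```python
"""Automated least-privilege audit across servers, desktops, VMs and hypervisors.

Added example (not the page's or BeyondTrust's code). Assumes a constructed
inventory: each asset has a kind, a name and the permissions each account
holds on it; a role policy says which permissions a role legitimately needs
per asset kind. Anything held beyond the policy is reported as excess.
"""
from dataclasses import dataclass

# Constructed policy: role -> asset kind -> permissions the role needs there.
# A kind missing from a role means the role needs nothing on that layer,
# so e.g. a developer holding anything on a hypervisor is always excess.
POLICY = {
    "developer": {"server": {"read", "deploy"}, "vm": {"read", "deploy"}},
    "dba": {"server": {"read", "write"}, "vm": {"read", "write"}},
    "infra-admin": {"server": {"admin"}, "vm": {"admin"}, "hypervisor": {"admin"}},
    "helpdesk": {"desktop": {"admin"}},
}


@dataclass
class Asset:
    kind: str          # "server", "desktop", "vm" or "hypervisor"
    name: str
    grants: dict       # account -> set of permissions held on this asset


@dataclass(frozen=True)
class Finding:
    asset: str         # "<kind>:<name>"
    account: str
    role: str
    excess: frozenset  # permissions held that the role does not need here


def audit(assets, roles, policy=POLICY):
    """Return one Finding per (asset, account) whose grants exceed its role.

    Accounts with no role mapping are treated as entitled to nothing, so an
    orphaned or unknown account with any access is reported too.
    """
    findings = []
    for asset in assets:
        for account, held in asset.grants.items():
            role = roles.get(account, "<unassigned>")
            allowed = policy.get(role, {}).get(asset.kind, set())
            excess = frozenset(held) - frozenset(allowed)
            if excess:
                findings.append(Finding(f"{asset.kind}:{asset.name}", account, role, excess))
    return findings


def summarize(findings):
    """Count findings per asset kind, which shows where the gap sits
    (in practice the virtual layers, not the classic servers and desktops)."""
    counts = {}
    for finding in findings:
        kind = finding.asset.split(":", 1)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample inventory: one asset of each kind, with a few grants
# that violate the policy on purpose (alice has admin on a VM, dave the
# helpdesk account has admin on a hypervisor, eve has no role at all).
ROLES = {"alice": "developer", "bob": "dba", "carol": "infra-admin", "dave": "helpdesk"}
ASSETS = [
    Asset("server", "web01", {"alice": {"read", "deploy"}, "carol": {"admin"}}),
    Asset("vm", "app-vm-07", {"alice": {"read", "deploy", "admin"}, "bob": {"read", "write"}}),
    Asset("hypervisor", "esx-03", {"carol": {"admin"}, "dave": {"admin"}}),
    Asset("desktop", "wks-112", {"dave": {"admin"}, "eve": {"admin"}}),
]

if __name__ == "__main__":
    results = audit(ASSETS, ROLES)
    for f in results:
        print(f"{f.asset}: {f.account} ({f.role}) holds excess {sorted(f.excess)}")
    print(summarize(results))
```

Run against the constructed inventory the audit reports three findings, one each on the VM, the hypervisor and the desktop, and none on the server; feeding it a real inventory is a matter of filling `ASSETS` and `ROLES` from whatever directory or virtualization management API the environment has, with the policy left as the single source of truth.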
Take mobile defense seriously
Jonathan Cattell, solutions manager, Airwide Solutions
There is no doubt that data security and privacy concerns have almost completely migrated to the mobile channel. Whether it is impacting enterprise smartphone users or consumer mobile subscribers, fears that network security is threatened grow each year.
So where does this place the wireless operators in the battle against mobile security threats? Certainly most mobile subscribers assume that network security is a given, and that with these security risks in play, mobile service providers would be fast-tracking network upgrades and technology enhancements that protect their network (and customers) from malicious attack. However, according to a recent survey of 31 global operators conducted by mobileSQUARED, most operators still lag behind in implementing the proper security solutions to police their networks against emerging threats. The study revealed that a significant factor in this lag is a lack of actual pressure from subscribers in key security areas, such as fraud detection and privacy. Whether it is a perception that security is a “given” or a lack of understanding about the full scope of mobile security threats today, operators are seeing much stronger feedback from subscribers in areas of data costs and network quality.
Therefore, it is important for mobile operators to understand the magnitude of the problem and be ready to act. They need to take control of their existing security solutions, evaluate what they can and cannot protect against, and find the best solution to address current threats. For example, operators should consider enhancing existing security solutions that log and report activity with the ability to also proactively block new attacks. Finally, mobile operators need to accurately prioritize where and how they are focusing technology investment for customer retention. Certainly data costs and network quality are enormous issues for mobile subscribers. However, when it comes to security decisions, operators should be both reactive and proactive to consumer demands.
From the online mail bag
In response to an article on the website, Best practices for security awareness training, reporting on a presentation at SCWC by Dennis Devlin, CISO of Brandeis University:
Good points. Security awareness must also become part of the employees’ workflows. I’ve seen too many situations where people are overwhelmed with security threats. They become paralyzed with fear at first, and then give up on security because the model they were shown doesn’t complement their daily job or personal life. They must be shown how to assess their own job’s information security context. If they are doing their jobs securely, and considering their information’s sensitivity and the vulnerabilities in their processes, they are less likely to be confused by the constant stream of threats people try to push on them. I have been successfully using a facilitated process for teaching people not only the fundamentals of security awareness, but how to integrate it efficiently into their jobs. There are many tools that must be incorporated into a process if you really want to reduce risk and show due diligence. But many organizations still do security awareness training only as a checkbox in a required compliance checklist.
Scott Wright, founder of the Streetwise Security Zone
In response to a February article on the website, Anonymous takes over security firm in vengeful hack:
A bunch of wannabe vigilantes with no imagination who think it is ok to break the law to make a point. Well…if you intend to break the law, you have to be willing to take the consequences. If they were to really have an imagination, they would be able to find a way to make a point inside the law.
LegalSecurity
Though I feel for [HBGary CEO Greg] Hoglund, he does run a security firm, so I don’t get the victim mentality. If he didn’t understand what threat vectors are out there and, more importantly, didn’t do pentesting on his own infrastructure, I have to question what his company knows about cybersecurity. Cyberterrorism is a fact of life. And whether they are foreign governments, organized crime or hacker collectives, the bad guys probably aren’t going to distribute their platform or agenda to their victims in advance.
Guest
CSO of the year
Working with business partners throughout the organization is key, says CUNA Mutual Group CISO Scott Sysol. Illena Armstrong reports.
Transformative things can occur in short periods. As an example, it takes just 30 to 40 days for the monarch butterfly to complete its lifecycle of becoming the brightly colored adult insect seen fluttering through summer months. For humans, changes are no less miraculous. In three years’ time, for instance, a toddler usually can stand on one foot, count to 10 or ride a tricycle.
When Rick Roy, CIO of Madison, Wis.-based CUNA Mutual Group, sat on a team of executives looking to hire their first CSO three years ago, one candidate stood out to him: Scott Sysol.
“He has a depth and breadth of both infrastructure and security knowledge, which is really rare,” he says. “A lot of times, security experts that don’t have a depth of infrastructure knowledge will contemplate [methods] to secure the enterprise in ways the infrastructure can’t support.”
For him, this combination was key to Sysol being hired for the position of CISO and head of infrastructure. Since his start, in that same short, three-year period after which a fledgling 3-year-old can have meaningful conversations with adults, Sysol has led various successful and far-reaching IT security initiatives. These include a push for data privacy across the company, implementation of enterprise-wide IT controls, adoption of tapeless backup and more.
Then there are the mainstays, the goals that any CISO always has in mind, such as enlisting the help of outside partners – from technology providers to analyst firms – to help point out innovative processes and technologies to use in the security process, says Sysol, who is this year’s SC Magazine CSO of the Year award winner.
“Similarly, it is important to take advantage of the corporate executive board’s ability to gauge our progress against our peers and keep enhancing processes accordingly,” he says. “From a CISO’s perspective, it is also important to play a role in developing and implementing standards for threats facing the industry as a whole. Right now, for example, we’re collectively focused on combating the rising threat of malware. Finally, the ultimate goal of a CISO is to put together a great team that can strike a balance – and make the case for it company-wide – between the sometimes-conflicting pressures of security, compliance and productivity. This is an ongoing effort, but CUNA Mutual Group is fortunate to have a great team in place.”
Sarah Buerger, director of information security, governance and risk management at CNA Insurance, where Sysol worked for seven years prior to joining CUNA, says that before Sysol arrived the organization had an outdated vision of security. As CISO he developed the information security roadmap and mission necessary, getting needed traction with executive leaders. Even now, after he has left, she says her department is still using that roadmap, with, of course, the appropriate modifications the passage of time demands.
She recalls Sysol as a very collaborative boss, sitting in his office with her and other staff for hours debating the best ways forward to execute the proper security roadmap – always making sure business goals helped to drive IT security planning.
“I could tell when he took the job that he had a better feeling for that balance – for technology and business use,” she says. “It was reflected in the strategy he developed. He got away from the security tool for the security tool’s sake.”
And he sought his team’s input constantly, as well as helped them learn and grow, she says, trusting them to do the job at hand, providing guidance whenever it was needed and never playing the “helicopter manager.” Their commitment to the vision he crafted, she explains, was sealed because their roles in developing it were integral – he brought everyone along so that they, too, were invested in its success.
“You don’t come down from the mountain bringing your strategy, hoping that everybody comes along,” Buerger adds.
With approximately 400 applications and systems and tens of millions of consumers that use its products every day, CUNA Mutual Group has plenty to protect and a constant demand to evolve its security strategy to reflect the everyday changes made to such a large infrastructure. Though the company employs about 4,000 people, placing it in the medium-sized category of organizations, it is a $2.6 billion business that sells everything from property insurance to disability insurance. Plus, it works closely with credit unions and individual customers, says CIO Roy.
In his first five months, Sysol together with Roy and other staff focused on developing a robust risk and controls framework tied to longer-term business investments and goals. They also made sure to involve internal and external auditors to constantly vet the framework they were building, says Roy. In this way, Sysol played a pivotal role in creating a climate of collaboration with auditors, which, at many organizations, is non-existent.
“It is not that we agree on everything every day,” says Roy, “but when we have those debates it is always against the backdrop of what we’ve agreed to.”
This has led to a much more organized approach to how the company prioritizes information security issues that all – from a network engineer on up to the CEO – are concerned about. Additionally, this has gone a long way to easing those annual IT risk reports he and Roy must give to the board. In the future, Roy says Sysol will continue focusing on security and privacy priorities, as well as infrastructure-related aims.
He’ll also be reviewing the ways the company can help its customers and credit unions in more consultative ways to remedy specific IT security problems.
His many past successes, along with his influencing skills, his ability to translate security priorities into business requirements, and his understanding of being transparent to and involving the rest of the business, undoubtedly will help address these future challenges, says CNA’s Buerger. “Scott’s got a presence about him where he can talk to [executive] leaders, and he’s confident and people listen to him.” It was because of these many solid traits and wide breadth of business and IT security knowledge why he “was one of the top three bosses” she has ever had.
As for his continued work at CUNA, says Roy, “I see great things for Scott in the future.”
CSOs: Relax!
We asked Scott Sysol about his life beyond work. What are his hobbies? Are there destinations that he and his family just can’t help but hit every year? Just what does he do to relax and clear his mind a bit of all things information security?
“My biggest enjoyment comes from the time I spend with my family – my wife and our two beautiful daughters, and their passion for gymnastics,” he says. “Both our daughters compete, and my wife and I are very involved with their team.”
The family also enjoys taking trips to Florida for sun and fun.
Beyond that, says Sysol, he takes pleasure in spending time in his home theater and enjoys swimming and hockey. As well, he’s “an avid fan” of football and baseball. So, who was his team in this year’s Super Bowl?
“I did root for the Packers since I work in Wisconsin and I’d be banned from my office if I didn’t, but I am a New York Jets fan,” he says. “For baseball, I am a Philadelphia Phillies fan. And, for hockey, Philadelphia Flyers, so I am happy to still have hockey going.”
– Illena Armstrong
Illena Armstrong: How long have you been in information security? Can you highlight the positions and organizations that helped you prepare for your stint for CUNA Mutual Group?
Scott Sysol: I have been in the information security field for more than 12 years. I have spent the last three years at CUNA Mutual Group as the CISO and the head of infrastructure. Prior to CUNA Mutual Group, I spent seven years at CNA Insurance in Chicago – five years leading the architecture function. In that timeframe, the company didn’t have a CSO, so I was responsible for providing overall security vision and strategy for the company and executing supporting programs. I then accepted the formal promotion as CSO two years before leaving CNA.
Prior to CNA, I spent time in a number of roles, including four years as a consultant with a focus on infrastructure and security, as well as other engineering leadership roles where security was a core responsibility.
IA: What have been your major achievements in the last year of which you’re most proud and likely helped you receive this recognition?
SS: Enterprise-wide IT controls: This initiative involved implementing an enterprise-wide controls framework that included assessing all financially significant applications for compliance, while building remediation plans for emerging gaps in controls compliance. The project has yielded numerous benefits. Perhaps most important for the user constituency, the controls framework has actually increased productivity among IT developers and systems engineers by helping them avoid potential rework in the future. In addition, the project helped internal audit teams by developing clear and concise reporting structures, which also increases productivity by giving those responsible more time to focus on auditing other areas of the organization. Finally, the initiative has influenced external audit partners to use more of CUNA Mutual’s internal reporting systems when they’re auditing the company, which is an annual process, and this in turn saves the company approximately $1 million annually.
Data privacy initiative: This effort is still in process, but there’s already been major progress in lowering risk exposure across a number of business areas and closing audit gaps. The program to date has implemented a number of key controls, such as data leakage prevention tools and processes that have already helped the company avoid potential data loss. The implementation of processes around loss prevention has also given security and privacy teams a key ability: They now engage more with employees at an individual level to discuss why they need to protect data, the potential fallout from a data breach, and ways to adjust processes and behaviors to work more securely.
Implementing a tapeless backup solution for the enterprise: This seemingly routine project paid off for the company in several ways. It not only lowered operating costs, but also removed the threat of a data center outage by replicating the data in real time at the disaster recovery location. In addition, the effort eliminated the perennial fear of actually losing a tape and having a major data breach.
IA: What were the major challenges associated with these? For example, given the economic climate, things generally have been tough for many CSOs with whom we speak. Did you find difficulties here or in any other areas when trying to achieve your aims this last year? How did you overcome them?
SS: Security professionals and CSOs have always been challenged with making strong business cases to get the funding needed to meet our goals. The economic climate hasn’t helped matters any, but at CUNA Mutual we have a strong commitment to our customers and members of credit unions. That commitment allowed me to continue the work we needed to do to protect the data for which we are entrusted. As with any funding request, you have to make your case. Security initiatives rarely have hard-dollar paybacks, but I am able to show the risk reductions we will accomplish across the enterprise, as well as our ability to continue to meet our compliance and regulatory requirements. Those things, coupled with my ability to find reasonable solutions to the problems we face – without taking an overly conservative attitude toward security – are what I believe help me overcome the funding and economic issues we all face.
IA: What processes and solutions/vendors helped you reach your project goals?
SS: We have strong relationships with numerous technology partners, including EMC, Cisco, Microsoft, Voltage and Symantec. I believe it is vital to regularly share ideas, vision and roadmaps bidirectionally in order to enhance each other’s strategic focus and help meet long-term goals. Rather than keeping technology providers at arm’s length, I believe it is important to let key partners “inside” the organization to help them better understand the challenges our customers face.
IA: Who in your organization helped with these achievements?
IA: What steps do you find integral in getting and maintaining support from your colleagues and bosses?
SS: In the past, I often worked with senior executives – particularly in the insurance industry, which is in the business of risk assessment – who simply didn’t understand or didn’t want to understand the complexities of information security. Keep in mind, though, that their concerns are valid. They need to focus on delivering value to their customers, and the same customers largely take security for granted. Rather than getting into unproductive battles, carefully listening to executives talk about their needs and pressures helps the CSO and our team to empathize and build relationships while being able to communicate the benefits of security and compliance controls. Corporate executives view me as a leader who tempers serious security needs with what’s best for the business given current circumstances.
IA: When you’re undertaking various projects, do you have to work with managers of various business units?
SS: Yes, working with business partners and managers throughout the organization is key to successful projects at CUNA Mutual Group. We have a highly collaborative environment.
IA: Is there an ideal hierarchical structure when it comes to ensuring IT security is being addressed adequately in a corporate environment?
SS: I report to the CIO. I find this structure works very well at CUNA Mutual Group. I am able to easily work outside the boundaries of IT into our business areas with the key partnerships we have cultivated with peers in the business.
In some organizations, reporting to the CEO would be viewed as the ideal situation to garner the proper level of support for the office of the CSO and its initiatives, but I don’t subscribe to the idea of “one size fits all” when it comes to the setup of a security organization. So much depends on the culture of the company, its financial position and the industry served.
IA: Do you foresee budgetary challenges in 2011?
SS: Our financial performance during the economic crisis has been strong. In turn, our company continues to invest in our capabilities, including our efforts to maintain our security and privacy programs.
IA: In regard to compliance demands, what are your priorities and how do you adhere to such regulations?
SS: Compliance ranks high on the list, with [requirements] ranging from the PCI standard, HIPAA and GLBA to a wide variety of complex and often diverse state privacy laws. While most companies say they hold to a high security standard, those in the financial services industry face much greater scrutiny from customer and government alike. In fact, a web of issues combine to present unique challenges to security executives in this field.
IA: If you have many mandates to which you must answer, how do you avoid duplicating efforts to address these?
SS: Our partnerships with our compliance, audit and legal teams are very strong. We don’t just communicate together – we plan and strategize together. This has kept costs down, repeat work to a minimum, and sent a unified message across the organization. Our strategy strives to meet our security, compliance and regulatory needs at once. Good security programs lead to strong compliance positions.
IA: What privacy regulations (in the United States and abroad) must you comply with?
SS: Privacy and meeting associated regulations is a major concern. As an
insurance and financial services company with a broad product portfolio, we
must comply with a number of regulations, namely, GLBA, HIPAA, SB1386,
PCI, state security laws, state insurance
laws and more.
Our goal is ensuring the right people
see the right data at the right time and
for the right reasons. With that goal
in mind, we combine the efforts of the
compliance and security organizations
to meet the overall goals of security and
privacy together.
IA: What are some of the major challenges you believe you and your counterparts at other companies/government
entities face in the next year? What
about the major threats to your organization and its critical data?
SS: Cybercrime, data theft and the
threat of malware continue to be among
the biggest threats. Because the threat
landscape continuously morphs, it’s difficult to stand still or rely on “traditional”
strategies to protect.
IA: Any advice on how to tackle these?
SS: We have successfully leveraged
technology and solution innovation for
more advanced, infrastructure-wide
approaches to data protection and
compliance.
IA: What are the threats/newer applications that you think you and others in
your position must address this year?
SS: Data protection and privacy rank
high as criminals try new ways to get
access to sensitive information.
The scope of our end data protection
project involves meeting or getting ahead
of regulatory compliance mandates, and
addressing internal security policies and
privacy concerns at the same time. The
implementation was launched in 2009 as
a component of a broader initiative. The
project involves myriad issues, but the
central goal is to safeguard private information as it is gathered, and while stored
in databases and used by applications.
The program covers a two-year period
where the focus is on closing the gaps for
comprehensive protection of private data
while meeting compliance needs.
IA: When hiring information security
practitioners, what experience do you
look for? What advice would you give to
individuals looking to enter the field of
information security?
SS: Obviously, you need experienced
people who have the right level of
knowledge, skills and, if needed, certifications. But those are merely “table
stakes” for me when I search for quality
security professionals. What matters to
me is a proven ability to balance risk
by weighing the decisions that we must
make as security professionals with the
true needs of the business. Too often
I see what I like to call “hard core”
security professionals – people who take
an almost militant position on each and
every topic. This type of person just
doesn’t cut it in the business world. My
advice to those who want to grow as
security professionals into the CSO role
and beyond is to learn this balancing
IA: What is on your agenda for the
coming year?
SS: My agenda for 2011 is to strengthen our security program with the
initiatives we have in fl ight, continue to
look at our long-term strategy and how
the threats that continue to escalate
affect that strategy. The good news for
a CISO like me, who likes constant
change, is that there’s never a dull
moment in this seat. I like the continuous change that the security industry
brings. Every year, we take a significant
portion of our resources to evaluate
our position, the solutions we have
in place, and how they need to evolve
to accommodate the changing
landscape.
CUNA MUTUAL:
FAST FACTS
With corporate headquarters in
Madison, Wis., and regional sales
offices throughout the country, the
75-year-old CUNA Mutual Group
provides financial services to credit
unions, their members and customers worldwide.
Financial highlights
Dec. 2008 Dec. 2009
Assets
$13.2 B
$14.4 B
Total
surplus
$1.2 B
$1.6 B
Revenues
$2.72 B
$2.76 B
Benefits
$1.30 B
$1.60 B
Operating
$152 M
gain
$66 M
Photo courtesy of CUNA Mutual Group
SS: While there have been many groups
within IT and CUNA Mutual Group
that have helped us meet our goals,
the one I must call out as having been
instrumental in this is our corporate
compliance team and its leader, our
chief compliance officer. The strong
partnership between our security and
compliance organizations has enabled a
solid foundation that can be leveraged to
further our overall security and privacy
programs. We communicate as a cohesive team and also successfully advocate
the need for each and every CUNA
Mutual employee to be mindful of
protecting the data that we are entrusted
with and manage.
CUNA Mutual Group headquarters
act – understand that every decision we
make needs to be a risk-based one rather
than black and white.
IA: How do you see the job of information security professionals evolving in the distant future?

SS: I expect to see the security professional continue to be a highly sought-after skill set and in high demand throughout the country. The need for talented individuals who have the skills I mentioned previously will be in even higher demand. The individuals who can fully understand their company’s business, its objectives and find creative ways to marry those needs with security will be the security professionals that are the most successful.
IA: What’s your best advice to others when it comes to building a strong security program?

SS: In the financial services industry, IT in general and IT security in particular, play a vital yet sometimes unrecognized and unrewarded role. Some people notice the function only when things go wrong. Working and succeeding in this field requires not just technology talent, but a clear understanding of the unique rhythms of industry, as well as constant awareness of the diverse pressures of external threats, internal compliance controls and the effect of each measure and implementation on productivity enterprise-wide.

It also takes a thick skin. And from the CISO’s office, building a strong team takes a good mix of experience, persistence and constant communication. It is also important to realize when specific individuals who might otherwise have unique skills don’t fit the team, and take steps to change the structure. Team members say I am tough but fair, reward hard work and provide plenty of opportunity to grow professionally. ■

For a more extensive version of this article, click on scmagazineus.com.
Web fraud

NO SCRIPT NEEDED

Canadian Pharmacy spam doesn’t die – it just switches to web-based promotions. Danny Bradbury reports.

Spammers capitalise on human wants and fears that align closely with the seven deadly sins. Porn mails target lust. Financial get-rich-quick schemes play on avarice. Want to buy a college degree? That’s because you’re slothful.

Perhaps it was no surprise that pharmaceutical spam became so popular. Cheap Viagra online, without having an awkward conversation with your doctor, is a proposition that seems to hit all three of the sins above, along with several others. But why does so much of it seem to emanate from Canada? Canadian Pharmacy spam started at least as far back as the early 2000s. Junk mailers used Canada as a brand, presumably because they believed the folk north of the border, with their public health care system, would be seen as a trustworthy bunch. Who wouldn’t buy cheap Viagra from these friendly northern neighbours?

In the traditional marketplace, globalisation created supply chains that transcend these national boundaries. The shady economy of knock-off pharmaceuticals is no different. The Canadian branding is merely a front. Affiliate networks operate from Eastern Europe, selling drugs manufactured in cheap Asian factories.

Some of these factories provide pharmaceuticals with active ingredients. Some are placebos. They trickle into Western mailboxes in nondescript brown bags, provenance unknown, and are gulped down by gullible Westerners, gambling their money for a cheap deal. They buy not only sexual enhancement drugs, but also controlled substances like Percocet, Oxycodeine, and Adderall.

Tracking and identifying the backend suppliers is difficult, thanks to the quantity of people involved, says Derek Manky, senior security strategist at Fortinet, a security company. “You have an army of affiliates. There’s not just one person that’s setting up spam.”

Nevertheless, some have tried. IronPort, the Cisco-owned email and web security firm, conducted a study into these shipments. Researcher Henry Stern purchased $85 of Viagra from Canadian Pharmacy. “Shortly thereafter, we received a delivery notice from the U.S. Postal Service for a banged-up, padded envelope that had been shipped to us from Mumbai, India,” he said in a blog post documenting the operation. He had the pills analysed by Toxicology Associates, which found no active ingredients.

Stern’s team repeated the experiment some months later and received pills from China – this time containing active ingredients. This suggests at least some rudimentary attempt at quality control on the part of the back-end affiliate coordinator, or, alternatively, a total crap shoot depending on where one’s order is routed.

This bloated layer of affiliate networks – known in Russian circles as partnerka – is from where the spam for online pharmaceuticals comes. A company wanting to promote its products will commission an affiliate to get the message out. This occurs either through spam or some web promotion.

Back-end companies create turnkey sites where affiliates can sign up for a list of URLs to promote. The sites provide templates for the spammers to use. “As the programs got bigger, you’d see some of the programs offering multiple template pages, where they’d customize the message to an extent,” says Joe Stewart, director of malware research at managed security provider SecureWorks.

Other affiliate programs copy the templates and add their own content, creating a panoply of similar style sites referencing Canada. “There are a few big suppliers at the back end, then it branches out,” says Stewart.

Two large Canadian pharmacy affiliate networks have evolved over time: Glavmed (Russian for Med Headquarters), and Spamit. Reports suggest that both of them are operated by Igor Gusev as part of the same operation, called Despmedia. Spamit is said to have focused its efforts on spam, whereas Glavmed is said to concentrate on web-based promotion.

Gusev denies culpability for any emails sent, but global spam levels did drop considerably after the Spamit operation closed last September. Spamit canned its operation just before Gusev fled from Russian authorities, who reportedly found evidence of spamming operations, along with pharmaceutical products shipped from India, in his apartment.
Significantly, according to statistics from anti-spam and anti-malware firm M86, the global drop in spam levels appears to have come from discontinued activity on one particular botnet: Rustock, which plummeted in volume last September. It contributed to 60 percent of all spam in August 2010, the firm says. That number fell to zero in September, and is now only at around four percent. “We’re dropping down to levels that we saw three years ago,” says Stewart, referring to spam volumes. “There was a period in 2009 and 2010 where it went crazy.”

Glavmed, still operational, has also been linked to the Russian Business Network, a bulletproof hosting service that operated in the late 2000s before being fragmented into numerous smaller networks operating both on and off Russian soil. In a blog post, Gusev identifies himself as the co-founder of Chronopay, a payment service that processes purchases for online pharmaceutical sites. However, he says he has since been embroiled in a dispute with his former partner at Chronopay.

Affiliate networks, like Glavmed and Spamit, have proven highly profitable, says Manky, recalling the occasional incident when researchers would manage to gain access to the web interfaces controlling the affiliate networks. “These panels track the money that they have been making over a two-year period,” he says. “Just one affiliate program generated millions of orders from around a million consumers.”

Affiliate campaigns have used a variety of tricks to get the message through and to target potential customers. Carl Leonard, senior EMEA security researcher at security firm Websense, says that the email scammers have switched their approach over the last five months. “We are seeing Twitter and Facebook credential emails,” he says. “They’re putting a layer in between the subject and the initial attack.”

However, this shift could indicate falling profitability in the spam business, which would have directly hit the online pharmaceutical business model.

“Spam filters are a lot better now,” says Lee Graves, technical services manager at eSoft, a network security vendor. “Gmail does an awesome job at capturing that stuff, and so that is really not a good avenue for them to work on anymore. They will still get people that way, but they get the most bang for their buck with a bunch of fake blogs, blackhat search engine optimization [employing unethical techniques to return more prominent search results] and Twitter.”

One of the biggest reasons for this dual-pronged approach is that anti-spam mechanisms are becoming increasingly successful. “It is relatively straightforward to offer good detection rates, even with free webmail providers,” says Leonard.

Will Canadian pharmacy spam ever go away? “[Glavmed and Spamit] are just two affiliate programs, but when you shut one down, another pops up,” says Fortinet’s Manky. “There’s too much motivation.”

The maturity of the online pharmacy underworld also makes it self-sustaining, says SecureWorks’ Stewart. “It is a product that a lot of people are interested in, and there are so many available systems out there to let someone go and do a pharmacy spam run to see if they can make money at it.”

Perhaps that’s why, six months after Spamit ceased operations, M86 says that two-thirds of all spam is pharmaceutical junk mail. And with web-based promotions set to rise as a percentage of overall activity, it is unlikely those little blue, red, white and yellow pills will stop flowing from Asia to gullible customers just yet. ■
Web-enabled devices

EMBEDDED IN DANGER

Smart devices have become pervasive in the enterprise environment, causing challenges for IT departments, reports Angela Moscaritolo.

Networking giant Cisco issued a warning last spring that flaws affecting one of its devices could leave a building’s security, lighting, energy and ventilation systems susceptible to attack.

The vulnerabilities affected Cisco Network Building Mediator, a technology that is used to interconnect critical building systems. Left unpatched, the bugs could have allowed an attacker to obtain administrative passwords, read system configuration files or worse, and gain complete control over the device and the building’s key systems.

The flaws were among an ever-growing class of threats affecting so-called embedded devices.

It is a well-known fact that more and more traditionally offline machines are being connected to the internet these days. From networked printers, smartphones and security cameras to door locks, air conditioning units and lighting systems, embedded devices are everywhere. Even microwaves, airplanes, cars, medical devices and systems used to control the country’s energy supply are connected. In total, there are currently about 20 billion non-PC-connected devices, about five times the number of PCs and servers on the internet today, according to a survey of 269 organizations released last year by embedded device security firm Mocana.

Businesses in the security, health care, industrial, transportation and energy sectors are becoming increasingly interested in acquiring IP-enabled devices to drive up efficiency, says Paul Pishal, vice president of product management at Lantronix, a device networking company. Embedded devices can decrease the cost of repairs by allowing remote service personnel to access them for monitoring and maintenance, he says.

But if left unprotected, embedded devices are prone to malicious acts that are only limited to the imagination of an attacker, says Ira Winkler, chief security strategist at IT consultancy TechnoDyne.

Networked printers, in particular, are a dominant threat vector to the enterprise, says Adrian Turner, CEO of Mocana. Cybercriminals could launch a buffer overflow attack, for example, to gain remote access and steal sensitive information stored on the printer’s hard disk. Even worse, this entryway could be used to access other systems communicating with that device.

In September, researchers discovered that certain models of HP combination printer and scanner devices contained a feature that could allow for corporate espionage. The capability, called WebScan, allows a user to remotely trigger the scanning functionality and retrieve scanned images via a web browser. This feature could allow anyone on the local area network to remotely connect to the scanner and retrieve documents that have been left behind.

HP argued that when used as intended on a secured network, WebScan allows consumers and small to midsize businesses to share information quickly and conveniently. But, researchers warned that a disgruntled employee could hypothetically write a script to regularly run the scanner in hopes of capturing a forgotten confidential document.

And then there was Stuxnet

Similar to traditional cybercrime, the motives for attacking an embedded device vary. Some strive to gain notoriety, but many more seek monetary gains. Other attackers aim to carry out industrial espionage and – in the most dangerous cases – to threaten national security.

Highlighting the most severe risks posed by embedded devices is the now-infamous Stuxnet worm. Called a “game-changer” by many, Stuxnet was designed to target industrial control systems used to manage operations at power plants and other critical infrastructure facilities.

“Security has to be built in, not bolted on after the fact.”
– Adrian Turner, CEO, Mocana
Though it is uncertain who unleashed the Stuxnet worm, experts say its purpose was to cause a damaging physical response. The worm did not result in any destruction, but it did take affected facilities offline in Iran.

Despite the scathing risks, embedded devices are becoming pervasive, according to the Mocana survey. In fact, two-thirds of respondents said their organization uses non-PC-connected devices – such as smartphones, network printers, routers and data communication equipment. In addition, more than half of respondents said they use VoIP (voice over internet protocol) devices or networked building security features, such as digital cameras and computerized electronic locks.

Alarmingly, 71 percent of respondents said they expect a serious incident within the next 24 months due to attacks or problems affecting embedded devices, according to the report.

What to do

Moreover, 65 percent of respondents said that attacks against their non-PC smart devices already require the attention of their IT staff or will start requiring it this year. But mitigating the risk posed by embedded devices is a responsibility that extends beyond the IT department, says TechnoDyne’s Winkler. For starters, organizations must draft a corporate security policy that includes embedded devices.

In addition, a risk assessment should be performed during the acquisition of any device that has outside connectivity. As part of the assessment, it should be determined which security controls are available for the device. Finally, the organization must seriously consider whether the device is worth the risks.

While organizations must consider the risks before procuring embedded devices, much of the onus for securing such technologies rests on the manufacturer’s shoulders, Mocana’s Turner says.

As a minimum level of security, encryption should be used to protect data that is stored on the machine and to safeguard information as it passes among devices. Also, the firmware on a device should be hardened against malware and viruses. And finally, a mechanism for patching security flaws must be present.

Some manufacturers have been taking steps to improve the security of their connected devices, Turner says. Networked printer makers, in particular, are taking security seriously, he says. In addition, the Stuxnet worm has prompted other device manufacturers to take notice that the threat landscape has dramatically evolved and that more proactive steps are needed to protect embedded devices.

Despite these improvements, however, there is currently no way for manufacturers to clearly and easily communicate to buyers the level of security included in an embedded device. Turner suggested that something akin to the Energy Star mark, used to show that a device is energy efficient, is needed for security.

“Security has to be built in, not bolted on and delivered after the fact,” Turner says. ■
TIMELINE: Latest threats

November 2008 – Two traffic engineers in Los Angeles hack a computer system that controls traffic lights and disconnect signals at four busy intersections.

February 2009 – Researchers discover mobile malware targeting Symbian smartphones propagating in the wild.

April 2009 – U.S. officials warn that foreign spies have penetrated the national power grid.

October 2009 – Columbia University researchers discover nearly 21,000 routers, webcams and VoIP products are susceptible to attack because their default passwords were not changed.

December 2009 – U.S. military surveillance drone aircraft are hacked by insurgents in Iraq who intercept video feeds.

January 2010 – Researchers warn that the Novatel MiFi portable router contains flaws that could allow an attacker to discover its GPS location.

March 2010 – A former Texas Auto Center employee remotely attacks 100 cars equipped with web-based immobilization systems to set off horns.

July 2010 – Stuxnet infects 30,000 Windows PCs in Iran in its search for industrial control systems.

August 2010 – A malicious program targeting smartphones running Google’s Android operating system is detected.

September 2010 – Researchers warn that certain HP printers could facilitate espionage due to a feature called WebScan.
M&A activity

FEEDING FRENZY

With an improving economy, security companies are being scooped up by larger firms at a brisk pace, reports Deb Radcliff.

Even with predictions that 2010 would see an uptick in security acquisitions, the pace by which they occurred – along with the direction many are taking – signal what a number of analysts believe to be a banner buying period that will result in the further integration of security and operations.

“Security is consolidating and it is operationalizing,” says Marc van Zadelhoff, director of strategy for IBM Security Solutions. “That the two are happening at the same time is no coincidence. Consolidation is occurring because customers can no longer afford the 35 to 50 different point security-related products they’re using. Security is operationalizing because customers also want security built in.”

Since IBM’s acquisition in 2006 of Internet Security Systems, Big Blue has acquired 10 additional security software and services companies as part of its strategy to enable this consolidation within their product sets. IBM, with $9.1 billion in software profits in 2010, has most recently invested in built-in security at the application layer with its 2009 purchases of Ounce Labs for enterprise source code analysis (price undisclosed) and in database security company Guardium for what is rumored to be $225 million. Then last July, IBM acquired BigFix, maker of endpoint vulnerability assessment and compliance solutions, for an undisclosed price rumored to be $400 million.

IBM is not the only large infrastructure vendor to invest heavily in security acquisitions over the past two years. So too are HP, Intel and even non-IT companies such as Assa Abloy, the $35 million lock company based in Stockholm.

Mirroring IBM’s acquisitions earlier this year, HP in September completed an estimated $150 million purchase of Fortify, provider of static analysis for application assurance. Then, in October, it completed a $1.5 billion acquisition of ArcSight, a leading log management vendor.

Drivers

Economically speaking, there are two fundamental drivers behind today’s fast-paced acquisition activity, says Bob West, founding CEO of research firm Echelon One, based in Cincinnati.

“First, the economy is improving,” West says, adding that at the same time, buying organizations are sitting on cash and ready to acquire complementary technologies. “Second, demand for security automation has been growing as threats and vulnerabilities are rising.”

Inversely, there are also a lot of fledgling firms ripe for acquisition because start-ups have innovated in the areas of mobility, cloud, unified access, streamlined security/systems and application management with analytics, says Skip Glass, partner at Foundation Capital, based in Menlo Park, Calif.

“Small companies are getting funded and coming out with market-accepted products,” says Glass. “But even medium and large fish are getting acquired.”

Analysts say acquisitions, such as McAfee’s purchase of Intel, bring better options for security on small devices needing tiny processors that do a lot of work. Another sign security will meld deeper into endpoint devices is the announcement by Dell in January of its acquisition of security services firm SecureWorks.

There have also been numerous rumors of HP, or even Microsoft, acquiring stalwart Symantec, while Symantec has been busy with sizeable security acquisitions of its own in recent years. In April, Big Yellow acquired PGP (encryption) for $70 million and Guardian Edge (for smartphones) for $70 million. Then, in May, it acquired VeriSign’s identity and authentication business for $1.3 billion (the buy also included a majority stake in VeriSign Japan).
[Infographic, company logos not recoverable: acquirers’ 2010 worth ($126B, $99.9B, $35.1B, $6B, $5B, $4.4B) and deal sizes – acquired by HP: $1.5B; partly acquired by Symantec: $1.3B; acquired by Assa Abloy: $162M; acquired by Intel: $1.4B; acquired by IBM: $225M (rumored); acquired by CA: $200M; acquired by Intel: $7.7B; acquired by IBM: $400M (rumored); acquired by HP: $150M]
M&A activity
Silos between security
and other IT operations
are melting.”
– Rick Caccia, VP of product marketing, ArcSight
Many of these acquisitions will lead
organizations to consolidation in their
security operations.
“There has always been innovation
and acquisition in the security space,”
says Vimal Solanki, VP of corporate
strategy for McAfee. “These acquisitions
happen because security products work
best when they are tightly integrated
with other products.”
Initially, this integration will develop
through the use of suites that can take
security management as close to a “single
security chokepoint” as possible, adds
IBM’s van Zadelhoff.
Acquisitions also show that security is
no longer seen as add-on but is becoming part of the core of products and services larger IT vendors are offering, says
Rhonda MacLean, founder of MacLean
Risk Partners.
“HP, IBM, EMC and CA do very large
deals with enterprises,” says MacLean.
“Enterprise customers are asking the
large technology companies to ensure
products are secure, either through
building it in or ensuring they have
solutions that can be easily integrated to
meet their security needs.”
In addition to better-integrated
security management, many of today’s
acquisitions bode well for the successful
melding of security and other IT operations, says Rick Caccia, VP of product
marketing at ArcSight, an HP company.
“Until lately, security has been seen
as an after-the-fact technology bolted on
in a layer-by-layer basis, none of which
connects to IT operations,” he says. “But
with recent acquisitions, it really feels
like the silos between security and other
IT operations are melting.”
In addition to the Intel acquisition,
another example of operations and
Previous
security integration is the acquisition
of ActivIdentity in December for $162
million by HID Global. HID Global’s
parent company is Assa Abloy, a Swedish
lock manufacturer with more than $5
billion in revenues.
HID Global describes its vision
for a convergence of technologies to
protect against the ever-improving
physical threats to infrastructures. With
the ActivIdentity acquisition, HID
Global will integrate with its cards and
readers used for both door and computer access, says Anthony Ball, SVP of
identity and access management at
HID Global.
“Nowadays, individuals are remotely
logging in from a variety of devices
and from different offices in buildings
around the globe,” he says. Because
remote workers are not all tapping into
the company’s protected servers, this
makes complying with the government’s
personal identification verification (PIV)
difficult. “This situation is also creating
the perfect storm for consolidation.”
Point solutions
Consolidation is not only happening on the part of large infrastructure vendors. Some so-called point solutions providers are growing suites of their own. For example, the last independent IDS/IPS vendor, Sourcefire, is acquiring companies to grow its own portfolio.

Most recently, in January, Sourcefire announced the $21 million acquisition of Immunet for a cloud-based, anti-malware capability – its first pick-up since its 2007 purchase of ClamAV – to complement its holistic approach to network, data and endpoint security.

Since the ClamAV acquisition, Sourcefire has focused on its own innovations, optimizing its IDS/IPS and expanding its real-time network awareness (RNA) technology, says Tom McDonough, Sourcefire’s president and COO.

“I’ve been to some of the biggest banks in the world and they may have 1,200 firewalls and 40 IDS/IPS systems sending reports and alerts all the time,” McDonough says. “Ultimately, by driving down management overhead and centralizing functions of all these different technologies, you bring down the total cost of ownership and drive up efficiencies for return on investment.”

Missing from this acquisition story is Microsoft, which made no security acquisitions until October, when it announced the purchase of AVICode, a start-up for .NET application monitoring. With Windows 7 released late in 2009, much of Microsoft’s security innovation has taken place organically. Plus, the software giant is innovating in new areas, such as its software development kit for secure mobile application development released in late 2010.

Van Zadelhoff of IBM says it is important to note that large vendors also did their share of innovation during the down economy. For example, IBM, with nine of its labs developing new security tools, produced half a dozen new security products last year, he says.

This convergence does not mean the end of point security products, say analysts. As new threats and platforms arise, so too will there be innovative start-ups developing tools that will likely become part of a larger security toolset.

New threats and software tools are partly what drove the 2010 market for security software, which grew 11.3 percent from 2009, to $16.5 billion, according to Gartner research.

“There will always be new challenges that task IT managers to look outside their comfort zone of vendor managers to more leading-edge point solutions,” says Geoffrey Oblak, general partner with Ascent Venture Partners. “Acquisitions will continue in this market and, presumably, that is good for all constituents.” ■
Product Section

GFI – Provides out-of-the-box protection P43
Mykonos – Detects and responds to attacks P33
M86 Security – Filters web traffic and reports P44
The face of things to come

This month, we get a chance to take a peek into the future, as well as viewing the current state of information assurance (IA). The future comes to us in the form of a closer look at the participants in the Security Innovators Throwdown, which took place at the 2010 SC World Congress in New York. The current state is focused on web content management, arguably one of the most important IA functions in our enterprises.

Web content management is a key piece of our security infrastructures because virtually everything comes into our enterprise through web browsers. Many question the efficacy of web content management, and we will see that skepticism in our interviews with Throwdown participants.

I have railed long and loudly about the state of innovation in our industry, and it seems to me that, finally, innovation is returning to information assurance. However, there are lots of opinions as to what constitutes innovation. This year, I was impressed by the level of original thinking that characterized the Throwdown participants. They all have tackled difficult problems and produced solutions to those problems that require a bit of new thinking to understand. That is good. We often are so entrenched in “the way it is done” that we forget that there may be better approaches that don’t really look like what we’re used to seeing. This year, there was some of that and it is gratifying to see.

As we discuss in the web content management introduction, that group has begun to mature. However, it is not without some controversy. At least one person who I interviewed recently characterized the current state of web content management as the anti-virus industry 10 years ago, depending on signatures and blacklists/whitelists. That said, there are some very solid players in that product sector and, as always, we have them for you.

Chatting about the products he looked at this month, SC Lab Manager Mike Stephenson tells me that two of the major improvements he is seeing over the past few years are improved user interfaces – significant simplification – and improved ease of deployment. So, overall, we have an exciting product section for you this month with a look at the here and now, plus a peek at what is coming down the pike. Let’s get to it.

—Peter Stephenson, technology editor
How we test and score the products

Our testing team includes SC Magazine Labs staff, as well as external experts who are respected industry-wide. In our Group Tests, we look at several products around a common theme based on a predetermined set of SC Labs standards (Performance, Ease of use, Features, Documentation, Support, and Value for money). There are roughly 50 individual criteria in the general test process. These criteria were developed by the lab in cooperation with the Center for Regional and National Security at Eastern Michigan University.

We developed the second set of standards specifically for the group under test and use the Common Criteria (ISO 1548) as a basis for the test plan. Group Test reviews focus on operational characteristics and are considered at evaluation assurance level (EAL) 1 (functionally tested) or, in some cases, EAL 2 (structurally tested) in Common Criteria-speak.

Our final conclusions and ratings are subject to the judgment and interpretation of the tester and are validated by the technology editor. All reviews are vetted for consistency, correctness and completeness by the technology editor prior to being submitted for publication. Prices quoted are in American dollars.

What the stars mean

Our star ratings indicate how well the product has performed against our test criteria.

★★★★★ Outstanding. An “A” on the product’s report card.
★★★★ Carries out all basic functions very well. A “B” on the product’s report card.
★★★ Carries out all basic functions to a satisfactory level. A “C” on the product’s report card.
★★ Fails to complete certain basic functions. A “D” on the product’s report card.
★ Seriously deficient. An “F” on the product’s report card.

What the recognition means

Best Buy goes to products the SC Lab rates as outstanding. Recommended means the product has shone in a specific area. Lab Approved is awarded to extraordinary standouts that fit into the SC Lab environment, and which will be used subsequently in our test bench for the coming year.
GROUP TEST | Security Innovators Throwdown

Eight sales pitches went head to head in our competition to find the most innovative security products and services from young companies. Technology Editor Peter Stephenson has the lowdown.

[Photo: Laura Mather, founder, Silver Tail Systems, presents at the Security Innovators Throwdown. Photo by Larry Ford]

Tell someone to take a highly technical product or service, or a new company, and present it in five minutes such that an investor would want to hear more, and you have just handed them a huge challenge. It is a bit like telling someone to describe, in five minutes, their four years of college. It is a tough sale to make. But, the eight finalists in our Security Innovators Throwdown, which took place at SC World Congress in New York, did it and did it well.

The judges were serious-minded professionals in the technology business. There was a technical consultant, a venture capitalist, two other consultants in the field, the editor-in-chief of this publication, and little old me – the resident geek-academic.

There can be only one selected winner, but, clichéd though it is, they all were winners. The entries ranged from source code analysis to fraud detection. In fact, there were no two companies or products that were in direct competition. The selection process is very structured. Once we picked the participants, each was given a four-section quad chart. The sections were mission, marketplace, financing and management. Each presenter was required to discuss their company in terms of those four areas.

The presentations usually focused on a product. For that reason, we wanted to know about the organization behind it. It is not particularly useful to an investor to see a very cool product with the full knowledge that there is nothing behind it but a very clever engineer. Of course, investors often try to get a good product with no organization behind it into another company where it can realize its potential, but that was not the objective this time around.

After the five-minute dog-and-pony shows were over, I took some additional time to talk to each of the participants. That was really lots of fun. I asked each company rep how he or she came to their company’s product(s). The answers, which one might expect to be canned, were really enlightening. In every case this year, there was a real problem and a creative solution to it. The teams behind the new companies or, in a couple of cases, new products for young companies, were seasoned and came from prior lives that did them credit and, in some cases, considerable credit.

The state of innovation in our industry is improving markedly. However, unlike in previous years, the innovation is in quality of the creative approaches, not in the number of creative approaches. Perhaps it is the economy, but I am seeing far fewer innovators, though the ones I am seeing are truly creative, hard-charging professionals who have something really unique to say and just need a venue to say it. This, of course, means the quality of our innovation is on the upswing. It does seem logical. The challenges we face are greater than ever before and without creative approaches, we simply won’t meet them.

The kinds of problems addressed this year were signs of the times. The general categories we saw addressed included data leakage prevention, security analysis of source code, smartphone security, fraud detection, and creative uses of virtualization for improved security – to tag a few of the eight. The companies ranged from mature to one self-styled “stealth start-up” with a fascinating solution for problems, such as the recent – and, perhaps, overpublicized – WikiLeaks episode.

But enough of the preliminaries. Ladies and gentlemen, here, without further ado, are the eight winners and finalists in the Security Innovators Throwdown. Enjoy!

Mykonos Software
1st Place

AT A GLANCE
Company: Mykonos Software
www.mykonossoftware.com
Product: Mykonos Security Appliance
Price: Starts at $25,000.
What it does: Detects attacks, tags and profiles attackers, and responds automatically to attacks.

If you were a cyber detective trying to catch attackers, what would you do? First, you would need to detect the fact that an attack actually was happening. Then, you probably would want to identify the attacker and take some action to prevent them from returning without your knowledge. You certainly would want to understand the skill level of the attacker so you could implement appropriate countermeasures to prevent their return. If it was a script kiddie, you might want to take some affirmative action to scare them away. If it was a skilled intruder, you would surely want to take defensive measures as well. Or you might just deploy the Mykonos Security Appliance and let it do the job for you.

We spent about an hour on the phone with one of the company’s founders and came away with the strong impression that the level of thinking and analysis in this start-up is absolutely amazing. As a digital investigator for many years, I know exactly how to go about tracing an attack, and know it is very difficult to do and not always successful. There are reasons for this, and Mykonos seems to have captured them all and provided solutions to them.

One of the most interesting aspects to this product is its methodology. It mimics very closely the steps an analyst would take. First, it addresses pre-attack activity. Pre-attack is important because the probes and scans done by an adversary may give important information about the adversary’s location, skill level and identity. During this phase, the attacker is led into a code-level honeypot and is presented with appropriate responses of increasing complexity and difficulty. Mykonos calls this process “hoops and hurdles.”

For example, if the adversary does a simple SQL injection attack and then gets to a password file, a fake password file is returned. Then the adversary will attempt to crack the passwords and, if successful, is allowed to log into the honeypot using the bogus credentials. Meanwhile, the tool is profiling the attacker and responding appropriately – “appropriately” meaning based on policies you set up.

Also, from the first indication that the attacker is attempting or is going to attempt a compromise, the appliance tags the attacker using multiple methods, including hidden, encrypted cookies. That way, no matter where the attacker comes from, they are identifiable. These tags are persistent and redundant so that simply removing one does not get rid of the tag.

Another very interesting aspect is the recognition that what is good for Mykonos – profiling the attacker – is also good for the attacker – profiling Mykonos. Since the earliest days of anti-virus (AV) software, when virus writers reverse-engineered McAfee’s .dat files to learn the bit patterns the software used to identify a particular virus, the idea of the attacker profiling the target’s defenses and then developing countermeasures has been popular. Mykonos makes every individual appliance somewhat different and adds the capability for the user to add to that. The result is that no two Mykonos appliances look exactly alike to the attacker. That prevents attackers from creating a profile of the Mykonos honeypot and attempting to circumvent it.

Administration is very straightforward. The web-based admin console lets you drill down into events and get detailed information about them. The console even sports a nifty geolocation capability that helps pinpoint the source of an attack attempt.

Finally, the appliance does not require configuration of a rules engine. Setup is very simple and the product is up and running almost out of the box. However, if you want to create new custom processors, Mykonos, resellers or your own team can do that. It is the custom processors that provide detection and countermeasures. However, the appliance comes with a full library of processors for typical attack types.

Overall, there is no question that the Mykonos Security Appliance is information security innovation at its finest. It is no wonder that this young start-up – beta launched in 2010 – is our Throwdown winner this year and we predict very big things for them in the future. Starting at $25,000 for the base model, the appliance may be the smartest buy of the year for any organization with an online presence.
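To make the tagging idea concrete, here is a constructed Python sketch added by the editor; it is not Mykonos code, and the appliance’s actual mechanism is not described beyond what the review says. It assumes HMAC-signed (tamper-evident) rather than encrypted cookies, two constructed carrier cookie names, a constructed decoy path and a crude SQL-injection signature as the only triggers.

```python
"""Persistent, redundant attacker tagging (constructed sketch, not Mykonos code).

A request that trips a detector is answered with a decoy and the client is
issued a tag. The tag travels in two signed cookies; if the client deletes one,
the other still identifies it and the missing carrier is re-issued.
"""
import base64
import binascii
import hashlib
import hmac
import json
import re
import secrets

SECRET_KEY = b"constructed-per-appliance-secret"   # constructed; unique per deployment
CARRIERS = ("pref", "_vid")                          # constructed, innocuous cookie names
DECOY_PATHS = {"/backup/passwd.txt"}                 # constructed hidden link real pages never use
# Crude signature for the "simple SQL injection" the review mentions (demo only).
SQLI_RE = re.compile(r"""(?i)['"]\s*(or|and)\s+[\w'"]+\s*=|union\s+select""")
MAC_LEN = hashlib.sha256().digest_size


def _sign(tag):
    """Serialise the tag and append an HMAC so a forged or edited tag is detectable."""
    payload = json.dumps(tag, sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def _verify(token):
    """Return the tag carried by `token`, or None if it was altered or is garbage."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (binascii.Error, ValueError):
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def detect(path, query):
    """Return the reason a request looks hostile, or None for an ordinary request."""
    if path in DECOY_PATHS:
        return "decoy_path"
    for value in query.values():
        if SQLI_RE.search(value):
            return "sqli"
    return None


def recover_tag(cookies):
    """Return the tag if ANY carrier still holds a valid copy (the redundancy)."""
    for name in CARRIERS:
        token = cookies.get(name)
        if token:
            tag = _verify(token)
            if tag is not None:
                return tag
    return None


def handle_request(path, query, cookies):
    """Decide how to answer one request.

    Returns (tag, cookies_to_set, response_kind): 'normal' for untagged clean
    clients, 'decoy' when a detector fired (the honeypot answer, e.g. a fake
    password file), 'monitored' for a tagged client that is behaving right now.
    """
    reason = detect(path, query)
    tag = recover_tag(cookies)
    if tag is None and reason is None:
        return None, {}, "normal"
    if tag is None:
        tag = {"id": secrets.token_hex(8), "first": reason, "events": 1}
    elif reason is not None:
        tag = dict(tag, events=tag["events"] + 1)
    token = _sign(tag)
    # Re-issue every carrier on every tagged response: deleting one cookie does
    # not remove the tag, because the surviving copy restores the missing one.
    to_set = {name: token for name in CARRIERS}
    return tag, to_set, "decoy" if reason else "monitored"
```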
M.A.D. Partners

2nd Place

AT A GLANCE
Company: Mobile Application Development Partners LLC
www.mobileactivedefense.com
Product: Mobile Enterprise Compliance and Security (MECS) Server v1.1 by Mobile Active Defense
Price: As a SaaS service, as an appliance or as a virtual appliance; the physical appliance retails for $4,995, plus annual per-seat licensing.
What it does: Application access control – smartphone security.

Second place in the Throwdown went to M.A.D. (Mobile Application Development) Partners for its Mobile Active Defense platform. The company’s Mobile Enterprise Compliance and Security (MECS) Server v1.1 is a device, virtual device or SaaS offering that controls access to applications for smartphones. The position of M.A.D.’s founders when they started the company three years ago was that application stores are the largest single malicious software delivery mechanism in the world. That position has not changed, but the ability of companies that have smartphone users to protect their enterprises has. Our judges were just M.A.D. enough to give this company the thumbs-up for second place.

According to M.A.D., there are two approaches to dealing with apps: the so-called BlackBerry approach (basically the phone as a dumb terminal) and the sandbox approach. The trouble with the latter is that the user can bypass the sandbox by turning it off because it, itself, is an app. And, of course, jailbreaking is a common practice and that also opens these devices up to a variety of security problems, most of which are application-borne.

So what is needed, the partners reasoned, was an approach that amounts to a network access control (NAC) system for applications. And that, basically, is what the MECS server is. MECS targets Apple devices, Droid-based devices, Windows Mobile 6.1 and 6.5, and Symbian-based products. BlackBerry already is, arguably, the most natively secure.

If one is downloading a computer application to a PC on the organization’s enterprise, the user would need permission to load it into their computer. That permission usually is not granted lightly, and most users do not have administrator rights on company PCs. M.A.D. figures that smartphones should be no different. But achieving this control had to be easy. The MECS server does the trick.

First, the MECS server configures just like a firewall, so system administrators already know how to set it up. Second, smartphone users must go through the MECS Server to access the internet. When the smartphone tries to access the internet, it sets up a VPN to the MECS server. That server can reside physically at the organization or it can manifest as a SaaS service in the cloud. If the site that the smartphone wants to browse is allowed by the MECS Server’s policy, the connection is made.

Often an organization will want to accommodate private email accounts, such as Gmail or Yahoo, for users. M.A.D. has a private email server to which the MECS Server can direct users for that purpose while still protecting the enterprise from infection, compromise or misbehaving applications. MECS Server encrypts all traffic between the phone and the server and offers content filtering and geolocation-based firewall rules. The firewall rules and configuration are not just for show. In fact, MECS includes a full stateful inspection firewall, content filtering and blacklists and whitelists.

Management is easy and users can create policies to control and enforce passwords while permitting access to such things as iTunes and YouTube. There is a wipe feature so that if the smartphone is stolen it can be wiped remotely, preventing unauthorized access by unknown third parties.

Pricing for the MECS Server is very flexible. For smaller organizations, the SaaS model probably is appropriate.

So when your organization starts to use smartphones, be aware of the risks of apps. Implement a NAC for apps to protect your organization from compromise through these very powerful devices. And, you knew this was coming, didn’t you? Don’t get mad, get M.A.D. MECS Server.

Hatha Systems
AT A GLANCE
Company: Hatha Systems
www.hathasystems.com
Product: Knowledge Refinery
Price: Starts at $100,000 per one million lines of code analyzed per year.
What it does: Parses application code and enables the information to be analyzed.

Several years ago, I had a conversation with Mary Ann Davidson, the CSO at Oracle, about code review. At the time – well before the current state of the practice – she bemoaned the fact that they have to go through thousands of lines of code per day looking for security flaws and it was an extremely tedious task. Now, there is a company that has taken a unique approach to solving the code review problem and it is one of our two runners-up in the Throwdown.

Hatha Systems’ Knowledge Refinery is not just another code review product, though. The core mission of the product is to extract an impact analysis from the source code that can tell the analyst what the consequences of a particular flaw are likely to be. It does this by extracting knowledge of the environment in which the application runs so that in- and outbound data flows can be examined and the impact of security gaps assessed.

One of the techniques that the product uses to make complicated interactions clear is graphical mapping. Once it has parsed and analyzed the target source code, the tool creates a map of the interactions and interdependencies. This map, referred to as a call map, makes relationships clear and unambiguous. It can show function calls made or the targets of the calls. Once the map is complete, the user can use color coding to identify flaws and their consequences. The product can examine metadata and draw conclusions about versioning as well, highlighting older versions of application modules that may inadvertently have been mixed into a newer version of the application under analysis.

From a security perspective – just one of the areas that Knowledge Refinery addresses – it is important to understand the security elements, pathways and weaknesses in an application’s source code. For this reason, among others, the product restricts its analysis to source code, performing a static analysis to learn everything about the code, including its functionality and the security inherent – or not – in the target application. Focusing on identifying impact allows management of risk in an informed environment. Simply knowing the flaws in a piece of source code is not enough.

International standards-based, Knowledge Refinery can analyze COBOL, C and Java sources. It is modular, making it easy to configure, and it keeps its data in an Oracle backend database for large projects or in XMI format for smaller endeavors. The idea behind Knowledge Refinery is that, like refining crude oil into gasoline, source code can be refined to give the information wanted as you analyze code for faults. It lets users get what they want, when they want it.

By some standards, this product may seem a bit pricey, but it is the real deal. This is source code analysis – far more than simple review – at its best and most detailed. This is a full-blown analysis environment. The protection a developer gets from upstream disaster just by analyzing impacts is more than worth the price of admission. Installation and support are included in the price, and custom analysis, system integration and training are available at extra cost.

As we spoke with the Hatha folks, we could not avoid recognizing the seriousness of their commitment. These are people who believe that it is possible to produce clean code. In an age when it is not uncommon for the consumer to be the beta tester, the notion of clean code is a sort of Holy Grail. Much has been said about the ultimate solution to cybersecurity vulnerabilities: Write clean code. However, writing and delivering clean code requires testing and analysis, something that many companies do not seem to have time for. Knowledge Refinery makes it possible to analyze sources, assess impacts and determine the likely upstream risk associated with those impacts. We think that those are good things and apparently so did the judges at the Throwdown because Hatha Systems was chosen as one of the runners-up.

If you are writing lots of code – and especially if your code has security implications – you need to have a look at Knowledge Refinery. It beats any similar tool we’ve seen so far.
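To show what a call map and a flaw-impact analysis look like in practice, here is a constructed Python example added by the editor; it is not Hatha Systems code, and it uses Python’s ast module on an embedded Python sample rather than the COBOL, C or Java sources Knowledge Refinery analyzes. The sample program, the function names, the entry-point list and the colour scheme are all constructed.

```python
"""Call map plus flaw-impact analysis (constructed example, not Knowledge Refinery).

Builds the caller/callee map of a source file, then answers the question the
review says matters most: if function X is flawed, which other functions and
which externally reachable entry points inherit that flaw?
"""
import ast
from collections import defaultdict

# Constructed sample application. build_query concatenates untrusted input into SQL.
SAMPLE_SOURCE = '''
def build_query(user):
    return "SELECT * FROM users WHERE name = '" + user + "'"   # constructed flaw

def lookup(user):
    return db.execute(build_query(user))

def login(request):
    return lookup(request["user"])

def report(request):
    return render(lookup(request["who"]))

def healthcheck():
    return "ok"
'''


def call_map(source):
    """Map every top-level function to the set of names it calls."""
    tree = ast.parse(source)
    cmap = {}
    for node in tree.body:
        if not isinstance(node, ast.FunctionDef):
            continue
        callees = set()
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                target = sub.func
                if isinstance(target, ast.Name):
                    callees.add(target.id)          # plain call: lookup(...)
                elif isinstance(target, ast.Attribute):
                    callees.add(target.attr)        # method call: db.execute(...)
        cmap[node.name] = callees
    return cmap


def callers_of(cmap):
    """Invert the call map; callees not defined here (db, render) cannot be resolved and are skipped."""
    rev = defaultdict(set)
    for caller, callees in cmap.items():
        for callee in callees:
            if callee in cmap:
                rev[callee].add(caller)
    return rev


def impact(cmap, flawed):
    """Every function that, directly or transitively, calls `flawed`."""
    rev = callers_of(cmap)
    seen, stack = set(), [flawed]
    while stack:
        for caller in rev.get(stack.pop(), ()):
            if caller not in seen:
                seen.add(caller)
                stack.append(caller)
    return seen


def affected_entry_points(cmap, flawed, entry_points):
    """Which externally reachable functions (request handlers) expose the flaw."""
    hit = impact(cmap, flawed)
    return sorted(name for name in entry_points if name in hit)


def color_map(cmap, flawed):
    """Colour coding as the review describes: the flaw, what depends on it, and what is clean."""
    hit = impact(cmap, flawed)
    colours = {}
    for name in cmap:
        if name == flawed:
            colours[name] = "red"
        elif name in hit:
            colours[name] = "orange"
        else:
            colours[name] = "green"
    return colours


def to_dot(cmap, flawed):
    """Graphviz DOT rendering of the call map with the colour coding applied."""
    colours = color_map(cmap, flawed)
    lines = ["digraph callmap {"]
    for name, colour in colours.items():
        lines.append(f'  "{name}" [style=filled, fillcolor={colour}];')
    for caller, callees in cmap.items():
        for callee in sorted(callees):
            lines.append(f'  "{caller}" -> "{callee}";')
    lines.append("}")
    return "\n".join(lines)
```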
Global Velocity

AT A GLANCE
Company: Global Velocity
www.globalvelocity.com
Product: GV-2010
Price: Starts at $150,000.
What it does: Content control and deep analysis at wire speeds.

You need to create content management policies, take actions when a policy is violated, manage both applications and content, see both clear text and encrypted data for recognized encryption types, perform data leakage control – and you want to do all of this at wire speeds. That is a pretty tall order and it usually would require more than one product to accomplish. But the Global Velocity GV-2010 does all of this and it does it in a single appliance.

When we spoke with the folks at Global Velocity – the company’s corporate headquarters is in Clayton, Mo., with an office in Palo Alto, Calif. – we were impressed with what we termed “DLP on steroids.” This is one hot box. The company, which took its first product to the streets in 2006, is small and has had a string of successes. Among its credentials are eight patents, with seven more pending. Its strong point is that, even at wire speeds, many views of the data passing into and out of the enterprise allow deep analysis. Creative visualization aids the analyst with views.

This product even makes suggestions for things you probably should exclude from analysis because they are likely to be false positives. When was the last time your IDS did that? The GV-2010 focuses on outbound content control and it achieves its performance because most of the work is done in hardware and firmware rather than software. That allows pattern matching and deep packet analysis.

We liked this product and the company for their creative approach to a real problem: deep analysis at very high speeds and reduction of the number of boxes needed to put on our perimeters. Starting at $150,000, this is not a cheap product, but what it does is well worth the freight.

Besides, what would it cost to replace it with several boxes, all of which require implementation and administration? Being plug-and-play, the GV-2010 reduces time to return on investment so, in our view, there is no downside to the tool. If your data and enterprise are important to you, and of course they are, this one is worth a closer look.

Kormox

AT A GLANCE
Company: Kormox
www.kormox.com
Product: To be announced 4Q 2011.
Price: To be announced.
What it does: Surgical control over access to organizational data/information.

The prospect that an impending product could have prevented the WikiLeaks scandal, according to this “stealth” start-up’s founder, was tantalizing indeed. What struck us was the fact that this device can classify all of the critical information within a manager’s purview and obtain actionable insights about that data and the risk it presents. Further, it can classify usage, access and sharing, and then implement what the company calls “surgical controls” that balance collaboration and security. And it claims to do all of this in just a few minutes.

One of our first questions was, “How is this different from a traditional data leakage prevention (DLP) tool?” The answer: a DLP system needs the granular details of the data to make decisions about it. This product – due in the fourth quarter – develops those details so pre-knowledge is not necessary.

The offering operates in a completely unstructured environment and its focus at the start is classifying the most critical information within the control of the manager using it. Once that data is classified, the product obtains insights about how the data is used. It examines, correlates and analyzes the information and metadata contained wherever that information is stored. That can mean tens of thousands of locations. The tool looks at email servers, desktop PCs, file servers, shares and more.

Kormox is one-and-a-half years old and was started by former Microsoft employees. They are focused on next-generation data classification, and their unnamed product is in open beta. We have not seen this product, but are awaiting access to a beta version anxiously. If this sounds interesting to you, one of the principals at Kormox urges you to consider being part of the open beta.

Silver Tail Systems

AT A GLANCE
Company: Silver Tail Systems
www.silvertailsystems.com
Product: Mitigation
Price: No actual price provided. Two-year term licenses based on the number of users monitored.
What it does: Adjusts website flows to stop fraudsters while offering no impact to legitimate users.

Fraud in today’s financial websites is a serious problem. It is growing at breakneck speed with the introduction of new forms of crimeware, much of which is built to the standards that we, as legitimate software purchasers, expect from commercial products. Our second runner-up, Silver Tail Systems, has taken on the fraud community with a suite of three products, one of which the company showed at the Throwdown.

Silver Tail is an interesting firm. The founders and key managers are alumni of eBay, Google, PayPal, IBM and the National Security Agency. These folks have spent their professional lives fighting fraud and have come together at a forward-thinking company to build fraud-fighting software and services. At last year’s Throwdown, we saw Silver Tail’s forensic product and it garnered a lot of interest. This year, the company showed its new tool called Mitigation.

Mitigation interacts with websites and responds to every mouse click. It is rule-based and is the near-perfect tool for addressing today’s modern fraud techniques, such as screen scraping. But the real power in Mitigation is its ability to modify a website’s business flows to circumvent fraudulent behavior without rewriting the website code. This is important for two reasons. First, it takes a long time for IT resources to analyze bad behavior, figure out mitigation, write the code, test it, put it into production and deploy it to web servers. Second, once that time and effort has been expended, it takes the bad guys just a relatively small amount of time to change their behavior and address another weakness.

Mitigation also works well with Silver Tail Systems Forensics. That tool helps develop policies that tell Mitigation what needs to be done. Mitigation and Forensics are a helpdesk-in-a-box for addressing fraud.

So, given all of that, what kinds of fraud are we talking about? I watched a very interesting demo as I was discussing the product with one of the founders. A fraudster had planted malware that scraped the screen and sent the information home. It then used that to create a false screen while it looted the accounts that the screen represented.

Since, basically, Mitigation is a rules engine, all that was necessary was to tell it what bad behavior we were concerned with – screen scraping, for example. Once we knew that, we could write a rule to prevent it. Not only were we able to quickly write the rule to prevent the bad behavior, we were able to do it so that legitimate users never knew that we had done anything. That was important because the fraud would have reflected in the users’ interactions with the site, and changes would, potentially, alter the way they performed those interactions. Because the system adds web server filters, deployment takes less time than changing HTML code in the web pages themselves.

Simply fixing the problem is not enough, though. You must also know that a problem is occurring and must have a way to analyze it. Analysis can come from Silver Tail Systems Forensics, to be sure, but it also can come from your SIEM product. Add to that a case management tool available from Silver Tail, and you have a pretty powerful system.

Another aspect that impressed us was the scalability of the product. We were enthused by this last year as well when we saw the Silver Tail Systems Forensics tool: 300,000 clicks per second is a lot of clicks in not much time. However, a large web farm takes a lot of traffic, and if the anti-fraud tool chokes at heavy volume it may not be of much use. That certainly is not the case here.

Fraud is a major problem today, and the targets of fraud are legitimate web users. Unfortunately, there are many tools that help fraudsters get around anti-fraud products. The Silver Tail suite of anti-fraud systems is a very good starting point in our view and the view of the other judges at the Throwdown. Mitigation rounds out that suite by providing a rapid solution to the HTML reconfiguration problem that used to be the only way to combat fraud against websites.
Next
Invincea
T
AT A GLANCE
his is one of our personal
favorites. Invincea Browser Protection is an early
– and very creative – use of virtualization to protect endpoints
from malware. Since a huge
percentage of malware infections
start while surfing the web, this
product is right on the money in
terms of a waiting market.
The idea behind Browser
Protection is simple. Its execution, perhaps not so. The idea
is to build an independent virtual machine, put the browser
inside, and limit the interaction between the guest virtual
machine (VM) and the host.
Of course, you need to keep
everything independent, recognize zero-day attacks, keep the
browsing environment pristine,
and never, ever, let the bugs
from the outside world migrate
to the protected bare metal.
Invincea took all of these
things into account. The VM
is independent of the host. It
does not use the host operating system for anything except
launching the guest. From then
on, the guest is completely
independent with its own pared-
T
Previous
Web content management
SentryCom
his company comes to us
from Israel, and expects
to have a full U.S. presence in late 2011. It has been
around since 2005, and MACS
VoiceProof is its latest product.
MACS is the Managed Authentication and Crypto Server. Its
purpose is to provide a secure
mechanism for authenticating
and transferring data to specified secure applications.
Simply, MACS VoiceProof
works by setting a secure path
between the user and the
destination, and managing
that path. Authentication can
occur in a variety of ways, but
is always validated through the
use of a voice command. This
is not voice biometrics per se.
It is more like a challenge and
response where the response is
a voice command by the user.
This precludes man-in-themiddle attacks. It also precludes
malware attacks since the
malware is incapable of voice
response.
That is its real strength since
many of today’s worst attacks
involve malware harvesting of
confidential information and
connecting to a mothership
ip
to exfiltrate it. If malware
attempts to interpose itself
lf
in a transaction and harvest remote data, the
attempt will fail since
the malware cannot
complete the authentication.
The MACS can be
implemented by the
organization as a physical server or can take
advantage of the server in
the cloud. In late 2011,
Company: Invincea
www.invincea.com
Product: Browser Protection
Price: Starts at $60/user.
What it does: Isolates
browser from passing malware
to the host computer.
down OS and instantiation of
the familiar browser. It does not
try to recognize malware from
signatures. If anything tries to
make an unauthorized alteration
to the VM environment, the VM
self-destructs and rebuilds from
a protected gold copy stored
elsewhere on the host. It then
retains the user’s bookmarks and
is ready to go without any user
intervention.
Browser Protection supports
Internet Explorer, and there
is a Firefox implementation in
beta. We found that interesting
since the guest OS for Firefox is
Linux, an OS relatively impervious to malware. No matter.
Invincea has ensured that the
VM presents with a Windows
look so users will feel right at
home. The VM is hardened and
contains a layer of sensors to
identify attempts to compromise
the environment.
38 • March 2011 • www.scmagazineus.com
»
GROUP TEST l WCM
» GROUP TEST l Security Innovators Throwdown
Web content management includes overseeing all of those data flows that are related to surfing
the web. Peter Stephenson and the SC Lab team put 12 offerings through their paces.
SentryCom will be providing
that service through Amazon
Web Services. In addition to
online banking, other candidates for this protection include
online gaming, e-commerce
and e-voting. Not only does
the server provide authentication, it secures the data channel
between the user and the target.
This approach shows a lot of
promise. It is part of the push
to come up with secure ways to
defeat the current – and future
– waves of crimeware. We have
seen several approaches and
this one is as good as any and
better than most. It certainly is
a company to watch and there
very likely will be a place for
its approach in the pantheon of
secure transaction methods.
PICK OF THE LITTER
The iBoss Enterprise Filter is solid,
priced right and full-featured.
This one is our Best Buy this
month.
For its value and well-rounded
capabilities, we make EdgeWave
iPrism Web Security our Recommended product this month.
LAB APPROVED
AT A GLANCE
Company: SentryCom
www.sentry-com.net
Product: MACS VoiceProof
Price: Starts at $15/user
per year.
What it does: Provides
secure authentication and
data transmission for highrisk connections, such as
online banking.
Update: In the review of
Tesline-Service S.R.L.’s Rohos
Logon Key Server v2.7.6 in the
January issue, our reviewer
Michael Lipinski said the product does not support Windows 7.
This was based on his review of
the support materials and documents provided by the company,
as well as the company website,
where there was no mention of
Windows 7 support. However,
after publication, the vendor informed us that the product does
in fact support Windows 7 and
now has updated the documentation on its website to properly
indicate this.
Of all the areas of information security that have spawned a variety of tools and tool types, content management has got to be close to the top. Over the years we have had web firewalls, web content management (WCM) tools, email content management and content management in general. All of these have converged somewhat, but web content has become more focused.

Web content management includes managing all of those data flows that are related to surfing the web. Today that covers more than 70 percent of all end-user computing, according to some sources. Certainly the percentage is quite large regardless of what the specific number is. That means that there is a lot of opportunity to be exposed to web-borne mischief. Browser protection vendor Invincea estimates that web-borne threats are up 225 percent and that application layer exploits, particularly PDF exploits, were the leading cause of infections in 2009. Now it is 2011, and the prospects are not much better.

With that in mind, this web content management group was one of our largest over the past 12 months. We certainly can see why. But has the genre really changed so much? Mike Stephenson, SC lab manager, put the batch of products – 12 in all – through their paces and virtually all of them made good showings. However, the real improvements this year seem to be user-related areas, such as easier-to-use screen layouts, simpler policy management and better reporting.

Web content management systems often are deployed as gateways and really act as content filters or firewall-type products. The idea is that when something tries to enter the enterprise from the web, you should be able to identify it and remove it. Products vary in their remediation ability, but they vary little in their ability to catch malicious web-borne attacks. All seemed to us to be quite competent.

However, in the midst of the good news – appropriate pricing/feature sets, solid functionality, and more – there is a shadow. As the nature of web-based threats evolves to become far more complex than it was in the past, some security pros are asking if WCM is the right answer. For example, one comment that we have heard recently is that the level of web firewalls and WCM is about where anti-virus was 10 years ago, because of their dependence on signatures, reputation and blacklists/whitelists. That debate likely will rage for some time, but it may have merit.

Some companies have turned to isolated secure browsing networks, some have addressed the problem with sandboxes and virtual machines, and some have depended on the supposed security capabilities of the browser itself. This, really, is a case of two things: appropriate level of web security and understanding the problem in depth.

There may be times for extreme solutions to the web-based malware problem. And, arguably, those times may become far more frequent as time passes. However, today, as you will see, there is a pretty robust crop of WCM tools that are properly scaled. There also is a good set of more extreme tools if that is what you need or want. We recommend that you take a very close look at the tools featured in this issue and use that as your baseline going forward.

We can recommend just about any of these products and, as always, you need to know your situation before you can make a selection and deploy effectively. One of the potential problems with WCM tools is that they can be finicky beasts. So, deploying this gateway – along with anti-virus or other gateways – can be challenging. Given that, however, the lab tests went smoothly.

Fully effective on first power-up or not, the WCM batch that we saw were a solid group of performers and we recommend that you give them a close look. Analyze your network and your requirements and then go pick out the product that fits your particular needs. With a dozen players in the web content management market, it is a safe bet that you’ll find something that fits.
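The gateway decision flow described above (categorize the request, apply the policy for the user's groups, decide what to do with hosts the database has never seen, and scan content where the gateway can actually read it) can be made concrete with a small policy evaluator. This is an added illustration written for this page; it is not code from SC Magazine or from any of the vendors reviewed here, and every hostname, category, group and policy in it is constructed sample data. It also shows the limitation the article's critics raise: a filter that relies on lists and categories can only judge an HTTPS request by its hostname unless it also decrypts and scans the content.

```python
"""Toy web content gateway policy evaluator (added example, not vendor code).

All category entries, groups and policies below are constructed for the
illustration; a real gateway loads millions of categorized hosts and maps
groups to a directory such as Active Directory.
"""
from urllib.parse import urlparse

# Constructed category database: hostname -> category.
CATEGORY_DB = {
    "news.example.com": "news",
    "games.example.net": "gaming",
    "chat.example.org": "instant-messaging",
    "intranet.example.com": "business",
}

# Constructed per-group policies. "allow_hosts" is an explicit allow list that
# overrides that group's category blocks; "default_unknown" says what to do
# with a host the database has never categorized.
POLICIES = {
    "staff": {
        "block_categories": {"gaming", "instant-messaging"},
        "allow_hosts": set(),
        "default_unknown": "block",
    },
    "it-admins": {
        "block_categories": set(),
        "allow_hosts": set(),
        "default_unknown": "allow",
    },
}


def categorize(url):
    """Return (hostname, category or None).

    For HTTPS without TLS interception the hostname is all the gateway can
    see, so the lookup is by hostname only.
    """
    host = urlparse(url).hostname or ""
    return host, CATEGORY_DB.get(host)


def fetch_stub(url):
    """Constructed stand-in for retrieving the response body."""
    return b"CONSTRUCTED-BAD-SAMPLE" if "dropper" in url else b"<html>hello</html>"


def evaluate(url, groups, scanner=None):
    """Decide allow/block for one request and return a loggable decision.

    groups  - the requesting user's group memberships; any applicable group
              that blocks wins, so the most restrictive membership applies.
    scanner - optional callable(body) -> bool (True = malicious), standing in
              for the gateway's anti-virus engine. It only runs on content the
              gateway can read, i.e. plain HTTP here (no HTTPS interception).
    """
    host, category = categorize(url)
    scheme = urlparse(url).scheme
    decision = {"url": url, "host": host, "category": category,
                "action": "allow", "reason": "no policy matched",
                "content_scanned": False}

    for group in groups:
        policy = POLICIES.get(group)
        if policy is None:
            continue
        if host in policy["allow_hosts"]:
            decision.update(action="allow", reason=f"{group}: host on allow list")
            continue
        if category is None and policy["default_unknown"] == "block":
            decision.update(action="block", reason=f"{group}: uncategorized host")
            return decision
        if category in policy["block_categories"]:
            decision.update(action="block", reason=f"{group}: category {category} blocked")
            return decision

    # Content scanning applies only where the body is visible to the gateway.
    if scanner is not None and scheme == "http":
        decision["content_scanned"] = True
        if scanner(fetch_stub(url)):
            decision.update(action="block", reason="malware detected in content")
    return decision


if __name__ == "__main__":
    looks_bad = lambda body: body.startswith(b"CONSTRUCTED-BAD")
    for req in [("http://games.example.net/play", ["staff"]),
                ("https://unknown.example.io/", ["staff"]),
                ("https://news.example.com/dropper.exe", ["it-admins"]),
                ("http://news.example.com/dropper.exe", ["it-admins"])]:
        print(evaluate(req[0], req[1], scanner=looks_bad))
```

The last two requests in the demo are the point of the exercise: the same download is blocked over HTTP because the scanner sees the body, but passes over HTTPS because the hostname is in a permitted category and nothing else is visible. That is why the specification table for this group test lists HTTPS scanning and virus/spyware scanning separately from plain URL filtering.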
Specifications for web content management tools (● = yes, ○ = no)

Column key: Inline = deploys inline; Proxy = deploys as a proxy; Virus = scans traffic for viruses; Spyware = scans traffic for spyware; App = provides application protocol blocking; AD = integrates with Active Directory; IE / Firefox / Safari = supports Internet Explorer / Mozilla Firefox / Apple Safari.

Product                                        Inline  Proxy  Virus  Spyware  App  AD  IE  Firefox  Safari
Astaro Security Gateway 220 v8                   ●       ●      ●       ●      ●   ●   ●     ●       ●
Barracuda Web Filter 410 v4.4                    ●       ○      ●       ●      ●   ●   ●     ●       ●
Cyclope Internet Filtering Proxy v4.0            ●       ●      ○       ○      ○   ●   ●     ●       ●
EdgeWave iPrism Web Security v6.5                ●       ●      ●       ●      ●   ●   ●     ●       ●
GFI WebMonitor - Unified Protection Edition      ●       ●      ●       ●      ○   ●   ●     ●       ●
M86 Security Web Filter v4.0                     ●       ○      ●       ●      ●   ●   ●     ●       ●
Optenet WebSecure v6.4.300                       ●       ●      ●       ●      ●   ●   ●     ●       ●
Phantom Technologies iBoss Enterprise            ●       ●      ●       ●      ●   ●   ●     ●       ●
SonicWALL NSA 4500 v5.8                          ●       ○      ●       ●      ●   ●   ●     ●       ●
Sophos Web Appliance v3.3.6                      ●       ●      ●       ●      ●   ●   ●     ●       ●
SpamTitan Technologies WebTitan v3.5             ●       ●      ●       ●      ○   ●   ●     ●       ●
Trend Micro InterScan Web Security Virtual       ●       ●      ●       ●      ●   ●   ●     ●       ●

Astaro Security Gateway 220 v8
Vendor: Astaro
Price: $2,425 for up to 150 users
Contact: www.astaro.com

The Astaro Security Gateway includes several features, including URL filtering, gateway-based spyware and virus protection, application protocol blocking, such as IM and P2P, and HTTPS scanning.

We found this product to be easy to deploy and configure. The initial setup takes only a few minutes and is guided by a wizard at first login to the appliance web-based interface. This wizard helps set up the network configuration as well as an initial policy. At the completion of the wizard, the appliance is pretty much ready to go and further configuration can be done via the intuitive web-based interface.

This interface also serves as the way to manage the appliance. The administrator can easily tweak and deploy new policies, as well as set up Active Directory integration for more granular control. There are also several other authentication options available, including IP address, eDirectory support, LDAP and RADIUS. As for a filtering capability, this tool comes loaded with a solid database that covers 96 different web categories for solid control over prohibited and allowed content.

Documentation included an easy-to-follow quick start sheet, as well as a full administrator guide built into the appliance interface. The guide covered basic management of the appliance through advanced configuration of features. We found this guide to be easy to read with many screen shots and step-by-step instructions, as well as many configuration examples.

Astaro offers two subscription-based plans that include access to phone and email technical support, as well as free support through an online user forum. There is also an area on the website that includes documentation downloads, as well as other support resources, such as a knowledge base and instructional videos.

At a price just over $2,400 for up to 150 users, we find this product to be a good value for the money. The Astaro Security Gateway incorporates several solid features with easy management and granular control.

SC MAGAZINE RATING
Features: ★★★★★
Ease of use: ★★★★★
Performance: ★★★★★
Documentation: ★★★★★
Support: ★★★★★
Value for money: ★★★★✩
OVERALL RATING: ★★★★★
Strengths: Easy to set up with granular filtering controls.
Weaknesses: None that we found.
Verdict: Solid performer that has been around a bit. Just a bit pricey.

Barracuda Web Filter 410
Vendor: Barracuda Networks
Price: $3,999 with no per-user fees, plus Energize Updates: $1,099 for one year.
Contact: barracudanetworks.com

Like most of the other products in the category, the Barracuda Web Filter offers web content filtering as well as application blocking and protection from malware coming in at the gateway, but it also has several functions that appeal to the enterprise in terms of deployment options. This filter can be deployed as a standalone single appliance or as several across the various departments, and policy can be managed from a single unit. This appliance also features a downloadable agent that installs on employee laptops to ensure that even when employees are offsite they still adhere to the internet usage policies.

We found this product to be fairly simple to deploy and configure. The only slight downside to setting up the appliance is that everything is done manually without the use of wizards. With that said, the steps are easy and do not take very long to complete. The first part of the deployment is to connect a keyboard and monitor to the appliance to configure IP and network information. After the information has been entered, all further management is done through a web interface.

Documentation included a short quick-start guide illustrating the steps necessary to get the appliance up and running in the network, as well as a full administrator’s guide. The guide included many step-by-step configuration instructions, as well as a few diagrams but very little in the way of screen shots.

Barracuda offers three levels of support to customers. Each offers various options, including phone and email technical support, access to firmware updates and access to dedicated engineers.

At a cost just under $4,000 for the device, plus an annual subscription fee of around $1,100, this appliance may seem a little pricey, but we find it to be an excellent value for the money based on the fact that there are no per-user fees. It is really easy to use, as well as quite scalable for any environment.

SC MAGAZINE RATING
Features: ★★★★★
Ease of use: ★★★★✩
Performance: ★★★★★
Documentation: ★★★★✩
Support: ★★★★★
Value for money: ★★★★★
OVERALL RATING: ★★★★★
Strengths: Easy-to-use features and scalable deployment options.
Weaknesses: The addition of a deployment wizard would make the installation easier.
Verdict: Barracuda has been around a long time and builds a quality product. We’d like to see an updated installation procedure with configuration wizards to help speed the deployment process, though.
Cyclope Internet Filtering Proxy
Vendor: Cyclope
Price: $12 per user, with 50-99 user group, for one year, and 30 percent of purchase renewal after one year.
Contact: www.cyclope-series.com

The Cyclope Internet Filtering Proxy is an application that can be installed to a server within the environment to turn it into a web filter. This product is quite reminiscent of web proxies a few years ago, but it still provides some nice functionality and features. This product allows for web content filtering, as well as filtering file types, web objects and web extensions.

Installation is quite straightforward and requires nothing in the way of special hardware. The application itself can be installed on almost any Windows-based machine, which then acts as the server. Once the application is installed from the executable, all management is done through a simple web interface. This interface is quite intuitive to navigate, and we found it comfortable to use.

While this tool does not have a ton of features, it does offer some reasonable integration into the environment. Policy can be assigned using already existing users and groups in Active Directory, and the filter itself supports Internet Explorer, Firefox and Opera.

Documentation included installation and user guides, both in PDF format. The installation guide provided the steps to install the product, as well as how to configure the client machines to proxy through the server. The user guide provided a fairly good overview of how to manage and use the product. Both guides included several screen shots and were easy to follow.

Cyclope includes the first year of technical support in the purchase price of the product. Customers have access to phone, email and remote assistance during this period. After the first year, customers can purchase additional assistance via a support contract. Customers also can access an online knowledge base for free.

At a price of $12 per user, this product is an average value for the money. It is a web filter in the most literal terms of being a web filter: It gives some good basic functionality, but without very many bells and whistles.

SC MAGAZINE RATING
Features: ★★★✩✩
Ease of use: ★★★★★
Performance: ★★★★✩
Documentation: ★★★★✩
Support: ★★★★★
Value for money: ★★★✩✩
OVERALL RATING: ★★★★✩
Strengths: Easy to deploy with low overhead.
Weaknesses: Basic functionality.
Verdict: Good product that needs some more capabilities to play with the big boys and girls.
EdgeWave iPrism Web Security
Vendor: EdgeWave
Price: $18,250 for 1,000 users, including appliance, one-year subscription and one-year basic maintenance.
Contact: www.edgewave.com

The iPrism Web Security appliance from EdgeWave is designed with the enterprise environment in mind. This product boasts a solid feature set, including categorized web and application databases, a botnet database, dynamic anti-virus engine and dynamic application protocol classification. This tool also allows for the option of multiple deployed appliances, which can be managed centrally or stand by themselves.

We found deployment to be quite simple. The first step is done by connecting to the appliance with a computer and running the web-based setup wizard. This wizard not only allows for quick setup of the networking information, but also assists in creating a base policy. At the completion of the wizard, the appliance can be placed into the environment and can be set up to run in either proxy mode or inline and transparent.

This solution has a lot of flexibility built in for easy and configurable management. All administration is done via the easy-to-navigate, web-based interface. Policies can be easily configured based on the already existing Active Directory, eDirectory or Apple Open Directory users and groups in the enterprise, which allows for transparent integration with the already existing infrastructure.

Documentation included a paper quick-start guide, as well as several PDF user guides. The main one is the administrator guide, which illustrates how to configure and manage the appliance in an easy-to-read format.

EdgeWave includes basic support in the purchase price for customers. This includes access to phone-based technical assistance during business hours, as well as 24/7 email support.

At a price of $18,250 for 1,000 users, we find this product to be a good value for the money. The iPrism appliance offers a lot of functionality that is easy to manage at a reasonable price.

SC MAGAZINE RATING
Features: ★★★★★
Ease of use: ★★★★★
Performance: ★★★★★
Documentation: ★★★★★
Support: ★★★★★
Value for money: ★★★★★
OVERALL RATING: ★★★★★
Strengths: Highly configurable, enterprise-grade appliance.
Weaknesses: None that we found.
Verdict: For its well-rounded capabilities and value, we make this one our Recommended product this month.
GFI WebMonitor - Unified Protection Edition
Vendor: GFI
Price: $725 for 25 seats.
Contact: www.gfi.com

The GFI WebMonitor provides out-of-the-box protection that can be deployed as a standalone service or as a plug-in for Microsoft ISA Server. This tool features a web filter, as well as a scanning capability, to search for viruses, trojans, spyware and phishing sites, which it then blocks to keep these intrusions from coming into the network. WebMonitor scans web browsing traffic as well as file downloads for potential risks and, if a threat is found, it will seamlessly remove the infected file and notify the user.

This offering is installed from an executable and can be run from a Windows Server or client operating system. There is little overhead with this product so it does not require an overly powerful machine and it installs in just a few minutes. At the completion of the install, all management is done through a management application that we found to be fairly simple to navigate. The tree-based layout of the application is reasonably intuitive, and we found that it took only a few minutes to get comfortable with the interface.

This product offers a great amount of flexibility for such a small install. Many policies can be easily configured with just the click of a button or by checking a box. One thing that we really liked about the product was the main dashboard. This provides an excellent bird’s eye view of all web activity in near real time for up-to-the-minute statistics.

Documentation consisted of a full user manual that is accessible through the help menu after the product is installed. We found this guide to be well-organized and easy to follow.

GFI offers free support to customers for 30 days after the initial installation of the product. After 30 days, customers must purchase additional assistance through a support agreement.

At a price starting at $725 for 25 seats, this product can become expensive for larger environments, especially given that the price is for the software only. However, the GFI WebMonitor does offer some very nice capabilities, including several anti-virus scanning engines, so we find it to be a good value for the money.

SC MAGAZINE RATING
Features: ★★★★★
Ease of use: ★★★★✩
Performance: ★★★★★
Documentation: ★★★★★
Support: ★★★★★
Value for money: ★★★★✩
OVERALL RATING: ★★★★★
Strengths: Nice feature set with many configurable options.
Weaknesses: Slightly pricey for a software-only product.
Verdict: Definitely worth looking at if you can afford the overall cost of supporting hardware.
iBoss Enterprise Filter
Vendor: iBoss Web Filters, a division of Phantom Technologies
Price: $1,500 for the hardware/software, plus one-year activation/updates: $795.
Contact: http://iphantom.com

The iBoss Enterprise Filter includes a massive array of protection from web-based threats, as well as control over applications and web browsing. This appliance features a massive URL database along with gateway-level protection from spyware, malicious code and phishing attempts. Also featured is a large application protocol filter that can block IM, P2P, streaming media and various file types.

We found this product to be easy to deploy and configure. The initial configuration is done manually by connecting either through a console port or to the initial IP address of the appliance through a web browser. Once connected to the appliance, the IP and network information are entered and the device can be placed into the network. All further configuration and management is done via the web GUI. We found the interface to be quite intuitive to navigate due to a well-organized layout.

Configuration is also quite simple. The box comes loaded with a decent default filtering policy that can be tweaked to match the needs of the environment, or the administrator can choose to create custom policies. Policies can then be easily deployed using existing Active Directory or eDirectory groups and users, or by IP address.

Documentation included a short quick-install guide that provides the steps to get the appliance up and running in the environment. There is also a more in-depth deployment guide that includes these same steps but with more detail and screen shots.

Customers who purchase the iBoss Enterprise Filter receive basic phone and email technical support, as well as access to an online knowledge base and other resources at no cost.

At a price of $1,500, plus a $795-per-year activation fee, this product offers an excellent value for the money. The iBoss Enterprise Filter offers a nice feature set with easy-to-use controls for a reasonable cost.

SC MAGAZINE RATING
Features: ★★★★★
Ease of use: ★★★★★
Performance: ★★★★★
Documentation: ★★★★★
Support: ★★★★★
Value for money: ★★★★★
OVERALL RATING: ★★★★★
Strengths: Full feature set including a vast application control library.
Weaknesses: None that we found.
Verdict: Solid, priced right and full-featured, this one is our Best Buy this month.
Next
M86 Web Filter
Vendor M86 Security
Price
$24,415.
Contact www.m86security.com
he Web Filter from M86
is a highly configurable
web fi lter and reporting
engine designed for even the
largest of environments. This
product includes a web fi lter
that not only uses URLs and
keywords but also IP addresses
and packet footprint data from
a large library to stay up to date
on problem sites. It also features
a large list of more than 90
applications it can block, including IM and P2P applications.
Even though this appliance
has a highly comprehensive
feature set, it is still quite easy
to deploy and configure. The
initial configuration is done by
connecting a monitor and keyboard to the appliance itself and
running through a short textbased setup wizard. This wizard
helps set the IP and network
information, as well as the initial username and password, to
access the appliance through the
web GUI. After the setup wizard is complete, the web GUI
is accessed from a computer on
the network where a few minor
steps to complete initial configuration are done. From there the
appliance is up and running and
all further management is done
via the web-based interface.
This appliance features several
policy options, including the
T
Previous
GROUP TEST l Web content management
Optenet WebSecure
“X-Strikes” setting. With this
setting, administrators can create a policy-violation threshold
that will lock a user’s computer.
To unlock it they will need to
contact the administrator. The
M86 Web Filter also incorporates safe-search technology, as
well as advanced internet usage
policy controls.
M86 offers full, 24/7 support to customers as part of its
annual subscription service.
At a price of $24,415 for the
hardware, software, one year of
support and reporting for 1,000
users, this product is not inexpensive by any means. However,
we do fi nd it to be a solid value
for large environments that
require granular control and a
lot of flexibility.
SC MAGAZINE RATING
Features
★★★★★
Ease of use
★★★★★
Performance
★★★★★
Documentation
★★★★★
Support
★★★★★
Value for money
★★★★★
OVERALL RATING ★★★★★
Strengths Highly configurable,
feature-packed appliance.
Weaknesses Can be pricey for some
environments.
Verdict M86 is a venerable player
in this market with superior field
research and solid products. This
really deserves your attention if
you can afford a bit higher price tag
for WCM.
SonicWALL NSA 4500
Vendor SonicWALL
Price
$4,995 for appliance, plus
Vendor Optenet
Price
Subscription price with
standard support for 1,000
users: $10.20/user for one
year = $10,200.
Contact www.optenet.com
he WebSecure appliance
from Optenet offers a
multitude of deployment modes for the enterprise,
including proxy, bridge, sniffer,
ICAP and gateway or router
deployment. This appliance
features the Kaspersky Lab
anti-virus engine to protect the
environment from phishing and
malware before they come into
the environment.
Our appliance arrived pretty
much ready to go. The initial
setup involved connecting to the
appliance via the web GUI to
customize the IP and network
settings. The web-based interface was quite simple to navigate,
but it did take us a few minutes
to understand how policies were
configured and applied.
We did fi nd, however, that
this appliance comes preloaded
with a ton of preconfigured
policies, including a somewhat
overly tight “No Distractions”
policy. While we are all for preconfigured policy to help create
a starting point, we found this
one to block sites that may not
necessarily be distractions, such
as MSN, Microsoft’s portal.
T
44 • March 2011 • www.scmagazineus.com
With that said, this appliance
does have several other great
functions, such as application
control that can block IM, P2P,
remote access and several other
application protocols.
Documentation included a
short deployment guide and a
much more in-depth administrator guide.
At a price of $10,200 per year
for 1,000 users, this product is
quite expensive, especially considering you are only paying to
lease the hardware. We fi nd this
product to be an average value
for the money. While it does
have some nice features, it can
become quite costly as an ongoing charge.
SC MAGAZINE RATING
Features
★★★★★
Ease of use
★★★★✩
Performance
★★★★★
Documentation
★★★★★
Support
★★★★★
Value for money
★★★✩✩
OVERALL RATING ★★★★★
Strengths Nice feature set with
many preloaded policies already in
place out of the box.
Weaknesses Expensive: Annual
software cost starts at around $10
per user per year.
Verdict Pricey but solid.
$2,830 for CFS bundle for
one year
Contact www.sonicwall.com
he SonicWALL NSA 4500
is another in the line of
heavy, enterprise-grade
hardware. This appliance features highly configurable policy
controls and a ton of features.
If fully loaded, the NSA can
not only be a powerful content
fi lter but a full security gateway
as well. On the content fi lter
side, this appliance features the
SonicWALL content fi ltering
service, which leverages the SonicWALL dynamic database of
millions of URLs, IP addresses
and domains to block problematic content from being viewed
within the enterprise.
We found this solution to be
a straightforward install. The
appliance must be registered
via the SonicWALL website
before installation begins, but
that only takes a few minutes.
After registration is complete,
the appliance can be plugged
into the network and initial configuration can begin. The initial
configuration takes only a few
minutes as well.
At the completion of the setup
wizard, the real configuration
takes place. This is all done
through the web-based interface,
and getting some of the configuration completed is slightly
confusing. It is here where zones
T
must be created and policies
configured. The good news is
that this product offers high flexibility and can be configured to
meet the requirements of almost
any environment.
This appliance comes with a very nice getting-started guide, as well as an in-depth administrator guide. The getting-started guide offers more than just a few steps to get the appliance turned on. This guide features clear, step-by-step instructions to also get a basic configuration in place, as well as how to activate all the various services on the appliance.
At a price just shy of $8,000 for both the hardware and a year of the content filtering service, this product is a good value for the money. The SonicWALL NSA can provide a great amount of flexible functionality for a decent price.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★✩
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★
Strengths Highly configurable policies to meet the needs of any environment.
Weaknesses Advanced configuration can be slightly confusing.
Verdict SonicWALL always has been one of our favorites. Bring your security engineer to the demo, though. It may need their support.
GROUP TEST | Web content management
Sophos Web Appliance
Vendor Sophos
Price $2,495 hardware, plus $18.33 per user.
Contact www.sophos.com
The Sophos Web Appliance features a solid URL and reputation filter that uses more than 50 different categories to scan web pages, as well as real-time malware scanning to protect the enterprise from several web-based threats. By scanning the content of the file rather than just the file extension, this appliance also has the ability to scan many various file types for threats.
Deployment of this appliance is quite easy. When the appliance is plugged into the network and a web browser on a network-connected machine connects to it for the first time, the appliance launches a short setup wizard. This wizard not only helps set IP and network configuration but also assists in setting up a base policy. At the completion of the wizard, the appliance registers with Sophos and downloads the latest software updates so that as soon as it reboots it is ready to go.
All management is done through the web GUI. We found this GUI to be intuitive to navigate, with a very clean and organized layout. Along with this layout is a well-put-together dashboard with current statistics, such as web traffic and recently blocked sites and viruses. The default policy established at the initial setup is solid but can be tweaked, or a new custom policy added, easily.
March 2011 • www.scmagazineus.com • 45
Documentation included a short setup guide, as well as an installation guide and a help document. We found the setup and installation guides to be nicely put together with clear step-by-step instructions and screen shots, but the appliance help file was very basic and included no screen shots.
Sophos offers standard support to all customers, and that includes 24/7/365 phone and email technical assistance, as well as other resources.
At a price just under $2,500 for the appliance itself, and then $18 per user, this could become pricey for larger environments. However, the tool does offer some very solid out-of-the-box functionality that is easy to manage, which is why we find it to be a good value for the money.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★✩
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★
Strengths Easy setup and deployment, and good out-of-the-box policy.
Weaknesses Can become quite pricey for large-scale deployments.
Verdict This is a solid tool that comes at a price.
SpamTitan Technologies WebTitan
Vendor SpamTitan Technologies
Price $850 per year for 50 users.
Contact www.spamtitan.com
WebTitan from SpamTitan Technologies has changed and matured over the years to become quite a comprehensive web management appliance. It can either be downloaded as an installation to a bare metal server or installed in a VMware ESX environment as a virtual machine through which users proxy for internet browsing.
We chose to install on a bare metal server from the downloadable installation ISO. The installation of the operating system itself was quick and easy, and we were up in about 15 minutes. From there, the rest of the deployment is completely manual with no help from a setup wizard. However, the documentation does a good job of outlining the steps to get the appliance up and running.
The appliance comes with a nice default policy ready to go that can serve as an excellent starting point for policy configuration. However, an administrator can create custom policies quickly and easily through the interface, as most settings follow an on-or-off pattern.
Documentation included a quick-start guide for installing the operating system, as well as a quick-start guide outlining the initial configuration.
Customers purchasing WebTitan receive full technical support as part of the annual subscription price. This includes phone assistance during working hours and 24/7 email support, as well as access to an online knowledge base and user forum.
At a price starting at $850 for a 50-user license for one year (including support), this product is a good value for the money. While you may have to purchase the hardware, the system can run on a mid-level server, so the cost will not be overly high. We find this tool combines a good feature set with very easy-to-use controls.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★✩
Performance ★★★★✩
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★
Strengths Easy to configure policies and simple to manage.
Weaknesses No deployment wizard.
Verdict Not quite as easy to set up as we’d like, but certainly well done once you get it going.
Trend Micro InterScan Web Security Virtual Appliance
Vendor Trend Micro
Price $15.82 per seat for 1,001-2,000 users.
Contact http://us.trendmicro.com
The Trend Micro InterScan Web Security Virtual Appliance and the Advanced Reporting and Management module work together to become a serious web security and reporting tool. The appliance itself features the ability to handle security risks, such as malware, viruses and spyware, while allowing administrators to construct granular web policy that is transparent to the user. This, combined with the Advanced Reporting and Management Server, can provide in-depth analysis of enterprise-wide internet usage.
This appliance can be deployed either as a virtual machine in an ESX environment or as a bare metal server installation. When installed to a server, the appliance can support transparent bridge mode, proxy mode, WCCP and ICAP deployments, which give an excellent amount of flexibility. The install itself is quite straightforward. After install is complete, all configuration and management is done through an easy-to-use, web-based interface. The installation of the reporting server follows the same steps as the appliance, and when installation is complete it can be connected to the appliance to begin managing the reporting capabilities.
Documentation included well-organized installation and administrator guides. These featured a few screen shots, although more would be helpful.
Trend Micro includes no-cost basic phone and email technical support eight-hours-a-day/five-days-a-week with purchase. Users also can access an online support area with a knowledge base, technical documentation and other resources. As well, customers can purchase premium support packages at an additional cost.
At a price of just under $16 per seat for just the license before any hardware is purchased, this solution can be an expensive investment. However, we find it to be a good value for the money based on its comprehensive and easy-to-manage feature set and multiple deployment flexibility.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★✩
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★
Strengths Several deploy methods, and the tool can be installed as a virtual server in VMware ESX.
Weaknesses Can be expensive if actual hardware is chosen. Documentation could use more screen shots.
Verdict Well thought-out product that could use a tad more sophistication in the documentation.
2011 SC Awards U.S.
Feb. 15, 2011 • San Francisco
Contents
The Judges .............................................................................. 49
The Sponsors .......................................................................... 50
Reader Trust Awards
Best Anti-Malware Gateway .................................................... 51
Best Anti-Malware Management ........................................... 51
Best Computer Forensics Tool ................................................52
Best Data Leakage Prevention ................................................52
Best Email Content Management ...........................................53
Best Email Security ..................................................................53
Best Endpoint/UTM Security..................................................54
Best Enterprise Firewall ...........................................................54
Best Identity Management Application ..................................55
Best Integrated Security-UTM Product ..................................55
Best IDS/IPS Product ..............................................................56
Best IPsec/SSL VPN ................................................................56
Best Managed Security Service ..............................................57
Best Mobile/Portable Device Security ...................................57
Best Multifactor Product .........................................................58
Best Policy Management Application .....................................58
Best Security Information/Event Management (SIEM) Appliance...........................................59
Best Vulnerability Management Tool ......................................59
Best Web Application Firewall ................................................ 60
Best Web Content Management Product.............................. 60
Excellence Awards
Best Enterprise Security Solution ........................................... 61
Best Regulatory Compliance Solution.................................... 61
Best Security Company...........................................................62
Best SME Security Solution ....................................................62
Rookie Security Company of the Year.....................................63
Professional Awards
Best Professional Certification Program ................................63
Best Professional Training Program ....................................... 64
Best Security Team ................................................................. 64
CSO of the Year ........................................................................65
Editor’s Choice Award ..............................................................65
EDITORIAL
EDITOR-IN-CHIEF Illena Armstrong
SENIOR EVENTS MANAGER Natasha Mulla
Innovation evolution
Any organization’s success is reliant more than ever before on a range of technologies. To neglect messaging to customers through social media is marketing suicide. Failing to arm staff with iPhones, Androids or BlackBerries is productivity folly. Missing chances to educate constituents through the corporate website is a dissemination misstep. So, too, however, is the failure to safeguard all these networking avenues on which we all have come to depend.
Cybercriminals, after all, are experiencing huge profits through these same forms of communication. Web application attacks, social engineering and any number of other online assaults are happening with a frequency never seen before. That’s because today’s savvier cyberattacker understands just as well as any leading business executive that the way to enhance the good ole’ bottom line is by taking advantage of the leading edge in business operations. And, we mustn’t forget the exposures of customer data or intellectual property being made by disgruntled and laid-off employees during economic recessions.
With still more schemes, no doubt, being devised, information security professionals are key to keeping businesses safe, customer and consumer information protected, and the overall critical infrastructure of the country running smoothly and soundly.
The SC Awards U.S. takes pride in celebrating these individuals for their embrace of innovation and technological advancement and, ultimately, their seemingly unfaltering tenacity that we honor each year through our Reader Trust, Excellence and Professional Awards categories. While the first of these categories is decided by faithful SC Magazine readers from the end-user community, the Excellence and Professional Awards are judged by a specially chosen panel selected for their industry expertise and long-standing experience.
The professionals, companies and solutions we call out tonight represent the best of the information security marketplace. Just as the technological landscape in which we all seem to be thriving continues to evolve, so too have these leading industry minds. It is our honor to extend congratulations to them all.
– Illena Armstrong, editor-in-chief, SC Magazine
WESTERN REGION SALES MANAGER Matthew Allington (415) 346-6460
EVENTS COORDINATOR Anthony Curry
NATIONAL ACCOUNT MANAGER EVENT SALES Mike Alessie (646) 638-6002
U.S. SALES
SALES/EDITORIAL ASSISTANT Brittaney Kiefer (646) 638-6104
VP OF PRODUCTION Louise Morrin
ADVERTISING DIRECTOR David Steifman (646) 638-6008
GROUP CIRCULATION MANAGER Sherry Oommen (646) 638-6003
SENIOR PRINT & DIGITAL CONTROLLER Krassi Varbanov
EASTERN REGION SALES MANAGER Mike Shemesh (646) 638-6016
EXECUTIVE EDITOR Dan Kaplan
MANAGING EDITOR Greg Masters
REPORTER Angela Moscaritolo
DESIGN AND PRODUCTION
ART DIRECTOR Brian Jackson
MANAGEMENT
MANAGING DIRECTOR Lisa Kirk
CHAIRMAN William Pecover
DEPUTY MANAGING DIRECTOR Tony Keefe
The Judges
CO-CHAIR Illena Armstrong is editor-in-chief of SC Magazine. She and her team have received 19 ASBPE Awards for excellence.
CO-CHAIR Greg Bell is global services leader, information protection and business resiliency, at KPMG LLP.
CO-CHAIR Mark Weatherford is VP/CSO at NERC. He received the 2010 CSO of the Year award from SC Magazine.
Dennis Brixius serves as VP & CSO of The McGraw-Hill Companies. He received the 2007 CSO of the Year award from SC Magazine.
Dave Cullinane is CISO and VP at eBay. Formerly, he was CISO for Washington Mutual.
Jerry Dixon is director of analysis for Team Cymru.
Thomas Dunbar manages XL Group’s information risk management. He received the 2006 CSO of the Year award from SC Magazine.
Gene Fredriksen is the senior director and global information security officer for Tyco International.
Stephen Fridakis is the chief, IT programs & quality assurance division of IT solutions & services (ITSS), at UNICEF.
Jonathan Gossels is president of SystemExperts Corp., a provider of IT compliance and IT security consulting services.
Renee Guttmann is VP, information security and privacy officer at Time Warner.
Stacey Halota is VP, information security and privacy, at The Washington Post Co. She received the 2009 CSO of the Year award from SC Magazine.
Maurice Hampton is information security and privacy services leader at Clark Schaefer Consulting.
John Johnson is security program manager at John Deere. He is a frequent speaker at industry events.
Steve Katz is president of Security Risk Solutions. He has been called the grandfather of all CISOs for his early work at Citigroup.
Charles Kolodgy is a research vice president for IDC’s security products service.
Daniel Lohrmann is Michigan’s CTO. He was named 2008 CSO of the Year by SC Magazine.
Bob Maley is a principal at Inceptara. Formerly, he was CSO of the state of Pennsylvania.
Jim Maloney is president and CEO of Cyber Risk Strategies, providing IT risk management services to CSOs and CIOs.
Randolph Sanovic has been an information security professional since 1974, working at Mobil, United Healthcare and General Motors.
Stephen Scharf is SVP and global CISO for Experian.
Jody Westby is CEO of Global Cyber Risk and also serves as distinguished fellow for Carnegie Mellon CyLab.
The Sponsors
SC Magazine would like to thank all of our sponsors for their generous support of the 2011 SC Awards U.S. Their involvement has made this event possible, which helps raise professional standards in the information security industry worldwide.
ArcSight (www.arcsight.com): ArcSight, an HP company, is a leading global provider of cybersecurity and compliance solutions.
Cisco (www.cisco.com): Cisco security balances protection and power to deliver secure collaboration. With Cisco, customers can connect, communicate and conduct business securely while protecting users, information, applications and the network.
Entrust (www.entrust.com): Entrust IdentityGuard enables organizations to layer security – according to access requirements or the risk of a given transaction – across diverse users and applications.
nCircle (www.ncircle.com): nCircle is the leading provider of automated security and compliance auditing solutions. More than 4,500 enterprises, government agencies and service providers around the world rely on nCircle’s proactive solutions.
NetWitness (www.netwitness.com): NetWitness provides the world’s most powerful real-time network security analysis platform. NetWitness helps organizations detect, prioritize and remediate complex IT risks that are invisible to other technologies.
Qualys (www.qualys.com): Qualys is the leading provider of on-demand IT security risk and compliance management solutions delivered as a service. Qualys’ software-as-a-service solutions are deployed in a matter of hours anywhere in the world.
Symantec (www.symantec.com): Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information and identities.
Teleperformance (www.teleperformance.com): The world’s leading provider of outsourced CRM and contact center services has been developing and managing customer acquisition, customer care, technical support and debt collection programs for companies around the world.
Reader Trust Award
BEST ANTI-MALWARE GATEWAY
WINNER Cisco Systems for Cisco Web Security
www.cisco.com/go/security
Cisco Web Security enables organizations to fully capture the potential of the web as a collaboration and productivity tool while mitigating its risks, protecting users from malware delivered via the web while enforcing acceptable use and data security policies.
A multilayer threat defense protects users from malware, while Web Reputation and Outbreak Intelligence – powered by the Cisco Security Intelligence Operation – combine with multiple anti-malware engines to provide leading protection and accuracy against both known and zero-hour threats.
The solution provides several business advantages, including predictable cost models, with flexible choice between opex and capex; improved user productivity, enabling choice and mobility, reducing productivity lost to malware, and controlling how the web is used; and the ability to securely enable social networking and media, bringing new marketing opportunities and improving employee retention while mitigating security risk.
In addition, the tool offers several technical advantages, including security accuracy as the Cisco SIO combines with multiple third-party AV/AMW signature engines; high performance/low latency for the best user experience; simple deployment, with a choice of deployment options; reduction in complexity for distributed enterprises; and reduction in management/maintenance requirements.
Cisco Web Security customers have consistently reported a two to three times reduction in end-user malware infections when replacing a competitive solution.
Finalists 2011
• Cisco for Cisco Web Security
• M86 Security for M86 Secure Web Gateway
• McAfee for McAfee Web Gateway Anti-malware
• Sophos for Sophos Web Security Appliance
• Websense for Websense Web Security Gateway
Reader Trust Award
BEST ANTI-MALWARE MANAGEMENT
WINNER McAfee for McAfee Endpoint Protection Suite
www.mcafee.com
McAfee Endpoint Protection includes sophisticated anti-malware protection to protect companies from the various vectors that cybercriminals use to infect endpoints and steal data. This solution includes a number of technologies to stop viruses, trojans, rootkits, spyware, adware, spam, phishing attacks and other malware. It provides a set of layered technologies that are deployed on the endpoint or email servers to prevent malware from infecting endpoints.
This tool includes multiple technologies to provide a layered protection scheme to stop malware that differentiates it from competitors. McAfee’s virus-scanning solution includes buffer overflow protection to stop buffer overflow attacks, access protection rules to limit/stop damage from malware, and on-access caching to speed up malware scanning performance. Finally, it includes anti-spam and anti-malware protection that is deployed on the email server (Domino or Exchange) to provide another layer of protection. All this technology is managed by a single integrated management console, making it easy and more cost effective to manage.
This solution helps surpass corporate budgetary requirements by allowing a customer to purchase a competitively priced suite of technologies that provides complete protection against all malware. This solution not only comes with complete malware protection, it also includes a desktop firewall, device control and anti-spam for email servers. This added protection eliminates the need to purchase other standalone products from McAfee or other vendors, allowing companies to consolidate and save.
Finalists 2011
• ESET for ESET NOD32 Antivirus 4
• Kaspersky Lab Americas for Kaspersky Open Space Security
• McAfee for McAfee Endpoint Protection Suite
• Microsoft for Forefront Client Security
• Sophos for Sophos Endpoint Security and Data Protection
Tenable Network Security (www.tenable.com): Tenable Network Security is a privately held company founded in 2002 by security product innovators Ron Gula, Renaud Deraison and Jack Huffard.
Tripwire (www.tripwire.com): Tripwire is a leading global provider of IT security and compliance automation solutions. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages.
Reader Trust Award
BEST COMPUTER FORENSICS TOOL
WINNER Guidance Software for EnCase Forensic
www.guidancesoftware.com
The computer is an infallible witness. It cannot lie. Digital evidence contains an unfiltered account of a suspect’s activities, recorded in his or her direct words and actions. This type of evidence can provide the pivotal data investigators need to turn an open investigation into an open and shut case. In order to obtain and analyze this information in a rapid, cost-effective manner, investigators need a solution to help them produce evidence for existing charges, identify accomplices, add to charges and provide leads for other unsolved investigations.
EnCase Forensic provides investigators with a powerful platform that collects digital data, performs analysis, reports on findings and preserves them in a court-vetted, forensically sound format.
Organizations that use EnCase Forensic as their standard investigation solution experience a significant increase in productivity, which equates to decreased cost per investigation. Without EnCase Forensic, investigators must spend countless hours combing through mountains of data, searching for information that may be relevant to their investigation. By using EnCase Forensic, an investigator can automate the laborious process into a few simple steps. EnCase Forensic can search and collect evidence from vast datasets with unparalleled speed and accuracy.
With EnCase Forensic’s ability to acquire data from most commonly used operating systems and to perform disk-level forensics on the acquired data efficiently, organizations are able to reach case resolution faster than ever before. Now organizations can complete more casework with the same number of resources.
Finalists 2011
• AccessData Group for Forensic Toolkit (FTK)
• ArcSight for ArcSight Logger
• Guidance Software for EnCase Forensic
• NetWitness for NetWitness NextGen 9.5
• Quest Software for Quest ChangeAuditor
Reader Trust Award
BEST DATA LEAKAGE PREVENTION
WINNER Symantec for Symantec Data Loss Prevention
www.symantec.com
Symantec Data Loss Prevention (DLP) delivers a unified solution to discover, monitor and protect confidential data wherever it is stored or used. Symantec offers comprehensive coverage of confidential data across endpoint, network and storage systems – whether the users are on or off the corporate network. By measurably reducing risk, Symantec gives organizations new confidence to demonstrate compliance while protecting their customers, brand and intellectual property.
Symantec Data Loss Prevention 10.5 is the current version of Symantec’s leading data security suite, which enables the use of social media while guarding against data loss. The tool protects information in private clouds and helps organizations take ownership of unstructured data, such as documents, spreadsheets and email. Symantec DLP 10.5 provides companies with a defense-in-depth approach to their security strategy and provides content-aware data leakage prevention capabilities.
The tool enables compliance so organizations can pass audits. Merchants and agents that fail to comply with the Payment Card Industry (PCI) Standard face potential fines from the major credit card companies, as well as possible termination of their ability to process credit card transactions.
Further, the solution enables the maintaining of brand reputation and customer trust. Data breaches result in churn or turnover of customers. The industries with the highest churn rates are pharmaceuticals, communications and health care (6 percent), followed by financial services (5 percent).
Finalists 2011
• Cisco Systems for Cisco IronPort Email DLP
• McAfee for McAfee Data Loss Prevention (DLP)
• RSA Security for RSA Data Loss Prevention (DLP) Suite
• Symantec for Symantec Data Loss Prevention
• Trend Micro for Trend Micro Data Loss Prevention
Reader Trust Award
BEST EMAIL CONTENT MANAGEMENT
WINNER Symantec for Symantec Brightmail Gateway
www.symantec.com
Symantec Brightmail Gateway delivers comprehensive inbound and outbound messaging security, with effective and accurate anti-spam and anti-virus protection, advanced content filtering, data loss prevention and email encryption. It is simple to administer and catches more than 99 percent of spam with less than one in a million false positives.
Real-time automatic anti-spam and anti-virus updates leverage the Symantec Global Intelligence Network, with more than 120 million anti-virus sensors, 240,000 firewall and intrusion detection sensors, managed security deployments, and Symantec’s patented Probe Network of more than 2.5 million decoy accounts.
Symantec Brightmail Gateway has helped customers save thousands of IT dollars and hours of lost productivity each year by effectively blocking spam, reducing downtime due to malware and other threats, and protecting against data breaches. By blocking threats at the gateway, the solution preserves internal network and server capacity. With more than 90 percent of spam blocked at connection time, Brightmail Gateway dramatically reduces the size of spam quarantines. Automated updates and intuitive management mean that email administrators do not need to spend time actively managing email security.
According to projections by market intelligence and advisory services firm IDC, Symantec is the market share leader in the overall messaging security market, with 22.8 percent market share as of 2008. Deployments for Symantec Brightmail Gateway have grown by more than 35 percent over the last year.
Finalists 2011
• Cloudmark for Cloudmark DesktopOne
• McAfee for McAfee Web SaaS
• Proofpoint for Proofpoint
• Sophos for Sophos Email Security Appliance
• Symantec for Symantec Brightmail Gateway
Reader Trust Award
BEST EMAIL SECURITY
WINNER Sophos for Sophos Email Security Appliance
www.sophos.com
Email security has evolved well beyond the essentials of providing anti-spam and anti-malware filtering to now taking responsibility for the confidentiality, integrity and authenticity of electronic mail traffic, while also being expected to guard against the leakage of sensitive data. The Sophos Email Appliance provides best-of-breed email security and data protection by integrating all these critical capabilities into a single, easy-to-manage appliance.
“From an overall feature and performance perspective, the Sophos solution was definitely one of the most impressive appliances at this particular price point,” said SC Magazine Technology Editor Peter Stephenson in his Group Test review of the tool in the March 2010 issue.
The appliance includes protection against the latest zero-day threats and spam using reputation filtering, in-the-cloud lookups and advanced malware protection. As well, Sophos SPX Email Encryption seamlessly integrates with the Sophos DLP engine to provide email encryption.
Prepackaged intelligence provides hundreds of sensitive data types across several regions, available out-of-the-box with updates managed by SophosLabs.
Administrators can easily import data definitions from the Sophos data leakage prevention (DLP) engine for consistent policy at the desktop and easy customization of sensitive data types. Content management policy setup is simple using wizards to assist in scanning email content for sensitive data, as well as to log, flag, quarantine and encrypt messages.
Finalists 2011
• Cisco Systems for Cisco IronPort Email Security
• DataMotion for SecureMail
• SonicWALL for SonicWALL E-Class ESA ES8300
• Sophos for Sophos Email Security Appliance
• Symantec for PGP Universal Gateway Email
• Webroot for Webroot Email Security Service
2011 SC AWARDS U.S.
Reader Trust Award

BEST ENDPOINT/UTM SECURITY
WINNER
Symantec for Symantec Endpoint Protection 11.0
www.symantec.com

As the internet threat landscape has evolved over the past few years to become more complex and insidious, cybercriminals are now primarily motivated by financial gain instead of simply achieving notoriety. They are therefore using increasingly stealthy, sophisticated and organized attacks. Mitigating security risks is more challenging for corporations due to heterogeneous technologies, increasing threats and vulnerabilities, organizational alignment, expanding regulatory scopes and budget constraints.

Symantec Endpoint Protection (SEP) features a number of advanced threat prevention technologies to deliver an unmatched defense against malware for laptops, desktops and servers. It delivers advanced technology to protect against today’s sophisticated threats and threats not seen before. It includes proactive technologies that automatically analyze application behaviors and network communications to detect and actively block threats. It also provides device and application control features to manage actions and secure data.

SEP leverages other leading security technologies and IT investments organizations may already have in place, including leading software deployment tools, patch management tools and security information management tools.

SEP delivers a lower total cost of ownership by reducing administrative overhead. Symantec Global Services offers a range of services that guide customers through the migration, deployment, operation and management of SEP and help them realize the full value of their investment.

Finalists 2011
• Check Point Software Technologies for Check Point UTM-1
• McAfee for McAfee Total Protection for Endpoint, Enterprise Edition
• Sophos for Sophos Endpoint Security and Data Protection
• Symantec for Symantec Endpoint Protection 11.0

BEST ENTERPRISE FIREWALL
WINNER
Cisco Systems for Cisco ASA 5585-X
www.cisco.com

The increasing need for users to access dynamic real-time content from multiple sources, coupled with the requirement to access data anytime, anywhere and from a wide range of devices, has placed extraordinary demands on network speed, as content is pulled from multiple sources, yet expected by users in “real-time.” In response, enterprise data centers have grown exponentially over the past several years to keep pace with the increasing demands for network connectivity.

Moreover, compliance, data security and fear of the unknown have led to Band-Aid fixes applied to the old data center scheme. Data centers need to deliver high-performance connectivity, while ensuring those connections remain secure.

Many data centers are now full, and therefore require more efficient methods to deliver secure, high-performance connectivity. The Cisco ASA 5585-X fills this need by delivering unprecedented scalability, superior performance and leading-edge security – in a compact, 2RU form factor.

The Cisco ASA 5585-X combines a proven firewall with a comprehensive IPS and a high-performance VPN. The ASA 5585-X hardware delivers 8X the performance density of competitive firewalls by supporting the highest VPN session counts, twice as many connections per second, and 4X the connection capacity of competitive firewalls to meet the growing needs of today’s most dynamic organizations – all in a compact 2RU footprint. Additionally, the ASA 5585-X provides the option to have a fully integrated chassis, or to integrate additional services as the needs of the business grow.

Finalists 2011
• Cisco Systems for Cisco ASA 5585-X
• Fortinet for FortiGate-3950B
• McAfee for McAfee Firewall Enterprise
• Palo Alto Networks for Palo Alto Networks PA-4000 Series next-generation firewalls
• SonicWALL for SonicWALL E-Class Network Security Appliance (NSA) E8500

BEST IDENTITY MANAGEMENT APPLICATION
WINNER
IBM for IBM Tivoli Identity and Access Assurance
www.ibm.com

IBM Tivoli Identity and Access Assurance provides efficient and compliant access for the right people to the right resources at the right time. It centralizes and automates management of users, authentication, access, audit policy and provisioning of user services, then closes the loop with industry-leading capabilities for monitoring user activity and detecting and correcting situations out of compliance with security policy.

It provides ID management from on-boarding users and assigning appropriate access rights, to changing user roles and modifying privileges, to terminating user access rights at the end of the user lifecycle. Access management provides secure authentication of users, including unified SSO (enterprise, web, federated), and enforces access policies once the user has been authenticated. User compliance auditing enables monitoring, auditing and reporting on user activity, helping facilitate compliance with organizational policies and regulatory mandates, and reducing the risk of internal threats by monitoring users for abnormal behavior.

The tool is unique in supporting Private Desktop, which maintains multiple secure desktops, one per kiosk user. And, it is integrated with a comprehensive security portfolio, including data and application security. Also, the tool helps reduce costs for managing accounts, groups, policies, credentials and access rights throughout the user lifecycle with a single-vendor solution that reduces TCO and complexity. Organizations can better manage risk with automated audit reporting and the security compliance dashboard.

Al Zollar, IBM general manager of Tivoli Software

Finalists 2011
• CA Technologies for CA Identity Manager
• IBM for IBM Tivoli Identity and Access Assurance
• Microsoft for Forefront Identity Manager 2010
• NetIQ for NetIQ Identity & Access Management Solution
• Novell for Novell Identity & Access Management

BEST INTEGRATED SECURITY-UTM PRODUCT
WINNER
SonicWALL for SonicWALL NSA 2400MX
www.sonicwall.com

Businesses require robust security to protect against today’s emerging and varied threats. They also need flexible switching to communicate effectively in a fast-paced global marketplace. The SonicWALL NSA 2400MX makes achieving both of these goals possible in one easy-to-use, affordable, consolidated solution.

With more threats to protect against and decreasing budgets and staff to work with, the 2400MX provides IT managers with a cost-effective solution that features real-time comprehensive network protection, high-speed intrusion prevention, file and content inspection, and powerful application control capabilities, all without compromising network performance. The 2400MX delivers comprehensive security. It offers high-speed performance that removes the network bottleneck, and flexibility with intelligent switching capabilities to fit any small- and medium-sized or distributed organization.

The SonicWALL Network Security Appliance (NSA) 2400MX overcomes the limitations of existing security solutions by scanning the entirety of each packet for all known internal and external threats in real time. Built on a high-speed multi-core processing platform, the NSA 2400MX provides deep packet inspection without adversely impacting the performance of mission-critical networks and applications.

The NSA 2400MX features SonicWALL’s Clean VPN deep packet inspection architecture. This ensures decontamination of mobile user and branch office traffic, preventing vulnerabilities and malicious code from being introduced into the corporate network.

Finalists 2011
• Astaro Internet Security for Astaro Security Gateway
• Fortinet for FortiGate-1240B
• NETGEAR for NETGEAR ProSecure UTM25
• SonicWALL for SonicWALL NSA 2400MX
2011 SC AWARDS U.S.
Reader Trust Award

BEST IDS/IPS PRODUCT
WINNER
Sourcefire for Sourcefire IPS (based on Snort)
www.sourcefire.com

The Sourcefire IPS, based on the Snort detection engine, provides organizations with comprehensive protection against today’s sophisticated and evolving threats. Organizations rely on Sourcefire to protect their networks from malicious attacks and emerging threats. This year, Sourcefire has enhanced its IPS to address new and evolving attacks and vulnerabilities, providing customers with the visibility and intelligence-driven data necessary to proactively combat today’s threats.

One of the greatest advantages of the Sourcefire IPS is the knowledgeable community of more than 300,000 open source Snort users, who contribute up-to-the-minute intelligence on new and evolving threats. With the knowledge of the global open source community, and the expertise of the Sourcefire Vulnerability Research Team (VRT), the company regularly leads the industry in protecting users from new vulnerabilities and emerging threats.

Recently, in an independent test of leading IPS solutions conducted by NSS Labs, Sourcefire earned the highest security effectiveness score, stopping 90 percent of all attacks after tuning. In addition, the Sourcefire IPS delivered 95 percent of the advertised performance using a real-world traffic mix.

One testimonial came from Jeff Sherwood, a security professional formerly at H&R Block, where he implemented the Sourcefire IPS. He spoke at the 2010 Gartner Security Summit about how Sourcefire’s adaptive network security tools helped drive down compliance costs.

Finalists 2011
• Check Point Software Technologies for Check Point IPS Software Blade
• Cisco for Cisco Intrusion Prevention System
• HP TippingPoint for HP TippingPoint IPS
• McAfee for McAfee Network Security Platform
• Sourcefire for Sourcefire IPS (based on Snort)

BEST IPSEC/SSL VPN
WINNER
Cisco Systems for Cisco ASA Secure Remote Access solution
www.cisco.com/go/vpn

The Cisco ASA Secure Remote Access solution gives IT administrators a single point of control to assign granular access based on both user and device. It provides full and controlled client-based network access to web-based applications and network resources for a highly secure, flexible remote access deployment with the AnyConnect Secure Mobility client, the Cisco VPN Client, and third-party VPN clients, including those from Microsoft and Apple.

The AnyConnect client raises the bar by making the experience more seamless and more secure than ever. The client provides a secure connectivity experience across a broad set of laptop and mobile devices, including Apple iPhones. As mobile workers roam to different locations, an always-on, intelligent VPN enables AnyConnect to automatically select the most optimal network access point and adapt its tunneling protocol to the most efficient method, such as the Datagram Transport Layer Security (DTLS) protocol for latency-sensitive traffic, including VoIP traffic or TCP-based application access.

Robust posture assessment capabilities protect the integrity of the corporate network by restricting VPN access based on an endpoint’s security posture. Prior to establishing connectivity, a system may be validated for compliance with various anti-virus, personal firewall, or anti-spyware products, and may undergo additional system checks. An advanced endpoint assessment option is available to automate the process of remediating out-of-compliance endpoint security applications.

Finalists 2011
• Cisco Systems for Cisco ASA Secure Remote Access solution
• Citrix Systems for Citrix Access Gateway
• F5 Networks for BIG-IP Edge Gateway
• Juniper Networks for SA Series SSL VPN Appliances
• SonicWALL for SonicWALL Secure Remote Access (SRA) EX7000

BEST MANAGED SECURITY SERVICE
WINNER
SecureWorks for SecureWorks Managed Security Services
www.secureworks.com

SecureWorks provides nearly 3,000 clients with a comprehensive set of integrated managed security services and cutting-edge research to successfully combat current and emerging cyberthreats. SecureWorks’ solutions include a full suite of web application protection services, as well as managed services for firewalls, network IDS/IPS, UTM appliances, host IPS and log management. In response to requests for flexible security solutions, SecureWorks delivers its services under a fully managed, co-managed, monitored or self-service model to accommodate the needs of businesses of all sizes.

The company’s proprietary, purpose-built Sherlock Security Management Platform is the backbone of all SecureWorks’ services, enabling the monitoring of virtually any event source for correlation, retention and analysis. As a result, SecureWorks processes 13 billion security events a day. It is this unparalleled view into the attack landscape, coupled with SecureWorks’ Threat Intelligence, robust architecture and seamless delivery system, that enables the company to provide the very best in MSS.

SecureWorks’ flexible services allow clients to experience much greater ROI on their existing security investments. A Forrester study reported that SecureWorks client PG&E, a California utility, saw benefits of lower cost associated with outsourcing security monitoring to SecureWorks, cost avoidance in development fees and lower risk of loss due to security breaches because of a more robust, enterprise-level view of security monitoring.

Finalists 2011
• Entrust for Entrust Managed PKI
• McAfee for McAfee SaaS Total Protection
• RSA, the security division of EMC, for RSA Adaptive Authentication
• SecureWorks for SecureWorks Managed Security Services
• Symantec for Symantec Managed Security Services

BEST MOBILE/PORTABLE DEVICE SECURITY
WINNER
Symantec for Symantec Endpoint Protection Mobile Edition
www.symantec.com

Mobile devices are now far more sophisticated than ever before and provide greater corporate access and store more data. This has made them an increasingly popular target for hackers. They also become a higher target for theft, and their size makes them much easier to misplace. Their computing power also makes them a convenient alternative to the traditional laptop. As a result, companies need to find a way to manage these devices and make sure they are secure. To do this effectively, companies need to treat these devices as they would any other endpoint, and managing them from a single console is the next logical step. Symantec Endpoint Protection Mobile Edition is integrated with the Symantec Management Platform, which enables IT professionals to manage, secure, update and protect multiple devices from a central console.

The main differentiators include integration and complete mobile device lifecycle management. Security is one out of a few elements in a comprehensive mobile device security strategy. Competitors are currently cobbling together mobile device security and management solutions that Symantec brought to market more than a year ago.

Currently, organizations are focused on managing and protecting the myriad of endpoints accessing their networks. Companies must broaden their focus to protect the data contained on these devices. Different types of data are subject to a variety of regulations. This may change the measures that must be in place on the device. By focusing on the data, companies are better equipped to ensure they are compliant and secured to the appropriate level.

Finalists 2011
• Good Technology for Good for Enterprise
• IronKey for IronKey Enterprise
• McAfee for McAfee Enterprise Mobility Management
• Sophos for Sophos SafeGuard Enterprise
• Symantec for Symantec Endpoint Protection Mobile Edition
2011 SC AWARDS U.S.
Reader Trust Award

BEST MULTIFACTOR PRODUCT
WINNER
RSA, the security division of EMC, for RSA SecurID Authentication
www.rsa.com

RSA SecurID two-factor authentication secures corporate resources by requiring users to identify themselves with two factors – something they know (PIN) and something they have (a code that changes every 60 seconds). RSA SecurID integrates seamlessly within organizations’ infrastructure, supporting 350-plus applications and devices, including virtual private networks (VPNs), wireless access points, web applications, and network operating systems. The strength of security, broad application support and the variety of authentication methods make RSA SecurID the authentication solution of choice for more than 30,000 organizations and 40 million people worldwide.

The solution is interoperable with more than 350 products and platforms from more than 200 vendors, making it easier to adopt within a customer’s environment. RSA SecurID offers the more secure time-based OTP and comes in a variety of form factors – from hardware tokens that store certificates and decrypt hard drives, to software tokens embedded in smartphones, laptops, USB drives, biometric devices and SMS on-demand authentication. All hardware tokens have lifetime warranties and are the most reliable in the industry, saving organizations time and money on redeploying damaged tokens. The RSA SecurID solution is available via on-premise (software or appliance), through MSSPs and SaaS providers.

Business benefits include enabling employee mobility, opening up new channels for business and decreasing the cost of technical support.

Finalists 2011
• Entrust for Entrust IdentityGuard
• IBM for IBM Tivoli Access Manager for Enterprise Single Sign-On
• Imprivata for Imprivata OneSign
• PhoneFactor for PhoneFactor
• RSA, the security division of EMC, for RSA SecurID Authentication
• Symantec for VIP Authentication Service

BEST POLICY MANAGEMENT APPLICATION
WINNER
Cisco Systems for Cisco Network Admission Control Appliance
www.cisco.com/go/nac

Cisco Network Admission Control Appliance (NAC) provides policy-based access control to critical network resources for both users and devices. Specifically, it meets three market needs. First, it addresses policy compliance by enabling corporate governance, defining a consistent access policy for all users and devices throughout the network and centralizing access policy creation, distribution, auditing, and management.

Second, it strengthens security by providing policy-enforced access to network resources, securing access via all access methods, including wired, wireless and VPN connections. It provides visibility into who and what is on the network and what behavior is allowed while connected, and ensures endpoint devices are authorized and healthy.

And third, it provides increased efficiency by dynamically assigning appropriate access and services for users and their devices, thereby providing a consistent user and device experience, simplified guest access and sponsorship, and automatic discovery and classification of non-authenticating devices on networks.

Cisco NAC is the most comprehensive network access control solution for policy-based network access policy enforcement and compliance. It covers managed and unmanaged assets, deals with employee and non-employee devices, and helps ensure compliance of wireline and wireless-connected endpoints, VPN access and guest users. Cisco NAC helps ensure that connected remote and mobile endpoints also conform to access security policy.

Finalists 2011
• Cisco Systems for Cisco Network Admission Control Appliance
• McAfee for McAfee Policy Auditor
• NetIQ for NetIQ Secure Configuration Manager
• Symantec for Symantec Control Compliance Suite
• Tripwire for Tripwire Enterprise 8.0

BEST SECURITY INFORMATION/EVENT MANAGEMENT (SIEM) APPLIANCE
WINNER
ArcSight for ArcSight ESM
http://arcsight.com

ArcSight ESM is the core analysis engine for managing threats and risks with the ArcSight platform. It provides real-time correlation of threats and risks across all systems in the enterprise. ESM helps enterprises understand who is on the network, what data they are seeing, and which actions they are taking. It identifies the relevance of any given event by placing it within the context of who, what, where, when and why that event occurred and its impact on business risk.

ArcSight ESM correlates and analyzes all the log, event and transaction information generated by an enterprise’s systems to find potential security threats and risks. It provides the real-time monitoring, historic analysis and automated response necessary to manage the higher level of risk associated with doing business in today’s digital world.

ArcSight was purpose-built for flexibility and its products are customer-driven. ArcSight’s first customers were U.S. intelligence agencies that couldn’t tell the company which devices they wanted to monitor, so it had to build a very flexible technology that could easily adapt to changing use cases.

Other companies build technologies for specific uses in specific verticals, which produced limited architectures that are not easily adaptable or scalable. ArcSight, however, has the broadest interoperability, the most flexible and powerful correlation engine and the ability to scale like no one else. According to IDC, ArcSight ESM is the leader in security information event management (SIEM), with 19 percent market share.

Finalists 2011
• ArcSight for ArcSight ESM
• Q1 Labs for QRadar SIEM
• RSA, the security division of EMC, for RSA enVision Platform
• Symantec for Symantec Security Information Manager
• Tripwire for Tripwire Log Center

BEST VULNERABILITY MANAGEMENT TOOL
WINNER
Qualys for QualysGuard Vulnerability Management (VM)
www.qualys.com

QualysGuard Vulnerability Management (VM) provides the easiest-to-deploy and most comprehensive way to reduce security risk. All a company needs is a web browser to scan its network and applications in order to spot and fix vulnerabilities and collect compliance data. Delivered via a software-as-a-service (SaaS) architecture, the cost of QualysGuard VM is, on average, 50 to 90 percent less than traditional software-scanning solutions.

With QualysGuard VM, organizations can effectively maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. The tool provides comprehensive reports on vulnerabilities and compliance issues for systems and applications, including severity levels, estimated times to fix, impact on business, plus trend analysis on security and compliance issues.

To date, Qualys has the largest vulnerability management deployment in the world, scanning more than 700,000 devices globally using 300 scanner appliances in more than 53 countries. QualysGuard is the only solution in the market delivered via a true SaaS model. With the SaaS approach, Qualys has simplified the process of vulnerability scanning with no infrastructure to deploy or manage, saving time and resources, plus giving managers and auditors a continuous view of the company’s security and compliance posture.

Leading analysts, including Forrester, Gartner and IDC, have reported Qualys’ market leadership in vulnerability management.

Finalists 2011
• McAfee for McAfee Risk Management Solution
• nCircle Network Security for nCircle IP360/WebApp360
• Qualys for QualysGuard Vulnerability Management (VM)
• Rapid7 for NeXpose
• Secunia for Secunia Corporate Software Inspector (CSI)
• Tenable Network Security for Tenable Security Center 4.0
2011 SC AWARDS U.S.
Reader Trust Award

BEST WEB APPLICATION FIREWALL
WINNER
SonicWALL for SonicWALL Web Application Firewall Service
www.sonicwall.com

While small and medium-sized businesses (SMBs) are increasingly adopting Web 2.0 applications and are being served up SaaS solutions directly from the cloud, they often lack the in-house capabilities to keep up with the rapidly evolving challenges of web security. But increasingly, the Web 2.0 business tools are becoming targets for criminal attacks – such as SQL injection, parameter manipulation, cross-site scripting and denial-of-service (DoS). The SonicWALL Web Application Firewall (WAF) Service offers a complete, affordable, out-of-box compliance solution that allows any company to leverage its existing infrastructure as a licensable, add-on module to the SonicWALL Secure Remote Access platform.

The Web Application Firewall feature is testament to SonicWALL’s commitment to ensure key features of its enterprise products are also available to the SOHO (small office/home office) and SMB space. The WAF is available across SonicWALL’s complete SRA line – the world’s No. 1-selling SSL VPN product line – providing users with easy-to-use, secure and clientless remote access to a broad range of applications and resources on the corporate network. SonicWALL WAF Service applies reverse proxy analysis of Layer 7 traffic against known signatures, denies access upon detecting web application malware and redirects users to an explanatory error page. Acceleration features include content caching, compression and connection multiplexing, and improve the performance of protected websites, significantly reducing transactional

Finalists 2011
• Citrix Systems for NetScaler Application Firewall
• F5 Networks for BIG-IP Application Security Manager
• IBM for IBM Security Network IPS with Web App Protection
• Imperva for SecureSphere Web Application Firewall
• SonicWALL for SonicWALL Web Application Firewall Service

BEST WEB CONTENT MANAGEMENT PRODUCT
WINNER
Websense for Websense Web Security Gateway
www.websense.com

Social networking sites, such as Facebook and Twitter, are becoming ubiquitous in the workplace for recruiting, collaboration and professional networking. Open access to social media is both beneficial and challenging, as Web 2.0 sites expose a network to data theft and leakage. Consequently, the risks from user-generated content on these sites are rendering traditional security technologies, such as anti-virus and URL filtering, ineffective, as they lack the ability to protect the actual content of dynamic, ever-changing Web 2.0 sites.

Websense Web Security Gateway, combined with data leakage prevention (DLP), continually updates content classification and provides up-to-the-second threat protection, thereby enabling organizations to leverage Web 2.0 resources without worrying about zero-day malware, inappropriate content or disclosing sensitive information.

Websense Web Security Gateway is the only solution to include Websense Triton Architecture, the unification of web, email, and DLP security across both on-premise and security-as-a-service (SaaS) platforms. By consolidating multiple content security products and platforms, customers dramatically lower cost of ownership.

The tool provides zero-day malware protection. The Websense Advanced Classification Engine (ACE) protects against malicious scripts and zero-day threats that circumvent anti-virus products. ACE analyzes web traffic in real time, categorizing dynamic Web 2.0 content, blocking zero-day malware and preventing confidential data loss.

Finalists 2011
• Barracuda Networks for Barracuda Web Filtering
• McAfee for McAfee Web Gateway
• Sophos for Sophos Web Security Appliance
• Websense for Websense Web Security Gateway
• Zscaler for Zscaler Web Security Service

Excellence Award

BEST ENTERPRISE SECURITY SOLUTION
WINNER
Tripwire for Tripwire Enterprise 8.0
http://tripwire.com

Reflective of Tripwire’s mission as an IT security and compliance automation solution provider, Tripwire Enterprise’s customer base of 5,000 extends into vertical industries, including government, energy, financial services, retail, manufacturing, education and entertainment. When Tripwire entered the SIEM market in early 2010 to grow the company into a multisolution provider, Tripwire Enterprise customers immediately benefited from the integration of the two products and accounted for 54 percent of TLC customers. As a company, Tripwire currently services customers across 88 different countries.

Tripwire offers a three-tiered approach to customer service, along with training courses. Essential Services offers fundamental support to customers getting started with Tripwire, including remote implementation and on-site deployment assistance, health checks and upgrades. Part of this offering is “Quick Start” – a package tailored toward customers looking for distance support during their deployment process. Advanced Services assists customers in streamlining the control processes and custom policy development. Managed Services are provided in the form of Tripwire Remote Operations, which remotely delivers infrastructure management, security and compliance best practices, reduced total cost of ownership, data collection and on-demand technical expertise.

Tripwire Enterprise continues to evolve through ongoing roadmaps that reflect both the IT compliance market strategic needs and the tactical needs of the company’s expansive installed base.

Finalists 2011
• ArcSight for ArcSight Enterprise Security Manager (ESM)
• Core Security Technologies for CORE IMPACT Pro
• Juniper Networks for Junos Pulse
• McAfee for McAfee ePolicy Orchestrator
• Tripwire for Tripwire Enterprise 8.0

BEST REGULATORY COMPLIANCE SOLUTION
WINNER
nCircle Network Security for nCircle Suite360
www.ncircle.com

More than 4,500 enterprises, government agencies and service providers worldwide rely on nCircle’s suite of solutions to manage and reduce security risk and automate compliance on their networks. nCircle has won numerous awards for growth, innovation, customer satisfaction and technology leadership, including being bestowed the Inc. 5000 award for four consecutive years and named winner or finalist in six industry awards in 2010 alone.

nCircle continues to increase its customer and partner base worldwide. Its customers have been extremely loyal, as demonstrated by high marks in customer satisfaction feedback, large attendance at its Customer Advisory Council and User Group meetings, and strong interest in integrating new suite products and services as they are released. nCircle has found this loyalty to be the best reference, and it often creates new customers, as individuals leaving organizations have become champions of nCircle at their new endeavors.

nCircle offers an exceptional level of support, as proven by its 99 percent customer retention rate and the bestowment of the Outstanding Award for Highest Customer Satisfaction by a leading industry publication. Customer satisfaction continues to be nCircle’s No. 1 priority. nCircle makes significant investments in research and analysis to deliver vulnerability signature updates in addition to standard product maintenance. nCircle’s support and maintenance programs offer customers the flexibility to choose the level of support that best meets their needs – all including standard 24/7/365 availability and a customer portal.

Finalists 2011
• Agiliance for Agiliance RiskVision
• McAfee for McAfee Total Protection for Compliance
• Modulo for Modulo Risk Manager NG
• nCircle Network Security for nCircle Suite360
• Qualys for QualysGuard PCI
• Tenable Network Security for Tenable SecurityCenter 4.0
2011 SC AWARDS U.S.
2011 SC AWARDS U.S.
Excellence Award
Excellence Award
Excellence Award
Professional Award
BEST SECURITY COMPANY
BEST SME SECURITY SOLUTION
ROOKIE SECURITY COMPANY OF THE YEAR
BEST PROFESSIONAL CERTIFICATION PROGRAM
WINNER
WINNER
WINNER
WINNER
Qualys
www.qualys.com
Qualys is the leading provider
of on-demand IT security risk
and compliance solutions –
delivered as a service. Qualys
solutions enable organizations
of all sizes to easily and costeffectively ensure that their
business-technology systems
remain highly secure and within
regulatory compliance.
Qualys’ flagship product,
QualysGuard, is the widest
deployed on demand IT security and compliance solution
in the world. It performs more
than 500 million IP audit scans
(maps and scans) with 7,000
scanner appliances in more than
85 countries, and QualysGuard
is used by more than 4,000
organizations, large and small,
including 42 of the Fortune 100
and 15 percent of the Global
Forbes 2000. For the fourth
consecutive year, Qualys was
recognized as one of the fastest
growing private companies by
Inc. magazine. Over the past
three years, when the economy
challenged every organization
in every industry around the
world, Qualys showed a 104
percent growth.
Since its inception, Qualys
has worked closely with
customers on a comprehensive
software-as-a-service (SaaS)
security product line to keep
business-technology systems
secure and within regulatory
compliance. Qualys launched
QualysGuard in 2000, delivering a highly accurate and
easy-to-use scanning technology
for vulnerability management
(VM) and pioneered a new
approach to delivering security
applications through the web.
Since then, Qualys has
expanded its products beyond
vulnerability management into
helping customers reach full IT
security compliance through
defining policy, auditing and
documentation with QualysGuard Policy Compliance.
Qualys for
QualysGuard Express
www.qualys.com
QualysGuard Express is used by more than 3,000 small and medium-size enterprises (SME) around the world as an on-demand solution that automates the process of identifying security vulnerabilities, tracking remediation and meeting regulatory compliance requirements. QualysGuard Express flourished in the SME space due to its simple packaging, ease-of-use and ability to save customers time and money and show immediate ROI.

Leading analysts, including Forrester, IDC and Gartner, have recognized Qualys’ leadership in the vulnerability management market. The “Forrester Wave: Vulnerability Management, Q2 2010” report states: “Qualys led the pack because of its strong vulnerability assessment capability, forward-thinking strategy, and exceptional customer reviews.” According to the report, QualysGuard leads the market in terms of strategy and execution and is the largest vulnerability management vendor in terms of revenues.

Qualys works closely with customers to constantly improve its products in real time. A library of customer success stories and presentations can be found here: http://www.qualys.com/customers/.

QualysGuard Express includes free service and support. Also, Qualys technical support includes free web-based customer training, technical training, certification workshops and access to user conferences and online training.

Qualys also provides customers with automated quality testing of the platform and continuous updates and enhancements of vulnerability signatures without the need for customer initiation.
ROOKIE SECURITY COMPANY OF THE YEAR (Excellence Award), WINNER:
Mobile Active Defense (M.A.D.)
mobileactivedefense.com
Mobile Active Defense (M.A.D.)’s customer profiles consist of some of the largest organizations in the world. In addition to the United States, the company has developed strong relationships across Asia, Europe, Australia and the Middle East. It began delivering solutions in June 2010 and attributes its growth and reach into Fortune-level accounts to the fact that its Mobile Enterprise Compliance and Security (MECS) Server solution extends existing enterprise and network security policies across mobile platforms with complete encryption, granular firewall controls and a suite of antivirus, malware, content filtering and device management tools, keeping networks secure and compliant and protected from breaches and data leaks via smartphones.

Using zero-footprint technology, M.A.D. offers IT and IS professionals what they have been waiting for: a mobile security solution that enables compliance. M.A.D. provides the enterprise and the carrier with comprehensive mobile privacy, security and compliance tools. Just as BES has secured BlackBerry for years by offering complete security critical to enterprises, M.A.D. offers fully integrated, platform-independent controls for the mobile enterprise that comply with dozens of regulatory guidelines for platforms such as iPhone, iPad, Windows Mobile, Android and Symbian.

One of M.A.D.’s customers probably said it best: “We have had the types of controls needed for security and compliance with BlackBerry for years. It is critical that we demand the same level of security be used to mitigate against the risk inherent in all mobile devices now that they are appearing in the enterprise.”
BEST PROFESSIONAL CERTIFICATION PROGRAM (Professional Award), WINNER:
SANS Institute for GIAC Security Expert (GSE)
www.giac.org
Since it was introduced in 2003, the GIAC Security Expert (GSE) credential has been one of the most prestigious certifications in information security. Practitioners aspiring to obtain the GSE often work for years to build experience and master the applicable skills. A real certification program does not educate or strengthen knowledge per se; instead, its true purpose is to establish a validated set of skills so an employer understands the level of competency they are getting when hiring or promoting a certified professional. The GSE culminates with two days of hands-on, performance-based testing, ensuring candidates can harden Windows and Unix systems, configure IDS and firewalls, analyze real network traffic and incident data, penetration test live systems, and create professional-quality reports. GIAC stands behind the fact that each individual it certifies at the GSE level is a true expert in information security.

The GSE’s performance-based, hands-on nature is truly unique. Arguably, no other certification in the information security industry covers this breadth or depth of real-world IT security job responsibilities. Those who earn the GSE can go head-to-head with the most advanced, current attacks and come out on top. They are truly experts.

The security industry needs technical experts who can make difficult decisions and perform difficult tasks, rather than more entry-level practitioners. The performance-based GSE exam is an expert-level, hands-on credential and is well respected for this reason.
Finalists 2011, BEST SECURITY COMPANY
• Barracuda Networks
• NetWitness
• Qualys
• RSA, the security division of EMC
• Trustwave
• Websense

Finalists 2011, BEST SME SECURITY SOLUTION
• McAfee for McAfee SaaS Endpoint and Email Protection
• Qualys for QualysGuard Express
• Sophos for Sophos Endpoint Security and Data Protection
• Symantec for Symantec Endpoint Protection Small Business Edition
• Webroot for Webroot Web Security Service

Finalists 2011, ROOKIE SECURITY COMPANY OF THE YEAR
• ActiveBase
• AlertBoot
• Avecto
• Confidela
• Invincea
• Mobile Active Defense (M.A.D.)

Finalists 2011, BEST PROFESSIONAL CERTIFICATION PROGRAM
• SANS Institute for GIAC Security Expert (GSE)
• SANS Institute for GIAC Certified Intrusion Analyst (GCIA)
• Information System Audit and Control Association for Certified in the Governance of Enterprise IT (CGEIT) Certification
• Information System Audit and Control Association for Certified Information Systems Auditor
• Learning@Cisco for Cisco Security Certifications
2011 SC AWARDS U.S.
Professional Award categories: BEST PROFESSIONAL TRAINING PROGRAM, BEST SECURITY TEAM, CSO OF THE YEAR, EDITOR’S CHOICE AWARD

BEST PROFESSIONAL TRAINING PROGRAM (Professional Award), WINNER:
(ISC)2 for (ISC)2 Educational Programs
www.isc2.org/education
(ISC)2 offers a range of education opportunities for both its members and prospective members, all of which are based on the (ISC)2 CBK, a continuously updated taxonomy of information security topics essential to the profession.

For current members, (ISC)2 offers many opportunities to earn continuing professional education (CPE) credits to maintain certification, including one- and two-day conferences, seminars at industry events and online seminars – many of which are offered for free. For prospective members, and for current members looking to add another certification, (ISC)2 offers Official CBK Review Seminars for the CISSP, CISSP concentrations, SSCP, CAP and CSSLP, in both classroom and eLearning environments. Whether taken in the classroom or online, all Review Seminars are taught by (ISC)2 authorized instructors, each of whom is up-to-date on the latest information security-related developments and is an expert in credential-specific domains. All (ISC)2 Review Seminars also feature post-seminar self-assessments.

In addition to real-world (ISC)2 CBK Review Seminars held throughout the world for prospective certification candidates, (ISC)2 offers Live OnLine CBK Review Seminars for the CISSP and two concentrations (the ISSAP and ISSMP), as well as the CSSLP. (ISC)2 continues to develop new programs using multiple delivery platforms to address issues within the industry – including free continuing professional education to its members in the form of one-day live events and half-day online seminars.
BEST SECURITY TEAM (Professional Award), WINNER:
Go Daddy
www.GoDaddy.com
Go Daddy’s security team
exists at the epicenter of the
company’s operations. As the
world’s largest domain name
registrar and top web hosting
provider, Go Daddy serves
more than 8.3 million customers. With more than 43 million
domain names under management and as the authoritative
DNS provider for one-third of
the internet, Go Daddy puts its
security team at the forefront,
ensuring a safe online experience for users across the globe.
In its six years of operation,
the security team has matured
from one person to more than
50. It works around the clock,
running robust, 24/7 network and security operations
centers, monitoring 100,000
security events per second.
Dedicated team members are
constantly monitoring for
attacks or anomalies across
Go Daddy’s security systems,
proactively detecting threats
and working swiftly to eliminate them.
The team’s success rate is a
testament to its vigilant security
strategy, blocking more than
100 million attacks every day.
As the dominant carrier of
the world’s websites, Go Daddy
has the critical responsibility of
ensuring a safe online experience not only for Go Daddy
customers, but also for internet
users across the globe. As such,
Go Daddy executives hold a
deep-seated level of respect for
the company’s security team.
The security team propels
its CISO daily, working closely
with departments across the
organization to make sure
security is a key requirement
– not an afterthought – of Go
Daddy solutions. Under the
directives of the CISO, the
team serves as a bastion of
security for all other departments within the company, and
ultimately, for its customers.
CSO OF THE YEAR (Professional Award), WINNER:
Scott Sysol, CSO/VP IT service management and security, CUNA Mutual Group
www.cunamutual.com
In the financial services industry, IT in general and IT security in particular play a vital yet sometimes unrecognized and unrewarded role. Some people notice the function only when things go wrong. Working (and succeeding) in this field requires not just technology talent but a clear understanding of the unique rhythms of the industry, as well as constant awareness of the diverse pressures of external threats, internal compliance controls and the effect of each measure and implementation on productivity enterprise-wide. It also takes a thick skin. And from the CISO’s office, building a strong team takes a good mix of experience, persistence and constant communication. It is also important to recognize when specific individuals who might otherwise have unique skills don’t fit the team, and to take steps to change the structure.

Sysol has in the past worked with senior executives who simply didn’t understand the complexities of information security. But it is important to remember that their concerns are valid.

Again, credibility goes a long way. Moreover, even executives who don’t understand the specifics of information security threats are well aware of the compliance mandates governing internal procedures. The CISO who can not only demonstrate familiarity with the relationship between government restrictions and internal processes, but also tie regulations and threats to the real world – with examples, case studies, horror stories and benefits – will gain influence throughout the company. Sysol has made this a top priority.
EDITOR’S CHOICE AWARD (Professional Award), WINNER:
The Identity Theft Council
identitytheftcouncil.org
The Identity Theft Council uses a community-based, grassroots approach to tackling identity theft in a whole new way – by creating a national network of local action partnerships comprised of everyone who has a stake in the fight against America’s fastest-growing crime: law enforcement, local banks and credit unions, businesses, schools, community groups, and victims.

The goal of the Identity Theft Council is two-fold – to use trained and vetted volunteer counselors to provide the local, person-to-person support to identity theft victims that law enforcement cannot; and to find more creative and effective ways to make consumers more aware, vigilant and involved in their own protection.

Not only is the council training and educating the next generation of consumers, it is also preparing these students for the workplace and teaching them how their awareness and vigilance will play a valuable role.

Established in early 2010 in the San Francisco area, the nonprofit council was founded by security veteran Neal O’Farrell with the support of local law enforcement and Intersections, a provider of identity risk management services. The council is supported nationally by Intersections, the Independent Community Bankers of America, the Council of Better Business Bureaus, the Online Trust Alliance, Elder Financial Protection Network, and the Identity Theft Assistance Center.

The council is active throughout the Bay area and is now preparing to launch branches in hundreds of communities across America.
Finalists 2011, BEST PROFESSIONAL TRAINING PROGRAM
• Foreground Security for Foreground Security Training
• InfoSec Institute for InfoSec Institute
• (ISC)2 for (ISC)2 Educational Programs
• SANS Institute for SANS Institute
• Security University for Security University’s Q/ISP Qualified/Information Security Professional Training Program
• The Training Camp for IT Professional Certification Training

Finalists 2011, BEST SECURITY TEAM
• GoDaddy.com for Go Daddy Security
• ING for Security Operations Center
• Teleperformance for TelePerformance
• Troy University for Troy University IT Security Team
• USAA for Enterprise Security Group (ESG)

Finalists 2011, CSO OF THE YEAR
• David Billeter, InterContinental Hotels Group
• Tim Waggoner, National Government Services
• Jason Taule, General Dynamics Information Technology
• Scott Sysol, CUNA Mutual Group

Photo caption (Identity Theft Council), from left to right: Steve Schwartz, Intersections; Neal O’Farrell, founder of the Identity Theft Council; Denise Gregor, Abraham Lincoln High School; Karen Lodrick, victim and advocate; Mark Jackson, Alameda County District Attorney’s Office; Inspector Anne Madrid, Hayward Police Department; Craig Spiezle, the Online Trust Alliance; Joyce Carcaise, Intersections; Paul Henderson, chief prosecutor, San Francisco District Attorney’s Office; Lt. Jones Wong, San Francisco Police Department; Jenefer Duane, founder, the Elder Financial Protection Network.
LastWord

Before tech, process and policy

IT departments deploy new DLP technologies without fully engaging the business side, says Integralis’ Michael Gabriel.

Data leakage prevention (DLP) is garnering a lot of attention as a cure-all for risk management. Yet deployments often get a bad rap for being too burdensome on an organization’s processes. Many IT professionals – and their management – wonder if they’re getting the right ROI given the perceived pain and effort involved.

We often see that DLP technologies are recommended before examining how they will work within a company’s existing security policies and processes. Is there an understanding of how and why data is being collected? Do administrators know where sensitive information is and how it migrated there? Who internally and externally is contributing to and interacting with this data? And how will the response to security incidents be managed?

In a rush to secure their enterprises, reduce risk and meet compliance regulations, IT departments are deploying new DLP technologies without fully engaging the business side of a company. This is forcing fundamental changes in business processes, rather than adapting DLP to the requirements of that organization.

The key to successful DLP solutions is to first look at business processes and existing data and security requirements.

Understand the core business operational or compliance issues up front, matching the business and data processes to the DLP application or tool. What kind of regulatory issues – such as the Gramm-Leach-Bliley Act or HIPAA – need to be considered, or how might third-party data compliance requirements, such as PCI, affect new DLP options? Business processes also drive data acquisition and data flow strategies so, for example, what kinds of protections are required for both data in motion (email) and data at rest (file sharing)?

Before making a full DLP deployment, make sure data protection and response policies reflect how an organization can reasonably respond. For example, to cut back on the false positives that impact time and resources, business units need to work with IT to define, and refine with testing, exactly what kind of incidents are flagged as a violation. Policy testing should be defined based on using actual data (e.g., fingerprinting), not pattern matching/regular expressions, whenever possible.
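The column's point about testing a policy against actual data (fingerprinting) rather than regular expressions, shown as an added example in Python that is not part of Gabriel's column or of any Integralis product: it hashes four-word shingles of constructed "sensitive" documents into an index, then runs that fingerprint check and a naive card-number regex side by side over four constructed outbound messages. The document names, message text, shingle size and the 50 percent match threshold are all assumptions chosen for the illustration.

```python
"""Added example: regex pattern matching versus content fingerprinting
in a DLP policy. All documents and messages below are constructed."""
import hashlib
import re

SHINGLE_WORDS = 4       # words per shingle (assumption)
MATCH_THRESHOLD = 0.5   # fraction of a message's shingles that must hit the index (assumption)

# Constructed documents the business has classified as sensitive.
SENSITIVE_DOCS = {
    "customer-export.csv": (
        "name,card_number,expiry\n"
        "Alice Example,4111111111111111,12/25\n"
        "Bob Example,5500000000000004,06/24\n"
    ),
    "merger-memo.txt": (
        "Project Harbor: board approved the proposed acquisition terms; "
        "do not distribute outside the deal team."
    ),
}

# Constructed outbound messages the policy is tested against.
MESSAGES = {
    # real rows copied out of the export: both policies should flag it
    "leak-export": "Here are the rows: Alice Example,4111111111111111,12/25 "
                   "Bob Example,5500000000000004,06/24",
    # paraphrased memo with no digits at all: only fingerprinting can see it
    "leak-memo": "Heads up, board approved the proposed acquisition terms, "
                 "do not distribute outside the deal team.",
    # a 16-digit parcel number that looks like a card number: regex false positive
    "parcel-update": "Your parcel 9400 1102 0088 1234 ships today, call 555-0100 with questions.",
    # benign chatter: neither policy should flag it
    "lunch": "Lunch at noon? Bring the slides.",
}

# Typical "card number" pattern from a regex-only policy: 13 to 19 digits,
# optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def regex_policy(text):
    """Pattern-matching policy: True when anything card-number-like appears."""
    return bool(PAN_RE.search(text))


def tokenize(text):
    """Lower-case alphanumeric tokens; punctuation and separators are dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text):
    """SHA-256 of each run of SHINGLE_WORDS consecutive tokens."""
    toks = tokenize(text)
    for i in range(len(toks) - SHINGLE_WORDS + 1):
        chunk = " ".join(toks[i:i + SHINGLE_WORDS])
        yield hashlib.sha256(chunk.encode()).hexdigest()


def build_index(docs):
    """Map shingle hash -> set of document names. Only hashes are kept,
    so the index itself holds no copy of the sensitive text."""
    index = {}
    for name, body in docs.items():
        for h in shingles(body):
            index.setdefault(h, set()).add(name)
    return index


def fingerprint_policy(text, index):
    """Fingerprinting policy: names of the sensitive documents a message
    reproduces, or None when too few of its shingles are in the index."""
    hashes = list(shingles(text))
    hits = [index[h] for h in hashes if h in index]
    if not hashes or len(hits) / len(hashes) < MATCH_THRESHOLD:
        return None
    return sorted(set().union(*hits))


def evaluate(messages, docs):
    """Run both policies over every message: name -> (regex_hit, fingerprint_sources)."""
    index = build_index(docs)
    return {name: (regex_policy(body), fingerprint_policy(body, index))
            for name, body in messages.items()}


if __name__ == "__main__":
    for name, (rx, fp) in evaluate(MESSAGES, SENSITIVE_DOCS).items():
        print(f"{name:14s} regex={rx!s:5s} fingerprint={fp}")
```

Read as a policy test, the four messages are the cases the business units and IT would agree on before rollout: the parcel message is the regex false positive the column warns about, and the memo is a leak the regex cannot see because nothing in it looks like a number. The threshold and shingle size are exactly the knobs that "refine with testing" adjusts; a DLP product's own fingerprinting will differ in detail, but the trade-off is the same.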
Understanding business processes will also determine who needs access to what kind of information. IT can implement appropriate logical access rules and restrictions to protect sensitive or classified data. Doing all this up front avoids retooling the system and eliminates early user frustrations that often stymie new DLP projects.

“First look at business processes and existing data and security requirements.”

Further, create a tiered incident response process so that the proper level of management and support teams are responding or contributing to decisions about how to react to security threats. Where is the first line of response? Instead of IT reporting every incident or providing summaries directly to senior decision-makers, an incident response team should be empowered to research the incident and its cause. Was the event intentional or does it reflect some inconsistency in policy or a flawed DLP action?

Data leakage prevention systems and tools provide powerful safeguards for organizations reconciling the need for collecting and harnessing data with the need to manage risk and compliance. Creating an equal level of assurance that these implementations will be successful and yield ROI and acceptance across the enterprise requires a joint IT and business-level team working to define and apply the organizational processes to new DLP disciplines and tools.

Michael Gabriel is director of the FLIGHT Data Protection Practice at Integralis.

Smarter technology for a Smarter Planet: What 99.9% system uptime means to a kilo of gold.

It means that the futures contract for that gold can trade instantly and more securely. The Dubai Gold & Commodities Exchange (DGCX) has maintained their complex network of worldwide members for four years without a single security breach due to malware, and without any unplanned downtime. The DGCX worked with IBM Security Solutions to help implement an intrusion prevention system that builds security into every aspect of their online trading services and proactively adapts to ever-evolving threats. A smarter business is built on smarter software, systems and services.

Let’s build a smarter planet. ibm.com/exchange

A data visualization of the settlement prices for gold, silver and other commodities from March 1 to September 1, 2010.
ESET NOD32 Antivirus for Mac: Cross-platform protection — one console

Our award-winning ESET NOD32® Antivirus is the faster, smarter, easier-to-manage defense against Internet threats. With a unified management console that scales to support small and large business networks, ESET NOD32 delivers advanced proactive protection for all your endpoints, whether they are running Windows, Mac or Linux.

www.eset.com