Following hot on the heels of the InfoSec Europe trade show at the start of May 2012 was the IT Security Analyst’s forum, organised by Eskenzi PR and brought forward this year to avoid the Olympic events over the summer. As usual, the forum attracted analysts from most of the well-known firms from both Europe and the USA.
On day two of the event, vendors and analysts got together for a round table with a group of fifteen chief information security officers (CISO) responsible for ensuring information security in UK enterprises. Hot issues discussed included:
The changing role of the CISO
One organisation said IT was now reporting in to a broader security function, raising the CISO above the CIO. Others were not sure this would be a good approach for their business. One CISO had recently been promoted to CIO, taking security knowledge and expertise to a higher level via another route. In some banks and technology companies the CISO is now a board level position or a direct board level report. All agreed there was growing board interest in IT security, although there was often a mismatch of priorities between the board and CISO.
There was general agreement that focussing on securing data was essential to achieving good overall security, although few CISOs believed they were really in control of their entire organisation’s data.
One CISO said the solution lies in focussing on “red data”, which for most organisations is less than 10% of all data (but “which 10%?” asked another). Data loss prevention (DLP) and digital rights management (DRM) tools provide insight, but users complain about interruptions to their workflow. A cultural shift is also required to get users to classify data, a necessary part of overall success.
There was no doubt that user awareness is important, but there was debate about how to go about ensuring it. One organisation put posts about IT security issues on the employee expenses portal; “the one place all are bound to visit”. One issue raised was that as employees become more aware they are more likely to report incidents, driving up the statistics. The point was also made that training helps with mass market threats but will be less effective when it comes to advanced threats. Awareness also requires joined-up thinking in businesses; one CISO noted that his department had been busy raising awareness of the risk of e-Christmas cards while another part of the business was busy sending them.
Securing the use of mobile devices
Mobile devices were certainly top of mind when it came to information security, but there were doubts about some of the technology. Some CISOs felt that some of the approaches to securing iPhones and Android devices in effect turned them into BlackBerry-like devices, which took away many of the benefits that users were looking for. Some were creating guest networks to provide visitors to their premises with internet access. It was also pointed out that anti-virus and encryption only work on employer-owned devices, but as more and more employees demand to use their own devices that control is lost; there is “no right to wipe, it is a shift in power, we have to make it happen” stated one CISO. Another said they were now “designing for BYOD” (bring your own device).
Securing the cloud
Some agreed with Quocirca’s own view that the main issue is perception; convincing the “control gods” said one CISO. The security considerations are not that different from those for internally deployed IT systems. Some saw cloud-based services as just another form of outsourcing: they should be used when they are the most effective way of delivering a required aspect of IT, and as with any outsourcing contract appropriate SLAs need to be in place. Others were less sure the cloud was like other forms of outsourcing, and one stated “the [cloud] market is for small organisations”.
Identity and access
The cloud may enable all sorts of outsourcing, but one CISO was firm in their belief that “you cannot outsource identity”. There were also doubts expressed about single sign-on (SSO), which has been “promised for thirty years, it is a myth perpetuated by vendors, however, you can achieve reduced sign on”. Regardless of history, there is a growing recognition of the need for SSO, especially when it comes to accessing software-as-a-service applications and application programming interfaces (API). There is also a growing need to manage machine identities, although when it came to mobile devices one CISO clearly felt it was the users that presented the problem: “[we are] 99.9% sure it is the phone but only 80% sure it is the user”.
The first day of the forum had seen the usual speed dating between security vendors and analysts. This year Quocirca’s timetable seemed to be dominated by security intelligence. This included:
- nCircle, whose Suite 360 product collects data for vulnerability analysis and for gauging the effectiveness of network security. It has just announced an on-demand version called nCircle Pure Cloud – so another cloud-based security service for the CISOs to consider.
- AlienVault is a SIEM (security information and event management) vendor; its product has been donated to the open source community and is dubbed OSSIM (Open Source Security Information and Event Management). Its main news is the appointment of a new management team attracted from HP’s ArcSight and Fortify acquisitions, perhaps underlining one CISO’s comment that acquisitions “kill good products”. That said, with a major new round of redundancies coming at HP, perhaps anywhere seemed safer than staying for the individuals involved.
- More open source from Sourcefire, which has added an end-point protection capability to its Snort-based “next-generation” firewall. Dubbed FireAMP, the new capability detects malware on network-connected end-points and allows policies to be applied around application usage: a measure of the hands-off end-point security for mobile devices that CISOs seem to accept is needed.
- For those worried about who has been accessing which documents, Varonis provides such intelligence across Windows, UNIX and Linux-based file servers as well as Microsoft SharePoint and Exchange. By way of an example, it can spot things such as an email marked as read, but not by the intended recipient. Another tool available to address the need recognised by CISOs to have information security at the core of overall IT security.
- Venafi is a provider of encryption management tools. It has just released a tool called Venafi Assessor, which seeks out all the SSL certificates on a given network and helps to quantify risk; “we thought we had 6,000, actually had 15,000”. Useful for helping to solve some of the identity concerns raised by CISOs.
- Integralis is a managed security service provider (MSSP) that can help CISOs manage many of the problems they identified. Integralis has its own SIEM tools and a correlation engine to help achieve this, and uses McAfee ePO to make management easier.
- ISACA was unveiling the latest version of COBIT, reminding us all that there is a need for some standards in the mix.
Thanks to Eskenzi PR, the vendors who paid for the event and the CISOs for their time. Quocirca certainly came away with a lot more insight, albeit with it clear that in some areas there is no single answer to the thorny issues of IT security.