Showing posts with label cyber warfare. Show all posts
Showing posts with label cyber warfare. Show all posts

Wednesday, January 04, 2012

Overlapping Criminal and State Threats Pose Growing Cyber Security Threat to Global Internet Commerce, Says Open Group Conference Speaker

Transcript of a podcast in conjunction with The Open Group Conference in San Francisco on how foreign governments and criminal gangs are colluding to attack governments and businesses for profit and power.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Register for The Open Group Conference
Jan. 30 - Feb. 3 in San Francisco.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with the upcoming The Open Group Conference this January in San Francisco. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout these discussions.

The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security.

We’re here now with one of the main speakers, Joseph Menn, Cyber Security Correspondent for the Financial Times and author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet.

Joe has covered security since 1999 for both the Financial Times and then before that, for the Los Angeles Times. Fatal System Error is his third book, he also wrote All the Rave: The Rise and Fall of Shawn Fanning's Napster.

As a lead-in to his Open Group presentation, entitled "What You're Up Against: Mobsters, Nation-States, and Blurry Lines," Joe and I are now going to explore the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyber space. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Gardner: It seems to me that there has been conventional wisdom about cyber crime and security that if there wasn’t much profit then there was self-regulation in place, and the cost of cyber crime would outweigh the payoffs, and it stayed manageable.

Has that changed? Have we entered a new period where just balancing risks and costs isn't a sufficient bulwark against burgeoning crime and risk?

Menn: I'm not sure that that was ever true, not after cyber crime metastasized beginning in 2003, when the bad-guy spammers in Russia wanted more IP addresses to send mail from after the blacklisting got effective. But, it's increasingly less true than it ever was.

Maybe you can make your enterprise a little trickier to get into than the other guy’s enterprise, but crime pays very, very well, and in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&D.

On our end, on the good guys’ side, it's hard if you're a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don’t really know what's working and what isn't. You don’t know if you've really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can't be sure whether they’ve been had or not. So it's hard to know what to spend on.

More efficient

T
he other side doesn’t have that problem. They’re getting more efficient in the same way that they used to lead technical innovation. They're leading economic innovation. The freemium model is best evidenced by crimeware kits like ZeuS, where you can get versions that are pretty effective and will help you steal a bunch of money for free. Then if you like that, you have the add-on to pay extra for -- the latest and greatest that are sure to get through the antivirus systems.

Gardner: When you say "they," who you are really talking about?

Menn: They, the bad guys? It's largely Eastern European organized crime. In some countries, they can be caught. In other countries they can't be caught, and there really isn't any point in trying.

It's a geopolitical issue, which is something that is not widely understood, because in general, officials don’t talk about it. Working on my book, and in reporting for the newspapers, I've met really good cyber investigators for the Secret Service and the FBI, but I’ve yet to meet one that thinks he's going to get promoted for calling a press conference and announcing that they can’t catch anyone.

So the State Department, meanwhile, keeps hoping that the other side is going to turn a new leaf, but they’ve been hoping that for 10 or more years, and it hasn’t happened. So it's incumbent upon the rest of us to call a spade a spade here.

What's really going on is that Russian intelligence and, depending on who is in office at a given time, Ukrainian authorities, are knowingly protecting some of the worst and most effective cyber criminals on the planet.

Gardner: And what would be their motivation? In heaven’s name, why would a sovereign power or an agency therein want to protect cyber criminals?

The same resources, human and technical, that are used to rob us blind are also being used in what is fairly called cyber war.



Menn: As a starting point, the level of garden-variety corruption over there is absolutely mind-blowing. More than 50 percent of Russian citizens responding to the survey say that they had paid a bribe to somebody in the past 12 months. But it's gone well beyond that.

The same resources, human and technical, that are used to rob us blind are also being used in what is fairly called cyber war. The same criminal networks that are after our bank accounts were, for example, used in denial-of-service (DOS) attacks on Georgia and Estonian websites belonging to government, major media, and Estonia banks.

It's the same guy, and it's a "look-the-other-way" thing. You can do whatever crime you want, and when we call upon you to serve Mother Russia, you will do so. And that has accelerated. Just in the past couple of weeks, with the disputed elections in Russia, you've seen mass DOS attacks against opposition websites, mainstream media websites, and live journals. It's a pretty handy tool to have at your disposal. I provide all the evidence that would be needed to convince the reasonable people in my book.

Gardner: In your book you use the terms "bringing down the Internet." I suppose another conventional thought around security is that there is a sort of mutual assured destruction effect where bringing down the Internet would hurt everyone. Is that not the case? Are they really just looking for people’s credit card numbers and petty crime, or is this really a threat to the integrity of the Internet in general?

Menn: Well integrity is the keyword there. No, I don’t think anybody is about to stop us all from the privilege of watching skateboarding dogs on YouTube. What I mean by that is the higher trust in the Internet in the way it's come to be used, not the way it was designed, but the way it is used now for online banking, ecommerce, and for increasingly storing corporate -- and heaven help us, government secrets -- in the cloud. That is in very, very great trouble.

Not a prayer

I don’t think that now you can even trust transactions not to be monitored and pilfered. The latest, greatest versions of ZeuS gets past multi-factor authentication and are not detected by any antivirus that’s out there. So consumers don’t have a prayer, in the words of Art Coviello, CEO of RSA, and corporations aren’t doing much better.

So the way the Internet is being used now is in very, very grave trouble and not reliable. That’s what I mean by it. If they turned all the botnets in the world on a given target, that target is gone. For multiple root servers and DNS, they could do some serious damage. I don’t know if they could stop the whole thing, but you're right, they don’t want to kill the golden goose. I don’t see a motivation for that.

Gardner: I guess if we look at organized crime in historical context, we found that there is a lot of innovation over the decades, over the generations, about how to shake people down, create rackets, protection scams, and so forth. Is that playing out on the Internet as well? Is there some continuity around what organized crime tends to do in the physical world to what they're now attempting to do in the virtual world?

Menn: Sure. The mob does well in any place where there is a market for something, and there isn’t an effective regulatory framework that sustains it -- prohibition back in the day, prostitution, gambling, and that sort of thing. One of the things that’s interesting about the core narrative in my book is that prostitution doesn’t travel very well. Liquor is pretty well legal in most of the countries, but gambling travels very well.

So the traditional Five Families, Gambino-type mobs gravitated toward Internet gambling, and they run some very large enterprises that are offshore. And if you don't pay off, then yeah, somebody actually shows up and breaks your legs. Old school.

The mob does well in any place where there is a market for something, and there isn’t an effective regulatory framework that sustains it.



The Russian and Ukrainian gangs went to extortion as an early model, and ironically, some of the first websites that they extorted with the threat were the offshore gambling firms. They were cash rich, they had pretty weak infrastructure, and they were wary about going to the FBI. They started by attacking those sites in 2003-04 and then they moved on to more garden-variety companies. Some of them paid off and some said, "This is going to look little awkward in our SEC filings" and they didn’t pay off.

There are some people who say organized crime and the Internet don't really mix and don't know how it happened. I've just told you how it happened in the US. Overseas it's not like the mob had a meeting one day and said, "Bob, I think, this Internet thing shows promise. I want you to open a cyber division for it."

The way things work in Russia is that even legitimate businesses have a local patron mobster that they pay tribute to. It's not so much because he is going to shut them down, but because you want one guy to deal with all the other people that are going to shake you down -- other mobsters and cops who are on the take.

Once the cyber gang got big enough, sooner or later, they also wanted the protection of traditional organized crime, because those people had better connections inside the intelligence agencies and the police force and could get them protection. That's the way it worked. It was sort of an organic alliance, rather than "Let’s develop this promising area."

Gardner: Just as in past eras with the need for protection, these cyber criminals look for a safe haven and perhaps pay off people, whether it's physical or virtual, to protect their environment, and then perhaps there is some added collusion along the way.

Have we moved now beyond this "let's just get safe and payoff some people for protection," or is there a two-way street where these cyber criminals are being contracted by some state agencies. How does this further collusion come about?

Proving their worth

Menn: Exactly. That is what happens. Initially it was garden-variety payoffs and protection. Then, around 2007, with the attack on Estonia, these guys started proving their worth to the Kremlin, and others saw that with the attacks that ran through their system.

This has continued to evolve very rapidly. Now the DOS attacks are routinely used as the tool for political repression all around the world --Vietnam, Iran and everywhere you’ll see critics that are silenced from DOS attacks. In most cases, it's not the spy agencies or whoever themselves, but it's their contract agents. They just go to their friends in the similar gangs and say, "Hey do this." What's interesting is that they are both in this gray area now, both Russia and China, which we haven't talked about as much.

In China, hacking really started out as an expression of patriotism. Some of the biggest attacks, Code Red being one of them, were against targets in countries that were perceived to have slighted China or had run into some sort of territorial flap with China, and, lo and behold, they got hacked.

In the past several years, with this sort of patriotic hacking, the anti-defense establishment hacking in the West that we are reading a lot about finally, those same guys have gone off and decided to enrich themselves as well. There were actually disputes in some of the major Chinese hacking groups. Some people said it was unethical to just go after money, and some of these early groups split over that.

In Russia, it went the other way. It started out with just a bunch of greedy criminals, and then they said, "Hey -- we can do even better and be protected. You have better protection if you do some hacking for the motherland." In China, it's the other way. They started out hacking for the motherland, and then added, "Hey -- we can get rich while serving our country."

It is much, much worse than anybody realizes. The US counterintelligence a few weeks ago finally put out a report saying that Russia and China are deliberately stealing our intellectual property.



So they're both sort of in the same place, and unfortunately it makes it pretty close to impossible for law enforcement in [the U.S.] to do anything about it, because it gets into political protection. What you really need is White House-level dealing with this stuff. If President Obama is going to talk to his opposite numbers about Chinese currency, Russian support of something we don’t like, or oil policy, this has got to be right up there too -- or nothing is going to happen at all.

Gardner: What about the pure capitalism side, stealing intellectual property (IP) and taking over products in markets with the aid of these nefarious means? A lot of companies won't want to share details about this, but how big a deal is this now for enterprises and commercial organizations?

Menn: It is much, much worse than anybody realizes. The U.S. counterintelligence a few weeks ago finally put out a report saying that Russia and China are deliberately stealing our IP, the IP of our companies. That's an open secret. It's been happening for years. You're right. The man in the street doesn’t realize this, because companies aren’t used to fessing up. Therefore, there is little outrage and little pressure for retaliation or diplomatic engagement on these issues.

I'm cautiously optimistic that that is going to change a little bit. This year the Securities and Exchange Commission (SEC) gave very detailed guidance about when you have to disclose when you’ve been hacked. If there is a material impact to your company, you have to disclose it here and there, even if it's unknown.

Register for The Open Group Conference
Jan. 30 - Feb. 3 in San Francisco.

Can't be boilerplate

If it might have, or is reasonably likely to have, a material impact, you have to spell it out. And it can't be boiler plate. It can't just be, "We are an Internet retailer and therefore we are target of hackers and therefore people’s credit cards might get out." No, without divulging what your weaknesses are you have to say, "We have detected hacks in the past and we don’t know but our source code might be gone."

You have to be a little more explicit, and so far, it's basically Google that has really spelled out how badly they got hit. We're going to see a lot more companies say that, and I think that will help wake up Congress and the general public.

Gardner: So the old adage of shining light on this probably is in the best interest of everyone. Is the message then keeping this quiet isn’t necessarily the right way to go?

Menn: Not only is it not the right way to go, but it's safer to come out of the woods and fess up now. The stigma is almost gone. If you really blow the PR like Sony, then you're going to suffer some, but I haven’t heard a lot of people say, "Boy, Google is run by a bunch of stupid idiots. They got hacked by the Chinese."

It's the definition of an asymmetrical fight here. There is no company that's going to stand up against the might of the Chinese military, and nobody is going to fault them for getting nailed. Where we should fault them is for covering it up.

Not only is it not the right way to go, but it's safer to come out of the woods and fess up now. The stigma is almost gone.



I think you should give the American people some credit. They realize that you're not the bad guy, if you get nailed. As I said, nobody thinks that Google has a bunch of stupid engineers. It is somewhere between extremely difficult to impossible to ward off against "zero-days" and the dedicated teams working on social engineering, because the TCP/IP is fundamentally broken and it ain't your fault.

Gardner: Let's say that I'm a leadership individual at a corporation, a Global 500 organization, and I am wondering to what extent this is a risk. Is this something that’s going to be an acceptable cost of doing business? Is this just something I have to deal with when I go to different markets around the world, or is this an existential threat?

We're still seeing record profits by many companies. Google is certainly not hurting. This hasn’t necessarily attacked their bottom line in the same way it attacked their firewall. How serious is this? How serious should it be considered?

Menn: It's an existential threat not only to your company, but to our country and to our way of life. It is that bad. One of the problems is that in the U.S., executives tend to think a quarter or two ahead. If your source code gets stolen, your blueprints get taken, nobody might know that for a few years, and heck, by then you're retired.

With the new SEC guidelines and some national plans in the U.K. and in the U.S., that’s not going to cut it anymore. Executives will be held accountable. This is some pretty drastic stuff. The things that you should be thinking about, if you’re in an IT-based business, include figuring out the absolutely critical crown jewel one, two, or three percent of your stuff, and keeping it off network machines.

Short-term price

Yes, that is a current cost to doing things that might well make you less efficient and that’s a short-term price you have to pay to ensure long-term survival. You have to do that, and there are some creative things that could be done.

For example, say you've got a blueprint for the next widget that is absolutely going to smoke the competition, and it has got to be on a computer that other people can access for some reason. I would make 100 different similar blueprints of the next generation widget, and only a handful of people you trust know which is the right one, and all the others are hooey.

Therefore, if everything gets stolen, they're going to waste a lot of cycles building the wrong widget. That’s the sort of strategic spy-type thinking that I think garden-variety CEOs have got to start engaging it.

Gardner: That’s interesting. So we have to think differently, don’t we?

Menn: Basically, regular companies have to start thinking like banks, and banks have to start thinking like intelligence agencies. Everybody has to level up here.

Gardner: What do the intelligence agencies have to start thinking about?

Menn: The discussions that are going on now obviously include greatly increased monitoring, pushing responsibility for seeing suspicious stuff down to private enterprise, and obviously greater information sharing between private enterprise, and government officials.

But, there's some pretty outlandish stuff that’s getting kicked around, including looking the other way if you, as a company, sniff something out in another country and decide to take retaliatory action on your own.



But, there's some pretty outlandish stuff that’s getting kicked around, including looking the other way if you, as a company, sniff something out in another country and decide to take retaliatory action on your own. There’s some pretty sea-change stuff that’s going on.

Gardner: So that would be playing offense as well as defense?

Menn: In the Defense Authorization Act that just passed, for the first time, Congress officially blesses offensive cyber-warfare, which is something we’ve already been doing, just quietly.

We’re entering some pretty new areas here, and one of the things that’s going on is that the cyber warfare stuff, which is happening, is basically run by intelligence folks, rather by a bunch of lawyers worrying about collateral damage and the like, and there's almost no oversight because intelligence agencies in general get low oversight.

We’re probably also buying a whole bunch of cyber stuff, which is a waste. I mean, they're going to be equivalent of $500 toilet seats, and we’re not going to know about it, because this stuff doesn’t get disclosed.

Gardner: I know that we could go on to this separate subject for hours, but just very briefly how about the area of governance? We know who's in charge when it comes to interstate commerce. We know who is in charge when it comes to managing the monetary system and protecting against counterfeit bills.

Do we really have anyone who is officially in charge of protecting, let's say, in this case, U.S. companies from outside cyber warfare? Is there a defense, legal, or other framework under which the responsibility for protection falls?

It's a mess

Menn: The short answer is it's a mess. The Department of Homeland Security (DHS) is officially in charge of protecting the civilian-owned stuff with the assistance of the Department of Defense (DoD) and the National Security Agency (NSA). The bottom line is that this makes it very tricky, because there's different frameworks involved.

For example, the FBI gets called in to investigate a hack and they discover it's criminal gang X, but that criminal gang may have been motivated to steal defense secrets more than the money. Then, they're supposed to kick it over to the intelligence community, but it's the same people. So we're a lot more handcuffed in all this than our adversaries are.

Gardner: So it's hard to say whose jurisdiction it is, under what circumstances, for how long, and then who gets the ultimate blame if things go right or wrong? I guess criminals would love to see that, right?

Menn: Yup.

Gardner: Okay, we have to wrap up. It's a very fascinating subject obviously. Just quickly looking to the future, we have some major trends. We have an increased movement toward mobility. People using public networks through their mobile carriers increasingly for work and more business-sensitive activities.

We have the drive toward cloud computing. We’ll be putting more of your assets, data, processes, perhaps even IP in a third-party data center, known as a cloud. We’re also seeing the movement toward outsourcing more IT and outsourcing applications in a software-as-a-service (SaaS) field.

The inroads of social networking into the workplace are bad from a security point of view. Perhaps worse is the consumerization of IT, the bring-your-own-device trend, which isn't going to go away.



Are these good, bad, indifferent? How does this set of big shifts in IT impact this whole cyber security issue?

Menn: Well, there are some that are clearly dangerous, and there are some things that are a mixed bag. Certainly, the inroads of social networking into the workplace are bad from a security point of view. Perhaps worse is the consumerization of IT, the bring-your-own-device trend, which isn't going to go away. That’s bad, although there are obviously mitigating things you can do.

The cloud itself is a mixed bag. Certainly, in theory, it could be made more secure than what you have on premise. If you’re turning it over to the very best of the very best, they can do a lot more things than you can in terms of protecting it, particularly if you’re a smaller business.

If you look to the large-scale banks and people with health records and that sort of thing that really have to be ultra-secure, they're not going to do this yet, because the procedures are not really set up to their specs yet. That may likely come in the future. But, cloud security, in my opinion, is not there yet. So that’s a mixed blessing.

Gardner: Before we close out, it sounds as if it's important for companies to educate themselves on what the real threats are, consider what to do if they are a victim, try to figure out who are their friends in government, and in the third-party private security organizations. Anything else that you think is important, Joe, in terms of getting started in moving toward both defense and offense in anticipating that these issues as you say are potentially existential?

Radical steps

Menn: As I said, you need to think strategically about this, and that includes some pretty radical steps. There are those who say there are two types of companies out there -- those that have been hacked and those that don’t know that they’ve been hacked.

Everybody needs to take a look at this stuff beyond their immediate corporate needs and think about where we’re heading as a society. And to the extent that people are already expert in the stuff or can become expert in this stuff, they need to share that knowledge, and that will often mean, saying "Yes, we got hacked" publicly, but it also means educating those around them about the severity of the threat.

One of the reasons I wrote my book, and spent years doing it, is not because I felt that I could tell every senior executive what they needed to do. I wanted to educate a broader audience, because there are some pretty smart people, even in Washington, who have known about this for years and have been unable to do anything about it. We haven't really passed anything that's substantial in terms of legislation.

As a matter of political philosophy, I feel that if enough people on the street realize what's going on, then quite often leaders will get in front of them and at least attempt to do the right thing. Senior executives should be thinking about educating their customers, their peers, the general public, and Washington to make sure that the stuff that passes isn't as bad as it might otherwise be.

If enough people on the street realize what's going on, then quite often leaders will get in front of them and at least attempt to do the right thing.



Gardner: Very good. We have been talking with Joseph Menn, Cyber Security Correspondent for the Financial Times and author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet.

As a lead-up to his Open Group presentation on, "What You're Up Against: Mobsters, Nation-States and Blurry Lines," Joe and I have been exploring the current cyber crime landscape, what can be done to better understand the threat and perhaps begin to work against it.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from Jan. 30 to Feb. 3 in San Francisco. You'll hear there more from Joe and many other global leaders on the ways that IT and enterprise architecture support enterprise transformation.

So thanks to you Joe Menn for a very fascinating discussion, and I look forward to your presentation in San Francisco. I also encourage our readers and listeners to attend the conference to learn more. Thanks, Joe.

Menn: Thanks very much.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leader interviews. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Transcript of a podcast in conjunction with The Open Group Conference in San Francisco on how foreign governments and criminal gangs are colluding to attack governments and businesses for profit and power. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Register for The Open Group Conference
Jan. 30 - Feb. 3 in San Francisco.

You may also be interested in:

Monday, October 10, 2011

Complex IT Security Risks Can Only Be Treated With Comprehensive Response, Not Point Products

Transcript of a BriefingsDirect podcast on the surge in security threats to enterprises and the approach companies need to take to thwart them.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Learn more. Sponsor: HP.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the rapidly increasing threat that enterprises face from security breaches. In just the past year, the number of attacks are up, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some people have even called the rate of attacks a pandemic.

The path to reducing these risks, even as the threats escalate, is to confront security at the framework and strategic level, and to harness the point solutions approach into a managed and ongoing security enhancement lifecycle.

As part of the series of recent news announcements from HP, we're here to examine how such a framework process can unfold, from workshops that allow a frank assessment of an organization’s vulnerabilities, to tailored framework-level approaches that can transform a company based on its own specific needs. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here to describe how a fabric of technology, a framework of processes, and a lifecycle of preparedness can all work together to help organizations become more secure -- and stay secure -- is our guest. Please join me in welcoming Rebecca Lawson, Director of Worldwide Security Initiatives at HP. Welcome back, Rebecca.

Rebecca Lawson: Thank you. Nice to talk with you again.

Gardner: Rebecca, why now? Why has the security vulnerability issue come to a head?

Lawson: Open up the newspaper and you see another company getting hit almost every day. As an industry, we've hit a tipping point with so many different security related issues -- for example, cyber crime, hacktivism, nation-state attacks. When you couple that with the diversity of devices that we use, and the wide range of apps and data we access every day, you can see how these dynamics create a very porous environment for an enterprise.

So we are hearing from our customers that they want to step back and think more strategically about how they're going to handle security, not just for the short term, when threats are near and present, but also from a longer term point of view.

Gardner: What do you think are some of the trends that are supporting this vulnerability? I know you have some research that you've done. What are your findings? What's at work here that's making these hacktivists and these other nefarious parties successful?

For more detail on the the extent of security breaches, read the
Second Annual Cost of Cyber Crime Study.

Lawson: In HP’s recent research, we've found that thirty percent of the people know that they've had a security breach by an unauthorized internal access, and over 20 percent have experienced an external breach. So breaches happen both internally and externally, and they happen for different reasons. Sometimes a breach is caused by a disgruntled customer or employee. Sometimes, there is a political motive. Sometimes, it's just an honest error ... Maybe they grab some paper off a printer that has some proprietary information, and then it gets into the wrong hands.

There are so many different points at which security incidents can occur; the real trick is getting your arms around all of them and focusing your attention on those that are most likely to cause reputation damage or financial damage or operational damage.

We also noticed in our research that the number of attacks, particularly on web applications, is just skyrocketing. One of the key areas of focus for HP is helping our customers understand why that’s happening, and what they can do about it.

Gardner: It also seems to me that, in the past, a lot of organizations could put up a walled garden, and say, "We're not going to do a lot of web stuff. We're not going to do mobile. We're going to keep our networks under our control." But nowadays that’s really just not possible.

If you're not doing mobile, not looking seriously at cloud, not making your workers able to access your assets regardless of where they are, you're really at a disadvantage competitively. So it seems to me that this is not an option, and that the old defensive posture just doesn’t work anymore.

Lawson: That is exactly right. In the good old days, we did have a walled garden, and it was easy for IT or the security office to just say “no” to newfangled approaches to accessing the web or building web apps. Of course, today they can still say no, but IT and security offices realize that they can't thwart the technology-related innovation that helps drive growth.

Our customers are keenly aware that their information assets are the most important assets now. That’s where the focus is, because that’s where the value is. The problem is that all the data and information moves around so freely now. You can send data in the blink of an eye to China and back, thru multiple application, where it’s used in different contexts. The context can change so rapidly that you have to really think differently about what it is you're protecting and how you're going to go about protecting it. So it's a different game now.

Gardner: And as we confront this "new game," it also appears that our former organizational approach is wanting. If we've had a variety of different security approaches under the authority of different people -- not really coordinated, not talking to each other, not knowing what the right hand and left hand are doing -- that’s become a problem.

So how do we now elevate this to a strategic level, getting a framework, getting a comprehensive plan? It sounds like that’s what a lot of the news you've been making these days is involved with.

No silver bullet

Lawson: You're exactly right. Our customers are realizing that there is no one silver bullet. You have to think across functional areas, lines of business, and silos.

Job number one is to bring the right people together and to assess the situation. The people are going to be from all over the organization -- IT, security and risk, AppDev, legal, accounting, supply chain -- to really assess the situation. Everyone should be not only aware of where vulnerabilities might be, or where the most costly vulnerabilities might be, but to look ahead and say, "Here is how our enterprise is innovating with technology -- Let's make sure we build security into them from the get-go."

There are two takeaways from this. One is that HP has a structured methodical framework approach to helping our customers get the people on the same page, getting the processes from top-down really well-structured so that everyone is aware of how different security processes work and how they benefit the organizations so that they can innovate.

One of the other elements is that every enterprise has to deal with a lot of short-term fixes.



One of the other elements is that every enterprise has to deal with a lot of short-term fixes. For example, a new vulnerability gets discovered in an application, and you've got to go quickly plug it, because it's relevant to your supply chain or some other critical process. That’s going to continue to go on.

But also, long term thinking, about building security in from the get-go; this is where companies can start to turn the corner. I'll go back again to web apps, building security into the very requirement and making sure all the way through the architecture design, testing, production, all the way through that you are constantly testing for security.

Gardner: So as you move toward more of a strategic approach to security, trying to pull together all these different threads into a fabric, you've identified four basic positions: assessment, optimization, management, and transformation. I'm curious, what is it about what you are coming out with in terms of process and technology that helps companies work toward that? What are the high-level building blocks?

Read more on HP's security framework
Rethinking Your Enterprise Security:
Critical Priorities to Consider

Lawson: The framework that I just mentioned is our way of looking at what you have to do across securing data, managing suppliers, ensuring physical assets, or security, but our approach to executing on that framework is a four-point approach.

We help our customers first assess the situation, which is really important just to have all eyes on what's currently happening and where your current vulnerabilities may lie. Then, we help them to transform their security practices from where they are today to where they need to be.

Then, we have technologies and services to help them manage that on an ongoing basis, so that you can get more and more of your security controls automated. And then, we help them optimize that, because security just doesn't stand still. So we have tools and services that help our customers keep their eye on the right ball, as all of the new threats evolve or new compliance requirements come down the pike.

Gardner: I've also heard that you're providing better visibility, but at a more comprehensive level, something called the HP Secure Boardroom. Maybe you could help us better understand what that means and why that's important as part of this organizational shift?

Get more information on the executive dashboard:
Introducing the HP Secure Boardroom.

Lawson: The Secure Boardroom combines dashboard technology with a good dose of intellectual property we have developed that helps us generate the APIs into different data sources within an organization.

The result is that a CISO can look at a dashboard and instantly see what's going on all across the organization. What are the threats that are happening? What's the rate of incidents? What's going on across your planning spectrum?

To have the visibility into disparate systems is step one. We've codified this over the several years that we've been working on this into a system that now any enterprise can use to pull together a consistent C-level view, so that you have the right kind of transparency.

Half the battle is just seeing what's going on every day in a consistent manner, so that you are focused on the right issues, while discovering where you might need better visibility or where you might need to change process. The Secure Boardroom helps you to continually be focused on the right processes, the right elements, and the right information to better protect financial, operational, and reputation-related assets.

Gardner: Rebecca, this reminds me of some of the strength that HP has been developing over the years in systems management. I've been observing and following HP for over 20 years and I can remember doing briefings with HP on OpenView when it was a new product and a new approach to management.

When you think about vulnerabilities, threats, and attacks, the first thing you have to do is have the right visibility. We have technology in our security organization that helps us see and find the vulnerabilities really quickly.



Is there continuity here between the expertise and the depth and breadth that HP has developed in how to manage systems and now bringing that into how to make them secure and to provide automation and policies that can ensure security over time?

Lawson: Yes. And I cannot believe it's been 20 years. That's a great point. Because we've been in the systems management and business service management business for so long, I would elevate it up to the level of the business service management.

We already have a head start with our customers, because they can already see the forest for the trees with regard to any one particular service. Let's just say it's a service in the supply chain, and that service might comprise network elements and systems and software and applications and all kinds of data going through it. We're able to tie the management of that through traditional management tools, like what we had with OpenView and what we have with our business service management to the view of security.

When you think about vulnerabilities, threats, and attacks, the first thing you have to do is have the right visibility. We have technology in our security organization that helps us see and find the vulnerabilities really quickly.

Let's say there's an incident and our security technology identifies it as being suspect, maybe it's just a certain type of database entry that's suspect, because we can associate it with a known bad IP address, we can do that because we have a correlation engine that is looking at factors like bad reputations, DNS entries, and log files, pulling all this together, and mapping that to incidents.

So we can say that this one is really suspect, let's do something about that. It can then initiate an incident record, which then goes to change management, and goes all the way through to remediation. You say, "You know what, we're going to block that guy from now on." Or maybe something happened when you're doing patch management and a mistake happens, or there's some vulnerability that happened during the time frame that somebody was doing the patch.

Integration with operations

Because we have our security technology tied with IT operations, there is an integration between them. When the security technology detects something, they can automatically issue an alert that is picked up from our incident management system, which might then invoke our change management system, which might then invoke a prescribed operations change, and we can do that through HP Operations Orchestration.

For example, if a certain event occurs, we can automate the whole process to remediate that occurrence. In the case of patch management -- something went wrong. It might have been a human error. It doesn't matter -- what happens is that we've already anticipated a certain type of attack or mistake. That's a very long way of saying that we've tied our security technology to our IT operations, and by the way, also to our applications management.

It really is a triad -- security, applications, operations. At HP, we’re making them work together. And because we have such a focus now on data correlation, on Big Data, we're able to bring in all the various sources of data and turn that into actionable information, and then execute it through our automation engine.

Gardner: So the concept here, as with management, is that to find issues around reliability performance requires that über overview approach, and having access to all of these data points and then being able to manage change and portfolio management as well, and then of course the lifecycle of the applications comes into play.

But it strikes me, when I listen to you, that this isn't really a security technology story, it's really a story about a comprehensive ability to manage your IT operations. Therefore, this is not just a bolt-on, something that one or two companies add as a new product to the market. So what differentiates HP? It doesn't strike me that there are not many companies that can pull this all together?

We can't say no to technology, because that's the engine of what makes an enterprise grow and be competitive.



Lawson: That's very true. As I mentioned, there is no one silver bullet. It's a matter of how you pull all the little pieces together and make sense of them.

Every organization has to innovate. We know that technology accelerates innovation. We can't say no to technology, because that's the engine of what makes an enterprise grow and be competitive. Everything new that's created has security already built-in, so that there is no delay down the road, and this is particularly germane in the applications area, as we were mentioning earlier.

Gardner: Rebecca, I've also heard you mention something called the "fabric of technology," and I know you've got a lot of announcements from ArcSight, Fortify and TippingPoint brands within HP. People can look to the news reports and get more information in detail on those particular announcements. But how does the technology news and that concept of a fabric come into play here?

Lawson: Well, let me use an example. Let's say one of your business services is a composite service and you may be using some outside cloud services and some internal services in your SAP system. Because all of the business processes tend to be built on composite technology-based services, you have to have the right fabric of security provision that’s guarding that process so nothing happens in all the various places where it could happen.

For example, we have a technology that lets you scan software and look for vulnerabilities, both dynamic and static testing. We have ways of finding vulnerabilities in third-party applications. We do that through our research organization which is called DVLabs. DV stands for Digital Vaccine. We pull data in from them every day as to new vulnerabilities and we make that available to the other technologies so we can blend that into the picture.

Focused technology

The right kind of security fabric has to be composed of different technologies that are very focused on certain areas. For example, technologies like our intrusion protection technology, which does the packet inspection and can identify bad IP addresses. They can identify that there are certain vulnerabilities associated with the transaction, and they can stop a lot of traffic right at the gate before it gets in.

The reason we can do that so well is because we've already weaved in information from our applications group, information from our researchers out there in the market. So we've been able to pull these together and make more value out of them working as one.

Another example is all of this information then can weave into our security, intelligence, and risk management platform, which is underpinned by our ArcSight technology, Fortify technology, and Tipping Point as well. We can do rigorous analysis and correlation of what would otherwise be very disparate data points.

So not only can we stop things right at the gate with our filters on our IPS, but we can do the analysis that says there's a pattern that's not looking good. Luckily we have built and bought technology that all works together in concert, and that lets you focus on the most critical aspects of keeping your enterprise running.

Gardner: We've talked about assessment. We've talked about change of processes and strategic and framework level activities. We've talked about the boardroom view and how this follows some of the concepts of doing good IT systems management, but we are also of course in the cloud era.

A lot of people think that when the words cloud and security are next to each other, bad things happen, but in fact, that’s not always the case.



I'm curious as to how organizations that may not want to actually do more of this over time themselves, but look for others who are in fact core competency focused on security start doing it. Is there a path toward security as a service or some sort of a managed service hybrid model that we're now going to be moving to as well?

Lawson: Absolutely. A lot of people think that when the words cloud and security are next to each other, bad things happen, but in fact, that’s not always the case.

Once an enterprise has the right plan and strategy in place, they start to prioritize what parts of their security are best suited in-house, with your own expertise, or what parts of the security picture can you or should you hand off to another party. In fact, one of our announcements this week is that we have a service for endpoint threat management.

If you're not centrally managing your endpoint devices, a lot of incidents can happen and slip through the cracks -- everything from an employee just losing a phone to an employee downloading an application that may have vulnerabilities.

So managing your endpoints devices in general, as well as the security associated with the endpoints, make a lot of sense. And it’s a discrete area where you might consider handing the job to a managed services provider, who has more expertise as well as better economic incentives.

Application testing

Another great example of using a cloud service for security is application testing. We are finding that a lot of the web apps out in the market aren't necessarily developed by application developers who understand that there's a whole lifecycle approach involved.

In fact, I've been hearing interesting statistics about the number of web apps that are written by people formerly known as webmasters. These folks may be great at designing apps, but if you're not following a full application lifecycle management practice, which invokes security as one of the base principles of designing an app, then you're going to have problems.

What we found is that this explosion of web apps has not been followed closely enough by testing. Our customers are starting to realize this and now they're asking for HP to help, because in fact there are a lot of app vulnerabilities that can be very easily avoided. Maybe not all of them, but a lot of them, and we can help customers do that.

So testing as a service as a cloud service or as a hosted or managed service is a good idea, because you can do it immediately. You don't incur the time and money to spin up a testing of center of excellence – you can use the one that HP makes available through our SaaS model.

Gardner: As part of your recent announcements, moving more toward a managed services provider role, is something that you are working on yourselves at HP and you are also enabling your ecosystem partners. Perhaps we can wrap up with a little bit more detail about what you are going to be offering as services in addition to what you are offering as professional services and products.

One of the great things about many of the technologies that we've purchased and built in the last few years is that we're able to use them in our managed services offerings.



Lawson: One of the great things about many of the technologies that we've purchased and built in the last few years is that we're able to use them in our managed services offerings.

I'll give you an example. Our ArcSight product for Security Information and Event Management is now offered as a service. That's a service that really gets better the more expertise you have and the more focused you are on that type of event correlation and analysis. For a lot of companies they just don't want to invest in developing that expertise. So they can use that as a service.

We have other offerings, across testing, network security, endpoint security, that are all offered as a service. So we have a broad spectrum of delivery model choices for our customers. We think that’s the way to go, because we know that most enterprises want a strategic partner in security. They want a trusted partner, but they're probably not going to get all of their security from one vendor of course, because they're already invested.

We like to come in and look first at establishing the right strategy, putting together the right roadmap, making sure it's focused on helping our customer innovate for the future, as well as putting some stopgap measures in so that you can thwart the cyber threats that are near and present danger. And then, we give them the choice to say what's best for their company, given their industry, given the compliance requirements, given time to market, and given their financial posture?

There are certain areas where you're going to want to do things yourself, certain areas where you are going to want to outsource to a managed service. And there are certain technologies already at play that are probably just great in a point solution context, but they need to be integrated.

Integrative approach

M
ost of our customers have already lots of good things going on, but they just don't all come together. That's really the bottom line here. It has to be an integrative approach. It has to be a comprehensive approach. And the reason is that the bad guys are so successful causing havoc is that they know that all of this is disconnected. They know that security technologies tend to be fragmented and they're going to take advantage of that.

Gardner: You've had a lot of news come out, and we've talked about an awful lot today. Is there a resource that you could point to that folks can go and perhaps get a more detailed, maybe in one spot, a security wellspring perhaps? What would you suggest?

Lawson: I'd definitely suggest going to hp.com/go/enterprisesecurity. In particular, there is a report that you can download and read today called the "HP DVLabs’ Cyber Security Risks Report." It’s a report that we generate twice a year and it has got some really startling information in it. And it’s all based on, not theoretical stuff, but things that we see, and we have aggregated data from different parts of the industry, as well as data from our customers that show the rate of attacks and where the vulnerabilities are typically located. It’s a real eye opener.

It’s a little startling, when you start to look at some of the facts about the costs associated with application breaches or the nature of complex persistent attacks.



So I would just suggest that you search for the DVLabs’ Cyber Security Risks Report and read it, and then pass it on to other people in your company, so that they can become aware of what the situation really is. It’s a little startling, when you start to look at some of the facts about the costs associated with application breaches or the nature of complex persistent attacks. So awareness is the right place to start.

Gardner: Very good. We've been listening to a sponsored podcast discussion on how to confront security at the framework and strategic level and how to harness the point solutions approach into a managed and ongoing security enhancement lifecycle benefit.

We have been joined in our discussion today by Rebecca Lawson, Director of Worldwide Security Initiatives at HP. Thanks so much, Rebecca.

Lawson: Thank you so much, Dana. It’s great to talk to you.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Learn more. Sponsor: HP.

Transcript of a BriefingsDirect podcast on the surge in security threats to enterprises and the approach companies need to take to thwart them. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

You may also be interested in:

Tuesday, February 15, 2011

Expert Panel: As Cyber Security Risks Grow, Architected Protection and Best Practices Must Keep Pace

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on how enterprises need to change their thinking to face and avert cyber security threats.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today we present a sponsored podcast discussion in conjunction with The Open Group Conference, held in San Diego the week of February 7, 2011. We’ve assembled a panel to examine the business risk around cyber security threats.

Looking back over the past few years, it seems like threats are only getting worse. We've had the Stuxnet Worm, The WikiLeaks affair, China-originating attacks against Google and others, and the recent Egypt Internet blackout. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

But, are cyber security dangers, in fact, getting that much worse? And are perceptions at odds with what is really important in terms of security protection? In either event, how can businesses best protect themselves from the next round of risks, especially as cloud, mobile, and social media and networking activities increase?

How can architecting for security become effective and pervasive? We'll pose these and other serious questions to a panel of security experts to examine the coming cyber business risks and ways to head them off.

Please join me now in welcoming our panel, Jim Hietala, the Vice President of Security at The Open Group; Mary Ann Mezzapelle, Chief Technologist in the CTO's Office at HP, and Jim Stikeleather, Chief Innovation Officer at Dell Services.

Gardner: As I mentioned, there have been a lot of things in the news about security. I'm wondering, what are the real risks that are worth being worried about? What should you be staying up late at night thinking about, Jim?

Stikeleather: Pretty much everything, at this time. One of the things that you're seeing is a combination of factors. When people are talking about the break-ins, you're seeing more people actually having discussions of what's happened and what's not happening. You're seeing a new variety of the types of break-ins, the type of exposures that people are experiencing. You're also seeing more organization and sophistication on the part of the people who are actually breaking in.

The other piece of the puzzle has been that legal and regulatory bodies step in and say, "You are now responsible for it." Therefore, people are paying a lot more attention to it. So, it's a combination of all these factors that are keeping people up right now.

Gardner: Is it correct, Mary Ann, to say that it's not just a risk for certain applications or certain aspects of technology, but it's really a business-level risk?

Key component

Mezzapelle: That's one of the key components that we like to emphasize. It's about empowering the business, and each business is going to be different. If you're talking about a Department of Defense (DoD) military implementation, that's going to be different than a manufacturing concern. So it's important that you balance the risk, the cost, and the usability to make sure it empowers the business.

Gardner: How about complexity, Jim Hietala? Is that sort of an underlying current here? We now think about the myriad mobile devices, moving applications to a new tier, native apps for different platforms, more social interactions that are encouraging collaboration. This is good, but just creates more things for IT and security people to be aware of. So how about complexity? Is that really part of our main issue?

Hietala: It's a big part of the challenge, with changes like you have mentioned on the client side, with mobile devices gaining more power, more ability to access information and store information, and cloud. On the other side, we’ve got a lot more complexity in the IT environment, and much bigger challenges for the folks who are tasked for securing things.

Gardner: Just to get a sense of how bad things are, Jim Stikeleather, on a scale of 1 to 10 -- with 1 being you're safe and sound and you can sleep well, and 10 being all the walls of your business are crumbling and you're losing everything -- where are we?

Stikeleather: Basically, it depends on who you are and where you are in the process. A major issue in cyber security right now is that we've never been able to construct an intelligent return on investment (ROI) for cyber security.

We're starting to see a little bit of a sea change, because starting with HIPAA-HITECH in 2009, for the first time, regulatory bodies and legislatures have put criminal penalties on companies who have exposures and break-ins associated with them.



There are two parts to that. One, we've never been truly able to gauge how big the risk really is. So, for one person it maybe a 2, and most people it's probably a 5 or a 6. Some people may be sitting there at a 10. But, you need to be able to gauge the magnitude of the risk. And, we never have done a good job of saying what exactly the exposure is or if the actual event took place. It's the calculation of those two that tell you how much you should be able to invest in order to protect yourself.

So, I'm not really sure it's a sense of exposure the people have, as people don't have a sense of risk management -- where am I in this continuum and how much should I invest actually to protect myself from that?

We're starting to see a little bit of a sea change, because starting with HIPAA-HITECH in 2009, for the first time, regulatory bodies and legislatures have put criminal penalties on companies who have exposures and break-ins associated with them.

So we're no longer talking about ROI. We're starting to talk about risk of incarceration , and that changes the game a little bit. You're beginning to see more and more companies do more in the security space -- for example, having a Sarbanes-Oxley event notification to take place.

The answer to the question is that it really depends, and you almost can't tell, as you look at each individual situation.

Gardner: Mary Ann, it seems like assessment then becomes super-important. In order to assess your situation, you can start to then plan for how to ameliorate it and/or create a strategy to improve, and particularly be ready for the unknown unknowns that are perhaps coming down the pike. When it comes to assessment, what would you recommend for your clients?

Comprehensive view

Mezzapelle: First of all we need to make sure that they have a comprehensive view. In some cases, it might be a portfolio approach, which is unique to most people in a security area. Some of my enterprise customers have more than a 150 different security products that they're trying to integrate.

Their issue is around complexity, integration, and just knowing their environment -- what levels they are at, what they are protecting and not, and how does that tie to the business? Are you protecting the most important asset? Is it your intellectual property (IP)? Is it your secret sauce recipe? Is it your financial data? Is it your transactions being available 24/7?

And, to Jim's point, that makes a difference depending on what organization you're in. It takes some discipline to go back to that InfoSec framework and make sure that you have that foundation in place, to make sure you're putting your investments in the right way.

Stikeleather: One other piece of it is require an increased amount of business knowledge on the part of the IT group and the security group to be able to make the assessment of where is my IP, which is my most valuable data, and what do I put the emphasis on.

One of the things that people get confused about is, depending upon which analyst report you read, most data is lost by insiders, most data is lost from external hacking, or most data is lost through email. It really depends. Most IP is lost through email and social media activities. Most data, based upon a recent Verizon study, is being lost by external break-ins.

When you move from just "I'm doing security" to "I'm doing risk mitigation and risk management," then you have to start doing portfolio and investment analysis in making those kinds of trade-offs.



We've kind of always have the one-size-fits-all mindset about security. When you move from just "I'm doing security" to "I'm doing risk mitigation and risk management," then you have to start doing portfolio and investment analysis in making those kinds of trade-offs.

That's one of the reasons we have so much complexity in the environment, because every time something happens, we go out, we buy any tool to protect against that one thing, as opposed to trying to say, "Here are my staggered differences and here's how I'm going to protect what is important to me and accept the fact nothing is perfect and some things I'm going to lose."

Gardner: Perhaps a part of having an assessment of where you are is to look at how things have changed, Jim Hietala, thinking about where we were three or four years ago, what is fundamentally different about how people are approaching security and/or the threats that they are facing from just a few years ago?

Hietala: One of the big things that's changed that I've observed is if you go back a number of years, the sorts of cyber threats that were out there were curious teenagers and things like that. Today, you've got profit-motivated individuals who have perpetrated distributed denial of service attacks to extort money. Now, they’ve gotten more sophisticated and are dropping Trojan horses on CFO's machines and they can to try in exfiltrate passwords and log-ins to the bank accounts.

We had a case that popped up in our newspaper in Colorado, where a mortgage company, a title company lost a million dollars worth of mortgage money that was loans in the process of funding. All of a sudden, five homeowners are faced with paying two mortgages, because there was no insurance against that.

When you read through the details of what happened it was, it was clearly a Trojan horse that had been put on this company's system. Somebody was able to walk off with a million dollars worth of these people's money.

State-sponsored acts

So you've got profit-motivated individuals on the one side, and you've also got some things happening from another part of the world that look like they're state-sponsored, grabbing corporate IP and defense industry and government sites. So, the motivation of the attackers has fundamentally changed and the threat really seems pretty pervasive at this point.

Gardner: Pervasive threat. Is that how you see it, Jim Stikeleather?

Stikeleather: I agree. The threat is pervasive. The only secure computer in the world right now is the one that's turned off in a closet, and that's the nature. You have to make decisions about what you're putting on and where you're putting it on. I's a big concern that if we don't get better with security, we run the risk of people losing trust in the Internet and trust in the web.

When that happens, we're going to see some really significant global economic concerns. If you think about our economy, it's structured around the way the Internet operates today. If people lose trust in the transactions that are flying across it, then we're all going to be in pretty bad world of hurt.

Gardner: All right, well I am duly scared. Let's think about what we can start doing about this. How should organizations rethink security? And is that perhaps the way to do this, Mary Ann? If you say, "Things have changed. I have to change, not only in how we do things tactically, but really at that high level strategic level," how do you rethink security properly now?

Mezzapelle: It comes back to one of the bottom lines about empowering the business. Jim talked about having that balance. It means that not only do the IT people need to know more about the business, but the business needs to start taking ownership for the security of their own assets, because they are the ones that are going to have to belay the loss, whether it's data, financial, or whatever.

We need to connect the dots and we need to have metrics. We need to look at it from an overall threat point of view, and it will be different based on what company you're about.



They need to really understand what that means, but we as IT professionals need to be able to explain what that means, because it's not common sense. We need to connect the dots and we need to have metrics. We need to look at it from an overall threat point of view, and it will be different based on what company you're about.

You need to have your own threat model, who you think the major actors would be and how you prioritize your money, because it's an unending bucket that you can pour money into. You need to prioritize.

Gardner: How would this align with your other technology and business innovation activities? If you're perhaps transforming your business, if you're taking more of a focus at the process level, if you're engaged with enterprise architecture and business architecture, is security a sideline, is it central, does it come first? How do you organize what's already fairly complex in security with these other larger initiatives?

Mezzapelle: The way that we've done that is this is we've had a multi-pronged approach. We communicate and educate the software developers, so that they start taking ownership for security in their software products, and that we make sure that that gets integrated into every part of portfolio.

The other part is to have that reference architecture, so that there’s common services that are available to the other services as they are being delivered and that we can not control it but at least manage from a central place.

You were asking about how to pay for it. It's like Transformation 101. Most organizations spend about 80 percent of their spend on operations. And so they really need to look at their operational spend and reduce that cost to be able to fund the innovation part.

Getting benchmarks

I
t may not be in security. You may not be spending enough in security. There are several organizations that will give you some kind of benchmark about what other organizations in your particular industry are spending, whether it's 2 percent on the low end for manufacturing up to 10-12 percent for financial institutions.

That can give you a guideline as to where you should start trying to move to. Sometimes, if you can use automation within your other IT service environment, for example, that might free up the cost to fuel that innovation.

Stikeleather: Mary Ann makes a really good point. The starting point is really architecture. We're actually at a tipping point in the security space, and it comes from what's taking place in the legal and regulatory environments with more-and-more laws being applied to privacy, IP, jurisdictional data location, and a whole series of things that the regulators and the lawyers are putting on us.

One of the things I ask people, when we talk to them, is what is the one application everybody in the world, every company in the world has outsourced. They think about it for a minute, and they all go payroll. Nobody does their own payroll any more. Even the largest companies don't do their own payroll. It's not because it's difficult to run payroll. It's because you can’t afford all of the lawyers and accountants necessary to keep up with all of the jurisdictional rules and regulations for every place that you operate in.

Data itself is beginning to fall under those types of constraints. In a lot of cases, it's medical data. For example, Massachusetts just passed a major privacy law. PCI is being extended to anybody who takes credit cards.

Because all these adjacencies are coming together, it's a good opportunity to sit down and architect with a risk management framework. How am I going to deal with all of this information?



The security issue is now also a data governance and compliance issue as well. So, because all these adjacencies are coming together, it's a good opportunity to sit down and architect with a risk management framework. How am I going to deal with all of this information?

Plus you have additional funding capabilities now, because of compliance violations you can actually identify what the ROI is for of avoiding that. The real key to me is people stepping back and saying, "What is my business architecture? What is my risk profile associated with it? What's the value associated with that information? Now, engineer my systems to follow that."

Mezzapelle: You need to be careful that you don't equate compliance with security? There are a lot of organizations that are good at compliance checking, but that doesn't mean that they are really protecting against their most vulnerable areas, or what might be the largest threat. That's just a letter of caution -- you need to make sure that you are protecting the right assets.

Gardner: It's a cliché, but people, process, and technology are also very important here. It seems to me that governance would be an overriding feature of bringing those into some alignment.

Jim Hietala, how should organizations approach these issues with a governance mindset? That is to say, following procedures, forcing those procedures, looking and reviewing them, and then putting into place the means by which security becomes in fact part-and-parcel with doing business?

Risk management

Hietala: I guess I'd go back to the risk management issue. That's something that I think organizations frequently miss. There tends to be a lot of tactical security spending based upon the latest widget, the latest perceived threat -- buy something, implement it, and solve the problem.

Taking a step back from that and really understanding what the risks are to your business, what the impacts of bad things happening are really, is doing a proper risk analysis. Risk assessment is what ought to drive decision-making around security. That's a fundamental thing that gets lost a lot in organizations that are trying to grapple the security problems.

Gardner: Jim, any thoughts about governance as an important aspect to this?

Stikeleather: Governance is a critical aspect. The other piece of it is education. There's an interesting fiction in both law and finance. The fiction of the reasonable, rational, prudent man. If you've done everything a reasonable, rational and prudent person has done, then you are not culpable for whatever the event was.

I don't think we've done a good job of educating our users, the business, and even some of the technologists on what the threats are, and what are reasonable, rational, and prudent things to do. One of my favorite things are the companies that make you change your password every month and you can't repeat a password for 16 or 24 times. The end result is that you get as this little thing stuck on the notebook telling them exactly what the password is.

So, it's governance, but it's also education on top of governance. We teach our kids not to cross the street in the middle of the road and don't talk to strangers. Well, we haven't quite created that same thing for cyberspace. Governance plus education may even be more important than the technological solutions.

The technical details of the risks are changing rapidly, but the nature of the risk themselves, the higher level of the taxonomy, is not changing all that much.



Gardner: One sort of push-back on that is that the rate of change is so rapid and the nature of the risks can be so dynamic, how does one educate? How you keep up with that?

Stikeleather: I don't think that it's necessary.

If you just introduce safe practices so to speak, then you're protected up until someone comes up with a totally new way of doing things, and there really hasn't been a lot of that. Everything has been about knowing that you don't put certain data on the system, or if you do, this data is always encrypted. At the deep technical details, yes, things change rapidly. At the level with which a person would exercise caution, I don't think any of that has changed in the last ten years.

Gardner: We've now entered into the realm of behaviors and it strikes me also that it's quite important and across the board. There are behaviors at different levels of the organization. Some of them can be good for ameliorating risk and others would be very bad and prolonged. How do you incentivize people? How do you get them to change their behavior when it comes to security, Mary Ann?

Mezzapelle: The key is to make it personalized to them or their job, and part of that is the education as Jim talked about. You also show them how it becomes a part of their job.

Experts don't know

I
have a little bit different view that it is so complex that even security professionals don’t always know what the reasonable right thing to do it. So, I think it's very unreasonable for us to expect that of our business users, or consumers, or as I like to say, my mom. I use her as a use case quite a lot of times about what would she do, how would she react and would she recognize when she clicked on, "Yes, I want to download that antivirus program," which just happened to be a virus program.

Part of it is the awareness so that you keep it in front of them, but you also have to make it a part of their job, so they can see that it's a part of the culture. I also think it's a responsibility of the leadership to not just talk about security, but make it evident in their planning, in their discussions, and in their viewpoints, so that it's not just something that they talk about but ignore operationally.

Gardner: One other area I want to touch on is the notion of cloud computing, doing more outsourced services, finding a variety of different models that extend beyond your enterprise facilities and resources.

There's quite a bit of back and forth about, is cloud better for security or worse for security? Can I impose more of these automation and behavioral benefits if I have a cloud provider or a single throat to choke, or is this something that opens up? I've got a sneaking suspicion I am going to hear "It depends" here, Jim Stikeleather, but I am going to go with you anyway. Cloud: I can't live with it, can't live without it. How does it work?

Stikeleather: You're right, it depends. I can argue both sides of the equation. On one side, I've argued that cloud can be much more secure. If you think about it, and I will pick on Google, Google can expend a lot more on security than any other company in the world, probably more than the federal government will spend on security. The amount of investment does not necessarily tie to a quality of investment, but one would hope that they will have a more secure environment than a regular company will have.

You have to do your due diligence, like with everything else in the world. I believe, as we move forward, cloud is going to give us an opportunity to reinvent how we do security.



On the flip side, there are more tantalizing targets. Therefore they're going to draw more sophisticated attacks. I've also argued that you have statistical probability of break-in. If somebody is trying to break into Google, and you're own Google running Google Apps or something like that, the probability of them getting your specific information is much less than if they attack XYZ enterprise. If they break in there, they are going to get your stuff.

Recently I was meeting with a lot of NASA CIOs and they think that the cloud is actually probably a little bit more secure than what they can do individually. On the other side of the coin it depends on the vendor. I've always admired astronauts, because they're sitting on top of this explosive device built by the lowest-cost provider. I've always thought that took more bravery than anybody could think of. So the other piece of that puzzle is how much is the cloud provider actually providing in terms of security.

You have to do your due diligence, like with everything else in the world. I believe, as we move forward, cloud is going to give us an opportunity to reinvent how we do security.

I've often argued that a lot of what we are doing in security today is fighting the last war, as opposed to fighting the current war. Cloud is going to introduce some new techniques and new capabilities. You'll see more systemic approaches, because somebody like Google can't afford to put in 150 different types of security. They will put one more integrated. They will put in, to Mary Ann’s point, the control panels and everything that we haven't seen before.

So, you'll see better security there. However, in the interim, a lot of the software-as-a-service (SaaS) providers, some of the simpler platform-as-a-service (PaaS) providers haven’t made that kind of investment. You're probably not as secured in those environments.

Gardner: Mary Ann, do you also see cloud as a catalyst to a better security either from technology process or implementation?

Lowers the barrier

Mezzapelle: For the small and medium size business it offers the opportunity to be more secure, because they don't necessarily have the maturity of processes and tools to be able to address those kinds of things. So, it lowers that barrier to entry for being secure.

For enterprise customers, cloud solutions need to develop and mature more. They may want to do with hybrid solution right now, where they have more control and the ability to audit and to have more influence over things in specialized contracts, which are not usually the business model for cloud providers.

I would disagree with Jim in some aspects. Just because there is a large provider on the Internet that’s creating a cloud service, security may not have been the key guiding principle in developing a low-cost or free product. So, size doesn't always mean secure.

You have to know about it, and that's where the sophistication of the business user comes in, because cloud is being bought by the business user, not by the IT people. That's another component that we need to make sure gets incorporated into the thinking.

Stikeleather: I am going to reinforce what Mary Ann said. What's going on in cloud space is almost a recreation of the late '70s and early '80s when PCs came into organizations. It's the businesspeople that are acquiring the cloud services and again reinforces the concept of governance and education. They need to know what is it that they're buying.

There will be some new work coming out over the next few months that lay out some of the tough issues there and present some approaches to those problems.



I absolutely agree with Mary. I didn't mean to imply size means more security, but I do think that the expectation, especially for small and medium size businesses, is they will get a more secure environment than they can produce for themselves.

Gardner: Jim Hietala, we're hearing a lot about frameworks, and governance, and automation. Perhaps even labeling individuals with responsibility for security and we are dealing with some changeable dynamics that move to cloud and issues around cyber security in general, threats from all over. What is The Open Group doing? It sounds like a huge opportunity for you to bring some clarity and structure to how this is approached from a professional perspective, as well as a process and framework perspective?

Hietala: It is a big opportunity. There are a number of different groups within The Open Group doing work in various areas. The Jericho Forum is tackling identity issues as it relates to cloud computing. There will be some new work coming out of them over the next few months that lay out some of the tough issues there and present some approaches to those problems.

We also have the Open Trusted Technology Forum (OTTF) and the Trusted Technology Provider Framework (TTPF) that are being announced here at this conference. They're looking at supply chain issues related to IT hardware and software products at the vendor level. It's very much an industry-driven initiative and will benefit government buyers, as well as large enterprises, in terms of providing some assurance of products they're procuring are secure and good commercial products.

Also in the Security Forum, we have a lot of work going on in security architecture and information security management. There are a number projects that are aimed at practitioners, providing them the guidance they need to do a better job of securing, whether it's a traditional enterprise, IT environment, cloud and so forth. Our Cloud Computing Work Group is doing work on a cloud security reference architecture. So, there are number of different security activities going on in The Open Group related to all this.

Gardner: What have you seen in a field in terms of a development of what we could call a security professional? We've seen Chief Security Officer, but is there a certification aspect to identifying people as being qualified to step in and take on some of these issues?

Certification programs

Hietala: There are a number of certification programs for security professionals that exist out there. There was legislation, I think last year, that was proposed that was going to put some requirements at the federal level around certification of individuals. But, the industry is fairly well-served by the existing certifications that are out there. You've got CISSP, you've got a number of certification from SANS and GIAC that get fairly specialized, and there are lots of opportunities today for people to go out and get certifications in improving their expertise in a given topic.

Gardner: My last question will go to you on this same issue of certification. If you're on the business side and you recognize these risks and you want to bring in the right personnel, what would you look for? Is there a higher level of certification or experience? How do you know when you've got a strategic thinker on security, Mary Ann?

Mezzapelle: The background that Jim talked about CISSP, CSSLP from (ISC)2, there is also the CISM or Certified Information Security Manager that’s from an audit point of view, but I don't think there's a certification that’s going to tell you that they're a strategic thinker. I started out as a technologist, but it's that translation to the business and it's that strategic planning, but applying it to a particular area and really bringing it back to the fundamentals.

Gardner: Does this become then part of enterprise architecture (EA)?

Mezzapelle: It is a part of EA, and, as Jim talked, about we've done some work on The Open Group with Information Security Management model that extend some of other business frameworks like ITIL into the security space to have a little more specificity there.

Gardner: Last word to you, Jim Stikeleather, on this issue of how do you get the right people in the job and is this something that should be part and parcel with the enterprise or business architect?

At the end of the day it's the incorporation of everything into EA, because you can't bolt on security. It just doesn't work.



Stikeleather: I absolutely agree with what Mary Ann said. It's like a CPA. You can get a CPA and they know certain things, but that doesn't guarantee that you’ve got a businessperson. That’s where we are with security certifications as well. They give you a comfort level that the fundamental knowledge of the issues and the techniques and stuff are there, but you still need someone who has experience.

At the end of the day it's the incorporation of everything into EA, because you can't bolt on security. It just doesn't work. That’s the situation we're in now. You have to think in terms of the framework of the information that the company is going to use, how it's going to use it, the value that’s associated with it, and that's the definition of EA.

Gardner: Well, great. We have been discussing the business risk around cyber security threats and how to perhaps position yourself to do a better job and anticipate some of the changes in the field. I’d like to thank our panelists. We have been joined by Jim Hietala, Vice President of Security for The Open Group; Mary Ann Mezzapelle, Chief Technologist in the Office of the CTO for HP, and Jim Stikeleather, Chief Innovation Officer at Dell Services.

This is Dana Gardner. You’ve been listening to a sponsored BriefingsDirect podcast in conjunction with The Open Group Conference here in San Diego, the week of February 7th, 2011. I want to thank all for joining and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on how enterprises need to change their thinking to face and avert cyber security threats. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

You may also be interested in: