
Wednesday, September 04, 2013

Cybersecurity is a Necessity, Not an Option, in the Face of Global Security Threats, Says CSC

Transcript of a BriefingsDirect podcast on the growing need for cybersecurity as an important organizational goal for businesses and government agencies.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving security and reducing risks as they adapt to the new harsh realities of doing business online.

We have a fascinating discussion today, because we're joined for Part 2 of our series with HP strategic partner and IT services and professional services global powerhouse CSC. We'll be exploring how CSC itself has improved its own cybersecurity posture.

With that, please join me in welcoming our guests, Dean Weber, the Chief Technology Officer for CSC Global Cybersecurity. Welcome back, Dean.

Dean Weber: Thank you.

Gardner: We're also here with Sam Visner, Vice President and General Manager for CSC Global Cybersecurity. Welcome back to you too, Sam.

Sam Visner: Thanks, Dana, for this opportunity to discuss this topic.

Gardner: As you recall, in Part 1 of our series, we examined the tough challenges facing companies and how they need to adjust their technology and security operations. We saw how they were all now facing a "weapons-grade threat," as we put it, with big commercial incentives for online attacks and also a proliferation of more professional attackers. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

We also learned how older IT security methods have proven inadequate to the escalating risks that are also expanding beyond corporate networks to include critical infrastructure, supply chains, and even down to devices and sensors.

So today, we'd like to take a deeper dive into how CSC itself is going beyond just technology and older methods to understand a better path to improve cybersecurity.

Let me start with you, Sam. What's the most impactful thing that CSC has done in the past several years, perhaps in concert with HP, that's proven to be a major contributor to a more secure environment?

Visner: There are three things to which I'd point. In the course of any conversation about three things, I'll think of a fourth, a fifth, a sixth, and a seventh in due course, but let me start with three things.

The first is the recognition that cybersecurity is an important issue for any organization today, whether they're a Global 1000 company, a Fortune 500 company, or a government agency, and everybody has a stake in cybersecurity.

Same question

The first thing is that, because everybody has this stake, there has been a recognition that the cybersecurity of the commercial world and the cybersecurity of the public sector are really the same question.

The commercial world provides the technology on which governments depend. Governments express the interest that the public has and the cybersecurity of those parts of the private sector that manage energy, transportation, critical manufacturing, aerospace, defense, chemicals, banking, healthcare, and any other thing that we call critical infrastructure.

In our company, where we serve both the public sector and private sector, we recognized early on that it made sense to address commercial and public sector cybersecurity from a common strategy. That's the first thing.

The second thing is that we then built a unified capability, a unified P&L, a unified line of business and delivery capability for cybersecurity that brings together our commercial and our public-sector business. We're end to end. So from consulting and assessments, then education, through managed cybersecurity services and systems integration, all the way through incident response, we make our full portfolio available to all our customer set, not just part of our customer set.

And the third thing is -- and I am going to ask Dean Weber to comment on this, because more than anyone else he has been the motivating powerhouse here -- a lot of people think about cybersecurity as tools. What's my firewall? What's my user provisioning? What's my password policy? How am I handling passwords? What should I be doing about endpoint protection?

That's a recipe for disaster, because you're always playing catch up against the problem and you don't even know if the tools work together. You certainly don't have the means to take the information that these tools generate, put them together, analyze them and give yourself the big picture that allows you to be effective in understanding the total threat you face and the total situation that you have internal in your organization.

The third thing that has been important is moving from a tools-based perspective to an architecture-based perspective, one in which before we buy tools or develop tools, or even in which we define offerings, we define the architecture of our offerings.

What are we trying to do? How will these offerings fit together in accruing information outside of our enterprise about the global threat environment and inside of an enterprise about everything that affects the security of an organization, from their smartphone, all the way down to their industrial control systems on the shop floor?

What are the offerings that, when knit together, give you a total capability? Then, what are the specific technologies that are pertinent to each of those offerings? So taking an architectural approach as opposed to a product-specific approach is the third basic development.

Again, the public sector and commercial sector have to be approached in a common strategy, the need to build a common organization serving all our customers across the CSC space, and approaching our solutions from an architectural perspective where you fit everything together in terms of offerings, capabilities, and technology. Those would be the three things to which I'd point.

Architectural level

Gardner: Dean Weber, let's get some more input on the shift from a tools perspective or a tactical perspective to that architectural level?

Weber: As Sam pointed out, the idea here is that we need an integrated capability to combat the current and emerging threats. You do that based on a global ability to detect and defer the threats, remediate as quickly as possible from threats that have manifested themselves, and recover.

Not only are we a services provider of managed security services to enterprise and government, we also consume those services ourselves on the inside. There's no difference. We drink our own champagne, or eat our own dog food, or however you want to put it.

But at the end of the day we have made this very security operations center (SOC)-centric offering, where we have elected to use a common technology framework across the globe. All of our SOCs worldwide use the same security and information event management -- SIEM technology, in this case HP ArcSight.

That allows us to deliver the same level of consistency and maturity, and given some of the advanced capabilities of ArcSight, it has allowed us to interconnect them using a concept we call the global logical SOC, where for data protection and data privacy purposes, data has to reside in the region or country of its origin, but we still need to share threat intelligence, both internally generated and externally applied. The ArcSight platform allows us to build on that basis.

Separate and apart from that, any other tools that we want to bring to bear, whether that's antivirus or vulnerability scanning, all the way up the stack to application security lifecycle, with a product like Fortify, we can plug all of that into the managed framework regardless of where it's delivered on the globe and we can take advantage of that appropriately and auditably across the entire hemisphere or across the entire planet.

Visner: Dean mentioned HP Fortify. As you may know, we're bringing out an application security testing-as-a-service component of our portfolio. It’s an offering. That was done very deliberately. It's a portfolio of offerings that comprise a total capability. Each offering goes through offering lifecycle management to ensure that it conforms to the architecture, and then trade studies to determine which technologies, in this case the HP Fortify technology, are pertinent to that offering.

As we move out on this, what people should expect is not that somebody is going to show up and say, "Buy our tool." Instead, what we're going to be doing is soliciting requirements for tools and technologies, some of which we'll buy or license and some which we'll develop ourselves that conform to the total architectural approach that Dean described. What we're doing with HP Fortify is a perfect example of that very deliberate and methodical approach.

Gardner: It sounds as if an important pillar of those three items you brought up, Sam, the common strategy, unified capability, and architecture, is to know yourself as an organization, to deeply understand where you are, and then be dynamic in terms of tracking that. Do the HP Fortify and HP ArcSight technologies come to bear on that aspect of self-awareness?

Visner: The way I would put it is this. We have to deal with a situation in which we have a broad set of industries that we serve from a cybersecurity perspective. I'm going to take a look at the ArcSight situation here more particularly, because the ArcSight situation is one that had to serve CSC and its customers on a global basis.

Wide range of environments

We do cybersecurity for public-sector organizations, but we also do it for chemical companies, banks, aerospace and defense companies, manufacturing companies, and companies in the healthcare space.

We have to be able to bring together data across a very wide range of environments. Although there are some great global threats out there, some of those threats are being crafted to be specific to some of the industries and some of the government’s activities that we try to safeguard.

Therefore, in the case of ArcSight, we needed an environment that would allow us to use a broad range of tools, some of which may have to be selected to be fit for purpose for a specific customer environment and yet to accrue data in a common environment and use that common environment for correlation and analysis.

This is a way in which our self-awareness as a company that does cybersecurity across many sectors of the private sector, as well as a broad range of public sector organizations, told us that we needed an environment that could accrue a wide range of data and allow us to do correlation.

In terms of what we're doing with Fortify and application security testing, one of the things we've learned about ourselves is that we're going to support organizations that have very specific applications requirements. In some cases, these requirements will relate to things like healthcare or banking. In some cases, it will be for transactions. In some cases, it will be specific workflows associated with these industries.

What’s common to this, we have learned, is the need for secure applications. What’s also common is that globally the world isn’t doing enough in terms of testing the security of applications. This is something we found we could do that would be of value to a broad range of CSC customers. Again, that's based on our own self-awareness of what those customers need in our history.

Remember, our company has been doing independent IT and software work since 1959. One of the things we've learned over 54 years is that there is a wide variety of things that organizations do in terms of making their software really useful, and there is a wide variety in the attention they pay to testing that software from the perspective of security.

We are trying to raise the bar globally to one, high, common level of application security testing. So that’s a way that we are working with it. That’s what the Fortify tool will help us do.

Gardner: Dean Weber, to Sam’s point about the amount of data required to track, understand, and follow, do you consider this a big-data function? We hear, of course, a lot about that in the marketplace these days. How important would general-data and/or big-data capabilities be in a good secure organization? Are they hand in hand?

Weber: They are absolutely hand in hand. As we generate more data across our grids, both sensor data and event data, and as we combine our information technology networks with our operational technology networks, we have an exploding data problem. No longer is it finding a needle in a haystack. It’s finding a needle amongst needles in a haystack.

Big-data problem

The problem is absolutely a big-data problem. Choosing technologies like ArcSight that allow us to pinpoint technology aberrations from a log, alert, or an event perspective, as well as from a historical trending perspective, is absolutely critical to trying to stay ahead of the problem. At the end of the day, it’s all about identity, access, and usage data. That's where we find the indicators of these advanced threats.

As the trade craft of our opponents gets better, as Sam likes to put it, we have to respond, and it’s not easy to respond at that level. One of the reasons that Fortify is going to become one of the cornerstones of our offering is because as we get better at securing infrastructure using the technologies we've already talked about, the next low-hanging fruit is the application vulnerabilities themselves.

Recently, Android announced that they have a vulnerability in their crypto product. There are 900 million Android products that are affected by that. While Google has released a patch for that particular crypto vulnerability, all the rest of the vendors who use an Android platform are still struggling with how to patch, when to patch, where to patch, how do they know they patched.

Visner: And who is responsible for the patch?

Weber: And who is responsible for the patch, absolutely true.

Gardner: That brings us to this. When you talk about responsibility and tracking, who is doing what and how it’s getting done? We started to talk about key performance indicators (KPIs). How much of a shift have you had to go about there at CSC to put in place the ability to track metrics of success and KPIs? How do you measure and gauge these efforts?

Visner: I'm going to ask Dean to clean up on my answer, but a lot of people are paying attention to global threat intelligence and threat attribution. That’s really important, but I think what’s even more important is not knowing where the threat came from, or what the motivations are. That’s useful to know, because it can help characterize other aspects of the threat and what you can expect the threat actor to do, not just in terms of one piece of malware, but an integrated approach.

The other piece of this is understanding yourself. That is to say it’s not enough to know that I have patched my desktop. It’s not enough to know that I have got good governance, risk, and compliance (GRC) enterprise-wide password maintenance and password reset.

I have to know everything about my enterprise today, all the way down to the industrial control systems on the shop floor, the supervisory control and data acquisition systems that coordinate my enterprise, the enterprise databases and applications that I use for global transactions, as well as individual desktops and smartphones.

What we're really talking about is a level of awareness that people are not used to having. They're really not. People don’t worry about what goes on beyond their own computer. Even CIOs haven’t really worried about the cybersecurity of computers that are embedded in manufacturing systems or control systems. Now, I think they have to be.

Swinging back to the awareness question, this is required of us and of any other enterprise to go beyond the status of an individual device to treat the status of the entire enterprise as important corporate knowledge. That's important corporate knowledge.

Holistic global view

Think of it this way, this is an organization that needs to know globally what its credit worthiness is, where its lines of credit are, and how it’s using those lines of credit and its cash instruments globally to manage its cash flow. That’s important corporate knowledge, and it has to be dealt with on a holistic global view. Otherwise it’s worthless.

The same thing is true with cybersecurity, knowing what the effect is. Cybersecurity of a specific server is interesting, but it's actually not nearly as useful as knowing the state of cybersecurity throughout your entire enterprise. That's global corporate knowledge and that's the difference between a piece of information which is interesting and corporate knowledge which is vital, important, and very valuable.

We have to treat the state of cybersecurity in an organization with the same seriousness, and consider it to be the same level of resource and asset, as the global cash flow of a global organization. It's the same thing.

Gardner: Dean Weber, the opportunity to bring big-data capabilities to bear on this problem is one thing that we've addressed, but there is also the operations and organizational side of having reports, delivering reports, measuring those reports, and being able to act on it.

What have you done there to allow for a KPI-oriented or a results-oriented organizational approach that leverages of course all the data?

Weber: You've just touched on the value proposition for a global managed security services provider (MSSP) in the fact that we have data sources that span the planet. While CSC as a 90-plus thousand person organization is considered a large scale organization, it pales in comparison to the combined total of CSC's customer base.

Being able to combine intelligence and operational knowledge from multiple enterprises spanning multiple countries and geographic regions with differing risk postures and business models, sometimes even with differing technologies employed in those models, gives us a real opportunity to see what the global threat looks like.

From the distribution of that threat perspective our ability to, within the laws appropriate across the globe and auditable against those laws, share that threat intelligence without rushing up against or breaking those laws is very important to an organization. This ultimately keys to the development of the value proposition of why do business with the global MSSP in the first place.

Gardner: It was interesting to me when Sam said that there's no difference between understanding your financial situation and your security posture. Is there some opportunity for security and cybersecurity to be a driver for even better business practices?

Now, you might start employing these technologies and putting in place these operational capabilities because of an existential threat to your security, but in doing so, it seems to me that you're becoming a far better organization along the way. Have any customers, or have you yourself, been able to demonstrate that taking the opportunity to improve your cyber posture also improves your business posture?

Not well managed

Weber: That's becoming evident. Not everybody gets it yet, but more and more people do. The general proposition is that an organization that doesn't understand, for example, its financial position is not well-managed and isn't a good investment. It probably can't mobilize its resources to support its customers.

It isn't in a position to bring new products to market and probably can't support those products. Or it might find that those product lines are stolen, manufactured at a lower standard by somebody else, and not properly supported, so that the customer suffers, the company suffers, and everybody but the cyber thief suffers.

A financial organization that can't take care of their own financial position can't serve their customers, just as an organization that doesn't understand its cybersecurity posture can't preserve value for shareholders and deliver value for its customers.

Gardner: Dean, looking at this same benefit, where what you do for cybersecurity extends to other business benefits, is there a return on investment (ROI) impact where you could measure the investments made for extensive security but then leverage those capabilities in other ways that offset the price? Has that been the case for you, or are you aware of anyone that's done the bean counting in such a fashion?

Weber: There absolutely is an ROI in security. In fact, there is actually a concept of return on security investment (ROSI), but I would say generally that most people don't really understand what those calculations mean.

Where the rubber hits the road is more along the lines of keeping the CEO and the CFO out of jail when they have to sign off on things like Sarbanes–Oxley. Or the fact that you don't have to make an SEC filing as a result of financial-systems breach that impacts your ability to keep revenues that you may have already attained.

The real return on investment is less measured in savings than it is in -- as Sam likes to say -- keeping us off the front page of "The Wall Street Journal" above the fold, because the real impact to these things traditionally is not in the court of law, but in the court of public opinion.

They tend to look at organizations that can't manage themselves well and end up in the news at not managing themselves well, less favorably than they do for companies that do manage their operations well.

Visner: What is a pound of cybersecurity worth? I'll put it to you this way. What is a pound of stolen intellectual property worth? That intellectual property means that somebody else is stealing patient data, manufacturing your products, or undermining your power grid.

One way of thinking is that it's not the value of the cybersecurity so much, but the diminished value of the assets that you would lose that you could no longer protect.

Measuring ROI

That’s as good a place as any to measure that ROI. If you do measure that ROI, the question is not how much are you spending on cybersecurity. The question is what would you lose if you didn’t make that spend. That’s where you see the positive return on investment for cybersecurity, because for any organization, the spend on cybersecurity is almost insignificant compared to the value that would be lost if you didn’t make that spend.

When you think about what it cost to bring to market a product, a new pharmaceutical, a new aircraft design, a new jet engine, and what happens if somebody gets there first or undermines your intellectual property, the value of that intellectual property towards what people are prepared to spend and protect is worth it.

Gardner: As we take the lessons internally, can you offer some recommendations for how others could proceed? Are there any aspects of what you've done with HP internally at CSC that maybe provide some stepping stones? What would you recommend in terms of first steps, initial steps, or lessons learned that others might benefit from in terms of what you've done?

Visner: The real question is not what we've done internally, but the internal process we used, for example, in deciding to work with a specific strategic partner. We recognized early on that this is not a one company problem.

This is a problem where we are dealing with weapons-grade threats from nation-states. This is a problem where we are dealing with weapons-grade threats from organized criminals who have vast resources at their disposal. This is a problem of intellect, and therefore, no one organization is going to have sufficient intellect to be able to deal with this problem globally.

As a company, CSC tends to seek out partners to whom we can couple our intellect and get a synergistic result. In this case, the process of making that relationship real when it flows through defining our portfolio, defining the services that comprise the portfolio, managing the development of those services through our offering lifecycle management process, and then choosing companies whose technology provides the needed strength for each one of those offerings, each one of the elements of that portfolio.

In this case, that process serves us well, because we're going to need a wide range of technology. Nobody is in a position to confront this problem on their own -- absolutely nobody. Everybody needs partners here. But the question is whom?

We have people show up on our doorstep with ideas and technologies and products every day. But the real issue is, what is a good organizing principle? That organizing principle has two components. One, you need a wide range of capabilities, and two, you need to choose from among the wide range of technologies you need for that wide range of capabilities. You need a process that’s disciplined and well-ordered.

Believe me, we have people show up and ask why it takes so long, why it's such an elaborated process, and can't you see that our product is absolutely the right one.

The answer is that it's like a single hero going out onto the battlefield. They may be a very effective fighter, but they're not going to be able to master the entirety of the battlefield. That can't be done. They're going to need partners. They're going to need mates in the field. They're going to need to be working alongside other people they trust.

Strategic partner

So in working with HP and the ArcSight tool as our security information and management player of our global logical SOC, our global logical managed cybersecurity service, and in working with HP Fortify we chose a partner we thought -- and we think correctly -- is a strong long-term strategic partner.

It's somebody with whom we can work. HP recognizes that we do. They're not going to solve this problem on their own. What one company is going to solve a problem on their own when they are up against the global environment of nation-state and trade actors? We all need these partnerships.

Our company is unique in that we've always looked to our partner relations for key technologies to enable offerings in our portfolio.

We've always believed that you go to market and you serve your customers with strategic partners, because we've always believed that every problem that had to be solved would require not only our abilities as an integrator, but the abilities of our partners to help in the development of some of this technology. That’s what makes the most sense.

For a company like CSC that is largely technology-independent, it gives us access to a wide range of technology partners. But as a company, we're smart about the partners that we choose because of the technologies that we have. Although there's a wide range of potential partners, we work with companies that we think are going to be long-term strategic partners against high-value problems and challenges -- in this case HP and cybersecurity respectively.

Gardner: Last word to you, Dean. Just based on your experiences, as the Chief Technical Officer increasing and improving your security posture, are there any lessons learned that you could share for others that are seeking the same path?

Weber: I'll leave you with two thoughts. One is again the value proposition of doing business with a global business MSSP. We do have those processes and processes in our background where we are trying to bring the best price-performance products to market.

There may be higher-priced solutions that are fit for purpose in a very small scale, or there may be some very low-price solutions which are fit for purpose in a very large scale, but don't solve for the top-end problems. The juggling act that we do internally is something that the customer doesn't have to do, whether that’s the CSC internal account or any of our outside paying customers.

The second thing is the rigor with which we apply the evaluation process through an offering lifecycle or product lifecycle management program is really part and parcel of the strength of our ability to bring the correct product to market in the correct timeframe and with the right amount of background to deliver that at a level of maturity that an organization can consume well.

Gardner: Well, great. I'm afraid we'll have to leave it there. We've been exploring how IT leaders are improving security and reducing risks as they adapt to the new and often harsh realities of doing business online and we've been learning through the example of CSC itself.

I’d like to offer a huge thanks to our guests. We've been here with Dean Weber, Chief Technology Officer for CSC Global Cybersecurity. Thank you, Dean.

Weber: Thank you.

Gardner: And also Sam Visner, Vice President and General Manager for CSC Global Cybersecurity. Thank you so much, Sam.

Visner: It's been a pleasure. Thank you for having us.

Gardner: And you can gain more insights and information on the best of IT performance management at www.hp.com/go/discoverperformance. And you can always access this and other episodes of our HP Discover Performance podcast series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people’s lives. Thanks again for listening, and come back next time.


Transcript of a BriefingsDirect podcast on the growing need for cybersecurity as an important organizational goal for businesses and government agencies. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


    Thursday, July 11, 2013

    Defining the New State for Comprehensive Enterprise Security Using CSC Services and HP Security Technology

    Transcript of a BriefingsDirect podcast on the growing menace of cybercrime and what companies need to do to protect their intellectual property and their business.

    Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

    Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

    Gardner
    Once again, we're focusing on how IT leaders are improving security and reducing risks as they adapt to new and often harsh realities of doing business online. I am now joined by our co-host for this sponsored podcast series, Paul Muller, Chief Software Evangelist at HP Software. Welcome back, Paul. How are you?

    Paul Muller: I'm great, Dana. Thanks for having me back. It's good to be back, and I'm looking forward to a great conversation.

    Gardner: We do have a fascinating discussion today. We’re going to be learning how HP’s Strategic Partner and IT services and professional services global powerhouse CSC is helping its clients to better understand and adapt to the current cybersecurity landscape. Let's welcome our guests, Dean Weber, Chief Technology Officer, CSC Global Cybersecurity. Welcome, Dean.

    Dean Weber: Hi, Dana. Happy to be here.

    Gardner: Great to have you. And we’re also joined by Sam Visner, Vice President and General Manager, CSC Global Cybersecurity. Welcome.

    Sam Visner: Thank you, and thanks for having us. We’re very grateful. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

    Gardner: This is obviously a hot topic. Now, we can sit here and gnash our teeth, and people can head to the hills, but I don't think that's going to do any good. Let's start with you, Dean. What is the scale of the threat here? Are we only just catching up in terms of the public perception of the reality? How different is the reality from the public perception?

    Weber: The difference is night and day. The reality is that we are under attack, and have been for quite some time. We are, as Sam likes to put it, facing a weapons-grade threat.

    Gardner: Is there something that people are missing in terms of understanding the threat, not just in the severity, but perhaps something else?

    Visner: When I think about the threat, I think about several things happening at once. The first thing is that we’re asking IT, on which we depend, to do more. It's not just emails, collaboration, documents, and spreadsheets. It isn’t even just enterprise systems.

    IT for manufacturing

    It extends all the way down to the IT that we use for manufacturing, to control power plants, pipelines, airplanes, centrifuges, and medical devices. So, the first thing is that we’re asking IT to do more, and therefore there's more to defend. Secondly, the stakes are higher. It's not just up to us.

    Government has said that the cybersecurity of the private sector is of public concern. If you're a regulated public utility for power, water, healthcare, finance, or transportation, your cybersecurity is an issue of public interest. So, this isn’t just the public cybersecurity, it's the cybersecurity of the private sector, which is in the public interest.

    Third is the point that Dean made, and I want to elaborate on it. The threat is very different.

    Today, intellectual property, whether or not it's possessed by the public sector or the private sector, if it's valuable, if it's worth something. It's worth something to a bad guy who wants to steal it. And if you have critical infrastructure that you’re trying to manage, and a bad guy may want to disrupt it, because their government may want to be able to exercise power.

    And the threats are different. The threats are not just technically sophisticated. That's something a hacker, a teenager, can do. In addition to being technically sophisticated, they’re operationally sophisticated.

    That means this is foreign governments, or in some cases, foreign intelligence services that have the resources and the patience to study a target, a company, or a government agency over a long period of time, use social networking to figure out who has administrative privileges inside of that organization, and use that social networking to identify people whom they may want to subvert and who may help them in introducing malware.

    Then, once they have decided what information they want, who safeguards it, they use their technical sophistication to follow up on it to exploit their operational knowledge. This is what differentiates a group of hackers, who may be technically very bright, from an actual nation-state government that has the resources, the discipline, the time, and the patience to stick with the target and to exploit it over a long, long period of time.

    So, when we use the term "weapons grade," what we mean is a cyber threat that's hard to detect, that's been wielded by a foreign government, a foreign armed force, or a foreign intelligence service -- the way a foreign government wields a weapon. That's what we’re really facing today in the way of cybersecurity threats.

    Muller: You asked if the headlines are simply reflecting what has always been going on, and I think the answer is, yes. Definitely, there is an increased willingness of organizations to share the fact that they have been breached and to share what some of those vulnerabilities have been.

    That's actually a healthy thing for society as a whole, rather than pretending that nothing is going on. Reporting the broken window is good for everybody. But, the reality is the sophistication and the scale of attacks as we have just heard, have gone up and have gone up quite measurably.

    Cost of cybercrime

    Every year we conduct a Cost of Cyber Crime Study with the Ponemon Institute. If we look just at the numbers between 2010 and 2012, from the most recent study in October, the cost impact of cyber crime has gone up 50 percent over that period of time. The number of successful attacks has gone up by two times. And the time to resolve an attack has almost doubled as well. So it has become more expensive, greater in scale, and it's becoming more difficult to solve.

    Gardner: What strikes me as being quite different from the past, too, is when businesses encountered risks, even collective risks, they often had a law enforcement or other regulatory agency that would come to their rescue.

    But, in reading the most recent The New Yorker, the May 20 issue, in an article titled Network Insecurity by John Seabrook, Richard McFeely, the Executive Assistant Director of the F.B.I., says quite straightforwardly, "We simply don't have the resources to monitor the mammoth quantity of intrusions that are going on out there."

    So, enterprises, corporations, governments even can't really wait for the cavalry to come riding in. We’re sort of left to our own devices, or have I got that a little off-base, Dean?

    Weber: The government can provide support in talking about threats and providing information about best practices, but overall, the private sector has a responsibility to manage its own infrastructures. The private sector may have to manage those infrastructures consistent with the public interest. That's what regulation means.

    But the government is not going to provide cybersecurity for power companies’ power grid or for pharmaceutical companies’ research program. It can insist that there be good cybersecurity, but those organizations have always had to manage their own infrastructures.

    Today, however, the threat to those infrastructures and the stakes of losing control of those infrastructures are much higher than they have ever been. That's what's amplified now.

    There is also a tradeoff that can be done there in terms of how the government shares its threat intelligence. Today, threat intelligence shared at the highest levels generally requires a very, very high level of security, and that puts it out of reach of some organizations to be able to effectively utilize, even if they were so desirous.

    So as we migrate ourselves into dealing with this enhanced threat environment, we need to also deal with the issues of enhancing the threat intelligence that we use as the basis of decision.

    Gardner: Well, we've defined the fact that the means are there and that the incidences are increasing in scale, complexity, and severity. There is profit motive, the state secrets, and intellectual-property motives. Given all of that, what's wrong with the old methods?

    Current threat

    Weber: Against the current state-of-the-art threat, our ability to detect them, as they are coming in or while they are in has almost diminished to the point of non-existence. If we're catching them at all, we're catching them on the way out.

    We've got to change the paradigm here. We've got to get better at threat intelligence. We've got to get better at event correlation. We've got to get better at the business of cybersecurity. And it has to be a public-private partnership that actually gets us there, because the public has an interest in the private infrastructure to operate its countries. That’s not just US; that’s global.

    Visner: Let me add a point to that that’s germane to the relationship between CSC and HP Software. It's no longer an issue of finding a magic bullet. If I could just keep my antivirus fully updated, I would have the best signatures and I would be protected from the threat. Or if my firewall were adequately updated, I would be well protected.

    Today, the threat is changing and the IT environment that we're trying to protect is changing. The threat, in many cases, doesn’t have a known signature and is being crafted by nation-states not to have it. Organizations ought to think twice about trying to do these themselves.

    Our approach is to use a managed cybersecurity service that uses an infrastructure, a set of security operation centers, and an architecture of tools. That’s the approach we're using. What we're doing with HP Software is using some key pieces of HP Software technology to act as the glue that assembles the cybersecurity information management architecture that we use to manage the cybersecurity for Global 1000 companies and for key government agencies.

    Our security operations centers have a set of tools, some of which we've developed, and some of which we've sourced from partners, bound together with HP’s ArcSight Security Information and Event Management System. This allows us to add new tools, as we need to retire old tools, when they are no longer useful.

    They do a better job of threat correlation and analysis, so that we can help organizations manage that cybersecurity in a dynamic environment, rather than leave them to the game of playing Whac-A-Mole. I've got a new threat. Let me add a new tool. Oh, I've got another new threat. Let me add another new tool. That's opposed to managing the total environment with total visibility.

    So that managed cybersecurity approach is the approach that we're using, and the role of HP Software here is to provide a key technology that is the sort of binder, that is the backbone for much of that architecture that allows us to manage organically, as opposed to a piece at a time.

    Customers, who try to manage a piece at a time, invariably get into trouble, because they can't do it. They're always playing catch up with the latest threat and they are always at least one or two steps behind that threat by trying to figure out what is the latest band-aid to stick over the wound.

    Increased sophistication

    Muller: Sam makes a great point here, Dana. The sophistication of the adversary has risen, especially if you're in that awkward position -- you're big enough to be interesting to an attacker, especially when it’s motivated by money, but you are not large enough to have access to up-to-date threat information from some of the intelligence agencies of your national government.

    You're not large enough to be able to afford the sort of sophisticated resources who are able to dedicate the time taken to build and maintain honey pots to understand and hang out in all of the deep dark corners of the internet that nobody wants to go to.

    Those sorts of things are the types of behaviors you need to exhibit to stay ahead of, or at least not get behind, that threat landscape. By working with an organization that has that sort of capacity by opting for a managed service, you're able to tap into a skill set that’s deeper and broader and that often has an international or global outlook, which is particularly important. When the threat is distributed around the planet, your ability to respond to that needs to be distributed likewise.

    Gardner: So I'm hearing two things. One that this is a team sport. I'm also hearing that this is a function of better analytics -- of really knowing your systems, knowing your organization, monitoring in real time, and then being able to exploit that. Maybe we could drill down on those. This new end-state of a managed holistic security approach, let's talk about it being a team sport and a function of better analytics. Sam?

    Visner: There's no question about it. It is a team sport. Fortunately, in the United States and in a few other countries, people recognize that it's a team sport. More and more, the government has said that the cybersecurity of the private sector is an issue of public interest, either to regulation, standards regulation, or policy.

    More and more in the private sector, people have realized that they need threat information from the government, but they are also accruing threat information they need to share with the government and proliferate around their industries.

    That has happened, and you can see coming out of the original Comprehensive National Cybersecurity Initiative of 2006-2007, all the way to the current recent executive order from the President of the United States, that this is a team sport. There is no question about that.

    At the same time, a lot of companies are now developing tools that have APIs, programming interfaces that allow them to work together. Tools like ArcSight provide an environment that allows you to integrate a lot of different tools.

    What's really changing is that global companies like CSC have become a global cybersecurity provider based on the idea that we will do this as a partner. We're not going to just sell a tool to a customer. We're going to be their partner to manage this environment.

    More and more, they have the discussion underway about improved information sharing from the government to the private sector, based on intelligence information that might be provided to the private sector, and the private sector being provided with more protected means to share information relating to incidents, events, and investigations with the public sector.

    Team sport

    At the same time, enterprises themselves know that this has to be a team sport within an enterprise. It used to be that the email system was discrete, or your SAP system was discrete, inside of an enterprise. That might have been 10 years ago. But today, these things are part of a common enterprise and tomorrow they're going to be part of a common enterprise, where these things are provided as a service.

    And the day after that, they'll be provided as a common enterprise with these things as a service on a common infrastructure that we call a cloud. And the day after that, that cloud will extend all the way down to the manufacturing systems on the shop floor, or the SCADA systems that control a railway, a pipeline, or the industrial control systems that control a medical device or an elevator, all the way out to 3D manufacturing.

    The entire enterprise has to work together. The enterprise has to work together with its cybersecurity partner. The cybersecurity partner and the enterprise have to work together with the public sector and with regulatory and policy authorities. Governments increasingly have to work together to build a secured international ecosystem, because there are bad actors out there who don’t regard the theft of intellectual property as cyber crime.

    Now fortunately, people get this increasingly and we're working together. That’s why we're finding partners who do the managed cybersecurity, and finding partners who can provide key pieces of technology. CSC and HP are an example of two companies working together in differentiated roles, but for a common and desirable outcome.

    Three-step process

    Weber: So let me think about how we chop this up, Dana. It’s a three-step process. The first is see, understand, and act -- at the risk of trivializing the complexity of approaching the problem. Seeing, as Sam has already pointed out, is to just try to get visibility of intent to attack, attacks in progress, or worst case, attacks that have taken place, attacks in progress, and finally, how we manage the exfiltration process.

    Understanding is all about trying to unpack the difference between "bragging rights attacks," what I call high-intensity but low-grade attacks in terms of cyber threat. This is stuff that’s being done to deface the corporate website. Don’t get me wrong, it’s important, but in this scheme of things, it’s a distraction from some of the other activities that are taking place. Also, understanding is in terms of shifting or changing your compliance posture for some sort of further action.

    Then, the last part is acting. It’s not good enough simply to understand what’s going on, but it’s shutting down attacks in progress. It’s being able to take proactive steps to address breaches that may exist and particularly to address breaches in the underlying software.

    We have always been worried about protecting the perimeter of our organization through the technologies, but continue to ignore one of the great issues out there, which is that software itself, in many cases, is inherently insecure. People are not scanning for, identifying, and addressing those issues in source code and binary vulnerability.

    Gardner: Well, it certainly sounds to me as if we're going after this new posture with added urgency because of cybersecurity, but it dovetails with a lot of what companies should have been doing for a lot of reasons. That is to get to know yourself better, know your systems better, putting in diagnostics and monitoring capabilities, and elevating those to a more centralized approach for management and reporting.

    Cybersecurity is a catalyst, but these are going to make companies more healthy. These are investments that will pay back dividends in many ways, in addition to helping you mitigate risk. Any thought about why this is just good business, not just good cyber-security prevention? Sam.

    Visner: Security is a journey. Paul was saying that organizations have to stay up with it. They can’t just rest on their laurels regarding their defenses. They have to continually evolve with the threat and to do that means that, as we get better at one level of security, another level of security becomes the low hanging fruit. As we get better at infrastructure security, application security becomes more of an issue.

    And organizations aren’t doing the appropriate level of source code and binary scanning. They aren’t doing the ad hoc or interval scanning that is necessary to make sure that their applications not only were developed correctly, but they were also deployed correctly, and remain correctly deployed throughout their lifecycle.

    Again, this is where integration of the technologies that are available to us today and that has never been done before is important for organizations to consume. With that being said, this is a huge undertaking, to be able to include your application code scanning in with your security event and information management is a difficult prospect. But it's one that CSC and HP have collectively decided to take up.

    Muller: Having terrified everybody, shall we talk about next steps?

    Gardner: We're coming up a bit on the end of our time. Before we sign out, I'd like to try to do just that. What are some of the two or three major pillars that organizations should start to inculcate as a culture, as a priority, given how pervasive these issues are, how existential they are, for so many companies and organizations? What do you have to do in terms of thinking differently in order to start really positioning yourself to be proactive and aggressive in this regard? Let's go down our list of speakers. Let's start with you, Sam.

    Visner: The first thing is that you’ve got to make an adequate assessment of the kind of organization you are. The role information and information technology plays in your organization, what we use the information for, and what information is most valuable. Or conversely, what would cause you the great difficulty, if you were to either lose control of that information or confidence in its integrity.

    That has to be done not just for one piece of an enterprise, but for all pieces of the enterprise. By the way, there is a tremendous benefit, because you can re-visualize your enterprise. You can sort of business-process reengineer your enterprise, if you know on what information you rely, what information is most valuable, what information, if it was to be damaged, would cause you the most difficulty.

    That’s the first thing I would do. The second thing is, since as-a-service is the way organizations buy things today and the way organizations provide things today, consider taking a look at cybersecurity as a service.

    Rather than trying to manage it yourself, get a confident managed cyber-security services provider, which is our business at CSC, to do this work and be sure that they are equipped with the right tools and technologies, such as ArcSight Security Information and Event Management and other key technologies that we are sourcing from HP Software.

    Third, if you're not willing to have somebody else manage it for you, get a managed cybersecurity services provider to build up your own internal cybersecurity management capabilities, so that you are your own managed cybersecurity services provider.

    Next, be sure you understand, if you are part of critical infrastructure -- and there are some 23 critical infrastructure sectors -- what it is that you are required to do, what standards the government believes are pertinent to your business.

    What information you should have shared with you, what information you are obligated to share, what regulations are relevant to your business, and be sure you understand that those are things that you want to do.

    Strategic investment

    Next, rather than trying to play Whac-A-Mole, having made these decisions, determine that you're going to make a strategic investment and not think of security as being added on and what's the least you need to do, but realize that cybersecurity is as organic to your value proposition as R&D is. It's as organic to your value proposition as electricity is. It's as organic to your value proposition as the good people who do the work. It's not once the least you need to do, but what are the things that contribute value.

    Cybersecurity doesn’t just protect value, but in many cases, it can be a discriminator that enhances the value of your business, particularly if your business either relies on information, or information is your principal product, as it is today for many businesses in a knowledge economy. Those are things that you can do.

    Lastly, you can get comfortable with the fact that this is a septic environment. There will always be risks. There will always be malware. Your job is not to eliminate it. Your job is to function confidently in the midst of it. You can, in fact, get to the point, both intellectually and emotionally, where that’s a possibility.

    The fact that you can have an accident doesn’t deter us from driving. The fact that you can have a cold doesn’t deter us from going out to dinner or sending our kids to school.

    What it does is make sure that we're vaccinated, that we drive well, that we are competent in our dealings with the rest of the society, and that we're prudent, but not frightened. Acting as if we are prudent, but not frightened, is a step we need to take.
    Our brand name is CSC Global Cybersecurity. The term we use is Cyber Confidence. We're not going to make you threat proof, but we will make you competent and confident enough to be able to operate in the presence of these threats, because they are the new norms. Those are the things you can do.

    Gardner: Dean, quickly, a number of things from your perspective that are top-of-line thoughts, and perceptions, ideas that people should consider as they move to this new posture?

    Weber: In addition to what Sam talked about, I'm a huge fan of data classification. Knowing what to protect gives you the opportunity to decide how much protection is necessary by whatever data classification that is.

    Whether that’s a risk management framework like FISMA, or it’s a risk management framework like the IL Series Controls of the UK Government or similar in Australia, these are risk management frameworks. They are deterministic about the appropriate level of security. Is this public information, in which case all you have to do is worry about whether it’s damaged and how to recover if and when it is? Or is this critical? Is this injurious to life, limb, or the pursuit of profits? And if it is, then you need to apply all the protections that you can to it.

    And last but not least, again, as I pointed out earlier, our ability to detect every intrusion is almost nil today. The state of the threat is so far advanced. Basically, they can get in when they want to, where they want to.

    They can be in for a very long period of time without detection. I would encourage organizations to beef up their perimeter controls for egress filtering and enclaving, so that they have the ability to manage the data that is being actually traded out of their networks.

    Cultural shift

    Gardner: Paul Muller, last word to you, top-of-line thoughts, cultural shift: what is the new rethinking that needs to take place to get to this new posture?

    Muller: There has been so much great content today that summarizing the action is going to be challenging. Sam made a point. It’s important to be alert, but not alarmed. Do not let security send you into a sense of panic and inaction. Don’t hire an organization to help you write security policy that then just sits on the shelf. A policy is not going to give you security. It’s certainly not going to stop any of the bad guys from exfiltrating any of that information that you have.

    I'll say a couple of things. First, it’s not like buying an alarm and locks for your organization. Before, physical security was kind of a process you went through, where you started, it had a start and middle and an end. This is an ongoing process of continually identifying incoming threats and activities from an adversary that is monetized and has a lot to gain from their success.

    It’s an ongoing process. As a result, as we said earlier today, security is a team sport. Find a friend who does it really well and is prepared to invest in an ongoing manner to make sure that they're able to stay here.

    I'd concur with Dean's point as well. Ultimately, it's about the exfiltrating of your data. Put in place processes that help you understand the information that is leaving your organization and take steps to mitigate that as quickly as possible. Those are my highest priorities.

    I'd also add that if you're having trouble identifying some of the benefits for your organization, and even having trouble trying to get a threat assessment prioritized in your organization, have a look at the Cost of Cyber Crime Study that we've conducted across the globe: the United Kingdom, Germany, Australia, Japan, and of course the US. This was the third in the series, and now we do it annually. You can go to hpenterprisesecurity.com and get a copy of that report and hopefully shift a few of the, maybe, more intransigent people in your organization to action.

    Gardner: Well, I'm afraid we will have to leave it there. We've been learning how HP’s strategic partner and IT services and professional services global powerhouse CSC is helping its clients to better understand and adapt to the current cybersecurity landscape.

    I'd like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Paul Muller and others through their blog, tweets, and their Discover Performance Group on LinkedIn, and I'd also like to thank our co-host Paul Muller.

    Muller: Always a pleasure.

    Gardner: And also huge thanks to our special guests, Dean Weber, the Chief Technology Officer for CSC Global Cybersecurity. Thank you, Dean.

    Weber: Thank you.

    Gardner: And also Sam Visner, the Vice President and General Manager there at CSC Global Cybersecurity. Thanks so much, sir.

    Visner: Thank you, it's been a pleasure.

    Gardner: And a last thank you to our audience for joining this special HP Discover Performance Podcast. You can learn more about the best of IT performance management at www.hp.com/go/discoverperformance and you can always access this and other episodes of our HP Discover Performance Series on iTunes under BriefingsDirect.

    This is Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives. Thanks again for listening, and come back next time.


    Transcript of a BriefingsDirect podcast on the growing menace of cybercrime and what companies need to do to protect their intellectual property and their business. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

    You may also be interested in:

    Friday, July 13, 2012

    The Open Group Trusted Technology Forum is Leading the Way to Securing Global IT Supply Chains

    Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make IT supply chains secure, verified, and trusted.

    Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

    Register for The Open Group Conference
    July 16-18 in Washington, D.C. Watch the live stream.

    Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with the Open Group Conference this month in Washington, D.C. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout these discussions.

    The conference focuses on enterprise architecture (EA), enterprise transformation, and securing global supply chains. We're here now to focus on the latest effort to make global supply chains for technology providers more secure, verified, and therefore trusted. We'll examine the advancement of The Open Group Trusted Technology Forum (OTTF), which was established in late 2010.

    We’ve assembled a panel of experts, including some of the major speakers at The Open Group Conference, to provide an update on the achievements at OTTF, and to learn more about how technology suppliers and buyers can expect to benefit. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

    Please join me now in welcoming our panel. We're here with Dave Lounsbury, Chief Technical Officer at The Open Group. Welcome, Dave.

    Dave Lounsbury: Hello, Dana.

    Gardner: We're also here with Dan Reddy, Senior Consultant Product Manager in the Product Security Office at EMC Corp. Welcome, Dan.

    Dan Reddy: Hi, Dana.

    Gardner: We're also joined by Andras Szakal, Vice President and Chief Technology Officer at IBM's U.S. Federal Group, and also the Chair of the OTTF. He also leads the development of The Open Trusted Technology Provider Standard. Welcome back, Andras.

    Andras Szakal: Thank you very much, Dana.

    Gardner: And lastly, we're here with Edna Conway, Chief Security Strategist for Global Supply Chain at Cisco. Welcome, Edna.

    Edna Conway: Delighted to be here, Dana.

    Gardner: Dave Lounsbury, first to you. OTTF was created about 18 months ago, but I suspect that the urgency for these types of supply chain trust measures has only grown. We’ve seen some congressional testimony and we’ve seen some developments in the market that make this a bit more pressing.

    Why is this an important issue, and why is there a sense of urgency in the markets?

    Boundaryless information

    Lounsbury: You framed it very nicely at the beginning, Dana. The Open Group has a vision of boundaryless information flow, and that necessarily involves interoperability. But interoperability doesn't have the effect that you want, unless you can also trust the information that you're getting, as it flows through the system.

    Therefore, it’s necessary that you be able to trust all of the links in the chain that you use to deliver your information. One thing that everybody who watches the news would acknowledge is that the threat landscape has changed. As systems become more and more interoperable, we get more and more attacks on the system.

    As the value that flows through the system increases, there’s a lot more interest in cyber crime. Unfortunately, in our world, there's now the issue of state-sponsored incursions in cyberspace, whether officially state-sponsored or not, but politically motivated ones certainly.

    So there is an increasing awareness on the part of government and industry that we must protect the supply chain, both through increasing technical security measures, which are handled in lots of places, and in making sure that the vendors and consumers of components in the supply chain are using proper methodologies to make sure that there are no vulnerabilities in their components.

    I'm sure that Andras, Edna, and Dan will give us a lot more detail on what those vulnerabilities are, but from an Open Group perspective, I'll note that the demand we're hearing is increasingly for work on standards in security, whether it's the technical security aspects or these global supply-chain aspects. That’s top of everybody's mind these days.

    Gardner: Let’s go through our panel and try to get a bit more detail about what it is that we are trying to solve or prevent. Dan Reddy, what do you view as some of the critical issues that need to be addressed, and why was the OTTF created in the first place?

    Reddy: One of the things that we're addressing, Dana, is the supply chain item that was part of the Comprehensive National Cybersecurity Initiative (CNCI), which spans the work of two presidents. Initiative 11 was to develop a multi-pronged approach to global supply chain risk management. That really started the conversation, especially in the federal government as to how private industry and government should work together to address the risks there.

    In the OTTF, we've tried to create a clear, measurable way to address supply-chain risk. It’s been really hard to even talk about supply chain risk, because you have to start with getting a common agreement about what the supply chain is, and then talk about how to deal with risk by following best practices.

    Gardner: Andras, the same question. It seems like a vexing issue. How can one possibly develop the ability to verify deep into the supply chains, in many cases coming across international boundaries, and then bring into some play a standard to allow this to continue with a sense of security and trust? It sounds pretty daunting.

    Szakal: In many ways, it is. One of the observations that I've made over the last couple of years is that this group of individuals, who are now part of this standards forum, have grown in their ability to collaborate, define, and rise to the challenges, and work together to solve the problem.

    Standards process

    Technology supply chain security and integrity are not necessarily a set of requirements or an initiative that has been taken on by the standards committee or standards groups up to this point. The people who are participating in this aren't your traditional IT standards gurus. They had to learn the standards process. They had to understand how to approach the standardization of best practices, which is how we approach solving this problem.

    It’s sharing information. It’s opening up across the industry to share best practices on how to secure the supply chain and how to ensure its overall integrity. Our goal has been to develop a framework of best practices and then ultimately take those codified best practices and instantiate them into a standard, which we can then assess providers against. It’s a big effort, but I think we’re making tremendous progress.

    Gardner: Because The Open Group Conference is taking place in Washington, D.C., what’s the current perception in the U.S. Government about this in terms of its role? Is this a "stand by and watch?" Is this "get involved?" Is there the thought of adding some teeth to this at some point that the government can display in terms of effective roles?

    Szakal: Well, the whole forum arose out of the work that Dan just discussed with the CNCI. The government has always taken a prominent role, at least to help focus the attention of the industry.

    Now that they’ve corralled the industry and they’ve got us moving in the right direction, in many ways, we’ve fought through many of the intricate complex technology supply chain issues and we’re ahead of some of the thinking of folks outside of this group because the industry lives these challenges and understands the state of the art. Some of the best minds in the industry are focused on this, and we’ve applied some significant internal resources across our membership to work on this challenge.

    So the government is very interested in it. We’ve had collaborations all the way from the White House across the Department of Defense (DoD) and within the Department of Homeland Security (DHS), and we have members from the government space in NASA and DoD.

    It’s very much a collaborative effort, and I'm hoping that it can continue to be so and be utilized as a standard that the government can point to, instead of coming up with their own policies and practices that may actually not work as well as those defined by the industry.

    Gardner: Edna Conway, have we missed anything in terms of being well-versed in understanding the challenge here?

    Conway: The challenge is moving a little bit, and our colleagues on the public side of the public-private partnership addressing supply-chain integrity have recognized that we need to do it together.

    More importantly, you need only to listen to a statement, which I know has often been quoted, but it’s worth noting again from EU Commissioner Algirdas Semeta. He recently said that in a globalized world, no country can secure the supply chain in isolation. He recognized that, again quoting, national supply chains are ineffective and too costly unless they’re supported by enhanced international cooperation.

    Mindful focus

    The one thing that we bring to bear here is a mindful focus on the fact that we need a public-private partnership to address comprehensively in our information and communications technology industry supply chain integrity internationally. That has been very important in our focus. We want to be a one-stop shop of best practices that the world can look at, so that we continue to benefit from commercial technology which sells globally and frequently builds once or on a limited basis.

    Combining that international focus and the public-private partnership is something that's really coming home to roost in everyone’s minds right now, as we see security value migrating away from an end point and looking comprehensively at the product lifecycle or the global supply chain.

    Gardner: We obviously have an important activity. We have now more collaboration among and between public and private sectors as well as the wider inclusion of more countries and more regions.

    Dave Lounsbury, perhaps you could bring us up to speed on where we are in terms of this as a standard. Eighteen months isn’t necessarily a long time in the standards business, but there is, as we said, some emergency here. Perhaps you could set us up in understanding where we are in the progression and then we’ll look at some of the ways in which these issues are being addressed.

    Lounsbury: I’d be glad to, Dana, but before I do that, I want to amplify on the point that Edna and Andras made. I had the honor of testifying before the House Energy and Commerce Committee on Oversight Investigations, on the view from within the U.S. Government on IT security.

    It was very gratifying to see that the government does recognize this problem. We had witnesses in from the DoD and Department of Energy (DoE). I was there, because I was one of the two voices on industry that the government wants to tap into to get the industry’s best practices into the government.

    It was even more gratifying to see that the concerns that were raised in the hearings were exactly the ones that the OTTF is pursuing. How do you validate a long and complex global supply chain in the face of a very wide threat environment, recognizing that it can’t be any single country? Also, it really does need to be not a process that you apply to a point, but something where you have a standard that raises the bar for our security for all the participants in your supply chain.

    So it was really good to know that we were on track and that the government, and certainly the U.S. Government, as we’ve heard from Edna, the European governments, and I suspect all world governments are looking at exactly how to tap into this industry activity.

    Now to answer your question directly -- in the last 18 months, there has been a tremendous amount of progress. The thing that I'll highlight is that early in 2012, the OTTF published a snapshot of the standard. A snapshot is what The Open Group uses to give a preview of what we expect the standards will apply. It has fleshed out two areas, one on tainted products and one on counterfeit products, the standards and best practices needed to secure a supply chain against those two vulnerabilities.

    So that’s out there. People can take a look at that document. Of course, we would welcome their feedback on it. We think other people have good answers too. Also, if they want to start using that as guidance for how they should shape their own practices, then that would be available to them.

    Normative guidance

    Of course, with Andras as the Chair, Edna as the Vice-Chair, and Dan as a key contributor, I'm probably the least qualified one on the call to talk about the current state, but what they've been focusing on is how you would go from having the normative guidance of the standard to having some sort of a process by which a vendor could indicate their conformance to those best practices and standards.

    That’s the top development topic inside the OTTF itself. Of course, in parallel with that, we're continuing to engage in an outreach process and talking to government agencies that have a stake in securing the supply chain, whether it's part of government policy or other forms of steering the government to making sure they are making the right decisions. In terms of exactly where we are, I'll defer to Edna and Andras on the top priority in the group.

    Gardner: Let’s do that. Edna, can you perhaps fill us in on what the prioritization, some of the activities, a recap if you will of what’s been going on at OTTF and where things stand?

    Conway: We decided that this was, in fact, a comprehensive effort that was going to grow over time and change as the challenges change. We began by looking at two primary areas, which were counterfeit and taint in that communications technology arena. In doing so, we first identified a set of best practices, which you referenced briefly inside of that snapshot.

    Where we are today is adding the diligence, and extracting the knowledge and experience from the broad spectrum of participants in the OTTF to establish a set of rigorous conformance criteria that allow a balance between flexibility and how one goes about showing compliance to those best practices, while also assuring the end customer that there is rigor sufficient to ensure that certain requirements are met meticulously, but most importantly comprehensively.

    We have a practice right now where we're going through each and every requirement or best practice and thinking through the broad spectrum of the development stage of the lifecycle, as well as the end-to-end nodes of the supply chain itself.

    This is to ensure that there are requirements that would establish conformance that could be pointed to, by both those who would seek accreditation to this international standard, as well as those who would rely on that accreditation as the imprimatur of some higher degree of trustworthiness in the products and solutions that are being afforded to them, when they select an OTTF accredited provider.

    Gardner: Andras, when we think about the private sector having developed a means for doing this on its own, that now needs to be brought into a standard and towards an accreditation process. I'm curious where in an organization like IBM these issues are most enforceable.

    Is this an act of the procurement group? Is it the act of the engineering and the specifying? Is it a separate office, like Dan is, with the product security office? I know this is a big subject. I don’t want to go down too deeply, but I'm curious as to where within the private sector the knowledge and the expertise for these sorts of things seem to reside?

    Szakal: That’s a great question, and the answer is both. Speaking for IBM, we recently celebrated our 100th anniversary in 2011. We’ve had a little more time than some folks to come up with a robust engineering and development process, which harkens back to the IBM 701 and the beginning of the modern computing era.

    Integrated process

    We have what we call the integrated product development process (IPD), which all products follow, and that includes hardware and software. And we have a very robust quality assurance team, the QSE team, which ensures that the folks are following those practices that are called out. Within each line of business there exist specific requirements that apply more directly to the architecture of a particular product offering.

    For example, the hardware group obviously has additional standards that they have to follow during the course of development that is specific to hardware development and the associated supply chain, and that is true with the software team as well.

    The product development teams are integrated with the supply chain folks, and we have what we call the Secure Engineering Framework, of which I was an author and the Secure Engineering Initiative which we have continued to evolve for quite some time now, to ensure that we are effectively engineering and sourcing components and that we're following these Open Trusted Technology Provider Standard (O-TTPS) best practices.

    In fact, the work that we've done here in the OTTF has helped to ensure that we're focused in all of the same areas that Edna’s team is with Cisco, because we’ve shared our best practices across all of the members here in the OTTF, and it gives us a great view into what others are doing, and helps us ensure that we're following the most effective industry best practices.

    Gardner: It makes sense, certainly, if you want to have a secure data center, you need to have the various suppliers that contribute to the creation of that data center operating under some similar processes.

    Dan Reddy at EMC, is the Product Security Office something similar to what Andras explained for how IBM operates? Perhaps you could just give us a sense of how it’s done there in terms of who is responsible for this, and then how those processes might migrate out to the standard?

    Reddy: At EMC in our Product Security Office, we house the enabling expertise to define how to build their products securely. We're interested in building that in as soon as possible throughout the entire lifecycle. We work with all of our product teams to measure where they are, to help them define their path forward, as they look at each of the releases of their other products. And we’ve done a lot of work in sharing our practices within the industry.

    One of the things this standard does for us, especially in the area of dealing with the supply chain, is it gives us a way to communicate what our practices are with our customers. Customers are looking for that kind of assurance, and rather than having a one-by-one conversation with customers about what our practices are for a particular organization, this would allow us to have a way of demonstrating the measurement and the conformance against a standard to our own customers.

    Also, as we flip it around and take a look at our own suppliers, we want to be able to encourage suppliers, which may be small suppliers, to conform to a standard, as we go and select who will be our authorized suppliers.

    Gardner: Dave Lounsbury at The Open Group, it seems that those smaller suppliers that want to continue to develop and sell goods to such organizations as EMC, IBM, and Cisco would be wise to be aware of this standard and begin to take steps, so that they can be in compliance ahead of time or even seek accreditation means.

    What would you suggest for those various suppliers around the globe to begin the process, so that when the time comes, they're in an advantageous position to continue to be vigorous participants in these commerce networks?

    Publications catalog

    Lounsbury: Obviously, the thing I would recommend right off is to go to The Open Group website, go to the publications catalog, and download the snapshot of the OTTF standard. That gives a good overview of the two areas of best practices for protection from tainted and counterfeit products we’ve mentioned on the call here.

    That’s the starting point, but of course, the reason it’s very important for the commercial world to lead this is that commercial vendors face the commercial market pressures and have to respond to threats quickly. So the other part of this is how to stay involved and how to stay up to date.

    And of course the two ways that The Open Group offers to let people do that is that you can come to our quarterly conferences, where we do regular presentations on this topic. In fact, the Washington meeting is themed on the supply chain security.

    Of course, the best way to do it is to actually be in the room as these standards are evolved to meet the current and the changing threat environment. So, joining The Open Group and joining the OTTF is absolutely the best way to be on the cutting edge of what's happening, and to take advantage of the great information you get from the companies represented on this call, who have invested years-and-years, as Andras said, in making their own best practices and learning from them.

    Gardner: Edna Conway, we’ve mentioned a couple of the early pillars of this effort -- taint and counterfeit. Do we have a sense of what the next areas to be targeted might be? I don’t mean for you all to set your agenda in stone, but I'm curious as to what possible next areas would be on the short list of priorities.

    Conway: You’ve heard us talk about CNCI, and the fact that cybersecurity is on everyone’s minds today. So while taint embodies that to some degree, we probably need to think about partnering in a more comprehensive way under the resiliency and risk umbrella that you heard Dan talk about and really think about embedding security into a resilient supply chain or a resilient enterprise approach.

    In fact, to give that some forethought, we actually have invited to the upcoming conference a colleague whom I've worked with for a number of years, who is a leading expert in enterprise resiliency and supply chain resiliency, to join us and share his thoughts.

    He is a professor at MIT, and his name is Yossi Sheffi. Dr. Sheffi will be with us. It's from that kind of information sharing, as we think in a more comprehensive way, that we begin to gather the expertise that not only resides today globally in different pockets, whether it be academia, government, or private enterprise, but also to think about what the next generation is going to look like.

    Resiliency, as it was known five years ago, is nothing like supply chain resiliency today, and where we want to take it into the future. You need only look at the US national strategy for global supply chain security to understand that. When it was announced in January of this year at Davos by Secretary Napolitano of the DHS, she made it quite clear that we're now putting security at the forefront, and resiliency is a part of that security endeavor.

    So that mindset is a change, given the reliance ubiquitously on communications, for everything, everywhere, at all times -- not only critical infrastructure, but private enterprise, as well as all of us on a daily basis today. Our communications infrastructure is essential to us.

    Thinking about resiliency

    Given that security has taken top ranking, we’re probably at the beginning of this stage of thinking about resiliency. It's not just about continuity of supply, not just about prevention from the kinds of cyber incidents that we’re worried about, but also to be cognizant of those nation-state concerns or personal concerns that would arise from those parties who are engaging in malicious activity, either for political, religious or reasons.

    Or, as you know, some of them are just interested in seeing whether or not they can challenge the system, and that causes loss of productivity and a loss of time. In some cases, there are devastating negative impacts to infrastructure.

    Gardner: Andras at IBM, any thoughts on where the next priorities are? We heard resiliency and security. Any other inputs from your perspective?

    Szakal: I am highly focused right now on trying to establish an effective and credible accreditation program, and working to test the program with the vendors.

    From an IBM perspective, we're certainly going to try to be part of the initial testing of the program. When we get some good quality data with respect to challenges or areas that the OTTF thinks need refinement, then the members will make some updates to the standard.

    There's another area too that I am highly focused on, but have kind of set aside, and that's the continued development and formalization of the framework itself that is to continue the collective best practices from the industry and provide some sort of methods by which vendors can submit and externalize those best practices. So those are a couple of areas that I think that would keep me busy for the next 12 months easily.

    Gardner: Before we wrap up, I want to try to develop some practical examples of where and how this is being used successfully, and I’d like to start with you, Dan. Do you have any sense of where, in a supply chain environment, the focus on trust and verification has come to play and has been successful?

    I don’t know if you can mention names, but at least give our listeners and readers a sense of how this might work by an example of what’s already taken place?

    Reddy: I'm going to build on what I said a little bit earlier in terms of working with our own suppliers. What we're envisioning here is an ecosystem, where as any provider of technology goes and sources the components that go into our products, we can turn around and have an expectation that those suppliers will have gone through this process. We'll then be able to take that level of confidence and assurance that we get from knowing that and translate it to the people who are acquiring our technology as well.

    As Andras is saying, this is going to take a while to roll out and get everyone to take advantage of this, but ultimately, our success is going to be measured by if we have a fully functioning ecosystem, where this is the way that we measure conformance against the standard, whether you are a large or a small company.

    Further along

    We think that this initiative is further along than most anything else in the landscape today. When people take a look at it, they'll realize that all of the public and private members that have created this have done it through a very rigorous conformance and consensus process. We spend a lot of time weighing and debating every single practice that goes into the standard and how it’s expressed.

    You may be able to read 50 pages quickly, but there is a lot behind it. As people figure out how those practices match up with their own practices and get measured against them, they're going to see a lot of the value.

    Conway: It’s being used in a number of companies that are part of OTTF in a variety of ways. You’ve heard Dan talk about what we would expect of our suppliers, and obviously, for me, the supply chain is near and dear to my heart, as I develop that strategy. But, what I think you will see is a set of practices that companies are already embracing.

    For example, at Cisco, we think about establishing trustworthy networks. Dan’s company may have a slightly different view given the depth and breadth of the portfolio of what EMC delivers to its many customers with integrity. Embedding this kind of supply chain security as a foundational element of what you're delivering to the customer requires that you actually have a go-to-market strategy that allows you to address integrity and security within it.

    Then to flip back to what Dan said, you need areas of discipline, where there are best practices with regard to things like logistics security and electronic fabrication practices, obviously, looking uniquely in our industry which is what the OTTF is focusing on.

    If you look deeply, you'll find that there is a way to take a best practice and actually follow it. I just came from Florida, where I was stuck in a tropical storm so I have those storm "spaghetti models" that the media show on the television to predict the path of storm action. If you looked at O-TTPS as a spaghetti model, so to speak, you would have the hub being the actual best practice, but there are already pockets of best practices being used.

    You heard Andras talk about the fact that IBM has a robust methodology with regard to secure engineering. You heard Dan mention it as well. We too at Cisco have a secure development lifecycle with practices that need to be engaged in. So it’s embracing the whole, and then bringing it down into the various nodes of the supply chain and practices.

    There are pockets right now in development, in logistics, and in fabrication already well under way that we are going to both capitalize on, and hopefully raise the bar for the industry overall. Because if we do this properly, in the electronics industry we all use the vast majority of a similar set of supply-chain partners.

    What that will do is raise the bar for the customers and allow those of us who are innovators to differentiate on our innovation and on how we might achieve the best practices, rather than worrying about are you trustworthy or not. If we do it right, trust will be an automatic given.

    Gardner: I have to imagine that going out to the market with the ability to assert that level of trust is a very good position in terms of marketing and competitive analysis. So this isn’t really something that goes on without a lot of commercial benefits associated with it, when it’s done properly. Any reaction to that, Andras, in terms of companies that do this well? I guess they should feel that they have an advantage in the market.

    Secure by Design

    Szakal: Especially now in this day and age, any time that you actually approach security as part of the lifecycle -- what we call an IBM Secure by Design -- you're going to be ahead of the market in some ways. You're going to be in a better place. All of these best practices that we’ve defined are additive in effect. However, the very nature of technology as it exists today is that it will be probably another 50 or so years, before we see a perfect security paradigm in the way that we all think about it.

    So the researchers are going to be ahead of all of the providers in many ways in identifying security flaws and helping us to remediate those practices. That’s part of what we're doing here, trying to make sure that we continue to keep these practices up to date and relevant to the entire lifecycle of commercial off-the-shelf technology (COTS) development.

    So that’s important, but you also have to be realistic about the best practices as they exist today. The bar is going to move as we address future challenges.

    Gardner: I'm afraid we have to leave it there. We’ve been talking about making global supply chains for technology providers more secure, verified, and therefore, trusted. We’ve been learning about the achievements of OTTF and how technology suppliers and buyers will expect to benefit from that moving forward.

    This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from July 16 - 20 in Washington, D.C. You’ll hear more from these and other experts on the ways that IT and enterprise architecture support any enterprise transformation as well as how global supply chains are being better secured.

    I’d like to thank our panel for this very interesting discussion. We’ve been here with Dave Lounsbury, Chief Technical Officer at The Open Group. Thanks, Dave.

    Lounsbury: Thank you, Dana.

    Gardner: We’ve also been here with Dan Reddy, Senior Consultant Product Manager in the Product Security Office at EMC. Thanks, Dan.

    Reddy: Thanks, Dana.

    Gardner: We’ve been joined by Andras Szakal, Vice President and Chief Technology Officer at IBM’s US Federal Group as well as the Chairman of the OTTF. Thank you, Andras.

    Szakal: My pleasure, Dana.

    Gardner: And lastly, Edna Conway, Chief Security Strategist for Global Supply Chain at Cisco. Thanks so much for your input.

    Conway: My pleasure. I’ll look forward to seeing everyone in Washington.

    Gardner: Yes, and I’ll look forward to all of your presentations and discussions in Washington as well. I encourage our readers and listeners to attend the conference and learn even more. Some of the proceedings will be online and available for streaming, and you could take advantage of that as well.

    This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leadership interviews. Thanks again for listening, and come back next time.

    Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make IT supply chains secure, verified, and trusted. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2012. All rights reserved.
