
KuppingerCole Report: Leadership Compass of Access Management and Federation

Part of fixing any IT issue is finding the right solution for the problem and ensuring the issue will not happen again. One of the major struggles for the IT industry is finding the right vendors to enlist as protectors.

KuppingerCole’s Leadership Compass report on access management and federation aims to close the gap between the right solution and the right vendor.

Emerging business requirements, such as onboarding business partners, providing customer access to services and adopting new cloud services, require IT to respond with solutions that support these communication and collaboration needs. Access management and federation vendors are closing in to address these needs and enable business agility.

With many vendors in this market segment, the KuppingerCole Leadership Compass provides a view and analysis of the leading vendors and their strengths and weaknesses. The report acts as a guide for the consumer to compare product features and individual product requirements.

Read the KuppingerCole Leadership Compass report

Breaking Down the Leadership Ratings

When evaluating the different vendors and products, KuppingerCole looked into the aspects of overall functionality, size of the company, number of customers, number of developers, partner ecosystems, licensing models and platform support. Specific features, such as federation inbound, federation outbound, backend integration, adaptive authentication, registration, user stories, security models, deployment models, customization and multitenancy, were considered as well.

KuppingerCole created various leadership ratings, including “Product Leadership,” “Innovation Leadership,” and “Market Leadership,” to combine for the “Overall Leadership” rating. With this view, KuppingerCole gives an overall impression of each vendor’s offering in the particular market segment.

Product Leadership is based on analysis of product and services features and capabilities. This view focuses on the functional strength and completeness of each product.

Innovation Leadership focuses on a customer-oriented approach that ensures the product or service remains compatible with earlier versions while also supporting new features that address emerging customer requirements.

Market Leadership is based on market criteria, such as number of customers, the partner ecosystem, the global reach and the nature of responses to factors affecting the market outlook. This view focuses on global reach, sales and service support, and successful execution of marketing strategy.

KuppingerCole Leadership Compass: Access Management and Federation

How IBM Ranks

IBM Security Access Manager (ISAM) is ranked as a leader in the Product, Marketing and Technology Leadership categories. This rating comes from IBM ISAM having one of the largest customer bases of all vendors in the market segment, a strong partner ecosystem, mature access management and strong adaptive authentication. ISAM is among the leading products in the access management and federation market and meets organizations’ growing lists of IT security requirements with broad feature support.

Read the Full Report

Check out the complete report to discover:

  • An overview of the access management and federation market;
  • The right vendor and right solution for your business; and
  • Why IBM ISAM is a leader in Product, Marketing and Technology.


The post KuppingerCole Report: Leadership Compass of Access Management and Federation appeared first on Security Intelligence.

Author: Kelly Lappin


Preparing for the CCPA: Leverage GDPR Investments to Accelerate Readiness

The European Union (EU)’s General Data Protection Regulation (GDPR) is about to celebrate its first birthday, and similar regulations scheduled to go into effect early in 2020 — such as Brazil’s Lei Geral de Proteção de Dados (LGPD) and the California Consumer Privacy Act (CCPA) — will press organizations to look more holistically at how they address privacy. Because I’m an optimist, I think it’s possible a U.S. federal privacy law could also be passed in the next 18 months. In my experience, modern data privacy readiness and controls are largely based on common privacy principles and practices from the GDPR, which began enforcement on May 25, 2018.

But what does that really mean?

Apply GDPR Best Practices to Your CCPA Readiness Plan

Let’s take a step back and look at several of the high-level overlaps between the GDPR and the CCPA as an example. Keep in mind that within each regulation there are fine points that clearly differentiate them. While those are beyond the scope of this article, we suggest seeking legal advice should you need further help on this topic. Here is a high-level review:

  • While definitions vary, the general definition of “personal data” or “personal information” is virtually anything that can be used to identify an individual. Both regulations define and enumerate rules to enforce protecting an individual’s rights around his or her personal information.
  • Under the important right of disclosure or access, individuals have a right to transparency around the collection of their personal data, as well as a right to receive a copy of that data or to have it deleted altogether.
  • The CCPA does not directly impose specific data security requirements, but establishes a right of action for certain data breaches caused by business failure to maintain reasonable security practices and procedures appropriate to the risk. Somewhat similarly, the GDPR requires appropriate technical and organizational measures necessary to ensure security appropriate to the risk.

As these basic overlaps between the GDPR and the CCPA illustrate, there is a set of common principles about transparency, including an individual’s right to access or request deletion of personal data, the need for security, and the potential for substantial penalties for noncompliance. While there are implementation differences between the various regulations — such as which organizations and individuals qualify, personal data definitions and individual rights (access, correction, deletion) — the IT best practices required to help your compliance program are largely the same. Some of these include:

  1. Security and privacy by design and by default;
  2. Locating, identifying and classifying personal data;
  3. Tracking personal data use via audit trails to demonstrate compliance;
  4. Providing for response capabilities to individual requests for access, correction, deletion and transfer of personal data and audit trails to demonstrate compliance;
  5. Implementing security controls according to risk (vulnerability assessments, access controls, activity monitoring, encryption); and
  6. Effectively preparing for and responding to breaches.

A Repeatable Framework for Protecting Regulated Data

In my experience as a practitioner, I find that it’s often helpful to follow a framework that guides you as you bring these best practices to life in your data privacy program. That’s why IBM created a five-step program to help you establish a repeatable process for protecting personal and regulated data, known as the Critical Data Protection Program:


Figure 1: IBM’s Critical Data Protection Program

When it comes to preparing for the CCPA (and other regulations down the road), consider what steps you can take as an IT organization and how you will be working with your privacy/legal/compliance organizations. Your privacy team will undertake many of these activities, including assessments, policy setting and creating business processes.

  1. Start by obtaining executive sponsorship and budgets to support your privacy program. The higher up the executive chain, the better. The changes you may need to make will cross organizational boundaries, so support from the top will be critical to your success.
  2. Next, assess and understand your obligations — in other words, do a gap analysis. This may mean seeking legal counsel. Review your existing privacy policies, notices and statements. Do you have them? Where are they presented, and when were they last updated? Are they clearly written and easy to understand?
  3. Create a cross-functional team. When it comes to implementation, be sure to have all the right stakeholders involved. Privacy is not just a security issue, or even just a privacy issue; your cross-functional team should include departments such as marketing and HR, for example, due to the potentially regulated data they may be dealing with.
  4. Regardless of regulation, you will need to know what personal data assets you store, where they are located and how they are used. You will hear this often referred to as a data map. Data discovery is an essential part of creating a data map; it’s the process of identifying, inventorying and mapping personal data and data flows across your organization. A data security solution can help automate the process to avoid approaching it manually — after all, who couldn’t use fewer spreadsheets and more time?
  5. Review data retention schedules. How long do you retain the personal data you collect? It should be either as long as required for a legitimate business need or as required by law.
  6. Document privacy compliance activities, including processing operations involving personal data.
  7. Develop audit capabilities and processes. You will be required to demonstrate what you are doing to address your compliance obligations. You will need a robust audit plan and process to monitor ongoing conformity and help mitigate risk, both internally and with your data processors and other vendors.
  8. Implement privacy by design and security by design. Although not spelled out in the CCPA, this is an important GDPR requirement and it can save you a lot of redundant work regardless of the regulation. Going forward, if you develop new services and systems, it is likely that you will be expected to embed — by default and by design — processes and features that will help ensure privacy of personal data.
  9. Create breach response and notification protocols. In the event of a breach with the GDPR, under certain scenarios, you have 72 hours to notify the regulatory authority. Other states and jurisdictions have varied timelines; sectoral regulations such as New York’s Department of Financial Services 23 NYCRR 500 also mandate 72 hours. Achieving these tight deadlines may depend on having defined processes and protocols in place for investigating, containing and responding to data breaches.

The bottom line is that approaching any privacy regulation requires a combination of people, process and technology. There is no one solution that can meet all needs. There are many technologies from IBM Security that can help — from data activity monitoring solutions to software-as-a-service (SaaS)-based risk analysis to encryption — and our privacy experts can help you get started in creating or augmenting your privacy program with services such as a CCPA readiness assessment.

Accelerate Your Readiness for New Data Privacy Regulations

Privacy regulations will continue to evolve, both in the U.S. and abroad. While there are many implementation differences, the IT controls and requirements for protecting personal data are largely the same. As you build out your program, don’t forget to leverage the existing investments you’ve made in preparing for other regulations — from both an organizational and technology perspective — to accelerate your readiness for new regulations.

With the right tools in place, you can implement a consolidated approach to help organize and automate your privacy controls program and, in the process, help build trust and accountability, whether with consumers, business partners or employees.

Learn more about privacy regulations: Download the white paper

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Preparing for the CCPA: Leverage GDPR Investments to Accelerate Readiness appeared first on Security Intelligence.

Author: Cindy Compert



Women in Security Speak Out at RSAC 2019, But There’s Still a Long Way to Go

Cybersecurity still has a gender diversity gap and a huge talent shortage, but the industry is making progress — albeit slowly. A recent study by Cybersecurity Ventures predicted that women in security will comprise 20 percent of the global workforce by the end of 2019. One in five security positions held by women isn’t equity, but it’s a significant improvement; in 2013, women made up only 11 percent of the cyber workforce.

Women are becoming more engaged in the security profession, but they’re still lagging behind the overall technology industry, which is made up of 26 percent women. By some measures, the industry hasn’t even reached the tipping point when it comes to females in executive security leadership roles. A Boston Consulting Group study found that innovation only improves when the workforce includes 20 percent or more women in management positions. Today, just 13 percent of chief information security officer (CISO) roles are held by women, according to Cybersecurity Ventures.

Conversations about women in security frequently focus on the talent pipeline issue, but the skills gap among job candidates doesn’t tell the full story. The industry needs to look beyond job vacancies to understand the systemic issues related to attracting, compensating and retaining female talent in cybersecurity, and how a lack of equity is having a negative impact on the performance of security teams. This holistic perspective on the gender problem in security was a focus at RSA Conference 2019, and it’s a critical conversation for surviving the current threat landscape.

“As an industry, we face unrelenting waves of new attacks and business challenges,” said IBM Security General Manager Mary O’Brien in Thursday’s keynote, “Change Your Approach to Get it Right.” “And a little better isn’t going to cut it. We need to be exponentially better.”

Women in Security Turn Out for RSAC 2019

Tech conferences are notorious for gender parity issues, including low participation among women professionals. In keeping with the conference theme of “better,” RSAC took several steps to address inclusion at the 2019 event. Prior to the show, conference organizer Sandra Toms predicted it would attract 20 percent female attendance, or a projected 8,400 women in security based on last year’s totals.

In an interview with the San Francisco Chronicle, Toms expressed excitement around this record-breaking number of female participants.

“It’s nice to wait in line for a restroom,” she said.

RSAC 2018 drew criticism for a lack of gender parity among speakers, including just one female featured out of 20 keynote speakers. This year, the conference doubled the number of keynote spots to 40 and achieved nearly 50 percent gender parity in keynotes. It also ran a half-day training dubbed “She Speaks” to help women in cybersecurity become more effective at delivering conference keynotes and develop the confidence to reach for new opportunities in the workplace.

Conversations at RSAC 2019 have shifted from talent pipeline problems to the total employee experience, including issues of retention and managing diverse teams. According to Executive Women’s Forum Executive Director Lynn Terwoeds, as reported by the San Francisco Chronicle, women in security are four times less likely to be promoted to executive roles than their male peers — and they earn less when they are. The conference kicked off with a Monday mini-track titled “Solving our Cybersecurity Talent Shortage,” which directly addressed the industry’s gender gap throughout the talent pipeline, from candidacy to employee experience.

Define Your North Star for Diversity Efforts

Doing things differently means committing to new and agile models of working, including a diversity of talent and thought.

“The most successful teams I have witnessed started by defining their North Star — knowing where they are and where they want to go and communicating that to the entire organization,” said O’Brien in her keynote. Speaking to her experience working with the most effective and secure organizations, O’Brien noted that “agile security teams include more voices that offer different perspectives to target the real weaknesses.”

The bottom line is that organizations need to achieve inclusive hiring practices to create diverse teams, and they must establish equitable work environments to retain women in security. According to Equili CEO and founder Elaine Marino, 50 percent of women in technology careers leave their jobs within 12 years — twice the rate of male tech professionals. In her Monday presentation titled “Retain and Recruit a Diverse Talent Pool,” Marino called for organizations to rethink every step of the employee experience and create agile teams by:

  • Creating gender-neutral job-postings and tapping new talent pools;
  • Implementing bias-neutral methods of candidate screening;
  • Adopting and refining new interview methodologies;
  • Committing to equal pay and benefits in job offers;
  • Establishing inclusive and safe onboarding practices; and
  • Fostering a respectful culture and paying attention to employee signals.

When Engaging With Youth, It’s Not All About the Money

The key to nurturing tomorrow’s cybersecurity talent pool is continuous engagement with middle school students, said Mandy Galante, director of the Information Technology Institute at Mater Dei Prep High School and the SANS Institute. In Thursday’s talk, “Women in Cybersecurity: Finding, Attracting, and Cultivating Talent,” Galante identified key barriers to engagement when working with youth, stating that young female students are statistically less motivated by money and job security. While money is appealing, it’s not enough for students to gravitate toward a career field, and few teenagers have the wherewithal to track future career choices to job market availability.

Instead, Galante said, young female teens are motivated by the concept of making a difference in the world and earning recognition. Galante and her co-speaker, Michele Guel, distinguished engineer at Cisco, challenged women in security to foster tomorrow’s talent and support workplace equity by:

  • Forming a visible connection with young students to encourage future careers;
  • Maintaining the connection through college with career fairs and workshops;
  • Fostering interest with technical trainings, boot camps and technology conferences;
  • Creating internal and external career opportunities for women; and
  • Offering flexible working arrangements to both women and men.

Youth outreach and education doesn’t need to be confined to the classroom. In her keynote titled “(Girl) Scouting for Talent: The Solution for the Next Generation,” Girl Scouts of America CEO Sylvia Acevedo described what her iconic organization is doing to expose young girls to technology skills, including partnering with technology companies to develop science, technology, engineering and mathematics (STEM) badges and programs designed to prepare girls for careers in cybersecurity.

“Cybersecurity is our voting systems and our water,” Acevedo asserted. “When someone says ‘We can’t recode that sensor,’ we want women in the room who are able to say ‘Yes we can. I did that in middle school.’”

To build confidence and critical thinking skills that transfer across disciplines, the Girl Scouts’ STEM exercises are primarily hands-on activities that require minimal devices.

“I break problems into little pieces, try different solutions. There’s more to it than just numbers,” stated one Girl Scout in a video shown by Acevedo. “Maybe I’ll be a rocket scientist one day. Or a cybersecurity engineer.”

Women Bear the Brunt of Cybersecurity’s Burnout Problem

The issues described in “Cybersecurity’s Dirty Little Secret” don’t apply strictly to women, but they may have a disproportionate impact on women in security. According to Karen Worstell, CEO of the Risk Group, and Selena Worstell, executive editor of ISTP Magazine, burnout is the real industry crisis, and the cost to organizations is staggering. Statistics shared during their presentation revealed that:

  • More than half (57.16 percent) of cybersecurity professionals identify as “burned out”;
  • Forty-one percent of security workers say “crisis management” is “normal”; and
  • One-fifth of cyber professionals have stress-related health problems.

The solution is to initiate a cultural change and create an environment that contributes to growth and self-care. CISOs must work to understand how the workplace culture and job responsibilities impact employees of all backgrounds and demographics. For many organizations, this could include creating more flexible workplace arrangements, offering new benefit structures or pursuing cultural change to support better work-life balance.

It’s Time to Remove Invisible Barriers to Gender Equity

While RSAC 2019 organizers have yet to confirm whether the 28th annual conference indeed hosted the predicted 8,400 women, the eyeball test found participation among female cybersecurity professionals to be at a record high. The keynote speaker agenda featured more women technology experts than ever before. The conversation has shifted to addressing security’s gender problem holistically by creating a better overall employment experience for women in security. Progress has been made toward creating gender parity in the security industry, but there’s still a long way to go.

When Symantec Chief Information Officer (CIO) Sheila Jordan asked a predominantly female room of attendees if they’d ever experienced gender bias in the workplace, nearly every hand went up. The attendees shared stories about how women felt compelled to “self-edit” before speaking, faced invisible barriers to progress and perceived a lack of support.

Hiring and retaining diverse talent, including women in security, is imperative to a better and more secure future. Incremental progress is no longer acceptable. It’s time for leaders and organizations to recognize gender parity as a North Star and collaborate around workplace equity.

The post Women in Security Speak Out at RSAC 2019, But There’s Still a Long Way to Go appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Jasmine Henry

Application Security, Blockchain, Data Privacy, Data Protection, Data Security, Encryption, Encryption Keys, IBM Security, Identity & Access, Identity and Access Management (IAM), Identity Governance, Penetration Testing, Security Services, X-Force,

Blockchain: Making the Reward Much Greater Than the Risk

What is the first thought that comes to mind when someone mentions blockchain? Many of you may say bitcoin, which is what’s to be expected considering bitcoin was the first major cryptocurrency that made blockchain a household name. However, bitcoin is only one among a large variety of cryptocurrencies, and while it was the first large-scale implementation of blockchain technology, it is merely one application of many uses by which blockchain can aid society and commerce.

Blockchain technology provides a means to store data in a distributed ledger. The data is stored within a block, where it is digitally recorded and linked together with other blocks, forming a chain. The chain provides the entire history of all recorded data. Data is committed to the chain in the form of transactions. The transactions are only added after they have been validated by the blockchain network’s consensus protocol, so that there is only one version of the truth. Any data stored on the blockchain is “immutable,” meaning it cannot be changed. Also, all network participants have a copy of the data, meaning everything is transparent and everyone has the same version of truth.
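A minimal hash-chained ledger makes the linking described above concrete. This is an added illustration, not code from the post or from IBM: each block commits to the previous block's digest, so altering any recorded transaction breaks the link from every later block. The `validate_transaction` check is an assumed stand-in for the network's consensus validation, which this toy omits.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List


@dataclass
class Block:
    index: int
    prev_hash: str           # digest of the previous block: this is the "link" in the chain
    transactions: List[dict]
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so every participant derives the same digest for the same content
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "transactions": self.transactions},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode()).hexdigest()


def validate_transaction(tx: dict) -> bool:
    """Assumed stand-in for consensus validation: sender, receiver and a positive amount."""
    amount = tx.get("amount")
    return bool(tx.get("from")) and bool(tx.get("to")) and isinstance(amount, (int, float)) and amount > 0


class Ledger:
    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, [])
        genesis.hash = genesis.compute_hash()
        self.chain: List[Block] = [genesis]

    def append(self, transactions: List[dict]) -> Block:
        # Transactions are only committed after validation, as the post describes
        if not all(validate_transaction(t) for t in transactions):
            raise ValueError("transaction rejected by validation")
        prev = self.chain[-1]
        block = Block(len(self.chain), prev.hash, copy.deepcopy(transactions))
        block.hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify(self) -> int:
        """Return -1 if every block matches its digest and links to its predecessor,
        otherwise the index of the first block that fails."""
        for i, block in enumerate(self.chain):
            if block.hash != block.compute_hash():
                return i
            if i > 0 and block.prev_hash != self.chain[i - 1].hash:
                return i
        return -1


def build_demo_ledger() -> Ledger:
    # Constructed sample transactions, not real data
    ledger = Ledger()
    ledger.append([{"from": "alice", "to": "bob", "amount": 5}])
    ledger.append([{"from": "bob", "to": "carol", "amount": 2}])
    return ledger


def tamper_first_invalid(rehash: bool) -> int:
    """Rewrite history in block 1 of a fresh demo ledger and report where verification
    first fails. Without rehashing, block 1 no longer matches its own digest; with
    rehashing, block 2's stored prev_hash no longer links to the altered block 1."""
    ledger = build_demo_ledger()
    ledger.chain[1].transactions[0]["amount"] = 500
    if rehash:
        ledger.chain[1].hash = ledger.chain[1].compute_hash()
    return ledger.verify()


if __name__ == "__main__":
    honest = build_demo_ledger()
    print("honest copy verifies:", honest.verify() == -1)                     # True
    print("tampered, not rehashed, fails at block", tamper_first_invalid(False))  # 1
    print("tampered and rehashed, fails at block", tamper_first_invalid(True))    # 2
```

Every other participant still holds a copy that verifies cleanly, which is why a single altered copy is rejected rather than silently accepted as the new truth.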

The first major implementation of blockchain technology was introduced in 2008 with the release of bitcoin, but it’s only during the past few years that enterprises have come to grasp the technology’s potential. This is happening because the past decade has seen a tremendous reduction in the costs of secure storage, computation power and communications. As a result, more innovation makes its way into mainstream markets, served to average consumers.

The same applies to the business realm. Nowadays, we are starting to see more blockchain adoption across many industries, including financial, food services, healthcare, aviation, automotive and logistics. In 2017, the blockchain market was valued at $708 million. Two separate reports have estimated that by 2024–2025, the market could be valued at between $20 billion and $60 billion. This significant growth would represent up to an 8,300 percent increase in the span of less than 10 years.

We are still in the early stages of exploring this technology, and it will take time to fully realize its applications and potential. For example, it took almost 10 years for computers to reach an adoption rate of 80 percent. For enterprises, blockchain technology at scale has only been around since late 2015. So what does this mean, exactly? As we watch a new technology emerge and steadily grow, people who love to be on the cutting edge of technology are excited about the endless possibilities blockchain affords. That said, with new technology also comes new challenges, especially regarding security.

Big Implementations, Limited Experts

The people who deeply understand blockchain infrastructure are typically blockchain developers and architects, whose numbers are increasing, but are still few and far between. If you layer on blockchain security expertise, you will find that number to be even smaller. Hardly any published information or guidance exists about blockchain security.

So what are the implications of developing these full-fledged solutions with little knowledge about the potential attack vectors and risks that could bring the entire system crashing down? Inherently, the decentralized nature of blockchain, coupled with consensus protocols, helps to address some security needs, but the consequences can be dire if security isn’t fully explored.

Blockchain Is Code, and Code Can Be Flawed

As previously mentioned, at its core, the blockchain concept is simple: It is a distributed, immutable, cryptographically assured ledger that can have applications, often called “smart contracts,” interface with it.

A smart contract is made up of numerous lines of code, which are stored within the blockchain. These contracts automatically execute when predetermined terms and conditions are met. They are small programs that replicate processes or business logic and can be used to enforce an agreement between multiple parties in such a way that they can be certain of the outcome without any need for an intermediary.

For example, smart contracts may be used in the healthcare industry. Users’ data, such as blood pressure and other metrics, could be published to a chain, and once a metric rises above a specified threshold, the smart contract could execute actions such as notifying the user and/or processes such as further consultations with specialists to resolve their health problems. A flaw capable of compromising smart contracts could allow an attacker to modify critical details in the code. In the above example, what happens if an attacker is able to affect the business logic or introduce additional code to perform unintended actions?

But as with many powerful technologies, while blockchain is straightforward in concept, if improperly implemented, flaws and vulnerabilities can result in risk and security consequences. Think about what would happen if one could change the smart contract’s data before it is stored on the chain? Data on the chain is supposed to be trusted, right? What about a smart contract flaw that results in business logic not behaving as expected?

In the past few years, X-Force Red has seen a plethora of risks introduced into blockchain ecosystems where it was possible to abuse access controls at the user and administrative levels. For example, some vulnerabilities may enable attackers to inject malicious code into the network, effectively compromising all nodes.

Putting the technology aside, your standard everyday applications (i.e., web/mobile applications) still need to interface with the chain on some level. It has been possible for our penetration testers to compromise these components and pivot to backend systems where there is little to no security, giving an attacker the ability to insert data on the chain or execute any function that is exposed. Functions may include higher-privileged administrative access or accessing data that a user should not have access to. If that happens, how does an environment protect itself against malicious actions?

Raising the Bar on Blockchain Security

Security is about raising the bar high enough that attackers would be extremely hard-pressed to exploit any vulnerability. If they were to attack, they would make enough noise on the network to be detected and incident response procedures would hopefully slam the door shut. So, monitoring from both an application and network level is key to protecting blockchain implementations. Should an internal host be scanning your internal network? I think not!

Another precaution is to take a page out of the renowned television show, “The X-Files,” and trust no one:

  • Build a layered defense where each layer of the solution provides some level of distrust of all the layers above it.
  • Enforce strict access controls both at the application and blockchain layers to prevent overly permissive access and abuse.
  • Ensure there are strong governance controls and processes around the handling of all sensitive information, including key material. Should your certificate authority be disclosed to an unauthorized third party, then it’s game over; they would have full control of your blockchain environment.
  • Implement strong change control and a secure code review process to ensure all configuration settings and source code (i.e., smart contracts) are as secure as possible and do not contain any weaknesses that can be abused.

These are only a handful of basic actions that you can take to help protect the integrity, availability and confidentiality of your blockchain-enabled environment.

At X-Force Red, we have many experienced hackers with blockchain-specific skill sets to perform security assessments and penetration tests on anything within the blockchain technology and connected infrastructure.

IBM is an industry leader in blockchain technology and, as such, our X-Force Red hackers are exposed to numerous areas of the technology while working with leading experts in the field.

This all culminates into possessing a deep technical understanding and the ability to assess any blockchain-enabled solution from an end-to-end perspective. X-Force Red can review the environment from a design/architectural perspective and manually review smart contracts, access controls, configuration of critical components and more. We can also test all applications and technologies that interface with the blockchain, work with key stakeholders and developers to fully realize the potential risks they may face, and assist in reducing the risk of a compromise.

Learn more about X-Force Red’s blockchain testing services

The post Blockchain: Making the Reward Much Greater Than the Risk appeared first on Security Intelligence.

Author: Christopher Thomas

Access Management, Credentials Theft, Data Security, Encryption, IBM Security, Identity and Access Management (IAM), identity theft, Network Protection, patch, Patch Management, Privileged Access, Software & App Vulnerabilities, Vulnerabilities, Vulnerability Management, X-Force,

Stranger Danger: X-Force Red Finds 19 Vulnerabilities in Visitor Management Systems

Automation is pervasive across our modern world and building lobbies are the latest place affected by the changes. The friendly receptionist or security guard is being replaced by kiosks, and it is big business, with sales expected to exceed $1.3 billion by 2025. These systems are officially called visitor management systems and allow businesses to check a guest in, give them a badge and control access to restricted areas of the facility.

Unlike simple pen and paper, they have the ability to authenticate visitors and provision badges for them in an automated way without allowing anyone to see who else has visited. If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted. If the systems are not working as intended, they can provide a false sense of security to the companies deploying them.

Considering that these systems are intentionally physically exposed to outsiders and have a role in the security of an organization, they should be developed with security in mind throughout the product life cycle and should include physically present attackers in their threat model. However, our team has identified vulnerabilities in a number of visitor management system products that could prevent them from achieving that goal.

Two X-Force Red summer interns (Hannah Robbins and Scott Brink), under the guidance of the X-Force Red research team, took a closer look at the security of five popular visitor management systems and discovered 19 previously undisclosed vulnerabilities across all the vendors. If the vulnerabilities were exploited by attackers, data like visitor logs, contact information and corporate activities could be accessed. They also discovered these systems can be used to establish a foothold to attack corporate networks.

The findings included:

  • Data leakage — information disclosure of personal and corporate data;
  • Keys to the kingdom — several applications had default administrative credentials, which would allow complete control of the application; and
  • Breakout — other identified vulnerabilities could allow an attacker to use Windows hotkeys and standard help or print dialogs to break out of the kiosk environment and interact with Windows, giving an attacker control over the system with the same privileges as the software was given.

What Are the Potential Consequences?

Given control of a visitor management system, an attacker could achieve a number of goals depending on the features of the system in question and the context of how it has been deployed.

Physical access: Attackers who want to perform a physical task like stealing valuable assets or launching physical attacks to compromise computers may be able to acquire a valid badge. Some visitor management systems can even issue and provision radio frequency identification (RFID) badges, giving an attacker a key to open doors. Even if the issued badges are not capable of opening doors, they may still identify an attacker as a trusted outsider. A smile and gentle request for help opening a locked door often goes unchallenged with a valid badge.

Network access: If an attacker’s goal is simply to gain access to the internal network, they may not even need to enter the premises, since the visitor management system itself may have access to the internal network and compromising it could mean gaining a foothold on the network.

Data exfiltration: Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders. Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well.

Closing the Door to Visitor Management System Vulnerabilities

Details for the vulnerabilities disclosed by our X-Force Red team have been provided to the affected vendors in advance in order to allow time for an official fix to be developed and released in advance of this publication.

Apply the patch: Several of the vendors have updated their software, or plan to, with appropriate patches or changes to the affected functions. If there is no patch, include these systems in a security testing program to confirm the exploitability and apply appropriate techniques to isolate the system from others.

Harden access: Evaluate the privileges the system has and determine whether it actually requires administrative privileges to run. If not, revoke the privileges and ensure default passwords are not enabled. If network access is not required for the visitor management system to function, it should not be connected to the network.

Encrypt everything: Full-disk encryption should always be used on any system accessible to the public or at risk of theft, such as laptops and kiosks. Since iOS now employs mandatory full-disk encryption backed by a hardware security module, full-disk encryption is already the norm on iOS devices.

Password integrity: If the password can be guessed, the encryption may be rendered moot, so make sure to set a strong password on the device. iOS has a kiosk mode that can be used to prevent users from accessing the full functionality of the device, and this should be employed to add an additional barrier to exploitation.

Learn more about X-Force Red and X-Force Red’s penetration testing services.

The Vulnerabilities

The post Stranger Danger: X-Force Red Finds 19 Vulnerabilities in Visitor Management Systems appeared first on Security Intelligence.

Author: Daniel Crowley

IBM Security, Security Analytics, Security Information and Event Management (SIEM), Security Intelligence, Security Intelligence & Analytics, Security Leaders, Security Leadership, Security Operations Center (SOC), Security Professionals, Threat Detection, Threat Intelligence,

Follow the Leaders: 7 Tried-and-True Tips to Get the Most Out of Your Security Analytics

The practice of analyzing security data for detection and response — otherwise known as security analytics (SA) — comes in many forms and flavors. Consumed data varies from organization to organization, analytic processes span a plethora of algorithms and outputs can serve many use cases within a security team.

In early 2019, IBM Security commissioned a survey to better understand how companies currently use security analytics, identify key drivers and uncover some of the net benefits security decision-makers have experienced. The findings were drawn from more than 250 interviews with information security decision-makers around the globe.

7 Lessons From Top Performers in Security Analytics

Encouragingly, the study revealed rising levels of maturity when it comes to security analytics. Roughly 15 percent of all interviewees scored as high performers, meaning their investigation processes are well-defined and they continuously measure the effectiveness of the output. These respondents are especially strong in terms of volume of investigations (five to 10 times more investigations than the average) and false positives (approximately 30 percent below average). Meanwhile, 97 percent of these leaders successfully built a 24/7 security operations center (SOC) with a total staffing headcount between 25 and 50.

What lessons can organizations with lower levels of SA maturity take away from this shining example? Below are seven key lessons security teams can learn from the top performers identified in the survey:

  1. Top SA performers have a knack for integrating security data. While many mid-performing organizations struggle with this integration and consider the task an obstacle to effective security analytics, leaders identified in the survey have streamlined the process, freeing them to focus on use case and content development.
  2. Nine in 10 high performers have an accurate inventory of users and assets — in other words, they understand the enterprise’s boundaries and potential attack surfaces and continuously update their inventory. This is likely a result of effective, automated discovery using a combination of collected security data and active scanning. By comparison, less than 30 percent of low-performing security teams practice this approach.
  3. A robust detection arsenal contains an equal mix of rule-based matching (i.e., indicators of compromise), statistical modeling (i.e., baselining) and machine learning. In stark contrast, intermediate performers rely more on existing threat intelligence as a primary detection method.
  4. Top performers use content provided by their security analytics vendors. In fact, 80 percent of respondents in this category indicated that the vendor-provided content is sufficient, whether sourced out of the box or via services engagements.
  5. Compared to middling performers, top performers dedicate between two and three times more resources to tuning detection tools and algorithms. To be exact, 41 percent of high performers spend 40 hours or more per week on detection tuning.
  6. High-performing security teams automate the output of the analytics and prioritize alerts based on asset and threat criticality. They also have automated investigation playbooks linked to specific alerts.
  7. Finally, organizations with a high level of SA maturity continuously measure their output and understand the importance of time. Approximately 70 percent of top performers keep track of monthly metrics such as time to respond and time spent on investigation. Low-performing organizations, on the other hand, measure the volume of alerts, and their use of time-based metrics is 60 to 70 percent lower than that of high performers.

Build a Faster, More Proactive and More Transparent SOC

So what do the high performers identified in the survey have to show for their security analytics success? For one thing, they all enjoy superb visibility into the performance of their SOC. While many companies are improving, particularly in the areas of cloud and endpoint visibility, 41 percent of leaders in security analytics claim to have full SOC visibility, compared to 13 percent of intermediate and low performers.

In addition, while lower-performing organizations leverage security analytics to investigate and respond — i.e., react — to threats, high performers use SA to stay ahead of threats proactively. Finally, the leaders identified in the study generate their own threat intelligence and are experts in analyzing security data.

The key takeaway here is that security is a race against time — specifically, to outpace cyber adversaries. Leading security teams know this, which is why they continuously challenge themselves by integrating new data, extracting new insights, implementing smart automation, and, most importantly, measuring the time to detect, investigate and respond.

The post Follow the Leaders: 7 Tried-and-True Tips to Get the Most Out of Your Security Analytics appeared first on Security Intelligence.

Author: Bart Lenaerts

cryptocurrency, cryptocurrency miner, IBM Security, IBM X-Force Incident Response and Intelligence Services (IRIS), IBM X-Force Research, Incident Response (IR), Ransomware, Skills Gap, threat hunting, Threat Intelligence, X-Force,

Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks

Cybercriminals made a lot of noise in 2017 with ransomware attacks like WannaCry and NotPetya, using an in-your-face approach to cyberattacks that netted them millions of dollars from victims. But new research from IBM X-Force, the threat intelligence, research and incident response arm of IBM Security, revealed that 2018 saw a rapid decline in ransomware attacks as cybercrime gangs shifted tactics to remain under the radar.

Ransomware attacks declined by 45 percent between Q1 2018 and Q4 2018, according to the research. That doesn’t mean cybercrime is on the decline, however. Instead, cybercriminals employed cryptojacking, the stealthy theft of computing power to generate cryptocurrency, at a much higher rate. Cryptojacking surged by 450 percent over the course of 2018, according to the newly released “IBM X-Force Threat Intelligence Index 2019.”

Wendi Whitmore, global lead of the IBM X-Force Incident Response and Intelligence Services (IRIS) team, said in an interview that ransomware was highly successful for several years, but the payoff was starting to decline.

“It appears, for a variety of reasons, cybercriminals are getting less money from ransomware attacks and potentially getting a better return on their investment and their time from cryptojacking,” Whitmore said.

IBM X-Force observed a 45 percent decline in ransomware attacks and a 450 percent increase in cryptojacking over the course of 2018, as shown by the trend lines in this chart.

Cryptojacking and Other Stealth Attacks

The term cryptojacking refers to the illicit use of computing resources to generate cryptocurrency such as bitcoin, which peaked in value at nearly $20,000 in late 2017, and Monero, which has generated millions of dollars for cybercriminals over the past decade.

Cryptojacking typically works either by infecting a victim’s computer with malware or by injecting mining code into the victim’s browser. The malicious code uses the processing power of the hijacked computer to mine (generate) cryptocurrency. The spike in central processing unit (CPU) usage may cause systems to slow, and enterprises may be affected by the presence of the malware on their network servers and employee devices.

While less destructive than ransomware, the presence of cryptomining malware in enterprise environments is concerning because it indicates a vulnerability that may be exploited in other attacks.

“The victim doesn’t usually know their computer has been taken over for that purpose,” Whitmore said.

Yet an even stealthier form of attack doesn’t use malware at all. More than half of cyberattacks (57 percent) seen by X-Force IRIS in 2018 did not leverage malware, and many involved the use of nonmalicious tools, including PowerShell, PsExec and other legitimate administrative solutions, allowing attackers to “live off the land” and potentially remain in IT environments longer. These attacks could allow cybercriminals to harvest credentials, run queries, search databases, access user directories and connect to systems of interest.

Attacks that don’t use malware are much more challenging for defense teams to detect, Whitmore said, because they are leveraging tools built into the environment and can’t be identified through signatures or typical malware detection techniques. Instead, defense teams need to detect malicious commands, communications and other actions that might look like legitimate business processes.
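Detection logic of the kind the paragraph calls for, as an added example that is not from the post or from X-Force: a few heuristics run over constructed process-creation records (a simple pipe-delimited format assumed here, not the Windows event log format) and flag built-in tooling used in ways that deserve analyst review. The rules, the parent-process list and the sample records are all assumptions to be tuned against your own baseline.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample records (not real telemetry). Fields:
# timestamp | host | user | parent process | command line
# The base64 after -enc is a placeholder, not a real payload.
SAMPLE_EVENTS = r"""
2018-10-02T09:14:03Z|WS-0142|jdoe|explorer.exe|C:\Windows\System32\notepad.exe report.txt
2018-10-02T09:15:11Z|WS-0142|jdoe|winword.exe|powershell.exe -nop -w hidden -enc QUJDRA==
2018-10-02T09:16:40Z|SRV-DB01|svc_backup|services.exe|C:\Windows\PSEXESVC.exe
2018-10-02T09:17:02Z|WS-0142|jdoe|cmd.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Users\jdoe\t.ps1
2018-10-02T09:20:55Z|SRV-APP03|admin01|cmd.exe|powershell.exe Get-Service -Name Spooler
2018-10-02T09:21:10Z|SRV-DC01|admin01|powershell.exe|net.exe group "Domain Admins" /domain
"""


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str
    cmdline: str


@dataclass
class Finding:
    event: ProcEvent
    reasons: List[str]


# Heuristics on the command line: legitimate admin tools, suspicious usage patterns.
# None of these is proof of compromise on its own; they prioritise what a human reviews.
CMDLINE_RULES: List[Tuple[str, str]] = [
    ("encoded PowerShell command", r"\bpowershell(\.exe)?\b.*\s-e(nc(odedcommand)?)?\b"),
    ("hidden PowerShell window", r"\bpowershell(\.exe)?\b.*\s-w(indowstyle)?\s+hidden\b"),
    ("PowerShell download cradle / Invoke-Expression",
     r"\b(iex|invoke-expression|downloadstring|downloadfile)\b"),
    ("PowerShell execution policy bypass", r"\s-ex(ecutionpolicy)?\s+bypass\b"),
    ("PsExec service binary started (remote execution)", r"\\psexesvc\.exe\b"),
    ("privileged group enumeration", r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?'),
]
COMPILED = [(reason, re.compile(rx, re.I)) for reason, rx in CMDLINE_RULES]

# Parent/child pairing: an Office document should not normally launch a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _image(cmdline: str) -> str:
    """Executable name from the first token of the command line, path stripped."""
    return cmdline.split()[0].rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[ProcEvent]:
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, cmdline = line.split("|", 4)
        events.append(ProcEvent(ts, host, user, parent.lower(), cmdline))
    return events


def analyze(events: List[ProcEvent]) -> List[Finding]:
    findings = []
    for e in events:
        reasons = [reason for reason, rx in COMPILED if rx.search(e.cmdline)]
        image = _image(e.cmdline)
        if e.parent in OFFICE_PARENTS and image in SHELLS:
            reasons.append(f"{e.parent} spawned {image}")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"{f.event.ts} {f.event.host} {f.event.user}: {'; '.join(f.reasons)}")
```

The routine `Get-Service` call on SRV-APP03 produces no finding, which is the point: the rules key on how a built-in tool is invoked and from where, not on the tool's presence.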

“Attackers are identifying that it’s a lot easier to stay in an organization longer-term if they don’t install anything funny that might get detected by a wide variety of technologies, or by really smart defenders who are constantly looking in the environment to identify something that’s new or different,” Whitmore said.

Attackers are infiltrating IT environments with stealthy techniques that target misconfigurations and other system vulnerabilities, Whitmore said, and using tried-and-true methods that are still very difficult to prevent at a wide scale, such as phishing. Publicly disclosed security incidents involving misconfiguration increased by 20 percent between 2017 and 2018, according to X-Force research. Meanwhile, IBM X-Force Red, an autonomous team of veteran hackers within IBM Security who conduct various types of hardware and software vulnerability testing, finds an average 1,440 unique vulnerabilities per organization.

Still, humans represent one of the largest security weaknesses, with 29 percent of attacks analyzed by IBM X-Force involving compromises via phishing emails. Nearly half (45 percent) of those phishing attempts were business email compromise (BEC) scams, also known as CEO fraud or whaling attacks.

These highly targeted attacks are aimed at individuals responsible for making payments from business accounts, claiming to come from someone inside the organization such as the CEO or chief financial officer (CFO). The FBI reported that between October 2013 and May 2018, BEC fraud had cost organizations $12.5 billion.

Read the complete X-Force Threat Intelligence Index Report

Transportation in the Crosshairs

Among the more surprising findings in this year’s X-Force Threat Intelligence Index report is the level of attacks on the transportation industry, which was the second-most attacked industry in 2018, behind only financial services. In 2017, transportation was the 10th most targeted industry, but in 2018 it was targeted in 13 percent of attacks, behind financial services, which was targeted in 19 percent of attacks.

“That was a pretty surprising finding for us,” Whitmore said. “To see the transportation industry emerge as the second-most impacted industry really means that we’re seeing a lot more activity overall in that industry.”

A few factors changed the game this year, Whitmore noted, including the industry’s growing reliance on data, website applications and mobile apps, and the increasing amount of information consumers are sharing. Transportation companies hold valuable customer data such as payment card information, personally identifiable information (PII) and loyalty rewards accounts. Cybercriminals are interested in targeting that information to monetize it.

Additionally, Whitmore said, there’s “a widespread attack surface in the transportation industry, leveraging things like third-party providers with legacy systems and a lot of communications systems that are out of their direct management.”

Proactive Defenses and Agile Response

There are signs that organizations are increasing their security hygiene by applying best practices such as access controls, patching vulnerabilities in software and hardware, and training employees to spot phishing attempts, Whitmore said.

Yet cybersecurity is a daily fight, and the security skills gap means security teams have to be agile and collaborative while augmenting their capabilities with supporting security technologies and services.

The IBM X-Force Threat Intelligence report offers recommendations for organizations to increase preparedness through preventive measures such as threat hunting — proactively searching networks and endpoints for advanced threats that evade prevention and detection tools.

Additionally, risk management models need to consider likely threat actors, infection methods and potential impact to critical business processes. Organizations need to be aware of risks arising from third parties, such as cloud service providers, suppliers and acquisitions.

Finally, the IBM X-Force Threat Intelligence Index emphasizes remediation and incident response. Even organizations with a mature security posture may not know how to respond to a security incident. Effective incident response is not only a technical matter; leadership and crisis communications are key to rapid response and quickly resuming business operations.

The post Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks appeared first on Security Intelligence.

Author: John Zorabedian

Advanced Attacks, Advanced Threats, Chief Information Security Officer (CISO), CISO, Compliance, Data Protection, Energy and Utilities, General Data Protection Regulation (GDPR), IBM Security, Malware, Ransomware, regulatory compliance, Risk, Risk Management, Security Compliance, Security Conferences, Security Leaders, Security Leadership,

Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event

In June 2017, the cybersecurity world changed. As soon as NotPetya began infecting systems in Ukraine and spreading across Europe and beyond, it became clear that the intent of this worm wasn’t espionage, distributing malware or holding data for ransom. Rather, it was designed to destroy data, shut down systems and create havoc.

One of the most severely impacted organizations was global shipping giant Maersk, which transports 20 percent of the world’s trade goods. When Maersk’s systems went down, it sent shockwaves around the world and caused security observers to shudder. NotPetya was apparently a cyberweapon launched against Ukraine, but a far greater number of countries and organizations became collateral damage.

It was a wake-up call for Maersk, according to Andy Powell, who joined the company as its new chief information security officer (CISO) in June 2018, a year after the NotPetya attack.

“What Maersk was very strong at was our ability to recover,” Powell said in a fireside chat with IBM Security General Manager Mary O’Brien on Tuesday, the opening night of the 2019 IBM Think conference. “Balancing business resilience with preventative measures means that any company can address some of these high-end attacks, but you’ve got to accept that some of them are going to get through. And therefore, you need to be able to recover your business.”

While cybersecurity inevitably changed in the wake of NotPetya, it’s continuing a rapid transformation as businesses digitize and create ever more data. O’Brien and Powell discussed these profound shifts during their chat, along with Kevin Baker, CISO of Westfield Insurance, who underscored the impacts of digital transformation on data security, risk and compliance.

Watch the video from Think 2019

Lessons in Resiliency and Agile Security

In the age of cloud and connected everything, the volume of data being produced has exploded, along with opportunities for greater insights, innovation and new business models. This digital transformation has broad implications for security.

“Our clients want to know where their containers are, they want to know what part of the process is involved, they want to know information around what they’re moving,” Powell said. “We can provide that as part of the transformation.”

To secure digital innovation for clients, alongside its legacy systems, Maersk’s security team has taken an agile approach. Security is frequently seen as a roadblock to innovation, Powell said. Bringing together project teams and the security organization helps speed innovations to market by building security into the process from the beginning.

“The reality is the security people need to be working with them in those teams to actually integrate security from day one, and that’s starting to really pay off, because we’re no longer seen as the outsiders,” Powell said. “We’re seen as somebody who is prepared to adopt the culture and work with them. That teamed approach is very important.”

Focus on Data Security, Risk and Compliance

Ohio-based Westfield Insurance, with $4.9 billion in assets, has been in business since 1848. That means “a lot of data,” Baker said during the Think fireside chat.

“Because of digitization, it’s a veritable explosion of data. Our job is to know what data we have, where it is, how many copies of it we have, where it’s moving, who can access it and what the criticality of that data is so we can focus on data that has a regulatory import,” Baker said.

Baker’s team focuses on governance and risk, monitoring existing regulations like the New York Department of Financial Services (NYDFS) cybersecurity regulation. And they look to the horizon for emerging compliance risks, such as California’s data privacy law, which will take effect in January 2020.

The California Consumer Privacy Act (CCPA) follows in the footsteps of the European Union’s (EU) General Data Protection Regulation (GDPR) with strict data privacy mandates, including a “right to be forgotten,” whereby companies will be required to destroy certain types of customer data.

“‘Forget me’ is a new capability that we have to solve for,” Baker said. “So we’re looking for ways that we can tag the data, move the security control down at the data element, and use the same tagging and process in multiple ways. It’s more than data classification, but it starts there.”

How Can Digital Transformation Help Reduce Complexity?

Digital transformation in business — through the adoption of technologies such as the cloud, artificial intelligence, and mobile and smart devices — has had major implications for the security industry as well. Although security products have made strides in protecting businesses beyond the traditional firewall, complexity is a hidden cost of innovation.

“We believe the No. 1 challenge is the complexity that we — the vendors and our clients — have jointly created,” O’Brien said during her chat at the IBM Think conference, her first as IBM Security general manager. “We got here because we let the latest threat of the day or requirement drive our technology and our strategy. So every time there was a new attack, a new merger, a new regulation, we created a new tool.”

The second problem of security innovation, O’Brien added, is that these products are created, purchased and deployed in silos. They are not integrated and don’t naturally talk to each other. According to O’Brien, it’s time to eliminate this complexity to enable business innovation and transformation.

This past October, IBM Security launched IBM Security Connect, a simple, open and connected cloud platform that can automatically access security data no matter where it resides. This enables security teams to take advantage of existing investments, from IBM or other vendors, without compromising effectiveness.

“You have insights today, but not total insights,” O’Brien said. “But because Connect can tap into your existing data wherever it is, you will see the full picture of your security situation without having to migrate your data or manually integrate it.”

For his part, Baker said limiting the number of tools but integrating them across multiple vendor systems is key to making strides toward his team’s data security goals.

“We elected to use not more security tools, but fewer security tools. We chose tools that were on their own pretty powerful, things like IBM’s QRadar and Guardium. Then we integrated that with other vendors,” Baker explained. “We use these tools to create our own link and do our own analysis. Not just the net-new data, but even the legacy data, and then to analyze that data as a single unit, to track the most critical data. We know that we can’t track it all. We need to zero in on what’s important.”

The post Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event appeared first on Security Intelligence.

Author: John Zorabedian

Banking & Financial Services, Career, Cybersecurity Jobs, Digital Identity, Fraud Detection, Fraud Prevention, Fraud Protection, IBM Security, Identity & Access, Identity and Access Governance (IAG), Identity and Access Management (IAM), New Collar, Security Professionals, Trusteer,

How Former Bomb Disposal Expert and Lighting Designer Shaked Vax Pivoted Toward a Cybersecurity Career

There’s no doubt that a cybersecurity breach can blow up a business, but it’s still surprising to hear Shaked Vax, worldwide technical sales leader at IBM Security, compare some aspects of his cybersecurity career to his time with the Israeli Army’s bomb disposal unit.

“One of the key things you are taught when approaching an improvised explosive device (IED) to dismantle it is to avoid coming from the obvious direction — the direction the attacker assumed you will come from,” Shaked explained. “Come from the back, from the side, from the top — however you can approach that is unpredictable.”

The same advice applies to cybersecurity, especially when it comes to the ways in which attackers target the users in their sights. The best way to identify them or launch a counterattack is by using the most innovative tools and approaching from the most unpredictable angle. According to Shaked, that’s how we can use attackers’ own methodologies against them.

Walking on Wires — and Cutting Them

Another link between Shaked’s two lives is caution. He believes, and has learned from experience, that being afraid actually helps to protect you because it makes you more alert. When you are bold and overconfident, that’s when mistakes may happen — whether that means using the wrong approach to dismantle a bomb, or being complacent with your company’s cybersecurity protocols.

“Newsflash: Stuff can hurt you, and you should be super alert when handling it,” the former bomb disposal expert advised. “Being cautious, on your toes and thinking of it as a rivalry allows you to be more in tune, and that’s something I took forward into my role in cybersecurity. It’s how I operate and think now. It becomes ingrained in your veins and it really gets to be part of you.”

Shining a Light on Cybersecurity

Despite these strong threads between his past and present lives, a career in cybersecurity was not always in Shaked’s vision. He studied theater design at university and later went on to design lighting for rock concerts, operas, theater productions and TV studios.

While studying for his master’s degree, Shaked was offered a job working in an Israeli technology company that created lighting control boards — similar to the soundboards you see at concerts, but used to control the light show.

It was a great springboard for the budding lighting designer because he was hands-on in quality assurance and involved in new features and designs. A chance promotion saw him move into product and marketing management at the company, where he got even more engaged and started leading new offerings and feature designs.

“It was exciting because going to visit a customer meant I was going to meet lighting designers and lighting operators in a rock concert or an opera house or a disco club, which was awesome,” he recalled. “It was a great way to do market research.”

This area of theater design is “very, very technological,” Shaked explained. “You can imagine how much computing power is required to manage hundreds of lights that move and morph in real time, and how many innovative UI concepts need to go into a system to allow the operator to really interact with the show.”

So while he was working with his first love, he was developing another — technology — and becoming fascinated with how it interacts with our world. The dot-com bubble and the rise of the Israeli startup scene in the 2000s excited Shaked, and he wanted to push his technology career further, outside of lighting design. Colleagues recommended him for a role at cybersecurity firm Check Point, and thus his passion for lighting became just a passion again; his career was now cybersecurity.

Shaked moved up the ladder again at Check Point, where he worked in research and development and helped to innovate new security information and event management (SIEM) and Secure Sockets Layer virtual private network (SSL VPN) products, and later jumped around the tech scene as a product manager. He arrived at Trusteer just a few months before it was acquired by IBM Security in 2013.

“Trusteer got acquired by IBM, which gave me a great career path,” he said. “I got to expand in offering management, learning a lot about how a big business manages products and portfolios, and many more business perspectives.”

Shaked Vax approached his cybersecurity career from an unexpected angle

A Positive Spin on Fraud Prevention

As a product manager, Shaked had always been focused on the technology, the customers and the sellers. At IBM, he got to learn the business perspective of what he was doing.

He moved from Israel to Boston with his family three years ago to take on a strategic role, looking to expand the Trusteer business to new markets and solve new problems with the advanced fraud prevention technology. Although it was traditionally focused on banking and financial fraud, Trusteer’s technology is branching out.

“We call it trusted digital identity instead of fraud prevention,” said Shaked. “We’re looking more positively at how we enable businesses to do digital transformation and engage better with their customers over digital channels.”

Shifting focus from the negative implications of fraud and into more positive trust-based messaging is a market evolution, Shaked explained. Many technologies previously used for fraud detection are becoming increasingly intertwined with identity and access management (IAM) tools because identity fraud prevention centers on transparently ensuring that users are who they say they are.

Taking Identity Trust to New Places

“At the end of the day, authentication solutions were designed to correlate and prove digital identities,” said Shaked. “However, what was initially created as fraud solutions does that transparently. It does this without asking you anything, which is where everyone wants to be — passwordless, frictionless.”

Shaked now leads Trusteer’s technical sellers across the world as part of his mission to take the identity fraud prevention technology to new places. Although it’s a relatively new role, he is building the team and driving improvements in how it operates, ensuring that sellers have the tools and knowledge they need across the entire portfolio.

And if you’re wondering, yes, Shaked still occasionally has his hands in lighting design. The bomb disposal work, though, has stayed firmly in the past. These days, he just works hard to stop businesses from blowing up.

The post How Former Bomb Disposal Expert and Lighting Designer Shaked Vax Pivoted Toward a Cybersecurity Career appeared first on Security Intelligence.

Author: Security Intelligence Staff