
Page 1: Highlights and Insights - Paramount Assure and ideas/rsa... · InfoSec Investments: Venture Capital’s View 68 Insights on Enhancing Authentication 68 Keys to Secure Content Sharing

Highlights and Insights

Looking Back on RSA Conference 2014

Overview of Content Created by ISMG, including: Pre-Event Promotions, Exclusive ISMG Events, Video Interviews with Industry Leaders, Audio Insights from Leading Vendors, Articles, Blogs, Photos and More from the ISMG Team

Diamond Media Sponsor of RSA Conference 2014

From the Editor

See the Many Faces – and Voices – of RSA Conference 2014

This year more than any other, RSA Conference was too big for anyone to truly see all of the event. But we sure tried.

From the Saturday before the event opened until Friday when it closed, ISMG had team members on the ground at San Francisco’s Moscone Center, staffing both a private media suite and an expo floor booth, where we recorded video interviews, conducted private briefings and hosted exclusive events, such as a Meet the Editor cocktail reception and our annual Editorial Advisers luncheon. Our editors appeared on stage in panel presentations, and in addition to recording scores of interviews with prominent vendors and thought-leaders, they wrote articles and blogs about the sessions they attended.

As the sole Diamond Media Sponsor of RSA Conference 2014, we took our job seriously. We created Security Agenda, an exclusive magazine for the event, and we sent our biggest team ever to RSA to ensure that we interviewed and heard from as many attendees and sponsors as possible.

This compilation provides an overview of RSA Conference 2014 coverage, from pre-event promotional materials to excerpts of our exclusive interviews and other unique content elements developed for and about the event.

We can’t take you back to re-live this huge conference. But we sure will try.

Best,

Tom Field
Vice President, Editorial
Information Security Media Group
[email protected]

HIGHLIGHTS and INSIGHTS

Table of Contents

Pre-Event Promotions
RSA Guide for Healthcare Security Pros 6
RSA Guide for Banking Security Pros 8
RSA Guide for Government Security Pros 10
Preview: RSA Conference 2014 12
ISMG at RSA Conference 2014 14
2014 Fraud Prevention: 2 Key Steps 16
Securing the Smart Grid 17
InfoSec Investments: Venture Capital’s View 18
Baking Privacy Into Health IT 19

Exclusive ISMG Events
Exclusive ISMG Events at RSA Conference 2014 22
RSA Conference 2014: ISMG Adviser’s Luncheon 24
RSA Conference 2014: ISMG Behind the Scenes 26

Video Interviews with Industry Leaders
PCI: Retailer Security Failures 30
Michael Daniel Speaks His Mind on Cyberthreats 32
What Next at NIST? 32
Online Identity: The Legal Questions 33
ENISA on Cybersecurity Challenges 33
Retail Breaches: More to Come 34
Navigating the Internet of Things 36
Assessing the EU Threat Landscape 36
FBI on DDoS Response 37
Cybersecurity in India 37
The Evolving Cybersecurity Framework 38
Privacy: What Security Pros Need to Know 40
Patent Disputes: A Legal Update 40
How to Properly Vet Your Cloud Provider 41
Obama Cybersecurity Aide on Global InfoSec 41

Video Interviews with Leading Vendors
Power of Continuous Threat Protection 44
The Privacy Manifesto 46
The Cybersecurity Canon: Must-Reads 46
Identity as the New Perimeter 47
Rating Cybersecurity Success 47
Break the Fraud Lifecycle 48
The 2014 Breach Landscape 48
Why ID Security Must Evolve 49
How to Fight Targeted Attacks 49
Why Target Breach was Preventable 50
Next-Generation Incident Response 50
How Artificial Intelligence Prevents Fraud 51
Avoiding BYOD? 52

Audio Insights from Leading Vendors
Breaches: Avoiding ‘Victim’s Fatigue’ 56
Equating Civil Liberties with Privacy 57
DHS Offers Incentive to Adopt Framework 59
Recruiting InfoSec Pros in Tight Market 60

Articles, Blogs, Photos and More from the ISMG Team
2014 Brings Shift in Cyber-Attacks 64
2014 Fraud Prevention: 2 Key Steps 64
Advanced Threat Defense 64
Automating Data Analysis 64
Baking Privacy Into Health IT 65
CipherCloud Unveils New Platform 65
Cisco Unveils Open Source Initiative 65
Cryptocurrency an Easy Target 65
Cyberthreat Protection Evolves 66
DDoS Attacks Continue to Grow 66
DDoS: More Defenses Needed 66
FIDO: Beyond ‘Simple’ Authentication 66
Fighting Phone Fraud 67
How Fraudsters Take Advantage of Insiders 67
How Mobile Hacks Threaten Enterprise 67
How to Improve Cybercrime Tracking 67
iBoss Offers Behavioral Analysis 68
Improving Encryption Management 68
InfoSec Investments: Venture Capital’s View 68
Insights on Enhancing Authentication 68
Keys to Secure Content Sharing 69
Log Analysis for Breach Prevention 69
Real Threat Intelligence 69
Securing Network Architecture 69
Securing the Smart Grid 70
Security: Going Beyond Compliance 70
Security Professionals: Time to Step Up 70
The API as an Attack Vector 70
The Evolving Threatscape 71
The Impact of Bit9, Carbon Black Merger 71

Looking Back on RSA Conference 2014
CareersInfoSecurity Quick Poll 74
Social Media 75
RSA Day One: Editors’ Insights 76
RSA Day Two: Cybersecurity and Fraud 77
RSA Day Three: Conference Themes 78

Pre-Event Promotions

PRE-EVENT PROMOTIONS

RSA Conference Guide for Healthcare Security Pros
Editor’s Guide to Key Sessions, Speakers at RSA Conference 2014
by Marianne Kolbasuk McGee, Managing Editor, HealthcareInfoSecurity

This year, healthcare information security professionals faced a dilemma: whether to attend RSA Conference 2014 in San Francisco or the annual HIMSS conference in Orlando, put on by the Healthcare Information and Management Systems Society.

Usually the two events are held on separate weeks - often back-to-back - but this year they are scheduled concurrently.

It’s possible, of course, to split your week and attend parts of both events. For those healthcare security pros attending RSA Conference 2014 - in whole or in part - there are plenty of meaty topics of appeal.

A review of the RSA Conference 2014 agenda shows several seminars, panels and speakers of particular interest to healthcare-focused attendees. Some of my recommendations:

Mobile Device Security

Because so many major health data breaches involve lost or stolen mobile devices, healthcare security pros might consider taking advantage of a mobile security tutorial being offered by the SANS Institute.

The two-day course, called simply “Mobile Device Security,” takes place Sunday, Feb. 23, and Monday, Feb. 24, from 9 a.m. to 5 p.m. in Moscone West, Room 3008. This offering is designed to teach attendees about the threats mobile devices pose. The hands-on class will offer lectures, labs and real-world insights. Larry Pesce, a SANS certified instructor, is leading the course. FYI, he’s now a senior security analyst with InGuardians, but he previously worked in security and disaster recovery in healthcare, performing penetration testing, wireless assessments and hardware hacking.

Medical Device Hacks

If you’ll be attending RSA later in the week, consider the session “Turning Medical Device Hacks into Tools for Defenders,” scheduled for Thursday, Feb. 27, from 10:40 a.m. to 11:40 a.m. in Moscone West, Room 3006. The session will be led by consultants Jamie Gamble and Tim West of Accuvant Inc. They’ll discuss research that compiles cybersecurity threats and vulnerabilities into guidelines for the security community for hardening or assessing medical devices. “Our hope is to help manufacturers, clinicians and practitioners in securing their environments,” the presenters say.

Breach Response

Another session of interest to healthcare security pros is “Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You,” taking place on Tuesday, Feb. 25, from 2:40 p.m. to 3:40 p.m. in Moscone West, Room 2020. The session will look at the critical dos and don’ts for post-breach communication, including what to say (and what not to say), who to involve and when and how to inform customers, regulators and the media. Panel participants include Tom Field, vice president of editorial at Information Security Media Group; Alan Brill, senior managing director, Kroll; Michael Bruemmer, vice president of Experian Data Breach Resolution; and Ronald Raether, partner at law firm Faruki Ireland & Cox P.L.L.

Privacy vs. Security

Health data security professionals seeking a better understanding of privacy issues should consider attending the seminar “Privacy Intensive for Security Professionals: Are You Prepared?” slated for Monday, Feb. 24, from 1:30 p.m. to 5:30 p.m. in Moscone West, Room 2002. The event, hosted by the International Association of Privacy Professionals, will help attendees understand why privacy is an increasingly bigger concern and a growing requirement in an information security professional’s day-to-day job responsibilities.

Leadership Development

Finally, healthcare security leaders might want to check out a session that could prove helpful to their own career advancement. “Information Security Leadership Development: Surviving as a Security Leader” is slated for Monday, Feb. 24, from 8:30 a.m. to 11:30 a.m. in Moscone West, Room 3018. A panel of security, risk management and privacy experts will discuss topics ranging from “making regulations and audit work for you” to “developing cross-functional leadership skills.” Among the panelists: Doug Graham, senior director, risk management, EMC Corp.; Robert West, chief security officer, Intelligent ID; and Dennis Devlin, CISO, CPO and senior vice president of privacy practice, SAVANTURE.

There’s plenty more to experience at RSA Conference 2014, of course - we haven’t even scratched the surface. I look forward to hearing from you about all the highlights of the event.

© 2014 Information Security Media Group

PRE-EVENT PROMOTIONS

RSA Guide for Banking Security Pros
Editor’s Guide to Key Sessions and Speakers at RSA Conference 2014
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity

Fraud and security are always hot topics in the financial services arena. But this year, some risks - such as data breaches linked to third parties and increasingly insecure authentication practices - will definitely get more attention from security pros.

How financial institutions address those risks will be key, whether it’s through more reliance on data analytics or a better understanding of emerging malware strains and the cybercriminals or adversaries behind the attacks. Fortunately, all of these areas of concern are on the agenda at RSA Conference 2014.

In reviewing this year’s lineup of speakers and sessions, a few highlights stand out. There are far too many sessions for anyone to attend, of course. But here are some presenters who will offer timely insights for those in the financial services industry:

» Daniel Cohen, a phishing expert and head of knowledge delivery and business development at RSA;
» Nick Selby, an encryption expert and CEO of StreetCred Software;
» Adam Sedgewick, senior adviser of information technology for the National Institute of Standards and Technology and a leading contributor to guidelines for securing the financial services critical infrastructure.

As for sessions, here are several that will offer important insights:

Securing Critical Infrastructure

On Feb. 25, 4 p.m. to 5 p.m. in Moscone West, Room 3002, Sean McBride, director of analytics for cyber-intelligence firm Critical Intelligence, will discuss how the United States delivered malware to industrial objectives within Iran during his session, “Effects-based Targeting for Critical Infrastructure.”

Data Analytics

On Feb. 25, 4 p.m. to 5 p.m. in Moscone West, Room 2006, Jay Jacobs, senior data analyst, and Wade Baker, both of Verizon, will review why big data is not the only data that organizations should rely on in their presentation, “From Data to Wisdom: Big Lessons in Small Data.” Their session will examine the state of security data analysis.

Knowing Thy Enemy

On Feb. 25, 2 p.m. to 2:20 p.m. in Moscone West, Room 3022, and again on Feb. 28, 11:40 a.m. to 12 p.m. in Moscone North, Room 130, Dmitri Alperovitch of CrowdStrike will explore why it’s not just the attacks, but the attackers, that organizations need to understand during his presentation, “The Art of Attribution: Identifying and Pursuing your Cyber Adversaries.”

Malware for Defense

On Feb. 26, 9:20 a.m. to 10:20 a.m. in Moscone West, Room 3002, Trustwave’s Ryan Barnett, lead security researcher, and Ziv Mador, director of security research, will walk through how security products can be used against hackers during their session, “An Arms Race: Using Banking Trojan and Exploit Kit Tactics for Defense.”

Taking Down Citadel

And on Feb. 27, 10:40 a.m. to 11:40 a.m. in Moscone West, Room 3002, presenters Errol Weiss of Citigroup, John Wilson of online security firm Agari and Richard Boscovich of Microsoft will review the June 2013 takedown of more than 1,500 command-and-control servers for botnets based on Citadel. During their session, “How Microsoft, FS-ISAC & Agari Took Down the Citadel Cybercrime Ring,” they will discuss the coordinated takedown led by Microsoft, the Financial Services Information Sharing and Analysis Center and Agari.

Executive Editor Tracy Kitten interviews John Whaley of Moka5.

PRE-EVENT PROMOTIONS

RSA Guide for Government Security Pros
Editor’s Picks of Sessions at RSA Conference 2014
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday

The intersection of government and the private sector is a theme found in a number of sessions at RSA Conference 2014.

Here are my picks for some key sessions government information security practitioners should consider attending. All of the sessions mentioned here will be held in Room 2009 at the Moscone Center West.

Seeking Balance

Two panels address vulnerabilities that could be baked into information technologies furnished by foreign manufacturers. Allan Friedman, co-author of “Cybersecurity and Cyberwar: What Everyone Needs to Know,” and Jon Boyens, senior adviser for information security at the National Institute of Standards and Technology, are among the experts who will explore the impact on policies regarding technology acquisition in the panel “Can Government Cybersecurity Policies Balance Security, Trade and Innovation?” It will be held Tuesday, Feb. 25, at 1:20 p.m.

Later Tuesday, at 2:40 p.m., Debora Plunkett, National Security Agency information assurance director, participates in the panel “Facts vs. Fear: Foreign Technology Risks in Critical Industry Sectors.” Experts will describe the necessary steps to effectively vet technologies to assure they’re safe to employ.

Securing Data Centers

Teri Takai, the Department of Defense chief information officer, joins the former top cybersecurity policymaker at the Department of Homeland Security, Mark Weatherford, in a Wednesday, Feb. 26, 9 a.m. panel: “Securing Our Nation’s Data Centers against Advanced Adversaries.” Hear the panelists assess the standards and best practices being deployed to secure data centers around the world.

Cybersecurity Framework

The federal government was slated to issue on Feb. 13 the cybersecurity framework, a set of voluntary best practices aimed at protecting the information assets of the nation’s critical infrastructure. Adam Sedgewick, the NIST official who shepherded the framework, will join other NIST experts and Samara Moore, White House director for cybersecurity critical infrastructure, in a session called “An Overview of the Executive Order Cybersecurity Framework,” at 9:20 a.m. Wednesday, Feb. 25.

State-Federal Collaboration

Cybersecurity requires a challenging degree of collaboration among different government offices, particularly when responding to cyber-incidents. The panel “Government x2: State and Federal Collaboration on Cybersecurity” will be held Thursday, Feb. 27, at 9:20 a.m. It will be moderated by Cheri Caddy of the White House national security team and include the state of Michigan’s Chief Security Officer, Dan Lohrmann.

DHS Insight

“View from the Inside: DHS Priorities in Cybersecurity,” at noon Thursday, Feb. 27, will feature the head of Homeland Security’s National Protection and Program, Suzanne Spaulding, and Phyllis Schneck, deputy undersecretary for cybersecurity, addressing the areas where DHS will concentrate on cybersecurity.

Continuous Monitoring

CISOs David Stender of the Internal Revenue Service and Darren Van Boozen of the House of Representatives will join moderator and former U.S.-CERT Director Mischel Kwon Friday, Feb. 27, at 9 a.m. for the panel “Leading Cybersecurity: Technically Sexy, Programmatically Dowdy.” They’ll discuss continuous monitoring in the federal government and how it has broadened the security leaders’ job.

These are just a sampling of the panels, keynote addresses and other events at the conference of interest to the government information security professional. Let me know what you think of the conference.

Executive Editor Eric Chabrow interviews attorneys Francoise Gilbert and Ellen Giblin.

PRE-EVENT PROMOTIONS

Preview: RSA Conference 2014
New Tracks Include Analytics and Forensics, Security Strategy
by Jeffrey Roman, News Writer, Information Security Media Group

The objective for information security leaders this year is clear - to “share, learn and secure,” which is the theme of the RSA Conference 2014, slated for Feb. 24-28 at San Francisco’s Moscone Center.

This year’s event provides IT professionals and business leaders the opportunity to make connections and capitalize on the ideas, insights and relationships that may shape the future of information security.

For the eighth straight year, Information Security Media Group is a sponsor of the RSA Conference, and it’s the only Diamond Media Sponsor of this world-class event. ISMG is sending its largest team ever to provide ongoing coverage. And it will host a panel session that reviews the dos and don’ts for post-breach communication.

Conference Theme

This year’s theme - “Share. Learn. Secure.” - references the need for collaboration and communication to develop groundbreaking ideas. Over the course of five days, thousands of attendees from all over the world will dive into intensive learning at educational sessions plus take advantage of a large exhibit hall as well as social activities and networking opportunities.

Conference-goers will learn about the latest trends and technologies as well as gain insights into new perspectives on the most critical technical and business issues facing organizations today.

Keynote speakers at this year’s RSA Conference include:

» Scott Charney, corporate vice president, trustworthy computing, Microsoft Corp.;
» Art Coviello, executive chairman, RSA;
» Kevin Mandia, senior vice president and chief operating officer, FireEye; and
» Stephen Colbert, host of “The Colbert Report” and best-selling author.

To view the full list of keynote speakers, visit RSA’s keynotes page.

More than 280 educational sessions will be held across 26 tracks, covering a wide range of critical themes and topics, including: application security; cloud security and virtualization; hackers and threats; mobile security; and technology infrastructure.

Two new tracks this year are analytics and forensics and security strategy. The security strategy track covers policy, planning and emerging areas of enterprise security architecture and the management issues of implementing successful security programs, says Hugh Thompson, program committee chair for RSA Conference.

Beyond adding new tracks, the RSA Conference has also physically expanded. It now encompasses not just the north and south buildings of San Francisco’s Moscone Center, but also the previously unused west building.

ISMG at RSA Conference

ISMG will provide in-depth coverage of this year’s event, bringing its largest team ever. ISMG will provide daily updates offering insights from conference speakers, attendees and participating vendors. In its media suite, ISMG will offer exclusive presentations covering its latest research. And for the first time, ISMG will be conducting video interviews at its exhibit on the show floor.

At this year’s event, ISMG is leading a panel session: “Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You.”

Hosted by Tom Field, ISMG’s vice president of editorial, this panel session will cover the critical dos and don’ts for post-breach communications. The panel of breach and legal experts will walk through what to say (and what not to say), who to involve and when and how to inform customers, regulators and the media. Participants include Alan Brill, senior managing director at Kroll; Michael Bruemmer, vice president at Experian Data Breach Resolution; and Ronald Raether, partner at Faruki Ireland & Cox. The session will be held 2:40 p.m. Tuesday, Feb. 25, in Room 2020 of Moscone Center West.

PRE-EVENT PROMOTIONS

ISMG at RSA Conference 2014
Your Guide to Daily Activities of ISMG During Conference
by Jeffrey Roman, News Writer, Information Security Media Group

Information Security Media Group is geared up to bring you unmatched insights and analysis of all the news and events from RSA Conference 2014.

ISMG will provide in-depth coverage of this year’s event, bringing its largest team ever to San Francisco for the week-long conference. ISMG will provide daily updates offering insights from conference speakers, attendees and participating vendors. In its media suite, ISMG will offer exclusive presentations covering its latest research. And for the first time, ISMG will be conducting video interviews at its exhibit on the show floor.

Here’s your guide to the daily activities of ISMG, the only Diamond Media Sponsor of RSA Conference 2014.

Locations

ISMG will be at two locations this year. Be sure to stop by during your time at RSA Conference to meet with the executive team and group of seasoned information security editors. ISMG will be available at:

» Booth: South Hall #700
» Media Suite: Mezzanine 236

Events

ISMG will be hosting and participating in a number of sessions this year. Events include:

Monday: Meet the Editors: 4:00 p.m. - 5:00 p.m., East Mezzanine Room 236: This is an opportunity to chat with ISMG editors and executive team members to learn about upcoming events and opportunities for 2014.

Tuesday: Editorial Advisers Luncheon: 12:00 p.m. - 1:00 p.m., East Mezzanine Room 236: An invitation-only gathering of the movers & shakers who serve on ISMG’s Editorial Advisory Boards.

Tuesday: Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You: 2:40 p.m. - 3:40 p.m., Moscone Center West, Room 2020: Panel features ISMG’s Tom Field; Alan Brill of Kroll; Michael Bruemmer of Experian; and Ronald Raether of Faruki Ireland & Cox P.L.L., who walk through post-breach communications, detailing what to say (and what not to say), who to involve and when and how to inform customers, regulators and the media.

Wednesday: Health Information Security: The 2014 Agenda: 12:30 p.m. - 1:30 p.m., East Mezzanine Room 236: This exclusive briefing and networking reception is for healthcare information security leaders.

Wednesday: Cyber-Attacks: How to Reduce Your Risks: 4:30 p.m., East Mezzanine Room 236: This is an exclusive briefing and cocktail reception for select information security leaders - reserve your seat now.

Wednesday: Information Security as a Competitive Advantage: 6:00 p.m., inquire for details: ISMG’s invitation-only dinner for senior security leaders offers the chance to exchange off-the-record insight on the topic of Security as a Competitive Advantage.

Thursday: Meet the Influencers: 12:30 p.m. - 1:30 p.m., East Mezzanine Room 236: Stop by ISMG’s booth in the South Expo Hall for your chance to meet with the most influential leaders in security.

Complete Coverage

Stay tuned throughout RSA Conference 2014 for ISMG’s exclusive video interviews with thought leaders such as Gartner’s Avivah Litan, Troy Leach of the PCI Security Standards Council, White House Cybersecurity Coordinator Michael Daniel and many more.

You can see ISMG’s latest coverage of RSA Conference 2014 by visiting www.inforisktoday.com/rsa-conference.

Be sure to also follow ISMG on Twitter. Editors will be tweeting content throughout the week using the hashtag #RSAISMG14. Be sure to stay connected and see the latest news and insights that ISMG has to offer from the conference floor.

INTERVIEW

2014 Fraud Prevention: 2 Key Steps
Gartner’s Litan Recommends Action Items
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity

Two critical steps that banking institutions need to take in 2014 to help prevent fraud are implementing big data analytics and adopting far more sophisticated customer and employee authentication, says Gartner analyst Avivah Litan.

Big data analytics can help banking institutions more quickly detect early signs of fraud, says Litan, a financial fraud expert and distinguished analyst for consultancy Gartner Research. “We have so many more attack vectors than we used to have. But big data analytics allows companies to get their arms around their data much faster than ever before.”

With better data analytics, institutions can get a broader view of what’s going on across all their banking channels, which is important for identifying fraud patterns, Litan says in an interview with Information Security Media Group.

She describes an example of how one institution was able to stop a fraudulent wire transfer. “The guys who were watching the big data analytics systems saw the fraud about to take place,” she says.

But applying analytics for enterprise-wide fraud mitigation is challenging because of banks’ disparate systems that are based on legacy platforms, Litan acknowledges. “As organizations learn to get their arms around data in real time, the systems that they’ve put in place aren’t going to be able to keep up that easily,” she says.

Authentication Getting Stronger

Another important fraud-prevention measure for larger banking institutions this year, Litan says, is implementing advanced forms of authentication, such as continuous behavioral authentication, which involves monitoring customers or employees over time.

“It’s not like you give someone an account and a credential and they’re all set,” Litan says. “You have to continuously watch their behavior; watch everything you can about how they navigate, how they use the endpoints and how they use your institutional accounts.”

But smaller banking institutions need to enhance authentication in less costly ways, such as by using mobile devices to identify users, Litan says. “Your identity is bound to the phone through a credential, like a certificate or even a password, and preferably also a biometric,” she explains.

In a pre-RSA Conference 2014 interview, Litan also discusses:

» The top three threats banks face for 2014, including insider risks, social engineering schemes and data breaches that are out of their control;
» Regulatory guidance and legislation;
» Security challenges banking institutions face because of open architecture.

Watch it online: http://www.inforisktoday.com/interviews/2014-fraud-prevention-2-key-steps-i-2198

Page 17: Highlights and Insights - Paramount Assure and ideas/rsa... · InfoSec Investments: Venture Capital’s View 68 Insights on Enhancing Authentication 68 Keys to Secure Content Sharing

© 2014 Information Security Media Group 17

Distributed generation and plug-in motor vehicles are among the emerging security challenges to the smart grid. In an RSA Conference 2014 preview, Gib Sorebo of Leidos discusses the threats to utilities and consumers.

As the smart grid evolves from centralized energy generation, we see evolving threats such as market manipulation, cascading failure modes and other impact scenarios, says Sorebo, chief cybersecurity technologist at Leidos, a science and technology solutions vendor.

But as organizations start to address these vulnerabilities, they must be careful not to overlook basic preventive measures such as ensuring accurate data throughout the information chain.

“Even if that [data] isn’t directly controlling something, people may rely on that information for other things,” Sorebo says. “So make sure that information is accurate, or that there’s a sanity check that people are doing - that you’re not completely relying on the machine for everything.”

In an interview about smart grid security, Sorebo discusses:

» Key threats and vulnerabilities;
» Risks to utilities and customers;
» New security recommendations he will discuss at RSA Conference 2014.

Sorebo is a Chief Cybersecurity Technologist for Leidos, where he assists government and private sector organizations in addressing cybersecurity risks and complying with legal and regulatory requirements. He has been working in the information technology industry for more than 20 years in both the public and private sector. In addition to federal and state governments, Sorebo has done security consulting in the financial services, health care and energy sectors. He is currently responsible for coordinating cybersecurity activities in the energy sector company-wide. He has been the co-lead of Leidos’ Smart Grid Security practice, where he established the Smart Grid Security Solutions Center for product security testing and solution development and contributed to a variety of other smart grid security research efforts. He also recently co-authored a book on Smart Grid Security that was published in December 2011.

Securing the Smart Grid
Gib Sorebo of Leidos Previews RSA Conference 2014 Presentation

INTERVIEW

Information Security Media Group

Watch it online: http://www.inforisktoday.com/interviews/securing-smart-grid-i-2188


What is the venture capital view of the security trends and technologies that will have the most impact on careers in 2014? Alberto Yépez of Trident Capital weighs in with his insights and predictions.

The year’s top security growth areas can be broken down into four main categories, Yépez says: Mobility, cloud, social media and virtualization.

“All four of those [technologies] are becoming more widely adopted by the business because you need them to be better engaged with your customers, better engaged with your suppliers and to be more of a real-time business,” he says. “But with that adoption comes the fact that there’s a lot of ... new threat vectors that haven’t necessarily been completely analyzed or protected.”

Hence, there’s an opportunity for security leaders and pros to add new value to their organizations and their own careers.

In a pre-RSA Conference 2014 interview about security investments, Yépez discusses:

» Market trends that have shaped today’s market;
» Where the security market is growing in 2014;
» Global trends driving security investments and career opportunities.

Yépez is a managing director of Trident Capital and joined the firm in 2008. He is an experienced investor and entrepreneur, actively investing in IT security, enterprise software and mobility. Before joining Trident, he was an entrepreneur with a successful track record in building global businesses. He was founder, chairman and CEO of enCommerce, co-CEO and president of Entrust and chairman and CEO of Thor Technologies. He also held senior management positions at Oracle and Apple.

In addition, Yépez worked as an “entrepreneur in residence” at Warburg Pincus, served as executive chairman of a Bain Capital portfolio company, and was a consultant to the U.S. Department of Defense as part of the DeVenCI Initiative.

InfoSec Investments: Venture Capital’s View
Trident Capital’s Alberto Yépez on the 2014 Security Outlook

INTERVIEW

by Tom Field, VP - Editorial, Information Security Media Group

Listen online: http://www.inforisktoday.com/interviews/infosec-investments-venture-capitals-view-i-2187


Privacy should be built into the design of all healthcare information technology and related processes, says Michelle Dennedy, who’s writing a book on the concept of “privacy by design.”

“There’s been a great groundwork that’s been laid by the universal adoption across many, many nations of ‘privacy by design,’ the concept that you should start with privacy at the beginning of the design cycle and move out,” says Dennedy, chief privacy officer at Intel Security, formerly called McAfee.

“We believe that privacy engineering is a discrete discipline or field of inquiry, and that innovation can be defined in using engineering principles and processes to build the controls and measures into the processes, systems, components, and products that enable authorized processing of personal information,” she says. “I think that it helps the developers and engineers to understand exactly what needs to be done when you bake in processes.”

Applying “privacy by design” concepts is particularly critical in healthcare because of the sensitive nature of patient information, she notes in an interview with Information Security Media Group.

“Baking in, or engineering in, or planning for [the privacy of] personal information to be respected in healthcare could not be more important or germane.

“When you build in the mechanisms from the technology layer such that information is treated as a design principle, you actually have a much higher chance of being able to spread that respect across a very diverse type of workforce,” Dennedy says.

If privacy protections are a more integrated part of the design of health IT, patients will benefit by having their sensitive data more accurately shared with those who need it, whether it’s medical specialists or insurers, she says.

“With personalized medicine ... and more measurement going around patient outcomes, I think you’re going to start to see the natural extension of that will be ... the baking in of privacy.”

In March 2012, the Federal Trade Commission issued recommendations calling for companies to build in consumer privacy protections at every stage in developing their products.

In the interview, Dennedy also discusses:

» Why engineering students should be required to take privacy training as part of their studies;
» How “baking in” privacy policies into health IT might help healthcare organizations in their privacy and security compliance efforts;
» The current status of the healthcare industry’s efforts to build privacy policies into their technology.

Baking Privacy Into Health IT
Expert Says Privacy Needs to Be Part of Design

INTERVIEW

by Marianne Kolbasuk McGee, Managing Editor, HealthcareInfoSecurity

Watch it online: http://www.inforisktoday.com/interviews/baking-privacy-into-health-it-i-2183


Exclusive ISMG Events


As the Diamond Media Sponsor of RSA Conference 2014, ISMG was active on the show floor and in its media suite, conducting scores of interviews, briefings and invitation-only events.

Among the events ISMG hosted for attendees, sponsors and public relations executives:

Monday: Meet the Editors: This was an opportunity to chat with ISMG editors and executive team members to learn about upcoming events and opportunities for 2014.

Tuesday: Editorial Advisers Luncheon: An invitation-only gathering of the movers & shakers who serve on ISMG’s Editorial Advisory Boards.

Tuesday: Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You: Panel featured ISMG’s Tom Field; Alan Brill of Kroll; Michael Bruemmer of Experian; and Ronald Raether of Faruki Ireland & Cox P.L.L., who walked through post-breach communications, detailing what to say (and what not to say), who to involve and when and how to inform customers, regulators and the media.

Wednesday: Health Information Security: The 2014 Agenda: Sponsored by Mimecast, this exclusive briefing and networking reception was for healthcare information security leaders, offering a sneak peek at findings from ISMG’s new Healthcare Information Security Survey. Stay tuned for final survey results.

Wednesday: Cyber-Attacks: How to Reduce Your Risks: Sponsored by CA Technologies, this was an exclusive briefing and cocktail reception for select information security leaders. Attendees saw highlights of ISMG’s new Targeted Attacks Study and Healthcare Information Security Survey, and they participated in an interactive dialogue about how organizations can identify and reduce risks.

Wednesday: Information Security as a Competitive Advantage: Sponsored by Mimecast, ISMG’s invitation-only dinner for senior security leaders offered the chance to exchange off-the-record insight on the topic of Security as a Competitive Advantage. Attendees participated in a lively dialogue on the topic and engaged in valuable post-event networking.

Exclusive ISMG Events at RSA Conference 2014


The Editorial Advisers Luncheon was an invitation-only gathering of the movers & shakers who serve on ISMG’s Editorial Advisory Boards.


During RSA Conference 2014, Information Security Media Group held an exclusive luncheon for its editorial advisers, a group of industry thought-leaders who help shape the discussion around information security, privacy and risk management.

The event was held in ISMG’s media suite in East Mezzanine 236 of the Moscone Center in San Francisco. Advisers and the executive team at ISMG were able to spend time face-to-face, talking about the top information security trends in 2014.

RSA Conference 2014: ISMG Advisers’ Luncheon
EVENT

Editors and Industry Thought-Leaders Discuss Key Security Topics in 2014


Advisers and the executive team at ISMG were able to spend time face-to-face, talking about the top information security trends in 2014.


Information Security Media Group, Diamond Media Sponsor at RSA Conference 2014, was busy conducting video interviews with top leaders in information security, risk management and privacy. Here’s a look at the team behind the scenes.

ISMG editors Tom Field, Tracy Kitten and Eric Chabrow met with many key thought-leaders, including Gartner’s Avivah Litan, White House Cybersecurity Coordinator Michael Daniel and ENISA’s Udo Helmbrecht. These photographs show the editorial team preparing for their video interviews.

RSA Conference 2014: ISMG Behind the Scenes
FEATURE

A Look at the Editorial Team During This Year’s Conference


ISMG’s executive editors were busy conducting video interviews with top leaders in information security, risk management and privacy.


Video Interviews with Industry Leaders


Troy Leach of the PCI Security Standards Council says data security standards are not failing; they just aren’t being applied continuously. And conformance with the Payment Card Industry Data Security Standard is just one piece of the puzzle.

During this excerpt of a video interview recorded at RSA Conference 2014, Leach discusses:

» The limitations of chip card technology;
» Why PCI data security standards do not cover all aspects of card-fraud prevention;
» Steps the PCI Council is taking to ensure consumers and businesses continue to have faith in the payments system.

PCI: Retailer Security Failures
Council Working to Educate Merchants, Congress on Threats
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity

FEATURED INTERVIEW


TRACY KITTEN: Troy, it comes as no surprise that the Target breach and the Neiman Marcus breaches have really gotten a lot of industry attention, and recently you testified before Congress and you addressed some of these emerging retail security risks as well as criticisms against the U.S. payment systems. In the wake of some of these breaches PCI of course has come under scrutiny. Can you talk a little bit about how PCI perhaps failed when it came to some of these point-of-sale breaches?

TROY LEACH: Yes, I think there are a few things to address, Tracy. I think the first is that forensic evidence is still coming into focus. So, we’re still looking for final forensics reports and understanding of how all these compromises actually occurred. Now, the most recent news this week is it appears that they are completely separate types of attacks.

The second point is to understand the PCI security standards are a framework, and just like any other framework, they have to be applied in daily practice. That is why within our standards we talk about daily exercises, weekly exercises, so that it’s not a once a year mad scramble to get a checkbox approach to an audit, but rather you’re incorporating security into your daily practices. I relate it to the fire security codes. We set the codes, but if you’re not putting the smoke detectors in the right place, if you’re not changing the batteries on a regular basis, if you’re taking on some activities that are a little more dangerous like juggling fire torches next to flammable drapes, you’re probably going to have different issues than what the standards can help you with.

KITTEN: Why would you say that the payment card data security standards are so difficult to maintain compliance with?

LEACH: I think it’s just like any other type of activity. When you know it’s the right thing to do, sometimes it’s hard to follow [though]. I know what foods to eat and that I should be exercising, [but] it’s very difficult to do that on a regular basis. So, I think what we’ve encouraged merchants to do is first, remove account data, reevaluate the business process, and then find ways that you can minimize that data in your networks by encryption, tokenization, other mechanisms, so that you’re not trying to manage 100 systems. Maybe you can only manage two or three systems and simplify that process.

KITTEN: From your perspective, Troy, what would it take for the payments infrastructure to obtain full end-to-end encryption?

LEACH: Gosh, that is a very good question. I’m not sure if that’s going to be something we’re going to see very soon. I think what we’ve recognized is there are other ways that we can probably protect consumers, and that includes not only protecting the card holder information that we have, but maybe we change the problem. Maybe we manage the problem differently by taking what we’ve heard from announcements around tokenization and having card information that is a surrogate value that doesn’t have any reusable value for criminals, and maybe having that as a way forward for the industry. So, maybe it’s turning the question on its head and evaluating whether or not there are other values that we can create beside the typical 15-, 16-digit credit card number.

“The PCI security standards are a framework, and just like any other framework, they have to be applied in daily practice.”

- Troy Leach, PCI Security Standards Council

Watch it online: http://www.inforisktoday.com/pci-retailer-security-failures-a-6552


White House Cybersecurity Coordinator Michael Daniel assesses the cyberthreat environment facing the nation and explains what the federal government is doing about it.

In a wide-ranging interview with Information Security Media Group at RSA Conference 2014, Daniel addresses:

» Balancing privacy and civil liberties with IT security;
» Prospects for a national data breach notification law; and
» Improving cyberthreat information sharing between the government and private sector.

Daniel came out of near obscurity - he was serving as intelligence branch chief in the White House Office of Management and Budget - when President Obama tapped him in May 2012 to succeed Howard Schmidt as special assistant to the president and cybersecurity coordinator.

NIST information risk guru Ron Ross previews forthcoming guidance from the National Institute of Standards and Technology aimed at helping organizations architect their IT infrastructures to be secure from the get-go.

In a video interview from RSA Conference 2014 with Information Security Media Group, Ross also discusses:

» How forthcoming engineering guidance from NIST will help build IT systems’ trustworthiness; and
» Beta testing new controls online so stakeholders don’t have to wait two years between revisions of Special Publication 800-53, NIST’s controls guidance.

A NIST fellow, Ross leads the institute’s FISMA Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure. Ross also heads the Joint Task Force Transformation Initiative Interagency Working Group with representatives from NIST, the federal intelligence community, departments of Defense and Commerce, the Office of the Director of National Intelligence and the Committee on National Security Systems.

Michael Daniel Speaks His Mind on Cyberthreats
White House Cybersecurity Coordinator in an Exclusive Interview
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
Watch it online: http://www.inforisktoday.com/michael-daniel-speaks-his-mind-on-cyberthreats-a-6563

What Next at NIST?
Ron Ross Previews New Guidance from NIST
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
Watch it online: http://www.inforisktoday.com/what-next-at-nist-a-6564


The more organizations structure business and processes around online identities, the more they navigate in tricky legal waters, says attorney Tom Smedinghoff, who offers guidance.

The legal rules that govern online identity systems are complex, touch numerous parties and come fraught with potential legal challenges.

In a video interview recorded at RSA Conference 2014, Smedinghoff:

» Lays out the key legal issues;
» Tells how organizations are approaching these challenges;
» Offers valuable tips for assessing vulnerabilities.

Smedinghoff is a partner in the Privacy & Data Protection practice group in the Chicago office of Edwards Wildman Palmer LLP. His practice focuses on the developing field of information law and electronic business activities, with an emphasis on electronic transactions, identity management, data security, privacy, and corporate information governance issues. He currently serves as Chair of the Identity Management Legal Task Force of the American Bar Association (ABA) Section of Business Law, and Co-Chair of its Cybersecurity Committee.

With a decade under its belt, ENISA enters 2014 with a mission to improve cybersecurity across Europe by collaborating with companion agencies around the world, says Executive Director Udo Helmbrecht.

Cloud computing and the evolving global threatscape are huge challenges for EU nations, but the region’s cybersecurity agency is pursuing new strategies, including a coordinated cyber drill with the U.S. later this year.

In an interview recorded at RSA Conference 2014, Helmbrecht discusses:

» ENISA’s major accomplishment in Europe;
» Security challenges for the year ahead;
» Strategies for growing the profession.

Helmbrecht has been the Executive Director of ENISA since October 2009. Prior to this, he was the President of the German Federal Office for Information Security, BSI, for six years, from 2003 to 2009. Helmbrecht was nominated by ENISA’s Management Board, from a list of candidates proposed by the European Commission, after a presentation of his visions. He was appointed after making a statement to the European Parliament and replying to MEPs’ questions.

Online Identity: The Legal Questions
Attorney Tom Smedinghoff on How to Assess Your Unique Risks
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/online-identity-legal-questions-a-6565

ENISA on Cybersecurity Challenges
Udo Helmbrecht on Agency’s Agenda for 2014
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/enisa-on-cybersecurity-challenges-a-6571


The Target breach was the hot topic for many RSA Conference 2014 attendees, but Gartner’s Avivah Litan was already talking about the next Target - a UK retailer that may have suffered a similar hack, exposing payment card data.

Details were only just emerging, but they confirmed what Litan and other observers have said: Retail breaches are the fraud du jour, and similar stories will be breaking in the weeks ahead.

In an excerpt of a video interview recorded at RSA Conference 2014, Litan discusses:

» How the fraudsters are upping their game;
» Gaps between the attackers and defenders;
» Fraud trends that are most likely to unfold over 2014.

Retail Breaches: More to Come
Gartner’s Avivah Litan on 2014 Financial Fraud Trends
by Tom Field, VP - Editorial, Information Security Media Group
FEATURED INTERVIEW

TOM FIELD: What’s the news you can tell me about today?

AVIVAH LITAN: Well, the retail breaches are alive and well. There are many of them going on, but especially one stands to the forefront of the news, which is a major $7 billion retailer reportedly based in Mainland Europe. Sells a lot of jewelry, and it seems like it’s the same gang that hit Target. I don’t have the name of the retailer, but I heard it from some reputable sources, including banks. So it’s just not ending.

FIELD: So, it’s just as predicted. When we saw Target, we saw Neiman Marcus; several significant retailers have been breached, and we’ve heard we’d see more.

LITAN: Right. Well, it’s starting to gel more that there are a couple of things going on. One is this Russian gang that wrote the Target attack that appears to be behind this other big attack, and then there are the Black POS more generic threats that are happening, and there are many retailers that are getting attacked through that.

FIELD: Avivah, based on what you see and hear so far this year, how is the threat landscape evolving?

LITAN: Well, in the malware space, we’re starting to see managed services. So, the criminals are taking their kits, like the Zeus we know about, the SpyEye, and now they’re creating the managed service of it. And there are a couple of reasons for that. Number one, they get paid a subscription fee, so they don’t mind doing the maintenance. When it was a one-time sale and the people that bought it would have to go to the authors and say ‘There’s a bug in it,’ they got really annoyed at having to debug it and fix it. But now there’s like a subscription fee, so they’re much more attuned and open to fixing and maintaining the software.

The other significance is they are now more removed from law enforcement because it’s a little bit like Netflix. They are the Netflix authors, and then they sell it to the customers, and now the customers are the ones that are launching these attacks. The customers are now on the frontline with law enforcement, so it removes [the authors] from getting caught, and they get their subscription fee. And we’re also seeing the evolution, like this Russian gang that went against Target, where we’re calling them closed, non-managed malware services. So it’s just the criminals themselves are running the malware, writing the malware, cashing it out, and it’s not out there in the wild for other criminals to use. So I think that’s how we’re going to see the banking malware evolve: managed services and then closed attacks. And these retail attacks are very much affecting the banks. You know, they’re obviously having a lot of issues with their fraud detection systems. So that’s the main thing I see hitting financial services.

FIELD: How do you see the solutions evolving?

LITAN: I think it’s just a little bit more of the same, but more emphasis on big data analytics and crunching all this information and trying to get rid of all the noise in the system to highlight the alerts. And there is a lot of promise in big data analytics, I’m just not quite sure it’s really going to find this needle in the haystack.

Another trend is, okay, we didn’t do such a good job at prevention. The attack got in, we didn’t do a good job at detection while the attack is running, so let’s do a great job of as soon as we know it’s there, we’re finding out that it’s there really quickly and remediating really quickly. So there’s a big emphasis on time to detect and remediation, as opposed to prevention because a lot of the prevention is failing.

And the other issue is a lot of these attacks are sitting in the organization for a year or a few months, and people don’t know about them. So, the vendors are starting to emphasize: ‘We may not prevent it, but we’ll detect it immediately, and we’ll help you get rid of it.’ And there’s also a big emphasis on logging, like keeping all the information so you can do the right forensics. Forensic investigations are becoming something very important.

“In the malware space, we’re starting to see managed services.” – Avivah Litan, Gartner

Watch it online: http://www.inforisktoday.com/retail-breaches-more-to-come-a-6555


Just filling available security positions with the right skills is a huge challenge, says Robert Stroud, incoming ISACA president. This is one of his key challenges as he takes the reins at ISACA later this year.

In an interview recorded at RSA Conference 2014, Stroud discusses:

» His immediate plans as president;
» The daunting challenge posed by the Internet of things;
» Strategies for growing the security profession.

Stroud is a member of ISACA’s Professional Influence and Advocacy Committee. ISACA is an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. A past international vice president of ISACA, he serves on its framework committee. Stroud also is a governance evangelist as well as vice president of strategy, innovation and service management at CA Technologies.

The threats, attacks and crimes don’t differ greatly around the world. What does differ is how each region responds. Freddy Dezeure of CERT-EU is working to ensure that Europe is ready to respond appropriately.

The organization is only three years old, but in that time it has worked aggressively to form new alliances throughout the European nations, Dezeure says. And he also works with other CERT organizations around the world to improve information-sharing and defenses.

In a video interview recorded at RSA Conference 2014, Dezeure discusses:

» The CERT-EU mission and accomplishments;
» The European threat landscape;
» Top cybersecurity priorities for 2014.

Dezeure graduated as Master of Science in Engineering in 1982. He was CIO of a private company from 1982 until 1987. After joining the European Commission in 1987, he has held a variety of management functions in administrative, financial and operational areas, in particular in information technology. He set up the CERT for the EU institutions, agencies and bodies in 2011 and has been Head of CERT-EU since then.

Navigating the Internet of Things
ISACA’s Rob Stroud on Key Challenges of 2014
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/navigating-internet-things-a-6572

Assessing the EU Threat Landscape
Freddy Dezeure of CERT-EU on Responding to Targeted Attacks
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/assessing-eu-threat-landscape-a-6551


Cybersecurity in India: Vinayak Godse of the DSCI on 2014’s Key Priorities
by Tom Field, VP - Editorial, Information Security Media Group

Cybercrime. Privacy. The power of big data and mobility. These issues are as challenging to India as they are to any global region. Vinayak Godse of DSCI discusses his organization’s role in improving cybersecurity.

Yet, while the challenges are similar, India’s landscape is unique in terms of regulations and even the varying digital needs of its populace.

In a video interview recorded at RSA Conference 2014, Godse discusses:

» The DSCI mission;
» India’s unique cyber challenges;
» Specific initiatives for the banking and IT sectors.

Godse has a total of 16 years of experience in information security and IT. He is Director of Data Protection with the Data Security Council of India. He manages a program for defining data security and privacy practices, on which a self-regulation mechanism will be based.

Watch it online: http://www.inforisktoday.com/cybersecurity-in-india-a-6586

FBI on DDoS Response: Malcolm Palmore on Value of Public/Private Partnerships
by Tom Field, VP - Editorial, Information Security Media Group

Distributed denial of service attacks remain a significant security threat to organizations in all sectors - particularly financial services. And the Federal Bureau of Investigation’s Cyber Division is aggressively working with private sector security leaders to investigate these crimes and mitigate the effects.

But there remain challenges to creating successful public/private partnerships and enabling the right level of information exchange about cybercrimes.

In a video interview recorded at RSA Conference 2014, Malcolm Palmore of the FBI’s San Francisco office discusses:

» The FBI’s role in DDoS investigations;
» Results of public/private partnerships;
» Lessons learned that are applied to other cybercrime investigations.

Palmore serves as the assistant special agent in charge of the San Francisco Division’s Cyber Branch.

Watch it online: http://www.inforisktoday.com/fbi-on-ddos-response-a-6540


FEATURED INTERVIEW

The Evolving Cybersecurity Framework: Adam Sedgewick: An Early Assessment on the Framework
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday

The cybersecurity framework, the package of best IT security practices issued in mid-February, isn’t set in stone, but will evolve in the coming weeks, months and years, says the framework’s point man, Adam Sedgewick.

In a video interview recorded at RSA Conference 2014, Sedgewick:

» Explains the key elements of the cybersecurity framework, which is designed to help critical infrastructure operators safeguard their information assets;
» Addresses critics who say the framework is too simple to be effective and fails to address the costs to implement it; and
» Discusses how the cybersecurity framework will evolve from version 1 that was issued in mid-February.


ERIC CHABROW: Take a few moments to tell people who may not know what the framework is.

ADAM SEDGEWICK: Sure. The framework was developed in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. What it really does is it looks across critical infrastructure; it looks across industry and identifies best practices and standards that organizations use to help manage cybersecurity risk. The administration and the President realized there was a real vulnerability there, and it was a real challenge for organizations, so they tasked us to develop this open process to serve as a convener and to work with industry to really develop an understanding of what those best practices and standards are, and make it easier for organizations to help manage this challenge.

CHABROW: The framework was issued a few weeks ago. What kind of feedback have you received?

SEDGEWICK: Generally, the feedback has been pretty positive. Since we worked with these stakeholders throughout, they had a pretty good understanding of what it was going to look like. So, while this is the final version, we’ve been sharing drafts with them throughout, and it’s all based on conversations that we’ve had with the people that intend to use it. We’ve been pleased to see in conversations here at RSA that a lot of organizations are thinking about how to use the framework, and a lot of the technology providers are thinking about how their tools and their capabilities help organizations manage cyber risk in the context of the framework, to make it easier for people to understand and use.

CHABROW: There have been some criticisms of the framework. One is it’s too simple, it’s costly, and also it’s voluntary. Why don’t you address those issues and why you feel those critics may be wrong?

SEDGEWICK: I think the cost issue is an interesting one because what we did with the framework was to really focus on the particular outcomes. When we talked to our stakeholders, they said, ‘Let’s think about what the potential expectations are and then allow us to develop the best ways to meet those.’ Because the framework is voluntary, because it is flexible, we realize that it would only be useful if it was truly cost-effective and really helped organizations manage this problem. So, we think that by focusing on the outcomes it helps us to get there, and a key tenet of risk management is to understand what is truly cost-effective. We think in a number of ways organizations will use it and see themselves in the framework and understand how to improve in a way that is cost-effective and makes sense for their business needs.

In terms of the simplicity, I mean that was an interesting thing we heard early on. Folks said that there are a lot of technical standards out there that make sense to the technical people, but often … it is difficult to translate those needs within their organization and to their business leadership. So the approach we took, and this was something that if you talked to the stakeholders they will talk about their contributions and how challenging it was, was to make sure that these concepts were put in a way that could be easy to understand.

I’d also say in terms of it not being regulatory, but voluntary, we believe at NIST very strongly that voluntary does not equal weak, and we’ve seen throughout many different areas that these voluntary programs and standards can be very strong and develop really effective solutions. One of the key strengths is it allows for flexibility, it allows for growth, and it allows for organizations that have global business to do these practices that can help them comply and conform with requirements across the world.

“We believe at NIST very strongly that voluntary does not equal weak.” – Adam Sedgewick, NIST

Watch it online: http://www.inforisktoday.com/evolving-cybersecurity-framework-a-6553


Privacy: What Security Pros Need to Know: Malcolm Harkins, Trevor Hughes on 2014 Privacy Agenda
by Tom Field, VP - Editorial, Information Security Media Group

The privacy profession is evolving rapidly, and security leaders increasingly need to understand the unique demands and responsibilities that come with protecting privacy. But where do they gain this insight?

This is a question that must be addressed within all organizations, say Malcolm Harkins, chief security and privacy officer at Intel, and Trevor Hughes, CEO of the International Association of Privacy Professionals.

In a video interview recorded at RSA Conference 2014, Harkins and Hughes discuss:

» How privacy has evolved in the past year;
» Essential privacy knowledge for security pros;
» Tips for bridging the security/privacy gap.

Harkins is vice president and Chief Security and Privacy Officer (CSPO) at Intel Corporation.

Hughes is an attorney specializing in e-commerce, privacy and technology law.

Watch it online: http://www.inforisktoday.com/privacy-what-security-pros-need-to-know-a-6541

Patent Disputes: A Legal Update: Attorney James Denaro Warns of More Lawsuits
by Howard Anderson, News Editor, Information Security Media Group

Lawsuits claiming infringements on information security technology patents could become more common as the value of the technology increases in light of the need to prevent breaches, says attorney James Denaro, who leads the intellectual property practice at the CipherLaw Group.

But the patent law expert does not expect Congress to make major changes in federal laws in an effort to crack down on so-called “patent trolls.”

In a video interview recorded at the RSA Conference 2014, Denaro:

» Defines the term “patent trolls” and sizes up the current legal landscape in the patent arena;
» Provides an update on potential Congressional action;
» Offers advice on action to take in light of the risk of lawsuits.

Denaro is a registered patent attorney who advises clients on offensive and defensive applications of intellectual property.

Watch it online: http://www.inforisktoday.com/patent-disputes-legal-update-a-6550


How to Properly Vet Your Cloud Provider: Attorneys Francoise Gilbert, Ellen Giblin on Vendor Management
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday

Too often enterprises fail to adequately vet their cloud service providers, which can create security vulnerabilities, according to IT security lawyers Francoise Gilbert and Ellen Giblin.

When Gilbert asked executives at one cloud service provider what type of security plan it offered, they responded: “‘Oh, that’s not a problem; we are putting all the data in the cloud, someone else’s cloud,’” she says in a video interview with Information Security Media Group at the 2014 RSA Conference. “And they were totally clueless.”

Giblin says this is especially true of start-up providers. “It’s a culture issue as well,” she says. “The start-up environment becomes its own culture. ... They hear, ‘Oh, you don’t have to do all that. You can just put it in the cloud.’ So, that becomes like a mantra.”

In the interview, Gilbert and Giblin:

» Advise enterprises to conduct a risk assessment as part of contracting cloud services;
» Explain why enterprises often fail to properly assess their service providers; and
» Outline steps to take to properly vet providers through vendor management.

Watch it online: www.inforisktoday.com/how-to-properly-vet-your-cloud-provider-a-6545

Obama Cybersecurity Aide on Global InfoSec: Coordinating Response to International Cybercrime a Challenge
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday

White House Cybersecurity Coordinator Michael Daniel says the toughest international cybersecurity challenge facing the Obama administration is getting cooperation in coordinating responses to online crime.

“There are a lot of times when you really would like to be able to take collective action in cyberspace, to deal with a transnational criminal organization or to deal with a botnet,” Daniel says in a video interview with Information Security Media Group. “And that’s very difficult to coordinate across different jurisdictions. Every government organizes its cybersecurity a little bit differently and sort of making that latch-up happen in a way to move at net speed is very, very difficult.”

In an interview on the international facets of cybersecurity recorded during the RSA Conference 2014 in San Francisco, the special assistant to the president also discusses:

» Challenges in dealing with the Chinese on IT security;
» Establishing international norms of behavior in cyberspace; and
» How the National Security Agency disclosure on secretly collecting data of individuals not suspected of wrongdoing and of government leaders has caused a distraction and created a challenge for the United States in discussion with allies on resolving cybersecurity matters (see Obama Hints of Changes in Surveillance Program).

Video Interviews with Leading Vendors

VENDOR INTERVIEW

Power of Continuous Threat Protection: Dave DeWalt and Kevin Mandia of FireEye on the New Security Model
by Tom Field, VP - Editorial, Information Security Media Group

The old security model is broken, and now is the time to introduce a whole new approach to threat detection and response. This is the message from Dave DeWalt and Kevin Mandia of FireEye.

The threat landscape has changed significantly in the past year, creating the demand for new security strategies. And with the acquisition of Mandiant, FireEye also has changed significantly and now provides security strategies and solutions from first alert to remediation.

In this excerpt of an exclusive video interview recorded at RSA Conference 2014, DeWalt and Mandia discuss:

» Why the current security model no longer works;
» Today’s evolving threats;
» The most compelling benefits of the FireEye/Mandiant acquisition.


TOM FIELD: What is the new security model?

DAVE DEWALT: Well, it goes back to what’s the problem, and then what’s the model. The problem is the adversaries are very aggressive, they’re well-funded, and it takes a long time to discover the threats that are in people’s networks. So what are we trying to do as a combined company? Be the best at detection. So, the first thing out is: can we build a better security model than what’s out there today with traditional antivirus that can block and detect both known threats as well as unknown threats?

But job two - and why the companies really fit well together - is not only do you have to detect, you have to respond. You have to remediate. You have to fix the problems that are in the network. So the faster you are at detecting and the faster you are at responding, that’s really the new security model: alert to fix in minutes.

FIELD: Everyone’s talking about the FireEye-Mandiant acquisition. What do you find to be the most compelling benefit of this merger?

KEVIN MANDIA: For me, it is that detection capability. At Mandiant, we are really good at answering the question ‘what happened and what to do about it?’ after a breach. And for the longest time, the early warning system that kind of got us involved in those breaches was a government entity saying, ‘Hey, you’ve been compromised, your intellectual property has been stolen, and here’s some information about that.’ Over time, we started witnessing FireEye as the early warning system, and the detection capability that they had, that dynamic inspection of every file rather than the signature-based stuff, was so much more effective. We realized if we want to respond to every breach that matters and really be on the front lines responding to every attack that matters, we need to align with FireEye because they’re detecting the threats that are mattering to them.

DEWALT: What I’d maybe add on, too, Tom, is, there’s no silver bullet here with trying to stop these attacks. But a combination of people and product is really the platform that you have to put in place. And with Kevin, with all his personal experience as well as the service business that Mandiant has built responding to incidents over the years, we have a great combination of being able to respond with people, but also automating that response and then detecting. The people-product combination is really the fit that we have here together: Put the best product, put the best people on the ground, and you have a nice company and a good benefit.

FIELD: So Dave, even before the Mandiant acquisition, FireEye was enjoying explosive growth. Why was it so important for FireEye to be able to provide security from first alert through remediation?

DEWALT: It was almost probably the biggest ask that we had at FireEye: “It’s great, you’re seeing all these alerts. This detection, it’s kind of nice. But suddenly we’re seeing thousands of hosts that are infected. What do we do about this? It’s very costly to respond to these threats that we’re seeing.” And there was a bit of an illumination that was occurring with FireEye. It was like, wow, look at all these problems, but help me fix it. And sort of that’s where Mandiant has come in; they automate the fix. And if you can make that fixing process cost less and have less exposure, you’ve really created a real benefit for companies, and that’s why it’s together.

“What are we trying to do as a combined company? Be the best at detection.” – Dave DeWalt, FireEye

Watch it online: http://www.inforisktoday.com/power-continuous-threat-protection-a-6546


The Privacy Manifesto: Intel Security’s Michelle Dennedy on the State of Privacy
by Tom Field, VP - Editorial, Information Security Media Group

The Privacy Engineer’s Manifesto is the title of Michelle Dennedy’s new book, and it promises to help professionals get “from policy to code to QA to value.”

In a video interview recorded at RSA Conference 2014, Dennedy discusses:

» The mission and audience of her book;
» The state of privacy in 2014;
» How to grow the profession.

As chief privacy officer at Intel Security, Dennedy is responsible for privacy policies, procedures and governance efforts. Previously, Dennedy founded The iDennedy Project, a consulting and advisory company specializing in privacy and security. Dennedy was also previously vice president for security and privacy solutions at Oracle. She is a co-author of a soon-to-be-published book: The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value.

Watch it online: http://www.inforisktoday.com/privacy-manifesto-a-6570

The Cybersecurity Canon: Must-Reads: Rick Howard of Palo Alto Networks on Essential Security Education
by Tom Field, VP - Editorial, Information Security Media Group

Rick Howard, CSO of Palo Alto Networks, has a new idea for security pros: the cybersecurity canon of books every cyber pro must read at least once in their careers. Which titles make the list?

In fact, it’s not just a book list. Howard also has a list of the best cyber-hack movies ever, and he has new ideas for growing the security profession.

In a video interview recorded at RSA Conference 2014, Howard discusses:

» Titles in the cyber canon;
» His choice for top hacker film;
» How to focus on turning around the current staffing crisis.

Howard is the Palo Alto Networks Chief Security Officer. Prior to joining Palo Alto Networks, Howard was the TASC Chief Information Security Officer, where he managed the security of both the classified and unclassified TASC networks. Howard also led the Verisign iDefense Cyber Security Intelligence business as the GM and Intelligence Director in charge of a multinational network of security experts who delivered cybersecurity intelligence products to Fortune 500 companies. He also led the intelligence-gathering activities at Counterpane Internet Security and ran Counterpane’s global network of Security Operations Centers.

Watch it online: http://www.inforisktoday.com/cybersecurity-canon-must-reads-a-6561


Identity as the New Perimeter: IAM Insight from John Hawley of CA Technologies
by Tom Field, VP - Editorial, Information Security Media Group

Identity is the new perimeter, and that concept stretches organizations into lots of new directions when managing access and privileges - especially in the mobile age, says John Hawley of CA Technologies.

Mobility offers great promise to individuals and organizations alike. But it also creates new identity and access management headaches that must be addressed.

In a video interview recorded at RSA Conference 2014, Hawley discusses:

» The notion of identity as the new perimeter;
» The impact of mobility on IAM;
» New announcements from CA regarding IAM and mobile.

As Vice President of Strategy for Security Solutions, CA Technologies, Hawley coordinates the definition of the CA Security vision and evaluation of new portfolio growth opportunities. He has been working in the security space for 15 years and is a frequent conference speaker, focusing on how enterprises embrace new trends to secure the business but also align security to the discussion in the boardroom.

Watch it online: http://www.inforisktoday.com/identity-as-new-perimeter-a-6560

Rating Cybersecurity Success: Stephen Boyer of BitSight on His New Model for Grading Security
by Tom Field, VP - Editorial, Information Security Media Group

Imagine if an organization received a cybersecurity rating - just like an individual receives an objective credit report. This is the new model promoted by Stephen Boyer and his company, BitSight.

The industry is primed for such ratings, and they can become competitive differentiators for organizations.

In a video interview recorded at RSA Conference 2014, Boyer discusses:

» BitSight’s unique rating system;
» Why there is a need for cyber ratings;
» Whether cybersecurity should be federally regulated, like air traffic.

Boyer is the CTO, co-founder, and board member of BitSight Technologies. Previously, he has worked at Saperix, Lincoln Lab, and Caldera.

Watch it online: http://www.inforisktoday.com/rating-cybersecurity-success-a-6585


Break the Fraud Lifecycle: David Mattos of Easy Solutions on Strategies to Fight Fraud
by Tom Field, VP - Editorial, Information Security Media Group

Fraudsters continually find new ways to attack, but too many organizations rely on old, unsuccessful methods to detect and prevent fraud. That is the premise of David Mattos, VP of Sales at Easy Solutions.

It’s time to break the traditional fraud lifecycle and explore new strategies for fighting these ever-evolving crimes, Mattos says.

In a video interview recorded at RSA Conference 2014, Mattos discusses:

» Why current anti-fraud strategies are ineffective;
» The potential pitfalls of regulatory compliance;
» How to break the fraud lifecycle.

Mattos brings more than 20 years of senior sales technology leadership to Easy Solutions, along with a deep understanding of how to drive incremental revenue through direct sales, the channel, and strategic alliances. As Vice President of Sales for the US and Canada, he is responsible for the effectiveness of the company’s direct sales force, finding and securing new channel and partnership opportunities, and defining sales strategies that fuel growth and new opportunities for Easy Solutions’ portfolio of advanced fraud prevention solutions.

Watch it online: http://www.inforisktoday.com/break-fraud-lifecycle-a-6554

The 2014 Breach Landscape: Verizon’s Wade Baker on the Making of the Verizon Breach Report
by Tom Field, VP - Editorial, Information Security Media Group

Verizon’s annual data breach investigations report will be released in the coming weeks, offering perspective on 10 years of breach analysis, says Wade Baker, one of the report’s key authors.

This year’s report is bigger than ever and reflects the analysis of 50 different contributors, says Baker, Managing Principal, Research and Intelligence, at Verizon.

In a video interview recorded at RSA Conference 2014, Baker discusses:

» The current breach landscape;
» The data breach evolution;
» A preview of the Verizon breach investigations report.

Baker is the Managing Principal of Risk Intelligence for Verizon. In this role, he oversees the collection, analysis, and delivery of data relevant to measuring and managing information risk. Intelligence from these activities is used to create and improve products, inform personnel and clients, and share credible research with the security community. Baker is the creator and primary analyst for Verizon’s Data Breach Investigations Report series.

Watch it online: http://www.inforisktoday.com/2014-breach-landscape-a-6556


Why ID Security Must Evolve: Entrust’s David Rockvam on How to Mitigate ID Security Risks
by Tom Field, VP - Editorial, Information Security Media Group

In the face of evolving threats and actors, traditional ID security strategies have proven inadequate, says Entrust’s Dave Rockvam. It’s time for a security evolution.

But to raise the bar on ID security, organizations first must assess their current gaps and gain a better understanding of where attackers are seeing success, says Rockvam, VP of product management and marketing communications at Entrust.

In a video interview recorded at RSA Conference 2014, Rockvam discusses:

» Why current ID security strategies are inadequate;
» Threat trends that are changing the landscape;
» How organizations can address their ID security gaps.

Under Rockvam, Entrust Certificate Services has seen a rapid expansion, more than doubling since the company went private in 2009. This growth has helped Entrust shift from a mainly perpetual software company to a cloud software-as-a-service company, deriving roughly 60 percent of product revenue from cloud, software-as-a-service or subscription-based offerings.

Watch it online: http://www.inforisktoday.com/id-security-must-evolve-a-6558

How to Fight Targeted Attacks: Proofpoint’s Kevin Epstein on How to Protect the Targets
by Tom Field, VP - Editorial, Information Security Media Group

Proofpoint and ISMG have just completed a new Targeted Attacks survey. What are some of the key findings? Kevin Epstein shares insight on detecting advanced threats and warding off attacks.

Phishing, Trojans and malvertising are the most common forms of attack. And despite significant security investments, organizations continue to be breached because of mistakes made by employees and partners, says Epstein, VP Advanced Security & Governance, Proofpoint.

In a video interview recorded at RSA Conference 2014, Epstein discusses:

» Results of the new Targeted Attacks Study;
» How to address the human factor;
» Effective security solutions to ward off advanced threats.

Epstein directs Proofpoint’s global product marketing initiatives. He is also a lecturer at Stanford University and author of the popular trade book, Marketing Made Easy (Entrepreneur Magazine Press).

Watch it online: http://www.inforisktoday.com/how-to-fight-targeted-attacks-a-6559


Why Target Breach Was Preventable: Adam Tegg of Wontok Solutions on Fighting Malware
by Tom Field, VP - Editorial, Information Security Media Group

The Target retail POS breach is the most talked-about incident in recent memory - and it was entirely preventable with available security solutions, says Adam Tegg, CEO of Wontok Solutions.

Malware attacks against merchants are on the rise, Tegg says, and to mitigate risks organizations must prioritize their deployment of updated technology platforms and effective security strategies.

In a video interview recorded on the expo floor of RSA Conference 2014, Tegg discusses:

» Why the Target breach was preventable;
» Malware trends to watch;
» How to prepare for the pending Windows XP support expiration.

Tegg brings a wealth of experience in delivering growth and development strategies for innovative companies to Wontok, where he leads the company’s overall strategy and direction. He played an integral role in Wontok’s acquisition of SafeCentral in 2011, and has transformed Wontok into a channel-centric global cloud and endpoint security solutions company.

Watch it online: http://www.inforisktoday.com/target-breach-was-preventable-a-6543

Next-Generation Incident Response: Craig Carpenter of AccessData on How to Improve Response
by Tom Field, VP - Editorial, Information Security Media Group

Recent breaches tell the story: Organizations are not entirely prepared to respond to such incidents. Craig Carpenter of AccessData discusses the next generation of incident response.

In addition to what he’s learned from AccessData’s own customer experiences, Carpenter is armed with new insights from a Ponemon survey.

In this interview recorded on the expo floor of RSA Conference 2014, Carpenter discusses:

» The flaws in today’s incident response strategies;
» How to define next-generation incident response;
» How to assess and improve current incident response capabilities.

Carpenter is the Chief Marketing Officer of AccessData, overseeing global marketing strategy and demand generation programs. Prior to joining AccessData, he was VP of Marketing and Business Development at Recommind, where he pioneered and popularized predictive coding and predictive information governance into the hottest trends in the e-discovery and GRC markets, respectively.

Watch it online: http://www.inforisktoday.com/next-generation-incident-response-a-6544

Page 51: Highlights and Insights - Paramount Assure and ideas/rsa... · InfoSec Investments: Venture Capital’s View 68 Insights on Enhancing Authentication 68 Keys to Secure Content Sharing

© 2014 Information Security Media Group 51

How Artificial Intelligence Prevents Fraud
Devices and Networks Provide Clues to Suspicious Patterns
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity

Artificial intelligence can be used to enhance security across a number of business sectors, including retail and financial, says Dr. Akli Adjaoute of security firm Brighterion.

By tracing the steps of card usage and device or endpoint access, security specialists are more effectively linking points of compromise and preventing fraud, Adjaoute says. And organizations are relying on artificial intelligence to trace those steps, he adds, by analyzing the behaviors of transactions and devices.

The use of artificial intelligence for fraud prevention is not a new concept, and it’s not science fiction, Adjaoute says. Companies such as MasterCard and RBS WorldPay have for years relied on artificial intelligence to detect fraudulent transaction patterns and prevent card fraud, he says.

During this interview recorded at RSA Conference 2014, Adjaoute discusses:

» How use cases for artificial intelligence have evolved;
» Why artificial intelligence is a necessity for providing a holistic vision of security; and
» How artificial intelligence could have been used to prevent recent retail breaches at Target Corp. and Neiman Marcus.

Watch it online: http://www.inforisktoday.com/how-artificial-intelligence-prevents-fraud-a-6547


Avoiding BYOD?
Why Setting BYOD Policies Is Increasingly Critical
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity

Bring-your-own-device concerns are getting more complex, but most organizations aren’t keeping up with the times, and their outdated policies and procedures prove it, says John Whaley of Moka5.

In fact, BYOD security and best practices are often talked about more than they are implemented and used, he says.

BYOD is not just about ensuring employees are using secure devices, Whaley says. It’s about ensuring corporations are protecting intellectual property when employees access their databases from home. And BYOD also is about not violating employees’ privacy by inadvertently accessing personal data on devices they own.

During this interview recorded at RSA Conference 2014, Whaley discusses:

» How automation can enhance BYOD management;
» Why organizations are reluctant to even broach the topic of BYOD;
» How regulators may soon mandate certain BYOD policies and procedures.

Whaley serves as the founder and chief technology officer of Moka5 and is responsible for the technical vision of the company.

Watch it online: http://www.inforisktoday.com/avoiding-byod-a-6548


“BYOD security and best practices are often talked about more than they are implemented and used.”
- John Whaley, Moka5


Articles, Blogs, Photos & More
From the ISMG Team at RSA Conference 2014


ARTICLE
Breaches: Avoiding ‘Victim’s Fatigue’
Kevin Mandia Warns Against Letting Guard Down
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday

Cybersecurity is the only crime where the victim needs to apologize, says Kevin Mandia, founder of the data breach mitigation services firm Mandiant.

“It’s startling that it got that way,” he said in a Feb. 27 keynote address at the RSA Conference 2014 in San Francisco.

Mandia offered a variation of the old saw about two types of organizations: those that have been breached and those that don’t know it.

“If you’re an F in cybersecurity or an A in cybersecurity, an attack has the same chance of being successful,” Mandia said. “If you’re an F in cybersecurity, you never find out and your boss says, ‘Whew, nothing happened.’”

Organizations with a grade of A will learn from their experiences and take steps to mitigate future breaches, he says. But unfortunately, many of these organizations soon become vulnerable again.

Here’s how Mandia put it: Victims of cyber-attacks expand their IT security teams shortly after the breach and aggressively combat the attackers. Six months later, after no new breaches occur, management thinks, “You know, we don’t have to do this stuff anymore.” The top cybersecurity experts hired to prevent future breaches get bored and move on to more challenging jobs. Then, the company gets breached again.

He characterized this syndrome of companies letting their guard down as “victim’s fatigue.”

Mandia said it isn’t that cyber-assailants are smarter than the IT security pros hired to safeguard systems. But attackers need only to break into one device, whereas IT security specialists need to protect thousands of devices. “It’s easier to shatter crystal than to shape it,” he said.

Mandiant, acquired for more than $1 billion in December by FireEye, came to prominence a year ago when it released a report directly implicating the Chinese military in cyber-espionage (see 6 Types of Data Chinese Hackers Pilfer).

In his address, Mandia revealed that his firm had intercepted resumes of members of the Chinese attack team bragging about their assaults on Western organizations.

Read it online: http://www.inforisktoday.com/breaches-avoiding-victims-fatigue-a-6581

BLOG
Equating Civil Liberties with Privacy
FBI Director Addresses Balancing Rights with Security
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday

Is protecting our civil liberties the same as protecting our privacy?

At one point during his keynote address at the RSA security conference in San Francisco on Feb. 26, FBI Director James Comey seemed to equate the two. He said safeguarding critical IT doesn’t mean Americans need to sacrifice their privacy and civil liberties. But when Comey offered an example on the balance between IT security and privacy and civil liberties, he mainly referred to civil liberties.

“I want to touch on issues of privacy for a moment,” Comey said about 18 minutes into his nearly 25-minute address.

“Some have suggested there is an inherent conflict between protecting national security and preserving privacy and civil liberties. I disagree. In fact, I think the ideas of balance and trade-offs are the wrong framework because they make it seem like a zero-sum game. At our best, we are looking for security measures that enhance liberty. When a city posts police officers at a dangerous park so kids and old folks can use the park, security has promoted liberty.”

Comey said the men and women of the FBI are sworn to protect national security and civil liberties; he didn’t mention privacy.

A Very Dangerous Place

“The fact of the matter is that the United States faces real threats from criminals, terrorists, spies and malicious cyber-actors,” the director said. “That is reality. The playground is a very dangerous place right now. To stop those threats, the government needs timely and accurate intelligence to identify threat actors and to figure out what they are planning. That means we need to conduct electronic surveillance and collect data about electronic communications. That is also reality. The real question is this: How do we do that in a way that allows us to prevent bad things from happening to our own people and our allies, and, at the same time, protect privacy and civil liberties and promote innovation?”

In the playground example, Comey addresses civil liberties, but not privacy. Privacy, of course, is a facet of civil liberties, but our privacy can be violated without compromising other aspects of our civil liberties. The government could spy on our e-mails without preventing us from speaking out against the government. Our privacy would be violated, but our right to speak freely without being punished would go unabated.

Comey’s remarks could be interpreted to mean that under certain circumstances the government will take steps to protect the nation against nation states, criminals or terrorists who could do us harm, and that those steps could compromise our privacy, and perhaps our civil liberties as well.

Reading Between the Lines

There was another remark in Comey’s speech that could be construed to condone government activities that could trouble many cybersecurity practitioners:

“I’ve never been someone who is a scaremonger, crying wolf - but I’m in a serious business, so I want to ensure that when we discuss altering tools we use to collect information on an individual we believe to be connected to criminal, terrorist or other unlawful activity, that we understand the benefits and trade-offs on the other side.”

Could Comey mean that a situation such as the alleged corruption of a cryptographic algorithm by the National Security Agency, published by the National Institute of Standards and Technology, would be tolerated to safeguard critical IT against terrorists or an enemy nation? To be clear, he didn’t specifically address the allegation against the NSA.

But he added that intelligent people can and do disagree on such approaches. “That’s the beauty of American life,” he said, “but we need to make sure that everyone understands the risks associated with the work we do and the choices we make as a country.”

It’s not that privacy and civil liberties be damned, but the reality is that in this dangerous world, privacy and civil liberties still can be sacrificed for the sake of security.

Read it online: http://www.inforisktoday.com/blogs/equating-civil-liberties-privacy-p-1629


ARTICLE
DHS Offers Incentive to Adopt Framework
States Could Qualify for Free IT Security Managed Services
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday

The Department of Homeland Security is offering managed cybersecurity services free of charge as an incentive to get financially strapped local, state and territorial governments to adopt the cybersecurity framework.

DHS will pay for services that would be provided by the Multi-State Information Sharing and Analysis Center. In revealing the new program during a Feb. 25 presentation at the RSA Conference 2014, DHS Deputy Undersecretary Phyllis Schneck did not disclose the program’s cost, but said it would come out of the department’s budget.

“Our state and local governments protect and enable citizens and critical infrastructure and often don’t have a lot of budget,” Schneck says in an interview with Information Security Media Group. “We want to make sure they have the best cybersecurity in conjunction with adoption of the cybersecurity framework. The combination of the policy guidance and the managed services will improve the security posture of our state and local governments, which is key to our nation’s cybersecurity and infrastructure resilience.”

The managed services to be offered will include intrusion detection, intrusion prevention and firewall and network traffic monitoring.

Schneck, the highest ranking DHS cybersecurity official, says the services provided by the MS-ISAC do not change the local and state governments’ abilities to govern their own networks. “It’s simply great security free of charge in conjunction with their adoption of the cybersecurity framework,” she says.

Risk Management

Another DHS official tells Information Security Media Group that the agency is encouraging local and state governments that will use the managed services to continue participation in the Critical Infrastructure Cyber Community program, known as C3, or C-cubed. C3 aims to support industry in increasing cyber resilience, increase awareness and encourage organizations to manage cybersecurity as part of an “all hazards” approach to enterprise risk management.

The National Institute of Standards and Technology earlier this month unveiled its long-awaited cybersecurity framework, which provides best practices for voluntary use in all critical infrastructure sectors. President Obama in 2013 issued an executive order that called on NIST to collaborate with the private sector to develop IT security best practices that critical infrastructure providers could voluntarily adopt.

MS-ISAC, a unit of the not-for-profit Center for Internet Security, provides two-way sharing of information and early warnings on cybersecurity threats and furnishes a process to gather and disseminate information about cybersecurity incidents.

Read it online: http://www.inforisktoday.com/dhs-offers-incentive-to-adopt-framework-a-6567


ARTICLE
Recruiting InfoSec Pros in Tight Market
Insights on Creating ‘Center for Security Excellence’
by Howard Anderson, News Editor, Information Security Media Group

In light of the critical shortage of information security professionals, organizations must strive to become a “center for security excellence” to successfully recruit the specialists they need, says analyst John Oltsik of Enterprise Strategy Group.

The research company’s recent global survey of 600 IT and security professionals determined that 65 percent find it somewhat difficult to recruit and hire information security professionals while 18 percent find it extremely difficult, Oltsik said in a Feb. 24 presentation at the RSA Conference 2014. The area with the greatest security skills shortage is cloud computing and server virtualization, mentioned by 43 percent. Other key shortage areas are endpoint, mobile device and network security, as well as data analysis/forensics.

Corporate Culture

A key step to successful recruiting of infosec pros, Oltsik says, is “integrating security into the corporate culture.”

In an interview with Information Security Media Group after his presentation, Oltsik, senior principal analyst at the Milford, Mass.-based firm, described some of the components of creating a center for security excellence: “Security people want exposure to training and they want exposure to their peers ... and they want to give input to vendors about their products. If they’re always busy putting out fires, then they can’t do that. You need to figure out how to make your people more efficient ... so they can build a career.”

Continuing education is essential, he stresses. “The average security professional is two years behind in terms of knowledge of what the bad guys are doing,” he contends.

Other steps organizations should take in light of the shortage of qualified infosec pros, Oltsik says, include:

» Look for opportunities to outsource certain security functions;
» Adopt “intelligent turnkey technologies” that are easier for staff to use;
» Automate as many tasks as possible.

Read it online: http://www.inforisktoday.com/recruiting-infosec-pros-in-tight-market-a-6538


Candid shots from ISMG’s video interviews. Clockwise from top left: Garry Sidaway, Global Director of Security Strategy, NTT Com Security; Francoise Gilbert, managing director, IT Law Group; Dr. Akli Adjaoute, CEO of Brighterion; Tom Field, VP of Editorial, ISMG.


Audio Insights
from Leading Vendors


2014 Brings Shift in Cyber-Attacks
Akamai’s Rich Bolstridge Outlines Trends

While massive DDoS attacks were dominant in 2013, this year, smaller application-layer attacks going after such things as log-in pages and password files are far more common, says Rich Bolstridge, chief strategist, financial services, at Akamai Technologies.

Listen online: http://www.inforisktoday.com/interviews/2014-brings-shift-in-cyber-attacks-i-2218

2014 Fraud Prevention: 2 Key Steps
Gartner’s Litan Recommends Action Items

Two critical steps that banking institutions need to take in 2014 to help prevent fraud are implementing big data analytics and adopting far more sophisticated customer and employee authentication, says Gartner analyst Avivah Litan.

Listen online: http://www.inforisktoday.com/interviews/2014-fraud-prevention-2-key-steps-i-2198

Advanced Threat Defense
Trend Micro’s JD Sherry on New Strategies, Solutions

Advanced, ever-evolving threats call for security solutions vendors to counter with equally advanced and sophisticated solutions. JD Sherry of Trend Micro discusses new strategic alliances and product sets dedicated to creating new measures of threat defense.

Listen online: http://www.inforisktoday.com/interviews/advanced-threat-defense-i-2205

Automating Data Analysis
AccelOps’ Brenton on Enhancing Threat Intelligence

By automating data analysis, organizations can enhance their threat intelligence and lessen their workloads, says Flint Brenton, president and CEO of AccelOps.

Listen online: http://www.inforisktoday.com/interviews/automating-data-analysis-i-2204


Baking Privacy Into Health IT
Expert Says Privacy Needs to Be Part of Design

Privacy should be built into the design of all healthcare information technology and related processes, says Michelle Dennedy, who’s writing a book on the concept of “privacy by design.”

Listen online: http://www.inforisktoday.com/interviews/baking-privacy-into-health-it-i-2183

CipherCloud Unveils New Platform
Providing Security in the Cloud

CipherCloud’s Paige Leidig discusses a new offering that helps organizations rapidly adopt a cloud application while it protects sensitive data and ensures compliance with policies and regulations.

Listen online: http://www.inforisktoday.com/interviews/ciphercloud-unveils-new-platform-i-2215

Cisco Unveils Open Source Initiative
Scott Harrell Explains Project

Cisco has launched a new open source initiative focused on application identification, says Scott Harrell, vice president of the company’s security business group.

Listen online: http://www.inforisktoday.com/interviews/cisco-unveils-open-source-initiative-i-2208

Cryptocurrency an Easy Target
Joe Stewart and Pat Litke of Dell SecureWorks Discuss Threats

Researchers at Dell SecureWorks have identified some 146 unique malware families that are targeting cryptocurrencies. Approximately 100 of those have emerged in just the last year, says Pat Litke, security analysis adviser for the company’s CyberThreat unit.

Listen online: http://www.inforisktoday.com/interviews/cryptocurrency-easy-target-i-2195


Cyberthreat Protection Evolves
Corero’s Ashley Stephenson on New Defenses

The increasing use of cloud-based resources requires a new approach to protection against cyberthreats, says Ashley Stephenson, CEO at Corero Network Security.

Listen online: http://www.inforisktoday.com/interviews/cyberthreat-protection-evolves-i-2209

DDoS Attacks Continue to Grow
Neustar’s Jim Fink on Global DDoS Trends

Neustar is about to release a new report on the DDoS threat landscape. What are some of the key trends to watch? Neustar’s Jim Fink offers a preview of the study’s findings.

Listen online: http://www.inforisktoday.com/interviews/ddos-attacks-continue-to-grow-i-2212

DDoS: More Defenses Needed
Emerging Attack Methods Continue to Take Sites Down

While January’s seemingly isolated distributed-denial-of-service attacks against JPMorgan Chase and Bank of America may have been a blip, DDoS expert Barrett Lyon says stronger attacks are on the way.

Listen online: http://www.inforisktoday.com/interviews/ddos-more-defenses-needed-i-2217

FIDO: Beyond ‘Simple’ Authentication
New Protocol Strives to Wipe Out Password Use

Simple credentials, such as passwords, are a hacker’s best friend, says Phillip Dunkelberger of Nok Nok Labs, a founding member of the FIDO Alliance. That’s why the alliance is working to reduce reliance on passwords by enabling advanced authentication.

Listen online: http://www.inforisktoday.com/interviews/fido-beyond-simple-authentication-i-2214


Fighting Phone Fraud
Matt Anthony of Pindrop on the Rise in Phone-Based Fraud

While much of the security focus is on online fraud and major data breaches, organizations of all sizes and sectors are seeing a rise in phone-based fraud, says Matt Anthony of Pindrop Security.

Listen online: http://www.inforisktoday.com/interviews/fighting-phone-fraud-i-2193

How Fraudsters Take Advantage of Insiders
Venafi’s Bocek on Cyber-Attack Trends

Insiders are often linked to cyber-attacks, says Kevin Bocek, vice president of security strategy and threat intelligence for Venafi.

Listen online: http://www.inforisktoday.com/interviews/how-fraudsters-take-advantage-insiders-i-2196

How Mobile Hacks Threaten Enterprise
IBM’s Caleb Barlow on a Growing Menace

Among the biggest cyberthreats enterprises face are hacks on consumer mobile devices, says Caleb Barlow, a director of product management at IBM Security.

Listen online: http://www.inforisktoday.com/interviews/how-mobile-hacks-threaten-enterprise-i-2199

How to Improve Cybercrime Tracking
Fox-IT’s Chandler and Driehuis on Behavioral Analytics

With enhanced analytics, organizations and law enforcement are improving their ability to trace malware attacks and other advanced persistent threats, says Eward Driehuis of Fox-IT.

Listen online: http://www.inforisktoday.com/interviews/how-to-improve-cybercrime-tracking-i-2203


iBoss Offers Behavioral Analysis
Products Tied to Cybersecurity Framework

The gateway security solutions provider iBoss Network Security is enhancing its offerings by incorporating analysis of the behavioral movement of traffic in and out of the network.

Listen online: http://www.inforisktoday.com/interviews/iboss-offers-behavioral-analysis-i-2190

Improving Encryption Management
SafeNet’s Prakash Panjwani Identifies Key Issues

As organizations expand their use of encryption to help prevent breaches, they must improve their management of cryptographic keys, says Prakash Panjwani, senior vice president at SafeNet.

Listen online: http://www.inforisktoday.com/interviews/improving-encryption-management-i-2191

InfoSec Investments: Venture Capital’s View
Trident Capital’s Alberto Yépez on the 2014 Security Outlook

What is the venture capital view of the security trends and technologies that will have the most impact on careers in 2014? Alberto Yépez of Trident Capital weighs in with his insights and predictions.

Listen online: http://www.inforisktoday.com/interviews/infosec-investments-venture-capitals-view-i-2187

Insights on Enhancing Authentication
Bert Rankin of ThreatMetrix on Filling the Gaps

Too many businesses are worried about how security might adversely affect the user experience, even among their own workforce, says Bert Rankin, chief marketing officer of ThreatMetrix.

Listen online: http://www.inforisktoday.com/interviews/insights-on-enhancing-authentication-i-2206


Keys to Secure Content Sharing
Accellion’s Hormazd Romer on Secure Mobile Productivity

As content sharing via mobile devices becomes more common, organizations must make sure security issues are adequately addressed, says Hormazd Romer, senior director of product marketing at Accellion.

Listen online: http://www.inforisktoday.com/interviews/keys-to-secure-content-sharing-i-2225

Log Analysis for Breach Prevention
Solutionary’s Don Gray on Steps Companies Can Take to Predict Threats

Log analysis is often used for managed security, but are organizations going far enough with the information they have at their fingertips? Don Gray, chief security strategist for Solutionary, says there is much more organizations could be doing to predict breaches.

Listen online: http://www.inforisktoday.com/interviews/log-analysis-for-breach-prevention-i-2194

Real Threat Intelligence
David Duncan of Webroot on New Partnerships, Solutions

Everyone is talking about threat intelligence, but what are the characteristics that make it useful? David Duncan of Webroot offers insights on new solutions and partnerships.

Listen online: http://www.inforisktoday.com/interviews/real-threat-intelligence-i-2201

Securing Network Architecture
Barracuda’s Steve Pao on Addressing Threats

Although the growth of cloud-based data centers offers opportunities to more rapidly deploy applications, it also raises new security issues, says Steve Pao, senior vice president at Barracuda Networks.

Listen online: http://www.inforisktoday.com/interviews/securing-network-architecture-i-2200


Securing the Smart Grid
Gib Sorebo of Leidos Previews RSA 2014 Presentation

Distributed generation and plug-in motor vehicles are among the emerging security challenges to the smart grid. In an RSA 2014 preview, Gib Sorebo of Leidos discusses the threats to utilities and consumers.

Listen online: http://www.inforisktoday.com/interviews/securing-smart-grid-i-2188

Security: Going Beyond Compliance
Tipton of (ISC)2 Says Technology Can Only Go So Far

While most organizations are focusing on compliance, they are ignoring basic human-factor security risks that technology cannot fix, says Hord Tipton, executive director of the International Systems Security Certification Consortium, better known as (ISC)2.

Listen online: http://www.inforisktoday.com/interviews/security-going-beyond-compliance-i-2197

Security Professionals: Time to Step Up
Purdue’s Eugene Spafford on Challenges Facing the Profession

In the wake of high-profile breaches and data leaks, the government will pay a lot more attention to information security. Are security pros ready for this scrutiny? Professor Eugene Spafford has his doubts.

Listen online: http://www.inforisktoday.com/interviews/security-professionals-time-to-step-up-i-2221

The API as an Attack Vector
Intel’s Travis Broughton on Addressing New Risks

The application programming interface is now an attack vector, which creates new security issues, warns Travis Broughton, IT architect at Intel.

Listen online: http://www.inforisktoday.com/interviews/api-as-attack-vector-i-2192


The Evolving Threatscape
Security Insights from Preston Hogue and Greg Maudsley of F5

Traditional fraud has evolved in complexity, changing the threat landscape dramatically. Greg Maudsley and Preston Hogue of F5 discuss new strategies to mitigate evolving threats.

Listen online: http://www.inforisktoday.com/interviews/evolving-threatscape-i-2211

The Impact of Bit9, Carbon Black Merger
Benjamin Johnson Describes New Approach

The recent merger of Bit9 and Carbon Black will eventually result in a single, merged product offering, says Benjamin Johnson, CTO at Carbon Black.

Listen online: http://www.inforisktoday.com/interviews/impact-bit9-carbon-black-merger-i-2223


Looking Back on
RSA Conference 2014


CareersInfoSecurity Quick Poll

Among ISMG’s activities at RSA Conference 2014, we conducted mini-surveys of visitors to the ISMG booth. Here are responses to questions we asked in a CareersInfoSecurity Quick Poll about job turnover and satisfaction.

Only 41 percent of respondents are extremely satisfied in their jobs at a time when retaining information security pros is of paramount importance. This is a statistic to explore in the coming months.

When was the last time you changed jobs?

37% - 2 years ago
33% - 1 year ago
15% - 5 years ago
11% - This is actually my first job
4% - 10 years ago

How do you rate your current career satisfaction?

52% - Somewhat satisfied: open to a better offer
41% - Extremely satisfied: can't see myself doing anything different
7% - Extremely dissatisfied: time to move on


Social Media

ISMG’s social media presence during RSA Conference 2014 was unlike any in years past. Utilizing Twitter, Facebook and LinkedIn, our editorial staff sent out by-the-minute updates of interviews, sessions and events that included interviewee information, pictures and graphics.

ISMG’s Tweets appeared on timelines over one million times.*

* According to Tweetreach.com

783,794 Total Reach

Over 1 Million Total Impressions


RSA Conference Day One: Editor’s Insights

ISMG’s Editorial Team Discusses Highlights from RSA Conference 2014

RSA Conference 2014 is hosted across the street from a Target store, which is only fitting, because the Target retail breach arose in many discussions during day one of the annual security conference. In addition to recent retail breaches, RSA Conference 2014 attendees discussed last year’s NSA disclosures, the future of payments security and how to mitigate the risks posed by organizations’ top vulnerability: people.

See day-one analysis from ISMG’s editorial team, including Tom Field, Eric Chabrow, Tracy Kitten and Howard Anderson, as they discuss:

» What they overheard in conversations at RSA Conference 2014;

» Highlights of the day’s activities;

» What to expect from the event in the coming days.

VIDEO

Watch it online: http://www.bankinfosecurity.com/rsa-day-one-editors-insights-a-6568


RSA Conference Day Two: Cybersecurity and Fraud

ISMG Editors Share Insights, Analysis from RSA Conference 2014

In the second full day of RSA Conference 2014, ISMG’s editors recorded exclusive video interviews with industry thought-leaders Troy Leach of the PCI Council, Adam Sedgewick of NIST and Gartner’s Avivah Litan.

Among the hot topics discussed: the future of the PCI standard; initial response to the new U.S. cybersecurity framework; and what can be done to counter the epidemic of retail data breaches.

In a brief roundtable discussion recorded at the end of day two at RSA Conference 2014, ISMG editors Tom Field, Eric Chabrow and Tracy Kitten share insights on:

» Key conversations of the day;

» Common security themes discussed by attendees;

» What’s ahead for day three.

VIDEO

Watch it online: http://www.bankinfosecurity.com/rsa-day-two-cybersecurity-fraud-a-6576


RSA Conference Day Three: Conference Themes

ISMG Editors Share Insights, Analysis from RSA Conference 2014

As ISMG’s news team wraps up coverage of RSA Conference 2014, the editors gather to discuss final impressions of the annual security conference. Join Tom Field, Howard Anderson, Tracy Kitten and Eric Chabrow as they discuss:

» Highlights of their final day at the event;

» Common themes shared by attendees;

» Reflections on the week-long event.

VIDEO

Watch it online: http://www.bankinfosecurity.com/rsa-day-three-conference-themes-a-6580


“RSA Conference 2014 wasn’t about any one topic. It was about a community – the global information security community – coming together to tackle a host of current challenges. It’s humbling to stand amidst this community and feel its power.”

- Tom Field, ISMG


902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways —researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

(800) 944-0401 [email protected]