McAfee Antivirus
McAfee at Interop 2012
This week, our McAfee team is gearing up to attend Interop 2012, May 8-10 in Las Vegas! If you’re at the show, stop by our booth #421, where VP of Network Security Greg Brown and I will be performing product demos and presentations throughout each day on the McAfee Network Security Platform, Enterprise Security Manager and more.
This year, McAfee Network Security was also selected as a Best of Interop finalist in the security category. The Best of Interop awards recognize some of the world’s most innovative technologies, and McAfee is proud to be a part of Interop’s mission to foster innovation within the business technology marketplace. In addition, be sure to pick up a Network Security game card while you’re there for a chance to win one of 3 iPads, 8 Kindles, and other exciting prizes.
The winners will be announced on Tuesday, May 8 at 3:00 pm on the expo floor, so keep your fingers crossed!
McAfee will also be heading up two presentations during the conference:
Leveraging Time Travel & Teleportation to Secure Invisible Networks
Greg Brown, McAfee VP Network Security
Virtualization has been the single largest driver in data center change over the past three years. Network fabric technology and software-defined networking are rapidly replacing the decade-old tiered network architectures. As advanced targeted attacks are becoming more prolific and cheaper to engineer, network security technologies must evolve to deal with invisible wires, non-deterministic network paths, and increasingly complex attack techniques. How can you keep up with the ever-expanding threat?
Location: Mandalay Bay K
Date: Thursday, May 10, 2012
Time: 11:00 AM-11:45 AM
Wireless Security: Solutions, or Just More Problems?
Neil King, McAfee VP Product Management
While one is never “done” when it comes to security, successful strategies for mobile security are now in place at many organizations. But with new challenges appearing on an almost daily basis, viable security implementations require a combination of tools, techniques, and best practices in order to achieve their vital mission. This session will present an outline of security challenges and how these can be optimally addressed in a mobile environment.
Location: Lagoon L
Date: Thursday, May 10, 2012
Time: 9:00 AM-10:00 AM
For those of you both at the show and following along at home, be sure to connect with @McAfeeBusiness on Twitter for live updates and photos straight from Las Vegas.
And for even more Twitterverse fun, a Top Secret Tweet-Up location will be announced via the @Interop handle sometime during the show, open to all. So attendees, keep watch on that #Interop hashtag for your chance to stop by, say hello and network with your fellow conference tweeters!
April #SecChat Recap: Data Center Security and the Cloud
We kicked off our April #SecChat discussion by asking what security factors our community believed were inhibiting organizations from adopting cloud for the data center. The topic of control was quickly touched upon, as @LabNuke pointed out that access control is a key concern, and @KentMcGovern mentioned a loss of direct control over the environment. @BrianContos chimed in that with robust access controls and data protection, these objections to the cloud could lessen, even for organizations with critical infrastructure.
Another topic of concern was compliance and auditing. As @lkovnat mentioned, organizations have to consider data recovery if a cloud provider is being investigated – for example, in the recent case of MegaUpload. @KentMcGovern mentioned PCI DSS as another compliance concern, and how organizations will need to make sure that they still meet PCI standards when migrating to a cloud provider.
Still, the compliance concerns mentioned above will vary depending on which services will be cloud-based, and what data organizations choose to place in a cloud environment. As @BrianContos brought up, tagging data as it enters the cloud is essential in order to define what information resides there, even if it’s an unknown. And yet therein lies another problem: as @Infosec_Tourist pointed out, metatagging can become a covert channel in and of itself.
Another question we sourced to our audience was whether or not compensating controls could provide the necessary trust of cloud providers in order to accelerate the adoption phase. @JadedSecurity chimed in that controls would have to be built into the application layer – and therefore the environment itself must be treated as hostile. So, if you build compensating controls into the application before releasing it, you should be able to trust them. @e_desouza added that if those applications can be reported on by a third party – like a digital certificate – they can become much more powerful.
Specifically, the most important compensating controls cited by our participants were application controls, encryption, and logical separation. One issue @JadedSecurity and @infosecmafia pointed out, however, was that despite their importance, hardware controls are usually taken out of the equation for many organizations. When you buy cloud services, you rarely have control over hardware, or how to manage, update or harden your instance.
But what about Software-as-a-Service (SaaS) providers? According to many of our participants, SaaS solutions still have a long way to go, specifically when it comes to the commingling of data. One issue that @msarrel brought up is that service providers’ security measures and responses need to be agreed upon up front. Another, according to @adammontville, is that there is little to no flexibility in terms of consumer-grade SaaS. Nevertheless, @Shpantzer asserted that some SaaS services are quite secure, having been audited “to the hilt” by government agencies and enterprises for years. While @JadedSecurity agreed with this, he also noted that it all depends on your risk tolerance.
In a related question, @e_desouza asked what participants believed should be the role of cloud providers when it comes to responsibility for security and risk management. According to @adammontville, cloud providers have a responsibility boundary. Yet, according to @infosecmafia, if you are willing to put your applications and customer data in the cloud, you should be responsible for security testing. Why should a provider be responsible for a data breach of an app or service that a customer provides?
@e_desouza followed up by asking if our followers believed a day would arrive when cloud providers would have to take full responsibility for breaches. @andrewsmhay and @KentMcGovern didn’t think so – or at least, not without legislation and financial penalties. On the other hand, @erikremmelzwall was more optimistic, stating that responsibility will follow as customers evolve in security awareness. When it comes to legislation, @erikremmelzwall claimed that new legislation would only make customers more demanding of cloud providers as their risk value increases. @andrewsmhay pushed back, as he believes that legislation can be extremely useful, since without penalty, there is no motivation for providers to take security seriously.
In the end, there were some thoughtful final impressions to sum up our April #SecChat, with @adammontville stating that we’re still in for a wild ride in the cloud, especially as in-house security fundamentals continue to lag behind. @LabNuke added that we must remember that what was secure yesterday may be wide open today, due to undiscovered and unmitigated vulnerabilities. Constant monitoring, risk assessment and controls are needed, and as @KentMcGovern pointed out, our industry will need to adapt and overcome, and never stop learning.
Thanks again to everyone who joined our April chat. It’s always an educational experience, and we hope to see you all again during our May #SecChat on Embedded Security – 5/17 at 11am PT. Stay tuned here in the Security Connected blog and on Twitter at @McAfeeBusiness for more details on the topic, and how to join the chat.
Security Considerations in Enabling Big Data – Snake in the Grass (Part 1)
Big Data holds a lot of promise – from the potential to change business models to the ability to rapidly refine services and goods that traditionally took years of industry speculation. But the utilization of Big Data isn’t just about mining data within your organization. It’s also about tying it to larger data stores and services. It’s about enhancing data at the point of transaction, through social media interactions, and through multiple other sources. From a security perspective, I believe more connections must be allowed to flow into the organization. Field devices must feed in near real time to centralized data repositories, and analysts need access to it all.
The US government has also taken notice of Big Data’s big potential. The Obama Administration recently unveiled a Big Data Research and Development Initiative, which will see at least six government agencies making a large investment with the goal of “greatly improving the tools and techniques needed to access, organize and glean discoveries from huge volumes of digital data”. It takes experience to leverage this kind of analysis. For example, it’s the kind of activity that enables retailers like Target to determine the likelihood that any one shopper might be pregnant, simply by analyzing the purchasing trends of individuals through predictive analytics. Data has always been used to help home in on business prospects and opportunities, but now this same phenomenon is stretching beyond sales and marketing. Many other industries are looking at how they too can leverage larger and larger data sets.
Both the financial and large retail markets have experience in the data dilemma, but most have focused on their own data collected over time. The Red Flags rule prompted earlier detection of identity fraud for financial institutions, while retailers continue to capture sensitive customer information by luring customers with special offers and loyalty programs. Last year’s Epsilon email breach, which disclosed the email addresses and affiliated relationships with the marketing programs of several retailers and banking institutions, caused real concerns about targeted spear-phishing attacks that use this sensitive information. It’s not only businesses looking to profit from this analytic data, but also cybercriminals.
As more and more industries utilize their own data, they’re also expanding out, leveraging other sources to gain richer business insight. Whether the objective is to drive dynamic business decisions, get in touch with customers, or predict situations to mitigate risk, there are bad guys out there that may want unauthorized access. Even though you may just be starting the process of gleaning information from big data, or as I like to think of it, ‘finding the needle in the haystack’, please consider the security and privacy issues. Businesses and organizations need to put the right security controls and monitoring in place to make Big Data successful – and not a liability.
For more information on the benefits and risks associated with Big Data, stay tuned here in the blog for Part 2 of this series, and be sure to follow us on Twitter at @McAfeeBusiness.
Information Security Within Emerging Markets: Brazil
With the world’s 10th largest economy and 5th largest population, Brazil’s economic acceleration and technical growth are second only to China when it comes to emerging economies. Not surprisingly, this rapid acceleration of economic power and supporting technology has made Brazil a prime target for cyber attacks for well over a decade.
As one of the first countries to offer online banking, Brazil was also one of the first countries to experience cyber attacks on financial organizations. With its very capable and growing IT labor pool, Brazil is also considered to be home to some of the most talented hackers and cybercrime organizations. And as with most cyber attacks, those in Brazil typically have financial or political motivations.
While McAfee offers a number of products and solutions that are relevant to organizations within Brazil, we’ll only focus on a few key areas:
Cloud & Virtualization: Brazil has long had issues with critical infrastructure, including a few high-profile outages that many argue were the result of cyber attack. To keep up with the rapid growth across all verticals, IT is turning to virtualization and cloud solutions. Virtualization of desktops, applications, and servers promises tremendous advantages in organizational efficiency, security, and manageability.
McAfee works with leading virtualization vendors to provide purpose-built security controls such as the McAfee Management for Optimized Virtual Environments (MOVE) platform, which provides security in tandem with efficiency gains such as increased server density, helping to reduce costs.
Security-as-a-Service (SaaS): Neck and neck with global competitors, cloud capabilities are particularly relevant for organizations in Brazil. Cloud services such as McAfee Security SaaS can help save time, effort, and costs by leveraging the cloud for faster time-to-protection to secure the business. As with any country with a large number of Internet users, cloud services can help mitigate the flood of malware that propagates through common email and web-based activities in Brazil, especially when deployed in conjunction with McAfee’s anti-malware solutions for the endpoint.
Dynamic Whitelisting: Critical infrastructure can reap many benefits from modernization, but modernization also creates risk. Blacklisting solutions don’t work well in many environments in Brazil, where the primary focus is on integrity: scan-based solutions require frequent updates and large installation footprints, and they are resource intensive. Instead, McAfee offers dynamic whitelisting, which employs a strategy of only allowing known good activities. This means that updates are much less frequent, if needed at all, network connectivity isn’t required, and it is far less resource intensive. In this way, security can be achieved without negatively impacting system operational integrity.
Bringing It All Together
While all these point solutions and services add value for both security and compliance, they can also add complexity. The McAfee Security Connected framework reduces this complexity with McAfee ePolicy Orchestrator (ePO) and security information and event management (SIEM). McAfee ePO with SIEM allows for centralized management, investigation, and reporting across disparate products, allowing these products to enrich each other while reducing time and resource demands.
For more information on security for emerging markets, look out here in the blog for our next series installment, and be sure to follow us on Twitter at @McAfeeBusiness.
Situational Awareness: Why You Need It, How You Get It
This morning, we announced McAfee Enterprise Security Manager (ESM), an enterprise-class SIEM with true, real-time situational awareness.
At its best, situational awareness in IT security is real-time knowledge of every bad actor and potentially damaging event in the changing environment around us. Extreme as it may sound, IT security managers need the agility of a quarterback who always avoids the sack, coupled with the vision of a coach who’s high up in the press box, scanning the field and calling the plays. Altogether, knowing, seeing, evading, anticipating, preventing—that’s situational awareness. IT managers need it in spades, because they must continuously monitor current and emerging threats, understand the dangers they pose to the assets they protect, and dynamically adapt their game plans to the evolving threat landscape.
But extracting actionable insights from digital reams of security data is no simple matter. It requires collecting, processing, and correlating multiple streams of internal and external data, then understanding their local implications in a global context.
The Roots of Situational Blindness
The great quarterbacks are those with an ability to accelerate analysis and decision-making. In the security game, that boils down to reducing “time to root cause.” Achieving this requires overcoming traditional IT environmental and organizational obstacles. Examples include:
- IT department silos – Functional divisions are common in IT organizations. This means that no one sees the big picture, and incidents are investigated in isolation, without collaboration.
- Untapped log data – Many organizations keep logs only for compliance, not operational forensics. But these histories can be indispensable for identifying ongoing attacks and predicting future ones—if they are available.
- Offline analytics – Most security forensics are deployed for post-mortem analysis, but their greatest value is actually during an event, when they can help prevent or contain damage.
- No predictive capability – Most organizations are not yet capable of getting ahead of threats by determining their power to do harm and predicting their future trajectories.
- A narrow view of threats and vulnerabilities – Many organizations remain willfully unaware of threats beyond their own network perimeter, or of vulnerabilities beyond their Microsoft applications and operating systems.
The Solution: Bring It All Together
To achieve situational awareness of the threat landscape as it changes in real time, IT organizations need to break down the technical partitions that separate security teams and their data. That means obtaining management tools such as McAfee ePolicy Orchestrator® (McAfee ePO™) and McAfee Enterprise Security Manager (ESM), which are specifically designed to eliminate silos and tightly integrate administration and analysis.
McAfee ePolicy Orchestrator (ePO) is the industry-leading security management console, letting IT administrators unify security operations across endpoints, networks, data, and compliance solutions. It provides end-to-end security visibility and powerful automation features that reduce incident response times, strengthen protection, and decrease the complexity of managing risk and security. McAfee ePO can share data seamlessly with third-party solutions and links up with McAfee ESM through a two-way connection to optimize threat tracking and risk assessment.
McAfee ESM is an enterprise-class security information and event management system (SIEM) that identifies, correlates, and remediates threats, wherever they arise. It integrates logs, events, and data from throughout your environment and puts them in context with real-time feeds from McAfee Global Threat Intelligence. And it helps you find the information you need to identify incident root causes quickly and efficiently. Like McAfee ePO, it integrates seamlessly with other key McAfee security solutions.
Just like on the football field, in IT security, you need to know everything that’s going on around you at every instant. With McAfee security solutions, you can gain the situational awareness that puts you at the top of your game.
Positioning the Security Team Using Influence: Part 2
In my first post on styles of influence, I discussed rationalizing – a style characterized by a logical perspective that does not account for emotional or political considerations. Its utility is limited to circumstances where quantifiable and verifiable metrics dominate the decision-making process. Unfortunately, the analysis of information security risk is handicapped by a lack of actuarial data to strengthen a rational analysis.
Our exploration into influence continues by examining a style that leverages the perceived power of organizational policies, standards, and best practices to support an argument.
Asserting
In their article, When Your Influence Is Ineffective, Chris Musselwhite and Tammie Plouffe describe the assertive individual as relying on company policies, rules, authority, and self-confidence to influence others. Without awareness and finesse, however, the influencer can be seen as being overbearing or aggressive. “This can lead to resistance or resentment accompanied by passive aggressive or negative behavior, which can result in compliance when the influencer really needs commitment.”
Security engineers, analysts, and auditors are apt to use security policies or industry best practices as the foundation of their guidance rather than addressing business needs. While valid in their substance, these appeals to authority are perceived negatively, as they rarely take into account the business drivers that motivate initiatives.
Security professionals forget that the business will rarely tolerate a security policy that hinders business. Unless it is coupled with a State or Federal mandate, policy is often set aside for competitive advantage. Many of my clients have granted policy waivers to executives and suppliers in order to facilitate business. Any attempt to impose contrary governance ended up on a report that reflected the concerns of the security team. End of story.
Success Tip
Policy alone is not enough to deter business decisions that open the business to attack. Assertive professionals should connect security investments to business priorities when trying to influence decision makers. Security professionals should also be aware of the political interpretation of any policies they choose to enforce. This style is best used with peers or with direct reports; it is not advised when influencing upwards or working with collaborative groups.
Next week we will explore a style associated with diplomacy and compromise – negotiating. While useful in resolving conflicts and finding new solutions to problems, this style can also be abused to benefit a particular party. Stay tuned to @McAfeeBusiness for more tips and case studies highlighting the fusion of information security and business.
Join @McAfeeBusiness for #SecChat 4/19: Data Center Security and the Cloud
Recent trends show that organizations large and small are flocking to the cloud in efforts to cut overhead costs and boost the energy efficiency of their data centers. According to a recent AMI-Partners study, more than 30% of SMBs are currently using the cloud to store data, a number that is only expected to grow over time. At this point it is clear that cloud computing is here to stay – the question is how to leverage these technologies securely.
Along with the benefits of cloud computing come additional risks and complexities that can make IT admins feel like they’re losing control of the data center. Cloud adoption has blurred the boundaries that have traditionally defined what needs to be protected, giving IT less control over application usage and greater potential for vulnerabilities.
Next Thursday, 4/19 at 11am PT, we want to hear your take: What are some of the specific security factors you believe are inhibiting cloud adoption? How does your organization feel about using SaaS-based services such as Salesforce.com, or box.com? Do you believe it would accelerate an organization’s adoption phase if compensating controls could be put in place to provide trust of public cloud providers? What are the biggest audit and compliance concerns you have in regards to public cloud environments, and where do you see this space evolving as time goes on?
Join us and voice your opinion on the pros and cons of public, private and hybrid cloud computing, and the challenges these solutions present to modern data center security.
Logistics: How do I participate in #SecChat?
1. Find
- Search for the #SecChat hashtag (via TweetChat, TweetDeck, or a Twitter client) and watch the real-time stream.
2. Follow
- @McAfeeBusiness will get the conversation rolling by posing a few questions to participants.
3. Engage!
- Tweet your reactions, questions and @replies to the chat, making sure to use the #SecChat hashtag.
- #SecChat should last about an hour.
March #SecChat Recap: Critical Infrastructure Security
As we kicked off our March #SecChat on critical infrastructure, the first question on many participants’ minds was one of definition: What makes an infrastructure critical in the first place?
There seem to be countless general definitions for critical infrastructure floating around, and quite a few short lists of which infrastructures should be included. None of these lists or definitions should be considered definitive, as the criteria will continue to expand over time. As our followers pointed out, “critical” could define any infrastructure whose prolonged disruption would cause significant distress. This includes industries we traditionally think of as critical infrastructure, like gas, oil and electric, but it can also include things like the Internet, which many modern infrastructures now rely on.
One point of agreement quickly reached, however, was the fact that critical infrastructure has been, and is now, a target for organized attack.
One interesting question posed by @CaffSec was whether or not Internet connectivity should be built in to critical infrastructure, given the added threat of cyber attack. The fact that network connectivity is now vital to so many critical systems can be a troubling thought; as @ChetWisniewski pointed out, the most damaging attacks cause cascading failure. If the Internet or the power grid goes, so do many other critical services. Still, @JadedSecurity asserted that taking critical infrastructure off the Internet would only remove the word “cyber” from the threat – critical infrastructure is and always will be at risk.
Another point touched upon was that the combination of old and new makes many industries more vulnerable. @JadedSecurity and @ChetWisniewski chimed in that the reason SCADA systems seem to be in the spotlight more often is that they’re still being configured with unrealistic assumptions of isolation. @LabNuke agreed, adding that the situation gets complicated because although many organizations want to upgrade legacy systems, the upgrades can be prohibitively expensive and hard to justify to business higher-ups.
When asked about some non-technical strategies for improving CI security, @chrisjager suggested an improvement in training, authorities and delegations, incident handling and change management, while @ArchangelAmael noted that end user training has been effectively ignored in the past. In addition, @JadedSecurity noted that executives now expect to be able to use any and all personal devices at work – a security risk that the organization is not necessarily equipped to handle, or willing to pay for.
Finally, one of our last topics on the table was government assistance – what can the government do to help or hinder the protection of critical infrastructure? I believe that accelerated depreciation or refundable tax credits would encourage CI companies to invest in security resources. But as @japi999 pointed out – are governments ready to increase their cyber defense budget, even if it means putting less money towards traditional defense? It’s a tough question, and something to watch closely as time goes on.
Thanks to everyone who joined us for this month’s #SecChat discussion. It was great to hear the input of so many industry thought leaders, and I look forward to seeing some of you in next month’s chat!
Our April #SecChat will be held on Thursday, April 19th at 11am PT on the topic of Datacenter Security. Stay tuned for more detailed information on the topic here in the blog, and from @McAfeeBusiness on Twitter.
Positioning the Security Team Through Influence: Part 1
Last week I discussed how information security is broken at the relationship level. This was illustrated by highlighting some challenging outcomes from the dysfunctional communications between security teams and their business customers. While several remediation strategies were posed, the essential approach to enhancing the role of security professionals is to enhance their organizational influence. This article kicks off a series exploring basic influence styles, the associated pitfalls, and guidance for their proper application.
According to Chris Musselwhite and Tammie Plouffe, “In today’s highly matrixed workplace, your ability to influence others can be key to your professional success.” Their article When Your Influence Is Ineffective addresses the challenge of influencing the many personalities which comprise the typical corporate culture. “The bottom line:” write Musselwhite and Plouffe, “since we naturally default to the one (sometimes two) styles that work best at influencing us, our influencing ability and our effectiveness to influence others will remain limited until we develop influence style agility.”
The lesson highlighted in this article is simple in its expression but complex in its implications – strategy and tactics must guide the application of influence. Influence styles are a reflection of the influencers and, by extension, their team. Thus, they must understand the situations to which different styles are applicable. “While the influencer may gain the short-term desired outcome, he or she can do long term damage to personal effectiveness and the organization.” Just as poorly used network scanning tools can lead to disruptions of IT networks, amateur attempts to influence can result in disruptions in the professional network or long-term denial-of-influence.
We start our exploration with Rationalizing, a style defined by the use of rational and logical arguments. Its usefulness relies on the availability of reliable data that can be analyzed objectively.
Rationalizing
This style is effective in cultures that value a dispassionate view of problems, a view that rarely dominates corporate decisions. Influencers that “ignore value-based solutions, or fail to consider the emotions or feelings of others…can be perceived as competitive or self-serving, and may generate a competitive response.”
Forgetting the emotional and political dimensions of any decision will diminish or nullify the power of a rational appeal. While reviewing network architecture and implementation artifacts for a client, I commented that they lacked information I needed to approve the design. Informing the security manager of these issues, I noticed a contentious shift in the way he related to me. Although the engagement ended on a positive note, I had to spend additional time to ensure that I was seen as a trusted advisor.
Success Tip
This style is effective when combined with styles that recognize the political and business decision drivers, such as negotiating and bridging. Associating mutually accepted metrics with business objectives is one approach to using this style effectively. Most importantly – always analyze data in the context of the initiatives that take priority for the business.
Stay tuned to the @McAfeeBusiness Twitter feed for more tips and case studies highlighting the fusion of information security and business.
Information Security Within Emerging Markets
I’m kicking off a series of blog posts over the coming weeks and months related to emerging markets. Look for countries such as Mexico, Brazil, Peru, Colombia, and South Africa to be discussed. Later, we’ll explore other countries including those in Asia as well as Europe and the Middle East.
The terms “emerging markets” and their subset “frontier markets” demand a bit of definition before I go too much further. Warning – pretty much every resource has a different list and a different definition.
The simplest way to think about emerging markets is a country with an economy and stock market in the early phases of development juxtaposed with developed, industrialized nations such as the United States, Germany and Japan. Countries in the emerging markets category generally include China, India, Russia, Brazil, Colombia, Mexico, South Africa, Hungary, Poland, Thailand, Vietnam and about 20 others depending on which list you are looking at.
Frontier markets are a subset of emerging markets that are generally smaller and less liquid. They include: Estonia, Zimbabwe, Kuwait, Sri Lanka, and about 20 others.
I recently wrote an article for (In)Secure Magazine on this topic in which I discuss my personal experiences working in these countries and addressing information security. I focused on a few areas including threats, trends, workforce, regulations, and infrastructure.
While the threats and trends within emerging and developed markets are very similar, the way those threats and trends are approached can be, and should be, quite different – including the types of security products and services that take priority. Because of finite resources, lacking educational systems, limited regulatory controls, and faulty infrastructure, information security strategies must be “tweaked” with that particular country’s challenges and capabilities in mind if they are to be successful.
Stay tuned for more country-specific details on this topic here in the blog, and be sure to follow @McAfeeBusiness on Twitter for daily updates on McAfee news and events.