Brent Huston interviews Connie Matthews, who is on the Central Ohio ISSA Board and serves as the Special Events Coordinator. We were fortunate to be involved with the conference this year and the event just keeps getting better and better! Tune in to hear what was learned from this year’s event and ideas for the future!
We hear a lot of questions about how organizations should handle the increasing consumer use of cloud-based IT services. Services like Dropbox, Google Apps, Github and many others offer unique and powerful tools that users have come to depend on in their personal lives, and so some of those tools “leak” into their work lives as well. Often this means that data once considered corporate in nature is increasingly in play in these largely consumer-focused services. In fact, with Apple’s coming iCloud integration into all iOS devices on the horizon, some organizations are in a downright panic about how to manage these new services in their user populations.
We want to offer up three suggestions for organizations facing these issues (most of us):
Accept that these changes are coming and that they are impactful. If your security focus is still on the “perimeter”, this should be the last of the warning bells. That ship is sinking, and FAST. Today, organizations need data-centric controls that allow for flexibility in data usage and protection. Users work from a rapidly changing set of locations and use data in a very dynamic set of ways. Your IT architectures and controls need to allow for those changes or face increasing levels of danger and obsolescence. You cannot stop consumer cloud services from leaking into your enterprise. Accept it and figure out how to adapt, or you will be left behind by competitors and by the talent you are trying to retain.
Create a dialog between users and technology teams to discuss how consumer cloud services are being used today and how they could be leveraged tomorrow. The greater the dialog, the better the insight your team will have into exactly how data is REALLY flowing in and out of your enterprise and how users are getting their work done in the real world. These discussions require trust and ongoing relationships, so begin to foster them in your organization.
Understand your threats and controls. In this new cloud-focused world, especially when consumer-grade tools are all the rage, organizations MUST begin to switch their thinking away from “do the minimum” attitudes and tunnel vision on compliance. Instead, they must create effective security initiatives that focus on the specific data they must protect, the controls they have in place that they must manage and monitor, and the threats that data faces when in play. If they build proper security programs around these ideas, not only will their risk decrease, but compliance will likely follow almost automatically. At the very least, they will find that the effort needed to comply with regulation x or guideline y has been largely reduced to an academic exercise, since they will already have their data properly mapped, segmented and controlled.
We know these three suggestions have a “soft skills” feel. Maybe you expected a suggestion for more firewalls, detection tools or crypto? But the real story here is that we need not only better tactical approaches and toolkits to solve the coming security issues we face, but a holistic strategy to apply them effectively as well. That said, before you invest in another round of cloud-based detection thingees or a new quantum cryptography system with geospatial locations for keys, how about we all take a moment, sit down, and discuss how users are really working now and what they want for the future? Maybe if we think this next huge step forward through a bit more and take a more strategic approach, we can figure out how to make users happy AND secure their data. Hey, I can dream, can’t I? 🙂
“Compliance-centric security is bleeding us dry.”– Brent Huston, CEO and Security Evangelist for MSI
Listen in as our tech team discusses compliance-centric security, including:
What is compliance-centric security?
Why is it a problem?
How it creates a “do-the-minimum mentality”
What is the alternative to compliance-centric security?
Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.
Click the embedded player to listen. Or click this link to access downloads. Stay safe!
Brent interviews two unsuspecting MSI staff who share a few surprising facts. One is associated with a diminutive musical instrument and the other with a state-champion sports team. Take a listen! Surprise Interview
Listen in as our tech team discusses various aspects of APT such as:
How it has been portrayed
Why it often isn’t an advanced threat
Where do they originate?
What can companies do about APT?
Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.
Since the compromise of the RSA environment several months ago, much attention has been paid to the potential impact of the attack on RSA customers.
Given the popularity of the RSA products and the sensitivity of the processes that they protect, the situation should be taken very seriously by RSA token users.
Last night, RSA made a public announcement that information stolen in their breach has now been used in attacks against RSA customers. The primary focus, as far as is known, has been the defense sector, but it is very likely that additional threat focus has been placed on other critically sensitive verticals such as financial services and critical infrastructure.
There are a number of things that RSA customers should do, on the advice of MicroSolved, Inc. Below is a short list of identified strategies and tactics:
Identify all surfaces exposed that include RSA components. Ensure your security team has a complete map of where and how the RSA authentication systems are in use in your organization.
Establish a plan for how you will replace your tokens and how you will evaluate and handle the risks of exposure while you perform replacement.
Increase your vigilance and monitoring of RSA-exposed surfaces. This should include additional log, event and intrusion monitoring around those surfaces. You might also consider deploying honeypots or other drop-in measures to detect illicit activity against, or via, systems reachable through the RSA-exposed surfaces that may have been compromised.
Develop an incident response plan to handle any incidents that arise around this issue.
Increase the PIN length of your deployments as suggested by RSA, where appropriate, based on identified risk and threat metrics.
Teach your IT team and users about the threats and the issue. Prepare your team to handle questions from users, customers and others as this issue gains media attention and grows in visibility. Prepare your technical management team to answer questions from executives and Board-level staff about this issue.
Get in contact with RSA, either via your account executive or via the following phone number for EMC (RSA’s parent company): 1-800-782-4362
In the meantime, if MSI can assist you with any of these steps or work with you to review your plan, please let us know. Our engineers are aware of the issues and the processes customers are using to manage this problem in a variety of verticals. We can help you with planning or additional detection and monitoring techniques should you desire.
We wish our clients the highest amount of safety and security as we, as an industry, work through this challenge. We wish RSA the best of luck and the highest success in their remediation and mitigation efforts. As always, we hope for the best outcome for everyone involved.
Thanks for your time and attention to this issue. It is much appreciated, as is your relationship with MicroSolved, Inc.