On the last (ISC)² ThinkT@nk Roundtable webcast (link to the archive is below), I had the good fortune to moderate a very interesting panel about low tech methods for securing your data. Our panelists ranged from the academic to the pragmatist.

• Dr. Hugh Thompson, Chief Security Strategist of People Security
• Chris Trautwein, Information Security Officer at (ISC)²
• Joe Sechman, Director of Sunera‘s Attack & Penetration Testing Practice

What I found most exciting about the event was the sheer number of ideas being offered by the audience members. While I usually have little trouble keeping up with audience questions during these types of events, we had over 400 people in attendance and the ideas were coming at me so fast that we ran out time before getting to all of them. I want to take a minute to share more of what was going on “behind the scenes” and see if this sort of recap is useful to you. Let’s keep the discussion going. Just add your own ideas and thoughts on the roundtable in the comments section below.

1. Being a supporter of the (ISC)² Security Leadership Program, and the sponsor of this event, it was no surprise that 3M’s privacy filters were discussed as a means of guarding against “shoulder surfing”. These filters are now available for just about every mobile device on the market now and seem like a good starting point.
2. Within just a few minutes of the call, Robert Curee from Rite-Solutions, Inc. brought up another obvious choice: laptop cable locks. I can’t even count the number of times someone at a coffee shop has asked me to keep an eye on their new MacBook while they scurried off to the bathroom. This just seems like a no-brainer for the mobile worker.
3. Martin Linda, from Siemens, then quickly added that they issue laptop bags that don’t look so much like laptop bags. Being able to hide the fact that you are even carrying a mobile device, makes you less likely to be targeted. He went on to add that at Siemens, they issue backpacks and other alternatives to traditional laptop bags with each new laptop going out.
4. Just a couple of minutes later, Jospeh Valinotti of Valador piped up that he encourages larger bags for travelers so that they put their personal affects in with their laptops. His theory being that this helps raise awareness because the user is also thinking about their own “stuff”, not just company assets.
5. In a spark of creativity, David Nelson from the FDIC started attaching a small cat bell to his own laptop bag. This simple idea let’s him know when his bag is being  tampered with, even when out of sight such as when going through airport security.

These first few items seem like an easy way to mitigate data theft, but the questions soon shifted toward how to implement these and other controls. Here are some of the key items we captured on the discussion.

• For physical security controls, such as cable locks and laptop bags, integrate with the purchasing department to ensure that every new mobile device getting released to the field comes with these basic protections.
• Train your users on the proper use of these tools and direct them to your company policy regarding their responsibility for protecting company assets, both physical and ephemeral.
• Not only should you reach out to purchasing, but while we were on the topic of policies, Larry Chu from RS Investments reminded us of the need to include HR in the policy making decision. Especially if you use language around penalties the user could face, such as termination.
• While we are on the topic of HR enforcement of policies, Petr McAllister mentioned a policy of “lose your laptop, lose your job” that he recalled from the CSO of Visa who imparted these words of wisdom at RSA back in 2007 or 2008 (if anyone has a link to the presentation, please send it along).

Keep the ideas coming, we had a great discussion and some of the comments on the live were very encouraging.

Very interesting discussion with a variety of relevant viewpoints

Learned a lot of new ideas to help me in preventing mobile data breaches.

Good presentation. Covered a wide range of issues and potential solutions.

Jam-packed with practical real-world tips, this was an excellent presentation!

In case you wanted to watch it again, or pass it along to your colleagues, the archived event is below.

Related articles:

1. Identity Aware Data Protection and Control Abstract: Enterprise data classification has always been a difficult task,...

Brightfly is pleased to announce that Managing Director of Research, Brandon Dunlap will be presenting at this exciting event brought to you jointly by (ISC)² and the International Association of Privacy Professionals (IAPP) on May 10th, 2011.

This event promises to be a day packed full of discussions on common threats and risks to online security and privacy.

In addition to Brightfly’s perspective on building “Guardrails on the Road to the Cloud”, you’ll also  hear from leading members of the security community as they address recent developments across a number of areas that include mobile communications and social media with a focus on effective techniques for ensuring online security and privacy.

This event will be held at the Sheraton Newark Airport:

Just click the button below to register for the event. Hurry, they fill up quickly!

Related articles:

1. (ISC)2 Secure San Diego 2011 Based upon the fantastic feedback on the Competitive Compliance material...
2. (ISC)2 Secure Chicago 2010 Please join Brightfly’s Managing Director of Research, Brandon Dunlap, on...
3. (ISC)2 Secure Chicago 2011 The Business Model of Security: Competitive Compliance v2.0 Built  upon...

[Brandon Dunlap] What is “EnergySec ,“ the Energy Sector Security Consortium, chartered to do?

[Patrick Miller] EnergySec spawned from a group of security professionals in the electric power business in the Pacific Northwest. The group met for professional lunches and shared security information with their trusted peers. No vendors and no regulators were allowed, it was strictly limited to utility personnel. Due to the interconnected nature of the power grid, more peers from further connected utilities began showing up until we outgrew the restaurant model and had to shift to quarterly meetings. This all-volunteer army of security practitioners (including folks from physical security, information security, disaster recovery, business continuity, audit, regulatory, operations, engineering, etc) ultimately grew into a nation-wide non-profit in late 2008. The mission never changed and it is still intact today: security information sharing between trusted peers in the energy sector.

[BD] How are EnergySec and “NESCO,” National Electric Sector Cybersecurity Organization working together?

[PM] EnergySec is the parent non-profit 501(c)(3) organization, and NESCO is a DOE funded program under the EnergySec umbrella. NESCO’s mission is to lead a broad-based, public-private partnership to improve electric sector energy systems cyber security; become the security voice of the electric industry. I think is it easy to see the natural fit for NESCO under EnergySec.

[BD] A lot of folks from the utility sector would disagree with you about the uniqueness of their security needs. How is EnergySec fostering this collaboration and helping to bring down some of the barriers that have plagued this industry historically?

[PM] I think many industries suffer from the “not invented here” syndrome, but the electric sector is notorious for this. SCADA is SCADA, whether it is power, water, oil, gas, manufacturing etc. Sure, there are uniquenesses to how you manage a live industrial control system (from the management application environments to the endpoint field devices) so that you minimize potential impacts to the always-up reliability expectations but this is not unique to the electric sector.

[BD] How can the broader information security community lend a hand to either or both of these two organizations?

[PM] Security isn’t unique to the energy sector. Great security ideas, architectures and approaches are happening every day. The cross-pollination and interdisciplinary discussions are really where the value is realized. We have much to share from our experience securing both business systems as well as industrial/process control systems (SCADA), and we are open to good security ideas from anyone.

If you are interested, then you can join Patrick on February 22nd to learn more about the NESCO project and what it means for the electric industry.  In this informative webinar Patrick Miller, as both CEO of EnergySec and the Principal Investigator on the NESCO project, will discuss in depth:

• what NESCO is
• why NESCO was created
• NESCO’s mission and goals
• the differences between NESCO and EnergySec
• and the supporting role of NESCOR, funding structure, the critical role of industry, our partnerships, outreach efforts and more.

Date and Time: February 22, 2011 10:00 am PST

Event number: 921 850 714

Event password: nesco

Event address for attendees: http://bit.ly/EnergySecWebinar

Call-in toll number (US/Canada): +1-408-600-3600

Access code: 921 850 714

No related articles.

Enterprise data classification has always been a difficult task, but it has also not been enough to ensure data protection. Once classified, the appropriate controls must be in place to govern the appropriate access and use of that data. In this archived event, the last (ISC)² ThinkT@nk Roundtable webcast of 2010, we explore the touchpoints between identity and access management with data protection and how to craft an identity aware data protection strategy.

Panel of Experts:

This roundtable, moderated by Brightfly Managing Director Research, Brandon Dunlap, plays host to the following security industry experts:

• Charlie McClain, CISSP, PhD, Professional Curriculum Vitae, Information Technology Management, Capella University
• Jared Thorkelson, Principal, DLPExperts and a Guest Researcher for us here at Brightfly
• Gijo Mathew, Vice President, Security, CA Technologies

Related articles:

1. Low Tech Data Leakage Protection Simple Ideas For Protecting Against Data Leakage On the last...

Tim Wright, Senior Manager at Kingston Smith Consulting, kicks off the day with “Plastic Security: An Overview of PCI DSS v2.0“ where he will cover the evolution of PCI DSS from v1.2 to v2.0, highlighting all the changes included in the new version.

Following the Q&A with Tim, we’ll have Blake Dournaee, Product Manager from Intel, this event’s sponsor. He’ll be leading a talk titled “Address PCI Compliance with Tokenization”. In this presentation, Blake will explore the benefits of leveraging tokenization as a means of reducing PCI scope.

Up after Blake,  we’ll have Jeffery Sanchez, a Managing Director from Protiviti. Jeffery will be presenting on the myriad of rule interpretations and the way they have changed over time in his session, “Beyond 2.0, What Else is New”.

Closing out the day’s event is an interactive roundtable discussion on “Data Encryption and Trusted Execution Technology”.We’ll bring Tim Wright and Jeffery Sanchez back on the line, along with Jaff Casazza, the Director of Security Technology from Intel’s Data Center Group.

To register your attendance to this enlightening and informative event, just click the button below.

Related articles:

1. e-Symposium: Implementing a DLP Solution Please join Brightfly’s Managing Director of Research, Brandon Dunlap, as...
2. 36th ISACA International Conference I'm in lovely downtown Toronto, ON enjoying poutine and the...
3. Virtualization Compliance Roundtable Please join Brightfly’s Managing Director of Research, Brandon Dunlap, as...

You can download a copy of the report from Gibson Dunn’s website here.

One of the more interesting pieces that I gleaned from this report was the various state bar associations issuing ethics opinions on the use of social media “trickery” to gain additional information. The example cited in the report, from the New York State Bar Association, states that attorneys may view public profile pages, etc., but may not “friend” the person, nor direct a 3rd party to do so.

Chiling perhaps, but nothing sends as clear of a message about your online life as this quote from the report (emphasis mine):

“Another trend last year saw courts holding that there is no expectation of privacy or confidentiality for social networking communications. In Romano, for example, the court held that the production of information from social networking sites did not violate the plaintiff’s right to privacy, regardless of her chosen privacy settings, because the social networks’ terms of use and their inherent nature provide no expectation of privacy.”

Based on a review of 323 decisions (all of which are listed in the report for your reference), this is perhaps the most comprehensive anylsis of the current state of e-discovery available.

Related articles:

1. (ISC)2 Secure Metro New York The CISO/CPO Partnership: Addressing Online Risks Brightfly is pleased to...

Please join Brightfly’s Managing Director of Research, Brandon Dunlap, as he moderates the latest in (ISC)²‘s ThinkT@nk series: “State of Cybersecurity from the Federal CISOs-A New Perspective.” This one hour online roundtable, based on the findings of (ISC)²‘s latest survey of the Government CISO community promises to be an enlightening event.

The live webcast is being held Thursday, May 6th, 2010 at 12:00pm EST/9:00am PST, and includes the following security luminaries on the panel:

• Greg Garcia, President of Garcia Strategies, LLC
• W. Hord Tipton, Executive Director & member of the Board of Directors (ISC)²
• John N. Stewart, Vice President and Chief Security Officer, Cisco
• Michael Castagna, Vice President of Corporate Information Security, Sallie Mae

To learn more about this event and to register your attendance, just click the button below.

Related articles:

1. Brightfly Welcomes John Petruzzi Outspoken industry veteran, John Petruzzi, joins us as Managing Director...
2. e-Symposium: Implementing a DLP Solution Please join Brightfly’s Managing Director of Research, Brandon Dunlap, as...
3. (ISC)2 Secure Metro New York The CISO/CPO Partnership: Addressing Online Risks Brightfly is pleased to...

Thankfully, via The Fraud Files Blog, Tracy has pointed us to a recent piece by Professor David Albrecht on how the push to IFRS is being driven by the Big 4 (and the lesser firms as well). His hypothesis is that since the only organizations embracing the move seem to be the large audit firms, and that they stand in  the best position to profit from the move, that it their greed that propels this change. He goes on to quote Arthur R. Wyatt’s analysis of Arthur Andersen’s implosion as one fueled by greed, and as a canary in the coal mine perhaps, for the future for this industry. A great read, and one that lays many of pieces out in the open for deeper inspection.

Thanks Tracy! Keep up the good work.

Related articles:

1. AICPA Comes out in Favor of IFRS Ok, I was going to leave IFRS alone for a...
2. IFRS: The New Cash Cow Last Friday the SEC released its new roadmap for migrating...

A Timeline of Events

Back in early 2005, Bain Capital Ventures and Castile Ventures joined existing investors in an oversubscribed C round for Network Intelligence. The $12 million injection brought the total invested up to the $25 million mark. As part of the deal, Bain’s Benjamin Nye joined the board. Just over a year later, in June of 2006, EMC announces a definitive agreement to buy RSA for around $2 billion, which RSA shareholders approve on September 14, 2006. Two days later, on September 16th, EMC announces (in the same press release!) that they had a definitive agreement to purchase Network Intelligence and expected to close in the next 2 days.

Fast forward a year and we find Ben Nye taking another board seat, this time at Rapid7, after Bain Capital Ventures tosses them $7 million in growth funding on September 17th. Ben Holzman, also of BCV, joined the board as well. On September 8th, Jon Darbyshire also secures a place at the big boy’s table. A month later, in a what appears to be a growing trend for open source security tools, Rapid7 swoops in and buys Metasploit, effectively underwriting its continued development.

By the second week of November we see Bain Capital Ventures form a “strategic partnership with Archer Technologies which includes an estimated $29 million infusion (we’ve heard numbers as high as $42 million), netting them a 40% stake in the Overland Park, KS firm. As part of the deal, Ben Nye secures a seat on Archer’s board. Shortly after the ink on the deal dries, Archer announces that they are taking out ailing  PwC spin-off and GRC player Brabeion at a fire sale price (around the $10 million invested by Longworth and Fairhaven), closing the deal on January 22nd, 2009. This deal is largely seen as a content play by Archer to roll Braebion’s ESAS-based controls library into the SmartSuite Framework. Braebion CEO Julian Waits, along with about 25% of his employees, joins Archer. Interestingly, Yo Delmar, Braebion’s CMO, doesn’t take the bait and moves on to EMC within a few months as their Director of Strategic Offer Marketing.

By the end of the quarter, Archer announces that Rapid7 has joined as an integration partner, further deepening the ties between the two organizations. At around the same time, Network Frontiers and Archer announce the integration of the Unified Compliance Framework into the SmartSuite Framework, which leads us to question Archer’s content strategy as they are still struggling to choke down the 6000+ controls they inherited in the Brabeion deal.

By May of 2009, EMC has announced the purchase of Configuresoft. Configuresoft had hitched their wagon to the virtualization engine prior to the acquisition,  a smart move as traditional configuration management vendors began to follow suit. Configuresoft was then folded into the Resource Management Software Group at EMC, quite a distance from the RSA side of the house, firmly ensconcing the products in the management, not security and compliance, side of the business.

Still nursing a hangover from the 2010 New Year and we see EMC’s announcement to buy Archer. While we knew that this was brewing for a while, we thought the hurdles that EMC had placed in front of Archer would cause the deal to drag out a bit longer. Rumor has it that the deal was supposed to be announced and closed prior to the 2009 year end. Obviously, this is one of the facets of the deal that points to the “definitive agreement to acquire” as opposed to an outright acquisition announcement but is a press relations tactic employed by EMC regularly so is of little insight on its own.

What Does All of This This Mean?

We think that EMC/RSA might have difficulty with this acquisition. By placing the Configuresoft product line where they did, we think the silos in a company of their size will make any hope of integration between those products and the Archer SmartSuite Framework more difficult, if not impossible (depiste what Chuck Hollis says). This is further exacerbated by the existing relationships that Archer has with security configuration (nCircle and NetIQ) and vulnerability scanning vendors (Qualys and rapid7 to name just a couple)  where integration has already happened.

The ITGRC space has seen it’s fair share of acquisitions that bring together state-based security and IT GRC reporting, much as we have seen the SEIM market do with event-based security. We saw McAfee pick-up Preventsys (R.I.P.), an integration partner of Foundstone’s when they closed that deal and we have watched Symantec’s Control Compliance Suite do a reasonable job of making good on their BindView acquisition. Most recently, we watched Lumension climb up the stack by acquiring Dallas-based Security Works to layer onto their vulnerability and endpoint solutions.

Another contributing factor in the hot mess of post-acquisition integration is around Documentum. A number of large organizations are still storing audit testing and controls information in document-centric systems such as SharePoint or even the purpose built solutions such as those from Paisley (now ThompsonReuters) and OpenPages (built on PwC’s Internal Controls Workbench) which have historically shown little to no integration with compliance automation products.

Considering the deep involvement of Bain Capital Ventures in this deal, along with the cross-pollination of board seats and personal/professional history among the players, it would come as no surprise to see RSA pick up Rapid7 in a wired deal to accelerate the automation of state-based device compliance reporting while they figure out the rest of the integration story.

We also agree with the guys over at Rook that this might mark a bit of a thaw in security deals. The  price tag (rumored to be anywhere from $120 million to $225 million) has woken the sleeping VC giants which have started sniffing around this space for interesting start-ups to fund. Specifically, Thomas Weisel Venture Partners, who has a good bit wrapped up in BigFix could arrange a marriage with an up-and-coming IT GRC player or maybe even an established one such as Agiliance who already has an integration story. Speaking of Agiliance, with their partnership with McAfee, and McAfee’s churn around IT GRC we think that their integration story holds some weight in the context of state-based security and compliance management and could be picked up fairly easily. A start-up in the space that bears mention is Lockpath. Founded by two early members of the Archer team, Chris Caldwell and Chris Goodwin have deep experience in this market and were recently named Microsoft Start-up of the Day.

From the client side of the equation, you rest assured that this has put a chilling effect on burgeoning integration Symantec was working on whereby they were pumping CCS data into the Archer SmartSuite Platform, bypassing their own dashboard. We also think that Archer’s fragmented content strategy will create some issues as RSA figures out how and what to pile into the platform which could drive some simplification in the long term but some pain in the here and now.

Related articles:

1. Details on BlueLane Acquisition While Hoff called this one on October 10th, by linking...

What is particularly alarming about this whole affair (other than the openness of the mudslinging), is the size of the drop in OSTK’s value on Friday the 30th. Gapping up on Monday the 23rd and hitting a high that day of $16.37, it has since given up over $2.00 in two sharp drops. The first was in the early hours of trading on Tuesday (from $16.18 to $15.50), after Mr. Byrne’s press release hit the wires. Just before the markets closed for the Thanksgiving holiday, OSTK was at $15.30. However, on Friday, the 27th, it opened down at $14.42 and has continued to hover below $14.50 today. Black Friday will forever mean something else within the walls of Overstock.com I suspect. All of this, despite their marketing engine churning out multiple releases regarding holiday promotions.

Perhaps airing your audit issues so openly, and through press releases, should be reconsidered as a strategy.

No related articles.