TheInfoPro » Security

High-risk Staff? Executives and IT Are Equally Risky

dkennedy — Tue, 03 Jan 2012 08:36:38 +0000

Written by Daniel Kennedy, Research Director for Information Security

It has long been a subject of discussion in security departments, and entire vendor business offerings are built around it: How do you control and monitor the activities of high-risk users in your system’s environment? But who are the highest risk users? We asked that very question in our Wave 14 Information Security Study, and while most of the results are as expected, at least one might be a surprise.

When it comes to the personnel types security managers are most concerned about, contractors and temporary staff easily top the list, doubling the percentage of responses over the next-highest answer, remote employees.

An equal percentage of respondents, 11%, believe the highest threat to be IT staff with elevated privileges or executive management personnel’s use of computing resources. While that may seem surprising, the idea that technology employees with the “keys to the kingdom” in terms of passwords and production access are only as risky as senior executives, these are both staff types that typically have the authority to bypass security controls if they elect to. The first can simply abuse the privileges they have been issued to do their jobs; the second has the organizational authority to potentially force a bypass of security controls.

When asked if they were more concerned about internal or external security events, security managers recorded a nearly even split. Twenty-two percent (22%) were most concerned about internal, another 22% were concerned about external threats, and the majority, 55%, said they were equally concerned about internal and external security threats.

Reflecting that split, 39% reported that the majority of their security incidents were internal, and 33% said the majority of incidents originated externally. Eleven percent (11%) reported they had not had a security incident, that they were aware of, in the past 12 months.

Possibly Related Posts:

Webinar: 2012 Information Security Forecasts

dkennedy — Thu, 15 Dec 2011 21:41:35 +0000

2012 Information Security Forecasts – Who Will be the Winners & Losers?
Wednesday, December 14, 2011 2:00 PM – 2:45 PM EST

Replay Link: 2012 Information Security Forecasts

Some of the key trends we will be discussing from our Information Security study are:

Information Security spend is strong with many diverse drivers:

Directionally for 2012, Information Security Professionals are not planning a slowdown. Thirty-seven percent are planning an increase in spend, with 16% planning a decrease.
Thirty-nine percent are spending more in 2011 vs. 2010, and only 15% are spending less – showing the resiliency of the market in challenging economic times.
In the one-on-one interviews, decision-makers detailed compliance, mobile devices and preventing data loss as the drivers for spending increases.

Data Leakage Prevention (DLP) and Application-Aware Firewalls are products on
the move:

Data Leakage Prevention (DLP) resides in the top spot of TheInfoPro’s proprietary Information Security Technology Heat Index™, which gauges immediacy of planned implementation for 40 technologies, as the G2000 look to protect custodial and intellectual property data from leaking out of their environment.
The traditional antivirus vendors, Symantec (SYMC) and Intel’s (INTC) McAfee, look to benefit with rollouts of both endpoint and network DLP on tap.
Application-Aware Firewalls make a nice jump in the Heat Index, with Palo Alto and Check Point (CHKP) benefiting from the 28% of in-plan implementations.
Palo Alto will be a vendor to watch as it is beginning to replace some of the major incumbent providers with its application-visibility-based approach.

Possibly Related Posts:

Who Does Infosec Report To?

dkennedy — Mon, 12 Dec 2011 21:51:23 +0000

Written by Daniel Kennedy, Research Director for Information Security

At an information security leadership conference years ago, the debate topic was raised: “Who should the information security head report to?” A number of different reporting structures were represented at the table, and each security lead made his or her impassioned argument as to why it was best that security be situated in IT, legal, compliance, finance, audit, or other arrangement.

To hear it as well as sources in the information security trade press, you would assume there is little alignment organization to organization as to where the information security department sits. Here as with many similar questions, TheInfoPro has an advantage; we can simply ask a critical mass of security managers where information security sits in the organization, to see where the org chart’s evolution is taking us. The response: It is still information technology.

Originally published as a ThursdayTIP to the respondent network of TheInfoPro. Would you like to receive all of the ThursdayTIP reports when they are fist released? Sign up here for TheInfoPro’s respondent network.

Information Security Division

Perhaps concerning, only 70% of enterprises identify information security as its own department within the organization, which one can extrapolate to there being 30% of firms where there is no single dedicated security resource in place. Ninety-two percent (92%) situate information security somewhere within IT, whether it is reporting directly to the chief information officer (CIO), 36%, or the head of IT, 20%, or buried further down the IT management food chain. Of the 8% outside of IT, popular repsonses for who security officers report into included the head of compliance, the COO, internal audit, or to a head of risk management.

Respondents provided the following comments illustrating where the security role fits within their organizations:

“This is difficult for me to answer. If you count heads, the answer is yes, but of all the people doing security work, do they all fall under security? No. It’s tough to answer this without potentially skewing the data.”
“Yes – within IS, there are five departments: network services, clinical systems, business operations, and executive info systems, IT governance.”
“We are part of infrastructure management org, which is part of the business process organization. This will change when we name a CISO, who will report directly to the CIO. We will be a separate function from IT and infrastructure management.”
“CIO, he is also the CISO.”

Included in this narrative is the final bullet above, which illustrates the somewhat common, but nonetheless dubious arrangement, where the same person is responsible for both IT management and information security. I say dubious because clear separation of duties issues emerge in such an arrangement, where the yin of wanting to deliver on IT projects is not balanced properly against the yang of considering those implementations in a security risk management context, which frequently adds additional requirements and may even close off certain paths of implementation based on incurring too great a risk to the enterprise.

Possibly Related Posts:

Tracking Exciting Vendors, Security Wave 14

dkennedy — Mon, 28 Nov 2011 09:00:13 +0000

Written by Daniel Kennedy, Research Director for Information Security

Far and away, the choice of both large and midsize enterprises for the most exciting vendor this wave in terms of products and services was next generation firewall maker Palo Alto Networks. The application-aware firewall or next generation firewall, a fusion of the capabilities of stateful and application firewalls, is generating a good buzz amongst respondents: “Palo Alto’s probably the most innovative I’ve dealt with, specifically their application discovery or app[lication] identity.”

The second most exciting vendor in aggregate (full sample) is FireEye with its advanced malware detection solutions, buoyed strongly by responses amongst midsize enterprises. Rounding out the list of exciting vendors are industry stalwarts EMC (RSA), Symantec, and Intel (McAfee).

The application-aware firewalls also lead the network security pack with a heat score of 62, and a 28% in use figure that could jump 33% based if pilots and near-term plans come to fruition. Of the respondents with application-aware firewalls on their roadmaps, 39% of respondents see their organizations spending more in 2012, with Palo Alto Networks seeing the lion’s share of the benefit. If the company can convert on long-term implementation plans by respondents’ enterprises, it could carve out a healthy niche of a firewall market currently dominated by Cisco and Check Point in our studies.

Anti-botnet solutions have had a warmer reception amongst the midsize enterprises, while 14% have a solution in place, another 14% have an implementation in their plans down the road, with FireEye looking to benefit. Still, the technology appears not ready for prime time, with 73% of midsized enterprises reporting no plans for integrating these products.

What do respondents have to say on the top two exciting vendors?

“Palo Alto – I like their mobile solutions.”
“We’ve looked at FireEye and haven’t formed any opinion about whether to move forward.”
“Palo Alto – next generation, not tied to traditional monitoring, but threat ID allows you to make rules more granular.”
“We are very impressed with FireEye’s approach. In that space, other vendors will catch up.”
“[Palo Alto does] a single pass instead of Fortinet’s multiple proxy, which hammers the resources and doesn’t give enough granularity in reporting. It’s a more cohesive design.”
“FireEye’s virtual machine-based detection system for malware. It anticipates malware and tells you what may likely be malware before you can get signatures out.”

Possibly Related Posts:

Realities of IT Consumerization Will Be a Boone for Mobile Device Management

dkennedy — Tue, 22 Nov 2011 21:09:12 +0000

Written by Daniel Kennedy, Research Director for Information Security

IT consumerization is spreading into the enterprise environment, causing enterprise network managers some pain. As one respondent notes: “It’s common right now, adoption rate and the non-official adoption rate of high technology that can potentially be integrated into our enterprise is just out of control, just like a wildfire. Seems like we’re chasing after it with policy and tools; the end user is leading the pack. We even have some of that denial going on in our organization. Lots of people, technically savvy people, know how to read how to do [technical] things [to mobile devices] on the internet. A huge underground thing going on with mobile devices, everything. BlackBerries [these days], everybody chuckles, you still have a BlackBerry?”

The most common manifestation of this trend as our respondently aptly noted is the smartphone. The table below, you can see there is both an existing mass of non-enterprise issued devices today – to the point where they far outnumber enterprise issued devices – and that in the next 24 months the presences of non-enterprise devices will increase at twice the rate of enterprise-issued devices. Forever gone are the days of managing an environment that consists of a BES server and a handful of executive BlackBerries.

Originally published as a ThursdayTIP to the respondent network of TheInfoPro. Would you like to receive all of the ThursdayTIP reports when they are first released? Sign up here for TheInfoPro’s respondent network.

Current level, and projected growth, of smartphones connected to the enterprise network.

As is often the case, pain is a precursor to possibilities, in this case for mobile device management solutions. Mobile device management, or MDM, software is responsible for securing, monitoring, and assisting in the management of multiple different providers, operating systems, hardware across mobile devices in an environment. The primary goals of implementing such a solution are reducing the provisioning and support costs for dealing with a multitude of devices accessing enterprise data, and to ensure the security controls around having that data accessed by a variety of mobile devices.

When we asked respondents what types of non-enterprise devices were being connected to the network, the top answer at 50% came back as, perhaps not surprisingly, Apple. Forty-three percent (43%) of respondents noted a significant impact of non-enterprise mobile devices to the enterprise network.

In terms of vendors, RIM still leads the space for MDM technology in the enterprise, but according to respondents Good Technology is on its heels, with a number of implementations planned over the next six months.

Below is a sampling of user sentiment about MDM gathered thus far:

“[We’re] using leading-edge mobile device management, Good Technology.”
”McAfee has a new mobile management tool that is pretty cool. It allows you to segregate the device. Good Technology also offers mobile device management for the corporate network.”
“Support is the greatest pain point. Our management doesn’t understand the impact of mobile to date or the future impacts.”

Of course we’ll have a fuller picture of the MDM space at the close of our ninth Networking Study.

Possibly Related Posts:

Spending on Information Security Continues to Outpace the Rest of Corporate IT According to Latest Bi-Annual Study of the Global 2000 by TheInfoPro

dkennedy — Thu, 17 Nov 2011 17:47:48 +0000

High Profile Breaches and Mobile Devices are key spending drivers according to a report authored by Daniel Kennedy, former Wall Street Chief Information Security Officer and now Research Director for Information Security at TheInfoPro

NEW YORK, November 17, 2011 – TheInfoPro, a division of leading analyst and data company The 451 Group, recently released the findings from its bi-annual study of the Information Security market, where the source of the data is in-depth, one-on-one interviews with over 150 decision-makers in the Global 2000. Key findings include:

Information Security spend is strong with many diverse drivers:

Directionally for 2012, Information Security Professionals are not planning a slowdown. Thirty-seven percent are planning an increase in spend, with 16% planning a decrease.
Thirty-nine percent are spending more in 2011 vs. 2010, and only 15% are spending less – showing the resiliency of the market in challenging economic times.
In the one-on-one interviews, decision-makers detailed compliance, mobile devices and preventing data loss as the drivers for spending increases.

Data Leakage Prevention (DLP) and Application-Aware Firewalls are products on the move:

Data Leakage Prevention (DLP) resides in the top spot of TheInfoPro’s proprietary Information Security Technology Heat Index™, which gauges immediacy of planned implementation for 40 technologies, as the G2000 look to protect custodial and intellectual property data from leaking out of their environment. The traditional antivirus vendors, Symantec (SYMC) and Intel’s (INTC) McAfee, look to benefit with rollouts of both endpoint and network DLP on tap.
Application-Aware Firewalls make a nice jump in the Heat Index, with Palo Alto and Check Point (CHKP) benefiting from the 28% of in-plan implementations. Palo Alto will be a vendor to watch as it is beginning to replace some of the major incumbent providers with its application-visibility-based approach.

The Information Security study was led by newly appointed Research Director Daniel Kennedy. “Information Security spending is very solid in 2011, and looks to remain that way for 2012. It is not difficult to see why, as significant data breaches in the last few years have never been far from the front page. In addition, environmental complexity continues to increase, including the effects of virtualization and cloud implementations, and consumer IT starts to drive enterprise IT requirements, especially in the mobile computing space,” cites Kennedy.

Prior to joining TheInfoPro, Kennedy was a Partner in the information security consultancy Praetorian Security, LLC, where he directed strategy on risk assessment and security certification. Before that, he was Global Head of Information Security for D.B. Zwirn & Co. (now Fortress Investment Group), as well as Vice President of Application Security and Development Manager at Pershing LLC, a division of the Bank of New York.

About TheInfoPro Information Security Study
The Information Security study is completed biannually and is based on hour-long interviews with Information Security decision-makers at large enterprises in North America. The study focuses on large enterprises: technology roadmaps, vendor performance, forward-looking spending plans, top projects, pain points and organizational metrics. This most recent study had a particular focus on the impact of virtualization, cloud and mobile devices on an organization’s security efforts. A sampling of vendors covered in the Vendor Performance and Technology Roadmap components of the study include: Cisco (CSCO), Check Point (CHKP), Juniper Networks (JNPR), Rapid7, WhiteHat Security, Websense (WBSN), Sourcefire (FIRE), Palo Alto Networks, Fortinet (FTNT), Oracle (ORCL), Dell (DELL), EMC (EMC), Microsoft (MSFT), Blue Coat (BCSI), Trend Micro, Sophos, HP (HPQ) and FireEye. For additional information, or to order this report, please contact sales@theinfopro.com.

About TheInfoPro
TheInfoPro is a division of The 451 Group and a leading advisory and research firm that provides real-world perspectives on the customer and market dynamics of the information technology landscape. Using a unique research methodology that harnesses the collective knowledge and insights of leading IT organizations worldwide, TheInfoPro serves as a conduit between IT decision-makers, technology providers and institutional investors. To learn more, visit http://www.theinfopro.com or email sales@theinfopro.com.

About The 451 Group
The 451 Group is a leading technology-industry analyst and data company focused on the business of enterprise IT innovation. The company provides critical and timely insight into the market and competitive dynamics of innovation in emerging technology segments. Clients of the company – at vendor, investor, service-provider and end-user organizations – rely on The 451 Group’s insight to support both strategic and tactical decision-making. The 451 Group is headquartered in New York, with offices in key locations, including San Francisco, Washington DC, London, Boston, Seattle and Denver.

MEDIA CONTACT:
Lynn Schwartz
Newsmaker Group for The 451 Group
lschwartz@newsmakergroup.com
(973) 736-7118

Possibly Related Posts:

SIEMquisitions

dkennedy — Mon, 14 Nov 2011 21:51:01 +0000

Written by Daniel Kennedy, Research Director for Information Security

On Oct. 4, IBM announced the acquisition of security information and event management (SIEM) provider Q1 Labs for approximately $575 million, according to The 451 Group’s M&A KnowledgeBase. This is at least the third SIEM solution IBM will have established under its umbrella, but potentially also the most expansive solution when it comes to capturing the emerging combination of log management, network monitoring and security monitoring solution space. With this acquisition, IBM plans to create a new Security Systems division led by Q1’s current CEO, Brendan Hannigan.

This move follows Hewlett-Packard’s acquisiton of ArcSight nearly a year ago, and precedes further consolidation in the space; NitroSecurity was also announced as being brought into Intel’s McAfee last week. With this shakeup, IBM is poised to occupy the fourth spot in SIEM market share, according to the results of respondent interviews for the Wave 14 Information Security Study. HP’s acquisiton of ArcSight makes it the de facto leader of the space, with 6% of in plan implementations also going its way. EMC’s enVision product (RSA) and Symantec round out the top of the pack.

SIEM enterprise market share, 14th security study.

The most recent information security study shows SIEM installations at a fairly mature 53% in use in enterprise environments, with 6% of respondents seeing new implementations in their short-term plans and 18% having SIEM installations on the radar in their longer-term project planning. Thirty-three percent (33%) of respondents see increased spending in 2012 on SIEM solutions, with 60% projecting a flat spend into next year.

What do respondents think of the product IBM has acquired? The trend in responses bends positive:

“Q1 Labs’ product is very innovative.”
“[We’ll look at] enVision, Q1 Labs, Symantec.” (In response to a question about spending plans for 2012 for SIEM solutions.)
“We are in woeful need of consolidation. We are evaluating whether to continue on with enVision or use something new. We did a POC with Q1 Labs, or [we may] go to SecureWorks as a third party.”
“Just had this discussion; there are others, like Q1 Labs and EMC enVision.” (In response to a question about switching off another SIEM vendor’s product.)
“The company [Q1 Labs] is innovative. They remain fresh in terms of feature set. They are a small company, and they are subject to being swallowed up! They need to keep the system ‘capable’ at all times, especially keeping up with the patches.”

Possibly Related Posts:

Eight Years After Being Declared Dead, IDS and IPS Keep on Kicking

dkennedy — Tue, 08 Nov 2011 22:55:38 +0000

Written by Daniel Kennedy, Research Director for Information Security

It has been eight years since a well-known technology research company declared intrusion detection/prevention systems (IDS/IPS), those sentinels at the edge of the network that scream out alerts every time they think they see bad traffic masquerading as allowed flow through the firewall, a market failure. Scoring 10th (IPS) and 16th (IDS) on the Heat Index (a relative measure of user demand) for the Wave 14 Security Study, and sitting at a healthy 70% implemented in enterprise environments, the death of IDS has been greatly exaggerated.

Market share, intrusion detection systems.

Intrusion detection systems stand at 70% in use with 15% of respondents reporting implementations in their plans. Intrusion prevention systems are at 60% implemented, with 13% stating that implementations are in their plans. Spending holds steady, with 71% maintaining their spending level and 17% anticipating a greater level of 2011 spending. The sweet spot in pricing and implementation falls under $100,000, with 30% spending between $100,000 and $500,000 on their implementations.

Two of the problems identified nearly a decade ago, cost and throughput, continue to be an issue according to user narratives:

“IDS/IPS in-line – the price point to have a certain level of performance is very high.”
“Opex this year as we move from NIPS to NIDS – it’s a bandwidth issue. We’re increasing bandwidth pipes, and IPS is less effective and creates problems. Moving to IDS and go on alerts vs. blocking.”

The original postulate that many of the functions of the IDS would be subsumed into other edge equipment including the firewall also still holds water for some IT managers:

“I’m not spending anything directly on IPS/IDS – it’s in the firewall.”

And a number of firms have moved to managed services offerings:

“We have a package deal with IBM for security – vulnerability management, NIDS/NIPS, etc. – and that’s about $3 million a year.”

All that said, the product vertical is still going strong in enterprises, with winners and losers being enumerated as we continue to study the results of the Wave 14 Security Study:

“Since TippingPoint was acquired by 3Com, then HP, there have been some support issues.”
“I like the Sourcefire IDS.”
“I really like Sourcefire! They have an event classification within an IDS product. Compared to their competitors, they use open source rules. TippingPoint or Cisco, you can’t do that. Sourcefire has a great management console as well. I can’t think of any weakness since they fixed the backup issues.”

Possibly Related Posts:

They are the 11 percent (or less) who really get security

dkennedy — Tue, 01 Nov 2011 18:04:00 +0000

TheInfoPro In The News – Excerpt from original article from CSO Online:

“With that increased risk environment, one would hope enterprises are becoming more strategic in how they deal with the challenges. But that’s sadly not the case, according to this year’s annual Global Information Security Survey, conducted by CSO and CIO magazines in partnership with PricewaterhouseCoopers. More than 9,600 business and technology executives from around the world took the survey, and 43 percent of them believe their organizations are IT security leaders.
….
“There are two ways to look at that data,” says Daniel Kennedy, research director for information security and networking at the research firm TheInfoPro. “You can be glad they’re confident about their security posture, they must have some reason behind that. I do wonder however, if there is something along the lines of the Dunning-Krueger bias, in which unskilled people make poor decisions but don’t realize their own incompetence.”"

http://www.csoonline.com/article/692897/they-are-the-11-percent-or-less-who-really-get-security

Possibly Related Posts:

Firewall Fight

dkennedy — Sat, 22 Oct 2011 09:04:02 +0000

Written by Daniel Kennedy, Research Director for Networking

It has been a long time since network firewalls, those technological barriers designed to prevent unwanted communications between networks, could be considered a technology on the move. Sitting comfortably with 99% of respondents having the technolgy in use (per TheInfoPro’s Wave 13 Information Security Study), spending changes are usually budgeted around either network expansion or a technology refresh. Or, as one respondent put it: “It is purely procedure. When we have to buy new boxes, we are forced to look at alternatives.”

In looking at those alternatives, enterprise respondents are slowly gravitating back toward Check Point, away from the market-share leader for years in our research, Cisco. Spending levels with Check Point are stronger than the nearest two competitors, with 28% spending more with Check Point in 2011, with Cisco at 12% and Juniper at 14%. Are older PIX firewalls being yanked out, but ASAs not being put in?

Sec14 Primary Providers - Network Firewalls

Two studies ago, Cisco owned 55% of the market share to Check Point’s 39% and Juniper’s 14%. In the previous wave of research, Cisco sat steady at 55% to Check Point’s 36% and Juniper’s slightly better 17%. Come 2011, Check Point has closed the gap, sitting a single percentage point behind Cisco in market share among respondents, with Juniper falling back to 11% and Palo Alto’s application-aware firewall rising from below 1% to 4%.

Why the change? Respondent commentary on satisfaction with Check Point’s products is instructive here, but also portends a brewing cost issue in the way product licensing is handled:

“No other vendor has the manageability that Check Point has. They need to take their competition more seriously, and they need to be more innovative.”
“Check Point has great technology. They are still extremely expensive; they need to do more discounting. The capex up front is workable, but the maintenance starts off at 40%! They really need to fix this.”
“Check Point is the market leader, and they have excellent resources. Price is an issue with them. Their licensing is enough to make you crazy. There is a line item for everything!
“As you can see, we love Check Point. The products are rock-solid, and the technology is great. What makes them so successful is the quality of their GUIThe only down side is the configuration. The product has become big and complex. This would be tough for a new buyer, a very steep learning curve.”

Cisco, the market-share leader for firewalls in our research, offers a slightly more mixed bag of commentary, but leans to the positive side. Again, we see cost and ease of use as opportunities for improvement voiced by the respondent base:

“Ease of access to skills. Everyone knows Cisco. The brand is strong and the tech support is good. Nothing great, but good in the security arena. The ease of use with their firewall is a problem. The log feeds are not as good as Check Point. It is tough to navigate. We will look at some other vendors that seem to be easier to use and offer greater features.”
“Cisco is very diversified – too much so.”
“Apart from the cost, which seems too high, and the fact that others seem to be passing Cisco in this space (in terms of innovation and functionality), we like and know how to use this product, so there’s a comfort factor we’ll have to take into account.”
“Cisco has a great market shareWe choose to do business with Cisco over, let’s say Check Point, because ASA offers a common platform. Support and trainability is also a lot easier. Check Point does not have the granularity. The cost for the products is high. Perhaps Mr. Chambers needs a cut in pay!”

Finally, why is Juniper stagnating? One respondent provided this reasoning:

“They [Juniper] were the Bentley in the firewall market, and decided to chase Cisco by making everyday automobiles – their firewall solutions are poor – they killed their offering.”

Possibly Related Posts: