by Orlando Scott-Cowley

Protect Against Targeted Attacks Webinar – The Highlights

First of all, I’d like to say a big ‘thank you’ to everyone who attended Tuesday’s Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’.

The interest has been huge, and we’ve made the recording of the session available here. We’ll also be focusing on key themes raised during the session over the coming weeks on this blog.

To start, we thought it would be useful to pull out and reflect on some key quotes from the session.

Recording of Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’ from September 30th 2014, when practical steps to protect your business were outlined by Rick Holland.

Rick Holland, Principal Analyst, Forrester Research:

- ‘67% of the espionage cases in organizations involved phishing’ – discussing the Verizon ‘2014 Data Breach Investigations Report’.

- ‘There are two types of phishing vectors – one the malicious attachment…and two, URLs to malicious sites’.

- ‘The average cost of a data breach is $3.5m, up 15% from 2013’ – discussing the Ponemon Institute ‘2014 Cost of a Data Breach Study: Global Analysis’, sponsored by IBM. Interestingly, class-action lawsuits by affected customers are part of the calculation and might be a rising trend for organizations to address.

- ‘As it becomes more common for remote workers to operate outside of VPNs (BYOD and BYOC), enterprises must protect the user when they actually click’. ‘Even if users could put something on their mobile device to protect them, they are hesitant from a user experience perspective.’ – this was one of the key points in the session, as traditional approaches to security only protect users on the network and corporate managed devices. It’s important to think beyond this given BYOD and remote working. Protection must be available no matter the device used to access corporate email systems, without increasing the IT overhead or adversely affecting the users’ experience. As Rick suggested, organizations must ‘protect the click’.

- ‘Sometimes the URL isn’t bad at the time of delivery’ – the attacker may turn the server over from benign to malicious after the email is sent.

- ‘URL rewriting is emerging to protect the user…I recommended it as an RFP requirement.’

- ‘Whatever the culture of the organization, use that to (tailor) security training…increasing awareness and propensity to report incidents.’

- ‘(Phishing) is only going to get more and more sophisticated.’ – which is why the protection organizations put in place now must be able to stay ahead of the attackers.

Steve Malone, Security Product Manager, Mimecast:

- ‘Phishing is viewed as a technology problem…the usual approach is to add more technology. But the issue is that adding more technology is actually increasing complexity.’ Steve further explained that the most successful approach is two-fold: choosing the right technology coupled with user education.

- ‘As we’ve got better at protecting against these attacks, the attackers have moved the goal posts. We now have to assume all the links in emails are bad.’

- ‘Clean up (post-attack) is generally very difficult and time consuming and the root cause is not addressed.’

- ‘Mimecast’s Targeted Threat Protection addresses advanced attacks in email by rewriting the URLs. It means protection regardless of the device used.’

- ‘We’re building into the service a real-time education component for users.’
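Both speakers make the same point: a link can be clean when the email is delivered and malicious by the time it is clicked, so the check has to happen at the click. The following is an added example (not Mimecast’s or Forrester’s code) of that idea: every URL in a message is rewritten at delivery time to a signed link through a gateway, and the gateway re-evaluates the destination against the current verdict when the user clicks. The gateway host, signing key and in-memory reputation store are constructed for the demo.

```python
import hmac
import hashlib
import re
from urllib.parse import urlencode, parse_qs, urlparse

GATEWAY = "https://links.example-gateway.test/click"  # hypothetical gateway
SECRET = b"constructed-demo-signing-key"              # per-tenant HMAC key
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sign(url):
    """HMAC over the original URL so the gateway only redirects to links it
    rewrote itself, rather than acting as an open redirector."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()

def rewrite_body(body):
    """Delivery time: replace each link with a signed gateway link."""
    def repl(m):
        url = m.group(0)
        return GATEWAY + "?" + urlencode({"u": url, "sig": sign(url)})
    return URL_RE.sub(repl, body)

class Reputation:
    """Toy verdict store; a real service would query live threat intelligence."""
    def __init__(self):
        self.bad_hosts = set()
    def verdict(self, url):
        host = urlparse(url).hostname or ""
        return "malicious" if host in self.bad_hosts else "clean"

def click(gateway_url, rep):
    """Click time: verify the signature, then check the destination *now*.
    Returns (decision, destination-or-None)."""
    qs = parse_qs(urlparse(gateway_url).query)
    url, sig = qs.get("u", [""])[0], qs.get("sig", [""])[0]
    if not hmac.compare_digest(sig, sign(url)):
        return ("tampered", None)
    if rep.verdict(url) == "malicious":
        return ("blocked", None)
    return ("allowed", url)

def simulate():
    """Clean at delivery, rewritten, then the host turns bad before the click."""
    rep = Reputation()
    body = "Please review https://docs.example.test/invoice before Friday"
    at_delivery = rep.verdict("https://docs.example.test/invoice")
    link = rewrite_body(body).split()[2]          # the rewritten gateway link
    before = click(link, rep)[0]
    rep.bad_hosts.add("docs.example.test")        # attacker flips the server
    after = click(link, rep)[0]
    return (at_delivery, before, after)
```

Without the rewrite, the delivery-time scan would have passed the message and nothing would stand between the user and the now-malicious server.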

It’s clear from the interest and the great questions we received at the end of the presentations that this is a hot topic. The evolution of threats is forcing IT teams to rethink the planning, purchasing and management of their business security systems. In addition, it’s being recognized that in order to stay ahead of the attackers, technology alone is not the answer – the complete solution needs to account for this and train users in a new way.

Please leave a comment or @reply me at @orlando_sc if you’ve any particular areas you want us to cover in our follow-up posts.


Top Priorities for CIOs over the next Year

We’ve come a long way on the timeline of enterprise information security. About ten years ago we’d finally become used to the idea of a second firewall upgrade and were thinking about dedicated security teams and policies that had a reach much farther than just the IT team.

Today, and into the next twelve months, the list of priorities for CIOs and CISOs is far more complex and only bears a passing resemblance to the past.

The future looks far more advanced, from a security perspective, which rightly reflects the nature of the threats we now face. Traditional security technologies are struggling to keep up, and in many ways have seen their day. Today’s shopping list of security tools would include Mobile Device Management (MDM) services, next-generation firewalls and threat detection tools, as well as new, more active types of host anti-virus; altogether more complex and advanced than the types of tools we were buying just a few years ago.

Also on the agenda are the softer, more human components of information security. Compliance tools and processes have never been more important, and nor, perhaps surprisingly for some, have formal enterprise privacy agreements for users. The latter are a response to growing privacy concerns driven by major data leakage and snooping scandals; the former, and your staff themselves, are a new frontier for soft security technologies and training that seek to secure one of the weakest lines of defense in the enterprise.

So all things considered, here are my predictions for the types of projects you’ll be seeing this year:

- Cloud identity and authorization: With the rise of cloud-based services in the enterprise, IT teams will need to ensure access control requirements are met across all services. Using third-party identity and authorization services that integrate with the cloud and on-premise directory services will be essential to enable the use of cloud services that can match your enterprise authentication policies.

- Cloud encryption: If not provided by a cloud security vendor already, more CIOs will demand their data be encrypted in the cloud with a separate cloud encryption tool. Public cloud services will be affected most, to guarantee the confidentiality of data for the enterprise as CIOs seek ways to protect their information regardless of its storage location.

- Formal privacy programs: Privacy is critical to both customer and end user trust in your organization, with the added benefit of helping you comply with local laws and customs. CIOs will be creating privacy protection controls for their sensitive customer data and personal information that balance business enablement with business protection. This is a new concept for many, but as the line between enterprise and personal computing is increasingly unclear, CIOs will need to establish clear boundaries for data access, storage and monitoring.

- Next generation tech: The ‘next generation’ is never well defined, but we know the current generation of technologies is fast being outmoded. Security technology in particular has become easy for attackers to circumvent, so vendors are responding with next-generation, more advanced security solutions. Spear-phishing is a great example – all the most recent high-profile attacks have bypassed traditional email security technologies through the use of very well-crafted malicious emails.

- Threat detection and response: Similarly, as threats change and become stealthier, we need to address how we detect and respond to them, given that we may not be able to prevent them all. Endpoint and host detection will play a large role in these new projects as businesses look for ways to quickly detect the outbreak of a problem on an endpoint and lock it down or remote-wipe it as quickly as possible.

- Security governance: This has always been a growing part of a CIO’s responsibilities, and we’ll see IT GRC management and ITSM increase as rigor is brought to bear on the IT department, and the buy-in of IT initiatives by the rest of the organization becomes more normal.

- Mobile device management: BYOD has come and gone, or at least embedded itself in our everyday IT policy. Users, not satisfied with your policies being enforced on their personal devices, appear to be much happier with the containerized or compartmentalized use of business data and apps on those devices. Simply letting users bring their devices onto your network is no longer acceptable in the way it once was; controlling the use of your data on their devices is now essential.

- Testing and training: Security training has always been part of our routine for users. Most new users are given a ‘sheep dip’ when they join, and a rare few are given ongoing training thereafter. But, as the value of training is diminished by attacks that succeed in the face of well-trained staff, real-time testing becomes a more viable solution. There are numerous open source tools available to help you socially engineer your own staff; we should expect to see these sorts of activities offered as services in the near future, and should take advantage of them – even if you’ve shied away from classic “pen-testing” in the past.


Forrester and Mimecast Webinar: Protecting Against Targeted Attacks

As the torrent of malicious content and spam moved away from our enterprise inboxes to more consumer and social platforms, we were perhaps lulled into a false sense that we’d finally beaten the spam problem.

But this simply isn’t the case. The risks to our enterprise inboxes and data have morphed into more harmful and effective security threats.

Forrester and Mimecast Webinar ‘Protecting Against Targeted Attacks’ – join us next Tuesday, September 30th, at 10am Eastern (1500 UK, 1600 RSA). Register free here: http://mim.ec/Zdm7qY

Spear-phishing, or targeted attacks by email, is the next generation of threat our IT teams are scrambling to deal with. Plus, as more high profile security breaches hit the headlines, where spear-phishing is often the initial point of entry, it’s a threat that has got the attention of the C-suite.

So Mimecast is hosting another webinar in our series of ‘Expert Webinars’ to share essential advice on how to protect your business against spear-phishing and targeted attacks – the webinar is next Tuesday, September 30th, at 1000 Eastern (1500 UK, 1600 RSA) and you can register for free here.

I’ll be joined by two industry experts: Rick Holland, the well-known Forrester Research analyst and IT security commentator, and Steven Malone, Mimecast’s own Security Product Manager.

Spear-phishers are specifically targeting you and your business in an effort to steal your intellectual property, customer lists, credit card databases and corporate secrets.

Whereas old-style phishing was a scattergun attack, spear-phishing is specifically targeted at a handful of individuals within a business. The attackers research their targets over many months, often using social media platforms to gain useful information about you. Like phishing, email is the main attack vector for spear-phishing, with well-crafted, socially engineered emails being the tool of choice.

During the webinar we’ll be discussing the biggest threats and most dangerous attack tactics, recent high-profile case studies, the real-life cost of attacks, and the practical steps you can take to protect and educate your users.

Do leave a comment under this post or @reply me at @orlando_sc if you’ve any particular areas you want us to cover next week.


Big Data: Focus and Practicality Now Vital

It’s been years in the making and has had its fair share of media hype, but according to Gartner’s August ‘Hype Cycle Special Report for 2014‘ the concept of Big Data has now entered its aptly named ‘Trough of Disillusionment’.

And it’s not Gartner alone. Talk to industry stalwarts and a clear message comes back – the honeymoon is over. No longer is it a positive buzzword in meeting rooms. It’s becoming tangible…real people with real salaries and real job titles are now associated with the discipline of managing and making the most of a company’s big (or small) data, both locally and in the cloud.

We’ve come to realize there are a number of opportunities for big data and its management, as outlined in IBM’s August report titled ‘The New Hero of Big Data and Analytics’. In it, a new C-suite role is outlined, along with five areas in which a Chief Data Officer (CDO) can optimize and innovate:

  1. Leverage: finding ways to use existing data.
  2. Enrichment: existing data is joined up with previously inaccessible (fragmented) data either internal or external.
  3. Monetization: using data to find new revenue streams.
  4. Protection: ensuring data privacy and security, usually in collaboration with the Chief Information Security Officer.
  5. Upkeep: managing the health of the data under governance.

It’s a great list of general outcomes for those who manage data to plan around over the coming years, but what might be even more useful is a planning framework to help develop these plans now.

Obviously this framework will evolve, and to some extent there will be a degree of trial and error as organizations try to wrangle increasingly large data-sets. But I thought it’d be useful to make some suggestions for considerations against these outcomes. So I’ve come up with some key questions to gather information to help in the CDO’s strategic planning. Answering yes to most, if not all, of these questions is a good indication that a CDO in your organization would have a beneficial business impact.

  1. People: as mentioned in IBM’s report – is the CDO’s office a guiding, enforcing authority? Is the office fully aligned to the business and scalable? Are the skills available appropriate? Is the business giving the CDO authority or permission to operate?
  2. Compliance: not just with regional and industry regulation but with the company culture.
  3. Intelligence: how can the right information reach the right people in a digestible form that catches their attention? Does the information remain useful throughout its lifecycle?
  4. CIA: Confidentiality, Integrity and Availability. The three cornerstones of any information security policy, and no less important here. Can your CDO guarantee data CIA, and do they have board-level authority therein?
  5. Technology: which technology providers can help support these outcomes today, and well into the future? Does the chosen technology scale in line with the parabolic growth of data, or is it linear or worse, unpredictable?

It’s by no means a definitive list, but we hope it helps stimulate the conversation around this emerging discipline of curating data to a commercial end. I look forward to sharing ideas with our customers and partners on this over the next few months. And as always, I’d appreciate any comments under this post.