Yes, we're moving the blog to a NEW ADDRESS! This is our LAST POST at www.enterprisesecurityblog.com
NEW BLOG ADDRESS is blog.intellitactics.com
Same high value content - more authors - more posts and COMMENTING!
Please visit us at blog.intellitactics.com
First 10 identified comments on the new blog get a free lunch!!
Posted by Sunil Bhargava at 03:36 PM in compliance, enterprise security management, log management, SAFE Appliances | Permalink | Comments (0) | TrackBack (0)
Sunil Bhargava is vacationing with the "gods" (can you guess where he is?) so we asked Warren Axelrod, a director on the FSTC, writer and speaker what he thought about the recent DHS publicity surrounding the invitation extended to a black hat to sit on the DHS Special Advisory Committee. We thought his response would make an interesting post and it did.
From the desk of WA: Charlie Rose of Public Television interviewed Janet Napolitano, the Secretary of the Department of Homeland Security, on July 29, 2009. Earlier that day she had given a presentation to the Council of Foreign Relations. Charlie Rose noted that DHS had recently hired a hacker and asked,“Why did it take so long?” Secretary Napolitano noted that the hacker volunteered to be on DHS’s Special Advisory Committee, as one of a number of “real experts.” I was amused by how proud the government seemed to be of co-opting black hats and how gleefully they publicized the fact. I recall when the famed l0pht hacker Mudge was on a committee during the Clinton Administration and was dutifully paraded before the cameras.
It might be acceptable to get the bad guys to help in the war against cyber crime, but is it appropriate to brag about it? It has been asserted that safe makers have hired safe breakers in order to build more break-resistant safes. My objection is in making the hackers famous. What message is it sending to kids teetering on the brink of becoming black-hat hackers? That crime pays? That you might be hired into lucrative consulting contracts, given lucrative book contracts (per Kevin Mitnick), or put on a blue-ribbon committee? As a security professional and as a new grandfather I think those are the wrong messages.
Secretary Napolitano also stated in the interview that the private sector owns 85 % of the Nation’s critical infrastructure. The figures I have mostly seen quoted have been in the 70–80 percent range. 85 % is a BIG NUMBER. It obviously means that only 15 percent is being controlled by government. If that is really the case, why does government, including the White House, seem so laid-back about how it’s being protected. If the critical infrastructure is really so heavily run by the private sector, why isn’t the government jumping up and down about the general lack of interest by the private sector in protecting the critical infrastructure. Why did President Obama, in his May 29, 2009 address, indicate that he would not intercede when it comes to private sector efforts, or lack thereof?
If 85% is the right number, the only way to make sure the private sector assumes adequate responsibility for protecting their 85% is putting into law the requirements that will enforce them to do so. I’d much rather see the private sector proactively address the issues and protect the cyber infrastructure without being forced by regulations to do it.
Email marketing@intellitactics.com about where you think Sunil Bhargava is vacationing and if you guess right we'll send you a special gift.
Posted by Sunil Bhargava at 04:00 PM in current affairs | Permalink | Comments (1) | TrackBack (0)
Technorati Tags: black hat, Charlie Rose, Department of Homeland Security, hackers, Intellitactics, Janet Napolitano
From the desk of Warren Axelrod: More than a dozen years ago, I was a big advocate of data mining and analysis using OLAP (on-line analytical processing) to sieve through huge databases and summarize the results to be used as “business information”. I published two articles about data mining and OLAP in Wall Street & Technology magazine. The first was published in the July 1996 issue and has the title “Real-time Decisions, Anywhere, Anytime.” It touted the advances in technology, particularly access via the Internet, as enablers for employees to analyze their companies’ data remotely. The second article, published in December 1996, had the title “Cashing in on Data Mining” and covered the use of data mining and OLAP to discover patterns that would predict trends in generic “customer” behavior. Back in the day, data mining was concerned with data in aggregate for examining patterns and associations at the macro level.
Now there is nothing macro about data mining. A July, 2009 article in the The New York Times by Stephanie Clifford, “Ads Follow Web Users, and Get Deeply Personal”, caught my eye. The article explains how the mega- data gathering and data mining companies, such as the Acxiom and Experian, provide detailed personal information on request. They gather and analyze publicly available information such as the details from warranty cards, magazine subscriptions, etc. Axciom purportedly has “15,000 pieces of data on every American …” These companies can (for a fee) provide detailed reports, including names and addresses of individuals who conform to a set of criteria which the requestor specifies. What causes concern on my part is that Acxiom was a victim of two data breaches, one in 2003 and another in 2004 (neither mentioned in the NYT article),
The lesson here is that technologies and procedures frequently evolve from the benign to the dangerous. Knowing the spending pattern of a group of 100,000 persons is one thing; knowing how you or knowing how I spend money is quite another thing. There is clearly marketing value in both, but the latter exposes us all to what might be considered an invasion of our collected privacy in a way that is seemingly quite legal. Maybe it’s just the way I look at the world, but don’t you think it’s a little hypocritical to have financial firms assiduously protect non-public personal information, while much of the same information is available for a price from the Acxioms of the world? I guess private is becoming a relative term.
Posted by Sunil Bhargava at 06:00 AM in compliance | Permalink | Comments (0) | TrackBack (0)
Technorati Tags: Acxiom, Data Mining, Privacy, Warren Axelrod
This isn't a misprint - for as little as $2500 per month you can take the first step that all companies with effective security have taken to comply with standards and protect critical information. Intellitactics and Quest have put together a great program - security as a service - to get you to take the first step.
There are many reasons that companies and agencies have deferred their SIEM projects: the budget got smaller, the project was cut, we lost the headcount, we had to cut the SIEM project to save jobs in our group, we like maintaining the log collector we built, the dog ate it (the budget that is).
How did your project get stalled, postponed or shelved indefinitely? Every project requires human capital and sometimes you're just short one set of hands. Sometimes the best person, most qualified person is engaged in another high priority project. Budgets do change. Dollars shift to other projects, budgets get smaller in one area to compensate for unavoidable increases in other areas and revenue projections that fund the budget fall short of expectations.Unfortunately the need for effective logging and event management doesn't shift and what the company expects from you - the security team - doesn't get put on hold.
For $2500 you get Intellitactics SAFE- the only SIEM appliance with all the capabilities on one appliance sitting right where you are. Then you decide how much you can do with your SIEM - some of the work, all the work or none of the work at night or weekends. You get a trusted partnership with Quest,a full service managed security service provider. With Quest's security as a service you can do as little or as much work as you choose by augmenting your staff with Quest - using Quest to add the most value.
SIEM is established by SANS as an important first stepin developing an efficient and effective security startegy. It reduces the cost of compliance, mitigates risk by automating monitoring of controls that enforce policy.
For more information on security as a service visit www.intellitactics.com or your virtual security team visit www.questsys.com
Posted by Pam Casale at 09:03 AM in compliance, enterprise security management, events, IT Security ROI, log management, SAFE Appliances, security as a service | Permalink | Comments (1) | TrackBack (0)
An online publication reported that the North American Electric Reliability Corporation (NERC) has approved a set of revised cyber-security standards for the North American bulk power system. NERC is an international self-regulatory authority for ensuring the reliability of the bulk electric power system in North America. It develops and enforces reliability standards, and under the Energy Policy Act of 2005, it has the power to fine violators for standards violations.
The 88% majority approval by the electric industry indicates strong support in the industry for the more stringent standards. "The approval of these revisions is evidence that NERC's industry-driven standards development process is producing results, with the aim of developing a strong foundation for the cyber security of the electric grid," said Michael Assante, Vice President and Chief Security Officer at NERC, in a statement. “The standards, if properly implemented, will develop the capabilities needed to secure critical infrastructure from cyber security threats," the statement noted.
The revised standards define 40 requirements that, when implemented, will provide a solid foundation of sound security practices. Audits for compliance with these comprehensive requirements will begin on July 1, 2009. Entities that fail to comply can be fined up to $1 million per day, per violation in the U.S., with other enforcement provisions in place throughout much of Canada, said NERC.
Being audit ready requires automated log collection and reporting. Intellitactics SAFE offers one fully capable appliance that not only provides audit worthy NERC reports to demonstrate compliance but also automates event monitoring to sustain compliance between audits. Monitoring is a proven strategy for mitigating risk and protecting against costly breaches in security. See SAFE every Tuesday and decide is SAFE is right for you.
Posted by Sunil Bhargava at 11:28 PM in compliance, current affairs, events, log management, SAFE Appliances | Permalink | Comments (1) | TrackBack (0)
Technorati Tags: compliance, Intellitactics, Intellitactics SAFE, Michael Assante, NERC
