Tuesday, January 12, 2010

BitArmor acquired by Trustwave!

Exciting news for us: we are pleased to announce the acquisition of BitArmor by Trustwave! The press release is here.

Quick FYI - Trustwave is a leader in delivering compliance and security solutions for thousands of large and small customers across the globe. They have a great story about PCI as well. Great to be part of an awesome company!

We believe this is an absolutely perfect fit between our vision of information-centric security and our Smart Tag technology on one side, and how Trustwave sees the world of security and compliance on the other.

Will post more in a few days... Lots to do, so gotta run!

Wednesday, December 9, 2009

New Cisco report on state of security

Cisco has just released its annual state-of-security report, the Cisco Annual Security Report. It mentions the usual things you hear about: more malware, 40% more spam in 2010, more banking trojans, etc. Scary stuff, no doubt. Read more about it here.

But what worries me is what is missing (or not highlighted) in the report, i.e. data security in the enterprise. While I, being also a consumer, appreciate the issues pointed out here, data breached from enterprises also causes significant pain.

Trojans, malware and viruses will always be around, and I think we have to expect this going forward. How do we ensure that they get relegated to mere annoyances rather than becoming a security threat? This is where an information-centric approach works best: once the data is protected, only the right user opening the document with the right application can decrypt it. Malware thus cannot access protected data, since it does not have the right permissions. This might reduce the impact of much of today's malware, at least for enterprise data.

For transactional consumer data (e.g. credit card information submitted during a web session), we have to think of other, similar techniques...

Thursday, October 8, 2009

Hannaford case reversal

Some interesting developments for those who have been following the rulings in the Hannaford breach case: the judge had ruled that since cardholders were not economically affected by their credit cards being stolen (banks will cover any losses to cardholders), they don't have a civil case against Hannaford.

However, the judge recently reversed himself and asked the Maine Supreme Court whether the "inconvenience" that the cardholders went through should be compensated... An interesting fork, and one that could have a strong impact on retailers if the Maine Supreme Court indeed thinks so.

The bottom line is whether retailers should take more care of the data entrusted to them. While the judge had a very narrow view of "loss" to the consumer, the defense believes they have a shot at making cardholder rights heard...

Should be interesting to see the developments...

Monday, October 5, 2009

One million dollars!

As a reward, that is... Express Scripts has reportedly put up $1M for anyone who can provide information leading to the arrest of those responsible. Apparently the thieves wanted to get the most from the stolen data: sell it to the highest bidder, or extort Express Scripts to keep it safe!

Looks like extortion is the new black - from talk show hosts to stolen data! It will be interesting to see where this takes the industry. But my question is: is this extortion because the criminals do not have a market for the stolen data? If the data has a ready market, why bother with extortion?

Thursday, October 1, 2009

Josh Corman at IANS

Just attended an interesting keynote by Josh Corman at the IANS event in Boston this morning. Very thought-provoking stuff; he also has an article about it in CIO magazine.

Being a good marketer, Josh trimmed the 8 secrets down to 7 (but wait! One was free and he counted from zero, so we are back to 8 :)). I had previously discussed one of his takes in this blog.

The interesting part about listening to the discussion live is Josh's emphasis on risk. He believes that we as security professionals have been so caught up with managing around compliance mandates that we have not stepped back to think about what risk we are actually mitigating.

Excellent point, especially when it relates to the projects at hand. Would you do disk encryption based on the knowledge that 31% of all breach incidents are the result of lost and stolen laptops? Of course you would. However, would you rethink your decision if you also knew that these lost laptops account for only 9% of all data lost? Hmmm, does full disk encryption (FDE) only reduce risk by 9%?

That raises the question: what else reduces risk by a larger percentage? Interesting topic, and the subject of another post...

Tuesday, September 29, 2009

Virtualization and PCI standard - can we do better?

The wheels are turning for another version of the PCI standard, and this time virtualization security is a big focus in the development of the standard. Commendable, I say. Virtualization will become a bigger deal than it is today, and almost all organizations will have some form of virtual environment set up.

However, are we prone to repeat the same mistakes? We still seem to be stuck in the legacy world of protecting infrastructure: security professionals have no time to look beyond the normal staple security diet of anti-malware, IDS/IPS, firewalls, etc., to where the more active threats are.

How do we bring the security world (as well as the business world) forward to rethink how to enable secure business? I have strong opinions on this: I believe an information-centric security approach is vital and imperative in virtualized environments. In fact, I would go so far as to say that it is the only logical and enforceable method that enables virtualization to be all it can be, so that business can be all it can be!

Let PCI not be a reflection of past threats; let it become what we need now and prepare us for the future. That is the only way it can stay relevant and useful.

Friday, September 18, 2009

Gartner - Pay now or pay (a lot) later!

A few weeks ago I read a very interesting (and perhaps one of the few) analyst reports that analyzes the cost of fixing a breach compared to the cost of preventing it. Check it out here.

The basic premise of Gartner analyst John Girard is that the costs of prevention are insignificant compared to the costs of cleanup - less than 2%! How can the management of any organization look at this and say "let's cross our collective fingers" and hope for the best?

Data protection, if done correctly, does not have to be expensive. I just read this article, based on a survey, which said most organizations in MA feel that the costs of data security are hurting firms. While I agree there is an investment to be made, the costs of cleanup are far higher. In fact, a recent Ponemon report showed that over 60% of organizations have had breaches in the last 12 months - what this means is that any organization has a 60+% chance of a breach!

Any organization should at least start protecting its most vulnerable assets: data in vulnerable locations, be it on mobile devices such as laptops or USB devices, or on file shares.

These costs are minimal compared to the costs of payment later...