LogBlog


Medium Sized Vendors Are Best Positioned in the Security Battle

Ralph DeFrangesco's blog on IT Business Edge raised a good question on "best of breed" versus "a single comprehensive solution" in the security industry.

Ralph favors a comprehensive solution:

Perhaps there is a middle ground?

First priority when buying security solutions? SECURITY!

Here is the rub: the threat landscape evolves so quickly that it is difficult for large vendors with long development cycles to keep up to date.

However, startups which are too small may not be viable in this tough economic climate.

Perhaps the solution is for medium sized vendors to take the lead and to develop a focused product portfolio.

McAfee is one such example of a "focused" suite vendor. McAfee has multiple product lines, integrated around their ePO platform and APIs. The product portfolio is a lot more focused (and a lot more successful) than Oracle's or Computer Associates'. Another example is LogLogic. We are by now a medium sized company building a comprehensive portfolio of products in security and log management, integrated around our open log management platform and APIs. LogLogic recently made its first acquisition by buying Exaprotect. Exaprotect had two complementary product lines in security event management and security change management. The combined products deliver better visibility and control at a lower cost.

You can read more on the acquisition at http://bit.ly/rLlJt.

Posted July 23, 2009


HIPAA Gone Bad: Hospital Fined for Doing the Right Thing

Why is Kaiser Permanente being fined for doing the right thing when it comes to privacy and information protection?

See here.

Kaiser Permanente’s Bellflower Hospital is also finding out how serious federal officials are about HIPAA privacy rules. This current incident involves the records of Nadya Suleman's octuplets. The hospital has been fined $187,500 for failing to protect their medical privacy.

Kaiser Permanente’s Bellflower Hospital apparently didn’t take seriously its role in protecting patients’ medical records, as this is the second time it has been fined. The first was in May for employees looking at Suleman’s medical information. The fine then was $250,000.

It is true that Kaiser nurses inappropriately looked at octomom Nadya Suleman's healthcare records. But Kaiser is also one of the few hospitals that has sophisticated monitoring technology in place to detect that privacy violations are occurring, so that it can take disciplinary action. In this case, they promptly fired the nurses involved, see here.

At the time of the firing, I thought of writing a blog post congratulating Kaiser. They are doing something right! Few hospitals can detect such privacy violations and even fewer hospitals are willing to go public with the findings and openly fire employees. People in the security industry know that 100% prevention of this type of violation is impossible. Nurses need access to patient records. Setting access rights on patient information too tightly could cost human lives. What if, at a crucial moment in a patient's treatment, a nurse is denied access to a patient file? You get the picture. Therefore, where you cannot 100% prevent access to information, you must monitor access to information. And if people abuse their access privileges, you discipline them. This is what Kaiser did.

So why exactly is Kaiser being punished so hard? Are regulatory oversight bodies implicitly saying that it would have been better for Kaiser NOT to do any monitoring, NOT to detect the privacy violations and NOT to fire the nurses?

I still believe Kaiser was doing the right thing and they should be applauded and rewarded, not punished for it! If I had the choice, I would be a patient at Kaiser any day.

Posted July 22, 2009


AlwaysOn Global 250: Another One for the Trophy Case!

By Lex van den Berghe
LogLogic Customer Evangelist


We're thrilled to announce that LogLogic has been named one of the 2009 AlwaysOn Global 250 Top Private Companies this year! We were selected based on our growth, market opportunity, quality of innovation and customer traction.

Here's more about this award from AlwaysOn:
The AO Global 250 represents the best of emerging innovators and disrupters from all the technology sectors we cover, and therefore is our most distinguished annual competition. The companies are demonstrating significant innovation, substantial customer adoption, large market potential, noticeable buzz, and are well on their way to creating tremendous value for their investors.

Receiving this accolade reflects our dedication to leading the industry with innovative approaches to operations, compliance and IT security management. Of course, we must thank our customers, without whom we wouldn't be able to learn, grow and be Gartner's #1 leading log management vendor.

This year, we've focused on bringing customers more visibility and control by powering security management, database security and compliance management solutions with our log management platform. We understand that companies' IT budgets are now smaller than ever. We've consolidated technologies by bringing the Exaprotect team on board so our customers will get more value out of their spend, and we're not stopping there. Stay tuned for what's to come!

Posted July 16, 2009


Is the United Kingdom at Risk of Korean Cyberattacks due to Government inaction?

Last month, hot on the heels of the US, the UK government published three documents outlining its strategy and position on “cybersecurity”. The Cabinet Office published the “Cyber Security Strategy” and the “Security for the next generation” documents, and the Department for Culture, Media and Sport published the long awaited “Digital Britain” report.

Perhaps unsurprisingly, considering this is the first time cybersecurity has been discussed at any great length, if at all, I found the reports quite vague and strategy focussed rather than actually giving out any specific advice or regulation. Clearly these initiatives are a start, but as the Korean cyber attacks of the past week point out clearly, foreign governments and criminals are many steps ahead.

I also came away thinking about how the UK documents position shared responsibility amongst IT departments. In my experience many areas of IT operate in silos, which results in a lack of important information exchange. These reports don’t go far enough in terms of defining responsibilities and raising awareness of who, how and what should be communicated. It’s all a bit woolly.

The US cybersecurity directives imply businesses should set a security baseline for all businesses – is the UK behind in its approach and weak by not setting out a clear mandate? The recommendations for security awareness and individual responsibility are pretty basic and undefined. It does make my cynical side come out and ponder whether these reports are sincere or just fodder to distract the media from the enormous number of UK government data leaks! They need to take the bull by the horns and get their own house in order. Make security actionable and lead by example - by far the best approach.

With any security or information protection law, both the US and UK governments face an uphill battle because of a strong privacy movement. Protecting the safety of the public at large could invariably compromise the privacy of a few – it’s a trade-off, but just how far will IT go to protect corporate data? I recently wrote about this in an article for Computer Weekly (see How far should IT managers go to protect corporate data?) – take a read and let me know your thoughts.

Posted July 10, 2009 in Security


Better security by spending less? Six tips from CISOs on how to spend on security.

During the Gartner IT Security Summit, we conducted informal interviews with CISOs on how to justify security spending in a tough economy. This post summarizes the collective wisdom of some of the brightest minds in security. We asked:

How do you determine how much to spend on security?

How to fight for your budget?

How to move costs to somebody else’s budget?

How to be more efficient?

How to be more effective?

In addition, we ran an ad-hoc poll on our blog (see below) which had received more than twenty (20) responses at the time of writing (the poll is still live, so check the latest results). When asked what is the most effective way to get security budgets approved:

57% voted “must do for compliance”

33% voted “prevent a data breach”

5% voted “avoid negative press”

5% voted “saves us money”

The security industry is rapidly maturing. Previously security spending was often a fixed percentage of a company’s IT budget and regarded as an obligatory tax, a cost of doing business (also called “cover your ass”). Nowadays, companies are working towards concrete security benchmarks, dictated by external regulations (compliance) or internal risk assessments.

This is good, because spending more doesn't always mean more secure. Enterprises spend anywhere from 5% to 12% of their total IT budget on security. Avoiding incidents is less expensive than surviving incidents. Thus companies with the lowest number of incidents (highest level of security) also tend to be the organizations with the lowest spending on security.

Here are six golden nuggets to optimize security spending:

1. Agree upon an end-goal for the security efforts

Define the end-state of security that the organization is striving for. CIOs are fearful of security being a bottom-less spending pit, so use external compliance (such as PCI), internal control frameworks, for example CobiT 4 or ISO 27001, or perform a risk assessment to define the desired “end-state” and list gaps, in order of priority, to achieve the end-state.

2. Perform some benchmarking in your industry

Attend local peer networking meetings to compare notes with fellow CISOs. Use third party studies on adoption rates of certain technologies. Nothing works better than telling your CIO that 80% of companies in your industry have installed or are considering a particular technology. Benchmarking data is sparse, but some good studies come from Gartner (publishing their “maturity curves”), Aberdeen (recent study on best-in-class log management – the subject of a previous post) and the SANS Institute (get their latest market study here).

3. Make the risk real with concrete examples

Risk is an abstract concept. If you tell your CIO: “we have a 5% chance of ending up on the front-page of the Wall Street Journal” (in a bad way), that is not as powerful as showing the article written up on a competitor that suffered a security breach.

4. Measure progress and success

There is no widespread agreement on which security metrics to use, but some great work was done by the Center for Internet Security (thanks to Anton Chuvakin for pointing this out to me). They recently published the CIS Security Metrics Guide (v. 1.0.0). Download the metrics here or use the direct PDF link. Some examples of recommended metrics include: mean time to incident discovery, incident rate, mean time to recovery, mean time between security incidents, and more in the areas of application security, configuration change management, financial, patch management and vulnerability management.
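As an added illustration, not from the original post or from the CIS guide, the Python below computes four of the metrics named above over a handful of constructed incident records. The formulas are my reading of those metric names (occurrence to discovery, discovery to recovery, gap between consecutive occurrences, incidents per 30 days); the CIS guide's precise definitions are not reproduced on this page, so treat them as assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). Each records when the
# incident actually began, when the team discovered it, and when it was resolved.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2009-06-02T08:00", "discovered": "2009-06-02T20:00", "recovered": "2009-06-03T08:00"},
    {"id": "INC-2", "occurred": "2009-06-10T09:00", "discovered": "2009-06-11T09:00", "recovered": "2009-06-11T15:00"},
    {"id": "INC-3", "occurred": "2009-06-20T12:00", "discovered": "2009-06-20T18:00", "recovered": "2009-06-21T06:00"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def _hours(delta):
    return delta.total_seconds() / 3600

def mean_time_to_discovery(incidents):
    # Hours from when an incident began to when it was noticed (assumed definition).
    return mean(_hours(_ts(i["discovered"]) - _ts(i["occurred"])) for i in incidents)

def mean_time_to_recovery(incidents):
    # Hours from discovery to resolution (assumed definition).
    return mean(_hours(_ts(i["recovered"]) - _ts(i["discovered"])) for i in incidents)

def mean_time_between_incidents(incidents):
    # Hours between consecutive incident start times; undefined with fewer than two incidents.
    starts = sorted(_ts(i["occurred"]) for i in incidents)
    gaps = [_hours(b - a) for a, b in zip(starts, starts[1:])]
    return mean(gaps) if gaps else None

def incident_rate(incidents, period_start, period_end, per_days=30):
    # Incidents that began in [period_start, period_end), normalised to a per_days window.
    s, e = _ts(period_start), _ts(period_end)
    days = (e - s).days
    if days <= 0:
        raise ValueError("period must span at least one day")
    count = sum(1 for i in incidents if s <= _ts(i["occurred"]) < e)
    return count * per_days / days

def metrics_report(incidents, period_start, period_end):
    # Bundle the metrics a CISO might put on a monthly dashboard.
    return {
        "mttd_hours": mean_time_to_discovery(incidents),
        "mttr_hours": mean_time_to_recovery(incidents),
        "mtbsi_hours": mean_time_between_incidents(incidents),
        "incidents_per_30d": incident_rate(incidents, period_start, period_end),
    }

if __name__ == "__main__":
    print(metrics_report(INCIDENTS, "2009-06-01T00:00", "2009-07-01T00:00"))
```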

5. Transfer security spending to other budgets

If all else fails, transfer security spending to another budget. Security efforts like log management and security change management could also be justified as productivity enhancement tools for the network operations or system administration group. Maybe your privileged user monitoring project could be paid for by the roll-out of virtualization (since hypervisor administrators have far-reaching privileges, they should be monitored).

6. Take a platform approach

John Pescatore at Gartner recommended at the recent Gartner IT Security summit:

“Take a Platform Approach - By 2010, only 10% of emerging security threats will require the deployment of a tactical, best-of-breed solution, compared with 80% in 2005.”

Pescatore identified security information and event management (SIEM) as one such platform. Rather than buying a point solution for IT GRC management, maybe use the embedded compliance mapping and dashboard capabilities of your SIEM platform. Similarly, rather than rolling out a point solution for database activity monitoring, build on top of your SIEM platform. Expanding and optimizing an existing solution is often cheaper than deploying a brand new one. You can leverage much of your existing investment, and training and integration costs will be lower.

With the maturing of the security discipline and emerging security frameworks and metrics, best-in-class organizations are now focusing on the results of security spending. If you work towards a clear goal, it doesn’t matter how much you spend to get there. In fact, if you do, and you increase security efficiency and effectiveness, you might be able to reduce security spending. That is welcome news for CIOs in a difficult economy.

Posted July 07, 2009
