<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Logblog</title>
      <link>http://blog.loglogic.com/</link>
      <description>Log Management &amp; Intelligence For Compliance, Risk Mitigation &amp; Business Continuity</description>
      <language>en</language>
      <copyright>Copyright 2010</copyright>
      <lastBuildDate>Thu, 28 Jan 2010 13:12:31 -0800</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/?v=3.2</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>Free Beer!</title>
         <description><![CDATA[<p>By Lex van den Berghe    <br />LogLogic Customer Evangelist</p>  <p>Oldest trick in the book. Put up a sign that says “Free Beer” and it’s guaranteed you’ll catch the attention of the masses. Well, we’re giving something away that’s even better than free beer…how about free money? One thousand dollars, to be precise.</p>  <p>Every LogLogic customer has a great story to tell and we want to hear yours…and your story could win you a cool grand!</p>  <p>Send us your detailed story about how LogLogic helped you overcome a difficult challenge in your IT environment, identify a serious breach, achieve critical regulatory compliance, or save your organization time and money. You all rely on LogLogic every day to keep your companies secure and compliant, and we want to hear about your real-world experiences in the trenches and on the front lines of your IT environments.</p>  <p>Whether you’re benefiting from our log management, security event management, compliance management, or database security management solutions, we want to pay you a thousand bucks for your story. Check out some of our existing <a href="http://www.loglogic.com/images/resources/case-studies/">customer success stories</a> to help get your creative juices flowing.</p>  <p>Send us your LogLogic stories no later than March 15th. A panel of LogLogic judges will read your submissions and select the two best stories; each winner receives one thousand dollars!</p>  <p>You can find details about our “Tell Us Your Story” contest by visiting <a href="http://www.loglogic.com/tellusyourstory/">http://www.loglogic.com/tellusyourstory/</a></p>  <p>Do yourself a favor and send me your story. A thousand bucks will buy you a lot of beer, and everyone knows that nothing tastes better than free beer.</p>  <p>Oh, and while I’ve still got your attention, I’m stoked to announce that LogLogic made the finalists list in the Network Computing Awards for 2010, so do us a favor and <a href="http://www.networkcomputingawards.co.uk/">visit the on-line awards page</a> to cast your vote for LogLogic in the Testing &amp; Monitoring Product of the Year category.</p>]]></description>
         <link>http://blog.loglogic.com/2010/01/free_beer.php</link>
         <guid>http://blog.loglogic.com/2010/01/free_beer.php</guid>
         <category></category>
         <pubDate>Thu, 28 Jan 2010 13:12:31 -0800</pubDate>
      </item>
            <item>
         <title>Case Study: &quot;SOX too ambiguous&quot; Complains Large Equity Firm</title>
         <description><![CDATA[<p>By Lex van den Berghe    <br />LogLogic Customer Evangelist</p>  <p>&#160;</p>  <p>LogLogic’s customers and their stories are the lifeblood of my job, and I never tire of their real-world tales from ‘the trenches.’</p>  <p>Case in point: I recently sat down with a LogLogic customer, one of the largest equity firms in the world, to discuss <a href="http://www.loglogic.com/solutions/compliance/sox.php">Sarbanes-Oxley (SOX) and database security</a>. As you can well imagine, companies in financial services are deliciously tempting targets for hackers, so federal regulations like SOX aim to create guidelines that will keep databases secure.</p>  <p>This customer told me that current regulations like SOX are ambiguous and difficult to understand, and that you could ask ten different experts a question about SOX and actually receive ten different answers. “The intent is good, but the execution is poor,” they said. In particular, small businesses that lack resources will find it very difficult to achieve compliance. Adding to the challenge is the fact that regulations like SOX are a moving target: you might pass an audit today, but next year, with a different auditor, you might fail. Different auditors have different standards and different interpretations of the ambiguous regulations.</p>  <p>Of course, SOX is not all bad. Our customer noted that one of SOX’s upsides is the requirement that breached companies must notify the people affected. This helps to educate the public and keep companies honest. In addition, the risk of public embarrassment compels companies to spend more money on security than they otherwise would. This increased focus on security helps to prevent data breaches from occurring.</p>  <p>This global equity firm maintains four separate data centers with operations in 20 different countries, and they use LogLogic’s <a href="http://www.loglogic.com/products/log-management/index.php">log management</a> and <a href="http://www.loglogic.com/products/security-event-management/index.php">security event management</a> products. SOX compliance was the primary driver that prompted them to approach us. When they were evaluating solutions, one of their top priorities was the ability to create detailed reports. They told us, “Most solutions we looked at seemed to have just slapped on reporting as an afterthought. LogLogic’s in-depth, customizable reports have given us unprecedented insight into changes in our infrastructure and help us to demonstrate compliance.” This unsolicited assessment of our reporting capabilities is something I hear echoed by nearly every customer I have the pleasure of chatting with.</p>  <p>We place great value on the feedback we receive from our customers, especially when it helps us improve our solutions or provides us with tips and insights that we can share with our customer base worldwide. I’m currently in the process of talking with a number of our financial services clients about industry challenges and best practices. Check back for more customer mini case studies and stay tuned for a report of our findings…</p>  <p>Got a cool LogLogic story? Send it to me at <a href="mailto:Lex.vandenberghe@loglogic.com">Lex.vandenberghe@loglogic.com</a></p>]]></description>
         <link>http://blog.loglogic.com/2010/01/case_study_sox_too_ambiguous_complains_large_equity_firm.php</link>
         <guid>http://blog.loglogic.com/2010/01/case_study_sox_too_ambiguous_complains_large_equity_firm.php</guid>
         <category>Case Study</category>
         <pubDate>Wed, 20 Jan 2010 11:03:36 -0800</pubDate>
      </item>
            <item>
         <title>Should we be giving up on traditional Security?</title>
         <description><![CDATA[<p>By Sudha Iyer</p>

<p>It’s war! The <a href="http://homelandsecuritynewswire.com/iran-china-cyberwar-breaks-out-iranians-hack-chinese-search-engine">Iranians</a> attacked the Chinese. The Chinese attacked Iran… and Google… and Adobe (and 30 others). The governments of France and Germany warned their citizens <a href="http://www.telegraph.co.uk/technology/microsoft/7018669/France-warns-against-Internet-Explorer-use.html">against</a> using Internet Explorer in response.</p>

<p>Is our security so poor that we’re just throwing good money after bad?  Should we just adopt the <a href="http://www.guardian.co.uk/technology/2010/jan/11/facebook-privacy">Facebook model</a> and assume that everything we do is now public knowledge?</p>

<p>It’s all too easy for IT staff to get lost in the noise about secure configurations, patch Tuesdays and checklists, and to rarely give the time to building a “<a href="http://www.technewsworld.com/story/IEs-Role-in-the-Google-China-War-69121.html?wlc=1263858713">defense in depth</a>”.</p>

<p>Key to providing a more complete security solution are Intelligence, Vigilance and Surveillance. Together they build a framework that defines normal and abnormal behavior. For example, if monitoring shows that a company usually handles 1,000 transactions a day, a day that peaks at 3,000 is an anomaly worth flagging. Applying intelligence, such as knowing it’s the last week of the quarter, tells us that the 3,000 is an expected surge rather than a threat, whereas the same spike in the middle of the quarter, or a drop to a few hundred, would still need a closer look.</p>
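<p>To make the baseline-plus-context idea concrete, here is a small worked example added by the editor; it is not LogLogic code and is not part of the original post. It uses a constructed 14-day history of daily transaction counts, flags a day whose count sits more than k standard deviations from the baseline (Surveillance and Vigilance), and then applies one piece of business intelligence, a calendar check for the last week of a quarter, to decide whether a spike is an expected end-of-quarter surge or something to investigate. The quarter boundaries and the surge ceiling are assumptions. A drop, or a spike far beyond what quarter-end could explain, is still escalated.</p>

```python
"""Baseline-and-context check for a daily transaction counter.

Added example (not LogLogic code). The history, the quarter calendar
and the surge ceiling are all constructed assumptions.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed 14-day history: roughly 1000 transactions/day with normal jitter.
HISTORY = {
    date(2010, 3, 1) + timedelta(days=i): count
    for i, count in enumerate(
        [980, 1010, 995, 1030, 1005, 990, 1020, 1000, 985, 1015, 1025, 990, 1005, 1010]
    )
}


def baseline(history, window=14):
    """Surveillance: mean and population stddev over the last `window` days."""
    counts = [history[d] for d in sorted(history)[-window:]]
    return mean(counts), pstdev(counts)


def is_quarter_end_week(day):
    """Intelligence: True during the last seven days of Mar/Jun/Sep/Dec.

    Assumes calendar quarters; a fiscal calendar would replace this rule.
    """
    if day.month not in (3, 6, 9, 12):
        return False
    first_of_next_month = (day.replace(day=28) + timedelta(days=4)).replace(day=1)
    last_day = first_of_next_month - timedelta(days=1)
    return (last_day - day).days < 7


def classify(day, count, history, k=3.0, surge_ceiling=4.0):
    """Vigilance: return (verdict, reason) for one day's count.

    verdict is one of:
      "normal"       within k sigma of the baseline
      "expected"     a spike that quarter-end context explains
      "investigate"  any other deviation: a drop, a spike outside the
                     quarter-end week, or a spike above surge_ceiling * baseline
    """
    mu, sigma = baseline(history)
    z = (count - mu) / sigma if sigma else float("inf")
    if abs(z) < k:
        return "normal", f"z={z:.1f}, baseline {mu:.0f} +/- {sigma:.0f}"
    if count > mu and is_quarter_end_week(day) and count <= surge_ceiling * mu:
        return "expected", f"quarter-end surge: {count} vs baseline {mu:.0f}"
    return "investigate", f"z={z:.1f}: {count} vs baseline {mu:.0f} on {day}"


def classify_iso(day_iso, count, history=HISTORY):
    """Same as classify() but takes an ISO date string (YYYY-MM-DD)."""
    return classify(date.fromisoformat(day_iso), count, history)


if __name__ == "__main__":
    samples = [
        ("2010-03-15", 1010),  # ordinary day
        ("2010-03-29", 3000),  # spike in the last week of the quarter
        ("2010-03-15", 3000),  # same spike mid-quarter
        ("2010-03-29", 200),   # drop, even at quarter end
        ("2010-03-29", 9000),  # spike larger than quarter-end can explain
    ]
    for day_iso, count in samples:
        verdict, reason = classify_iso(day_iso, count)
        print(f"{day_iso} {count:>5} -> {verdict:<11} {reason}")
```

<p>The z-score threshold and the surge ceiling are the two knobs an operator tunes: the first sets how sensitive Vigilance is, the second bounds how much a known business event is allowed to explain away before a human looks anyway.</p>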

<p>Monitoring application activity for changes in behavioral patterns and proactively acting upon them is vital to providing depth of security. Let’s remember here that whilst the headlines are all fun and games, you’re defending against top-of-the-line criminals: not people who want to delete your hard drive or put cute messages on your website, but people who want to steal all your data for profit. As both NASA and the US Army were reminded <a href="http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=222300588">recently</a>, information is stored in databases, and databases have huge exploitable holes. Deploying LogLogic <a href="http://www.loglogic.com/products/database-security-management/index.php">Database Security Manager</a> (DSM) provides the kind of zero-day control required to respond to data leakage attacks. DSM is a Data Leak Prevention service that protects structured data in your databases, and provides the necessary compensating controls to reduce your risk of exposure.</p>

<p>Relying on security patches or rotating firewall ports is not a comprehensive security solution. DSM is a must-have tool in your risk management strategy, ensuring that the crown jewels of your enterprise are not sneaking out, undetected, over the wire.</p>]]></description>
         <link>http://blog.loglogic.com/2010/01/should_we_be_giving_up_on_traditional_security.php</link>
         <guid>http://blog.loglogic.com/2010/01/should_we_be_giving_up_on_traditional_security.php</guid>
         <category>Risk Management</category>
         <pubDate>Tue, 19 Jan 2010 10:32:52 -0800</pubDate>
      </item>
            <item>
         <title>Forrester&apos;s 2010 security predictions</title>
         <description><![CDATA[<p>By Andy Morris</p>

<p>Firstly, congratulations to Mike Rothman on joining <a href="http://securosis.com/">Securosis</a>.</p>

<p>Now, on to my <a href="http://blog.loglogic.com/2010/01/verizon_thinks_youll_evolve.php">Verizon</a> post. Mike correctly <a href="http://securosis.com/blog/getting-your-mindset-straight-for-2010">pointed</a> out that I drank too much over Christmas, and that what I said about being safe was fluffy and careless. In my defense, I was having post-Christmas fun, not submitting a whitepaper, or advising anyone on strategy. I’d just spent 400 words telling people to be vigilant, and not believe Verizon’s roses-round-the-door view of 2010. Plugging my products seemed like too good an opportunity to pass up.</p>

<p>And in Verizon’s defense, I doubt the author really meant to sound cavalier either. After all, Top 10s are just a way of letting off steam after a long year.</p>

<p>Over at Forrester, the big brains have put out a much more reasonable, more nuanced piece.<br />
I like the Forrester <a href="http://www.forrester.com/rb/Research/data_security_predictions_for_2010/q/id/55857/t/2">document</a>; it’s in tune with what I’m seeing happening here in Silicon Valley.</p>

<p>So, without further ado, here’s my take on their predictions:<br />
<strong>A)	Data security budgets will flat-line</strong><br />
I expect this to be true, after all, we’re in a tight spot money-wise at the moment, but some context is required. Firstly, I think that whilst spending on security will flat-line, spending on IT will fall, meaning that security as a whole will now get a bigger slice of the pie, and therefore will have greater visibility at the Board and “C-level” within companies. I don’t know of any B2B companies that are officially cutting list prices at the moment, but they all seem to be discounting heavily to secure purchase orders. So, now security has a greater share of the pie, buying even more vendor goods, which actually helps everybody. Greater buying power equals cheaper products, means more deployments, which in turn, means greater security. Win/Win. Hurrah for the recession!</p>

<p><strong>B)	Enterprises will strike better deals on DLP</strong><br />
This is really a very specific version of what I just said. DLP dealers like Websense, McAfee & Symantec sold roughly nothing last year. The DLP market exploded into life when some very early adopters paid Vontu a boat-load of cash for early access products. Four years have passed since then, and nobody has really bought anything of note. Deep discounting during a recession is business as usual. If you want a DLP prediction, here’s one. Companies will stop pretending they can deploy content filters to prevent breaches, and instead will focus on education and after-the-fact forensics. Or as we like to think of it over here, Log Management.</p>

<p><strong>C)	Cloud data concerns will begin to dissipate</strong><br />
Correctly, in my opinion, Forrester defines “the cloud” as being made up of totally different types of services, each with their own audience, scope, problems, and security concerns. These sub-clouds are: interactive apps (Facebook); hosted apps (Exchange); application APIs (Google Maps); application components (SimpleDB); infrastructure (Amazon); and physical space (GoDaddy). So the headline “concerns dissipate” is a little misleading. As <a href="http://blog.loglogic.com/2009/12/top_10_security_predictions_for_2010.php">Dimitri</a> said, no one is going to trust the likes of Facebook or Flickr to improve to the satisfaction of a CISO, and everyone already trusts the physical security vendors with their array of cameras, motion sensors and armed guards. What is really top of mind then, are the hosted apps, and the infrastructure bits-and-pieces that can be assembled into enterprise applications. Forrester is right; we will gradually learn to trust these boys. The key word here is “gradually”. Here at LogLogic we already outsource our email and web service - and we’re very comfortable. We use SalesForce, and again, are happy that our customers are not being mixed in a big pot with our competitors’. But are we going to roll our finance, logistics and engineering secrets out to the cloud? Not yet. If ever. Clever word that “gradually”. It allows Forrester to be both right, and wrong.</p>

<p><strong>D)	Full disk encryption will continue its slow and steady march</strong><br />
Full disk encryption is on the rise! Hmmm. A bit like the sea levels. Yes they’re going up, but it’s imperceptible to the human eye - for now. Encryption clearly is a superb idea. But until it’s 100% transparent to the frustrated sales guy with his laptop, hundreds of miles from tech-support, it’s not going to be mainstream.</p>

<p><strong>E)	Creative vendor couplings will renew interest in ERM</strong><br />
Simply put, no. Well, yes. Creative vendors will seek ERM partnerships, but the examples given by Forrester are all about DLP. So, my question to you is, does tying together two technologies which don't quite fulfill their promise make them attractive? Of course not. ERM will still be hard to deploy. DLP will still over-promise and under-deliver. The future of data control is at a fork. We either go the 1984 route, and try to control everything, or we use education, forensics, and public discipline. Big Brother appeals to Silicon Valley because we think we can build it. But as we found out at Christmas, no security is 100% effective, there are no silver bullets, but vigilance and education can go a long way to solving the problem.</p>

<p>So, how do you best educate? My mom always says (and she’s a teacher), teach by example. To help improve risk management what we need are tools that can analyze what’s gone wrong, and can demonstrate breaches to the masses. We have acronyms for that: SEM and SIEM. Here’s what Gartner, and others, think you need to <a href="http://bit.ly/8WuMVl">know</a>.</p>

<p>If you read the Forrester report, 90% of which I agree with, you’ll come to this conclusion: if you’re in business, spend security money wisely, educate your staff, deploy defenses where they’re proven, and be ready to swiftly, comprehensively and immutably document breaches. And stay vigilant. The bad guys are slippery like a worm.<br />
Of course I’m biased, but that’s what we do here at LogLogic. We let you get on with running your businesses, making all that money, giving all those people a safe place to work, and should anything go wrong, we help you remediate.</p>

<p>Happy (safe, compliant, responsible) New Year.</p>

<p><strong>Andy Morris</strong>, Product Marketing Director, LogLogic</p>]]></description>
         <link>http://blog.loglogic.com/2010/01/post_1.php</link>
         <guid>http://blog.loglogic.com/2010/01/post_1.php</guid>
         <category>Top10</category>
         <pubDate>Mon, 11 Jan 2010 09:21:05 -0800</pubDate>
      </item>
            <item>
         <title>Security Breaches: The Victim Will Get Blamed, and Worse</title>
         <description><![CDATA[<p>By Barbara Rogan, LogLogic General Counsel</p>

<p>Blame the victim. This was a common defense in the sexual assault cases I helped prosecute when I worked as a prosecutor. Unfortunately this mentality applies not just to rape cases, but also to companies whose critical data has been breached, even when criminals are the ones stealing the data.</p>

<p>One of the biggest data breaches in recorded history hit Heartland Payment Systems. This is a bona fide case of the bad guys attacking networks and compromising critical data. In Heartland’s case, the breach wasn’t found for many months, and Heartland has no idea how many credit card numbers were jeopardized. Potentially millions, but no one knows for sure (or at least they are not saying so publicly). To deal with the publicity and legal fallout, Heartland established a website (<a href="http://www.2008breach.com/">www.2008breach.com</a>) dedicated to the breach. The bad guys were caught pretty quickly after the breach was discovered (see: <a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=214303553">http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=214303553</a>) and have already pleaded guilty (see: <a href="http://news.cnet.com/8301-27080_3-10423008-245.html">http://news.cnet.com/8301-27080_3-10423008-245.html</a>).</p>

<p>But the fact that the bad guys were brought to justice did not exonerate Heartland. Just this last month, Heartland paid a $3.5 million settlement to American Express for damages associated with the breach. Amex was apparently the smallest of the three settlements Heartland will have to pay, as it has not yet settled with Visa or MasterCard.</p>

<p>Okay, so Heartland is a big company, but smaller businesses have been hit with lawsuits for failing to protect data. RockYou, a Facebook app developer, was recently sued in San Francisco in a class action lawsuit (see: <a href="http://news.cnet.com/8301-1009_3-10423042-83.html">http://news.cnet.com/8301-1009_3-10423042-83.html</a>). Again it was certified bad guys stealing the data. But because RockYou didn’t take reasonable security precautions to protect that data, they are now facing a very expensive suit and all the negative publicity that entails. I am sure that RockYou didn’t want to get profiled by CNET for this reason.</p>

<p>Beyond the civil suits, there is the potential of criminal action. Just ask HealthNet and Wentworth-Douglass Hospital. Both have suffered data breaches that have resulted in investigations by their state attorney general’s office (see <a href="http://media-newswire.com/release_1107536.html"><strong>here</strong></a> and <a href="http://www.fosters.com/apps/pbcs.dll/article?AID=/20091210/GJNEWS_01/712109869"><strong>here</strong></a>).</p>

<p>The bottom line is that no company should expect sympathy if data in its care gets breached. Consumers, plaintiffs, and regulatory agencies are just as likely to blame your company as they are the bad guys. You’re the victim of the data theft, but unless your company has taken all the precautions available to it, you’ll also be viewed as one of the “bad guys”.</p>

<p><b>Shameless plug section:</b> So how does this relate to LogLogic? One way to make sure you have taken all proper precautions is to have complete visibility into the events in your systems. It all starts with <a href="http://loglogic.com/">Log Management</a>, and for visibility and control over your security environment, our <a href="http://www.loglogic.com/solutions/security/index.php">Security Event Management</a>. Check them out for more information.</p>]]></description>
         <link>http://blog.loglogic.com/2010/01/security_breaches_the_victim_will_get_blamed_and_worse.php</link>
         <guid>http://blog.loglogic.com/2010/01/security_breaches_the_victim_will_get_blamed_and_worse.php</guid>
         <category>Security</category>
         <pubDate>Thu, 07 Jan 2010 10:20:36 -0800</pubDate>
      </item>
            <item>
         <title>Verizon Thinks You&apos;ll Evolve</title>
         <description><![CDATA[<p>By Andy Morris, <a href="http://www.loglogic.com">Log Fan</a></p>

<p>I read Dimitri's take on the Verizon Top 10 Security Predictions for 2010 and thought I'd take a swing at it myself.</p>

<p>Verizon’s security predictions for 2010 are interesting partly because of their insightfulness, and partly due to their lack of insight. You can read their full list of predictions at <a href="http://bit.ly/8UwMDM">here</a>, but if you’ll allow me, let me play scrooge.</p>

<p><strong>1) Services will protect themselves.</strong><br />
No they won’t. What most services will do, is appear to protect themselves. They’ll respond to a few highly publicized events with new user interface options that people won’t use properly, and will give the fake appearance of positive change.</p>

<p><strong>2) Malware will not evolve.</strong><br />
This seems about right. Why go to all that fuss and expense of evolving, when most networks still aren’t protected against threats that were discovered ages ago? Mass outbreaks, of course, are for show-off-bored-kids; these days the real money is “on the fringes”. You know, like the Russian Mafia exploiting high street banks for millions. So, no real concern there then. Except that we’re in a recession, and it’s our money they’re stealing. </p>

<p><strong>3) Consumers are getting smarter.</strong><br />
This is possibly the most dangerous of all the predictions. I don’t know if it will be true or false, but as security experts we have to assume it’s false, and build a world that protects the naive, the innocent, the gullible, and that chap that runs with scissors.</p>

<p><strong>4) Windows 7 will be more robust than expected.</strong><br />
Well that’s a low bar - remember Windows 7 was launched on Oct 22, and exploits started turning up as far back as April, but Verizon is right to turn the focus on ISVs. After all, hackers are after money, and that’s buried in data, and that’s handled by ISV software.</p>

<p><strong>5) Serious finger pointing will occur – criminals think twice.</strong><br />
Yes and no. Finger pointing will occur, but criminals will just shrug. Maybe this is a good time to have a debate about Capital Punishment deterring murderers?</p>

<p><strong>6) Breaches will increase.</strong><br />
Yes they will. The lust for money is powerful motivator.</p>

<p><strong>7.) Nothing happens to non-PCs 8.) CaaS works 9.) Virtualization is not attacked 10.) China will be blamed for everything.</strong><br />
Lets hope so :: I don’t care :: More hoping :: Seems fair.</p>

<p>What does <a href="http://www.loglogic.com">LogLogic</a> predict for 2010? Regardless of whether all, some, or none of Verizon’s predictions come true, networks will still be left vulnerable, applications will be unpatched, user error will cause breaches in protocol, and criminals will successfully knock down walls.</p>

<p>But not on a LogLogic protected infrastructure.</p>

<p>We can prevent, capture and prove compliance for whatever 2010 throws at your systems.<br />
<strong>LogLogic customers are predicting a stress free, safe 2010.</strong><br />
<em>(No lead paint was used in the making of this post – no thanks to China. Or Nigeria. Or Eastern Europe.)</em></p>]]></description>
         <link>http://blog.loglogic.com/2010/01/verizon_thinks_youll_evolve.php</link>
         <guid>http://blog.loglogic.com/2010/01/verizon_thinks_youll_evolve.php</guid>
         <category></category>
         <pubDate>Wed, 06 Jan 2010 17:11:23 -0800</pubDate>
      </item>
            <item>
         <title>Top 10 Security Predictions for 2010</title>
         <description><![CDATA[By Dimitri McKay, <a href="http://LogLogic.com">Log Evangelist</a><p>

Verizon Security recently posted a set of 10 predictions for 2010 on their security blog. I have my own opinions
about their predictions as you'll read below.
<p>
To see Verizon’s original predictions, click here: <a href="http://feedproxy.google.com/~r/verizonbusiness/tWvQ/~3/M-MA1OQFE-M/?utm_source=feedburner&amp;utm_medium=email">2010 Security Predictions</a></p>
<p>
Our friends at Verizon Security feel that services like Facebook, Google, Twitter,
and TinyURL will work to get better controls in place regarding criminal
content. They believe that their business model is at stake if they don’t
attempt to flag or eradicate nefarious activity... advertisers will start
pulling their dinero. And my response to that is &quot;of course they will!&quot;
It's an obvious statement. The online services will absolutely do more to try
to curb illegal behavior. If <b>they</b> don’t do it, who will?
<p>
The recent Facebook &quot;apps&quot; scandal has made everyone scratch their heads
and realize that they're allowing a number of different programs to have access
to their accounts and with that, some level of personal information. Twitter
has been hacked over and over again. MySpace has vulnerabilities left/right and
center. So to say that services will protect themselves is obvious. Whether
these hacks or illicit behavior take place<b> to them</b> or <b>on</b> their
networks is a variable. It all depends on the vulnerabilities discovered. The
web after all is Swiss cheese. Admitting that is the first step.
<p>
Our
friends at Verizon also feel that Malware will not evolve this year, that
Botnets will stay the same as a whole, and there won't be any mass outbreaks or
targeted attacks. Personally, I don’t see evolution as necessary when the same old
vulnerabilities still exist. Security best practices weren't followed until
specific verticals created requirements to do so. The result was PCI, HIPAA,
SOX, <a href="http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm">ISO17799</a>, and more pop up every day. If businesses would stop thinking of
security as an outflow of cash, and instead think of it as a necessary cost of
doing business, we'd all be a whole lot safer. The outbreaks will happen when
yet another bored 14-year-old finds a vulnerability and decides he’s going to
be the next big thing. And chances are, he’ll be rewarded with a big security
job somewhere. Funny how that works.
<p>
The
security team at Verizon also feel that consumers are getting smarter. The
impression that there are fewer newbies on the internet, and services are more
secure, and that people are generally more aware might be true. In one respect,
however, I wholeheartedly disagree. As P.T. Barnum once articulately stated, &quot;A sucker is born every
minute.&quot; This hasn't changed. Sure, people aren't responding to instant messages
on AOL asking for usernames and passwords, but the phishing sites are getting
better, the vulnerabilities are becoming more public and people are still
falling victim. Think back to the days of &quot;Don't open executables!&quot;
which became &quot;Don't open .SCR files!&quot; followed by &quot;Don't open
macros!&quot; and then the ActiveX nonsense for malware. At the end of the day,
although the public is getting a wee bit wiser, the trojan writers are getting
better-er. Claiming that people are more intelligent because your friends
haven't been scammed in a while says little about the state of public
affairs.
<p>
Number four on Verizon’s list states that Windows 7 (not necessarily IE8) will prove to
be more robust than anticipated (vs. Vista), and that applications are the new
targets. These are two completely different statements, and I’m not sure why
they ended up in the same paragraph together.
<p>
First off, I should warn you – take what I’m about to say with a grain of salt as I
am a world-class Windows hater. I will do my best not to let my absolute
loathing of all things Microsoft seep out. Oh well. So much for that.
<p>
Windows 7 is more robust than Vista, but that's not saying much. It’s like saying a 2009 Honda Civic is more robust than a 2008 Honda Civic just because there's new standard leather trim. It's still a
Honda Civic. It's still the same car. It’s just dressed up prettier. Windows
fans will go on and on about this-and-that device support and stability. We’ll
all stay tuned for that one.
<p>
Attacking applications as the next step is fairly obvious. Of course crooks are going to
go for applications. Applications aren't written to be secure. Writing for
security is much more time consuming and therefore more expensive. Coding for
security has to be the next evolution in application development. Write for
security as the first step. Make security the high priority. Don't write the
app, then go back to see if it's secure.&nbsp;This is what causes world class
/fail.
<p>
Number
five on Verizon’s list of 2010 predictions is that government and non-tech
organizations worldwide will become increasingly frustrated over SMTP, DNS and
SPAM, and they’ll find phishing more and more difficult to thwart. They believe
that Microsoft’s legal efforts to can-that-spam, along with a high-profile
arrest will somehow cause all the other SPAMMERS in the world to shake in their
boots and think twice about their line of work.
<p>
*yawn*
<p>
Spammers
are nothing more than ticks on the backside of the internet. They exist. They
suck off their hosts. And then they fall off. If we want to end SPAM tomorrow
we have to make the punishment for spamming so severe that the mere thought of
it will make these hoodlums shake in fear. Follow the money. Who is profiting?
Is it the manufacturer of said product? Is it a reseller? Follow the money.
Then once you get them, go after the people who actually BOUGHT something due
to a SPAM email. The only reason spammers still SPAM is because someone is
buying. Those people should be prosecuted for even responding to SPAM.
<p>
Verizon
Security also believes that breaches will increase, but on a smaller scale with
fewer records compromised. They feel that more money theft will take place with
account staff credentials being compromised. And they also believe mid-size
businesses will be hit with some sort of compliance mandate to force them to do
the right thing. Where Verizon and I disagree is that I see this going in the
opposite direction. I see more breaches, more records compromised, more insider
threats, more phishers, and more crooks using Western Union to transfer
money.&nbsp;
<p>
What
I'd love to see is a better-than-best-practices compliance mandate to supersede
all mandates. From small business to large enterprise, make everyone play by
the same rules regardless of vertical, regardless of industry, regardless of
income. One compliance mandate to rule them all. That compliance mandate should
not only represent best practices, but step it up a few levels.
<p>
Also,
if there were a blanket worldwide legal policy that applied to ALL cyber-crooks globally,
these scoundrels would no longer go unpunished. A couple of thousand dollars
stolen from an account in the U.S. goes a LONG way in some other countries, and
not only is it relatively easy to commit these crimes, but there are really no
legal deterrents in place to discourage these high-tech pickpockets in other
countries. Hoodlums can make millions (yes, millions) without any fear of
prosecution, and the temptation to pick such low-hanging (albeit forbidden)
fruit is very difficult to resist. Let's get downright hardcore on the legal
front. Let’s take down these wrongdoers.
<p>
Verizon Security went out on a limb when they stated that
nothing of note is going to happen to phones, PDAs, and Macs. Really? Uh…no. Just
two weeks ago we all learned about a sneaky little trick to invade unlocked
iPhones that have SSH enabled and still use the default password. This is just step one. If
you look at how many iPhones are on the market, you can see the huge motivation
for delinquents to act-a-fool. I see the mobile phone market getting its fair
share of security issues.
<p>
Although
I think Verizon Security has a high-level view of what takes place on the
security side, it seems some of the predictions are off in left field somewhere.
<p>
One prediction I believe
nobody will dispute though, is that 2010 will be a very exciting year in
security. And if we're lucky, a few people will realize they need <a href="http://loglogic.com">log management</a> to keep an eye on the security of their infrastructure. Stay tuned.
]]></description>
         <link>http://blog.loglogic.com/2009/12/top_10_security_predictions_for_2010.php</link>
         <guid>http://blog.loglogic.com/2009/12/top_10_security_predictions_for_2010.php</guid>
         <category>Security</category>
         <pubDate>Mon, 28 Dec 2009 00:00:00 -0800</pubDate>
      </item>
            <item>
         <title>Citibank, Cyber-Goons and SEM</title>
         <description><![CDATA[<p>By Lex van den Berghe, LogLogic Customer Evangelist</p>  <p>The <a href="http://online.wsj.com/article/SB126145280820801177.html">Wall Street Journal today broke news with a story</a> detailing an FBI probe into the possible theft of tens of millions of dollars from Citigroup by a Russian gang of cyber-crooks. But what strikes me as odd and controversial isn’t the theft itself or even the growing trend of this kind of crime, but that Citibank and the "government source" are at odds.</p> 

<p>What gives? Are we looking at a bit of irresponsible, shoot-from-the-hip reporting by the Wall Street Journal, or something else? This story is clearly a big deal – I mean, we’re talking about *<b>tens of millions</b>* of dollars…and the FBI has allegedly gotten involved.</p>
<p>There’s no denying that priority and urgency continue to escalate as cyber-crime transitions from science fiction to hard reality, and cyber-crime has become top-of-mind with consumers of all demographics.</p>
<p>According to the WSJ story, the Citibank attack was initially detected over the summer, but reports seem to indicate that the attack may have actually occurred a year earlier. So, how is it that all that cash went &lt;poof!&gt; and we haven’t heard about it until now? Or, even stranger, what’s behind Citigroup’s claim that the thefts never occurred and the WSJ’s report is not true? Joe Petro, managing director of Citigroup's Security and Investigative Services, said, &quot;We had no breach of the system and there were no losses, no customer losses, no bank losses.&quot; He added later: &quot;Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.&quot; One important thing to note is that Mr. Petro is not in PR, but rather part of Citi’s security arm. This gives his assertions more credibility. (Sorry, PR folks.)</p>
<p>I’m no conspiracy theorist by nature, but something definitely smells fishy here.</p>
<p>Folks…the truth is out there. And finding it ain’t rocket science. <a href="http://loglogic.com/">LogLogic’s log management</a> <a href="http://www.loglogic.com/products/security-event-management/index.php">and security event management</a> tools record everything as it happens in even the most complex IT environment, leaving a convenient breadcrumb trail behind that anyone can follow.
This breadcrumb trail includes every keystroke, file movement, login, breach, etc…like DNA left behind at the scene of a crime. Deploying these tools in your business IT environment is equivalent to installing one of those black boxes, or flight recorders, that they put in every airplane.</p>
<p>As a consumer, I’m always relieved to hear that institutions like Citi bear the burden of absorbing financial losses resulting from these sorts of cyber-crimes, and those of us whose accounts have been cleaned out usually do get our money back. But that’s not enough. I want these cyber-scumbags to pay for their crimes and, more important, I want future cybercriminals to think twice before they choose the dark path. If every institution out there that we trust to guard our money or personal information started using the right tools to safeguard these commodities, things might be a bit different.</p>]]></description>
         <link>http://blog.loglogic.com/2009/12/citibank_cybergoons_and_sem.php</link>
         <guid>http://blog.loglogic.com/2009/12/citibank_cybergoons_and_sem.php</guid>
         <category>Security</category>
         <pubDate>Tue, 22 Dec 2009 10:57:16 -0800</pubDate>
      </item>
            <item>
         <title>Cloud Computing and Log Management</title>
         <description><![CDATA[<p>Since my <a href="http://blog.loglogic.com/2009/12/why_the_public_and_private_clouds_dont_mix.php">posting on public and private clouds</a>, I have been getting email from people asking about the specifics of how<a href="http://loglogic.com/products"> LogLogic’s products</a> <strong>really </strong>participate in “The Cloud”.</p>

<p>LogLogic’s architectural premise is to handle the ingestion of logs from unknown sources, and to stay flexible as to the kinds of devices, logs or target locations involved. Additionally, we offer a unique feature that automatically identifies log sources: the system matches an incoming stream to a known log type, which is what makes agile reporting and normalization possible.</p>
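
<p>As an added illustration of two points on this page, the automatic identification of a log source from the stream itself (above) and, from the predictions post earlier on the page, the need to spot devices that still accept their default SSH password, here is a small Python example. It is not LogLogic code and does not describe how the LogLogic product works internally. The log lines, host names and addresses in it are constructed for the demonstration, and the three source signatures (Linux sshd via syslog, an Apache combined access-log line, a Cisco ASA message) are assumptions chosen to keep the example short. It classifies each raw line, maps it onto one common event schema, and then runs a single detection over the normalized events: password-authenticated root logins, and source addresses that have done that on several hosts in a row.</p>

```python
import re
from collections import defaultdict

# Constructed sample lines for illustration only; none come from a real device.
SAMPLE_LINES = [
    "Dec 21 03:14:07 nas01 sshd[4121]: Accepted password for root from 10.0.0.55 port 51022 ssh2",
    "Dec 21 03:14:09 nas01 sshd[4122]: Accepted publickey for deploy from 10.0.0.7 port 51030 ssh2",
    "Dec 21 03:15:11 phone7 sshd[88]: Accepted password for root from 10.0.0.55 port 51040 ssh2",
    "Dec 21 03:15:40 phone7 sshd[91]: Failed password for root from 10.0.0.56 port 40221 ssh2",
    '10.0.0.9 - - [21/Dec/2009:03:16:02 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:10.0.0.55/51022 to inside:10.0.0.3/22",
    "this line matches nothing",
]

# Source signatures (an assumption for this example), tried in order; the
# first regex that matches decides the source type of the stream.
SOURCE_SIGNATURES = [
    ("sshd", re.compile(
        r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")),
    ("apache_access", re.compile(
        r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')),
    ("cisco_asa", re.compile(
        r"^%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<msg>.*)$")),
]

# Second-stage parse for the sshd message body (OpenSSH wording).
SSH_AUTH = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port \d+")


def identify(line):
    """Return (source_type, captured fields); 'unknown' when nothing matches."""
    for name, rx in SOURCE_SIGNATURES:
        m = rx.match(line)
        if m:
            return name, m.groupdict()
    return "unknown", {}


def normalize(line):
    """Map one raw line onto a common event schema so that reports and
    detections do not need to know which product produced the line."""
    source, fields = identify(line)
    event = {
        "source": source, "raw": line,
        "host": fields.get("host"), "src_ip": fields.get("src_ip"),
        "user": None, "action": None, "auth_method": None, "outcome": None,
    }
    if source == "sshd":
        m = SSH_AUTH.match(fields["msg"])
        if m:
            event.update(action="login", user=m["user"], src_ip=m["src_ip"],
                         auth_method=m["method"],
                         outcome="success" if m["outcome"] == "Accepted" else "failure")
    elif source == "apache_access":
        event.update(action="http_request",
                     outcome="success" if fields["status"][0] in "23" else "failure")
    elif source == "cisco_asa":
        event.update(action="connection",
                     outcome="allow" if fields["msg"].startswith("Built") else "other")
    return event


def normalize_all(lines):
    return [normalize(line) for line in lines]


def password_root_logins(events):
    """Successful password-authenticated root logins: the trace a default
    credential leaves behind (key-based logins are ignored on purpose)."""
    return [e for e in events
            if e["action"] == "login" and e["outcome"] == "success"
            and e["user"] == "root" and e["auth_method"] == "password"]


def sources_sweeping_hosts(events, min_hosts=2):
    """Source addresses that logged into root with a password on at least
    min_hosts distinct hosts. One box may be an admin; several looks like a sweep."""
    hosts_by_src = defaultdict(set)
    for e in password_root_logins(events):
        hosts_by_src[e["src_ip"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LINES)
    for e in evs:
        print(e["source"], e["action"], e["user"], e["src_ip"], e["outcome"])
    print("password root logins:", len(password_root_logins(evs)))
    print("suspected sweeps:", sources_sweeping_hosts(evs))
```

<p>The order of the signature list matters: a line is assigned the first type that matches, so the most specific patterns belong at the top and anything that falls through is kept as <code>unknown</code> rather than dropped, which preserves the breadcrumb trail for later. The detection works only on the normalized fields, so adding a fourth source type means adding one regex and one branch, not rewriting the rule.</p>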

<p>We’ve also designed our licensing model to embrace such agile or fluid computing models, and not to be tightly licensed to a specific target, device or log source. In this way we’re not only the leader in <a href="http://loglogic.com">Log Management</a>, but we’re also enabling many ESSP, MSP and cloud-enabling telco clients to have flexibility in their logging demands, all while tracking data that’s dynamically moved around their asset pool. </p>

<p>With LogLogic, we leave no log left behind, and there’s no cloud too opaque.</p>]]></description>
         <link>http://blog.loglogic.com/2009/12/post.php</link>
         <guid>http://blog.loglogic.com/2009/12/post.php</guid>
         <category>Cloud Computing</category>
         <pubDate>Mon, 14 Dec 2009 06:00:00 -0800</pubDate>
      </item>
            <item>
         <title>Why the Public and Private Clouds Don’t Mix</title>
         <description><![CDATA[By <a href="http://www.loglogic.com/about/management/index.php">Guy Churchward</a>, LogLogic CEO

<p>Cloud computing tops Gartner's “<a
href="http://www.gartner.com/it/page.jsp?id=1210613">Top 10 Strategic
Technologies for 2010</a>.” They define a strategic technology as “one with the
potential for significant impact on the enterprise in the next three years.”
Gartner is somewhat right here. The fundamental problem I have is that the
industry has bucketed anything that can be loosely defined as cloud, virtual,
consolidatory, or simply on the network under the same term: <i>cloud</i>. All
of us loosely interchange public, private and cloud services at our whim, which
quite frankly confuses the general public. </p>

<p>To be fair, <a
href="http://www.gartner.com/it/page.jsp?id=1239813">Gartner does predict</a>
that through 2012, “IT organizations will spend more money on private cloud
computing investments than on offerings from public cloud providers.” This is
great, but I long for the day when this nebulous or opaque term can be
segmented into public clouds, private clouds and, more importantly, ITaaS. This
is not only a trend for 2010 but has been feverishly worked on through the last
24 months. It has been wrapped up in a pretty bow and proclaimed as ‘cloud’ for
the convenience of propping up the ‘invisible dog leash’ fad-based early
startups that infest the wannabe public cloud offerings (or so they think).</p>

<p>Getting back off my hobbyhorse, there are two primary
reasons (amongst many) why the enterprise will not make major strides towards
the public cloud: lack of visibility and multi-tenancy issues, both of which cloak the
real concern over critical data security.</p>

<p><b>Lack of visibility</b></p>

<p>The public cloud is opaque and lacks the true
accountability that any enterprise needs before it will release its
prized data assets to a set of unknown entities. Look at the value proposition:
no one consuming the service has visibility into the infrastructure, and the
providers themselves aren’t looking at the infrastructure. Are SLAs relevant? And
if so, who can enforce or even monitor them?</p>

<p>The public cloud has received so much buzz in large part
because it professes to offer significant cost savings over buying, deploying
and maintaining an in-house IT infrastructure. While this is massively appealing,
it doesn’t answer any of the fundamentals: quality of service, network security and
data security, to name a few. Imagine the concern of opening up your internal
systems with a direct pipe into the ‘cloud’. This is the equivalent of leaving
your data center door open while your data center adjoins a ‘how to hack
systems’ symposium.</p>

<p><b>Multitenancy Issues</b></p>

<p>The second reason why businesses of any real size will not
make the leap to the public cloud is multitenancy. Wikipedia (the font of all
knowledge) defines <a href="http://en.wikipedia.org/wiki/Multitenancy">multitenancy</a>
as “a principle in software architecture where a single instance of the
software runs on a server, serving multiple client organizations (tenants).” In
other words, many people using the same IT assets and infrastructure.  </p>

<p>So here’s the rub: EC2, Google, etc. provide true
multi-tenancy, but at what cost to compliance and security? What about hot
topics such as PCI or forensics? How safe are the tenants on a system? Who is
on the same system as you, a hacker or perhaps your dearest competition? How
secure is the isolation between clients? What data have you trusted to this
cloud? If you buy the argument, it will be your patient records, payroll,
client list, etc. It will be essentially your most important data assets. I
have to think this would be a good test of data asset Darwinism. </p>

<p><b>Cloud computing needs to cover its assets</b></p>

<p>Until the public cloud can provide visibility all the way
down to the IT infrastructure’s most basic asset, logs, enterprises simply
won’t risk it. To be deployed properly, a public cloud needs to understand logs and <a href="http://loglogic.com">log management</a>
for purposes such as security, business intelligence, IT optimization, PCI
forensics, parsing out billing info, and the list goes on. </p>

<p>Until then, in the grand scheme of risk mitigation,
enterprises will fear the cloud and, per my recommendation, segment public cloud
from ITaaS in a private cloud. It’s a shame, because we’ve clubbed all the terms
into a single bucket, which turns all the lights red when in fact there’s
tremendous value in cloud computing. <b>But</b> public clouds and enterprise
computing are a world apart and should be treated as such. And there are whole
rafts of risks to be considered along the way.</p>
]]></description>
         <link>http://blog.loglogic.com/2009/12/why_the_public_and_private_clouds_dont_mix.php</link>
         <guid>http://blog.loglogic.com/2009/12/why_the_public_and_private_clouds_dont_mix.php</guid>
         <category>Cloud Computing</category>
         <pubDate>Tue, 08 Dec 2009 08:30:17 -0800</pubDate>
      </item>
            <item>
         <title>The One Supreme Court Case You Should Pay Attention To This Session</title>
<description><![CDATA[<p>In the high-tech industry, the machinations of the US Supreme Court are, at best, fodder for dinner party trivia questions. There is one case on the Supreme Court docket this year that has the potential to change the way intellectual property is protected in the United States, and to have a major effect on the software companies who rely on the patent process. It could also have a devastating effect on innovation.</p>

<p>The case, known as “Bilski v. Kappos” (AKA <a href="http://en.wikipedia.org/wiki/In_re_Bilski">“In re Bilski”</a>), has to do with what subject matter can be protected by a patent.  In this case, the inventors, Bernard L. Bilski and Rand Warsaw, filed a patent application for a process of hedging risk in energy contracts. The requirement for patentability is that an invention must be “concrete” and “produce a useful result”.</p>

<p>The US Patent and Trademark Office (USPTO) rejected the inventors’ application on the grounds that it was too ill-defined.  In legal terms, the claimed invention was an unpatentable abstract idea. The inventors appealed to the patent appeals board, and this was rejected as well. </p>

<p>The inventors then appealed to Federal Court, which decided the case “en banc.”  When an appeals court decides a case “en banc,” this means that the entire appeals court, not just a panel of its sitting judges (which is the norm), hears and decides the case.  En banc decisions are typically reserved for the most important cases – cases where precedent-setting law is likely to result.   </p>

<p>The case affects a class of patents known as "business methods" patents.  While business method patents have been around for a very long time (the Piggly-Wiggly supermarkets were founded on a patented business process), the case <a href="http://en.wikipedia.org/wiki/State_Street_Bank_v._Signature_Financial_Group">State Street Bank v. Signature Financial Group in 1998</a> widened the scope for patenting of business processes. <br />
</p>]]></description>
         <link>http://blog.loglogic.com/2009/12/the_one_supreme_court_case_you_should_pay_attention_to_this_session.php</link>
         <guid>http://blog.loglogic.com/2009/12/the_one_supreme_court_case_you_should_pay_attention_to_this_session.php</guid>
         <category>Innovation</category>
         <pubDate>Tue, 01 Dec 2009 23:00:00 -0800</pubDate>
      </item>
            <item>
         <title>What Bilski Means To High-Tech Companies</title>
         <description><![CDATA[<p>By <a href="http://www.loglogic.com/about/management/index.php">Barbara Rogan</a>, LogLogic General Counsel</p>

<p>While we all wait with bated breath for the decision of the Supreme Court in Bilski v. Kappos, I had a chance to ponder the impact this decision could have on LogLogic and other private technology start-ups.</p>

<p>If the Supremes decide that the Bilski “invention” is in fact patentable subject matter, as in-house counsel for an innovative technology company, I am going to be forced to spend a lot more of my time filing new patents.  </p>

<p>Why?  LogLogic is an innovative start-up company and we can’t afford to let another company patent our business processes.  Rather than just looking at getting patents for our core technology, I would then need to think about getting patents for all our business processes – how we handle RMAs, how we handle technical support calls, etc. </p>

<p>While I won’t mind spending more time on patents, as a shareholder in LogLogic I wonder if that is the best use of the time of LogLogic’s engineers, product management and others.  I would rather that they spend their precious hours in the day innovating and creating the next generation of <a href="http://loglogic.com">log management</a> products and services, or providing support and services to our loyal customers.</p>

<p>Yes, patents are important and our engineers at LogLogic should spend some time on patent applications.  But if the Supreme Court widens the scope of patentable material to the extent that Mr. Bilski and Mr. Warsaw ask, then we will need to think about protecting all of our business processes with patents, lest someone else patent the process ahead of us. </p>

<p>What’s interesting is that most of the developed world does not offer patent protection for business processes.  My question would be whether it would be better for US competitiveness to have such extensive patent protection.  </p>

<p>I think not.  Such extensive patent protection would inevitably lead to more legal wrangling.  More discussions with patent trolls, er patent licensing firms and more payments of licensing fees.  I would rather we spend our time innovating and competing globally, rather than rushing to the patent office every time we come up with a new business process.</p>]]></description>
         <link>http://blog.loglogic.com/2009/12/what_bilski_means_to_hightech_companies.php</link>
         <guid>http://blog.loglogic.com/2009/12/what_bilski_means_to_hightech_companies.php</guid>
         <category>Innovation</category>
         <pubDate>Tue, 01 Dec 2009 20:13:44 -0800</pubDate>
      </item>
            <item>
         <title>Health Care Providers to Self-Police Themselves on Privacy Harm</title>
         <description><![CDATA[<p><a href="http://bit.ly/4CaTPG">In an article</a> that hit the web this week, a new DHHS rule is purported to allow health care providers to determine if their privacy breaches have caused any harm. While I understand the nature of assigning the reporting burden to healthcare companies, I don’t think this new rule is in the public’s (or patient’s) best interest. We already know that <a href="http://blog.loglogic.com/2007/01/hipaa_report_shows_most_complaints_not_investigated_it_compliance.php">most complaints related to HIPAA are not investigated</a>. This new provision all but ensures that most breaches will not even be reported.<a href="http://blog.loglogic.com/WindowsLiveWriter/HealthCareProviderstoSelfPoliceThemselve_7FC2/fox%20hen%20house_aspx_4.jpg"><img style="border-right-width: 0px; margin: 20px 15px 5px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="fox hen house_aspx" border="0" alt="fox hen house_aspx" align="left" src="http://blog.loglogic.com/WindowsLiveWriter/HealthCareProviderstoSelfPoliceThemselve_7FC2/fox%20hen%20house_aspx_thumb_1.jpg" width="199" height="256" /></a> </p>  <p>Let’s not kid ourselves…although we’d all like to think that our health care organizations are worthy of our trust and good faith (and many are), when all is said and done, they are businesses and they need to keep the bottom line in mind at all times. These new “self-service” breach notification rules could put some of us on the unpleasant receiving end of what happens when the fox holds sentry over the chicken coop. 
</p>  <p>With that said, it’s worth pointing out that in a <a href="http://www.loglogic.com/resources/analyst-reports/ponemon-electronic-health-info-at-risk/">recent independent survey</a> of several hundred IT practitioners in the healthcare industry, a whopping 80 percent of the respondents reported that their organization had experienced one or more data breaches involving the loss or theft of electronic health information in the past year!</p>  <p>The real solution is stringent monitoring, along with input from an external party, like a privacy ombudsman. This is a model followed today by many press organizations, as well as police departments with regard to misconduct complaints.</p>  <p>Read the full article here: <a href="http://bit.ly/4CaTPG">http://bit.ly/4CaTPG</a></p>]]></description>
         <link>http://blog.loglogic.com/2009/11/health_care_providers_to_selfpolice_themselves_on_privacy_harm.php</link>
         <guid>http://blog.loglogic.com/2009/11/health_care_providers_to_selfpolice_themselves_on_privacy_harm.php</guid>
         <category>Healthcare</category>
         <pubDate>Thu, 19 Nov 2009 09:05:11 -0800</pubDate>
      </item>
            <item>
         <title>Are IT Security Professionals the Last Line of Defense for Patient Privacy?</title>
         <description><![CDATA[<p>By Dominique Levin</p>  <p>EVP Marketing and Strategy </p>  <p><a href="http://blog.loglogic.com/WindowsLiveWriter/AreITSecurityProfessionalstheLastLineofD_93FF/image_2.png"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" height="244" alt="image" src="http://blog.loglogic.com/WindowsLiveWriter/AreITSecurityProfessionalstheLastLineofD_93FF/image_thumb.png" width="190" border="0" /></a> <a href="http://blog.loglogic.com/WindowsLiveWriter/AreITSecurityProfessionalstheLastLineofD_93FF/image_4.png"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" height="244" alt="image" src="http://blog.loglogic.com/WindowsLiveWriter/AreITSecurityProfessionalstheLastLineofD_93FF/image_thumb_1.png" width="188" border="0" /></a> </p>  <p>As the national debate about overhauling the $2.5 trillion United States healthcare system rages, the federal government is already investing tens of billions of dollars as part of the stimulus program to push our medical care industry to shift from paper to computer records.</p>  <p>In our rush to computerize patient records to reap the benefits of higher quality of care and safety, and to better control fraud, who is making sure that our private medical records are being protected? </p>  <p>To better understand the issues, we at LogLogic spoke with some of our largest healthcare customers about their steps to bolster patient privacy protection. 
We also partnered with the independent research firm the Ponemon Institute to survey 542 senior IT practitioners from healthcare organizations with an average of more than 1,000 employees about how secure they believe electronic patient medical records are.</p>  <p>According to the October 2009 Ponemon report, &#8220;Electronic Health Information at Risk: A Study of IT Practitioners,&#8221; 80 percent of healthcare organizations had experienced at least one incident of lost or stolen electronic health information in the past year &#8211; four percent had more than five patient data breaches. More than two-thirds of these healthcare organizations had already digitized at least a quarter of their patient records, and a third had digitized more than half.</p>  <p>The most surprising finding was that almost three-quarters of respondents said their organization had failed to make patient record protection a priority.</p>  <p>At LogLogic, we think this presents a unique opportunity for IT security professionals to take a leadership role in this critical national issue. There are new rules mandated by the Health Insurance Portability and Accountability Act (HIPAA) that became effective in September that are important steps towards bridging the traditional gap between &#8220;Cover Your Ass&#8221; compliance and real IT security. </p>  <p>To find out more highlights and read a complete copy of the Ponemon Institute study and the LogLogic healthcare customer survey, please take a moment to register at our site at <a href="http://loglogic.com/resources/analyst-reports/ponemon-electronic-health-info-at-risk/">www.loglogic.com/resources/analyst-reports/ponemon-electronic-health-info-at-risk/</a></p>  <p>In LogLogic&#8217;s interviews with senior security professionals responsible for overseeing the protection of hospital patient records, a consensus emerged that best practices in securing patient privacy go beyond HIPAA compliance. 
New technologies allow hospitals to more closely monitor and protect patient privacy than ever before. The recent changes in HIPAA also put more stringent requirements on medical organizations to secure patient privacy. Hospital security professionals today have a unique opportunity to be patient privacy heroes. </p>  <p>If you&#8217;re in the healthcare industry, do you feel you have a role to play as a privacy hero? Let us know. We want to hear from you.</p>]]></description>
         <link>http://blog.loglogic.com/2009/10/are_it_security_professionals_the_last_line_of_defense_for_patient_privacy.php</link>
         <guid>http://blog.loglogic.com/2009/10/are_it_security_professionals_the_last_line_of_defense_for_patient_privacy.php</guid>
         <category>Healthcare</category>
         <pubDate>Tue, 20 Oct 2009 10:31:34 -0800</pubDate>
      </item>
            <item>
         <title>People Have Grown Immune to Breach Notifications</title>
<description><![CDATA[<p>by Lex van den Berghe   <br />LogLogic Customer Evangelist</p>
<p><a href="http://blog.loglogic.com/WindowsLiveWriter/PeopleHaveGrownImmunetoBreachNotificatio_934C/peacocksquawk_2.jpg"><img title="peacocksquawk" style="border-right: 0px; border-top: 0px; display: inline; margin-left: 0px; border-left: 0px; margin-right: 0px; border-bottom: 0px" height="184" alt="peacocksquawk" src="http://blog.loglogic.com/WindowsLiveWriter/PeopleHaveGrownImmunetoBreachNotificatio_934C/peacocksquawk_thumb.jpg" width="244" align="right" border="0" /></a> Back in simpler times, the “high tech” approach to breach notification was a gang of domestic geese or peacocks posted as sentries ‘round the farm to squawk bloody murder whenever strangers approached the property line. Times have changed, as has the definition of “high tech”…but the basic principles and necessity of effective breach notification remain the same.</p>
<p>I spoke with Sudha Iyer, Director of Product Management at LogLogic, and she shared her two cents on breach notification and why it pays to be prepared…</p>
<p>It seems that not a day goes by without a report of a data breach, or a discussion of the latest Conficker (or other malware) variant. Lest organizations become desensitized to such attacks, I’ve noticed that breach notifications can have a negative impact on the organization’s net worth.</p>
<p>Take the case of Heartland Payment Systems (NYSE - HPY), for example. When markets opened after Heartland’s <a href="http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm">public announcement of their credit card breach</a> in January 2009, their stock price shrank to $8.54 and plummeted to $3.95 by March 2009.&#160; Today, Heartland is fortunate that their stock is almost back to its pre-breach-notification price of $14.53.</p>
<p>Despite the continuous flood of public breach notifications like Heartland Payment Systems’, I find it troubling that so many organizations continue to act as if they are immune to such attacks. Has the barrage of public breach notifications bred enough apathy so as to undermine the primary reasons for public notifications in the first place? I thought breach notifications were meant to…</p>
<ul>
<li>Spur the offending organization into action to put in place the necessary process, people and technology to do the right thing for the individual(s) and the business to which they are accountable.</li>
<li>Serve as a warning to other organizations to do the same before their data is compromised.</li>
</ul>
<p><a href="http://blog.loglogic.com/WindowsLiveWriter/PeopleHaveGrownImmunetoBreachNotificatio_934C/creditcardlock_2.jpg"><img title="creditcardlock" style="border-right: 0px; border-top: 0px; display: inline; margin-left: 0px; border-left: 0px; margin-right: 0px; border-bottom: 0px" height="215" alt="creditcardlock" src="http://blog.loglogic.com/WindowsLiveWriter/PeopleHaveGrownImmunetoBreachNotificatio_934C/creditcardlock_thumb.jpg" width="145" align="right" border="0" /></a> Consider the healthcare industry. The Health Information Technology for Economic and Clinical Health Act (HITECH) includes a <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html">health care breach notification law</a>. This interim final rule on the HITECH Act just became effective on September 23<sup>rd</sup>, and the law requires any organization covered under the Health Insurance Portability and Accountability Act (HIPAA) to notify patients of a data breach involving their personal health information.
Will this law, <a href="http://news.idg.no/cw/art.cfm?id=CDA1AB33-1A64-67EA-E43BA73C364029DC">especially with its recent amendments that critics say completely gut the original intent of the bill</a>, achieve the aforementioned aims of data breach notification? This leads to a larger question: does data breach notification adequately protect the consumer or patient whose information is compromised?</p>
<p>If there’s a lesson to be learned here, it would have to be: “Don’t put off until tomorrow what you can do today.” Rather than be vulnerable and exposed to attack, enterprises should enact the proper defenses and alerts to fend off the perpetrators. If your high-tech “farm” could use a good flock of geese or peacocks, check us out…<a href="http://www.loglogic.com/products/index.php">we can help</a>!</p>]]></description>
         <link>http://blog.loglogic.com/2009/10/people_have_grown_immune_to_breach_notifications.php</link>
         <guid>http://blog.loglogic.com/2009/10/people_have_grown_immune_to_breach_notifications.php</guid>
         <category></category>
         <pubDate>Mon, 05 Oct 2009 10:28:34 -0800</pubDate>
      </item>
      
   </channel>
</rss>
