Tuesday, 29 June 2010
Sunday, 27 September 2009
Thursday, 20 August 2009
McAfee grabs Cisco man for global channel role
McAfee has tasked its new global channel chief with improving its ease of doing business with partners.
Alex Thurber has joined the anti-virus giant from Cisco in the post of senior vice president of worldwide channel operations.
McAfee indicated that Thurber’s immediate areas of focus would be to improve ease of doing business by implementing infrastructure improvements. He has also been tasked with driving pay-for-performance programmes.
Before his 10-year stint at Cisco – where he most recently oversaw channel strategy for wireless and emerging technologies – Thurber founded and ran US IT services and consulting firm Thurber Works.
Thurber will report into McAfee’s worldwide sales chief Michael DeCesare, who said: “I am looking to leveraging his 17 years of network and security experience that has given him a deep understanding of what is required to build and grow a value-based channel.”
Thurber said: “McAfee’s commitment to being a world-class channel company and its singular focus on security has proven successful in helping to empower the channel.”
Thursday, 30 July 2009
Oops, e-mail security vendor McAfee spills 1400 private names
In a story just dripping with irony, e-mail security vendor, McAfee, has accidentally sent the contact details of some 1400 conference attendees in a spreadsheet attached to a thank you message.
On July 17, McAfee held a security conference at the Sydney Convention Centre. The event was well attended by 1408 guests. But in an e-mail a week later thanking people for attending, McAfee added a spreadsheet containing the names, numbers, e-mail addresses, employment details and even dietary requirements of the 1408 people.
As expected, McAfee went into damage control and immediately posted a message to those who received the list asking them to delete it.
But by then the damage was done. Steve Murphy, IT consultant and one of the 1408 people on the list, said the incident was “a real concern”.
“McAfee is brushing over it saying that it was just contact details, but it was the full registration database,” he said. “It is commercial-in-confidence information but these days social engineering is one of the most important aspects of security – it’s the kind of information that anyone can use.”
Murphy, who posted screengrabs of the emails on Flickr, discovered the mistake when he read the email newsletter and follow-up message.
“When I received the second email I was a little amused – until I opened the file and saw what was in there. Once I found out the details, I was horrified.”
A spokesperson for McAfee said the company sincerely apologised for the outcome and the inconvenience caused.
"Due to a human error, the contact list for a seminar [held two weeks ago in Sydney] was mistakenly attached to a promotional e-mail being sent to conference delegates. This contact list included common conference registration information but did not include any financial information," the spokesperson said.
"McAfee managed to intercept this e-mail before it was sent to all recipients, so it is uncertain how many recipients received the list."
McAfee has taken "the appropriate steps" to inform people of the mistake.
"We apologise for this error and are taking steps to ensure it doesn't happen again."
Let’s hope the “appropriate steps” to prevent this type of data loss include the use of McAfee Total Protection for Internet Gateways.
By combining email and web security with data loss prevention in one affordable solution, McAfee Total Protection for Internet Gateways helps you protect against malware attacks and keep sensitive information secure, according to the company.
“Automatic enforcement of industry and regulatory controls – Apply policies consistently to stop sensitive and protected data from leaving the enterprise through email and web traffic.”
Tuesday, 21 July 2009
McAfee getting more aggressive on cloud-based security
McAfee Monday says it intends to expand its security-as-a-service offerings in recognition that customers are opting more and more to adopt cloud-based deployments.
"We already have a good foundation for this," says Marc Olesen, McAfee's senior vice president and general manager of the new software-as-a-service business unit. McAfee Total Protection Service, which has about 5 million users, is primarily cloud-based for endpoint and mail security scanning. In addition, McAfee's Web Protection Service, wholly in the cloud, provides URL filtering and reputation analysis, while the company's Vulnerability Assessment service can scan Internet-facing systems to discover software vulnerabilities.
But McAfee anticipates a much wider push into security-as-a-service in the course of the coming year.
For instance, the company envisions "adding an inside scan, which is not something we deliver today as security as a service," Olesen says. "Today, it's still outside the firewall."
McAfee's Foundstone Enterprise product can be used to scan the corporate intranet, but the company is looking at how to make use of the underlying technology to provide an internal scanning service.
Another area of focus is further developing a cloud-based management console, according to Olesen. "Customers are telling us they want the management in the cloud," he says. "They can get started quickly with it."
One customer, Philadelphia-based Gemino Healthcare Finance, has found it much easier to use McAfee's Web-based management in the cloud for the past two years than having to install and maintain an antimalware management console in-house on a server.
"It's a huge reduction in maintenance," says Peter Herschel, director of IT at the 18-person outfit. He says he's more or less on his own managing all the servers and desktops for the company, which provides financing to hospitals and other healthcare organizations. "I need basic security kept simple."
McAfee is examining methods for log archiving in the cloud, and in particular will be looking at three vertical industries -- telco providers, financial and healthcare -- where new security-as-a-service offerings can be delivered.
McAfee will look at services that telco providers can not only use themselves but offer as services to their customer base. The vendor also intends to expand its e-mail filtering offering to include continuity services.
Not all types of security protection readily lend themselves at this point to a cloud-based deployment, Olesen acknowledges. Data-loss prevention and unified-threat management products, for instance, do not appear to be candidates, but the management of them could.
"It's a gradual shift to the cloud," Olesen says, adding McAfee will be making investments there, mindful that key competitors such as Symantec are also zeroing in on cloud-based services. While not announcing a specific timeframe to achieve the efforts described, McAfee expects that many of its goals will be accomplished within the course of the year.
Saturday, 27 June 2009
Heightened data-loss prevention needs fuel arms race between vendors
Data-loss prevention is rapidly becoming the next big battlefield in IT security.
Innovative start-ups in DLP, such as Reconnex, Orchestria, Vontu, Provilla and Tablus have been swallowed up by McAfee, CA, Symantec, Trend Micro and RSA (the security division of EMC), respectively, though independents such as Fidelis Security Systems remain, in addition to open source. With acquired strength in DLP, the established security vendors are now determined to use DLP in new ways, by integrating it into storage systems, desktop anti-malware suites and more.
Though deploying commercial DLP still is expensive — a $100,000 price tag and up is not unusual — the process of filtering content to spot leaks of data, intentional or otherwise, shows signs of starting to become commoditized.
“There’s a lot of duct tape and glue right now to make this work the way you really want,” says Gartner analyst Eric Ouellet of the sophisticated DLP systems on the market today that can watch for sensitive content and block it, or hand it off for encryption before transmission.
Though fairly new, DLP can work remarkably well in detecting sensitive data and issuing warnings or blocking it. But there’s still often a lot of manual labor in registering content and defining policies. Businesses shouldn’t be jumping into it thinking they can instantly “boil the ocean,” Ouellet cautions. Rather, he says they should focus on four or five big categories of data they want to subject to DLP rules. “You have to train the system until you get comfortable with it.”
But what may be a somewhat arduous and expensive process today could give way to much more commoditization and ease of use within the next two years, Ouellet adds. That’s because security vendors see demand for DLP not just in large organizations, such as the financial institutions and insurance companies where DLP first caught on, often driven by regulatory-compliance concerns, but in any type of business that wants to protect sensitive data.
While Microsoft and Cisco haven’t bought DLP start-ups, they’re partnering with RSA to use RSA’s DLP classification technology. The first fruit of the RSA DLP alliance has been Cisco's just-announced integration of DLP into Cisco IronPort.
“We’ve been an early adopter of a number of RSA technologies,” says Erik Heidt, assistant vice president and manager of information technology at Cincinnati-based Fifth Third Bank, which uses IronPort for gateway e-mail security filtering.
Heidt plans to make use of the DLP capability in IronPort as part of an enterprise-wide DLP strategy, though he acknowledges “it could be time-consuming to get data policies written for this.”
Wes Wright, chief technology officer at Seattle Children’s Hospital, sees DLP as the next step to augment the encryption, which is based on GuardianEdge, that the healthcare organization recently deployed for endpoint protection. It seems likely the hospital will make the investment in DLP because management is getting behind it.
“You want to be able to set policies on what’s allowed, and you want to block,” says Wright. The hospital knows where patient health information is stored but having DLP controls on what happens to it after authorized personnel access it would be a big plus.
“I'd do both gateway and endpoint DLP,” says Wright, noting he’s focusing DLP evaluation efforts mainly on vendor products that can do both.
Despite the challenges of DLP today, it seems likely the enthusiasm for it is going to project DLP way beyond its first-generation existence on the gateway and desktop.
In fact, Ouellet even predicts the future will eventually usher in “the content-aware enterprise” where DLP is seamlessly linked into digital rights management and identity and access management. And DLP could provide the foundation for more efficient e-discovery of electronic records.
That’s the vision anyway, and a number of security vendors are eager to embrace it, with pledges of integration with other products frequently heard these days.
“At the end of the day, it’s about information control,” says Gijo Mathew, vice president of security management at CA. “Once you’ve analyzed the information accurately, you can do a lot more than just block it. You can tag it for retention and encryption. There's management of that information, and it could be the foundation for e-discovery systems in litigation.”
In January, CA acquired start-up Orchestria and has renamed the gateway and desktop monitoring product CA DLP. CA DLP is integrated with encryption products from Voltage, PGP and BitArmor so data tagged as sensitive can be automatically handed off to be scrambled before transmission, if it’s not blocked.
“CA is very big in identity and access management,” says Mathew, noting DLP can be tied to CA's identity management product or anything LDAP-enabled, such as Microsoft Active Directory, to set DLP policy. If there's a weak point in DLP today, says Mathew, it's that DLP can’t read encrypted documents. “If it can’t read it, it can’t analyze it to block it.”
Hundreds of customers use CA DLP, including Bloomberg, which includes it with their terminals, says Mathew, and even competitor Symantec in the past OEMed Orchestria for content-filtering in Symantec Enterprise Vault.
Symantec acknowledges that's the case but prefers not to discuss that, and instead points toward the security firm's own future plans for Symantec DLP, based on its Vontu acquisition.
What was once Vontu is now called Symantec DLP Discover, Monitor, Prevent and Management, with about 300 corporate and government customers using it, says Rob Greer, Symantec’s senior director of product management for data-loss prevention products.
Symantec has integrated DLP into its BrightMail e-mail security gateway. There’s also been integration with the Symantec Altiris management software. Altiris v. 7 can be used to deploy and troubleshoot endpoint DLP Prevent and Discover agents.
“Today with the workflow capabilities of Altiris, we can communicate between an endpoint DLP agent and Symantec Endpoint Protection agent,” says Greer.
This capability can be used to solve problems, he notes.
“Say an end user on a laptop is about to check out for the day and copy the crown jewels of the business,” Greer says. “We could today identify that action is occurring, block it with the endpoint DLP, the incident gets recorded in the DLP system, and a message sent to Altiris to lock down that USB drive and doesn’t let anything leave that laptop until the issue is resolved.”
Although today Symantec isn’t at liberty to discuss specific future plans, Greer said work to integrate DLP into Symantec storage systems can be expected. Symantec DLP Discover, for example, has already been integrated into Backup Exec System Recovery. And Symantec intends to introduce some open APIs for DLP.
Arch-rival McAfee is also out on the DLP battlefield, having acquired start-up Reconnex at the end of last year, and now has about 500 DLP corporate customers, according to Mike Siegel, McAfee’s senior director of product management.
McAfee’s Host Data Loss Prevention and Network DLP Prevent and Monitor all work with McAfee’s flagship ePolicy orchestrator console, and the host DLP is integrated with McAfee's SafeBoot encryption software to invoke encryption of sensitive data.
McAfee’s host DLP software can be used alone or as an add-on to the flagship endpoint anti-malware security software that's part of McAfee's Total Protection for Data Endpoint suite. But there's still much more to be done, Siegel says.
McAfee is looking at taking the DLP engine and adding it to its Web gateway, e-mail gateway, firewall and intrusion-protection gear, something likely to occur next year, Siegel says.
The DLP battle for the enterprise is under way.
DLP is going to end up as the “eyes and ears in many places,” says Tom Corn, vice president of product strategy at RSA, which has its own Data Loss Prevention Suite based on the Tablus acquisition but has also chosen to strategically partner with Microsoft and Cisco in a DLP technology-sharing arrangement.
DLP can be viewed as a standalone product or as a feature in other products, Corn points out. RSA, as part of storage giant EMC which also owns VMware, will be putting DLP capabilities into products in all those realms — though that may take time.
“Our DLP today can see inside Solaris file systems today and in our eRoom product line, and over time, there are reasons why classification technology should get built with back-up solutions,” Corn says. While a lot of the work is still to be done, the vision at EMC/RSA calls for DLP to play a role in eDiscovery and life-cycle management.
What’s not widely known about DLP is how much work from experts in language and library sciences is required to make content-monitoring work, says Corn. DLP is going to be used not just by speakers of English or other European languages, but by speakers of Chinese and Japanese, and RSA will soon come out with DLP products for that.
Security firms warn of Michael Jackson spam messages
Computer security firms are warning users to be vigilant about spam messages capitalizing on the sudden death of U.S. pop star Michael Jackson.
The 50-year-old "King of Pop" was pronounced dead on Thursday afternoon at the Medical Center of the University of California in Los Angeles, after going into full cardiac arrest.
Security firm Sophos on Friday reported that about eight hours after Jackson's death, its experts witnessed the first wave of spam messages taking advantage of the breaking news in the subject line and body of the email.
In these messages, the spammers claimed that they had vital information about the death of Michael Jackson to share and asked for a reply.
Experts said the spammers can easily harvest recipients' contact information via a free live email address if users reply to the spam message.
"The untimely death of the King of Pop, Michael Jackson, has sent shockwaves through the entire world -- but unfortunately, this type of huge news story is also the perfect vehicle for spammers to snare vulnerable computer users," Graham Cluley, a senior technology consultant at Sophos, said in a statement.
"These spammers are relying on curious users to reply to their bogus claims, but if you receive one of these messages you just need to delete it," he added.
In addition, security experts at Sophos discovered that cyber criminals were taking advantage of the passing of U.S. actress Farrah Fawcett, a 1970s TV icon who also died on Thursday, to spread fake anti-virus software.
Bad news offers opportunity to spread malicious software, noted Guilherme Venere, an expert at security firm McAfee.
"Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email," he wrote in a posting on the company's blog.
Venere said users should be wary of spam emails offering links to "news" or "pictures" of deceased celebrities, which most of the time will lead to websites touting pharmacy products and even result in the installation of malware on the computers.