RSA SFO 2011 is done

This week has been a blitz of sessions, one-on-one deep discussions, and random swarms of passionate people descending on any table to discuss all things information security.  The sessions were good, the products somewhat interesting, and the networking was fantastic.  I did my best to tweet as much as I could from sessions throughout the conference, but there is a theme I saw and wanted to share for debate and consumption.

The risks are severe and quite frankly the offensive capability of attackers (individuals, attack teams like Anonymous, and nation state sponsored groups) is excellent.  Organizations are suffering from exfiltrated data at an alarming scale, and lack of maturity in managing these threats is ad-hoc.

A single vendor this would come across as F.U.D., but this was expressed by the Director of the NSA, and at nearly every session and keynote.

So what does this mean?  Well, much like at RSA there is a need to translate and form an opinion, or lovingly called the ‘Apply Slide’.  Below are the points that resonated for me – in no particular priority order:

• There is a need for a more meaningful appreciation of what is valuable to every organization.  This discussion needs to happen with the management, legal, risk management, internal audit, and technology leadership.  A primary effort of bringing these individuals together is to ascertain what is valuable and what forms may it exist throughout the business.
• A sophisticated incident handling process is needed.  This is a topic highlighted by the likes of Google and Signal Intelligence experts.  The point though was lost I feel to the majority of attendees.  The need is not simply to have trained team members with tools to be activated in the case of a breach.  That is needed, but there is a much deeper need:
  • The maturing and sustaining of a firmwide global effort to respond to every infection / malware-instance / behavioral anomaly.  Here is the thesis:  Today most of these are addressed through a help desk function that follows a decade old process of risk identification and remediation.  The common response is to update patches and have the behavior cease (removal of the error is considered a “fix”).  It is widely accepted that the attackers and infection tools are highly sophisticated, and removal is not a linear path nor a guarantee of a “clean” system.  In addition the statistics reinforce this fact when we look at the effectiveness of the anti-virus tools, the amount of malware that is unique and unknown, and the percentage of exfiltration events that occur resulting from this code.  Finally, there is a stigma to ‘activating an incident response’ team in many organizations.  Together these create an atmosphere where keyloggers / botnets / stuxnet / and similar malware toolsets can infect, avoid destruction, increase infiltration, and have intelligent exfiltration of desired data.
• Cloud was a very popular topic all week, and despite professional annoyance of the media focusing on a single aspect of information technology one simple fact remains true.  These sessions were packed.  The information provided was not clear and visibility remains beyond immediate grasp.  So – my response here is … these sessions were packed and the term is everywhere, because we do not have this at a state of understanding.  I foresee this will be a long and great area to continue developing.

Thank to everyone and hope to see you again  – soon!

James DeLuccia

Security News – inspired by #RSAC

This week is the RSA Conference in San Francisco and despite itself being a huge conference with great people in attendance, there is also numerous other satellite conferences happening (BSidesSF and Cloud Summit).  All that brain power is bound to generate some discussion and research reports generally are released during this PR window.  So, here is a few items that (new and old) jumped out to me getting much discussion and would be valuable to restate.  As always, I will be punching up my notes to share as things that are meaningful are presented.

First stop the CIO of the U.S. Government:  on DarkReading: “White House CIO Lays Out ‘Cloud First’ Strategy To Streamline Bloated Government IT”.  This is generally a repeat of his prior strategy laid out before the security community [Direct D/L] and the Wall Street Journal.  Nonetheless worth zipping through:

In the same stream of thought (both highlighted at Cloud Summit) is the initiation of the updating the “Security Guidance for Critical Areas of Focus in Cloud Computing” by the Cloud Security Alliance.  Note this is a collaborative group and passionate and knowledgeable persons are highly sought – if you can give your time and help.  The prior version is available here for download.

True Cost of Compliance put forward by Ponemon Institute and TripWire (released January 2011) – right off the top states that the average non-compliance costs are more than $5 million dollars than the cost to comply.  Here is the link to the report – no registration required, very nice.  Also interested what that cover graphic is hiding…

Plenty of great streams of information flowing from the conference on twitter – set search filters to: #RSAC #RSA and of course, if you like a specific area (NIST, ISO, Cloud) hit those tags up too… This week is going to produce enough reading for a few flights across the pond for us all!

Enjoy,

James DeLuccia

 

Thomson Reuters Cost of Compliance Survey 2011: 86% expect regulatory change

A new survey was released today from Thomson Reuters and Complinet based on 337 global practitioners within the Financial Services sector.  The survey focused on GRC and how organizations are focused on addressing the risks this year compared to prior years.  While this is principally focused on the Financial aspects of Risk management, Fraud, and legal aspects there are some interesting takeaways.

The first that 71% of the professionals expect a need of greater resources and time to address an expected 83% increase in regulation and regulatory compliance requirements.  The link, requires registration, not my favorite.  It does provide the survey report – a short 4 pages, and the prior years at 6 pages.  Not very deep, but some interesting points – the reports may be garnered from this link.

One aspect that was interesting was how little Internal Audit is brought into these conversations on dealing with the business risk.  It is in direct opposite of what one would consider appropriate – and one I find consistent with the Information Security teams.  The lesson here, engage Internal Audit .. no need to re-invent risk management techniques (btw: I feel the same way of risk management within I.A. when compared against the insurance industry).

For a technical focused report on compliance – check out the latest Ponemon Institute Report here.

See you all at RSA SFO 2011,

James DeLuccia

Visa allows international Merchants to not demonstrate PCI DSS compliance

On February 11, 2011 Visa announced an interesting program that promotes and demonstrates the fraud deterrence strength of the Europay, MasterCard and Visa (EMV) smartcard standard and are also equipped to accept both contact-based and contactless transactions.  Those organizations that have at least 75% of their transactions originating from smartcard-enabled terminals will not have to demonstrate compliance.  This is perhaps a reflection of Visa weighing the risks and benefits of technology from a risk management point of view.  A win for merchants certainly, as this technology is widely adopted in many parts of the world.

As a reminder, all organizations within the Payment Card Industry must be compliant with the data security standard, but the nuance of demonstration / attestation is based on the channel and volume of each individual card.  This program of Visa does not impact the other Card brands, so international Merchants will still need to consider these within their global compliance and security programs.

An interesting writeup on the article is available at Computerworld here.  The press release is here.

The deployment in the U.S. requires both adoption at the Merchant level, and the consumers too.  It would be interesting to compare the costs of the EMV architecture vs. the compliance costs of organizations.  I also wonder if the net benefit of requiring security controls to be meaningfully applied to sensitive data (in this case PCI) does not raise all the “boats” (read: other sensitive data types), as it is more likely that security safeguards are applied broadly.  Is this demonstrated by 28% reduction in identity thefts in 2010?

See you in San Francisco at RSA 2011,

James DeLuccia

RSA Conference Session – Beyond PCI DSS, final thoughts

RSA 2009 is finished; the vendors have packed up; the speakers have shuffled out of the lounge, and what remains is a compendium of excellent thoughts captured in real-time on blogs and Twitter alike.  For Twitter search for #RSA or #RSAC and for blogs, well hit Google or simply start here.  Business wise – the conference had lighter attendance (anecedotaly) and the vendors were on the edge of Cloud | Security | Recession-Antidotes.  Session wise – they were better this year then last year – the Department of Justice presentations on Data Breach investigations and the Hoff on Cloudisms were quite good and worth the travels.

Last year I spoke on the Synergies of Regulations, a core tenet of my book, and this year I pushed deeper with BEYOND PCI DSS.  The session abstract for this year was:

“The payment card industry standard for data security world centers blindly around PCI DSS, but that is not the only duty of companies and persons.  Explore the worst and most often boggled sections of PCI DSS.  Beyond PCI, discuss with peers the labyrinth of existing publications and control guidance / requirements published by government, state, and international authorities that we must address.”

PCI DSS is a very troubling issue based on the attendees to this session.  The session was full with a range of persons from vendors (10% of room) to businesses complying with PCI DSS (70%), and the remainder being made up between a VC and a few indepedents.  A great bonus of RSA is that they make video recordings available online; however, my session was not part of that digital wonder, so I will try to recap a few of the strongest points below:

• “Compliance (PCI) provides a metric to determine security – without the compliant requirements the business of security becomes stale” – Top Industry Manufacturer
• The perception of business / security / governance / auditors is skewed towards PCI DSS (Somali pirates) and the business SLA and other regulations (Great Report Released last week) are being placed in a back seat.  PCI part of the Program towards delivering operational integrity through IT infrastructure, systems, and computing processes.
• Intensely vet the AUDITOR and less the firm. The firm conducting the audit must have Fidelity, but selecting the A-Team is a predominant indicator of having a strong control environment.
• “Convince your QSA” – When going through the audit you shouldn’t be arm wrestling over controls, but these points of “negotiation” should be done through an existing, mature, and accurate Risk Assessment Program.  Caution should be focused here to not materially affect your ethics or that of your company – convice should be a mutually agreed upon state, and not a “do this or we fire you” situation.  Audits are supposed to validate compliance and / or provide a set of lenses highlighting how to enhance operations.

All quotes are in fact quotes from EVP / CIOs who attended session – comments are my own…

Thank you to everyone who attended and for each that did not receive a book during the giveaway, you may find additional copies at Amazon.

Kind regads,

James DeLuccia