Posted on 10-Aug-2020

Looking Back on RSA Conference 2014
Highlights and Insights
Diamond Media Sponsor of RSA Conference 2014
Overview of Content Created by ISMG, including: Pre-Event Promotions, Exclusive ISMG Events, Video Interviews with Industry Leaders, Video Interviews with Leading Vendors, Audio Insights from Leading Vendors, Articles, Blogs, Photos and More from the ISMG Team, and Looking Back on RSA Conference 2014.
From the Editor: See the Many Faces – and Voices – of RSA Conference 2014

This year more than any other, RSA Conference was too big for anyone to truly see all of the event. But we sure tried.

From the Saturday before the event opened until Friday when it closed, ISMG had team members on the ground at San Francisco’s Moscone Center, staffing both a private media suite and an expo floor booth, where we recorded video interviews, conducted private briefings and hosted exclusive events, such as a Meet the Editor cocktail reception and our annual Editorial Advisers luncheon. Our editors appeared on stage in panel presentations, and in addition to recording scores of interviews with prominent vendors and thought-leaders, they wrote articles and blogs about the sessions they attended.

As the sole Diamond Media Sponsor of RSA Conference 2014, we took our job seriously. We created Security Agenda, an exclusive magazine for the event, and we sent our biggest team ever to RSA to ensure that we interviewed and heard from as many attendees and sponsors as possible.

This compilation provides an overview of RSA Conference 2014 coverage, from pre-event promotional materials to excerpts of our exclusive interviews and other unique content elements developed for and about the event.

We can’t take you back to re-live this huge conference. But we sure will try.

Best,
Tom Field
Vice President, Editorial
Information Security Media Group
tfield@ismgcorp.com
Table of Contents

Pre-Event Promotions
RSA Guide for Healthcare Security Pros 6
RSA Guide for Banking Security Pros 8
RSA Guide for Government Security Pros 10
Preview: RSA Conference 2014 12
ISMG at RSA Conference 2014 14
2014 Fraud Prevention: 2 Key Steps 16
Securing the Smart Grid 17
InfoSec Investments: Venture Capital’s View 18
Baking Privacy Into Health IT 19

Exclusive ISMG Events
Exclusive ISMG Events at RSA Conference 2014 22
RSA Conference 2014: ISMG Adviser’s Luncheon 24
RSA Conference 2014: ISMG Behind the Scenes 26

Video Interviews with Industry Leaders
PCI: Retailer Security Failures 30
Michael Daniel Speaks His Mind on Cyberthreats 32
What Next at NIST? 32
Online Identity: The Legal Questions 33
ENISA on Cybersecurity Challenges 33
Retail Breaches: More to Come 34
Navigating the Internet of Things 36
Assessing the EU Threat Landscape 36
FBI on DDoS Response 37
Cybersecurity in India 37
The Evolving Cybersecurity Framework 38
Privacy: What Security Pros Need to Know 40
Patent Disputes: A Legal Update 40
How to Properly Vet Your Cloud Provider 41
Obama Cybersecurity Aide on Global InfoSec 41

Video Interviews with Leading Vendors
Power of Continuous Threat Protection 44
The Privacy Manifesto 46
The Cybersecurity Canon: Must-Reads 46
Identity as the New Perimeter 47
Rating Cybersecurity Success 47
Break the Fraud Lifecycle 48
The 2014 Breach Landscape 48
Why ID Security Must Evolve 49
How to Fight Targeted Attacks 49
Why Target Breach was Preventable 50
Next-Generation Incident Response 50
How Artificial Intelligence Prevents Fraud 51
Avoiding BYOD? 52

Articles, Blogs, Photos and More from the ISMG Team
Breaches: Avoiding ‘Victim’s Fatigue’ 56
Equating Civil Liberties with Privacy 57
DHS Offers Incentive to Adopt Framework 59
Recruiting InfoSec Pros in Tight Market 60

Audio Insights from Leading Vendors
2014 Brings Shift in Cyber-Attacks 64
2014 Fraud Prevention: 2 Key Steps 64
Advanced Threat Defense 64
Automating Data Analysis 64
Baking Privacy Into Health IT 65
CipherCloud Unveils New Platform 65
Cisco Unveils Open Source Initiative 65
Cryptocurrency an Easy Target 65
Cyberthreat Protection Evolves 66
DDoS Attacks Continue to Grow 66
DDoS: More Defenses Needed 66
FIDO: Beyond ‘Simple’ Authentication 66
Fighting Phone Fraud 67
How Fraudsters Take Advantage of Insiders 67
How Mobile Hacks Threaten Enterprise 67
How to Improve Cybercrime Tracking 67
iBoss Offers Behavioral Analysis 68
Improving Encryption Management 68
InfoSec Investments: Venture Capital’s View 68
Insights on Enhancing Authentication 68
Keys to Secure Content Sharing 69
Log Analysis for Breach Prevention 69
Real Threat Intelligence 69
Securing Network Architecture 69
Securing the Smart Grid 70
Security: Going Beyond Compliance 70
Security Professionals: Time to Step Up 70
The API as an Attack Vector 70
The Evolving Threatscape 71
The Impact of Bit9, Carbon Black Merger 71

Looking Back on RSA Conference 2014
CareersInfoSecurity Quick Poll 74
Social Media 75
RSA Day One: Editors’ Insights 76
RSA Day Two: Cybersecurity and Fraud 77
RSA Day Three: Conference Themes 78
© 2014 Information Security Media Group

PRE-EVENT PROMOTIONS

RSA Conference Guide for Healthcare Security Pros
Editor’s Guide to Key Sessions, Speakers at RSA Conference 2014
by Marianne Kolbasuk McGee, Managing Editor, HealthcareInfoSecurity

This year, healthcare information security professionals face a dilemma: whether to attend RSA Conference 2014 in San Francisco or the annual HIMSS conference in Orlando, put on by the Healthcare Information and Management Systems Society.

Usually the two events are held on separate weeks - often back-to-back - but this year they are scheduled concurrently.

It’s possible, of course, to split your week and attend parts of both events. For those healthcare security pros attending RSA Conference 2014 - in whole or in part - there are plenty of meaty topics of appeal.

A review of the RSA Conference 2014 agenda shows several seminars, panels and speakers of particular interest to healthcare-focused attendees. Some of my recommendations:

Mobile Device Security

Because so many major health data breaches involve lost or stolen mobile devices, healthcare security pros might consider taking advantage of a mobile security tutorial being offered by the SANS Institute.

The two-day course, called simply “Mobile Device Security,” takes place Sunday, Feb. 23, and Monday, Feb. 24, from 9 a.m. to 5 p.m. in Moscone West, Room 3008. This offering is designed to teach attendees about the threats mobile devices pose. The hands-on class will offer lectures, labs and real-world insights. Larry Pesce, a SANS certified instructor, is leading the course. He’s now a senior security analyst with InGuardians, but he previously worked in security and disaster recovery in healthcare, performing penetration testing, wireless assessments and hardware hacking.

Medical Device Hacks

If you’ll be attending RSA later in the week, consider the session “Turning Medical Device Hacks into Tools for Defenders,” scheduled
for Thursday, Feb. 27, from 10:40 a.m. to 11:40 a.m. in Moscone West,
Room 3006. The session will be led by consultants Jamie Gamble
and Tim West of Accuvant Inc. They’ll discuss research that compiles
cybersecurity threats and vulnerabilities into guidelines for the security
community for hardening or assessing medical devices. “Our hope is
to help manufacturers, clinicians and practitioners in securing their
environments,” the presenters say.
Breach Response

Another session of interest to healthcare security pros is “Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You,” taking place on Tuesday, Feb. 25, from 2:40 p.m. to 3:40 p.m. in Moscone West, Room 2020. The session will look at the critical dos and don’ts for post-breach communication, including what to say (and what not to say), who to involve, and when and how to inform customers, regulators and the media. Panel participants include Tom Field, vice president of editorial at Information Security Media Group; Alan Brill, senior managing director, Kroll; Michael Bruemmer, vice president of Experian Data Breach Resolution; and Ronald Raether, partner at law firm Faruki Ireland & Cox P.L.L.
Privacy vs. Security
Health data security professionals seeking a better understanding of
privacy issues should consider attending the seminar, “Privacy Intensive
for Security Professionals: Are You Prepared?” that’s slated for Monday
Feb. 24, from 1:30 p.m. to 5:30 p.m. in Moscone West, Room 2002. The
event, hosted by the International Association of Privacy Professionals,
will help attendees understand why privacy is an increasingly bigger
concern and a growing requirement in an information security
professional’s day-to-day job responsibilities.
Leadership Development
Finally, healthcare security leaders might want to check out a session
that could prove helpful to their own career advancement. “Information
Security Leadership Development: Surviving as a Security Leader” is
slated for Monday, Feb. 24, from 8:30 a.m. to 11:30 a.m. in Moscone West,
Room 3018. A panel of security, risk management and privacy experts will
discuss topics ranging from “making regulations and audit work for you”
to “developing cross-functional leadership skills.” Among the panelists:
Doug Graham, senior director, risk management, EMC Corp.; Robert West,
chief security officer, Intelligent ID; and Dennis Devlin, CISO, CPO and
senior vice president of privacy practice, SAVANTURE.
There’s plenty more to experience at RSA Conference 2014, of course - we
haven’t even scratched the surface. I look forward to hearing from you
about all the highlights of the event.
RSA Guide for Banking Security Pros
Editor’s Guide to Key Sessions and Speakers at RSA Conference 2014
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity

Fraud and security are always hot topics in the financial services arena. But this year, some risks - such as data breaches linked to third parties and increasingly insecure authentication practices - will definitely get more attention from security pros.

How financial institutions address those risks will be key, whether it’s through more reliance on data analytics or a better understanding of emerging malware strains and the cybercriminals or adversaries behind the attacks. Fortunately, all of these areas of concern are on the agenda at RSA Conference 2014.

In reviewing this year’s lineup of speakers and sessions, a few highlights stand out. There are far too many sessions for anyone to attend, of course. But here are some presenters who will offer timely insights for those in the financial services industry:

» Daniel Cohen, a phishing expert and head of knowledge delivery and business development at RSA;
» Nick Selby, an encryption expert and CEO of StreetCred Software;
» Adam Sedgewick, senior adviser of information technology for the National Institute of Standards and Technology and a leading contributor to guidelines for securing the financial services critical infrastructure.

As for sessions, here are several that will offer important insights:

Securing Critical Infrastructure

On Feb. 25, 4 p.m. to 5 p.m. in Moscone West, Room 3002, Sean McBride, director of analytics for cyber-intelligence firm Critical Intelligence, will discuss how the United States delivered malware to industrial objectives within Iran during his session, “Effects-based Targeting for Critical Infrastructure.”
Data Analytics
On Feb. 25, 4 p.m. to 5 p.m. in Moscone West, Room 2006, Jay Jacobs,
senior data analyst, and Wade Baker, both of Verizon, will review why
big data is not the only data that organizations should rely on in their
presentation, “From Data to Wisdom: Big Lessons in Small Data.” Their
session will examine the state of security data analysis.
Knowing Thy Enemy
On Feb. 25, 2 p.m. to 2:20 p.m. in Moscone West, Room 3022, and again
on Feb. 28, 11:40 a.m. to 12 p.m. in Moscone North, Room 130, Dmitri
Alperovitch of CrowdStrike will explore why it’s not just the attacks,
but the attackers, that organizations need to understand during his
presentation, “The Art of Attribution: Identifying and Pursuing your
Cyber Adversaries.”
Malware for Defense

On Feb. 26, 9:20 a.m. to 10:20 a.m. in Moscone West, Room 3002, Trustwave’s Ryan Barnett, lead security researcher, and Ziv Mador, director of security research, will walk through how security products can be used against hackers during their session, “An Arms Race: Using Banking Trojan and Exploit Kit Tactics for Defense.”
Taking Down Citadel
And on Feb. 27, 10:40 a.m. to 11:40 a.m. in Moscone West, Room 3002,
presenters Errol Weiss of Citigroup, John Wilson of online security
firm Agari and Richard Boscovich of Microsoft will review the June
2013 takedown of more than 1,500 command-and-control servers for
botnets based on Citadel. During their session, “How Microsoft, FS-ISAC
& Agari Took Down the Citadel Cybercrime Ring,” they will discuss
the coordinated takedown led by Microsoft, the Financial Services
Information Sharing and Analysis Center and Agari.
Executive Editor Tracy Kitten interviews John Whaley of Moka5.
RSA Guide for Government Security Pros
Editor’s Picks of Sessions at RSA Conference 2014
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday

The intersection of government and the private sector is a theme found in a number of sessions at RSA Conference 2014.

Here are my picks for some key sessions government information security practitioners should consider attending. All of the sessions mentioned here will be held in Room 2009 at the Moscone Center West.

Seeking Balance

Two panels address vulnerabilities that could be baked into information technologies furnished by foreign manufacturers. Allan Friedman, co-author of “Cybersecurity and Cyberwar: What Everyone Needs to Know,” and Jon Boyens, senior adviser for information security at the National Institute of Standards and Technology, are among the experts who will explore the impact on policies regarding technology acquisition in the panel “Can Government Cybersecurity Policies Balance Security, Trade and Innovation?” It will be held Tuesday, Feb. 25, at 1:20 p.m.

Later Tuesday, at 2:40 p.m., Debora Plunkett, National Security Agency information assurance director, participates in the panel “Facts vs. Fear: Foreign Technology Risks in Critical Industry Sectors.” Experts will describe the necessary steps to effectively vet technologies to assure they’re safe to employ.

Securing Data Centers

Teri Takai, the Department of Defense chief information officer, joins the former top cybersecurity policymaker at the Department of Homeland Security, Mark Weatherford, in a Wednesday, Feb. 26, 9 a.m. panel: “Securing Our Nation’s Data Centers against Advanced Adversaries.” Hear the panelists assess the standards and best practices being deployed to secure data centers around the world.

Cybersecurity Framework

The federal government was slated to issue on Feb. 13 the cybersecurity framework, a set of voluntary best practices aimed at protecting the information assets of the nation’s critical infrastructure. Adam
Sedgewick, the NIST official who shepherded the framework, will
join other NIST experts and Samara Moore, White House director for
cybersecurity critical infrastructure, in a session called: “An Overview of
the Executive Order Cybersecurity Framework,” at 9:20 a.m. Wednesday,
Feb. 25.
State-Federal Collaboration
Cybersecurity requires a challenging degree of collaboration among
different government offices, particularly when responding to cyber-
incidents. The panel “Government x2: State and Federal Collaboration
on Cybersecurity,” will be held Thursday, Feb. 27, at 9:20 a.m. It will be
moderated by Cheri Caddy of the White House national security team
and include the state of Michigan’s Chief Security Officer, Dan Lohrmann.
DHS Insight

“View from the Inside: DHS Priorities in Cybersecurity,” at noon Thursday, Feb. 27, will feature Suzanne Spaulding, head of Homeland Security’s National Protection and Programs Directorate, and Phyllis Schneck, deputy undersecretary for cybersecurity, addressing the areas where DHS will concentrate its cybersecurity efforts.
Continuous Monitoring

CISOs David Stender of the Internal Revenue Service and Darren Van Booven of the House of Representatives will join moderator and former U.S.-CERT Director Mischel Kwon Friday, Feb. 27, at 9 a.m. for the panel “Leading Cybersecurity: Technically Sexy, Programmatically Dowdy.” They’ll discuss continuous monitoring in the federal government and how it has broadened the security leader’s job.
These are just a sampling of the panels, keynote addresses and other
events at the conference of interest to the government information
security professional. Let me know what you think of the conference.
Executive Editor Eric Chabrow interviews attorneys Francoise Gilbert and Ellen Giblin.
Preview: RSA Conference 2014
New Tracks Include Analytics and Forensics, Security Strategy
by Jeffrey Roman, News Writer, Information Security Media Group

The objective for information security leaders this year is clear - to “share, learn and secure,” which is the theme of the RSA Conference 2014, slated for Feb. 24-28 at San Francisco’s Moscone Center.

This year’s event provides IT professionals and business leaders the opportunity to make connections and capitalize on the ideas, insights and relationships that may shape the future of information security.

For the eighth straight year, Information Security Media Group is a sponsor of the RSA Conference, and it’s the only Diamond Media Sponsor of this world-class event. ISMG is sending its largest team ever to provide ongoing coverage. And it will host a panel session that reviews the dos and don’ts for post-breach communication.

Conference Theme

This year’s theme - “Share. Learn. Secure.” - references the need for collaboration and communication to develop groundbreaking ideas. Over the course of five days, thousands of attendees from all over the world will dive into intensive learning at educational sessions plus take advantage of a large exhibit hall as well as social activities and networking opportunities.

Conference-goers will learn about the latest trends and technologies as well as gain insights into new perspectives on the most critical technical and business issues facing organizations today.
Keynote speakers at this year’s RSA Conference include:

» Scott Charney, corporate vice president, trustworthy computing, Microsoft Corp.;
» Art Coviello, executive chairman, RSA;
» Kevin Mandia, senior vice president and chief operating officer, FireEye; and
» Stephen Colbert, host of “The Colbert Report” and best-selling author.

The full list of keynote speakers is available on the RSA Conference keynotes page.
More than 280 educational sessions will be held across 26 tracks,
covering a wide range of critical themes and topics, including:
application security; cloud security and virtualization; hackers and
threats; mobile security; and technology infrastructure.
Two new tracks this year are analytics and forensics and security
strategy. The security strategy track covers policy, planning and emerging
areas of enterprise security architecture and the management issues
of implementing successful security programs, says Hugh Thompson,
program committee chair for RSA Conference.
Beyond adding new tracks, the RSA Conference has also physically
expanded. It now encompasses not just the north and south buildings
of San Francisco’s Moscone Center, but also the previously unused west
building.
ISMG at RSA Conference
ISMG will provide in-depth coverage of this year’s event, bringing its
largest team ever. ISMG will provide daily updates offering insights from
conference speakers, attendees and participating vendors. In its media
suite, ISMG will offer exclusive presentations covering its latest research.
And for the first time, ISMG will be conducting video interviews at its
exhibit on the show floor.
At this year’s event, ISMG is leading a panel session on: Anatomy of a
Data Breach: What You Say (or Don’t Say) Can Hurt You.
Hosted by Tom Field, ISMG’s vice president of editorial, this panel session
will cover the critical dos and don’ts for post-breach communications.
The panel of breach and legal experts will walk through what to say
(and what not to say), who to involve and when and how to inform
customers, regulators and the media. Participants include Alan Brill,
senior managing director at Kroll; Michael Bruemmer, vice president at
Experian Data Breach Resolution; and Ronald Raether, partner at Faruki
Ireland & Cox. The session will be held 2:40 p.m. Tuesday, Feb. 25, in
Room 2020 of Moscone Center West.
ISMG at RSA Conference 2014
Your Guide to Daily Activities of ISMG During Conference
by Jeffrey Roman, News Writer, Information Security Media Group

Information Security Media Group is geared up to bring you unmatched insights and analysis of all the news and events from RSA Conference 2014.

ISMG will provide in-depth coverage of this year’s event, bringing its largest team ever to San Francisco for the week-long conference. ISMG will provide daily updates offering insights from conference speakers, attendees and participating vendors. In its media suite, ISMG will offer exclusive presentations covering its latest research. And for the first time, ISMG will be conducting video interviews at its exhibit on the show floor.
Here’s your guide to the daily activities of ISMG, the only Diamond
Media Sponsor of RSA Conference 2014.
Locations
ISMG will be at two locations this year. Be sure to stop by during your
time at RSA Conference to meet with the executive team and group of
seasoned information security editors. ISMG will be available at:
» Booth: South Hall #700
» Media Suite: Mezzanine 236
Events

ISMG will be hosting and participating in a number of sessions this year. Events include:

» Monday: Meet the Editors, 4:00 p.m. - 5:00 p.m., East Mezzanine Room 236. This is an opportunity to chat with ISMG editors and executive team members to learn about upcoming events and opportunities for 2014.
» Tuesday: Editorial Advisers Luncheon, 12:00 p.m. - 1:00 p.m., East Mezzanine Room 236. An invitation-only gathering of the movers & shakers who serve on ISMG’s Editorial Advisory Boards.
» Tuesday: Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You, 2:40 p.m. - 3:40 p.m., Moscone Center West, Room 2020. The panel features ISMG’s Tom Field; Alan Brill of Kroll; Michael Bruemmer of Experian; and Ronald Raether of Faruki Ireland & Cox P.L.L., who walk through post-breach communications, detailing what to say (and what not to say), who to involve, and when and how to inform customers, regulators and the media.
» Wednesday: Health Information Security: The 2014 Agenda, 12:30 p.m. - 1:30 p.m., East Mezzanine Room 236. This exclusive briefing and networking reception is for healthcare information security leaders.
» Wednesday: Cyber-Attacks: How to Reduce Your Risks, 4:30 p.m., East Mezzanine Room 236. This is an exclusive briefing and cocktail reception for select information security leaders - reserve your seat now.
» Wednesday: Information Security as a Competitive Advantage, 6:00 p.m., inquire for details. ISMG’s invitation-only dinner for senior security leaders offers the chance to exchange off-the-record insight on the topic of Security as a Competitive Advantage.
» Thursday: Meet the Influencers, 12:30 p.m. - 1:30 p.m., East Mezzanine Room 236. Stop by ISMG’s booth in the South Expo Hall for your chance to meet with the most influential leaders in security.
Complete Coverage
Stay tuned throughout RSA Conference 2014 for ISMG’s exclusive video
interviews with thought leaders such as Gartner’s Avivah Litan, Troy
Leach of the PCI Security Standards Council, White House Cybersecurity
Coordinator Michael Daniel and many more.
You can see ISMG’s latest coverage of RSA Conference 2014 by visiting
www.inforisktoday.com/rsa-conference.
Be sure to also follow ISMG on Twitter. Editors will be tweeting content
throughout the week using the hashtag #RSAISMG14. Be sure to stay
connected and see the latest news and insights that ISMG has to offer
from the conference floor.
2014 Fraud Prevention: 2 Key Steps
Gartner’s Litan Recommends Action Items
INTERVIEW by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity

Two critical steps that banking institutions need to take in 2014 to help prevent fraud are implementing big data analytics and adopting far more sophisticated customer and employee authentication, says Gartner analyst Avivah Litan.

Big data analytics can help banking institutions more quickly detect early signs of fraud, says Litan, a financial fraud expert and distinguished analyst for consultancy Gartner Research. “We have so many more attack vectors than we used to have. But big data analytics allows companies to get their arms around their data much faster than ever before.”

With better data analytics, institutions can get a broader view of what’s going on across all their banking channels, which is important for identifying fraud patterns, Litan says in an interview with Information Security Media Group.

She describes an example of how one institution was able to stop a fraudulent wire transfer. “The guys who were watching the big data analytics systems saw the fraud about to take place,” she says.

But applying analytics for enterprise-wide fraud mitigation is challenging because of banks’ disparate systems that are based on legacy platforms, Litan acknowledges. “As organizations learn to get their arms around data in real time, the systems that they’ve put in place aren’t going to be able to keep up that easily,” she says.

Authentication Getting Stronger

Another important fraud-prevention measure for larger banking institutions this year, Litan says, is implementing advanced forms of authentication, such as continuous behavioral authentication, which involves monitoring customers or employees over time.

“It’s not like you give someone an account and a credential and they’re all set,” Litan says. “You have to continuously watch their behavior; watch everything you can about how they navigate, how they use the endpoints and how they use your institutional accounts.”

But smaller banking institutions need to enhance authentication in less costly ways, such as by using mobile devices to identify users, Litan says. “Your identity is bound to the phone through a credential, like a certificate or even a password, and preferably also a biometric,” she explains.

In a pre-RSA Conference 2014 interview, Litan also discusses:

» The top three threats banks face for 2014, including insider risks, social engineering schemes and data breaches that are out of their control;
» Regulatory guidance and legislation;
» Security challenges banking institutions face because of open architecture.

Watch it online: http://www.inforisktoday.com/interviews/2014-fraud-prevention-2-key-steps-i-2198
Securing the Smart Grid
Gib Sorebo of Leidos Previews RSA Conference 2014 Presentation
INTERVIEW by Information Security Media Group

Distributed generation and plug-in motor vehicles are among the emerging security challenges to the smart grid. In an RSA Conference 2014 preview, Gib Sorebo of Leidos discusses the threats to utilities and consumers.

As the smart grid evolves away from centralized energy generation, we see evolving threats such as market manipulation, cascading failure modes and other impact scenarios, says Sorebo, chief cybersecurity technologist at Leidos, a science and technology solutions vendor.

But as organizations start to address these vulnerabilities, they must be careful not to overlook basic preventive measures such as ensuring accurate data throughout the information chain.

“Even if that [data] isn’t directly controlling something, people may rely on that information for other things,” Sorebo says. “So make sure that information is accurate, or that there’s a sanity check that people are doing - that you’re not completely relying on the machine for everything.”

In an interview about smart grid security, Sorebo discusses:

» Key threats and vulnerabilities;
» Risks to utilities and customers;
» New security recommendations he will discuss at RSA Conference 2014.

Sorebo is a Chief Cybersecurity Technologist for Leidos, where he assists government and private sector organizations in addressing cybersecurity risks and complying with legal and regulatory requirements. He has been working in the information technology industry for more than 20 years in both the public and private sector. In addition to federal and state governments, Sorebo has done security consulting in the financial services, health care and energy sectors. He is currently responsible for coordinating cybersecurity activities in the energy sector company-wide. He has been the co-lead of Leidos’ Smart Grid Security practice, where he established the Smart Grid Security Solutions Center for product security testing and solution development and contributed to a variety of other smart grid security research efforts. He also recently co-authored a book on Smart Grid Security that was published in December 2011.

Watch it online: http://www.inforisktoday.com/interviews/securing-smart-grid-i-2188
InfoSec Investments: Venture Capital’s View
Trident Capital’s Alberto Yépez on the 2014 Security Outlook
INTERVIEW by Tom Field, VP - Editorial, Information Security Media Group

What is the venture capital view of the security trends and technologies that will have the most impact on careers in 2014? Alberto Yépez of Trident Capital weighs in with his insights and predictions.

The year’s top security growth areas can be broken down into four main categories, Yépez says: mobility, cloud, social media and virtualization.

“All four of those [technologies] are becoming more widely adopted by the business because you need them to be better engaged with your customers, better engaged with your suppliers and to be more of a real-time business,” he says. “But with that adoption comes the fact that there’s a lot of ... new threat vectors that haven’t necessarily been completely analyzed or protected.”

Hence, there’s an opportunity for security leaders and pros to add new value to their organizations and their own careers.

In a pre-RSA Conference 2014 interview about security investments, Yépez discusses:

» Market trends that have shaped today’s market;
» Where the security market is growing in 2014;
» Global trends driving security investments and career opportunities.

Yépez is a managing director of Trident Capital and joined the firm in 2008. He is an experienced investor and entrepreneur, actively investing in IT security, enterprise software and mobility. Before joining Trident, he was an entrepreneur with a successful track record in building global businesses. He was founder, chairman and CEO of enCommerce, co-CEO and president of Entrust and chairman and CEO of Thor Technologies. He also held senior management positions at Oracle and Apple.

In addition, Yépez worked as an “entrepreneur in residence” at Warburg Pincus, served as executive chairman of a Bain Capital portfolio company, and was a consultant to the U.S. Department of Defense as part of the DeVenCI Initiative.

Listen online: http://www.inforisktoday.com/interviews/infosec-investments-venture-capitals-view-i-2187
Privacy should be built into the design of all healthcare information technology and related processes, says Michelle Dennedy, who’s writing a book on the concept of “privacy by design.”
“There’s been a great groundwork that’s been laid by the universal
adoption across many, many nations of ‘privacy by design,’ the concept
that you should start with privacy at the beginning of the design cycle
and move out,” says Dennedy, chief privacy officer at Intel Security,
formerly called McAfee.
“We believe that privacy engineering is a discrete discipline or field
of inquiry, and that innovation can be defined in using engineering
principles and processes to build the controls and measures into the
processes, systems, components, and products that enable authorized
processing of personal information,” she says. “I think that it helps the
developers and engineers to understand exactly what needs to be done
when you bake in processes.”
Applying “privacy by design” concepts is particularly critical in
healthcare because of the sensitive nature of patient information,
she notes in an interview with Information Security Media Group.
“Baking in, or engineering in, or planning for [the privacy of] personal
information to be respected in healthcare could not be more important
or germane.
“When you build in the mechanisms from the technology layer such
that information is treated as a design principle, you actually have a
much higher chance of being
able to spread that respect
across a very diverse type of
workforce,” Dennedy says.
If privacy protections are a
more integrated part of the
design of health IT, patients
will benefit by having their
sensitive data more accurately
shared with those who need it,
whether it’s medical specialists
or insurers, she says.
“With personalized medicine ... and more measurement going around
patient outcomes, I think you’re going to start to see the natural
extension of that will be ... the baking in of privacy.”
In March 2012, the Federal Trade Commission issued recommendations
calling for companies to build in consumer privacy protections at every
stage in developing their products.
In the interview, Dennedy also discusses:
» Why engineering students should be required to take
privacy training as part of their studies;
» How “baking in” privacy policies into health IT might help
healthcare organizations in their privacy and security
compliance efforts;
» The current status of the healthcare industry’s efforts to
build privacy policies into their technology.
Baking Privacy Into Health IT
Expert Says Privacy Needs to Be Part of Design
INTERVIEW
by Marianne Kolbasuk McGee, Managing Editor, HealthcareInfoSecurity
Watch it online: http://www.inforisktoday.com/interviews/baking-privacy-into-health-it-i-2183
Exclusive ISMG Events
As the Diamond Media Sponsor of RSA Conference 2014, ISMG was active on the show floor and in its media suite, conducting scores of interviews, briefings and invitation-only events.
Among the events ISMG hosted for attendees, sponsors and public relations executives:
Monday: Meet the Editors: This was an opportunity to chat with ISMG editors and executive team members to learn about upcoming events and opportunities for 2014.
Tuesday: Editorial Advisers Luncheon:
An invitation-only gathering of the movers & shakers who serve on ISMG’s Editorial Advisory Boards.
Tuesday: Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You:
Panel featured ISMG’s Tom Field; Alan Brill of Kroll; Michael Bruemmer of Experian; and Ronald Raether of Faruki Ireland & Cox P.L.L., who walked
through post-breach communications, detailing what to say (and what not to say), who to involve and when and how to inform customers,
regulators and the media.
Wednesday: Health Information Security: The 2014 Agenda:
Sponsored by Mimecast, this exclusive briefing and networking reception was for healthcare information security leaders, offering a sneak peek at
findings from ISMG’s new Healthcare Information Security Survey. Stay tuned for final survey results.
Wednesday: Cyber-Attacks: How to Reduce Your Risks: Sponsored by CA Technologies, this was an exclusive briefing and cocktail reception for select information security leaders. Attendees saw highlights
of ISMG’s new Targeted Attacks Study and Healthcare Information Security Survey, and they participated in an interactive dialogue about how
organizations can identify and reduce risks.
Wednesday: Information Security as a Competitive Advantage: Sponsored by Mimecast, ISMG’s invitation-only dinner for senior security leaders offered the chance to exchange off-the-record insight on the topic of
Security as a Competitive Advantage. Attendees participated in a lively dialogue on the topic and engaged in valuable post-event networking.
Exclusive ISMG Events at RSA Conference 2014
During RSA Conference 2014, Information Security Media Group held an exclusive luncheon for its editorial advisers, a group of industry thought-leaders who help shape the discussion around information security, privacy and risk management.
The event was held in ISMG’s media suite in East Mezzanine 236 of
the Moscone Center in San Francisco. Advisers and the executive team
at ISMG were able to spend time face-to-face, talking about the top
information security trends in 2014.
RSA Conference 2014: ISMG Advisers’ Luncheon
EVENT
Editors and Industry Thought-Leaders Discuss Key Security Topics in 2014
Information Security Media Group, Diamond Media Sponsor at RSA Conference 2014, was busy conducting video interviews with top leaders in information security, risk management and privacy. Here’s a look at the team behind the scenes.
ISMG editors Tom Field, Tracy Kitten and Eric Chabrow met with many
key thought-leaders, including Gartner’s Avivah Litan, White House
Cybersecurity Coordinator Michael Daniel and ENISA’s Udo Helmbrecht.
These photographs show the editorial team preparing for their video
interviews.
RSA Conference 2014: ISMG Behind the Scenes
FEATURE
A Look at the Editorial Team During This Year’s Conference
Video Interviews with Industry Leaders
Troy Leach of the PCI Security Standards Council says data security standards are not failing; they just aren’t being applied continuously. And conformance with the Payment Card Industry Data Security Standard is just one piece of the puzzle.
During this excerpt of a video interview recorded at RSA Conference
2014, Leach discusses:
» The limitations of chip card technology;
» Why PCI data security standards do not cover all
aspects of card-fraud prevention;
» Steps the PCI Council is taking to ensure consumers
and businesses continue to have faith in the
payments system.
PCI: Retailer Security Failures
Council Working to Educate Merchants, Congress on Threats
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity
FEATURED INTERVIEW
TRACY KITTEN: Troy, it comes as no surprise that the Target breach
and the Neiman Marcus breaches have really gotten a lot of industry
attention, and recently you testified before Congress and you addressed
some of these emerging retail security risks as well as criticisms against
the U.S. payment systems. In the wake of some of these breaches PCI of
course has come under scrutiny. Can you talk a little bit about how PCI
perhaps failed when it came to some of these point-of-sale breaches?
TROY LEACH: Yes, I think there are a few things to address, Tracy.
I think the first is that forensic evidence is still coming into focus. So,
we’re still looking for final forensics reports and an understanding of
how all these compromises actually occurred. Now, the most recent
news this week is it appears that they are completely separate types of
attacks.
The second point is to understand the PCI security standards are a
framework, and just like any other framework, they have to be applied
in daily practice. That is why within our standards we talk about
daily exercises, weekly exercises, so that it’s not a once-a-year mad
scramble to get a checkbox approach to an audit, but rather you’re
incorporating security into your daily practices. I relate it to the fire
security codes. We set the codes, but if you’re not putting the smoke
detectors in the right place, if you’re not changing the batteries on a
regular basis, if you’re taking on some activities that are a little more
dangerous like juggling fire torches next to flammable drapes, you’re
probably going to have different issues than what the standards can
help you with.
KITTEN: Why would you say that the payment card data security
standards are so difficult to maintain compliance with?
LEACH: I think it’s just like any other type of activity. When you know
it’s the right thing to do, sometimes it’s hard to follow [through]. I
know what foods to eat and that I should be exercising, [but] it’s very
difficult to do that on a regular basis. So, I think what we’ve encouraged
merchants to do is first, remove account data, reevaluate the business
process, and then find ways that you can minimize that data in your
networks by encryption, tokenization, other mechanisms, so that you’re
not trying to manage 100 systems. Maybe you can only manage two or
three systems and simplify that process.
KITTEN: From your perspective, Troy, what would it take for the
payments infrastructure to obtain full end-to-end encryption?
LEACH: Gosh, that is a very good question. I’m not sure if that’s going
to be something we’re going to see very soon. I think what we’ve
recognized is there are other ways that we can probably protect
consumers, and that includes not only protecting the card holder
information that we have, but maybe we change the problem. Maybe
we manage the problem differently by taking what we’ve heard from
announcements around tokenization and having card information that
is a surrogate value that doesn’t have any reusable value for criminals,
and maybe having that as a way forward for the industry. So, maybe it’s
turning the question on its head and evaluating whether or not there
are other values that we can create beside the typical 15-, 16-digit credit
card number.
“The PCI security standards are a framework, and just like any other framework, they have to be applied in daily practice.”
- Troy Leach, PCI Security Standards Council
Watch it online: http://www.inforisktoday.com/pci-retailer-security-failures-a-6552
White House Cybersecurity Coordinator Michael Daniel assesses the
cyberthreat environment facing the nation and explains what the
federal government is doing about it.
In a wide-ranging interview with Information Security Media Group at
RSA Conference 2014, Daniel addresses:
» Balancing privacy and civil liberties with IT security;
» Prospects for a national data breach notification law; and
» Improving cyberthreat information sharing between the
government and private sector.
Daniel came out of near obscurity - he was serving as intelligence
branch chief in the White House Office of Management and Budget
- when President Obama tapped him in May 2012 to succeed Howard
Schmidt as special assistant to the president and cybersecurity
coordinator.
NIST information risk guru Ron Ross previews forthcoming guidance
from the National Institute of Standards and Technology aimed at
helping organizations architect their IT infrastructures to be secure
from the get-go.
In a video interview from RSA Conference 2014 with Information
Security Media Group, Ross also discusses:
» How forthcoming engineering guidance from NIST will help build
IT systems’ trustworthiness; and
» Beta testing new controls online so stakeholders don’t have to
wait two years between revisions of Special Publication 800-53,
NIST’s controls guidance.
A NIST fellow, Ross leads the institute’s FISMA Implementation
Project, which includes the development of key security standards
and guidelines for the federal government and critical information
infrastructure. Ross also heads the Joint Task Force Transformation
Initiative Interagency Working Group with representatives from NIST,
the federal intelligence community, the departments of Defense and
Commerce, the Office of the Director of National Intelligence and the
Committee on National Security Systems.
Michael Daniel Speaks His Mind on Cyberthreats
White House Cybersecurity Coordinator in an Exclusive Interview
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
Watch it online: http://www.inforisktoday.com/michael-daniel-speaks-his-mind-on-cyberthreats-a-6563
What Next at NIST?
Ron Ross Previews New Guidance from NIST
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
Watch it online: http://www.inforisktoday.com/what-next-at-nist-a-6564
The more organizations structure business and processes around online
identities, the more they navigate in tricky legal waters, says attorney
Tom Smedinghoff, who offers guidance.
The legal rules that govern online identity systems are complex, touch
numerous parties and come fraught with potential legal challenges.
In a video interview recorded at RSA Conference 2014, Smedinghoff:
» Lays out the key legal issues;
» Tells how organizations are approaching these challenges;
» Offers valuable tips for assessing vulnerabilities.
Smedinghoff is a partner in the Privacy & Data Protection practice
group in the Chicago office of Edwards Wildman Palmer LLP. His practice
focuses on the developing field of information law and electronic
business activities, with an emphasis on electronic transactions,
identity management, data security, privacy, and corporate information
governance issues. He currently serves as Chair of the Identity
Management Legal Task Force of the American Bar Association (ABA)
Section of Business Law, and Co-Chair of its Cybersecurity Committee.
With a decade under its belt, ENISA enters 2014 with a mission to
improve cybersecurity across Europe by collaborating with companion
agencies around the world, says Executive Director Udo Helmbrecht.
Cloud computing and the evolving global threatscape are huge
challenges for EU nations, but the region’s cybersecurity agency is
pursuing new strategies, including a coordinated cyber drill with the
U.S. later this year.
In an interview recorded at RSA Conference 2014, Helmbrecht discusses:
» ENISA’s major accomplishment in Europe;
» Security challenges for the year ahead;
» Strategies for growing the profession.
Helmbrecht has been the Executive Director of ENISA since October
2009. Prior to this, he was the President of the German Federal Office for
Information Security, BSI, for six years, between 2003 and 2009. Helmbrecht
was nominated by ENISA’s Management Board, from a list of candidates
proposed by the European Commission, after a presentation of his
vision. He was appointed after making a statement to the European
Parliament and replying to MEPs’ questions.
Online Identity: The Legal Questions
Attorney Tom Smedinghoff on How to Assess Your Unique Risks
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/online-identity-legal-questions-a-6565
ENISA on Cybersecurity Challenges
Udo Helmbrecht on Agency’s Agenda for 2014
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/enisa-on-cybersecurity-challenges-a-6571
The Target breach was the hot topic for many RSA Conference 2014 attendees, but Gartner’s Avivah Litan was already talking about the next Target - a UK retailer that may have suffered a similar hack, exposing payment card data.
Details were only just emerging, but they confirmed what Litan and
other observers have said: Retail breaches are the fraud du jour, and
similar stories will be breaking in the weeks ahead.
In an excerpt of a video interview recorded at RSA Conference 2014,
Litan discusses:
» How the fraudsters are upping their game;
» Gaps between the attackers and defenders;
» Fraud trends that are most likely to unfold over 2014.
TOM FIELD: What’s the news you can tell me about today?
AVIVAH LITAN: Well, the retail breaches are alive and well. There are
many of them going on, but especially one stands to the forefront of the
news, which is a major $7 billion retailer reportedly based in Mainland
Retail Breaches: More to Come
Gartner’s Avivah Litan on 2014 Financial Fraud Trends
by Tom Field, VP - Editorial, Information Security Media Group
FEATURED INTERVIEW
Europe. Sells a lot of jewelry, and it seems like it’s the same gang that
hit Target. I don’t have the name of the retailer, but I heard it from
some reputable sources, including banks. So it’s just not ending.
FIELD: So, it’s just as predicted. When we saw Target, we saw Neiman
Marcus; several significant retailers have been breached, and we’ve
heard we’d see more.
LITAN: Right. Well, it’s starting to gel more that there are a couple of
things going on. One is this Russian gang that wrote the Target attack
that appears to be behind this other big attack, and then there are the
Black POS more generic threats that are happening, and there are many
retailers that are getting attacked through that.
FIELD: Avivah, based on what you see and hear so far this year, how is
the threat landscape evolving?
LITAN: Well, in the malware space, we’re starting to see managed
services. So, the criminals are taking their kits, like the Zeus we know
about, the SpyEye, and now they’re creating the managed service of it.
And there are a couple of reasons for that. Number one, they get paid
a subscription fee, so they don’t mind doing the maintenance. When it
was a one-time sale and the people that bought it would have to go
to the authors and say ‘There’s a bug in it,’ they got really annoyed at
having to debug it and fix it. But now there’s like a subscription fee,
so they’re much more attuned and open to fixing and maintaining the
software.
The other significance is they are now more removed from law
enforcement because it’s a little bit like Netflix. They are the Netflix
authors, and then they sell it to the customers, and now the customers
are the ones that are launching these attacks. The customers are now
on the frontline with law enforcement, so it removes [the authors]
from getting caught, and they get their subscription fee. And we’re also
seeing the evolution, like this Russian gang that went against Target,
where we’re calling them closed, non-managed malware services. So
it’s just the criminals themselves are running the malware, writing the
malware, cashing it out, and it’s not out there in the wild for other
criminals to use. So I think that’s how we’re going to see the banking
malware evolve: managed services and then closed attacks. And these
retail attacks are very much affecting the banks. You know, they’re
obviously having a lot of issues with their fraud detection systems. So
that’s the main thing I see hitting financial services.
FIELD: How do you see the solutions evolving?
LITAN: I think it’s just a little bit more of the same, but more emphasis
on big data analytics and crunching all this information and trying to
get rid of all the noise in the system to highlight the alerts. And there
is a lot of promise in big data analytics, I’m just not quite sure it’s really
going to find this needle in the haystack.
Another trend is, okay, we didn’t do such a good job at prevention. The
attack got in, we didn’t do a good job at detection while the attack is
running, so let’s do a great job of as soon as we know it’s there, we’re
finding out that it’s there really quickly and remediating really quickly.
So there’s a big emphasis on time to detect and remediation, as opposed
to prevention because a lot of the prevention is failing.
And the other issue is a lot of these attacks are sitting in the
organization for a year or a few months, and people don’t know about
them. So, the vendors are starting to emphasize: ‘We may not prevent
it, but we’ll detect it immediately, and we’ll help you get rid of it.’ And
there’s also a big emphasis on logging, like keeping all the information
so you can do the right forensics. Forensic investigations are becoming
something very important.
“In the malware space, we’re starting to see managed services.” – Avivah Litan, Gartner
Watch it online: http://www.inforisktoday.com/retail-breaches-more-to-come-a-6555
Just filling available security positions with the right skills is a huge
challenge, says Robert Stroud, incoming ISACA president. This is one of
his key challenges as he takes the reins at ISACA later this year.
In an interview recorded at RSA Conference 2014, Stroud discusses:
» His immediate plans as president;
» The daunting challenge posed by the Internet of things;
» Strategies for growing the security profession.
Stroud is a member of ISACA’s Professional Influence and Advocacy
Committee. ISACA is an independent, nonprofit, global association that
engages in the development, adoption and use of globally accepted,
industry-leading knowledge and practices for information systems. A
past international vice president of ISACA, he serves on its framework
committee. Stroud also is a governance evangelist as well as vice
president of strategy, innovation and service management at CA
Technologies.
The threats, attacks and crimes don’t differ greatly around the world.
What does differ is how each region responds. Freddy Dezeure of CERT-
EU is working to ensure that Europe is ready to respond appropriately.
The organization is only three years old, but in that time it has worked
aggressively to form new alliances throughout the European nations,
Dezeure says. And he also works with other CERT organizations around
the world to improve information-sharing and defenses.
In a video interview recorded at RSA Conference 2014, Dezeure discusses:
» The CERT-EU mission and accomplishments;
» The European threat landscape;
» Top cybersecurity priorities for 2014.
Dezeure graduated as a Master of Science in Engineering in 1982. He
was CIO of a private company from 1982 until 1987. Since joining the
European Commission in 1987, he has held a variety of management
functions in administrative, financial and operational areas, in
particular in information technology. He set up the CERT for the EU
institutions, agencies and bodies in 2011 and has been Head of CERT-EU
since then.
Navigating the Internet of Things
ISACA’s Rob Stroud on Key Challenges of 2014
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/navigating-internet-things-a-6572
Assessing the EU Threat Landscape
Freddy Dezeure of CERT-EU on Responding to Targeted Attacks
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/assessing-eu-threat-landscape-a-6551
Cybercrime. Privacy. The power of big data and mobility. These
issues are as challenging to India as they are to any global region.
Vinayak Godse of DSCI discusses his organization’s role in improving
cybersecurity.
Yet, while the challenges are similar, India’s landscape is unique in terms
of regulations and even the varying digital needs of its populace.
In a video interview recorded at RSA Conference 2014, Godse discusses:
» The DSCI mission;
» India’s unique cyber challenges;
» Specific initiatives for the banking and IT sectors.
Godse has a total of 16 years of experience in information security and IT. He
is Director of Data Protection with the Data Security Council of India. He
is managing a program for defining data security and privacy practices,
on the basis of which a self-regulation mechanism will be established.
Distributed denial of service attacks remain a significant security threat
to organizations in all sectors - particularly financial services. And the
Federal Bureau of Investigation’s Cyber Division is aggressively working
with private sector security leaders to investigate these crimes and
mitigate the effects.
But there remain challenges to creating successful public/private
partnerships and enabling the right level of information exchange about
cyber crimes.
In a video interview recorded at RSA Conference 2014, Malcolm Palmore
of the FBI’s San Francisco office discusses:
» The FBI’s role in DDoS investigations;
» Results of public/private partnerships;
» Lessons learned that are applied to other cybercrime
investigations.
Palmore serves as the assistant special agent in charge of the San
Francisco Division’s Cyber Branch.
Cybersecurity in India
Vinayak Godse of the DSCI on 2014’s Key Priorities
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/cybersecurity-in-india-a-6586
FBI on DDoS Response
Malcolm Palmore on Value of Public/Private Partnerships
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/fbi-on-ddos-response-a-6540
The cybersecurity framework, the package of best IT security practices issued in mid-February, isn’t set in stone, but will evolve in the coming weeks, months and years, says the framework’s point man, Adam Sedgewick.
In a video interview recorded at RSA Conference 2014, Sedgewick:
» Explains the key elements of the cybersecurity
framework, which is designed to help critical
infrastructure operators safeguard their information
assets;
» Addresses critics who say the framework is too
simple to be effective and fails to address the costs to
implement it; and
» Discusses how the cybersecurity framework will
evolve from version 1 that was issued in mid-February.
The Evolving Cybersecurity Framework
Adam Sedgewick: An Early Assessment on the Framework
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
FEATURED INTERVIEW
ERIC CHABROW: Take a few moments to tell people who may not
know what the framework is.
ADAM SEDGEWICK: Sure. The framework was developed in response
to Executive Order 13636 improving critical infrastructure cybersecurity.
What it really does is it looks across critical infrastructure; it looks
across industry and identifies best practices and standards that
organizations use to help manage cybersecurity risk. The administration
and the President realized there was a real vulnerability there, and it
was a real challenge for organizations, so they tasked us to develop this
open process to serve as a convener and to work with industry to really
develop an understanding of what those best practices and standards
are, and make it easier for organizations to help manage this challenge.
CHABROW: The framework was issued a few weeks ago. What kind of
feedback have you received?
SEDGEWICK: Generally, the feedback has been pretty positive. Since we
worked with these stakeholders throughout, they had a pretty good
understanding of what it was going to look like. So, while this is the
final version, we’ve been sharing with them drafts throughout, and it’s
all based on conversations that we’ve had with the people that intend
to use it. We’ve been pleased to see in conversations here at RSA that a
lot of organizations are thinking about how to use the framework, and
a lot of the technology providers are thinking about how do their tools
and how do their capabilities help organizations manage cyber risk in
the context of the framework to make it easier for people to understand
and use.
CHABROW: There have been some criticisms of the framework. One is
it’s too simple, it’s costly, and also it’s voluntary. Why don’t you address
those issues and why you feel those critics may be wrong?
SEDGEWICK: I think the cost issue is an interesting one because what
we did with the framework was to really focus on the particular
outcomes. When we talked to our stakeholders, they said ‘Let’s think
about what the potential expectations are and then allow us to develop
the best ways to meet those.’ Because the framework is voluntary,
because it is flexible, we realize that it would only be useful if it
was truly cost-effective and really helped organizations manage this
problem. So, we think that by focusing on the outcomes it helps us to
get there, and a key tenet of risk management is to understand what is
truly cost-effective. We think in a number of ways organizations will use
it and see themselves in the framework and understand how to improve
in a way that is cost-effective and makes sense for their business needs.
In terms of the simplicity, I mean that was an interesting thing we
heard early on. Folks said that there are a lot of technical standards out
there that make sense to the technical people, but often … it is difficult
to translate those needs within their organization and to their business
leadership. So the approach we took, and this was something that if you
talked to the stakeholders they will talk about their contributions and
how challenging it was, was to make sure that these concepts were put
in a way that could be easy to understand.
I’d also say in terms of it not being regulatory, but voluntary, we believe
at NIST very strongly that voluntary does not equal weak, and we’ve
seen throughout many different areas that these voluntary programs
and standards can be very strong and develop really effective solutions.
One of the key strengths is it allows for flexibility, it allows for growth,
and it allows for organizations that have global business to do these
practices that can help them comply and conform with requirements
across the world.
“We believe at NIST very strongly that voluntary does not equal weak.” – Adam Sedgewick, NIST
Watch it online: http://www.inforisktoday.com/evolving-cybersecurity-framework-a-6553
The privacy profession is evolving rapidly, and security leaders
increasingly need to understand the unique demands and
responsibilities that come with protecting privacy. But where do they
gain this insight?
This is a question that must be addressed within all organizations, say
Malcolm Harkins, chief security and privacy officer at Intel, and Trevor
Hughes, CEO of the International Association of Privacy Professionals.
In a video interview recorded at RSA Conference 2014, Harkins and
Hughes discuss:
» How privacy has evolved in the past year;
» Essential privacy knowledge for security pros;
» Tips for bridging the security/privacy gap.
Harkins is vice president and Chief Security and Privacy Officer (CSPO)
at Intel Corporation.
Hughes is an attorney specializing in e-commerce, privacy and
technology law.
Privacy: What Security Pros Need to Know
Malcolm Harkins, Trevor Hughes on 2014 Privacy Agenda
Lawsuits claiming infringements on information security technology
patents could become more common as the value of the technology
increases in light of the need to prevent breaches, says attorney James
Denaro, who leads the intellectual property practice at the CipherLaw
Group.
But the patent law expert does not expect Congress to make major
changes in federal laws in an effort to crack down on so-called “patent
trolls.”
In a video interview recorded at the RSA Conference 2014, Denaro:
» Defines the term “patent trolls” and sizes up the current legal
landscape in the patent arena;
» Provides an update on potential Congressional action;
» Offers advice on action to take in light of the risk of lawsuits.
Denaro is a registered patent attorney who advises clients on offensive
and defensive applications of intellectual property.
Patent Disputes: A Legal UpdateAttorney James Denaro Warns of More Lawsuits
by Tom Field, VP - Editorial, Information Security Media Group
by Howard Anderson, News Editor, Information Security Media Group
Watch it online: http://www.inforisktoday.com/privacy-what-security-
pros-need-to-know-a-6541
Watch it online: http://www.inforisktoday.com/patent-disputes-legal-
update-a-6550
Too often enterprises fail to adequately vet their cloud service providers,
which can create security vulnerabilities, according to IT security
lawyers Francoise Gilbert and Ellen Giblin.
When Gilbert asked executives at one cloud service provider what type
of security plan it offered, they responded: “’Oh, that’s not a problem;
we are putting all the data in the cloud, someone else’s cloud,’” she says
in a video interview with Information Security Media Group at the 2014
RSA Conference. “And they were totally clueless.”
Giblin says this is especially true of start-up providers. “It’s a culture
issue as well,” she says. “The start-up environment becomes its own
culture. ... They hear, ‘Oh, you don’t have to do all that. You can just put
it in the cloud. So, that becomes like a mantra.”
In the interview, Gilbert and Giblin:
» Advise enterprises to conduct a risk assessment as part of
contracting cloud services;
» Explain why enterprises often fail to assess properly their service
providers; and
» Outline steps to take to properly vet providers through vendor
management.
How to Properly Vet Your Cloud Provider
Attorneys Francoise Gilbert, Ellen Giblin on Vendor Management
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
Watch it online: www.inforisktoday.com/how-to-properly-vet-your-cloud-provider-a-6545
White House Cybersecurity Coordinator Michael Daniel says the
toughest international cybersecurity challenge facing the Obama
administration is getting cooperation in coordinating responses to
online crime.
“There are a lot of times when you really would like to be able to take
collective action in cyberspace, to deal with a transnational criminal
organization or to deal with a botnet,” Daniel says in a video interview
with Information Security Media Group. “And that’s very difficult to
coordinate across different jurisdictions. Every government organizes
its cybersecurity a little bit differently and sort of making that latch-up
happen in a way to move at net speed is very, very difficult.”
In an interview on the international facets of cybersecurity recorded
during the RSA Conference 2014 in San Francisco, the special assistant to
the president also discusses:
» Challenges in dealing with the Chinese on IT security;
» Establishing international norms of behavior in cyberspace; and
» How the National Security Agency disclosure on secretly
collecting data of individuals not suspected of wrongdoing and
of government leaders has caused a distraction and created
a challenge for the United States in discussion with allies on
resolving cybersecurity matters (see Obama Hints of Changes in
Surveillance Program).
Obama Cybersecurity Aide on Global InfoSec
Coordinating Response to International Cybercrime a Challenge
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
Video Interviews with Leading Vendors
The old security model is broken, and now is the time to introduce a whole new approach to threat detection and response. This is the message from Dave DeWalt and Kevin Mandia of FireEye.
The threat landscape has changed significantly in the past year, creating
the demand for new security strategies. And with the acquisition of
Mandiant, FireEye also has changed significantly and now provides
security strategies and solutions from first alert to remediation.
In this excerpt of an exclusive video interview recorded at RSA
Conference 2014, DeWalt and Mandia discuss:
» Why the current security model no longer works;
» Today’s evolving threats;
» The most compelling benefits of the FireEye/Mandiant
acquisition.
Power of Continuous Threat Protection
Dave DeWalt and Kevin Mandia of FireEye on the New Security Model
by Tom Field, VP - Editorial, Information Security Media Group
VENDOR INTERVIEW
TOM FIELD: What is the new security model?
DAVE DEWALT: Well, it goes back to what’s the problem, and then
what’s the model. The problem is the adversaries are very aggressive,
they’re well-funded, it takes a long time to discover the threats that
are in people’s networks. So what are we trying to do as a combined
company? Be the best at detection. So, the first thing out is can we build
a better security model than what’s out there today with traditional
antivirus that can block and detect both known threats as well as
unknown threats?
But job two - and why the companies really fit well together - is not
only do you have to detect, you have to respond. You have to remediate.
You have to fix the problems that are in the network. So the faster you
are at detecting and the faster you are at responding, that’s really the
new security model, alert to fix in minutes.
FIELD: Everyone’s talking about the FireEye-Mandiant acquisition. What
do you find to be the most compelling benefit of this merger?
KEVIN MANDIA: For me, it is that detection capability. At Mandiant, we
are really good at answering the question ‘what happened and what to
do about it?’ after a breach. And for the longest time, the early warning
system that kind of got us involved in those breaches was a government
entity saying, ‘Hey, you’ve been compromised, your intellectual property
has been stolen, and here’s some information about that.’ Over time,
we started witnessing FireEye as the early warning system and the
detection capability that they had, that dynamic inspection of every file
rather than the signature-based stuff, was so much more effective. We
realized if we want to respond to every breach that matters and really
be on the front lines responding to every attack that matters, we need
to align with FireEye because they’re detecting the threats that are
mattering to them.
DEWALT: What I’d maybe add on, too, Tom, is, there’s no silver bullet
here with trying to stop these attacks. But a combination of people and
product is really the platform that you have to put in place. And with
Kevin, with all his personal experience as well as the service business
that Mandiant has built responding to incidents over the years, we
have a great combination of being able to respond with people, but
also automating that response and then detecting. The people-product
combination is really the fit that we have here together: Put the best
product, put the best people on the ground, and you have a nice
company and a good benefit.
FIELD: So Dave, even before the Mandiant acquisition, FireEye was
enjoying explosive growth. Why was it so important for FireEye to be
able to provide security from first alert through remediation?
DEWALT: It was almost probably the biggest ask that we had at FireEye:
“It’s great, you’re seeing all these alerts. This detection, it’s kind of
nice. But suddenly we’re seeing thousands of hosts that are infected.
What do we do about this? It’s very costly to respond to these threats
that we’re seeing.” And there was a bit of an illumination that was
occurring with FireEye. It was like, wow, look at all these problems,
but help me fix it. And sort of that’s where Mandiant has come in; they
automate the fix. And if you can make that fixing process cost less and
have less exposure, you’ve really created a real benefit for companies,
and that’s why it’s together.
“What are we trying to do as a combined company? Be the best at detection.” – Dave DeWalt, FireEye
Watch it online: http://www.inforisktoday.com/power-continuous-threat-protection-a-6546
The Privacy Engineer’s Manifesto is the title of Michelle Dennedy’s new
book, and it promises to help professionals get “from policy to code to
QA to value.”
In a video interview recorded at RSA Conference 2014, Dennedy
discusses:
» The mission and audience of her book;
» The state of privacy in 2014;
» How to grow the profession.
As chief privacy officer at Intel Security, Dennedy is responsible for
privacy policies, procedures and governance efforts. Previously, Dennedy
founded The iDennedy Project, a consulting and advisory company
specializing in privacy and security. Dennedy was also previously vice
president for security and privacy solutions at Oracle. She is a co-author
of a soon-to-be-published book: The Privacy Engineer’s Manifesto:
Getting from Policy to Code to QA to Value.
The Privacy Manifesto
Intel Security’s Michelle Dennedy on the State of Privacy
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/privacy-manifesto-a-6570
Rick Howard, CSO of Palo Alto Networks, has a new idea for security
pros: the cybersecurity canon of books every cyber pro must read at
least once in their careers. Which titles make the list?
In fact, it’s not just a book list. Howard also has a list of best cyber-hack
movies ever, and he has new ideas for growing the security profession.
In a video interview recorded at RSA Conference 2014, Howard discusses:
» Titles in the cyber canon;
» His choice for top hacker film;
» How to focus on turning around the current staffing crisis.
Howard is the Palo Alto Networks Chief Security Officer. Prior to
joining Palo Alto Networks, Howard was the TASC Chief Information
Security Officer, where he managed the security of both the classified
and unclassified TASC networks. Howard also led the Verisign iDefense
Cyber Security Intelligence business as the GM and Intelligence Director
in charge of a multinational network of security experts who delivered
cybersecurity intelligence products to Fortune 500 companies. He also
led the intelligence-gathering activities at Counterpane Internet Security
and ran Counterpane’s global network of Security Operations Centers.
The Cybersecurity Canon: Must-Reads
Rick Howard of Palo Alto Networks on Essential Security Education
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/cybersecurity-canon-must-reads-a-6561
Identity is the new perimeter, and that concept stretches organizations
into lots of new directions when managing access and privileges -
especially in the mobile age, says John Hawley of CA Technologies.
Mobility offers great promise to individuals and organizations alike. But
it also creates new identity and access management headaches that
must be addressed.
In a video interview recorded at RSA Conference 2014, Hawley discusses:
» The notion of identity as the new perimeter;
» The impact of mobility on IAM;
» New announcements from CA re: IAM and mobile.
As Vice President of Strategy for Security Solutions, CA Technologies,
Hawley coordinates the definition of the CA Security vision and
evaluation of new portfolio growth opportunities. He has been working
in the security space for 15 years and is a frequent conference speaker,
focusing on how enterprises embrace new trends to secure the business
but also align security to the discussion in the boardroom.
Identity as the New Perimeter
IAM Insight from John Hawley of CA Technologies
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/identity-as-new-perimeter-a-6560
Imagine if an organization received a cybersecurity rating - just like an
individual receives an objective credit report. This is the new model
promoted by Stephen Boyer and his company, BitSight.
The industry is primed for such ratings, and they can become competitive
differentiators for organizations.
In a video interview recorded at RSA Conference 2014, Boyer discusses:
» BitSight’s unique rating system;
» Why there is a need for cyber ratings;
» Whether cybersecurity should be federally regulated, like air
traffic.
Boyer is the CTO, co-founder, and board member of BitSight
Technologies. Previously, he has worked at Saperix, Lincoln Lab, and
Caldera.
Rating Cybersecurity Success
Stephen Boyer of BitSight on His New Model for Grading Security
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/rating-cybersecurity-success-a-6585
Fraudsters continually find new ways to attack, but too many
organizations rely on old, unsuccessful methods to detect and prevent
fraud. That is the premise of David Mattos, VP of Sales at Easy
Solutions.
It’s time to break the traditional fraud lifecycle and explore new
strategies for fighting these ever-evolving crimes, Mattos says.
In a video interview recorded at RSA Conference 2014, Mattos discusses:
» Why current anti-fraud strategies are ineffective;
» The potential pitfalls of regulatory compliance;
» How to break the fraud lifecycle.
Mattos brings more than 20 years of senior sales technology leadership
to Easy Solutions, along with a deep understanding of how to drive
incremental revenue through direct sales, the channel, and strategic
alliances. As Vice President of Sales for the US and Canada, he is
responsible for the effectiveness of the company’s direct sales force,
finding and securing new channel and partnership opportunities, and
defining sales strategies that fuel growth and new opportunities for
Easy Solutions’ portfolio of advanced fraud prevention solutions.
Break the Fraud Lifecycle
David Mattos of Easy Solutions on Strategies to Fight Fraud
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/break-fraud-lifecycle-a-6554
Verizon’s annual data breach investigations report will be released in
the coming weeks, offering perspective on 10 years of breach analysis,
says Wade Baker, one of the report’s key authors.
This year’s report is bigger than ever and reflects the analysis of 50
different contributors, says Baker, Managing Principal, Research and
Intelligence, at Verizon.
In a video interview recorded at RSA Conference 2014, Baker discusses:
» The current breach landscape;
» The data breach evolution;
» A preview of the Verizon breach investigations report.
Baker is the Managing Principal of Risk Intelligence for Verizon. In this
role, he oversees the collection, analysis, and delivery of data relevant
to measuring and managing information risk. Intelligence from these
activities is used to create and improve products, inform personnel
and clients, and share credible research with the security community.
Baker is the creator and primary analyst for Verizon’s Data Breach
Investigations Report series.
The 2014 Breach Landscape
Verizon’s Wade Baker on the Making of the Verizon Breach Report
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/2014-breach-landscape-a-6556
In the face of evolving threats and actors, traditional ID security
strategies have been proven inadequate, says Entrust’s Dave Rockvam.
It’s time for a security evolution.
But to raise the bar on ID security, organizations first must assess
their current gaps and gain a better understanding of where attackers
are seeing success, says Rockvam, VP of product management and
marketing communications at Entrust.
In a video interview recorded at RSA Conference 2014, Rockvam
discusses:
» Why current ID security strategies are inadequate;
» Threat trends that are changing the landscape;
» How organizations can address their ID security gaps.
Under Rockvam, Entrust Certificate Services has seen a rapid expansion,
more than doubling since the company went private in 2009. This
growth has helped Entrust shift from a mainly perpetual software
company to a cloud software-as-a-service company, deriving roughly
60 percent of product revenue from cloud, software-as-a-service or
subscription-based offerings.
Why ID Security Must Evolve
Entrust’s David Rockvam on How to Mitigate ID Security Risks
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/id-security-must-evolve-a-6558
Proofpoint and ISMG have just completed a new Targeted Attacks
survey. What are some of the key findings? Kevin Epstein shares insight
on detecting advanced threats and warding off attacks.
Phishing, Trojans and malvertising are the most common forms of
attack. And despite significant security investments, organizations
continue to be breached because of mistakes made by employees and
partners, says Epstein, VP Advanced Security & Governance, Proofpoint.
In a video interview recorded at RSA Conference 2014, Epstein discusses:
» Results of the new Targeted Attacks Study;
» How to address the human factor;
» Effective security solutions to ward off advanced threats.
Epstein directs Proofpoint’s global product marketing initiatives. He is
also a lecturer at Stanford University and author of the popular trade
book, Marketing Made Easy (Entrepreneur Magazine Press).
How to Fight Targeted Attacks
Proofpoint’s Kevin Epstein on How to Protect the Targets
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/how-to-fight-targeted-attacks-a-6559
The Target retail POS breach is the most talked-about incident in
recent memory - and it was entirely preventable with available security
solutions, says Adam Tegg, CEO of Wontok Solutions.
Malware attacks against merchants are on the rise, Tegg says, and to
mitigate risks organizations must prioritize their deployment of updated
technology platforms and effective security strategies.
In a video interview recorded on the expo floor of RSA Conference 2014,
Tegg discusses:
» Why the Target breach was preventable;
» Malware trends to watch;
» How to prepare for the pending Windows XP support expiration.
Tegg brings a wealth of experience in delivering growth and
development strategies for innovative companies to Wontok, where he
leads the company’s overall strategy and direction. He played an integral
role in Wontok’s acquisition of SafeCentral in 2011, and has transformed
Wontok into a channel centric global cloud and endpoint security
solutions company.
Why Target Breach Was Preventable
Adam Tegg of Wontok Solutions on Fighting Malware
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/target-breach-was-preventable-a-6543
Recent breaches tell the story: Organizations are not entirely prepared
to respond to such incidents. Craig Carpenter of AccessData discusses
the next generation of incident response.
In addition to what he’s learned from AccessData’s own customer
experiences, Carpenter is armed with new insights from a Ponemon
survey.
In this interview recorded on the expo floor of RSA Conference 2014,
Carpenter discusses:
» The flaws in today’s incident response strategies;
» How to define next-generation incident response;
» How to assess and improve current incident response capabilities.
Carpenter is the Chief Marketing Officer of AccessData, overseeing
global marketing strategy and demand generation programs. Prior to
joining AccessData, he was VP of Marketing and Business Development
at Recommind where he pioneered and popularized predictive coding
and predictive information governance into the hottest trends in the
e-discovery and GRC markets, respectively.
Next-Generation Incident Response
Craig Carpenter of AccessData on How to Improve Response
by Tom Field, VP - Editorial, Information Security Media Group
Watch it online: http://www.inforisktoday.com/next-generation-incident-response-a-6544
Artificial intelligence can be used to enhance security across a number of business sectors, including retail and financial, says Dr. Akli Adjaoute of security firm Brighterion.
By tracing the steps of card usage and device or endpoint access,
security specialists are more effectively linking points of compromise
and preventing fraud, Adjaoute says. And organizations are relying on
artificial intelligence to trace those steps, he adds, by analyzing the
behaviors of transactions and devices.
The use of artificial intelligence for fraud prevention is not a new
concept, and it’s not science fiction, Adjaoute says. Companies such
as MasterCard and RBS WorldPay have for years relied on artificial
intelligence to detect fraudulent transaction patterns and prevent card
fraud, he says.
During this interview recorded at RSA Conference 2014, Adjaoute
discusses:
» How use cases for artificial intelligence have evolved;
» Why artificial intelligence is a necessity for providing a holistic
vision of security; and
» How artificial intelligence could have been used to prevent recent
retail breaches at Target Corp. and Neiman Marcus.
How Artificial Intelligence Prevents Fraud
Devices and Networks Provide Clues to Suspicious Patterns
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity
Watch it online: http://www.inforisktoday.com/how-artificial-intelligence-prevents-fraud-a-6547
Bring-your-own-device concerns are getting more complex, but most organizations aren’t keeping up with the times, and their outdated policies and procedures prove it, says John Whaley of Moka5.
In fact, BYOD security and best practices are often talked about more
than they are implemented and used, he says.
BYOD is not just about ensuring employees are using secure devices,
Whaley says. It’s about ensuring corporations are protecting intellectual
property when employees access their databases from home. And BYOD
also is about not violating employees’ privacy by inadvertently accessing
personal data on devices they own.
During this interview recorded at RSA Conference 2014, Whaley
discusses:
» How automation can enhance BYOD management;
» Why organizations are reluctant to even broach the topic of
BYOD;
» How regulators may soon mandate certain BYOD policies and
procedures.
Whaley serves as the founder and chief technology officer of Moka5 and
is responsible for the technical vision of the company.
Avoiding BYOD?
Why Setting BYOD Policies Is Increasingly Critical
by Tracy Kitten, Executive Editor, BankInfoSecurity and CUInfoSecurity
Watch it online: http://www.inforisktoday.com/avoiding-byod-a-6548
“BYOD security and best practices are often talked about more than they are implemented and used.” – John Whaley, Moka5
Articles, Blogs, Photos & More
From the ISMG Team at RSA Conference 2014
Cybersecurity is the only crime where the victim needs to apologize, says Kevin Mandia, founder of the data breach mitigation services firm Mandiant.
“It’s startling that it got that way,” he said in a Feb. 27 keynote
address at the RSA Conference 2014 in San Francisco.
Mandia offered a variation of the old saw about two types of
organizations: those that have been breached and those that don’t know
it.
“If you’re an F in cybersecurity or an A in cybersecurity, an attack has
the same chance of being successful,” Mandia said. “If you’re an F in
cybersecurity, you never find out and your boss says, ‘Whew, nothing
happened.’”
Organizations with a grade of A will learn from their experiences and
take steps to mitigate future breaches, he says. But unfortunately, many
of these organizations soon become vulnerable again.
Here’s how Mandia put it: Victims of cyber-attacks expand their IT
security teams shortly after the breach and aggressively combat the
attackers. Six months later, after no new breaches occur, management
thinks, “You know, we don’t have to do this stuff anymore.” The top
cybersecurity experts hired to prevent future breaches get bored and
move onto more challenging jobs. Then, the company gets breached
again.
He characterized this syndrome of companies letting their guard down
as “victim’s fatigue.”
Mandia said it isn’t that cyber-assailants are smarter than IT security
pros hired to safeguard systems. But attackers need only to break into
one device, whereas IT security specialists need to protect thousands of
devices. “It’s easier to shatter crystal than to shape it,” he said.
Mandiant, acquired for more than $1 billion in December by FireEye,
came to prominence a year ago when it released a report directly
implicating the Chinese military in cyber-espionage (see 6 Types of Data
Chinese Hackers Pilfer).
In his address, Mandia revealed that his firm had intercepted resumes
of members of the Chinese attack team bragging about their assaults on
Western organizations.
Breaches: Avoiding ‘Victim’s Fatigue’
Kevin Mandia Warns Against Letting Guard Down
ARTICLE
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
Read it online: http://www.inforisktoday.com/breaches-avoiding-victims-fatigue-a-6581
Is protecting our civil liberties the same as protecting our privacy?
At one point during his keynote address at the RSA security
conference in San Francisco on Feb. 26, FBI Director James Comey
seems to equate the two. He said safeguarding critical IT doesn’t
mean Americans need to sacrifice their privacy and civil liberties.
But when Comey offered an example on the balance between IT
security and privacy and civil liberties, he mainly referred to civil
liberties.
“I want to touch on issues of privacy for a moment,” Comey said
about 18 minutes in his nearly 25-minute address.
“Some have suggested there is an inherent conflict between protecting
national security and preserving privacy and civil liberties. I disagree.
In fact, I think the ideas of balance and trade-offs are the wrong
framework because they make it seem like a zero-sum game. At our
best, we are looking for security measures that enhance liberty. When
a city posts police officers at a dangerous park so kids and old folks can
use the park, security has promoted liberty.”
Comey said the men and women of the FBI are sworn to protect
national security and civil liberties; he didn’t mention privacy.
A Very Dangerous Place
“The fact of the matter is that the United States faces real threats from
criminals, terrorists, spies and malicious cyber-actors,” the director
said. “That is reality. The playground is a very dangerous place right
now. To stop those threats, the government needs timely and accurate
intelligence to identify threat actors and to figure out what they are
planning. That means we need to conduct electronic surveillance and
collect data about electronic communications. That is also reality. The
real question is this: How do we do that in a way that allows us to
prevent bad things from happening to our own people and our allies,
and, at the same time, protect privacy and civil liberties and promote
innovation?”
In the playground example, Comey addresses civil liberties, but not
privacy. Privacy, of course, is a facet of civil liberties, but our privacy
can be violated without compromising aspects of our civil liberties. The
government could spy on our e-mails without preventing us from speaking
out against the government. Our privacy could be violated, but our
rights to speak freely without being punished could go unabated.
Comey’s remarks could be interpreted to mean that under certain
circumstances the government will take steps to protect the nation
against nation-states, criminals or terrorists who could do us harm, steps
that could compromise our privacy, and perhaps our civil liberties as well.
Reading Between the Lines
There was another remark in Comey’s speech that could be construed
to condone government activities that could trouble many cybersecurity
practitioners:
“I’ve never been someone who is a scaremonger, crying wolf - but I’m
in a serious business, so I want to ensure that when we discuss altering
tools we use to collect information on an individual we believe to be
connected to criminal, terrorist or other unlawful activity, that we
understand the benefits and trade-offs on the other side.”
Could Comey mean that a situation such as the alleged corruption of
a cryptographic algorithm by the National Security Agency published
by the National Institute of Standards and Technology be tolerated to
safeguard critical IT against terrorists or an enemy nation? To be clear,
he didn’t address specifically the allegation against the NSA.
But he added that intelligent people can and do disagree on such
approaches. “That’s the beauty of American life,” he said, “but we need to
make sure that everyone understands the risks associated with the work
we do and the choices we make as a country.”
It’s not that privacy and civil liberties be damned, but the reality is that
in this dangerous world, privacy and civil liberties still can be sacrificed
for the sake of security.
Equating Civil Liberties with Privacy
FBI Director Addresses Balancing Rights with Security
BLOG
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
Read it online: http://www.inforisktoday.com/blogs/equating-civil-liberties-privacy-p-1629
DHS Offers Incentive to Adopt Framework
States Could Qualify for Free IT Security Managed Services
ARTICLE
by Eric Chabrow, Executive Editor, GovInfoSecurity and InfoRiskToday
The Department of Homeland Security is offering managed cybersecurity services free of charge as an incentive to get financially strapped local, state and territorial governments to adopt the cybersecurity framework.
DHS will pay for services that would be provided by the Multi-State Information Sharing and Analysis Center. In revealing the new program during a Feb. 25 presentation at the RSA Conference 2014, DHS Deputy Undersecretary Phyllis Schneck did not disclose the program’s cost, but said it would come out of the department’s budget.
“Our state and local governments protect and enable citizens and critical infrastructure and often don’t have a lot of budget,” Schneck says in an interview with Information Security Media Group. “We want to make sure they have the best cybersecurity in conjunction with adoption of the cybersecurity framework. The combination of the policy guidance and the managed services will improve the security posture of our state and local governments, which is key to our nation’s cybersecurity and infrastructure resilience.”
The managed services to be offered will include intrusion detection, intrusion prevention and firewall and network traffic monitoring. Schneck, the highest ranking DHS cybersecurity official, says the services provided by the MS-ISAC do not change the local and state governments’ abilities to govern their own networks. “It’s simply great security free of charge in conjunction with their adoption of the cybersecurity framework,” she says.
Risk Management
Another DHS official tells Information Security Media Group that the agency is encouraging local and state governments that will use the managed services to continue participation in the Critical Infrastructure Cyber Community program, known as C3, or C-cubed. C3 aims to support industry in increasing cyber resilience, increase awareness and encourage organizations to manage cybersecurity as part of an “all hazards” approach to enterprise risk management.
The National Institute of Standards and Technology earlier this month unveiled its long-awaited cybersecurity framework, which provides best practices for voluntary use in all critical infrastructure sectors. President Obama in 2013 issued an executive order that called on NIST to collaborate with the private sector to develop IT security best practices that critical infrastructure providers could voluntarily adopt.
MS-ISAC, a unit of the not-for-profit Center for Internet Security, provides two-way sharing of information and early warnings on cybersecurity threats and furnishes a process to gather and disseminate information about cybersecurity incidents.
Read it online: http://www.inforisktoday.com/dhs-offers-incentive-to-adopt-framework-a-6567
Recruiting InfoSec Pros in Tight Market
Insights on Creating ‘Center for Security Excellence’
ARTICLE
by Howard Anderson, News Editor, Information Security Media Group
In light of the critical shortage of information security professionals, organizations must strive to become a “center for security excellence” to successfully recruit the specialists they need, says analyst John Oltsik of Enterprise Strategy Group.
The research company’s recent global survey of 600 IT and security professionals determined that 65 percent find it somewhat difficult to recruit and hire information security professionals, while 18 percent find it extremely difficult, Oltsik said in a Feb. 24 presentation at the RSA Conference 2014. The area with the greatest security skills shortage is cloud computing and server virtualization, mentioned by 43 percent. Other key shortage areas are endpoint, mobile device and network security, as well as data analysis/forensics.
Corporate Culture
A key step to successful recruiting of infosec pros, Oltsik says, is “integrating security into the corporate culture.”
In an interview with Information Security Media Group after his presentation, Oltsik, senior principal analyst at the Milford, Mass.-based firm, described some of the components of creating a center for security excellence: “Security people want exposure to training and they want exposure to their peers ... and they want to give input to vendors about their products. If they’re always busy putting out fires, then they can’t do that. You need to figure out how to make your people more efficient ... so they can build a career.”
Continuing education is essential, he stresses. “The average security professional is two years behind in terms of knowledge of what the bad guys are doing,” he contends.
Other steps organizations should take in light of the shortage of qualified infosec pros, Oltsik says, include:
» Look for opportunities to outsource certain security functions;
» Adopt “intelligent turnkey technologies” that are easier for staff to use;
» Automate as many tasks as possible.
Read it online: http://www.inforisktoday.com/recruiting-infosec-pros-in-tight-market-a-6538
Candid shots from ISMG’s video interviews. Clockwise from top left:
Garry Sidaway, Global Director of Security Strategy, NTT Com Security;
Francoise Gilbert, managing director, IT Law Group; Dr. Akli Adjaoute,
CEO of Brighterion; Tom Field, VP of Editorial, ISMG.
Audio Insights from Leading Vendors
2014 Brings Shift in Cyber-Attacks
Akamai’s Rich Bolstridge Outlines Trends
While massive DDoS attacks were dominant in 2013, this year, smaller application-layer attacks going after such things as log-in pages and password files are far more common, says Rich Bolstridge, chief strategist, financial services, at Akamai Technologies.
Listen online: http://www.inforisktoday.com/interviews/2014-brings-shift-in-cyber-attacks-i-2218
2014 Fraud Prevention: 2 Key Steps
Gartner’s Litan Recommends Action Items
Two critical steps that banking institutions need to take in 2014 to help prevent fraud are implementing big data analytics and adopting far more sophisticated customer and employee authentication, says Gartner analyst Avivah Litan.
Listen online: http://www.inforisktoday.com/interviews/2014-fraud-prevention-2-key-steps-i-2198
Advanced Threat Defense
Trend Micro’s JD Sherry on New Strategies, Solutions
Advanced, ever-evolving threats call for security solutions vendors to counter with equally advanced and sophisticated solutions. JD Sherry of Trend Micro discusses new strategic alliances and product sets dedicated to creating new measures of threat defense.
Listen online: http://www.inforisktoday.com/interviews/advanced-threat-defense-i-2205
Automating Data Analysis
AccelOps’ Brenton on Enhancing Threat Intelligence
By automating data analysis, organizations can enhance their threat intelligence and lessen their workloads, says Flint Brenton, president and CEO of AccelOps.
Listen online: http://www.inforisktoday.com/interviews/automating-data-analysis-i-2204
Baking Privacy Into Health IT
Expert Says Privacy Needs to Be Part of Design
Privacy should be built into the design of all healthcare information technology and related processes, says Michelle Dennedy, who’s writing a book on the concept of “privacy by design.”
Listen online: http://www.inforisktoday.com/interviews/baking-privacy-into-health-it-i-2183
CipherCloud Unveils New Platform
Providing Security in the Cloud
CipherCloud’s Paige Leidig discusses a new offering that helps enable organizations to rapidly adopt a cloud application while it protects sensitive data and ensures compliance with policies and regulations.
Listen online: http://www.inforisktoday.com/interviews/ciphercloud-unveils-new-platform-i-2215
Cisco Unveils Open Source Initiative
Scott Harrell Explains Project
Cisco has launched a new open source initiative focused on application identification, says Scott Harrell, vice president of the company’s security business group.
Listen online: http://www.inforisktoday.com/interviews/cisco-unveils-open-source-initiative-i-2208
Cryptocurrency an Easy Target
Joe Stewart and Pat Litke of Dell SecureWorks Discuss Threats
Researchers at Dell SecureWorks have identified some 146 unique malware families that are targeting cryptocurrencies. Approximately 100 of those have emerged in just the last year, says Pat Litke, security analysis adviser for the company’s CyberThreat unit.
Listen online: http://www.inforisktoday.com/interviews/cryptocurrency-easy-target-i-2195
Cyberthreat Protection Evolves
Corero’s Ashley Stephenson on New Defenses
The increasing use of cloud-based resources requires a new approach to protection against cyberthreats, says Ashley Stephenson, CEO at Corero Network Security.
Listen online: http://www.inforisktoday.com/interviews/cyberthreat-protection-evolves-i-2209
DDoS Attacks Continue to Grow
Neustar’s Jim Fink on Global DDoS Trends
Neustar is about to release a new report on the DDoS threat landscape. What are some of the key trends to watch? Neustar’s Jim Fink offers a preview of the study’s findings.
Listen online: http://www.inforisktoday.com/interviews/ddos-attacks-continue-to-grow-i-2212
DDoS: More Defenses Needed
Emerging Attack Methods Continue to Take Sites Down
While January’s seemingly isolated distributed-denial-of-service attacks against JPMorgan Chase and Bank of America may have been a blip, DDoS expert Barrett Lyon says stronger attacks are on the way.
Listen online: http://www.inforisktoday.com/interviews/ddos-more-defenses-needed-i-2217
FIDO: Beyond ‘Simple’ Authentication
New Protocol Strives to Wipe Out Password Use
Simple credentials, such as passwords, are a hacker’s best friend, says Phillip Dunkelberger of Nok Nok Labs, a founding member of the FIDO Alliance. That’s why the alliance is working to reduce reliance on passwords by enabling advanced authentication.
Listen online: http://www.inforisktoday.com/interviews/fido-beyond-simple-authentication-i-2214
Fighting Phone Fraud
Matt Anthony of Pindrop on the Rise in Phone-Based Fraud
While much of the security focus is on online fraud and major data breaches, organizations of all sizes and sectors are seeing a rise in phone-based fraud, says Matt Anthony of Pindrop Security.
Listen online: http://www.inforisktoday.com/interviews/fighting-phone-fraud-i-2193
How Fraudsters Take Advantage of Insiders
Venafi’s Bocek on Cyber-Attack Trends
Insiders are often linked to cyber-attacks, says Kevin Bocek, vice president of security strategy and threat intelligence for Venafi.
Listen online: http://www.inforisktoday.com/interviews/how-fraudsters-take-advantage-insiders-i-2196
How Mobile Hacks Threaten Enterprise
IBM’s Caleb Barlow on a Growing Menace
Among the biggest cyberthreats enterprises face are hacks on consumer mobile devices, says Caleb Barlow, a director of product management at IBM Security.
Listen online: http://www.inforisktoday.com/interviews/how-mobile-hacks-threaten-enterprise-i-2199
How to Improve Cybercrime Tracking
Fox-IT’s Chandler and Driehuis on Behavioral Analytics
With enhanced analytics, organizations and law enforcement are improving their ability to trace malware attacks and other advanced persistent threats, says Eward Driehuis of Fox-IT.
Listen online: http://www.inforisktoday.com/interviews/how-to-improve-cybercrime-tracking-i-2203
iBoss Offers Behavioral Analysis
Products Tied to Cybersecurity Framework
The gateway security solutions provider iBoss Network Security is enhancing its offerings by incorporating analysis of the behavioral movement of traffic in and out of the network.
Listen online: http://www.inforisktoday.com/interviews/iboss-offers-behavioral-analysis-i-2190
Improving Encryption Management
SafeNet’s Prakash Panjwani Identifies Key Issues
As organizations expand their use of encryption to help prevent breaches, they must improve their management of cryptographic keys, says Prakash Panjwani, senior vice president at SafeNet.
Listen online: http://www.inforisktoday.com/interviews/improving-encryption-management-i-2191
InfoSec Investments: Venture Capital’s View
Trident Capital’s Alberto Yépez on the 2014 Security Outlook
What is the venture capital view of the security trends and technologies that will have the most impact on careers in 2014? Alberto Yépez of Trident Capital weighs in with his insights and predictions.
Listen online: http://www.inforisktoday.com/interviews/infosec-investments-venture-capitals-view-i-2187
Insights on Enhancing Authentication
Bert Rankin of ThreatMetrix on Filling the Gaps
Too many businesses are worried about how security might adversely affect the user experience, even among their own workforce, says Bert Rankin, chief marketing officer of ThreatMetrix.
Listen online: http://www.inforisktoday.com/interviews/insights-on-enhancing-authentication-i-2206
Keys to Secure Content Sharing
Accellion’s Hormazd Romer on Secure Mobile Productivity
As content sharing via mobile devices becomes more common, organizations must make sure security issues are adequately addressed, says Hormazd Romer, senior director of product marketing at Accellion.
Listen online: http://www.inforisktoday.com/interviews/keys-to-secure-content-sharing-i-2225
Log Analysis for Breach Prevention
Solutionary’s Don Gray on Steps Companies Can Take to Predict Threats
Log analysis is often used for managed security, but are organizations going far enough with the information they have at their fingertips? Don Gray, chief security strategist for Solutionary, says there is much more organizations could be doing to predict breaches.
Listen online: http://www.inforisktoday.com/interviews/log-analysis-for-breach-prevention-i-2194
Real Threat Intelligence
David Duncan of Webroot on New Partnerships, Solutions
Everyone is talking about threat intelligence, but what are the characteristics that make it useful? David Duncan of Webroot offers insights on new solutions and partnerships.
Listen online: http://www.inforisktoday.com/interviews/real-threat-intelligence-i-2201
Securing Network Architecture
Barracuda’s Steve Pao on Addressing Threats
Although the growth of cloud-based data centers offers opportunities to more rapidly deploy applications, it also raises new security issues, says Steve Pao, senior vice president at Barracuda Networks.
Listen online: http://www.inforisktoday.com/interviews/securing-network-architecture-i-2200
Securing the Smart Grid
Gib Sorebo of Leidos Previews RSA 2014 Presentation
Distributed generation and plug-in motor vehicles are among the emerging security challenges to the smart grid. In an RSA 2014 preview, Gib Sorebo of Leidos discusses the threats to utilities and consumers.
Listen online: http://www.inforisktoday.com/interviews/securing-smart-grid-i-2188
Security: Going Beyond Compliance
Tipton of (ISC)2 Says Technology Can Only Go So Far
While most organizations are focusing on compliance, they are ignoring basic human-factor security risks that technology cannot fix, says Hord Tipton, executive director of the International Systems Security Certification Consortium, better known as (ISC)2.
Listen online: http://www.inforisktoday.com/interviews/security-going-beyond-compliance-i-2197
Security Professionals: Time to Step Up
Purdue’s Eugene Spafford on Challenges Facing the Profession
In the wake of high-profile breaches and data leaks, the government will pay a lot more attention to information security. Are security pros ready for this scrutiny? Professor Eugene Spafford has his doubts.
Listen online: http://www.inforisktoday.com/interviews/security-professionals-time-to-step-up-i-2221
The API as an Attack Vector
Intel’s Travis Broughton on Addressing New Risks
The application programming interface is now an attack vector, which creates new security issues, warns Travis Broughton, IT architect at Intel.
Listen online: http://www.inforisktoday.com/interviews/api-as-attack-vector-i-2192
The Evolving Threatscape
Security Insights from Preston Hogue and Greg Maudsley of F5
Traditional fraud has evolved in complexity, changing the threat landscape dramatically. Greg Maudsley and Preston Hogue of F5 discuss new strategies to mitigate evolving threats.
Listen online: http://www.inforisktoday.com/interviews/evolving-threatscape-i-2211
The Impact of Bit9, Carbon Black Merger
Benjamin Johnson Describes New Approach
The recent merger of Bit9 and Carbon Black will eventually result in a single, merged product offering, says Benjamin Johnson, CTO at Carbon Black.
Listen online: http://www.inforisktoday.com/interviews/impact-bit9-carbon-black-merger-i-2223
Looking Back on RSA Conference 2014
CareersInfoSecurity Quick Poll
Among ISMG’s activities at RSA Conference 2014, we conducted mini-surveys of visitors to the ISMG booth. Here are responses to questions we asked in a CareersInfoSecurity Quick Poll about job turnover and satisfaction.
Only 41 percent of respondents are extremely satisfied in their jobs at a time when retaining information security pros is of paramount importance. This is a statistic to explore in the coming months.
When was the last time you changed jobs?
» 2 years ago: 37%
» 1 year ago: 33%
» 5 years ago: 15%
» This is actually my first job: 11%
» 10 years ago: 4%
How do you rate your current career satisfaction?
» Somewhat satisfied – open to a better offer: 52%
» Extremely satisfied – can’t see myself doing anything different: 41%
» Extremely dissatisfied – time to move on: 7%
Social Media
ISMG’s social media presence during RSA Conference 2014 was unlike any in years past. Utilizing Twitter, Facebook and LinkedIn, our editorial staff sent out by-the-minute updates of interviews, sessions and events that included interviewee information, pictures and graphics.
ISMG’s Tweets appeared on timelines over one million times.*
783,794 Total Reach
Over 1 Million Total Impressions
* According to Tweetreach.com
RSA Conference Day One: Editor’s Insights
ISMG’s Editorial Team Discusses Highlights from RSA Conference 2014
VIDEO
RSA Conference 2014 is hosted across the street from a Target store, which is only fitting because the Target retail breach arose in many discussions during day one of the annual security conference. In addition to recent retail breaches, RSA Conference 2014 attendees discussed last year’s NSA disclosures, the future of payments security and how to mitigate the risks posed by organizations’ top vulnerability - people.
See day-one analysis from ISMG’s editorial team, including Tom Field, Eric Chabrow, Tracy Kitten and Howard Anderson, as they discuss:
» What they overheard in conversations at RSA Conference 2014;
» Highlights of the day’s activities;
» What to expect from the event in the coming days.
Watch it online: http://www.bankinfosecurity.com/rsa-day-one-editors-insights-a-6568
RSA Conference Day Two: Cybersecurity and Fraud
ISMG Editors Share Insights, Analysis from RSA Conference 2014
VIDEO
In the second full day of RSA Conference 2014, ISMG’s editors recorded exclusive video interviews with industry thought-leaders Troy Leach of the PCI Council, Adam Sedgewick of NIST and Gartner’s Avivah Litan.
Among the hot topics discussed: the future of the PCI standard; initial response to the new U.S. cybersecurity framework; and what can be done to counter the epidemic of retail data breaches.
In a brief roundtable discussion recorded at the end of day two at RSA Conference 2014, ISMG editors Tom Field, Eric Chabrow and Tracy Kitten share insights on:
» Key conversations of the day;
» Common security themes discussed by attendees;
» What’s ahead for day three.
Watch it online: http://www.bankinfosecurity.com/rsa-day-two-cybersecurity-fraud-a-6576
RSA Conference Day Three: Conference Themes
ISMG Editors Share Insights, Analysis from RSA Conference 2014
VIDEO
As ISMG’s news team wraps up coverage of RSA Conference 2014, the editors gather to discuss final impressions of the annual security conference. Join Tom Field, Howard Anderson, Tracy Kitten and Eric Chabrow as they discuss:
» Highlights of their final day at the event;
» Common themes shared by attendees;
» Reflections on the week-long event.
Watch it online: http://www.bankinfosecurity.com/rsa-day-three-conference-themes-a-6580
“RSA Conference 2014 wasn’t about any one
topic. It was about a community – the global
information security community – coming
together to tackle a host of current challenges.
It’s humbling to stand amidst this community
and feel its power.”
- Tom Field, ISMG
902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com
About ISMG
Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.
This information is used by ISMG’s subscribers in a variety of ways — researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance-related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.
Contact: (800) 944-0401 • sales@ismgcorp.com