INFORMATION SECURITY
APRIL 2016 | VOL. 18 | NO. 3
docs.media.bitpipe.com/io_13x/io_130920/item...

EARLY READ ON EMV CHIP TECHNOLOGY

CLOUD SECURITY AUTOMATION: ARE WE UP TO THE TASK?

THE SHORT LIST: ENDPOINT PROTECTION

DATA COMPROMISE HOLDS STEADY IN 2016

U.S. GOVERNMENT THROWS MONEY INTO CYBERSPACE

CLOUD SECURITY GATEWAYS RISE TO THE DATA LOSS CHALLENGE
Access security brokers are quickly emerging as the technology of choice for enterprises seeking to implement data loss prevention controls in the cloud.

INFORMATION SECURITY | APRIL 2016

HOME

EDITOR’S DESK

DLP IN THE CLOUD

READERS’ TOP PICKS: ENTERPRISE

SECURITY

MODERNIZING FEDERAL IT

CHIPS AHOY

THE HYBRID LIFE

EDITOR'S DESK

Give a Little, Take a Little: Data Compromise Holds Steady
Data breaches can point to issues with security tools and their implementation. Some companies that are putting personally identifiable information at risk may surprise you.
BY KATHLEEN RICHARDS

FAST COMPANY and Inc. are among the financial publications that have cautioned business readers about data compromise: It's only a matter of when and how the breach will occur. Unfortunately for publisher Mansueto Ventures, the when occurred sometime in early 2016.

Employees' personally identifiable information, Social Security numbers and more, was stolen and used for filing false state and local tax returns. Workers were left to sort out the mess, according to Keith J. Kelly of the New York Post, who reported the breach at the publisher in the first week of March. "The fact that all that data was unencrypted is pathetic—and ironic as hell," one staffer reportedly told Kelly.

Indeed, billionaire Joe Mansueto, as the NYPost noted, is the founder and CEO of investment research and management firm Morningstar.

As of March 1, the Identity Theft Resource Center has identified 100 breaches in 2016 with 1,789,393 records exposed. The numbers are in line with 2015. Business accounted for the highest number of breaches, at 43, but only 6% of record exposure, with 109,883. Healthcare had 40 breaches, with 71% of the data compromised, 1,269,890 records in all. Banking/Credit/Financial represented only four breaches, with 0.2% of the records exposed, or 4,382. Other categories included Educational, with 15 identified breaches, and Government/Military with eight.

The status quo points to ongoing issues with security tools and their implementation. Data loss prevention (DLP) is aimed at stopping data compromise, yet implementation is spotty at best. Many systems are purchased for compliance reasons and get underused. Visibility into the protection of personally identifiable information may get worse as more companies move to the cloud.

Employees have embraced the cloud for storage, information sharing and BYOD services, often without the blessing of IT. How can IT security teams implement cloud DLP policies across environments while preserving the productive use of applications? We look at cloud DLP technologies and best practices that have proved effective for enterprise security programs. Not surprisingly, cloud access security brokers (CASBs) have become a major part of the conversation, reports Jaikumar Vijayan in this month's cover story.

Many organizations are still in search of effective protection techniques against network and endpoint threats that result in data compromise or theft. We polled 700 IT and security professionals at medium-to-large enterprises that have active endpoint security projects or technology purchases in the next 12 months. Many tools once aimed at workstations and servers now offer policy integration and data protection for tablets and smartphones. In this month's Readers' Top Picks, we share the shortlist of endpoint protection suites of those surveyed.

Finally, the White House announced the Cybersecurity National Action Plan in February 2016 to address what the president sees as weakness in cybersecurity preparedness across the country, including problems within the federal government and its skill sets. "The details that are in the language of the plan, which is not a law, nor is the money approved by Congress, are really just getting the basics taken care of, and at what a cost!" says Adam Rice, who looks at the cybersecurity spending plan and the new Federal CISO position that was announced along with it. As he points out, the implementation of the plan will depend on the next president. (Uh-oh …)

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.

COVER STORY: DLP IN THE CLOUD

CLOUD SECURITY GATEWAYS RISE TO THE DATA LOSS CHALLENGE
Access security brokers are quickly emerging as the technology of choice for enterprises seeking to implement data loss prevention controls in the cloud.
By Jaikumar Vijayan

ON-PREMISES DATA LOSS prevention strategies alone are no longer sufficient to protect enterprise data against inadvertent or malicious exposure.

As more workers upload, store and share corporate data in private and public cloud environments, organizations have to confront the realities of protecting data that users access from anywhere at any time through a mix of sanctioned and unapproved devices on services with varying degrees of security. Monitoring and controlling data that is stored in cloud services and downloaded to devices outside the enterprise network has become critical for CIOs and CISOs in today's environments.

In order to implement effective data loss prevention (DLP) in the cloud, security administrators need to understand which cloud services employees are using and what type of data is being shared, as well as how, when and why this is happening. Unfortunately, for many organizations that's a lot easier said than done.

"Cloud data is hard to locate," says Richard Stiennon, chief research analyst and founder of IT-Harvest. "It may be in so-called shadow IT servers set up by staff. It can be dispersed in thousands of fragments in a cloud storage solution like Google or Amazon Simple Storage Service or even a Hadoop database." Sometimes, data can reside in snapshot images of workloads, or be encrypted with a user's private keys and those belonging to the cloud service provider.

The tendency by remote workers to connect to and use unapproved cloud collaboration services has created a huge shadow IT problem, says Krishna Narayanaswamy, chief scientist at Netskope Inc., a cloud security startup in Los Altos, Calif. The average enterprise uses about 755 cloud apps, only a small fraction of which are actually approved for use by IT.

Several tools and services are commercially available that let CIOs and CISOs gain this sort of visibility and allow them to categorize and prioritize cloud applications based on the risk they pose to enterprise data. Such discovery is critical to enabling effective cloud DLP.

EMERGING ARCHITECTURES

Organizations basically have two options for implementing DLP in the cloud. One is through the use of a cloud access security broker (CASB) service or software tool, and the other is to inspect data uploaded and stored in the cloud via an API within the application itself.

In its in-line form, a CASB is a proxy or gateway that sits between the enterprise and the cloud service provider and inspects data streaming into and out of cloud applications. Not all CASB architectures are the same, however, and Twitter, Facebook and other services that are widely adopted for personal use may complicate sweeping traffic analysis because of employee privacy issues.

"Organizations can direct connections to cloud applications through a gateway that does content inspection based on policies looking for keywords or access to specific cloud applications," says Fred Kost, senior vice president at cloud security vendor HyTrust Inc., in Mountain View, Calif. "This may benefit some organizations, depending on the connection to the cloud application and their ability to effectively inspect the application connection."

CASBs offer a central control point for enforcing policies in an environment in which users might be remote or mobile, devices are both managed and unmanaged, and cloud services are hosted all over the world with different native security and compliance capabilities. The access security gateway market, which attempts to address on-premises cloud and software as a service (SaaS) deployments, is largely populated by startups: Adallom (acquired by Microsoft last July), Elastica (acquired by Blue Coat Systems in November), CipherCloud, Netskope and Skyhigh Networks.

In addition to providing CISOs greater visibility through audit logs and compliance reports, CASB technology can help security administrators enforce enterprise DLP policies pertaining to encryption, access, authentication and authorization. That's assuming the organization has classified its data and created the complex set of rules necessary for effective leak prevention.

"Rather than recreate DLP policies already in place, an enterprise can use a CASB to connect their on-premises DLP system to their cloud security provider and effectively extend their policies to data uploaded to the cloud," says Kamal Shah, senior vice president of products at Skyhigh Networks in Campbell, Calif.

Even companies that don't have an existing DLP mechanism in place for their internal network can specify and enforce leak prevention controls for their cloud data. Many CASBs offer templates to identify sensitive data and enable users to define access policies similar to on-premises DLP.

CLOUD APIs

While CASBs started to gain traction in 2015, APIs are familiar tools that enable developers to program interactions, and security controls, at the application level. Cloud service providers offer APIs as a way for enterprises and security vendors to analyze interactions related to data that has already been uploaded to the cloud. APIs can make it easier for enterprises to inspect these transactions for sensitive information (Social Security numbers, health information, intellectual property, credit card and financial data) in order to impose the appropriate access and security policies. Cloud security is multifaceted, however, and the APIs are themselves an attack surface, so programming complex interactions between data center and Web components, for example, carries its own risks.

APIs are less intrusive than proxies, but there is a slightly greater risk exposure because data is inspected only after it arrives in the cloud, says Willy Leichter, global director of cloud security at CipherCloud in San Jose, Calif. "Where you need to apply conditional DLP policies that require more processing, the application API mode tends to work better." Cloud security gateways work well for enforcing DLP policies on structured data and somewhat less so with unstructured data, he says. "When you talk about unstructured data, it is always a larger problem, because you don't know what you don't know."

CONTEXTUAL ANALYSIS OF TRANSACTIONS

According to Gartner, by 2020 roughly 85% of large enterprises will use CASBs for enabling greater visibility into their cloud services for security and compliance purposes. The analyst firm expects that the technology will give companies a way to gain a much more granular understanding of how workers are consuming cloud services and the risks resulting from such use.

One of the most important qualities of CASBs is that they give enterprises the ability to add critical real-time context to security decisions in the cloud, according to Gartner. For instance, security administrators can use CASBs to develop and enforce policies like restricting or enabling data access based on the location or the time of day. Similarly, they can be used to encrypt certain types of data like SSNs and credit card numbers that are uploaded to the cloud or to deny access to devices that do not meet enterprise security policies.

"Many enterprises doing DLP in the cloud find contextual awareness to be a 'must-have' for cloud DLP due to the sheer volume of cloud transactions that need to be inspected," Narayanaswamy says.

Data leak prevention tools allow organizations to impose security controls on data based on data type and the context in which it is being used. But the policies need to be flexible enough to ensure that people who are authorized to access sensitive and secured data in the cloud have access to it as needed. That means enabling a capability for enforcing DLP that is not just content aware but also context aware in terms of who is accessing the data, from where they are accessing it, why they might be accessing it and whether that access is compliant with associated policies.

"If you think about cloud app traffic, there are tons of transactions and you need a way to narrow down that sea of data to the transactions you really care about," says Narayanaswamy. "Context means who's doing the action, on what device, from what location, in what application or category, what the app risk level is, where the data is being hosted and what the activity is," he says.

For instance, analyzing data that's uploaded from a desktop computer on the campus network to a cloud storage folder designated for sensitive data may not be as important as inspecting the data that's downloaded from that same sensitive folder to a remote user on a personal device. By classifying data using context-aware techniques, enterprises can reduce the false positives in detection that plague many legacy enterprise DLP systems, he says.

Context-aware DLP takes into account factors like whether an employee is accessing data on a managed or unmanaged device or where they are located, adds Shah. For instance, a company may need to specifically prevent employees from accessing sensitive information on a personal device or when they are abroad. Or some companies might only want employees to share sensitive data in the cloud with sanctioned business partners while prohibiting other kinds of use.

CONSISTENT POLICIES ACROSS ENVIRONMENTS

Regardless of the architecture that an organization chooses for cloud DLP, it is vital to have a consistent set of policies governing the manner in which protected data is secured and accessed in the cloud and within the enterprise.

The same content-scanning policies that are used for data stored on premises need to be applied to information stored and shared in the cloud, says Leichter. An organization's obligation to comply with relevant regulatory requirements like PCI DSS, HIPAA, GLBA and FINRA standards does not change because data has migrated to the cloud. The only thing that really changes is the actions that need to be taken to prevent and remediate sensitive data leaks.

In order to be truly effective, a cloud DLP policy must cover Internet traffic outbound from corporate devices to cloud services and data that is being downloaded from these sites to devices outside the enterprise network.

By 2017, every enterprise DLP provider will have developed at least one partnership with a CASB or acquired one, according to Gartner. With a central control point for cloud security, CIOs and CISOs can enforce security policies across multiple apps, instead of relying on each service's built-in DLP controls.

This can be achieved by logically separating the data classification rules from the enforcement policies, says Narayanaswamy. "Any other approach is knowingly creating a nightmare for your customers."

JAIKUMAR VIJAYAN is a freelance writer with over 20 years of experience covering the information technology industry. He is a frequent contributor to Christian Science Monitor Passcode, eWEEK, Dark Reading and several other publications.
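The context-aware policy model the cover story above describes, as an added example that is not part of the original article and is not any vendor's code: content classification (here a structural SSN pattern and a Luhn-checked card-number pattern) is kept separate from an ordered list of enforcement rules that look only at the transaction's context (activity, managed or unmanaged device, location, the app's risk rating, external sharing), which is the "separate classification from enforcement" point Narayanaswamy makes. The same engine runs in the two modes the article contrasts: in line, where the decision is made before the bytes reach the cloud service, and API mode, where objects already stored are swept with less context available. The rule names, the Transaction fields, the app-risk ratings and the sample records are assumptions constructed for this example.

```python
"""Context-aware cloud DLP policy engine (added example, not vendor code).
Classification (what is in the content) is kept separate from enforcement
(what to do given the context).  Rule names, Transaction fields and the
app-risk ratings are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# --- Classification: content-aware labels ---------------------------------
# Structural SSN check: area 000/666/9xx, group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that PAN_RE matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(content: str) -> set:
    """Return the set of sensitive-data labels present in the content."""
    labels = set()
    if SSN_RE.search(content):
        labels.add("SSN")
    for m in PAN_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PAN")
            break
    return labels

# --- Context: who, what activity, which device, where, which app ----------
@dataclass
class Transaction:
    user: str
    activity: str                   # "upload", "download", "share" or "at-rest"
    app: str
    app_risk: str                   # "low" | "medium" | "high" (assumed CASB rating)
    managed_device: Optional[bool]  # None = unknown (API mode sees no device)
    location: Optional[str]         # country code, None = unknown
    external_share: bool = False
    content: str = ""

@dataclass
class Rule:
    name: str
    labels: set                     # labels the rule needs; empty = any content
    condition: Callable[[Transaction], bool]
    action: str                     # "block" | "encrypt" | "allow"

# Ordered policy: most restrictive first, first matching rule wins.
POLICY = [
    Rule("block-sensitive-download-to-unmanaged", {"SSN", "PAN"},
         lambda t: t.activity == "download" and t.managed_device is False, "block"),
    Rule("block-sensitive-abroad", {"SSN", "PAN"},
         lambda t: t.location is not None and t.location != "US", "block"),
    Rule("revoke-external-share-of-sensitive", {"SSN", "PAN"},
         lambda t: t.external_share, "block"),
    Rule("encrypt-sensitive-upload", {"SSN", "PAN"},
         lambda t: t.activity == "upload", "encrypt"),
    Rule("block-external-share-on-high-risk-app", set(),
         lambda t: t.external_share and t.app_risk == "high", "block"),
]

def evaluate(t: Transaction, policy=POLICY) -> tuple:
    """Inline (proxy) mode: decide before the bytes reach the cloud service."""
    labels = classify(t.content)
    for rule in policy:
        if rule.labels and not (rule.labels & labels):
            continue                # rule needs sensitive content that is absent
        if rule.condition(t):
            return rule.action, rule.name, labels
    return "allow", None, labels

def api_sweep(stored_objects: list, policy=POLICY) -> list:
    """API mode: scan objects already in the cloud.  Device and location are
    unknown here, so only content and sharing-state rules can fire."""
    findings = []
    for obj in stored_objects:
        t = Transaction(obj["owner"], "at-rest", obj["app"], obj["app_risk"],
                        None, None, obj["external_share"], obj["content"])
        action, rule, labels = evaluate(t, policy)
        findings.append({"object": obj["name"], "labels": sorted(labels),
                         "action": action, "rule": rule})
    return findings

# Constructed sample records (not real data); 4111 1111 1111 1111 is a
# well-known Luhn-valid test number.
PAYROLL = "employee 4412, SSN 123-45-6789, card 4111 1111 1111 1111"
AGENDA = "Q2 offsite agenda: 09:00 kickoff, 10:30 roadmap review"
```

Ordering matters: the most restrictive rules come first and the first match wins, so a download of the payroll record to an unmanaged device is blocked before the encrypt-on-upload rule is considered, while the offsite agenda uploaded from that same unmanaged device abroad is allowed because no rule that needs sensitive content applies to it; that is the false-positive reduction the article attributes to context. In api_sweep the device and location are None, so the device and location rules cannot fire and only the sharing-state and content rules do; that is the "inspected only after it arrives" gap Leichter describes, and the reason the two modes complement rather than replace each other.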

THE SHORT LIST

READERS' TOP PICKS FOR ENDPOINT PROTECTION SOFTWARE
Roughly half of survey respondents indicated that their organization is shifting away from static scanning as the primary protection for endpoints.
By Kathleen Richards

ENDPOINT PROTECTION SOFTWARE for desktops and servers is adding more and more functionality to respond to the challenging threat climate. Many endpoint protection suites also offer policy integration and data protection for the tablets and smartphones of an increasingly mobile workforce. But according to the North American readers we surveyed, the changes may not be enough.

TechTarget polled 700 IT and security professionals at medium-to-large enterprises, who told us that they had active endpoint security projects or technology purchases in the next 12 months. Nearly half of the respondents said their security investments are being driven by the need to protect against threats not detected by traditional endpoint security products; 24% are concerned about too many false alerts or endpoints that are compromised too frequently. For 22%, it's the all-too-common scenario: they are reacting to a significant breach.

Many organizations are still in search of effective protection techniques against unknown threats and malware. Whether that requires layering network and endpoint security products, using existing technologies properly, integrating policies across multiple environments or switching endpoint protection software providers, almost half of those surveyed said, "There are probably better solutions out there." Desktop virtualization is part of the endpoint protection of 50% of the organizations surveyed. However, less than half (42%) have an endpoint strategy for employee-owned (BYOD) devices.

Which endpoint issues are you actively trying to solve at this time?
(Source: TechTarget, 2015; based on responses from 700 IT and business professionals. Respondents could choose all that apply.)
  49%  Concern that endpoint attacks and compromises are not being detected by current defenses
  24%  Too many false alerts
  24%  Endpoints are compromised too frequently
  22%  Reacting to a significant breach
  16%  Desire to protect intellectual property stored on endpoints
  14%  Current solution at endpoints is too complex
  12%  Concern regarding loss of endpoint due to theft or negligence
  13%  Other

Enterprises can adopt proactive approaches, according to analyst firm Gartner, by using technologies that support application controls, vulnerability analysis and patching on endpoints. Tools that offer a range of protection techniques, whose "efficacy" is evidenced by independent test labs, may also help.

Traditional endpoint security products have moved well beyond antivirus and personal firewalls, and more products have focused on closing the gap between endpoint detection and response. This shift reflects the growing need to identify and remediate threats in less time.

Roughly half of survey respondents indicated that their organization is shifting away from static scanning as the primary protection for endpoints. When asked which approach was most effective for securing endpoints, one third said anomaly detection coupled with quick containment and response; 22% indicated traditional virus scanning tools; 20% said tighter account controls preventing admin-level use of systems; and 8% favored whitelisting applications.

Which criteria of an antivirus/antimalware product are most important? Price ranked first (53%), followed by efficiency of signature scanning with minimal performance degradation (51%); behavior blocking and monitoring of system calls made by unrecognized software (50%); ease of remediation, including removal and cleanup of detected attacks (48%); and inclusion of a personal firewall (20%).

How confident are you that your current endpoint security providers detect and mitigate most or all endpoint attacks?
(Source: TechTarget, 2015; based on responses from 700 IT and business professionals.)
  48%  There are probably better solutions out there
  24%  Extremely confident
  19%  Verdict still out
   9%  We need a new provider(s)

Despite the calls for change, when we asked readers which enterprise endpoint protection software they were considering for their current project or purchase, traditional market leaders (with the highest usage among those surveyed) topped their short lists.

In spite of sweeping organizational changes in 2015, Symantec's Endpoint Protection software remains on the short list of 44% of readers. The company split its information management and security products into two businesses after announcing the strategy in October 2014. Version 12 of the company's antivirus and personal firewall software for desktops and servers running Windows, Mac OS X and Linux was released in November. The software is tied to other technologies, namely Symantec Online Network Advanced Response, or SONAR, to monitor application behaviors to address unknown threats beyond antivirus signatures. Endpoint Protection 12 also supports the company's Security Technology and Response (STAR) for scanning endpoints and Advanced Threat Protection (ATP) for servers, but some technologies require separate management consoles.

Intel Security (McAfee), another heavy hitter in this category (it has the second largest market share worldwide, according to Gartner), was shortlisted by 35% of the readers surveyed. Sophos Endpoint Protection software, ranked third with 20%, is focused on prevention and faster detection and remediation. The company uses an evolving network-to-endpoint strategy based on heartbeat synchronization and context-aware security. Like other vendors, Sophos is building on its endpoint security with mobile, and sifting through sensor and threat information with help from its SophosLabs cloud. Webroot also landed on the shortlists of 10% of those surveyed. In a distinctive approach, the Webroot SecureAnywhere technology relies on behavioral analysis to detect anomalies and malware. Its back-end databases are stored in the cloud, which offers enterprise users a lightweight client.

Which endpoint security products are you considering for your project? Readers' top five
(Source: TechTarget, 2015; based on responses from 460 IT and business professionals. Respondents could choose all that apply.)
  44%  Symantec
  35%  Intel Security (McAfee)
  20%  Sophos
  16%  ESET/IBM
  10%  Webroot

Gartner expects endpoint protection platforms (EPPs) to continue to integrate more functionality such as enterprise mobility management (EMM) and data loss prevention. "In the longer term, portions of these markets will be subsumed by the EPP market, just as the personal firewall, host intrusion prevention, device control and anti-spyware markets have been," according to Gartner research analysts Peter Firstbrook and Eric Ouellet, who published a report on endpoint protection software in February. Many companies already invest in endpoint and mobile data protection, their research shows. More endpoint protection suites are also integrating application controls and vulnerability analysis into their mobile offerings, which could satisfy the EMM requirements of smaller-size organizations.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.

Page 14: INFORMATION APRIL 2016 VOL. 18 | NO. 3 SECURITYdocs.media.bitpipe.com/io_13x/io_130920/item... · LOSS CHALLENGE Access security brokers are quickly emerging as the technology ...

14 INFORMATION SECURITY n APRIL 2016

HOME

EDITOR’S DESK

DLP IN THE CLOUD

READERS’ TOP PICKS: ENTERPRISE

SECURITY

MODERNIZING FEDERAL IT

CHIPS AHOY

THE HYBRID LIFE

U.S. GOVERNMENT THROWS MONEY INTO CYBERSPACEThe Cybersecurity National Action Plan proposes the right things, but what has captured the attention of the Beltway is the $19 billion attached to it.

Adam Rice

MODERNIZING FEDERAL IT

THE WHITE HOUSE published the Cybersecurity National Action Plan, or CNAP, in February to address what the president sees as weakness in cybersecurity preparedness across the country—problems within the federal govern-ment, private sector business, even within citizens’ pri-vate lives.

The cybersecurity plan is a continuation of the Obama administration’s efforts to increase the federal govern-ment’s role in cyber regulation and shore up its cyberde-fenses, as well as companies and organizations that are considered critical infrastructure. The Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” that was signed in February 2013, and the passage of the Cybersecurity Information Sharing Act of 2015 last October, has set the stage for CNAP and increases in cybersecurity spending.

CNAP articulates the right things, as many U.S. gov-ernment cyber-initiatives do, but what has captured the attention of the usual sharks swimming around the Belt-way is the $19 billion budget proposal.

The Obama administration’s National Action

Page 15: INFORMATION APRIL 2016 VOL. 18 | NO. 3 SECURITYdocs.media.bitpipe.com/io_13x/io_130920/item... · LOSS CHALLENGE Access security brokers are quickly emerging as the technology ...

15 INFORMATION SECURITY n APRIL 2016

HOME

EDITOR’S DESK

DLP IN THE CLOUD

READERS’ TOP PICKS: ENTERPRISE

SECURITY

MODERNIZING FEDERAL IT

CHIPS AHOY

THE HYBRID LIFE

MODERNIZING FEDERAL IT

Plan is laid out in a few categories:

■n Establish a Commission on Enhancing National Cybersecurity (an executive order was issued that same day) to be comprised of “top strategic, business, and technical thinkers from outside of government—in-cluding members to be designated by the bi-partisan congressional leadership.” Translation: Not the best, but the most connected get a seat.

■n Spend $3.1 billion to modernize the federal govern-ment’s IT and make it secure.

■n Hire a Federal CISO to drive changes across the federal government. Time will tell if the position has any real authority. If the Executive Office of the Presi-dent follows the standard U.S. government hiring pro-cess, they will get what they pay for in the $123,175 to $185,100 position.

■n Empower Americans. This is to promote the use of two-factor authentication with a new National Cyber-security Awareness Campaign and to push the federal government toward not using Social Security numbers to identify citizen accounts.

■n Increase cybersecurity spending to $19 billion in the president’s fiscal year 2017.

MORE THAN MONEYSo what does this all mean? The details that are in the language of the plan, which is not a law nor is the money approved by Congress, are really just getting the basics taken care of, and at what a cost! In the larger picture, the federal government cut its own IT budget by $2.4 billion, by asking for $79 billion in FY 2017, down from $81 billion spent in FY 2015. (The $19 billion increases the percentage of the IT budget allotted to cybersecurity spending in FY 2017.)

Although $19 billion for cybersecurity is a shipload of money, it does not solve anything when the money is not well spent. Cybersecurity is a complex and specialized field within information technologies. The current state of affairs within the cybersecurity practice across the federal government can at best be described as uneven. The events leading up to the Office of Personnel Management (OPM) breach, in which millions of files on government employees and the database that contained the personally identifiable information (PII) from security clearances was lost to China, highlights some of the deep organizational dysfunction that parts of the government operate under.

President Barack Obama tours the National Cybersecurity and Communications Integration Center in Arlington, Virginia, in January 2015.

So the question is, can more cybersecurity spending get us there from here? Spending monies is the government’s answer to most problems because it is a shorter-term fix than the much harder goal of steering the 2.79 million government employees, and the supporting services the government manages, toward a more secure IT environment. The government is, well, the government; it comes with all the overhead it has built up over the years. Cybersecurity is complicated, and in most places the government does not do “complicated” very well.

The federal government has a decentralized IT organization—IT budgets and personnel are generally sorted out by departments and agencies. The department secretaries work with the president and the White House to drive the president’s agenda, but they generally run the day-to-day administration of a department’s offices and programs. While personnel matters, outside of the Department of Defense (DoD), are left to OPM, departments hire and manage their own IT organizations, including technology selection.

Many federal departments are comparable to Fortune 500 companies in terms of size and scale. They have thousands of employees and millions in their IT budgets. The DoD is bigger than almost any U.S. corporation, for example, so the scale of some of the IT organizations is enormous.

Federal departments also run their own cybersecurity teams. The FBI and Department of Homeland Security (DHS) provide some support to other departments. The DHS has been pushing hard to become the managed security service provider to the entire federal government—minus the DoD—and to do so by rule, not by exception, as illustrated by their power play in 2014 during the “Heartbleed” OpenSSL vulnerability.

The government is big on rules, rules and more rules. It has spent millions on writing down, in painful detail, exactly what needs to be done—and what cannot be done. The Federal Information Security Management Act (FISMA) created an environment that’s all about compliance with the administration of systems, not securing them. But you can be FISMA compliant and still have a network the bad guys can infiltrate. To develop a cybersecurity plan by computer and manage the administrative burden does almost nothing to prevent an advanced persistent threat actor from running roughshod over a network, but that approach does create lots of work and budget for busy government contractors and employees.

Cybersecurity National Action Plan

NEAR-TERM GOALS:

■ Commission on Enhancing National Security made up of strategic, business and technical thought leaders outside of government

■ $3.1 billion proposed to modernize federal IT

■ Multifactor authentication for Americans’ online accounts

■ $19 billion in cybersecurity spending in FY 2017, a 35% increase over FY 2016

MASSIVE BUDGET, GOVERNMENT PAY

So why is the president’s cybersecurity plan going to make little difference in pushing the security ball forward? The federal government is a grinding bureaucracy run by political appointees and the Senior Executive Schedule (SES) staff who manage various departments. Many departments (not all) have a CISO role—an SES position, which pays less than a cybersecurity engineer in the civilian work place. Getting qualified people from outside the government to navigate the OPM hiring process, and then to be deemed worthy of an SES position is hard. Candidates hire consultants to write the narratives on core competencies that rely on form more than substance. In the end, they get what they pay for: a CISO who would never have the resume in the civilian world to manage cybersecurity in such large, complex organizations.

The security teams within these departments are typically a mix of government service employees and contractors. The sophistication of their cybersecurity practices varies. The CISOs are usually bound to a CIO, another SES position. The hack at the OPM demonstrates the quality of those employees. Outside of resignations, it is almost impossible to fire or change the job of a government employee. The departments will outsource non-core functions like IT or IT security, using contracts that are awarded to the lowest bidder. This creates an environment that is ill equipped to handle an issue like cybersecurity, regardless of the amount of funding. More money will benefit the bureaucracy with more of the same jobs and organizations, but unless there is a fundamental change in the way the business of cybersecurity is conducted in the government, the landscape will remain uneven.

The CNAP is not funded. The monies are in the budget proposal for FY 2016, so this is really just a framework for the White House’s cybersecurity spending plan. The implementation of the cybersecurity plan will fall on the next president. If people with different interests are advising that individual, then who knows—it all might change in a few months anyway.

The president’s cybersecurity plan outlines a few big things that he thinks are needed to advance the cybersecurity issues within the U.S. government and to also help the average citizen understand how to keep their digital devices and activities safe. For the most part, the objectives of CNAP are modest; it’s just that the scale of the plan is huge, and the culture of federal government might not let it work.

ADAM RICE is the CISO of Cubic Corp. An infosec professional with 17 years of experience, he has served as CISO of Alliant Techsystems; CSO of a global telecommunications company; general manager and vice president of a managed security services business; director in several network-consulting companies; and is a retired U.S. Army noncommissioned officer.

CHIPS AHOY

The U.S. Finally Plugs Into a Global Standard

American merchants face potential liability (read: higher costs) for credit card fraud if they failed to migrate their payment systems to EMV chip technology by the October 2015 deadline. One founder of the smartcard standard shares startling numbers.

The number of VISA chip cards grew by 644% in the last year alone. Chip-activated merchant locations more than tripled in the second half of 2015.

CARDS ISSUED IN U.S. (IN MILLIONS), 2015

FEB 47.5
APR 78
JUN 117.1
AUG 141.9
OCT 180.6
DEC 212.7

LOCATIONS IN U.S. (IN THOUSANDS)

FEB 130
APR 181
JUN 247
AUG 301
OCT 529
DEC 766

SOURCES: JAN.- DEC. 2015 CARDS AND MERCHANT LOCATIONS DATA PER OPERATING CERTIFICATES PROVIDED TO VISA BY CLIENT FINANCIAL INSTITUTIONS; DEC. 2015 U.S. CARD DATA PER VISA NET REPORTING AS OF JAN. 27, 2016. TRANSACTION NUMBER AND VOLUME STATISTICS BASED ON VISA NET DATA FOR UNIQUE LOCATIONS WITH CHIP TRANSACTIONS. SURVEY RESEARCH DATA COMMISSIONED BY VISA, “VISA EMV CHIP CARD MONITOR,” FIELDED IN SEPT. 2015

In December 2015, credit payments made with VISA chip cards accounted for 72% of VISA’s total credit volume.

Global chip cards: U.S. is the largest market

According to VISA research, 7 out of 10 Americans have at least one chip card in their wallets, while 93% are aware of the move to chip cards.

Country  Cards Issued (in millions)

U.S. 212.7
Brazil 124.5
U.K. 120.6
Japan 90.0
Mexico 80.0
Russia 54.5
Canada 46.5
France 44.7
Spain 42.7

TRANSACTIONS IN U.S. AND CHIP PAYMENT VOLUME, 2015

MONTH  TRANSACTIONS  CHIP PAYMENT VOLUME
FEB  7.5M  409M
APR  12.6M  740M
JUN  34.6M  2.0B
AUG  54.8M  3.4B
OCT  139.4M  8.8B
DEC  230.7M  15.8B

THE HYBRID LIFE

Cloud Security Automation: Are We Up to the Task?

Orchestration tools and APIs can help enterprises implement threat detection and response functionality in the cloud. But it requires crossing another divide: DevOps and security.

BY DAVE SHACKLEFORD

AUTOMATION HAS sounded like a dirty word to security teams for far too long. We still think of all the things that could go wrong with security automation, reminiscent of the days when network problems were routinely blamed on “the firewall.”

Moving to the cloud is all about gaining service capabilities—rapid delivery, flexibility and scalability—that would take most businesses too long to develop in-house. As enterprises embrace hybrid environments, security functionality will need to become more automated, and embedded into deployment processes, in order to be successfully implemented into cloud operations.

Sadly, even as development and operations align, security teams continue to be left out of the DevOps conversation. We are too often seen as roadblocks to rapid development or operations implementations; the group who “slows down” production systems. Application and service deployment into cloud environments is pushing all facets of IT to move much faster.

READY FOR DEVOPSSEC?

A number of changes within security teams need to take place before most organizations can fully support and facilitate cloud operations. Gartner’s Neil MacDonald anticipated some of these technical and organizational changes early on, in his 2012 blog “DevOps Needs to Become DevOpsSec”:

… information security must change in multiple ways including security infrastructure becoming more adaptive and programmable and making information security representation an integral part of DevOpsSec teams from the genesis of new applications and services.

Whether security teams truly embrace DevOps or not, security needs to be more wholly integrated into cloud-focused development cycles and workload deployments. There are many reasons for this.

Security won’t be able to scale with business operations in the cloud unless it’s tightly coupled to workloads. Imagine a business needs to rapidly increase the number of virtual machine instances running in a cloud environment. Ideally, the VM templates already exist, and the operations teams involved create new instances from those templates. If some form of host-based security isn’t embedded into the templates ahead of time, however, each new VM will start in a less secure state.

Even if a security agent were in place within the templates, any changes to security policy would need to be rolled out to all new instances, which would slow down operations. A flexible agent would fetch its policy when a new instance started, thus ensuring continuous and up-to-date security.

Quarantine of a cloud system in which malicious behavior is detected is another use case for security automation. In a cloud environment, security teams likely have fewer tools and less operational control than they would within the traditional data center. To facilitate network isolation, an automated detection-and-response cycle is initiated. This process is based on indicators of compromise or unusual behavior that isolates the system at the host or virtual/cloud orchestration level, moving it to a virtual switch or network segment dedicated to quarantined systems only. Disk and memory forensic acquisition could also be automated, with the images copied to a forensic node in the cloud environment, where encryption is then applied to protect them.

Network and vulnerability scans could be automated, too, continually sweeping cloud environments to determine the inventory of systems and services as well as their overall risk posture. To scale security functions effectively without becoming a roadblock, security teams in the future will need to think like this more and more.

HELP WITH THE SCRIPT

Cloud security automation has its challenges. Security teams need to familiarize themselves with orchestration tools and even APIs available to help implement prevention, detection and response tactics in the cloud. Common frameworks like Chef, Puppet and SaltStack can all help security teams to configure and monitor systems and application services with scripted approaches. Many cloud providers are adding extensible security features and controls, such as Amazon Web Services’ Config and Microsoft’s Azure Security Center, which support policy implementation and assessment. Programmable security products from Dome9, CloudPassage, HyTrust, and startups like Palerra are changing the information security market, along with API-driven policy implementation from cloud access security brokers and other security-as-a-service offerings.

None of this comes without risk. Things can go wrong, and they likely will, in some cases. Scripts will fail, legitimate traffic will get blocked, cloud instances might be quarantined without cause, and security automation and orchestration tools may come under attack or be misused. These risks we have to take, because the alternative is nothing short of obsolescence. Security teams need to work with development and operations side by side, every step of the way, and that means moving at their pace.

That speed is faster than most security professionals are comfortable with, but we’ll need to get out of our comfort zone sooner rather than later to keep pace with the next wave of agile cloud computing. Security automation is the way to get there, and we need to embrace it rather than fear it.

DAVE SHACKLEFORD is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
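The automated detection-and-response cycle the article describes (an indicator or behaviour match, isolation at the orchestration level into a dedicated quarantine segment, then forensic acquisition of memory and disk), as an added example that is not the author's code nor any vendor's tool. The in-memory inventory, segment name, threshold and indicators are constructed stand-ins for a cloud orchestration API; it also shows why the sweep must skip hosts that are already quarantined.

```python
import hashlib
from dataclasses import dataclass

QUARANTINE_SEGMENT = "quarantine-vnet"  # constructed: segment reserved for isolated hosts
CONN_RATE_THRESHOLD = 500               # constructed: outbound connections/min treated as unusual

# Constructed indicators of compromise for the example (not real IoCs).
KNOWN_BAD_HASHES = {"a" * 64}
KNOWN_BAD_DOMAINS = {"c2.example.invalid"}


@dataclass
class Host:
    """One cloud instance as the orchestration layer would expose it."""
    name: str
    segment: str
    file_hashes: set
    dns_queries: set
    conn_rate: int
    disk: bytes = b""
    memory: bytes = b""


def matched_indicators(host):
    """Return the reasons this host looks compromised (empty list means clean)."""
    reasons = []
    if host.file_hashes & KNOWN_BAD_HASHES:
        reasons.append("known-bad file hash present")
    if host.dns_queries & KNOWN_BAD_DOMAINS:
        reasons.append("query for known C2 domain")
    if host.conn_rate > CONN_RATE_THRESHOLD:
        reasons.append(f"outbound rate {host.conn_rate}/min exceeds threshold")
    return reasons


def respond(host, forensic_node):
    """Run one detection-and-response cycle for a host and return an action record."""
    reasons = matched_indicators(host)
    # Skip hosts already isolated so repeated sweeps never re-image the same host.
    if not reasons or host.segment == QUARANTINE_SEGMENT:
        return {"host": host.name, "action": "none", "reasons": reasons}
    previous = host.segment
    host.segment = QUARANTINE_SEGMENT  # isolate at the orchestration level before anything else
    # Acquire memory before disk: volatile evidence is lost if the host is stopped later.
    for kind, data in (("memory", host.memory), ("disk", host.disk)):
        # The forensic node is assumed to encrypt images at rest; only a digest is recorded here.
        forensic_node[f"{host.name}/{kind}"] = {"sha256": hashlib.sha256(data).hexdigest(),
                                                "size": len(data)}
    return {"host": host.name, "action": "quarantined", "from": previous, "reasons": reasons}


def sweep(hosts, forensic_node):
    """Apply the cycle to a whole inventory, as a continual scan would."""
    return [respond(h, forensic_node) for h in hosts]


if __name__ == "__main__":
    node = {}
    inventory = [  # constructed inventory: one clean host, one matching all three indicators
        Host("web-01", "prod-vnet", {"b" * 64}, {"cdn.example.invalid"}, 40, b"disk1", b"mem1"),
        Host("web-02", "prod-vnet", {"a" * 64}, {"c2.example.invalid"}, 900, b"disk2", b"mem2"),
    ]
    for record in sweep(inventory, node):
        print(record)
```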

TechTarget Security Media Group

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

EDITORIAL DIRECTOR Robert Richardson

FEATURES EDITOR Kathleen Richards

EXECUTIVE MANAGING EDITOR Kara Gattine

MANAGING EDITOR Brenda L. Horrigan

SITE EDITOR Robert Wright

SITE EDITOR Peter Loshin

DIRECTOR OF ONLINE DESIGN Linda Koury

COLUMNISTS Marcus Ranum, Dave Shackleford

CONTRIBUTING EDITORS Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser

EDITORIAL BOARD

Phil Agcaoili, Cox Communications
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, MK Hamilton and Associates
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines
MacDonnell Ulsch, PwC U.S.

VICE PRESIDENT/GROUP PUBLISHER Doug [email protected]

Stay connected! Follow @SearchSecurity today.

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE AND PAGE 4: ISTOCK