February 2016 | Vol. 18 | No. 1

CLOUD POLICY BRINGS RISK OUT OF THE SHADOWS

DECONSTRUCTING THE EMERGENCY INCIDENT RESPONSE PROCESS

RICHARDSON: IP FAILS TO ADDRESS THE INTERNET OF THINGS

NEW DEFENSES, HYBRID CLOUDS AND ‘CONNECTIONS OTHERS MISS’

THE SHORT LIST: • CLOUD SECURITY • DATA PROTECTION

INFORMATION SECURITY

UNDER ATTACK? 2016 DEFENSES ESCAPE COMPROMISE

Cyberthreats are learning fast from defenses that detect them. New strategies focus on what happens next.

READERS’ TOP FIVE

Information Security | February 2016

HOME

EDITOR’S DESK

PERSISTENT DAMAGE CONTROL

CLOUD SECURITY

THE HYBRID LIFE

IN THE IR

DATA LOSS PREVENTION

RICHARDSON: IoT UNPLUGGED

editor’s desk

New Defenses, Hybrid Clouds and ‘Connections Others Miss’
We often talk about shifts in information security, but this year marks a few major turning points. BY KATHLEEN RICHARDS

Some people are well-known for finding connections that others miss: Steven Levitt and Stephen Dubner applied economic principles to everyday life, kicking off the data analytics craze more than a decade ago with Freakonomics. Author Malcolm Gladwell, best known for his series of books and New Yorker articles, has mined history, science and psychology to look at underdogs and outliers. Remember the 10,000 hours rule?

As 2016 gets underway, many security professionals will have the opportunity to look at advanced threats and indicators of compromise through a different lens. On-premises and off, vendors will continue to beat the drum of interconnected technologies that offer holistic approaches. Threat defense tools with enhanced algorithms and machine learning—user behavior analytics, for example—promise different ways of looking at the same problems.

Even with new levels of granularity, security analysis that connects the dots in a timely fashion (or at all) remains a major challenge for threat defense. In our February cover story, award-winning technology journalist Rob Lemos reports on attack techniques that continue to evade threat defenses. Attackers are becoming more skilled at not only avoiding detection by vulnerability scanners, but also hiding from the automated analysis techniques that security firms rely on to detect malicious programs. They are also learning from companies’ threat defenses, Lemos writes. The DarkHotel group fingerprints any system on which its program runs to detect an analysis environment, and then encrypts that data and stores it.

What steps can enterprises take to bolster their threat defenses in light of these advanced threat techniques? Our analysis helps you lay the groundwork for 2016.

Many security professionals will also have to come up with new ways to do their jobs in the cloud in the coming year. “Whether you like it or not, this is the new normal,” says Dave Shackleford, principal consultant at Voodoo Security. “Security teams need to make risk-based decisions with incomplete information, and that means placing some degree of trust in the cloud provider.” He looks at key issues like cloud security policy and ways to successfully bridge on-premises and cloud in his new column, “The Hybrid Life.”

What project initiatives are readers involved in this year? We look at survey respondents who indicated plans to invest in cloud security and data loss prevention (DLP) technologies in the next 12 months. Data protection is the common thread in both categories. Not surprisingly, technology integration scored high among the readers polled; 70% said they are more likely to deploy DLP products if they are offered as a suite of interconnected tools.

The Internet of Things (IoT) will also require security professionals to rethink plain old Internet security, says Robert Richardson, editorial director of TechTarget’s security media group. “Killer cars and new flanks for attack may be valid security issues, but they don’t do justice to three big problems that the IoT brings to the security arena,” he says. To find out more, check out his column and IoTAgenda.com, which launched in late December.

The holidays have come and gone and so far ... crickets. Has the mandatory rollout of EMV chip payments at US retailers improved security? (Maybe not; I encountered several brick and mortars that were not using their card machines.) With or without EMV, fundamental shifts are reshaping information security. Yet best practices such as patching known vulnerabilities are still lacking at many organizations. These lapses are often based on lack of prioritization or staffing shortages.

In his book, David and Goliath: Underdogs, Misfits and the Art of Battling Giants, Gladwell tells companies and people seeking success to “use what you’ve got.” That advice holds true for threat defense.

Kathleen Richards is the Information Security magazine features editor. Follow her on Twitter: @RichardsKath.


cover story: Persistent damage control

NEW DEFENSES IN 2016 AVOID BIGGER COMPROMISE
Worried that attackers may know your infrastructure better than you do? Adversaries are learning fast from defenses that detect them. New strategies focus on what happens next.
By Robert Lemos

Arden Peterkin has little faith that antivirus software can be effective against today’s cyberthreats.

In the past, the security architect deployed antivirus software on 80,000 endpoints in a large Georgia school district’s network to prevent a security attack. While the software reported “all clear,” a quick look at the device logs for the network confirmed infected systems were still communicating with known command-and-control sites.

“The actual management console was showing that everything was great, but when we looked at the logs, they showed that the network was totally infected,” says Peterkin, a security contractor with Reamer & Associates.

Today, Peterkin still uses antivirus technology as a first measure to weed out obvious cyberthreats but focuses on other technologies to stop increasingly sophisticated threats targeting his users. Protecting roughly 25,000 teachers and more than 175,000 students requires proactive management of vulnerabilities, constant monitoring of network events and a focus on guarding any critical data. Peterkin and the other members of the security team use three different agents on most endpoints, manage the network’s defenses with a security information and event monitoring (SIEM) system, and liberally encrypt important data.

Yet he is always looking for better ways to catch increasingly advanced security attacks, and he is not alone. As the security community enters 2016, the arms race between attackers and defenders continues. While few companies plan on doing away with endpoint protection in 2016, security professionals stress that other approaches are necessary.

Better hiding places
That’s because adversaries are becoming more skilled at not only avoiding detection by antivirus scanners, but hiding from the automated analysis techniques that security firms rely on to detect malicious programs. The Dyre family of malware, for example, detects the number of processing cores on which its target’s operating system runs to identify whether the malware is being watched by security analysts. (Analysis systems typically run on virtual machines with their operating systems assigned to a single core for performance reasons.)

In a recent version of its software, the DarkHotel group of cyber spies fingerprinted any system on which the program runs to detect an analysis environment and went a step further by encrypting the data in memory.

“Unfortunately, threats will continue to evolve,” says Ehud Shamir, chief security officer of endpoint security provider SentinelOne. “Criminals will become much more sophisticated, and nations [intent on espionage] have huge budgets, which will fuel continuous innovation, almost without limit.”

Defenders will have difficulty combating increasingly sophisticated security attacks without the right tools. Security experts and professionals are looking at a handful of other technologies to better secure the network.

“There are many fronts you have to focus on and, unfortunately, we have to excel on every front. But the attacker only has to be successful—or lucky—on a single front,” Peterkin says.

Basic failures
While the landscape of attacks, vulnerabilities and motives is changing, security professionals stress that most companies should not worry about the more advanced attacks until they can deal with the basics. NSS Labs, which monitors security attacks against test networks, estimates that 98% of attacks are criminal or vandalism, and not the advanced espionage that garners the largest headlines.
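The console-versus-logs check that Peterkin describes at the top of this story (an antivirus console reporting every endpoint clean while device logs showed hosts still beaconing to known command-and-control sites) is the kind of cross-check a SIEM rule would automate. The script below is an added example; it is not code from the article or from any of the companies quoted. The indicator list, the console export and the log lines are all constructed (documentation-only address ranges and the reserved `.invalid` TLD), and the `host=`, `dst=` and `url=` field names are an assumed log format.

```python
"""Cross-check an endpoint security console's "all clear" against egress logs.

Added example: the article describes an antivirus console reporting every
endpoint clean while device logs showed hosts still talking to known
command-and-control (C2) sites. All data below is constructed, and the
log field names (host=, dst=, url=) are an assumed format.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed indicator list. Documentation-only ranges and the reserved
# .invalid TLD are used so nothing here points at real infrastructure.
KNOWN_C2_DOMAINS = {"c2.example.invalid", "update-check.example.invalid"}
KNOWN_C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3

# Constructed console export: what the antivirus console says about each host.
CONSOLE_STATUS = {
    "ws-0412": "clean",
    "ws-0913": "clean",
    "ws-1207": "clean",
    "srv-db01": "clean",
}

# Constructed firewall/proxy lines in an assumed key=value syslog format.
LOG_LINES = """\
2016-02-01T08:12:03Z fw01 allow src=10.20.4.12 host=ws-0412 dst=203.0.113.45:443 proto=tcp
2016-02-01T08:12:09Z proxy01 GET host=ws-0913 url=http://update-check.example.invalid/ping status=200
2016-02-01T08:13:44Z fw01 allow src=10.20.7.7 host=ws-1207 dst=198.51.100.20:443 proto=tcp
2016-02-01T08:15:01Z proxy01 GET host=ws-0412 url=http://c2.example.invalid/beacon status=200
2016-02-01T08:15:30Z fw01 allow src=10.20.9.3 host=srv-db01 dst=203.0.113.9:8080 proto=tcp
2016-02-01T08:16:02Z proxy01 GET host=ws-1207 url=https://intranet.example.invalid/ status=200
"""

HOST_RE = re.compile(r"\bhost=(\S+)")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):\d+")
URL_RE = re.compile(r"\burl=[a-z]+://([^/\s:]+)", re.IGNORECASE)


def matches_c2(line: str) -> Optional[str]:
    """Return the indicator a log line matches (IP or domain), or None."""
    m = DST_RE.search(line)
    if m:
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in KNOWN_C2_NETWORKS):
            return str(ip)
    m = URL_RE.search(line)
    if m and m.group(1).lower() in KNOWN_C2_DOMAINS:
        return m.group(1).lower()
    return None


def find_c2_contacts(lines: str) -> Dict[str, List[str]]:
    """Map each host to the sorted list of C2 indicators it contacted."""
    hits = defaultdict(set)
    for line in lines.splitlines():
        indicator = matches_c2(line)
        host = HOST_RE.search(line)
        if indicator and host:
            hits[host.group(1)].add(indicator)
    return {h: sorted(v) for h, v in hits.items()}


def console_disagreements(console: Dict[str, str], lines: str) -> Dict[str, List[str]]:
    """Hosts whose traffic shows C2 contact but which the console does not flag as infected.

    A host missing from the console export is returned too: an unmanaged or
    unreporting endpoint beaconing to C2 is exactly what the console would hide.
    """
    return {h: c for h, c in find_c2_contacts(lines).items()
            if console.get(h, "not reporting") != "infected"}


if __name__ == "__main__":
    for host, indicators in sorted(console_disagreements(CONSOLE_STATUS, LOG_LINES).items()):
        print(f"{host}: console={CONSOLE_STATUS.get(host, 'not reporting')}, "
              f"logs show contact with {', '.join(indicators)}")
```

The point of the design is that the network evidence, not the agent's self-report, is the source of truth: the rule fires on any host with a C2 match that the console does not already call infected, including hosts the console has never heard of.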

6 iNformatioN security n february 2016

HOmE

EDITOR’S DESK

PERSISTENT DAmAGE CONTROL

CLOUD SECURITY

THE HYBRID LIFE

IN THE IR

DATA LOSS PREvENTION

RICHARDSON: IoT UNPLUGGED

In its annual Data Breach Investigations Report, Verizon found that seven out of every eight breaches boiled down to one of three basic attacks: physical theft, errors in hosting or delivering data, or compromised credentials and privilege misuse. In fact, almost half of breaches could be stopped if companies implemented two-factor authentication and vulnerability management, according to Jonathan Nguyen-Duy, chief technical officer for Verizon’s security group.

“These are basic things that companies are still failing to do,” he says. “We are still not patching vulnerabilities that we have known about for weeks, months or years. Even when we have perfect information, we are still not using it because we are overwhelmed.”

More technology is not necessarily the answer. Often a new security system results in a massive influx of data, much of it false alarms. Companies should focus on getting out from underneath all the data produced by information technology and alerts created by ostensibly “helpful” security technologies, says Phil Burdette, senior security researcher for the Counter Threat Unit at Dell SecureWorks.

“I think organizations need to prioritize what they are trying to defend against,” he says. “There are lots of threats out there in the world. It is not reasonable that all organizations can check themselves against everyone.”

However, by looking at specific cyberthreat areas, companies will find that newer technologies offer some interesting possibilities.

Getting in the network
Attackers are finding new ways to infect the first system and gain access. Five years ago, attackers would take days to create scans for known vulnerabilities, usually targeting a vulnerable service on an operating system or popular application. Now, however, attackers are taking hours—or less—and often targeting less well-known software.

Within a day of the public disclosure of two backdoors in Juniper Networks’ firewalls in late December, for example, attackers and security researchers were already scanning for appliances with the vulnerability and found thousands—possibly as many as 26,000—of systems with one of the two backdoors.

Vulnerable software is often not even required, because companies frequently make mistakes configuring critical applications. Internet scanning service Shodan found 35,000 open instances of the database MongoDB in October, exposing more than 680 terabytes of data.

Much of the vulnerability scanning is routed through anonymizing proxies or networks. When IBM researchers looked at the traffic coming to clients’ Web sites from the TOR anonymizing network, much of the traffic consisted of vulnerability scans, says John Kuhn, senior security threat researcher with IBM Managed Security Services. IBM’s data shows the most common activities in traffic coming out of TOR and directed at business websites are vulnerability scanning and attempts at attacking the databases behind the websites, a technique known as SQL injection.

“A lot of the vulnerability scanning we see coming from the [TOR] network is against Web infrastructure,” Kuhn says. “They have always done that in the past, but they are trying to ramp that effort up.”

SIEM systems are key for keeping abreast of the vulnerabilities in a network and prioritizing the updates of vulnerable software. Focusing on the most serious vulnerabilities is critical, but having another technology—such as a next-generation firewall or Web application firewall—to block other attacks is crucial, according to Neal Hartsell, executive vice president for product management at NSS Labs.

“Even if you conduct penetration tests daily, you cannot approach the problem by saying that you are going to do a good job of closing every door and window,” Hartsell says. “So the question becomes how do you focus on what really matters?”

Keeping up will be difficult, however. NSS Labs currently tracks some 13 active exploit kits that delivered more than 38,000 unique exploits in 2015.

Even if they could close down every vulnerability, security professionals still have to worry about their users. Phishing will continue to be a popular way to get into a network. While running unauthorized applications may become harder, attackers are getting better at convincing users to install malicious software. The top ways that attackers are currently getting into networks are through exploiting vulnerable databases, conning users via spear phishing into downloading malware, and finding ways to run malware directly, according to IBM’s X-Force research team.

“As defenses become better, we will see more social engineering attacks,” says Giovanni Vigna, chief technology officer and co-founder of security firm LastLine. “It is very difficult to prevent them technologically.”

Infections and taking control
Once an attacker exploits a vulnerability—whether technological or a user—their next step is to extend their compromise. Yet that is changing as well: The adversaries are learning from defenses that detect them, looking into the security logs and finding ways to hide their activities.

While the use of malware continues to be the most popular way to jump from system to system, a subset of sophisticated attackers are instead co-opting administrators’ identities and then using standard administration tools to further their compromise and escape advanced defenses, such as application-whitelisting technologies. In 2010, attackers most often resorted to keylogging—about 40% of all information security attacks used keyloggers, according to Verizon’s 2015 Data Breach Investigations Report. Now more than half of security attacks focus on gathering credentials, the report found.

Managed security firm Dell SecureWorks, for example, has seen the remote desktop protocol (RDP), Windows Management Instrumentation, PowerShell and automation features, such as scheduled tasks and BITSAdmin, used to extend attackers’ control throughout a compromised network.

“The challenge is that they are using the native tools in the environment that they are attacking,” Dell SecureWorks’ Burdette says. “Often, the attackers end up knowing the network better than their victims.”

The simplest way to prevent many of these security attacks is to use a second, or even third, factor for remote access to any important accounts. Doing so can mitigate the risk of a user entering their password into a fake site or installing a malicious application. In addition, tools for tracking privileged users and detecting anomalous user behavior can alert security teams when a user is attempting to access parts of the network or databases that they are not allowed to log into. Such an approach also defends against insider threats.

Security companies are also aiming lower in the operating-system stack, essentially running their software in a position where they can observe all activity on the device. Whether this is done through instrumentation or virtualization, the technique can create better endpoint protection software that does not attempt to recognize a signature but an objective, says SentinelOne’s Shamir. Adversaries could use packers or encryption to change the digital pattern of a keylogger, but the software still needs to tap into the keyboard driver, he says.

“Because we are that low in the kernel, we don’t care if you are encrypting your data or using a metamorphic approach, because at some point you have to execute your payload,” Shamir says. “So we don’t need to see the sample beforehand, unlike antivirus software.”

Stopping the data from getting out
Attackers are also focusing on improving their ability to sneak data out of the target network. Called exfiltration, the act is the way an attacker gets paid for all their effort—copying intellectual property, diplomatic cables, credit-card numbers or usernames and passwords. Because creating a secure environment is so difficult in a dynamic business environment, companies often need to put a greater focus on responding to breaches and blocking attackers from achieving their aims, says Verizon’s Nguyen-Duy.

“The thinking in the industry now is that, if you are a large company, you are already breached,” he says. “We have stopped thinking about attacks in terms of preventing them; it is really now about trying to stop the exfiltration of the data itself.”

Reamer & Associates’ Peterkin agrees, and argues that any information-security program needs to have two prongs: an effort to protect the devices and computers employees use, and protection around the data.

“As much as possible focus on the endpoints, but with the understanding that they will always be compromised—someone will always click on a link or there will be a vulnerability that does not get patched,” he says. “At the same time, you need to prevent the breach, so make sure that your data repositories are actively monitored.”

Preventing attackers from achieving their aims is perhaps where the greatest changes will come in the next few years.

Companies are finding more efficient and effective ways to identify important data and encrypt it. Some endpoint technologies, such as the distributed data platform from startup Ionic Security, promise the ability to pervasively encrypt nearly all data and set granular access controls so that only the right people have access to the information. In addition, such techniques could allow companies to retroactively prevent access to stolen data, if they know they have been breached.

Pervasive encryption combined with continuous monitoring of data stores could prevent even successful attackers from turning a compromise into an actual breach, says IBM’s Kuhn.

“Once you have the database, you have the data,” he says. “If you can make that data worthless, then you can defeat the attacker, but we have to pick these things up much earlier in the chain, so they do not become much more serious down the road.”

In the end, the fundamental change is not a particular technology but the mindset. Rather than focus on a specific technology that could solve security—the proverbial “silver bullet”—companies are looking at security attacks as a business risk that needs to be mitigated, says Verizon’s Nguyen-Duy.

“In many ways, we have gone from prevention and detection to risk mitigation,” he says. “When you talk to CISOs across the world, what they are being asked is to talk about the risk posture.”

Robert Lemos is an award-winning technology journalist who has reported on computer security and cybercrime for 18 years. He currently writes for several publications focused on information security issues.


the short list: cloud security

READERS’ TOP PICKS FOR CLOUD SECURITY PRODUCTS
The top companies and cloud security products organizations consider when they seek to reduce their cloud vulnerabilities.
By Peter Loshin

As public, private, and hybrid cloud deployments gain traction, demand for cloud security products keeps growing, too, and cloud security vendors aim to keep up. IT and business professionals who participated in our 2015 North American survey reported significant movement to the cloud, with an attendant demand for cloud security products that deliver much the same security as companies use on-premises.

An overwhelming majority of the readers surveyed—79% of 1,854—plan to invest in upgraded or new cloud security products in order to secure their current or planned cloud environments in the next 12 months. All but 3% of respondents’ organizations have virtualized at least some part of their computing environment (44% have virtualized at least half, and 72% more than a quarter of their infrastructure).

Cloud security technologies in demand
It should come as no surprise, then, that readers are seeking vendors who can provide a full spectrum of security services over the cloud. When we asked survey respondents which types of cloud security products they were considering, 64% said “data protection,” a broad category, which includes encryption, data loss protection, data activity monitoring, backup/recovery and more. Almost as many readers—57%—chose “network security,” another large product area, which encompasses antivirus, firewall, intrusion detection and intrusion prevention systems, VPN and more. (See: What’s Ahead in the Clouds.)

What’s Ahead in the Clouds
Which technologies do you plan to evaluate to provide security for cloud-based initiatives?

  64%  Data protection (Encryption, DLP, DAM, backup/recovery)
  57%  Network security (AV, firewall, IDS/IPS, VPN)
  50%  Identity and access management
  46%  Vulnerability management (Pen testing, patching, configurations)
  42%  Security event management (Log management, SIEM)
  42%  Security management/compliance (Audit, GRC, BC/DR, user awareness)
  19%  Tokenization

Source: TechTarget, 2015; based off responses from 1,554 IT and business professionals. Respondents could choose all that apply.

Too many point security tools, however, increase both complexity and operational cost. “Selecting security products for the cloud could exacerbate that issue,” says Doug Cahill, senior analyst at Enterprise Strategy Group, who advises companies to seek technologies that operate in a hybrid environment and support cloud-native conventions.

“Support for hybrid, or multi-cloud, environments allows for consistency of policy to be applied across disparate infrastructures to unify an organization’s security posture from on-premises to the cloud,” he adds.

That includes being able to manage firewall rules, integrity monitoring and vulnerability scanning from a single management console that controls both on-premises and cloud-resident servers.

“Because of the lack of access to the egress point—and, thus, inability to deploy network security controls to protect cloud-resident workloads—security professionals will also want to evaluate workload-centric security solutions, which are truly cloud-aware,” says Cahill. These products support cloud computing conventions like ephemeral instances in an auto-scaling group, server tags and integration into DevOps automation platforms such as Chef Software and Puppet.

As for what it means to have a “cloud firewall,” Cahill offered three different variations: a cloud security services model, a host-based model and an app-aware firewall outsourced from a software-as-a-service (SaaS) provider. “Some organizations are deploying the control plane in the cloud, including those for firewalls, to gain operational efficiency from eliminating the need to deploy and manage such management servers on-premises.”

Data protection in the cloud
Symantec was the clear winner among readers both for cloud data protection (39%) and for identity and access management (33%). The software vendor builds on its broad base of security and storage products to extend coverage into the cloud (See Readers’ Top Five: Cloud Data Security). The company sold its Veritas information management business to The Carlyle Investment Group in 2015 in order to focus on information security.

READERS’ TOP FIVE: Cloud Data Security
Which cloud “data protection” vendors are you considering?

  39%  Symantec Corp.
  29%  IBM
  25%  RSA/EMC Corp.
  22%  CA Technologies Inc.
  20%  Trend Micro Inc.

Source: TechTarget, 2015; based off responses from 978 IT and business professionals. Respondents could choose all that apply.

While major players such as IBM, RSA/EMC (acquired by Dell in 2015, pending regulatory approval), CA Technologies and Trend Micro made the shortlist, SolarWinds, PGP (acquired by Symantec) and CipherCloud are also in the mix at many enterprises.

Symantec’s Data Center Security offers intrusion protection through agentless network-based threat detection and a unified management console.

The Data Center Security product can support multi-cloud environments, according to Cahill, “with its ability to protect disparate infrastructures comprised of on-premises and cloud-resident workloads from intrusion and compromise.” He says it does this “by applying security controls such as integrity monitoring, tamper protection for server hardening across [environments] and more, from a central console enabling a unified security posture.”

Symantec’s Data Loss Prevention engine also integrates with products that cloud access security brokers (CASBs) like Skyhigh Networks offer, according to Cahill, which allows them to delegate “more resource intensive content inspection tasks for both monitoring and application of policy.”

Encryption management in the cloud is a growing issue for many organizations. Security professionals need to decide whether “the control they gain from having custody and, thus, managing their encryption keys versus allowing their CSP to do so, is worth the incremental operational cost,” says Cahill. An alternative is to take a hybrid approach and retain control over keys for the enterprise’s most sensitive data assets. Companies that need to protect certain data elements in their SaaS applications should consider encryption technologies with native app integration.

Network security in the cloud
For cloud network security, 50% of readers surveyed chose Cisco. (See Readers’ Top Five: Cloud Network Security.) The networking company offers a broad range of cloud security products, including Cisco Cloud Web Security, cloud-based services that monitor Web usage, including network and file behaviors, using threat information from the company’s global network. “By being cloud delivered, Cisco’s Web proxy protects an increasingly mobile workforce’s access to and use of email, the Web and a plethora of other cloud services,” Cahill says.

READERS’ TOP FIVE: Cloud Network Security
Which cloud “network security” vendors are you considering?

  50%  Cisco
  27%  McAfee (Intel Security Group)
  24%  Check Point Software Technologies Ltd.
  23%  Juniper Networks Inc.
  22%  Barracuda Networks Inc.

Source: TechTarget, 2015; based off responses from 880 IT and business professionals. Respondents could choose all that apply.

Since most readers’ organizations (77%) have to adhere to regulations or policies that make it imperative to know the physical location of sensitive data stored in the cloud, choosing Cisco for cloud network security may also have something to do with the company’s efforts to comply with data security and protection standards across physical, logical and virtualized environments through Cisco’s Intercloud Services. Cisco’s cloud security offering adheres to “European data privacy principles, consent of individual data owners, and performance of contracts, including the EU Model Clauses,” according to the networking company.

While Cisco got the most votes, enterprises are also considering cloud network security products from McAfee (Intel Security Group), Check Point Software Technologies, Juniper Networks and Barracuda Networks on their shortlists. Palo Alto Networks, Dell SonicWALL, Fortinet and HP were not far behind, followed by Rackspace and CloudPassage.

Peter Loshin is a site editor for SearchSecurity at TechTarget. He was previously a technical editor for software reviews at BYTE Magazine, as well as a TCP/IP network engineer at a research laboratory in Cambridge, Mass. He has written several books, including TCP/IP Clearly Explained and Simple Steps to Data Encryption: A Practical Guide to Secure Computing. Follow him on Twitter: @PeterLoshin.


THE HYBRID LIFE

Cloud Security Policy Brings Risk Management Out of the Shadows
To put it bluntly, cloud is happening—so deal with the data classification and information security decisions upfront. BY DAVE SHACKLEFORD

Business leaders want to use the cloud, period. For years now, security professionals have raged against the machine, looking for possible ways to persuade leadership within their respective organizations that cloud computing is a losing proposition from a security standpoint. However, the cloud offers distinct advantages over what we can often build in-house, business leaders know it, and that means we’ve essentially lost the battle when it comes to cloud policy.

In a September SANS Institute survey focused on cloud architecture and security, 83% of the 485 IT professionals surveyed indicated that they are building hybrid clouds, with 61% citing faster time to deployment as their main driver for cloud implementation and 54% saying they use cloud services because they can’t scale their own systems in-house. These findings align with an earlier report from KPMG that found business executives moving to cloud are focused primarily on business transformation and performance, followed by agility and then cost savings. To put it bluntly, cloud is happening—so deal with it.

Most of the security professionals I know have already come to this realization.

Bridging the Visible Divide

That said, most organizations are not moving all of their data and their workloads to the public cloud. This means that we’ll continue to maintain some internal infrastructure while connecting our environment to a variety of different cloud services over time. The big question: How best to do this, especially since many cloud service


providers (CSPs) are not altogether forthcoming with security information?

Before worrying about CSPs and a lack of transparency, however, first put together a cloud security policy, especially if your organization doesn’t have one. A cloud security policy (or a cloud-specific section of an outsourcing policy at a minimum) defines the types of data that can and cannot move to the cloud, and how to address the risks for each type. Who can make decisions about shifting workloads to the cloud? And from a technical standpoint, who is authorized to migrate or access the data across different applications and environments? This information is critical for cloud risk assessment and risk management decisions later on.

Here are some key questions to ask when you’re putting together a cloud security policy:

• Do you have an executive sponsor? Without backing from a C-level executive or top-level group, it is unlikely that your cloud security policy will have the proper organizational support that it needs to be accepted and enforced.

• Determine who will “sign off” for cloud projects: Is this the CIO? If not, who? Defining the procurement workflow for approval and review is critical; this may not be covered in its entirety in the policy, but it should have some basic elements addressed.

• Does your cloud security policy address the sensitivity and classification levels of specific data types (structured and unstructured data, intellectual property, financial and accounting information, customer and employee records, personally identifiable information)? The standard way to tackle this issue is to reference existing classification policies and data types/levels—that is, assuming your organization has these policies in place; most don’t. The cloud security policy should specify what can and cannot be done—relocation, for example—with particular data types.

• Does your cloud security policy specifically address compliance? If you must comply with various internal policies, government mandates, data security laws and privacy regulations, then mentioning these compliance obligations explicitly in the cloud security policy will improve your alignment with the other controls in place.

Once you have a sound policy defined, the rest of your approach to cloud security comes down to cloud risk assessment and risk management. When someone in your organization wants to use cloud services, you can check the policy, see what kind of data and assets are involved, and then perform some risk assessment of the cloud providers. Sounds simple, right? Unfortunately, there are lots of reasons why security assessment of cloud providers is challenging.


Unknown Risk Profiles

Cloud providers don’t usually offer many details about security controls and processes—not to you, not to anyone. Why should they? Business just keeps getting better, so they’re not likely to open the kimono anytime soon. You’ll get a variety of audit reports like the SSAE 16 SOC 2 or perhaps an ISO standards review (27001 or 27002 are the most common). Even those reports won’t satisfy your needs entirely, because they’re usually a bit vague and only apply to specific areas of the CSP’s environment.

Whether you like it or not, this is the new normal. Security teams need to make risk-based decisions with incomplete information, and that means placing some degree of trust in the cloud provider. You’re also unlikely to get contract statements, including SLAs, changed with the biggest providers unless your organization is very large and bringing a big book of business to them.

There’s another factor to consider here—most of the larger cloud providers probably have a better grip on security than you do. Does this mean you should trust them completely? Of course not: Security is a challenge for everyone, and we need to do our homework whenever someone has our systems, applications and data in their environment.

Do the diligence, read the contracts, review the audit reports; and ultimately, make sure that you can remain compliant and meet your most critical security needs within the cloud provider’s environment. You’ll find new options available from vendors and security service providers for your hybrid cloud, which means you can still get the job done—but you’ll need to do it differently than before. For the foreseeable future, the name of the game in security when it comes to cloud is adaptability and flexibility … which is why you’re using the cloud in the first place, right?

DAVE SHACKLEFORD is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.


IN THE IR

Managing the Five Phases of Emergency Incident Response
What to expect when you engage a third-party IR provider to contain your crisis. BY JAIKUMAR VIJAYAN

It’s the middle of the holiday season and your servers and network are running at full capacity when you notice a domain controller suddenly acting weirdly. Soon, users start complaining about errors in accessing resources. Someone wants to know why users are getting locked out of their accounts. All sorts of suspicious login activity are going on across the network. Before you know it, there’s a full-blown crisis on your hands that your security team cannot manage on its own.

If you are like many other organizations, this is probably when you bring in an emergency incident response provider to help handle the crisis. Professional IR teams basically provide incident handling services for fees ranging from a few hundred bucks per hour to tens of thousands of dollars, depending on the scope of the breach and the amount of work that needs to be done to remediate it during the incident response process.

Providers of professional IR services can quickly bring the additional resources and the expertise that companies often need to handle a rapidly unfolding threat. But there’s a lot you need to do to get the best out of these


services, and that begins with a clear understanding of how the emergency incident response process works and what to expect when you hire an IR provider to handle an ongoing crisis.

Scoping the Problem

The first thing an IR provider is going to want to know when you call them is as detailed an explanation as possible of what’s going on. Organizations that are in the midst of a multilayer malware attack or network intrusion often do not have a full idea of the origin or scope of the problem. Still, it’s vital to gather as much detail as possible. “Normally, when a customer reaches out to an incident response company the first thing they are going to want to know is what is going on,” says Bob Shaker, director of strategic operations, cyber readiness and response at Symantec.

An IR provider will want information on why you think your organization has been compromised, when you discovered it, how it was discovered and whether it was first spotted by someone internally or reported to the organization by the FBI, law enforcement or some other entity, like a credit card company.

It’s vital in the scoping phase to have individuals from the organization who know exactly what kind of information they can provide the IR provider in the form of log data and other forensic evidence, says Jim Aldridge, security consulting director at FireEye’s Mandiant incident response unit. The IR provider will use the information the client provides to get an idea of the scope of the security incident and to decide what kind of resources, including onsite staff, might be required to address the issue. “When an organization contacts an incident response provider they should have a discussion that conveys the scope of the problem, as they know it, to make sure that the consultant understands the situation they are getting into,” Aldridge says. “This is especially important so you don’t get mismatched expectations.”

The Contracting Phase

Once the IR provider has had an opportunity to assess the situation, their next step will be to provide you with some kind of a quote or estimate for what they think it will take to handle the incident. The proposed contract should typically contain a detailed explanation of the services they will provide, including whether the IR provider will actually help remediate the problems or help you identify them so you can fix them yourself.

It’s important in this hiring phase to work out and understand the documentation, access and knowledge that the service provider will need in order to handle the


incident, according to Christopher Pierson, chief security officer and general counsel at Viewpost, an online payment platform. “This is critical to ensuring the right resources are brought to bear,” he says. Companies that have apps and services running in the cloud are sometimes restricted in the kind of forensic parties they can bring in to investigate an incident, so it is important to work through such details ahead of signing the contract.

Also, it’s vital to find out what kind of investigative skills the IR provider has, as well as the technology, tools and threat intelligence it can bring to bear in handling a security incident, adds Sanjeev Sah, director of security and chief security officer at Texas Children’s Hospital.

Generally, it is a great idea to engage an incident response provider on a retainer basis before you actually experience a breach. (See: “Four Tips for Getting the Most Out of Your IR Provider.”) Then you don’t have to waste critical time in working through such details in the contract process or in explaining your organization’s incident response process in the middle of a major crisis.

The last thing you want is to have to find and chase down someone in your organization with the authority to sign off on the contract when an incident is unfolding, says Symantec’s Shaker. “When there is a crisis the person who should sign off on a contract is usually in a war room somewhere and now you have to chase them down.”

Make sure to keep your insurance company, general counsel and other stakeholders informed on what’s going on so everybody is on the same page, he says.

Investigating the Issue

The IR provider will need whatever information you can provide, like system and network logs, network layout diagrams, system images, network traffic behavior and more to piece together what might be going on.

Often there’s a tendency by organizations to panic when things start going wrong, and the gut reaction is to shut systems down to prevent more bad things from happening to them. Awful idea, says Shaker. “The number one important thing is not to power things off. Once you shut things off you have actually erased a considerable amount of evidence, especially the memory resident stuff.”

The investigating team uses the information your organization provides, as well as information it gathers on its own from endpoints and other sources via proprietary interrogation tools, to identify and document file names, file hashes and other threat indicators, according to Kevin Strickland, senior incident response consultant at Dell SecureWorks.


Four Tips for Getting the Most Out of Your IR Provider

Engaging a third-party emergency incident response provider can help organizations quickly contain a developing security incident, but CSOs need to be ready to take advantage of the specialized skills such services bring to the table. Here are four tips on what you need to do to get the most out of your IR provider.

• Have a plan. It’s important to have a security incident response plan, exercise it regularly, and have all your partners selected before you actually need any of it, says Christopher Pierson, CSO and general counsel at Viewpost. The incident response process should already have the internal team in place, populated with representatives from privacy, legal, security, PR, technology and the executive management function.

• Know what to ask. Make sure you know what questions to ask before selecting an IR provider, says Sanjeev Sah, director of security and CSO at Texas Children’s Hospital. Before signing up with FireEye’s Mandiant incident response service, Sah verified their track record, and made sure the service provider had the technology and the threat intelligence capabilities needed to handle major incidents in the healthcare industry.

• Be proactive. Don’t wait until you need an IR provider; have at least two potential partners on standby, says Pierson. “It is great to work the high level plan out ahead of time, to work with the selected vendor and share the security incident response plan with them, and even better—to practice a table top exercise with this provider and the teams on the ground so that when something happens the response is well known.”

• Be prepared. Make sure you have the information your IR provider needs in order to respond to a developing situation. You need to be able to readily make available system and network logs, network diagrams and topologies, incident and event management data, network flows, user activity logs and inventory management information.

“If a company does not have accurate and up-to-date network diagrams or data maps, the job of the incident response party is that much harder,” Pierson says. “It is also advantageous to review the incident response plan with an external team, internal partners, and others so that the right tools are present in the environment ahead of time to better facilitate this task.” —J.V.


This is the part where the IR provider usually is able to inform the organization what happened, how the intrusion might have started or how malware was introduced on the network, what tools the threat actors are using and what needs to be done to contain the issue. “We are going to provide this information and tell them here is the action we need to take,” says Strickland. If the recommended options are difficult, there can be some back and forth at this stage, he says.

Containment and Remediation

The team responsible for remediation and containment often works in tandem with the team doing the incident investigation, according to FireEye’s Aldridge. “We have two workstreams: One is an investigative workstream aimed at addressing what systems, what data, what accounts may be compromised; the second is remediation.” As the investigating team learns more facts about the security incident, it feeds the information to the remediation workstream and together with the client works on addressing the identified issues.

It’s vital during the containment and remediation phase not to tip your hand to the attackers. When attackers know they have been spotted, they often tend to take evasive action that may end up driving them deeper into your network and making them even harder to find in the process.

“You want to make sure the attackers don’t know you are on to them,” says Strickland. “It is very important to understand what is happening before you make any drastic changes.”

Forensic Reporting

The reports that the IR provider delivers once the issue has been properly contained, together with any recommendations, are vital to conveying the nature and scope of the breach to all stakeholders.

The incident responder needs to be able to communicate what happened and what they did to contain the situation during the incident response process in a clear, concise and jargon-free manner. Accurate language is vital to ensuring that a situation is not mistakenly downplayed or overhyped. A security compromise, for instance, is different from an actual network breach, and calling one the other can detract from the quality and accuracy of the report.

Finally, the third-party provider should treat your incident as the most important one they need to handle, says Sah. “It helps make sure that a team is available when you need them, on pre-negotiated terms.”

JAIKUMAR VIJAYAN is a freelance writer with over 20 years of experience covering the information technology industry. He is a frequent contributor to Christian Science Monitor Passcode, eWEEK, Dark Reading and several other publications.


THE SHORT LIST: DATA LOSS PREVENTION

On the Audit Trail: Readers’ Top Picks for Data Loss Protection
The DLP products that organizations consider when they seek to address sensitive data and compliance. BY KATHLEEN RICHARDS

The highly publicized data breaches of recent years have focused greater attention on data loss protection and the ramifications of compromised networks. Our 2015 survey of North American readers underscored the demand for data protection technologies and the complexity of the vendor and tools landscape as mobile, cloud and the Internet of Things take hold.

Out of 4,635 readers surveyed last fall, 25% told us they planned to invest in data loss prevention (DLP) products in the next 12 months. While there is greater deployment of encryption technologies (64%) among those surveyed, DLP products (41%) and database security tools (42%) were in a dead heat, followed by mobile and BYOD data protection (28%).

Gartner defines DLP products as a set of tools used to find, identify and classify data using content inspection and contextual analysis. Whether the data is at rest, in use or in motion, these tools enable organizations to apply one or more policies for regulatory compliance (PCI, HIPAA, PII, state or national law), endpoint protection on fixed and mobile devices, and intellectual property


protection. Longstanding DLP products, from data discovery and classification to network and endpoint DLP, are becoming more robust as vendors attempt to keep ahead of fast-moving changes.
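To make the content-inspection-plus-contextual-analysis model described above concrete, here is a small added example in Python; it is not code from the magazine, from Gartner or from any DLP vendor. It scans constructed sample text for candidate payment card numbers (validated with the Luhn checksum so that an arbitrary 16-digit order number is not flagged) and U.S. Social Security number patterns, raises the confidence of a match when supporting keywords such as “card” or “SSN” appear nearby, and then maps each classification and data state (at rest, in use, in motion) to a policy action. The classification names, keyword lists, policy table, function names and sample text are all assumptions constructed for the example.

```python
"""Minimal DLP-style content inspector with contextual analysis and policy
mapping. Added example; all names, patterns and policy values are assumptions
constructed for illustration, not any product's actual rules."""
import re
from dataclasses import dataclass
from typing import List

# Content inspection: cheap pattern matches that only find *candidates*.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN shape (constructed rule)

# Contextual analysis: words near a candidate that make it more credible.
CONTEXT_WORDS = {
    "PCI": ("card", "visa", "mastercard", "cardholder", "payment"),
    "PII": ("ssn", "social security", "taxpayer"),
}

# Policy: action per classification and data state (at rest / in use / in motion).
# Constructed values; a real policy would come from the organization's classification scheme.
POLICY = {
    "PCI": {"at_rest": "encrypt", "in_use": "alert", "in_motion": "block"},
    "PII": {"at_rest": "alert", "in_use": "alert", "in_motion": "block"},
}
SEVERITY = {"allow": 0, "alert": 1, "encrypt": 2, "block": 3}


@dataclass
class Finding:
    classification: str   # "PCI" or "PII"
    value: str            # matched text; a real tool would mask this in reports
    confidence: str       # "high" when context words are found nearby, else "medium"


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; filters out random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _confidence(text: str, start: int, end: int, classification: str) -> str:
    """Look 40 characters either side of the match for supporting context words."""
    window = text[max(0, start - 40):end + 40].lower()
    return "high" if any(w in window for w in CONTEXT_WORDS[classification]) else "medium"


def inspect_content(text: str) -> List[Finding]:
    """Return confirmed findings: regex candidates that survive validation."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group()):   # Luhn failure -> not a card number, discard
            findings.append(Finding("PCI", m.group(), _confidence(text, m.start(), m.end(), "PCI")))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("PII", m.group(), _confidence(text, m.start(), m.end(), "PII")))
    return findings


def decide_action(findings: List[Finding], state: str) -> str:
    """Most severe policy action triggered by any finding for the given data state."""
    action = "allow"
    for f in findings:
        candidate = POLICY[f.classification][state]
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action


# Constructed sample: one Luhn-valid test card number, one Luhn-invalid digit run
# that looks like a card number, and one SSN-shaped value.
SAMPLE_EMAIL = (
    "Hi, please charge the corporate card 4111 1111 1111 1111 for the renewal.\n"
    "Order ref 4111 1111 1111 1112 is a tracking number, not a card.\n"
    "HR note: applicant SSN 123-45-6789 attached."
)

if __name__ == "__main__":
    found = inspect_content(SAMPLE_EMAIL)
    for f in found:
        print(f.classification, f.confidence, f.value)
    print("in_motion ->", decide_action(found, "in_motion"))
    print("at_rest   ->", decide_action(found, "at_rest"))
```

Run over SAMPLE_EMAIL, inspect_content() returns one PCI and one PII finding, both high confidence, while the Luhn-invalid digit run is silently dropped; decide_action() then returns block for data in motion and encrypt for data at rest. The point of the two-stage design is the one the Gartner definition makes: pattern matching alone produces noisy findings, and it is the validation and surrounding context that turn a candidate into something a policy can act on.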

Our survey indicated as much: 70% of respondents said they are more likely to deploy DLP products if they are offered as a suite of interconnected tools, while 30% favored specific point solutions such as an email DLP product. Endpoint monitoring, monitoring traffic on networks and a central console were the highest feature priorities among readers, followed by content discovery, email integration and policy-based management.

Symantec and McAfee (Intel Security Group) eked out the top spot on readers’ short lists—no clear favorite emerged, as the top companies earned only 6% of the votes. They both offer network, storage and endpoint DLP. Microsoft, Varonis Systems, Websense and Trend Micro also got a nod from readers who plan to upgrade or roll out data loss protection.

According to Gartner, by 2017 every enterprise DLP provider will have developed at least one partnership with a cloud access security broker or will have acquired one.

Symantec is on trend. The antimalware company has extended its DLP to email and storage services. Cloud access security brokers such as Zscaler and Netskope have DLP capabilities (Symantec’s former CEO, Enrique Salem, is a Netskope board member). Netskope is also looking at integration with data classification vendors such as Titus, and with on-premises DLP tools, such as those from Symantec, noted Deborah Kish, Gartner principal research analyst, during an October presentation on DLP trends.

READERS’ TOP FIVE: Data Loss Prevention
Which DLP vendors are you considering for your data protection project?

6% Symantec Corp.
6% McAfee/Intel Security Group
5% Microsoft Corp.
5% Varonis Systems Inc.
2% Raytheon/Websense, Trend Micro Inc.

Source: TechTarget, October 2015; based on responses from 1,000 IT and business professionals. Respondents could choose all that apply.


What types of data are organizations most concerned with protecting? Three-quarters (74%) of respondents said personally identifiable information, such as customer credit card numbers and healthcare information, was viewed as “particularly critical” data, alongside corporate financial data (62%) and intellectual property (58%). Less than a third (28%) of those surveyed said they needed to protect data that is stored in a public cloud.

As more companies move toward digital business models, having mechanisms in place for data discovery and data classification is important to lower risk, said Kish. Managed DLP (discovery and classification likely first) will become more widely available as organizations seek to outsource data loss protection.

She may be right. One-third (34%) of the readers surveyed are currently evaluating cloud-based or managed security service providers for their DLP initiatives. Many businesses lack the skill sets and dedicated resources to effectively manage data privacy and risk, especially in complex mobile and cloud security environments.

In addition to cloud support, DLP products in the next five years are likely to offer software-defined networking and virtualization functions, DLP remediation during the DLP cycle and sandboxing for behavioral analysis, among other features.

Some people may not associate Microsoft with DLP, but the company is working to change that perception, with a flurry of activity in recent months. Microsoft is extending its DLP compliance and data protection capabilities—currently found in messaging applications in Microsoft Exchange and Office 365—to OneDrive for Business, SharePoint Online and Office 16. In addition to content analysis and audit reporting across cloud environments, Microsoft is opening up its Office 365 Compliance Center and audit APIs to other ticketing systems, and actively seeking partnerships. Office 365 will also support DLP remediation options, encryption as an action and DLP policy tips natively all the way down to the client.

Other security technologies will continue to reshape the DLP product market, according to Johna Till Johnson, CEO of Nemertes Research. Johnson expects to see more integration between security information event management, DLP monitoring and user behavior analytics, tools that profile and track users rather than systems. The human factor and data security awareness remain a key challenge for security programs.


Corporate Watchdog: Looking for Sensitive Information
Which of the following factors are the top three most important drivers for your data protection project?

69% Meeting compliance/audit requirements
53% Attempting to avoid future data breach
46% Protection of intellectual property
20% Desire to protect intellectual property stored on endpoints
20% Increase in the value of assets being protected
17% Requirements of third-party business partner
16% Concern regarding loss of endpoint due to theft or negligence
16% Reaction to prior data breach
6% New group/division/merger must be brought up to corporate standards
4% Other

Source: TechTarget, October 2015; based on responses from 2,660 IT and business professionals.


As many companies are finding out, DLP in the cloud offers some challenges, however. “The bottom line is that regardless of whether or not your data is hosted by a third party, you’re still responsible as an organization for that data,” says Kish.

When it comes to data discovery and classification, security professionals need to find DLP tools that meet their use cases and then map the organization to a framework. According to the survey respondents, “meeting compliance and audit requirements” (69%) ranked highest on their lists, followed by “attempting to avoid future data breach” (53%) and “protection of intellectual property” (46%). (See: Corporate Watchdog: Looking for Sensitive Information.) “Many organizations buy DLP solutions because they have to or because they have regulatory compliance they need to adhere to,” says Kish.

“A lot end up actually turning it off because it creates more headaches with audits and events that have security teams chasing their tails,” she says. “Instead, treat it as a process, one that the entire leadership team works on during the entire life cycle of data.” And stop throwing boxes at it.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.


IOT UNPLUGGED

IP Fails to Address the Internet of Things
A new ecosystem is needed for smart objects and machine-to-machine communications. But where does that leave security? BY ROBERT RICHARDSON

Internet of Things experts talk about two distinct problems when IoT security issues are brought up. There’s the specter of hackable cars and escalators made murderous by malicious actors who’ve overridden the safety controls. Beyond that, Internet-connected machines and their data will lead to an exponential growth of the attack surface.

The attack surface problem, at least as popularly understood, was summed up in a post by software engineer Ben Dickson, a guest contributor for TechCrunch: “More connected devices mean more attack vectors and more possibilities for hackers to target us; unless we move fast to address this rising security concern, we’ll soon be facing an inevitable disaster.”

Dickson’s conclusion doesn’t, as a point of logic, necessarily follow, however. The huge deployment of tablet computers has not been identified as the root of any major breaches or malware outbreaks so far, in large measure because those devices are arguably far more secure than a typical desktop Windows machine.

The IoT security issues related to cars you’ve seen on the evening news. Stuff that moves will kill you if it moves the wrong way at the right time. I’m not saying that’s not a legitimate worry, though just how big a deal it is will be very hard to say for a while.

Killer cars and new flanks for attack may be valid security issues, but they don’t do justice to three big problems that IoT brings to the security arena.

1. It’s Too Much for IP

You hear a lot of talk about how IPv6 will enable IoT because we’ll need a lot more unique IP addresses than you


a more conventional fashion. Some version of minimal-stack wireless will emerge as a dominant standard, but even with one specification, the IoT devices get less smart while the networks they build grow exponentially more complex. If we can’t really secure the current Internet, the Supernet is going to be that much more resistant to law and order, I’ll bet.

3. WArs Are messY And people Get hUrtRight now, IoT devices connect to smartphones, which connect to servers that crunch data for their respective apps. But the different IoT applications—smartphones, wristbands, lightbulbs, medical devices and so on—don’t yet interconnect. We see the beginnings of API mash-ups. Further interconnection will almost certainly have to wait until the local, non-IP networks know how to aggre-gate data in a coordinated way, which will require com-mon development and deployment ecosystems.

Think of it as the OS wars played out again, but with more moving parts. Or the browser wars. In each case, battles were won by adding features, including function-ality no one knew they needed. Goofy extra features, of course, add vulnerabilities. Expect plenty of both. n

RobeRt RichaRdson is the editorial director of TechTarget’s Security Media Group. He recently launched IoTAgenda.com. Follow him on Twitter: @cryptorobert.

can have in IPv4 (whose block space is already depleted in the American Registry for Internet Numbers). To a de-gree, that’s probably true, but as MeshDynamics founder and CTO Francis daCosta puts it in Rethinking the Inter-net of Things: A Scalable Approach to Connecting Everything, “this mistakes address space for addressability.”

He argues that the billions of IoT devices “cannot be individually managed; they can only be accommo-dated. It will simply not be possible to administer the addressing of this huge population of communicating ma-chines through traditional means such as IPv6.” The way daCosta sees it, a whole lot of self-organizing of local net-works is going to happen. Imagine the possibilities for mis-chief when most of what happens on the world’s networks not only isn’t monitored but quite possibly cannot be.

2. ip is too BiGIt probably doesn’t make sense for tiny sensors in cheap, everyday objects to run a full IP stack either. So there’s some minimal local network protocol out there to be de-veloped or extended. The local networks will then gate-way to chunks of the enterprise or industrial network that will interact with the rest of the IPv6 space only on an as-needed basis. Bluetooth gives us minimalist net-working, but it is only experimentally capable of multi-point networking. Low-power wireless protocols such as Google’s Thread, an IPv6-based specification for smart home devices, are early attempts to address this issue in
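The "accommodated, not managed" point in section 2 has a concrete mechanism behind it. Thread and other 6LoWPAN networks derive a node's IPv6 interface identifier from its link-layer identifier (RFC 4291 Appendix A for EUI-64, RFC 6282 section 3.2.2 for IEEE 802.15.4 16-bit short addresses), so a border gateway can give thousands of constrained nodes routable addresses with no per-device administration step at all. The Python below is an added example written for this page, not code from the article, from daCosta's book or from the Thread specification; the MAC address, the short addresses and the mesh-local prefix fdde:ad00:beef::/64 are constructed values. It also shows the caveat a practitioner should keep in mind: an address derived from a globally unique EUI-48/EUI-64 carries the hardware identifier, so anyone who sees the address can recover the MAC and track the device across networks, which is exactly why RFC 7217 recommends stable but opaque identifiers instead.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed example values (not from the article or any real deployment).
LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")   # fe80::/64
MESH_LOCAL_PREFIX = bytes.fromhex("fddead00beef0000")   # fdde:ad00:beef::/64, hypothetical


def eui64_from_eui48(mac: bytes) -> bytes:
    """RFC 4291 Appendix A: a 48-bit MAC becomes an EUI-64 by inserting ff:fe
    between the 3-byte OUI and the 3-byte extension identifier."""
    if len(mac) != 6:
        raise ValueError("EUI-48 must be 6 bytes")
    return mac[:3] + b"\xff\xfe" + mac[3:]


def iid_from_eui64(eui64: bytes) -> bytes:
    """Modified EUI-64 interface identifier: flip the universal/local bit
    (0x02 in the first byte), so a globally unique MAC yields a U/L bit of 1."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def iid_from_short_address(short: int) -> bytes:
    """RFC 6282 section 3.2.2: an 802.15.4 16-bit short address XXXX maps to the
    interface identifier 0000:00ff:fe00:XXXX. The U/L bit is 0 (locally
    administered); Thread builds its RLOC16 routing locators this way."""
    if not 0 <= short <= 0xFFFF:
        raise ValueError("short address must fit in 16 bits")
    return b"\x00\x00\x00\xff\xfe\x00" + short.to_bytes(2, "big")


def make_address(prefix: bytes, iid: bytes) -> ipaddress.IPv6Address:
    """Concatenate an 8-byte /64 prefix and an 8-byte IID into a full address."""
    if len(prefix) != 8 or len(iid) != 8:
        raise ValueError("prefix and IID must each be 8 bytes")
    return ipaddress.IPv6Address(prefix + iid)


def hardware_id_from_address(addr: ipaddress.IPv6Address) -> Optional[bytes]:
    """The reverse, and the privacy problem: if the IID was built from a
    globally unique EUI-48 (U/L bit set, ff:fe in the middle), the MAC is
    recoverable by anyone who observes the address. Returns None for
    short-address or opaque IIDs, which leak no hardware identity."""
    iid = addr.packed[8:]
    if iid[3:5] == b"\xff\xfe" and iid[0] & 0x02:
        return bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return None


def accommodate_fleet(prefix: bytes, short_addresses: Iterable[int]) -> Dict[int, ipaddress.IPv6Address]:
    """'Accommodated, not managed': every short-addressed node gets a routable
    address from the prefix alone, with no per-device configuration."""
    return {s: make_address(prefix, iid_from_short_address(s)) for s in short_addresses}


if __name__ == "__main__":
    mac = bytes.fromhex("00124baabbcc")  # constructed EUI-48
    link_local = make_address(LINK_LOCAL_PREFIX, iid_from_eui64(eui64_from_eui48(mac)))
    print("EUI-64 derived link-local:", link_local)
    leaked = hardware_id_from_address(link_local)
    print("MAC recoverable from that address:", leaked.hex(":") if leaked else None)
    for short, addr in accommodate_fleet(MESH_LOCAL_PREFIX, range(0x0C00, 0x0C04)).items():
        print(f"RLOC16 {short:#06x} -> {addr}  leaks MAC? {hardware_id_from_address(addr) is not None}")
```

Running the block prints the EUI-64 derived link-local address, recovers the constructed MAC from it, and then lists four mesh-local addresses derived purely from short addresses, none of which give away a hardware identifier. The fleet function is the gateway-side view: the border router never has to "administer" each node, which is the convenience daCosta describes and also the reason such networks are hard to inventory and monitor.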


TechTarget Security Media Group


TechTarget, 275 Grove Street, Newton, MA 02466 | www.techtarget.com

Editorial Director: Robert Richardson

Features Editor: Kathleen Richards

Executive Managing Editor: Kara Gattine

Managing Editor: Brenda L. Horrigan

Site Editor: Robert Wright

Site Editor: Peter Loshin

Director of Online Design: Linda Koury

Columnists: Marcus Ranum, Dave Shackleford

Contributing Editors: Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Dave Shackleford, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser

Editorial Board:
Phil Agcaoili, Cox Communications
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, MK Hamilton and Associates
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines
Don Ulsch, PwC U.S.

Vice President/Group Publisher: Doug [email protected]

Stay connected! Follow @SearchSecurity today.

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE AND PAGE 4: RYCCIO/ISTOCK