<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" version="2.0">
  <channel>
    <title>Network Security</title>
    <link>http://www.frost.com/c/10402/blog/index.do</link>
    <description>Community Blog</description>
    <item>
      <title>Microsoft: Will the Empire Strike Back?</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=2646764</link>
      <description>&lt;p&gt;&lt;span class="apple-converted-space"&gt;&lt;strong&gt;&lt;span style="color: #222222;" lang="EN-US"&gt;Microsoft: Will the Empire Strike Back?&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;To some, the omens look bleak for Microsoft. PC shipments are in decline, and an increasing proportion of IT activity bypasses Microsoft technology entirely. Google and Apple continue to make massive inroads into, what was once, Microsoft territory, forcing Microsoft to react.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;Will the trend towards consumerization and &amp;lsquo;Bring Your Own Device&amp;rsquo; (BYOD) combined with the move to cloud computing marginalize Microsoft and undermine the fabric of its business model? Indeed, will cloud computing destroy Microsoft&amp;rsquo;s business model and allow others such as Google and Apple to replace Microsoft within the enterprise?&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;The answer is no, if Microsoft can develop a coherent marketing strategy that can be understood by its clients. BYOD, cloud computing and the vulnerabilities of Google and Apple&amp;rsquo;s business models give Microsoft the opportunity to consolidate its dominance in the enterprise.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;Windows 8 is an operating environment that can provide a common experience across multiple devices. It can transform tablets into devices that can be used for enterprise activities in addition to consumer activities. Windows 8 smartphones can also be easily integrated with corporate Windows environments and offer management and security features that enterprises are vigorously demanding.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;Apple&amp;rsquo;s presence in the enterprise is driven organically and is not planned. This may benefit it in the short term, as it rides the consumerization trend. But, the company does not have a coherent enterprise strategy, choosing to remain focused on the consumer experience.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;Google is developing an enterprise strategy with some success. However, it does continue to generate the vast majority of its revenues from advertising, not by addressing the technology needs of enterprises. It does not have a suite of products that can compete with Microsoft in the enterprise.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;To the enterprise, Microsoft represents much of what is deemed to be important such as stability, long term product support, flexibility and standards. It offers upgrade paths and a wide variety of support options to name a few benefits that enterprises attribute to it.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;So why is Microsoft not seeing more success? Why is Windows 8 adoption so slow? Perhaps this can be explained by Microsoft&amp;rsquo;s marketing. Microsoft&amp;rsquo;s marketing activity does not reflect the strength of its position. Its message seems disjointed and uncoordinated. For example, why did Microsoft not present the separate launches of Windows 8 and the Surface as part of the same overall strategy? Its pricing strategy is muddled. It should aim to make Office 365 ubiquitous in the enterprise and then focus on pricing. So far, it has managed to upset a lot of customers with its Office 365 pricing and made alternatives more attractive.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;Microsoft will not beat Apple, Google or Samsung on their territories, by launching devices to compete with them. Its advantage over these firms will be enhanced by leveraging its strength in the enterprise market. In other words, it will succeed by practicing the inverse of consumerization. Until the mid 1990s, mobile phones were primarily used as enterprise devices. They moved from the enterprise, into the consumer market. Similarly, PCs were first popularized in the enterprise and thereafter became commonly used by consumers. Consumerization is a blip in the technology adoption timeline. Are Apple&amp;rsquo;s recent challenges an indication that it is struggling to manage a slowdown in the trend towards consumerization?&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;Microsoft can galvanise a shift away from consumerization by promoting the benefits of Windows 8 as an operating environment that can be used on any device. The Surface should be primarily targeted at the enterprise not at the consumer. Once established within the enterprise, workers will also use it for consumer activities and its popularity as a consumer device will grow. Microsoft can create a new market for an operating environment that straddles both enterprise and consumer domains.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;If Microsoft cannot wait to strengthen its hand in the consumer market, it could use its vast resources to make some acquisitions of firms that are pioneering new ways of consuming content. For example, acquiring Spotify or Netflix would instantly position Microsoft as a leader in the consumer market.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: #222222;"&gt;Microsoft is in a very strong position. It needs to capitalize on this strength in order to reinforce its position. It must consolidate its enterprise position by focusing on the needs of this huge market. It can then attack the consumer market. It has some great products. It needs to market them more effectively. It needs to be seen by enterprise IT buyers as the IT supplier that can offer one unified, secure, and manageable experience across any device and that these devices can be used for both work and play. To date, it has failed to do this. With a revamped marketing strategy, the Microsoft empire can strike back.&lt;/span&gt;&lt;/p&gt;</description>
      <pubDate>Tue, 23 Apr 2013 01:41:36 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=2646764</guid>
      <dc:creator>Andrew Milroy</dc:creator>
      <dc:date>2013-04-23T01:41:36Z</dc:date>
    </item>
    <item>
      <title>The Incredible Shrinking IT Department</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=2596917</link>
      <description>&lt;div&gt;IT departments are set to become smaller. In addition, the role of IT will transform into that of an integrator of services, a driver of innovation and a manager of systems and processes.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;These changes are being driven by the widespread use of cloud computing and the increased prevalence of &amp;lsquo;Bring Your Own Device&amp;rsquo; (BYOD).&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;New cloud computing implementations typically use IT resources much more efficiently and effectively than was the case before. Indeed, this model of computing leads to much greater sharing of IT resources, not just within enterprises, but also among enterprises.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Cloud computing offers greater automation of IT activities, such as service provisioning, updates and upgrades. It also reduces the amount of time required to provision new IT resources dramatically, and engenders self service.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Soon, most employees can be expected to procure and manage the devices that they use at work. This also removes a huge amount of work from IT departments.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;For these reasons, demand for IT professionals is unlikely to grow. In fact, IT departments will inevitably become smaller.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;By how much will IT departments shrink? Indeed, how will the role of the CIO and the IT department change over time?&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;It is hard to tell how much IT departments will shrink. However, there is evidence of IT departments shrinking as a proportion of the organization being served. At a recent CIO event in Perth, Australia, Vito Forte, CIO of mining firm Fortescue, explained that his company is currently growing at a very fast rate. But, there are no plans to grow the IT department.&amp;nbsp; Other CIOs have made similar comments.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;More importantly, the move to cloud computing and BYOD will transform the role of the CIO and IT departments. Traditional IT tasks such as software support, upgrades, and procurement will not be required to the same extent as in on premise IT deployments. Nevertheless, the use of cloud services and BYOD present new challenges. Presently, cloud computing resources are often adopted by business units without any involvement of IT departments. The same applies to BYOD. Some IT departments have resisted these changes and sought to prohibit these activities. This is an unsustainable approach. The IT department of the future will act as a provider of cloud services and an enabler of BYOD. It will focus to a much greater extent on ensuring compliance to company policy and legislation.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Many analysts argue that IT departments will act as brokers of cloud services to their internal customers. This offers limited business value. As app stores are built up internally, this approach will likely accelerate the reduction in the size of IT departments. It will also inhibit the transformation of the IT function into a role that offers significant business value.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Instead, forward thinking IT departments can be expected to position themselves as service integrators within the organization. In other words, they will focus on procuring and integrating cloud services that can add value to specific business activities. They will then seek to ensure that these services are implemented successfully. &amp;nbsp;Once implemented, the transformed business function will manage the systems and processes that the new technology underpins.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;While managing systems and processes, the new function will drive innovation within the organization by continually introducing new ways of enhancing business processes using the latest services that are provided from the cloud. The forward thinking CIO&amp;rsquo;s role will, in many cases, change to Chief Innovation Officer.&lt;br /&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;IT departments that do not embrace the changes taking place around them, will find themselves becoming less relevant to the organization.&lt;/div&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In summary, the IT department will inevitably shrink as a proportion of the overall organization that it serves. But, for forward thinking IT departments, the role will change to that of a service integrator, innovator, and manager of systems and processes. Its value to the business can increase substantially.&lt;/div&gt;</description>
      <pubDate>Mon, 08 Apr 2013 02:39:53 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=2596917</guid>
      <dc:creator>Andrew Milroy</dc:creator>
      <dc:date>2013-04-08T02:39:53Z</dc:date>
    </item>
    <item>
      <title>2013 Predictions: The Consolidation of IT</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=2578421</link>
      <description>&lt;p&gt;It&amp;rsquo;s that time of year again. The time of year where the world&amp;rsquo;s IT commentators offer their predictions for the following year. For the past few years, predictions have focused very much on cloud computing, &amp;lsquo;big data&amp;rsquo; (a misnomer if ever I have heard one), mobility, social, and consumerization.&lt;br /&gt; &lt;br /&gt; All of these technology trends are now having a profound effect on business. I expect that in 2013, these terms will be used less often as cloud/big data/mobility/social/consumerization fatigue kicks in.&lt;br /&gt; &lt;br /&gt; 2013 will bring us closer to 'the end of corporate IT', a process that has been going on for some time. Indeed, Nicholas Carr wrote about 'the end of corporate IT' in 2005. Cloud computing, social media and analytics are accelerating this trend.&lt;br /&gt; &lt;br /&gt; 2013 itself will witness the consolidation of IT, as IT departments shrink and convergence kicks in across the industry. By 2020, will IT departments exist? Will IT be fully embedded into business activities? Will IT have become a utility?&lt;br /&gt; &lt;br /&gt; Here are my three predictions for 2013.&lt;br /&gt; &lt;br /&gt; &lt;strong&gt;#1 IT departments will shrink&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; The use of cloud services will reduce the need for many traditional IT activities. Cloud services drive automation, self service, and self provisioning to the extent that the need for support services provided by IT departments will decline dramatically.&lt;br /&gt; &lt;br /&gt; Consumerization and the use of devices chosen by the employee rather than the employer (BYOD) will also eliminate procurement tasks, traditionally performed by IT departments.&lt;br /&gt; &lt;br /&gt; Business and consumer services are increasingly being delivered by apps from mobile devices. 
The development of basic apps will become a standard skill among the next generation of workers in much the same way as using mobile technology, and office productivity software are standard skills for today&amp;rsquo;s employees. In other words, a growing number of IT activities will become embedded in non-IT roles.&lt;br /&gt; &lt;br /&gt; The complexity of technical tasks being performed by workers, without IT support, is growing while the skills needed to perform complex tasks are less difficult to acquire. This means that ordinary workers will soon be generating outcomes that were once the domain of IT staff. For example, a typical marketing manager will soon be able to develop a basic &amp;lsquo;Amazon style&amp;rsquo; store for their company with little or no technical support.&lt;br /&gt; &lt;br /&gt; CIOs and their teams will increasingly focus on enabling the use of technology across the organization. Their focus will be on ensuring that when employees use technology, they comply with policies and regulations. They will also seek to add business value by working with other employees and stakeholders to integrate new services and processes into their businesses. Furthermore, today&amp;rsquo;s developers and technical professionals will be forced to focus on ways that their skills can be used to foster innovation within diverse business activities.&lt;br /&gt; &lt;br /&gt; &lt;strong&gt;#2 The IT industry consolidates rapidly as convergence occurs&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; A clear trend has emerged over the past several years whereby, IT firms seek to control and manage the complete user experience. Apple is the best example of this approach. But, others such as Oracle, Cisco and most recently Microsoft, which once focused on specific solution areas, are also becoming more vertically integrated, and offering end to end solutions to their customers. Some call this convergence. 
Who would have expected Cisco and Oracle to enter the server market a few years ago? Indeed, who would have expected Microsoft to sell hardware products just a year ago?&lt;br /&gt; &lt;br /&gt; Infrastructure software and hardware products have become commodities. Growth in these markets will come largely from acquisitions. A growing number of independent IT vendors will struggle to survive as it becomes extremely difficult to differentiate their offerings. Today&amp;rsquo;s large IT vendors can be expected to acquire remaining point solution vendors that provide differentiated offerings.&lt;br /&gt; &lt;br /&gt; There will also be fewer remaining large IT vendors, as they compete with each other for a greater share of shrinking markets for their traditional products and services. The market will be dominated by a handful of technology titans by 2014. These enormous firms will engineer the ability to enter new industries. They will &amp;lsquo;shape shift&amp;rsquo; in the manner of some of their more successful and newer competitors. In addition to convergence within the IT industry, convergence between the IT industry and other industries will become more common.&lt;br /&gt; &lt;br /&gt; Smart cities, smart grids and telehealth are examples of areas where convergence between IT and other industries will occur more frequently.&lt;br /&gt; &lt;br /&gt; Examples of technology firms competing outside their industry include Apple in the music industry, Google in the financial services industry and Microsoft in the gaming industry.&lt;br /&gt; &lt;br /&gt; As technology firms seek growth outside their industry, non-technology firms will increasingly offer industry-specific cloud services. ADP is a very early example of this trend. It is an HR services firm that has been offering HR-related cloud services for many years. 
Financial services firms, governments, retailers and many others are already beginning to offer their own cloud services without significant levels of support from IT firms. As mentioned earlier, IT is becoming embedded into everyday business activities.&lt;br /&gt; &lt;br /&gt; Technology is destroying the traditional boundaries between industries. Some of the world&amp;rsquo;s most successful firms such as Amazon, Google and Apple recognize this. These firms use their brands, their customer relationships and their &amp;lsquo;state of the art&amp;rsquo; technology to seamlessly move from one industry to another, terrorizing incumbents in the process.&lt;br /&gt; &lt;br /&gt; &lt;strong&gt;#3 Apple&amp;rsquo;s relative decline becomes apparent&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; Apple has been a pioneer in the IT industry. The company&amp;rsquo;s phenomenal success has been driven by its focus on user experience and its lack of respect for industry boundaries. It will continue to grow, without a doubt, but the loss of its leadership position in the smartphone market will spread to the tablet market.&lt;br /&gt; &lt;br /&gt; In recent months, the company has made a few notable errors. Dropping Google Maps and forcing its customers to use an inferior Apple version is a tipping point for Apple. This is the point at which the company ceased to focus on offering the user the best possible experience. It knowingly forced an inferior experience on its customers so that it could challenge the success of Google Maps.&lt;br /&gt; &lt;br /&gt; When Apple launched the iPhone in 2007 and the iPad in 2010, there was a lot of marketing hype around these launches. Arguably, this hype was justified, given that these new products offered customers a new and refreshing user experience. However, the hype surrounding more recent launches has in no way been matched by reality. 
This damages Apple&amp;rsquo;s reputation among its loyal followers, who expect significant enhancements, or the use of breakthrough technology, with each Apple launch.&lt;br /&gt; &lt;br /&gt; Samsung has already surpassed Apple as the world&amp;rsquo;s leading manufacturer of smartphones and Google&amp;rsquo;s Android ecosystem has many more users than Apple&amp;rsquo;s ecosystem. Apple continues to dominate the tablet market but, with increasing competition, this dominance will not last for much longer.&lt;br /&gt; &lt;br /&gt; Apple will no doubt learn from these mistakes, and will continue to flourish for the foreseeable future. But, the errors that it has made have allowed competitors to take market share from Apple at a faster rate than most commentators predicted a year ago.&lt;br /&gt; &lt;br /&gt; This brings us to one of the big questions in the IT industry today. Will Microsoft be successful in the world of mobility in 2013? The company has recently launched its own tablet as well as a completely new operating system, Windows 8. Windows 8 promises to offer a common user interface across devices, from traditional PCs to tablets to smartphones. It can allow the corporate user of Microsoft software to seamlessly transition between devices. This is potentially a major breakthrough that could put Microsoft in a very strong position.&amp;nbsp; The company is clearly beginning to shift its focus back onto the overall user experience.&lt;br /&gt; &lt;br /&gt; Microsoft has the opportunity to regain some of its previous success, if it remains sufficiently focused on its customers, and does not allow internal disputes to slow its decision making. If these initiatives had taken place one year ago, Microsoft would stand an even better chance of success in the mobile world.&lt;br /&gt; &lt;br /&gt; By 2020, the technology firms that remain will be those that can successfully cross industry boundaries while remaining focused on customer experience. 
This means that technology firms will need to target their offerings to non-IT buyers (i.e. not the IT department). In the technology industry, Apple, Amazon and Google have done this.&amp;nbsp; Who else will demonstrate this capability in 2013?&lt;/p&gt;</description>
      <pubDate>Wed, 03 Apr 2013 06:34:37 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=2578421</guid>
      <dc:creator>Andrew Milroy</dc:creator>
      <dc:date>2013-04-03T06:34:37Z</dc:date>
    </item>
    <item>
      <title>The Normalization of IT Skills</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=2578156</link>
      <description>&lt;div&gt;IT skills shortages have been an issue of concern for businesses and governments for more than twenty years. This will change over the next few years as IT skill levels increase, and become embedded into business activities.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In recent years, IT vendors have worked very closely with businesses and governments to ensure that training investments are made, which are centered around their products. Cisco&amp;rsquo;s Networking Academy is a great example of this. Cisco has partnered very closely with educational institutions and governments, around the world, to promote training around its products. This has created a situation in which people trained in IT networking feel comfortable working with Cisco products. More importantly, it has helped to address the shortfall in IT networking professionals.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;However, as IT products become more standardized, cloud computing becomes mainstream, and software takes over from hardware in many areas, demand for IT skills will fall. Cloud computing typically involves the automation of processes that were once relatively labor intensive. It also engenders the provision of services where users can configure software much more easily than was the case in the past. For example, a user can configure an &amp;lsquo;Amazon style&amp;rsquo; storefront very easily for their ecommerce needs. Only a few years ago, the setting up of such a storefront was a highly complex activity that required specialized technical skills.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;The skill levels required to carry out tasks that were once considered to be highly complex are falling. Simultaneously, the IT skill levels of the typical white collar worker are increasing. This is leading to less need for IT skills and for a need for ordinary workers to steadily improve their IT skills.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Thirty years ago, the individuals that worked with technology tended to possess comparatively high IT skills levels. Anybody that sought to work with technology required a significant amount of training and most ordinary workers did not touch computers. To many, computers were perceived to be devices with which only scientists worked.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Fifteen to twenty years ago, IT became democratized. PCs were found on the desks of most white collar workers. They became essential tools for carrying out tasks at work. It was soon assumed that ordinary workers would be able to operate PCs and undertake basic tasks with the programs that they were using.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Today, technology is much more embedded in the activities of the ordinary worker. The IT skill level of today&amp;rsquo;s ordinary worker is much higher than before and the technology tasks that they perform would have been considered to be highly complex in previous years. Assuming that this trend continues, we can assume that ordinary workers will be undertaking even more complex tasks in the years ahead.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In a few years&amp;rsquo; time, we can expect ordinary workers to be procuring and managing their technology devices. Additionally, they will be leveraging cloud services to support their activities at work. This will increasingly be done without support from an IT organization.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Obviously, younger workers will come to the workplace with a higher level of IT skills than most of their older colleagues. However, these skills will need to be enhanced throughout their working lives. Older workers have had experience of acquiring new technical skills and will need to continue this until the end of their careers. Organizations will need to ensure that IT training is available to staff throughout their careers.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In summary, IT will become embedded in business activities. The IT skill levels of ordinary workers will continue to rise as IT becomes critical to their day to day activities. Skills that are seen as specialist today or &amp;lsquo;the preserve of the millennial generation&amp;rsquo; will be normal in the next few years. This, of course, will have a profound impact on both buyers and sellers of IT products and services.&lt;/div&gt;</description>
      <pubDate>Wed, 03 Apr 2013 03:30:56 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=2578156</guid>
      <dc:creator>Andrew Milroy</dc:creator>
      <dc:date>2013-04-03T03:30:56Z</dc:date>
    </item>
    <item>
      <title>IT Services Marketing in Asia: Understanding the Confucian Business Culture</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=2578142</link>
      <description>&lt;div&gt;In the IT services business, the propensity to purchase services is often different to what might logically be expected. This is particularly obvious in the extremely diverse Asia Pacific region.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;For example, organizations in the Philippines, a relatively immature economy with lower labour costs, are more likely to purchase services than organizations in Korea, a mature economy with relatively high labour costs. Why is this? Nobody knows for sure but it appears that the propensity of organizations in a country to purchase services is heavily influenced by 3 cultural and economic variables as follows:&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;#1 The cost of labour. In mature economies, the cost of employing people with technical skills is often significantly higher than the cost of buying access to skills from a third party. Hence, the countries in the world with the highest propensity to purchase IT services are those with high labour costs. In the Asia Pacific region, the best example of such a country is Australia.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;#2 The influence of the Anglo Saxon business culture. Buying IT services from third parties is most widespread in countries that are often described as Anglo Saxon, led by the United States and the United Kingdom. The business culture in these countries has, over the last 25 years, focused on outsourcing &amp;lsquo;non core&amp;rsquo; activities. A common belief in the Anglo Saxon business culture is that sourcing services externally can drive down costs, give organizations access to &amp;lsquo;best of breed&amp;rsquo; services and offer greater flexibility.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;#3 The influence of the Confucian business culture. In the Confucian business culture, which exists in most of Eastern Asia, service is widely perceived to be something that is free. Services are considered to be critical to the differentiation of products. The loss of control associated with sourcing services from third parties is thought to remove a key differentiator from corporate control. Furthermore, paying for such services is anathema to many organizations in East Asia.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Organizations that wish to understand how to sell services into countries in the Asia Pacific region must consider these variables carefully as they develop their marketing strategies. This is particularly important for organizations that generate the bulk of their business from parts of the world that are heavily influenced by the Anglo Saxon business culture.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In a country where the cost of labour is low, the influence of the Anglo Saxon business culture is low and the influence of the Confucian business culture is high, such as Vietnam, the challenges of effectively marketing IT services are profound.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Conversely, in a country where the cost of labour is high, the influence of Anglo Saxon business culture is high and the influence of Confucian business culture is low, such as Australia, the propensity to purchase IT services is extremely high.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;A lot of American and European firms are particularly interested in countries in which the cost of labour is high, the influence of the Confucian business culture is high and there is also some Anglo Saxon influence seeping into the business culture. Perhaps the best example of such a country is South Korea. South Korea is Asia&amp;rsquo;s fourth largest economy and offers significant opportunities to foreign firms. However, selling services in South Korea is proving to be a highly vexing challenge to many US-based IT firms which have the Anglo Saxon business culture in their DNA.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;So how should a US-based IT firm market its services offerings in South Korea? Firstly, it must recognize that South Korean customers will expect services to be free, and will show little willingness to pay for them. Thus it makes sense to describe services offerings as products. Perhaps services offerings could be described as &amp;lsquo;value enhancement products&amp;rsquo;. Maybe, if service is bundled with a product, the combined offering could be described as a &amp;lsquo;premium or platinum product&amp;rsquo;.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Basically, services marketers must consider the Confucian influence on buying behaviour in South Korea and act accordingly. How does the convergence of Anglo Saxon business culture, Confucian business culture and the cost of labour, impact the propensity to buy IT services in China, India and Japan?&lt;/div&gt;</description>
      <pubDate>Wed, 03 Apr 2013 03:24:53 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=2578142</guid>
      <dc:creator>Andrew Milroy</dc:creator>
      <dc:date>2013-04-03T03:24:53Z</dc:date>
    </item>
    <item>
      <title>Cloud and Mobile Technology Set to End Innovation 'Drought'</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=2578106</link>
      <description>&lt;div&gt;It is often stated by senior management figures within large enterprises, that innovation is a key area of focus for them. Despite this focus, the past 50 or 60 years has witnessed a distinct lack of breakthrough innovations. Indeed, there has been an innovation 'drought'.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Innovations made between the late nineteenth century and about 1950 are the ones that are having the most profound impact on our lives today. To be specific, I am referring to innovations and discoveries such as the internal combustion engine, the jet engine, the electric light bulb, the television, the telephone, the radio, modern computing and antibiotics. For a London, Paris or New York City resident who travelled in time from 1910 to 1960, the future would be completely unrecognisable. For a resident of one of these cities who travelled in time from 1960 to 2010, there would be few surprises. In fact, the 1960 time traveller may be disappointed that people were not flying to work, using their own personal jet packs.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Since the 1960s, we have seen some major innovations and discoveries but fewer than in earlier years. Why has innovation slowed down? Well, there are many views on this matter. Some say that it is because of too much regulation. Others say the opposite. My view is that there are several key reasons for this change.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Firstly, as wages increased in the late nineteenth and early twentieth centuries, there was greater focus on finding innovations that could replace labour. This wage growth, in developed economies, slowed dramatically in the 1970s. In mature economies, real wages have not grown significantly since the 1970s. Firms have focussed, to a greater extent, on increasing shareholder value by controlling real wages as opposed to engendering innovation.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;A second reason is that firms are also focussing on extracting the largest possible amount of value from existing assets. Since the 1970s, a popular way of doing this is by entering new markets around the globe. So, innovations made in Western countries and deployed in the 1950s and 1960s have been sold into emerging economies in the 1980s, 1990s and 2000s, greatly enriching large multinational organizations, but shifting emphasis away from innovation.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Another key point is that new innovations may impede the ability of large enterprises to maximize the value they get from existing assets. For example, is it in the interests of pharmaceutical firms to develop more effective treatments for cancer, which may affect their ability to fully profit from existing treatments? Is it in the interests of a plastics manufacturer to support research into 3D printing?&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Today, breakthroughs in IT are creating enormous opportunities for innovation. We have seen rapid incremental innovation in the IT industry itself. But new technology has yet to be deployed in a manner that fosters significant innovation across different industries. This is set to change. In any industry, from the automotive industry to discrete manufacturing to healthcare, the combination of high speed networks, cloud computing and mobile technologies is driving change and, yes, innovation.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;I&amp;rsquo;d love to write about the impact of these technologies on all industries. To make my point, I will focus on examples in the automotive industry, discrete manufacturing and healthcare.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In the automotive industry, GM and others spent years trying to develop autonomous (self driving) cars. By taking advantage of recent IT developments, Google demonstrated how the convergence of IT and the automotive industry leads to innovation. In August 2012, Google announced that a fleet of autonomous vehicles had completed half a million kilometres of accident free test runs. Autonomous cars are expected to become common over the next 10 years. Further innovation around transportation is inevitable and IT is enabling this.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In the manufacturing sector, 3D printing allows designs and techniques to be sourced from the cloud by any device, in any location. This could potentially drive a new industrial revolution and move the world away from mass manufacturing towards the customization of products in locations that are close to the source of demand. Will people make their own goods, to their own specifications, from home? The potential is enormous.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In the healthcare sector, high speed networks and cloud computing can potentially enable care to be delivered to patients in any location. We can expect care to increasingly be given in the patient&amp;rsquo;s location. At the same time, a decreasing proportion of care will be given in hospitals. Technology can totally change the dynamics of healthcare provision. As these dynamics change, the opportunities for radical new innovation will be immense.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;In summary, the last 50 years have witnessed a slowdown in innovation. However, as IT becomes embedded into industries and high speed networks and cloud computing become commonplace, we can expect to enjoy a sustained period of rapid change and innovation.&lt;/div&gt;</description>
      <pubDate>Wed, 03 Apr 2013 03:18:35 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=2578106</guid>
      <dc:creator>Andrew Milroy</dc:creator>
      <dc:date>2013-04-03T03:18:35Z</dc:date>
    </item>
    <item>
      <title>ICT: 10 Years Ago and 10 Years Ahead</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=2578099</link>
      <description>&lt;div&gt;In June this year, Frost &amp;amp; Sullivan will hold its 2013 APAC ICT awards banquet. This is the tenth such banquet. Frost &amp;amp; Sullivan&amp;rsquo;s Asia Pacific &amp;lsquo;Best Practices&amp;rsquo; program has been running since 2003.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;This anniversary is a great opportunity for us to reflect on some of the developments in the ICT business over the past 10 years, and to predict some changes over the next 10 years.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Frost &amp;amp; Sullivan&amp;rsquo;s &amp;lsquo;Best Practices&amp;rsquo; program uses research to identify firms that demonstrate outstanding performance in particular sectors. Increasingly, companies that are identified as offering best practices in their sector, are demonstrating innovation and the ability to drive markets through this innovation.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Making predictions around technology developments is, and always has been, a profoundly challenging task. However, we do believe that some powerful trends, that are currently gaining momentum, will strongly influence our technology experience in 2023.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;If we go back to 2003, the &amp;lsquo;IPification&amp;rsquo; of everything was not yet envisaged. We did not expect telephones to cease to exist. We did not expect voice communications to become just one function that we can use on our preferred devices. We didn&amp;rsquo;t expect to be carrying powerful IP enabled computing devices in our pockets and handbags. We did not expect to see IP enabled devices being embedded in cars, in consumer goods, and in buildings.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;The &amp;lsquo;IPification&amp;rsquo; of everything is forcing the convergence of ICT, as we know it today, with a whole host of industry specific processes. For example, we are starting to witness manufacturing automation processes converge with IT as IP enabled technology is built into manufacturing activities. This process is creating huge opportunities for innovation as organizations experiment with and test IP enabled technology.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;So, against this background, what is our vision for 2023? We will focus on aspects of technology change that will be noticeable to ordinary people and are transformative.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;#1 Today&amp;rsquo;s PC centred model of computing will no longer exist. It was the standard model of computing in 2003 and is currently changing very rapidly. In 2023, we will inhabit a world where businesses and consumers will access IT resources, and conduct the bulk of their interactions from non PC devices. These devices will include home entertainment units (usually described as TVs or games consoles today), in vehicle consoles, wearable devices such as watches, in addition to a range of tablet and smart phone devices.&lt;br /&gt; &lt;br /&gt;&#xD;
&lt;div&gt;#2 The focus of the CIO will transform from a focus on the management and optimization of IT assets to a focus on using technology to underpin innovation within the enterprise. In 2003, the CIO was measured on his/her ability to support enterprise goals within an agreed budget. Today, in 2013, the CIO is increasingly involved in enabling change within the organization. In 2023, the CIO will proactively focus on using technology to drive innovation within the enterprise. The IT department that we know today will cease to exist.&lt;/div&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;#3 Leading technology firms will change. New firms will emerge that benefit from this change. One thing is for sure. The companies that dominate today&amp;rsquo;s technology markets and those which dominated in 2003 are unlikely to remain dominant throughout this technology upheaval. Apple and Facebook will wield a lot less influence in 2023 than they do today. Amazon and Google have better odds.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;#4 Self service will spread widely across business and other human activity. In 2003, technology driven self service activities were in their infancy. By 2023, supermarkets with check outs will look very old fashioned as self service becomes the typical supermarket experience. Similarly, the entire airline experience will be self service. Printing your own boarding passes and luggage tags will soon be normal. By 2023, the customer will expect a self service experience when dealing with organizations. Apps will take over as the primary form of interaction for customers.&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;#5 IP technology will be embedded across all industries. For example, this change will lead to IP enabled automation across manufacturing activities. In 2003, automation in manufacturing was typically a proprietary activity, and was not integrated with other forms of computing. By 2023, the development of IP enabled automation, together with the development of 3D printing, will allow manufacturing to move closer to the source of demand. As labour becomes a smaller and smaller proportion of manufacturing costs and customization becomes critical, the benefits associated with offshore manufacturing will become negligible. Expect to see an upsurge in manufacturing activity in North America and Western Europe over the next 10 years.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;#6 In 2023, companies will typically have agile, cloud-based IT infrastructures. Combined with the ability to analyse and intelligently use vast amounts of data, this IT infrastructure will make it easier for firms to move into new industries. In 2003, enterprises were usually working with a mix of legacy proprietary technology and distributed systems that restricted their agility. In 2013, we are witnessing a rapid transition towards agile, cloud-based IT infrastructures. In 2023, we can expect to see more companies use their agile IT infrastructures, their brands and huge amounts of data to enter new industries. For example, both Google and Amazon are already doing this, in the financial services industry as well as many others. Expect to see the re-emergence of the conglomerate. In 2023, companies will differentiate themselves by the way they use technology, the way they use data, and the way they use their brands.&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD;
&lt;div&gt;Frost &amp;amp; Sullivan&amp;rsquo;s research reveals that successful technology firms are factoring these powerful trends into their strategies. We expect companies that demonstrate best practices in key ICT sectors to continue to perform excellently. Furthermore, we expect them to play a role in shaping and influencing these exciting trends.&lt;/div&gt;</description>
      <pubDate>Wed, 03 Apr 2013 03:13:06 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=2578099</guid>
      <dc:creator>Andrew Milroy</dc:creator>
      <dc:date>2013-04-03T03:13:06Z</dc:date>
    </item>
    <item>
      <title>High-Stakes Cybersecurity at Black Hat USA 2012</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1902949</link>
      <description>&lt;p&gt;&lt;img src="upld/get-data.do?id=1902933" alt="Show floor" align="bottom" /&gt;&lt;/p&gt;&#xD;
&lt;p&gt;It is entirely possible that the Black Hat Conference was set in Las Vegas simply as an ironic statement about the state of information security today. Everyone is gambling. For hackers, the buy-in cost to attack a massive number of websites through simple Web scripts, spam, and malware is minimal. But with a slightly larger investment of time and resources, hackers can target large organizations for much bigger jackpots. Consequently, enterprise organizations are &amp;ldquo;all-in&amp;rdquo; whether they want to be or not. The stakes are high, as hackers conducting targeted attacks are not stopping at personal identification information (PII) and are now going for the &amp;ldquo;secret sauce&amp;rdquo; recipes. Security breaches that leak state secrets and intellectual property are difficult to measure in dollars but have major sociopolitical implications that can shape the modern world. Worse still, hackers and cyber criminals have stacked the deck and are able to penetrate network defenses through targeted attacks seemingly at will.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;So, All is Lost? &lt;/strong&gt;&lt;/p&gt;&#xD;
&lt;p&gt;For 2012, the prevailing tone underlying every major industry discussion has been defeatism. In the &lt;a href="https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Henry"&gt;Keynote&lt;/a&gt; address given by Shawn Henry, former FBI-guy extraordinaire, we were told that we are all already breached and to accept this fact. Now, I understand the psychology here: that if we convince ourselves that there are malicious actors already in our system then we will be that much more motivated to go find them. However, a paranoid hunt for a phantasm hacker cannot possibly be an efficient use of very limited resources.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;On the other hand this defeatist mentality has led other security professionals nearly to the point of surrender. This &lt;a href="http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness?page=1"&gt;post&lt;/a&gt; calls for companies to cease security awareness training for end-users and to focus instead on security technologies. While it is important to prioritize efforts to focus on the security strategies that are most effective, the urge to give up on the human element is short-sighted. Training at all levels is an essential pillar in any security architecture, and I would argue that training requirements should actually increase for end-users higher up the management ladder.&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;Who Should Take Responsibility&lt;/strong&gt;&lt;/p&gt;&#xD;
&lt;p&gt;Henry also indicated that the government was not interested in (or capable of) protecting the private sector. The government considers information security to be the responsibility of each individual business. The idea is that businesses must ward off thieves and burglars in the physical world and should do so in the cyber world. In the very next briefing, Marcus Ranum voiced his concern and distaste for this notion, pointing out that the government should try to defend private businesses as well because the most sophisticated attacks are often perpetrated by nation states and foreign criminal organizations. These organizations could not conduct physical attacks against businesses without recourse, but are free to do so online.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;(Henry also said that we should take the fight to the enemy as well, which is clearly not viable or even advisable depending on the attacker. But at that point I was certain he was just jumping the shark for entertainment value).&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;img src="upld/get-data.do?id=1902935" alt="Black Hat signal" align="left" /&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;(Pictured: The Black Hat signal.)&lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;Unfortunately, many businesses do not realize that they are breached until a business partner reports anomalous behavior from the victim&amp;rsquo;s systems. The FBI and other government organizations will only contact victims once the damage is done. The government is interested in finding and eliminating hacking groups which is admirable but does little to protect businesses from their attacks in the meantime.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;Where Do We Go Now?&lt;/strong&gt;&lt;/p&gt;&#xD;
&lt;p&gt;The point is: the threat is greater than ever. Businesses must implement the foundational layers of security, including next generation firewall, IPS, content filtering, and anti-virus. Leading security vendors such as &lt;a href="http://www.checkpoint.com/"&gt;Check Point&lt;/a&gt; and &lt;a href="http://www.mcafee.com/us/"&gt;McAfee&lt;/a&gt; have been adding new features such as advanced anti-malware, anti-bot technologies, DLP, and threat correlation to better defend customers. Businesses should invest in vulnerability management solutions from innovative vendors such as &lt;a href="http://www.qualys.com/"&gt;Qualys&lt;/a&gt; and &lt;a href="http://www.beyondtrust.com/"&gt;BeyondTrust&lt;/a&gt; (acquired eEye).&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;SMB companies can receive nearly all of these capabilities from UTM solutions, as UTM vendors including &lt;a href="http://www.fortinet.com/"&gt;Fortinet&lt;/a&gt; and &lt;a href="http://www.watchguard.com/"&gt;WatchGuard&lt;/a&gt; license technologies such as anti-virus and IPS from leading vendors such as &lt;a href="http://usa.kaspersky.com/"&gt;Kaspersky&lt;/a&gt;. In addition, they also maintain a high level of internal product and feature development. Thus, there is no excuse for businesses to lack these essential technologies.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;Additionally, new technologies are emerging that will empower businesses to block a large number of threats. Companies such as &lt;a href="http://www.clicksecurity.com/"&gt;ClickSecurity&lt;/a&gt; and &lt;a href="http://www.criticalwatch.com/"&gt;Critical Watch&lt;/a&gt; use advanced analytics and security intelligence to identify the most sophisticated and targeted attacks. Considering the massive amounts of log data generated in enterprise organizations and attackers&amp;rsquo; skill at remaining undetected, these real-time tools are absolutely necessary to find the most persistent security breaches.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;Most importantly, companies must dedicate budget to improve the &amp;ldquo;human factor&amp;rdquo; through training, auditing, penetration testing, and analysis. As far as penetration testing goes, everyone should be doing it on a regular basis. Companies that don&amp;rsquo;t engage in auditing and penetration testing have no insight into their true security posture. Use &lt;a href="upld/get-data.do?id=1568233"&gt;these guidelines&lt;/a&gt; to find reputable and skilled ethical hacker companies. These days, companies such as Trustwave &lt;a href="https://www.trustwave.com/spiderlabs/"&gt;SpiderLabs&lt;/a&gt; make it easy to purchase, prioritize, and regularly schedule these engagements with retainer agreements.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;The Last Word&lt;/strong&gt;&lt;/p&gt;&#xD;
&lt;p&gt;The time has come: it is necessary to adapt. But this is not such a bad thing. The best known attacks, Operation Aurora, Stuxnet, and Flame, were based on techniques and vulnerabilities that have been known in the industry for years. We have known that this day would come, but we don&amp;rsquo;t need to feel like the sky is falling just because it is here. Instead, businesses must learn, understand, strategize, implement, test, and update their information security architectures.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;Businesses are betting the house on a bad hand when they rely on outdated security technologies, ignore the human element, and fail to adapt to new threats. But that&amp;rsquo;s just me: I never gamble with my money&amp;mdash;only with my life.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;*****&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;&lt;span style="color: #333333;"&gt;Double down with Industry Analyst Chris Rodriguez by&lt;/span&gt;&lt;/em&gt;&lt;span class="apple-converted-space"&gt;&lt;span style="color: #333333;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style="color: #333333;"&gt;&lt;a href="mailto:chris.rodriguez@frost.com"&gt;&lt;em&gt;&lt;strong&gt;&lt;span style="color: #7a7a4a;"&gt;e-mail&lt;/span&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;&lt;span style="color: #333333;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #333333;"&gt;For additional information on hacking, check out the Frost &amp;amp; Sullivan white paper entitled &lt;/span&gt;&lt;/strong&gt;&lt;span style="color: #333333;"&gt;&lt;a href="http://www.slideshare.net/FrostandSullivan/frost-sullivan-the-importance-of-ethical-hacking-emerging-threats-emphasise-need-for-holistic-assessments"&gt;&lt;strong&gt;&lt;span style="color: #7a7a4a;"&gt;The Importance of Ethical Hacking: Emerging Threats Emphasise the Need for Holistic Assessments&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;strong&gt;&lt;span style="color: #333333;"&gt;or learn more about&lt;/span&gt;&lt;/strong&gt;&lt;span class="apple-converted-space"&gt;&lt;strong&gt;&lt;span style="color: #333333;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;span style="color: #333333;"&gt;&lt;a href="prod/servlet/svcg.pag/ITNT"&gt;&lt;strong&gt;&lt;span style="color: #7a7a4a;"&gt;Network Security&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;/span&gt;&lt;strong&gt;&lt;span style="color: #333333;"&gt;.&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>
      <pubDate>Wed, 29 Aug 2012 19:17:47 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1902949</guid>
      <dc:creator>Chris Rodriguez</dc:creator>
      <dc:date>2012-08-29T19:17:47Z</dc:date>
    </item>
    <item>
      <title>Black Hat USA Conference 2012: Anti-Malware Analysis Detection</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1837757</link>
      <description>&lt;p&gt;&lt;span style="color: #808080;"&gt;&lt;strong&gt;Security research wizard &lt;a href="https://community.qualys.com/people/bsdaemon"&gt;&lt;span style="color: #808080;"&gt;Rodrigo Rubira Branco&lt;/span&gt;&lt;/a&gt; discussed how his Dissect.pe Project can bring value to organizations globally.&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;img src="upld/get-data.do?id=1837678" alt="" align="left" /&gt;At the beginning of my sit-in, I learned that the security researchers were all from Brazil.&amp;nbsp; I have to admit that I love Brazil due to its festive culture and their cuisine. It should definitely be on your vacation bucket list of &amp;lsquo;must-dos&amp;rsquo;. But what you must also know is that it possesses&amp;nbsp;some of the most dedicated, highly intelligent security researchers in the world. Let's take a&amp;nbsp;briefing on where malware stands today.&lt;/p&gt;&#xD;
&lt;p&gt;Malware has been a huge thorn for the corporate world these days. According to &lt;a href="http://press.pandasecurity.com/news/malware-creation-hit-a-new-record-high-in-2011-with-26-million-samples/"&gt;Panda Security&lt;/a&gt;, malware has hit a record high of about 26 million new strains found in 2011. This is quite concerning, considering that corporations and government agencies are trending to bring-your-own device (BYOD) laptops, tablets, and smartphones for their employees. This is because organizations must harden security strategies to protect these BYODs against sophisticated malware or otherwise face a possible catastrophic loss of valuable IP data. But detecting these malware payloads is one of the key challenging aspects security intelligence analysts must endure. While attentively listening to the &lt;span style="text-decoration: underline;"&gt;A Scientific (But Non Academic) Study of How Malware Employs Anti-Debugging, Anti-Disassembly and Anti-Virtualization Technologies&lt;/span&gt; lecture, I was delivered some fascinating, yet daunting results in the challenge of combating evolving malware.&lt;/p&gt;&#xD;
&lt;p&gt;Security researcher Rodrigo and his colleagues, Gabriel Negreira Barbosa and Pedro Drimel Neto, discussed how counter-detection methods were being used extensively in millions of malware samples which have been analyzed under their Dissect PE Project. This project is a scalable and flexible automated malware analyzer engine that provides feedback to the security community. Dissect PE allows the security researchers to use &amp;lsquo;plugins&amp;rsquo; that can use any computer language (C, Perl, Python, etc) to output malware analysis. This project is being made public and allows security researchers, the media, and partners to share their malware code analysis within this portal on a global level. Some interesting facts that I discovered:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;There are 10 dedicated machines located in S&amp;atilde;o Paulo, Bauru and Germany&lt;/li&gt;&#xD;
&lt;li&gt;It receives 150+ gigabytes of malware samples per day&lt;/li&gt;&#xD;
&lt;li&gt;A total of 30+ million unique malware samples have been discovered so far&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;&lt;span style="color: #808080;"&gt;&lt;strong&gt;So what?&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;So why is this important? We already have companies like &lt;a href="http://www.fireeye.com/"&gt;FireEye&lt;/a&gt;, &lt;a href="https://www.bit9.com/"&gt;Bit9&lt;/a&gt;, &lt;a href="http://www.websense.com" target="_blank"&gt;Websense&lt;/a&gt;, &lt;a href="http://www.symantec.com" target="_blank"&gt;Symantec&lt;/a&gt;, &lt;a href="http://www.cisco.com" target="_blank"&gt;Cisco&lt;/a&gt;, &lt;a href="http://www.mcafee.com" target="_blank"&gt;McAfee&lt;/a&gt; and &lt;a href="http://www.damballa.com" target="_blank"&gt;Damballa&lt;/a&gt; performing malware analysis. Well, as it turns out, the recent results that Dissect.pe outputted showed that at least four different Anti-Reverse Engineering (Anti-RE) techniques can detect and even compromise software/hardware processes in order to evade malware detection. Let me briefly provide a definition for each one, as the lecture mentioned:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Anti-Debugging - Techniques to compromise debuggers and/or the debugging process&lt;/li&gt;&#xD;
&lt;li&gt;Anti-Disassembly - Techniques to compromise disassemblers and/or the disassembling process&lt;/li&gt;&#xD;
&lt;li&gt;Obfuscation - Techniques to make the signatures creation more difficult and the disassembled code harder to be analyzed by a professional&lt;/li&gt;&#xD;
&lt;li&gt;Anti-VM - Techniques to detect and/or compromise virtual machines&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;Even more interesting was the fact that Anti-Virtual Machine detection (Anti-VM) techniques were the most common category discovered. This is because security vendors are commonly using virtual boxes to capture and analyze malware.&lt;/p&gt;&#xD;
&lt;p&gt;So the big question to ask is: Will executives who have purchased commercial security solutions still be awake at night because of insufficient malware detection power? My answer is &lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;yes&lt;/span&gt;&lt;/strong&gt;: If security companies are still under the impression that their dedicated malware analyzers are doing an adequate job in determining the presence of malware, then we are in big trouble. This is because malware authors are continuing to rewrite malicious codebases to adapt to these detection systems daily. And with Rodrigo&amp;rsquo;s findings, it seems the security intelligence community now has a two-fold job in malware analysis: Determining if the threat is malware and if that same malware package is trying to avoid detection by using the four listed techniques!&lt;/p&gt;&#xD;
&lt;p&gt;I have to be forthcoming; I was extremely pleased and &amp;lsquo;sold&amp;rsquo; on this project. The real value of using the Dissect PE portal is that it serves as a sanity check and as a means to double-check other malware findings on other systems. But as Rodrigo mentioned, there is much more work to be done, and he asks other security researchers in the world to include their findings and add their improved algorithms into the project in order to continuously counter these malware evasion techniques.&lt;/p&gt;&#xD;
&lt;p&gt;Rodrigo comically stated that &amp;ldquo;Brazilians are not that lazy&amp;rdquo; and they &amp;ldquo;missed a lot of parties&amp;rdquo; due to analyzing these millions of samples. But this is the passion that is needed to defeat this never-ending battle against malware.&lt;/p&gt;</description>
      <pubDate>Mon, 06 Aug 2012 02:59:24 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1837757</guid>
      <dc:creator>Ben Ramirez</dc:creator>
      <dc:date>2012-08-06T02:59:24Z</dc:date>
    </item>
    <item>
      <title>The Analysis of the Mobile Endpoint Security Products Market - Tackling the Shift to Mobility with a Strong Endpoint Security Solution</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1798493</link>
      <description>&lt;p&gt;I recently published Frost &amp;amp; Sullivan&amp;rsquo;s 2011 Analysis of the Mobile Endpoint Security Products Market - Tackling the Shift to Mobility with a Strong Endpoint Security Solution. The study is already available on Frost.com for our Information Security subscribers.&lt;/p&gt;&#xD;
&lt;p&gt;Smartphones, tablets, and other mobile devices are quickly replacing traditional laptops and desktops. As we continue to hear the term bring your own device (BYOD), security and device management are becoming crucial topics. With the proliferation of smartphones and tablets, the risk of losing corporate or personal data is heightened. The launch of the iPhone in 2008 drove the adoption and acceptance of smartphones in both the consumer and corporate segments of the market, so much so that individuals often use a single smartphone to conduct both business and personal matters. Frost &amp;amp; Sullivan estimates that in 2011, the global smartphone and tablet market reached 509.1 million units shipped, and we expect growth to continue. Specifically, we expect to see increased growth within the Android device market as these devices gain acceptance within the corporate market. In turn, this will ultimately create more security risks and headaches for IT administrators.&lt;/p&gt;&#xD;
&lt;p&gt;As this market continues to grow, hackers will continue efforts to target smartphones for theft of personal and/or corporate data. With increased demand for mobility, hackers now understand the vastness of the opportunity it presents, and as a result the threat landscape for mobile devices has rapidly evolved to create significant challenges for businesses implementing a mobile strategy. As mobile computing continues to expand with the mobile workforce, cyber criminals will continue to place significant focus on this lowest hanging fruit because of its enormous profit potential.&lt;/p&gt;&#xD;
&lt;p&gt;With the global explosion of wireless devices, software developers have responded to market demands by creating a vast and growing number of business and productivity applications for the mobile workforce. Although this has been a positive development for mobile workers and their employers, organizations continue to struggle to centrally manage application deployment and ensure that security protection on mobile devices can keep business critical data safe.&lt;/p&gt;&#xD;
&lt;p&gt;With the growth of smartphones and tablets, end users are extending their computer endpoints to these smaller personal devices. Endpoint security vendors are challenged to offer consumer mobile security solutions that provide the same level of protection as one would expect from a typical desktop or laptop computer. While mobile security offerings have evolved from simply protecting devices from malware, protection from malicious applications has become a critical functionality and essential to any solution. As a result, many security companies are offering mobile anti-malware solutions in conjunction with application scanning and protection of data on the device. For the enterprise, endpoint security companies are combining mobile device management solutions. Companies are going beyond just protecting the mobile device and are now leveraging their capabilities beyond the PC to manage iOS, Android, and Windows mobile devices.&lt;/p&gt;&#xD;
&lt;p&gt;Refer to Frost &amp;amp; Sullivan&amp;rsquo;s annual global market study &amp;ldquo;Analysis of the Mobile Endpoint Security Products Market &amp;ndash; Tackling the shift to mobility with a strong endpoint security solution&amp;rdquo; for more information regarding revenue growth, market trends, and competitive analysis.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;Martha Gomez Vazquez is occasionally allowed out of her cube, but if not then she can be reached by e-mail martha.vazquez@frost.com&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;&#xD;
</description>
      <pubDate>Fri, 20 Jul 2012 21:40:56 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1798493</guid>
      <dc:creator>Martha Vazquez</dc:creator>
      <dc:date>2012-07-20T21:40:56Z</dc:date>
    </item>
    <item>
      <title>Check Point Announces New Security Technologies for Advanced Threats</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1591162</link>
      <description>&lt;p&gt;2011 ushered in a new breed of cyber threats that brought major organizations including &lt;a href="http://www.wired.com/threatlevel/2010/01/operation-aurora/"&gt;Google&lt;/a&gt;, &lt;a href="http://www.tgdaily.com/security-features/48722-severe-vulnerability-found-in-rsa-encrption"&gt;RSA&lt;/a&gt;, and &lt;a href="http://online.wsj.com/article/SB10001424052702303654804576350083016866022.html"&gt;Lockheed Martin&lt;/a&gt; to their knees and left &lt;a href="http://datalossdb.org/statistics"&gt;many others&lt;/a&gt; searching for answers. These attacks were alarmingly sophisticated, effective, and elusive. Furthermore, the sophistication of these attacks indicates well organized crime syndicates and nation-states with deep pockets, which elicited the creation of a new industry term, the &amp;ldquo;advanced persistent threat&amp;rdquo; (APT). These threats and a new attacker profile have captivated the security industry&amp;rsquo;s attention as customers demand adequate protection tools.&lt;/p&gt;&#xD;
&lt;p&gt;It is no surprise then that entrepreneurial companies such as &lt;a href="http://www.criticalwatch.com/"&gt;Critical Watch&lt;/a&gt;, &lt;a href="http://www.fireeye.com/"&gt;FireEye&lt;/a&gt;, &lt;a href="http://www.bit9.com/"&gt;Bit9&lt;/a&gt;, and &lt;a href="http://www.clicksecurity.com/"&gt;Click Security&lt;/a&gt; now offer solutions specifically designed to help customers defend against APTs. However, despite the widespread concern about APTs, IT organizations are still expected to block the thousands of traditional commodity threats that bombard their networks every day. Therefore, larger security vendors should develop new product functionality of their own to protect customers against APTs.&lt;/p&gt;&#xD;
&lt;p&gt;As multiple security companies attempt to combat these threats, a number of different security technologies and strategies have emerged such as &amp;ldquo;big data,&amp;rdquo; intelligence and analytics, anti-bot, advanced anti-malware, and APT detection solutions. While there remains much debate as to which technologies are most effective (or feasible) against advanced threats, there is the sense that every security vendor should be working diligently to block this attack vector.&lt;/p&gt;&#xD;
&lt;p&gt;Small, start-up companies have the benefit of a clear, specific goal such as APT detection and have the business agility to adjust strategies as the market demands. Too often, larger security companies are more reactive and will wait to identify best-of-breed product design and go-to-market strategies before developing a competing offering. Unfortunately, in the modern threat landscape, there is little time for major IT security companies to enjoy the luxury of a learning period.&lt;/p&gt;&#xD;
&lt;p&gt;That is why Check Point&amp;rsquo;s newest release of its R75 security operating system caught my attention. &lt;a href="http://www.checkpoint.com/campaigns/r75.40/index.html"&gt;R75.40&lt;/a&gt; offers compelling new security technologies such as ThreatCloud, Anti-Virus, and Anti-Bot protection. ThreatCloud is a collaborative network designed by Check Point to collect attack and attacker data from the company&amp;rsquo;s global install base of network gateways, sensors, third-party research, and internal research. This enables Check Point to dynamically deliver real-time updates to customers&amp;rsquo; security gateways, thereby ensuring the highest level of protection possible. ThreatCloud also powers Check Point&amp;rsquo;s anti-bot and advanced anti-malware software blades. These blades utilize multi-tier APT detection and prevention capabilities to block threats that traditional IPS, firewall, and endpoint solutions cannot address.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;img src="upld/get-data.do?id=1591150" alt="Check Point anti-bot" align="left" /&gt;R75.40 also offers a multitude of additional new features including data leakage prevention remediation and inbound SSL inspection. However, in a time when it seems that every company is vulnerable, Check Point&amp;rsquo;s advanced security technologies deliver valuable new functionality for customers.&lt;/p&gt;&#xD;
&lt;p&gt;*****&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;Industry Analyst Chris Rodriguez can be found knee deep in spreadsheets or e-mailed &lt;/em&gt;&lt;a href="mailto:chris.rodriguez@frost.com"&gt;&lt;em&gt;here&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. &lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;For additional analysis of this market, check out Frost &amp;amp; Sullivan&amp;rsquo;s annual global market study entitled &lt;/em&gt;&lt;/strong&gt;&lt;a href="n955"&gt;&lt;strong&gt;&lt;em&gt;Analysis of the Unified Threat Management (UTM) Market and the Impact of Convergence&lt;/em&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;em&gt; or learn more about &lt;/em&gt;&lt;/strong&gt;&lt;a href="prod/servlet/svcg.pag/ITNT"&gt;&lt;strong&gt;&lt;em&gt;Network Security&lt;/em&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;em&gt;.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;</description>
      <pubDate>Mon, 30 Apr 2012 17:15:44 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1591162</guid>
      <dc:creator>Chris Rodriguez</dc:creator>
      <dc:date>2012-04-30T17:15:44Z</dc:date>
    </item>
    <item>
      <title>Dell's Acquisition of SonicWALL Foreshadows the Security Industry's Fate</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1444299</link>
      <description>&lt;p&gt;&amp;ldquo;Dude, you&amp;rsquo;re getting a SonicWALL!&amp;rdquo;&lt;/p&gt;&#xD;
&lt;p&gt;On Tuesday, March 13, 2012, Dell announced its plan to acquire a leading vendor in the Unified Threat Management (UTM) market, &lt;a href="http://content.dell.com/us/en/corp/d/secure/2012-03-13-dell-sonicwall-acquisition.aspx"&gt;SonicWALL&lt;/a&gt;. This will allow Dell to rapidly advance its security portfolio with the addition of next generation firewall, intrusion prevention (IPS) capabilities, SSL VPN, gateway anti-virus, anti-spyware, and content filtering. Dell&amp;rsquo;s previous foray into the network security industry was its acquisition of managed security services provider (MSSP) SecureWorks and vulnerability/patch management vendor KACE.&lt;/p&gt;&#xD;
&lt;p&gt;The acquisition provides a number of growth opportunities for SonicWALL. First and foremost, this enables SonicWALL to leverage Dell&amp;rsquo;s vast and mature channel partner program. This also provides SonicWALL with stronger economic stability and name brand recognition from Dell. Additionally, stronger financial backing will facilitate new product development. These factors will help SonicWALL to increase its penetration in the enterprise market, which has been a central focus for many UTM vendors&amp;rsquo; growth strategies. As a result, Dell SonicWALL can potentially shake up the UTM market as we know it.&lt;/p&gt;&#xD;
&lt;p&gt;Further still, this announcement is additional evidence of the convergence of IT and security. The goal to achieve &amp;ldquo;built-in&amp;rdquo; security has been demonstrated by the acquisition activities of Cisco, Juniper, IBM, and HP, and was most evident with Intel&amp;rsquo;s acquisition of McAfee.&lt;/p&gt;&#xD;
&lt;p&gt;Fortinet, which has been the market leader in UTM sales for multiple years, has excelled due to its product quality and ongoing product development. Check Point has a highly competitive strategy for the UTM market that focuses on modular solutions. This makes every firewall sale a potential future UTM sale. Both companies have demonstrated solid financial growth in recent years. However, Check Point and Fortinet are also some of the last large dedicated network infrastructure security companies.&lt;/p&gt;&#xD;
&lt;p&gt;So the big question is: how long will stand-alone security vendors find success with &amp;ldquo;security-only&amp;rdquo; strategies? At what point will enterprise organizations determine that they should be purchasing security solutions from their IT provider? Can security ever truly be &amp;ldquo;built-in&amp;rdquo; considering the constantly evolving nature of network-based threats?&lt;/p&gt;&#xD;
&lt;p&gt;*****&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;Industry Analyst Chris Rodriguez can be found knee deep in spreadsheets or e-mailed &lt;/em&gt;&lt;a href="mailto:chris.rodriguez@frost.com"&gt;&lt;em&gt;here&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. &lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;For additional analysis of this market, check out Frost &amp;amp; Sullivan&amp;rsquo;s annual global market study entitled &lt;/em&gt;&lt;/strong&gt;&lt;a href="prod/servlet/segment-toc.pag?segid=9856-00-0C-00-00"&gt;&lt;strong&gt;&lt;em&gt;Analysis of the Unified Threat Management (UTM) Market and the Impact of Convergence&lt;/em&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;em&gt; or learn more about &lt;/em&gt;&lt;/strong&gt;&lt;a href="c/10402/home.do"&gt;&lt;strong&gt;&lt;em&gt;Network Security&lt;/em&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;em&gt;.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;</description>
      <pubDate>Tue, 13 Mar 2012 23:10:21 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1444299</guid>
      <dc:creator>Chris Rodriguez</dc:creator>
      <dc:date>2012-03-13T23:10:21Z</dc:date>
    </item>
    <item>
      <title>Vendors at RSA tout BYOD solutions - RIM already solved that problem</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1414775</link>
      <description>&lt;p&gt;&lt;span style="color: black;"&gt;I just spent the week in San Francisco at the RSA 2012 security event. All the usual suspects in the security arena were in attendance. It seemed to me that the #1 theme of the show was the issues around bring your own device (BYOD). Enterprise end users are doing everything they can to be productive, and that has led to buying their own phones, tablets and applications to get their jobs done. Security professionals are scared as hell about the risks of corporate data moving to unmanaged devices. Every security company is looking for a solution to let employees BYOD while insulating the corporation from risk.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Ironically, I've been using a Blackberry Playbook for a few months now. I actually carried it around the RSA show floor to show customers Frost &amp;amp; Sullivan&amp;rsquo;s video capabilities. It did that well. Blackberry has bet a lot of time, effort and focus on this device and the hard work is evident in the finished product. Blackberry markets the Playbook as an enterprise tablet, and the hardware is really well done. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;When the Playbook was first launched, my initial reaction was that the lack of a native e-mail client was "Stupid". I was flat out wrong. Perhaps the most interesting feature of the Playbook is the Blackberry Bridge. Supporting a breadth of devices is expensive. Employees running around with huge amounts of corporate information on their personal device, then leaving it at Gourmet Haus Stadt, Cava22, or any other bar is a security nightmare. RIM has figured out a way to solve that problem.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;RIM has designed the Blackberry Bridge so it can tie a Playbook to a corporate managed Blackberry smartphone. A user who buys a Playbook simply installs the Bridge application on their smartphone, then takes a picture of a quick response code displayed on the Playbook, and the devices are linked. Apple is eating everyone's lunch in the IT world largely because all their devices "just work" together. RIM has emulated that perfectly; Playbook and my Bold just work. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;The process can be further simplified if BES administrators push the bridge application out to all their users proactively. We recommend that BES administrators push the bridge application to all their Blackberry smart phone users. BES Administrators should make it easy for their users to BYOD a Playbook. We feel that tablet users on a Playbook are much less of a security risk than users with another brand of tablet doing enterprise tasks. Why do we say that?&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Once a Playbook is linked to a Blackberry smartphone with the Bridge application, all e-mail, files, or other corporate data that is accessed through the Bridge is stored in an encrypted partition of the Playbook. If the user loses the Playbook, but doesn't lose their phone, whoever has the Playbook cannot access the corporate data. If the user loses both the phone and the Playbook, the BES administrator can use the BES tools to disable the phone, and by proxy disable any access to the corporate data on the Playbook. It's the kind of IT elegance that makes administrators happy. It&amp;rsquo;s the kind of security that lets corporate risk officers sleep at night.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Unfortunately the Playbook isn't without its blemishes. It does a lot of the enterprise tasks that I want to do (browse the web, show customers presentations at trade shows, play Angry Birds on a plane), but its lack of native enterprise apps becomes obvious very quickly. There aren't enterprise apps available for Frost &amp;amp; Sullivan's CRM system or other leading CRM systems. Major conferencing and collaboration vendors have native apps for iPad and in some cases Android tablets. The business application category on the App World cupboard is quite bare. RIM is at a critical crossroads right now; they can't make many more missteps. Additionally, RIM has some very strong application development capabilities. We see developers first writing for iOS, then Android, then rarely for Playbook. With RIM's focus on enterprise, it may be a good strategy for RIM to develop certain key enterprise applications on its own and give those apps to the relevant stakeholders.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Playbook OS 2.0 was released just before RSA, but the Blackberry Bridge has been solving RSA 2012&amp;rsquo;s biggest issue for over a year now. To reiterate, Bridge just works. Bridge solves one of enterprise&amp;rsquo;s biggest problems of the day. Blackberry lets users BYOD, without creating undue risk. Administrators should want end users to BYOD the Playbook. The ball is now in RIM&amp;rsquo;s court to make end users want to BYOD the Playbook. &lt;/span&gt;&lt;/p&gt;</description>
      <pubDate>Fri, 02 Mar 2012 21:42:58 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1414775</guid>
      <dc:creator>Rufus Connell</dc:creator>
      <dc:date>2012-03-02T21:42:58Z</dc:date>
    </item>
    <item>
      <title>Cybersecurity to be the hottest topic at RSA 2012</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1396858</link>
      <description>
&lt;p style="padding-left: 90px;"&gt;&lt;a href="http://vimeo.com/36576185"&gt;ICT Cybersecurity&lt;/a&gt; from &lt;a href="http://vimeo.com/frostsullivan"&gt;Frost &amp;amp; Sullivan&lt;/a&gt; on &lt;a href="http://vimeo.com"&gt;Vimeo&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%; font-family: 'Arial','sans-serif';"&gt;In over 11 years of working with the Global 1000, Fortune 500, and SMBs to develop custom market intelligence for strategic business planning, there are only a handful of issues that have been as critical for global business as the issue of cybersecurity.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%; font-family: 'Arial','sans-serif';"&gt;For some organizations, there is the perception that the intense focus on cybersecurity happened quickly, but that isn&amp;rsquo;t the case. It developed because of a long and bruising security technology &amp;ldquo;arms race&amp;rdquo; that has pitted the business and government sectors against foreign governments, organized crime, hacktivists, and terrorist organizations. Although the word cybersecurity is common in today&amp;rsquo;s global business vernacular, there are still far too many businesses and government organizations that are woefully behind the curve in securing their networks and data. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%; font-family: 'Arial','sans-serif';"&gt;This fact was highlighted recently in an article &amp;ldquo;&lt;a href="http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?sq=traveling%20light%20in%20a%20time%20of%20digital&amp;amp;st=cse&amp;amp;scp=1&amp;amp;pagewanted=all" target="_blank"&gt;Traveling Light in a Time of Digital Thievery&lt;/a&gt;,&amp;rdquo; where Mike McConnell, Vice Chairman, Booz Allen Hamilton and former Director of National Intelligence &amp;amp; former Director, National Security Agency said &amp;ldquo;In looking at computer systems of consequence &amp;mdash; in government, Congress, at the Department of Defense, aerospace, companies with valuable trade secrets &amp;mdash; we&amp;rsquo;ve not examined one yet that has not been infected by an advanced persistent threat.&amp;rdquo;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%; font-family: 'Arial','sans-serif';"&gt;It was also highlighted in another recent article &amp;ldquo;&lt;a href="http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?sq=cameras%20may%20open%20up%20the%20board%20room&amp;amp;st=cse&amp;amp;scp=1&amp;amp;pagewanted=all" target="_blank"&gt;Cameras May Open Up the Board Room to Hackers&lt;/a&gt;.&amp;rdquo; I&amp;rsquo;ll admit that originally I was just intellectually intrigued with that threat potential until I found myself in a conference room in Silicon Valley last Friday to present strategic business recommendations to a client that had two video conferencing cameras at the end of the table.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%; font-family: 'Arial','sans-serif';"&gt;The point is that regardless of the environment, government, business, or &lt;a href="http://www.npr.org/blogs/thetwo-way/2012/02/03/146350626/anonymous-follows-hacking-of-fbi-scotland-yard-phone-call-with-attacks" target="_blank"&gt;personal computing&lt;/a&gt; (see article titled &amp;ldquo;&lt;a href="http://www.nytimes.com/2012/02/04/us/fbi-admits-hacker-groups-eavesdropping.html?_r=1&amp;amp;pagewanted=all" target="_blank"&gt;F.B.I. Admits Hacker Group&amp;rsquo;s Eavesdropping&lt;/a&gt;&amp;rdquo;), the need to heighten cybersecurity defenses in all walks of life is vital. The question many are asking is &amp;ldquo;can cybersecurity be adequately addressed by the private sector alone?&amp;rdquo; The answer from my perspective is an unequivocal &amp;ldquo;no.&amp;rdquo; Some areas of cybersecurity will never have a hard and quantifiable positive return on investment for private enterprise, which is why government &amp;ldquo;encouragement&amp;rdquo; and in some cases, regulation will likely become a necessity. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%; font-family: 'Arial','sans-serif';"&gt;As a Principal Consultant I am acutely aware of the inefficiencies of government. However, I&amp;rsquo;m also intimately familiar with the obsession private enterprise has on quarterly earnings and how it can prevent a company from aggressively implementing a comprehensive cybersecurity program. Unfortunately, organizations no longer have the luxury of debating and fighting over how to partner with government to counter the cybersecurity problem today. The fact is that leaders from government and enterprise must find a way to work amicably towards a common goal because the threat is getting worse by the day. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%; font-family: 'Arial','sans-serif';"&gt;In my recent market insight, &amp;ldquo;&lt;a href="prod/servlet/segment-toc.pag?segid=9856-00-0E-00-00" target="_blank"&gt;Cybersecurity: A Global Economic Crisis&lt;/a&gt;,&amp;rdquo; frank discussions I had with high-level executives revealed that discovery of new malware around the world skyrocketed and has a compound annual growth rate of around 100% (&lt;strong&gt;&lt;em&gt;Figure 1&lt;/em&gt;&lt;/strong&gt;). This malware is responsible for what many experts believe to be the largest transfer of wealth in the history of the world because it is doing more than stealing credit card numbers; it is stealing intellectual property from nations with economies that rely on innovation to grow (&lt;strong&gt;&lt;em&gt;Figure 2&lt;/em&gt;&lt;/strong&gt;). When innovation is stolen, service oriented economies will go bankrupt and where severe economic chaos develops, the potential for armed conflict is never far behind.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%; font-family: 'Arial','sans-serif';"&gt;This is why the issue of cybersecurity will be the most discussed topic at the &lt;a href="http://www.rsaconference.com/events/2012/usa/mightier.htm" target="_blank"&gt;2012 RSA Conference&lt;/a&gt; in San Francisco this week. It&amp;rsquo;s also the reason that everyone, regardless of profession, should pay attention to the cybersecurity debate taking place now in capitals and business centers around the world. &lt;/span&gt;&lt;/p&gt;</description>
      <pubDate>Mon, 27 Feb 2012 00:35:36 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1396858</guid>
      <dc:creator>Jarad Carleton</dc:creator>
      <dc:date>2012-02-27T00:35:36Z</dc:date>
    </item>
    <item>
      <title>Websense -Allowing organizations to experience a safe move into social networking sites</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1387927</link>
      <description>&lt;p class="VerdanaBodyText"&gt;The demand for web security has increased over time due to the emergence of Web 2.0 threats. Social networking sites continue to gain acceptance among organizations as a means to boost business communication. Enterprises increasingly utilize social networking sites for marketing their products or services. While these networking sites are a great resource for organizations, there is concern around the threats and risks involved in using them.&lt;/p&gt;&#xD;
&lt;p class="VerdanaBodyText"&gt;Cybercriminals have found ways to steal personal information through social networking sites. Social media sites are becoming the top vectors for stealing personal information from users and it&amp;rsquo;s only going to get worse over time. Cybercriminals are always looking for creative ways to steal user credentials and will use online forums to manipulate users into sending over personal data. So while the usage of these social networking sites is increasing, IT administrators are under pressure to allow employees to utilize and access these websites. IT administrators are struggling to find the means to keep employees from compromising pertinent business and personal data. Add mobility and remote workers to the equation, and administrators face the further challenge of controlling mobile devices as well.&lt;/p&gt;&#xD;
&lt;p class="VerdanaBodyText"&gt;Last year when I was working on our Content Filtering research, I saw that many traditional web filtering vendors were looking at providing more granular control to social media sites. I continually heard the mantras around cloud security, social media control and integration; these key topics were the top discussions last year. I recently spoke with Websense and was very impressed with how they are tackling the social media issues that companies are encountering. Websense tackles the problems with a web social control solution that was launched in October 2011. Websense&amp;rsquo;s new features include more control over employees&amp;rsquo; social media usage and bandwidth control.&lt;/p&gt;&#xD;
&lt;p class="VerdanaBodyText"&gt;As a leader in the web filtering market, Websense introduced new URL categories into its web gateway solution, creating a more powerful solution that will enhance how employees utilize the web today. Websense can analyze and classify within these 5 new URL categories and determine whether to allow, quota or block access:&lt;/p&gt;&#xD;
&lt;p class="VerdanaBodyText"&gt;New URL categories&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Dynamic DNS Category &amp;ndash; sites that mask their identity using Dynamic DNS services and can be associated with advanced persistent threats (APTs)&lt;/li&gt;&#xD;
&lt;li&gt;Viral Video Category &amp;ndash; sites that host rapidly popular videos&lt;/li&gt;&#xD;
&lt;li&gt;Surveillance &amp;ndash; sites that enable real-time monitoring from network cameras, webcams and other video recording devices. For example, organizations can allow parents to view cameras set up at the day care rather than block them altogether&lt;/li&gt;&#xD;
&lt;li&gt;Entertainment Video Category &amp;ndash; sites that host videos for entertainment content&lt;/li&gt;&#xD;
&lt;li&gt;Education Video Category &amp;ndash; sites that host academic or instructional videos&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p class="VerdanaBodyText"&gt;Websense&amp;rsquo;s new social web controls also offer organizations more control over how employees can access a social media website such as Facebook, LinkedIn, Twitter or YouTube. The organization can allow an employee to access the site and read comments, but not post anything. The features can also help monitor and control what is being accessed by the employee. Social web controls include 30 unique controls, with 11 dedicated just to Facebook. Since Facebook is constantly changing, Websense lets organizations block and make granular changes in real time. Websense can look within a script and choose which parts to block and which to keep open. Doing real-time analysis within a script has differentiated Websense from other web filtering vendors offering social networking controls. Websense continues to work diligently on improving its social networking controls. Recently the company partnered with Facebook to help protect users against clicking on any bad URL links which can lead to malware. The threat landscape quickly changes every day and I believe Websense has what it takes to help organizations enjoy a safe social networking experience.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;Martha Gomez Vazquez is occasionally allowed out of her cube, but if not then she can be reached by e-mail martha.vazquez@frost.com&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p class="VerdanaBodyText"&gt;&amp;nbsp;&lt;/p&gt;</description>
      <pubDate>Wed, 22 Feb 2012 17:48:01 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1387927</guid>
      <dc:creator>Martha Vazquez</dc:creator>
      <dc:date>2012-02-22T17:48:01Z</dc:date>
    </item>
    <item>
      <title>DMARC: End of Spam and Phishing for Good?  Maybe, But Proof-of-Concept Still Needed</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1353928</link>
      <description>&lt;p&gt;&lt;img src="upld/get-data.do?id=1353907" alt="DMARC Contributors" width="462" height="155" align="left" /&gt;It was recently announced back in March of 2011 that the &lt;a href="http://dmarc.org/about.html"&gt;DMARC&lt;/a&gt; (Domain-based Message Authentication, Reporting &amp;amp; Conformance) organization, consisting of AOL, Facebook, Cloudmark, LinkedIn, Bank of America, PayPal and other leading organizations, proposed a new operational specification for the current email authentication infrastructure. In short, the proposal would ensure that email senders can prove they are indeed the true originator, and that receivers can take appropriate action if the email is spam or junk, or simply reject the email altogether. The grand aim of this new specification is simply to reduce or even eliminate spam emails, permanently.&lt;/p&gt;&#xD;
&lt;p&gt;So will this new email authentication protocol actually work? Interestingly, the new proposed changes are borrowing two fairly old email authentication technologies that have not been widely adopted by many companies and organizations, specifically the &lt;a href="http://www.ietf.org/rfc/rfc4408.txt"&gt;Sender Policy Framework (SPF)&lt;/a&gt; and &lt;a href="http://www.dkim.org/"&gt;DomainKeys&lt;/a&gt; &lt;a href="http://www.dkim.org/"&gt;Identified Mail (DKIM)&lt;/a&gt; frameworks. Taking a deep dive approach, I will give you an overview of what they are about, their weaknesses and their flaws as a stand-alone solution:&lt;/p&gt;&#xD;
&lt;p&gt;SPF allows owners to specify IP addresses tied to a list of computers that are mapped to a domain name (for example, host computers I designated as authorized email senders on the Domain Name System (DNS) for ben.com, will only be seen by the receivers). However, it has a problem with handling forwarded email messages. This occurs when the sender changes to another ISP and simply begins forwarding emails from their original email address to another non-specified server. With the lack of end-to-end authentication, there is no true way to determine the authenticity of incoming emails as to their origin. Also, spammers can take advantage of SPF&amp;rsquo;s weakness by forging email addresses and registering those records into DNS servers in order to pass SPF checks. The other issue here is the belief that SPF acts as a spam filter, when it does not. SPF only detects forged emails and so there is still the need to have an endpoint security solution on receiving hosts. More importantly, SPF is still considered experimental and is still in its development phase, according to the &lt;a href="http://www.ietf.org/rfc/rfc4408.txt"&gt;Request for Comments 4408 (RFC).&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;DKIM relies on public key cryptography based on a sender email authentication framework. This includes the digital signature, a domain name, and email contents (header and body). DKIM (usually installed in the email server) signs or encrypts the message using a private key. The public key is stored in the DNS servers where the receiver can retrieve and validate the signature by using the public key for genuineness of the sender. The whole point is to ensure that the email has not been modified in any manner and trust is attained between sender and receiver.&lt;/p&gt;&#xD;
&lt;p&gt;Problem: Forwarding once again poses a problem for DKIM. If an email using DKIM is signed, but then forwarded to another mail server (such as a Blackberry server), the message will become modified with added tags (i.e., &amp;ldquo;Sent from my Blackberry device.&amp;rdquo;). The end result will be a false positive flag given to the receiver in that the email was compromised and will most likely result in a rejection of the message. Also, in terms of availability and performance, CPU and RAM resources need to be considered when cryptographic functions are being processed on very large volumes of email. DNS servers themselves are prone to DDoS attacks, causing delays and even worse, data loss.&lt;/p&gt;&#xD;
&lt;p&gt;DMARC will attempt to close these two gaps. It will improve the assurance and guidance between the sender and receiver in order to manage failed email messages and reduce or even possibly eliminate spam and phishing attacks compared to today&amp;rsquo;s current standards. What I see as a problem in the future is lack of adoption and the persistence of spammers circumventing this new proposal. Although many leading companies have joined in, it will take a long time until all mail and DNS servers become standardized with this new protocol, mostly due to smaller organizations with lower capital adopting at a much slower rate. Email attackers could also still create a genuine DMARC-compliant email for phishing attacks if crafted carefully. How DMARC will actually address this is yet to come. Nevertheless, this is one positive step in addressing an old problem that has been a thorn for almost everyone in the world.&lt;/p&gt;</description>
      <pubDate>Thu, 09 Feb 2012 21:04:28 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1353928</guid>
      <dc:creator>Ben Ramirez</dc:creator>
      <dc:date>2012-02-09T21:04:28Z</dc:date>
    </item>
    <item>
      <title>FIPS 140-2 Certification Reinforces RIM Commitment to Security</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1343200</link>
      <description>&lt;p&gt;BlackBerry smartphones with 7.0 and 7.1 operating systems were recently awarded &lt;a href="http://press.rim.com/release.jsp?id=5361"&gt;FIPS 140-2 certification&lt;/a&gt; by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC). While the FIPS 140-2 and Common Criteria certification were expected deliverables from RIM, there are some important takeaways from the announcement:&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Security Still RIM&amp;rsquo;s Bread &amp;amp; Butter. &lt;/em&gt;&lt;/strong&gt;FIPS 140-2 is a security standard used to accredit devices or modules that include both hardware and software components. In both the US and Canada, FIPS certification is required before a device can be used by a government agency. These are expensive processes to complete, both in terms of financial expenditures and resources, and RIM&amp;rsquo;s recent accreditation demonstrates a continued level of commitment to industries such as government, financial services, and healthcare which inherently disseminate highly sensitive information. With 7.0 &amp;amp; 7.1 BlackBerry devices and the PlayBook now certified under the FIPS program, government agencies and other highly regulated verticals are more apt to deploy an expanded RIM product portfolio.&lt;em&gt;&lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Reinforces RIM&amp;rsquo;s Commitment to Government Sector. &lt;/em&gt;&lt;/strong&gt;There has been speculation that some government agencies have become increasingly concerned over the long term viability of RIM. This has been fueled by highly publicized network outages, questions on BlackBerry&amp;rsquo;s future OS roadmap, and the company&amp;rsquo;s overall financial stability. Some analysts have even suggested that RIM may be phased out of certain government agencies as quickly as practical. The reality, however, is that RIM maintains an extremely strong government foothold with over one million active North American government users. Scott Totzke, senior VP of BlackBerry security at RIM, has indicated RIM continues to see &amp;lsquo;steady and incremental growth&amp;rsquo; in the federal sector in terms of new subscriber acquisition and refresh business. Churn rates are substantially lower in government than other verticals. Moreover, the recent security certifications only reinforce RIM&amp;rsquo;s commitment to the sector, so RIM&amp;rsquo;s foothold is unlikely to deteriorate any time soon.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Competitive Environment Intensifies. &lt;/strong&gt;&lt;/em&gt;Nevertheless, the mobile device landscape is evolving and&amp;nbsp;it is inevitable that federal agencies will increasingly evaluate alternatives to BlackBerry such as Android and iOS devices. The Department of Defense, for example, has developed a secure kernel for the Android 2.2 OS with FIPS 140-2 capability and is currently testing a variety of customized applications. Military contractors, Harris and Intelligent Software Solutions (ISS), are actively developing applications for the iPhone, iPad and the Android platform. The diversity of mobile devices and overall competitive environment will only continue to intensify and, although adoption may move slower than what we have seen in other vertical markets, a more heterogeneous mobile environment in government is inevitable.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;How can RIM Maintain Strong Government Foothold? &lt;/strong&gt;&lt;/em&gt;RIM&amp;rsquo;s announcement of &lt;a href="http://press.rim.com/release.jsp?id=5285"&gt;Mobile Fusion&lt;/a&gt; was an acknowledgement that RIM (finally) came to terms with the growing diversity of mobile devices in the enterprise. Similar to the early days of mobility in enterprise, RIM was once essentially the only &amp;lsquo;game in town&amp;rsquo; for government employees. However, times have changed. Thus, it is critical that RIM stay ahead of the curve in the government sector and be proactive rather than reactive with respect to evolving trends toward device diversity. RIM currently has a number of enterprise beta customers for BlackBerry Mobile Fusion, however, none yet in the federal sector. So some advice for RIM:&lt;em&gt; &lt;/em&gt;Leverage your existing foothold in government by continuing to emphasize and enhance core competencies such as advanced security capabilities and commitments to the most stringent security standards, but stay ahead of the curve&amp;nbsp;by aggressively moving forward with Mobile Fusion for Government&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;</description>
      <pubDate>Tue, 07 Feb 2012 05:15:43 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1343200</guid>
      <dc:creator>Brent Iadarola</dc:creator>
      <dc:date>2012-02-07T05:15:43Z</dc:date>
    </item>
    <item>
      <title>Vulnerability Bounty Hunters</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1308121</link>
      <description>&lt;p&gt;&lt;img src="upld/get-data.do?id=1308111" alt="Our Vulnerability Research Outfit" align="left" /&gt;Bounty hunter. The term conjures up images of anti-heroes and &lt;a href="http://starwars.wikia.com/wiki/Boba_Fett"&gt;rogues&lt;/a&gt; with awesome weapons and tactics in pursuit of the most dangerous criminals (or maybe just &lt;a href="http://en.wikipedia.org/wiki/Dog_the_Bounty_Hunter"&gt;mullets&lt;/a&gt;). So it may be a surprise that the network security industry has its own version of these vigilantes for hire. Only, instead of searching out dangerous criminals, independent researchers are tasked with discovering and reporting software vulnerabilities.&lt;/p&gt;&#xD;
&lt;p&gt;Unlike modern bounty hunters, an independent researcher only needs to decide that they would like to hunt for software vulnerabilities, then go out and do it. When researchers discover a software bug they can then choose to report it to the appropriate authority (a software vendor, a security company, or the US-CERT). For years, independent researchers did this for peer recognition or from the goodness of their heart.&lt;/p&gt;&#xD;
&lt;p&gt;However, it soon became clear that less scrupulous researchers did this to find and exploit vulnerable programs or to sell these vulnerabilities to criminal organizations. The value of these black market transactions can only be estimated but the most high-impact vulnerabilities can sell for as much as a million dollars. To combat this practice, security vendors developed bounty programs to encourage responsible disclosure and increase research efforts.&lt;/p&gt;&#xD;
&lt;p&gt;While many security companies have offered bug bounty programs, there is now a growing trend of vendors offering rewards of their own. For example, &lt;a href="http://finance.yahoo.com/news/facebook-s-reward-for-bug-hunters.html?l=1"&gt;Facebook&lt;/a&gt; announced its own program in 2011 and has already awarded $190,000 for original, responsibly-disclosed vulnerabilities. Google has awarded $700,000 since its bounty program debuted in 2010. Microsoft refuses to pay for vulnerabilities, but is focusing on a new strategy to block an entire class of vulnerabilities for a single lump sum of &lt;a href="http://www.computerworld.com/s/article/9218845/Microsoft_kicks_off_250_000_security_contest?taxonomyId=17&amp;amp;pageNumber=2"&gt;$250,000&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p&gt;Whether it works or not, Microsoft&amp;rsquo;s strategy focuses on a long-term solution, which is admirable. Unfortunately, this strategy neglects to address the immediate threat. In effect, vulnerabilities are the keys to a successful cyber attack; therefore the search for these bugs is a constant arms race. By refusing to pay for vulnerabilities, Microsoft reduces the available outlets for responsible disclosure. Fortunately, companies such as &lt;a href="http://www.zerodayinitiative.com/"&gt;HP TippingPoint&lt;/a&gt; and &lt;a href="http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/index.xhtml?loc=en_US"&gt;VeriSign iDefense&lt;/a&gt; are able to pick up this slack with their highly successful vulnerability bounty programs.&lt;/p&gt;&#xD;
&lt;p&gt;In the end, there is a market for everything. The reality is that software vendors face deadlines, budget constraints, and increasing pressure for new features and capabilities. All of these factors ensure that software vendors will not be able to produce flawless programs. Software vendors must improve secure development processes, increase quality testing, and hire penetration testers (and overall have shown tremendous improvement in this area already). This will reduce the number of vulnerabilities and especially the &amp;ldquo;low-hanging fruit.&amp;rdquo; But there will always be software bugs. Vendors must be ready and willing to reward researchers for their efforts or prepare to lose business after the next &lt;a href="http://www.bloomberg.com/news/2012-01-17/amazon-s-zappos-com-sued-by-customer-after-hackers-theft-of-account-data.html"&gt;data breach&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p&gt;****&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;Industry Analyst Chris Rodriguez can be found knee-deep in spreadsheets or messaged &lt;/em&gt;&lt;a href="mailto:chris.rodriguez@frost.com"&gt;&lt;em&gt;here&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&amp;nbsp; &lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;For additional information about vulnerability research, check out Frost &amp;amp; Sullivan&amp;rsquo;s quarterly study entitled &lt;/em&gt;&lt;/strong&gt;&lt;a href="q250535849"&gt;&lt;strong&gt;&lt;em&gt;Analysis of the Global Vulnerability Research Market in Q3 2011&lt;/em&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;em&gt; or learn more about &lt;/em&gt;&lt;/strong&gt;&lt;a href="c/10402/home.do"&gt;&lt;strong&gt;&lt;em&gt;Network Security&lt;/em&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;em&gt;.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;</description>
      <pubDate>Fri, 03 Feb 2012 21:45:27 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1308121</guid>
      <dc:creator>Chris Rodriguez</dc:creator>
      <dc:date>2012-02-03T21:45:27Z</dc:date>
    </item>
    <item>
      <title>Forget Your Password? Social Login Is There to Help</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1302589</link>
      <description>&lt;p&gt;This blogpost first appeared on &lt;a href="http://bit.ly/z4j1cP" target="_blank"&gt;Social Media Today&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p&gt;=======================&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;Janrain and Gigya Ease the Pain of Password Amnesia with Social Login, While Providing Rich Profile Data to Publishers and Brands&lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;No doubt you&amp;rsquo;ve visited some of your favorite websites and forgot your password. And we all know that the &amp;lsquo;Forgot your password?&amp;rsquo; is still another nuisance because it requires having to create a new password &amp;ndash; which hopefully you&amp;rsquo;ll remember.&lt;/p&gt;&#xD;
&lt;p&gt;Enter social login: the option to &amp;lsquo;Sign in with Facebook&amp;rsquo; or &amp;lsquo;Sign in with Twitter&amp;rsquo;.&lt;/p&gt;&#xD;
&lt;p&gt;I recently had a chance to catch up with the two largest providers of this social plugin functionality, &lt;a href="http://www.janrain.com/"&gt;Janrain&lt;/a&gt; and &lt;a href="http://www.gigya.com/"&gt;Gigya&lt;/a&gt;, to discuss what this means for marketing, publishing, and beyond.&lt;/p&gt;&#xD;
&lt;p&gt;For some insight into consumer adoption of social login, Janrain conducted a &lt;a href="http://www.janrain.com/consumer-research-social-signin"&gt;study&lt;/a&gt; with Blue Research, and learned that a whopping 86% of consumers are bothered by registering at a website, and four in five people are frustrated by the need to create new accounts when registering on a website. Further, 88% admit to having given incorrect information or left forms incomplete when creating a new account at a website (I admit: I&amp;rsquo;ve done this in the past), and 9 in 10 people (versus 45% in the 2010 study) admit they have left a website if they forgot their password or log-in info, instead of trying to recover their password.&lt;/p&gt;&#xD;
&lt;p&gt;The ability to login using an already-familiar username and password &amp;ndash; one&amp;rsquo;s social network credentials, such as those for Facebook or Twitter &amp;ndash; could ease the pain. Indeed, according to the Janrain study, almost eight in ten people want social login to be offered as an alternative.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;The Bigger Picture, and Bigger Data&lt;/strong&gt;&lt;br /&gt; But for marketers, social login is only one small part of the story, as I learned from these companies.&lt;/p&gt;&#xD;
&lt;p&gt;Social login, along with its associated plugins, feeds, and analytics, provides access to a rich trove of data which can be used to fuel marketing strategies, advertising creative and ad serving, and content and product recommendations. As we all know, feedback, opinions, and endorsements drive sales, and what better to draw from than a user&amp;rsquo;s social graph?&lt;/p&gt;&#xD;
&lt;p&gt;Social login contributes to a growing set of solutions known as social CRM. While in traditional CRM, sales and customer service professionals are responsible for updating the database and populating it with information that leads to more sales or higher customer service levels, social CRM uses social media, and the information collected from public-facing social networks, to capture data about customers and prospects. Analytics are added to this data to predict behavior, and then the company can decide to engage, interact, and ultimately drive them to sales channels.&lt;/p&gt;&#xD;
&lt;p&gt;Counting tweets or Facebook wall posts certainly helps companies understand how their brand and products are received in the market (I recently completed a study on the social media monitoring solutions market, which should be published shortly), but having access to the complete social profiles of the people doing the tweeting or Facebook updating is far, far richer. As such, Janrain and Gigya are on the forefront of the social CRM revolution. As they have advanced analytics products beyond social login, they are well-positioned to integrate their solutions and add a layer of data that can drive overall marketing, content, and product strategy.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;lsquo;Social profile data is an emerging category of data, and delivers more insights into registrants and clients,&amp;rsquo; notes Lisa Hannah, director of marketing for Janrain.&lt;/p&gt;&#xD;
&lt;p&gt;Clearly, marketers have a significant opportunity to increase conversion rates and online engagement by replacing traditional registration with social login. Both Janrain and Gigya have data about increased engagement, interactivity, and conversion by users who have brought their entire social graph into their web experience. Gigya has an infographic &lt;a href="http://techcrunch.com/2012/01/18/want-more-stickiness-users-logging-in-through-social-networks-spend-50-more-time-on-site/"&gt;here&lt;/a&gt; about social login and site engagement.&lt;/p&gt;&#xD;
&lt;p&gt;However, if the social networks&amp;rsquo; APIs are free (for the most part), why would a company need to engage a provider like Janrain or Gigya? &amp;lsquo;This is not set it and forget it technology,&amp;rsquo; explains Victor White, senior marketing manager for Gigya. &amp;lsquo;Clients do not have full-time developers or engineers to ensure that this technology can be implemented and maintained, and it saves them a lot of time in development resources.&amp;rsquo; Both companies&amp;rsquo; pricing is on a sliding-scale SaaS.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;Not for Everyone&lt;/strong&gt;&lt;br /&gt; The downside, of course, is that not everyone uses social login &amp;ndash; perhaps because they are OK with remembering yet another username and password (23% of the respondents in the Janrain survey think that websites should &lt;em&gt;not&lt;/em&gt; offer social login instead of a traditional registration process), or they are aware that their social data would be shared and are concerned with privacy.&lt;/p&gt;&#xD;
&lt;p&gt;Another downside is that in certain industries or sectors, social sign-in just doesn&amp;rsquo;t work. Would you sign in to your online bank account with Facebook? Hardly.&amp;nbsp;&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;The B2B space will see a slower uptake of social login, as personal information scraped from a personal Facebook profile most likely holds little value in B2B or professional services markets. However, a &amp;lsquo;Sign in with LinkedIn&amp;rsquo; functionality is available, and while we haven&amp;rsquo;t really seen much of this &amp;ndash; yet &amp;ndash; I expect we will. &lt;a href="http://www.salesforce.com/us/developer/docs/api/index.htm" target="_blank"&gt;Salesforce.com also has an open API&lt;/a&gt;, and interestingly, a &amp;lsquo;Sign in with Salesforce&amp;rsquo; option might also become pervasive in the B2B space.&lt;/p&gt;&#xD;
&lt;p&gt;Social login is global, too. Gigya has relationships with Mixi (Japan), Orkut (Brazil), and VKontakte (now rebranded VK.com, in Russia) for access to social profiles and data. Fascinatingly, Chinese social network RenRen has an open API, and is also on board. (So much for the secrecy of social networking in China.)&lt;/p&gt;&#xD;
&lt;p&gt;Finally, the ultimate purveyor of social CRM is perhaps Google. With the launch of Google+, and including data combed from activities on YouTube, Google Docs, Picasa, Maps, and other applications and sites &amp;ndash; all through the &amp;lsquo;social login&amp;rsquo; of a Gmail account -- Google is building perhaps one of the largest social CRM databases. As such, Google had social login figured out quite some time ago.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>
      <pubDate>Wed, 01 Feb 2012 20:38:16 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1302589</guid>
      <dc:creator>Jake Wengroff</dc:creator>
      <dc:date>2012-02-01T20:38:16Z</dc:date>
    </item>
    <item>
      <title>Sourcefire FireAMP- Blocking Malware through better Visibility and Controls</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1286653</link>
      <description>&lt;p&gt;Endpoint security is a market that continues to be competitive despite the perception of endpoint security products as a commodity product for enterprises. While endpoint security has become a necessity for businesses, endpoint security vendors struggle to offer competitive pricing models while staying ahead of the newest and most advanced threats and adding new features. In today&amp;rsquo;s threat landscape, businesses are looking beyond the capabilities of just an anti-virus product, for solutions that provide an in-depth capability to protect against the newest threats. In recent years, we have also witnessed the demand for better management capabilities with in-depth analytic capabilities. This is a broad list of requirements and when I received a briefing from Sourcefire, a well known IPS vendor, around their just released FireAMP&amp;trade; endpoint security product, I was a little skeptical. At the end of the briefing, I realized that Sourcefire really might be on to something. While not a replacement for anti-virus, FireAMP might just be the missing layer of defense for the modern enterprise.&lt;/p&gt;&#xD;
&lt;p&gt;Sourcefire&amp;rsquo;s FireAMP is a malware discovery and analysis solution that utilizes big data analytics to identify advanced malware threats. FireAMP is designed to work hand in hand with other malware products and offers an additional layer of protection for enterprises. FireAMP will allow large enterprises to increase their visibility and control of advanced threats that are likely missed by other security solutions.&lt;/p&gt;&#xD;
&lt;p&gt;FireAMP is an extension of Sourcefire&amp;rsquo;s Agile Security vision. FireAMP utilizes five new capabilities:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;FireCLOUD &amp;ndash; A cloud-based infrastructure which detects advanced threats by leveraging big data analytics to identify and score threats missed by other security solutions.&lt;/li&gt;&#xD;
&lt;li&gt;File Trajectory &amp;ndash; The ability to track and identify the pathway and entrance of the malware within an organization&lt;/li&gt;&#xD;
&lt;li&gt;File Analysis &amp;ndash; Utilizes the Sourcefire Vulnerability Research team to collect security intelligence and determine whether to allow or block malware based on its behavior&lt;/li&gt;&#xD;
&lt;li&gt;Outbreak Control &amp;ndash; Automatically blocks malware without requiring an update from the customer&amp;rsquo;s security vendor&lt;/li&gt;&#xD;
&lt;li&gt;Cloud Recall &amp;ndash; Continuous in-the-cloud analysis of historical file activity to discover and remediate threats that were previously missed&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;The basis for Sourcefire&amp;rsquo;s FireAMP is to create an in-depth security solution that can protect from malware that may not have been picked up by the enterprise&amp;rsquo;s current antivirus vendor. With threats spreading and becoming advanced so quickly, having one single endpoint security vendor is just not enough. Organizations are still struggling with combating the spread of malware infections. Sourcefire&amp;rsquo;s FireAMP is not intended to replace any antivirus vendor, but is expected to complement the security solution. While I believe this is a great alternative for enterprises, I do think it may be challenging to convince an enterprise to invest in another endpoint solution. The advantage that Sourcefire has is its existing customer base. Sourcefire will be able to target its existing security customers and convince them to use this solution hand in hand with its IPS or its firewall solutions. FireAMP today only works with Windows and is a stand-alone management console, not yet integrated with Sourcefire&amp;rsquo;s other security solutions. Sourcefire plans to work on this integration and this will become a greater key value for FireAMP in the future.&lt;/p&gt;&#xD;
&lt;p&gt;Sourcefire FireAMP has some interesting aspects to its reporting capabilities. The level of visibility and control is very detailed. FireAMP&amp;rsquo;s ability to provide an in-depth tracking analysis helps determine which user became infected first and provides a pathway of infection. Threats continue to get worse and increase every day. By now, we know they are not going away anytime soon. All in all, I believe FireAMP will work great for those organizations that need advanced protection and reporting customization.&lt;/p&gt;</description>
      <pubDate>Wed, 25 Jan 2012 20:18:20 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1286653</guid>
      <dc:creator>Martha Vazquez</dc:creator>
      <dc:date>2012-01-25T20:18:20Z</dc:date>
    </item>
    <item>
      <title>The North America Managed Security Service Providers Market (MSSP): Experiencing Strong Growth during Economic Uncertainties</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1286521</link>
      <description>&lt;p&gt;I recently published Frost &amp;amp; Sullivan&amp;rsquo;s 2011 Analysis of the Managed Security Service Providers (MSSPs) Market: Experiencing Strong Growth during Economic Uncertainties. The study &lt;a href="prod/servlet/report-toc.pag?repid=NA04-01-00-00-00&amp;amp;ctxixpLink=FcmCtx5&amp;amp;ctxixpLabel=FcmCtx6"&gt;http://www.frost.com/prod/servlet/report-toc.pag?repid=NA04-01-00-00-00&amp;amp;ctxixpLink=FcmCtx5&amp;amp;ctxixpLabel=FcmCtx6&lt;/a&gt; is already available on Frost.com for our Information Security subscribers. In 2010 and moving through 2011, the MSSP market continues to experience strong growth. This can be attributed to organizations evaluating security service providers to deliver capabilities that augment their in-house experience and ability.&lt;/p&gt;&#xD;
&lt;p&gt;Despite healthy growth, the market continues to evolve and incumbent vendors are challenged by new players and increasing demands from customers. Alleviating some of these challenges has been witnessed by the consolidation of several MSSPs in the past few years. The latest MSSP acquisition was with Dell and SecureWorks in 2011. The move for IT companies to include managed security as a service into their portfolio is becoming more important as we also witnessed this with IBM and ISS, and HP with EDS. While managed security is becoming more important for IT companies to offer, MSSPs are also seeing this as a way to expand their capabilities and market growth.&lt;/p&gt;&#xD;
&lt;p&gt;In the past, businesses were skeptical of outsourcing their business and especially their security to another 3&lt;sup&gt;rd&lt;/sup&gt; party vendor, but today the MSSP model is becoming more accepted by small and large enterprises. There are many reasons why the MSSP model is becoming widely more accepted:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;The ability to maintain and manage a secure infrastructure is becoming more complex for business. Organizations are realizing that traditional security practices are not effective enough to prevent data breaches and other attacks.&lt;/li&gt;&#xD;
&lt;li&gt;Maintaining compliance is a necessity for most businesses, but not their core focus. Bringing in an MSSP to help alleviate compliance needs helps businesses focus on other core competencies.&lt;/li&gt;&#xD;
&lt;li&gt;Adopting an MSSP helps offset the costs associated with implementing new products and staffing.&lt;/li&gt;&#xD;
&lt;li&gt;The shortage of security expertise is helping to drive businesses to choose an MSSP. Organizations are finding that MSSPs are a viable alternative for businesses that have a shortage of in-house security expertise. As security becomes critical for businesses, the need to have that expertise for various solutions will continue to increase over time.&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;While there is a need for an MSSP, businesses may be reluctant to adopt such a model. The challenges include:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Demonstrating to a business the true ROI for adopting an MSSP model&lt;/li&gt;&#xD;
&lt;li&gt;Getting a business to accept outsourcing rather than keeping its security in-house&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;While growth in the MSSP market is favorable for MSSPs, MSSPs still face the daunting task of offering services that continue to increase in demand. Embracing and supporting emerging technologies is a challenge for vendors in the MSSP market. As outsourcing continues to increase and become more popular, businesses are demanding broader platforms/technology support and more flexibility from the vendors. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Along with offering emerging technologies, MSSPs face the challenge of offering these services at the lowest possible price. Commoditization in the MSSP market makes differentiating between various MSSPs difficult for customers. Customers have difficulty understanding the benefits offered by selecting one provider over another and as a result MSSPs have seen a downward effect on pricing pressures. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;All in all, due to the growth of the MSSP market, Frost &amp;amp; Sullivan expects to see more value-added resellers (VARs) and other vendors entering this profitable market. VARs have the advantage of providing more focused, regionalized support to their customers. To succeed in the MSSP market, MSSPs will have to continue to diversify services, adding depth and various deployment options for customers while still providing a cost-effective price.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;For additional information regarding revenue growth, market trends and competitive analysis, check out Frost &amp;amp; Sullivan&amp;rsquo;s annual North America market study entitled Analysis of the Managed Security Service Providers Market &amp;ndash; Experiencing Strong Growth during Economic Uncertainties.&lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;Martha Gomez Vazquez is occasionally allowed out of her cube, but if not then she can be reached by e-mail martha.vazquez@frost.com&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;</description>
      <pubDate>Wed, 25 Jan 2012 19:19:32 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1286521</guid>
      <dc:creator>Martha Vazquez</dc:creator>
      <dc:date>2012-01-25T19:19:32Z</dc:date>
    </item>
    <item>
      <title>Operation Megaupload: Are Companies and Organizations Negligent with Today's Cyber Threats?</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1286346</link>
      <description>&lt;p&gt;&lt;img src="upld/get-data.do?id=1286337" alt="Anonymous Hackers" width="140" height="120" align="left" /&gt;Recently, an online retail store called Zappos experienced an enormous cyber attack on January 16, 2012. A data breach occurred resulting in loss (or compromise) of twenty-four million customer names, e-mails, physical addresses, phone numbers and the last four digits of credit card numbers. Although the incident only caused minimal monetary damage to the company in terms of intellectual property and private data, customer reputation and confidence towards the company&amp;rsquo;s e-commerce system is now lower than ever before. Investigators are still trying to piece together who is responsible for the attack, but this brings us to an important topic on the recent cyber attacks conducted by Anonymous, involving such major sites as the U.S. Department of Justice and Universal Music Group, the largest music record label in the United States.&lt;/p&gt;&#xD;
&lt;p&gt;What does this mean in terms of security posture and infrastructure assurance for these hacked companies? Was complacency to blame for a faulty security system because executives felt there was no need for a security deployment? Did they feel that their sites had negligible information that did not justify a solid security deployment? Apparently, these organizations believed so and as a result, a swift cyber attack overwhelmed their sites and caused denial-of-service and data loss.&lt;/p&gt;&#xD;
&lt;p&gt;The attack was called Operation Megaupload, created by the notorious hacker group Anonymous, a collective group of hackers held responsible for recent attacks on Amazon, PayPal, major credit card companies and even major government sites such as the FBI. The attack was considered retaliation in response to the U.S. government&amp;rsquo;s recent crackdown on Megaupload.com, a popular file hosting site against which the federal government executed a huge piracy indictment. The FBI, Recording Industry Association of America (RIAA), and Motion Picture Association of America (MPAA) were all targeted by Anonymous.&lt;/p&gt;&#xD;
&lt;p&gt;This is a major wakeup call for these organizations. Certainly, if confidential or private data is not truly an important reason to implement security controls, then public confidence and reputation should be a high priority to do so. It is understandable that capital budgets seem to be the main factor in executive decisions not to deploy a strategic security plan, but they must consider the monetary damage such as lawsuits, overwhelming customer calls (over 1 million calls were made in just one hour after the security incident was declared, causing significant costs in terms of productivity), and the difficulty of rebuilding customer trust. &amp;nbsp;Anonymous doesn&amp;rsquo;t seem to be leaving anytime soon and others like them are inevitably following in their footsteps. As a counter to these types of attacks, executives can purchase DDoS security products from various vendors. &lt;a href="http://www.arbornetworks.com/"&gt;Arbor Networks&lt;/a&gt; has a long-standing tradition in the anti-DDoS space, with a variety of products that can monitor and protect networks from DDoS attacks using real-time analysis in order to detect and mitigate these types of threats. Also, &lt;a href="http://prolexic.com/index.html"&gt;Prolexic&lt;/a&gt; is another, newer vendor that mitigates DDoS attacks by redirecting to a Prolexic filter or cleaner device, thereby allowing business continuity.&lt;/p&gt;&#xD;
&lt;p&gt;Perhaps vulnerability assessments were not properly carried out. Maybe risk management underestimated the probability of occurring threats within their IT systems. Whatever the case may be, one thing is certain: Security assurance, awareness and preparation are extremely lacking in today&amp;rsquo;s IT infrastructure. Hackers are viewed to be one step ahead in comparison to existing security defenses, but if we&amp;rsquo;ve learned one thing from Anonymous and other hackers it is that we need to be just as competent, persistent and tenacious to keep abreast of the current threats in our chaotic cyber environment. We must recognize that security should not be taken lightly. It should be a top priority for every organization, especially those handling sensitive data. We must admit to the fact that we are not safe from anyone, anytime.&lt;/p&gt;</description>
      <pubDate>Wed, 25 Jan 2012 18:27:25 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1286346</guid>
      <dc:creator>Ben Ramirez</dc:creator>
      <dc:date>2012-01-25T18:27:25Z</dc:date>
    </item>
    <item>
      <title>LogRhythm - Why Managed SIEM is the Way to Go</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1274816</link>
      <description>&lt;p&gt;I recently received an update from LogRhythm.&amp;nbsp; LogRhythm released its 6.0 version a couple of months ago and now was a good time to get an update on the progress of that deployment.&amp;nbsp; Version 6.0 was an important update for LogRhythm as it added the following features:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Accelerated Detection of Threats and Breaches&lt;/li&gt;&#xD;
&lt;li&gt;Automated Intelligent Response&lt;/li&gt;&#xD;
&lt;li&gt;Expanded Embedded Expertise&lt;/li&gt;&#xD;
&lt;li&gt;Accelerated Performance and Extended Support for Big Data&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;Overall, we like the direction LogRhythm is taking with their product and feel like it&amp;rsquo;s a good fit for the current SIEM environment.&amp;nbsp; The company&amp;rsquo;s record YoY growth in Q4 2011 alone, 75%, truly represents the company&amp;rsquo;s aggressive efforts in channel expansion and overall development of their SIEM. The company also has recently joined Sourcefire Technology Partner Program, giving customers expanded coverage with Sourcefire&amp;rsquo;s Next-Generation Intrusion Prevention Systems (IPS) and LogRhythm&amp;rsquo;s latest SIEM features. LogRhythm recognizes the constant pressure organizations face warding off persistent threats and other cyber attacks. This latest move not only builds upon their product but also further validates the power behind their technology.&lt;/p&gt;&#xD;
&lt;p&gt;Given the many SIEM acquisitions that occurred just in 2011, I feel like SIEM-as-a-managed-service is the most viable product direction for SIEM vendors.&amp;nbsp; Look again at last year&amp;rsquo;s acquiring companies &amp;ndash; Solar Winds, IBM, and McAfee &amp;ndash; and two things immediately become clear.&amp;nbsp; First, the stand-alone SIEM field has become very narrow and second, most of the vendors that were acquired appear to be getting the integration treatment.&amp;nbsp; While this is fine for enterprises building a holistic solution with a single vendor, there are still going to be many organizations that have existing pieces in place and would prefer to just buy the SIEM from a separate provider.&amp;nbsp;&lt;/p&gt;&#xD;
&lt;p&gt;Martha Vazquez just published her annual &lt;a href="prod/servlet/report-toc.pag?repid=NA04-01-00-00-00&amp;amp;ctxixpLink=FcmCtx3&amp;amp;ctxixpLabel=FcmCtx4"&gt;North America MSSP&lt;/a&gt; research and for the second year in a row, managed SIEM was the fastest growing service in the market.&amp;nbsp; I believe this really speaks to the love/hate relationship that most organizations have with SIEM.&amp;nbsp; They want the detail, the alerts, the data.&amp;nbsp; The problem is that they want someone else to find that needle in the haystack, to tune the data, to create the reports, to send the alerts.&lt;/p&gt;&#xD;
&lt;p&gt;The reporting and the effectiveness of a managed/SaaS SIEM is what will differentiate vendors like LogRhythm from the other many large SIEM players.&amp;nbsp; There&amp;rsquo;s always going to be a play for an ArcSight, but increasingly I just don&amp;rsquo;t believe companies want to deal with the beast that is SIEM.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;You can email Research Analyst Richard Martinez &lt;a href="mailto:chris.rodriguez@frost.com" target="_blank"&gt;&lt;em&gt;here&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/em&gt;&lt;/p&gt;</description>
      <pubDate>Thu, 19 Jan 2012 21:46:39 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1274816</guid>
      <dc:creator>Richard Martinez, Jr.</dc:creator>
      <dc:date>2012-01-19T21:46:39Z</dc:date>
    </item>
    <item>
      <title>Enterprise Security for Consumers?</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1269379</link>
      <description>&lt;p&gt;In recent years, the fiercely competitive UTM market has focused on increasing its penetration in the enterprise market. However, UTM has traditionally been considered a small business play due to limited performance and integration but compelling price points. After years of improvements and innovations, UTM vendors now offer enterprise-grade products that compete with leading point products. While the focus on the high-end market is a respectable strategy, it is not unique. So when a UTM company announces a different strategy, it warrants further discussion.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;Cyberoam NetGenie&lt;/strong&gt;&lt;/p&gt;&#xD;
&lt;p&gt;Cyberoam, an India-based UTM vendor, recently announced its NetGenie HOME UTM product. This device provides home router capabilities such as wireless b/g/n, 4 switch ports, and 3G support. NetGenie also includes essential UTM capabilities such as 20 Mbps of firewall throughput, anti-virus (AV), anti-spyware, intrusion prevention (IPS), and web filtering. More importantly, much thought has gone into the user interface to ensure that non-techie customers can deploy this in their homes. NetGenie accomplishes this through a Web page-style management interface with intuitive visual controls and reports. Web content is predefined and categorized based on age group and content to enable different access policies based on the user and time. Thus, parents can ensure that their children do not play games all day and are not exposed to inappropriate material. The $180 price tag may seem steep for a home product but it does include 3 years of AV, IPS, and content filtering updates.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;Challenges&lt;/strong&gt;&lt;/p&gt;&#xD;
&lt;p&gt;However, Cyberoam faces a number of challenges. First, how do they increase customer awareness about a product like this? The average end-user will be unaware of the value of IPS or gateway AV. Most consumers are already well invested in endpoint security software and are not aware of the importance of layered defense. NetGenie&amp;rsquo;s gateway AV and Web filtering can greatly complement these investments and provide defense-in-depth for laptops and desktop computers that already have security software installed. The bigger selling point will be its ability to address tablets, smartphones, and gaming consoles. These devices are increasingly capable and are rarely protected by endpoint software. I firmly believe that these devices will be increasingly targeted by hackers over the coming years.&lt;/p&gt;&#xD;
&lt;p&gt;Furthermore, resellers don&amp;rsquo;t typically sell to consumers. The best channel for this product would be retailers, which is a rare channel for enterprise security vendors to interface with, including Cyberoam. Until this product gains momentum, NetGenie&amp;rsquo;s success hinges on Cyberoam&amp;rsquo;s ability to gain traction with service providers. Service providers seek to offer value-adding services to their customers and should consider the value of offering &amp;ldquo;Safe and Secure Internet Access&amp;rdquo; to their customer base. NetGenie could easily be bundled as a value-adding service or offered as an optional upgrade.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;&#xD;
&lt;p&gt;Now, Cyberoam is not the first UTM vendor to offer a small home router/firewall product. However, few products at this price/performance point have shown evidence of careful consideration to consumer-specific needs. Despite the user-friendly interface, it will take some time to increase customer awareness of the product&amp;rsquo;s value and importance. Additionally, the majority of consumers will fear the requirement for replacing existing routers, as well as the configuration process. Thus, it seems that the primary market for this will be limited to the more tech-savvy consumers for now.&lt;/p&gt;&#xD;
&lt;p&gt;****&lt;/p&gt;&#xD;
&lt;p&gt;&lt;em&gt;Industry Analyst Chris Rodriguez can be found knee deep in spreadsheets or e-mailed &lt;/em&gt;&lt;a href="mailto:chris.rodriguez@frost.com"&gt;&lt;em&gt;here&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&amp;nbsp; &lt;/em&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;For additional analysis of this market, check out Frost &amp;amp; Sullivan&amp;rsquo;s annual global market study entitled &lt;/em&gt;&lt;/strong&gt;&lt;a href="n955"&gt;&lt;strong&gt;&lt;em&gt;Analysis of the Unified Threat Management (UTM) Market and the Impact of Convergence&lt;/em&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;em&gt; or learn more about &lt;/em&gt;&lt;/strong&gt;&lt;a href="c/10402/home.do"&gt;&lt;strong&gt;&lt;em&gt;Network Security&lt;/em&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;em&gt;.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;</description>
      <pubDate>Tue, 17 Jan 2012 20:54:10 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1269379</guid>
      <dc:creator>Chris Rodriguez</dc:creator>
      <dc:date>2012-01-17T20:54:10Z</dc:date>
    </item>
    <item>
      <title>Wombat Security Technologies - Better Security Through Training</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1261885</link>
      <description>&lt;p&gt;Recently I had a discussion with a cool vendor out of Pittsburgh, PA named &lt;a href="http://www.wombatsecurity.com/" target="_blank"&gt;Wombat Security Technologies&lt;/a&gt;. Wombat Security Technologies provides cyber security training, end-user assessment, and filtering solutions for clients. Their goal is to assist organizations in combating the very serious cyber security attacks that have gained notoriety in the last few years by providing employees with consistent and relevant training around targeted attacks. The current modules focus on helping users to identify and avoid phishing attacks.&lt;/p&gt;&#xD;
&lt;p&gt;Wombat&amp;rsquo;s training methods are primarily focused on providing simulated cyber attacks on users and following that with interactive training. In the current modules, cyber attacks consist of phishing emails that are intended to deceive users into erroneously disclosing sensitive information using masqueraded websites, online payment processes or other means of phishing techniques. Once the simulated phishing attack phase is completed, the company uses assessment tools and targeted training programs to evaluate and provide prevention tutorials to specific users or groups that need this training. Administrative graphical tools offer a holistic view for managers as to the business&amp;rsquo; readiness and posture in the prevention of phishing attacks.&lt;/p&gt;&#xD;
&lt;p&gt;Wombat&amp;rsquo;s Interactive Training Software consists of seven different types of training modules which provide education on: email security, password management, smartphones, phishing and social engineering, social networking, URL Training, and Mobility and Travel. The training module consists of 10 minute interactive &amp;lsquo;teachable moments&amp;rsquo; which are highly engaging and visually illustrative to the users being educated. This approach, according to Wombat, fosters increased motivation and higher retention of training information.&lt;/p&gt;&#xD;
&lt;p&gt;Although their training tools provide the right direction in the prevention of these types of attacks, I believe that some organizations may be hesitant to deploy the Wombat solution in its current form for a couple of reasons. The current product was developed in an educational environment and still maintains some aspects that are cartoonish and look like a video game. Some organizations are likely to interpret this as &amp;ldquo;childish&amp;rdquo; or &amp;ldquo;non-professional&amp;rdquo; and may feel that a more serious tone should be deployed across all training sessions. Wombat indicated that a more &amp;ldquo;professional&amp;rdquo; option for the training modules is coming.&lt;/p&gt;&#xD;
&lt;p&gt;I can also see end users thinking that the tool could be used to track them and their susceptibility to clicking on bad links as part of disciplinary action. A variety of security technologies tend to elicit this response from users initially, and management should clearly indicate how the data will be used.&lt;/p&gt;&#xD;
&lt;p&gt;I would also like to see Wombat include additional training geared specifically to management on ensuring that their IT staff implements the technical controls such as antivirus programs and browser anti-phishing controls in case a phishing attack does succeed. I feel this kind of training would help bridge the gap between management and IT and give an additional source of support for the IT department.&lt;/p&gt;&#xD;
&lt;p&gt;I think Wombat&amp;rsquo;s business model around email phishing prevention has a good future ahead of it. Content filtering tools are getting better, but so are the criminals, and Frost &amp;amp; Sullivan research consistently indicates that the end user will always be the weakest link in a corporate security strategy. I look forward to an expanded selection of training modules in the future on a wide variety of topics and will be following Wombat more closely moving forward.&lt;/p&gt;</description>
      <pubDate>Thu, 12 Jan 2012 21:23:18 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1261885</guid>
      <dc:creator>Robert Ayoub</dc:creator>
      <dc:date>2012-01-12T21:23:18Z</dc:date>
    </item>
    <item>
      <title>Cybersecurity: A Global Economic Security Crisis</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1237672</link>
      <description>&lt;p&gt;I recently developed an 87 slide &lt;a href="c/10107/sublib/display-report.do?ctxixpLink=FcmCtx1&amp;amp;searchQuery=cybersecurity&amp;amp;bdata=aHR0cDovL3d3dy5mcm9zdC5jb20vc3JjaC9jYXRhbG9nLXNlYXJjaC5kbz9xdWVyeVRleHQ9Y3liZXJzZWN1cml0eUB%2BQFNlYXJjaCBSZXN1bHRzQH5AMTMyOTA3MDg1NzkxMA%3D%3D&amp;amp;ctxixpLabel=FcmCtx2&amp;amp;id=9856-00-0E-00-00" target="_blank"&gt;Market Insight titled "Cybersecurity: A Global Economic Security Crisis" (9856-14)&lt;/a&gt; for our Network Security Research Practice that is available to Frost &amp;amp; Sullivan subscribers. In that market insight, there is a chapter titled "Identity Theft: Individuals Today-Organizations Tomorrow," which came to mind after I received an email from the &lt;a href="http://mediadecoder.blogs.nytimes.com/2011/12/28/times-readers-inundated-by-false-e-mail-on-subscriptions/?smid=tw-mediadecoder&amp;amp;seid=auto" target="_blank"&gt;New York Times&lt;/a&gt; along with another 8.6 million subscribers (email image attached). Although the company claims that the email was sent by mistake (second email image also attached), it still caused a lot of distress among NYT customers that thought their subscriptions were going to be canceled.&lt;/p&gt;&#xD;
&lt;p&gt;This situation is something that the NYT would like everyone to quickly put behind them, but ever since speaking with executives that specialize in cybersecurity issues, odd emails and so&lt;span style="color: #000000;"&gt;cial media messages tend to stick in my mind. An excerpt from my Market Insight explains why:&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Cybersecurity professionals believe that the next step in the evolution of identity theft will target organizations so criminals can use the identity of companies and government agencies for illicit gain.&lt;/li&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;In fact, identity theft in its current form is just the start of a series of attacks that will target vulnerabilities created over many years and as the threat evolves, the viability of organizations will be at risk.&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;li&gt;It is believed that hackers will be able to damage an individual&amp;rsquo;s cyber footprints so extensively that legacy IT systems won&amp;rsquo;t be able to tell the difference between the real person and the stolen identity.&lt;/li&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;This means that eventually a stolen identity will be unrecoverable, which some in the cybersecurity community refer to as individual obliteration.&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;li&gt;Individual obliteration will be a real concern for individuals as well as organizations as techniques evolve over the next 5 years.&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;Fortunately for everyone, the NYT email was not a case of email hacking, phishing, or the beginnings of individual obliteration that could have generated false news stories, a 21st century &lt;a href="http://en.wikipedia.org/wiki/The_War_of_the_Worlds_%28radio_drama%29" target="_blank"&gt;Orson Welles-like uproar&lt;/a&gt;, and stock price swings that cyber criminals could benefit from.&lt;/p&gt;&#xD;
&lt;p&gt;The unfortunate fact, however, is that there are significant cybersecurity issues facing private enterprise and governments today that are damaging developed economies and changing the global economic landscape. Cyber espionage targeted at industry and governments is believed to be responsible for the largest shift in wealth in the history of the world, yet few people are aware that it is happening. This is one of many reasons why Frost &amp;amp; Sullivan's Information and Communication Technologies &lt;a href="prod/servlet/mcon.pag" target="_blank"&gt;Consulting Practice&lt;/a&gt; and the &lt;a href="prod/servlet/svcg.pag/ITNT" target="_blank"&gt;Frost &amp;amp; Sullivan Network Security Research Practice&lt;/a&gt; have teamed up to provide a closer look at cybersecurity issues in Q4 2011 and will continue to provide analysis and commentary in 2012.&lt;/p&gt;&#xD;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>
      <pubDate>Thu, 29 Dec 2011 00:03:30 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1237672</guid>
      <dc:creator>Jarad Carleton</dc:creator>
      <dc:date>2011-12-29T00:03:30Z</dc:date>
    </item>
    <item>
      <title>The Death of Enterprise Hardware Vendors</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=1202006</link>
      <description>&lt;p&gt;&lt;span style="color: black;"&gt;Is Google's rumored announcement of "very, very large" Google Apps customers the first death knell for Enterprise Hardware vendors like Avaya, Siemens, Alcatel-Lucent, even Cisco?&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;The rumors are reported here http://www.mercurynews.com/top-stories/ci_19531412&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Imagine a world where a typical desk worker uses Google Apps for productivity, Google Talk for chat, UM and video conferencing, and they access those services through an Android phone, an Apple tablet, and either an inexpensive laptop or a MacBook. For voice calls, they use their smartphone&amp;rsquo;s native calling, or maybe even Skype or a Google talk application. That world may not be that far away. Companies that have relied on comfortable revenue streams from expensive desktop phone products and core systems seem to have missed the boat. Tight integration with super capable employee owned devices, like iPhones or Android phones, may deliver better UM integration than the incumbents can deliver. Low, predictable costs will give employees devices that they want to own and carry everywhere. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Apple's model of native applications frees enterprises from many of the security risks that have plagued Wintel machines for decades, and Google's cloud model, layered on top of these applications, allows enterprises to deploy tightly integrated productivity apps easily, quickly and inexpensively. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;To me, the missing piece of the puzzle is SalesForce. The various SalesForce tools along with the ability to buy prebuilt force.com applications or build your own enterprise applications is a critical piece that is missing from Google Apps. Were Google to partner up with SalesForce (or even buy them....) companies could run their entire enterprise on a reliable, predictable-cost platform with real delivery of the CEBP that current enterprise vendors tout.&amp;nbsp; Will Google partner here, or try to develop a platform to compete with force.com?&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Although a key watchword of the 1990s was CTI (Computer Telephony Integration), it never really worked right and never realized its potential. When you next see an ad for a mobile phone, listen for the specs. Dual-core 1 GHz processors, 64 gigabytes of storage, 4G mobile networking, 802.11 b/g/n: it&amp;rsquo;s not a phone, it is not a limited handheld computer. It is a powerful mobile computer. It makes no sense to think about integrating the laptop to an expensive desktop phone system; the integration is already done and it&amp;rsquo;s not integration between a laptop and a desktop phone, it is integration of the smartphone with itself by way of the native applications. &lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;We live in a time of economic uncertainty; if you listen to the bears, this will be the case for some time. Enterprises are being forced by young people entering the workforce to provide mobile work solutions so they have to deploy smartphones. Those same enterprises are looking for places to save money, and spending to deploy desktop IP phones, spending to deploy an IP PBX, and then spending on people to maintain those superfluous products will all look like attractive costs to cut.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;Is my vision upon us or a pipe dream? My colleague Alaa Sayeed is still quite optimistic about phone shipment growth in his World Enterprise Telephony Platform and Endpoint Markets which can be found here. &lt;a href="prod/servlet/report-toc.pag?repid=N942-01-00-00-00"&gt;http://www.frost.com/prod/servlet/report-toc.pag?repid=N942-01-00-00-00&lt;/a&gt; . That said, these deals could be game changers.&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;span style="color: black;"&gt;All that said, the role of the "land line phone" will never go away completely. Professionals in carpeted environments will demand mobility, but many environments will benefit from fixed devices. Retail, manufacturing, warehouses, hospitality, hospitals all look for tools for mobility, but even ruggedized devices get lost and broken. Many employees and customers in these spaces need a communications device that they can always find and use in a specific spot. The big question is, can our traditional enterprise hardware vendors evolve quickly enough to keep up with the dynamic nature of companies like Google and SalesForce that have embraced tight integration with mobility and deliver it through cloud based services or can they survive on the increasingly niche markets that will still want fixed telephony?&lt;/span&gt;&amp;nbsp;&lt;/p&gt;</description>
      <pubDate>Wed, 14 Dec 2011 03:50:15 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=1202006</guid>
      <dc:creator>Rufus Connell</dc:creator>
      <dc:date>2011-12-14T03:50:15Z</dc:date>
    </item>
    <item>
      <title>Security and Convenience are mutually exclusive, unless you are Facebook identity management</title>
      <link>http://www.frost.com/c/10402/blog/blog-display.do?id=406587</link>
      <description>&lt;p&gt;ZDNet recently wrote a good &lt;a href="http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612?tag=must-read" target="_blank"&gt;article&lt;/a&gt; about how Facebook passwords aren't entirely case sensitive. In a nutshell, Facebook identified that users sometimes accidentally activate caps lock before typing a password. Because passwords are obfuscated on the screen, the user doesn't know that caps lock is on, and the password gets rejected. Facebook doesn't want to frustrate users, so it decided that if a user types a password in which every character has its case reversed but the characters are otherwise correct, it will accept the password.&lt;/p&gt;&#xD;
&lt;p&gt;Facebook also recognizes that some mobile devices "help" the user by capitalizing the first letter of a sentence, so those devices sometimes automatically capitalize a lower case letter at the start of the password.&lt;/p&gt;&#xD;
&lt;p&gt;Short story: you have at least two, maybe three, valid passwords for Facebook.&lt;/p&gt;&#xD;
&lt;p&gt;From a security perspective, this means that a brute force attack will break the password somewhat faster. Practically, the password security strength hasn't changed. Facebook has other technologies to help identify fraudulent login attempts that back up the username and password, so today Facebook users can be pretty confident in their security as long as they follow password best practices.&lt;/p&gt;&#xD;
&lt;p&gt;What are the long term implications?&lt;/p&gt;&#xD;
&lt;p&gt;Obviously Facebook wants to avoid inconveniencing users by resetting passwords. Facebook has identified at least two instances where the password system issues a false negative. How many other potential issues are there?&lt;/p&gt;&#xD;
&lt;p&gt;Good passwords have upper and lower case letters, alphanumeric symbols and are at least 8 digits long, or waaaaaay longer if you've read &lt;a href="http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/" target="_blank"&gt;this&lt;/a&gt;. Facebook is my friend and has realized that I access my account from my mobile device, so Facebook is already helping me out by ignoring an accidentally capitalized first letter. What's next? On my BlackBerry the number keys are activated by an Alt button. Is Facebook going to start accepting the letter "w" instead of 1? What if I fat finger the shift key instead of Alt, or the "sym" key instead of shift? What about Alt instead of shift? The combinations and permutations of accepted passwords jump from three to many dozens. What other plausible errors can users make?&lt;/p&gt;&#xD;
&lt;p&gt;Facebook has really embarked on a slippery slope. I want good security to be as easy to use as possible, and eliminating false negatives is a noble goal. That said, Facebook is becoming way more than a nice way to share pictures. Facebook is seeing good traction with its Facebook Authentication &lt;a href="http://developers.facebook.com/docs/authentication/" target="_blank"&gt;service&lt;/a&gt;. It is pretty critical that companies that take advantage of Facebook's federated identity service realize that Facebook has made what (in security circles) is considered to be a strange decision to reduce the strength of all its users' passwords.&lt;/p&gt;&#xD;
</description>
      <pubDate>Fri, 16 Sep 2011 19:23:35 GMT</pubDate>
      <guid isPermaLink="false">http://www.frost.com/c/10402/blog/blog-display.do?id=406587</guid>
      <dc:creator>Rufus Connell</dc:creator>
      <dc:date>2011-09-16T19:23:35Z</dc:date>
    </item>
  </channel>
</rss>

