Forrester Research analyzes the past, present and future of security information vendors and products.

Security information management (SIM) technologies have had a pretty rocky ride since emerging earlier this decade, industry watchers say, and the ride isn’t over yet for those ready to adapt to customers’ changing needs.

According to Forrester Research, SIM technology drew in enterprise security managers looking to reduce the noise among multiple security devices distributed in large environments, but lost some ground when IDS and IPS technology gained intelligence. SIM products initially used data aggregation and event correlation features similar to those of network management software and applied them to event logs generated from security devices such as firewalls, proxy servers, IDS and IPS devices, and antivirus software. SIM products also normalized data — that is, they translated Cisco and Check Point Software alerts, for example, into a common format so the data could be correlated with one system. Like network management software, SIM tools generally consist of server software, agents installed either on servers or security devices, and a central management console.



Regulatory changes are coming for the payment-card industry, say leaders of the PCI Security Standards Council, which is responsible for developing and implementing security standards for cardholder data protection.

The council, which has about 500 participants, just completed the annual process of electing its board of advisors. Cisco and Citrix Systems were among the victorious candidates this week, winning a combined 14 elected positions on the 21-member advisory board, which will be providing feedback on upcoming initiatives.

Among these initiatives are possible new requirements around the use of virtualization and wireless technologies, as well as more definitive answers on how to “scope,” or set the limits of, a PCI assessment.

Still unclear is whether the council will back the concept of end-to-end encryption as a way for the industry to help fight payment-card fraud, such as the breach that struck Heartland Payment Systems earlier this year.


Seventeen percent of companies say it’s only a matter of time before an internal breach occurs

While many companies pay lip service to the concept of risk management, nearly one-third are not devoting any budget to these programs and almost one-quarter have no risk management initiative at all, a new study says.

According to a report published this week by security and compliance vendor Sailpoint, 77 percent of companies surveyed have a risk management function within their IT organizations. However, nearly 30 percent of those companies don’t allocate budget to that function.

“That means nearly 50 percent of the affected companies either do not have, or underfund, their IT risk management activities,” Sailpoint says.

In addition, only 43 percent of respondents said they could present a complete record of user access privileges for each employee in a single day. Forty-two percent said they do not have the ability to immediately remove all access privileges for terminated employees in the event of a large layoff.


Every CIO needs to know whether an enterprise can enter the cloud and remain both secure and compliant within regulatory restrictions. A panel of cloud computing providers at RSA Conference 2009 in San Francisco debated concerns about compliance, security and interoperability in the cloud, answering some of the following questions:

How secure is cloud computing?

“It’s key to consider your cloud provider’s security. Is it PII? Is it HIPAA? Is it regulatory data? Do these controls meet my regulatory policies?” said Eran Feigenbaum, director of enterprise application security at Google Inc. and former chief information security officer (CISO) at PricewaterhouseCoopers.


As retailers shut down and liquidate their point of sale systems, guess what else they’re selling?

Without question, 2008 was an eventful year for major financial institutions, with massive losses, questions of solvency and, ultimately, government bailouts now totaling over a trillion dollars. The corporate fire sales, downsizing and mergers now commonplace in the financial industry are cause not only for serious concern about the health of our economy, but also for concern about the security of personal and financial data. With companies being sold and mergers taking place on such tight deadlines, mistakes regarding the confidentiality and privacy of that data are likely being made every day. The risk to personally identifiable information entrusted to these firms is increasing significantly.


PCI DSS is imperfect, but Ben Rothke and Anton Chuvakin say the standard is in security’s best interest. Here they refute common complaints and criticisms of PCI DSS.

Ayn Rand’s 1,100-page treatise Atlas Shrugged deals with the concept of morality of rational self-interest. When dealing with information security professionals, there is likely no greater example of self-interest than the promotion of the PCI Data Security Standard (DSS).

PCI is a pragmatic standard which requires security-comatose organizations to wake up to their responsibilities. And while PCI is only required for companies dealing with credit and debit card holder data, its relevance is germane for any organization.


Former CISO and Symantec strategic consulting director Ariel Silverstone goes through PCI DSS line by line and offers suggestions to make it more effective.

There’s no doubt that the mere existence of a uniform policy — adopted, recommended and even mandated by such firm rivals as American Express, Visa and MasterCard — is a huge step forward.

Before the existence of PCI DSS, it was hard to find two banks that agreed on the same standards, or a merchant that could comply with (at times contradictory) requirements by the major payment industry players.

PCI does make things better, easier, and more understandable. Unfortunately, as is commonly the case on these electronic shores, it does the minimum needed — and sometimes not even that — in its approach.
