What’s the Biggest Danger to Enterprise Security in the Executive Suite? Upper Management May Be Pushing Technology Beyond the Ability to Protect It.

Posted on February 28th, 2014 by Dan Rampe

IT

A new survey reported by csoonline.com says close to four out of five IT professionals were pressured into deploying inadequately secured software. The survey, conducted by Trustwave, also found that more than 60 percent of respondents said these rollouts happened one or two times per year, while 16 percent said they happened frequently.

More than 830 CIOs, CISOs (Chief Information Security Officers) and IT security directors and managers at companies with 250 to 5000 employees in the U.S., UK and Germany were surveyed between mid-December 2013 and mid-January 2014. Fully half said the most pressure came from company owners, boards and C-level executives while a third of respondents said the most pressure came from direct managers.

From just those numbers, it would appear telling upper management it didn’t know what it was doing is not the optimum career path to corporate success.

csoonline.com’s Antone Gonsalves asked several experts what they made of the survey’s results:

The findings were not a surprise to Drew Porter, senior security analyst for consulting firm Bishop Fox. Porter often works with companies to plug vulnerabilities in IT that was deployed too fast in order to get competitive features to customers and partners. “They want to have these features and they want it right now,” Porter said. “They worry about the security afterward.”

An example Porter runs into often is a wireless connection to a corporate portal made available to people and employees visiting a company’s campus. HTTPS is often not properly used for secure communications and it is not unusual for companies to skip the requirement of a username and password.

Such poor protection does not sit well with security executives and managers who will sometimes call in consultants to do a security review, so vulnerabilities can be documented and brought to the attention of C-level execs and boards.

“The consultant writes the report, giving the security team ammo to take to upper-management and say, ‘These are problems that we have to fix; these are high-critical items.’”

The emerging technologies that carried the greatest security risks were cloud services, mobile applications and technology to accommodate employees’ desire to use their own mobile devices for work, a trend often referred to as “bring your own device (BYOD),” the study found. Deploying social media was also considered a top risk.

The market pressure to use new technologies is causing security execs to go beyond their level of expertise, Renee Murphy, analyst for Forrester Research, said.

“CISOs are dealing with the pressures of the business telling them to innovate when clearly the (security) technology hasn’t caught up or at least their understanding of the technology hasn’t caught up,” Murphy said.

Securing the wide variety of mobile devices executives and employees want to use on the corporate network is a good example of what’s causing migraines for security pros, Murphy said. Up until the last few years, security executives only had to worry about PCs connecting to networks.

“They’re now having to do crazy amounts of stuff in order to support everything that shows up in their environments every day,” Murphy said. “I feel their pain.”

For the current situation to improve, business people and security pros will need to come together and work on a “holistic approach” to securing new technologies, Murphy said.

“Security and risk don’t have to inhibit innovation,” she said. “Innovation might have to go a little bit slower in order to accommodate it, but there’s no reason they can’t coexist.”

Overall, a majority of respondents said the pressure to secure their organizations increased last year from 2012 and they expect to experience a similar rise this year, the report found.

The greatest concern was falling victim to a targeted malware attack, followed by the threat of phishing and hackers exploiting unknown vulnerabilities.

The greatest worry from an attack was the loss of customer data, with intellectual property theft coming in second, according to the report. Reputation damage, fines or legal action were less of a concern. To reduce security pressure, more than eight in 10 respondents listed hiring more staff. However, the survey indicated that upper management appeared to favor hiring managed security service providers. The majority of respondents already partnered with MSSPs or were likely to do so in the future.

Other items on the wish list of security execs included more skills and expertise and more time to focus on security.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission-critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix™ Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.


ThreatMetrix Announces Groundbreaker in Enterprise Security. Stops Unauthorized Access to Enterprise Apps with Frictionless Context-Based Authentication Leveraging “The Network”

Posted on February 20th, 2014 by Dan Rampe

RSA Conference

Revolutionary is a word that’s often thrown around lightly. Not this time. ThreatMetrix’s revolutionary new offering vastly improves enterprise security using real-time identity analytics and federated trust. To the organization, this means low TCO (total cost of ownership) and better security. To the user, it means a more hassle-free experience.

As it happens, the ThreatMetrix offering coincides with the RSA Conference 2014, which is scheduled to run from February 24-28 at the Moscone Center in San Francisco. ThreatMetrix will be exhibiting in booth 232 in the South Expo Hall.

Bring-your-own-device (BYOD) and cloud-based applications challenge security professionals to find new ways to improve security beyond simple username and password verification and cumbersome two-factor authentication, and to do so without negatively impacting user experience.

“No enterprise wants to be called out for falling victim to a data breach, as it erodes trust,” said Reed Taussig, president and CEO, ThreatMetrix. “However, if enterprises implement time-consuming authentication techniques, this will erode overall productivity and motivate the workforce to find ways around the authentication. This is where frictionless context-based authentication comes into play, which establishes trust for each account login based on fully anonymous user identity, device usage, geolocation, behavior and other factors without compromising consumer identity or workforce efficiency.”

Note that the Gartner Magic Quadrant for User Authentication this past December estimated that by year-end 2016, more than 30 percent of enterprises would be using contextual authentication for remote workforce access.

Benefits to context-based authentication include:

• Frictionless access – Real-time, passive assessment of the login context through frictionless two-factor authentication lets businesses streamline access for known and trusted combinations of accounts and devices. This reduces workforce effort and inconvenience because it doesn’t require additional one-time passwords for each login.

• Increased security – Combining global federated trust identities with context-based authentication enables businesses to quickly and easily identify high-risk connections that have the potential to compromise corporate IP and valuable data. High-risk connections include devices that are part of botnets and the use of spoofed and compromised identities or devices that are known to be involved with fraudulent access across the ThreatMetrix™ Global Trust Intelligence Network (The Network).

• Operational Efficiency – Real-time API-driven big data analytics makes for actionable intelligence at the point of control instead of that information being stored in a data warehouse.

“Enterprise adaptive access control combines contextual information and user credentials to evaluate the risk of users attempting to access resources. Once the purview of e-commerce and financial services, adaptive access is finding an increased role in workforce identity — particularly for mobile device use cases.” — Gartner’s Trent Henry in “Adaptive Access Control Brings Together Identity, Risk and Context.”

ThreatMetrix provides one of the most powerful context-based authentication and fraud prevention solutions on the market by leveraging the vast amount of data in The Network, one of the largest fully anonymized global identity and fraud networks in the world. Through The Network, ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites.

“All ThreatMetrix customers benefit from anonymized shared identity and threat data worldwide across The Network, increasing the quality and value of the data as The Network grows,” said Taussig. “Due to shared data on The Network, in the United States, for example, we have an 80 percent recognition rate for users attempting an account login. This means that for four in five logins, ThreatMetrix recognizes at least one anonymized data point from previous activity in The Network – such as the email address, telephone number or account name. This offers enterprises and other businesses a full 360 degree assessment of a user’s risk to more accurately differentiate between hackers and valid workforce access.”

Federating identities without federating trust is an open invitation to cybercriminals. By combining context-based authentication and a global federated identity network, ThreatMetrix offers the most efficient and cost-effective way for enterprises to reduce the threat of data breaches from unauthorized application access. This protects not only against external threats, but also against employees who might, for example, share their passwords with colleagues.

In addition to its evolution as a context-based authentication provider for enterprises, ThreatMetrix continues to build trust on the Internet by protecting businesses against threats that include account takeover, payment fraud, fraudulent account registration and multi-channel Web fraud. Industries ThreatMetrix protects include financial services, e-commerce, payments, government agencies and social networks.

To learn more about ThreatMetrix’s context-based authentication and advanced fraud solutions, stop by booth 232 in the South Expo at RSA Conference 2014. During the conference, ThreatMetrix is also a proud sponsor of the Alta Associate’s Executive Women’s Forum Reception, which takes place Wednesday, February 26, 7-9 p.m. at the W Hotel in San Francisco.
