Profile cover photo
Profile photo
Robert Westervelt
Research Manager IDC | Analyst | Writer
Research Manager IDC | Analyst | Writer

Robert Westervelt's posts

Great CRN news story on Bain's $2.4 billion acquisition of Blue Coat Systems. There's a lot of momentum around Blue Coat, but its potential is deeply rooted in the executive management and product engineer's ability to pull together all of the technology pieces into a coherent set of security offerings.

Post has attachment
Such a lame thing for any company to do. 

Post has attachment
Zscaler is picking up partners to resell its SaaS-based security service, which provides threat detection, content inspection, web filtering and data loss prevention capabilities. The company introduced secure guest WiFi which pits it against OpenDNS, which has a similar service. Zscaler is also aiming at Websense customers - primarily 25 percent of them - which are still using the company's legacy gear for web filtering and limited security capabilities. 

Post has attachment
I spoke briefly about Symantec's breakup and how the security portfolio shapes out. Symantec has some big gaps to fill to remain competitive, I'm told. Innovation has been on hold while the company has been retooling it's internal operations. The rest of the security industry has been moving forward at a rapid pace.

Post has attachment
Lifehacker had a good short list of some of the best two-factor authentication applications available for security conscious users. I've used Google's SMS two-factor service when it first came out and it felt clunky and onerous to use. But that has changed. It now offers an authenticator mobile app to generate verification codes from the device. Another app called Topher is also very good and ties in location data as a verification measure. Adding one of these services could greatly reduce the risk of account hijacking. It makes it more difficult for an attacker to gain control add an account without physical access to the user's mobile device.

Post has attachment
Symantec chose the second night of Rosh Hashanah to name interim CEO Michael Brown as its new chief executive. Brown, an executive with extensive storage industry experience, had been leading the company for the past six months following the firing of CEO Steve Bennett in March. Bennett led a complete internal restructuring of the company but couldn't get it on the growth path fast enough, Brown had said. Bennett also saw a slew of key executive departures during his tenure. 

Post has attachment
The payment industry is girding for a long roll out - some say as long as eight years -- of new payment terminals that support chip-and-PIN or EMV card technology. Looming transition deadlines coupled with the recent string of high-profile credit card breaches may help spur interest in security technologies, but will they be the right ones? Will EMV-enabled card readers be fully encrypted? Can a merchant invest in new payment terminals that can also adopt future mobile payment trends such as Apple Pay or Google Wallet? There is a lot more reporting to come on the Payment Industry Data Security Standards and the long awaited roll out of modern payment systems.

Repeating debunked threat claims to make a point about the seriousness of data security to a group of investors, financial analysts and IT professionals diminishes the core message that security professionals advocate: Security Equals Risk Mitigation.

"We have refrigerators attacking banks," said Tom Leighton, CEO and co-founder of Akamai Technologies, speaking to the group during a discussion at the Bloomberg Enterprise Summit in New York City, April 24.

The Akamai chief executive had the best of intentions when he used the reference, explaining that a refrigerator was used as a reflection point in a distributed denial of service (DDoS) attack. His firm helps keep important Web applications available and defends them if they come under attack. "The key is moving to the cloud where the attacker is," he said.

But the refrigerator weapon reference first made in January by SaaS-based email security firm Proofpoint was debunked earlier this year. Refrigerators offer such low power and are typically behind a router making their use impractical. The latest studies show criminals, mainly with hacktivist intentions, use DDoS as a weapon by hacking into Web servers to harvest their power.

We've come full circle in the threat cycle with claims that Internet-enabled "smart" devices are a cause for serious concern. Remember printers, copiers, fax machines and VoIP phones. Yes, they are vulnerable and at risk. But when a cybercriminal can simply use stolen credentials to gain access to documents and other data, it makes little sense for them to spend money to develop a sophisticated attack that leverages devices.

Manufacturers of smart refrigerators and other so-called Internet-of-things, embedded devices will weigh the cost of adding security mechanisms to the risks they pose. The move to bolster the security of smart meters a few years back was successful not because private sector firms were concerned about cyberterrorists attempting to use them to access the power grid, but because of the heightened awareness of consumer fraud that those devices enabled.  In Puerto Rico, for example, the FBI uncovered a smart meter hacking scheme that helped customers fleece the electric company by modifying the software in smart meters.  At the same time, I recognize the importance of responsibly advocating for stronger measures to protect consumers, businesses and defend against fraud.

What Leighton and perhaps other speakers at the event that day failed to recognize is the technical acumen of those in attendance. I met a number of security professionals at the event, including a chief technology officer at a financial firm in Greenwich, Conn., who regularly attends the annual Black Hat security conference, participates in training sessions there and stays to attend the Defcon hacking conference. He isn't swayed by hyped up threat claims. He's too busy overseeing a team addressing the daily attempts against his company's network.

Now let's focus on the practical message that I hope got across at the Bloomberg event. Leighton and other executives were correct to point out the technical inadequacies that expose the country's financial sector to attackers. He is right in explaining how growing system complexity is causing configuration weaknesses that can be exploited. And how the consistent failure of common security best practices, such as weak and default passwords, enable all threat actors to easily infiltrate corporate networks. Just read any Verizon Data Breach Investigations Report since 2008. Financially motivated criminals, hacktivists and nation-state threat actors don't need to carry out sophisticated attacks. They choose the low hanging fruit because they can. It's easy and it makes their activity cost effective.



Post has attachment
A talk by Bruce Schneier, a security industry rock star, and noted cryptographer reminded me of an interview I heard on NPR about Internet anonymity, Schneier, who was sought by the reporters who received Edward Snowden's NSA documents to help them decipher some of the technical jargon, spoke to security industry professionals on Wednesday about big data and the security, privacy and ethical issues it raises.

My brief story on Schneier's keynote presentation is linked below. I can't stop thinking about the interview NPR had with investigative reporter Julia Angwin and the intimate details she uncovered about herself contained in the servers of some data brokers she investigated. Her information was passed on, bartered and sold by technology providers over what sounds like a digital back alley.  That interview is here: It's worth a listen.

It also reminded me of a story I did about Noam Chomsky who spoke at an MIT summit on the subject last November: And a discussion on the issue between security practitioners at the MIS Institute's Big Data Security conference held last July:

How will a balance between data mining for the public good and personal data privacy and ethical concerns be achieved? Schneier believes it will take some measure of regulation to adequately address all the complex issues.

Post has attachment
I have deep respect for people who speak their mind. There is something transparent about it. The words they speak have consequences, but their frankness reveals openness and honesty that is refreshing. 

Enter Nir Zuk, the chief technology officer of network security powerhouse Palo Alto Networks. I spent nearly an hour interviewing him last week and found myself wanting to spend the entire afternoon with him. His can-do attitude and confidence is infectious and probably why he's been on so many winning engineering teams. 
Zuk is overseeing the build out of his company's next generation firewall appliance to include endpoint capabilities. He's overseen two acquisitions in 2014 as part of that effort. The goal, Zuk insists, is to create a platform that can prevent malware infections, not just detect them. 

Interestingly, Zuk left Check Point Technologies after being the principal creator of the first stateful inspection firewall because, according to an earlier interview with ITWorld, the company had become too large and was fraught with internal politics and a sluggish bureaucratic process. Palo Alto Networks is no longer 250 employees or 700 employees. It's now up to more than 1,300 employees, but Zuk insists that he is keeping the engineering team small enough to foster innovation. He insists that he can maintain the ability to make decisions on a "gut feeling," and not always based on shareholder interests.  His passionate attitude shows no signs of tiring, but is challenged by the constraints of a growing public company. 
Wait while more posts are being loaded