I recently hosted a Websense customer round-table discussion with 20 CSOs from top U.S. companies. We swapped war stories, hashed out the security challenges they face every day and they shared how they’ve been successful. These CSOs work in a variety of industries, including federal, finance and healthcare. Recently, there have been a number of highly public targeted attacks, which led to a lengthy discussion on spear-phishing. I found their insights very valuable and I wanted to share some key points...
With the hectic travel schedule of the first quarter wrapping up, I had some spare time to think about advocating a fresh approach to security for the spring. I know it’s not the beginning of the year, but if your schedule is anything like mine, this may be the first time you’ve had a minute to spare since the calendar moved to 2012. With everything in the threat landscape changing so frequently, it’s important to reassess your current status and plan for the coming year whenever you can come up for air. So, I came up with the following nine tips to help you get a fresh start this spring:
Just a quick post here as we all get set for the giant Lollapalooza that is the RSA Conference. There are a few really interesting sessions, so I thought I’d share my top picks and get your thoughts.
So—what am I most interested in seeing? Well if you caught my recent article in CSO Magazine, you know I’m big on IP protection. There’s a panel discussion called “Elephant in the Room: Intellectual Property Hacking” (session ID HOT-108) that I’m definitely attending.
Another one is “CISOs Check the Weather: Beyond the Hype of Cloud Security” (session ID CLD-201), with my good friend Jerry Archer, the CSO of Sallie Mae, and members of the Cloud Security Alliance. I think that one is going to be worth the price of admission.
Then, because we know we are only as secure as our people, there’s a panel on social engineering called, “Human Hacking Exposed: 6 Preventative Tips That Can Save Your Company” (session ID HOT-204).
Gene Hodges, Websense CEO, will be on a panel discussion, “Top Security Weathermen Forecast the Cloud,” with some other security luminaries. That is session number SECT-301 on March 1.
I’m also hoping to check out "BYOD: Securing Mobile Devices You Don’t Own" (session ID MBS-303) and "Three Ways to Lose Data and One Way to Stop It" (session ID DAS-202).
I’m still looking at the rest of the agenda, but wanted to share those sessions with you so you can take a look. I’m looking forward to seeing you all there.
Remember to use the show for what it is: an opportunity to connect with peers. Don’t overpack your session schedule. Make time to talk with folks during breaks or at after-hours events. Have fun! Head to the Rapid7 party! KPMG is holding arrival cocktails on Monday. Websense is hosting our own cocktail party on Wednesday. Let me know if you would like to go. We’ll have more than a hundred leaders of the security world there.
Drop me a message or connect with me on LinkedIn if you’d like to get together sometime during the show.
Feel free to leave a comment about any sessions you are looking forward to.
Do you think data breaches are up or down in 2011 compared to 2007 or 2008? The official answer may surprise you. According to DatalossDB and the 2011 Data Breach Investigations Report by Verizon, the number of records compromised per year has been decreasing since its 2008 peak. But these reports are missing something very important. It all comes down to what is reported. Last year I met with more than 450 CIOs and CSOs, and almost all of them said that incidents are way up. New breaches are constantly making headlines, so why is there a discrepancy between our perception and what these reports are finding?
Many industry reports focus on the never-ending stream of leaked or stolen personally identifiable information (PII). Most laws and industry standards, such as PCI DSS, also concentrate on PII. But there is something that could be more dangerous to lose than PII and that isn't getting enough attention in data breach reports—intellectual property (IP).
As the Websense CSO, I often get a chance to discuss key security issues with other CSOs and CISOs worldwide. I was recently in St. Louis speaking with a group of CISOs about how they are preparing for 2012. Right now, many companies are meeting to discuss how to allocate budget and resources for the new year. Often it also means discussing what went well and what didn’t.
So, how should you speak to your board of directors about threats and security? ...
Recently, the Wall Street Journal posted a great article on “What to Do if You've Been Hacked,” and I think there are a few items that should be looked at a little more closely.
The article explores the traditional forensics and communications approach to dealing with the aftermath of a data breach. I’d like to take it a step further to discuss how you can prevent future hacks from happening.
In a number of recent cases we’ve seen, one hack led to another. It’s a potentially embarrassing situation for a company and a potentially career-threatening event for a CISO or CSO.
So, what should you do?
In my last post I discussed a push toward a more unified security strategy within the public and private sector. Today, I want to discuss why companies need to change their security strategy to stay ahead of the threats they face. This topic was something that came up a lot last week at the Austin NG security summit.
Ten years ago a great security program consisted of anti-virus, IDS, and firewalls, but those protections have since lost much of their effectiveness. Unfortunately, those three aging technologies still make up a huge portion of InfoSec spend, and the remaining pittance is what’s left to deal with the most advanced threats we have seen. Doesn’t seem like a fair fight, does it?
Survey research from the Ponemon Institute says 90 percent of companies have been compromised in the last year. Many were targets of advanced malware that came in through the web and email channels. Traditional signature-based security measures do not reliably catch these threats: the attacks are too complex and change too fast for signature updates to keep up.
Compound that with the fact that IT security is now on the CEO’s radar and the board is asking questions about security strategy. I’ve spoken to hundreds of CISOs and CSOs over the last year and the recent data breach headlines are catching their attention. More than ever the IT team is being asked: What is our current risk posture? How do we reduce risk? What is our situation? Are we going to be compromised? What is our strategy? This is our chance. Using this momentum and interest we must change the way we operate and the way executives think about security programs.
The first step is acknowledgement: You have to realize that at some point you will be compromised and the bad guys will get in. It’s not a matter of IF an APT or a targeted attack will strike; it’s a matter of WHEN. There is no silver bullet.
But all is not lost! Once you’ve accepted this, the next step is to change the way you plan. You need the tools in place to be able to tell executives:
“I am going to prevent X percent of attacks. Of the attackers that get in, I’m going to know within X hours, and I will have them contained within X hours. We can significantly reduce the probability that they will be able to access our most important data.” Make sure you have the technology, people, and processes to back up your claims, which means measuring each of those three numbers from your own incident timelines rather than estimating them.
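As an added example (not code from the original post or from Websense), here is how the three numbers in that statement can be derived from incident records. The incident timeline below is constructed for illustration, and the 24-hour detection and containment targets are assumed; substitute your own. Time to detect is measured from the earliest attacker activity established by forensics, not from the first alert, because the gap between those two is exactly what the executive question “are we going to be compromised?” is about.

```python
"""Posture metrics behind "prevent X, detect in X hours, contain in X hours".

Added example; the incidents below are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Incident:
    name: str
    first_activity: datetime  # earliest attacker activity established by forensics
    detected: datetime        # when the security team learned of the incident
    contained: datetime       # when attacker access was cut off
    blocked: bool             # True if stopped by a control before any foothold
    detection_source: str     # "internal" or "third_party" (law enforcement, partner, press)


def hours(start, end):
    """Elapsed hours between two timestamps."""
    return (end - start).total_seconds() / 3600.0


def time_to_detect_h(inc):
    return hours(inc.first_activity, inc.detected)


def time_to_contain_h(inc):
    return hours(inc.detected, inc.contained)


def posture_report(incidents, detect_target_h, contain_target_h):
    """Prevention rate, detection and containment times, and target misses."""
    breached = [i for i in incidents if not i.blocked]
    ttd = {i.name: time_to_detect_h(i) for i in breached}
    ttc = {i.name: time_to_contain_h(i) for i in breached}
    total = len(incidents)
    return {
        "total": total,
        "prevented_pct": 100.0 * (total - len(breached)) / total if total else 0.0,
        "median_ttd_h": median(ttd.values()) if ttd else 0.0,
        "max_ttd_h": max(ttd.values()) if ttd else 0.0,
        "median_ttc_h": median(ttc.values()) if ttc else 0.0,
        "max_ttc_h": max(ttc.values()) if ttc else 0.0,
        # Incidents that blew the targets: these are what the board will ask about.
        "detect_misses": sorted(n for n, h in ttd.items() if h > detect_target_h),
        "contain_misses": sorted(n for n, h in ttc.items() if h > contain_target_h),
        # Learning about a breach from outside is a detection failure regardless of elapsed time.
        "third_party_notified": sorted(i.name for i in breached
                                       if i.detection_source == "third_party"),
    }


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample timeline (assumed data, for illustration only).
SAMPLE_INCIDENTS = [
    Incident("phish-01", _ts("2012-03-01 09:00"), _ts("2012-03-01 09:00"),
             _ts("2012-03-01 09:00"), blocked=True, detection_source="internal"),
    Incident("drive-by-02", _ts("2012-03-02 10:00"), _ts("2012-03-02 14:00"),
             _ts("2012-03-02 20:00"), blocked=False, detection_source="internal"),
    Incident("spear-03", _ts("2012-03-05 08:00"), _ts("2012-03-12 08:00"),
             _ts("2012-03-14 08:00"), blocked=False, detection_source="third_party"),
    Incident("malware-04", _ts("2012-03-10 12:00"), _ts("2012-03-10 12:30"),
             _ts("2012-03-10 13:30"), blocked=False, detection_source="internal"),
    Incident("phish-05", _ts("2012-03-11 15:00"), _ts("2012-03-11 15:00"),
             _ts("2012-03-11 15:00"), blocked=True, detection_source="internal"),
]


def example_report():
    """Report for the sample timeline against assumed 24-hour targets."""
    return posture_report(SAMPLE_INCIDENTS, detect_target_h=24, contain_target_h=24)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind when presenting these numbers: the prevention percentage depends entirely on what you count as an attack (counting every blocked phishing email inflates it), so state the denominator; and the median hides the tail, which is why the report lists the individual misses alongside the maximum.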
This is the new strategy we have to adopt and share. In the next blog, I’ll share the successful strategies I’ve seen from some of the best organizations and CSOs who have adopted this approach. We’ll look at the most common entry and exit points of attacks and how these successful CSOs are focusing their technology investments in those areas.
In the meantime, how many of you have had conversations with your executive team about your security posture? Has this increased in frequency in the last year? Let me know in the comments below.
Recently, I was speaking with a CSO of a major corporation and the topic of how much money is made with cybercrime came up. Now, many of us talk about the proliferation of easily monetizable cybercrime, but because it is an invisible enemy, some people have trouble understanding the threat. I wanted to quickly share with you a great article that should be required reading for everyone in IT security: http://www.wired.com/magazine/2011/01/ff_hackerville_romania/all/1
The story covers the evolution of the small town of Râmnicu Vâlcea, Romania and how it went from having “a decades-old chemical plant and a modest tourism industry” to become what the article calls “Cybercrime Central.”
I’ve been on the road quite a bit and have collected a lot of good information that I want to share with you all. Most of what’s been attracting my attention is the recent crop of targeted attacks. For every one you hear about in the news, another 50 occur behind the scenes. I’ve spent a lot of time working with CIOs and CISOs to help them develop a strategy to protect against these threats.
One place where targeted attacks were a huge topic of conversation was the U.S. Security Confab event that I attended last week. It’s hosted annually by my friends Jerry Archer, CISO of Sallie Mae; Dave Cullinane, CISO of eBay; and Bob Bragdon, publisher of CSO Magazine. If you have never attended, I highly recommend it (as if you needed an excuse to spend a week in California). It’s one of the best security conferences in the world.
APTs, targeted attacks, and advanced malware were the common threads that ran through the majority of the presentations. The other resounding theme was the lack of shared strategy and organization within the security community against our common enemy, cybercriminals. Right now, when one of us is attacked we share the information upstream with the government, but we fail to turn that into any real, viable intelligence for the private sector. Don’t you think it would be helpful if we had a standardized way to share that intelligence, in a standard format that details the “who” and the “how” of the attack? And I’m not just talking about the U.S. here; this could be global as well. In this scenario, thousands of companies would be protected almost instantly when one of us learns of a new cyber threat.
Recently, we took a step in the right direction when the Pentagon announced that cyberspace is a new battleground. A cyberspace attack on U.S. assets can now be treated the same as an attack occurring on U.S. soil. At the same time, Deputy Secretary of Defense William J. Lynn III acknowledged the need for cooperation. He said:
“Strong partnerships with other U.S. government departments and agencies, the private sector and foreign nations are crucial. Our success in cyberspace depends on a robust public/private partnership. The defense of the military will matter little unless our civilian critical infrastructure is also able to withstand attacks.”
This is a great step, but we must continue to organize within the security community, since the bad guys are already organized and many of us still stand on our own.
This week I am attending the Austin NG security summit, so next week I will be talking about successful strategies to protect against APTs and targeted attacks, as well as any great insights from the Austin summit. In the meantime, let me know if you have any questions.