McAfee » compliance, Blog Central (http://blogs.mcafee.com), feed generated Thu, 30 Oct 2014 21:39:39 +0000

Shedding light on ‘Shadow IT’
http://blogs.mcafee.com/business/shedding-light-on-shadow-it
Thu, 09 Jan 2014 17:19:11 +0000

The post Shedding light on ‘Shadow IT’ appeared first on McAfee.
BYOD, BYOA, BYOx. The IT industry is full of acronyms depicting its constant evolution and relationship with the professional world. First came the devices; employees saw the power of personal devices and insisted on using them in the workplace. And so the consumerisation of IT was born.

After the devices came the apps. Companies reported greater productivity and higher employee satisfaction after enabling Bring-Your-Own-Device policies, but attention then turned to the applications being used. IT executives were left wondering whether they would face a ‘revolution’ similar to the one that followed BYOD: the ‘Bring-Your-Own-Apps’ trend, in which employees choose the software tools they need to make their devices useful and get their jobs done. Recent research we conducted alongside Frost & Sullivan’s Stratecast shows that the app revolution is already here, but with some slightly insidious repercussions – ‘Shadow IT.’

Our global study, which questioned IT and enterprise decision-makers, aimed to uncover the extent and risks of unauthorised Software-as-a-Service (SaaS) applications. It found that more than 80 per cent of employees use non-approved SaaS applications in their jobs, with IT employees actually using a higher number than other company employees.

These SaaS applications are also referred to as ‘Shadow IT’, a term which broadly describes the use of technology solutions within an enterprise that have not been approved by the IT department or adhere to policies. Why is this happening? Low-cost, ease of access and ease of maintenance are factors, as is the cloud, which acts as a vehicle for employees to acquire and deploy these applications without involving anyone else. This ‘self-serve’ behaviour puts business at risk; in most cases, IT departments and security professionals are unaware of the extent of ‘Shadow IT’ and consequently are underprepared.

The current state and prevalence of ‘Shadow IT’ presents a great opportunity for resellers looking to engage with the many businesses struggling to understand their sprawling software use and its security implications. Deploying SaaS apps without the appropriate technical knowledge means corporate standards for data protection and encryption may be unknowingly neglected. This is particularly important for businesses managing sensitive customer or third-party data. Resellers should recognise that businesses need help and guidance to put systems in place that mitigate the risks non-approved applications introduce. Although employees’ intentions aren’t malicious and are indicative of a workforce trying to be productive in a hyper-competitive market, the use of ‘Shadow IT’ within business can have severe repercussions on security and compliance.

The study highlighted a lack of understanding on the part of employees, and a lack of awareness and readiness on the part of businesses, both of which urgently need to be addressed. As with BYOD, the answer is not to prevent employees from using these apps; it is to strike the right balance between flexibility and control.

The channel can and should work with IT and business leaders to create and support policies that enable employees to use the apps they need while still minimising corporate risk. These policies should be built around security solutions that provide employees with secure access to a broad range of recognised SaaS options. The ability to control app usage – for example allowing users to access Facebook but restricting the ‘chat’ function or automatically encrypting files before they are uploaded to a file-sharing site – is also key. Tools like McAfee Web Gateway can track web traffic and automatically provide proactive protection against malware, as well as block undesirable URLs, prevent outbound data loss and enforce acceptable usage policies.

The right security solution, together with education, policy control and consistent communication with employees can make the difference between a business that is agile, innovative and competitive or closed and removed from the opportunities around them. The channel has a crucial role in helping enterprises to shine a light on this new behaviour and ensure that when it comes to the competition, they aren’t left behind.

Walking the Talk on Public-Private Partnerships
http://blogs.mcafee.com/business/security-connected/walking-the-talk-on-public-private-partnerships
Fri, 16 Aug 2013 17:22:14 +0000
There’s been a lot of talk about the value of public-private partnerships in moving the U.S. toward a more robust cyber security posture. And let’s be honest: there’s also been a lot of private sector skepticism about how much the Administration really believed in the concept or how much they would do to make it happen. I’m delighted to say that, so far, those skeptics have been proven wrong. Through both the NIST framework and the list of positive incentives recently released, this Administration is demonstrating that they really get it on cyber security partnerships.

To help secure the nation’s critical infrastructures, NIST is working with the private sector to design a Cybersecurity Framework – a set of core practices to develop capabilities to manage cyber security risk. McAfee participates in this effort, as do many other experts from government and industry, and while it’s difficult to bring all these players together, NIST is making good progress. The Administration has also kept its promise that the framework will be voluntary for owners/operators of critical infrastructure and other players such as IT companies or suppliers of products and services – a feature that’s key to the framework’s success and key to solidifying trust with the private sector.

To encourage critical infrastructure companies to adopt the framework, the Administration recently came out with recommendations for positive incentives, and these are also a step in the right direction. The incentives include such concepts as cybersecurity insurance, grants, limits on liability, streamlined regulation and increased funding for R&D. Promoting incentives rather than additional regulation is exactly the right course, because with more regulation we risk having a more compliant power or water company, but not necessarily a more secure one.

With both initiatives – the framework and the incentives – the Administration is showing supporters and critics alike that they’re serious about partnering with the private sector and serious about keeping the fixes voluntary. I commend them for that. This way we can work collaboratively to secure our critical infrastructures so they’re able to resist cyber attack and recover quickly if they do incur attacks. That should be the greatest incentive of all.

To learn more about the cybersecurity executive order, the latest progress, and how you can participate, download the McAfee EO 13636 Solution Brief.

Five Factors That Make D.C. Region a Cybersecurity Hub
http://blogs.mcafee.com/business/security-connected/five-factors-that-make-dc-cybersecurity-hub
Wed, 29 May 2013 13:37:55 +0000
McAfee is based in Silicon Valley, but we know there’s more to tech than California.

We recently joined the National Institute of Standards and Technology to launch the National Cybersecurity Center of Excellence, a joint effort among high-tech business, federal, state and local government and local universities located in Rockville, Md. The goal of the NCCoE is simple: to identify and help deploy real-world cybersecurity tools that ordinary businesses can use to secure their own networks. Ten other high-tech companies, Johns Hopkins University, the University of Maryland and the National Security Agency have committed their own personnel to the effort.

We’re particularly proud of our participation for lots of reasons, but it’s the combination of the players – the public-private part — that made this alliance particularly compelling.

Try as they may, most parts of the country have not succeeded in replicating the success that tech hubs like Silicon Valley have achieved. Greater Washington D.C. is a success story in its own right, and we think the NCCoE is another reason the DC region will continue to make its mark in computer security.

Every place is different, of course, but five factors seem to make for success when development is the goal.

RESEARCH

Tech is ultimately about smart people doing smart things with the tools they have, and education is the foundation of all of it. The source of Silicon Valley’s brainpower is clear enough: The region hosts a multitude of universities, foremost among them Stanford and Berkeley. DC area universities have received significant funding from the federal government and in many cases enjoy a close relationship with the nearby National Security Agency itself. Schools such as George Mason and James Madison in Virginia, the University of Maryland and Johns Hopkins in Baltimore head the list.

FUNDING

Cutting edge tech is important, but banks won’t fund it until it’s well established, so the path from startup to success can be a difficult one. Angel investors and venture capitalists are necessary components to any successful tech region, and that’s a part of the business world that’s clearly growing near the nation’s capital. New Enterprise Associates just up the road in Baltimore and In-Q-Tel have funded more than their share of startups in the area.

RISK TAKING

Anyone in business knows there are risks to trying to make a profit, but not everyone sees risk the same way. The best high-tech regions recognize that failure is often the prelude to success and won’t automatically penalize those who can’t make a go of a certain venture. Smart dealmakers don’t want to know that you failed — they want to know why.

The nation’s capital isn’t famous for risk taking, but the region’s business community increasingly is. Sequestration and ongoing budget pressures have accelerated the push towards the private sector and away from the old government-contractor mentality. The end result is a slow transformation of the region into an area of authentic innovation.

MOBILITY

It’s a factor many overlook, but it’s there nonetheless: Many, many people in tech aren’t just mobile; they’re from another country altogether. The fact is huge numbers of high-tech innovators in the U.S. left their home countries because they knew the US was still the land of opportunity and remains so today. Go to Silicon Valley, come to greater DC, walk around any top computer science school and you will see the same thing: Brilliant engineers with all the drive you could ask for making amazing discoveries in a country that has claimed them not for their ethnicity, but for the excellence of their work.

GOVERNMENT THAT WON’T GET IN THE WAY

You don’t have to be libertarian to recognize one simple fact: The business climate that government sets is hugely important. Places such as Silicon Valley, Northern Virginia and Suburban Maryland are for the most part left of center politically. I’ll leave it to others to say why tech regions tend to lean liberal, but when it comes to business issues, these same regions look a lot like their red-state neighbors. Light-touch regulation yields real results not just for the companies directly affected but for the whole, decidedly prosperous places in which they operate.

THE FUTURE

Cybersecurity is booming. We take little joy in the reasons why, but we at McAfee are honored to be part of the solution to fighting the threats we face. We hope and expect our efforts here in suburban Maryland will bring a stronger, more secure future in cyberspace.

Getting Assurance in a Time Constrained World
http://blogs.mcafee.com/business/security-connected/getting-assurance-in-a-time-constrained-world
Mon, 20 May 2013 17:34:04 +0000
Nothing is as frustrating as when something goes wrong, especially when you have time constraints. NIST has just released Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations, in which a few notable items have been added to increase confidence that the security practices, procedures and architectures of information systems accurately mediate and enforce security policy. Assurance is now a key element, according to NIST’s Ron Ross in an interview with Information Security Media Group. It’s also the first time that this publication includes privacy within its title.

McAfee’s soon-to-be-announced endpoint suite will provide a new level of assurance with real-time protection, management and, more importantly, results. Incorporating Intel hardware-assisted security through Deep Defender assures that systems are free of rootkits and blocks these kinds of APTs. Some may argue that this type of advanced protection would be hard to cost-justify, but having it included in our suite now provides one of the industry-changing routes to stronger security. What used to be a nice-to-have can now be a key component in keeping things on track and secured. It has been estimated that up to 5 hours could be spent per system re-imaging it after detection of a rootkit. Aren’t our time and resources better spent elsewhere than dealing with the aftermath of a preventable situation?

But it’s also important to prove that the right level of protection has been enabled and where you may have gaps. Today this has to be accessible within minutes. McAfee Risk Advisor’s global risk dashboard allows you to quickly drill down to get granular details of a threat and how it relates to the specific assets in your organization. It lets you know where additional controls might be needed to combat the current threats of concern and target activities that will make the most of your time combating security risks. Time is precious and we want to make it easier for you to get the security that will protect the systems and infrastructure so you can provide the privacy controls that are right for your business.

- Kim Singletary

Response Now as Important as Prevention
http://blogs.mcafee.com/business/security-connected/response-now-as-important-as-prevention
Fri, 24 Feb 2012 18:17:26 +0000
The National Institute of Standards and Technology (NIST) has updated its Computer Security Incident Handling Guide to take into account the increasingly dire state of cyber security. As anyone who has followed the rush of high-profile incursions over the past year knows, it’s looking less and less possible to prevent the inevitable attack, no matter how many security controls and technologies you put in place. Instead, thanks to the increase in stealthy persistent threats, early, rapid, effective detection and response is now as important or possibly even more important than prevention, according to the guide. The guide also emphasizes the importance of reporting attacks to law enforcement, service providers, and developers of vulnerable hardware and software so that future attacks can be prevented and additional victims spared.

What about prevention? The guide emphasizes that prevention strategies and technologies are still critical for reducing the number of attacks, since prevention is much less expensive than mitigation and organizations can quickly become overwhelmed as the number of attacks increases.

The guide is full of valuable, detailed advice and information, recommending that organizations carefully document their incident response handling roles, responsibilities, policies, and procedures and do an extensive analysis of lessons learned after each attack and response to continually improve their response capabilities. It even covers handling the inevitable media response to a high profile attack.

As for the response itself, it should be carried out by carefully chosen and trained incident response teams. The guide outlines the following steps, with much more detail than you’ll see here:

1. Document everything, including every action taken, every piece of evidence, and every conversation with users, system owners, and others.

2. Recruit coworkers to provide assistance. Even the smallest company or incident will need at least two people, one to perform actions while the other documents them.

3. Analyze the evidence to confirm an incident has occurred. You may need to do additional research and reach out to technical professionals within your organization to help you better understand the evidence.

4. Notify the appropriate people within the organization immediately, including the CIO, head of information security, and the local security manager. Tell only those who need to know, and make sure you use secure communications to do so.

5. Notify US-CERT and/or other external organizations for assistance in dealing with the incident.

6. Stop the incident if it is still in progress, either by disconnecting affected systems from the network or, in the case of a DoS attack, by modifying firewall and router configurations.

7. Preserve evidence using backups of affected systems and log files containing incident information.

8. Wipe out all effects of the incident by eradicating malware infections and Trojan files, reversing all changes made to systems, rebuilding the systems from scratch, or restoring them from a backup.

9. Identify and mitigate all exploited vulnerabilities to prevent the incident from happening again.

10. Confirm that operations have been restored to normal including data, applications, and all affected services.

11. Create a final report detailing what happened and how it was responded to. At some point the report should also include a “lessons learned” section based on an in-depth discussion and analysis after the incident has passed.

NIST is accepting comments on the draft guide until March 16th.
