First Person Podcast Series

The Evolution of Application Security Part II

Thur, 11 Sep 2008 19:22:00 GMT

There is a significant and growing interest in application security. While most organizations have been pre-occupied with securing the perimeter, it is the cost and consequence of insidious insider attacks that is keeping security executives awake at night. Are you ready for the next big security challenge - security at the application level?

It’s hard to fix what canIt’t be measured. Organizations wishing to control the security of their applications are in need of application security metrics. Using such metrics, organizations can measure and communicate the security strength of applications or the applications ability to withstand attacks.
This two part podcast features Dr. Warren Axelrod talking with Sunil Bhargava, CTO for Intellitactics starts with the evolution of application security and related metrics and finishes with suggestions for overcoming the challenges inherent in measuring application security strength using currently available tools and methods.

About Sunil Bhargava
Sunil Bhargava brings more than 20 years of industry experience in enterprise technology, security practices, and product and business management to Intellitactics. Extensive experience gained from consulting to leading-edge organizations in the US, Asia, and Europe solidified his focus on assisting clients in crafting solutions to meet their requirements and implementing needed change. As chief technology officer for Intellitactics, Bhargava draws on this experience as he works with Fortune 500 companies and major government agencies to identify trends and requirements for leveraging information security best practices, technology, and processes to manage enterprise risk. Prior to joining Intellitactics, Bhargava co-founded INTECH, a technology consulting firm. Previously, he provided management consulting to numerous technology firms, including WisdomWare as chief technology officer, OneSoft as vice president of technology, and Clip Genius as co-founder and chief technology officer. He holds a Bachelor of Science degree in Computer Engineering and a Master of Science degree in Software and Systems from George Washington University.

About Warren Axelrod
Warren Axelrod is a well known presenter on information security topics and has published books and articles on a variety of IT topics. He holds a Ph.D. in managerial economics from the Johnson Graduate School of Management at Cornell University and honors bachelor's and master's degrees in electrical engineering, economics and statistics from the University of Glasgow, Scotland. Combining his academic achievements with 25 plus years in security and technology with the world’s leading financial services companies, his perspective and guidance on which investments have the greatest impact on a company’s security posture is comprehensive and pragmatic.

Today Dr Axelrod is responsible for privacy and information security at a prominent New York financial firm. His responsibilities include the definition and enforcement of security and privacy policy and procedures in addition to developing awareness programs to ensure success. Dr. Axelrod is a member of several security industry associations: the SIFMA Privacy Committee, the SIFMA Information Security Subcommittee, the FSSCC R&D Committee and several BITS risk and security working groups. His career includes many honors including leading his team to be recognized by Computerworld’s Premier 100 Best in Class Award for early and effective implementation of a leading security information and event management solution.

The Evolution of Application Security Part I

Wed, 10 Sep 2008 16:19:06 GMT

There is a significant and growing interest in application security. While most organizations have been pre-occupied with securing the perimeter, it is the cost and consequence of insidious insider attacks that is keeping security executives awake at night. Are you ready for the next big security challenge - security at the application level?
It’s hard to fix what canIt’t be measured. Organizations wishing to control the security of their applications are in need of application security metrics. Using such metrics, organizations can measure and communicate the security strength of applications or the applications ability to withstand attacks.
This two part podcast features Dr. Warren Axelrod talking with Sunil Bhargava, CTO for Intellitactics starts with the evolution of application security and related metrics and finishes with suggestions for overcoming the challenges inherent in measuring application security strength using currently available tools and methods.
About Sunil Bhargava
Sunil Bhargava brings more than 20 years of industry experience in enterprise technology, security practices, and product and business management to Intellitactics. Extensive experience gained from consulting to leading-edge organizations in the US, Asia, and Europe solidified his focus on assisting clients in crafting solutions to meet their requirements and implementing needed change. As chief technology officer for Intellitactics, Bhargava draws on this experience as he works with Fortune 500 companies and major government agencies to identify trends and requirements for leveraging information security best practices, technology, and processes to manage enterprise risk. Prior to joining Intellitactics, Bhargava co-founded INTECH, a technology consulting firm. Previously, he provided management consulting to numerous technology firms, including WisdomWare as chief technology officer, OneSoft as vice president of technology, and Clip Genius as co-founder and chief technology officer. He holds a Bachelor of Science degree in Computer Engineering and a Master of Science degree in Software and Systems from George Washington University.
About Warren Axelrod
Warren Axelrod is a well known presenter on information security topics and has published books and articles on a variety of IT topics. He holds a Ph.D. in managerial economics from the Johnson Graduate School of Management at Cornell University and honors bachelor's and master's degrees in electrical engineering, economics and statistics from the University of Glasgow, Scotland. Combining his academic achievements with 25 plus years in security and technology with the world’s leading financial services companies, his perspective and guidance on which investments have the greatest impact on a company’s security posture is comprehensive and pragmatic.
Today Dr Axelrod is responsible for privacy and information security at a prominent New York financial firm. His responsibilities include the definition and enforcement of security and privacy policy and procedures in addition to developing awareness programs to ensure success. Dr. Axelrod is a member of several security industry associations: the SIFMA Privacy Committee, the SIFMA Information Security Subcommittee, the FSSCC R&D Committee and several BITS risk and security working groups. His career includes many honors including leading his team to be recognized by Computerworld’s Premier 100 Best in Class Award for early and effective implementation of a leading security information and event management solution.

Intellitactics Update 2008

Thu, 14 Feb 2008 16:19:06 GMT

What Customers can expect in 2008. Speakers: Intellitactics Management Team.

Information Security in Healthcare: Why Compliance Pays

Wed, 10 Feb 2008 16:19:06 GMT

The Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to enforce security controls that promote the confidentiality, integrity, and availability of all personal health information. HIPAA requires that these organizations use risk-based methods to protect this information and comply with guidelines for achieving minimum information security levels. Failure to comply with these rules can lead to penalties ranging from fines to imprisonment, as well as damage to the reputation of the organization and its leaders. The mandates are clear, yet health care organizations continue to suffer from lack of management support and struggle with implementing effective and efficient information security best practices. Recognizing that health care organizations have become increasingly dependent on information and technology to deliver health care services, taking steps to protect that information becomes a high priority. Meeting this need necessitates senior leadership focus on effective information security governance and support, which requires integration of security into the strategic and daily operations of an organization.

Why is risk assessment such a critical component of an effective information security program? What should healthcare executives be doing to integrate information security processes into their risk activities? Why is deliberate log management crucial to obtaining increased security and compliance? And why are policies and controls crucial for an organization to have in place?

In this podcast conversation, Intellitactics talks with Frank Irving, Editor of Advance for Health Information Executives, about:

- Reasons why healthcare organizations fail to properly fund security initiatives and ways security executives can motivate business leaders to proactively address security needs
- How to facilitate the audit process
- Resources available to help executives implement, evaluate, and manage their information security programs.

About Frank Irving:

Frank Irving, the founding editor of ADVANCE for Health Information Executives, has 20 years experience in trade publishing, all within the IT and health care fields. During his career, his publications have won the Jesse Neal Award for best series of articles and the Computer Press Award for best newspaper. He has addressed industry groups, such as the CIO Roundtable Forum and The Kennedy Group, on emerging technologies and companies in health care. In addition, Frank has served on the planning committees and advisory boards of health care IT conferences, including the National Managed Healthcare Congress. He holds a B.A. degree in Economics from the University of Virginia.

Containing Costs of Incident Investigations: Security Event Management First, Forensic Analysis Second

Wed, 19 Dec 2007 19:19:22 GMT

The continued proliferation of security breaches and regulatory mandates requiring consumer notification in the event of a breach has made incident investigation a requirement in many enterprises. Public disclosure and the need to manage resulting negative exposure has driven the need to be as responsive and accurate as possible when reporting the scope of a breach. Organizations must therefore rapidly investigate incidents to determine the actual extent of an incident.

What do we need to do streamline the investigative process and reduce its cost burden? How can forensic analysis reduce the cost of incident investigation? Why is the use of security event management critical in determining whether, given the firm’s risk management strategy, incurring the costs of a forensic investigation is warranted.

In this podcast conversation, Intellitactics talks with Michael Montecillo, Security Analyst with Enterprise Management Associates, about:

- The importance of forensic analysis for streamlining the investigative process and reducing its cost burden
- The benefits of forensic analysis and how it can help an enterprise determine whether an incident should trigger public notification
- The double-edged sword of forensic investigation – expensive, resource intensive
- The importance of security information and event management in determining if and when a forensic investigation is necessary

About Michael Montecillo:

At Enterprise Management Associates, Michael Montecillo focuses on the emerging application security industry, as well as IT security risk compliance and governance. Prior to joining Enterprise Management Associates, Michael was the vulnerability management coordinator of one of the most well-reputed state government IT security organizations in the nation, where he developed and implemented a program to assess the entire state infrastructure for vulnerabilities. Michael began his career in 2004 performing risk assessments and audits of highly-critical systems and applications for a large consolidated state government IT department in a role that would eventually be dedicated to the state’s police organization. He holds an EnCase Certified Examiner (EnCE) certification, a Certified Ethical Hacker (CEH) certification, and Vulnerability Assessment Technician Level One certification from the Department of the Army Do-It-Yourself Vulnerability Assessment program (DITYVAP). He graduated from Michigan State University with a B.A. in Telecommunications.

Information Security: Key to Achieving Agency Mission Goals

Tue, 04 Dec 2007 19:22:25 GMT

In striving to fulfill their missions, agencies are increasingly confronted by dynamic operational environments laced with changing threats, vulnerabilities, and technologies. They face challenges ranging from managing large, complex information technology infrastructures and numerous information systems to complying with laws, regulations, and standards to obtaining adequate staffing with requisite information security skills and expertise. It’s commonly understood that information and information systems serve as a fundamental enabler for agencies to meet their primary objective of serving the American public. The confidentiality, integrity, and availability of information is paramount to being able to deliver these services, yet information security programs and implementations often suffer from lack of management commitment and inadequate resources. Recognizing that agencies have become increasingly dependent on information and technology to accomplish mission and performance goals, taking steps to protect that information becomes a high priority. Meeting this need necessitates senior leadership focus on effective information security governance and support, which requires integration of security into the strategic and daily operations of an organization.

About Elizabeth Chew:

Liz Chew is a Supervisory Information Security Specialist in the Security Management and Assistance Group, within the NIST Computer Security Division. Her group’s missions include developing NIST Standards and Guidelines, including those mandated by the Federal Information Security Management Act (FISMA), and numerous outreach efforts, including support to the:
• Health IT Security initiative with the Department of Health and Human Services
• Federal Computer Security Program Managers’ Forum
• Information Security and Privacy Advisory Board (ISPAB)
• Federal Information Systems Security Educators’ Association (FISSEA)
• Information Systems Security Line of Business (ISS LOB) initiatives
• Computer Security Resource Center (CSRC) website, which averages over 3.6 million hits per month

Liz was previously the computer incident response program manager for the Department of Justice, and while at the Food and Drug Administration, she led a project to harmonize efforts with the Center for Drug Evaluation and Research and pharmaceutical manufacturers to ensure secure data interchange goals were achieved. Prior to her Federal Government experience, she worked as a LAN analyst contractor for the Nuclear Regulatory Commission and United States Navy. She is a current Certified Information Systems Security Professional (CISSP) and former Certified Novell Engineer.

Managing Risk with Controls

Mon, 03 Dec 2007 18:04:23 GMT

With the continuing attention on regulatory compliance, many organizations are still investing significant time and money in an attempt to protect themselves from negative audit findings. Some investment choices are successful in the short term, but many organizations have discovered that passing an audit does not necessarily make an organization more secure. A more effective strategy for enterprise risk management starts with a security policy and risk assessment, and is maintained through the use of controls to protect critical information assets. Incorporating control frameworks within a security program enables efficiencies in identifying and assessing threats, correcting vulnerabilities, and ultimately minimizing the impact to the availability of critical business services. Join Intellitactics for a discussion on managing risk by implementing and monitoring the performance of controls and an examination of an approach that minimizes the impact and cost of audits while increasing the overall security posture of the organization.

About Matt Mosley CISSP, CISM, CISA
Senior Technical Account Director

Mr. Mosley has 15 years of experience with rapid growth high-tech companies, developing unique and pioneering solutions to handle rapidly changing situations. Starting in the basement of a Maryland town home in 1992, Mr. Mosley helped to build the four-person Internet startup DIGEX into a 500-employee public company. While at DIGEX, he designed, implemented and managed the worlds first ‘web farm’ and build custom information sharing solutions for Fortune 500 companies. Mr. Mosley's career includes a variety of engineering and technical management positions with companies including ISS, WarRoom Research, Cyber Security, Inc. and Intellitactics. He has consulted for over two dozen Fortune 100 companies and was a founding member of the ISP Security Consortium, an organization dedicated to improving security amongst Internet providers through the sharing of information and experience.

Mr. Mosley studied engineering at the University of Maryland, and has held the CISSP credential since 1997. He also holds the CISA credential and is a member of the Project Management Institute and ISACA.

Pragmatic Approach to Managing Security Investment

Thu, 30 Aug 2007 20:00:14 GMT

Two popular questions: “Are we spending enough to ensure the desired security posture?” and “How much security spending is enough?” are asked in boardrooms of security conscious companies around the world. These questions are difficult to answer because today’s spending is ‘enough’ as long as the enterprise is secure and ‘not enough’ the day after a security breach makes the headlines.

These two questions are usually followed by “Are we secure?” While YES is the desired answer to this question it is also an answer that is difficult to give with a high degree of certainty, without qualification. There is no simple or direct answer to this question because security organizations are constantly challenged by dynamic security environments that are producing events that can quickly make any answer obsolete.

What is needed today is a pragmatic approach for assessing the current security posture and determining whether security spending is in fact enough to sustain the state of security. Join Intellitactics for the new podcast in the First Person Series as they interview Warren Axelrod, a prominent writer, speaker and information security executive. Mr. Axelrod has frequently written on the topic of return on investment: first in his book “Outsourcing Information Security” and most recently as a contributor to a new book “Managing Information Assurance in Financial Services“.

About Warren Axelrod
Warren Axelrod is a well known presenter on information security topics and has published books and articles on a variety of IT topics. He holds a Ph.D. in managerial economics from the Johnson Graduate School of Management at Cornell University and honors bachelor's and master's degrees in electrical engineering, economics and statistics from the University of Glasgow, Scotland. Combining his academic achievements with 25 plus years in security and technology with the world’s leading financial services companies, his perspective and guidance on which investments have the greatest impact on a company’s security posture is comprehensive and pragmatic.
Today Dr Axelrod is responsible for privacy and information security at a prominent New York financial firm. His responsibilities include the definition and enforcement of security and privacy policy and procedures in addition to developing awareness programs to ensure success. Dr. Axelrod is a member of several security industry associations: the SIFMA Privacy Committee, the SIFMA Information Security Subcommittee, the FSSCC R&D Committee and several BITS risk and security working groups. His career includes many honors including leading his team to be recognized by Computerworld’s Premier 100 Best in Class Award for early and effective implementation of a leading security information and event management solution.

Making it work: The Convergence of IT Operations and Security Management

Thu, 19 Jul 2007 20:48:31 GMT

The synergies between security and IT operations management are evident. For example configuration management is a primary tool for remediating IT security vulnerabilities and exposures, while the service desk is a primary tool for managing security processes in IT and event response. In a larger sense, security directly benefits IT service delivery priorities by managing risks to the availability and performance of critical resources, while disciplined IT operations management delivers more effective security.

This does not mean, however, that many -- or even most -- businesses have seamlessly integrated their security and IT management operations. All too often, the missing connections between IT operations and security management result in complex and fragmented architectures and organizational inefficiencies. Unfortunately, these conditions create a fertile environment for undetected intrusions and cyber attacks propagate. Compounding the management challenges is the fact that IT spending is essential for keeping pace with change and for positioning IT as a competitive differentiator for the business. Spending on security is no exception to this rule. Spending on security is most influenced by outside sources like compliance with regulatory standards, industry policy mandates and threats. Spending on compliance, IT operations governance and security is not an option.

How can the enterprise bring the critical domains of IT operations and security management together in order to leverage a company’s IT investment and management of risk strategy? How will the decisions made to converge IT operations and security preserve the resources that are essential to maintaining the competitive advantage of the business?

Scott Crawford, Senior Analyst with Enterprise Management Associates has written extensively on IT Governance, Risk and Compliance. As a former CSO, Scott offers the latest trends and perspectives balanced with pragmatic thinking and learning from his real life experiences. In this podcast conversation, Scott talks John Angelastro, Senior Director of Central Security with SunGard Availability Services, about:

- The high cost of the disconnect between security and operations management

- Trends in the convergence of security and operations management and the benefits to be gained

- Business and customer needs driving the convergence

- Developing an integration game plan

- The Catch-22: Resolving security issues and system optimization

- Why Risk Management is “The New Black” in IT and crucial for successful integration

- The crucial role SIEM plays in delivering more effective security, compliance and IT governance

High Priority: Management of Risk

Thu, 19 Jul 2007 20:23:22 GMT

In recent years, IT has been confronted with a range of challenges unlike any seen before.

§ Corporate embarrassment and substantial losses due to regulatory penalties have prioritized security threats for IT and for executives faced with the threat of non-compliance.

§ Regulatory compliance continues to impose accountability that strain resources already under pressure to do

Fraud Hits Where it Hurts Most - The Bottom Line

Wed, 21 Mar 2007 19:26:31 GMT

Fraud management continues to be a mission-critical function as global statistics show an increase in both the number of incidents of fraud and the loss per incident. In the United States, the Federal Trade Commission identified a 34% increase in total fraud between 2003 and 2005, when the fraud bill reached $648 million, and has recently reported that fraud cost $1.2B in 2006. The Association for Payment Clearing Services revealed that online fraud losses in Great Britain increased 55% in 2006 over 2005. While compliance has created more attention and spending to prevent fraud, sound management is essential to both protect the organization and prevent erosion of marketplace trust. Those that do not keep up in fraud management are impacted twice - first by the initial loss, then again by at attracting perpetrators thwarted by better equipped organizations. As security professionals battle to protect their organization and maintain trust, they need a holistic fraud management strategy that goes beyond point solutions to include a layered integration of technology with people, policy, and process. With increased scrutiny from the press, regulators, consumers, patients, and other clients, CISOs are asking questions like, “What’s the best approach to protect against fraud?” “What technology do I need in my arsenal?” “Where do I begin?”

Please join Sunil Bhargava, Vice President of Product Management with Intellitactics for an informative podcast on the Enterprise Fraud Management and why proactive security practices that include security information and event management will play a crucial role in protecting the organization. Agenda

· Enterprise fraud – the risk and the evolving enemy

· Thinking like a fraudster – moving beyond defensive strategies

· The three P’s – Policy, Process, People

· Why do I need security information and event management in my arsenal?

· How do I develop a fraud management game plan?

· Best practices for preventing, detecting, reacting

· Benefits beyond fraud management

Security Spending On The Rise - How to Justify Spending and Communicate Effective Programs

Fri, 09 Mar 2007 19:22:41 GMT

Khalid Kark, Senior Security Analyst with Forrester Research, discusses the state of security spending in North America. Central to his guidance is how to use security metrics, actionable reports, and proactive security practices to get more from security spending and justify future investment.