Posted by Courion Corporation on Tue, May 08, 2012
Courion’s annual CONVERGE customer conference returns to Boston May 20-23 at the Renaissance Boston Waterfront Hotel.
In its 10th year, CONVERGE 2012 will address the challenges of identity and access management in today’s mobile, always-on, cloud-based business environment, ensuring that organizations have the right identity access and governance controls to effectively manage user access, demonstrate compliance and enhance security.
With a focus on access risk management and access intelligence, CONVERGE 2012 features case studies, panel discussions and interactive sessions highlighting critical identity and access management issues. Featured speakers from Courion’s customer base include the American Red Cross, Cape Cod Healthcare, HCR ManorCare, Memorial Hermann Health System, Sun Trust Banks and many more.
Live product demos from Courion, its customers and sponsors will include Courion’s Access Insight™ access intelligence, and CourionLive™ cloud-based IAM solutions. Courion Labs Emerging Technology team will demonstrate the challenges of managing user access to and from mobile devices.
CONVERGE 2012 promises to deliver the information you need to ensure that you have the right strategy and solutions in place to manage access risk in your organization.
To learn more about CONVERGE 2012, click here.
Posted by Kent Welch - Director, Product Management on Tue, Apr 24, 2012
Recently, Courion partnered with NaviSite, a leader in managed cloud services, managed hosting, and managed application services, to deliver CourionLive™ its cloud-based, Software as a Service (SaaS) delivery of Courion’s best of breed Access Risk Management Suite. As the leader in IAM solutions focused on access risk, we knew we needed a proven partner that could deliver CourionLive via a best in class cloud infrastructure with a global footprint, superior managed services and unmatched security expertise. And that’s what we have with NaviSite’s Managed Cloud services. To learn more,
click here.
Posted by Chris Sullivan - VP Customer Solutions on Tue, Apr 17, 2012
In a posting on the LinkedIn Information Security Community group, Ken, a software development manager, posed the question, “Why does everyone have exactly what I don't need? I know how to collect and store large amounts of data. Problem solved. I don't need my SIEM solution to solve that problem for me. What I DO WANT is a "brain" that sits on top of my current data store and do security event detection.”
This was all Chris Sullivan needed to hear before he jumped in and handed Ken just the thing he was looking for.
“Wow... I had almost given up following LinkedIn Groups... What a great thread.
So…Ken's already got the big data. Marko saw a need for BI tool (though didn’t explain why). Ian's recognized that RDB is not the right approach. Everyone is groping around for the answer. What's missing?
What if 18 months ago Courion Labs recognized this problem and redirected all of its focus to working with the smartest people out there to figure this out?
What if they applied adjacent innovation techniques to look for similar patterns/problems that have already been addressed by other industries and applied those techniques?
They would have seen that there's an extraordinary amount of data (big data) that's floating around by dint of just doing security operations and that companies ignore most or it (Ken noted this). At best they are looking into silos like SEIM or DLP (lots of people touched on this).
They would have leveraged the industry's largest collection of collectors (600+) and an open system to get that big data.
They would have realized that traditional relational DB approaches with workflow-centric computing would not work (thank you Ian) – It just takes too long to walk through that much information. They would have gone with something more appropriate like an OLAP cube and data centric design.
They would have realized that even having big data in a high performance cube isn’t a solution for anyone except the guys who sell disk.
What’s missing? A way to think about and organize all of that information. A rich way to interact with it – because artificial intelligence will get you just so far – humans are still smarter so you need to augment them.
They would have taken a time tested approach - One that was done with trader support systems 20 years ago or in the baseball industry in the early part of this century (think the business story behind Brad Pitt and Moneyball – or just Google Sabermetrics).
They would have applied best practices from 600+ Provisioning and Compliance solutions, COSO and FFIEC guidance for thinking about information security management and they would have developed a measurement framework for Access Risk Informatics that considers real time relationships between security events, activity, access, identities, etc.
They would package that into an Access Intelligence Engine that is constantly listening and synthesizing and measuring and alerting.
They would have realized that looking at this galaxy of information would be overwhelming so they would abandon current reporting solutions with bars and pie charts and 2 dimensional presentations of static data. They would have gone with a market leading BI tool for rich, interactive visualizations (thank you Marko) so that you can not only see the 1/10 of 1/10 of 1/10 of 1% of what’s important at any given moment but you can actually do something about it – you can extract all of that information and launch business processes to remediate issues immediately.
They would have called it something special...Like Access Insight™ and they would have released it into the wild 2 weeks ago.
Finally, they would have recognized that, like other industries, the InfoSec profession is about to get turned on its’ head…Fast...and in a big way…Because that's what happened to every other industry that figured out how to effectively use the information that they already have...
They would be organizing the best and brightest execs from across the industry in Boston next month – This time to think about how the role of the CISO and security operations in general is about to change and how to prepare for it. It would be an invitation only thing…but “I know a guy” so if you’re interested in participating and think you can add to the discussion, let me know.
Chris (yes, I’m from Courion Labs :)”
Posted by Courion Corporation on Thu, Apr 12, 2012
According to Verizon's 2012 Data Breach Investigations Report, data breaches have skyrocketed, with 855 incidents and 174 million compromised records in 2011, compared with a low of 4 million records compromised in 2010.
Hacktivists have upped their game. With external attacks from outsiders accounting for 98 percent of data breaches (think organized crime, activist groups, former employees, organizations sponsored by foreign governments) hacking was used in 81 percent of data breaches, and malware reared its ugly head in 69 percent of breaches. With external hacktivists going full throttle, insider breaches appeared meager at four percent, and business partners responsible for less than one percent of the breaches.
Of the victims, 79 percent were targets of opportunity — breached because they were easily exploitable. And 85 percent of those targets of opportunity happened in organizations with less than 1000 employees, with nearly three-quarters in the Retail/Trade and Accommodation/Food Services industries where Point of Service (POS) systems provided the opportunity.
Cybercriminals had a field day with Personally Identifiable Information (PII) (name, address social security number). And if you think that by being compliant with the Payment Card Industry Data Security Standard (PCI DSS) you can't be breached, you need to think again. Just because you're compliant doesn't mean you're secure.
When it came to targeted attacks, companies in the Finance, Insurance and Information sectors were targeted more than other areas — with seven out of 10 targeted attacks against larger businesses. And, strange but true, larger organizations aren't much harder to compromise than smaller ones.
High profile breaches seemed to have occurred on a regular basis in 2011, (think Epsilon, Sony, NASDAQ), and many went unnoticed for weeks and even months. To make matters worse, breaches weren't discovered by the victims; according to Verizon, 92 percent learned about them through third parties.
But what's really unfortunate is that 97 percent of these breaches could have been avoided through the use of simple or intermediate controls!
So what can we do? In today's dynamic business environment, companies have to get onboard with implementing a proven access risk management solution that works for them. One that will protect their business on all fronts — on-premise, in mobile, cloud-based and virtual environments — helping them identify, quantify and manage the risks associated with information access.
Sure, it can be challenging to find a comprehensive solution that offers increased visibility to risks, faster resolution to security and risk issues, and secures your organization from everything the world's throwing at you. So, what have you got to lose by not implementing a strong access risk management solution? Well, maybe everything.
In parting, the Verizon report offers these recommendations to prevent data breaches:
For enterprises:
- Eliminate unnecessary data. If you need to keep it, monitor it.
- Establish essential security controls, and monitor them regularly.
- Monitor and mine event logs for suspicious activity.
- Evaluate your threat landscape and create a prioritized security strategy.
For small-medium businesses:
- Use a firewall on internet-facing services to protect data.
- Change pre-set credentials on Point of Sale (POS) and other systems to prevent unauthorized access.
- Monitor third-parties who manage your firewalls and POS systems.
Posted by Dave Fowler - COO on Wed, Apr 04, 2012
The MasterCard and Visa data breach at Global Payments highlights the vulnerabilities of electronic financial data. In the last few years, financial services companies have improved security, and now hackers are targeting the credit card payment processors. The good news in the Global Payments’ event is they identified “unauthorized access into a portion of its processing system,” sought expert help, and contacted federal law enforcement. Unfortunately these steps were taken after millions of cardholders had their information compromised.
Credit card processors may not be subject to the same regulations as the credit card companies themselves, but any company dealing with highly valuable personal data will clearly become a downstream target as financial institutions tighten up their security systems. It reminds me of the old locksmith’s theory that I can never make your house so secure it can’t be breached, so my goal is to make it tough enough that the thief goes elsewhere. Organizations in every industry are now becoming more aware that their responsibility for their customer information doesn’t stop at their systems, networks or employee devices but extends to their partners, distribution channels and suppliers.
While this may seem like an overwhelming task, the key may well be focusing on those items of greatest risk rather than trying a “boil the ocean” strategy. The hard part is knowing what are the most important assets and activities that might put the information and the company at risk. Unfortunately given the changing nature of our businesses, this can be like trying to tune a car while driving down the highway. The volume of information, and the volume of activity accessing the information, begs for an automated identity and access management solution and an analytics engine (much like business intelligence tools) that can sift through the data and bring some order to the information.
If we are going to keep up with the cat and mouse game with the criminals, we need to get a bigger/faster/hungrier cat. A risk-based focus on protecting information may just be the cat that has the mice looking to go elsewhere.
Posted by Chris Zannetos - CEO on Mon, Apr 02, 2012
The goal that vendors and customers have been trying to achieve in the Identity and Access Management space can actually be described quite simply:
Ensure that the right people have the right access to the right resources…and that they are doing the right things with that access.
Pretty simple, right? Simple to describe, but not at all simple to achieve.
First, there are the complexities of the heterogeneous computing infrastructure. This infrastructure consists of many, many applications, systems and networks. Each of those computing systems has a security model and access control that is optimized for that specific system — and not the whole environment. Bridging those is quite difficult. And the business keeps on changing, which often results in recombination of these varied systems in a single business process. Think the Automated Teller Machine via which the simple business action of transferring money from your savings to checking account requires the integration of funds transfer, passbook savings, demand deposit and account reconciliation applications — all optimized for their specific function, not for you transferring money via an ATM.
And that provides a window into the second major challenge. With computing now the foundation for business operations — whether the business is a bank, a retailer, a healthcare organization, energy concern, an educational institution, etc. — nearly every business action impacts who should have access to what, and what they should do with that access. Whether it is bringing on a new customer, promoting a staff member, releasing a contractor, opening a new office, delivering a new product line…nearly every business action impacts access.
So as a vendor community we have delivered a number of products that help ensure the right people have the right access to the right resources and are doing the right things with that access. How do you achieve this?
1. Get it right the first time
In the User Administration and Governance portion of the IAM market, vendors have provided User Provisioning systems to try to “get it right from the start.” The idea is to directly connect the change of access rights to business processes, such as the hiring process. So when the business action that impacts access occurs, the access is automatically aligned with policy and regulations. This has helped.
2. Verify it is right & Fix it
Vendors have also provided Identity & Access Governance tools such as automated access certification to enable customers to “verify it.” No matter how hard we try to “get it right the first time,” things happen that result in access being out of alignment with policy. IAG capabilities such as access certification enable business and application managers — those responsible for weighing risk and reward for the business — to periodically view who has access to what (and what kind of access they have). As business-driven solutions, they have been built to translate the complexities of that infrastructure into their language of business roles, and business entitlements. This has also helped.
And that very same tool that we used to try to get it right (User Provisioning) can then be used to “fix it.” When a business manager finds that one of his or her staff has excessive access, they can automatically kick off a provisioning process to revert their access to their role, delete it, disable it, etc.
It still isn’t simple to get it right from the start and to be able to verify that access is right as time goes on. But User Provisioning and IAG solutions help customers make great progress in ensuring that the right people have the right access to the right resources and are doing the right things with that access. (If you want to learn how, you can see a replay of a recent Courion webinar on best practices to achieve this.)
However, with all the value that automated User Provisioning and IAG provide, these solutions leave a huge gap in an organization’s ability to ensure the right access. The gap is so large, in fact, that organizations are under significant and growing risk every day that someone will misuse access to harm the organization.
This gap and what to do about it is the subject of my next blog.
Posted by Courion Corporation on Thu, Mar 15, 2012
Courion customer, HealthSpring, one of the largest Medicare Advantage coordinated care plans in the United States, was recently named a finalist for the ISE® Southeast Project of the Year Award. The ISE Southeast Award recognizes the information security executives and their teams who have demonstrated outstanding leadership in risk management, data asset protection, regulatory compliance, privacy, and network security.
Check out the video to learn more about how HealthSpring’s award-winning Identity and Access Management project automated their labor-intensive, manual identity and access management processes — streamlining operational efficiencies, improving compliance accuracy, speed and scalability.
Posted by Courion Corporation on Thu, Feb 23, 2012
Everywhere you look, headlines shouting data breaches abound. Just this month, the Wall Street Journal, eWeek and Techspot have highlighted new details surrounding a decade-long security breach at Nortel Networks. Ten years! Sounds absurd, but by using stolen passwords from top executives, the perpetrators (believed to be working from China) downloaded thousands of company documents including sensitive company information and intellectual property comprising technical papers, R & D reports, business plans and employee emails. This particular example really hits home, showing just how vulnerable organizations are to cyber espionage through user access.
The latest on the Nortel breach, along with the 2011 spear phishing attacks on RSA, The Security Division of EMC, and breaches to the CIA website, U.S. Senate, and government contractors Lockheed Martin and Booz Allen Hamilton, highlight the fact that cyber attacks on U.S. assets are anything but isolated incidents. In fact, these high-profile breaches have led the current U.S. administration to take a hard stance against electronic espionage. Although none of the attacks have been confirmed to be initiated by foreign nations, the Pentagon has declared that any cyber attack against a U.S. asset that is proven to be perpetrated by a foreign power could be interpreted as an act of war and may be answered with measured military force.
The U.K. is taking a strong stance as well. In a recent article, Marc Lee, Courion Director of EMEA Sales, talks about the Information Commissioner’s Office (ICO) highlighting the need for public authorities to step up the development and enforcement of their access risk management policies. This came on the heels of a recent data breach at the Scotland Midlothian Council, which sent confidential and sensitive information on children and their care givers to the wrong recipients.
So while some may think of cyber attacks as acts perpetrated from the “outside,” they’d only be half-right. In many cases, insiders are becoming the biggest risks to the security of critical data. The more vital the information, the more sophisticated and targeted attacks are likely to be. And all of this makes managing access to corporate and public sector resources more important than ever before.
Getting at sensitive data through a user inside an organization – a user who already has all the access rights they need – is not only the most effective way to breach a hardened perimeter defense, but it’s a brilliant way to obfuscate the attack. Organizations need to be on the lookout for “middle man” hackers who may be working for your company, but are really serving as mercenary forces crafting veiled attacks.
Access risk management is a critical aspect of an organization’s Identity and Access Management (IAM) strategy. To that end, companies need to take a closer look at user access within their organizations to ensure that the right people have the right access to the right information and are using that access appropriately. But it’s not enough to know who’s accessing the network -- and verify that the user is approved to do so -- you also need access intelligence to identify and quantify real-time access risk.
While the challenges of managing user access may seem formidable, the result of not managing user access can be devastating. Just ask Nortel.
Posted by Kurt Johnson - VP Strategy on Mon, Feb 06, 2012
Kurt Johnson, Courion’s VP of Strategy & Corporate Development, sat with Tyler Pyburn, host of The Pulse on Technology, to talk about the challenges healthcare providers face protecting access to critical and sensitive data, and Personal Health Information, and the solutions they need to ensure that the right people have the right access to the right information. Check out this video interview and hear how you can address these challenges and more.
Posted by Courion Corporation on Thu, Feb 02, 2012
Protecting against loss of intellectual property and vital data is mission critical, and a big part of what keeps IT managers up at night.
But a recent survey conducted by Courion of IT managers revealed there's a disconnect between the top concerns of IT managers and what they're doing to protect vital corporate information.
While potential loss of sensitive data, corporate reputation, intellectual property or revenue topped the list of risks to the organization, IT managers also struggle with actually identifying their biggest access risks and the need to put processes in place to manage them.
But surprisingly, only 12 percent of those responding conduct reviews more than monthly to certify that user access risk poses no threat to their critical assets. Over 60 percent of IT managers review user access privileges only four times per year or less, and those reviews only ensure companies are observing security and best audit practices — they're not focused on identifying new or growing areas of access risk — such as internal users abusing privileges.
That said, more than half of the survey respondents know they need to start doing things differently. They'd like to use near-real-time graphical profiles of Identity and Access Management (IAM) activities to help them manage the most critical risks to corporate information, but said they currently lack visibility into the access risk management data they need to create the profiles.
Lack of data also prevents IT managers from identifying user access associations and patterns that violate company policies or could enable users to circumvent internal controls. Nearly 60 percent of those polled said they can't compile the data for that kind of analysis from their existing IAM systems, and many who use IAM data to manage risk are doing it manually — it's not only time consuming; it doesn't provide a business context for evaluating access risk.
While survey results show obvious gaps in access risk management programs, they also show that IT managers are very aware about what’s needed to address these gaps. The key is having more access intelligence about their access risk — insight into which users have access to what vital information and knowing if they’re doing the right things with that access.
To learn more, click here.