"With all the focus on security at the conference, we had a lot of interesting conversations at our booth. Most of the MSPs were hearing the cyber focus loud and clear. One common concern, though, was that their customers may not be getting the message. Hearing how we are able to offer our current MSP customers scalable, automated protection was on target for them. We explained how some of our MSP clients are offering our privileged account protection as a premium option in their hosted packages."
"It’s only recently that the image of the cyber bad guy has changed from the lone wolf in his mother’s basement chugging caffeine and eating chips to the professional cyber attacker. Now many will include the shadowy agents of foreign governments as bad guys that may come after them."
| August, 2015
"Board level members know that breaches are inevitable and they may be held liable for their failure to guide the company toward an operational posture that responds immediately and appropriately. In its oversight role, the board will continue to push the CEO or corporate president for answers on how the company will achieve acceptable losses via a cyber-defense strategy. The concept of acceptable loss is not new for the CFO and CEO; however, when it comes to the spooky and complex world of IT, it appears as though there is a blind spot that is being ignored at the peril of careers."
"Over the weekend we all got a few wake-up calls with home control automation from Insteon and Chrysler. Both of these may seem like anomalies, but the true story is that the nature of poor security, lack of automated patching of embedded systems, and generally lousy IT security services for public IOT systems is an epidemic that will make life miserable in ways that were never conceived of a decade ago."
"It is a tragedy that the Executive Branch as well as NIST and the NSA have been preaching the gospel of security by design, segmentation of data and control, proper identity management, and effective monitoring. Here with OPM we have an agency entrusted with the defense of its government employees ignoring the guidance given by the government, and outright failing to implement off-the-shelf technologies that are common in the commercial realm. A fix for the problem was a phone call away to virtually any of the defense contractors in the beltway who have been dealing with these types of attacks for decades."
"The fundamental concept is that cyber-warfare has now reached the level that intrusions and credential/privilege misuse can be impossible to detect. Therefore, strong medicine is necessary to treat patients of diseases that are fatal if left untreated, but undetectable in many cases. Our latest technology makes the assumption that intruders are in your environment, undetected. You have to decide how long you are willing to allow them to nest and have access to your systems."
"Today's reality is that cyber warfare is a game of speed, attrition and acceptable loss. Intrusions will be successful some fraction of time and when successful, they will expose every static credential, hash, cached credential, and ticket on compromised systems that you have used – along with those that have connected to your systems. The takeover of your environment happens in minutes and typically will persist for hundreds of days undetected."
"SSH configuration information can be used to report on and to determine proper SSH and SSH Key configuration and to identify the security configuration of the systems surrounding the use of SSH Keys. SSH Key details show where the key is and what accounts it is tied to. SSH Keys that are discovered are now being included for potential management and SSH connectivity."
| February, 2015
"In most of the cyber attack cases, the prevailing public response has been that the attacks were so complex and overwhelming that no reasonable care could have been taken to protect against them. With that position, many of the hacked companies (prior to the attacks),purchased cyber-warfare insurance and then proceeded to cut IT investment in security under the theory that there was no point spending money for something that does not work and for which you can be insured (force majeure theory)."
| January, 2015
"We are happy to announce a joint development program with the RSA Identity Management and Governance team to provide not only attestation of privileged access capabilities, but also privilege management for RSA customers."