Triumfant
Triumfant real-time malware detection and remediation
As I’ve previously noted I’m on the advisory board for Trimufant (I’m at this page). I’m hoping all CTO types will check out this company (and I’m also hoping you don’t mind me blogging about a company I’m advising. After all, I’m associated with them because I believe they are a world-class outfit with a great capability).
In this post I want to bring your attention to a Triumfant press release . It is an announcement that Triumfant now provides real-time malware detection and remediation. Triumfant has long been the leading capability for discovering unexpected changes to computer endpoints, but with their new Triumfant Resolution Manager they build on their ability to deliver zero-day malware protection. Read the rest of this entry »
Enhancing Security and Functionality At The Same Time
Have you ever been sucked into the false debate over how much IT spending should be spent on security? I used to all the time. Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.” That old school formula may well be part of the reason we got into the mess we are currently in. It contributes to thoughts that lead you to think security can be separated. By my way of thinking, 100% of the budget goes to security and functionality and that is the calculus.
Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT. I try whenever possible to use the term security and functionality in the same context just to underscore that point.
For example, the goal I continually push regarding security in the federal space is not just one dealing with security. I put it this way: “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.” Putting the goal this ways also underscores that it is not security vs. functionality. Both need to increase.
This goal also cries out for the need for metrics in security and functionality. For functionality there are many customer focused survey methods that can help collect the right metrics. For security, I think one metric stands out above all others: Detected unauthorized intrusions. There are many other important metrics for other dimensions of the security problem, but that one is key. So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly. If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.
That is a dramatic goal. What makes me think it is achievable? In part the dramatic action being put in place today in the federal space. And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods. But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security experts in the federal space today.
As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines. Details of this effort are at http://www.sans.org/cag/
The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance. These controls and metrics include:
Critical Controls Subject to Automated Measurement and Validation:
-
Inventory of Authorized and Unauthorized Hardware.
-
Inventory of Authorized and Unauthorized Software.
-
Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
-
Secure Configurations of Network Devices Such as Firewalls and Routers.
-
Boundary Defense
-
Maintenance and Analysis of Complete Security Audit Logs
-
Application Software Security
-
Controlled Use of Administrative Privileges
-
Controlled Access Based On Need to Know
-
Continuous Vulnerability Testing and Remediation
-
Dormant Account Monitoring and Control
-
Anti-Malware Defenses
-
Limitation and Control of Ports, Protocols and Services
-
Wireless Device Control
-
Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
-
Secure Network Engineering
-
Red Team Exercises
-
Incident Response Capability
-
Data Recovery Capability
-
Security Skills Assessment and Training to Fill Gaps
The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them. The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.
What should CTOs think about this guidance? As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.
The deeply respected community leader Alan Paller said it this way:
“This is the best example of risk-based security I have ever seen,” said
Alan Paller, director of research at the SANS Institute. “The team that was
brought together represents the nation’s most complete understanding of
the risk faced by our systems. In the past cybersecurity was driven by
people who had no clue of how the attacks are carried out. They created an
illusion of security. The CAG will turn that illusion to reality.”
Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.
Melissa Hathaway Op-Ed on Cyber Security
I wanted to post this in totality for a couple reasons. One is it is something all of us should read. Although I believe most readers of this blog will find no surprises in this op-ed, Melissa has a real talent for capturing information in easy to understand ways and I think we can all borrow lessons from the way she explains things.
Performance Management In Organizations and Computers
There are some interesting analogies between performance management applied to organizations and performance management applied to computers.
In both cases, performance metrics are crucial to success. In organizations, what we reward gets measured, and what gets measured can be more efficiently and effectively done. In our computers, what we decide is important gets measured, and those measurements can help us drive to increasingly effective and efficient performance.
Compliance enhances IT support to the mission
I’ve previously blogged about Triumfant, a company that has mastered
the automated detection and resolution of IT problems. I also think
of them as the world’s greatest compliance monitoring capability. What
do I mean by compliance? I mean compliance in the context of the many
rules, regulations and configurations that external organizations and
the government require, and also compliance with your own policies and guidance.
For those who are not familiar with the full scope of compliance
issues, a great source is the site of the IT Compliance Institute.
Their goal is to be a global authority on the role of technology in
business governance and regulatory compliance. That means they are
driven to seek out regulations, understand the requirements for
compliance, and then help determine the best way to automate that
compliance.
The site holds several white papers and
checklists on topics like IT Audit, Risk Management, keeping up SOX
compliance, Change Management, Logging, Reporting, and Security.
These papers seem to be good primers for any CTO or other enterprise
technologist who needs to understand this domain.
Here are some other thoughts on compliance:
– During my time as a CTO of a DoD Agency, I noticed a shift in how
federal organizations perceived compliance. Federal organizations are
all about compliance, and have long followed mandates like the
Clinger-Cohen Act, FISMA, the many Enterprise Architecture requirements
(like DoDAF or FEA), and a wide variety of other requirements. But
most federal organizations did not treat compliance as a way to
optimize delivery of IT capabilities to users. And most federal
organizations did not have to comply with many of the regulations being
levied on industry (like SOX, for example). That is all changing.
– More recently IT professionals began to see compliance and the need
for automated control of systems as a way of not just complying with
regulation and reporting requirements, but a way of ensuring uptime,
helping speed delivery of new software deployments, helping reduce IT
admin costs, and helping with overall abiity to support the mission.
Add to this new awareness of the importance of compliance the recent
shifting of federal policy towards having agencies produce financial
audits and IT auditing requirements to the same standards as the
commerical sector.
There are more shifts in compliance underway in the federal space,
including a new Federal Desktop Core Configuration (FDCC). I see all
this compliance as a good thing that should be executed in a way that
enhances uptime, enhances security, and enhances the delivery of
capability to end users.
For more on compliance see my previous post http://www.ctovision.com/2008/07/automated-resolution-of-it-problems.html
For more on triumfant see: http://triumfant.com
Disruptive Technologies List Updated
The list of the positive technologies I believe all enterprise Chief Technology Officer s should be tracking has now been updated. Please check it out at:
http://www.ctovision.com/disruptive-technology-list.html
I try to keep this list up by remaining in dialog with enterprise CTO s and soliciting their feedback on the list. I also keep watching what the venture capital folks are investing in and try to closely track what the big IT firms are up to. The result is the list.
I’ve also started writing slightly more detailed reviews of key positively disruptive technologies. I post them under titles “Disruptive Tech:…” and you can find links to those pages on the right hand side of the CTOvision.com blog.
For now this list includes:
- Disruptive Tech: Adapx
- Disruptive Tech: Adobe
- Disruptive Tech: Agent Logic
- Disruptive Tech: Attensity
- Disruptive Tech: Basis Technology
- Disruptive Tech: Centrifuge Systems
- Disruptive Tech: CopperEye
- Disruptive Tech: Endeca
- Disruptive Tech: Forterra Systems
- Disruptive Tech: Initiate Systems
- Disruptive Tech: Inxight
- Disruptive Tech: Language Weaver
- Disruptive Tech: MetaCarta
- Disruptive Tech: PixLogic
- Disruptive Tech: Quantum4D
- Disruptive Tech: Triumfant
See also:
Automated Resolution of IT Problems
In January 2008 I was named to the advisory board of Triumfant, a
company who has mastered the automated detection and resolution of IT
problems. Of all the IT firms I’ve seen, they are the ones with the
most comprehensive approach to automated resolution management and the
only one I’ve seen that can automate the entire lifecycle of IT problem
management, from identification to resolution.
I recently read some very exciting news about Triumfant. They have
just signed a partnership agreement with one of the largest suppliers
of computers to the federal government: computer giant Dell Inc.
Triumfant software will be sold pre-installed on Dell computers to
federal customers running Microsoft Windows XP and Vista.
I take this as a huge endorsement of the Triumfant approach of
automated process monitoring and IT compliance enforcement. This agreement between Triumfant and Dell is
also great news for enterprise CTOs and other technologists who must
meet the mandate of the OMB’s Federal Desktop Core Configuration
(FDCC).
CTOvision Blog 