Here are my slides from a lecture I gave 2 years ago correlating a drop in stock price with news of a data breach. Please forgive the short post, I’m just throwing this out there in response to today’s #secchat.
I spoke with Lori MacVittie of F5 Networks about what they’re seeing in terms of security attacks. The F5 Networks equipment, which I had thought of as load balancers and such, is actually really good at intercepting and reporting on network traffic. For example, if an attacker were manipulating packet headers then since all the traffic flows through the BIG-IP, it is easy to find anomalies in the BIG-IP. There’s also an application security firewall (Application Security Manager) that runs on top of BIG-IP.
One of the things they’re seeing with attacks like Apache killer and BEAST is that they have become application specific – javascript, known exploits in web server software. The user goes to the attacked site, downloads malware and spreads it. This is very hard to prevent. The user thinks he’s on a familiar site, but it has been hacked, then the malware gets downloaded and installed.
Users can download a JavaScript DDOS tool without knowing it, or participate in a cross-site scripting attack unwittingly. “The application providers need to do a better job protecting their sites in general,” says Lori. It’s like a public service for application providers to protect their own stack so that end users are protected.
Because we can’t control the endpoint we need to do a better job of securing the applications and web sites that. In this way, hackers have a way of exploiting a series of trust relationships. Mobile devices may go outside the firewall, get infected, and then come back inside the firewall.
In this way, consumers aren’t only at risk; they’re becoming part of the attack. As attackers move up the stack and figure out how to involve more users unknowingly, they will. This spreads out the threat in such a way that it is difficult to address. Now you’ve got a DDOS coming in from all over the world, not from a few dozen servers.
“Everybody is a suspect now. Every connection needs to be examined as an attack of some kind.” The traffic inspection tool becomes much more important at this point. Websites need to protect themselves in order to protect users. When attackers use the protocol itself as part of their strategy, then it is very difficult to search for anomalies and detect them.
Potential solutions include running a web application firewall, conducting regular vulnerability scans, and scanning code before implementing it. Make sure that the web app firewall is configured to scan incoming and outgoing traffic to better find anomalies. Use some of the security features built into your load balancer, which are usually not used because people think of the devices just as load balancers. Use all the tools at your disposal in a layered approach.
Attacks are now being combined, where an attacker could use a DDOS to mask an attack on the application.
Joe Stewart, Dell SecureWorks’ Director of Malware Research, and the Counter Threat Unit (CTU) research team have long been researching Advanced Persistent Threat (APT) hacking activity. Since different entities may use the term APT differently, it is important to define the term as used in this analysis. According to Stewart, APT is best defined as “cyber-espionage activity targeted at government, industry or activists.”
To date, Stewart and the CTU have catalogued over 60 different families of custom malware involved in APT activity. Stewart and the CTU have developed countermeasures and Threat Intelligence to detect this malware. During this research, Stewart discovered that the hackers using these APT malware families sometimes use a common tool in order to disguise the location of their command-and-control (C2) servers. This tool is known as “HTran”.
HTran is a connection bouncer, sort of like a simplified reverse proxy server. Hackers can install an HTran listener on a host anywhere on the Internet (most often on hacked third-party servers), and bounce incoming connections back to their real C2 server. HTran was authored by “lion”, a well-known Chinese hacker and reported founder of the Honker Union of China (HUC), a patriotic hacking group in the People’s Republic of China (PRC). The name “HTran” actually stands for “HUC Packet Transmit Tool”.
What led Stewart to the discovery of the common use of HTran was an error message that HTran emits to connecting clients whenever the hidden backend C2 server is unreachable. By creating a system to establish regular connections to a list of over 1,000 IP addresses known by the CTU to be associated with APT activity bouncers, Stewart was able to uncover several HTran installations that eventually reported error messages revealing the IP address of the true C2 controllers. While all of the found HTran installations were on computers in the U.S., Europe, Japan and Taiwan, all of the hidden C2 controllers they redirected traffic to were located on just a few networks in the PRC.
Two of the families of malware, where variants were discovered using HTran bouncers, can be directly connected to the RSA Security breach disclosed in March 2011, based on related samples analyzed by Stewart that use C2s from the list disclosed in the CERT bulletin “EWIN-11-077”.
All of the detected HTran and hidden C2 IP addresses are listed in the full report, along with information and Snort signatures which can enable other institutions to detect HTran error messages in network traffic and possibly uncover not only latent APT activity, but also the true destination of any data that would be exfiltrated.
I had the opportunity to interview Joe Stewart from Black Hat about HTran.
The research started because Joe was focusing on APT for a number of reasons. He set about to classify APT, to survey the malware environment, and to understand how the APT malware is related as well as how the infrastructure it shares is related. Looking at the network traffic from a bunch of malware samples related to, but not used in, the RSA attack, he saw a pattern. It was an error message from HTran saying that it couldn’t bounce. So he wondered: how many of these bouncers are there, and can we find out where the systems on the other side of the bouncer are?
HTran basically gives away the IP address of the hosts that are on the back side. HTran came out in 2000 and is a popular bouncer used widely in hacking so this is significant because it could lend insight to how to combat HTran.
He’s got over 6,000 back end hosts identified and over 60 individual strains of malware isolated as results of this analysis. After resolving all of the host names he ended up with about 1000 IP addresses. He started to connect to them every 10 minutes with software he wrote to obtain that error message from the servers. From those 1000 he ended up with 18 back end servers.
Joe’s written 2 Snort rules to detect the activity, so this functionality has been rolled out to SecureWorks customers already. The Snort rules were publicly posted on Wednesday so anyone running an open source based IPS can take advantage of this knowledge. Someone who has malware using the HTran network could install these rules and spot the traffic in order to protect themselves.
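The detection idea described above, as an added Python example that is not from the original post or from SecureWorks: it scans the first server-to-client payload of captured flows for an HTran connect-failure banner and records which backend each bouncer revealed. The banner format `[SERVER]connection to <host>:<port> error` is an assumption taken from the publicly available HTran source, not from this page, and the flows and addresses are constructed samples using documentation ranges.

```python
import re
from collections import defaultdict

# ASSUMPTION: banner format from the public HTran source, not from this page:
#   "[SERVER]connection to <host>:<port> error\r\n"
# Anchored at the start of the payload so the string appearing deep inside
# some other response (an HTML page, a log excerpt) does not trigger a hit.
BANNER_RE = re.compile(
    rb"^\[SERVER\]connection to ([A-Za-z0-9.\-]{1,253}):(\d{1,5}) error\r?\n?$"
)
MAX_BANNER_LEN = 80  # the banner is one short line; ignore anything larger


def parse_htran_error(payload: bytes):
    """Return (backend_host, backend_port) if payload is a failure banner."""
    if len(payload) > MAX_BANNER_LEN:
        return None
    match = BANNER_RE.match(payload)
    if match is None:
        return None
    port = int(match.group(2))
    if not 1 <= port <= 65535:  # reject syntactically valid but impossible ports
        return None
    return match.group(1).decode("ascii"), port


def find_bouncers(flows):
    """Map each (server_ip, server_port) that sent a banner to its backends.

    `flows` yields (server_ip, server_port, first_server_payload) tuples,
    e.g. extracted from an IDS or a packet capture of your own network.
    """
    hits = defaultdict(set)
    for server_ip, server_port, payload in flows:
        backend = parse_htran_error(payload)
        if backend is not None:
            hits[(server_ip, server_port)].add(backend)
    return dict(hits)


def backends_to_bouncers(hits):
    """Invert the mapping: which bouncers front the same hidden backend."""
    inverse = defaultdict(set)
    for bouncer, backends in hits.items():
        for backend in backends:
            inverse[backend].add(bouncer)
    return {backend: sorted(b) for backend, b in inverse.items()}


# Constructed sample flows (documentation address ranges, not real indicators).
SAMPLE_FLOWS = [
    ("192.0.2.10", 443, b"[SERVER]connection to 198.51.100.7:8080 error\r\n"),
    ("192.0.2.10", 443, b"[SERVER]connection to 198.51.100.7:8080 error\r\n"),
    ("192.0.2.77", 8080, b"[SERVER]connection to 198.51.100.7:8080 error\r\n"),
    ("203.0.113.5", 8443, b"[SERVER]connection to c2.example.test:443 error\r\n"),
    # Banner text not at the start of the payload: must not match.
    ("192.0.2.44", 80,
     b"HTTP/1.1 502 Bad Gateway\r\n\r\n[SERVER]connection to 198.51.100.7:8080"),
    # Impossible port number: rejected.
    ("203.0.113.9", 53, b"[SERVER]connection to 198.51.100.7:99999 error\r\n"),
]

if __name__ == "__main__":
    found = find_bouncers(SAMPLE_FLOWS)
    for backend, bouncers in sorted(backends_to_bouncers(found).items()):
        print(f"backend {backend[0]}:{backend[1]} revealed by {bouncers}")
```

Grouping by backend mirrors the observation in the report summary that many bouncers pointed back to a small number of hidden hosts.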
The research is available in full.
Cyber security experts and government policy makers from around the world are gathering at Queen’s University Belfast to develop the first ever global technology research strategy to counter cyber terrorism.
The inaugural World Cyber Security Technology Research Summit is being held at Queen’s Centre for Secure Information Technologies (CSIT) – the UK’s lead centre for cyber security research in this area. The summit will address the current risk to global cyber security as well as outline potential future threats to information systems. The select group of world experts will share current trends in cyber security, look at security threats likely to emerge over the next five to ten years and agree on an international strategy for developing research that will safeguard the ‘Internet of tomorrow’.
The summit comes just weeks after the UK government announced that cyber crime was costing the UK economy £27 billion a year. The cost is made up of £21 billion of costs to businesses, £2.2 billion to government and £3.1 billion to citizens.
Danny Kennedy, Minister for Employment and Learning, opened the summit. During his welcoming address, the Minister said: “The significance and benefit of the cutting edge work being carried out by Queen’s has been demonstrated with their status as the UK Integrated Knowledge Centre for Secure Information Technology, a development which will create significant opportunities in the local economy, as well as enhancing the skills base within Northern Ireland.
“It is a great honour for the University and, of course, the city of Belfast, to host the inaugural World Cyber Security Technology Research Summit, and thus play a part in helping to develop an international strategy on cyber security.”
He continued by saying: “With the goodwill, knowledge and expertise that the summit has now brought together, I have absolutely no doubt that the outcome from today’s event will ultimately bring huge benefits to wider society.”
The Minister concluded by commending Queen’s for the excellence of the research being carried out within this field at the Centre for Secure Information Technologies, and highlighted that it will play a pivotal role in enabling that success to be attained.
Professor John McCanny, CSIT principal investigator, said: “CSIT recognises there is a lot being done on current cyber threats, but there is not a lot of collective thinking about what is coming next.
“It is hard to say exactly what the Internet will become, but we can see a world where it will be core to the very fabric of society. It will be part of our critical infrastructure; providing essential services and becoming an even bigger part of our lives – being used in assisted living; allowing computers to drive our cars, deliver our groceries and monitor and manage our health. It is therefore very important that we develop a strategy to protect ourselves against cyber technology attacks. With such a range of experts attending we expect to come up with the first ever global strategy to protect against cyber crime.
“This summit is the first of its kind and will really mark out the future of cyber technology around the world. The risks associated with the Internet extend from individuals to nations. Internet security is a major issue at a national and international level and there are a number of programs and initiatives around the world where both governments and industry are looking to solve some of the problems we face in this area. We at CSIT believe that ‘Belfast 2011’ will be the first of many summits over coming years, and may even be the beginning of an international movement of collaboration and co-operation to safeguard against cyber terrorists of the future.”
The summit at Queen’s puts the University and Belfast on the map as leading the research into global cyber security. Guests from UK Home Office, U.S. Department of Commerce, U.S. Cyber Consequences Unit, Stanford University, Carnegie Mellon University, BAE Systems, Thales and IBM among others, illustrate the scale of the expertise at the summit.
My latest blog post for CIOUpdate.com went live this morning. I talk about some of the trends I saw at RSA last week including emphasis on securing virtual and mobile environments.
RSA 2011- Industry Focusing on Virtualization, Mobility and Data — CIOUpdate.com.
M86 Security bi-annual report focuses on second half of 2010 cyber threats and key trends; more complex Trojans and next generation malware on the way, social network attacks continue to increase
Orange, Calif. – February 14, 2011 – Frustrated email users may have noticed a significant drop in spam in recent months, but cybercriminals are gaining ground with creative new phishing methods and making exploit kits more robust, according to the latest Security Labs Report from M86 Security, the global expert in real-time Web and email threat protection, which was released today.
Investigating the cyber threat trends in the second half of 2010 for its bi-annual report, M86 Security Labs analyzed spam, phishing, and malware activity, and tracked global Internet security trends. Millions of email messages, infected Web pages and malware samples were reviewed and then correlated with their own Web exploit and vulnerability research, providing M86 with a unique vantage point to report on these trends.
“What is especially noteworthy is that our findings demonstrate that vulnerabilities already patched are continuing to be successfully used for malicious gain. Organizations and individuals must get better at updating their applications and staying ahead of attacks on their devices and their networks,” said Bradley Anstis, vice president of technical strategy, M86 Security. “While the M86 Security Labs report notes that great strides are being made in thwarting cyber-criminal attempts, there is always something else coming through the back door.”
Key findings by the M86 Security Labs for the second half of 2010:
Email Spam is Declining, though Far from Dead: According to the M86 Security Labs research, spam volume has slowed considerably, down to one-third the level at year end when compared to June 2010. Using the M86 Security Labs Spam Volume Index, which tracks changes in the volume of spam received by representative domains, the research shows that spam reduction was affected by botnet disruptions and the closure of a popular affiliate program. This is the lowest since November 2008, when the rogue hosting provider McColo was taken offline.
Botnet Take-downs and Spamit.com Closure: Notably, Spamit.com, an underground affiliate program used by several spamming botnets, was shut down in late September 2010. Spamit.com was linked to Glavmed and the “Canadian Pharmacy” brand of bogus online pharmacies. The Rustock botnet was most affected, with its spam output drastically reduced. However, plenty of other botnets moved up to take its place, and trends in this threat category will continue to be monitored for changes and increases. Other spamming categories in the top four include those for replica watches, fake diplomas and cheap watches. In August, notorious spammer/botnet, Pushdo/Cutwail, was taken down, resulting in a significant spam volume decrease due to a coordinated takedown attempt by security researchers. According to Anstis, such efforts are typically short lived, with the botnets returning to their normal activities. Another well-known botnet, Mega-D, has been taken down multiple times since 2008, only to return. In November 2010, the FBI identified and apprehended Oleg Nikolaenko, a Russian behind the botnet. The botnet since has generated less than 5 percent spam by volume. M86 Labs analysts point to the continuing need to go after and prosecute botnet operators for more long-term impact on spam operations and volumes.
Third-Party Phishing on the Rise: The good news about phishing is that such practices delivered via email are declining dramatically as users are becoming more aware of fake e-mails claiming to be from banking institutions. The bad news: cyber-thieves have found more effective means of stealing bank information from users visiting legitimate banking websites. Malware, including Trojans like SpyEye and ZeuS, are increasingly popular methods for criminals to make off with personal and financial information.
Additionally, attacks posing as third-party agencies such as the IRS and the New Zealand Department of Inland Revenue are being used to phish for a user’s bank account information under the guise of receiving bogus tax refunds. This makes it easier for thieves to obtain information from unsuspecting users by providing multiple options to the user to select the bank of their choice, thus eliminating the guessing game typically played to determine where a user conducts their banking. UK banking customers have been similarly affected, receiving a falsified email purporting to be from HM Revenue and Customs with the same legitimate looking page with options for all banks in that specific region.
Exploit Kits with Virus Scanners, Social Network Attacks Increase: As previously reported by M86 Security, the popularity of exploit kits is on the rise. The newest trend is that more kits are offering services to their customers thus becoming more of a “one-stop shop.” The scanning module in the Siberia Exploit kit and Neosploit’s new Malware-as-a-Service offering are just a couple of significant examples signaling a shift in exploit kit capabilities.
While traditional forms of spamming via email are down, spam techniques using such social networking sites as Twitter, Facebook and LinkedIn, continue to expand. The LinkedIn scam has a legitimate look and feel, inviting users to connect with others in their “network,” only to be connected with the Phoenix exploit kit infection page, which tries to exploit the victims’ computer through various vulnerabilities. The M86 Security Labs report also tracks the top 10 exploit kits being used worldwide.
To download the complete version of the latest M86 Security Labs Report, please go to http://m86.it/2h2010
About M86 Security Labs
M86 Security Labs is a group of security analysts specializing in Email and Web threats, from spam to malware. They continuously monitor and respond to Internet security threats. The Security Labs’ primary purpose is to provide a value-added service to M86 customers as part of product maintenance and support. This service includes frequent updates to M86’s unique, proprietary anti-spam technology, SpamCensor, as well as Web threat and vulnerability updates to the M86 Secure Web Gateway products. The updates allow M86 customers to proactively detect and block new and emerging exploits, threats and malware.
Data and analysis from M86 Security Labs is continuously updated and always accessible online at http://www.m86security.com/labs and on Twitter at http://twitter.com/m86labs
About M86 Security
M86 Security is the global expert in real-time threat protection and the industry’s leading Secure Web Gateway provider. The company’s appliance, software, and Software as a Service (SaaS) solutions for Web and email security protect more than 24,000 customers and over 17 million users worldwide. M86 products use patented real-time code analysis and behavior-based malware detection technologies as well as threat intelligence from M86 Security Labs to protect networks against new and advanced threats, secure confidential information, and ensure regulatory compliance. The company is based in Orange, California with international headquarters in London and development centers in California, Israel, and New Zealand. For more information about M86 Security, please visit: www.m86security.com.
Vendors and Service Providers Benefit from Simplified Access to Messaging Security, Web Security, Antivirus
RSA Conference, San Francisco, CA – February 14, 2011 — Commtouch® (NASDAQ: CTCH) today announced the introduction of its new unified Internet security solution, which brings together messaging security, Web security and antivirus into a single engine.
The unified engine can be integrated into the products of security and networking vendors and into service providers’ infrastructure. Typical solutions that would benefit from the unified engine are software or hardware solutions or services that combine multiple security technologies, such as unified threat management (UTM), secure content filtering gateways and SaaS security solutions.
“With a combined ‘triple-play’ solution, each technology leverages the other to create an even stronger barrier against ever-increasing blended threats,” said Amir Lev, Commtouch’s CTO. “From a business perspective, the single interface also reduces short and long-term integration and operational costs.”
The three security technologies cross-enhance each other by sharing intelligence about Internet threats, providing better protection overall. There are several instances in which this information exchange would take place. For example, if a phishing web site threat is detected, the malicious URL is shared with Commtouch Anti-Spam so that emails containing the phishing link can be blocked. This data-sharing is enabled by Commtouch’s cloud-based GlobalView™ Network, which collects and analyzes billions of Internet transactions in real-time.
Using an integrated detection engine offers some clear technical benefits to the vendors and service providers that incorporate it into their solutions:
- Enhances performance by reducing resource utilization compared to the larger footprint required by separate components
- Significantly reduces integration time of all three services since there is a unified interface
The unified solution is a win-win on the business side, since it significantly simplifies operations. There is:
- one vendor to manage
- one invoice to process
- one address for support
- one company to interface with for training, roadmap discussions, or any type of technical or operational updates
Each of the three solutions within the unified engine is best-of-breed, and they are available individually as well. These industry-leading stand-alone solutions also benefit from the shared security information distributed via the GlobalView Network.
“This new engine presents a unified interface across our product lines, providing a thoroughly integrated, simplified, and cost-effective combination of technologies for our partners,” concluded Mr. Lev.
The single engine includes the following products: GlobalView™ Web Security, Anti-Spam, Command Antivirus®, and Zero-Hour™ Virus Outbreak Protection. The Command Antivirus division was acquired from Authentium in September, 2010.
More Information
To learn more about Commtouch’s new triple-play product, contact info@commtouch.com.
About Commtouch
Commtouch® (NASDAQ: CTCH) provides proven Internet security technology to more than 150 security companies and service providers for integration into their solutions. Commtouch’s GlobalView™ and patented Recurrent Pattern Detection™ (RPD™) technologies are founded on a unique cloud-based approach, and work together in a comprehensive feedback loop to protect effectively in all languages and formats. Commtouch’s Command Antivirus utilizes a multi-layered approach to provide award winning malware detection and industry-leading performance. Commtouch technology automatically analyzes billions of Internet transactions in real-time in its global data centers to identify new threats as they are initiated, enabling our partners and customers to protect end-users from spam and malware, and enabling safe, compliant browsing. The company’s expertise in building efficient, massive-scale security services has resulted in mitigating Internet threats for thousands of organizations and hundreds of millions of users in 190 countries. Commtouch was founded in 1991, is headquartered in Netanya, Israel, and has a subsidiary with offices in Sunnyvale, California and Palm Beach Gardens, Florida.
Stay abreast of the latest news at the Commtouch Café:
http://blog.commtouch.com. For more information about enhancing security offerings with Commtouch technology, see http://www.commtouch.com or write to info@commtouch.com.
Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.
New Solution Allows Users to Integrate Critical Security Event Information in Minutes
(Los Angeles, CA – February 15, 2011) Security information and event management (SIEM) solutions have become a must-have in IT environments because the technology helps make sense of the vast quantities of data provided by security software and appliances across the network. But for all the advantages of SIEM, until now the solutions had one troubling blind spot. While SIEM can correlate volumes of security data to create a picture of singular events, by itself it lacks the ability to tie those events to the most powerful users and processes within IT.
Lieberman Software Corporation today announced that the latest version of Enterprise Random Password Manager™ (ERPM), the company’s flagship privileged identity management (PIM) solution, provides deep, out-of-the-box integration with ArcSight ESM™, RSA enVision™, and the Q1 Labs QRadar™ Security Intelligence Platform. Available at no additional cost to supported customers, ERPM now includes an intuitive setup Wizard that customers can use to configure integration with these SIEM systems in only minutes.
Once customers enable the integration features in ERPM, the PIM and SIEM technologies work in concert to ensure that only authorized personnel can access an organization’s most sensitive data, change configuration settings, and run programs on the network.
“Our collaboration with leading SIEM providers has eliminated a single, critical blind spot that was present in these solutions,” said Philip Lieberman, president of Lieberman Software. “These technical integrations allow IT staff to correlate the most powerful and potentially disruptive human and automated actions with the individuals responsible. Prior to this integration, the lack of individual accountability was a key missing element in SIEM.”
About the PIM and SIEM Integration
In most large organizations, IT staff and the software that links computers, databases and applications all maintain access through privileged account credentials. Widely shared and seldom changed, these “super user” accounts grant access to read and alter sensitive data, change configuration settings and run programs everywhere on the network.
Because SIEM systems were not designed with privileged identities in mind, they have no way to tie security events that are triggered through use of these accounts with the individuals and processes responsible. This lack of visibility can leave IT staff with too little information to make informed decisions and the inability to differentiate between routine security events and potentially damaging – or even criminal – activity.
The integrations between ERPM and SIEM technology close this visibility gap by showing IT staff not only when and where critical events occurred, but also precisely who was responsible for any action that required the use of “super user” accounts. ERPM and leading SIEM solutions also work together to generate an audit trail to correlate the actions taken by privileged users with the security events that might result. By removing anonymity, the products introduce accountability for all users who access the organization’s most critical IT resources – revealing who had access to what systems and data, when and for what purpose.
The ERPM integrations with SIEM solutions are available immediately at no cost to supported customers. The company anticipates announcing additional integrations with SIEM systems in the near future.
Lieberman Software is exhibiting the latest version of ERPM in booth 529 at RSA Conference in San Francisco, CA this week.
About Lieberman Software Corporation
Lieberman Software provides privileged identity management and security management solutions that protect the multi-platform enterprise. By automating time-intensive IT administration tasks, Lieberman Software increases control over the computing infrastructure, reduces security vulnerabilities, improves productivity and helps ensure regulatory compliance. As Pioneers of Privileged Identity Management℠, Lieberman Software not only developed the first software solution to address this need, its products continue to lead the market in features and functionality. The company is headquartered in Los Angeles, CA with an office in Austin, TX. For more information, see www.liebsoft.com.
San Ramon, California – February 14, 2011 – DeviceLock, Inc., a worldwide leader in endpoint data leak prevention (DLP) software solutions, today announced that DeviceLock 7—the first version to extend its leading contextual controls to a wide breadth of network protocols and to expand its content filtering features for endpoint security—is production-ready and generally available for purchase.
The DeviceLock Endpoint DLP Suite addresses the needs of medium to large enterprises that require a simple and affordable approach to preventing unauthorized data loss from Microsoft Windows endpoints. DeviceLock 7’s core component exerts contextual control over local data channels on protected computers. These include all peripheral devices and ports, connected smartphones/PDAs, and even document printing locally or to the network. From familiar and centralized Microsoft Windows Active Directory Group Policy Objects (GPOs) and companion consoles, DeviceLock administrators can dynamically manage distributed agents that enforce centrally defined DLP policies that permit, mitigate or prohibit data flows based on user, data type, interface, flow direction, state of encryption, date and time, and other threshold criteria.
With the separately licensed NetworkLock component, contextual protocol control is extended to FTP/S, HTTP/S, SMTP/S, Telnet, instant messengers, webmail, and social networking applications such as Twitter, MySpace and Facebook. Another new module, ContentLock, enables the monitoring and filtering of files, communications, and other data objects based on content rules that leverage context, regular expressions, numerical conditioning and Boolean operators. Pre-configured templates for detecting common data patterns, sensitive keywords, document properties, file types, and more are included and simple to configure or copy to make customized rules. The complete package delivers an unprecedented level of functionality among endpoint DLP solutions in the same price range.
“Few enterprises have implemented DLP despite the fact that data security is a #1 concern. A 2010 Forrester study found that just 15% of the market has a solution in place. Cost and complexity are holding back the remainder. This release of DeviceLock breaks that log jam on both counts,” said David Matthiesen, Director of Sales for DeviceLock in the Americas. “DeviceLock 7 makes enterprise-class endpoint DLP practical for the mainstream corporate market and affordable for organizations of any size and budget. Its modular structure and licensing program make it convenient to step up from DeviceLock’s leading contextual control over peripheral PC ports and devices to add the equivalent controls over endpoint network communications. From there, you can easily add content filtering for the most sensitive or suspect data flows across any of these channels. Each step can be taken when it makes sense per compliance needs and within budget cycle constraints.”
Recognizing more than 80 data file formats and over 4,000 file types, ContentLock extracts and filters the content of data copied to removable drives and plug-n-play storage devices, as well as all shadowed printing operations and data that are transmitted over other input/output channels on endpoint computers. This includes endpoint IP protocols, network-aware applications, email, instant messengers, clipboard, and social media sites covered by NetworkLock if both modules are licensed and configured. A packaged file-archive handling feature provides further protection from leakage from compressed file archives. NetworkLock adds port-independent network protocol and application detection and filtering, message and session reconstruction with file, data, and parameter extraction, as well as event logging and full or conditional data shadowing.
In the same effective way that DeviceLock currently integrates with TrueCrypt, PGP, and other removable device encryption products, DeviceLock 7 supports the Windows 7 native data encryption solution for removable drives – BitLocker To Go™. DeviceLock customers can use Microsoft-backed data encryption technology with DeviceLock on their Windows 7 endpoints at no additional cost. As BitLocker To Go can be centrally managed via Microsoft Active Directory like DeviceLock, their combination delivers to customers all the capabilities of endpoint DLP with built-in removable media encryption, while offering both functional advantages and significant cost savings.
Content filtering brings new efficiency and scalability to DeviceLock’s data shadowing function across the spectrum of endpoint data and communication channels. Now customers can filter recorded data streams down to just those pieces of information meaningful to security auditing, incident investigations and forensic analysis before saving in the shadow log. This tremendously reduces storage space and network bandwidth requirements for shadow log collection back to the central database.
DeviceLock 7 is designed to seamlessly scale from small to large installations and simplify DLP deployment and management that is normally performed by in-house Windows administrators using available server and network resources. Customers can enhance their endpoint data security with content-aware and network control capabilities through the same well-proven MMC-style management interface instantly familiar to Windows security administrators. Most new users can learn and configure DeviceLock for the enterprise in just a few days. With DeviceLock Group Policy Manager, a custom-made MMC snap-in for Windows Group Policy Object Editors, DeviceLock’s transparent agents can be deployed, fully managed and maintained across the organization from within an existing Active Directory domain or forest. DeviceLock also supports LDAP, workgroup, and standalone Windows endpoint implementations.
About DeviceLock, Inc.
Since its inception in 1996 as SmartLine, DeviceLock, Inc. has been providing endpoint device control and data leak prevention software solutions to businesses of all sizes and industries. Protecting more than 4 million computers in more than 60,000 organizations worldwide, DeviceLock has a vast range of corporate customers including financial institutions, state and federal government agencies, classified military networks, healthcare providers, telecommunications companies, and educational institutions. DeviceLock, Inc. is an international organization with offices in San Ramon (California, US), London (UK), Ratingen (Germany), Moscow (Russia) and Milan (Italy).
I spoke at the Financial Planning Association’s annual meeting in Denver in October 2010 about information security. Below you’ll see a copy of my slides. I cover a lot of ground: protecting end points, antimalware, encryption, network security, wireless network security, regulatory compliance. I also end with my take on where the whole security thing is going.
