
    As CIO for the Williams Group, I think a lot about how to secure our information and intellectual property – and we clearly generate a ton of it.

    During a typical race weekend, our Formula One team generates about 60 gigabytes of telemetry and 80 gigabytes of additional data, a total of 140 GB that must be analyzed to inform every critical decision made throughout each practice session, qualifying, and the race on Sunday.

    That’s just the half of it.

    Throughout qualifying and races, our team also needs to relay that massive amount of data back to our UK headquarters in real time for analysis. All the while, our engineers working in the race pits are accessing streams of information on their laptops to make on-the-spot recommendations on the timing of pit stops, on fractional front- and rear-wing adjustments, and on the constant tuning of vehicle performance.

    So when I say that our company thrives on its intellectual property, this is far beyond a business truism: IP is our organization’s lifeblood, and it is behind our success in winning 16 Formula One championships.

    As we’ve digitized our operations, we now face escalating threats from cyber criminals. Each year, attackers show increased sophistication and skill in changing up their tactics. We know there’s a steep price to pay for failure. If any malicious outsiders were to get their hands on our car designs or any other of our IP, it would put Williams’ competitive advantage at dire risk.

    A breach would also risk dealing a blow to our reputation for safeguarding the closely held secrets of partners and customers who regularly share their intellectual property with us. In addition to our own Formula One race car division, our Williams Advanced Engineering group also works with a range of other industries.

    For instance, we partnered with Jaguar Land Rover to produce the Jaguar C-X75. Film-goers may recognize it as the vehicle used by one of the bad guys in the film ‘Spectre,’ chasing James Bond through the streets of Rome. We also do work in aerospace, medical sciences, defense and a range of other industries where partners rely on us to maintain a safe and secure supply chain and meet strict security requirements governing the handling of their most valuable information.

    Keeping Users Secure

    I often get asked what keeps me up at night. There's only one thing I really worry about: losing data. It’s what I hate the most.

    That job has become increasingly fraught given the multiplicity of digital endpoints that we now need to protect, and exacerbated by the fact that our teams are frequently on the road, where they connect via mobile devices in order to access Williams’ intellectual property. Roughly 60% of our workforce now regularly works away from the home office, and they need to be able to download data safely from anywhere in the world.

    Given the different types of data and intellectual property we’re regularly involved with, we put a premium on finding a way to ensure that our users remain secure, no matter where they work and no matter what networks they use.  

    In the past, we only had antivirus to protect the endpoints. There was no intrusion prevention or detection system at all. So last year, we partnered with Symantec to help us deal with these myriad endpoint security needs and fill the gaps in our network defense.

    Symantec’s breadth of intrusion prevention and detection technology made an immediate impact. Our first race of the 2016 season marked the first time that we had endpoints that I felt were fully protected. With Symantec Endpoint Protection and Endpoint Encryption, which were deployed at the same time, everyone on our team who went to Australia for that race had fully protected endpoints they could trust.

    Endpoint protection involves a lot more than just loading antivirus onto our systems. Here’s an example:

    One of our laptops was stolen during the Italian Grand Prix at Monza in September 2016. In the past, we would have had to escalate that kind of incident to the boardroom, since the theft of data kept on those machines could potentially compromise our IP. Not this time. Symantec’s technology completely enveloped all the data stored on the stolen device in a protective shield. The thieves had one of our machines in their possession, but they had no way to access what was inside. Symantec’s endpoint protection technology had made it impossible for outsiders to access any of our information.

    We’ve also extended Symantec Endpoint Protection to safeguard our virtual machines and cloud, where a lot of our intellectual property gets stored. That came in handy when attackers subsequently tried to hack into our cloud. Symantec Endpoint Protection detected the attempt and sent out an alert. The upshot: We foiled their attempt to access our data, bring down our systems or use them as bots, which is probably what they were trying to do.

    The partnership with Symantec has translated into a vastly improved risk management posture, which further enhances our reputation and enables us to give customers and partners even more confidence in our ability to protect their IP. Symantec has equipped Williams with the necessary tools and technology so that we can turn to our customers and assure them that, "Your data is safe with us."

    Learn more about how Symantec protects Williams on our dedicated microsite.



    CloudSOC Audit customers are already able to discover and rate over 22K cloud apps and services with the leading Cloud Access Security Broker (CASB) solution. And now, Symantec has added thousands of native mobile apps to its growing app library. Currently in beta, the full release will include tens of thousands of mobile apps – the largest overall database of cloud apps in the industry.

    [Figure: CloudSOC Audit dashboard showing the Mobile Trust Score (MTS) for a mobile app]

    Why Expand CASB to Embrace Mobile Apps? CASB 2.0! 

    With the proliferation of mobile cloud applications and the daily news of breaches and compromises of cloud applications, including native mobile apps, it becomes imperative that CASBs evolve to gain visibility and control over this growing threat vector.  

    CloudSOC is the industry's only CASB 2.0 solution designed so that you don’t have to create a separate security island in the cloud – it easily integrates with native Symantec products such as Data Loss Prevention (DLP), Web Security Service (WSS), ProxySG, Endpoint Protection and Access Control to extend your security investment beyond the network perimeter and ensure apps and data are secure regardless of user, device, location, app or data type.

    Adding mobile apps to CloudSOC Audit is the next step in the evolution of CASB 2.0 by bringing broad native app visibility and control into the CloudSOC security ecosystem. 

    [Figure: CloudSOC CASB 2.0]

    How it Works 

    CloudSOC Audit can now uncover native mobile apps by analyzing firewall and proxy logs, and provide deep insight into the risk posed by those apps. Much like the Business Readiness Rating (BRR) that Symantec currently calculates for each non-mobile app based on 120+ security attributes (SOC-2 compliance, encryption, MFA support, etc.), CloudSOC Audit provides a Mobile Trust Score for each mobile app based on its own, mobile-focused security criteria.


    Machine Learning Automatically Interprets Cloud App Traffic

    As departments adopt more cloud services to perform business critical activities, the Symantec cloud team is working hard to help IT organizations quickly extend their cloud monitoring and control capabilities to protect more cloud services.

    SuccessFactors, Google Hangouts, and Facebook Workplace are among the many new and enhanced services supported by CloudSOC to help organizations monitor and secure data and accounts in the cloud.  The CloudSOC data science team recently deployed a new machine learning system that can automatically learn to read cloud app traffic. Within weeks of being deployed, this new system has already added granular activity monitoring and control for over 30 new cloud apps to the CASB Gateway.

    The data science core in CloudSOC helps IT departments secure a constantly changing, vast landscape of cloud territory, providing intelligence to address cloud challenges, such as:  

    ● Cloud providers update and change their services without warning.

    ● End users regularly adopt new cloud apps without notifying IT.

    ● End users control what content they choose to upload and share—often without fully understanding the risks associated with what they do.

    ● Third parties opportunistically uncover confidential company data accidentally shared with the public.

    ● Cyber criminals target cloud accounts to access data, spread malware, or exfiltrate data.

    Organizations need deep visibility into real-time traffic: not just which apps users are accessing, but also what exactly users are doing with a cloud app. Getting to this level of granular and contextual knowledge is difficult. It requires a system with the ability to read the real meaning in volumes of traffic that uses obscure machine language identifiers to communicate with disparate systems. Additionally, this system must be adaptive, building on a foundation of knowledge from a continually learning system, because these machine language identifiers can be changed without notice or documentation at any time by third-party cloud service development teams.

    One of the ways CloudSOC tracks transactions with cloud apps (sanctioned and unsanctioned platforms, corporate and personal accounts) is through an inline gateway. The CloudSOC CASB Gateway relies on an artificial intelligence engine called StreamIQ to read the machine language in real time to identify and control risky behavior and confidential content between end users and cloud apps.   The CloudSOC data science team leverages the horsepower of cloud computing and both supervised and unsupervised machine learning to create StreamIQ. This intelligence system drives accurate and deep activity tracking for a broad and continually increasing range of cloud apps. StreamIQ intelligence also enables CloudSOC to detect more threats such as malicious insiders and abnormal behavior, enforce protection with a more granular level of control, and investigate security incidents more effectively.

    The latest enhancements to StreamIQ accelerate CloudSOC’s ability to learn to read new cloud service machine languages. After only one month of deployment, CloudSOC has already added granular visibility and control for more than 30 new apps. The CloudSOC CASB Gateway can monitor and enforce granular security controls on sanctioned and unsanctioned cloud apps and with the powerful StreamIQ system, it can easily learn new apps as they become important to our customers.     

    Learn more about CloudSOC here


    Disaster Response Policy helps Symantec act quickly when natural disasters occur

    The world has experienced a number of catastrophic weather events in recent weeks. We’ve seen the images of the destruction caused by recent hurricanes Harvey and Irma, and the devastating impact on the people of Texas, Florida, Belize, Nicaragua, Honduras, Cuba, and many islands in the Caribbean. In South Asia, monsoon season has been unusually harsh and the resulting floods across India, Bangladesh, and Nepal have claimed the lives of 1,200 people to date.

    Being a good corporate citizen is core to our company culture and each time a natural disaster occurs, our Corporate Responsibility (CR) team needs to decide how to respond – and must act quickly. Symantec has a formalized Disaster Response Policy to help us best respond to situations that necessitate external assistance. Our pre-determined and agreed upon approach allows our CR team to work quickly to put our response plan in place.

    Each disaster is evaluated on a case-by-case basis using a disaster response scorecard. We place an emphasis on those that occur close to one of our offices or those that impact our employees. We also look at the total number of people affected by a disaster and the financial impact expected to the government and affected communities. We keep close tabs on how our peers and similarly sized corporations are responding, as well as employee sentiment generated from the event.

    This process guides our CR team, and our goal is to respond within 72 hours, as we know early financial donations help provide food, water, and other desperately needed supplies. We have pre-vetted several national and global nonprofit partners, including CARE International, UNICEF and the Red Cross, and research locally focused relief organizations where appropriate.

    Once the scorecard is completed, a process flowchart helps our team respond. For all disasters that meet an aspect of our scorecard criteria, we monitor the situation through participation in U.S. Chamber of Commerce Business Civic Leadership Center calls, Red Cross email notifications, general media resources, and other nonprofit partner communications.

    For all incidents that score five points or higher, we post nonprofit information on our disaster response intranet and leverage our employee matching gift program. We match employee donations 1:1, up to $1,000 per year. For events that score more than ten points, we work with our Steering Committee, the Senior Site Executive in the region, and our Communications, Human Resources, and Business Continuity Management teams to determine the best course of action. We often consider a 2:1 employee match and provide employee assistance program information where appropriate.

    We typically make financial donations for disasters that score twenty points or more. For example, we offered financial support to relief efforts after Hurricane Harvey through our Disaster Response Strategy. As a company, Symantec made a donation of $25,000 to Team Rubicon, a nonprofit organization headquartered in Dallas, Texas, that mobilized military veterans with first responders to rapidly deploy emergency response teams to the flooded areas.

    Finally, we look for ways our software products and services can be of value. With any hurricane, monsoon, or event that occurs, we of course think first about the people impacted. Having our Disaster Policy in place allows us to help where, and as much as, we can, as quickly as possible. 


    Local Green Team supports Symantec's goal to reduce GHG emissions by 2025

    It started with a mug. The Cape Town, South Africa office connected with Symantec’s Green Team in 2015 when Symantec launched the "One Mug, One Planet" campaign to help reduce paper cup usage across operations by 15 percent. Inspired to minimize their impacts both inside and outside the office, the Cape Town office joined the campaign, making a commitment to use a reusable mug every day.

    Two years later, Cape Town has its own four-person Green Team, including Wade Corin, Director, Inside Sales; Shieraaz Williams, Facilities Manager; Pia De Freitas, Associate Manager, Inside Sales; and Clarissa De Agrela, Inside Sales / Site Coordinator. Working hand-in-hand with the Employee Resource Groups (ERG), including the Community Relations (CR) Committee, Events Committee, Intramural Sports Committee, and Symantec Women’s Action Network (SWAN), they support one another and help drive a certain culture within their location.

    Cape Town’s Green Team is focused on making a difference both in the office and within their local communities. With events held at least quarterly ranging from beach clean-ups to building vegetable gardens in low-income communities, the Cape Town Green Team is quite active. The group also organizes events to educate local youths on topics like Cyber Security and Greenhouse Gases and works to inspire these children and teenagers, showing them how they can make a difference in their own communities.


    The CR and SWAN committees drove the Veggie Garden Initiative in two of Cape Town’s in-need communities to support the local people living there and help teach them how to grow crops. The volunteer team, led by Natalie George, Yondela Nyongo, and Leeanne De Wit, cleaned up lots, built greenhouses, and planted vegetables, including spinach at three different garden events.

    For Shieraaz and Clarissa, joining the Green Team was a chance to not only make a difference in their communities, but to reduce our global carbon footprint. “I chose to join the Green Team as I feel that it is important to understand not only the Greenhouse gas (GHG) effect, but also how we as a Company can make changes, whether they be large or small, to have a positive effect and contribute to the survival of life on earth,” said Clarissa.

    In addition to working to help underprivileged communities, Symantec’s Green Team helps support our goal to reduce GHG emissions by thirty percent in ten years (FY15-FY25). In the office, the Green Team supports the local facilities team in identifying cost-cutting and energy reduction initiatives, using the latest technologies to help reduce the energy and carbon footprint. Due to these efforts, over the last two years the Cape Town office has introduced energy-saving controlled lighting, and is now going a step further with LED lighting solutions to reduce energy even further. The team has also adjusted the HVAC to switch off outside office hours and on weekends, and all water coolers are now timer controlled.


    On Mandela Day, Symantec’s Cape Town office volunteered with animal welfare charity, FALLEN ANGELS, and spent time caring for dogs at the rescue center.

    If you’re wondering about the first mug that started it all, after the success of "One Mug, One Planet", the Cape Town office has stopped using foam cups entirely. Symantec mugs and glassware are offered throughout the office helping the team reduce their waste and carbon footprint.

    Cape Town’s Green Team and ERGs will continue to work together to educate and bring awareness to the importance of reducing GHGs and making a difference in the world we live in today. Green Team member Wade Corin knows the importance of leading by example, saying, “Being socially responsible is everyone’s responsibility – If you are not willing to do it, how can you ask others?” As such, the office looks forward to participating in the second annual Global Service Week (GSW), October 9–15, 2017 and hopes you will too. In Cape Town, GSW will include volunteering with SolarBuddy, whose goal is to end the devastating cycle of energy poverty for marginalized communities across the world. Cape Town’s volunteers will build solar light bulbs, giving the gift of light to dozens of children living in energy poverty. They hope you will be inspired to share your gifts in-person or virtually this GSW.



    For more than a decade the National Association of State Chief Information Officers, better known as NASCIO, has polled its members to learn their priorities at that given point in time. It comes as little surprise that information security has made the published top 10 each year, but in recent years the subject has had a stranglehold on the top spot.

    This past November, security and risk management topped the list of state CIO priorities. It was the same the year before and will likely be the same next year. The reasoning is simple: for state technology leaders, like their colleagues in the federal government – not to mention the private, education and healthcare sectors – nothing is more important than information security.

    That is a running theme throughout the NASCIO list. State technology leaders want to increase their use of cloud services, modernize legacy systems and further leverage data management and analytics solutions. All of these initiatives require a robust security infrastructure to be successful.

    The Path Forward

    The cybersecurity maturity of state government agencies varies from state to state. Some states already have robust security systems in place and are focused more on integrating new tools, while others might house more risk than they are comfortable with.

    The best first step for any state government is to use the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to create a risk management plan. The NIST CSF will allow state governments to determine the gaps in their security coverage and prioritize their exposure. By using the NIST CSF, state governments can gain a full view of their enterprise and allocate future resources to the most sensitive of areas.

    For fixing these gaps, state governments should look to improve their overall security infrastructure, as opposed to finding a technology for one specific blind spot. By simply plugging in different cybersecurity solutions, state governments risk creating silos filled with further security gaps. State governments need end-to-end security solutions that protect data wherever it resides, solutions that are built to integrate with each other as well as with existing technologies.

    By pursuing a multi-layered approach that aligns perfectly with the NIST CSF, state agencies will have confidence that their cybersecurity program is, and will remain, effective.

    The NASCIO survey shows that state governments take security seriously – it is wonderful to see that security remains a top priority. The challenge will be for state governments to fix security holes in an efficient and effective way that does not create future problems. By laying a baseline through the NIST CSF and then factoring in an integrated defense platform, state government information and assets will be far better protected.

    We are going to be looking at key cyber priorities coming out of NASCIO as well as other emerging trends in the state and local market, while providing some commentary and recommendations. Stay tuned for additional blogs in this series.



    The new BlueBorne (https://www.armis.com/blueborne/) vulnerability should scare the security community because it is a non-traditional attack vector not addressed by conventional security solutions. Fortunately for Symantec customers, Symantec Endpoint Protection Mobile (SEP Mobile) is not a conventional solution and is agnostic to the attack vector.

    Bluetooth was once considered quite secure due to years of implementation peer review from researchers. Unfortunately, in the last ten years researchers turned their eyes elsewhere. During those ten years Bluetooth has been implemented in a plethora of new devices, operating systems, and frameworks. As a result, implementations have apparently lost some of that initial security focus, and vulnerabilities have unfortunately flown under the radar for too long.

    Enter BlueBorne, leveraging a newly discovered attack vector that puts an estimated eight billion devices worldwide (mobile, desktop, and IoT) with Bluetooth at risk of infection. BlueBorne exposes an extremely potent new attack vector that attackers will seek to leverage widely, mostly as a result of a few key traits:

    First, people’s systems almost always have Bluetooth turned on. And, perhaps unbeknownst to most, Bluetooth is always scanning the airwaves for devices looking to connect (even if you’ve never paired with them before). This means that BlueBorne is quite literally spreading through the airwaves undetected.

    Second, adding to its contagiousness is the fact that BlueBorne (via Bluetooth) is compatible with basically any and all software versions and doesn’t require any specific conditions beyond Bluetooth being active. It also doesn’t require any user interaction to infect the device.

    Third, once BlueBorne finds a device via Bluetooth, it can analyze the MAC address to determine the device’s operating system. Then it can deliver a payload tailored to that operating system. This makes it extremely adaptable.

    And, finally, as if being highly contagious and adaptable wasn’t enough, Bluetooth also has inherently high administrative permissions on devices. This means that when a device is infected, the attacker has virtually full control over the device and can accomplish any number of potent actions which include, but aren’t limited to, man-in-the-middle attacks and remote code execution.

    All in all, this is a nasty new threat vector that existing security solutions aren’t looking for. It can spread quickly, easily, stealthily, and lethally. And it will, of course, take time for Bluetooth to be patched across all eight billion devices. This will all make BlueBorne an extremely attractive medium for attackers for some time.

    How does it work?

    BlueBorne consists of four vulnerabilities affecting Android devices: one is an information leak vulnerability which helps to facilitate the next ones; two are vulnerabilities that allow remote code execution (RCE) as the Android Bluetooth user; the last one allows creating a network interface that device traffic will be routed through, similar to a man-in-the-middle (MiTM) hotspot.

    So, is there any good news? Yes, actually, there is! First, these vulnerabilities were patched in the Android OS in the security patch of September 2017, and Apple patched it in iOS 10. So, anyone can now update their operating system to protect themselves from this threat. Yet not everyone can or will, and what about protecting your device from these types of threats before they are disclosed and patched? That’s where SEP Mobile shines.

    Although most security solutions probably can’t stop BlueBorne from infecting a device today, SEP Mobile still has mechanisms to render it harmless by defeating the payload itself. SEP Mobile has several ways to handle this. Among other detections, SEP Mobile uses an advanced Indicators of Compromise (IoC) engine on every mobile device it monitors to identify exploits that are being used to gain control over the device in real time. This engine uses deep knowledge of each device system, how it should look and behave, and how proper apps and processes are supposed to interact with it. So, as soon as BlueBorne attempts to infiltrate a mobile device protected by SEP Mobile, we would flag that as malicious activity and activate the appropriate protections to keep the device and sensitive data safe. Other detections will alert and automatically protect if an attacker attempts to achieve network MiTM, regardless of the exploit. SEP Mobile now also explicitly alerts for systems that are vulnerable to CVE-2017-0783.

    Many of the methods used by SEP Mobile for predicting and detecting mobile threats are agnostic to the method, or vector, of the attack. It means that we don’t have to know (or try to predict) the signature of every threat or attack vector in existence. We can instead focus on stopping the malicious activities they will attempt. This is the beauty of a future-proofed mobile threat defense solution.

    In addition to being able to stop malicious payloads using this Bluetooth vulnerability, Symantec will continue to protect our customers’ mobile devices from many other exploits that are as yet unknown. It should give businesses peace of mind that their end users’ mobile devices will remain safe from today’s attacks, as well as those that will appear tomorrow.

    What to do now

    Always be sure to update your mobile device to the latest security patch as soon as possible. If you’d like to learn more about how SEP Mobile can protect your enterprise’s mobile devices, be sure to visit our website or drop us a line.
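    As an added example (not code from the original post or from SEP Mobile), here is a POSIX shell check a defender can run to classify an Android device's reported security patch level against the September 2017 fix level the post cites for the BlueBorne bugs (CVE-2017-0783 among them). It assumes Android exposes the patch level in the system property ro.build.version.security_patch as YYYY-MM-DD, that adb is on PATH for the live check, and the sample levels in the loop are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: classify an Android security
# patch level against the September 2017 patch level that the post says
# fixes the BlueBorne vulnerabilities (CVE-2017-0783 among them).
# Assumption: Android reports its patch level in the system property
# ro.build.version.security_patch as YYYY-MM-DD (absent on very old builds).

BLUEBORNE_FIX_LEVEL="2017-09-01"

# patch_level_as_int LEVEL
# Converts YYYY-MM-DD to the integer YYYYMMDD; prints nothing if malformed,
# which covers an empty or missing property.
patch_level_as_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s' "$1" | tr -d '-' ;;
        *)
            ;;
    esac
}

# blueborne_patch_status LEVEL
# Prints "patched" (exit 0), "vulnerable" (exit 1) or "unknown" (exit 2).
# "unknown" is deliberately not treated as patched: a device that cannot
# report a patch level should be investigated, not trusted.
blueborne_patch_status() {
    have=$(patch_level_as_int "$1")
    need=$(patch_level_as_int "$BLUEBORNE_FIX_LEVEL")
    if [ -z "$have" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$have" -lt "$need" ]; then
        echo "vulnerable"
        return 1
    fi
    echo "patched"
    return 0
}

# check_attached_device
# Reads the property from a USB-attached, authorised device via adb and
# classifies it. Carriage returns from adb's shell are stripped.
check_attached_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    printf 'security_patch=%s -> ' "${level:-<none>}"
    blueborne_patch_status "$level"
}

# Constructed sample levels (not read from real devices) showing each outcome.
for sample in 2017-08-05 2017-09-05 2018-01-05 ""; do
    printf 'sample %-10s -> ' "${sample:-<none>}"
    blueborne_patch_status "$sample" || true
done
```

Run check_attached_device with a device plugged in to classify it; the exit codes let the function drop straight into a fleet inventory script.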



    A few years ago, most businesses would have been right to wonder whether their digital work processes would ever be as easy to use as Facebook. But cloud technology has come a long way in a short time. 

    Cloud services are transforming internal business workloads and processes of countless companies and whole industries like retail, transportation, and even manufacturing. Organizations are able to choose among a variety of intuitive, cloud-based services to find the best fit.   

    The shared, on-demand nature of cloud computing also means that enterprises need to plan for a host of new security challenges. Fortunately, Symantec and other companies can help with products such as ProxySG, "ProxySG-as-a-Service" in the cloud (officially known as Web Security Service, or WSS), Cloud Access Security Brokers, and the single-sign-on features of our own Validation & Identity Protection service, Access Manager.

    However, we're always reaching for more. That's why the Research Lab continued tackling new challenges like insider threat detection, micro-segmentation, and micro-services, all from the perspective of the cloud. 

    Indeed, going back over a decade, we did some of the earliest work in the industry on constructs like “containers.” More recently, we published on “Security-as-a-Service for Microservices-Based Cloud Applications,” to guide administrators as they implemented permission controls around “principle of least privilege” policy enforcement for containers.

    The Research Lab has also applied machine learning to protect cloud-based services and combat insider threats. In fact, our first trial deployment, working with a company employing more than ten thousand cloud users, helped catch real insiders who were abusing the system.

    A Personal Kind of Cloud Security

    However, when I mull the future of security and the cloud, I see even bigger potential. Think about security delivered “from the cloud” as an always-on service, protecting users everywhere they go. 

    Let me offer an analogy. 

    The Internet surrounds us nearly everywhere we go. We’ve come to expect wireless and constant connections, anywhere, anytime. In similar fashion, security should envelop us wherever we go. 

    I like to envision it as an invisible body of armor, one that moves with us like a summer shirt, but more bulletproof than Kevlar, titanium or carbon fiber all combined. 

    Personal VPNs offer a bit of the “always on” protection that I’m describing. They ensure that computing devices are always connected to a safe data center, protected by a strongly encrypted pipe that lets you securely transmit communications, protected against any eavesdroppers who might be lurking. 

    That’s just a first step. With so many websites getting hacked, how can you even be sure that the websites you visit aren’t attacking you “through” that pipe? That’s where cloud-based services like WSS and Fireglass help.

    Such services can detect and block such attacks in real-time, including some never seen before. 

    Given that the countless mobile devices now joining the growing Internet of Things are truly “cloud-driven” things, building such powerful and flexible security into mobile devices is a crucial step. That’s why Symantec Labs was eager to help Symantec become among the first to leverage the ARM TrustZone technology that’s now built into billions of mobile devices.  

    It also explains why we’re still helping drive new standards for such authentication, safely and securely connecting people to their information in the cloud, perhaps even finally killing passwords in the process.  

    What’s more, it’s also part of the reason we are so excited about our more recent acquisition of Skycure, which makes a predictive threat detection platform for mobile devices.

    This is an idea that can’t come to fruition fast enough. Consider, for example, the practice of merchants and ad-networks invading our privacy to profile everyone. 

    Meanwhile, some governments are going so far as to attack our smartphones to gather information about the political leanings of their citizenry and unmask the anonymity of dissidents protesting against repressive regimes. 

    If ever there was a time we could use the powerful and flexible armor that I’m talking about, it’s now, both for individuals and for organizations. My hope is that this kind of security will be delivered from the cloud. 

    And soon. 

    We’re working hard on that.



    Speaking today before an audience at the Center for Cyber & Homeland Security (CCHS) at the George Washington University in D.C., Symantec CEO Greg Clark shared his perspectives and recommendations for strengthening America’s cyber defense. 

    More specifically, Clark addressed the defects in today’s model, whereby cyber criminals and malicious Nation States can easily discover which security products the U.S. government has purchased, then buy those very same products in order to study how to exploit them in cyberattacks. 

    Clark proposed the government work with trusted partners to develop mission-specific, custom security products that are protected from discovery and scrutiny by bad actors. In addition, Clark called for a major security research and development effort that would strengthen America’s cyber defenses while spurring innovations that also will benefit the private sector and society-at-large. 

    Clark outlined his recommendations today in an op-ed on thehill.com. You can read the full text here.


  • 09/20/17--12:36: HOLA is For All of Us
  • Symantec celebrates Hispanic culture and National Hispanic Heritage Month

    By Martina de la Torre, Director, Global Trade Compliance at Symantec

    In an increasingly connected world, cultivating a diverse and inclusive community that welcomes people from all cultures is critical to running a successful business. When people feel comfortable speaking up, there is more collaboration and innovation, faster solutions and delivery of our projects — and it is easier to implement change. We believe that when you give people equal opportunity, amazing things happen. That’s why Symantec has set a 2020 goal to increase the percentage of underrepresented minorities in the United States by 15 percent.

    But as a Hispanic woman in tech, I know our industry still has a lot of work to do when it comes to welcoming people from diverse communities. While the Hispanic population in the United States has reached 57 million[1] — making it the second largest population in the nation and the largest ethnic group — we hold only 7 percent of technology jobs. And despite Hispanics being considered some of the savviest and most frequent technology users, only 8 percent of computer science and engineering graduates are Hispanic, and of those only 12 percent go into technology jobs.

    This also means that Hispanics are missing out on economic opportunities. Jobs in computer sciences, including cyber security, cloud computing and mobile networks are growing 21 percent faster than the average for all occupations, according to the Bureau of Labor Statistics. And the tech industry is also missing out — on the skills and unique perspectives of the Hispanic community.

    Above: This August, HOLA’s work included hosting the Hispanic Foundation of Silicon Valley (HFSV), including Ron Gonzales, President and CEO of HFSV and former Mayor of San Jose (center, blue blazer). Cecily Joseph, Symantec’s VP of Corporate Responsibility, standing to the right of Ron, also attended the event.



    National Hispanic Heritage Month, which begins September 15, marks the anniversary of independence of five Latin American countries: Costa Rica, El Salvador, Guatemala, Honduras, and Nicaragua. Mexico and Chile celebrate their independence in September, the 16th and the 18th respectively. This special month reminds us both of the progress we’ve made to foster a more diverse and inclusive community here at Symantec, and the work that lies ahead.

    A network dedicated to Latino culture

    In 2009, Symantec founded the Hispanic Outreach, Leadership & Advancement group (HOLA), which represents our Employee Resource Group (ERG) for Latinos. What started as a series of events organized around Hispanic Heritage Month has evolved into a community that supports Hispanic employees in professional development as well as exposes other employees to the diverse Hispanic culture.

    Our primary goal is to engage internal and external stakeholders via our shared Hispanic culture. We’ve done this through a variety of initiatives, including a Professional Networking event, Internet safety programs at local schools and a Hispanic Heritage event.


    HOLA’s Hispanic Heritage event

    Closing the diversity gap in cyber security

    With my own children, nieces and nephews, I’ve seen first-hand a lack of opportunities to help them prepare for their careers. They do not have opportunities for internships, do not have mentors, and do not have networks to get interviews. Silicon Valley is a competitive place and our local youth have to compete with global talent. I want to see our youth grow up in an inclusive environment that nurtures diversity so that they will be able to realize their dreams and compete in our global economy.

    Recognizing that children are often inspired toward a particular career path at a young age, HOLA invites students from local schools to Symantec to show them the value of science and math and the opportunities such an education affords.

    Students from underserved areas come to Symantec to see what it's like to work in a tech or computer science career. We give them a tour of our offices, schedule workshops — the recording studio is always very popular — pair them with Hispanic employees at Symantec for lunch, and expose them to many roles and professional opportunities. The children benefit from seeing our employees, who may look like them, which we hope will leave a lasting impression. It’s our hope that such an experience can spark a lifetime of interest in STEM education and working in technology, and reinforce that education is key; it’s the way forward.


    The HOLA ERG at Symantec.

    HOLA is for all of us

    You don’t have to be Hispanic to join HOLA — everyone is welcome. We encourage employees of all backgrounds to join. In May, HOLA members participated in the 2017 Silicon Valley Latino Leadership Summit. Most recently, on August 10, we hosted an event for the Hispanic Foundation of Silicon Valley (HFSV). On October 5th we will celebrate Hispanic Heritage Month in Mountain View through a special event offering Hispanic desserts, music, and art.

    With operations in more than 35 countries, Symantec is a truly global company, with a diverse workforce and customer base. To us, diversity is more than just race, gender and ethnicity — it’s also about creating a workforce that embraces every culture, language, age, sexual orientation, disability, background and experience. Giving a voice to those differences is how we define inclusion. We know this is good for our team dynamics, and good for our business.

    [1] Krogstad, Jens Manuel, “10 facts for National Hispanic Heritage Month,” September 15, 2016 http://www.pewresearch.org/fact-tank/2016/09/15/facts-for-national-hispanic-heritage-month/



    Mankind has undergone a massive transformation over the last couple of millennia, yet for much of humanity, 10 simple rules handed down from on high are still pretty effective at producing worthy citizens and a civilized society. 

    This got me wondering if we could find Ten Commandments for data protection, and this is what I explore in this blog.

    As organizations continue to evolve through their own digital transformations, data security has become more complex. Good custodians of data are putting a number of elements in place to keep it safe. Excellent custodians of data are going even further and putting in place integrated systems that bring together technology, process and human behavior. So here are my 10 Commandments of Data Protection:

    1. Know your data

      If you can’t define what data is sensitive, then obviously you won’t be able to protect it! Ensuring you can identify all your sensitive data is achieved using the best that people and technology can offer. Certain data are easily defined, so technologies such as Data Loss Prevention or Cloud Access Security Brokers (CASB) do a great job of finding it - at rest, in motion or in the cloud. However, true enlightenment comes when you bring the power of people into the mix. Allow your data owners to also tag sensitive data and you have a complete way to classify data across its entire lifespan.

    2. Protect what’s rightfully yours - consistently

      Now that you have a comprehensive view of your sensitive data, make sure it’s kept safe. The best way to do this?  Encryption. Using data classification to determine the need for protection allows you to consistently apply the appropriate protection based on the level of sensitivity, saving you from “re-inventing the wheel” every time.

    3. Provide omnipresent protection

      Things are not always black and white so how can you apply protection in shades of grey? For example, it might be OK for someone to open a document, and even for them to edit it, but not to print a hard copy. Take encryption to the next level and incorporate Digital Rights Management to give you better flexibility and control.

    4. Give your cloud a silver lining

      The cloud represents the best, and worst, in humanity. It allows open collaboration and lets individuals demonstrate the generosity of the human spirit. But this generosity can lead to data being overly shared, and that’s where trust can be eroded. There is a better way. Protection that follows the data – even into the cloud – ensures that wherever, and with whomever, data resides, a generous spirit can always be a good thing.

    5. Don’t let just anyone unlock your secrets

      A decryption key, in the wrong hands, can be dangerous. How can you control who can access your data? Well, instead of just relying on the decryption key, why not embed a user’s identity into the process? And, if you add the third dimension of multi-factor authentication, you can be really confident that when a user opens a document, it really is them and not an impostor. This is how you start to reduce the risk of account takeovers.

    6. Keep an eye on your flock

      Just as a good shepherd has the ability to watch over his flock, you can keep an eye on all your data users – especially when they are not part of your organization and located on the other side of the world. 

      As users authenticate to access a document, you have a means of watching who is accessing what, from where. You can encourage good behaviors, and intervene before anyone strays too far from the right path. Help your users to respect sensitive data, and you’re well on the way to full protection.

    7. Control at the data level, for protection everywhere

      You no longer need to fear the unknown. Even if data has been scattered to the four winds, and is stored multiple times in the cloud, on a plethora of devices, across multiple countries and users, information centric security keeps it safe. For example, using identity-based authorization at the data level keeps you fully in control. You know that only the right people have access, and you can step up (or down) security by being context aware.  For example, if users are accessing data remotely, on unmanaged devices you would ask for additional levels of authentication.

    8. Develop the ability to revoke access to the data anytime

      What happens when people move on, take a new role or outside vendors change? Can you take back what you’ve given them? Well, now that you have the ability to track who is accessing what data, you can see when data is at risk of abuse. By using a cloud-hosted service that can both track and control access for users from inside and outside your organization, you have a system that delivers “actionable intelligence.” 

      If a user starts acting out of character (think along the lines of how credit card companies monitor for anomalous spending behavior to detect fraud), or no longer has a legitimate reason to hold that data, then you can limit or even remove their access. So while you can’t remotely delete a document (we haven’t yet found a way to deliver that miracle!), you can make that document unreadable by effectively locking it, and throwing away the key!
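      The following is an added example, not Symantec’s code or product, of the access model that commandments 5, 7 and 8 above describe (the same post appears below in Japanese and Chinese, and this one example serves all three versions). A document is encrypted under its own key, which is held only by a key service; the service releases the key to identities on the document’s reader list, steps up to multi-factor authentication when the request comes from an unmanaged device, and revokes access by destroying the key, which locks every copy of the ciphertext at once. All users, document ids and plaintext are constructed sample data, and the stream cipher is a stand-in for a real authenticated cipher.

```python
"""Added illustration, not Symantec's code, of the access model in commandments 5, 7
and 8: each document is encrypted under its own key, held only by a key service that
releases it to listed identities, steps up to multi-factor authentication from an
unmanaged device, and revokes access by destroying the key. All data is constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Caller is not on the reader list, or the key has been destroyed."""


class StepUpRequired(Exception):
    """Unmanaged device: a second authentication factor is needed first."""


@dataclass(frozen=True)
class AccessRequest:
    user: str
    document_id: str
    managed_device: bool
    mfa_passed: bool = False


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher (stdlib only); real systems use AES-GCM."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class KeyService:
    """Cloud-hosted key and policy store: ciphertext may be copied anywhere, but only
    this service can turn it back into plaintext, and only for authorized callers."""
    entries: dict = field(default_factory=dict)  # document_id -> (key, set of readers)
    audit: list = field(default_factory=list)    # (event, user, document_id)

    def protect(self, document_id: str, plaintext: bytes, readers: set) -> bytes:
        """Commandment 5: a fresh per-document key, bound to identities, not just a secret."""
        key = secrets.token_bytes(32)
        self.entries[document_id] = (key, set(readers))
        self.audit.append(("protect", "system", document_id))
        return keystream_xor(key, plaintext)

    def open(self, req: AccessRequest, ciphertext: bytes) -> bytes:
        """Commandments 5 and 7: identity, reader list and device context all have to pass."""
        entry = self.entries.get(req.document_id)
        if entry is None:
            self.audit.append(("denied-revoked", req.user, req.document_id))
            raise AccessDenied("key destroyed; the document is permanently unreadable")
        key, readers = entry
        if req.user not in readers:
            self.audit.append(("denied-identity", req.user, req.document_id))
            raise AccessDenied(f"{req.user} is not a reader of {req.document_id}")
        if not req.managed_device and not req.mfa_passed:
            self.audit.append(("step-up", req.user, req.document_id))
            raise StepUpRequired("unmanaged device: present a second factor")
        self.audit.append(("opened", req.user, req.document_id))
        return keystream_xor(key, ciphertext)

    def revoke(self, document_id: str) -> None:
        """Commandment 8: destroying the key locks every copy of the ciphertext at once."""
        self.entries.pop(document_id, None)
        self.audit.append(("revoke", "system", document_id))


def demo() -> dict:
    """Walk one constructed document through the policy and return each outcome."""
    service = KeyService()
    doc = "sample-doc-0042"  # constructed document id
    blob = service.protect(doc, b"quarterly forecast, draft 3", {"alice", "bob"})
    outcomes = {}
    outcomes["alice_managed"] = service.open(AccessRequest("alice", doc, True), blob).decode()
    # Same reader on an unmanaged device: policy demands a second factor, then succeeds.
    try:
        service.open(AccessRequest("alice", doc, False), blob)
    except StepUpRequired:
        outcomes["alice_unmanaged"] = "step-up required"
    outcomes["alice_unmanaged_mfa"] = service.open(
        AccessRequest("alice", doc, False, mfa_passed=True), blob).decode()
    # Holding a copy of the ciphertext is worthless without a listed identity.
    try:
        service.open(AccessRequest("mallory", doc, True, mfa_passed=True), blob)
    except AccessDenied:
        outcomes["mallory"] = "denied"
    # After revocation the copy alice read a moment ago is locked for everyone.
    service.revoke(doc)
    try:
        service.open(AccessRequest("alice", doc, True), blob)
    except AccessDenied:
        outcomes["alice_after_revoke"] = "denied"
    return outcomes
```

      Calling demo() returns the outcome of each step; the service’s audit list is the “watch over your flock” record of who asked for what, including the refusals.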

    9. Manage just the data that matters

      Here is the interesting conundrum. Not only do we have more data to protect, but the way we protect data creates even more data! A data-squared problem! How are we meant to monitor every single piece of sensitive data and understand whether it’s moving to the cloud or has been accessed by mobile users and devices? It’s impossible, so we need to focus on the alerts that really matter – but how do we know which those are?

      Take this example: if your systems are set to protect sensitive data that leaves the organization, then that data is safe and you do not need to do anything. But if your data protection systems work in isolation, they may generate multiple events, and that can quickly overwhelm your team.

      The intelligent integration of data protection systems solves this problem. We imagine a world where a Data Operations Center is established that collates information from various systems (e.g. DLP, CASB, information centric encryption, authentication etc.) to help you act on the events that matter, helping you separate the wheat from the chaff.

    10. Make threat protection personal

      Account takeover is a big problem: when a legitimate account is being controlled by a malicious actor, your security systems can be easily bypassed, because the attacker now has the key to your front door. 

      Monitoring not just who is accessing your data, but how they access it, unlocks tremendous insight. Being able to mine the data in your Data Operations Center and correlate it with user behavioral analytics will show where your risk lies. Not only can you find user accounts that may have been compromised, but also well-meaning users who are inadvertently putting your data at risk. The key is being able to act on this information quickly to contain the risk and even stop a breach before it happens. 

      Information Centric Security

      By following these 10 Commandments you take data protection to a higher plane. You get the best of technology and people, and allow people to share, support and encourage each other, while eliminating some major risk areas. We have based our whole information centric security approach around these tenets to ensure that you don’t stop the flow of information, but have the power to control with whom and how it is shared, allowing you to maintain both visibility AND control, even with outside users. Protection can be dynamic, as you can revoke access over time. We don’t want to flood you with data, so we use telemetry to rise above the flood and help you protect what matters, and smart analytics ensure you can take fast and decisive action before, or just after, a breach occurs.

      So, to recap, the data protection 10 commandments are:

      1. Know your data

      2. Protect what’s rightfully yours – consistently

      3. Provide omnipresent protection

      4. Give your cloud a silver lining

      5. Don’t let just anyone unlock your secrets

      6. Keep an eye on your flock

      7. Control at the data level, for protection everywhere

      8. Develop the ability to revoke access to the data anytime

      9. Manage just the data that matters

      10. Make threat protection personal

      If you want to find out more, watch my recent webinar HERE, where Heidi Shei (Forrester Research) discussed a number of data protection challenges and I demonstrated Symantec’s Information Centric Security approach.



    Overview

    The recent Equifax breach is an unfortunate example of a security risk that all companies handling sensitive customer information face. Details of the recent breach have been made available here. The attack vector at issue is a widely known vulnerability in the Apache Struts 2 framework, disclosed in early March, which drew the attention of many Web Application Firewall (WAF) vendors, including Symantec – see here. The specific payload does not matter when CVE-2017-5638 is used as the attack vector, as there are several proofs of concept (POCs) available and likely thousands of ways to exploit this vulnerability. In our original blog post, we used one of those POCs to showcase the strength of the Symantec WAF solution in blocking zero-day attacks.

    What can other companies learn from this? All companies that handle payment card information are subject to PCI DSS compliance. Requirement 6.6 of the PCI DSS specifically provides two ways to comply: (1) conduct a web application vulnerability security assessment, and/or (2) deploy a WAF in front of the web application. Deploying a WAF is the most flexible, least risky, and the most efficient method to achieve PCI DSS 6.6 compliance since conducting a vulnerability security assessment may be more resource intensive. This WAF approach also gives web application developers time to fix, patch and validate changes before deploying updates to application servers while still maintaining security controls during this highly vulnerable time. According to an article by IT World Canada, deploying the fix for the Apache Struts vulnerability can take months due to the significant effort and risk of rewriting parts of the software required as part of the update. This is where a WAF solution provides significant value by preventing attacks during the time application developers are updating vulnerable web applications in a test environment prior to deployment of such updates.

    Unfortunately, many administrators run WAFs in monitor-only mode because of common problems front-ending complex applications. Advanced features, such as a learning mode (Positive Security Model), can quickly make a WAF unmanageable if deployed in front of complex and continually changing web applications. WAF admins respond by switching the appliance into monitor-only mode or disabling security features. On the other hand, a Negative Security Model approach is a reactive control and cannot protect against many zero-day attacks. We believe in a different approach. The Symantec WAF solution tackles these problems by leveraging a unique Content Nature Detection strategy that identifies attacks such as CVE-2017-5638 without requiring a signature update, virtual patch, or learning mode. This technique is less prone to false positives for identifying vulnerabilities, and in this example provides zero-day attack protection without any configuration change on the WAF.

    Configuration

    We suggest the same mitigation techniques recommended in April’s blog:

    Symantec WAF customers were already protected before the Struts vulnerability was found, as described in our blog post here.

    Existing ProxySG customers who are not running WAF controls can deploy a virtual patch in policy for immediate protection. For example:

    ; ProxySG 6.5.x
    <proxy>
      request.header.Content-Type.substring="%{(#" force_exception(invalid_request)

    ; ProxySG 6.6+
    <proxy>
      http.request.normalization.default("urlDecode:(path),urlDecode:(header),urlDecode:urlDecode:htmlEntityDecode:(arg_name,arg)")
    <proxy>
      http.request[header].substring="%{(#" force_exception(invalid_request)
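    The following is an added example, not Symantec’s code and not ProxySG policy, that re-expresses the two virtual-patch rules above in Python so their difference can be checked against constructed request samples: the 6.5.x rule inspects the Content-Type header as received, while the 6.6+ rule URL-decodes header values once (the urlDecode:(header) normalization) and then inspects every header. The “%{(#” marker is the only value taken from the post; the request lines, host names and the header text after the marker are constructed placeholders, not a working payload.

```python
"""Added illustration (not Symantec's code or ProxySG policy): the two virtual patches
from the post as plain functions, run over constructed HTTP requests. "block" stands for
force_exception(invalid_request); only the "%{(#" marker is taken from the post."""
from urllib.parse import unquote

MARKER = "%{(#"  # OGNL expression prefix the post's policy matches on


def parse_request(raw: str) -> tuple:
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict).
    Repeated headers are joined with ", " as RFC 7230 permits; malformed lines are skipped
    rather than aborting, so a rule never fails open on a bad line."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return request_line, headers


def rule_proxysg_65(headers: dict) -> bool:
    """6.5.x policy: request.header.Content-Type.substring="%{(#".
    Only Content-Type is examined, and its value is matched exactly as received."""
    return MARKER in headers.get("content-type", "")


def rule_proxysg_66(headers: dict) -> bool:
    """6.6+ policy: urlDecode:(header) normalization, then http.request[header].substring="%{(#".
    Every header is examined after one pass of URL decoding."""
    return any(MARKER in unquote(value) for value in headers.values())


def inspect(raw: str) -> dict:
    """Verdict of each rule for one request."""
    _, headers = parse_request(raw)
    return {
        "6.5.x": "block" if rule_proxysg_65(headers) else "allow",
        "6.6+": "block" if rule_proxysg_66(headers) else "allow",
    }


# Constructed sample traffic. Everything after the marker is a placeholder, not a payload.
SAMPLES = {
    "benign upload": (
        "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
        "Content-Type: multipart/form-data; boundary=----sample-boundary\r\n\r\n"
    ),
    "marker in Content-Type": (
        "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
        "Content-Type: %{(#placeholder)}\r\n\r\n"
    ),
    "marker in another header": (
        "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
        "Content-Type: multipart/form-data\r\nX-Sample-Header: %{(#placeholder)}\r\n\r\n"
    ),
    "percent-encoded marker": (
        "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
        "Content-Type: %25%7B%28%23placeholder\r\n\r\n"
    ),
}


def run_samples() -> dict:
    """Run both rules over every sample; the last two cases show where the rules differ."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(f"{name:26} 6.5.x={verdicts['6.5.x']:5} 6.6+={verdicts['6.6+']}")
```

    The last two samples are the ones on which the two policies disagree: the 6.6+ rule’s header-wide coverage and its decoding step are exactly what the extra configuration lines buy.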

    Defense in depth

    Even though the Symantec ProxySG WAF provides protection for this CVE, it is important to employ a defense-in-depth strategy and deploy multiple layers of security. If any specific layer is breached there are other layers providing complementary protection, making it extremely difficult for attackers. Symantec offers two additional layers of protection, providing a three-tier comprehensive defense in depth solution.

    Symantec Cloud Data Protection Integration

    The Symantec Cloud Data Protection (CDP) product integrates with the ProxySG WAF and is used to encrypt sensitive information that is typically stored in backend databases. Using a third-party Hardware Security Module (HSM), the encryption keys are stored securely and are used to encrypt and decrypt the data in real time as it is accessed from the database. Using the CDP Policy Builder, the administrator can quickly and easily identify the sensitive fields in their custom web application and define an encryption policy for those fields. This additional layer of security provides protection in the event an attacker bypasses the network defense layer and lands an exploit on an internal system that has access to the database: the contents are encrypted and therefore unusable by the attacker.  

    Symantec Data Loss Prevention

    Symantec also offers the leading DLP solution on the market and this is used for an additional layer of defense. Integrating DLP with the ProxySG WAF allows all data leaving the application to be scanned for violations and anomalies. If an attacker is somehow successful in breaching the WAF and exploiting the Cloud Data Protection encryption, they must also successfully extract the data and evade the DLP policy that is scanning all traffic leaving the application to succeed in an attack.


    Humanity has undergone enormous change over the past few millennia, yet the essence of human nature has not changed much. To produce a civilized society and good citizens, the ten simple commandments once handed down from heaven remain effective even today.

    That got me thinking: couldn’t we come up with “Ten Commandments” for data protection as well? That is the theme of this blog post.

    As the digital revolution advances, data security keeps growing more complex. Organizations that take proper data stewardship seriously have adopted and implemented many of the measures needed to protect data. Those aiming for excellent data stewardship go further, operating integrated systems that combine technology, process and human behavior. With that in mind, here are the “Ten Commandments of Data Protection” I have come up with.

    1. Understand your data

      If you cannot determine which data is sensitive, data protection cannot even begin. Identifying every piece of sensitive data without fail takes the combined efforts of people and technology. Some data is easy to define, so with technologies such as Data Loss Prevention (DLP) and Cloud Access Security Brokers (CASB) you can reliably identify it whether it is at rest, in motion or in the cloud. True understanding, however, requires mobilizing the power of people. If data owners also tag sensitive data, you can classify data reliably across its entire lifespan.

    2. Consistently protect only the data that needs it

      Once you have a comprehensive picture of your sensitive data, the next step is to keep it safe. The best approach is encryption. If you classify data and decide its need for protection in advance, you can consistently apply protection appropriate to its sensitivity level, sparing you the waste of “repeating the same fixed procedure every time.”

    3. Apply protection everywhere

      Things are not always black and white. So how should you protect the grey areas in between? For example, you may be able to let certain users open a document and even edit it, but not want to let them print it. Take encryption to the next level and introduce digital rights management, and you gain flexibility and control.

    4. Make the most of the cloud’s bright side

      The cloud brings out both the best and the worst of human nature. Individuals can show a spirit of generosity in open collaboration, but when that generosity backfires and data is shared too widely, trust can collapse. The remedy is to protect data thoroughly, all the way into the cloud. Then, wherever the data is and whoever holds it, that generous spirit only ever works for good.

    5. Limit who can unlock your secrets

      A decryption key becomes dangerous once it falls into malicious hands. How can you control which users can access your data? Rather than relying on the decryption key alone, you can build the user’s identity into the process as well. Add multi-factor authentication as a third dimension and you can be far more confident that the user who opened a document really is that person and not an impostor. This also lays the groundwork for preventing account takeovers.

    6. Keep a watchful eye

      Just as a good shepherd has the ability to watch over every member of the flock, you need to keep an eye on all of your data users, all the more so when they are outsiders or located far away.

      Authenticating users who access documents gives you a means of monitoring who is accessing which data from where. You can set out standards of behavior and intervene before anyone takes a wrong step. Build an environment where sensitive data is treated with due respect, and you will be well on the way to complete protection.

    7. Control at the data level to achieve protection everywhere

      You no longer need to fear the unknown. Even if data is scattered in every direction and stored many times over in the cloud, on countless devices and in the hands of multiple countries and users, information-centric security keeps it safe. For example, identity-based authorization at the data level lets you retain full control. Only the right users hold the intended access rights, and you can step security up (or down) according to the situation. If a user is accessing data remotely from an unmanaged device, for instance, you can raise the level of authentication required.

    8. Be ready to revoke access to data at any time

      What do you do when a user moves on, transfers to a new role, or an outside vendor changes? Can you take back the information you have provided up to now? Once you can track who is accessing data, you can see when data is at risk of misuse. A system built on a cloud-hosted service that tracks and controls user access, whether from inside or outside the company, delivers “actionable intelligence.”

      If a user starts behaving out of character (credit card companies, too, monitor for anomalous spending to detect fraud), or no longer has a legitimate reason to hold the data, you can restrict that user’s access or remove it entirely. So even though you cannot delete a document remotely (no one has found a way to work that miracle yet), you can render it unreadable by locking it and destroying the key.

    9. Manage only the data that truly matters

      Here is an ironic problem. Not only does the data we must protect keep growing, but the way we protect it generates even more data. Data begetting data: call it a compounding effect. Monitoring every last piece of sensitive data and keeping complete track of whether it is moving to the cloud or has been accessed by mobile users and devices is impossible, so we have to narrow our focus to the data that truly matters. The question is how to tell it apart.

      Consider this example. If your systems are configured to protect sensitive data leaving the company, that data is safe and nothing needs to be done. But if those data protection systems operate in isolation, they generate event after event and quickly exceed what your team can handle.

      The solution is the intelligent integration of data protection systems. Imagine a world with an established Data Operations Center that correlates information from various systems (DLP, CASB, information-centric encryption, authentication and so on). You can confine your response to the events that truly matter, making it easier to separate the meaningful from the meaningless.

    10. Stop threats at the level of the individual account

      Account takeover is a major problem. If a legitimate account is controlled by a malicious criminal, your security systems are breached head-on, in plain sight, because the attacker now effectively holds the key to your front door.

      Monitoring not just which users access your data but how they access it yields major clues. If you can mine the data in your Data Operations Center and correlate it with user behavior analytics, you can pinpoint where risk arises. Besides finding user accounts that have actually been taken over, you should also be able to identify well-meaning users who are inadvertently putting data at risk. In short, you can act on that information to contain risk early and, in some cases, stop the breach itself.

      Information-centric security

      Follow these “Ten Commandments” and you can raise the level of your data protection. You mobilize technology and people, who can share information, support and help one another, while some major risks are reduced. Symantec is advancing its information-centric approach on the basis of these principles. The goal is to keep information flowing while keeping control over with whom and how it is shared, achieving both visibility and control even with outside users. Because access rights can be revoked at any time, protection becomes dynamic. Users being swamped by a flood of information would defeat the purpose, so Symantec uses telemetry to rise above that flood and protect only the data that truly matters. Smart analytics, meanwhile, let you take fast and decisive action before a breach occurs or immediately after.

      To recap, then, the Ten Commandments of Data Protection are:

      1. Understand your data

      2. Consistently protect only the data that needs it

      3. Apply protection everywhere

      4. Make the most of the cloud’s bright side

      5. Limit who can unlock your secrets

      6. Keep a watchful eye

      7. Control at the data level to achieve protection everywhere

      8. Be ready to revoke access to data at any time

      9. Manage only the data that truly matters

      10. Stop threats at the level of the individual account

      If you would like more information, watch my recent webinar here, in which Heidi Shei (Forrester Research) discusses many data protection challenges and I demonstrate Symantec’s Information Centric Security approach.

    [Reference translation]

    * To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

    * For security information specific to Japan, also see the Symantec Business Security Station at https://business-security-station.com/securityinfo/?utm_source=symcom&utm_medium=owned&utm_campaign=rblog.


  • 09/24/17--19:00: Ten Rules of Data Protection

    Humankind has undergone enormous change over the past few thousand years, yet for human society, ten simple rules handed down from the past remain highly effective at ensuring a prosperous nation and a strong people.

    This made me wonder whether we could find ten rules for data protection, and that is what we explore in this blog post.

    As companies keep evolving through digital transformation, data security has become more complex. Responsible data custodians have begun integrating many relevant elements to keep data safe, while excellent data custodians go further and build integrated systems that combine technology, process and human behavior. Here are the ten rules of data protection:

    1. Know your data

      If you cannot determine which data is sensitive, you obviously cannot protect it! Make the fullest use of people and technology to ensure you can identify all sensitive data. Some data is easy to define, so technologies such as data loss prevention or cloud access security brokers (CASB) do a good job of finding it, whether it is at rest, in motion or in the cloud. Only once the human element is brought in, however, does everything truly fall into place. Letting data owners also tag sensitive data means you can classify data across its entire lifecycle.

    2. Consistently protect the data that is yours

      Now that you have a complete understanding of your sensitive data, the next step is to keep it safe. The best way? Encryption. Use data classification to determine the need for protection, so that you can apply the appropriate protection based on sensitivity level and avoid “retreading the same ground” every time.

    3. Provide protection everywhere

      Not everything is black and white, so how do you enforce protection in the grey areas? For example, some people may be allowed to open a document, or even edit it, but not to print it. Upgrade your encryption and integrate digital rights management to gain greater flexibility and control.

    4. Give the cloud a ray of hope

      The cloud represents the best and the worst of human society. It lets people collaborate openly and shows the generosity of the human spirit. But that generosity can lead to data being over-shared, damaging trust between people. There is a better way: data-based protection, which ensures that even in the cloud, wherever the data is and whoever holds it, a generous spirit is always a good thing.

    5. Don’t let just anyone unlock your secrets

      A decryption key that falls into the wrong hands is extremely dangerous. How do you control who can access your data? Rather than relying only on the decryption key, embed the user’s identity into the process. Furthermore, if you add the third dimension of multi-factor authentication, you can be confident that the person opening the document is the user and not a fraudster. This is how you reduce the risk of account takeover.

    6. Keep a close eye on your data users

      Just as a good shepherd can always look after his flock, you too can keep a close eye on all of your data users, especially those who are not part of your organization and are located on the other side of the world.

      Because users must be authorized before they can access a document, you can see who is accessing what data, and from where. You can encourage good behavior and intervene before users stray from the right path. Get users to respect sensitive data and you are not far from complete protection.

    7. Control at the data layer for comprehensive protection

      You no longer need to fear the unknown. Even if data is scattered in all directions, stored many times in the cloud and on all kinds of devices, or passes through multiple countries and users, Information Centric Security keeps it safe. For example, use identity-based authorization to stay in control. You know that only the right users have access, and you can strengthen or relax security through context awareness. For instance, if a user accesses data remotely from an unmanaged device, you would require an additional level of authentication.

    8. Develop the ability to revoke data access at any time

      What happens when a user leaves, takes on a new role, or an outside vendor changes? Can you take back the data you gave them? You can now track who is accessing which data and see when data is at risk of misuse. By using a cloud-hosted service, you can track and control the access of users inside and outside the company, giving you a system that delivers “actionable intelligence.”

      If a user behaves abnormally (think of how credit card companies monitor anomalous spending behavior to detect fraud), or no longer has a legitimate reason to retain the data, you can restrict or remove that user’s access rights. So although you cannot delete a document remotely (we have not yet found a way to perform that miracle!), you can effectively lock it and throw away the key, rendering the document unreadable.

    9. Manage only the data that matters

      Here is an interesting conundrum. We have more data to protect, but the way we protect data creates even more data! It is a problem of data growing squared! How can we monitor every piece of sensitive data and know whether it has moved to the cloud or been accessed by mobile users and devices? It cannot be done, so we need to focus on the alerts that truly matter. But how do we spot those alerts?

      For example: if your systems protect sensitive data leaving the company, then the data is safe and you need do nothing more. But if your data protection systems work in isolation, they may generate multiple events and quickly overwhelm your team.

      Intelligent integration of data protection systems solves this problem. We envision a world in which a Data Operations Center is established to collate information from different systems (such as DLP, CASB, information-centric encryption and authentication), helping you act on the events that matter and helping you set priorities.

    10. Make threat protection targeted

      Account takeover is a big problem. When a legitimate user account is controlled by a malicious user, your troubles begin: the attacker has the key to your front door and can easily bypass your security systems.

      Monitor not only who accesses your data but how they access it; only then can you see the finest details. Being able to mine the data in the Data Operations Center and correlate it with user behavior analytics reveals where your risk lies. You can find not only user accounts that may have been compromised, but also well-meaning users who inadvertently put your data at risk. Most critical is the ability to respond to this information quickly, containing the risk or stopping it before it materializes.

      Information Centric Security

      By following these ten rules, you can raise data protection to a higher level. You make full use of technology and people, allowing people to share, support and encourage one another while eliminating some major risk areas. We have built our information-centric security strategy on these principles to ensure that you do not impede the flow of information, yet retain the power to control with whom and how data is shared, so that you keep both visibility and control over users, even outside users. You can revoke access, so protection can be dynamic. We do not want the flood of data to affect you, so we use telemetry to overcome the flood and help you protect the data that matters. We use smart analytics to ensure you can act quickly and decisively, or immediately after an intrusion occurs.

      In summary, the ten rules of data protection are:

      1. Know your data

      2. Consistently protect the data that is yours

      3. Provide protection everywhere

      4. Give the cloud a ray of hope

      5. Don’t let just anyone unlock your secrets

      6. Keep a close eye on your data users

      7. Control at the data layer for comprehensive protection

      8. Develop the ability to revoke data access at any time

      9. Manage only the data that matters

      10. Make threat protection targeted

      If you would like more information, click here to watch my recent webinar, in which Heidi Shei of Forrester Research discussed many data protection challenges and I demonstrated Symantec’s Information Centric Security approach.


  • 09/26/17--06:44: Identity Safe in the Storm

    Posted by Eva Velasquez, CEO, Identity Theft Resource Center

    There are a lot of safety considerations that anyone in the path of a natural disaster must make. Do you evacuate, or shelter in place? Is your residence strong enough to withstand a storm, flood, or wildfire? Will you have enough food, water, and prescription medication for the days and weeks afterward? Will you survive without basic utilities after the event, and for how long?

    With the gravity of those questions looming in people’s minds, staying safe from scams, fraud, and identity theft associated with a natural disaster might seem like a secondary consideration. But think of it this way: your home and your possessions will one day be replaced in some form, but the effects of identity theft and fraud can linger for months or even years.

    There are some very important steps that citizens can take—before, during, and after the event—that can help reduce their risk of this type of crime. Some of it involves nothing more than a little foresight and preparedness, but all of it centers on being mindful of the importance of your identity.

    BEFORE

    Secure Important Documents– Some disasters strike with weeks of notice, while others only give you seconds to take action. Before even the slightest hint of danger heading your way, you can secure all of your important documents in a water-tight container, fire-proof safe, or other strong box. It will help protect it from any elements of the event, as well as serve as a go-to location in case you have to evacuate. Your Social Security card, family birth certificates, marriage certificate, immigration papers, a digital copy of your medical records or prescriptions, even mementos like your grandmother’s wedding band or your class ring can be tucked away for safe keeping.

    Should you have to evacuate, everything you might need is in one handy container that can be loaded with your other vital belongings.

    DURING

    Learn What Information You Need– In a disaster and in the hours afterward, you might have immediate, crisis-level needs for food, medical care, and shelter. Rest assured that FEMA and other disaster relief agencies are equipped to help you, even if you cannot prove who you are. You will not be required to turn over your Social Security card to receive health care, for example, as the US does not have a centralized medical record database. Eventually, your health insurance or Medicaid/Medicare card will be necessary, but at the moment of the actual event, hospitals and medical centers will treat patients on a triage basis, regardless of their identities or proof of insurance.

    AFTER

    Watch Out For Scammers– In many ways, the days and weeks after the event can be even scarier than the disaster itself, and certainly fraught with more heartache and frustration. This is the time when individuals’ needs are met on a triage basis, and when the bureaucracy of rebuilding your life can start.

    Unfortunately, it’s also the time when identity thieves and scammers come out in full force, ready to take advantage of your situation and turn your loss into their gain. Scams can encompass everything from charitable giving to home repair. The people who are claiming to help you are good at what they do and can be very convincing. That’s why it’s important to secure your money and your information.

    It’s tempting to do whatever the other person says if it sounds like your life will get back to normal, but you have to protect yourself from even further harm. Never turn over your personal identifiable information to anyone who claims to need it for “verification” purposes. If you need repairs, never make payments up front for any work and always get a price quote in writing before allowing someone to begin work. Finally, be aware of the potential for scams in the long term, including email offers, phone scams from fake insurance representatives, and more.

    By following just a few simple steps, you can help minimize your risk of identity theft before, during or even after a natural disaster strikes. LifeLock, a Symantec company, proudly provides financial support to the Identity Theft Resource Center.



    It’s a simple message that somehow still gets lost in transmission: enterprise employees who use unsecured Wi-Fi are asking for trouble.

    As much as they try, though, security executives find that their warnings all too often fall on deaf ears. With the proliferation of easy-to-access hot spots, everywhere from local coffee shops to airports and even national parks, employees often choose convenience over security when they work out of the office, forgetting that malicious hackers are lying in wait.

    Unsuspecting users are then vulnerable to having their information stolen in any number of ways. Besides the risk of losing IP or other valuable data in a breach, employees may expose corporate login credentials that give attackers access to the company network.

    So, what should CIOs and other enterprise security practitioners be doing to mitigate the problem? We turned to Symantec CIO Sheila Jordan for some answers.

    Q: What are the dangers of employees using unsecured public Wi-Fi?

    Sheila Jordan: There are three big buckets to protect IT infrastructure in any corporation: No. 1 are the network and the data centers, where all data traverses, flowing in and out. It's the highway of the company. No. 2: the applications, be it Office 365, SFDC (SaaS applications) or ERP (enterprise resource planning) on-premises. And finally No. 3, devices—and that means all devices—laptops/PCs, tablets, mobile phones and now the Internet of Things (IoT).

    The variation of devices combined with a global employee workforce working from wherever they are makes one think that “work” has become a verb, not a noun. You “work” wherever you are: in a Starbucks, an airport, or even in the air. What makes this a bit daunting is companies have an obligation to secure your environment as you work, wherever you are.

    Q: What type of critters are employees dragging into the corporate network on their mobile gadgets? More importantly, how do you stop the security threats they entail?

    Sheila Jordan: You know, they're probably picking up something feral: last year alone, Symantec’s researchers discovered more than 600 new vulnerabilities on iOS and Android operating systems. Mobile malware detections doubled to a total of 18.4 million. (See Symantec's ISTR report.) In a recent survey, 55% of IT professionals blamed “bring-your-own-device” (BYOD) for a rise in insider attacks over the past year, and 51% pointed to BYOD as being behind data leaving the network perimeter via mobile devices and web access. It's not hard to see why it's happening: employees are working anywhere and everywhere on whatever public, probably unsecured, Wi-Fi hotspots they find.

    Businesses have spent years repeating warnings about this, but they could turn blue in their corporate faces before it changed anything. Too many business employees simply continue to use unprotected public Wi-Fi to do their work. It leaves them vulnerable to fake Wi-Fi hotspots, to wireless sniffers, to the danger of lost (and all too often unencrypted) devices, and even to having their login credentials shoulder-surfed away.

    Q: What do businesses have to do to protect themselves?

    Sheila Jordan: What must happen is you have to decide if you want BYOD devices in your organization. It comes with a huge burden for the IT organization to support multiple versions of operating systems and applications. We offer employees a selection of corporate-owned laptops. This way we control the image to ensure it meets all security credentials. You can't buy any old laptop you want, plug it in and have it potentially infect our entire corporate network.

    In reality, I think of ideal security as layers – security to protect the device and security to protect the data on the device. You need to secure the right data at the right level. The good news is Symantec offers many products that secure the mobile device such as SEP Mobile (Symantec endpoint protection). As employees bring in new mobile devices, we need to balance corporate information security with employee productivity. The icing on the cake for us is that our security products are becoming less intrusive and security is happening 24/7 and behind the scenes, seamless to the end user.  

    Q: Are employees oblivious to the threats involved in unprotected hotspots?

    Sheila Jordan: I don't think they're oblivious. It's a joint responsibility. The company has to secure data on the devices. We also have a responsibility to be sure employees understand what they can and can't do on the corporate network—and on public networks. Training is important as it all comes down to employee compliance. The people-factor is often the weakest link in any security program. However, I do think that if we do our jobs right, with the right technology and sound change management process, compliance only gets better.

    Q: What's an example of handling change management well?

    Sheila Jordan: Many complaints we get are from engineers who don't want us to negatively affect their productivity. It's always a balance of making sure they can do their jobs but that they are working in a secure manner in a secure environment. One area where we have seen tremendous change is how and where people want to code. Software engineers are very active, brilliant people who want to tackle innovation when it sparks. This means we need to provide our engineering teams with secure environments that can be accessed from the office, home office or on the go. To support this change, however, we as IT organizations have had to revisit how we secure our mobile devices and their work by implementing policies, mobile security products, securing connections through VPN and two-factor authentication (2FA), such as Symantec VIP.

    Proper change management is a key tool that ensures a corporation can adapt to a global environment that is constantly changing around them without descending into chaos while effectively tending to the balance between productivity and security.

    Q: Any other advice for businesses grappling with this problem?

    Sheila Jordan: At many companies, especially those that have been around 50, 60, or 70 years, there are a lot of legacy applications and technology. The IT organization is funded to keep the business running. To unhook several servers and apps takes money and effort. Often, IT organizations don't get funded to do that.

    This legacy environment becomes a breeding ground for bad guys. What better place to sit and observe the organization? My advice: go clean up that environment. Most breaches we've seen have some part of that legacy problem in the issue. As the global environment changes, legacy environments often don’t provide the security that today’s capabilities command, such as supporting secured remote worker programs.

    In addition, I would suggest a very rigorous and disciplined process around patching, scanning and access monitoring. Normally there is a lot of change introduced into the overall IT architecture and the CIO/CISO needs to ensure good hygiene.


    And What’s Likely to Happen if your Business is not Compliant

    Symantec recently hosted a live panel to help organisations get ready for the imminent GDPR. With contributions from White & Case, Mandiant, Commvault and Symantec, one issue rang out particularly strongly to me: is GDPR a ‘cliff edge’ issue?

    We polled over 1,000 participants, only 19% of whom said they feel ready for GDPR – a figure that might decline when more granular conversations about the ins and outs of information risk and mapping begin. 

    So how do the majority of respondents feel who say they are either not ready for, or are not sure if they are ready for GDPR? Concerned.

    The main issue surrounds the fines that could be imposed for non-compliance: the worst infractions could mean a whopping €20 million or 4% of your organisation’s global annual turnover.[1] It is this spectre that got me thinking… With the GDPR coming into force imminently, many organisations will be wondering whether, should they be hit with a large fine, it could send their business off a cliff.

    Our panellists felt that even if hefty fines are levied as a result of compliance violations, the ultimate objective is to see organisations putting consumers and citizens first, chiefly through greater transparency into the use and, should it happen, the loss or misuse of their personal or sensitive data.  While enforcement motivations and attitudes will vary between authorities across the EU, the ICO recently made a statement elaborating the position of British authorities with regards to fines.

    Therefore, if your organisation can demonstrate that it has taken measures to increase transparency and to improve how it collects, processes and protects data, those measures can help mitigate the consequences of a breach or violation, including whether your business is issued a sizeable fine. That’s not to say that regulators will do nothing if you are found to be in violation of the GDPR on May 25th 2018. So make sure you meticulously document the progress you have made to support compliance and the work you still have to do, along with a timetable and investment plan.

    You cannot ignore GDPR. Organisations are obliged to report data breaches to the Data Protection Authority (DPA), without undue delay, and at the least within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals.

    Ensure that you have the right technology in place to encrypt all personal data. Encryption is a mitigating factor both for your notification obligations and for potential sanctions: personal data that is encrypted is effectively unusable by attackers if it is exfiltrated.

    Ensure, too, that you have the right technology in place to quickly identify a breach and to assess its nature and impact. Refresh and refine your processes over time as your use of data evolves, and practise them as appropriate.

    The sooner you take action the better. May 25th, 2018 is not a deadline after which your compliance efforts don’t matter. Regardless of your organisation’s state of readiness, what’s important is to build your own compliance timeline with a well-documented plan. This can go a great way towards mitigating or avoiding penalties if an investigation takes place before you are fully compliant. And just like cybersecurity, don’t assume that there is an end-state: GDPR compliance is an ongoing process of continual improvement, evolving as your business and data processing practices change.

    Start with an impact assessment. To truly embrace the GDPR’s objectives of putting consumers and data privacy first, create a cross-organisational GDPR team that extends beyond compliance to include stakeholders from legal, risk, lines of business, digital & marketing, IT, cyber security and senior operations personnel. Together, map all the personal and sensitive data that your organisation processes on-premises, in the cloud and on user devices, and get a clear understanding of who can access it, how well it’s protected, and whether there are any data residency concerns. Understand any potential gaps vis-à-vis GDPR and how resolutions can be woven into any existing compliance processes you have in place.

    Once you’ve gained a clear understanding of the gaps between your organisation’s processes and the requirements of the GDPR, you can prioritise which ones present the greatest business risk. Then plan any process improvements and supplement your existing security investments – including those that tell you where compliance data resides, make it safer, govern access, and help detect and prevent breaches.

    You can access all the practical support our panellists delivered to get better prepared for GDPR. The full BrightTALK panel, “Benchmark Special: How prepared are you for May 2018?”, is available now.



    By: Cecily Joseph, VP Corporate Responsibility at Symantec

    Organizations and governments across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, the cloud, and infrastructure. Each year, our stakeholders also look to Symantec for updates on our corporate responsibility (CR) progress. This week, we launched our FY17 CR Report, our tenth annual report, highlighting what we’re working on, how we manage our priority issues, and our progress and results over the last year. At Symantec, corporate responsibility and positive societal impact are aligned with our business strategy and we’ve aligned our CR activities with several UN Sustainable Development Goals (SDGs) to better contribute to large-scale progress.

    Our annual CR report is an important tool for us. Over the years, the reporting process has helped us identify and manage our priority issues, risks, and opportunities. Reporting has helped us integrate CR into our decision-making processes and shaped our long-term CR strategy. Each year, the report provides an opportunity to engage with our stakeholders in a meaningful way, and their invaluable feedback impacts our programs. Reporting helps us measure and understand our performance and has enabled us to set goals and communicate our performance – whether positive or negative.

    Symantec operates in more than 35 countries and has roughly 12,000 employees worldwide. FY17 was a big year for us organizationally as we acquired Blue Coat and LifeLock, gaining additional technologies and expertise that strengthened the protection we offer our customers. In this year of transition, and as you’ll see in our recently launched report, we’re making solid progress in some areas, and need to improve in others.

    Progress in FY17: Educating One Million Students in STEM and Reducing GHGs

    In addition to experiencing a great deal of change this year, we met two of our key CR goals. As a company, we set a goal to excite, engage, and educate one million students in science, technology, engineering, and math (STEM) by 2020. To meet this goal, which emphasizes students learning computer science and cyber security, we partnered with nonprofits around the world.

    This year we passed our milestone of one million students educated in STEM, investing just under $10 million to achieve this. We expanded the American Association of University Women (AAUW) Tech Trek program and added new nonprofit partnerships focused on cyber security education. Our partnership with Science Buddies exceeded our reach expectations, exposing hundreds of thousands of students to hands-on science education projects.

    We’ve also continued the Symantec Cyber Career Connection (Symantec C3) program, which seeks to address the gap in qualified cyber security professionals by providing a pathway for young adults, veterans, and others to enter the cyber security field. Symantec C3 provides a mix of classroom education and soft skills development, followed by on-the-job experience at cyber security internships with some of America’s leading employers. Now in its third year, approximately 7,000 students have been exposed to cyber security careers.

    In addition to meeting our STEM goal, we’re making progress in reducing our greenhouse gas (GHG) emissions. We believe that moving to a low carbon economy is important for sustainable economic growth, and our goal is to reduce GHG emissions by thirty percent in ten years (FY15-FY25). To help us meet this goal, we’ve reduced resource use across our operations, engaged employees, and joined industry initiatives in an effort to help the transition to a clean energy future.

    In FY17, we reduced our GHG emissions by fifteen percent, far surpassing our three percent annual reduction target. This achievement puts us well on track to meet or exceed our reduction goal, and since FY15, we have reduced Scope 1 and 2 emissions by 19 percent. We achieved this progress primarily as a result of three initiatives: energy efficiency projects that reduced overall energy consumption; space consolidation efforts that created a more efficient global office footprint; and an internal cloud platform initiative that reduced our data center footprint.

    Some Areas for Improvement: Diversity Efforts and Employee Volunteering

    We are proud of the progress we’ve made in educating students in STEM and reducing GHGs, and believe it’s important to be transparent and report on CR areas where we need to improve.

    At Symantec, we aim to be as diverse as the world in which we live. We've made investing in diversity a priority not only because it’s the right thing to do, but also because it translates to a higher performing industry and company. We understand that a diversity of perspectives promotes better business decision-making. It also helps ensure the products and services we offer meet the needs of the broad spectrum of customers worldwide.

    To help us demonstrate our intent, we set a public goal to increase both the percentage of women globally, and the percentage of underrepresented minorities in the United States by 15 percent by 2020 (from FY14). In this past year, we have not made sufficient progress towards our goal. We are integrating diversity and inclusion criteria into our attraction, retention, and advancement strategies, but have failed to move our numbers.

    Currently, women make up 26% of our workforce, 23% of our leadership team, and 16% of our technical team. Black and Hispanic employees make up 7% of our U.S. workforce, 5% of our leadership team, and 6% of our technical team. We are not where we want to be and know we need to work harder and differently to improve our diversity numbers.

    Goals are vital to our work at Symantec. They help us drive change, keep us accountable, and keep our priority issues on the agenda at every meeting. With that said, they don’t define all of our progress. Though we didn’t make progress on all of our diversity goals, our key efforts to create an equitable and diverse workplace and world included:

    • Our CEO, Greg Clark, signed the CEO Action for Diversity & Inclusion pledge along with more than 150 other CEOs.
    • We earned a 100% score on HRC’s Corporate Equality Index for the 9th consecutive year.
    • We initiated a series with Triple Pundit called “Black Lives Matter and Beyond,” which examined how companies can work to improve equality by increasing diversity in their ranks.
    • We piloted a Mitigating Bias training to promote inclusive thinking, rolling out the training to all recruiters and human resources business partners. We also embedded aspects of the training in our Pay and Performance training and New Manager training.

    Many of our CR efforts were especially challenged by recent organizational changes and acquisitions in FY17. These changes impacted our ability to affect the mix of people at Symantec and increased employee turnover, affecting both our diversity progress and our employee volunteering efforts. This year, we saw a setback in employee volunteering. In FY17, our engagement numbers dropped by 10 percent — to 2.24 hours volunteered per employee. This decrease was primarily due to competing internal priorities and employee turnover following the two acquisitions.

    We’ve redoubled our commitment to growing our volunteer program and are committed to building a culture that enables employees to apply their time and talents to the issues they care most deeply about. We’ve designed a competitive benefits program to encourage and maximize volunteer and philanthropic efforts that allow employees to gain corporate support for any activity with a registered nonprofit organization. These initiatives include:

    • Symantec’s Take 5! challenge, which encourages employees to volunteer for at least five hours each fiscal year;
    • Our Matching Gift program: Symantec matches up to $1,000 per employee per year;
    • Dollars for Doers: Symantec makes a donation of $15 per volunteer hour, up to $1,000 per employee per year;
    • Nonprofit Board Service: Symantec encourages our employees to serve on nonprofit boards, and they can request a lump-sum Dollars for Doers payment of their full annual allotment without accounting for hours;
    • Symantec Service Time Programs, which provide employees with up to five working days for volunteering.

    This October, we will also host our second annual Global Service Week (GSW), a full week of volunteering during which our employees are encouraged to commit to at least 30 minutes (and up to eight hours) of community service with a cause they care about.

    A Focus on the Future

    In this next year, we will continue to educate students in STEM, and will push to meet our GHG reduction goal by 2025. We’ll work to involve our newly added team members in our CR efforts and will strive to increase our employee volunteer numbers. We will continue to roll out our Mitigating Bias training to all employees to continue to foster an inclusive culture of acceptance and respect. We will work on our CR programs with coalitions and partners, focus on local community input, and like other leading businesses, will get more involved in addressing social issues. And, as you’ll see in this year’s report, we will continue to stay true to our commitment to make our world a better, safer place.

    We invite you to read more about Symantec’s CR efforts in the FY17 Corporate Responsibility Report. And, by providing your brief feedback you can support one of our nonprofit partners. Simply answer a few survey questions about our CR report and we will donate $50 (up to $50,000) to our partner Common Sense Education, which supports digital safety education for kids.



    It is the middle of a weekend and the IT security team receives an alert that ransomware is holding the hospital’s system hostage. There are many questions that need to be answered, and quickly: Which systems are affected and is your data at risk? Do you pay the ransom? Can the threat be mitigated another way? Is the threat impacting critical systems, care delivery, patient safety, and clinical operations?

    Unfortunately, this type of scenario is only too real. Healthcare institutions are affected by ransomware more than any other sector. And whether it is this type of attack or any other that puts data and the organization at risk, these healthcare organizations need a plan for when a crisis happens. The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) provides such a framework.

    As we’ve discussed throughout our series on demystifying the NIST CSF for healthcare, the framework covers many facets of cybersecurity. With five functions and 98 subcategories, the NIST CSF gives healthcare organizations a tool to reduce risk, better understand their cybersecurity environment, and make improvements to it.

    The RESPOND function, which was the topic of our most recent webinar, is a major part of that. It helps healthcare organizations look at the critical areas that need to be addressed during and immediately after an attack. That includes response planning, but also communications, analysis, mitigation and improvements.

    The goal of the NIST CSF, and specifically the RESPOND function, is not to instruct healthcare organizations on what to do. Instead, it provides a guide for organizations to see the areas in their enterprise that may be at a higher risk than others during an attack. It is then up to the organization to determine where to prioritize, and which areas to improve on.

    Doing More with Less

    As the 2017 HIMSS Cybersecurity survey shows, healthcare organizations continue to underspend on cybersecurity. On average, healthcare organizations spend about 6 percent or less of their budget on security, which is significantly less than other major industries. With limited funds and resources, the NIST CSF can help these organizations maximize and prioritize where they spend security dollars.

    There is no silver bullet for security. The attacks will continue and breaches will occur. Organizations need to be prepared and make sure they have a mitigation plan in place for when an incident or even a breach does happen. By following the guidance of the RESPOND function, healthcare organizations can have more confidence in the processes, tools, and technologies chosen when they must take action against a cybersecurity event.

    Join Symantec on October 17 at 1 p.m. ET for the next webinar in our series on the NIST CSF for Healthcare. This webinar will explore the RECOVER function, arguably the most important function as it helps ensure an organization’s resiliency and ability to focus on the patient. You can register for that webinar here.



    Every day approximately 200,000 people around the world move from rural to urban areas, leading to explosive growth in cities. In fact, in 1950 only 29 percent of the world’s population lived in urban areas, but that figure will near 65 percent by 2040. To cope with this growth, cities must become “smart,” finding ways to become more efficient and to make better use of available resources so that they maintain, if not improve, their ability to deliver services to citizens.

    The Internet of Things (IoT) will serve as a catalyst for the smart city concept by collecting data from sensors and connected users. City leaders will then be able to use this data to improve everything from water and electrical use to traffic and public safety. That is, of course, if they can keep these systems protected.

    Improving Protection

    The number of malware attacks focusing on IoT devices has multiplied over the past year as eight new malware families emerged. More than half of the attacks came from China or inside the United States, while high numbers also emanated from Russia, Germany, the Netherlands, Ukraine and Vietnam.

    No matter where the attack originates, poor security on IoT devices makes them soft targets. As cities implement more IoT technologies, they will need to make sure that device security remains a top priority. Historically, attackers going after this type of device have been less interested in the victim itself: most want to hijack the device and add it to a botnet, the majority of which are used to perform distributed denial-of-service attacks.

    Hackers, though, could break into these devices to either steal or alter city data, or as a gateway into the larger enterprise.

    Look to the Device

    Securing the IoT takes great care and diligence, but is achievable. Any organization that uses devices or sensors to collect data needs to first look at their overall security posture and then turn to security at the device level.

    Here are some key things state and local governments should look for to secure the IoT:

    • Secure devices with embedded operating systems. Use security systems that protect the leading embedded operating systems, including Linux, QNX and Windows Embedded operating systems.
    • Protect communications. Make sure to authenticate IoT devices and encrypt data transmitted throughout IoT systems and networks. Proper mutual authentication can help ensure that devices only accept connections and commands from authorized systems, closing off the weaknesses hackers typically exploit.
    • Rely on code signing certificates. Control permission for code to run on devices, including cloud programs and Java file formats.

    The IoT provides incredible promise for state and local governments looking to move forward with smart city concepts, but only if the technology can be secured properly. For more information about securing the Internet of Things, please look to these resources.

