T.E.N. Knowledge Base


ISE® WEST 2012

Taking PDF Security to a New Level with Adobe Reader® and Adobe Acrobat® > Download Whitepaper
Adobe Reader X and Adobe Acrobat X take the security of PDF documents - and your data - to a whole new level. Engineered with security in mind, Reader X and Acrobat X deliver better application security thanks to Protected Mode and new capabilities that allow more granular controls, tighter integration with the Microsoft® Windows® and Mac OS X operating system architectures, and improved deployment and administration tools.

Adobe® Flash® Player and Adobe AIR® security > Download Whitepaper
Both Adobe Flash Platform runtimes - Flash Player and AIR - include built-in security and privacy features to provide strong protection for your data and privacy, whether you use these Adobe products on your desktop system or mobile device. Adobe constantly advances these protections to incorporate the latest developments in the industry and stay ahead of the continually evolving threat landscape.

Adobe Incident Response and Management > Download Whitepaper
The Adobe Secure Software Engineering Team (ASSET) proactively focuses on preventing security vulnerabilities in Adobe products before they ship, but Adobe knows that ensuring security doesn't end when a product is released. If external security researchers, partners, or customers discover a vulnerability after a product ships, the Adobe Product Security Incident Response Team (PSIRT) responds to resolve the security issue quickly, effectively, and thoroughly. PSIRT is your first line of defense for vulnerability resolution and threat mitigation. PSIRT coordinates with Adobe product engineering teams to identify the appropriate response plan and keeps you informed on mitigation procedures and release schedules.

Adobe Secure Product Lifecycle > Download Whitepaper
The Adobe Secure Product Lifecycle (SPLC) is a rigorous set of industry-leading best practices, processes, and tools designed to keep customers safe and more secure in the evolving threat landscape as they deploy and use Adobe software. The SPLC touches all aspects of the product lifecycle - from providing essential security training for software development teams and building security features into product design, to developing quick incident response plans postship.

Killing Data  > Download Whitepaper
As cybercriminals have become more skillful and sophisticated, they have eroded the effectiveness of our traditional perimeter-based security controls. The constantly mutating threat landscape requires new defensive measures, one of which is the pervasive use of data encryption technologies. In the future, you will encrypt data - both in motion and at rest - by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals. By encrypting, and thereby devaluing, your sensitive data, you can make cybercriminals bypass your networks and look for less robustly protected targets.

Establishing a Data-Centric Approach to Encryption  > Download Whitepaper
This paper will provide an overview of the evolving approaches hackers use to steal private data and describe the key requirements for protecting corporate data assets with a data-centric encryption strategy.

Executive Viewpoint  > Download Whitepaper
Sathvik Krishnamurthy, President and CEO of Voltage, discusses Data-Centric Security Against Tomorrow's Threats.

The Continuing Evolution of Virtualization, Cloud Computing, and Information Security  > Download Whitepaper
According to ESG research, increased use of server virtualization is a top priority for 2012; more than 60% of large and small organizations will increase spending in this area. Why? Because its optimization and efficiency benefits are measurable and real. Given this, many firms plan to expand their use of virtualization by increasing the number of virtual servers in use, virtualizing applications, and moving forward with virtual desktop projects. This progress is part of a multi-year journey from IT virtualization to an increasing use of cloud computing. In fact, ESG research indicates that 46% of organizations are using SaaS today, 27% consume IaaS, and 23% are already utilizing PaaS.

2012 Global Security Report  > Download Whitepaper
Organizations, regardless of industry and size, continue to face similar information security risks. Old systems with known flaws can take time to decommission and new systems are implemented with little or no thought to security. In its third year, the Trustwave 2012 Global Security Report will help you understand today’s information security threat landscape, as well as how to better protect your organization from cyber attacks in the years ahead.

Core Security

The Value of Predictive Security Intelligence > Download Presentation
Although security information is widespread, true "intelligence" is hard to establish because rapidly evolving technologies often create massive responsibility with little support or understanding of security implications. Security leaders must possess the knowledge and resources to predict and prevent threats and effectively communicate risks within an environment of constant change. Our lunch program will provide insights regarding the integration of full-scale attack planning, threat simulation and attack replication for the purpose of garnering upper-management support, optimizing efficiency and investments in people and technology, and uniting security and business risks.

Pete Lindstrom
Principal Analyst
Spire Security

Measure the Immeasurable: Translating Risk to Executives  > Download Presentation
What does "we stopped 24,476 malware attacks today" mean to an executive? Not much without context. The challenge with reporting metrics is that executives don't always understand "why" they should care, as most measurements only speak to what can be measured vs. what should be measured. As security executives we need to talk less about the bits and bytes and more about what is critical to the business. If you do, you'll find the path to true partnership with the C-suite is not as difficult as exploiting an OpenSSL De-allocation vulnerability. In this session you will learn concrete strategies that will help your organization "get there" and contextualize security - for executives and the business alike. Learn how to create a repeatable, successful strategy to communicate IT risk-to-business risk to build an open line of communication, prioritize issues, and possibly gain more resources to fix the problem right.

Mike Wilson
Vice President, Chief Information Security Officer
ISE® West Executive of the Year Award Winner 2011
ISE® North America Health Care Executive Award Finalist 2011

The Evolving CISO Role – What got you here is unlikely to get you there...  > Download the Presentation
There has been commentary over the last twelve months around the emerging role of the CISO as a risk practitioner, business partner and seasoned communicator. What it means to be a CISO today is changing, and this should be of concern for aspiring security professionals, as the skills they hone to help achieve these leadership roles are likely to be inadequate to be fully effective in these new roles.

Arguably, the security and risk management industry is challenged by the lack of executive and general management skills to quench an ever-increasing leadership demand. This is truly evident in the health care vertical, which is in very short order responding to a revolution associated with the perfect storm of digital healthcare regulatory reform and increased privacy and security concerns.

Interestingly, research suggests that the significant challenge facing aspiring new leaders is not their technical prowess or subject matter expertise, but rather the ability to evolve the Information Security Function to that of a risk governance organization that provides oversight across a topic that is more relevant to the Board and Senior Management than ever before. Emerging skills are now sought after, grounded in risk management and the ability to partner across the organization, executive communication skills and the ability to influence senior leaders. Here is the paradox: to succeed through the ranks in the information security field we have emphasized the need for specialization and technical skills development, and yet when you arrive your ability to be effective as a CISO requires a whole different set of skills.

Curtis Coleman
Information Security Officer
Seagate Technology

Factory Application Control / Whitelisting Project  > Download the Presentation
In this presentation, Curtis Coleman will discuss the “Factory Application Control/Whitelisting Project” Seagate undertook to protect both legacy factory testing systems with embedded computers and high-risk, high-value knowledge worker systems. The project addressed the need to:

  1. Replace the resource-intensive antivirus systems that impacted throughput capacity within the factory environment
  2. Augment the signature-based antivirus system with strong defense that would prevent malware from executing on the knowledge worker computers.
Curtis will share how it was critical throughout the effort to maintain factory production capacity while protecting the testing systems from malware and other threats.

Amy Carroll
Vice President, Operational Risk and Process Management
Janus Capital Group

Security Leadership Balancing Risk and Business Value > Download the Presentation
Amy Carroll will discuss how Janus Capital Group is managing their security awareness program as a marketing campaign. She will walk you through the 4-week campaign that was rolled out to coincide with International Security Awareness Month, and the sessions they have offered their developers on how to protect company and personal data, focused on security vulnerabilities – what can happen and how to avoid them. Janus Capital Group implemented the Courion attestation module to ensure user access is compliant with corporate and regulatory policy, with favorable feedback from their business application owners. This moves Janus closer to the goal of having an employee access view as opposed to individual system access views.

Bill Burns
Director, Information Security and Networking

DevOps – Scaling Cloud Security by Converging the Data Center with a Global Public Cloud > Download the Presentation
Bill Burns will share how Netflix is committed to adopting a pure public cloud model, yet many security and compliance controls are not mature or do not exist in that space. Bill and his team created a prioritized, risk-based approach to migrating existing controls from their datacenters to a global public cloud. One such example has been the migration of a distributed, purely-software Web Application Firewall system to provide basic security and compliance controls. This system protects sensitive customer information and transactions, provides a “single pane of glass” of the entire attack surface (DataCenter + global public cloud), and is compatible both with their traditional puppet-based and DevOps deployment model. Furthermore, this WAF system is embedded into the cloud instance build process, so it’s truly “baked in by default” for any new instances that are spawned. As new Netflix web systems are automatically added to match customer demand throughout the day, this security control is transparently applied to follow the demand curve. The end result is a system that scales equally well in both traditional datacenter and DevOps public cloud environments, and interoperates seamlessly. This provides his team and Netflix a single view of the attack surface that represents the Netflix service.

Sherry Ryan
Chief Information Security Officer
Blue Shield of California
ISE® West Executive Award Nominee 2011

Practical Security Management: Getting Back to Basics  > Read Roundtable Discussion Summary
With the media continuing to report on the latest security incidents and malware du jour, it’s tempting to view the constant stream of high-profile data breaches as proof of the advanced capability of the faceless adversary. Driven by the seemingly endless stream of news-making exploits, organizations increasingly are relying on the latest technology as a silver bullet in defending against attacks.

Joan Ross
Chief Security Officer

Building Trust in the Cloud: Managing the Risk  > Read Roundtable Discussion Summary
Cloud computing has accelerated the rapid adoption of digital business models and given rise to a breed of sophisticated business user who can choose which services to use and combine them at will. Cloud computing clearly delivers value in terms of flexibility, scalability, cost savings and the ability to focus on the core business. But in exchange for speed and efficiencies, organizations are increasing their dependency on third parties and making business trade-offs that may be risky due to a lack of expertise by the person making the outsourcing decisions. Further, as organizations become locked in to a cloud provider, they face compliance, contracting, legal and integration risks.

Jeff Trudeau
Information Security Officer
Sutter Health
ISE® North America Health Care Executive Award Winner 2013

Threat Intelligence: Knowledge is Power  > Read Roundtable Discussion Summary
Today’s cyber threat actors are unwaveringly focused on the theft of intellectual property, mission-critical details, and other sensitive information, continually evolving their methods and routinely defeating traditional approaches to defense. As organizations work to thwart the attackers, they find themselves in an escalating arms race with unseen attackers. To combat the advanced, persistent and constantly morphing threats, organizations need the very best security intelligence delivered immediately. However, conventional security technologies typically lack the innate intelligence to deal with rapidly emerging threats and web innovation. As a result, current approaches to threat management often fail due to limited threat intelligence, a lack of event context and gaps associated with this lack of visibility. Further, conducting threat intelligence is tedious and time-consuming. Most security teams are already overburdened with other initiatives. Without ongoing threat vigilance, most organizations stand to find themselves in a constant, reactive state, trying to limit damage after outbreaks occur.

Niall Browne
CSO & VP of Information Security

Mobile Device Management: Balancing Business Agility and its Risk  > Read Roundtable Discussion Summary
With the astonishing influx of smartphones, mobile devices and tablets into enterprises, mobile data has become a foundation of the daily operations of businesses around the world. Not only has data itself become more mobile, but the users holding that data have as well. It is the job of the IT organization to make this ‘mobile user experience’ no different than if the user was inside the office and connected to the network, and just as secure. While employees relish the anywhere, anytime power of smartphones and tablets, IT executives shudder at the security risks associated with the advent of free-roaming, employee-owned devices that have direct access to the corporate data. With inadequate mobile security solutions and a lack of understanding or disregard of company security policies by employees, mobile users routinely put sensitive data at risk and are often completely unaware of the inherent risks.