Blog posts by Mike Small

Blog

McAfee Acquire Skyhigh Networks

McAfee, from its foundation in 1987, has a long history in the world of cyber-security.  Acquired by Intel in 2010, it was spun back out, becoming McAfee LLC, in April 2017. According to the announcement on April 23rd, 2017 by Christopher D. Young, CEO – the new company will be “One that promises customers cybersecurity outcomes, not fragmented products.” So, it is interesting to consider what the acquisition of Skyhigh Networks, which was announced by McAfee on November 27th, will mean. Currently, McAfee solutions cover areas that include: antimalware,...

Blog

Grizzly Steppe – What Every Organization Needs to Do

On December 29 th, the FBI together with CERT finally released a Joint Analysis Report on the cyber-attacks on the US Democratic Party during the US presidential election.  Every organization, whether they are based in the US or not, would do well to read this report and to ensure that their organization takes account of its recommendations.  Once released into the wild – the tools and techniques and processes (TTPs) used by state actors are quickly taken up and become widely used by other adversaries.  This report is not a formal indictment of a crime as was the...

Blog

What Value Certification?

In the past weeks, there have been several press releases from CSPs (Cloud Service Providers) announcing new certifications for their services.  In November, BSI announced that Microsoft Azure had achieved Cloud Security Alliance (CSA) STAR Certification. On December 15 th , Amazon Web Services (AWS) announced that it had successfully completed the assessment against the compliance standard of the Bundesamt für Sicherheit in der Informationstechnik (BSI), the Cloud Computing Compliance Controls Catalogue (C5). What value do these certifications bring to the customer of...

Blog

AWS re:Invent 2016 Blog

In the last week of November I attended the AWS re:Invent conference in Las Vegas – this was an impressive event with around 32,000 attendees. There were a significant number of announcements at this event; many were essentially more of the same but bigger, better based on what their customers were asking for. It is clear that AWS is going from strength to strength. AWS announced many faster compute instances with larger amounts of memory optimized for various specific tasks. This may seem boring - but these announcements were received with rapturous applause from the audience....

Blog

Democratized Security

At the AWS Enterprise Security Summit in London on November 8 th , Stephen Schmidt, CISO at AWS gave a keynote entitled “Democratized Security” .  What is Democratized Security and does it really exist?  Well, to quote Humpty Dumpty from the book Alice in Wonderland “When I use a word it means just what I choose it to mean—neither more nor less."  So, what Mr. Schmidt meant by this phrase may or may not be what other people would understand it to mean.  This is my interpretation. The word democracy originates in ancient Greece and where it...

Blog

Be careful not to DROWN

On March 1 st OpenSSL published a security advisory CVE-2016-0800 , known as “DROWN”. This is described as a cross-protocol attack on TLS using SSLv2 and is classified with a High Severity. The advice given by OpenSSL is: “We strongly advise against the use of SSLv2 due not only to the issues described below, but to the other known deficiencies in the protocol as described at https://tools.ietf.org/html/rfc6176 ” This vulnerability illustrates how vigilant organizations need to be over the specific versions of software that they use. However, this is easier...

Blog

ISO/IEC 27017 was it worth the wait?

On November 30 th , 2015 the final version of the standard ISO/IEC 27017 was published.  This standard provides guidelines for information security controls applicable to the provision and use of cloud services.  This standard has been some time in gestation and was first released as a draft in spring 2015.  Has the wait been worth it?  In my opinion yes. The gold standard for information security management is ISO/IEC 27001 together with the guidance given in ISO/IEC 27002.  These standards remain the foundation but the guidelines are largely written on the...

Blog

Why Governance Matters to IT Security

MetricStream, a US company that supplies Governance, Risk and Compliance applications, held their GRC Summit in London on November 11 th and 12 th .  Governance is important to organizations because of the increasing burden of regulations and laws upon their operations.  It is specifically relevant to IT security because these regulations touch upon the data held in the IT systems.  It is also highly relevant because of the wide range of IT service delivery models in use today. Organizations using IT services provided by a third party (for example a cloud service...

Blog

AWS Security and Compliance Update

Security is a common concern of organizations adopting cloud services and so it was interesting to hear from end users at the AWS Summit in London on November 17 th how some organizations have addressed these concerns. Financial services is a highly regulated industry with a strong focus on information security.  At the event Allan Brearley, Head of Transformation Services at Tesco Bank, described the challenges they faced exploiting cloud services to innovate and reduce cost, while ensuring security and compliance.  The approach that Tesco Bank took, which is the one...

Blog

Building a Cyber Defence Centre: IBM’s rules for success

According to GCHQ , the number of cyber-attacks threatening UK national security have doubled in the past 12 months. How can organizations protect themselves against this growing threat especially when statistics show that most data breaches are only discovered some time after the attack took place? One important approach is to create a Cyber Defence Centre to implement and co-ordinate the activities needed to protect, detect and respond to cyber-attacks. The Cyber Defence Centre has evolved from the SOC (Security Operation Centre). It supports the processes for enterprise security...


KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

Subscribe to our Podcasts

KuppingerCole Podcasts - watch or listen anywhere


How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00