Kent Landfield – McAfee Blogs
https://securingtomorrow.mcafee.com

The Open Cybersecurity Alliance – Building for the Future
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/the-open-cybersecurity-alliance-building-for-the-future/
Tue, 08 Oct 2019 16:00:24 +0000

Today, the rapidly evolving cybersecurity threat landscape has driven an explosion of security products, generating an ever-increasing mountain of potentially valuable data and insights. But with that comes the increased complexity needed to make sense of it all and extract the real value. According to the industry analyst firm Enterprise Strategy Group, organizations use on average 25 to 49 different security tools from up to 10 vendors, each of which generates large amounts of siloed data. Today, integrating security products into an established operational environment can be extremely resource intensive, time-consuming, and costly, all at the expense of hours that could be better spent hunting and responding to threats.

For too long, many cybersecurity vendors have made life harder for customers by ensuring their “secret sauce” was theirs and theirs alone. Organizations were not able to get the full value from the tools they purchased because of the lack of interoperability, the expense of integration and the potentially valuable data locked away from sight in proprietary silos. This situation provides us with a real opportunity, and we intend to take advantage of it.

We have seen this play out before. Prior to the beginning of the Industrial Revolution, tools were mostly handcrafted and not precise or consistent enough to support manufacturing needs. It was widespread standardization that changed the landscape and led to the Industrial Revolution. Interchangeable parts allowed for the easy assembly of new and innovative products, cheap repairs and fewer skills and time required of workers. Best of all, it led to dramatically reduced costs across the board, for producers and consumers.

We need to foster a similar revolution in cybersecurity today.

McAfee and IBM Security have kick-started an initiative to bring real interoperability and data sharing across the cybersecurity product landscape. The Open Cybersecurity Alliance (OCA) project is comprised of like-minded global cybersecurity vendors, end users, thought leaders and individuals interested in fostering an open cybersecurity ecosystem, where products from all vendors and software publishers can freely exchange information, insights, analytics, and orchestrated response, via commonly developed code and tooling, using mutually agreed upon technologies, standards, and procedures.

The Alliance’s founders, McAfee and IBM Security, are joined in the initiative by Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin.

The OCA was formed under the auspices of OASIS, a respected consortium driving the development, convergence and adoption of open standards for the global information society. The Alliance was launched as an OASIS Open Project on October 8, 2019. Participation from additional organizations and individual contributors is welcomed.

OCA’s goal is to develop and promote sets of open source common content, code, tooling, patterns, and practices for operational interoperability and data sharing among cybersecurity tools. The Alliance aims to create an environment where cybersecurity vendors do not compete on plumbing; rather, the plumbing is the foundation, the common platform, upon which cybersecurity tools are built. Cybersecurity vendors have a real adversary they are trying to defeat, and vendors should not be distracted by each of us having to replicate different ways to provide product plumbing.

For enterprise users, OCA means:

  • Improving security visibility, providing the ability to discover new insights and findings that might otherwise have been missed
  • Extracting real value from existing products while reducing vendor lock-in
  • Connecting data and sharing insights across products
  • Enabling vendors who make use of OCA code, tooling, and patterns to seamlessly interoperate, making plug-and-play integration of cybersecurity products a reality
  • Facilitating a variety of security use cases, including threat hunting & detection, analytics, operations, response and more

In short, the goal is: integrate once, reuse everywhere.

For security vendors, the benefits of supporting the OCA in products are tangible. They include:

  • Reduced integration costs, improving vendors’ ability to focus on higher-value features and integrations
  • Improved robustness of data integrations, allowing customers to extract more value from their products and tools
  • Ease of integration for customers, allowing products to be more useful directly out of the box
  • No duplication of the messaging and data exchange aspects of products

Security practitioners benefit from OCA-integrated tools through:

  • Increased visibility and the ability to discover new critical insights and findings that would have otherwise been missed
  • Reduced procurement of unnecessary new tools
  • Reduced vendor lock-in
  • More rapid deployment and integration into security processes
  • Overall reduction of costs for product integration

Like the beginning of the Industrial Revolution, where interchangeable parts provided the economic incentives and the foundation for true innovation, we believe that an open cybersecurity ecosystem, where products from all vendors and software publishers can freely exchange information, insights, analytics, and orchestrated responses, will lead to real advancements in cybersecurity. The OCA strives to provide that foundation for cybersecurity innovation to flourish.

Join the Open Cybersecurity Alliance today and help us start a revolution.

The post The Open Cybersecurity Alliance – Building for the Future appeared first on McAfee Blogs.

Privacy and Security by Design: Thoughts for Data Privacy Day
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/privacy-and-security-by-design-thoughts-for-data-privacy-day/
Mon, 28 Jan 2019 14:00:56 +0000

Data Privacy Day has particular relevance this year, as 2018 brought privacy into focus in ways other years have not. Ironically, in the same year that the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect, the public also learned of glaring misuses of personal information and a continued stream of personal data breaches. Policymakers in the United States know they cannot ignore data privacy, and multiple efforts are underway: bills were introduced in Congress, draft legislation was floated, privacy principles were announced, and a National Institute of Standards and Technology (NIST) Privacy Framework and a National Telecommunications and Information Administration (NTIA) effort to develop the administration’s approach to consumer privacy are in process.

These are all positive steps forward, as revelations about widespread misuse of personal data are causing people to mistrust technology—a situation that must be remedied.

Effective consumer privacy policies and regulations are critical to the continued growth of the U.S. economy, the internet, and the many innovative technologies that rely on consumers’ personal data. Companies need clear privacy and security expectations to not only comply with the diversity of existing laws, but also to grow businesses, improve efficiencies, remain competitive, and most importantly, to encourage consumers to trust organizations and their technology.

If an organization puts the customer at the core of everything it does, as we do at McAfee, then protecting customers’ data is an essential component of doing business. Robust privacy and security solutions are fundamental to McAfee’s strategic vision, products, services, and technology solutions. Likewise, our data protection and security solutions enable our enterprise and government customers to more efficiently and effectively comply with regulatory requirements.

Our approach derives from seeing privacy and security as two sides of the same coin. You can’t have privacy without security. While you can have security without privacy, we strongly believe the two should go hand in hand.

In comments we submitted to NIST on “Developing a Privacy Framework,” we made the case for Privacy and Security by Design. This approach requires companies to consider privacy and security on the drawing board and throughout the development process for products and services going to market. It also means protecting data through a technology design that considers privacy engineering principles. This proactive approach is the most effective way to enable data protection because the data protection strategies are integrated into the technology as the product or service is created. Privacy and Security by Design encourages accountability in the development of technologies, making certain that privacy and security are foundational components of the product and service development processes.

The concept of Privacy and Security by Design is aspirational but is absolutely the best way to achieve privacy and security without end users having to think much about them. We have some recommendations for organizations to consider in designing and enforcing privacy practices.

There are several layers that should be included in the creation of privacy and data security programs:

  • Internal policies should clearly articulate what is permissible and impermissible.
  • Specific departments should specify further granularity regarding policy requirements and best practices (e.g., HR, IT, legal, and marketing will have different requirements and restrictions for the collection, use, and protection of personal data).
  • Privacy (legal and non-legal) and security professionals in the organization must have detailed documentation and process tools that streamline the implementation of the risk-based framework.
  • Ongoing organizational training regarding the importance of protecting personal data and best practices is essential to the continued success of these programs.
  • The policy requirements should be tied to the organization’s code of conduct and enforced as required when policies are violated.

Finally, an organization must have easy-to-understand external privacy and data security policies to educate the user/consumer and to drive toward informed consent to collect and share data wherever possible. The aim must be to make security and privacy ubiquitous, simple, and understood by all.

As we acknowledge Data Privacy Day this year, we hope that privacy will not only be a talking point for policymakers but that it will also result in action. Constructing and agreeing upon U.S. privacy principles through legislation or a framework will be a complicated process. We had better start now because we’re already behind many other countries around the globe.

The post Privacy and Security by Design: Thoughts for Data Privacy Day appeared first on McAfee Blogs.

NIST’s Creation of a Privacy Framework
https://securingtomorrow.mcafee.com/business/nists-creation-of-a-privacy-framework/
Wed, 31 Oct 2018 19:50:12 +0000

On Tuesday, Oct. 16, the National Institute of Standards and Technology (NIST) held its “Kicking off the NIST Privacy Framework: Workshop #1” in Austin, Texas. I was honored to be asked to participate. This was the first in a series of public workshops focusing on the development of a useful and voluntary Privacy Framework, like the NIST Cybersecurity Framework (CSF).

Event participation was outstanding. NIST’s initial registration for the event was filled in less than 90 minutes. Realizing they needed a bigger room, NIST moved to a space that nearly doubled the potential attendance. When the reopening of the registration was announced, it was filled in less than an hour. Many well-known names in the privacy field attended, with the audience primarily consisting of privacy consultants, lawyers, and other professionals trying to figure out how the Privacy Framework fits into their future.

NIST previously brought together both public and private sector individuals interested in solving problems that face us all. The CSF was a highly successful effort to develop a lightweight, valuable, and adoptable framework focused on improving the “security programs” of organizations. While initially developed in response to presidential executive order 13636, the CSF was never meant to be a government document. Speaking to critical infrastructure and cybersecurity organization representatives at the first Cybersecurity Framework meeting, previous NIST director Dr. Pat Gallagher said, “This is not NIST’s framework, this is yours.” He was absolutely right.

Over the next year, more than 3,000 professionals participated in CSF workshops, responded to requests for information, and provided comments on work-in-progress drafts. The result was something that achieved the CSF’s initial goals: It’s beneficial to all sectors and is usable by a range of organizations from small businesses to some of the largest corporations on the planet. The CSF is having a positive global influence with its adoption by various countries. It’s also assisting in the global alignment of cybersecurity languages and practices.

NIST has established many of the same goals for the Privacy Framework. These goals include:

  1. Developing the Privacy Framework through a consensus-driven, open, and highly transparent process
  2. Establishing a common language, providing for a consistent means to facilitate communication across all aspects of an organization
  3. Ensuring it is adaptable and scalable to many differing types of organizations, technologies, lifecycle phases, sectors, and uses
  4. Developing a voluntary, risk-based, outcome-based, and non-prescriptive privacy framework
  5. Ensuring it is usable as part of any organization’s broader corporate risk management strategy and processes
  6. Taking advantage of and incorporating existing privacy standards, methodologies, and guidance
  7. Establishing it as a living document that is updated as technology and approaches to privacy change and as stakeholders learn from implementations

During the Privacy Framework Kickoff, I was pleased to hear questions that were similar to what I heard during the initial CSF Kickoff. There was real tension in the room during the CSF Kickoff—a sense of not knowing how it was going to impact organizations’ cybersecurity-related responsibilities. The same tension was present during the Privacy Framework Kickoff conversations. We are just beginning to try to understand a solution that doesn’t yet exist.

It’s hard to see the result of a Privacy Framework from where we sit today. How can we develop and position a framework like this to be valuable for both U.S. and global businesses? What is intended for this effort? What are potential definition needs? What is harm? What new technology could influence this? How do we position this for the next 25 years of privacy, not just the past five?

We have started down a path that will likely take more than a year to complete. I envision the emerging Privacy Framework as addressing best practices in privacy while being compatible with and supporting an organization’s ability to operate under the various domestic and international legal or regulatory regimes. The Privacy Framework should not be focused on the legal aspects of privacy, but rather on what organizations need to consider in their own privacy programs. This is a journey just begun. From my perspective, the workshop on Oct. 16 was an outstanding start to the development of a consensus-driven Privacy Framework. I look forward to the active discussions and work ahead.

The post NIST’s Creation of a Privacy Framework appeared first on McAfee Blogs.
