:00:34:Can you provide a profile of your roles and challenges?"....My roles have changed over the years but I have faced a lot of the same challenges....One of the commonalities across all of them is a simple question - 'do you want to be compliant or secure?' What I've discovered over the years is that you don't have to make a choice between those two. There is a way to ensure that your organization is compliant while still ensuring that you are meeting security...."
:01:39:What are your recommendations for security governance?"....One of the fundamental things that an organization needs to do is to get management to buy into anything you are trying to put together...."
:02:19:Can you profile defense in depth?"....One of the things we've seen as the technology and methodologies have matured in the security industry has been a move toward providing multiple layers of security. So even if one of the layers is breached, there is a compensating offsetting layer of security somewhere further within the network or on a system itself in order to deal with that specific problem....."
:03:42:What are your best practices regarding virus protection?"....Using the multiple layered approach to virus protection. Don't rely on the same vendor normally for desktop protection and server protection. Microsoft, I think, is the unique differentiator and is an exception to that rule because their Microsoft Forefront for Exchange product actually doesn't use the Microsoft anti-virus signature. It leverages the signatures of multiple other vendors so you have the opportunity to have other vendors' technology from a signature perspective while taking advantage of Microsoft's ability to talk very rapidly with their own equipment because, of course, it's their own software...."
:04:29:How about malware removal and your recommendations?"....In 99% of the cases, until you are 100% sure that you have been able to clean that malware out, I usually recommend that people actually rebuild the system from scratch...."
:04:37:What are your viewpoints in regards to security of the people element in corporations?"....People are the weakest link, as we well know, when it comes to security....When it comes to protecting information and preventing that information from leaving the organization, most companies have not taken sufficient steps to protect their information. It's very easy for information to walk out of organizations today and most companies don't know about it....The biggest challenge on the people side is getting restrictions in place and being able to understand what's happening...."
:06:51:Can you overview some of the key products from the Forefront Security product suite?"....Forefront really has three focuses: the Client protection, the Server protection, and the Network (the Edge) protection...On the client side, Microsoft has done a great job of creating a small-footprint client; it's one of the smallest ones on the market. On the server, my favorite product is Microsoft Forefront for Exchange. I love it because it has the ability to leverage up to five different vendors' scanning engines and to provide defense in depth right in that one spot, without having to invest in multiple different technologies....From the Edge, of course, the ISA server, the Microsoft firewall, as well as the IAG...."
:08:45:David provides some recommendations for Security Solution Accelerators."....I really like the Accelerators because they give you quick access guides, attack surfaces (different ways that machines can be compromised), and they've put together a really comprehensive set of baseline settings for each of the different operating systems...."
:09:40:What is a simple and effective way to measure network security?"....It takes three things. You need to have policies that define what you are supposed to be doing. You need to have a type of technology or methodology or process in place in order to enforce that policy. Then you need to have a way to measure the effectiveness of the compliance of that enforcement...."
:11:13:Can you comment on 2009, the year of whitelisting, due to the economic climate?"....Instead of saying let's let the users do pretty much what they want within reason and then try to figure out ways to stop them from doing it, you'll see pretty defined lists of what people are allowed to do, and by default you will block everything else....The same thing applies to applications....So it adds to the validity of the defense in depth approach. It adds to the functionality of the anti-virus software because things are being stopped from running even before they get a chance to run. It also makes it a lot easier to manage and maintain from a security perspective...."
:13:58:Please comment on using security monitoring solutions to measure and validate Service Provider SLAs."....From a security monitoring perspective there is actually a fair amount that we can do for ourselves very easily and relatively inexpensively to help us to validate SLAs from our providers, and also to make sure the providers are not just meeting service level agreements but also to ensure that they are doing things in the fashion that they've agreed to do it. Two examples I would use are User Account Creation (specifically as it relates to administrative accounts) and Change Management Control...."
:16:25:What can you say about tracking and compliance in a non-compliance world?"....What companies really need to move towards in order to do that effective tracking, in order to ensure compliance or at least be aware of compliance, is to get into more continuous auditing and monitoring...."
:18:13:Provide your predictions of future IT/Business security trends and their implications/opportunities?"....I see huge opportunities in the security industry for us to really solidify how we deliver security into companies and to come up with very clear, measurable sets of deliverables into companies. I see a big opportunity for security to become ingrained....I think we are going to see a lot more trends towards consolidation...."
:20:23:Which are your top specific recommended resources and why?"....www.microsoft.com/security and others....Bruce Schneier's blog...."
:21:45:If you were doing this interview, what question would you ask and then what would be your answer?"....When are we going to see security as an industry stabilize so that we can get back to running businesses?...."
:23:57:David shares a story from his experiences and work.
This is the next blog in the continuing series of interviews with top-echelon and renowned professionals.