Defining an advanced persistent threat

May 24, 2013

Advanced persistent threats (APTs) are without a doubt one of the biggest IT security buzzwords.

APTs rarely cause obvious disruption; they do their damage quietly over time. Hardly a day goes by without a press story about a company discovering that it has been hit by one.

However, understanding APTs and how to protect against them can be a daunting task for any IT manager. In a series of blog posts we will explain exactly what APTs are, how they affect systems, what types of protection are effective and ineffective and the best approach to defend against them.

So, first things first – to help better understand APTs, let's dig into the meaning of each part of the acronym:

  • Advanced: The attacker has significant technical capability to exploit vulnerabilities in the target. That may include access to large vulnerability and exploit databases, coding skills, and the ability to find and exploit previously unknown vulnerabilities. Attackers may buy zero-day exploits to help them, or rent access to a botnet.
  • Persistent: APTs often occur over an extended period. Unlike short-term attacks that take advantage of temporary opportunities, APTs may take place over the course of years. Multiple attack vectors can be used, from web-based attacks to social engineering. Minor security breaches may be combined over time to gain access to more significant data.
  • Threat: In order for there to be a threat, there must be an attacker with both the motivation and ability to perform a successful attack.

Looking at the stages of an APT

APTs typically progress through a series of stages as they develop and spread. It's useful to understand these stages in order to see how the threats come about. For example, an APT might follow these stages:

  • Reconnaissance: Attackers research and identify their targets.
  • Intrusion: Spear phishing emails target specific users within the target company with spoofed messages that include malicious links or malicious PDF or Microsoft Office document attachments.
  • Establishing a backdoor: Malware delivered by the intrusion installs a backdoor that connects out to infrastructure the attackers control, giving them remote access that no longer depends on the original exploit.
  • Obtaining user credentials: Attackers harvest valid credentials from the compromised hosts, typically aiming for domain administrator accounts, and use them to log in like any legitimate user.
  • Installing utilities: Programs installed on the target network install further backdoors, grab passwords and steal email, among other tasks.
  • Privilege escalation, lateral movement and data exfiltration: With elevated rights, attackers move from host to host, then collect emails, attachments and files from servers and transfer them out of the network.
  • Maintaining persistence: If the attackers find they are being detected or remediated, they use other methods, including revamping their malware, to ensure they don't lose their presence in the victim's network. Attackers don't break a window, steal some things and leave. They harvest initial data and wait patiently for more information to become available. An APT tends to stay for an extended period, potentially years, and attempts to remain undetected.

Targeted attacks represent a very special type of threat: one that is silent, very difficult to trace and potentially devastating in the damage it can do, which ranges from stealing an organisation's intellectual property to stealing passwords that give the attackers unrestricted access to the network.

It's essential that enterprise organisations protect themselves against these threats, and do so cost effectively, without placing an inappropriate burden on end-users or interrupting daily operations.

Brian Laing is a vice president at AhnLab

 

Butch Cassidy and the hacking kids

May 24, 2013

The recent media interest surrounding the heist of several million pounds worth of money from cashpoints across the globe highlights the fact that, with the connectivity introduced by the internet age, the definitions of national boundaries have changed beyond recognition.

Information security has often been treated as an afterthought in many organisations. The primary concerns of cost-efficient systems that meet the end-user's functional requirements are all too often prioritised, while technical hardening and resilience against potential threat vectors are pushed down the line and treated as the final piece of the jigsaw, with tight budgets leaving little more than lip service to the notion of security.

A number of recent high-profile breaches highlight various facets of this issue, although in reality the majority of these weaknesses stem from an underlying human predisposition towards minimal effort. The headlines make striking news stories; the underlying weaknesses are default and weak user credentials.

The string of cash withdrawals across the globe has taken a fundamentally different approach and casts suspicion against the security model of offshoring potentially sensitive data, while raising the political spectre of responsibility in the global economy.

While credit card security has improved significantly in recent years, the security of debit cards has lagged behind. Media interest focuses on credit, and debt, over accounts that are tied to physical account balances.

While investigations are on-going; the true detail of the break-ins will remain unclear, and subject to speculation. However, it is clear that sensitive account information for a number of accounts was held offshore. While this detail may not have included the entire card details, a number of critical components for these were exposed, including account balance information for pre-paid debit cards.

In reality, these weaknesses are likely to be similar in nature to their more publicised neighbours, where human weakness allows cracks to appear in the outer security layers. Crossing national boundaries introduces issues such as language and differing process priorities that can give skilled individuals opportunities to social-engineer themselves into privileged positions.

These cracks can then be utilised in order to gain access to underlying infrastructure. With even the tightest of security hardening, access by ‘legitimate' users into an environment will be allowed.

However, this heist has hit the headlines because the unnamed perpetrators took the process one step further: by enrolling a number of operatives across the globe, they were able to change the ‘back room hacker' stereotypical attack into a physical theft of millions of dollars, and bypassed many of the underlying bank security measures that were put in place.

The use of technological warfare, combined with the age-old art of card cloning, provided the means for a significant number of withdrawals in a targeted and coordinated fashion. Significant and inherent weaknesses in ATM processes and account security measures were unearthed, which will have caused many card companies sleepless nights as they rush to react to the media spotlight.

It must be noted that the majority of countries where the fraud was carried out continue to rely on the card's magnetic stripe as the primary means of card security, while nations such as the UK, where chip and PIN technology is used extensively, have been targeted less.

Technological advances such as this will have removed some of the lowest-hanging fruit for such an operation. However, the underlying weaknesses still exist, and should not be overlooked.

For many, such a news article provides a wake-up call. Where once the world of the ‘hacker' was considered a minor consideration for many in the private sector; either the domain of the bedroom teenager, or the James Bond style spy, the real implications for many will have been realised. This is physical money, and is a global issue.

Many current initiatives, such as the PCI Data Security Standard (PCI DSS) and the Barclays Risk Reduction Programme, aim to raise awareness of the hardening of systems involved in the processing of card data and provide reassurance about the underlying processing methods.

Such programmes provide markers that can be used as part of broader education and awareness, which companies can adopt to build a solid understanding of security from the board level down and from the ground level up.

Sam Raynor is a consultant at Information Risk Management

 

CISSP - more than words?

May 23, 2013

I recently came across a very interesting blog by Wendy Nather on her not renewing her CISSP certification.

Nather, who is a well-respected analyst at the 451 Group, has been IT security director at several firms in previous years and probably needed to keep her CISSP accreditation. However in her blog, Nather said that she had decided to let her CISSP certification lapse as since getting the accreditation, "having that certification has done nothing for me, except to make me have to look up my number every so often when registering for a conference".

She said: “I never actually planned to get it to begin with; I only signed up for the exam because there was a job I thought I might apply for, and the CISSP was required.

“By the time I decided to go in a different career direction, it was too late for me to get my exam fees back (and for that amount of money, I could have bought a laptop or some designer shoes). So I crammed for about a day and a half, went to the exam, came out two hours later, and was done. Relatively painless, except for the extortion I had to do of certain former colleagues to get the recommendation forms filled out.”

Back at the RSA Conference in February, I attended a panel session on the value of certifications, where comments were made on the need for these accreditations and whether people are hired for competency or because of certifications such as the CISSP.

In that session, Andrew Ellis, chief security officer at Akamai Technologies, said: “We look at certificates, if they have them they say 'with this, this person is qualified to practise with quality', but then if a practitioner has a certificate such as CPA, that is the most common reputational certificate.

“The challenge is as those who have them grows, so it becomes the bottom bar and it carries the reputation of the lowest person who owns that certification.”

Nather also said in her blog that she was not happy with paying every year to have letters after her name, and that CISSPs were so common, they would be of use for people starting out in security and it was a handy first sorting mechanism when you're looking to fill certain levels of positions. “But by the time you're directly recruiting people, you should know why you want them other than the fact that they're certified. And then the letters aren't important,” she said.

The blog naturally stirred quite a reaction, with Nather posting an update saying she really respects and admires what members of the (ISC)2 board are trying to do, and while the CISSP is not completely useless, it's just not something she personally wants to put time and money into maintaining.

Wim Remes, (ISC)2 board member, commented that he disagreed on CISSP being an entry level cert and admitted that the organisation needed to work on communication. He said: “In my opinion the cert, first and foremost, establishes a common vocabulary among professionals that allows us - even though from different backgrounds and with different focus areas - to talk the same language and understand each other.”

Among the many responses to Nather's blog was one I spotted from Gal Schpantzer, a contributing analyst at Securosis. He said in a Securosis blog that after years working in IT, “I no longer want to bother proving how much I know”. He admitted that while the CISSP has a powerful sway over the infosec industry's hiring practices, the HR process is what it is, and many HR shops bounce you in the first round if you don't have those five magic letters, so the CISSP has on-going value to anyone going through open application processes.

In my chosen career there isn't such an encompassing industry certification that you are required to have. Part of me thinks that is good that journalism is open to all, but at the same time, is that a double-edged sword? If there is a filter surely that makes life easier to sort the qualified from the chancers?

There are many who will disagree with Nather's decision and many who will feel she is correct. At that RSA session, I spoke with a senior researcher from a vendor I spotted in the room. He told me that, while he saw the CISSP as important, he questioned what value it holds for senior IT professionals, given that you only have to sit the exam once and are never re-examined.

 

Establishing new norms for data privacy

May 21, 2013

In the modern world, data is collected on who we are, who we know, where we are, where we have been and where we plan to go.

This trend is increasing and there is no end in sight. Analysing this data gives enterprises the ability to understand and predict where humans focus their attention and activity at the individual, group and global levels.

As some will say, personal data is the new 'oil', a valuable resource of the 21st century. It will emerge as a new asset class touching all aspects of society.

High-profile data breaches and mis-steps involving personal data seem to be reported by the media each day. Tension has arisen between individuals (who feel powerlessness over this data-grab) and businesses (that rely on our data to market to us).

A Hogan Lovells whitepaper said: “Every single country that we examined vests authority in the government to require a cloud service provider to disclose customer data in certain situations, and in most instances this authority enables the government to access data physically stored outside the country's borders, provided there is some jurisdictional hook.”

Another factor in this debate is what some consider 'cyber war' between countries. When introducing the Cyber Intelligence Sharing and Protection Act (CISPA) in February, US House Intelligence Committee chairman Mike Rogers declared: “American businesses are under siege. We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats.”

Of course, the more individuals believe we are ‘at war' and buy into nationalistic rhetoric, the more willing we are to give up privacy, freedoms and control over how the internet is run.

I see increasing momentum to establish new norms for how personal data can be used to create value. For example, the Organisation for Economic Cooperation and Development (OECD) and its member governments have been discussing how to refresh their privacy principles for our hyper-connected world.

Other groups, such as the Centre for Information Policy Leadership, have been focusing on accountability: ‘Who has data about you? Where is the data about you located?' In addition, different business sector associations/consortia and regional authorities have been considering how these principles apply to their particular applications.

The Global System for Mobile Communications Association (GSMA) has developed principles for mobile privacy, and the Digital Advertising Alliance has developed principles for the use of data in online behavioural advertising.

The proposed European Commission Data Protection Regulation, which is currently under discussion by the European Council and Parliament, is the most comprehensive attempt to establish new norms for the flow of personal data.

The Asia-Pacific Economic Cooperation forum is establishing a cross-border privacy-rules system to harmonise approaches throughout the region.

In short, there are bodies exploring these issues.

That is a good thing, considering that we are at an important juncture regarding this topic and the decisions we make today will have serious implications long into the future.

Yves Le Roux is a member of the ISACA Guidance and Practices Committee and the ISACA Privacy Task Force and principal consultant at CA Technologies - France

 

SSO and beyond - giving CIOs control in the cloud

May 21, 2013

On 17th May 2013, Yahoo advised users in Japan to change their passwords, as a precautionary measure, following the potential theft of a file containing 22 million user names.

A week earlier, Google announced that it plans to make two-factor authentication compulsory. Online authentication is becoming an increasing burden on users and administrators.

In February, the Fast Identity Online (Fido) Alliance launched with the aim of ending the reliance on passwords. By creating open, interoperable standards, initially around the Online Security Transaction Protocol (OSTP), the Fido Alliance hopes to authenticate users to online applications with a Trusted Platform Module chip or a biometric sensor on the user's own device, rather than with a shared secret the user has to remember.

Are passwords passé?

It has been well documented that users struggle to remember passwords. As a result, people often create weak passwords and reuse the same one to access multiple online applications, putting all services at risk in the event of a breach. Passwords also lend themselves to licensing problems, by allowing login details to be shared between authorised and unauthorised users.

Play it again SAML?

It was these very same authentication issues that led to the development of the Security Assertion Markup Language (SAML) standard ten years ago by the Organisation for the Advancement of Structured Information Standards (Oasis).

The principal goal of Oasis was essentially the same as that of the Fido Alliance: to create a new standard for confirming identity and authorising access to web services.

A decade later, one of the most important uses of SAML is to enable single sign-on (SSO) to web applications. SSO does not do away with passwords entirely: the user still authenticates once to an identity provider, which may itself rely on a password. What SAML removes is the need for every application to hold and check its own credentials. The identity provider issues a signed, XML-based assertion about the user, and the service provider (the web application) grants access on the strength of that assertion, so the user never presents a password to the application itself.
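As an added example, not from the original post and not SaaSID's code, here is the set of checks a service provider has to make on a SAML 2.0 assertion before it trusts the identity provider's word about who the user is. The response is constructed for the example: the entity IDs, URLs, request ID and the placeholder signature are assumptions, not a capture from any real identity provider. The code checks the issuer, the audience, the validity window (with a small clock-skew allowance), the bearer confirmation tied to the request the service provider actually sent, and that the assertion carries a Signature element referencing its own ID. It deliberately does not verify the XML signature cryptographically; that step needs an XML-DSig implementation such as the xmlsec library and is assumed to run as well.

```python
"""Service-provider side checks on a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample response. Entity IDs, URLs and the Signature contents are
# placeholders (assumptions); a real IdP emits a full ds:Signature over the assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
  IssueInstant="2013-05-21T10:00:00Z" Version="2.0">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" IssueInstant="2013-05-21T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject>
   <saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42"
      Recipient="https://sp.example.com/acs" NotOnOrAfter="2013-05-21T10:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-05-21T09:59:00Z" NotOnOrAfter="2013-05-21T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

# What this (assumed) service provider expects; it must know these out of band.
SP = dict(issuer="https://idp.example.com/metadata", audience="https://sp.example.com/metadata",
          request_id="_req42", acs_url="https://sp.example.com/acs")
SAMPLE_NOW = datetime(2013, 5, 21, 10, 1, tzinfo=timezone.utc)


def _ts(value):
    """Parse the UTC xs:dateTime used in SAML, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, issuer, audience, request_id, acs_url, now,
                      skew=timedelta(seconds=60)):
    """Return (name_id, errors); name_id is None unless errors is empty.

    Cryptographic verification of ds:Signature is NOT done here (assumed to be
    done by an XML-DSig library); every other check the SP must make is.
    """
    errors = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second assertion is a classic wrapping trick
        return None, errors + [f"expected one assertion, found {len(assertions)}"]
    a = assertions[0]
    for el in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if el is None or (el.text or "").strip() != issuer:
            errors.append("issuer is not the expected IdP")
            break
    sig = a.find("ds:Signature", NS)
    ref = None if sig is None else sig.find("ds:SignedInfo/ds:Reference", NS)
    if sig is None:
        errors.append("assertion is not signed")
    elif ref is None or ref.get("URI") != "#" + (a.get("ID") or ""):
        errors.append("signature does not reference this assertion")  # signs something else
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            errors.append("assertion not yet valid")
        if noa and now - skew >= _ts(noa):
            errors.append("assertion expired")
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if audience not in audiences:
            errors.append("audience does not include this SP")
    scd = None  # bearer confirmation must be bound to OUR request and OUR ACS endpoint
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("missing bearer SubjectConfirmationData")
    else:
        if scd.get("InResponseTo") != request_id:
            errors.append("InResponseTo does not match the request we sent")
        if scd.get("Recipient") != acs_url:
            errors.append("Recipient is not our ACS URL")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            errors.append("subject confirmation expired")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():
        errors.append("missing NameID")
    return (None, errors) if errors else (nid.text.strip(), [])


def strip_signature(xml_text):
    """Return the same response with the assertion's Signature removed (for the demo)."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    a.remove(a.find("ds:Signature", NS))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, now=SAMPLE_NOW, **SP))
    print(validate_response(strip_signature(SAMPLE_RESPONSE), now=SAMPLE_NOW, **SP))
```

The order matters in practice: an SP that checks the audience and time window but accepts an unsigned assertion, or a signature whose Reference points at a different element, is trusting XML anyone can write. The audit point raised later in the post also starts here: the NameID this function returns is the identity that every subsequent action in the application should be logged against.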

SaaSID supports a range of SSO methods within its solutions, but it recognises that authenticating users to online applications is just the first step.

As more corporate applications are delivered online, CIOs need more than just a record of who logged in and logged out. They need to be able to manage and record what happens between those two events.

CIOs operating in regulated industries, such as financial services, healthcare and pharmaceuticals, need to go beyond authentication and SSO and provide an audit of employees' interactions with web applications; visibility that SSO cannot provide.

The benefits of going beyond SSO

Data protection regulations require CIOs to prove that they restricted access to personal data and that they prevented unauthorised processing, changes or breaches of that data. Without being able to control and audit interactions with web applications, CIOs cannot show how risks to data have been effectively managed and this affects their ability to comply with a range of information security-related standards, regulations and legislation.

For example, if you can only see login and logout information, how do you prove to an auditor that you prevented customer lists from being exported from your organisation's CRM application?

This lack of visibility in the cloud is preventing some organisations from achieving the scalability and productivity benefits of web applications.

A cunning device?

The Fido Alliance's approach requires software to be downloaded to devices to enable authentication to online services. However, this may not be acceptable to employees working on personally owned devices.

One of the concerns voiced by CIOs is how they can ensure that new web applications are quickly rolled out to all devices and that access to corporate data is just as quickly revoked when employees leave the organisation. This is critical for combating data loss and remaining compliant.

However, because each employee tends to use multiple computing devices, a device-centric approach such as the Fido authentication system may delay both the roll-out of web applications and the revocation of access to them and to corporate data.

When using SSO, CIOs still need to tackle the compliance blind spot created when employees use web applications to process corporate data. They also need to drive out the complexity caused by employees using multiple computing devices in the corporate environment.

Identity in the cloud

Computing and mobile form factors change on an almost weekly basis, so the Fido Alliance's device-centric approach is in some ways surprising.

We realised three years ago that when users access web applications, the only point of commonality is the browser, so that's where we put our SSO - in web application management and auditing software.

By using browser-based security, CIOs can go beyond SSO to enable web application features to be controlled, while creating a detailed audit trail of user activity, regardless of the device used.

This browser-based approach hands back control to CIOs, so that employees can benefit from using web applications, regardless of the device, without CIOs losing visibility of interactions with corporate data and without IT teams wasting time on multiple password resets.

Richard Walters is chief technology officer of SaaSID

 

Tale of a risk assessor delights Eurovision

May 20, 2013

Along with the usual power ballads, nonsense songs and dance spectaculars, Saturday's Eurovision Song Contest also brought a bit of IT to the mix.

Performed by Gianluca Bezzina as the Maltese entry, 'Tomorrow' told the story of Jeremy, who works in IT and whose option was risk assessment.

No chance of nul points: the song scored a total of 120 points, placing Malta eighth overall.

 

Sharing outside the Box

May 16, 2013

The concept of cloud-based file sharing is one that plagues security managers, as it often puts data outside their control and raises the fear of falling out of compliance.


Without mentioning any names, it seems that this concept has elevated users to not only bring their own devices into the workplace, but also take data out of the perimeter and into an unmanaged cloud. There are several solutions to this, with one of the leading consumer players now offering a business solution, but among the other more business-ready solutions is Box.

Fresh from partnering with CipherCloud to offer encryption of data inside the application, Box is now building out a similar proposition with business use and administrative control at its heart. This week I met Whitney Bouck, general manager of Box, who was announcing the company's certification against the ISO 27001 standard.


Bouck said: “This certification demonstrates our commitment not only to the security and control of our customers' data, but also our commitment to our global customer base. We started down this path last year and our compliance efforts are gaining steam.


“While this is an important certification for Box, it's just one more step along our long-term roadmap and commitment to providing the highest level of transparency and assurance to our customers about the quality and security of our platform, top to bottom.”

This achievement aside, using the cloud still fills security types with fear. Speaking at SC Magazine's Data Protection conference in March, G4S technology director Glyn Hughes said that "internal due diligence and continual assessment needs to be done when it comes to the cloud, as a move to the cloud cannot result in a loss of control of data".


Bouck said that when it comes to data protection fears of storing data in the cloud, this is a conversation that she is having frequently with CIOs and CISOs and, as technology has become more sophisticated, this is pushing and pulling users to and from the cloud. She said that while challenges such as cost, availability and agility are a concern, "there are lots more to the cloud".


Bouck went on to say that where there is fear of using the cloud, there is also a change, as trust has been added as well as availability. She said: “Where we shine is we allow data to be put on any device so you can share it with anyone you want to so you can sync and share.


“The other area is content and collaboration. Where we focus on business content and a lot of it is back and forth; often it is too large [and] goes into an FTP server, so we try to thread that together and put it into Box where you can track it rather than a disconnected model. You do stuff with executives and third parties, so storing and sharing content is at the core.”


Talking about the type of users that Box has, Bouck mentioned enterprises, airlines, electrical firms and telcos. She said: “Look at banking, a heavily regulated sector. What are they in business for? To provide financial services to their users; their core business is not managing data centres, it is about managing wealth and money and that is why we are in this business, we offer services for data management. It all matters for the cloud: how safe is it, can service providers offer security?”


Talking about the recent launch by Dropbox of 'Dropbox for Business', Bouck said that while the initial technology is similar to what it offers, this solution "added very few controls for adding and deleting users". Bouck said that Box's management adds the ability to allow use on a certain device, password security, limits on sharing content and permissions to limit the control of information so it is all logged and audited.


“In Box it is all tracked so you can see what is against policy and alleviate problems,” she said. “The administrator control fits within a user's ecosystem. We integrate with 240 business applications and we have achieved compliance with HIPAA, Fedramp and now ISO 27001.”


Bouck went on to say that consumerisation of IT has changed the way people share data, as it is so accessible in consumer models. She said it is becoming known as a 'Dropbox problem', so Box saw the opportunity to give users a tool to be secure, to scale and which offers visibility too.


She said: “We focus on scale and security and it all makes IT happy, as nothing makes users and security people happy! Our secret sauce is how this affects users without inhibiting users. Look at the work from home model, how is that done securely? If you use Box you can do it securely, but if you bring in a device, security has to okay it first, or you have to use a VPN to get in.”

 

Resilience ‒ the way to survive a cyber attack

May 16, 2013

The claim that any Western society dependent on information technology could be brought down by a 15-minute cyber attack has recently provoked intense discussion.

In reality, a well-prepared cyber attack does not need to last for 15 minutes to succeed. Once the preparation is done it takes only seconds to carry out the attack, which may hit targets next door as well as those on the other side of the world.

It is society's capability to withstand the attack that determines whether or not it leads to all-round chaos, and how quickly. As a general rule, it takes a lot longer than 15 minutes for all the consequences to manifest themselves and for society to absorb and react to them. Re-establishing the equilibrium that existed before the attack may take years.

There is no such thing as absolute security, in either the physical or the virtual world. While technology promises to eliminate human error from the threat catalogue through automation, it brings novel and constantly evolving threats of its own.

Information technology promises to enhance the situational awareness needed to produce security, yet carries with it vulnerabilities that may still be unknown. Incomplete security is nothing new in itself, but the enmeshment of the physical and virtual worlds creates new kinds of security opportunities and needs that societies have to address.

Today's overall threat catalogue is varied and in constant change. Because it includes threats that have not yet emerged and threats that are only gradually appearing, it forces societies to plan and prepare for the unknown as well. Preparing for the unknown can only take place through strengthening society's resilience.

Resilience means the continuation of operations even when society faces a severe disturbance in its security environment, the capability to recover from the shock quickly, and the ability either to restore the temporarily halted functions or to re-engineer them.

Resilience is a multidimensional phenomenon. It affects societies in the present, and even more so their futures. It is required of both physical and virtual systems, and of the intermingled reality they form. Resilience is not only a headache for the decision-makers trying to secure the functions vital to society at any given time, but also a feature of states, organisations and corporations, as well as of individuals.

Society's overall resilience builds upon the capability of its constituent parts to prevent and resist departures from 'business as usual', and to adapt to them rapidly and flexibly.

The Cabinet Office in the UK categorises resilience into infrastructure resilience, community resilience, business continuity and corporate resilience. All of these are deemed important for the survival of society in the contemporary security environment. Resilience is not only a physical but, to a large extent, a mental feature.

Hence it also entails, for instance, the capability to make justifiable decisions and act upon them under stress. Tolerance for crisis should be seen as a function vital to society.

Western societies are used to the prevailing state of peace and have managed to construct well-functioning societal operations based on the use of technology.

The drawback of this state, which is in itself worth pursuing, is that they have lost some of their capability to survive. In particular, their mental ability to deal with distress is declining because of the lulling belief that nothing major can go wrong. This can lead to a situation in which the physical fabric of society recovers from an attack relatively quickly, but poor mental tolerance keeps society from re-balancing itself for years or decades.

Developing and maintaining resilience is a central demand of contemporary security thinking. Its importance will only grow as the world becomes ever more interconnected, threats become more complex, and addressing complicated security questions requires cooperation.

Resilience enables both efficient operation in times of distress or conflict and the smooth functioning of society, or any of its constituent parts, at any time, as well as people's trust in both.

The intertwined nature of the physical and virtual worlds requires that preparation, action and education take place in that intermingled reality. This makes it possible to exploit the opportunities that information technology and cyberspace create without exposing oneself to unnecessary risk.

Even the virtual world, which relies heavily on automation, does not always function. Minor disturbances in it, such as temporary interruptions in communications networks or ATMs that stop working, can even be beneficial, because we tend to trust too much in the operability of bytes. If the bytes stop working, we become helpless.

Temporary cyber disturbances and shocks will always happen. That is important, because they keep societies alert and able both to react and to act in advance. Building resilient societies is therefore vital for anyone's survival in the future; that is a fact.

Whether cyber attacks can or cannot bring societies to their knees, and for how long, depends on the success of this building project.

Jarno Limnéll is director of cyber security at Stonesoft

 

HP seeks secret sauce to fill the gaps

May 14, 2013

Attending a recent social event, I was able to get together with some major names from IT giant HP.

The four executives at the event represented some of the technology acquisitions that the company had made over the past few years, including Fortify, ArcSight, Vistorm and TippingPoint, via the acquisition of 3Com.

Speaking with Andrzej Kawalec, CTO of HP enterprise security services UK; Jason Schmitt, director of product management for HP Fortify; Frank Mong, VP and general manager of enterprise security product solutions; and Rob Greer, VP and general manager of HP Software, network security, I first asked the group whether they felt that managing a collection of technologies would work better if those technologies could ‘cooperate’ and share information with each other.

Kawalec said that HP "looks after the biggest companies in the world and we share that intelligence deep into our capability". Greer commented that what made ArcSight great was its capability of looking into all sources, and that HP has the technologies to deliver to it.

He said: “With TippingPoint, we integrate with ArcSight to find that information to integrate to get better intelligence. It is my belief that people get in externally and each phase of technology and services gives intelligence on this. If you integrate the environment, then the game is not over.

“Do you know where the assets are? That is what ArcSight correlates and shortens the timeframe to identify and do something about it. The integration with Fortify means that security challenges can be addressed initially, so you can create a kind of ‘digital vaccine’ to make changes.”

Kawalec said that the eight security offices that HP has around the world send information into ArcSight to collect and correlate information in order to get context. “Tying it all together, it can be really amazing,” he said.

Mong said that HP is focused on what the customer wants, and its ecosystem of servers means it takes the knowledge and loads it into the technology. He said: “If you look at a data breach, you don't just look at the network or the firewall or intrusion protection system, as 84 per cent of vulnerabilities are in the applications, so that is where Fortify comes in.”

Schmitt commented that HP's view on application security is not about identifying flaws, but simulating attacks, and its WebInspect technology is focused on this. Kawalec said that this offers a hosted model to allow the user to use the tool and move on.

Greer said: “We know you cannot stop and you cannot be 100 per cent secure, so we make it secure so that those who attack you give up and go somewhere else.”

HP talked up a concept called the ‘five-step kill chain’, which they said was the following:

  • Research
  • Infiltration
  • Discovery
  • Capture
  • Exfiltration

Mong said that it is all about countering a threat and knowledge, and that it makes sense to protect the user and make it harder for the attacker to get in.

He said: “We put together the complete package, as it is not a case of ‘if’, it is ‘when’. It is not layered defence; it is the process and what layers there are. We're putting in technology that slows the attacker down.

“We are still talking layers, but it is just tools and users need a process to understand and counteract the threat.”

Getting back to the point of technologies working together, Kawalec said that there are often "fracture points between products and services", while Greer said that many technologies do not standardise and there is too much of a trade-off between risk and accessibility.

“People don't want to pay for security, they will not compromise on performance. Security should be an enabler.”

I asked the group where they felt HP was in the security space, following on from the same question I had asked the security brands of Dell last year. Mong said that "HP has to be in security", whether it is for PCs and laptops or servers, all environments have security at the core.

Kawalec said: “No one is doing consumer, hardware, software and servers at such a massive scale. From tablet to the printer to the network, if it is running for enterprise, no one is doing it. Security is a massive market.”

Greer concluded by admitting that there are some gaps between its technologies and that the rules of the game have to change, but that "HP has the best way of addressing that".

So it is less a case of ‘mind the gap’ in the long term; rather, could the company be on the lookout for those technologies where it feels it is not delivering to users, in order to offer a full package now? Its acquisition strategy has been fairly quiet for a couple of years, but could things be changing?

 

AhnLab announces entry into the UK

May 14, 2013

A few weeks ago I had the pleasure of meeting ‘advanced internet security protection’ vendor AhnLab as it made the first stage of its move into the EMEA market.

I first became aware of the company at this year's RSA Conference through its prominent advertising. At Infosecurity Europe, the company made its first step into EMEA, which it has now followed with the opening of a UK-based office.

The company specialises in integrated internet security solutions for small-to-medium businesses (SMBs) to enterprise organisations with a firm eye on advanced persistent threat (APT) protection.

Speaking to SC Magazine, Brian Laing, director of marketing and products at AhnLab, said that it provides maximum defence by offering protection against email and web attacks ‘all within one box’. “We offer our own anti-virus with one licence, we have two sandboxes and offer email and web protection,” he said.

“We don't do a one-size-fits-all solution, but we look at ‘beyond application detection and behaviour’, as well as the executable to give you a full detail of what is warranted to be malicious. We then compare signatures and anomalies to that list of behaviours to what is in common with malware.”

Laing explained that there are no binaries sent to the cloud, and instead there is a list of behaviours to get the DNA of an attack into a database. He said: “We put the data in their cloud, and there is a copy of our cloud in your network, you can also get updates for queries with signatures and behaviour patterns.”

AhnLab has been in the anti-virus business since its foundation in Seoul, South Korea, in the mid-1990s. It offers a range of products including a ‘Total Internet Security’ package, as well as specific layers of security.

It is tricky to talk to AhnLab without the name of its main competitor coming up. In fact its PR claims that its products "have been identified as being faster, producing fewer false positives and having a lower TCO than FireEye in a number of third party tests".

FireEye has made an incredible mark in the information security space since its own entry into the UK almost two years ago, so it is not hard to see why companies are aspiring to its level of attention.

Asked if he felt that there was a market for APT protection in the UK, Laing said: “There is some, but we look at FireEye's revenue and success and also the amount of press coverage that they have got.”

Laing confirmed that the company sees itself in the same space as FireEye and I am sure that they will not complain about the competition or being held in such esteem.

AhnLab EMEA territory manager Simon Edwards said: “By establishing EMEA headquarters, we are going to be able to provide a better service to our customers within the region. We see Europe as one of our biggest areas for growth over the next few years and we have set ourselves ambitious business targets.

“The company offers customers unrivalled products, which have already attracted the attention of some of the major industry players. As today's cyber criminals continue to develop highly sophisticated pieces of advanced malware, it is imperative that organisations deploy a suitable security solution, which can cope with these threats.”