There has been a growing sense from security pros that when they go to the various industry trade shows that the vendors are all promising silver bullets and it's become increasingly difficult to separate out which products will really help their organisations be more secure.
To maintain a strong lab presence in the industry as former Technology Editor Dr. Peter Stephenson retired, SC Media in the US has recently entered into a partnership with Security Vitals, a security consultancy based in Pontiac, Mich. The first series of reviews will publish in this April's print edition with a focus on ransomware management tools. In May, the team will review SIEM and UTM tools and the following month in June, SC Media will write about vulnerability management products.
The team at SC Media views this new relationship as an opportunity to enhance the publication's review coverage. The new SC Media Product Reviews team consists of a formidable group of seasoned industry experts who add experienced, robust and knowledgeable perspectives to the team's existing editorial crew.
SC Media has retained its long-time Labs Manager Judy Traub, and added four member of the Security Vitals team: Rob Cote, who as SC's Program Director, brings 30 years of experience in the tech industry; Michael Diehl, Technology Editor, whose 18 years of industry experience includes work with multiple MSSPs and various private enterprises; Matthew Hreben as Security Technologist and Technical Writer Dan Cure round out the new team.
“The SC Media team and I look forward to working with Security Vitals, as well as Merit Network's Michigan Cyber Range to continue providing readers with critical insights into cyber-security solutions,” said Illena Armstrong, vice president, editorial, SC Media. “Since 2006, our former Technology Editor and current Editor-at-Large Peter Stephenson and I have worked tirelessly to ensure that our independent and unique Group Tests, First Looks, and Innovators of the Year profiles meet the needs of security professionals who seek guidance in their buying decisions. Through this new partnership, we expect to not just uphold our lofty standards, but surpass them as we evolve and enhance our Product Review offerings.”
A Look at the New Team
Cote's IT career began about 30 years ago where he worked in operations supporting, deploying and managing a wide variety of IT systems for outsourcing firms such as EDS, Perot Systems and Cap Gemini. He went on to launch a cyber-security firm in 2006 that was sold in 2016 to launch Security Vitals. In growing Security Vitals, Cote has pioneered offerings in Security Metrics and Compliance as a Service that are geared toward specific industry segments.
At Security Vitals, Cote's team provides security solutions to the health care, insurance, banking and manufacturing industries. Cote said while he has written some reviews in the past, product testing is a large part of the job function in his work at Security Vitals.
“It's really important for us to test products and give our clients an unbiased view of which product will be best for their organization,” Cote said. “We intend to take that same approach to the reviews we write for SC Media. We have put together a team that's enthusiastic about testing and understands that there are no silver bullets. The readers are looking for guidance and we want these technologies to have a significant impact at their organizations.”
Technology Editor Diehl promises that vendors will have to really “earn” a full five-star rating in the future, referring to SC's rating system that ranges from one to five stars.
“I think the readers can expect a lot more three and four ratings in the months ahead,” Diehl said. “It's just really impossible for any product to have a perfect rating because there's always something that it doesn't do. For example, if there's an issue with support and they only offer email or chat and don't offer product specialists to talk to on the phone, we'll ding them for that.”
Diehl, a former diesel mechanic who went back to college later on in life to pursue a career in information technology, said networking and security instantly appealed to him when he first started studying computers, mainly because he views himself as a problem solver. Today, he has an Associate's Degree in Computer Support Systems Engineering, a Cisco CCNA, a PCI Professional Certificate, and will complete his CISSP later this year.
“I injured my back as a mechanic and had to find something else to do for a living, so information security was a natural because much like working as a mechanic, you are looking for things that go wrong and vulnerabilities in the system,” Diehl said. “We aim to be tougher with these reviews because there's a lot on the line. People only remember when things go wrong, so we have to be really sure that if we're recommending a firewall, it's a product that will protect your organisation. And if we find some features lacking, we'll be sure to point them out.”
Diehl said he's especially looking forward to working with Merit Network's Michigan Cyber Range based in Ann Arbor. He said they will easily be able to spin up test environments in both AWS and Azure and they have multiple buildings for testing across an enterprise network.
“If I need to build VPNs at multiple sites I can replicate how they will run across five or more facilities, seeing how the endpoints respond and generate logs that we can then analyse,” Diehl said. “The Cyber Range is very much engaged in this process and we are all looking forward to the national exposure we will receive in working with SC Media. This is a very big deal for us.”
The Balance of the Team
While he has a different background than Diehl, Security Technologist Hreben came to the technology field from the same perspective. His first experiences working in technology were in networking and he learned security along the way.
A veteran with more than a decade of service in the Navy and Naval Reserves, Hreben has built his IT technology career working on a variety of different roles.
As a network administrator at Impco Technologies, Hreben worked his way up the Tier 1, Tier 2, Tier 3 ladder and took it upon himself to learn more about the vulnerabilities in the company's Sophos environment.
“I basically sought out the experience,” Hreben said. “I asked my supervisor if I could manage the Sophos environment so I wound up doing the updates and learning more about what to look for. I find looking for vulnerabilities in the network challenging and plan to apply that to the way we do our tests.”
Hreben said he will run many of the hands-on tests and then turn over his notes to Technical Writer Cure, who has a degree in English Language and Literature from Oakland University and a Master of Arts in Secondary Education and Teaching from Wayne State University.
After a stint in teaching Cure worked in training and development for telecom company SRVR, and then more recently for Renkim Corp., where he focused mostly on documentation and compliance processes.
Cure's father is a professional violinist and Cure himself still plays the violin and maintains his musical interest as a hobbyist with audio technology and every so often will write reviews about digital audio workstations.
“To many listeners, all of the digital audio workstations do the same thing,” Cure said. “But it takes someone knowledgeable to point out the strengths and weaknesses of each product and that's what we intend to do in our security reviews.”The new lab team plans to be engaged with the SC Media readership. Those interested in contacting the lab for a product review can email Judy Traub at firstname.lastname@example.org.
For the past 15 years, Rob has focused on helping organisations successfully protect against cyber-attacks. At his former firm, he built a services organisation that provided specialised security monitoring and vulnerability management programs, testing services, compliance assessments, and industry leading technology solutions.
With over 30 years in tech, beginning with an operational background supporting, deploying, and managing a wide variety of IT systems for global outsource firms including EDS, Perot Systems, and Cap Gemini, Cote built a background in outsourcing provided critical insights for structuring the successful managed service offerings at VioPoint that provided the impetus for launching Compliance as a Service (CaaS) at Security Vitals in 2016.
The company represents a culmination of many years' experience reflected in the visionary CaaS offering, which takes critical process and technology solutions and bundles them into a monthly service that allows companies to focus on their core competencies while Security Vitals addresses the ongoing compliance requirements.
Rob has also contributed thought leadership in the field of security metrics. Developing a specialised framework for identifying risk and developing client-specific performance indicators, he has established Security Vitals as a recognised source for helping organisations identify and quantify meaningful information security metrics.
An IT professional with over 18 years of experience, four of which were spent working with
Managed Security Service Providers (MSSPs), Mike built his career with hands-on roles working as a network engineer, systems engineer, network architect, and help desk specialist. A natural problem solver, Mike takes a measured and deliberate approach to resolving technical challenges. He maintains a keen focus on developing and implementing repeatable process to provide consistent and positive outcomes. These core beliefs provided the foundation for a successful transition to information security and compliance.
A key element in Mike's shift to information security were roles at MSSPs where he gained the knowledge and practical experience working with industry standard security frameworks including PCI, HIPAA, SANS, NIST. Assisting on the customer-side of PCI compliance, he worked with Qualified Security Assessors and Approved Scanning Vendors to finalise PCI reviews and answer self-assessment questionnaires.
The roles with MSSPs provided in-depth experience working with clients of all sizes including large franchises with multiple locations. During this tenure, Mike served as both an induvial contributor and team leader where he consulted with information security stakeholders regarding vulnerabilities, network architecture (segmentation), and proper firewall rulesets to ensure clients would achieve PCI compliance.
Another key role was working with a communications company as the Technical Services and Compliance Manager. There he was responsible for the day-to-day IT operations as well as SOC-2, HIIPA, and PCI compliance. Mike served a lead role in all vendor and customer security audits keeping the organisation in continuous compliance with PCI-DSS 2.x-3.x and SOC-2 Type 2 certifications.
Matt has dedicated a career to assembling the foundational elements necessary to become a foremost security technologist. As an active US Navy reservist, he reinforces IT operational skills with ongoing field exercises that require focused IT infrastructure and logistic support.
Working with a regional healthcare provider, Matt focused his efforts on isolating and resolving a wide variety of technology issues ranging from network connectivity to Windows Operating System malfunctions. With resolution time as a key driver, Matt focused his energies on prioritising activities and balancing workload across a staff of more than 1000 internal employees.
Additional infrastructure knowledge and experience was developed supporting a tier-1 automotive supplier as well as a global automotive manufacturer. Working across a variety of platforms and applications, Matt alternated between field operations support and the corporate headquarters locations; it was during this time that he developed both an affiliation and first-hand experience with information security. Acting in a variety of administrator roles, Matt was responsible for managing Virtual Private Networks, two-factor authentication, LDAP, and Microsoft Exchange. He also conducted ongoing audits for application access, user accounts, privileged access, and server groups in support of ongoing compliance requirements.
In his role at Security Vitals, Matt supports a variety of client engagements where he conducts risk-based assessments, evaluates compliance with required security frameworks, and implements technical controls (and technology) to address gaps in security.
Dan brings more than ten years of professional experience developing, editing, and publishing IT-security related content. His journey as a writer, however, began not as practitioner but as an educator. After several years of successfully transferring knowledge to young individuals, he drew upon his teaching experiences to segue into the world of writing for technology-oriented organisational development and change.
Dan initially joined a long-distance telephony reseller as a content creator and trainer. There, he witnessed the challenges of observing federally and industry mandated regulatory compliance. Like that of many other small startups made possible by the telecom boom of the late nineties, this challenge required drafting policies, training operations personnel on new procedures and protocols, and other communications related to compliance. In that initial writer's role, Dan established himself as a key resource for effectively bridging the gap between centralised policy and end-user knowledge across the organisation.
A more notable achievement was serving on a two-person team tasked with designing and directing the development, from the ground up, of an internal LMS and LCMS e-learning application. This project supported on-going security awareness and other PCI DSS standards compliance for sales and customer service departments handling personal credit and account information.
Over the years, Dan honed his information mapping and visual content development skills. In various roles, Dan has designed and written end-user guides for web-based SQL application interfaces for OEM automotive manufacturers; developed and administered a knowledge base for contact center processes, agents, and SMEs; developed, edited and contributed to IT policy manuals; developed a risk assessment auditing report related for PCI DSS compliance re-certification; and scripted and produced video tutorials among other media resources.
As part of the Security Vitals team, Dan provides ongoing support to develop policies, write incident response plans, develop awareness training, and establish process/procedural documentation for clients.
The long-time SC Lab Manager oversees the pre- and post-product reviews process with lab staff, security vendors, and service providers for SC Media, covering Group Tests, Emerging Product, and First Look reviews.
SC Media's testing methodology
For the April, May and June issues the Security Vitals team has agreed to test products the same way SC Media has done in the past. The following offers a quick thumbnail of our testing methodology. Security Vitals' Rob Cote and Michael Diehl say the team will use continuous improvement principles to evaluate how the tests are going and make improvements when necessary.
Diehl does promise this, however: “Vendors will have to earn their 5-star ratings.”
Here's how SC Magazine reviews
Products are rated in six categories:
• Ease of use,
• Support, and
• Value for money.
Each product is then given an Overall rating, which is determined from a combination of these categories.
Ratings are marked from one to five stars, which is referred to as the star rating:
Five Stars - Outstanding in all respects - an “A” on the product's report card
Four Stars - Exceeds basic expectations and requirements - a “B” on the product's report card
Three Stars - Meets the expectations of the review - a “C” on the product's report card
Two Stars - Failed to achieve some basic requirements - a “D” on the product's report card
One Star - Seriously deficient - an “F” on the product's report card.
FROM THE - March 2018 Issue of SCMagazine US »