RSA Conference 2018 is a flurry of lights, sounds and information. It’s easy to get lost in the buzz and miss what you really want to see. In case you fall into this category — or weren’t able to make the trip to San Francisco at all — we streamed an entire presentation from SonicWall malware expert Brook Chelmo live on Facebook.
I like cars. All kinds of cars. From high speed racers, to utility pickups and even classics like the 1961 Corvette I’m looking to restore in my spare time. Partner programs are a lot like cars. Some are basic and get you from point A to point B. Others are high performance vehicles designed to thrill. As we announce the new SonicWall Secure First partner program and Reward for Value incentives at our PEAK16 conference this week in Las Vegas, we’ll unveil a program that I’d like to believe has a lot of horsepower, gives its drivers great controls, and is a dependable ride.
At the heart of the new program are our partnering engines designed to help our partners deliver the best security possible to protect their customers while creating more value for their business. We’ve tuned up all the partnering engines: Incentives, Enablement, Support and Services.
For the incentive engine, “Reward for Value” recognizes and rewards partners for the full value they contribute to selling and supporting SonicWall solutions across the entire customer lifecycle. Whether it’s hunting a new sales opportunity, delivering a proof of concept, attaching incremental security services subscriptions to a sale or demonstrating vertical market expertise, Reward for Value delivers balanced up-front discounts and back-end rewards.
We’re also revving up new partner sales and SE trainings and accreditation tracks, all built on a new partner enablement platform that delivers rich media training content and sales tools designed around the customer lifecycle. The new accreditations will provide valuable general knowledge on the threat landscape and cyber security, as well as on the latest SonicWall solutions like SonicWall Capture, our new advanced threat protection offering.
Additionally, the Authorized Support Partner program is being announced to help partners build out profitable support and services practices with their SonicWall solutions. Rich with support and services enablement that will ensure together we deliver customer success, this new program will recognize and reward Partners for owning their customers through deployment, support, optimization and upgrades. We’re also highlighting the momentum we’re building with our Security-as-a-Service and how partners can deliver managed security services on the SonicWall platform.
With close to 750 Partners attending from across the Americas, this is our largest and most successful partner event in the history of SonicWall. In fact, I’ve talked to Partners here who have attended every Peak we’ve hosted over 14 years! Talk about a loyal and dedicated Partner base. It’s humbling and an honor to count these companies among our Partners. And speaking of great Partners, I want to thank our platinum sponsors for co-sponsoring this annual event: Tech Data, D&H Distributing, Securematics, SYNNEX and Ingram Micro. Without them none of this would have happened.
Our Americas business is running on all cylinders, the partnering engines are revving up and we’re thrilled to launch our Secure First partner program and Reward for Value. With the partner feedback and validation we’re receiving at PEAK, we’ve got our eyes focused on the road ahead and together with our Partners are speeding toward even greater success.
“SonicWall has proven to be a winner for us in our security practice. We have had a number of wins against other security products because of the support provided by SonicWall. PEAK16 is in that it enables me to engage with peers and enhance my skills,” says Jeffrey Grant, vice president of Tri-Delta Resources Corp.
“SonicWall understands partner challenges, enabling us to deliver thousands of customer centric solutions over the 25 years,” said Joseph Tassia, president of Nuoz.
I am meeting one-on-one with our partners this week to listen and help them further with their security mission. Follow @SonicWall on Twitter and SonicWall on Facebook with #YesPeak16 to join in the conversation and get updates. We want to hear from you.
It’s summertime, so that means Black Friday is only four months away. Some retailers like to get a head start on the event and offer special Black Friday deals during July as a means to generate some additional sales over the summer. There are also “Christmas in July” promotions. Most of us, however, will wait to make our purchases until the traditional start of the holiday shopping season in November.
Whether it’s over the summer or later in the year, events such as Black Friday, Small Business Saturday and Cyber Monday offer consumers an opportunity to shop for a great deal. Increasingly the researching and purchasing of items during the holiday season is done online. According to the National Retail Federation (NRF) both holiday retail sales and non-store sales increased again last year. Results from a 2015 NRF survey also found that 46 percent of holiday shopping (browsing and buying) would be done online. This was an increase over 2014 and a trend that is likely to continue in 2016.
People enjoy shopping online for many reasons: it’s convenient, there are no crowds, you can often get better deals, and it’s easier to compare items. No wonder it’s become a popular activity, both at home and at the office. And for many employers, that’s the problem. Online shopping at work negatively impacts productivity. It’s like taking an extended lunch break on your computer. It also introduces security risks to the company’s network. Who knows whether the sites employees visit to make purchases are legitimate and aren’t sources for malware distribution?
Shopping isn’t the only online activity that affects organizations. In 2016 there are a slew of sporting events drawing worldwide interest: March Madness and the Ryder Cup in the US, Euro 2016 in France, the Summer Olympics in Brazil to name a few. Like they do with online shopping, employees will be spending time at work focused on something other than their jobs. For example, streaming live events at the office is very popular, albeit somewhat risky. Read Wilson Lee’s blog “Zika is not the only virus you can get by watching the Olympics” for details on the threat streaming the Olympics can pose to your network.
In addition to productivity and security concerns, streaming video opens up a third issue for employers which is the consumption of network bandwidth for a non-essential activity. In fact, during the last Summer Olympics in 2012, Los Angeles City Hall employees were asked to stop watching the games online at work due to the high volume of network traffic it was generating.
Whether or not online shopping and watching streamed sporting events during work are approved by management, most employees will be engaged in these activities at some point. Knowing this, what steps can organizations take to maintain productivity, protect the network from attack and conserve bandwidth? Here are a few:
- Set limits – Tools such as web filtering and application control provide the ability to restrict access to online shopping sites and streaming video by time of day. Employers have the option to allow these activities during lunch or after hours while blocking them during the rest of the work day.
- Manage that bandwidth – Another option is to restrict the amount of bandwidth allocated to streaming video. Less bandwidth for non-essential activities means more for those that are critical to the success of your business.
- Inspect encrypted web traffic – The use of secure sockets layer (SSL) and transport layer security (TLS) to secure internet traffic continues to rise. To protect your network from attacks hidden in encrypted web traffic, make sure your firewall can decrypt and scan encrypted traffic for threats.
If you’d like to learn more about how to protect your network and preserve productivity and bandwidth during the holiday online shopping season and other events, watch this free webcast. You can also find information on how SonicWall next-generation firewalls can help on our website.
One of my first customers in IT was a large retailer, with more than a thousand stores. This was at a time when e-commerce was just beginning, at least for large, traditional retailers. Giving their customers the ability to purchase on the web was still a year or two away.
This retailer made about 90 percent of its annual revenue between Thanksgiving and New Year’s Day. That was “Season”, and the entire year’s IT schedule was built around getting ready for Season. Any and all hardware upgrades, OS changes, and software updates were to be completed and locked in by mid October. Change control during Season was very simple: No changes unless something broken absolutely had to be fixed, you were able to make a 100% solid case for the change, and not doing the change would impact revenue. Otherwise, hold off until January.
Retail’s a lot more complex these days, and brick-and-mortar is only one of the revenue-generating retail channels. Still, Season remains Season. And it all begins with Black Friday. Estimates of 2015’s revenue for the first two days of Season, including Black Friday, top $4 billion in the U.S., with about a third of that coming from online sales. More than 150 million shoppers purchased online during the 2015 Thanksgiving holiday weekend.
Clearly, this is not a time to have security issues with your infrastructure, and especially so with your payment systems, whether online or POS systems in your stores.
The relevant compliance standard is PCI DSS (Payment Card Industry Data Security Standard). Version 3.1 takes effect on June 30, and includes a number of changes from the previous version (3.0). These include, with some exceptions, removal of SSL and early versions (1.0 and 1.1) of TLS, along with some additional clarifications of existing requirements, a number of which are common sense clarifications (For example, don’t send unencrypted account numbers in a text message. You think?).
Complying with PCI DSS is a good way to reduce your business’s risk of cyber attack, but it’s really only a waypoint toward better security, not an end in and of itself. That’s a point SonicWall Security’s Tim Brown, our CTO and a SonicWall Fellow, makes in an on-demand webcast highlighting the changes to PCI DSS in version 3.1, so that you can be best prepared for Black Friday. We offer SonicWall network security solutions to help you stay PCI compliant, and improve security well beyond the PCI basics. And staying in line with 3.1 will put you in better shape to have a more secure, successful Black Friday, Cyber Monday, and holiday Season. It will also prepare you for PCI DSS 3.2, which includes additional clarifications and new requirements, particularly around multifactor authentication for anyone having access to cardholder data. While 3.2 succeeds 3.1 as a standard for assessments as of this October, its new requirements will not be mandated until February 2018; until then, they’ll just be considered best practices.
Learn more about the changes in PCI DSS 3.1, and how they can help your business prepare for Black Friday. View Focusing on security to meet compliance: responding to changes in PCI DSS 3.1.
In medieval times, people relied heavily on physical security to protect their critical assets. Originally they had castles with walls and as attackers figured out how to breach those walls they added moats and draw bridges and murder holes to keep the advanced attackers out. But all of these hardened physical security measures designed to keep people out had the unfortunate side effect of making it difficult for people to get in, which in turn interfered with business and commerce. Needless to say, this type of security did not survive.
Cyber security has evolved in a similar fashion. Fifteen years ago, stateful packet inspection (SPI) firewalls were considered to be best-in-class protection against external threats. These firewalls were typically configured to block people’s access to internal resources. A user often had to submit a ticket to gain access to a server. Some types of communications required that specific rules be written before they were allowed. This is the “castle wall” approach that many CISOs learned when they were being introduced to network security. But this approach to security is also outdated.
Organizations have to attract people rather than keep people out. Retail businesses post signs saying, “These doors must remain unlocked during business hours.” Security must take a similar approach, to become more dynamic: The question now is how do you keep an eye on who is coming in and out to provide necessary protection?
Unlike brick-and-mortar stores, where you keep doors open during business hours, an online presence never closes. Today, ecommerce is being done electronically 24x7. Not only do you need to keep your electronic communication presence open, but it must also be highly available and redundant. The question becomes: How do you keep an eye on what is constantly coming in and out of the network?
Two parallel goals in security are to keep the malicious traffic out while also keeping employees productive. If employees want to boost their productivity but IT is slow moving, they invent ways to work around the rules to enable the productivity measures they need to do their jobs more efficiently.
Fortunately, that paradigm is now shifting. Security is no longer about blocking or allowing necessary access. It is about enabling secure access on a permanent basis to enable the business. The perimeter is not only about blocking traffic, but also about easily enabling appropriate access for users. What should be allowed? Whatever enhances the environment and makes it better. For network security to detect malicious behavior, SonicWall next-generation firewalls analyze all of the network traffic, identify and eliminate what is bad, and let the good flow in and out freely.
In a similar way, application control becomes important as more people rely on their own applications. With the deluge of mobility, everyone is BYOD, bringing their own cloud (BYOC) and bringing their own applications. CISOs need to know what applications are running on their networks and analyze those applications.
And, with identity and access management, we need to make sure this is the right person, right level of privilege and the right level of access to critical company data. Also, for CISOs to effectively manage identities, it is important to have self-governance and self-provisioning to create, modify and revoke and renew identities without always having to call an information security administrator.
The Department of Yes is about empowering business initiatives while retaining security by governing every identity and inspecting every packet. It enables security professionals to allow remote workers to be more mobile, to go to the cloud, and to go back to the corporate network – securely and productively.
Visit SonicWall Security and open your own Department of Yes.
In survey after survey, IT executives continue to say that security is one of the top challenges they face. No one has to tell us about the risks. The stories of data theft and breaches are in the media every day. We are intimidated by the rapidly changing threat environment. New malware is being written every day and some of it is being written using a variety of methods that defeat existing security technologies. And too often the way that we protect our organizations is to add a myriad of approaches, tools and solutions, creating a tremendous amount of complexity that becomes hard to understand let alone manage.
But if you dig down one level, what you find is that security concerns create a barrier to doing what IT really needs to do, which is implement cool new initiatives that move the business forward.
Everybody wants to be seen as a hero, the clever one who can take on challenges, solve problems and make an impact on the business. Unfortunately, the security concerns become the reason they can’t do it. At SonicWall Security, we are working to help out with the security equation.
What are the initiatives that organizations are trying to deploy? One of the biggest areas of opportunity comes from all of the innovation that is going on in the cloud. Moving your work to the cloud streamlines the ability of your workers to collaborate and share information in real time. Tools like Microsoft Office 365 and DropBox allow employees to collaborate in a way that is changing the workplace.
This really hit home for me a couple of weeks ago when my 11-year-old daughter was assigned a big project in her fifth grade class. She and her teammate needed to create a report and a presentation. The night before the project was due, I came into her bedroom and she had her iPod set up to FaceTime her partner. They were both working together on the report using Google Docs and on the presentation using Google Sheets. They were oblivious to me, so I watched for a few minutes as they talked through ideas, added and edited text and pictures, and generally created and fine-tuned the deliverables.
For this project, there was no need for them to meet, or even call each other. Collaboration tools enabled the entire project. This was an “aha” moment for me, because I realized then and there that these kids were demonstrating the future of work. What they take for granted is sadly often not possible in the work environment for a variety of reasons, but I couldn’t stop thinking that security is a big stumbling block to achieving the productivity new collaboration tools offer.
So, what is on your IT wish list? Do you want to move your CRM to the cloud? Or streamline your customer service delivery, or give your team access to data analytics no matter where they are? Or are you looking to eliminate paper and go all digital? Whatever it is, don’t let security be a barrier. If you want to learn how to turn IT security into the Department of Yes, contact SonicWall Security.
I started this year speaking and writing about how retail establishments can protect themselves from the rising tide of malware. I continue this train of thought by considering the Payment Card Industry Data Security Standard (PCI-DSS) as a general guidance to protect any small business.
Instead of looking at PCI-DSS as guidelines for protecting cardholder data, consider it as guidance for protecting any critical data. You may wonder what critical data you have, or think that you may have nothing of value to cyber thieves. And yet any business has at least one of the following types of critical data that cybercriminals want, which means that any business, including yours, is a potential target:
- Employee records
- Customer records
- Intellectual property
- Access (user names, passwords, etc.) to partner networks (the easiest way to breach a big company may be through a small partner)
- Access (user names, account numbers, passwords, etc.) to your bank account
Therefore, PCI-DSS guidelines can be a starting point for any business, retail or not. (I say a “starting point” because even if you are PCI-compliant as, I believe, Target was when they were breached, it does not mean you are secure.) At a high level, PCI-DSS guidelines provide some excellent places to start when looking to protect critical data. Looking at the six high-level guidelines for PCI-DSS, I have some thoughts:
- Build and maintain a Secure Network and Systems: This one is pretty straightforward: build your network with an eye on security starting at the planning phase. Often businesses take a money-saving approach and do not structure their network for growth. This is a short-term view that often costs more money down the road. Often, in order to maximize performance, security settings are turned off. When looking at your network, make sure you are able to build it under the security umbrella. Looking at the cost of a breach, security is a very low-cost investment.
- Protect Cardholder Data: In the spirit of this blog, let me replace “Cardholder Data” with “Critical Data.” Making sure critical data is handled in a secure way would include encryption of your data and isolating it from those not qualified to access it. Again, something learned from Target.
- Maintain a Vulnerability Management Program: Anti-virus should be something you require on all devices that can access network resources. This includes phones. I am sure we will see a newsworthy breach that starts with a compromised phone. There is a recent trend to deliver ransomware to phones. For both personal and professional reasons, an antivirus on all your internet-accessible devices is common sense.
- Implement Strong Access Control Measures: If you leave your freshly baked pie in the window, someone is going to take it. The aroma of your critical resources should be kept behind locked doors. It is more than passwords; the ability to see who is using these passwords will help you keep assets secure. This leads me to:
- Regularly Monitor and Test Networks: There are many reputable organizations that can test your defenses. I have seen many of them offer inexpensive or free services to show you where you have vulnerabilities. Let the experts help you.
- Maintain an Information Security Policy: Security is a critical business issue and should be considered integral to the organization. As you talk about products or new ways to expand your business, make sure that you do it in the context of a secure environment. After-the-fact and ad hoc security may leave you thinking you are protected when you actually are not.
I would hasten to add one more thing: implement an ongoing education program to build security awareness in the organization. As we all become more educated in proper cyber-hygiene, it becomes harder for criminals to compromise your organization.
The PCI guidance is a great starting point for any business looking for a roadmap to security. If you are looking for more information, you might want to check out this webinar that Tim Brown, executive director and CTO of SonicWall Security, delivered on PCI: Focusing on security to meet compliance: responding to changes in PCI DSS 3.1.
Businesses are ramping technology investments and capabilities faster than ever. Employees, customers and partners are accessing more applications and data every day. These investments drive enormous value to the business, but also create IT complexity and security vulnerabilities.
Our customers and partners constantly ask us to help them rise to these challenges, to help them deliver innovative initiatives and improve collaboration, while protecting their company. Often, the security risks around these new applications, projects and technologies, force IT to say “NO” to their business partners.
To change this model, we have invested in SonicWall and SonicWall One Identity solutions to help organizations become more innovative and create competitive advantages by driving initiatives such as:
- Leading your organization to the cloud
- Deploying BYOD across your organization
- Enabling a digital transformation
- Completing stress-free audits
We feel that it’s time for a radically different point of view and SonicWall Security’s context-aware, integrated security solutions put us in the unique position to offer organizations the security they need in today’s complex IT environment. SonicWall and SonicWall One Identity enable CISOs to govern every identity and inspect every packet, effectively identifying and isolating rogue activity, while letting the acceptable traffic flow.
These network inspection and identity governance capabilities give organizations the ability to confidently push beyond traditional boundaries while controlling vulnerabilities. We are empowering IT teams to deliver the strategic projects and capabilities that drive your business forward while providing the security you need.
We want to enable the IT security team to become the Department of “Yes.”
SonicWall and One Identity solutions reinforce each other to ensure we’re setting the highest bar for value to our partners and customers.
We’ve created this extensive security portfolio to enable you to:
- Not only detect but also block advanced threats at the gateway before they get into your network with extremely low latency
- Automatically allow or deny, or step up authentication, for every user access attempt based on context that is derived from the network to identify abnormal activity
- Provision a new employee, partner or contractor in 15 minutes across your enterprise and then de-provision them 15 minutes after they depart
- Leverage Privileged Account Management controls like password vaulting and session management for those identities who have the “keys to the kingdom”
As we lead in the market with our innovative solutions, we can help you attain true governance of user and admin access to your network, applications and data and deeper security without compromising performance. We are committed to do all of this, effectively raising productivity and security, without increasing your costs.
For more information on how to start becoming the Department of Yes, explore our new informative SonicWall Security web site.
Every moment of every day, anyone or any organization, government or institution – including K-12 – can fall victim to the latest threats and cyber-attacks. If you’re accountable for the network security of an entire school district, you know your success rests largely on everyone understanding and staying current with today’s complex and dynamic risk environment and how to avoid it.
K-12 IT expert Larry Padgett bears this out: “The most important thing is to get everybody to agree that technology security is everyone’s game, everybody on campus, and every division, department and schools must be fully engaged. Otherwise, it is going to be very difficult to be successful.”
Larry is the Director of IT Infrastructure, System Support, Security, and Governance for the School District of Palm Beach County (SDPBC). A career technology leader for more than 29 years, Larry oversees an IT infrastructure that is considered larger than the Coca-Cola® Company in terms of the number of ports and how his networks are laid out. SDPBC is one of the largest school districts in the United States, with 187 schools and 225,000 user accounts under management, including students, faculty, and general staff.
I had the privilege of meeting Larry at the 2015 SonicWall World Conference in Austin, Texas, where I had the opportunity to ask him specifically about the things that he is doing differently that allowed SDPBC to be successful.
Larry explained how security vendors typically talk about security as a layered approach but it can’t end there. He then described how SDPBC’s winning approach to security rests on three core pillars: people, process and technology.
You must identify those who are, and who aren’t, fully engaged in exercising cyber hygiene within your district. You are responsible for every PC, server and application on your network. You’ll need to know if you are getting support from the board and leadership level down to everyone in the district.
- How do you know if they are knowledgeable about security?
- Can they identify the risks?
- Do they all understand the risks?
- What trial and test do you have in place to measure how knowledgeable they are about security?
If they’re not all engaged, you’re simply not going to be as successful as you could be. If they’re not as knowledgeable as they need to be, you would want to start discussing security as an everyday topic in your staff meetings, in the classrooms and, more importantly, in your executive and board room discussions. If security isn’t one of the top topics on the board agenda, you have much important work to do to get their buy-in, because nowadays, security is a key risk metric. Your ultimate goal is to get everybody to agree that security is everyone’s game so they become proactively involved in helping your institution be successful.
When there are people involved, you also need to have processes in place that would allow you to make sure that you are doing the right things, that they are doing them well and that what they do is actually effective for the state of business you’re currently operating in.
- What processes are you using?
- Have you written them down?
- How do you know if they are being followed?
- How are they monitored and measured?
These are questions that enable you to think through all of the risks that you’re going to mitigate, and follow-through with implementing robust security policies and practices that can help put you in a better position for success.
Begin embracing a layered security approach as part of your defense-in-depth framework, because it provides you an effective and proactive way to help fend off today’s advanced threats. At a minimum, the top five security services that you must have as part of your layered security defense are:
- A capable intrusion prevention system with threat detection services that can provide complete anti-evasion and inbound anti-spam, anti-phishing and anti-virus protection
- SSL inspection to detect and prevent today’s advanced evasive tactics and compromised web sites from sneaking malware into your network through the use of encryption
- Around-the-clock threat counter-intelligence for your next-generation firewalls and intrusion prevention systems, so you can receive the latest countermeasures to combat new vulnerabilities as they are discovered
- Email filtering and encryption to secure both inbound and outbound communications
- Security for endpoints, since most network infections begin with a compromised user device
Back from NYC, where I attended last week’s National Retail Federation annual conference, “The Big Show.” It’s been a long time since I’ve been to a major event like this one, but retail continues to be important to SonicWall and is now part of what I do here at SonicWall Security, particularly for our SonicWall network security offerings.
So what’s new in the retail industry? Judging from all I saw, tons, of course. Retailers are all in on getting the most out of their brick-and-mortar locations as well as their various online and social outlets. Multichannel and omnichannel are retail’s new normal. New technologies continue to emerge, starting with information technology, which drives the customer experience with data analytics, to in-store beacons and other Internet of Things devices, store, website, and fulfillment design, POS systems, targeted marketing; the list goes on and on, testament to the hundreds of vendors exhibiting at the NRF show.
We had plenty of visitors to the SonicWall Security booth, and good conversations with all. Some visitors and customers joined us for happy hour and a very elegant dinner Monday evening at Colicchio & Sons, in what we used to call the Meatpacking District when I called New York my home. A part of Manhattan that was almost desolate in the evening has become very much alive. The dinner gave me a chance to listen to what customers were thinking and provide a SonicWall perspective on how we can help.
You’d think that with all the attention to hacks and breaches of major retailers, security would be a major focus of an event like this, but I didn’t find that to be the case, and was, quite frankly, surprised. Our presentation by Kent Shuart, Dodging the Next Hack, How to Protect Your Business, was one of only two conference sessions with a security focus. You can read more about Kent’s presentation in SC Magazine. Of special note is Kent’s point that small and medium size retailers may be an even bigger target in 2016 than their larger retail counterparts. Many of these small and medium sized retailers have not updated their protections while hackers continue to get more sophisticated. The black market value of credit card records is such that even a small business’s account data can be a major hack windfall.
Me, I don’t believe that the retail industry doesn’t want to talk security. I think that the industry as a whole understands that without a secure network infrastructure, the customer and business data that is their lifeblood is at risk. Whether in a store or online, businesses large and small need solid, secure, scalable, beyond-PCI-compliant network security that doesn’t just protect them from cyber criminals, but gives them a leg up on their competition.
Although the booth was small the message was big: SonicWall would like to be your trusted partner in all things IT. We can help build your retail business in a secure way without breaking the bank. Learn more about our retail solutions, or visit us online.