Archivo de la etiqueta: security

News

Zscaler raises $100m in round led by TPG

California based Zscaler, which provides security-as-a-service (SAAS), has raised $100 million dollars in Series B funding round. This was led largely by late stage investor TPG. Other investments have come from existing investors EMC, the storage company, and Lightspeed Ventures. The company has now raised well over $130 million dollars and its valuation last round was estimated to be at over a billion.
tpg-logo
Jay Chaudhry, CEO of Zscaler, has said in a recent announcement, “Our mission is to make the Internet safe for business by delivering an amazing security platform that protects our clients and enables the strategic adoption of cloud computing, mobile devices and the Internet of Things. The investment and partnership from TPG and the global relationships and experience they provide will enable us to accelerate investment in our technology, grow our customer base and aggressively scale our business to meet growing demand. We are excited to join an elite group of security companies valued in excess of $1 billion.”
The companies’ customer base has nearly doubled since last year. The company has an estimated 5000 customers, including Humana, NBC, ExxonMobil and the UK’s National Health Services, and protects over 13 million employees.
Nehal Raj, a partner at TPG, and now a Zscaler board member, has also said, “We see tremendous opportunity in the rapidly growing cybersecurity industry, and after spending significant time in the space, we found Zscaler to be the leading cloud-based security solution for the world’s largest and most demanding customers — a true SaaS platform like that of Salesforce or Workday. We are looking forward to partnering with Jay and his team to accelerate growth, most immediately by introducing Zscaler to the potential customers and channel partners within our global network.”

The post Zscaler raises $100m in round led by TPG appeared first on Cloud News Daily.

News

Rackspace To Host Information Center

The Cloud Security Alliance has taken the initiative to unify cloud service providers to allow for the creation of a peer based information sharing center. This sharing center will be co-chaired by Brian Kelly, CSO at cloud firm Rackspace and the founder and CEO of anonymous cyber incident sharing platform TruStar, Dave Cullinane.
csalogo
Kelly has said,”The whole concept emerged from what we refer to as Presidential Decision Directive 63, which we started back in May of 1998. Under the Clinton administration they convened a group of people to look at the initiatives needed for the protection of the nation’s critical infrastructure. It had a number of directives, one of which being the formation of a range of information sharing and analysis centers, and a few of them formed immediately — financial services, information technology and telecommunications.”

In addition, Kelly has said that in 15 years these centers have been operable, they have been to learn and improve this new independent information sharing center. “I think, largely, they were ineffective for the initial 5-10 years as participants weren’t really providing anything and they were just there to consume information, and it was not really timely enough, nor was it actionable. From a security perspective, we need to represent a unified front. We have to work as one team. I need to be able to call my buddy at Amazon on a moment’s notice, and Google needs to be able to call me to tell me what they’ve found.”

The post Rackspace To Host Information Center appeared first on Cloud News Daily.

News

Cloud News Daily 2015-07-28 23:19:51

Imperva Inc., dedicated to protecting business-critical data and applications in the cloud and on-premises, and Raytheon|Websense a global leader in protecting organizations from the latest cyber-attacks and data theft, have formed a strategic alliance to facilitate both safe and productive use of cloud applications for organizations of a myriad of sizes. This agreement allows Raytheon|Websense to implant the Imperva Skyfence Cloud App Catalog into its web security gateway products. In addition, it certifies joint interoperability that will make it easier for customers to both deploy and integrate the solutions.

Mike Siegel, Vice President of Product Management of Raytheon|Websense, has commented “As a cloud access security broker (CASB), Skyfence will strengthen our Triton platform by providing powerful, embedded risk intelligence to support reporting and decision-making. The Skyfence technology allows our current and future customers to leverage the existing Websense platform and better deal with cloud app adoption and security issues emerging from shadow IT.”
raytheon-websense-showcase_image-10-a-8115
It is essential that cloud computing organizations create or adopt a solution that can both periodically scan activity and mark new additions to the program. Skyfence can routinely monitor the environment of the cloud and will alert IT management to changes.

Mark Kraynak, Chief Product Officer of Imperva, has stated, ““IT cannot begin to define and enforce a cloud security strategy if they are unaware of the applications in use. With a myriad of cloud applications being adopted for workforce efficiency including file-sharing and collaboration, measuring what applications are being used and understanding their risk to the business are critical.”

The post appeared first on Cloud News Daily.

Elastica, Google, Hacking, News & Analysis

Google Drive vulnerable to undetectable phishing campaign, experts claim

Hackers used Google Drive to mount a barely detectable phishing attack

Hackers used Google Drive to mount a barely detectable phishing attack

Google Drive has been subject to a phishing attack that used JavaScript code obfuscation and compromised websites in order to steal end-user account credentials using Google services.

Elastica researchers explained attackers deployed a JavaScript encoding mechanism to obfuscate web page code that could not be easily read, and used fake SSL credentials to gain entry to Google’s services. Attackers were able to reach a wide network of end-users by exploiting Google Drive to host malicious Web pages, where attack victims were directed.

The hackers used Gmail to distribute emails containing links to unauthorized web pages hosted on Google Drive, and then stored stolen credentials through a third-party domain.

Although the malicious pages were reported to Google, Elastica said they have yet to be removed.

“In this particular incident, attackers were able to circumvent tight security controls and target Google users specifically to gain access to a multitude of services associated with Google accounts,” said Aditya K Sood, architect of Elastica Cloud Threat Labs.

“While the cloud offers unprecedented benefits to its users, it is challenging the traditional security model and necessitating a modern, flexible security stack designed to provide protection in a perimeterless world.”

Because the pages were hosted on Google Drive, which uses SSL to encryption, standard security methods like IP blacklisting and intrusion detection weren’t effective.

Rehan Jalil, chief executive of Elastica said these issues will likely keep cropping up as cloud usage grows.

“Security and risk professionals are quickly learning that legacy security solutions are no longer effective for cloud applications,” Jalil said.

News

New DISA Guidance

The Defense Information Systems Agency (DISA) has released three documents pertaining to cloud security. These documents hope to aid the Defense Department in securing the network against attacks. According to a report in C4ISR & Networks, the documents will include two new requirement guides and a new concept of operations. The goal of these documents is to prevent the disruption of cloud service provider-supported DoD missions. In addition, they will aid in creating a perimeter defense and monitoring architecture for applications hosted in commercial cloud environments.

The cloud access point (CAP) functional requirements document (FRD) calls for a line of defense between e Department of Defense Information Network (DoDIN) and Internet-based public cloud service offers. According to the documents, the first DISA-established CAP is a modified NIPRNet federated gateway.
DISA-Seal
Jack Wilmer, DISA infrastructure development executive, has told C4ISR & Networks, “A CAP being fully scalable and able to support the enterprise, to include the availability of the application protection enterprise-wide, is scheduled to be ready by early 2016.”

The documents also state, “As DoD strives to meet the objectives of the DoD CIO to maximize the use of cloud computing, the DoDIN perimeter must continue to be protected against cyber threats from external connections. The CAP will proactively and reactively prevent attacks against the DoDIN infrastructure, particularly traffic from mission applications that originates in the cloud service environment…there are many information assurance functions that may be implemented as detect and prevent measures to address the different types of external attacks”

The post New DISA Guidance appeared first on Cloud News Daily.

Americas, Google, News & Analysis, Policy and Regulation, US Bureau of Industry and Security, US Department of Commerce

Google says trade agreement amendment hinders security vulnerability research

Google says the US DoC amendments would massively hinder its own security research

Google says the US DoC amendments would massively hinder its own security research

Google hit out at the US Department of Commerce and the Bureau of Industry and Security this week over proposed amendments to trade legislation related to the Wassenaar Arrangement, a multilateral export control agreement, arguing they will negatively impact cybersecurity vulnerability research.

The Wassenaar Arrangement is a voluntary multi-national agreement between 41 countries and intended to control the export of some “dual use” technologies – which includes security technologies – and its power depends on each country passing its own legislation to align its trade laws with the agreement. The US is among the agreement’s members.

As of 2013 software specifically designed or modified to avoid being found by monitoring tools has been included on that list of technologies. And, a recent proposal put forward by the US DoC and BIS to align national legislation with the agreement suggests adding “systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices” to the list of potentially regulated technologies, as well as “technology for the development of intrusion software includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.”

Google said the US DoC amendments would effectively force it to issue thousands of export licenses just to be able to research and develop potential security vulnerabilities, as companies like Google depend on a massive global pool of talent (hackers) that experiment with or use many of the same technologies the US proposes to regulate.

“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” explained Neil Martin, export compliance counsel, Google Legal and Tim Willis, hacker philanthropist, Chrome security team in a recent blog post.

“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages – even some in-person conversations! BIS’ own FAQ states that information about a vulnerability, including its causes, wouldn’t be controlled, but we believe that it sometimes actually could be controlled information,” the company said.

Google also said the way the proposed amendment is worded is far too vague and proposed clarifying the DoC-proposed amendments as well as the Wassenaar Arrangement itself.

“The time and effort it takes to uncover bugs is significant, and the marketplace for these vulnerabilities is competitive. That’s why we provide cash rewards for quality security research that identifies problems in our own products or proactive improvements to open-source products. We’ve paid more than $4 million to researchers from all around the world.”

“If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit,” it said.

Deloitte, managed security, Managed services, Mike Denning, News & Analysis, Verizon

Verizon tries to woo CSOs with managed security offering

Verizon is boosting its managed security practice

Verizon is boosting its managed security practice

Verizon is throwing its hat into the managed security services ring this week, launching a managed cybersecurity and incident monitoring service targeted at large enterprises.

The Unified Security Services includes a pre-configured set of features managed by Verizon directly and designed to protect the network edge.

Verizon said it will provide service event monitoring, device alerting and 24/7 security support as well as patch management as part of the suite.

“With Unified Security Services, we have bundled together technology, human expertise and deployment services into one convenient offering,” said Mike Denning, vice president of Global Security at Verizon Enterprise Solutions.

“This solution is aimed at helping organizations — with little to no internal staff — better safeguard their networks, without adding complexity or more resources to their IT teams,” he said.

The suite will initially be rolled out in the US with plans to offer hosted versions globally in 2016.

The launch would suggest its partnership with Deloitte, announced in the Spring, is bearing fruit. In April the companies announced a partnership to deliver a comprehensive set of cybersecurity and risk-management solutions to enterprises.

As part of that deal Verizon said it would leverage its experience in digital forensics and managed services and Deloitte its cyber risk advisory services to deliver end-to-end incident response services.

Asia Pacific, CSA, New Zealand, News & Analysis, Open Source, STRATUS

CSA lends prototype compliance tool to six-year cloud security project

The CSA is part of the STRATUS project, a six-year cybersecurity project

The CSA is part of the STRATUS project, a six-year cybersecurity project

The Cloud Security Alliance (CSA) said this week that it is lending a prototype data auditing and compliance regulation tool to the STRATUS initiative, a six-year multi-million dollar cybersecurity project funded by New Zealand’s Ministry of Business, Innovation, and Employment.

STRATUS, which stands for Security Technologies Returning Accountability, Transparency and User-centric Services in the Cloud, is a project being led by the University of Waikato intends to develop a series of security tools, techniques and capabilities to help give cloud users more control over how they secure the cloud services they use.

As part of the project the CSA showed how cloud data governance could be automated by applying auditing guidelines (CSA Cloud Control Matrix, ISO standards, etc.) and compliance regulations using a recently developed online tool.

The organisation, which is leading the data governance and accountability subproject within STRATUS, said it would also help support STRATUS’ commercialisation efforts.

“STRATUS’ approach to research commercialisation is different from typical scientific research grants,” said Dr. Ryan Ko, principal investigator of STRATUS, and CSA APAC research advisor.

“STRATUS understands that for cloud security innovation to reach a global audience, it will require a platform which will allow these cutting-edge cloud services to quickly align to global best practices and requirements – a core CSA strength given its strong research outputs such as the Cloud Controls Matrix and the Cloud Data Governance Working Group,” Ko said.

Aloysius Cheang, managing director for CSA APAC: “We have developed a prototype tool based on our work so far, that has received positive reviews. In addition, we are working to connect STRATUS and New Zealand to the CSA eco-system through our local chapter. More importantly, we are beginning to see some preliminary results of the efforts to connect to dots to commercialisation efforts as well as standardization efforts.”

The organisation reckons it should be able to show off the “fruit of these efforts” in November this year.

News & Analysis, Salesforce, Software as a service, Tod Nielsen, Toopher, Verizon

Salesforce bakes security, compliance into native apps with Shield

Salesforce has launched Shield in a bid to improve confidence among highly regulated cloud adopters

Salesforce has launched Shield in a bid to improve confidence among highly regulated cloud adopters

Salesforce this week announced Salesforce Shield, a portfolio of “drag and drop” security and compliance assurance services that developers can bake into native Salesforce apps.

The Shield services include field audit trail and data integrity tracking, data encryption, archiving and event monitoring.

Salesforce said the services are already in use by some of the company’s clients in the financial services and healthcare services sectors.

“While many companies are leveraging the cloud to build apps at the speed of business, those in regulated industries have struggled to take full advantage of the cloud due to regulatory and compliance constraints,” said Tod Nielsen, executive vice president of Salesforce1 Platform, Salesforce.

“With Salesforce Shield, we are liberating these IT leaders and developers, and empowering them to quickly build the cloud apps their businesses need, with the trust Salesforce is known for.”

Salesforce said the move will help provide assurances to more heavily regulated sectors including developing applications with the Salesforce platform, particularly those that are learning more heavily on mobile platforms.

That said, mobile security has been a big focus for the firm in recent months. In April the company acquired Toopher, a Texas-based mobile authentication startup, and towards the end of last year the company joined Verizon’s dark fibre cloud interconnection service to give its customers more secure options for linking to its cloud platform.

Crowdstrike, Funding, Google, News & Analysis, Rackspace

Security as a service firm Crowdstrike bags $100 from Google, Rackspace

CrowdStrike secured $100m in funding this week from Rackspace, Google among others

CrowdStrike secured $100m in funding this week from Rackspace, Google among others

Security SaaS provider CrowdStrike completed a $100m round of funding led by Google and Rackspace this week, which the company said would be used to bolster its international expansion.

The funding round, in which Accel and Warburg Pincus also participated, brings the total investment secured by the firm to $156m.

CrowdStrike offers a range of threat intelligence, endpoint protections and cybersecurity services including a cloud-based software offering and a security operations centre -as-a-service.

The company, of which Rackspace is a customer, claims to have trebled billings revenue and employees year on year.

“It’s extremely gratifying to bring in a high-caliber investor like Google Capital which shares our passion for innovation and sees the opportunity to completely transform the security industry,” said George Kurtz, CrowdStrike’s co-founder and chief executive officer.

“As we continue to experience hyper-growth, this capital injection will help us firmly establish our SaaS-based endpoint protection platform as the leading solution to address today’s sophisticated attacks and will allow CrowdStrike to further accelerate our domestic and international expansion.”

The cloud-based security services market is growing along with enterprise adoption of cloud services in part because they can be deployed more quickly and flexibly than on-premise solutions, and because the architectures tend to be quite complimentary. Large cloud providers also see value in funding them because security services are quite capitally and operationally expensive – they require huge investments in code, infrastructure, monitoring and support staff – which means it’s challenging for these large IaaS providers to offer these services themselves. According to MarketsandMarkets the cloud security market is forecast to grow nearly 16 per cent CAGR from $4.2bn in 2014 to $8.7bn in 2019.