What's the easiest way for me to find out whether I have insiders stealing data from my company?
This is a really hard question. The cynic in me says, go into work and open the door, but the reality is that insider threat and its detection are increasingly vexing problems. The stuff I was talking about earlier regarding looking at business processes, looking at net flow, USING WHAT YOU HAVE NOW instead of buying the latest and greatest is the easiest way. Use application layer firewalls and IDS and ngrep and whatever you have to search for strings that are sensitive - not regulated, but sensitive to HOW YOU DO BUSINESS. Log them to a text file and read it every now and then. If you see stuff you shouldn't, find out why. That also goes back to being an educated customer - the ADL, database transaction monitoring and port and device control guys can all help you do this, but the more you know when you walk in the door, the more you're likely to get out of the relationship.
Any litmus-tests for the every month(/day) security solutions like PEAP, EAP/TLS etc. Can a security admin just be sure which one to use over the other?
I am frightened of the concept of a 'security litmus test' because the way we all do business is different. There is no one size fits all. What is important to my business is worthless to yours and vice versa. But the fact is that whether you make artisanal cheese or missile systems, there is SOMETHING that you need, that is truly competitively crucial to your survival, and you should let that business need drive what you protect and how.
Any types of security products that are better off being bought as a SaaS product than as a traditional software product?
I would say that messaging is a no-brainer here. The Google/Postini product offering messaging filtering for like US$25 per user per year is just a hell of a lot better than I can get anywhere else. We use hosted Zimbra and Barracuda and it's wonderful - much better than when we were all sitting around trying to do it ourselves. Log management, firewall management - anything that is not your core competence and is someone else's is a great candidate. [Disclosure: Barracuda is not a client. I don't know if Google is. I think Yahoo (which bought Zimbra) may be].
LifeLock (or other anti-identity theft) organizations are getting the thumbs up from several well-respected security pros. Others say these kinds of services are a rip off. What gives?
I'm one of the pros who gives it a thumbs up. I'm a LifeLock customer (no discount, and I think they MAY be a customer of ours) and I can say that it works as advertised at least as far as setting and maintaining the alerts. I am also a customer of freecreditreport.com's decidedly not free service, and Equifax or Experian or one of those, and I keep a close eye on it, so I see what LifeLock does for me. Their analogy about changing the oil on your car is the best one - sure you can do it yourself. Go ahead and deal with the credit bureaus if you want. That's well outside my core competence. Besides, the credit bureaus are there to protect lenders, not you, and staffed, it seems, entirely by graduates from the New Jersey Registry of Motor Vehicles or the immigration bureau. Horrible experiences. I would much rather pay LifeLock US$100 or so a year to deal with them. If you've got the time and inclination to wrassle with TransUnion, Experian and Equifax, have at it - it's free as the air to set fraud statements every 90 days, last I checked.
Application security is getting more attention and is being addressed as a higher priority now. What are your thoughts on this emerging area of technology?
Very cool. We are seeing this as a truly painful and necessary evolution and this is a cultural shock more than a technical one. This has to be top down change in the way we look at imagining, developing, testing and rolling out applications. Some of the companies we like here: Veracode, Clockwork, Fortify (can't remember if any are customers of ours) but we also like the Six Sigma approach of looking at your application-development cycle as starting with secure code training for EVERYONE involved with coding, testing in dev, auditing, then testing, then dynamically testing in QA and in production or in a virtualized production image - but testing, testing, testing and baking it right in. Companies really good at this are GE and many of the investment banks, which have been doing it for years. Smaller companies do it the traditional way - hurry, hurry, hurry, get it out, fix it in the mix - which means that you're always going back and fixing stuff you could have fixed earlier in the name of getting business done. That is a false economy, so baking security testing into the application development and QA stage is crucial, and as I said will be painful for many. Dynamic testing after is easy-peasy.
Mobile voice encryption is an up and coming technology for companies wanting to protect cell phone users from eavesdropping. What are some of the pros/cons of it?
Encrypted voice! It's like a JetPack - of course I want it, and I have absolutely no need for it, it's just cool. Speaking of cool, KoolSpan (Disclosure: Not a 451 customer) just launched the TrustChip, which allows smartphones with an SD card slot to do encrypted voice and other applications for US$300 a pop - THAT is cool. It also is an elegant approach to solving the problem of extended trust -- that is, TrustGroups claims it's configurable in a manner that means that just because A trusts B, and B trusts C, it does not necessarily follow that A trusts C. Awesome, but we wonder about KoolSpan's funding. That said, a wicked smart friend of mine who works at a high-falutin' lab just spent a day down there vetting the thing and says it's as cool as I thought it was. So yeah, bring on the voice encryption calls! Cons? So you're pressing me and I'll pull one from the sky: I would assume scrambled calls might send your line directly to the Raised Eyebrow Department of whatever federal agency is monitoring your calls - and if none is, what could be wrong with encrypted voice calls?