Friday, July 24, 2015

Phishing and APT: Top Security Threats 2015

BlackHat-SecurityPriorities

Posted by ,  Phishing, Security

According to 2015’s Black Hat Attendee survey, the gap between the top threats that organizations face and the areas into which investment, technology, and defensive capabilities are being built is growing.
Specific, targeted attacks and spear phishing top the list of concerns for the 460 top-level security experts surveyed for the report — and tellingly, only 26% of the same group reported that investments were being made into these areas.
Given that spear phishing and sophisticated attacks account for more than 90% of all breaches, this failure to build realtime, accurate, actionable detection and remediation capabilities is a significant problem.

Most information security teams spend the majority of their time on the least significant threats.

According to the report, “application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.”
Underlying this point is a more fundamental one: lack of time to spend on proactive defense is one of the most significant problems facing most organizations’ information security teams. Consider Frost and Sullivan’s recent report on the state of the industry; the average team spends 85% or more of its time focused on remediating known threat.
This misalignment is a significant source of risk for these organizations, however. Patch management, internal code testing, perimeter firewalls, and cloud workload security are all critical components in a robust security stack, but targeted attacks that focus on compromising user accounts, using those credentials for east-west movement and privilege escalation, and exfiltrating sensitive data must be a focus in an effective defense in depth strategy.

Targeted attacks and spear phishing are highest risks, but rarely detected.

“Security pros are not spending their time and budget in a manner that is commensurate with their concerns about current threats.”
Even a cursory review of the breaches that have hit the news in 2015 so far reveal that without strong “left of exploit” capabilities — technology and solutions that can identify early stage attacks, when they are still at the spear phishing, account compromise, and privilege escalation stage — results in data loss.
From healthcare companies to the federal government, it is clear that traditional security solutions are necessary, but on absent early stage, proactive detection and defense, simply can’t prevent breach.
The challenge here is that the traditional solutions to this problem are equally failing to keep up with today’s threat landscape. SIEM platforms, log aggregation, and incident response can’t find these earlest-stage threat vectors — the spear phishing and account compromises that leads to full exploit, often flying under the radar of most other tools. Absent comprehensive situational awareness, it takes weeks or even months to detect and respond to data loss, if it is ever found at all.

Wednesday, July 15, 2015

Use Cases: The path to value from the Internet of Things

Use Cases: The path to value from the Internet of Things
By: Andres Rosello, Marketing Director, PTC

If you are in the business of creating, operating or servicing things you have likely seen a barrage of “billions and trillions” reports recently describing the impact of the Internet of Things (IoT) on your business.

Cisco predicts we’ll see as many as 50 billion “things” connected to the Internet by the end of this decade. That’s a four-fold increase in just six years.

GE estimates that the Industrial Internet has the potential to add $10 to $15 trillion to global GDP over the next 20 years.

However, in order to create real business value in a smart, connected world, we need to shift our focus away from these “billions and trillions” reports and identify the specific IoT use cases that enable each organizational function to transform their business processes and improve operational effectiveness or create strategic differentiation.

While some organizations have started to create tremendous value from the IoT, data shows that the majority of organizations are still struggling to get started. IDC research found that while 66% of Discrete Manufacturers and 67% of Process Manufacturers are actively pursuing IoT initiatives, less than half (40%) of those Discrete Manufacturers and only about half (55%) of those Process Manufacturers have even begun a pilot.

Why the delay? Organizations struggle to define and prioritize IoT use cases and develop a business case to fund initial investment.

To help overcome these challenges we have defined the top 26 IoT use cases based on hundreds of customer interactions, and organized them by the business function or stakeholder they benefit.



To learn more about each of the top 26 IoT use cases, visit PTC.com.



Thursday, July 9, 2015

Uncover the Value in the Internet of Things: Getting ROI from IoT

Uncover the Value in the Internet of Things: Getting ROI from IoT
Melissa DiEgidio, PTC

Smart, connected products and the Internet of Things (IoT) are changing how value is created for customers, how companies differentiate their products and services, and the industry boundaries across which companies compete.
During the recent LiveWorx event in Boston, a panel of Industrial Internet Consortium (IIC) members addressed the value within IoT.
“There’s a lot of hype around IoT, said panel member Syed Hoda, CMO at ParStream, which offers an analytics platform. “But there are some things that are actually real-life, places where you can monetize it and customers like it,” he said.
Yet, a recent ParStream survey of early IoT adopters found that measuring ROI is a challenge. “Only one-third of companies had metrics, and about another one-third said they didn’t know how to measure it,” Hoda said.
“A lot of companies are just trying to learn,” Hoda said. But the companies with the best ROI were also the best at collecting and acting on data to generate value quickly, he said.
EMC’s Wayne Adams agreed that many companies struggle with where to start. It’s not as simple as taking information from sensors and benchmarking data, said Adams, senior technologist and director of standards at the company.
“It’s not just about the data. It’s about knowing what to match additional information to before you can do analytics.” Many companies find that the value in data from connected products is exponentially enhanced when combined with data from other sources, for example enterprise systems data from CRM, ERP or PLM systems.  
The challenges IoT bring are not just confined to the question of how to collect and analyze the data generated from connected products. There’s the question of how to define and communicate the value.
Allan Alter, senior research fellow with consulting group Accenture, said the first step is to understand what your customer wants.
“Thinking about the customer is where it all starts,” he said. Companies must be able to clearly define and articulate the value proposition for customers and internal stakeholders in order to succeed. 

Want to hear more from the ICC panel “Getting from IoT to ROI: A Panel Discussion on the Business Side of the Industrial Internet” watch the LiveWorx replay today

Tuesday, July 7, 2015

12 Failure Modes of an Agile Transformation

Posted by Jean Tabaka in Agile

 
The year? 2015. The setting? An Agile transformation near you. The problem? You’ve hit a wall. Despite all your best intentions, you’re still not getting those promised benefits of Agile: speed, quality, value, sustainable growth across your organization. And your problems don’t stop there. You aren’t responding to market threats; you can’t even see market threats; you’re unable to retain great employees; you’re not an industry showcase. In the end, your Agile transformation has brought cynicism and distrust.
 
You may have heard me talk about “12 Agile Adoption Failure Modes” that concentrated on agile failure in the context of IT teams. Given the expanded adoption of Agile practices in organizations beyond the IT group, the threat of failure is now farther-reaching, with bigger impact.
Now it’s imperative that we look not just at Agile adoption, but at Agile transformation — where organizations move beyond Agile principles within their IT groups to business agility. To accomplish this, we transform from just doing Agile to being Agile.
Over the next few weeks I’ll share with you the top 12 failure modes of an Agile transformation that I’m witnessing in my work with organizations around the globe. The first three center around LEADERSHIP.

1. Lack of Executive Sponsorship

 photo via Flickr CC

This failure mode evidences itself in several different ways and ultimately, it warrants its spot as the number one failure mode and drives all the other failure modes. Also known as “buzzword buy-in,” a lack of executive sponsorship can come at you from two directions
Imagine a small group of techies eager to adopt Agile in their team. With no executive sponsorship, they perform in a stealth environment — sort of a “skunkworks” adoption — under the radar of the existing organizational structure. Why? Because they’re hiding from the hierarchy of management (see the second failure mode, below) which could shut down their effort, and evading the current gate-driven approach to product delivery. While the project may gain some momentum, deliver value faster, and stir the souls of those involved, its sustainability is improbable. Lack of executive sponsorship will limit visibility into the team’s success and provide insufficient support for adoption across subsequent teams. Agile adopted this way will likely die.
 
In our second scenario, an executive decrees a switch to Agile delivery across the entire IT organization, but there’s no real follow-through: it’s simply a “checkbook commitment.” The executive demands immediate results, yet doesn’t change the metrics by which success is measured. Unengaged, the executive proclamation for an Agile adoption will never move to a true business transformation. At best, without the executive’s continued engagement, the organization will only have pockets of Agile success, typically limited to the team level. The organization will probably grow to blame Agile (and each other) for decreased quality and productivity. And the executive’s resignation letter will conveniently not include the word “Agile” in its summary of successes.
 
How do we prevent this failure? Leaders must accept that a successful transformation is a journey. Along this journey, leaders seek guidance for a transformation with a broad, sustainable impact. As part of the transformation they make a personal commitment to their teams, and in turn they recognize the personal commitment they are asking of their employees. Executives commit to measuring success differently from before, because the work is different from before. Success now favors value delivery, and time for learning is built into the transformation. Ultimately, success is celebrated across the organization and setbacks are seen not as failures or cause for blame, but as opportunities for learning and growth.

2. Failure to Transform Leader Behaviors

Isn’t it great to have managers who just get things done? They know the right actions to achieve success; they direct their teams to perform these actions; and they have the power to control all aspects of the work and do whatever it takes to get it done.

Huh?

Let’s pull this apart a little. When a manager tells the team what to do, there’s a false sense of success via control. When a manager powers through difficult circumstances regardless of the impact on the team, they leave the wisdom and the morale of the team behind.
 photo via Flickr Commons
Such a management style is a classic Agile transformation failure mode. All the team-level Agile practices in the world mean nothing if the manager doesn’t embrace a behavior that is more in service to the team than control of the team. Robert Greenleaf’s work identifies the characteristics of what he calls a “servant leader”: one who serves by leading, and leads by serving. An Agile transformation success story hinges on the ability of the leaders in the organization to take on these characteristics:
  • Systematic neglect: knows the limits of how much focus can be allocated to issues; learns what to focus on and what to let go of in order to support the team and achieve goals effectively
  • Acceptance: knows when to let go and trust the instincts of the team; accepts the wisdom of the team and is prepared to support it
  • Listening: facilitates useful and necessary communication, pays attention to what remains unspoken, and is motivated to actively hear what others are saying
  • Language: speaks effectively and non-destructively; clearly and consistently articulates the vision and goals for the team
  • Values: is responsible for building a personal sense of values that are clearly exhibited through consistent actions; supports team behaviors that build their sense of values
  • Tolerance of imperfection: modulates his or her own sense of perfection and offers to each team member an understanding of their strengths and challenges; cares more about “How can I help the team grow?”
  • Goal setting: owns the vision; doesn’t advocate for a personal belief in what is right but rather maintains the goal for a higher purpose, inviting others to align with the vision for the overall good
  • Personal growth: recognizes the value of continually finding diverse disciplines that invite new ways of acting in service to the team, and models this growth behavior to inspire others
  • Withdrawal: knows when to step back and allow the team to figure out its course, versus inflicting a personal sense of what is right for the team; carefully decides what to bring forward and when

3. No Change to the Organizational Infrastructure

What is your current organizational structure? How many layers of management exist around each Agile team? How is governance perceived, and who is ready to break down walls to make sure that value flows through your organization?
 photo via Flickr CC
 
Failed Agile transformations suffer from an inability to change the existing organizational structure. What do I mean by this? Typical organizations have been set up for sub-optimization: that is, they measure success by departmental performance, versus overall value delivery. Here’s what that looks like: In the book This Is Lean, authors Niklas Modig and Par Ahlstrom depict a soccer field scattered with teams, each one in its own tent. Success is defined as any one team getting the ball out of its tent. But is that really success overall? In this scenario, as in our traditional organizations, we create accidental adversaries. We limit visibility of the organization’s overall effectiveness, and focus on our team’s success at the expense of success for the organization.

True Agile transformations push the boundaries of these existing organizational hierarchies. In the soccer field metaphor, we remove the tents. Now everyone can see where the ball is, where everyone else is, where the goal is positioned, what the referee is indicating, what the coach is saying, and what the scoreboard says. In your effective Agile transformation, you know what the true value is, you know who needs to be involved in order for the value to be delivered, and everyone associated with the value delivery has visibility into the current state of the value stream, including its blocks. They see the goal as successful delivery of value to the customer, and they coordinate as a whole to deliver that value.
 
Here’s another symptom that your organizational infrastructure is crippling your Agile transformation: Does your organization cling to a notion of efficiency based on resource usage — believing that loading people to 100% capacity is the best way to get work done, and then measuring people annually by how well they deliver in this fully-loaded mode?
To incent greater collaboration and communication, you need to revisit how you appraise work. Instead of annually, by individual, 100% utilized, with MBOs set 12 months earlier, you should invite frequent feedback; focus more on team effectiveness; and bias performance appraisal toward efficiency of value flow versus efficiency of workers.
 
If you’re not feeling the discomfort change brings, you aren’t truly transforming. If your transformation isn’t requiring you to invest in the technology and culture to support a new mode of visibility and collaboration, you aren’t truly transforming. If you’re adopting some Agile practices at the project level without looking at the bigger picture, your Agile transformation is poised for failure. And Agile, not the failure to transform the organization, will get the blame.