I found the degree to which customers in the region were concerned about compliance to be a bit of a surprise. I say 'surprise' because I often hear that compliance isn't as much of an issue outside of the U.S. From what we're seeing, though, the regulatory environment in non-U.S. geos, including Southeast Asia, is becoming more complicated...

Well, the results are in! Our servers nearly crashed thanks to the influx of responses, but, fortunately, that wasn't the case. Here are the results...

It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...

That said, I do think that we're definitely starting to see signs of maturity in the market -- of the emergence of "design classics"...

"This is the single largest and most complex identity theft case ever charged in this country," said US Attorney General Michael Mukasey.

According to officials, the defendants -- three from the United States, one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin -- tapped into wireless networks and installed programs that captured card numbers, passwords and account information. The stolen data was then hidden around the globe and sold for profit.

This event reflects a growing trend in cyber crime...

New Speaking of Security co-host, Amanda Van Veen, meets with Jeff Carpenter, Senior Product Marketing Manager at RSA, to discuss how the latest release of RSA Authentication Manager supports organizations focusing on business continuity. When natural or man-made disasters hit, it's important that employees be able to quickly and easily access network resources, but it's equally important to know just who those new remote workers are.

Now, ordinarily, forcing mandatory extra authentication like this you'd think is a good idea, and something that should be applauded...

Neosploit is a brand that could be relied upon to solve that problem rather well. Designed to ease the infection stage, Neosploit is an infection kit which exploits numerous system vulnerabilities and infects PCs worldwide with any type of malware. Neosploit checks "candidate" PCs in order to find vulnerabilities, and once these are found, the PC will be infected with the malware of the criminal's choice.

However, the RSA FraudAction Research Labs recently received information indicating that we may soon see the last of this "Neosploitation".

The Intelligence Community is an online community of RSA enVision customers, partners, systems engineers and product managers. It's getting quite a lot of use too, with interesting new posts around feature requests, tips and tricks and product announcements appearing every day. I was just trawling through it this morning, and I thought I'd pull out a few highlights...

What has certainly come as more of a surprise, though, is...

Art Coviello tells a cautionary tale of the future of security and its impact on business innovation at this year's EMC World. Hear how to avoid the perfect storm by integrating security into the platform and using information risk management strategies.

Please take advantage of the comments field to get answers to your compliance-related security queries!

It's a cracking read and one I'd recommend to all insomniacs with an penchant for such topics, but I have to say, I'm actually pretty encouraged by what I read...

It's no secret that PCI compliance is focused on securing cardholder data and infrastructure. Simply put, you can't secure what you don't manage and you can't manage what you don't know about. Before you go looking for all instances of cardholder data, you must be prepared to find more than expected.

Most merchants are aware of the cardholder data in their database(s). But what about payment applications or payment portals that temporarily store the data? Or customer service reps e-mailing credit card information to confirm or dispute an order?...

To be honest, I originally came at this piece of research as a way to define what the place of a SIEM product in a SOC, so I diligently asked everyone I interviewed what technologies they thought were central to a security operations function. The answers I got were pretty unexpected, and normally started with the phrase "Technology? Oh that's an afterthought."

When we think of a SOC, we often have this picture of a big room, full of people in rows staring at a big screen up front, with monitors in front of them...

It is eye-opening to see how differently our customers and partners, as well as folks within RSA, define compliance. From what I've seen, most will immediately gravitate towards the notion of meeting the stated or implied security requirements within governmental mandates, such as Sarbanes-Oxley and HIPAA. In addition, "compliance" certainly conjures up images of the PCI Data Security Standard, which isn't surprising considering how many organizations these requirements impact. What we don't tend to see initially is a broader view of compliance...

Didn't you used to be an analyst? Yep, I used to cover the SIEM space for Forrester, as well as a bunch of data security and architecture topics. However, all good things must come to an end - I was certainly approaching the end of my shelf life in that world. It was a privilege, though, as I got to spend a huge amount of time talking to people about their security priorities and looking at how that translated into requirements for new tools and ways of doing things. Now I get to help turn these conversations and ideas into something tangible...

In Speaking of Security's 105th security podcast we talk to Dave Howell, Senior Manager Solutions Marketing, about how organizations are turning to a framework-based approach to manage ever-expanding and overlapping regulatory requirements.

Happy Cinco de Mayo and welcome to the latest Speaking of Security video podcast. Today Host Paul Joyal speaks with Colin Bailey of EMC and Katie Curtin-Mestre of RSA, The Security Division of EMC, about this new scalable solution that leverages RSA Key Manager for the Datacenter.

In a recent RSA Web Seminar, Juniper Networks' Smitha Murthy and RSA's John Masotta discussed the benefits of an SSL VPN and how best to secure its access with strong authentication. Hear a snippet in this week's podcast or check out the entire replay of the event.

Well, being a veteran RSA Conference attendee, I thought I was ready for another busy but ultimately manageable week despite the multiple commitments and responsibilities that I had to balance. Well, that theory was turned on its head, starting on Sunday...

In Speaking of Security's blockbuster 100th security podcast we talk to Marc Gaffan, Director Product Marketing, about Identity Assurance and its importance to enterprise-level security and compliance.

RSA is committed to countering this trend by starting an industry-wide conversation about smart ways to manage information risk. As we mentioned in yesterday's blog posting, we were able to pick the brains of 10 top security executives from global enterprises in a variety of industries and get THEIR suggestions. But we'd like to hear from you...

Here is a transcript of the talk: http://www.rsa.com/innovation/docs/coviellokeynote2008.pdf

It's a good read, with a lot of interesting insights...

Part 2: Paul Joyal speaks with award-winning USA Today journalists, Byron Acohido and Jon Swartz. They are the co-authors of Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, which is scheduled for an April 2008 release. Byron and Jon talk about the inspiration for their book and more in part two of this two-part interview. See Byron, Jon and Paul next week at the RSA® Conference 2008, registrations are still being accepted!

Part 1: Paul Joyal speaks with award-winning USA Today journalists, Byron Acohido and Jon Swartz. They are the co-authors of Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, which is scheduled for an April 2008 release. Byron and Jon talk about the inspiration for their book, the state of cybercrime, and more in part one of this two-part interview. Tune in next week for part two!

View Krebs' entire article.

The Bush Administration has been ratcheting up its focus on information security over the past year, but is starting to roll out its cyber security initiative...

Tim Mather, Chief Security Strategist for RSA Conferences, talks about the role of the Chief Security Officer and how that role might evolve in the years to come. RSA® Conference 2008 is where you can hear more from leading information security professionals at the world's largest industry conference and expo when it comes to San Francisco, CA, April 7-11. For a free RSA Conference 2008 Expo Pass, courtesy of RSA, The Security Division of EMC, email podcast@rsa.com with your request before April 4 and we'll send you a special registration code.

What's the Buzz? RSA® Conference 2008 is the world's largest information security industry conference and expo and it comes to San Francisco, CA, April 7-11. Paul Joyal talks to Sandra Toms LaPedis, Area Vice President and General Manager of RSA Conferences, about what makes this event so special and what's new for this year's attendees. AND for a free RSA Conference 2008 Expo Pass, courtesy of RSA, The Security Division of EMC, email podcast@rsa.com with your request before April 4 and we'll send you a special registration code.

In Speaking of Security's newest video podcast we talk to Joram Borenstein, Senior Product Manager, about the latest strategies of online fraudsters.

RSA, The Security Division of EMC, RSA is pleased to invite you to our first global technical user conference hosted at EMC World 2008 in Las Vegas, May 19-22, 2008. RSA Xchange brings together a rich community of like-minded security professionals with an interest in learning from each other, partners and RSA product and engineering experts. Cathy Long joins Paul Joyal to talk about this new and unique opportunity.

UPEK® Inc., a leading brand of secure biometric fingerprint solutions, recently announced a joint technology solution combining the convenience and security of biometrics in millions of existing notebook computers with the market-leading strong authentication solution from RSA. Matt Buckley talks with Brian DeGonia from UPEK about this solution.

Please note, we'll be taking a short winter break next week in honor of President's Day - but watch for our next episode on February 25.

In Speaking of Security's second video podcast we talk to Joe Gabriel, Manager, Channel Marketing, about RSA's strategy for channel enablement.

I've heard two starkly contrasting opinions on the security of the PASS card...

Speaking of Security Blogger Sean Kline talks with Paul Joyal about his top 5 intriguing ideas for authentication for 2008.

Matt Buckley interviews Jon Oltsik, Senior Analyst, Enterprise Strategy Group, about his paper and thoughts on an information-centric security architecture.

Welcome to a new year of RSA's Speaking of Security Podcast. Today we introduce our first Video Podcast!

This week RSA Compliance Specialist, Dave Howell, offers his view on the future of the Payment Card Industry Data Security Standard and the evolution of online fraud.

This is our final broadcast for 2007. This week's topic is Information Risk Management, an information-centric strategy that provides the most effective means of recognizing, assessing and mitigating the risk that information is exposed to throughout its lifecycle. Hear from a recent RSA Web Seminar conducted in collaboration with TowerGroup, on how financial institutions can leverage a sound IRM strategy. A companion white paper on the subject is also available.

As the follow up to the Government Information Security Act of 2000, FISMA established an updated legal framework for federal information security, including baseline security standards for federal agencies. I remember that the information security community was excited about FISMA and its promise.

So, what's the verdict five years later? In my opinion it's a mixed bag. On one hand, FISMA has arguably increased awareness of, and focus on, federal information security...

"She could be your daughter," I told R. He continued ignoring me, and said, "She could totally be mine..."

"Perhaps, but she won't," I said. "You're 38, you have a girlfriend and you were telling me the other day you were thinking of proposing to her."...

You raise some interesting points on which I would like to comment. First, RSA believes that there are always tradeoffs between strength of security, cost and ease of use. The key (no pun intended) is matching the right means of authentication to the right level of risk. This is why we have such a broad range of authentication types and form factors.

To some of your specific points, RSA SecurID hardware and software authenticators are both forms of multi-factor authentication. In the case of hardware authenticators, they are based on something you have (the physical authenticator) and something you know (your password or Personal Identification Number). Software authenticators work the same way depending on the form factor and can include other factors....

Click here to listen/download (08:39).

This week Paul Joyal speaks with Tom Corn, Vice President of Data Security Products for RSA, about Data Loss/Leakage Prevention (DLP) and RSA's approach to the issue along with how it differs from other players.

1. Controls as part of a broader strategy
   Organizations still make decisions on how to authenticate requests (often users) based on individual applications, infrastructure deployments or regulatory requirements. This is one of the contributors to a "quilt of security doilies", to paraphrase the CTO of a top bank who I met recently. Point security solutions have proliferated throughout organizations making it very difficult and costly to manage. In 2008, organizations will increasingly adopt frameworks like Information Risk Management to assess which threats to mitigate, inventory the types of controls (including authentication) that they need and take a more holistic approach to implementing their strategy...

Click here to listen/download (07:15).

This week, hear from Ari Juels, Speaking of Security blogger and Chief Scientist for RSA Laboratories. Ari tells us about some projects that his team is working on including "Proofs of Retrievability" and the WARP token for wireless authentication.

Click here to listen/download (07:27).

Paul Joyal speaks with Dan Wilson, Vice President and Co-Founder of Accuvant, one of RSA's key channel partners about their business, their information-centric strategy for security, and a recent award that they received. Please note that we will be taking a short break for the U.S. Thanksgiving holiday, but will be back with another podcast for the week of December 3, 2007.

Click here to listen/download (09:56).

Matt Buckley speaks with EMC Vice President of Technology Alliances, Chuck Hollis, about Security and Virtualization. Read more from Chuck at chucksblog.emc.com.