Now that Micro Focus has successfully completed the spin-merge with HPE Software, we wanted to highlight our expanded security portfolio via our first annual Micro Focus Cybersecurity Summit 2018, which took place in Washington, DC, on September 25-27, 2018. This unique Summit allowed face-to-face interaction with our product managers and security leaders such as Micro Focus CMO John Delk and Former FBI Cybersecurity Special Agent, Chris Tarbell. Many like-minded customers heard best practices, solution roadmaps and cybersecurity topics critical to their organization/agency.
Secure development, security testing, and continuous monitoring and protection of apps
David Harper, practice principal for Fortify on Demand, presented on “Application Security as a Service.” David discussed how 80% of breaches today are from application vulnerabilities, a problem that keeps growing as companies run more and more applications on shorter and shorter release cycles. One approach companies can take is secure gating with Fortify on Demand, David said. The challenge, however, is that even though a security gate may work for your organization now, can it keep up with DevOps? We then heard some great advice on building security into the software development lifecycle (SDLC) and addressing it early on. David closed with a fairly detailed plan for creating an application security program by implementing a security gate first, then securing the DevOps lifecycle with compensating control.
Micro Focus’ Lucas von Stockhausen shared the stage with Fortify customers for “Shifting security left: bringing security into continuous integration and delivery.” While discussing what shifting security left means, the team pointed out that it’s NOT about moving current activities left, changing the location of the stop, or controlling development, but more about changing how you do security, compromising in order to reduce risk, and finally, becoming a part of development. Application security teams not only feel frustrated, ignored and left out, but are also seen as roadblocks and as anti-business. During this presentation, however, the team discussed how shifting left correctly can change all of that.
Detecting known and unknown threats through correlation, data ingestion and analytics
Marius Iversen, a platform engineer for a major telecommunications company located in the Netherlands, presented “ArcSight is an open architecture for SecOps.” He discussed the need for his organization to abstract event data related to their customers into a custom web driven portal. In order to accomplish this, they use APIs (Application Programming Interfaces) extensively, which allowed them to present visualizations based on data pulled from many different security tools into a single customer dashboard.
Even though applications like ArcSight are natively multitenant, there are also security advantages to having customers access data through a custom portal, versus giving them direct access to the tools themselves. As he states it, “ArcSight is generally integrated into the core of your network where you don’t want customers having access. We resolved this by using APIs because we can control what data comes out and what information should be presented to customers.”
Discovering an integrated approach to Identity and Access Management
Today CISOs place IAM concerns at the top of the list because continuously connected users need swift access to business processes at a reduced risk. In the session “Access management: The glue between business value and security,” Micro Focus’ Kent Purdy and Chan Yoon talked mostly about these three access management trends: organizations are looking for more than just passwords; risk-based access is on the rise; and one size authentication no longer applies. They also pointed out some deployment gotchas, as well as some unique approaches that Micro Focus takes to solving these and other IAM-related problems.
Micro Focus’ Rob MacDonald and Derek Gordon from PWC discussed how Identity, among other technologies, can improve the customer experience in the session, “Improving the customer experience by understanding customer relationships.” IoT has a big part in that discussion from both a security and a customer experience perspective. To harness the power of IoT, businesses must learn how to manage it safely. At the heart of all enterprise security is the concept of identity. Just like people, connected things need to be given an identity from day one. Connected things and the people who use them must follow rules that govern access to information.
Ensure all devices follow standards and compliance to secure your
A significant part of any IT department’s day includes managing and maintaining security and compliance standards across a wide array of endpoints while enabling access to corporate applications and resources. The ZENworks portfolio includes a host of UEM products that consolidate management into a single solution. The session, “Automating IT management processes across device lifecycles with ZENworks: present and future,” with Micro Focus’ Jason Blackett and Gil Cattelain, looked at endpoint management needs and how ZENworks helps address them.
The “Securing your devices and data with ZENworks” session hosted by Micro Focus’ Darrin VandenBos considered what happens when security incidents occur, such as a stolen corporate laptop or smartphone, and how IT teams can best tackle security through their ZENworks implementation. Specific topics included patch management, containerization, data encryption, VPN enforcement, and other specifics that are critical to securing an enterprise’s IT assets.
The Summit included sessions with a number of our customers. The session, “Simplifying IT processes and increasing user productivity,” featured a case study highlighting Trinity Health, one of the largest multi-institutional Catholic healthcare delivery systems in the nation, serving communities in 22 states with 94 hospitals and 109 continuing care locations. The discussion focused on Trinity’s use of ZENworks Configuration Management and ZENworks Patch Management, with a particular emphasis on software distribution, secure patch management, asset management and automation of desktop migration to Windows 10, as well as touching on reporting and imaging.
Exploring data-centric security solutions that safeguard data throughout its entire lifecycle
In the session, “Voltage data-centric security innovations to expand protection—in use, motion and at rest,” Micro Focus’s Reiner Kappenberger shared how his team is growing the data security portfolio, adding key capabilities to make it the most comprehensive data-centric security portfolio in the industry. He detailed how they recently added transparent protection for cloud, commercial and in-house applications without critical application changes or integration required. Micro Focus is investing heavily in the protection of data of all types, he added, for structured and unstructured data, whether in use, in transit or at rest, for persistent protection and management of sensitive data across the enterprise.
Enterprises are adopting cloud services wholeheartedly. The panel discussion, “Cloud-based data privacy and protection: protecting data and privacy across hybrid IT,” outlined the challenges enterprises face in governing data security and privacy across hybrid IT. Concerns about control over platforms, multi-tenancy, data residency, identity and access, collaboration and data flowing into and between clouds were discussed.
Lastly, you can’t have an InfoSec conference without addressing GDPR, and the Cybersecurity Summit had a panel discussion on “Regulatory changes in GDPR and the United States.” GDPR raises the stakes for enterprises around the world to improve data governance and protection through its lifecycle. The panel discussed strategies for risk mitigation, including an interlock of tools and techniques to improve governance, manage identity and protect data. The biggest takeaway was that GDPR has hidden opportunities to create value and dramatically change the ROI of calculation and compliance.
If you missed the event, there is still a chance to see the sessions outlined above and more, online at the Digital Summit. Registration is free, even if you did not attend the Cybersecurity Summit. Then make plans to attend our second Summit, happening in the summer of 2019.