[ISN] RSA: Security vendors to build bridges at hot show

From: InfoSec News (isn@private)
Date: Mon Feb 23 2004 - 23:50:57 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.computerworld.com/securitytopics/security/story/0,10801,90384,00.html
    
    By Paul Roberts
    FEBRUARY 23, 2004
    
    Security is a hot topic in technology circles these days. For proof of
    that statement, one need look no further than the buzz surrounding
    this year's RSA Conference in San Francisco, an annual gathering
    focused on IT security.
    
    Once the exclusive province of cryptographers, the annual conference
    has grown and diversified in recent years along with the IT security
    industry itself. This year's conference will reflect heady times for
    that industry, with a high-profile keynote address by Microsoft Corp.  
    Chairman and Chief Software Architect Bill Gates, swollen attendance
    figures and a gaggle of product news from companies looking to build
    bridges between their products and those of competitors.
    
    Weary after a year punctuated by major outbreaks of worms such as
    Blaster, Sobig and MyDoom, more than 10,000 visitors are expected to
    visit San Francisco's Moscone Center this week, where more than 250
    exhibitors are displaying technology to stop malicious hackers,
    viruses and other online scourges, according to Sandra LaPedis, area
    vice president and general manager of RSA Conferences, a division of
    Bedford, Mass.-based RSA Security Inc.
    
    Attendance at this year's show is expected to be up by about 20% over
    2003, due in part to Gates' appearance, an improving economy and a
    sustained interest among companies and the public in computer security
    topics such as viruses, spam and identity theft, LaPedis said.
    
    Conference organizers have also changed tactics to broaden the show's
    appeal, adding a separate discussion track on identity and access
    management and a private Executive Security Action Forum for Fortune
    500 CIOs and chief information security officers today, she said.
    
    Dozens of companies, large and small, are planning announcements to
    coincide with the conference, with the need for better security
    management a dominant theme.
    
    VeriSign Inc., IBM and others are backing a new program to develop an
    open standard for strong, multifactor authentication that can be used
    across the Internet.
    
    Mountain View, Calif.-based VeriSign today announced an initiative
    called the Open Authentication Reference Architecture, or Oath, which
    is intended to replace the patchwork of proprietary
    user-authentication products and allow users to seamlessly access
    services on corporate networks and the Web, VeriSign executives said.  
    IBM said its Tivoli Identity Management product will support the new
    architecture.
    
    Sun Microsystems Inc. plans to announce at the RSA Conference changes
    to its product line that are intended to make network security easier
    to manage.
    
    Calling its new security model "Infinite Access," Sun plans to
    announce the integration of its Java Card technology with a wide range
    of the company's other software products. The closer integration will
    provide strong, multifactor authentication "out of the box" (without
    requiring custom integration) for customers who use Sun's Java Desktop
    System, its alternative to Windows, said Rama Moorthy, manager of the
    Security Marketing and Strategy group at Sun.
    
    The idea is to make security ubiquitous, invisible to users and easy
    for businesses to use, Moorthy said.
    
    Sun also plans to announce closer integration of its identity
    management product, the Java System Identity Server, with Microsoft's
    Active Directory Server. A new version of the Java System Identity
    Server that incorporates technology acquired with Sun's purchase of
    Waveset Technologies Inc. features improved life-cycle management for
    user accounts and will allow customers to directly manage accounts
    within Active Directory Server using the Java System Identity Server,
    she said.
    
    Companies such as Qualys Inc. and Tripwire Inc. plan to use the
    conference to announce versions of their products that work better
    with other security management technologies.
    
    Redwood City, Calif.-based Qualys plans to announce integration
    between its QualysGuard vulnerability testing service and security
    event management products from ArcSight Inc., GuardedNet Inc. and
    Network Intelligence Corp. The integration will allow customers using
    those products to correlate vulnerability information from QualysGuard
    with intrusion-detection systems (IDS) and firewalls to provide a
    single view of network security, a Qualys spokeswoman said.
    
    Portland, Ore.-based Tripwire Inc., which makes software to monitor
    changes in computer configurations, plans to announce an upgrade to
    its server management product. Tripwire Manager 4.1 will be easier to
    use with other enterprise management software such as Hewlett-Packard
    Co.'s OpenView and IBM's Tivoli, the company said.
    
    Sensing an opportunity, a new company, Skybox Security Inc. in Menlo
    Park, Calif., plans to unveil its Skybox View, an enterprise risk
    management platform, at the RSA Conference. Based on attack-simulation
    technology developed at Dartmouth College's Institute for Security
    Technology Studies, Skybox View creates an integrated security model
    of an organization's network that maps network scanners, firewalls and
    routers. The product then launches simulated attacks against them to
    identify likely access paths for attackers.
    
    Also on the management front, firewall maker Zone Labs Inc. plans to
    announce a new version of its Integrity security policy enforcement
    product, Zone Labs Integrity 5.0. The new integrated firewall and
    security policy management product features tighter integration with
    Check Point Software Technologies Ltd.'s firewalls and virtual private
    network products so companies can limit network access to machines
    that comply with security policies regarding antivirus updates,
    systems configuration and patch level, Zone Labs said.
    
    Finally, the Organization for the Advancement of Structured
    Information Standards (OASIS) plans to announce growing support for
    its emerging AVDL (Application Vulnerability Description Language)  
    standard, which allows security products from different vendors to
    share data about software vulnerabilities.
    
    A host of security technology companies, along with the U.S.  
    Department of Energy Computer Incident Advisory Capability
    organization, have announced support for the nascent standard.
    
    The OASIS AVDL Technical Committee has completed the first
    specification for the standard and will submit it to OASIS for
    approval in March, according to Brian Cohen, CEO of SPI Dynamics Inc.  
    in Atlanta and a member of the AVDL Working Group.
    
    AVDL will be a common language among disparate security products and,
    when widely adopted, will set the stage for a closer integration
    between vulnerability-detection systems and automated patching and
    remediation products, said Wes Wasson, vice president of marketing at
    NetContinuum Inc. in Santa Clara, Calif., and another AVDL Working
    Group member.
    
    "These devices need to start communicating in intelligent ways," said
    Pete Lindstrom, research director at Spire Security LLC, a market
    research and analysis company. "It doesn't mean you go bonkers with
    automation overnight, but we need to slowly get comfortable with
    things like dynamic reconfigurations [of network devices] in our
    environments."
    
    Eventually, closer links between vulnerability assessment products and
    technology such as firewalls and IDS are needed, he said.
    
     
    
    



    This archive was generated by hypermail 2b30 : Tue Feb 24 2004 - 06:42:41 PST