Michael Osterman's blog

On Messing Up…and Bouncing Back

BlackBerry used to be the dominant mobile messaging platform in the enterprise, but (by their own admission) they became arrogant as the market leader in the absence of serious competition.  Then along came the iPhone and Android on a variety of innovative devices – and several hundred thousand cool applications for both platforms.  Then came IT’s decision to more or less capitulate and let consumers dictate the mobile environment in their organizations.  The result was that the BlackBerry was relegated to a distant third place and lost mindshare, the clearest indication of which was a stock price that fell roughly 95% in a remarkably short time.  The net result was that not only would fewer users opt for BlackBerry devices, but IT would also reduce support for BlackBerry Enterprise Server (BES) – our own research shows that anticipated support for BES will be lower by early 2014 than it is today.

Clearly, RIM-then/BlackBerry-now messed things up quite seriously and squandered its enviable position as leader of a large and rapidly growing market.  Arguably, they did so at about the worst possible time – just as mobile was becoming the dominant computing platform for millions of users.  Compounding the problem, the company recognized their shortcomings, but then was late in delivering their next-generation handset and its enterprise platform.

However, BlackBerry seems to have righted what some might consider to be a sinking ship:

  • They introduced an advanced, elegantly designed, touch-only device, the Z10.
  • They announced a more traditionally designed, but equally advanced device, the Q10 that has a physical keyboard.
  • They introduced BlackBerry Enterprise Service 10 that supports not only BlackBerry devices, but also Android and iOS.
  • The company also just announced a lower cost device, the Q5, aimed at increasing the company’s penetration in emerging markets.
  • BlackBerry Balance provides one of the better platforms for segregating and managing company-owned and personal data on employee-owned devices.
  • The company will be making some very interesting announcements over the next several months that currently are under NDA.
  • The leadership team was replaced last year and seems to have given the company some traction once again.

Has BlackBerry turned the corner?  I’m convinced the answer is yes, but the company still has a significant amount of work ahead of it convincing others of that.  As noted above, our research shows that support for BES is still declining, at least in terms of the number of companies that plan to support it by next year.  I think this reflects an outdated perception by many IT decision makers that BlackBerry is still on the decline from a feature and function standpoint – in essence, many decision makers are basing their decisions on old information that BlackBerry will need to continue working hard to wean out of the IT mindset.

Similarly, many users don’t think that BlackBerry devices are nearly as cool as the iPhone 5 or many Android-based devices like the Nexus 4 or Galaxy S4.  Again, most of these people have probably not played with the Z10 and so think of “the BlackBerry” as the somewhat stodgy workhorse that it used to be – another hurdle that BlackBerry will have to overcome.  Complicating the problem is that most don’t consider BlackBerry a leader in the mobile space – a report we will publish within the next two weeks discusses the results of an in-depth survey we conducted on the mobile market in North America.  That survey shows that while 46% of IT decision makers and influencers believe that Apple is “definitely a leader” in the mobile messaging space, only 17% think this about BlackBerry; even Microsoft received a higher rating.

BlackBerry will have to continue working hard to regain its lost market share in the mid-market and enterprise space in North America, despite the fact that it currently dominates some markets, such as Latin America and South Africa.  However, I believe the company will be able to take back much of their share because they have several compelling arguments that should resonate nicely with IT decision makers: a solid, multi-platform mobile management system; new handsets that will appeal to many users; robust technology for addressing the BYOD issue; the company’s venerable security model that its competitors cannot match; and its ability to offer all of these capabilities from a single vendor.  The company’s serious missteps of the past – and their new management’s response to them – may end up being the best thing that could have happened to the company.

Some Thoughts from EMC World

I spent some time at EMC World last week in Las Vegas.  As always, it was time well spent in informative sessions and in individual meetings – and, gauging by the difficulty of traversing the hallways between sessions and after keynotes, the show was very well attended.

Although my bent in visiting a show like this is normally geared more toward security, archiving, encryption and other topics related to what Osterman Research does, two of the major themes I took from the conference were the growing importance of Big Data in the context of improving security, and the need to view backup, archiving and disaster recovery along a continuum of data and information protection instead of as individual point solutions.

With regard to the issue of Big Data and security, I believe that EMC and many others are correct in viewing Big Data as an important way to significantly improve the security of systems, networks, messaging and virtually every application on which we rely to get work done.  The issue of Big Data in a security context is a simple one: analyzing vast amounts of data from email, social media posts, transactions, various applications, location-generating systems and other data sources with the goal of determining when systems have been breached or are about to be.  The goal is less about preventing the ingress of bad guys and malicious content and more about analyzing the sometimes extremely subtle anomalies that occur when they do.  This is not to say that intrusion prevention or blocking content is irrelevant or futile, but rather that Big Data can be useful in keeping bad guys out, but more useful once they’re inside.

A good analogy that one speaker used – and that I am extending here – is that of the human body: your skin and other systems were designed to prevent intrusions of bacteria, viruses and other nasty stuff and it keeps most of this unwanted content out quite well.  However, when the inevitable intrusion occurs through a cut or some other breakdown of this intrusion prevention system, the immune system detects the sometimes very subtle anomaly and immediately goes to work in identifying, finding, encapsulating and destroying the intruding content.  In a sense, Big Data can act as the information source that enables the immune system in a corporate network or a cloud-based system, for example.

The second major theme – viewing backup, archiving and disaster recovery holistically – is an issue that I think will get more play simply because it makes so much sense.  Many decision makers tend to view these systems as point solutions with fundamentally different goals and often use different vendors to implement each capability.  While there’s nothing at all wrong with that approach, it might make more sense in some environments to view these solutions along the continuum of data protection, information protection and business protection.  Yes, backups are designed to protect snapshots of data to restore servers; archiving systems are designed to protect information for purposes of e-discovery, regulatory compliance or end-user self-service; and disaster recovery systems are designed to protect data and information from disruptions large and small.  However, all of these solutions are designed to protect an organization and its data along a continuum of sorts, and so it makes sense to manage them as parts of a whole instead of islands unto themselves.

The Evolution of Cloud Data Management

We have contended for some time that many organizations will migrate to a hybrid of on-premises and cloud infrastructure for many of their key systems, such as email, archiving, security, etc. While migrating completely to the cloud for things like archiving is quite feasible and the right decision for many companies, some decision makers want to maintain their data behind the corporate firewall. Reasons might include a fundamental mistrust of leaving sensitive corporate data in the hands of a third-party cloud provider, or it might be as simple as not wanting to invest in higher bandwidth pipes to move large amounts of data to and from the cloud.

As an example of this, Sherpa Software has recently introduced Attender Online. Attender Online is a cloud-based data management system that allows an organization to manage their Electronically Stored Information (ESI) via a cloud interface while leaving it in place on-premises. Attender Online is designed to meet a number of requirements, including storage management for both network file shares and desktop hard drives; ESI management on desktop computers, Exchange servers and file servers; and email content management in Exchange environments.

Attender Online allows management of on-premises content completely from a Web browser and permits administrators to create a customized, Windows 8-like interface to manage various content sources. The system maintains logs of policy behavior so that a complete audit trail is maintained.  Attender Online integrates with Active Directory and allows management of ESI content sources by associating them with individual computers or individuals within the organization. A key capability of the system is that it allows organizations to actively delete content that is no longer required, supporting defensible deletion policies—a critical issue for many organizations.

Although Attender Online is a useful solution and combines the ease of cloud management with on-premises data management, it is not without its limitations. It manages email only in Microsoft Exchange environments and .pst files, and it works only with Windows desktops. The latter is perhaps the more important limitation for many organizations given the large number of them that have mixed Windows and Mac desktops and laptops.

Even with some limitations, Attender Online is a useful capability that decision makers should seriously investigate.

The Workforce of the Future: Yes, You Should Be Worried

A good friend in Washington recently posted this on Facebook:

“I follow on Instagram almost all of my 6th grade youth group girls and I am continually amazed at how many of them have public profiles and post screen shots of their personal information. I wonder how many parents actually know what pictures they’re posting and if they really care…”

This is troubling on a couple of levels. First, many social media users tend to overshare their personal information and so are more susceptible to online fraud like email phishing. They’re opening themselves to a potentially higher likelihood of home burglary when they post near real-time photos of themselves on vacation or otherwise away from home. Young people, in particular, might be opening themselves to the worst kind of child abuse—a British newspaper did a search on Twitter and within two minutes found 20 users who expressed interest in “under-age images and child abuse”; within two hours they found 200.

Young people are typically the worst offenders because they care less about the privacy of their personal information. Lest you think I’m just some old guy making sweeping generalizations about young people, a new survey from the USC Annenberg Center for the Digital Future and Bovitz, Inc. found that while 77% of those 35 years of age or older agreed with the statement, “No one should ever be allowed to have access to my personal data or Web behavior,” only 70% of younger people agreed. I anticipate that as people grow up in an age of continual connectedness via social media, the proportion that care about personal privacy will continue to shrink.

However, employers need to be concerned about this, as well, since these are the people that will be your employees in the years to come. We hear on a regular basis how businesses must adapt their communication practices to young people entering the workforce—they need to make social media easily accessible, permit the use of personally owned smartphones and tablets, and generally migrate away from an email-centric mode of communication and collaboration. While that’s true, business decision makers also need to be concerned about the very real potential for oversharing employees to overshare corporate content. While much of this might be accidental, an employee with a predisposition toward oversharing personally is likely to do so with corporate information, as well.

It’s important to note that by oversharing, I’m not talking about sending things like trade secrets, confidential financial reports, or other really sensitive information through social media or other channels. While that can and does happen, quite often the oversharing can be more subtle. For example, an employee of a consumer products company who continually posts about business travel to Minneapolis or Atlanta or Issaquah might be giving clues about an upcoming retail deal with Target or Home Depot or Costco—information that could be valuable to competitors, but that was shared with no intention of revealing confidential information.

What should businesses do? First and foremost, establish policies focused on how devices and applications should be used—lots of organizations don’t have these policies, and they should. Second, implement a data leak prevention solution that will monitor all of the channels over which employees communicate, including email, social media, instant messaging, etc. The goal of the DLP solution should be to monitor communications and take appropriate action, which might include encrypting some content, blocking some messages, reminding senders about corporate policies before the send actually occurs, or routing some messages to a supervisor or compliance officer for further review.

Entering a new age of communication and collaboration with employees who might be less concerned about privacy means that decision makers need to be proactive in order to mitigate risk to the extent they can.

The Encryption Disconnect

Most content is not sent or stored with any sort of encryption. For example, attachments sent through email, files sent using many file transfer solutions, form data sent over the Internet, content stored in repositories like file servers, desktop computers, laptop computers, tablets, smartphones, removable storage devices like USB sticks, etc., are not sent or stored with encryption. The result is that a wide range of sensitive or confidential data is left vulnerable to interception by unauthorized parties, sometimes with very damaging results.

Decision makers are clearly not happy with the current state of their email policies in the context of encryption. For example, Osterman Research found in a study published in August 2012 that only 38% of mid-sized and large organizations find that their policies for encryption of confidential email and attachments meet their needs. Moreover, only about one-half of organizations have automated systems in place to scan outbound content for policy violations, sensitive information, credit card numbers, and information that should be encrypted. The predominant actions with outbound email at such organizations is to automatically apply policy requirements (such as encryption or distribution through a secure channel), or to remind users of corporate policies through a pop-up message.
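The outbound scanning described here, and the DLP actions recommended in the workforce post above (encrypt, block, remind the sender, or route for review), come down to a small decision function run over each message before it leaves. The following Python is an added example written for this page, not Osterman Research's or any vendor's code; the internal domain, the sensitivity markers, the bulk threshold and the test card numbers are constructed, and the card check is a Luhn validation over digit runs, which is what keeps phone numbers and order ids from tripping it.

```python
import re
from dataclasses import dataclass
from enum import Enum

INTERNAL_DOMAIN = "example.com"   # constructed: the organization's own mail domain
SENSITIVE_MARKERS = ("confidential", "internal only", "do not distribute")
BULK_CARD_THRESHOLD = 5           # constructed: this many card numbers in one message is treated as bulk


class Action(Enum):
    DELIVER = "deliver"
    ENCRYPT = "encrypt"   # apply the policy automatically: deliver over a secure channel
    REMIND = "remind"     # pop-up reminder of corporate policy before the send completes
    BLOCK = "block"
    REVIEW = "review"     # route to a supervisor or compliance officer


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str


# 13 to 19 digits, each optionally separated by a single space or hyphen
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that look like card numbers and also pass Luhn; most phone and order numbers fail."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def decide(msg: OutboundMessage):
    """Return (Action, reason) for one outbound message, most severe matching rule first."""
    text = f"{msg.subject}\n{msg.body}"
    cards = find_card_numbers(text)
    external = [r for r in msg.recipients if is_external(r)]
    marked = any(m in text.lower() for m in SENSITIVE_MARKERS)
    if cards and external and len(cards) >= BULK_CARD_THRESHOLD:
        return Action.BLOCK, f"{len(cards)} card numbers addressed outside the organization"
    if cards and external:
        return Action.ENCRYPT, f"{len(cards)} card number(s) addressed outside the organization"
    if cards:
        return Action.REVIEW, "card data in internal mail; route to compliance"
    if marked and external:
        return Action.REMIND, "content marked sensitive addressed outside the organization"
    return Action.DELIVER, "no policy match"


if __name__ == "__main__":
    # Constructed sample using a well-known test card number
    sample = OutboundMessage("alice@example.com", ["partner@example.org"], "Order 1887",
                             "Please charge 4111 1111 1111 1111, exp 12/25.")
    print(decide(sample))
```

The ordering of the rules is the policy: the same card number goes out encrypted to a partner but is routed to compliance when it circulates internally, and a keyword marker alone only earns the sender a reminder, which matches the two predominant actions the survey found.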

Making the encryption problem worse—dramatically in some cases—is the proliferation of cloud-based file synchronization and storage tools that are widely used in organizations of all sizes. For example, Dropbox is widely employed and currently has about 55 million users worldwide. An Osterman Research survey conducted in the first quarter of 2013 found that Dropbox is used extensively in organizations of all sizes, often without IT’s blessing or even their knowledge.

Dealing with encrypted messages in an end-to-end encryption solution presents a dilemma for content monitoring: allow the message to flow through unchanged thus respecting the encryption, or decrypt messages to check for policy and content violations. If the message is allowed to flow through unchanged, but the message is in violation of policy and compliance rules, this presents a problem for organizations. Encryption is being used to hide violations, and that creates a risk. On the other hand, if messages are authentically encrypted due to following policy and compliance rules for confidential or sensitive information, unnecessarily decrypting those messages creates the risk that the decrypted message will be accessible to people who should not have access to it. On balance, Osterman Research believes the most appropriate course of action is to decrypt inbound messages to check for policy violations.

On the other hand, integrated gateway encryption solutions take this issue into account as a core part of their design. For example, inbound messages found to be encrypted with an “approved” encryption solution are decrypted in memory at the gateway, scanned for various policies (which may include spam, malware and compliance policies), and sent in encrypted form to the appropriate destination based on policy. By default, both the gateway and the intended recipient have access to the unencrypted contents of the message and its attachments. In such a system, inbound messages encrypted with other forms of encryption (which the gateway cannot decrypt and analyze), are typically handled by an “acceptable encryption policy.” Typically, these policies specify some set of trusted recipients that may be allowed to receive arbitrary encrypted messages, but these messages will be quarantined if directed to others.
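The gateway behaviour just described, as an added example for this page rather than the code of any product: approved encryption is opened in memory, the plaintext is scanned for spam, malware and compliance policy, and the result is re-encrypted for delivery; encryption the gateway cannot open falls through to an acceptable-encryption policy keyed on the recipient. The "approved scheme" here is a labelled placeholder envelope standing in for real S/MIME or PGP key handling, the policy lexicons are constructed, and the malware check looks for the standard EICAR test string.

```python
from dataclasses import dataclass
from enum import Enum


class Disposition(Enum):
    DELIVER = "deliver"                      # scanned clean and re-encrypted for the recipient
    DELIVER_UNSCANNED = "deliver-unscanned"  # opaque encryption, but the recipient is trusted by policy
    QUARANTINE = "quarantine"


@dataclass
class InboundMessage:
    sender: str
    recipient: str
    scheme: str      # label of the encryption in use; "none" for cleartext
    payload: bytes


# Placeholder envelope standing in for the gateway's approved S/MIME or PGP keys (not real
# cryptography). It only marks where a real gateway would decrypt in memory and re-encrypt.
STUB_PREFIX = b"GATEWAY-SMIME-STUB:"


def stub_decrypt(blob: bytes) -> str:
    if not blob.startswith(STUB_PREFIX):
        raise ValueError("payload was not produced by the approved scheme")
    return blob[len(STUB_PREFIX):].decode()


def stub_encrypt(text: str) -> bytes:
    return STUB_PREFIX + text.encode()


APPROVED_SCHEMES = {"gateway-smime": (stub_decrypt, stub_encrypt)}

# EICAR test string: the standard harmless file that anti-malware engines detect by design
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SPAM_MARKERS = ("you have won", "claim your prize")                # constructed
COMPLIANCE_MARKERS = ("ssn:", "social security number")           # constructed


def scan(plaintext: str) -> list:
    """Policy checks run on decrypted content: malware, spam and compliance, in that order."""
    low = plaintext.lower()
    hits = []
    if EICAR in plaintext:
        hits.append("malware")
    if any(m in low for m in SPAM_MARKERS):
        hits.append("spam")
    if any(m in low for m in COMPLIANCE_MARKERS):
        hits.append("compliance")
    return hits


@dataclass
class AcceptableEncryptionPolicy:
    trusted_recipients: frozenset   # may receive encrypted mail the gateway cannot open


def handle_inbound(msg: InboundMessage, policy: AcceptableEncryptionPolicy):
    """Return (Disposition, payload to deliver, reasons)."""
    if msg.scheme == "none":
        hits = scan(msg.payload.decode())
        return (Disposition.QUARANTINE if hits else Disposition.DELIVER), msg.payload, hits
    if msg.scheme in APPROVED_SCHEMES:
        decrypt, encrypt = APPROVED_SCHEMES[msg.scheme]
        plaintext = decrypt(msg.payload)   # held in memory only for the duration of the scan
        hits = scan(plaintext)
        if hits:
            return Disposition.QUARANTINE, msg.payload, hits
        return Disposition.DELIVER, encrypt(plaintext), []   # re-encrypted for the destination
    # Encryption the gateway cannot open: the acceptable-encryption policy decides by recipient
    if msg.recipient.lower() in policy.trusted_recipients:
        return Disposition.DELIVER_UNSCANNED, msg.payload, ["opaque encryption; trusted recipient"]
    return Disposition.QUARANTINE, msg.payload, ["opaque encryption; recipient not on trusted list"]


if __name__ == "__main__":
    policy = AcceptableEncryptionPolicy(frozenset({"legal@example.com"}))   # constructed
    msg = InboundMessage("vendor@example.net", "ap@example.com", "gateway-smime",
                         stub_encrypt("Invoice attached. " + EICAR))
    print(handle_inbound(msg, policy))
```

The quarantine branch keeps the original ciphertext rather than the plaintext, so a reviewer releasing the message later still gets an encrypted object; the decrypted copy never outlives the scan.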

For more information on these issues and our recommendations for dealing with them, please see the white paper we published recently, Why Securing Communications and Content is a Critical Best Practice.

An Interesting Way to Address the BYOD Problem

I had an interesting discussion last week with AirPatrol, a company coming out of stealth mode, with regard to their solution to address the BYOD problem. Their approach, which they call “Cognitive Mobile Security,” uses location sensors installed within a building that can track mobile devices to an accuracy of 20 centimeters—accurate enough to identify whether a mobile device is in your shirt pocket or pants pocket.

AirPatrol’s Zone Defense solution is conceptually quite simple: location sensors, each of which can cover about 2,200 square feet, are deployed within a building (a minimum of three sensors are required per space for triangulation purposes).  These sensors provide continuous monitoring of all Wi-Fi- and cellular-enabled devices within their detection area, updating the location of each device about every three seconds. Through a single console, all devices can be monitored in real time, providing MAC addresses, association states and other information about each device.

If a device requests access to the corporate network, an agent is first downloaded to the device with the owner’s permission. If an unauthorized/agentless device is active within the monitored space, Zone Defense will alert the security team or other monitors to warn them of the potential security threat.

Once the agent is active on the device, location-based security policies will be enforced that can enable or disable certain features of the device. For example, if a particular room with sensitive information is defined as an area in which mobile device cameras and microphones should not be enabled, any device entering that zone will automatically have its camera and microphone disabled until it leaves that zone, although all other functions of the device will continue to operate normally. Moreover, the policy can be granular in that certain roles can have functions in a particular zone enabled, while other roles, such as visitors or consultants, can have functions in the same zone disabled.

AirPatrol’s solution, while requiring an agent on the device, is an elegant approach to the BYOD problem because it permits employees and others to use their devices, but with full knowledge and control of the organization’s security or other teams. It can prevent users from accessing the Internet via Wi-Fi or cellular connections during certain hours while connected to the corporate network to prevent security breaches, for example, while re-enabling Internet connectivity once the user has disconnected from the corporate network.

Although the US government is a significant customer of AirPatrol, banks, hedge funds and others are among the company’s customers.

The Benefit of Confusion

Gleaned from a Web search this morning:

“I have a data stream that will be sent as daily emails containing temperature and wind speed from a measurement site.  Our email system is Outlook…

“We are a GroupWise 6.5.5 shop. We have a new employee who will start work in 3 weeks whose current email system is Outlook.”

“We are using a Notes db to collect patient data which contains several forms.  But the db is in Notes R5 and the email system is Outlook.”

“The email system is Outlook 2003, the workflow is based on SharePoint 2010 Approval workflow.”

“Top candidates will have a working knowledge and experience with Microsoft Word, Powerpoint and Excel. Outlook is our email system, so a working knowledge of that is helpful but not necessary.”

Microsoft introduced Outlook 97 in January 1997 and bundled it with Exchange Server 5.5, but had included versions of Outlook for MS-DOS, Windows 3.1x and the Mac with that version of Exchange Server. Since that time, Outlook has become the more or less de facto standard for email clients—our research shows that about 70% of corporate users employ Outlook or Outlook Web Access as their primary work-focused email system.

However, it is important to note that Outlook is an email client, not an email system. That seems obvious to just about anyone in IT, but to many business decision makers—many of whom are pushing to replace GroupWise or some other email system with Exchange—it’s not quite so obvious. Many of them view Outlook as their email system, not appreciating that Exchange is the actual email system that is managing and presenting their email experience. That’s a serious problem for non-Microsoft vendors, who must overcome the misperception and educate decision makers—many of whom have already made up their mind about moving to Outlook—that email is about much more than just the personal email experience.

This confusion has definitely benefited Microsoft given the large number of organizations that have migrated competing email systems to Exchange over the years. I’ve wondered if this was a carefully planned decision by Microsoft back in the 1990s that has reaped huge rewards over the years, or if the company has simply benefited from an accidentally genius move that has convinced many decision makers that a user experience should be the driver for the email system decision. Either way, it has worked out quite well for Microsoft.

The implications of this are quite important, not only for Microsoft’s competitors, but also for decision makers that often are willing to spend millions of corporate dollars to migrate to Exchange, when what they’re really looking for is the Outlook experience.

I will be the first to admit that the Outlook experience is generally a good one, and that a decision to migrate to Exchange is not without merit. However, our cost modeling has demonstrated that several other email systems are significantly less expensive than Exchange, and not only when factoring in the cost of a migration: in many situations, these Exchange alternatives would be much less expensive even if they were being redeployed completely from scratch.

I have three recommendations for business decision makers that are intent on migrating to Outlook:

  1. Consider that Outlook is your email experience, but Exchange will be your email system. Talk to your IT administrators, consultants and other knowledgeable individuals inside and outside your company that can advise you on the merits of staying with your current email system vis-à-vis migrating to Exchange.
  2. Consider the complete cost of a migration—it may be more expensive than you think.
  3. Consider the long-term benefits of the migration. Will your users be sufficiently more productive with Outlook and Exchange than they would be if you stayed on whatever email system you’re using now? Will that increase in productivity offset the costs of switching email systems, including the disruption that comes from doing so?

Longline Phishing

Longline fishing is a commercial fishing technique in which a main line of up to several miles in length contains hundreds or thousands of short lines with hooks, each loaded with their own bait. The controversial technique is used to target certain types of fish, such as tuna and halibut, and can efficiently catch thousands of fish with a single deployment.

At RSA, Proofpoint discussed their discovery of what they have defined as “longline phishing attacks”—highly effective, large scale phishing attacks that have a high success rate in defeating existing anti-phishing defenses, and that result in a high clickthrough rate by users who receive these phishing emails.  These longline phishing attacks have three characteristics:

  • They are sent in high volumes—to the tune of hundreds of thousands or millions of emails per attack—but each recipient organization receives only a relatively small number of emails, on the order of less than 0.1% of its total email volume during the period of the attack.
  • The content of the emails that are sent is highly customized, using minor word changes, changes in the subject lines or body content, rotating the URLs that are included in the messages, a large number of sending IP addresses, and malware that is hosted on a large number of compromised—often legitimate—sites.
  • The use of zero-day exploits for which patches or AV signatures have not yet been developed.

The genius behind the longline phishing attack is that (a.) volumes of any one message are extremely low, which makes recognition of these attacks difficult; (b.) overall volumes of messages received per potential victim are also low, often not triggering conventional anti-spam or anti-malware defenses; (c.) the attacks exploit vulnerabilities for which no defense is yet available; and (d.) botnets are used to distribute the attack across a wide range of sending IP addresses—one such attack, designated “Letter.htm” by Proofpoint, used in excess of 25,000 unique sender IPs.

Another reason that longline phishing attacks are successful is that their perpetrators compromise legitimate Web sites to distribute malware in order to gain higher clickthrough rates from potential victims. For example, in the Letter.htm attack, the cybercriminals who launched it compromised 22 different legitimate Web sites and placed the malware deep within each site—an average of three subdirectories deep. Moreover, they waited to load malware onto these sites until after the attack had launched, increasing the likelihood that these sites’ administrators would not be able to discover or address the infiltration until after the attack had been completed. In the Letter.htm attack, more than 185,000 emails were sent to 80 companies over a span of three hours, no company received more than three emails with the same characteristics, and the total mail volume represented by the attack was less than 0.06% of the total volume of email received by each company.

Underscoring the effectiveness of longline phishing attacks, Proofpoint found that 11% of the messages delivered—observed in more than one billion email messages sent to large enterprises—resulted in users clicking on links in the messages, demonstrating the efficacy of using compromised legitimate Web sites as part of the attack effort.
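The three characteristics above, and the Letter.htm figures, describe a campaign that no single organization's mail filter can see: two or three messages from different IPs with different subjects look like noise locally, and only a view across many receiving organizations shows the pattern. The following Python is an added example of that cross-organization correlation written for this page, not Proofpoint's detection logic; the events, organizations, addresses (documentation TEST-NET ranges) and thresholds are constructed, with only the Letter.htm attachment name taken from the post.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MailEvent:
    org: str          # receiving organization, as seen by a filtering service that serves many of them
    sender_ip: str
    subject: str
    attachment: str   # "" when none
    url_host: str     # "" when none


def campaign_key(ev: MailEvent) -> str:
    """Subjects, wording and sending IPs rotate per message; the delivered payload (attachment
    name or hosting site) is what stays constant across the campaign, so it is the pivot."""
    return ev.attachment or ev.url_host


def analyse_campaigns(events, org_volume, min_ips=5, min_orgs=3, max_per_org=3, max_share=0.001):
    """Group events by payload pivot and test each group against the longline profile: many
    sending IPs, many target organizations, a handful of messages per organization, and a
    negligible share of each organization's total mail volume."""
    by_key = defaultdict(list)
    for ev in events:
        key = campaign_key(ev)
        if key:
            by_key[key].append(ev)
    findings = {}
    for key, evs in by_key.items():
        ips = {e.sender_ip for e in evs}
        per_org = Counter(e.org for e in evs)
        share = max(n / org_volume[o] for o, n in per_org.items())
        longline = (len(ips) >= min_ips and len(per_org) >= min_orgs
                    and max(per_org.values()) <= max_per_org and share <= max_share)
        findings[key] = {
            "messages": len(evs), "sender_ips": len(ips), "orgs": len(per_org),
            "max_per_org": max(per_org.values()), "max_share": share, "longline": longline,
        }
    return findings


def single_org_counts(events, org) -> Counter:
    """What one organization's own filter sees: per-pivot counts for that organization alone."""
    return Counter(campaign_key(e) for e in events if e.org == org and campaign_key(e))


# Constructed sample: total messages each organization received during the window
ORG_VOLUME = {f"org-{c}": 50_000 for c in "abcde"}


def sample_events():
    events = []
    subjects = ["Your invoice", "Invoice attached", "Re: invoice", "Payment notice", "Statement"]
    n = 0
    # Longline-style campaign: two messages per organization, every one from a different IP,
    # rotated subjects and hosting sites, constant attachment name
    for org in ORG_VOLUME:
        for _ in range(2):
            events.append(MailEvent(org, f"203.0.113.{n}", subjects[n % len(subjects)],
                                    "Letter.htm", f"compromised-site-{n % 4}.example"))
            n += 1
    # Conventional bulk spam: one organization gets 40 near-identical messages from two IPs
    for i in range(40):
        events.append(MailEvent("org-a", f"198.51.100.{i % 2}", "You have won", "", "lottery.example"))
    # Ordinary mail with no attachment or link carries no pivot and is ignored
    events.append(MailEvent("org-b", "192.0.2.1", "Lunch?", "", ""))
    return events


if __name__ == "__main__":
    for key, f in analyse_campaigns(sample_events(), ORG_VOLUME).items():
        print(key, f)
    print(single_org_counts(sample_events(), "org-a"))
```

Run stand-alone, the bulk campaign is obvious from any one organization's vantage point (40 copies) while the longline campaign shows up as two messages at org-a, which is exactly the per-company figure the post reports; the cross-organization view is what turns those two into ten sender IPs across five targets.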

There are three lessons that should be taken away from this:

  1. Bad guys are smart and well funded, and getting smarter and even more well funded.
  2. Users are an important line of defense in preventing these types of attacks.
  3. Anyone who thinks the “spam problem” has gone away is sorely mistaken.

More information on longline phishing attacks is available from Proofpoint here.

Employees Are Part of Your Security Infrastructure, Too

Most will agree that despite the enormous amounts spent on secure Web gateways, anti-virus software, cloud-based malware filtering and the like, users are still the weak link in the security chain. The primary reason for this is that increasingly they are the targets, often supplying the bad guys with the information they need by posting detailed personal information on social media and other sites. Moreover, bad guys can often harvest many of your company’s email addresses and use them to launch a phishing or spearphishing attack against your company’s employees. Smaller organizations are typically most vulnerable to attack because they often lack the budget or expertise to thwart sophisticated attacks.

As just one example of what can happen to a company, a cybercriminal could launch a spearphishing attack against a small company’s owner or other senior executive for the purpose of infecting his or her PC with malware, such as a keystroke logger. The goal of doing so would be to gain access to the corporate financial accounts so that the cybercriminal could transfer money to mules operating elsewhere in the country who would, in turn, transfer the money offshore.

To see how much information I could gather on a senior executive, I chose a company at random in Kent, Washington after doing a quick Google search. I went to this company’s Web site, found an owner of the company, and then did a search for his name on Facebook, where I found him. Although I’m not friends with this individual, a quick look at his wall revealed his former employers, where he went to high school, the fact that he is also a realtor, where he had lunch last Friday, his phone number, information about his Washington State Ferry ride last Tuesday, information about an upcoming company event in early March, the names of two people who gave him gifts in late January, and what he had for dessert on January 13th. A bad guy could have used any of this information to craft a spearphishing email with a subject line that would likely have attracted his attention and gotten him to click on a link to a malware site that would have infected his PC.

KnowBe4 is a Clearwater, Florida-based startup focused on combatting this kind of social engineering attack through a combination of employee training and periodic testing of the effectiveness of that training. Essentially, the company does three things:

  • Initially, it conducts a simulated phishing attack against a company’s employees to determine just how vulnerable they are to phishing attacks.
  • Then, it conducts individual online training sessions that last 30-40 minutes to educate employees about phishing and spearphishing.
  • It then follows up this training with simulated phishing attacks to determine just how vulnerable employees still are after the training.

Part of the effectiveness of this training method is that it provides a feedback loop that consists of testing, training, testing and remediation. Employees who fall for simulated phishing attempts can receive additional training or other remediation efforts designed to help them become more careful when inspecting their email.

KnowBe4 has demonstrated that their training and testing system can reduce employee vulnerability to phishing attempts. While KnowBe4’s solution certainly does not do away with the need for a layered security system at the gateway, server, desktop or cloud levels, it can bolster what is often the weakest link in a company’s security posture—their employees.

The Growing Success of DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a relatively simple authentication method designed to combat the growing problem of spoofed emails, particularly those that are designed to fool receivers who are the targets of cybercriminals. Using DMARC, a sender can indicate that any emails they send are protected by SPF, DKIM or both. A key element of DMARC is that the sender can also provide instructions on what to do if a message received is not protected by either method—e.g., send the message to quarantine or simply reject the message. The fundamental benefits of DMARC are that it allows a sender to demonstrate their authenticity to recipients, and it provides a systematic way of helping recipients to know what to do with emails that falsely purport to be from trusted senders.

One of the chief advantages of DMARC is that it removes the burden from the receiver of deciding what to do with a message that fails to authenticate via SPF and/or DKIM, since the sender’s policy dictates what should be done with the failed message. Another key element of DMARC is that it provides a robust mechanism for receivers to report back to senders on the passed and failed messages that they receive from each sender. DMARC policies are part of the DNS system and available to anyone that wants to use them.

Although DMARC was announced only 13 months ago, its uptake has been significant in terms of the number of mailboxes that are now protected by it. According to DMARC.org, three out of five of the 3.3 billion consumer mailboxes around the world are protected by DMARC, and one-half of the domains with the highest email sending volumes have implemented DMARC or are in the process of doing so.  Moreover, 70% of these leading sending domains have crafted policies directing recipients to take action against messages that are not authenticated. DMARC.org also reported that during the last two months of 2012, roughly 325 million messages were rejected based on DMARC policies—roughly 15% were from domains that are frequently phished.

DMARC is not a perfect solution to the problem of phishing. For example, it will not stop cybercriminals from creating and using variants of trusted domains—such as “eday.com” instead of “ebay.com” or “paypa1.com” instead of “paypal.com” (replacing the “l” with the numeral “1”). However, given the success it has demonstrated in its first 13 months, as well as the major email senders that are supporting it, DMARC is a significant step in the right direction of combatting phishing and online fraud.
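The record-and-policy mechanics described in this post, as an added example written for this page (not DMARC.org's or any receiver's implementation): it parses a DMARC TXT record, checks SPF and DKIM alignment against the visible From domain in strict or relaxed mode, falls back to the organizational domain's record for subdomains, and returns the sender's requested disposition. The DNS records are constructed stand-ins for real TXT lookups, organizational-domain handling is simplified to the last two labels rather than the Public Suffix List, and pct= sampling is not modelled. The last function is the caveat above in code: a look-alike domain that publishes its own record passes DMARC on its own terms, so catching it needs a separate check that DMARC does not provide.

```python
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups; a real evaluator queries _dmarc.<domain> over DNS.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    # A look-alike domain can publish its own, permissive record (constructed example)
    "_dmarc.examp1e.com": "v=DMARC1; p=none",
}


def parse_dmarc(txt: str):
    """Split 'tag=value; tag=value' into a dict; None if this is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real implementations consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def lookup_policy(from_domain: str, dns=DNS_TXT):
    """Record at the From domain wins; otherwise fall back to the organizational domain,
    in which case the subdomain policy (sp=) applies. Returns (record, is_subdomain)."""
    rec = parse_dmarc(dns.get(f"_dmarc.{from_domain.lower()}", ""))
    if rec:
        return rec, False
    od = org_domain(from_domain)
    if od != from_domain.lower():
        rec = parse_dmarc(dns.get(f"_dmarc.{od}", ""))
        if rec:
            return rec, True
    return None, False


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From header domain, the one the user sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for ("" if none)
    dkim_result: str
    dkim_domain: str   # d= of the verified DKIM signature ("" if none)


def evaluate_dmarc(auth: AuthResults, dns=DNS_TXT):
    """Return (result, disposition): result is pass/fail/none; disposition is the sender's
    requested action (none, quarantine or reject). pct= sampling is not modelled."""
    record, is_sub = lookup_policy(auth.from_domain, dns)
    if record is None:
        return "none", "none"
    spf_ok = (auth.spf_result == "pass" and auth.spf_domain
              and aligned(auth.spf_domain, auth.from_domain, record.get("aspf", "r")))
    dkim_ok = (auth.dkim_result == "pass" and auth.dkim_domain
               and aligned(auth.dkim_domain, auth.from_domain, record.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", (record.get("sp", record["p"]) if is_sub else record["p"])


# What DMARC does not cover: look-alike domains that authenticate as themselves
def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


CONFUSABLES = str.maketrans("10", "lo")   # digits commonly substituted for letters


def imitated_brand(domain: str, brands, max_distance: int = 1):
    """Return the protected brand domain this one most plausibly imitates, or None."""
    d = domain.lower()
    for brand in brands:
        if d == brand:
            return None
        if edit_distance(d.translate(CONFUSABLES), brand) <= max_distance:
            return brand
    return None
```

A spoof that claims example.com in the From header but authenticates as some other domain fails alignment and earns the published reject, while mail from the constructed look-alike examp1e.com passes because it is exactly what its own record says it is; that second case is where a brand watch list, not DMARC, has to do the work.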
