<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Alchemy Security</title>
	<atom:link href="http://alchemysecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://alchemysecurity.com</link>
	<description>Dedicated to the art and science of securing private information</description>
	<lastBuildDate>Wed, 31 Aug 2011 14:10:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>Alchemy Security Awarded ArcSight VAR Certification</title>
		<link>http://alchemysecurity.com/press-release/alchemy-security-awarded-arcsight-var-certification/</link>
		<comments>http://alchemysecurity.com/press-release/alchemy-security-awarded-arcsight-var-certification/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 13:23:33 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Press Release]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=623</guid>
		<description><![CDATA[<p>SOC Services and SIEM Specialist’s Experience and Deep Knowledge Recognized with
Gold Partner Status in ArcSight Connections Channel Program
</p>
<p>DENVER, CO &#8211; September 7, 2010 &#8211; Alchemy Security, well-known information security risk management pioneers, today announced a Value Added Reseller (VAR) agreement with <a href="http://www.arcsight.com">ArcSight</a>, Inc. (NASDAQ: ARST), a leading global provider of cybersecurity and compliance solutions. As a Gold Partner in [...]]]></description>
			<content:encoded><![CDATA[<p><strong>SOC Services and SIEM Specialist’s Experience and Deep Knowledge Recognized with<br />
Gold Partner Status in ArcSight Connections Channel Program<br />
</strong></p>
<p>DENVER, CO &#8211; September 7, 2010 &#8211; Alchemy Security, well-known information security risk management pioneers, today announced a Value Added Reseller (VAR) agreement with <a href="http://www.arcsight.com">ArcSight</a>, Inc. (NASDAQ: ARST), a leading global provider of cybersecurity and compliance solutions. As a Gold Partner in the newly structured ArcSight Connections Channel Program, Alchemy Security expands its partnership with ArcSight to offer mutual clients extensive expertise in solving strategic security challenges and implementing long lasting security programs. </p>
<p>“Alchemy Security offers strategic and enduring security solutions to our joint customers,” said Chris Triolo, vice president of solutions for ArcSight. “The company has worked with demanding international organizations and the team executes with efficiency and precision. We are proud to have Alchemy Security represent our brand in the marketplace.”</p>
<p>As a Gold Partner in the ArcSight Connections Channel Program, Alchemy Security joins a premier tier of partners recognized for their strong commitment to driving ArcSight business.  ArcSight extends dedicated business plan development support and higher financial incentives, as well as other program benefits to its Gold partners. </p>
<p>As an industry innovator, Alchemy Security is recognized for its broad competency in security information and event management (SIEM). Alchemy Security developed the world&#8217;s first Agile SOC model to be used by SMEs (Small Medium Enterprises) and global organizations alike to build robust security operations centers, custom tailored to meet the client&#8217;s specific organizational needs. This methodology has now been adopted by the ArcSight SOC services team. </p>
<p>“The exceptional flexibility and holistic approach to information security that ArcSight allows for is a competitive differentiator for us.  It lets our consultants deliver a balanced approach to business, compliance, security intelligence, and IT operations,” said Joe Bonnell, Alchemy Security, CEO. “Increasing our role in bringing ArcSight to more enterprises is exciting.  Our goal is to ensure organizations are no longer flying blind so that information security practitioners can prioritize limited resources in the most sensible manner possible.”</p>
<p>“Information security intelligence is an extremely complex problem. We have used every major SIEM solution on the market and nobody else comes close to ArcSight, particularly when you add compliance requirements from mandates like PCI and HIPAA / HITECH. ArcSight has the only solution that can actually deliver the goods,” adds Peter Schawacker, Managing Principal for SOC Services, Alchemy Security.</p>
<p>Alchemy Security provides comprehensive security and risk management services and solutions that include:</p>
<ul>
<li>SOC Express™
<ul>
<li>establishes fully functioning Security Operations Centers within 90 days</li>
</ul>
</li>
<li>Co-managed SIEM support
<ul>
<li>enables clients to utilize virtual ArcSight expertise in a cost-effective on-demand fashion</li>
</ul>
</li>
<li>Application/Environmental Log Analysis
<ul>
<li>educates clients as to gaps in policy vs. operating environment, estimates EPS and other considerations required for ArcSight architecture &#038; deployment</li>
</ul>
</li>
<li>Security intelligence staffing and training
<ul>
<li>ensures smooth transition project initiation and ongoing operations</li>
</ul>
</li>
<li>Security consulting
<ul>
<li>extends client security teams with niche information security expertise</li>
</ul>
</li>
</ul>
<p>About Alchemy Security:<br />
Alchemy Security provides sophisticated, strategic and enduring information security solutions for compliance, security intelligence, and business imperative initiatives. A holistic and cost effective approach to IT asset protection delivers the right balance of support, service and consultation to global retail, banking, technology, and health care organizations.  Alchemy Security is an ArcSight Gold partner, preferred vendor, and Value Added Reseller.  For more information please visit www.alchemysecurity.com</p>
<p>###</p>
<p>For more information:<br />
Heidi Groshelle<br />
Groshelle Communications<br />
415.307.1380<br />
heidi@groshelle.com</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/press-release/alchemy-security-awarded-arcsight-var-certification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alchemy Security Announces Hosting of &#8220;Mile High Security&#8221; B-Sides Event</title>
		<link>http://alchemysecurity.com/events/alchemy-security-announces-hosting-of-mile-high-security-bsides-event-2/</link>
		<comments>http://alchemysecurity.com/events/alchemy-security-announces-hosting-of-mile-high-security-bsides-event-2/#comments</comments>
		<pubDate>Thu, 22 Apr 2010 22:08:20 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=595</guid>
		<description><![CDATA[<p>Alchemy Security is proud to announce that we&#8217;ll be hosting a Security B-Sides &#8220;Mile High Security&#8221; event at our corporate headquarters here in Denver on June 18th. To learn more or to attend the event you can check out the details <a href="http://www.securitybsides.com/BSidesDenver">here</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p>Alchemy Security is proud to announce that we&#8217;ll be hosting a Security B-Sides &#8220;Mile High Security&#8221; event at our corporate headquarters here in Denver on June 18th. To learn more or to attend the event you can check out the details <a href="http://www.securitybsides.com/BSidesDenver">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/events/alchemy-security-announces-hosting-of-mile-high-security-bsides-event-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Peter Schawacker to Present at ISSA Ottawa Chapter</title>
		<link>http://alchemysecurity.com/soc/peter-schawacker-to-present-at-issa-ottawa-chapter/</link>
		<comments>http://alchemysecurity.com/soc/peter-schawacker-to-present-at-issa-ottawa-chapter/#comments</comments>
		<pubDate>Thu, 08 Apr 2010 03:30:13 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Agile Security]]></category>
		<category><![CDATA[Security Operations]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=566</guid>
		<description><![CDATA[<p>Mark your calendars. Peter Schawacker, Managing Principal SOC Services, will be sharing his latest thoughts on the subjects of Agile Security &#038; SOC at the Ottawa Chapter of ISSA <a href="http://www.issa-ottawa.ca/">April 29th</a>. </p>
]]></description>
			<content:encoded><![CDATA[<p>Mark your calendars. Peter Schawacker, Managing Principal SOC Services, will be sharing his latest thoughts on the subjects of Agile Security &#038; SOC at the Ottawa Chapter of ISSA <a href="http://www.issa-ottawa.ca/">April 29th</a>. </p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/soc/peter-schawacker-to-present-at-issa-ottawa-chapter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Peter Schawacker to present on Agile SOC at UNIX Users Association of Southern California- LA Chapter</title>
		<link>http://alchemysecurity.com/scrum/peter-schawacker-to-present-on-agile-soc-at-unix-users-association-of-southern-california-la-chapter/</link>
		<comments>http://alchemysecurity.com/scrum/peter-schawacker-to-present-on-agile-soc-at-unix-users-association-of-southern-california-la-chapter/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 20:15:33 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Scrum]]></category>
		<category><![CDATA[Security Operations]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=561</guid>
		<description><![CDATA[<p>Peter Schawacker, Principal Consultant SOC Services will be presenting at the <a href="http://bolthole.com/uuala/">UNIX Users Association of Southern California- LA Chapter</a> on May 6 to discuss Agile SOC practices used to build world-class security operations centers.</p>
]]></description>
			<content:encoded><![CDATA[<p>Peter Schawacker, Principal Consultant SOC Services will be presenting at the <a href="http://bolthole.com/uuala/">UNIX Users Association of Southern California- LA Chapter</a> on May 6 to discuss Agile SOC practices used to build world-class security operations centers.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/scrum/peter-schawacker-to-present-on-agile-soc-at-unix-users-association-of-southern-california-la-chapter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Damon Cortesi to Present At Seattle Chapter of National Information Security Group (NAISG)</title>
		<link>http://alchemysecurity.com/events/damon-cortesi-to-present-at-seattle-chapter-of-national-information-security-group-naisg/</link>
		<comments>http://alchemysecurity.com/events/damon-cortesi-to-present-at-seattle-chapter-of-national-information-security-group-naisg/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 20:07:43 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=559</guid>
		<description><![CDATA[<p>Damon Cortesi, Principal Consultant at Alchemy Security will present on common security failures associated with Social Media Web Applications such as Twitter, Facebook, and other online web sites at the <a href="http://seattle.naisg.org/">Seattle chapter</a> of NAISG.</p>
]]></description>
			<content:encoded><![CDATA[<p>Damon Cortesi, Principal Consultant at Alchemy Security will present on common security failures associated with Social Media Web Applications such as Twitter, Facebook, and other online web sites at the <a href="http://seattle.naisg.org/">Seattle chapter</a> of NAISG.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/events/damon-cortesi-to-present-at-seattle-chapter-of-national-information-security-group-naisg/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Peter Schawacker Presents on Agile Security at UNIX Users Association of Southern California</title>
		<link>http://alchemysecurity.com/scrum/peter-schawacker-presents-on-agile-security-at-unix-users-association-of-southern-california/</link>
		<comments>http://alchemysecurity.com/scrum/peter-schawacker-presents-on-agile-security-at-unix-users-association-of-southern-california/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 19:57:57 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Scrum]]></category>
		<category><![CDATA[Security Operations]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=554</guid>
		<description><![CDATA[<p>Peter Schawacker, Principal Consultant for our SOC Consulting group <a href="http://www.uuasc.org/p1001.html">discusses</a> how Agile Security techniques can be used to better secure environments at the <a href="http://www.uuasc.org/">UNIX Users Association of Southern California</a>. </p>
]]></description>
			<content:encoded><![CDATA[<p>Peter Schawacker, Principal Consultant for our SOC Consulting group <a href="http://www.uuasc.org/p1001.html">discusses</a> how Agile Security techniques can be used to better secure environments at the <a href="http://www.uuasc.org/">UNIX Users Association of Southern California</a>. </p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/scrum/peter-schawacker-presents-on-agile-security-at-unix-users-association-of-southern-california/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Damon Cortesi to Present at Security BSides Las Vegas</title>
		<link>http://alchemysecurity.com/events/damon-cortesi-to-present-at-security-bsides-las-vegas/</link>
		<comments>http://alchemysecurity.com/events/damon-cortesi-to-present-at-security-bsides-las-vegas/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 16:04:17 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=462</guid>
		<description><![CDATA[<p>Principal Consultant Damon Cortesi will be presenting at <a href="http://www.securitybsides.com/BSidesLasVegas ">Security BSides Las Vegas</a>. Damon&#8217;s talk will cover security considerations within social networking sites such as Twitter, as well as web-application related challenges organizations face in the web 2.0 space.</p>
]]></description>
			<content:encoded><![CDATA[<p>Principal Consultant Damon Cortesi will be presenting at <a href="http://www.securitybsides.com/BSidesLasVegas ">Security BSides Las Vegas</a>. Damon&#8217;s talk will cover security considerations within social networking sites such as Twitter, as well as web-application related challenges organizations face in the web 2.0 space.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/events/damon-cortesi-to-present-at-security-bsides-las-vegas/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI Compliance Becomes Scorecard for CSOs</title>
		<link>http://alchemysecurity.com/general-security/pci-compliance-becomes-scorecard-for-csos/</link>
		<comments>http://alchemysecurity.com/general-security/pci-compliance-becomes-scorecard-for-csos/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 21:44:01 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[General Security]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=436</guid>
		<description><![CDATA[<p>Companies recertifying for the second or third year of PCI compliance are having a rough go of things as of late. A combination of the latest clarifications within the revised PCI DSS standard, along with the recent scoring matrix that compels assessors to ensure they have done a thorough job as part of the review, has caught an unfortunate number [...]]]></description>
			<content:encoded><![CDATA[<p>Companies recertifying for the second or third year of PCI compliance are having a rough go of things as of late. A combination of the latest clarifications within the revised PCI DSS standard, along with the recent scoring matrix that compels assessors to ensure they have done a thorough job as part of the review, has caught an unfortunate number of CISOs flat-footed. Anyone who thinks they are about to go through a &#8220;check box exercise&#8221; could find themselves with small to large remediation efforts that are forcing many to miss their renewal dates. These challenges are being exacerbated by the fact that assessors are getting better at their job, and security budgets are getting hit like everything else. These dynamics are generating some painful realities for those chartered to maintain compliance to this very thorough and rigorous standard. Unfortunately for most CISOs, the subtleties of <em>why</em> they are missing compliance dates and risk potential fines and/or change of compliance status for service providers are lost on executive leadership. Based upon some things we&#8217;ve observed over the years, leadership changes aren&#8217;t necessarily a bad thing, but it doesn&#8217;t serve anyone&#8217;s interest to throw the baby out with the bathwater. </p>
<p><strong>What is a CEO to do?</strong><br />
Meanwhile, CEOs are struggling to drive the business forward in a historically difficult operating environment, and often view the Infosec team as being an impediment rather than an enabler to the business. An ill-tempered CEO who thinks his CISO isn&#8217;t getting the job done does not bode well for our industry, as playing a game of musical chairs merely slows down security initiatives, thus defeating what were certainly good intentions. What makes this decision more difficult is that the CEO has little tangible insight as to whether organizational risk is trending up or down. Graph charts depicting a downtrend of critical findings from Nessus scans surely don&#8217;t tell a CEO much about how much risk has been mitigated. Fact is, based upon our observations, there are very few CISOs who even know <em>what</em> they are protecting outside of PCI related assets.</p>
<p><strong>Getting beyond the PCI scorecard</strong><br />
Within the current operating landscape, it’s incumbent upon CISOs (or equivalent in responsibility) to establish within the organization that compliance is a shared problem between all parts of the business including IT operations, Security Operations, Human Resources, Legal, and Executive Leadership. It should further be made clear what exactly each part of the business is responsible for implementing, and all should be held accountable. Finally, bringing effective communications supported by meaningful metrics to the subject is critical to help communicate throughout the leadership chain that residual risk is being appropriately managed and mitigated. </p>
<p>As for your next PCI assessment, unless you&#8217;ve consulted with your QSA to discuss changes made within the standard, it is wise to set expectations with varying levels of leadership that there will likely be findings that weren’t issues within previous years and to anticipate resource requirements accordingly.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/general-security/pci-compliance-becomes-scorecard-for-csos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Way Forward for Information Security</title>
		<link>http://alchemysecurity.com/general-security/the-way-forward-for-information-security/</link>
		<comments>http://alchemysecurity.com/general-security/the-way-forward-for-information-security/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 16:55:12 +0000</pubDate>
		<dc:creator>Peter Schawacker</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[Security Operations]]></category>

		<guid isPermaLink="false">http://74.50.54.154/?p=422</guid>
		<description><![CDATA[<p>Every system has within it the limitation that it cannot exist unto itself.  The big problems of Information Security will remain intractable as long as industry participants continue to focus inward.  </p>
<p>For the past year or so, I have noticed that, at the same time that security technologies are reaching a certain degree of maturity, security projects remain [...]]]></description>
			<content:encoded><![CDATA[<p>Every system has within it the limitation that it cannot exist unto itself.  The big problems of Information Security will remain intractable as long as industry participants continue to focus inward.  </p>
<p>For the past year or so, I have noticed that, at the same time that security technologies are reaching a certain degree of maturity, security projects remain highly prone to failure.  Information Security seems  to have struck a ceiling in its development.  The tools that we have at our disposal – authentication, monitoring, etc. – seem to be adequate when properly implemented.  But proper implementation does not happen enough of the time.</p>
<p>Some time ago, I started taking excursions into the world of Project Management.  Certain colleagues of mine had encouraged me to look into PMI’s PMP certification and so I did.  What I found astounded me.  No one that I have encountered in the Project Management world (I visit lots of meetings of PMI and Agile professionals) had a clue about Information Security.  My knee-jerk reaction was to deride the PMs for their naïveté.  But then I recalled conversations with InfoSec people about Project Management.  Their attitude was not merely one of ignorance, but of disdain for Project Management as a whole!  Let me qualify this statement by saying that there exist a few InfoSec experts who appreciate the value of Project Management, and even a few who actually know how to manage projects.  But generally, my conversations and research in both worlds, PM and InfoSec, reveal that these two communities are almost entirely unaware of each other.</p>
<p>The tools now exist; the craftsmen are capable and ready to build great security.  But the plans elude them.  Worse yet, the craftsmen usually insist that planning is to be avoided.  If we, as a profession, are to advance our effectiveness throughout the industry, we must extend our understanding into fields of knowledge that will allow us to create those plans.</p>
<p>In the days and weeks ahead, I will present one way forward for Information Security, from dependence upon tools and individual experts, toward managing teams that achieve results that exceed what has been left to individuals.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/general-security/the-way-forward-for-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Confidential Information Compromised Via Weak Password</title>
		<link>http://alchemysecurity.com/general-security/twitter-confidential-information-compromised-via-weak-password/</link>
		<comments>http://alchemysecurity.com/general-security/twitter-confidential-information-compromised-via-weak-password/#comments</comments>
		<pubDate>Fri, 17 Jul 2009 05:15:24 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[Headdesk]]></category>

		<guid isPermaLink="false">http://74.50.54.154/?p=398</guid>
		<description><![CDATA[<p>As <a href="http://bits.blogs.nytimes.com/2009/07/15/hacker-exposes-private-twitter-documents/">noted</a>, poor password management trumps strong security technology every time. Any bets on how long before Google *requires* strong passwords? Both are victims, both share blame. A side note about this hack is that it highlights the trust relationships (and residual risk) that business partnerships impart upon each other.</p>
]]></description>
			<content:encoded><![CDATA[<p>As <a href="http://bits.blogs.nytimes.com/2009/07/15/hacker-exposes-private-twitter-documents/">noted</a>, poor password management trumps strong security technology every time. Any bets on how long before Google *requires* strong passwords? Both are victims, both share blame. A side note about this hack is that it highlights the trust relationships (and residual risk) that business partnerships impart upon each other.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/general-security/twitter-confidential-information-compromised-via-weak-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

