<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: clark]]></title>
    <link>http://securityratty.com/tag/clark</link>
    <description></description>
    <pubDate>Fri, 14 Dec 2007 12:48:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Digital Technology, Threatening Art and Culture One Form at A Time]]></title>
      <link>http://securityratty.com/article/2633632f809e752bc6c7bfb11b738f9c</link>
      <guid>http://securityratty.com/article/2633632f809e752bc6c7bfb11b738f9c</guid>
      <description><![CDATA[Several friends of mine used to debate at length What is art? now that digital art, guerilla art, performance art, advertising collateral, and the blending of media have blurred the boundaries of what...]]></description>
      <content:encoded><![CDATA[<p>Several friends of mine used to debate at length &#8220;What is art?&#8221; &#8212; now that digital art, guerilla art, performance art, advertising collateral, and the blending of media have blurred the boundaries of what was once a clear-cut discipline. Art&#8217;s not just pure visual painting and sculpture any more that gets hung and revered on the walls of museums&#8211;more and more people are looking for art that&#8217;s interactive, conceptual, interested in the pop social experience, and blends a range of media. While traditionalists who hang paintings in museums might feel that these new art forms aren&#8217;t true art, new digital and interactive creations are still infused in our culture and experience, influencing our aesthetic tastes.</p>
<p>Jeff Clark of Neoformix is one such artist blurring the boundaries between programming, verbal, and visual art. Using a scripted algorithm he generates portraits of famous people and animals using an algorithm that creates words in the colors and patterns needed to create the portrait. Some examples feature a shot of <a rel="nofollow" target="_blank" href="http://neoformix.com/2008/wp_ObamaCol2.png">Barack Obama</a> created with the words &#8220;Yes We Can&#8221; and <a rel="nofollow" target="_blank" href="http://flowingdata.com/2008/11/18/word-portraits-of-famous-people-obama-einstein-and-ginger-the-cockapoo/">Albert Einstein</a> with the word &#8220;Genius.&#8221; Very cool&#8211; go take a look.</p>]]></content:encoded>
      <pubDate>Tue, 18 Nov 2008 11:38:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/art">art</category>
      <category domain="http://securityratty.com/tag/art forms">art forms</category>
      <category domain="http://securityratty.com/tag/visual art">visual art</category>
      <category domain="http://securityratty.com/tag/true art">true art</category>
      <category domain="http://securityratty.com/tag/performance art">performance art</category>
      <category domain="http://securityratty.com/tag/digital art">digital art</category>
      <category domain="http://securityratty.com/tag/digital">digital</category>
      <category domain="http://securityratty.com/tag/guerilla art">guerilla art</category>
      <category domain="http://securityratty.com/tag/experience">experience</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/457720606/">Digital Technology, Threatening Art and Culture One Form at A Time</source>
    </item>
    <item>
      <title><![CDATA[Fraud Detection in Financial Services Reloaded]]></title>
      <link>http://securityratty.com/article/ded3c6e73beb9af7e3aaa5abae657b06</link>
      <guid>http://securityratty.com/article/ded3c6e73beb9af7e3aaa5abae657b06</guid>
      <description><![CDATA[I read an interesting post by the former CTO of out-of-business Kaskad Technology , where event processing colleague Colin Clark respectfully disagrees with my assessment of the (lack of) capabilities in...]]></description>
      <content:encoded><![CDATA[<p>I read an <a href="http://colinclarkeventprocessing.com/?p=154" target="_blank">interesting post</a> by the former CTO of <a href="http://rulecore.com/CEPblog/?p=279" target="_blank">out-of-business Kaskad Technology</a>, where event processing colleague Colin Clark respectfully disagrees with my assessment of the (lack of) capabilities in current-generation &#8220;CEP engines&#8221; for detecting complex fraud in financial services.  I&#8217;ll respond with a quote from my September 2007 post,  <a title="End Users Should Define the CEP Market." rel="bookmark" href="http://www.thecepblog.com/2007/12/17/end-users-should-define-the-cep-market/"><span style="color: #105cb6;">End Users Should Define the CEP Market.</span></a></p>
<blockquote><p><em>&#8220;Experienced end users are very intelligent. </em></p>
<p><em>These end users know the complex event processing problems they need to solve; and they know the limitations of the current COTS approaches marketed by the CEP community.  Even in Thailand, a country many of you might mistakenly think is not very advanced technologically, there are experts in telecommunications (who run large networks) who are working on very difficult fraud detection applications, and they use neural networks and say the results are very good.   However, there is not one CEP vendor, that I know of, who offers true CEP capability in the form of neural nets. </em></p>
<p><em>Almost every major bank, telco, etc. has the same opinion, and the same problem. They need much more capability than streaming joins, selects and rules to solve their complex event processing problems that Dr. Luckham outlined in his book.   The software vendors are attempting to define the CEP market to match their capability; unfortunately, their capabilities do not meet the requirements of the vast majority of end users who have CEP problems to solve.</em></p>
<p><em>If the current CEP platforms were truly solving complex event processing problems, annual sales would be orders of magnitude higher.  Hence, the users have already voted.   The problem is that the CEP community is not listening.&#8221;</em></p></blockquote>
<p>Not to be overly repetitive,  but the last part of this quote from a year ago is worth highlighting:</p>
<blockquote><p><em>&#8220;If the current CEP platforms were truly solving complex event processing problems, annual sales would be orders of magnitude higher.  Hence, the users have already voted.   The problem is that the CEP community is not listening.&#8221;</em></p></blockquote>
<p>Frankly speaking, nothing in the &#8220;CEP world&#8221; has changed, technologically speaking, since this September 2007 post was written.  From a sales perspective, we have seen fewer CEP-related sales in 2008 than in prior years.   If these so-called CEP products were actually capable of detecting &#8220;real&#8221; complex network-centric situations (threats) in real time, they would be selling faster than a cup of ice water in the blazing hot Sahara desert.</p>
<p>Don&#8217;t shoot the messenger.  Build better detection engines!</p>
<p>On the other hand, maybe complex detection is too hard for most of these companies and that is why they focus on routing, mediation and relatively simple rule-based scenarios, versus complex event processing?</p>
]]></content:encoded>
      <pubDate>Sat, 20 Sep 2008 18:36:27 +0000</pubDate>
      <category domain="http://securityratty.com/tag/event">event</category>
      <category domain="http://securityratty.com/tag/versus complex event">versus complex event</category>
      <category domain="http://securityratty.com/tag/cep">cep</category>
      <category domain="http://securityratty.com/tag/cep products">cep products</category>
      <category domain="http://securityratty.com/tag/cep community">cep community</category>
      <category domain="http://securityratty.com/tag/cep vendor">cep vendor</category>
      <category domain="http://securityratty.com/tag/current cep platforms">current cep platforms</category>
      <category domain="http://securityratty.com/tag/complex event">complex event</category>
      <category domain="http://securityratty.com/tag/sales">sales</category>
      <source url="http://www.thecepblog.com/2008/09/20/fraud-detection-in-financial-services-reloaded/">Fraud Detection in Financial Services Reloaded</source>
    </item>
    <item>
      <title><![CDATA[NAC is a battlefield - Only the strong survive]]></title>
      <link>http://securityratty.com/article/c960dc03b52138212a94130ce5290bca</link>
      <guid>http://securityratty.com/article/c960dc03b52138212a94130ce5290bca</guid>
      <description><![CDATA[First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks appears to be exiting the NAC market . Of course the obvious reaction as a competitor is to say good riddance, one less...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks <a href="http://lockdownnetworks.com/lockdown_networks.php" target="_blank">appears to be exiting the NAC market</a>.&nbsp; Of course the obvious reaction as a competitor is to say good riddance, one less competitor to deal with.&nbsp; But to turn a quote on its ear, I write today not to bury Lockdown Networks, but to praise them. More than the other two NAC companies that have exited the market, I was personally in the loop on Lockdown Networks. I first heard about them when a VC friend of ours asked us about them years ago.&nbsp; This was when we were still planning Safe Access and Lockdown's business plan was vulnerability management. They had not raised money yet and were still in stealth mode. We thought of them as competition for our VAM product, but wanted to see what they would come up with. I stayed abreast watching their progress from afar. Some time later, when I was looking to put together a group of companies to form a coalition to develop an independent NASL script library, knowing that they used Nessus, I reached out to them.</p>

<p>This is when I first met Rob Gilde.&nbsp; Subsequently I also met Brett and most of the rest of the team there. I like Rob, he ran their product team, was knowledgeable and a nice guy in a west coast laid back kind of way.&nbsp; In short time it became apparent&nbsp; to me that Lockdown was looking to move out of the VM business.&nbsp; Rob realized that just scanning and reporting was not going to make it.&nbsp; He had the notion of adding enforcement to his vulnerability scanning. If you failed a vulnerability scan, you should be denied access to the network.&nbsp; My initial reaction was vulnerability scans are done mostly on servers, but Rob wanted to do vulnerability scans on endpoints.&nbsp; That is when I told him about our own product which we were about to release. Rob and the team re-tooled and released their Enforcer product some time later.&nbsp; </p>

<p>I personally always thought that doing SANS TOP 20 scans on endpoints was not where it was at in NAC, but Lockdown raised money from Intel and a bunch of other folks and was making a big splash in the heady, gold rush days of NAC.&nbsp; We ran into them on deals from time to time, especially in many of our major partner/OEM deals.&nbsp; The good news for us, is that just about all of the time, our product was picked over theirs.</p>

<p>Soon rumors were everywhere that Lockdown was on the block.&nbsp; Brett and team were looking to grab 20 or so major customers and quickly flip the company for a big win.&nbsp; Then we began hearing that they were looking for less and less money.&nbsp; Also, their PR began becoming more and more desperate.&nbsp; That is when I began calling them on it in my blogging.&nbsp; Evidently that got their attention.&nbsp; A few Interop shows ago, Rob called me over and said he and especially Brett were really upset I called them out.&nbsp; I apologized and said hey I call them as I see them.&nbsp; At RSA or another show after that Brett walked right by me and tried his best to diss me.&nbsp; People from NY don't get dissed that easy though.&nbsp; I just laughed it off, but it was the last time I spoke to anyone at Lockdown.&nbsp; </p>

<p>Recently we have begun to see a few customers that were choosing our Safe Access product to replace Lockdown's.&nbsp; I thought this was ominous for them, but hey good for us! I truly expected to hear any day of someone picking them up at a decent price. I didn't think it would just implode.&nbsp; In many ways a company shutting down is a death of a thousand dreams.&nbsp; The soaring aspirations of the founders, the individual sugar plum fantasies of the early hires, the VC's thinking this could be the big hit.&nbsp; Perhaps most sad of all, the customers who looked at the market and for whatever reasons decided that Lockdown offered them the best product for providing NAC and solving their problems.&nbsp; Those people made a bet that Lockdown would be there to solve the issues and provide a great solution.&nbsp; They as much as anyone lost that bet.&nbsp; </p>

<p>As they do on Ebay, here is a second chance for Lockdown customers.&nbsp; We will have on our web site a special offer to upgrade you to Safe Access and leverage your investment in Lockdown.&nbsp; Lockdown's misfortune does not have to be yours.&nbsp; We are here to help and are here to stay.&nbsp; So to all of Lockdown's customers, I am sorry you are left in a hard place here, but there is help.</p>

<p>To Brett, Dan Clark and the rest of the Lockdown crew, most especially to Rob Gilde, I offer my sympathies that this did not turn out better for you.&nbsp; You all made a great effort and you made us try harder which resulted in our product being developed faster than it would have otherwise.&nbsp; For that I thank you and wish you all the best of luck in your future endeavors. This song is for you:</p>

<div class="wlWriterSmartContent" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:ac1ba53c-4651-4700-8523-c45cc557ec53" style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"><div id="d5269806-6ca5-47f2-afdd-a496ae1b682a" style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"><div><embed src="http://www.youtube.com/v/j9J9rTZJBmw&amp;hl=en" width="425" height="350" type="application/x-shockwave-flash" wmode="transparent"></embed></div></div></div></div>
]]></content:encoded>
      <pubDate>Tue, 18 Mar 2008 22:48:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/lockdown networks appears">lockdown networks appears</category>
      <category domain="http://securityratty.com/tag/lockdown networks">lockdown networks</category>
      <category domain="http://securityratty.com/tag/bury lockdown networks">bury lockdown networks</category>
      <category domain="http://securityratty.com/tag/lockdown">lockdown</category>
      <category domain="http://securityratty.com/tag/team">team</category>
      <category domain="http://securityratty.com/tag/product team">product team</category>
      <category domain="http://securityratty.com/tag/product">product</category>
      <category domain="http://securityratty.com/tag/vam product">vam product</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/03/nac-is-a-battle.html">NAC is a battlefield - Only the strong survive</source>
    </item>
    <item>
      <title><![CDATA[NAC is a battlefield - Only the strong survive]]></title>
      <link>http://securityratty.com/article/893663b3663f65421ed045d52b851cc5</link>
      <guid>http://securityratty.com/article/893663b3663f65421ed045d52b851cc5</guid>
      <description><![CDATA[First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks appears to be exiting the NAC market . Of course the obvious reaction as a competitor is to say good riddance, one less...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks <a href="http://lockdownnetworks.com/lockdown_networks.php" target="_blank">appears to be exiting the NAC market</a>.&nbsp; Of course the obvious reaction as a competitor is to say good riddance, one less competitor to deal with.&nbsp; But to turn a quote on its ear, I write today not to bury Lockdown Networks, but to praise them. More than the other two NAC companies that have exited the market, I was personally in the loop on Lockdown Networks. I first heard about them when a VC friend of ours asked us about them years ago.&nbsp; This was when we were still planning Safe Access and Lockdown's business plan was vulnerability management. They had not raised money yet and were still in stealth mode. We thought of them as competition for our VAM product, but wanted to see what they would come up with. I stayed abreast watching their progress from afar. Some time later, when I was looking to put together a group of companies to form a coalition to develop an independent NASL script library, knowing that they used Nessus, I reached out to them.</p>

<p>This is when I first met Rob Gilde.&nbsp; Subsequently I also met Brett and most of the rest of the team there. I like Rob, he ran their product team, was knowledgeable and a nice guy in a west coast laid back kind of way.&nbsp; In short time it became apparent&nbsp; to me that Lockdown was looking to move out of the VM business.&nbsp; Rob realized that just scanning and reporting was not going to make it.&nbsp; He had the notion of adding enforcement to his vulnerability scanning. If you failed a vulnerability scan, you should be denied access to the network.&nbsp; My initial reaction was vulnerability scans are done mostly on servers, but Rob wanted to do vulnerability scans on endpoints.&nbsp; That is when I told him about our own product which we were about to release. Rob and the team re-tooled and released their Enforcer product some time later.&nbsp; </p>

<p>I personally always thought that doing SANS TOP 20 scans on endpoints was not where it was at in NAC, but Lockdown raised money from Intel and a bunch of other folks and was making a big splash in the heady, gold rush days of NAC.&nbsp; We ran into them on deals from time to time, especially in many of our major partner/OEM deals.&nbsp; The good news for us, is that just about all of the time, our product was picked over theirs.</p>

<p>Soon rumors were everywhere that Lockdown was on the block.&nbsp; Brett and team were looking to grab 20 or so major customers and quickly flip the company for a big win.&nbsp; Then we began hearing that they were looking for less and less money.&nbsp; Also, their PR began becoming more and more desperate.&nbsp; That is when I began calling them on it in my blogging.&nbsp; Evidently that got their attention.&nbsp; A few Interop shows ago, Rob called me over and said he and especially Brett were really upset I called them out.&nbsp; I apologized and said hey I call them as I see them.&nbsp; At RSA or another show after that Brett walked right by me and tried his best to diss me.&nbsp; People from NY don't get dissed that easy though.&nbsp; I just laughed it off, but it was the last time I spoke to anyone at Lockdown.&nbsp; </p>

<p>Recently we have begun to see a few customers that were choosing our Safe Access product to replace Lockdown's.&nbsp; I thought this was ominous for them, but hey good for us! I truly expected to hear any day of someone picking them up at a decent price. I didn't think it would just implode.&nbsp; In many ways a company shutting down is a death of a thousand dreams.&nbsp; The soaring aspirations of the founders, the individual sugar plum fantasies of the early hires, the VC's thinking this could be the big hit.&nbsp; Perhaps most sad of all, the customers who looked at the market and for whatever reasons decided that Lockdown offered them the best product for providing NAC and solving their problems.&nbsp; Those people made a bet that Lockdown would be there to solve the issues and provide a great solution.&nbsp; They as much as anyone lost that bet.&nbsp; </p>

<p>As they do on Ebay, here is a second chance for Lockdown customers.&nbsp; We will have on our web site a special offer to upgrade you to Safe Access and leverage your investment in Lockdown.&nbsp; Lockdown's misfortune does not have to be yours.&nbsp; We are here to help and are here to stay.&nbsp; So to all of Lockdown's customers, I am sorry you are left in a hard place here, but there is help.</p>

<p>To Brett, Dan Clark and the rest of the Lockdown crew, most especially to Rob Gilde, I offer my sympathies that this did not turn out better for you.&nbsp; You all made a great effort and you made us try harder which resulted in our product being developed faster than it would have otherwise.&nbsp; For that I thank you and wish you all the best of luck in your future endeavors. This song is for you:</p>

<div class="wlWriterSmartContent" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:ac1ba53c-4651-4700-8523-c45cc557ec53" style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"><div id="d5269806-6ca5-47f2-afdd-a496ae1b682a" style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"><div><embed src="http://www.youtube.com/v/j9J9rTZJBmw&amp;hl=en" width="425" height="350" type="application/x-shockwave-flash" wmode="transparent"></embed></div></div></div></div>

]]></content:encoded>
      <pubDate>Tue, 18 Mar 2008 21:48:50 +0000</pubDate>
      <category domain="http://securityratty.com/tag/lockdown networks appears">lockdown networks appears</category>
      <category domain="http://securityratty.com/tag/lockdown networks">lockdown networks</category>
      <category domain="http://securityratty.com/tag/bury lockdown networks">bury lockdown networks</category>
      <category domain="http://securityratty.com/tag/lockdown">lockdown</category>
      <category domain="http://securityratty.com/tag/team">team</category>
      <category domain="http://securityratty.com/tag/product team">product team</category>
      <category domain="http://securityratty.com/tag/product">product</category>
      <category domain="http://securityratty.com/tag/vam product">vam product</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/254086539/nac-is-a-battle.html">NAC is a battlefield - Only the strong survive</source>
    </item>
    <item>
      <title><![CDATA[Agents - Can't live with them, can't live with them]]></title>
      <link>http://securityratty.com/article/4187aa6a0d0e15757e410f51ddc816b6</link>
      <guid>http://securityratty.com/article/4187aa6a0d0e15757e410f51ddc816b6</guid>
      <description><![CDATA[Actually someone once told me the same thing about women and I am sure women say the same thing about men. But Tim Greene has an epiphany in a recent article about bad news for NAC vendors who rely on...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Actually someone once told me the same thing about women and I am sure women say the same thing about men. But Tim Greene has an epiphany in <a href="http://www.networkworld.com/newsletters/vpn/2008/0310nac1.html" target="_blank">a recent article</a> about bad news for NAC vendors who rely on agents. </p>

<p>I think we all know that the last thing most enterprises want is another agent on their machines.&nbsp; Heck, not just enterprises either, no one wants yet another agent.&nbsp; The reasons for this are many and Tim lays them all out.&nbsp; For me personally the biggest reason is that too many of these agents (and not NAC agents necessarily) are pigs.&nbsp; They slow down your machine more than some of the widgets I used to use slowed down my blog page loading.</p>

<p>But Tim offers agentless NAC as a panacea. That it is not. In some cases agentless NAC works great, in others it severely limits what you can test for when and how fast.&nbsp; Personal firewalls and other such technologies can wreak&nbsp; havoc on agentless NAC.&nbsp; You may still need credentials to get any useful information.&nbsp; Over the years here at StillSecure, we have come to realize that in most real life situations, you need both agent, agentless and even web delivered methods of NAC testing, if you are going to be able to perform NAC against the entire spectrum of devices logging on to the network.&nbsp; There is no one perfect way to do NAC. If there was, everyone would do it that way.&nbsp; A good NAC solution should be flexible enough to offer multiple methods of testing.</p>

<p>One other thing I noticed was in the <a href="http://www.networkworld.com/community/node/25897" target="_blank">comments to Tim's article</a> Dan Clark from over at Lockdown tried to make a comment and refer back to the Lockdown blog for his further commentary on this. The <a href="http://www.networkworld.com/community/node/25897#comment-178655" target="_blank">next comment</a> though from Robert B I thought was priceless. It isn't that long, so let me just paste it in here:</p>

<p><em>Does anyone else find vendor blogs like nactalk.lockdownnetworks.com a little troubling? They appear as a neutral blog discussing a topic, except they only contain the vendor's point of view.</em> </p>

<p><em>While they seem to allow comments, the one time I registered and tried to comment, it was never approved. I'm assuming that since none of their other &quot;vendor patting themselves on the back&quot; articles have comments, I am not the only one.</em></p>

<p>Hey Robert I agree with you. The Lockdown Blog is a pretty thinly veiled attempt at a cheap marketing outlet. A review shows they put up an article a month and never have any comments as Robert points out. That is not a blog, the same way many vendors who claim to offer NAC don't really have a NAC solution. However, I would hope that not all vendors who blog are painted with that same brush.&nbsp; Besides myself, there are several excellent blogs authored by people who are also working for vendors. Not to say we are not biased, but I think there is a clear distinction there. </p></div>
]]></content:encoded>
      <pubDate>Thu, 13 Mar 2008 06:44:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nac solution">nac solution</category>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/offer nac">offer nac</category>
      <category domain="http://securityratty.com/tag/perform nac">perform nac</category>
      <category domain="http://securityratty.com/tag/agentless nac">agentless nac</category>
      <category domain="http://securityratty.com/tag/nac agents necessarily">nac agents necessarily</category>
      <category domain="http://securityratty.com/tag/blog page">blog page</category>
      <category domain="http://securityratty.com/tag/blog">blog</category>
      <category domain="http://securityratty.com/tag/agents">agents</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/03/agents---cant-l.html">Agents - Can't live with them, can't live with them</source>
    </item>
    <item>
      <title><![CDATA[Agents - Can't live with them, can't live with them]]></title>
      <link>http://securityratty.com/article/0b84854cdc9d9109f5cf521e969764d4</link>
      <guid>http://securityratty.com/article/0b84854cdc9d9109f5cf521e969764d4</guid>
      <description><![CDATA[Actually someone once told me the same thing about women and I am sure women say the same thing about men. But Tim Greene has an epiphany in a recent article about bad news for NAC vendors who rely on...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Actually someone once told me the same thing about women and I am sure women say the same thing about men. But Tim Greene has an epiphany in <a href="http://www.networkworld.com/newsletters/vpn/2008/0310nac1.html" target="_blank">a recent article</a> about bad news for NAC vendors who rely on agents. </p>

<p>I think we all know that the last thing most enterprises want is another agent on their machines.&nbsp; Heck, not just enterprises either, no one wants yet another agent.&nbsp; The reasons for this are many and Tim lays them all out.&nbsp; For me personally the biggest reason is that too many of these agents (and not NAC agents necessarily) are pigs.&nbsp; They slow down your machine more than some of the widgets I used to use slowed down my blog page loading.</p>

<p>But Tim offers agentless NAC as a panacea. That it is not. In some cases agentless NAC works great, in others it severely limits what you can test for when and how fast.&nbsp; Personal firewalls and other such technologies can wreak&nbsp; havoc on agentless NAC.&nbsp; You may still need credentials to get any useful information.&nbsp; Over the years here at StillSecure, we have come to realize that in most real life situations, you need both agent, agentless and even web delivered methods of NAC testing, if you are going to be able to perform NAC against the entire spectrum of devices logging on to the network.&nbsp; There is no one perfect way to do NAC. If there was, everyone would do it that way.&nbsp; A good NAC solution should be flexible enough to offer multiple methods of testing.</p>

<p>One other thing I noticed was in the <a href="http://www.networkworld.com/community/node/25897" target="_blank">comments to Tim's article</a> Dan Clark from over at Lockdown tried to make a comment and refer back to the Lockdown blog for his further commentary on this. The <a href="http://www.networkworld.com/community/node/25897#comment-178655" target="_blank">next comment</a> though from Robert B I thought was priceless. It isn't that long, so let me just paste it in here:</p>

<p><em>Does anyone else find vendor blogs like nactalk.lockdownnetworks.com a little troubling? They appear as a neutral blog discussing a topic, except they only contain the vendor's point of view.</em> </p>

<p><em>While they seem to allow comments, the one time I registered and tried to comment, it was never approved. I'm assuming that since none of their other &quot;vendor patting themselves on the back&quot; articles have comments, I am not the only one.</em></p>

<p>Hey Robert I agree with you. The Lockdown Blog is a pretty thinly veiled attempt at a cheap marketing outlet. A review shows they put up an article a month and never have any comments as Robert points out. That is not a blog, the same way many vendors who claim to offer NAC don't really have a NAC solution. However, I would hope that not all vendors who blog are painted with that same brush.&nbsp; Besides myself, there are several excellent blogs authored by people who are also working for vendors. Not to say we are not biased, but I think there is a clear distinction there. </p></div>

]]></content:encoded>
      <pubDate>Thu, 13 Mar 2008 05:44:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nac solution">nac solution</category>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/offer nac">offer nac</category>
      <category domain="http://securityratty.com/tag/perform nac">perform nac</category>
      <category domain="http://securityratty.com/tag/agentless nac">agentless nac</category>
      <category domain="http://securityratty.com/tag/nac agents necessarily">nac agents necessarily</category>
      <category domain="http://securityratty.com/tag/blog page">blog page</category>
      <category domain="http://securityratty.com/tag/blog">blog</category>
      <category domain="http://securityratty.com/tag/agents">agents</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/250768190/agents---cant-l.html">Agents - Can't live with them, can't live with them</source>
    </item>
    <item>
      <title><![CDATA[Hacking Medical Devices]]></title>
      <link>http://securityratty.com/article/37658bc7d1969005433e45072648fe0d</link>
      <guid>http://securityratty.com/article/37658bc7d1969005433e45072648fe0d</guid>
      <description><![CDATA[Okay, so this could be big news: But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker...]]></description>
      <content:encoded><![CDATA[<p>Okay, so <a href="http://www.nytimes.com/2008/03/12/business/12heart-web.html?ref=business">this</a> could be big news:</p>

<blockquote>But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker.

<p>They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal -- if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory.</p>

<p>The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery.</blockquote></p>

<p>There's only a little bit of hyperbole in the <i>New York Times</i> article.  The research is being conducted by the <a href="http://www.secure-medicine.org/">Medical Device Security Center</a>, with researchers from Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington.  They have two published papers:</p>

<ul><li>"<a href="http://www.secure-medicine.org/PervasiveIMDSecurity.pdf">Security and Privacy of Implantable Medical Devices</a>," Daniel Halperin, Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H. Maisel, IEEE Pervasive Computing, January 2008.</li>

<li>"<a href="http://www.secure-medicine.org/icd-study/icd-study.pdf">Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses</a>," Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel, IEEE Symposium on Security and Privacy, May 2008.</li></ul>

<p>This is from the <a href="http://www.secure-medicine.org/icd-study/icd-faq.html">FAQ</a> for the second paper (an ICD is an implantable cardiac defibrillator):</p>

<blockquote>As part of our research we evaluated the security and privacy properties of a common ICD. We investigate whether a malicious party could create his or her own equipment capable of wirelessly communicating with this ICD.

<p>Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could violate the privacy of patient information and medical telemetry. The ICD wirelessly transmits patient information and telemetry without observable encryption. The adversary's computer could intercept wireless signals from the ICD and learn information including: the patient's name, the patient's medical history, the patient's date of birth, and so on.</p>

<p>Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could also turn off or modify therapy settings stored on the ICD. Such a person could render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.</blockquote></p>

<p>Of course, we all know how this happened.  It's a story we've seen a zillion times before: the designers didn't think about security, so the design wasn't secure.</p>

<p>The researchers are making it very clear that this doesn't mean people shouldn't get pacemakers and ICDs.  Again, from the FAQ:</p>

<blockquote>We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed. We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs.

<p>For all our experiments our antenna, radio hardware, and PC were near the ICD. Our experiments were conducted in a computer laboratory and utilized simulated patient data. We did not experiment with extending the distance between the antenna and the ICD.</blockquote></p>

<p>I agree with this answer.  The risks are there, but the benefits of these devices are much greater.  The point of this research isn't to help people hack into pacemakers and commit murder, but to enable medical device companies to design better implantable equipment in the future.  I think it's great work.</p>

<p>Of course, that will only happen if the medical device companies don't <a href="http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=1&ref=business&oref=slogin">react like idiots</a>:</p>

<blockquote>Medtronic, the industry leader in cardiac regulating implants, said Tuesday that it welcomed the chance to look at security issues with doctors, regulators and researchers, adding that it had never encountered illegal or unauthorized hacking of its devices that have telemetry, or wireless control, capabilities.

<p>"To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide," a Medtronic spokesman, Robert Clark, said. Mr. Clark added that newer implants with longer transmission ranges than Maximo also had enhanced security.</p>

<p>[...]</p>

<p>St. Jude Medical, the third major defibrillator company, said it used "proprietary techniques" to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them.</blockquote></p>

<p>Just because you have no knowledge of something happening does not mean it's not a risk.</p>

<p>Another <a href="http://blogs.wsj.com/health/2008/03/12/how-to-hack-a-defibrillator/">article</a>. </p>

<p>The general moral here: more and more, computer technology is becoming intimately embedded into our lives.  And with each new application comes new security risks.  And we have to take those risks seriously.</p>]]></content:encoded>
      <pubDate>Wed, 12 Mar 2008 07:39:59 +0000</pubDate>
      <category domain="http://securityratty.com/tag/devices">devices</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/malicious security attack">malicious security attack</category>
      <category domain="http://securityratty.com/tag/cardiac">cardiac</category>
      <category domain="http://securityratty.com/tag/security risks">security risks</category>
      <category domain="http://securityratty.com/tag/dangerous cardiac events">dangerous cardiac events</category>
      <category domain="http://securityratty.com/tag/risks">risks</category>
      <category domain="http://securityratty.com/tag/icd incapable">icd incapable</category>
      <category domain="http://securityratty.com/tag/icd">icd</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/hacking_medical_1.html">Hacking Medical Devices</source>
    </item>
    <item>
      <title><![CDATA[Corporate Spying]]></title>
      <link>http://securityratty.com/article/fffd982506785741927a8421e5348055</link>
      <guid>http://securityratty.com/article/fffd982506785741927a8421e5348055</guid>
      <description><![CDATA[This is a good article on a new trend in corporate spying: companies like Wal-Mart and Sears have resorted to covert surveillance of employees, partners, journalists, and even Internet users to...]]></description>
      <content:encoded><![CDATA[<p>This is a <a href="http://www.ciozone.com/index.php/Management/Wal-Mart-Spying-Good-Bad-Or-Just-The-Wave-Of-The-Futureu.html">good article</a> on a new trend in corporate spying: companies like Wal-Mart and Sears have resorted to covert surveillance of employees, partners, journalists, and even Internet users to protect themselves from "global threats."</p>

<blockquote>"Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network, intellectual property and our people," Wal-Mart spokeswoman Sarah Clark said in a statement in April. Following the Gabbard firing, Wal-Mart said it conducted a review of its monitoring activities. "There have been changes in leadership, and we have strengthened our practices and protocols in this area," Clark said.

<p>[...]</p>

<p>At a gathering of security specialists in New York City in January of 2006, David Harrison, the former Army military intelligence officer who was hired by Senser to head Wal-Mart's analytical security research center, provided a rare glimpse into the company's monitoring operations. Harrison told the gathering Wal-Mart faces a wide range of threats: "A bombing in China, an armed robbery in Brazil, an armed robbery in Las Vegas, another bomb threat, and that was just yesterday," Harrison said.</p>

<p>To safeguard its employees and operations Wal-Mart has tapped its massive data warehouse of information, now believed to be larger than 4 petabytes (4,000 terabytes), to look for potential threats. It tracks customers who buy propane tanks, for example, or anyone who has fraudulently cashed a check, or anyone making bulk purchases of pre-paid cell phones, which could be tied to criminal activities. "If you try to buy more than three cell phones at one time, it will be tracked," he reportedly told the audience.</p>

<p>[...]</p>

<p>Gabbard, the Wal-Mart employee fired for recording reporters' phone calls, said in his interview with The Wall Street Journal that Wal-Mart uses software from Raytheon Oakley Networks to monitor activity on its network. The Oakley product was originally developed for the U.S. Department of Defense.</p>

<p>The Oakley software is so sophisticated it can allow administrators to visually see what types of information are moving across the network, from Excel spreadsheets to job searches on Monster.com, or photos with flesh tones that might indicate a user is viewing pornography.</blockquote></p>

<p>And <a href="http://www.portfolio.com/news-markets/international-news/portfolio/2007/12/17/Ex-Spies-Corporate-Work">this article</a> talks about ex-CIA agents working for corporations:</p>

<blockquote>The best estimate is that several hundred former intelligence agents now work in corporate espionage, including some who left the C.I.A. during the agency turmoil that followed 9/11. They quickly joined private-investigation firms whose U.S. corporate clients were planning to expand into Russia, China, and other countries with opaque business practices and few public records, and who needed the skinny on international partners or rivals.

<p>These ex-spies apply a higher level of expertise, honed by government service, to the cruder tactics already practiced by private investigators. One such ploy is pretexting -- obtaining information by pretending to  be somebody else. While private detectives have long posed as freelance reporters or job recruiters to get people to talk, former agents have elevated pretexting to an art.</p>

<p>[...]</p>

<p>Similarly, ex-agents have helped popularize the use of G.P.S.-based monitoring devices and long-range cameras for following people around. One corporate-espionage technique comes straight from the C.I.A. playbook. In the constant search for the slightest edge, some hedge funds and investment companies have turned to a handful of private-investigation firms for a tactic that seems to fall between science and voodoo. Called tactical behavior assessment, it relies on dozens of verbal and nonverbal cues to determine whether someone is lying. Signs of potential deception include meandering off topic rather than sticking to the facts and excessive personal grooming, such as nervously picking lint off a jacket. This method was developed by former lie-detector experts from the C.I.A.'s Office of Security, which administers polygraph tests to keep agents honest and verify the stories of would-be defectors.</p>

<p>[...]</p>

<p>Most of the ex-agents' activities, from surveillance to lie detection, are perfectly legal. In the wake of the 2006 Hewlett-Packard scandal, detectives used pretexting to obtain the private telephone records of company directors, employees, and journalists. In an effort to track leaks to the media, federal law was tightened to prohibit using fraudulent means to obtain telephone records. Financial records were already off-limits. But federal law doesn't forbid assuming a false identity to get other information -- an area that ex-spies exploit.</p>

<p>Still, a few techniques favored by the spies-for-hire do appear to violate privacy statutes. One of these involves using "data haunts," extreme methods of electronic monitoring such as tracking cell-phone calls and gathering emails by relying on secretly installed software to record computer keystrokes. An ex-C.I.A. agent described a group of his former colleagues who  set up shop offshore so that they could tap into telephone calls -- a  practice prohibited by federal law -- outside U.S. jurisdiction. "They call themselves the bad boys in the Bahamas," he said.</p>

<p>Even some of the legal methods are controversial within the industry. Certain old-school firms won't stoop to dumpster diving or stealing garbage -- which is usually legal as long as the trash is on a curb or other public property -- because they consider it unethical. They say that the prevalence of former intelligence agents in the field and the rise of unscrupulous tactics have tarnished a business that often struggles with its reputation. One longtime investigator complained that he recently lost business to some ex-C.I.A. officers who promised a potential client that they could obtain the phone and bank records of a target -- something that is illegal in most cases.</p>

<p>[...]</p>

<p>Current and former employees said Diligence's ex-spies also held classes in using false identities to obtain confidential information. Ex-employees said it wasn't unusual for an investigator to have five or six cell phones, each representing a different identity, on his or her desk. And while ex-C.I.A. and former MI5 agents were old hands at such deception, the new initiates sometimes got confused and answered a phone with the wrong name.</blockquote></p>

<p>All interesting.  It seems that corporate espionage has gone mainstream, and the debate is more about how and when.</p>

<p>On a related note, this paragraph disturbed me:</p>

<blockquote>On occasion, Diligence investigators were dispatched to collect garbage from a target's home or office. In some cases, two former employees said, Diligence hired off-duty or retired police officers to take trash so that they could wave their badges and fend off any awkward questions.</blockquote>

<p>It's public authority being used for private interests.  We see it a lot -- off-duty police officers guarding private businesses, for example -- and it erodes public trust of authority.  In the case above, I'm not even sure it's legal.</p>]]></content:encoded>
      <pubDate>Wed, 16 Jan 2008 09:21:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/agents">agents</category>
      <category domain="http://securityratty.com/tag/intelligence agents">intelligence agents</category>
      <category domain="http://securityratty.com/tag/wal-mart">wal-mart</category>
      <category domain="http://securityratty.com/tag/off-duty police officers">off-duty police officers</category>
      <category domain="http://securityratty.com/tag/officers">officers</category>
      <category domain="http://securityratty.com/tag/wal-mart employee fired">wal-mart employee fired</category>
      <category domain="http://securityratty.com/tag/cell-phone calls">cell-phone calls</category>
      <category domain="http://securityratty.com/tag/phone calls">phone calls</category>
      <category domain="http://securityratty.com/tag/obtain">obtain</category>
      <source url="http://www.schneier.com/blog/archives/2008/01/corporate_spyin.html">Corporate Spying</source>
    </item>
    <item>
      <title><![CDATA["Where Should Airport Security Begin?"]]></title>
      <link>http://securityratty.com/article/ffeecf881a8ae5dbb55c3e3ca9bae2b8</link>
      <guid>http://securityratty.com/article/ffeecf881a8ae5dbb55c3e3ca9bae2b8</guid>
      <description><![CDATA[In this essay, Clark Ervin argues that airport security should begin at the front door to the airport: Like many people, I spend a lot of time in airport terminals, and I often think that they must be...]]></description>
      <content:encoded><![CDATA[In this essay, Clark Ervin argues that airport security should begin at the front door to the airport: Like many people, I spend a lot of time in airport terminals, and I often think that they must be an awfully...]]></content:encoded>
      <pubDate>Thu, 20 Dec 2007 09:28:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/airport">airport</category>
      <category domain="http://securityratty.com/tag/airport security">airport security</category>
      <category domain="http://securityratty.com/tag/airport terminals">airport terminals</category>
      <category domain="http://securityratty.com/tag/clark ervin argues">clark ervin argues</category>
      <category domain="http://securityratty.com/tag/front door">front door</category>
      <category domain="http://securityratty.com/tag/lot">lot</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/essay">essay</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <source url="http://www.schneier.com/blog/archives/2007/12/where_should_ai_1.html">"Where Should Airport Security Begin?"</source>
    </item>
    <item>
      <title><![CDATA[Cyber espionage something to worry about?]]></title>
      <link>http://securityratty.com/article/5687e1af340fe30c425a2230612dbc2d</link>
      <guid>http://securityratty.com/article/5687e1af340fe30c425a2230612dbc2d</guid>
      <description><![CDATA[McAfee released their Virtual Criminology Report earlier this year and warned that there is a growing threat to national security, as cyber espionage becomes increasingly sophisticated, moving from...]]></description>
      <content:encoded><![CDATA[<p>McAfee released their “<a href="http://www.mcafee.com/us/research/criminology_report/default.html">Virtual Criminology Report</a>” earlier this year and warned that there is a growing threat to national security, as cyber espionage becomes increasingly sophisticated, moving from simple network probes to well-funded, well-organized, and possibly government backed operations. The intent is not only financial gain, but also political or competitive gain.</p>

<p>Some other interesting news items have appeared in the recent past.</p>

<p>1. Germany’s respected weekly, <a href="http://www.spiegel.de/international/world/0,1518,502169,00.html">Der Spiegel</a>, reported that China was thought to have hacked into the computer systems of Germany’s chancellery, as well as systems at three ministries, infecting the networks with spy programs. The alleged attacks occurred just before Chancellor Angela Merkel visited Beijing. Computers in the chancellery and the foreign, economics, and research ministries were targeted. The German Federal Office for the Protection of the Constitution (BfV) conducted a comprehensive search of government IT installations, and prevented a further 160 gigabytes of information from being transferred to China. The scale and nature of the stolen data suggested that the operation could have been steered by the state.</p>

<p>2. <a href="http://www.australianit.news.com.au/story/0,,22404605-5013040,00.html">Australian IT reported</a> that Chinese hackers had allegedly tried to hack into highly classified government computer networks in Australia and New Zealand as part of a broader international operation to glean military secrets from Western nations. New Zealand Prime Minister Helen Clark confirmed that foreign intelligence agencies had tried to hack into government computer networks, but had not compromised top-secret data banks. The Chinese government has denied any involvement.</p>

<p>3. In its annual report to Congress, <a href="http://www.uscc.gov/annual_report/2007/report_to_congress.pdf">The U.S.-China Economic And Security Review Commission</a> said, “Among the disruptive capabilities China is fielding is the ability to conduct cyber attacks. General James Cartwright, then Commander of the U.S. Strategic Command (USSTRATCOM) and currently Vice Chairman of the Joint Chiefs of Staff, testified before The Commission that China is actively engaging in cyber reconnaissance by probing the computer networks of U.S. government agencies as well as private companies. The data collected from these computer reconnaissance campaigns can be used for myriad purposes, including identifying weak points in the networks; understanding how leaders in the United States think; discovering the communication patterns of American government agencies and private companies; and obtaining valuable information stored throughout the networks.”</p>

<p>Today, cyber espionage lets you obtain in a matter of minutes, in a single download session, information that may have taken years to collect through human intelligence. So it’s a no-brainer for many: the McAfee report estimates that 120 countries are engaged in web espionage operations, though most of these operations are not very sophisticated. But the Chinese approach of targeting key industries and economic sectors, placing Trojans in those systems to be activated if and when necessary, is like having sleeper cells that get activated on demand. This should serve as a wake-up call to governments and businesses around the globe that in today’s competitive environments, spending the time, effort, and money to protect your sensitive information assets is the key to keeping your competitive advantage.</p>]]></content:encoded>
      <pubDate>Fri, 14 Dec 2007 12:48:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/computer networks">computer networks</category>
      <category domain="http://securityratty.com/tag/government computer networks">government computer networks</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/chinese government">chinese government</category>
      <category domain="http://securityratty.com/tag/american government agencies">american government agencies</category>
      <category domain="http://securityratty.com/tag/cyber espionage">cyber espionage</category>
      <category domain="http://securityratty.com/tag/china">china</category>
      <category domain="http://securityratty.com/tag/government agencies">government agencies</category>
      <source url="http://blogs.forrester.com/srm/2007/12/cyber-espionage.html">Cyber espionage something to worry about?</source>
    </item>
  </channel>
</rss>
