RSA Learns From Its Maginot Mistake

RSA’s Art Coviello gave a wake-up call to the new world of cyber-attacks at last week’s RSA Conference, reports Eric Doyle

Art Coviello, executive chairman of RSA, EMC’s security division, closed his keynote at the company’s conference with the famous Nietzsche quote, “What doesn’t kill you makes you stronger”.

Given the tempestuous events of this year, Coviello knows what he is talking about. It is to the company leaders’ credit that an event that could have killed another company was dealt with quite deftly. Immediate action averted a disaster when the security specialist became a security casualty.

Mending A Broken System

It is customary for Coviello to open the conference with a speech that looks back at the past year of cyber-crime to set the scene for the numerous seminars and teach-ins that typify the RSA Conference. This year he adjusted the traditional format to embrace a look at what thought processes should be engaged when establishing a security policy.

In this year’s attack on the SecurID network, his company found that its traditional defence barriers, which had rigidly resisted past attacks, became outdated overnight as it fell foul of new thinking spreading across hackerdom.

The core message that RSA was bringing to London was summed up by Coviello when he said, “Organisations are defending themselves with the information security equivalent of the Maginot Line – as their adversaries go around them. But, we can recover if we adapt and become more agile.”

It is important to step back and take a look at the cyber-crime landscape. No longer are we victims of mischievous or curious hackers testing the perimeters for weak spots. Gone are the days of the reverse engineering attack or the hurling of random data at the castle walls in fuzzing attacks launched in trebuchet-like volleys at random points. Today’s attackers come from many different tribes with a range of agendas but they are united in the old practice of finding the weakest point. Now, though, they are finding new spins on social (network) engineering and phishing, or known-vulnerability exploits.

New Threats, New Targets, New Motivations

This year saw the rise of the hacktivist, a politically-motivated attacker whose aim is to block Websites or to embarrass an organisation by stealing and revealing secrets from behind the firewall.

We have also seen a different kind of political attack as national governments attack one another in cyber-space with stealth weapons of awesome power – weapons that trickle down into the underworld of inter-company espionage.

“A criminal group can buy a botnet kit for drive-bys, a spamming kit for spam runs, bulletproof hosting from an underground service provider, unattributable domain registration … and on and on. For them it’s about speed and volume. They will find your weakest link,” warned Coviello.

Where Coviello became a little less clear in his message was in his differentiation between cyber criminals and nation state attacks. He described this difference with the following words: “They want to remain inside your network monitoring incident response efforts to gauge defender responses altering their behaviour accordingly until they get what they want.”

This may be true of the nation state attacks but it is also becoming true of the cyber criminal. To remain undetected in a system amplifies the rewards that can be accrued.

Back on beam, he added: “The implication of the risks from all of these attackers is that IT organisations are in a constant state of persistent, dynamic, intelligent threat. The security dogmas of the past are no longer adequate. Many security technologies are past their freshness date – offering diminished value. So all of us, as security professionals, need to change the way we think.”

Three Pillars Of The Agile Solution

Coviello divided the new requirements into three elements.

First, the system must be risk-based but at a much more granular level than in the past. Risk is a function of vulnerability, probability, and materiality of consequence – so, if you have information that has material value, it is probable that you will be attacked.

The way to find these weak points is to look at it from the hacker’s viewpoint. What may seem unimportant to you can be something that is missed. A PR firm in the US saw its share price tumble when a disgruntled ex-employee hacked in and changed the figures in a financial report press release that was then widely circulated. Who would have thought that a press release would be a target?

The next area for attention, he said, is the agility of the security structure. Current measures often lack the situational awareness, visibility and agility needed to detect and thwart sophisticated attacks. The new thinking is to apply predictive analytics based on an understanding of normal states, user behaviours, and transaction patterns to spot those events that indicate an unexpected change – no matter how small.

Third, the system must have contextual capabilities. The success of prioritising actions and decision-making relies on access to the best information available. This goes beyond reliance on security event management gleaned from log data.

Data Access Is The Locking Key

“Organisations must adopt a ‘Big Data’ view of information security in which their security teams have real-time access to the entirety of information relevant to the detection of security problems. To operate as a system all kinds of data from controls and monitoring devices must be aggregated and leveraged,” Coviello advised.

The wider the information gathering pool, the better the derived intelligence on what is happening within the corporate networks and data stores – and this big data pool can be made even larger if companies share information with one another.

Coviello closed his keynote with the Nietzsche quote, adding: “The questions for this audience are: Will we act on what we’ve learned? Will we commit the resources to be quicker and more agile? Do we have the will, politically and unselfishly, to create the ecosystem we need? We cannot escape history. We will be remembered in spite of ourselves. We have a common goal: to be remembered for leaving a firm foundation for our successors to build on.”