RSA executives advised security professionals that the new fact of life for IT organizations is a state of persistent, dynamic, intelligent threats in which it is no longer a matter of if an organization will be compromised, but more likely when and how.
The key to combating these threats, they say, is to recognize the different tactics and tools used in these advanced attacks and automate the response of controls to defend information assets, isolate compromised elements of the infrastructure and ensure that network compromise does not lead to damage to the business.
In a joint keynote address at the RSA Conference Europe 2011 that is currently under way in London, Art Coviello, Executive Vice President for EMC and Executive Chairman of RSA, and Tom Heiser, President of RSA, discussed the evolving threat landscape and urged organizations to create advanced security systems capable of defending against these new threats and agile enough to meet the advanced challenges of today’s hyper-extended enterprise.
“2011 has been quite a year for us and for anyone on the security side of IT,” said Art Coviello during his keynote address. “It’s been a year of headline grabbing attacks across every corner of the world. Organizations are defending themselves with the information security equivalent of the Maginot Line as their adversaries easily outflank perimeter defenses. People are the new perimeter contending with zero-day malware delivered through spear-phishing attacks that are invisible to traditional perimeter-based security defenses such as Anti Virus and Intrusion Detection Systems. Clearly conventional security is either not effective or not enough. The threat landscape is evolving and our security systems must change to outpace our adversaries.”
To defend against advanced threats, security programs must evolve to be risk-based, agile and contextual.
Risk-based – Risk is a function of the threat landscape, including understanding an organization’s adversaries and capabilities compared with the relative security exposure of the organization’s information assets. Intelligence about your potential attackers and most valuable assets shows you where to focus your efforts, such as what systems to protect and what users to closely monitor.
Agile – The threat landscape will continue to evolve, and a successful outcome requires that organizations have the agility to process, incorporate and analyze new sources of internal and external intelligence – on the fly. Automation is absolutely essential for security to work at the speed and scale of the networks and cyber threats we face.
Contextual – Incident response, investigation and remediation are most effective when a security event is delivered with complete context around it. The success of prioritizing and decision-making is dependent on having the best information available. Organizations must adopt a “big data” view of information security in which their security teams have real-time access to the entirety of information relevant to the detection of security problems. Big data combined with high-speed analytics provides the contextual view needed to defend against advanced threats.
RSA President Tom Heiser conveyed ‘Lessons Learned’ from the attack on RSA, and from an insider’s vantage point, offered specific advice on what organizations can do to help harden their defenses and adapt appropriately to the evolving threats. He advised, “Sophisticated attackers know traditional security controls and are adapting and changing tactics… determined to find exploits in complex, rapidly evolving IT environments and through people.”
Heiser closed his remarks by offering five categories of forward-leaning practices for getting ahead of advanced cyber threats:
- Re-visit your view of risk – Conduct a risk assessment to identify your high value / high risk information assets, looking at things from an opponent’s perspective, and with an eye to real, not theoretical, opponents.
- Re-think zero-day malware protection – don’t stop using traditional anti-virus tools, but recognize that they alone will not be sufficient against customized attacks.
- Deploy security and network forensics capabilities for continuous monitoring, for deeper awareness and analysis of network traffic (this is different from traditional intrusion detection, which is past its freshness).
- Harden authentication and tighten access control.
- Increase user and executive education and communication – the human dimension is as important as the tools you deploy.