RSA 2012: Coviello Insists Cyber-Defences Are About Managing Risk

The sheer volume of attacks against enterprises and governments in 2011 showed that security was critical, but the security industry is “in serious risk of failing” to protect organisations, said Art Coviello, executive chairman of RSA, during his opening keynote address at the 2012 RSA Conference.

Signature-based and perimeter-heavy defences no longer work, and the industry needs to shift attention to new types of security defences, said Coviello, who kicked off the show on 28 February. Organisations have to assume their networks will be penetrated and put in protections to minimise data theft or damage as a result of the compromise, Coviello told attendees who gathered at the Moscone Center in San Francisco for the conference.

Three elements of security

The security technology organisations should be considering needs to have three elements, said Coviello.

The first is that it be risk-based, allowing IT managers to see what is going on within their environment and properly prioritise what needs to be fixed. Managing risk is critical, said Coviello.

The second element is agility: the platform of choice needs to be situationally aware and able to react immediately when something goes wrong. Today's security is often a "patchwork of controls" spewing out "too much data and not enough intelligence", said Coviello.

Finally, and critically, there is context-awareness. There needs to be a way to tell when a certain activity is an anomaly, rather than part of normal user behaviour, even when the activity itself seems harmless.

All these elements together allow organisations to respond in real-time to threats.
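The context-awareness point above is the one most easily misread as "more alerts". What Coviello describes is a baseline of what each user normally does, so that an event that looks harmless in isolation (a successful login with valid credentials) can still be flagged because it does not fit that user. The following is an added illustration written for this page, not code from the keynote or from RSA; the log format, field names, sample events and the two-feature baseline (hours of day and source country) are all assumptions made for the example.

```python
"""
Context-aware login anomaly check over a per-user behavioural baseline.

Added example for this page, not RSA code. The CSV-style event format,
the field names and every event below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline log: "timestamp,user,source_country,result".
BASELINE_LOG = """\
2012-02-01T09:02:11,alice,US,success
2012-02-01T17:45:03,alice,US,success
2012-02-02T08:58:40,alice,US,success
2012-02-03T09:10:22,alice,US,success
2012-02-06T10:01:05,alice,US,success
2012-02-01T22:15:00,bob,DE,success
2012-02-02T23:05:12,bob,DE,success
2012-02-03T21:48:31,bob,DE,success
2012-02-04T02:12:09,bob,DE,failure
"""

# Constructed new events to score. Every one of them is a *successful*
# login, i.e. each would pass a signature or credential-only check.
NEW_LOG = """\
2012-02-07T08:31:00,alice,US,success
2012-02-07T03:14:00,alice,RU,success
2012-02-07T22:30:00,bob,DE,success
2012-02-07T14:00:00,bob,DE,success
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    country: str
    result: str


def parse_log(text: str) -> list:
    """Parse the constructed CSV-style log into LoginEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, country, result = line.split(",")
        events.append(LoginEvent(datetime.fromisoformat(ts), user, country, result))
    return events


def build_baseline(events) -> dict:
    """Per-user profile built from successful logins only: hours of day
    seen and source countries seen. Failures are excluded so an attacker's
    probing cannot teach the baseline that their behaviour is normal."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set()})
    for e in events:
        if e.result != "success":
            continue
        profile[e.user]["hours"].add(e.ts.hour)
        profile[e.user]["countries"].add(e.country)
    return profile


def score_event(event: LoginEvent, baseline: dict, hour_slack: int = 1) -> list:
    """Return the reasons an event deviates from its user's baseline.
    An empty list means the event is consistent with past behaviour."""
    reasons = []
    prof = baseline.get(event.user)
    if prof is None:
        return ["no baseline for user"]
    if event.country not in prof["countries"]:
        reasons.append(f"new source country {event.country}")
    # Circular distance on a 24-hour clock so 23:00 and 00:00 are adjacent.
    near_usual_hour = any(
        min((event.ts.hour - h) % 24, (h - event.ts.hour) % 24) <= hour_slack
        for h in prof["hours"]
    )
    if not near_usual_hour:
        reasons.append(f"unusual hour {event.ts.hour:02d}:00")
    return reasons


def flag_events(new_log: str, baseline_log: str) -> dict:
    """Score every event in new_log; return {(user, iso_timestamp): reasons}
    for the events that deviate from the baseline."""
    baseline = build_baseline(parse_log(baseline_log))
    flagged = {}
    for e in parse_log(new_log):
        reasons = score_event(e, baseline)
        if reasons:
            flagged[(e.user, e.ts.isoformat())] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in flag_events(NEW_LOG, BASELINE_LOG).items():
        print(key, "->", "; ".join(reasons))
```

Two of the four successful logins are flagged: alice from a country she has never used at 03:00, and bob at 14:00 when his history is entirely late evening. Neither would trip a rule that only asks "did the password match?", which is the gap between data and intelligence the keynote is pointing at. In production the profile would be richer (device, network, resource accessed) and scores would feed a risk decision rather than a hard block.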

Organisations “have gone through hell” in the 12 months since last year’s conference, said Coviello, and RSA was one of them.

Coviello was referencing the incident where unknown perpetrators – who still have not been unmasked a year later – breached RSA Security servers and managed to steal some data related to the SecurID two-factor authentication technology. RSA shared the pain of regaining customer trust and trying to secure their systems that other breached organisations felt, said Coviello.

“An attack on one of us is an attack on all of us,” said Coviello.

RSA also felt a sense of urgency to apply the lessons learned from the breach to make its own systems stronger, and to share that information with the rest of the industry. The attack influenced how the company shares data, where it invests, and its overall strategy.

Changing vectors

The types of attacks have also changed, as last year was the first time there were so many "stepping stone" attacks, said Coviello, referring to incidents where an organisation was breached to steal information that could be used to launch a more complex and potentially more rewarding attack against someone else.

The SecurID breach was one such attack, as there is evidence the attackers used the stolen information to launch attacks against Lockheed Martin, a defence contractor. The attacks against certificate authorities, such as the one against DigiNotar, a Dutch certificate authority, are another example, as the perpetrators were focused on obtaining certificates that could be used to masquerade as legitimate websites.

Coviello hoped that the increasing number of attacks would strengthen the sense of urgency within the industry to work on methods to improve organisation defences.

In addition, the trinity of emerging technologies, mobile, software-as-a-service (SaaS) and hybrid cloud adoption, is exacerbating the security situation. These trends are "transformative", but because they widen the attack surface, it becomes even more challenging for IT departments to keep their employees and systems secure.

Outpaced by the speed of change

It is unprecedented that employees and consumers are adopting emerging applications and technology faster than governments and enterprises can absorb them, said Coviello. It is no longer possible to separate the digital world from the physical, nor work life from personal. People have gotten so used to being able to do things online and have easy access to powerful machines that they are not willing to wait for IT to catch up.

IT has to learn to manage what they cannot control, and security organisations have to learn how to secure what they cannot control, said Coviello.

Cyber-adversaries are better at planning attacks and much faster at launching campaigns than IT teams are at detecting and blocking them. They are exploiting the gaps in security that result from an increasingly hyper-connected infrastructure, he said. The industry has to move away from relying on the network perimeter to keep threats out, because attackers can "outflank" the perimeter.

“The network will be penetrated. We should not be surprised,” said Coviello.

“You can’t always get what you want,” Coviello added. People would like a world with no risk. No auto accidents, no stock market crashes, no cyber-attacks. Since that isn’t realistic, people look for ways to reduce risk so that “smart people” can make “prudent decisions” to keep the systems and data secure.

Coviello was optimistic, despite the challenges facing the information security industry. “If you try you might find what you need.”


Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
