RSA Chief: Conventional Security Defenses Are Inadequate
Speaking from recent experience, RSA's Art Coviello says the question now is not whether your defenses will be breached -- it's whether you are equipped to respond when it happens.
How do you get ahead of advanced security threats? According to a new report, the key is "intelligence-driven information security."
The new report from the RSA-sponsored Security for Business Innovation Council (SBIC) is now out, providing enterprises with guidance on the latest information security best practices. RSA, the security division of EMC, is no stranger to advanced threats and in fact was the victim of one such attack in 2011.
According to the 35-page report, traditional security defense mechanisms such as firewalls and IPS systems are still necessary -- but no longer adequate. The report encourages today's enterprises to focus on building out a new set of information and intelligence capabilities around data collection and analysis, security posture insight, adversary research, and more.
"You can assume that you're going to get breached, if someone wants to breach you," Art Coviello, Executive Chairman of RSA, told InternetNews.com. "The question should be, do you have the intelligence to shrink the window of vulnerability that you're going to inevitably find yourself in."
Coviello noted that enterprises need to have and use actionable intelligence in order to defend themselves and not just sit back and wait to be attacked. In Coviello's view, traditional security tools such as antivirus and firewalls are constantly being evaded by attackers, and are no longer sufficient to keep up with modern threats. That said, he stressed that enterprises should not throw out their traditional IT defenses.
"[Traditional security tools] keep out the riff-raff and it's good hygiene, but you need more sophisticated capabilities," Coviello said. "Security should always be done in the context of defense in depth. They will breach the outer walls and you have to have more layers and those layers have to be based on data that gives you real actionable intelligence."
That actionable intelligence doesn't have to be open and publicly available. Coviello noted that a lot of security information sharing is done in a more proprietary way among the good guys and is not available to hackers or criminal nation states. He also suggested that internal data is essential in defending against advanced threats. Internal data that looks for anomalies in network traffic as well as log files are two potential sources of security intelligence that can help mitigate the risks of attack.
For example, internal intelligence can come from behavioral analysis. He noted that while a company might have many diligent employees, chances are that if there are a lot of employees logging onto a resource at three in the morning, it's likely not legitimate traffic.
"The capabilities that we're driving our customers toward are not going to stop an individual attack, but they will give the capability to respond timely enough to reduce the risk of loss," Coviello said. "There will always be a new type of attack; it's really about having a system that is agile, dynamic, and responsive."
While the notion that IT users need to have multiple sources of security intelligence -- both external and internal -- might seem obvious to some people, Coviello argued that's not always the case.
"If you're living this day in and day out, you tend to think that reports like this are rudimentary and just basic blocking and tackling," Coviello said. "Yet the vast majority of companies are still really immature."
In March of 2011, RSA itself was the victim of an advanced threat that led to a data breach. Coviello noted that he isn't just pitching security intelligence best practices for other companies to implement; he's using them at his own company as well.
"One of the ironies of our own breach is that the technology that helped us see the attack in progress was our NetWitness technology," Coviello said. (RSA's parent company EMC acquired NetWitness in April 2011, a month after disclosing the breach). "What most people don't realize is that most of these attacks go undetected."
Coviello admitted that RSA lost information in the data breach. However, he stressed that RSA was able to determine what was lost in a timely manner in order to mitigate the risk to customers. He added that RSA also took some of the lessons learned from the experience to make their technology and processes even better for creating a real-time response capability.
"We learned a lot in terms of our own internal security and we did think that we had a strong security program," Coviello said. "Let's just say we have a stronger one now."
Follow eSecurityPlanet on Twitter: @eSecurityP