When Security Compliance Isn't Enough
A robust defense against attack means going beyond the rubber stamp of security compliance and certification, argues RSA CISO Eddie Schwartz.
RSA Chief Information Security Officer Eddie Schwartz has a tough mandate. It's his job to evaluate how RSA faces advanced threats and to help ensure the integrity of the entire security organization.
In a conversation with eSecurity Planet, Schwartz detailed his organization's efforts to defend itself against attack. He also took aim at the idea that simply being compliant with standards such as PCI-DSS is enough to actually verify that an organization is in fact secure.
RSA is no stranger to attacks. The security vendor was breached in a 2011 attack that shocked the security industry. Since then, RSA has taken multiple measures to help understand and defend against advanced persistent threats.
"Being a public company, we have a profile that is often the target of hacktivist groups and we have a profile that is a target of what some people call 'cyber-terror' type of outfits," Schwartz said. "We also have a huge business that is associated with takedowns in the cyber criminal world."
With such a big target painted on its back, RSA has done a lot of work trying to improve threat visibility overall. Schwartz noted that there has also been an effort to examine innovative ways of improving the isolation and control of critical processes.
That examination has a basis in moving beyond the traditional approach of simply measuring security against a given standard, such as PCI-DSS. Schwartz said that when he came into the role of RSA CISO in 2011 after the breach event, he chose to push the standards compliance efforts to a secondary level. Instead, his focus is on identifying the most critical assets and then understanding how to associate all events to those critical assets.
In Schwartz's view, compliance is a natural byproduct of good security and not the ultimate arbiter of security itself. Organizations that buy products based on seals or certifications alone are following a misguided interpretation of what security is all about, according to Schwartz.
"We just don't secure things so that people can put a seal on a window somewhere," Schwartz said.
The Real Value of Certification
Not all certifications are equal in terms of rigor, of course. Among the more rigorous certification is the Common Criteria set of security certifications. Common Criteria provides Enterprise Assurance Levels (EAL) that requires a high degree of discipline and scope.
In contrast, Schwartz argues that there is less value, when you take a generalized security framework and then try to apply it to a specific security program that has myriad complexity, for a point in time evaluation.
Schwartz pointed out that the industry has seen high profile hacks from organizations that have been compliant with a point in time certification like PCI-DSS. Transaction vendor Global Payments is one such vendor that was recently breached even though the company was PCI compliant.
Attempting to thoroughly evaluate the security of an organization in less than a month's time -- as is the case in a typical PCI audit -- is a tall order. A Common Criteria evaluation typically takes more time due to the rigor of the process.
"It's the difference between a year of review and a couple of weeks of analysis," Schwartz said.
Certification however does a role to play when used in the right context. For example, with product security, Schwartz noted there are a series of lifecycle events and as part of those events there are certification activities that will make sense. A more dynamic and tailored approach to security is what is needed today.
"It's a question of applying control sets in a given situation," Schwartz said. "I don't think we should be simply driving towards some standard because someone says it make sense to do this."
The Right Technology
Schwartz came to RSA by way of the company's acquisition of security visibility vendor NetWitness in 2011. Having visibility into the broad scope of security events that occurs across an enterprise landscape is one of the keys to mitigating the risk of breaches. Visibility is also the key to actually understanding when a breach has occurred, so it can be locked down and remediated.
Even if an enterprise acquires a best of breed lineup of security technologies to help prevent breaches, Schwartz says that a confidence factor will still need to be assigned. That factor will need to take into account other external factors that could impact the post-acquisition operation of a given device or technology.
The NetWitness approach is to add context to packet capture such that when an event pops up, an organization can dig in to see what it really means. Just looking at security events in a narrow approach isn't enough to provide a complete view of the threat landscape. The approach that Schwartz is now advocating is to take advantage of the larger universe of threat intelligence data to fully understand risk.
"What we're showing now is the unified analytics framework," Schwartz explained. "Where we can take all of those previous point solutions and put it into a single user interface and allow users to access it from a normalized viewpoint of all the back-end Big Data."
Over the course of the rest of 2012, Schwartz says that RSA will continue to work on increasing the number of data sources that can plug into the platform. All that analytical data will lead to a form of active defense. The data results could lead to some form of firewall rule or an IPS signature.
Schwartz said that RSA has been working with its network device and security software partners to build some form of data feed from the analytics platform that can be fed into an actionable defense. In his view, one of the typical deployment problems with many types of security technologies is that they aren't fully deployed with all the right rules in place.
"The issue becomes: How do we gain enough of a confidence level that we can have the machine just accept the remediation rule in an automated manner," Schwartz said. "I think that's where the industry has to evolve."
"If we don't start getting to the point where we're willing to accept automation [then] we're never going to catch up here."
Watch the full video below: