Agility and communication are two important tools for mitigating attacks

RSA Conference Europe 2011, which took place at the Hilton London Metropole last month, kicked off with a keynote from Art Coviello, executive VP of EMC and executive chairman of RSA, the security division of EMC.

“2011 has been a year of headline-grabbing attacks,” he said, giving the examples of in April, the Australian government in March, Google in June, DigiNotar in September, and RSA itself in March.

The five laws of fragility

Hugh Thompson

“Security fragility is a new model of security that expects failure. In fact, it embraces it,” says Hugh Thompson, chief strategist for People Security.

1. Secure systems fail when faced with out-of-context attacks.
2. Expect failure, create safety nets, and adapt.
3. People will make mistakes.
4. Assume your environment is contested.
5. Constantly re-evaluate assumptions.

While hacktivists and cyber criminals are still dangerous, he said the most concerning type of attack is the advanced persistent threat (APT). These are sponsored by nation states that can allocate many resources to such an attack. They also use social engineering to get their desired target.

“Think a nation state is not interested in you? Think again. They might use you to go after someone else,” he said.

Conventional security is not adequate to prevent all these attacks, he noted, and systems need to evolve.

“I see advanced systems evolving to include three distinct elements. First, the system must be risk-based.”

He explained that although professionals have been talking about risk-based security for some time, companies “must do a better job of using the latest tools to understand and evaluate risk at an even more granular level”.

He said if you have information that has material value, it is probable you will be attacked. “If you look from the point of view of your attackers, you are more likely to spot those vulnerabilities.”

Art Coviello

The second element of an advanced system is agility. “Existing programs of controls lack the situational awareness, visibility and agility needed to detect and thwart sophisticated attacks. That’s why controls that rely on predictive analytics based on an understanding of normal states, user behaviours, and transaction patterns to spot high-risk events need to be deployed more pervasively.” These controls can be better leveraged if organisations combine them with monitoring technologies “in a systemic way, creating true defence-in-depth”.

The final element, he said, is that the system must have contextual capabilities. “Even an advanced system of controls and monitoring capabilities can only be effective when an event is delivered with complete context around it. In other words, the success of prioritising and decision-making is dependent on having the best information available.

“Advanced systems need to rely on more than just traditional event management that relies only on log data,” he said. Organisations must adopt a ‘big data’ approach. “From a security perspective, big data refers to vast data sets of unprecedented scale and formats – gathered from every part of the enterprise and correlated to fuse high-speed analytics with intelligence.” With big data capabilities, teams will recognise the enemy quickly and render attacks harmless. “In essence, if we know we are going to be vulnerable, this is the way to shrink the window of vulnerability.”

Hitting home

Thomas Heiser, president of RSA, reiterated the message of information sharing in his keynote. “As a community, we need to come together. Our adversaries have gotten very good at sharing information among themselves,” Heiser said.

RSA held advanced threat summits in London and Washington, and one of the key takeaways was “we have a need to share the information. But we need a mechanism to do it.”

He also agreed with Coviello about needing a new approach to security. “Anyone who’s been close to these attacks knows we must learn to live in a constant state of compromise. We need new strategies for security.

“Let’s talk about what we faced,” he said, describing the attack. “Put yourselves in the following scenario: number one, what if your employees received phishing attacks from trusted sources from a company and a person they knew?

“Number two: what if there was a payload that delivered a zero-day executable? Third: what if the attack resulted in an APT active in your infrastructure and layers of resilience. What if the adversary had multiple groups, one visible, and one shielding the other? What if this harvest from the initial steps was used to gain independent access?

“That gives you a taste of the situation we found ourselves in,” he said.

The adversary was seen to switch network techniques, and origin. “Both groups were known to authorities, but were not known to work together before. What does this tell us? Our adversary was organised and well co-ordinated. They knew what to look for and where to go. It took them a lot of preparation to put this together. They exploited people and processes even more than the infrastructure itself.” Heiser said RSA identified the attack in progress with its NetWitness software. “We responded quickly, and locked down our IT infrastructure; we used specialists to help identify beacons in our compromised infrastructure.”

One of the lessons RSA learned from the attack is that while people are the most vulnerable, they are also a company’s greatest asset. He said it was inspiring how everyone came together to fix the problems.

Thomas Heiser

Another lesson learned is the necessity of robust business continuity processes, Heiser added.

Never let a crisis go to waste, he said. “We’ve been trying to live by that.” The crisis taught RSA to break down silos, and create better information sharing in the organisation. Another benefit was innovation urgency. He said ideas were created in hours or days, rather than months.

Many of the speakers at RSA reiterated the key messages outlined by Coviello and Heiser: many companies will get breached, so it is important to focus on mitigating those breaches by being agile; hackers readily share information with one another, and to stay ahead, organisations need to do the same; and both agility and information sharing will help combat advanced persistent threats.