LAS VEGAS – Forget about the perimeter, you’ve already been breached.
That’s the mindset that RSA Security Inc., a division of EMC Corp., wants business and IT leaders to adopt when it comes to security posture.
It’s a message that’s been hammered here since day one of the conference, but apart from the concept’s tie-up with RSA products, Coviello must know what he’s talking about. Some two years ago, RSA itself was the victim of a major cyberattack that was a massive hit on the company’s reputation.
At that time, Coviello said, RSA actually faced two attacks, both focused on accessing data about the company’s customers so that those customers could in turn be attacked. Even though no one lost their data or suffered financial loss as a result of the 2011 attack, RSA took a US$66 million charge, part of which paid for the replacement of its SecurID tokens.
It was also a learning episode for RSA, which led it to refocus from authentication to detecting the “faint noises” of an attack in progress and immediately plugging that leak, said Coviello.
He said that as more companies adopt big data strategies, they are also expanding the attack surface available to cybercrime organizations.
“When Joe (Tucci, CEO of EMC) and Paul (Maritz, former EMC executive now CEO of GoPivotal Inc.) talk about the explosion of big data and mobile technology, business leaders are saying ‘wow’ and thinking about the opportunities,” he said. “The CSO and IT meanwhile are having a migraine.”
This is an assessment which resonates with Christopher Munley, principal of Booz Allen Hamilton, a Virginia-based cyber security firm that deals with many government agencies.
“If cyber criminals and state-sponsored hackers can break into the systems of large companies and networks of governments, you have to assume they can breach your business,” he said in an interview. “The perimeter is long gone. The name of the game today is protecting your vital data and preventing exfiltration.”
“Companies need to deploy technologies that help them detect minute anomalous signals or behaviours within their network and systems that indicate something out of the ordinary is happening and that it could mean an attack is underway.”
Munley likened the method to how United States covert agencies were able to listen in on mobile communication traffic and Internet activities to smoke out terrorists.
Unfortunately, Coviello said, many companies are still locked in the old model of reactive security.
The RSA chief characterized this as:
- Perimeter-based and focused on keeping attackers out
- Static and signature-based, relying primarily on anti-virus and authentication
- No true defense in depth
Most organizations that employ this security strategy, he said, spend 80 per cent of their IT budget on perimeter defenses, 15 per cent on monitoring and 5 per cent on response.
However, in recent years, enterprises have been dealing with growing amounts of data and an increasing number of devices hooked up to the corporate network and the Internet. This, Coviello argues, has expanded the threat landscape.
A more mature security approach, he said, is one that splits the security emphasis this way:
- Perimeter defense, 34 per cent of budget
- Monitoring, 33 per cent of budget
- Response, 33 per cent of budget
Many organizations, however, are hampered by three main challenges: budget constraints, a lack of skilled personnel and a lack of information sharing.
Ideally, he said, organizations should share information on the threats they have encountered and the methods they have employed against them, to reduce security risk for everyone.