EMC WORLD REPORT: It’s very likely that your network has already been breached. You need to focus on how to minimize and stop the damage, says Art Coviello

Perimeter security no longer enough: RSA

LAS VEGAS – Forget about the perimeter, you’ve already been breached.

That’s the mindset that RSA Security Inc., a division of EMC Corp., wants business and IT leaders to adopt when it comes to security posture.

“If you’re still racking your brains about how to keep the bad guys out, you’re already way behind,” Art Coviello, the 59-year-old executive chairman of RSA, said during a media briefing at the EMC World 2013 conference here. “It’s very likely that your network has already been breached and what you need to focus on is how to minimize and stop the damage.”
Art Coviello, chairman of RSA (photo by Nestor Arellano)

It’s a message that’s been hammered here since day one of the conference, but apart from the concept’s tie-up with RSA products, Coviello must know what he’s talking about. Some two years ago, RSA itself was a victim of a major cyberattack that was a massive hit on the company’s reputation.

At that time, Coviello said, RSA actually faced two attacks, both focused on accessing data of the company’s customers so that those customers could be attacked. Even though no one lost their data or suffered financial loss as a result of the 2011 attack, RSA paid a US$66 million charge, part of which was to pay for the replacement of its SecurID tokens.

It was also a learning episode for RSA, which led it to refocus from authentication to detecting “faint noises” of an attack in progress and immediately plugging that leak, said Coviello.

He said that as more companies adopt big data strategies, they are also expanding the attack surface for cybercrime organizations.

“When Joe (Tucci, CEO of EMC) and Paul (Maritz, former EMC executive now CEO of GoPivotal Inc.) talk about the explosion of big data and mobile technology, business leaders are saying ‘wow’ and thinking about the opportunities,” he said. “The CSO and IT meanwhile are having a migraine.”

This is an assessment which resonates with Christopher Munley, principal of Booz Allen Hamilton, a Virginia-based cyber security firm that deals with many government agencies.

“If cyber criminals and state-sponsored hackers can break into the systems of large companies and networks of governments, you have to assume they can breach your business,” he said in an interview. “The perimeter is long gone. The name of the game today is protecting your vital data and preventing exfiltration.”

“Companies need to deploy technologies that help them detect minute anomalous signals or behaviours within their network and systems that indicate something out of the ordinary is happening and that it could mean an attack is underway.”

Munley likened the method to how United States covert agencies were able to listen in on mobile communication traffic and Internet activities to smoke out terrorists.

“Security agencies have recently been very successful in identifying the whereabouts of target suspects by monitoring cell phone traffic and looking for things that were out of the ordinary,” he said.

In the business context, Coviello said, software can help credit card companies, for instance, collect and cross-reference data from various sources and infer that something is “out of the ordinary if you usually make withdrawals from the U.S. and all of a sudden your account shows activity from outside the country.”
 
Today’s software has become so sophisticated, he said, that it can “learn” how a customer logs in to his or her account and determine whether a log-in session was carried out by that customer or by a malware program.

Unfortunately, Coviello said, many companies are still locked in the old model of reactive security.

The RSA chief characterized this as:

  • Perimeter-based and focused on keeping attackers out
  • Static and signature-based, primarily using anti-virus and authentication
  • No true defense in depth

Most organizations that employ this security strategy, he said, spend 80 per cent of their IT budget on perimeter defenses, 15 per cent on monitoring and 5 per cent on response.

However, in recent years, enterprises have been dealing with growing amounts of data and an increasing number of devices hooked up to the corporate network and the Internet. This, Coviello argues, has expanded the threat landscape.

A more mature security approach, he said, is one that splits the security emphasis this way:

  • Perimeter defense, 34 per cent of budget
  • Monitoring, 33 per cent of budget
  • Response, 33 per cent of budget

Many organizations, however, are hampered by three main challenges: budget constraints, lack of skilled personnel and lack of information sharing.

He said that ideally, organizations should be sharing information on threats they have encountered and methods they have employed, to reduce the security risk for everyone.

“Information sharing in this matter has to scale out,” Coviello said. “What we need is a neighbourhood watch.”

Separately, in a corporate filing, EMC [NYSE: EMC] said it has started to lay off 1,004 people around the world in all of its divisions. Another 800 will be cut from the VMware division. Last year, the document said, 1,163 jobs were cut as part of restructuring.
 
(With a file from Howard Solomon, ITWC)