The wave of large, high-profile data breaches that targeted the security industry during the past year has spawned a new threat to corporate networks: hackers armed with detailed knowledge of the inner workings of companies' security systems, because they have already hacked the firms that provide those systems.

“People in our line of work have been going through hell in the last 12 months,” Arthur Coviello, executive chairman of RSA, the security division of EMC, said during the kickoff keynote for RSA's 2012 conference, an annual gathering of U.S. cyber-security professionals. “Never have security firms witnessed so many personal attacks as in the last year.”

Companies should no longer be surprised by data breaches, Coviello said, and he was speaking from personal experience: RSA itself fell victim to hackers last year in a much-publicized breach, when the thieves stole data from RSA's SecurID authentication system used by employees to access sensitive corporate information. The hackers then used that information to mount an attack against other companies, including defense contractor Lockheed Martin.

Since the breach, Coviello said, RSA has “a sense of urgency as never before to apply the lessons we have learned firsthand and use the privileged insight we've obtained from other attacks. We are sharing them and using them to drive our strategy, investments, and our product roadmaps.”

Coviello stressed that hackers are developing new methods of attack faster than companies can keep up with them, and they can remain inside networks undetected for longer periods of time. According to an analysis from Verizon, 91 percent of breaches led to loss of data within days or hours—but 79 percent took weeks or more to discover. “We need to reverse those statistics,” he said.

Many refer to these data breaches as “advanced persistent attacks,” but that term is a misnomer, said Scott Charney, corporate vice president for trustworthy computing at Microsoft. These attacks often aren't advanced at all; they're just persistent, he said. “They occur over time, and they're determined,” Charney added.

Charney said companies must improve what he called “basic hygiene.” That means designing systems that not only prevent attacks, but that also detect attackers quickly and contain them in order to limit unauthorized access or disruption, he said.

Coviello expressed a similar sentiment: companies must shift away from the defensive mindset of keeping hackers out to an offensive mindset focused on detecting data breaches in real time.

Part of what is driving this shift is the realization by some that attacks are nearly inevitable. “There are two types of companies: those that will be hacked and those that have been hacked and will be hacked again,” said Robert Mueller, director at the FBI and a former U.S. attorney, in his keynote at the RSA Conference.

“Accepting the inevitability of compromise doesn't mean that we have to accept the inevitability of loss,” Coviello said. “We can manage risk to acceptable levels.”

“For starters, we have to stop being linear thinkers, blindly adding new controls to failed models,” Coviello added. Today's data systems rely primarily on compliance reporting and regulator audits, creating a “patchwork of controls subject to time-consuming updates, serving up far too much data and not nearly enough intelligence.”

Adding to the challenges of securing IT infrastructures is the rapid proliferation of various platforms and the increased use in the workplace of personal devices by employees. “For the first time since the dawn of IT, technology-savvy consumers and employees are adopting technologies faster than governments and enterprises can absorb them, with huge political, social, and security ramifications,” said Coviello.

Employees are used to having powerful technologies, hardware, and applications as part of their everyday lives. “Not only are they not waiting for IT organizations to catch up and provide these capabilities, employees and entire business units have been bypassing IT organizations to achieve their business and personal goals.”

To cope, companies must improve their risk management. “The fact remains that few organizations do it meaningfully and well,” said Coviello. “We must learn to evaluate risk at more substantive and granular levels.” He added that risk is a function of three components: how vulnerable the company is to attack; the likelihood of being targeted; and the value of what is at stake.

Currently, Charney said, IT organizations tend to be at one of three stages of preparedness. In the first stage, they don't know what to do. They don't know the right set of strategies and actions to take.

In the second stage, they know what to do, but not well. “Companies have good security policies but when they're actually audited, they're not applying what should be done,” said Charney. In the third stage, they know what to do and some do it well, but not to scale, he said.

Coviello added that companies also must begin to analyze data beyond just traditional security platforms and, instead, across the network from all kinds of infrastructures, including mobile devices and the cloud. This enables “predictive and preemptive intelligence” that could be used to predict where a hacker may potentially launch the next attack.

“Big Data”

This proliferation of mobile devices and cloud services has resulted in massive volumes of unstructured data, which security experts refer to as “big data.” Using “big data” can provide companies with intelligent controls and advanced monitoring capabilities that understand transaction patterns and user behavior to spot high-risk anomalies and events, security experts agreed.

The data must then be correlated using high-speed analytics to produce actionable information. “We need to respond to those high-risk anomalies in real-time to mitigate risks,” said Coviello.

Charney agreed with Coviello that big data offers companies significant potential to improve business operations and develop new products. “Big data is going to provide huge benefits for our society,” he said.

Charney used geo-location data collected by mobile devices as an example. Specifically, he cited a situation in which Microsoft used cloud-based analysis to help a healthcare provider identify trends to determine why some hospital patients were being readmitted within 30 days of being discharged.

[Sidebar chart: Security Measures. Results from the September 2011 Unisys Security Index, which polled Americans on what steps they would take in the event that they learned of a security breach suffered by an organization with which they were dealing. Source: Unisys.]

By putting this information in the cloud, he said, the analysis revealed that the returning patients all were being treated in the same hospital room, which contained a virus. “Who would have thought that was relevant?” asked Charney. Thus, geo-location data in the cloud can identify trends that otherwise would go unnoticed, he said.

But making use of big data remains a challenge. “The problem isn't that we don't have security data,” said Charney. “The problem is that we have too much security data, and we don't know what to do with it all.”

Moving forward, the priority will be placed on industry and government to work together to develop more effective privacy principles, as well as to improve end-to-end reliability of cloud services and adopt more holistic security strategies.

“We are at another inflection point, with expectations for better security, privacy, and reliability growing at an exponential rate,” Charney said. “Now is the time for industry and governments to develop and adopt strategies and policies that balance business and societal needs with individuals' choices.”

U.S. Deputy Secretary of Defense Ashton Carter, also a keynote speaker at the RSA Conference, reiterated this need for collaboration. “We are just beginning a long march to security,” he said.

Security professionals are trying to make a business out of what “inevitably will be required, which is greater security than what we now have,” Carter added. “In that respect, we are partners in this march.”

Mueller agreed. “We must continue to push forward together,” he said. “Terrorism does remain the FBI's top priority, but in the not-too-distant future, we anticipate that the cyber threat will pose the number-one threat to our country, and we need to take lessons learned from fighting terrorism and apply them to cyber crime.”