RSA: Data security should be more about detection than prevention

The traditional approach to information security that is focused on prevention is failing because it looks only at known threats, says Eddie Schwartz, chief information security officer at RSA.

Warwick AshfordWarwick Ashford is chief reporter at Computer Weekly. He joined the CW team in June 2007 and is focused on IT security, business continuity, IT law and issues relating to regulation, compliance and governance. Before joining CW, he spent four years working in various roles including technology editor for ITWeb, an IT news publisher based in Johannesburg, South Africa. In addition to news and feature writing for ITWeb’s print publications, he was involved in liaising with sponsors of specialist news areas on the ITWeb site and developing new sponsorship opportunities. He came to IT journalism after three years as a course developer and technical writer for an IT training organisation and eight years working in radio news as a writer and presenter at the South African Broadcasting Corporation (SABC).

View all articles by Warwick Ashford >>

warwick.ashford@rbi.co.uk 020 8652 8505 Active Warwick Ashford False True

The traditional approach to information security that is focused on prevention is failing because it looks only at known threats, says Eddie Schwartz, chief information security officer at RSA.

There is a difference between detection and prevention, and businesses need to pay more attention to the former, he told delegates at the RSA Conference Europe 2011 in London.

"Once an attacker gets in, there is a limited time before they bed down in the network and begin to build defence in depth," said Schwartz.

One of the goals of any organisation's security strategy, he said, should be to create new intelligence about attackers and attack methods rather than rely only on what is already known.

To create new intelligence, organisations need to implement multiple, iterative processes designed to capture everything that crosses their networks to identify all anomalies.

"Separate regular activity and behaviour to discover interesting activity, and behaviour to create new intelligence," said Schwartz.

For example, 500,000 sessions on a network can be pared down to 200 for closer inspection by filtering out only HTTP sessions with abnormal headers from non-standard countries involving file types that might be linked to malicious activity, he said.

After reducing the number of events to examine through automation based on a series of reasonable assumptions, humans can get involved to create new intelligence, said Schwartz.

This is the only way organisations can hope to counter attackers who aim to get in, stay in and steal intellectual property by remaining under the radar of traditional security systems, he said.

In addition to the usual intrusion detection and prevention, malware protection, log management and packet capture systems, organisations need to build intelligence gathering capability through analysis and continual intelligence-driven monitoring.

This is not easily achieved, said Schwartz, but businesses must make a start and begin to apply processes that analyse protocols, tap into intelligence sources to monitor networks and carry out malware analysis.

"It is not easy, but it gets easier, so stop whining and get busy," he said.

Read more on IT news in your industry sector

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close