Analysis: RSA says security needs to change, but what does that mean?
RSA executive chairman Art Coviello has issued a call to action to the security industry to improve technology and collaboration
RSA executive chairman Art Coviello ended his opening keynote speech at RSA Europe 2013 with a call to the IT security industry to show the same spirit as Europe in setting up a common market after WW2.
But what exactly does he have in mind?
Proliferation of data and devices
He would like to see action in several areas. First, he wants the industry to address the expanding attack surface created by the proliferation of data, mobile devices, social media, cloud services and IP-enabled devices.
“We still have not caught up with that as an industry, so technologically there is a gap that has arisen over the past five or six years,” Coviello told Computer Weekly.
The industry has been slow in developing the intelligence-driven controls Coviello believes are necessary if security systems are to evolve and keep pace with new and emerging threats.
What is RSA doing along these lines?
“Only this year did RSA launch Security Analytics, which is the first product that combines the correlation of logs and packets with other contextual information,” he said.
Also, Coviello believes individual point controls have not become nearly as smart as they need to be.
“FireEye is really hot now because they offer a different method for catching malware, which is another example of another supplier that has come to market with a different approach than a static, signature-based technology such as traditional anti-virus,” he said.
RSA’s acquisition of fraud detection firm Silvertail Systems, for example, enables the identification of patterns and anomalies in web sessions so that companies can predict that a wave of attacks is on the way.
“These are the kinds of smart products that need to make their way into companies’ infrastructures,” said Coviello.
He believes more work needs to be done by the security industry to create more ways of introducing artificial intelligence in security that will enable better protection.
Collaboration, privacy and transparency
Second, Coviello would like to see the different parts of the security industry working together to reduce the level of confusion that exists. In his keynote, Coviello said it is important to balance security with privacy, but it is equally important to balance fear with recklessness.
“On the one hand, people are too fearful to do anything, but on the other, when they do not see the kind of attacks they are being warned about, they continue to be reckless,” he said.
For this reason, Coviello believes it is important to improve companies’ level of understanding, and then to have a “civil dialogue” about privacy to get around the catch-22 situation of being afraid to deploy monitoring technologies for fear of infringing on employee privacy.
“The way to solve the problem is with transparency by setting out what needs to be done, why it needs to be done, and sharing intelligence with some level of anonymity because sometimes it is enough to share the nature of an intrusion or the nature of malware used without giving other details,” he said.
However, Coviello said total anonymity is not possible. “Anonymity is the friend of our adversaries because if you can’t track them or you can’t see them, then you can’t stop them and you can’t prosecute them.
“But if you have a civil dialogue and people do not get overly emotional, I think companies can work through these issues just as European countries that had been battling each other for centuries put away their ancient rivalries to enable trade with each other for the collective good,” said Coviello.
“Sitting down and having a civil discussion, collaborating and compromising is the way to get things done,” he said.
The security industry is in the unique position of understanding the attackers, the problem of the attack surface, who does what to whom and what effect technology can have.
“We are in an excellent position to help people because by and large, our entire raison d’etre is to protect people and organisations,” said Coviello.
So why has the industry not heeded previous calls to arms?
Need for understanding
In this day and age of social media and instant communication, Coviello blames the fact that people are more interested in voicing an opinion than in listening to what others have to say.
“But I am listening, and what I am saying is merely reflecting legitimate concerns I hear from customers and colleagues to the security industry,” said Coviello.
As far as the businesses caught in the catch-22 of balancing security with privacy are concerned, he believes they need to move beyond awareness of the problem to improve everybody’s understanding.
“This is an issue not just for the company, not just for RSA’s customers, but also an issue for the media to educate people so that a discussion about action can take place, because if we do not do certain things, we are all going to be in jeopardy,” said Coviello.
But in doing those things, there needs to be transparency, he said, about what is being done and every effort made to ensure that the by-product of those actions is not untoward invasion of anyone’s privacy.
Education, governance and policy
“So you start with education, then you say transparently what needs to be done and then you give people confidence that they can trust what you said by having a governance model,” said Coviello.
But how does a company prove it is complying with the governance model?
“We believe that our Archer product can be used in this regard because it provides a framework for managing policy and part of that policy can be around privacy,” said Coviello.
Archer also has incident response capability, he said, so it enables companies to track incidents in relation to the policy and then report on it.
“This will enable companies to prove they are in compliance with any governance model they suggest,” said Coviello.
There is a lot that can be done, he said, but it begins with education, which can take place at every level: in the media, within an organisation, between industry and government, and between governments.
Trust and cynicism
Very little can be achieved without trust, he said, but it is also important to verify things are as they should be.
“That is why transparency and governance is so important because if we give up hope of trust, I view that as a very cynical thing and we might as well unplug.
“But we can’t allow either cynicism that nothing can be done or fear of breaching trust to overwhelm us,” said Coviello.
However, he remains optimistic. According to Coviello, there has never been so much venture capital investment in security as there is now.
“There is unbelievable innovation going on that will advance the cause of artificial intelligence and intelligence-driven security,” he said.
And although he would not want to go through it again, Coviello said a lot of good had come out of the RSA breach in March 2011.
“We got a lot smarter and customers achieved a higher level of understanding, not just awareness,” he said.
But at the same time, he believes the world needs to agree on what can and cannot be done on the internet between and among governments.
“That should include spying in general, the protection of intellectual property, and the use of the internet for destructive means through a good and civil debate,” he said.
Coviello believes that if these issues are not addressed by 2020, the world will not make the economic progress that it would otherwise make.
Everyone has a role to play in enabling a trusted digital world: the security industry in delivering intelligence-driven products, but also enterprises, governments and the media in educating people about security and promoting dialogue about privacy and trust.