Infosec still in the Dark Ages, says RSA president

It is time for information security to escape the Dark Ages, according to Amit Yoran, president of RSA, the security division of EMC

While technology may soon be capable of accelerating its own development, “we are still in the Dark Ages of Information Security,” he told the opening session of RSA Conference 2015 in San Francisco.

The fact that 2014 was yet another “year of the breach” indicates that “things are getting worse, not better” and is another reminder that “we are losing this contest,” said Yoran.

He went as far as saying that adversaries are “out-manoeuvring the industry, out-gunning the industry, and winning by every measure.”

According to Yoran, the industry has promoted a defensive strategy that aligns with a Dark Ages mindset of simply “building taller castle walls and digging deeper moats,” but that is not solving the problem.

“It is like we’re working from a map of a world that no longer exists; and possibly never did,” he said.

Yoran said that despite knowing that perimeters are not sufficient, the perimeter mindset persists, and the security profession continues to rely on signature-based systems.

“We’ve all heard that the threats that matter most are the ones you haven’t seen before. These tools by definition are incapable of detecting the threats that matter to us most,” he said.

And yet, Yoran said many security professionals base their security on the “futile aggregation of telemetry from these virtually blind IDSes, AV platforms, and firewall logs, implementing the glorious and increasingly useless money-pit, known as the Siem.”

He said that although the terrain has changed, many information security professionals are still clinging to their old maps. “It’s time to realise that things are different,” he said.

Echoing previous calls to arms to the security industry by the recently retired RSA executive chairman Art Coviello, Yoran said: “It is time for a renewed sense of exploration, awareness, and understanding. It’s time for security to escape the Dark Ages and pursue our own Age of Enlightenment.”

According to Yoran, who is responsible for developing RSA’s strategic vision, there are five things the security industry should do to change the way it operates.

First, he said information security professionals have to stop believing that even advanced protections work.

The reality that underlies every intrusion, he said, is that a well-resourced, creative, and focused adversary is going to get into any IT environment they target.

“We’re seeing analytics-resistant malware that can evade detection by sandboxes and other advanced systems.

“No matter how high or smart the walls, focused adversaries will find ways over, under, around, and through,” he said.

Second, Yoran said information security professionals must adopt a deep and pervasive level of true visibility everywhere, from the endpoint to the network to the cloud.

He said this end-to-end visibility is necessary if organisations are to have any hope of seeing the advanced threats that are increasingly today’s norm.

“Even now many organisations operate completely blind as to whether they are victim to these published techniques. We need pervasive and true visibility into our enterprise environments,” he said.

He said the visibility provided by both continuous full packet capture and endpoint compromise assessment is essential to information security.

“Within our digital environments, we need to know which systems are communicating with which, why, any related communications, their length, frequency and volume, and ultimately the content itself to determine what exactly is happening,” he said.

Yoran said that the single most common and most catastrophic mistake made by security teams today is under-scoping an incident and rushing to clean up compromised systems before understanding the broader campaign.

“Without fully understanding the attack, you’re not only failing to get the adversary out of your networks, you’re teaching them which attacks you are aware of and which ones they need to use to bypass your monitoring efforts,” he said.
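As an added illustration of the two points above (pair-level visibility into who talks to whom, how often and how much, and scoping an incident beyond the first compromised host before cleaning up), the following script is not from RSA or the article; it runs over a handful of constructed flow records and the host names, addresses and the `10.` internal prefix are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records for the example: (src, dst, bytes, seconds).
# 10.x addresses are assumed internal; 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for external endpoints.
FLOWS = [
    ("10.0.1.5", "203.0.113.9", 20_000, 30),
    ("10.0.1.5", "203.0.113.9", 25_000, 45),
    ("10.0.1.7", "203.0.113.9", 18_000, 20),
    ("10.0.1.7", "10.0.2.20", 500, 1),
    ("10.0.1.9", "198.51.100.4", 2_000, 5),
    ("10.0.2.20", "203.0.113.9", 1_000, 2),
]


def summarise_pairs(flows):
    """Aggregate per (src, dst) pair: connection count, total bytes, total duration.

    This is the "which systems are communicating with which, how often and
    how much" view that network visibility is meant to provide.
    """
    pairs = defaultdict(lambda: {"count": 0, "bytes": 0, "seconds": 0})
    for src, dst, nbytes, secs in flows:
        pair = pairs[(src, dst)]
        pair["count"] += 1
        pair["bytes"] += nbytes
        pair["seconds"] += secs
    return dict(pairs)


def scope_incident(flows, seed_host, internal_prefix="10."):
    """Expand a single confirmed host into the wider campaign footprint.

    Step 1: collect the external endpoints the seed host talked to.
    Step 2: find every other internal host that talked to those same
            endpoints. Cleaning only the seed host would miss them and
            alert the adversary to what the defenders have noticed.
    """
    pairs = summarise_pairs(flows)
    external = {
        dst for (src, dst) in pairs
        if src == seed_host and not dst.startswith(internal_prefix)
    }
    affected = {seed_host}
    for (src, dst) in pairs:
        if dst in external and src.startswith(internal_prefix):
            affected.add(src)
    return {"external_endpoints": sorted(external),
            "affected_hosts": sorted(affected)}
```

Starting from the one host an alert fired on, the scoping step surfaces two more internal hosts sharing the same external endpoint, which is the difference between a one-box clean-up and a campaign-level response.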

Third, he said that in a world with no perimeter, identity and authentication matter more than ever.

Yoran noted that in the latest Verizon Data Breach Investigations Report in cases where confidential data was disclosed, the most popular method used was Web application attacks.

“And in those cases, 95% of the time, attackers used stolen credentials and simply walked right in,” he said.

According to Yoran, strong authentication and analysing who is accessing what can identify attack campaigns earlier in the kill chain.

“This can make the difference between successful response and unmitigated disaster. Don’t make the mistake of just trusting the actions of the trusted; those are the very accounts and users most targeted and of which we should be the most suspicious,” he said.

Fourth, Yoran said external threat intelligence needs to be recognised as a core information security requirement.

He said there are sources for the right threat intelligence for your purposes from vendors like CrowdStrike, iSIGHT Partners, ThreatGRID, and others as well as various sectoral information sharing and analysis centres (Isacs).

“Threat intelligence should be machine-readable and automated for increased speed and leverage. It should be operationalised into your security programme and tailored to your organisation’s assets and interests so that analysts can quickly address the threats that pose the most risk,” said Yoran.

Finally, he said information security professionals must understand what matters to their business and what is mission critical.

“This asset categorisation isn’t the sexy part of security but it is critical to helping you prioritise the deployment of limited security resources for the greatest possible impact.

“You have to focus on the important accounts, roles, data, systems, apps, devices – and defend what’s important and defend it with everything you have,” he said.

According to Yoran, these ideas can work, and RSA has seen the difference they make when organisations take these approaches to security.

“We see customers understand the attack campaigns that have been running in their environment for months or longer - often right under the noses of their protective measures,” he said.

With these ideas and agile mindsets, he said RSA’s teams are even catching attackers red-handed, and disrupting their ability to exfiltrate data and achieve their goals.

However, he said RSA does not claim to have all the answers. “There are resource challenges, there are skills challenges, there are legal challenges. But we are on a path to changing a paradigm under which our industry has operated for decades.”

Yoran said RSA is re-engineering the company to deliver on this vision. “This time next year, we won’t be the same RSA you have known for decades,” he said.

He concluded by saying that the information security industry is on a journey that will continue to evolve in the years to come through the efforts of everyone.

However, he said the biggest challenges are not technological.

“We have the technology today to provide true visibility. Strong authentication and identity management solutions are readily available. We have great threat intelligence and insight into sophisticated adversaries. And we have systems that map and manage our digital and business risk.

“This is not a technology problem. This is a mindset problem. The world has changed and trust me, it’s not the terrain that’s wrong, it’s the map,” he said.
