RSAC16: RSA’s Amit Yoran comes out in support of strong encryption

Government must engage with security community

According to Yoran, adversaries will surely be exploit weakened encryption. “Such a policy would harm US economic interests on an already suspicious world stage, as well as unconscionably undermine those trying to defend our digital environments in every industry,” he said.

Yoran welcomed the participation at the RSA Conference of the director or the NSA, the director of the FBI, the US attorney general, members of the US Congress and state governors to engage with the security community.

“We need to be respectful, but we must also make sure our voices in this debate are heard loud and clear,” he said.

Yoran also praised the many accomplishments of the US Department of Commerce in cyber, including updating the privacy framework enabling better cooperation between the European Union (EU) and the US.

“We must make sure our voices in this debate are heard loud and clear”

Amit Yoran, RSA

x

However, he said Obama Administration’s inclusion of cyber security technologies in the Wassenaar Arrangement is “absurd”.

“For those of you who aren’t familiar with it, the Wassenaar Arrangement is designed to prevent the spread of technology for offensive use, to evil and oppressive regimes. It is conceivable that offensive tools and exploit kits might warrant some restriction.

While monitoring platforms might be perverted or used for bad purposes, the answer cannot be to deny their efficient use to all organisations trying to defend themselves.

The misguided current interpretation effectively criminalises every company trying to monitor their global digital infrastructure against cyber threats and doesn’t practically solve any problem. The private and public sectors need to think differently,” he said.

‘Prevention is a failed strategy’

Picking up from his themes at RSA Conference in San Francisco in April and Abu Dhabi in November 2015, Yoran said the world continues to push communication, collaboration and commerce online. He said it is no use pretending that preventative technologies such as anti-virus, malware sandboxing, firewalls and next-generation firewalls “will keep us safe when we know they won’t”.

“Intellectually, we get it. But that intellectual assent is not translating into changed behaviour fast enough,” he said.

According to an RSA survey of 160 organisations worldwide, 90% of respondents are not satisfied with the speed and capabilities they have in detecting incidents. However, two-thirds of those organisations are still relying on a legacy perspective of security information and event management (Siem) for detection.

“You understand that prevention is a failed strategy. That’s a big step. But if you continue to invest solely in prevention, what good is ‘getting it’?” he said.

The key to security’s future

Gartner projects that by 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches — up from less than 10% in 2014.

The question information security professionals need to ask themselves, said Yoran, is whether they are leading their organisation into security’s future or still clinging to the past.

“The future is a new world order in which the technologies we deploy better align to the realities of our threat landscape. From this perspective, we need to emphasize monitoring and response, knowing that prevention will fail,” said Yoran.

He said authentication and identity management “have come roaring back to the forefront of security conversations”, as the abuse of identity has become a key component of virtually every advanced attack, outpacing malware attacks as the most prevalent attack vector. 

“I don’t need to tell you that passwords have utterly failed. Even strong multifactor authentication needs the added perspective of fluid, contextual awareness. In addition to managing and strongly authenticating our identities, we need to monitor and govern them effectively,” said Yoran.

However, he said visibility into identities is useful only up to a point. Therefore there is a need to push visibility much deeper into networks, endpoints and the cloud. 

“We need visibility of full packet analysis of our networks, combined with an understanding of telemetry from our endpoints to see exactly what is going on.

“At its very core, the key to security’s future relies on comprehensive visibility – getting and seeing the full picture,” he said.

Behavioural analytics and AI

Yoran said behavioural analytics, artificial intelligence (AI), and machine learning hold great promise for enhancing how organisations do cyber security. This is why RSA, the security division of EMC, has introduced RSA Security Analytics and Ecat endpoint threat protection and response.

However, he said, while behavioural analytics and AI deliver “incredible” tools, they are not magic. “All forms of analysis in a stovepipe – be they malware in a sandbox, user behaviour or threat intelligence – can be readily bypassed, which is why pervasive visibility is foundational. No matter what any supplier claims, there is no magic that can save us,” said Yoran.

“Our problem is not a technology problem. Our adversaries aren’t beating us because they have better technology. They’re beating us because they are being more creative and patient and persistent,” said Yoran.

Hunting culture

According to Yoran, the way to keep up – knowing that even state of the art analytics will be insufficient in the face of creative adversaries – is to tap into creative defenders.

Organisations should simply allow, enable and encourage their own curious, problem-solving analysts to track down and hunt for opponents.

“If you don’t have hunters, grow them – or at least don’t stand in their way. Let them evolve into the hunters you need,” he said.

Yoran said organisations should create a culture that embraces the free thinker. “Embrace the freedom to actively hunt for adversaries. You’ll attract the right team and, in doing so, create the right culture.”

‘Reclaiming our heritage’

Companies also need to focus their investments on technologies that enhance rather than replace human creativity and problem solving, he said.

“Technologies that automate routine and mundane tasks help. Black boxes that just throw off alerts without supporting data or explanations provide the illusion of security,” said Yoran.

“We need to know why something is being flagged. We need tools that give us the comprehensive visibility – the perspective to see the whole playing field and when rules are being violated.”

In closing, he said the information security industry was founded and built by “mischievously creative, almost eccentric, pioneering renegades”.

“Let’s reclaim our heritage of intellectual curiosity and rekindle that crazy, creative spirit that brings diverse perspectives,” he said.

“Remember, you are how you behave. Our industry needs to wake up. So, what are you going to do differently this year?”