Opening Keynote: Arthur W. Coviello, Jr. (Keynote Summary)
Tuesday, April 3, 2012
Keynote summary by Gaspar Modelo-Howard
The State of Security
Arthur W. Coviello, Jr., Chairman, RSA, The Security Division of EMC
Mr. Coviello opened his keynote with a quote from Nicholas Negroponte: “Internet is the most overhyped, yet underestimated phenomenon in history”. This statement, Mr. Coviello argues, it is still true today. And to determine the state of security, one does not have to look beyond the state of the Internet.
The growth of the Internet has driven the evolution of computing in the last few decades. Computing has gone through radical transformations: from its early days with mainframes, to computers, moving later to networks in the 80s and then to the rise of the Internet and the World Wide Web in the mid 90s. We are currently experiencing a confluence of technologies and trends (cloud computing, big data, social media, mobile, consumerization of IT) that make clear that the next transformation of computing is well underway and creating new challenges to security. Coviello contended the past evolution of IT infrastructure gives clear signals to the fast and deep changes security should continue to experience in the future. As an example and in just a couple of years, the IT industry has moved from 1 exabyte of data to 1.8 zettabytes, from the iPod to the iPad, from 513M to over 2B Internet users, from speeds of 100kbps to 100Mbps, and from AOL to Facebook (which would be the 3rd largest country in the world, by considering its number of users as population).
Coviello then used an interesting analogy to explain the impact in security of the continuous growth of the Internet, and therefore the need to better empower security. Imagine that the Internet is a highway system that is experiencing an exponential growth in the number of cars that use it. The highway system then needs to increase the number of lanes of existing roads, add new roads, and provide better ways for cars to access the system. But all this growth also increases the number and complexity of accidents on the roads. Then, security needs to grow accordingly to better manage (prevent, detect, and respond) the new scenario of potential accidents.
Looking at the security world, things have also changed dramatically over the years. Not long ago there were tens of thousands of viruses and their corresponding signatures, where as now there are tens of millions. Organized crime and spying online is a very real threat today that was not really happening in 2001. The scenario is then more difficult today for security practitioners to protect their networks. Stuxnet opened a new threat era for security. We have long moved away from the times of script kiddies. The new breed of attackers include: (1) non-state actors, like terrorists and anti-establishment vigilantes; (2) criminals, that act like a technology company by expanding their market around the world to distribute their products and services, and have sophisticated supply chains; and (3) nation-state actors, which are stealth and sophisticated, difficult to detect, well-resourced, and efficient.
Coviello briefly explained the high profiled breach experienced by RSA in 2011. They were attacked by two advanced persistent threat (APT) groups. From the steps taken, it is very clear that a lot of research on the company was made before the attacks. Phishing email was used to get inside their networks, sending the messages to a carefully selected group of RSA employees. The messages included an Excel attachment that contained a zero-day exploit (Adobe Flash vulnerability), which installed a backdoor when triggered. The attackers knew what they wanted, and went low and slow. The attack went on for 2 weeks, with RSA staying two to three hours behind the attackers’ moves. The attackers were able to ex-filtrate information from the networks, but RSA ultimately determined that no loss was produced to the company from the attack. As for the experience, Coviello acknowledged that is still not a good idea for a security company to get breached.
We are past the tipping point, were physical and virtual worlds could be separated. Additionally, the confluence of technologies and trends is creating more ‘open’ systems. The security industry is challenged as the open systems are more difficult to secure (than close systems, each under a single domain). We need to secure what in a way can’t be controlled. It is then not difficult to explain what has happened recently, in terms of breaches. In 2011, many high-profiled attacks occurred (in what others have labeled as the ‘Year of the Security Breach’) to big organizations like Google, Sony, RSA, PBS, BAH (Booz, Allen, Hamilton), Diginotar, and governmental entities such as the Japanese Parliament and the Australian Prime Minister.
Coviello argued that vendors and manufacturers must stop the linear approach used in the security industry to keep adding layer after layer of security control mechanisms. Security products should not be silos. We need to educate computer users, but keeping in mind that people make mistakes. After all we are humans. Our mindset must change from playing defense, as protection from perimeter does not work alone. Also, security practitioners and technologists must show an ability for big picture thinking and having people skills.
We need to get leverage from all security products, therefore the need to move away from the security silos architecture. Fortunately, the age of big data is arriving to the security world. Coviello provided a definition to big data: collecting datasets from numerous sources, at a large scale, and to produce actionable information from analyzing the datasets. The security objective is then to reduce the window of vulnerabilities for all attacks. The age of big data should also promote the sharing of information, which unfortunately is currently a synonym for failure. Organizations do not work together to defend against attacks.
Mr. Coviello calls for the creation of multi-source intelligence products. They must be risk-based, as there are different types of risks and should consider the different vulnerabilities, threats, and impacts affecting each organization. The intelligence products should be agile, having deep visibility of the protected system. They should detect anomalies in real time and the corresponding responses should be automated in order to scale and be deployed pervasively. Unfortunately today, systems are a patchwork of security products, focusing only on compliance. Finally, the intelligence products should have contextual capabilities. The ability to succeed against attacks depends on having the best available information, not only security logs. Such information should come from numerous sources, not only internals.
The Q&A session included several interesting questions, after the stimulating talk. The first one asked about the possible impediments to achieve the goals outlined in the talk. Coviello pointed out three potential roadblocks. First, the lack of awareness regarding the impact of a security situation by the top board of the organization. Top management should understand that security problems are the responsibility of the whole company, not just the IT department. Second, ignoring the requirement to follow a risk based approach when making security decisions and developing strategies. Third, is important that security programs grow as organizations increasingly rely on their IT systems.
A question was made regarding the asymmetric threat that security practitioners face and what can be done about it. Coviello pointed out the need to work around risk analysis in order to reduce the potential risks faced by organizations. It should be understood that the digital risk cannot be reduced any more than the physical risk. So organizations should get more sophisticated on the analytics, following a risk-based approach.
A member of the audience pointed out that several federal cybersecurity policies are based on the concept of defense in depth. Such concept is not driven by risks, which ultimately might raise costs to organizations required to comply with policies and regulations. Coviello agreed that if a risk-based approach is not followed, security programs might not achieve cost effectiveness. He also mentioned that defense in depth is sometimes misunderstood as it is not a layering mechanism to implement cybersecurity. It should encompass information sharing among organizations and even countries. He offered an example, calling for ISPs to play a more aggressive role and work with organizations to stop the threat from botnets.
A final question was made regarding the push by elected officials to use electronic voting, especially in small counties that might lack the resources to protect those systems. How to make elected officials understand the risk faced when using electronic voting, when such authorities usually do not have the capability to secure the voting system? Coviello sounded less than enthusiastic about electronic voting. But more importantly, he said there is a need to aggregate the security expertise and services so it can be outsourced to small and medium-sized organizations. The security industry should follow on the steps of the software and hardware industries, offering outsourcing services and products.