RSA’s Coviello: companies face new reality of persistent threats

It’s been a breathtaking year for mega data breaches. Security token giant RSA last March disclosed an embarrassing hack in which its crown-jewel SecurID token technology was pilfered.

And tech security journalist Brian Krebs in October shed light on a list (presented to Congress) of 760 organizations that were similarly hacked, including a who’s who of the Fortune 100.

That’s just one subset of successful breaches, albeit a big one. Sony, Epsilon, Bank of America, HBGary, DigiNotar, and, most recently, the U.S. Chamber of Commerce also disclosed major data thefts.

RSA, a division of EMC, deserves kudos for disclosing details about how it got penetrated. Such post-event sharing has traditionally been rare among the good guys.

Arthur W. Coviello Jr., RSA’s executive chairman, just sent LastWatchdog this year-end review of key lessons learned and what to expect in 2012.


By Art Coviello

I just came back from a five-week trip of meeting with customers around the world and never in my entire career have CEOs and corporate boards been as interested in security as they are now. The common theme throughout these conversations was that we are facing a new reality – one of persistent, advanced and intelligent threats.

This new reality was reflected in the headline-grabbing attacks throughout 2011, from the attack on RSA to Sony, Epsilon and Google just to name a few. Organizations around the world today are dealing with a deluge of digital information. The velocity of sharing information is skyrocketing as well – driven by web-based applications, mobile devices, social networks and cloud computing. As a result, we all are interconnected as never before.

This new openness to computing infrastructures is creating greater opportunities for collaboration, communication and innovation; but it’s also creating new vulnerabilities that cyber criminals, hacktivist groups and nation states have learned to exploit. Attackers are taking advantage of gaps in security created by complex and disparate technology with increased speed, agility and cunning, easily outflanking perimeter security defenses such as anti-virus software and intrusion detection systems.

If there is a silver lining to this rising threat, it is that the furor around the attacks in 2011 has reached a crescendo; it’s no longer about awareness, it’s about action. I believe that 2012 will be a year of action in which we’ll focus on key areas of improvement and innovation.

Real-time intelligence sharing will become a priority

In the era of advanced threats, greater situational awareness is essential to effectively detect, deter and defend against cyber attacks. The industry needs better frameworks for communicating threat information and strengthening the security posture of all interconnected parties. In my conversations over the past months, people were united in their call for private and public sectors to work on establishing a common framework to share information dynamically and at line speed. Today’s attackers are better at sharing real-time intelligence than their targets, and fixing this should be a top priority in 2012.

Security professionals will bridge the boardroom gap

Never before has information security captured the mind share of board members as it has this past year. Information risk management must be integrated into an organization’s overall enterprise risk management strategy. Now is the time to make security a board-level conversation.

Education and training of our cyber workforce will become front and center

As cyber threats escalate, we need to invest in building the cybersecurity workforce with the requisite skills to defend our enterprises, government and critical infrastructure and help drive continued innovation. Efforts to build cybersecurity programs that graduate more individuals with expertise in computer sciences, risk assessment, analytics, digital forensics and human behavior are underway and should receive our full support.

National governments will prioritize cyber security

Across the globe we are seeing governments prioritize cybersecurity as both a national security and economic security issue. The growth in cyber-crime, the rampant theft of IP and other sensitive information from corporations, and the penetration of defense systems and critical infrastructure by cyber attackers have all contributed to the urgency placed on cybersecurity by national governments. In the U.S., a bill on cyber threat intelligence information sharing between government and industry is expected to pass the House of Representatives, and in the Senate the Majority Leader has said that he will bring a comprehensive cybersecurity bill to the Senate floor by January or February. Shoring up its own defenses, the U.S. Federal Government is ramping up its cybersecurity workforce plans, and forecasts for spending on cybersecurity initiatives top $13.3 billion by 2015.

Organizations will begin to change the way they think about security

Outpacing the advances in today’s cyber threats will take a new approach to information security. Security must evolve from conventional frameworks of uncoordinated static point products to more advanced security systems that are risk-based and capable of meeting the challenges of dynamic threat environments.

Learning to live in a state of compromise, organizations will shift their security budgets away from traditional prevention technologies to detection technologies designed to limit exposure and mitigate damage from threats. The pervasiveness of virtual desktops will grow as organizations struggle to protect endpoints. And the adoption rate of technologies such as tokenization will take off as companies find new ways to protect sensitive and regulated information.

I believe 2012 also will be the year in which security management meets big data – enabled by advances in data storage, compute power and analytics. With this big data capability, security teams will be able to gain real-time access to the entirety of information relevant to the detection and remediation of security problems.

If 2011 was the year of the attack, then I believe 2012 will be the year of resiliency and adaptation within the industry. Our experiences of this year have indeed made us stronger and smarter. Our society has made unimaginable progress over the past 20 years through advances in information technology. It’s our responsibility to sustain this advancement through a trusted digital world.