Having just returned from the annual RSA (News - Alert) conference in San Francisco, it only seems appropriate to look at a high level at what transpired. Behind the roughly 500 exhibitors, the packed event floor, the equally jammed keynotes and panel discussions, blizzard of press releases and great conversations with vendors and CSOs alike, there were some common themes worth highlighting. I left the event exhilarated (there are a lot of really smart and innovative folks working the challenges) as well as sleep deprived. The latter due to the descriptions of not only the maliciousness and deviousness of the bad actors, but the scale and scope of what IT professionals, indeed all C-levels, now have on their hands.
Realities are as one pundit noted during an early session, “We have been living with a 2003 view of cybersecurity in 2013.” The point was well taken. It used to be that what Chief Security Officers (CSOs) and their minions had to deal mostly with internal threats by disgruntled employees operating behind corporate firewalls, and protecting the perimeter from “barbarians at the gate.”
Unfortunately, we are in the midst of a perfect storm. The combination of bring your own device (BYOD), the concomitant explosion in apps (internal and increasingly those from external app stores or unapproved third-parties), virtualization, the cloud, governance and compliance issues and the aforementioned dexterity and ingenuity of the bad guys has created a “new normal.”
In this “new normal” security now must be much more proactive as well reactive. Real-time is the only time and that may be too slow. Cyber risk management is now a top level agenda item globally for all C-levels and hence not just an operational expense to be managed by IT. The scope of what needs to be classified, analyzed, managed and constantly updated now includes worrying about the security of:
In short, “E”verything needs to be accounted for, watched, secured, managed and analyzed. And, as will be seen below, the nature of priorities are changing as various threats become more prevalent and virulent.
What this has meant in some cases a whole new jargon is emerging which people need to pay attention to in order to literally survive. For example, in industry-speak, the number of “vectors” (areas of exposure to attacks) has increased, and more “visibility” is needed along with better “context” for doing “reputation management.” Having a firm grounding in the details behind that sentence, when couple with the increase in high profile attacks from not just those playing pranks, but those seeking to monetize the behavior through theft of intellectual property/industrial espionage, destruction of critical assets, brand defamation that goes viral, etc., is the reason no doubt as to why attendance at RSA has almost doubled in the past few years. Customers looking for answers, and the industry is responding with a burst of innovation as realized in a host of new capabilities.
Hitting the highlights
All of what follows are trends I will be keeping a close eye on. A good place to start is with three important ideas conveyed to me that are great food for thought.
First, with a tip of the hat to Tim Rains, Director of Product Management at Microsoft, he explained that a way for security professionals and non-security professionals to look at the headlines and ponder what to do is to realize that in the online world we need end-to-end thinking. This translates into evaluating processes and protections starting with the creation of information using processes that reduce vulnerability to corruption from the get go, assuring the integrity of data (physically and virtually) when it is stored, and then dealing with the increased complexity of when data is on the move. In other words, who, what, where, why when, how and under what conditions people, devices, apps and processes have authenticated access under strictly defined yet dynamic policies and rules. It also means having the tools to correlate anomalies across what in many cases have been siloed databases in order to have that proactive ability and responsiveness that is now a mandate.
Second, and with thanks to David Knight, EVP Product Management and Marketing at Proofpoint and Frank Cabri, VP of Worldwide Marketing at Centrify, two related thoughts should resonate. Knight said, “We live in post-perimeter world.” Cabri added, “Identity is the new perimeter!”
Finally, SafeNet CEO Dave Hansen described the company’s “Breach Level Index Initiative,” Verizon Managed Security Services is about to put the finishing touches on its latest and most comprehensive Data Breach Security Report (Data Breach Investigations Report), Narus and a host of executives from other leading companies I spoke with all said roughly the same things need to be addressed by the industry. Many have their own solutions in the space or soon will at least for their customers, but the needs include:
-Data from the outset (as in what is hyper critical and what is less so)
-Attacks by type, severity and targets
-Best practice counter-measures
The point about classification is key and opens a real can of worms. As various speakers noted during the event, it is estimated by both industry heavy weights McAfee and Symantec that upwards of 70 percent of cyber attacks go unreported publically. Some feel that the stigma of having been a victim is fast being removed and that it is becoming a badge of honor to have been attacked, but this seems more like spin than reality. They also noted that quick classification coupled with the application of big data and other analytic techniques that could improve defenses and response times might make various enterprises want to step forward with how well they are doing as a point of product differentiation. In fact, the financial services and healthcare industries are the most likely candidates for this.
The classification discussion also leads to a talk Dave Frampton, VP/GM Secure Access and Mobility Product Group at Cisco had regarding access management and the need for federated access across the cloud going forward. It also underscored what appears to be a growing need as the nascent Security as a Service (a different and more specific type of SaaS (News - Alert)) starts to mature of the need for what for better or worse can be called a security control plane so that CSOs and their service providers have the visibility and control to orchestrate properly all of their security capabilities.
Finally, on the last point about “context” it is hard to underestimate the importance of what the industry means when it uses the term. Roughly translated, this is the creation of behavioral profiles by people, devices, processes and apps so that using big data anomalies can be more quickly detected a remediation executed.
There is more
If you look up my contributions of the last several days, you will see that I posted articles regarding: “Smishing” which is text messaging based phishing; and “Longlining” which is the diabolical practice of sending out massively yet customized corporate phishing attacks. A few other terms that are absolutely at the top of the security industry buzz that I have or will cover are:
There is a lot more and you will see a rolling thunder of news on these and host of other critical security topics, including device management, protection of the power grid and keeping those assets safe, and the entire area of protecting machine-to-machine (M2M) interactions. I will not bore you with the details of several discussions I had with people about what happens in a world of driverless cars when bad actors have a contest to see who can create the biggest freeway pile-up, or the one I raised about who might have access to the remote monitoring and management of pacemakers.
As the headline states, this was a big show dealing with big challenges, and really scary activities. The good news was that security is no longer just viewed by C-levels as an operation expense but rather as a part of a holistic view of risk management is seen as a way to assure business vitality, continuity and in many cases differentiated value. The industry is vibrant with solutions, and there is a willingness to listen and to pay.
I also wanted to close by noting that I will be moderating a one-day event on July 23 in New York City called, “SecureIT: Protecting the Enterprise in a BYOD World.” Consider this your save the date. I can’t reveal who will be speaking but you will be hearing from us very shortly about all the details. I can promise that the topics above will be addressed, and all of us will have an opportunity to discuss the challenges that lie ahead, and how the best minds in the industry are looking to give all of us increased peace of mind.