Fundamentals of security must evolve, especially in the cloud, says RSA executive

The executive chairman of RSA began his discussion with the familiar refrain of how the IT landscape has evolved so rapidly over the last decade. Yet there was something a bit different about this early morning keynote, as an animated Coviello was unafraid to cast some bold statements.

“In my 16 years in this industry, I’ve never sold on the basis of fear”, he said, adding that he would not start doing so at this point either. However, Coviello warned that we presently face “harsh realities” that must be addressed in a collective industry-wide sense.

The transformation of IT has directly affected the threats organizations currently deal with, and with it comes the need for a shift in the fundamentals of security. “We couldn’t even connect in 2001 with anything other than a laptop being the most sophisticated device” at a user’s disposal, he recalled.

Coviello then relayed a metaphor he once employed to illustrate this transformation: “What if the amount of information was the growth in the number of automobiles on the highway? What if the bandwidth was the speed at which those automobiles were travelling? What if the number of apps were the number of lanes on the highway? What if the number of devices we connect with were the on and off ramps to the highway? And what if social media was a sign on every single car telling you who the driver was and something about their passengers?”

“And we expect [security managers] to prevent every single accident on the highway”, Coviello remarked. The metaphor was striking, and within the grasp of anyone who lacks a technical background.

“If we don’t think about how things have changed, how are we going to prepare ourselves for the future”, he asked rhetorically. Even though the number of security tools at an organization’s disposal has increased dramatically over the past decade, Coviello found only one brave soul in the audience who said they felt safer online in 2011 than they did in 2001.

Today’s “attackers are taking advantage of the vulnerabilities that have been created with these changes, and they are doing it at the same speed [defenders] do, but they are doing it with agility and cunning as never before, and they outflank outmoded perimeter defenses that are less and less effective as every single year goes by”, an impassioned Coviello declared, adding that these types of outdated defenses are non-existent in the cloud.

2011 in Retrospect

The RSA executive then changed course to discuss some of the major security incidents to hit the headlines over the past year. First up was the Stuxnet infestation that dealt a hefty blow to the Iranian nuclear program.

Coviello then expressed concern that the Iranian regime now has possession of Stuxnet. “Do you think for one second that they haven’t already reverse engineered it? Do you think over time that the terrorists won’t get more sophisticated?”, he asked the audience. “At some point, if you are part of critical infrastructure, you have to be wary that these guys will develop capabilities, and you have to start thinking about how you will protect yourselves now.”

He subsequently turned his attention to cybercriminals, such as the ones who compromised the Sony PlayStation Network to steal a bounty of email addresses and other personally identifiable information, much of which Coviello said is likely for sale across the internet and can be used to attack other sites.

And then there is the advanced persistent threat, or APT – the three letters that seemed to crop up throughout the year in the security industry. He noted that the US Air Force coined the term APT in 2005, and that the concept was not a “security industry conspiracy to sell more stuff. APT is not just a form of malware, it is a methodology. It’s about specific, targeted attacks that are well resourced, well researched, and difficult to detect.”

The APT discussion led directly into Coviello’s mention of his own company’s brush with the attack methodology. The RSA executive said his company’s employees received legitimate looking emails from known people from within a real company. “Who among your employees would not open those emails?”, Coviello said in RSA’s defense.

Soon after, the RSA executive chairman’s voice rose dramatically. “The security dogmas of the past are no longer adequate”, Coviello declared. “Many security technologies are past their freshness dates, offering diminished value. All of us as security professionals need to change the way we think.”

Then he had what could best be described as a Nikita Khrushchev moment – sans shoe – as Coviello reflected on recent comments he received about the security breach situation being hopeless.

“It is not!”, the animated Coviello implored as he pounded his fist repeatedly on the podium. Because there is no turning back the clock, he noted, “we must change the way we do security, and it is especially important as we migrate to the cloud”.

In response to what some see as hopelessness, Coviello said security systems must evolve to be “resilient enough to see an attack in progress and minimize and limit the window of vulnerability”.

First, he concluded, fundamentals of security must change from perimeter-based to logical and information-centric; security must move from being bolted onto systems to being built in and automated; and the static/reactive posture must morph into an adaptive and risk-based approach.
