RSA Europe 2013: “Anonymity is the Enemy of Privacy”, says RSA Chairman

Art Coviello during his opening keynote address at RSA Europe 2013. All rights reserved by RSA Conference

Alluding to recent disclosures regarding US government surveillance, Coviello said “There are absolutely legitimate concerns about having network activity monitored at a very granular level”, adding that privacy of the user should be a consideration. During his opening keynote address at this year’s RSA Europe conference in Amsterdam, he recalled that some customers have refrained from deploying technologies that would protect their own – and customers’ – privacy, for fear that it would violate the privacy of their own employees.

“Of course, that conundrum ignores the fact that the exact same technology would protect those workers’ privacy. This demonstrates the consequence of pitting security against privacy”, he asserted. Coviello called for a proper “alignment” between security and privacy, drawing a parallel between the opposite poles of a magnet. “Aligned, they each attract each other”, he said, “forming a powerful bond.”

Coviello stressed that having both security and privacy is not impossible. “But we must align the two in an environment that can be trusted by everyone”. He described a three-legged approach that included the application of transparency, strong governance, and technology that can ensure this proper balance, calling it “the only way privacy is still possible today, given the open, interconnected nature of our digital world.”

He nonetheless admitted that monitoring data flows for anomalies on such a wide scale has the potential for misuse and cautioned against the development of a Big Brother state that would severely curb innovation. “We must strike a balance between the extremes of an Orwellian oversight of the people, using our networks, and an equally dogmatic allegiance to anonymity, which in reality is the enemy of privacy.”

Repeating the words “Anonymity is the enemy of privacy”, Coviello said that digital adversaries desire such anonymity to misuse data without fear of being caught or prosecuted. “We must be transparent”, he added, calling it the largest problem facing the public today. As part of this transparency, as he outlined, governments must explain to people how they are monitoring network activity, and that they are doing so to protect both the privacy and security of citizens.

Intelligence-driven Security

Coviello also touched upon how Big Data analytics can provide a wealth of actionable information for security professionals, but at the same time aggregates this data for possible misuse by hackers. Add to this, he noted, the billions of IP-connected devices that are anticipated along with never-ending streams of personal information that users volunteer via “social media sites and vendor loyalty programs, unwittingly it also gives our adversaries new avenues of attack that we have paved ourselves.”

As a result, said the RSA chairman, “traditional methods of defense are increasingly ineffective”, along with a disappearing perimeter. “Physical infrastructure will be harder and harder to protect, and traditional security controls are becoming obsolete. We are in danger of being overwhelmed by these changes to our environment.”

Despite the gloomy picture he painted, Coviello expressed confidence in the infosec industry’s gradual shift toward an intelligence-driven security model. “[It] promises a radically different, much more effective model of security using Big Data thinking and technologies”, he said, and the process begins with a more comprehensive understanding of the risks that organizations face.

“In this model, more agile and dynamic controls – that can react to facts and circumstances – replace those outdated perimeter ones”, Coviello explained. “These controls will have their own analytic capability (intelligence) to detect and respond to attacks in a timely manner, preventing [data] loss.”

The key to a more effective, intelligence-driven security strategy is providing context, he concluded – an ability to not simply aggregate data, but develop a comprehensive picture of attackers, their methods, and security risks. Such context includes the integration of security controls that can interact and inform each other, and intelligence gathering on potential attackers, network traffic, and user behavior. Coviello drew a comparison between such a strategy and those employed by law enforcement on a local level, saying that security technology needs to be more like the beat cop who is intimately familiar with “normal” activity in his/her neighborhood, whereas most technology acts more like a police headquarters, collecting information but lacking this intimate, site-specific knowledge.

“When we comprehensively understand the context of normal behavior – people and the flow of data over networks – we are able to transcend the reactive models of the past to more clearly and quickly spot even the faint signal of any impending attack…in the midst of an increasingly noisy environment”, he said. “This is what makes intelligence-driven security future proof. It eliminates the need for prior knowledge of the attacker or their methods because no matter how clever, sophisticated, stealthy, and well-resourced our adversaries are, at some point – if they are to gain value from their actions – they will have to do something out of the ordinary.”
