2015 RSA Conference: Challenge Security Thinking
The theme for RSA 2015 was the title of this article and sound advice in an era fast evolving into a global IoT (Internet of Things) environment. Two (of many) trends discussed at the show highlighted that digital crime has accelerated globally, and the attack surface (read criminal opportunity) of the IoT vastly compounds this growth rate.
The issue is if our security professionals can keep pace with the emerging risks to business operations that the IoT enables. To say that the cyber industry is growing to address these risks is an understatement. At the 2015 RSA Conference of the 409 exhibitors, 115 were new entrants at the show! The sessions included all topics cyber, as well as physical security, government policy issues and international law enforcement collaboration.
To that point, Trend Micro hosted an insightful session, “The FBI and Trend Micro – Combating Cybercrime within your Organization,” providing a global threat overview and suggestions for collaboration with security vendors, the FBI and international police organizations. Tom Kellermann is the Chief Cybersecurity Officer at Trend Micro, Inc., and the poster boy for the national television media (Bloomberg, CNN, Fox News) to explain the latest trends in cyber breaches, actor motivations and the overall societal impact. Kellermann summed up the state of the industry nicely while citing Interpol statistics that traditional (physical) crime is down 10 percent globally, year over year. However, he posits that this is not because criminals are attending church services, but rather because they are migrating their full time and attention to cybercrime. In fact, he states, “Organized crime worldwide is now fully engaged in cybercrime as a growth industry.” Add to this scenario the fact that geopolitics has entered the cyber realm, using specific tools and tactics as levers to advance strategic political agendas, and you get the real sense that both global risk and security are taking on entirely new definitions.
The reality is that a core group of talented hackers (approximately 200-300 worldwide) are deploying malware “kits,” complete with customer support services, to the public. As Kellermann notes, “Advanced Persistent Threats (APT) have become commoditized. The arms bazaar of Eastern Europe allows for non-state actors to deploy asymmetrical capabilities to be leveraged worldwide.”
Unfortunately, this is the new normal and it is occurring at a time when converged systems, sensors, and mobile devices are exploding. We can hope that end user cyber education will catch up with the criminal exploits, but the sad fact is that our websites are targets for watering hole attacks, and secondary infections are the norm. Cyber hygiene is important, but when a sophisticated cyber criminal or state actor is involved, security must blend personal device protections with a much broader risk management strategy. Our emerging IoT environment compounds the risk concerns for every company, global supply chain, critical infrastructure and individual. Today’s security professional also has to be ready for CHANGE, and challenge “yesterday’s” security thinking.
Cyber criminals are breaching IP connections to move laterally into enterprise networks to hack everything from POS (Point of Sale) systems and databases, to video surveillance cameras and access control devices. Everything connected is at risk…and everything is connected. In this scenario enterprise security professionals need to be one step ahead of the latest threats and rapidly communicate that information. The intent of the adversary today is not to smash, grab and go, but to copy, eavesdrop and maximize dwell time. Enterprise security professionals today expect the breach. With our IoT deployments continuously expanding the threat landscape, device convergence has become a risk management discussion.
For the latest trends impacting converged security, I suggest following the experts at Trend Micro (http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/). Kellermann encouraged companies and the public at large to collaborate with the FBI via local InfraGard chapters (www.infragard.org).
In fact, FBI Director James Comey’s cyber strategy was discussed at length:
- Empower Local Officials (Law enforcement, local government)
- Put Hands on People (Make arrests)
- Shrink the Globe (Collaboration)
- Partner with Private Industry (InfraGard)
Regarding cyber countermeasure strategy, Kellermann’s advice is to remember that “Offense Informs Defense” when considering risk and putting security threat information into context. As for a specific deployment tactic, he offers focusing international policing resources on “curtailing digital money laundering,” a new-age spin on an age-old crime. Perhaps following the money is the best strategy to attack the attackers; after all, it worked on Al Capone at a time when he appeared to be as invincible as today’s cybercrime adversaries.
Dmitri Alperovitch, co-founder and CTO at cyber firm CrowdStrike, hosted an interesting panel titled “Cyber Battlefield: The Future of Conflict,” that included Jason Healey, Director Cyber Statecraft at The Atlantic Council; Martin Libicki, Senior Scientist at RAND; and Adam Segal, Senior Fellow, China expert and cyber guru at the Council on Foreign Relations.
The discussion was wide ranging, and I was surprised to hear Alperovitch comment that, “The vast majority of cyber-attacks, over 90 percent, are espionage related.” To that point, Adam Segal stated, “Chinese cyber and industrial policy are both targeting U.S. companies, and a broader struggle is emerging.” (This includes intellectual property theft and source code requirements tied to Chinese business and trade issues.) However, he suggests the dichotomy is that major U.S. firms like IBM and GE complain of Chinese cyber theft of IP, but turn around and announce long-term business relationships in the country. Which is it?
Healey believes that the White House is making progress playing “small ball” and that a broader and better-coordinated cyber policy is taking shape. “We are scoring runs, but the next couple of innings look bad because there are heavy hitters on the opposing side.” His position is that the attackers have always had the advantage since the first days of the Internet, and the goal is to actually “Get the Defense better than the Offense” – so we can recognize breaches earlier and respond faster. One recommendation he suggested: convince Warren Buffett (and institutional investment firms) that in order to get investment dollars, firms need to take cyber defense more seriously.
Libicki stressed a few excellent points when he advised, “Avoid the metaphors of CYBERWAR. Offense is not a policy action. You are not in the war business… you are in the risk management business.” He also summarized that if you want to fix the cyber problem, “spend the money on securing software.”
The panel session, “The Evolution of the Cybersecurity Executive Trifecta: The CSO/CIO/CISO,” had Rick Howard, CSO at Palo Alto Networks, discuss the current state of cyber management, offer suggestions and provide a link to a reading list of cyber books. He described the current CISO role as the “Rodney Dangerfield of the security profession,” with an average tenure of only 18 months. He blames the problem on security professionals (CSO/CISO) who do not understand the businesses they are protecting. As such, the communication skills required to put the security discussion into a business context are lacking, or many times absent. This causes a fundamental miscommunication regarding the cyber threat to business operations, and negatively impacts the senior-level support and funding needed to combat it effectively. To underscore his point, Howard states that, “The security convergence topic is a risk management discussion,” and outlined the top three areas for improvement:
- The CSO/CISO should run the organization like a business.
- The Security executive needs Board-level representation.
- Today’s CSO/CISO lacks business communications skills.
The business discussion involves the following key areas with an understanding of how they converge into an overall risk management framework: cyber risk, business continuity, fraud investigations, compliance, brand protection and employee safety.
Howard suggests that the security professional (CSO/CISO) should not be reporting to the CIO; rather, the optimal environment is a healthy tension between the CIO and the CSO/CISO as peers in the organization, reporting to the same senior-level executive, whether a CFO, COO or CEO.
Howard suggests visiting the Palo Alto Networks Cybersecurity Canon website for a required reading list (https://paloaltonetworks.com/threat-research/cybercanon.html). Cyber education, like the threats, never ends.