A need to keep up with adversaries, hiring the right people and advances in technology were the key themes of the RSA Conference's opening keynote.
In his presentation in San Francisco, Art Coviello, executive vice-president of EMC Corporation and executive chairman of RSA, walked on stage to the Rolling Stones' You Can't Always Get What You Want and walked off to Twisted Sister's We're Not Gonna Take It. In between he talked of the need to match adversaries following a year of incredible change.
He claimed that trust in the digital world is in jeopardy despite public advances as "new breeds of cyber criminals, hacktivists and rogue nation states have become as adept at exploiting the vulnerabilities of our digital world as our customers have become at exploiting its value".
Coviello blamed a "slow response to recognise the potency of the emerging threat landscape and our inability to band together", which he said has allowed adversaries to be better co-ordinated, develop better intelligence and easily outflank traditional perimeter defences.
He later pointed to the consumerisation of IT, saying that the industry was past the tipping point where personal and professional lives can be separated and, just as IT organisations must learn to manage what they can't directly control, security organisations must learn to secure what they can't directly control.
“The result is our industry is being challenged as never before. We need even more from security because we are at serious risk of failing. Today's security models are just inadequate and, with current trends, will only become more so,” he said.
“In my 17 years in the security industry, I have never sold on the basis of fear. I am not about to do that now. As security professionals, we have demonstrated time and time again an enduring resiliency and ability to innovate to give others the confidence to realise the potential of the information age. But, I tell you, we face some harsh realities.”
He then addressed the attack on RSA, which took place after last year's conference, saying that the industry has been through hell and that he and his colleagues "feel this as personally as anyone else in this room".
Coviello said: “Never has our responsibility to you been as firmly etched in our minds. We have been dedicated to regaining and maintaining your confidence since our breach. We have a sense of urgency, as never before, to apply the lessons we learned first-hand and use the privileged insights that we obtained from other attacks.
“We have been sharing them and using them to drive our strategy, our investments and product roadmaps. In the final analysis, we hope that the awareness from our attack will strengthen the sense of urgency and resolve of everyone. Because the fact is, we are not alone.”
He went on to say that the volume of attacks in the past year is unprecedented, with targeting more sophisticated than ever, and the industry should understand that "an attack on one of us is an attack on all of us".
Calling on the industry to learn together from these experiences and emerge from this “hell” smarter and stronger, Coviello said "it's time for us to fight back with creativity and innovation".
He said "we have to stop being linear thinkers, blindly adding new controls on top of failed models" and need to recognise that perimeter-based defences and signature-based technologies are outmoded; he added that educating IT users about how to harden security is important, but we should appreciate that people will make mistakes.
“However, accepting the inevitability of compromise does not mean that we have to accept the inevitability of loss. We can manage risk to an acceptable level. We won't stop every individual attack, but we can reduce the window of vulnerability from all attacks, and put the balance of control back firmly in the hands of security practitioners,” he said.
“Just as our adversaries have taken advantage of the sheer speed and availability of information on the internet, we need to do the same. We can unearth the wealth of intelligence that is buried in those very same infrastructures and use that intelligence to our advantage.
“Our mindset must shift from playing defence and tracking meaningless individual events. We need the capability to sift through massive amounts of information lightning fast, creating pre-emptive and predictive counter-intelligence to spot the faint signals that may be all that's visible in a sophisticated, stealthy attack.
“The reality today is that we are in a race with our adversaries – they win when they can spot weaknesses and exploit them faster than we can identify the attack patterns and prevent them.”
Looking to the future, he said RSA sees intelligence-driven systems as having three distinct properties. First, the system must be risk-based, and users must learn to evaluate risk at more substantive and granular levels. Second, an intelligence-driven security system must be agile, because existing approaches to managing security operations lack the situational awareness, deep visibility and environmental agility needed to detect and thwart sophisticated attacks. Third, it must have contextual capabilities, because an agile system of controls and monitoring is effective only when a security event is delivered with complete context around it.
Coviello went on to say that the security industry is "woefully short of the human resources to carry out this vision" and a new breed of cyber-security analyst should be championed, with more military experience and intelligence utilised and less focus on traditional IT security technical experience.
“This new breed of analyst must have the right analytical skills, big-picture thinking and much-needed collaborative people skills to ensure smooth information sharing with multiple stakeholders,” he said.
“But most important, they need to be offensive in their mindset: constantly evaluating external intelligence, tweaking security data models and finding new ways to identify and intercept threats on the horizon.”
He concluded by saying that it is time to work together to "ensure that the balance of control of our digital world remains in the hands of security practitioners".
“We can give our industry the structures it needs to share intelligence so that we can all be in this fight together, and that knowledge gained by any one of us becomes power for all of us,” he said.