As predicted by SC Magazine some time ago, the RSA Conference Europe has been all about the advanced persistent threat (APT).
With RSA's own incident firmly on the opening agenda and dozens of experts ready to share their thoughts on this modern attack, there were key mentions of this particular trend. In the first panel debate in the keynote theatre, chair Paul Simmonds, Jericho Forum board member, said if an attack is detected, then by definition the attacker has failed. “Perhaps it is an average persistent threat,” he said.
Uri Rivner, head of new technologies and consumer identity protection at RSA, said a lot of attacks are targeted, but not all are an APT. John Howie, senior director at Microsoft, commented that the APT accounts for a small number of attacks and it is targeted at specific entities.
“At a business it takes time, energy and effort away from other work and it is important to distinguish the real issues that are at hand,” said Howie.
He added that most organisations are not equipped to defend against an APT. “If you are a target, they will go after a big thing, and if you defend that, you can deal with it. Do not just focus on APT or you will get paranoid – start dealing with issues first,” he said.
However, Rivner claimed that high-profile attacks had made it easier to go to the board and say "we need these things to equip ourselves".
Wolfgang Kandek, CTO of Qualys, said a small business with a small or part-time security team should carry out risk analysis because good system administration can be very helpful.
In another panel discussion, Paul Dorey, former CISO at BP and now director at CSO Confidential and board member of Jericho Forum, said the APT is "one of the bitterest pills for security professionals to swallow".
Eddie Schwartz, chief security officer at RSA, said the key is to spot malware at speed, and it is a combination of breaking down barriers and choosing the right combination of threat and intelligence sources.
Martijn Dekker, CISO at ABN Amro, said companies do not have to reinvent systems; they just need to reapply security. “People are the new perimeter and you need to invest in them. New processes and people have completed a policy that they may never see again in their career, so it is not effective. We want to know what confidential data was leaving, so we can use it and share real incident examples.”
He added that ABN Amro's annual staff survey found that the number of social engineering threats received by staff had increased four-fold. Asked if this was because of more attempts, Dekker said that staff are more capable of recognising these threats.
In terms of spotting malware, Schwartz said an effective strategy is to balance prevention with detection, as businesses are too limited by prevention, and detection is critical.
This is far from the final word on APT, but with one of the major security conferences highlighting the issues so broadly and offering solutions around it, perhaps 2012 will be the year of APT solutions?