The “old” approach to security never worked, and it was time to abandon that mindset and embrace new ones, Amit Yoran, president of RSA Security, said in his opening keynote for RSA Conference Asia Pacific Japan 2015.
“We have sailed off the map” and the current environment is unknown, Yoran said. And the industry can’t keep trying to sail with the old map, the old mindset, in these uncharted waters, he added. Yoran evoked the same metaphor during his keynote speech at RSA Conference in San Francisco back in April.
Yoran’s keynote began with a short discussion on identity. In the physical world, we have many different ways to identify ourselves, including ethnicity, religion, nationality, and language, but it’s “ironic” that our digital selves rely purely on username and password, Yoran said. While we use biometrics or other methods tied to our physical selves to authenticate face-to-face interactions, we rely on just usernames online.
Identity is a challenge. It’s not just about giving the right level of access to the right individual, but also denying any access to the wrong individual. This requires a better, more sophisticated, understanding of the threat landscape.
The bad guys are “outmaneuvering and outgunning” security professionals, Yoran said.
The only way forward is to change our mindset about what the threat landscape looks like and the best ways to defend ourselves. There is a “misguided notion” that prevention can keep the bad guys out. “It can’t,” he said. We can’t keep relying on legacy methods of protection, the tools that rely on attacks we’ve already seen and the ones that just build higher castle walls.
“The game has changed.”
Advanced protections are insufficient for today’s threats. Advanced protections can—and do—fail, especially since many of today’s adversaries are creative, well-resourced, and focused. Challenge the vendors to make sure the offered solution really would help, and doesn’t just perpetuate the mentality that security just needs deeper moats and thicker walls. “No matter how high or smart the walls, focused adversaries will find ways over, under, around, and through.”
Deep, pervasive visibility from the endpoint to the network to the cloud is necessary. Attacks are stealthy, which makes it even more important that you can see all elements. “The single most common and catastrophic mistake made by security teams today is under-scoping an incident and rushing to clean up compromised systems before understanding the broader campaign,” Yoran said. By rushing to clean up the systems, security professionals tip off the attackers. More importantly, the attackers can figure out what the defenders know and don’t know about the attacks, and adjust their methods accordingly to burrow deeper into the network.
Identity management matters more than ever. Malware accounts for less than half of advanced attacks. Most breaches where confidential data was stolen relied on stolen credentials, and the attackers “walked right in,” Yoran said. “Don’t trust the actions of the trusted,” Yoran warned, noting that privileged accounts are frequently targeted. “At some point in every successful attack campaign, the abuse of identity is a stepping stone the attackers use to impose their will.”
Organizations must leverage external threat intelligence. It’s difficult to identify when something is wrong if the organization doesn’t know what “normal” looks like, Yoran said. “[Threat intelligence] should be operationalized into your security program and tailored to your organization’s assets and interests so that analysts can quickly address the threats that pose the greatest risk.”
Security programs must be guided by an understanding of risk. “You must understand what matters to your business and what is mission critical,” Yoran said, in order to “defend what’s important and defend it with everything you have.”
These five concepts, if applied, do work, Yoran asserted. But applying them requires organizations to be willing to let go of the legacy mindset. That appears to be a recurring theme, and attendees will do well to embrace the message.