Day One of RSA Conference Asia Pacific Japan 2015 began with the opening of the Expo floor. Show attendees walked around the floor, listening to vendor representatives demonstrate their solutions and asking questions about specific tools. The hum of conversation was steady throughout the day.
The conference theme this year, change, highlights the evolution of security mindset. Change can be an effect, catalyst, or opportunity. As security professionals, we can either change reactively, or proactively.
Amit Yoran officially opened the conference with the opening keynote in the afternoon. The “old” approach to security was done, and it was time to approach security from a new perspective, RSA Security president Amit Yoran told attendees. He discussed how organizations need to understand the current threat landscape—where attacks are stealthy and typically have never been seen before. He discussed how many organizations still cannot detect attacks targeting known vulnerabilities or using published exploits.
Raimund Genes, the CTO of Trend Micro, followed up by discussing advanced persistent threats, targeted attacks, and cyberwar in his keynote speech. “We don’t need to spread Fear, Uncertainty, and Doubt,” Genes said. While Yoran emphasized that security professionals needed to understand the threats facing their organizations, Genes laid out the challenges in exhaustive detail. An interesting statistic he threw out during the course of his talk: there are typically 15 to 50 bugs in every 1000 lines of code. He also referenced a game at http://targetedattacks.trendmicro.com/, where players try to make decisions as a CIO of a company about to release a biometrically authenticated mobile payment app.
Ken Allan, global cybersecurity leader at Ernst and Young, expanded Yoran’s theme in his keynote. He asked the audience how many people worked for an organization who knew their organization had been breached already this year, and was surprised so few hands went up. “The question is not if your organization will be breached, as it has already happened,” Allan said. “The real question is, are you aware” it has happened, he said. Allan also touched on the fact that different countries have different laws on the books covering breach disclosure and notification. The United States has rules about disclosing breaches, as can be seen by the number of news headlines. For people in countries where they don’t see as many headlines, the question to ask is whether that’s because there aren’t any attacks, or if it’s because organizations don’t have to admit something happened, Allan said.
Cybercrime is an “entire industry with sophisticated value chain and funding,” Allan told attendees. Manipulating the stock market can have a bigger business impact than a bank robbery, he noted.
Allan also threw out some interesting statistics from the Ernst and Young Global Information Security Survey, which found that 56 percent of the respondents were unlikely to detect sophisticated attacks, and 35 percent to 45 percent of respondents said there was a lot of room to improve their security posture. Another distressing finding was the fact that despite the fact that senior executives understand more about cybersecurity and the risks the organization face, 43 percent of the organizations in the survey had no plans to change the infosec budget, Allan said.
Over in the Social Lounge on the Expo Floor, Dr. Hugh Thompson interviewed executives from SODA, the winner of Innovation Sandbox Most Innovative Start Up. RSAC TV recorded interviews with speakers Leonard Ong, the moderator of the Hot Topics in Privacy: A Conversation with Privacy Leaders panel, Jim Reavis, on Security Lessons Learned: Enterprise Adoption of Cloud Computing, Dr. Tobias Feakin, on Asia-Pacific Cyber Maturity, and Zulfikar Ramzan on strategic plans for incident response.