Put about 100 chief information security officers, CIOs and CEOs into a room and what they are willing share about cybersecurity just might surprise you. More information about just what they shared will be revealed soon in a report stemming from a closed-door Summit on Advanced Persistent Threats held in Washington, D.C., in July, where business and government security professionals acknowledged to each other that their organizations had either been hacked through stealthy infiltration to steal valuable sensitive information and intellectual property, or that they wouldn't know it if it had been.
The meeting, which covered advanced persistent threats (APT) and other security breaches, was organized by trade group TechAmerica and EMC's security arm, RSA.
RSA, of course, is the well-known victim of an attack disclosed this past spring in which highly sensitive information about SecurID was stolen and later used to attack at least a few RSA customers, including Lockheed Martin. Some have suggested the RSA-related breach was carried out by China, but the security company declines to comment on this.
"What was different about this [summit] was that RSA was sharing their insights, saying this happened, and it set the context for other people to discuss," says Bill Boni, vice president and corporate information security officer of T-Mobile USA, who attended the summit.
SECURITY ISSUES: HIPAA has teeth and will bite over healthcare privacy blunders
There's growing realization that organizations must learn to live in a state of compromise and focus on limiting the damage, according to those who attended the meeting.
"It means change your mental gestalt in a way," says Boni, adding that it's not realistic to think perimeter controls are decisive defense when users are tricked by hackers via exploits such as phishing scams.
"It's an unrealistic expectation that you never lose a game or an opponent isn't going to score a point against you," Boni says. "Corporate lawyers are adverse to corporate security officers admitting, 'We got owned by the APT,'" but he says there needs to be a better way for security managers to speak candidly among themselves in order to get a better picture of how the APT problem might be occurring.
Since experiencing its own devastating APT incident, the wounded RSA took to organizing the equivalent of high-tech group therapy to talk about APT. "We have a lot to share on that front," acknowledges Eddie Schwartz, chief security officer at RSA.
"There's the notion that the adversary is much better at threat intelligence than we are," he says. "The adversary gathers open-source intelligence and they do data-mining before an attack."
In contrast, companies getting hit find it hard to even have a candid discussion or share information quickly so the larger community can benefit from anyone else's knowledge. Schwartz argues there is even a need for an IETF standard to help in assist in data-sharing in this regard.
The APT Summit suggests government and business outfits are finding themselves on the defensive, lacking even a preferred way to communicate about the threats they're trying to stop.
Boni says he understands why RSA would suggest a standard because there is a need for sharing APT information "machine-to-machine." The model used by the antivirus vendors in malware distribution for many years offers ideas for such a rapid real-time process. "Instead, it would be like a global SIM [security information management]," Boni suggested, with certain identifying information anonymized.
But companies are also doubtful that technology -- and specifically signature-based defense -- can protect them, since attacks are often highly customized in terms of malware. The naïve employee, clicking on whatever is interesting in email or on the Web, has become the attacker's easy way into the corporate network. An employee tricked by a phishing scam is how the attacker compromised the RSA network.
One thing heard at the APT Summit is that a lot of APT attacks appear to be coming in through compromised business partners, says Schwartz. "These are 'beta attacks' that are tested out," he says. There's also a problem of compromised hardware and software, which suggests supply-chain breaches.
Companies are trying to expand their ability to fight a stealthy APT attack, to the extent that 65% of those attending the APT Summit indicated they now have at least one person tasked with APT as a specific security function, says Schwartz.
Training programs to educate users are moving from simple instruction to something more akin to "war gaming," says Schwartz, where the huge impact of an APT on a business is more vividly taught.