IT pros need to stop using old frameworks for addressing security and deal with today’s reality because the old view of security is no longer useful, attendees at the RSA Conference 2015 in San Francisco were told on Tuesday.
It is as if security pros are explorers who have reached the farthest reaches of their known world, said RSA President Amit Yoran during his keynote address.
“We have sailed off the map, my friends,” Yoran says. “Sitting here and awaiting instructions? Not an option. And neither is what we’ve been doing – continuing to sail on with our existing maps even though the world has changed.” He laid out a five-point plan for security executives to start addressing the right problems.
First, accept there is no security that is 100% effective. “Let’s stop believing that even advanced protections work,” he says. “They do, but surely they fail too.”
Second, security architectures need pervasive visibility of endpoints, the network and the cloud. “You simply can’t do security today without the visibility of both continuous full packet capture and endpoint compromise assessment,” he says. “These aren’t nice to haves, they are fundamental core requirements of any modern security program.”
One of the problems of current security is that once an intrusion is detected, it is dealt with as quickly as possible, but without considering whether it is part of a larger attack scheme. “Without fully understanding the attack, you’re not only failing to get the adversary out of your networks, you’re teaching them which attacks you are aware of and which ones they need to use to bypass your monitoring efforts,” he says.
Third, pay more attention to authentication and identity because they are used as elements in many attacks and as stepping stones to more critical assets. “The creation of sysadmin or machine accounts or the abuse of over-privileged and dormant accounts facilitates lateral movement and access to targeted systems and information,” he says.
Fourth, make use of threat intelligence from commercial vendors and from Information Technology Information Sharing and Analysis Centers (ISAC). The feeds should be machine-readable so responses can be automated to improve response times when threats are confirmed. At the same time, businesses should stop using email as the platform for communicating response plans among those working on the plans. “In fact, we’ve seen adversaries compromise mail servers specifically to monitor sysadmin and network defender communications,” he says.
Fifth, inventory the organization’s assets and rank them in order to set priorities on where security dollars will be spent. “You have to focus on the important accounts, roles, data, systems, apps, devices – and defend what’s important and defend it with everything you have,” he says.
Probably not coincidentally, RSA announced at the conference a blending of authentication, identity governance and identity and access management (IAM) into a single platform called RSA Via. It is designed to centralize identity intelligence and give it awareness of the current environment so defense isn’t based on pre-set, static rules. The first offering in the RSA Via family is Via Access, a software-as-a-service offering that enables the use of multiple authentication methods that may already be in place on an organization’s mobile devices.
Also, RSA Security Analytics, which provides context on what malicious activity may be at play on the network by giving visibility from endpoints, across the network and into the cloud resources that may be part of the overall enterprise, has new features. It gives a view of attacks against mobile and customer-facing Web applications.