Sam Curry

Sam Curry is Chief Technology Officer, Identity and Data Protection business unit and Chief Technologist for RSA, The Security Division of EMC. Mr. Curry has more than 18 years of experience in security product management and development, marketing, engineering, quality assurance, customer support and sales. Mr. Curry has also been a cryptographer and researcher and is a regular contributor to a number of journals and periodicals. Prior to his current role, Mr. Curry was CTO, Marketing and Vice President of Product Management, where he led the strategic direction for all RSA solutions. Prior to joining RSA, Mr. Curry was Vice President of Product Management and Marketing for a broad information security management portfolio at CA. Previously, Mr. Curry was also Chief Security Architect and led Product Marketing and Product Management at McAfee. Earlier, Mr. Curry was a founder of one and a first employee in another successful technology company. Mr. Curry is a frequent speaker at industry events and has been quoted in Forbes, Bloomberg, CNET, Technology Review, PC World and Computerworld. He has also appeared on Tech TV, CNN and MSNBC. Mr. Curry holds degrees in English and Physics from the University of Massachusetts and from Mount Allison University.

All Systems…Go

It’s this last point that I’d like to dive into. Our analysis of the data does not point to a flaw in the RSA algorithm itself but instead points to an important problem in cryptosystem implementations as a whole. In particular, good cryptography (including RSA’s) depends on proper implementation. The importance of proper implementation is critical and cannot be overstated. Let me draw a simple analogy here.

Smart Security: The Evolution of Higher Security Forms

Last August, I wrote about needing a different answer to the traditional security problem because the changing landscape over time was making conventional protocols, applications and skills obsolete. I wrote there about time and intelligence: these are the essential assets in any autonomic security system. Why? To really boil it down to its basics, it’s a race. In a race, you care about being first, not second. Intel helps you run the race better, and time is the only currency that matters. It’s a race to the data, and you want to win. So it’s all about time and intelligence.

The Next Turn of the Wheel: Trust in a Digital World

It seems that 2011 was a year that tried our industry. All things cyber grabbed headlines, and the very nature of trust in a digital world was brought into question. This might have to do with my personal perspective, but it came to a head with our own breach in March here at RSA. There were others in the world of security that were hit, and I am sure that from their epicenters it was as nauseating to watch the ripples move out through the internet.

Subtlety and Terrain in IT Security

With the increase in effectiveness of attackers and the corresponding decrease in more traditional defense techniques, IT and Security staff are looking for “game changing” components to bring the battlefield back into their control or at least make it more favorable. What Sun Tzu might have referred to as choosing your terrain and, when that doesn’t work, cheating!

Fraud: Close to Home

Two weeks ago, as my fiancée Kathleen got ready for bed and I took the dogs for a walk, she got a phone call. It was late, after midnight. The voice on the other end was an automated voice claiming to be “Patriot’s Bank” (I am changing the name of the bank to something simple and New England-like since I don’t want to name her bank without their permission). The return number was a 214 area code (odd), and the voice claimed that they were checking on suspected fraud on her account.

Circle of Life: why governance follows crime which follows money which follows people

Clearswift put out a little piece of news here on blocking of Facebook and Twitter at work, and it got me thinking… There’s probably a theorem or a theory buried in here somewhere… call it the “Circle of Life” or something. Basically, solutions that work, especially in the absence of anything else, tend to become not just permanent but preferred and part of the background.

A Changing Landscape Demands a Different Answer

Building the right strategies and principles into any security program and, frankly, gaining awareness and building relationships at all levels and with all functions in a company or organization is critical to success. While confronting APTs will require giving up the idea that it is possible to protect everything, security teams will have to focus on protecting the organization’s most critical information and systems. Or, even more strongly stated: they will get in; the goal is to detect them early and minimize the damage.

Compliance is not Security

To my amazement, I still get asked “if I do everything I am asked to do for compliance, am I secure?” To be fair, this question often comes from non-security people.

Top-to-Bottom, Side-to-side

I’ll start with the bottom line: for eGRC to work it has to be true at all human and system levels of abstraction in an organization, and it must have common elements across all functions in a company. With the release of the most recent study by the Ponemon Institute (with EMC), there are some clear pointers to the need for more strategic and, frankly, systemic mechanisms for managing enterprise governance, risk and compliance. Let’s cover a few ideas before coming back to those.

Logistics and Security: Hospitality and Airlines in the Security Ecosystem

Hospitality and transportation have amazing access to PII (Personally Identifiable Information) for wealthy individuals or at least people with sufficient savings to travel and also to lucrative, high-limit pockets of corporate cash. Given that most people who travel are by definition anomalous spenders (e.g. you spend $300 on a night in San Francisco and then $500 in Tokyo the next day), anomaly detection is typically not as effective as it could be and requires tuning and adjustment to a subset of the population rather than normalizing with the largely more sedentary population.