Welcome to the Club
A few months ago I had a conversation with a security professional working in a major US defense contractor. It was right after the attack on RSA. “Welcome to the club”, he said, “we’ve been hit by these APTs for years”.
So OK, you think you know security. Riddle me this one… What do Jennifer Lopez and computer hackers who’ve attacked America’s defense establishment have in common? If you answered both are featured in this September’s issue of Vanity Fair magazine, you’d be right, and a true member of the all-knowing security club.
The debate in Washington, DC over what the role of government should be to help improve our nation’s cyber security posture is in full swing as the U.S. Congress considers a range of policy approaches. Because cyber has emerged as a significant national and economic security problem, proposals range from handing the U.S. Department of Homeland Security new authority to regulate critical infrastructure to tasking the U.S. Securities and Exchange Commission to clarify corporate disclosure requirements for cyber security breaches.
In January 2010, at the turn of the decade, I wrote the following lines in my blog: “It will be an interesting decade from a cybercrime perspective. Employees are one of the weakest links in corporate security… The current defenses cannot suffice, and the industry must think of a new defense doctrine.” A lot of folks in the security space raised an eyebrow.
Building the right strategies and principles into any security program and, frankly, gaining awareness and building relationships at all levels and with all functions in a company or organization is critical to success. While confronting APTs will require giving up the idea that it is possible to protect everything, security teams will have to focus on protecting the organization’s most critical information and systems. Or, even more strongly stated: they will get in; the goal is to detect them early and minimize the damage.
APT has been a buzzword among security professionals for the past few years, but it now has legitimate attention at all levels of the organization. Why? Because executive leadership knows that the buzzword has now become a clear and present danger, even among private sector organizations.
On the flight home from this year’s Gartner Security & Risk Management Summit, I reflected on some of the highlights of the trip. I look forward to this show every year due to the high level of customer engagement and great conversations. In looking for overall themes from the event I noticed, not surprisingly, a lot of emphasis around advanced persistent threats.
The question of “why” EMC has acquired NetWitness will no doubt come up (beyond the fact that they are the obvious market leader with awesome technology), and how do they fit? Over the next few months that will become increasingly clear and in fact obvious if it isn’t already, but I thought I’d start with a simple analogy that I will connect first with RSA enVision (i.e. with Security Information and Event Management or “SIEM”) and then with RSA Archer (i.e. with Governance, Risk and Compliance or “GRC”).
I was on a tour in Asia Pacific when I first heard the news about the attack. The investigation into this attack continues but I’m eager to share some information with you about it. Let’s first make sure everyone is on the same page. The number of enterprises hit by APTs grows by the month, and the range of APT targets includes just about every industry. Unofficial tallies number dozens of mega corporations attacked; examples are in the press regularly.
This week’s Speaking of Security podcast reviews the key announcements from RSA at the recent RSA Conference.