RSA's Amit Yoran says IT security has failed, answers lie in mindset approach and not technology


Amit Yoran, president of RSA, The Security Division of EMC, pretty much admitted that the usual approach to security had run its course. Instead of just looking for technology to solve the issue, Yoran challenged the industry to relinquish its legacy approaches to combating cyber attacks; approaches which Yoran said have failed but continue to give organizations a false sense of security.


He put up a slide with the obligatory Sun Tzu quote, which he then promptly dismissed as being out of touch with today’s reality. And he also spoke in a lighter vein about having invited director Seth Rogen, whose 2014 satire comedy The Interview saw allegedly furious North Korean hackers attack Sony, the parent company of the movie’s distributor Columbia Pictures. But in front of a record 30,000 plus attendees, in the largest RSA Conference to date, which underscores the importance of security in today’s Digital Era, Amit Yoran, president of RSA, The Security Division of EMC, pretty much admitted that the usual approach to security had run its course. Instead of just looking for technology to solve the issue, Yoran challenged the industry to relinquish its legacy approaches to combating cyber attacks; approaches which Yoran said have failed but continue to give organizations a false sense of security.


That came as no surprise, given the number of high-profile attacks on companies that are spending millions of dollars on security but are still getting compromised. Even as I write this my mailbox has an e-mail from Hyatt today asking me to change my password since Hyatt has found that some accounts were accessed by an unauthorised individual utilising member usernames and passwords. It affects each of us. And it has reached staggering proportions.

Yoran clearly agreed. “2014 was yet another reminder that we are losing this contest. The adversaries are out-manoeuvring the industry…and winning by every measure,” said Yoran in his opening keynote at the event. The RSA president, who is a West Point graduate, has worked for the US Department of Defense and has been with RSA since it acquired his start-up, Netwitness, in 2011, compared the industry’s current approach to a mindset stuck in the Dark Ages, whereby companies employ security strategies and solutions that no longer map to the business and threat environment we face. “To keep the barbarians away, we’re simply building taller castle walls and digging deeper moats. Taller walls won’t solve our problem.”

Yoran argued that the industry continued to seek a technology solution to what was fundamentally a problem of strategic approach; that an iterative approach to improving defensive strategy is incapable of beating threat actors who are able to evolve their tactics far faster than we can build new walls. But it wasn’t all sackcloth and ashes. RSA has to sell security technology and Yoran laid out some recommendations to address the security industry’s shortcomings and better combat advanced threats:

- Stop Believing that Even Advanced Protections Are Sufficient.


“No matter how high or smart the walls, focused adversaries will find ways over, under, around, and through.” Many of the advanced attacks last year did not even use malware as a primary tactic.

- Adopt a Deep and Pervasive Level of True Visibility Everywhere – from the Endpoint to the Cloud. “We need pervasive and true visibility into our enterprise environments. You simply can’t do security today without the visibility of both continuous full packet capture and endpoint compromise assessment visibility,” explained Yoran.


- Identity and authentication matter more than ever.

“In a world with no perimeter and with fewer security anchor points, identity and authentication matter more than ever. At some point in [any successful attack] campaign, the abuse of identity is a stepping stone the attackers use to impose their will.”

- External threat intelligence is a core capability. “There are incredible sources for the right threat intelligence [which] should be machine-readable and automated for increased speed and leverage. It should be operationalised into the security programmes at organisations and tailored to an organisation’s assets and interests so that analysts can quickly address the threats that pose the most risk.”


- Understand what matters most to your business and what is mission critical.

“You must understand what matters to your business and what is mission critical. You have to defend what’s important and defend it with everything you have.”

Yoran explained that was re-aligning to map itself to this new paradigm. “As an industry, we are on a journey that will continue to evolve in the years to come through the efforts of all of us here today.” He continued, “We have sailed off the map, my friends. Sitting here and awaiting instructions isn’t an option. And neither is what we’ve been doing – continuing to sail on with our existing maps even though the world has changed.”


Yoran concluded that many of the technologies exist to provide true visibility, proper threat intelligence and systems that help manage digital and business risk. “This is not a technology problem,” he said. “This is a mindset problem.”
