RSA Conference Europe 2012 Keynotes; day one part two

Keynote 3 – Francis deSouza – Group president, Symantec – The art of cyber war, know thy enemy, know thyself

For many years IT was standardising on systems from the client to the server room. Now we have BYOD, cloud and so on. IT is becoming more diverse, with many more devices and with data stored across multiple locations and hosting environments.

What does this mean for IT security?  What model do we need?

Historically IT security has been defence-only and point-solution / issue based: you get viruses, so you install AV, and so on.

We need to look more holistically at how we defend against multi-flanked attacks and advanced persistent threats. Also consider how we can use the attack against the attacker, or to catch the attacker (think Aikido).

What do we mean by multi-flanked? Attacks now increasingly consist of multiple, seemingly independent attacks, many of which are just diversions so that we miss the real one. When we are busy or focused on a specific task we often miss obvious things. Look up 'how many times did the white team pass the ball' for an example of this!

Phishing attacks are also getting much more advanced and sophisticated; they are now one of the primary ways attackers gain a foothold.

An example of this was a recent attack on a bank in which a phishing email was used to gain initial access. The gang then launched a DDoS attack against the bank and, while the bank was rushing around trying to keep its site up and stop the DDoS succeeding, used the malware installed via the phishing email to steal bank and ATM card details. They then passed these to their monetising team, who created ATM cards and distributed them to hired people who all went to ATMs and withdrew cash. This attack walked away with $9M in a couple of hours.

The attackers also take care to use the cards in ways that look legitimate, and at times when the legitimate card holders are less likely to spot the use quickly.
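The bank attack above is a good illustration of why the alert queue must not be ordered by volume: a DDoS generates thousands of alerts, while the foothold and the exfiltration on one internal workstation generate two. The following is an added example (not code from the keynote or the original post) showing the difference between volume-based and campaign-based triage. The alert format, host names, IP addresses and severities are constructed for illustration only.

```python
"""Triaging a multi-flanked campaign.

Added example, not code from the keynote or the original post. The alert
format, host names, IP addresses and severities are constructed for
illustration. The point it shows: if the alert queue is ordered by volume,
a DDoS flood pushes the two quiet events that are the real attack (a macro
spawning a shell on a finance workstation, then a large outbound transfer
from the same host) to the bottom of the list.
"""
from collections import defaultdict

# Constructed alert lines: eight SYN-flood alerts against the public web site
# (the diversion) interleaved with two events on an internal workstation.
SAMPLE_ALERTS = """\
2012-10-09T10:01:02 sev=2 type=syn_flood src=203.0.113.5 dst=www
2012-10-09T10:01:02 sev=2 type=syn_flood src=203.0.113.6 dst=www
2012-10-09T10:01:03 sev=2 type=syn_flood src=203.0.113.7 dst=www
2012-10-09T10:01:03 sev=2 type=syn_flood src=203.0.113.8 dst=www
2012-10-09T10:01:04 sev=2 type=syn_flood src=203.0.113.9 dst=www
2012-10-09T10:01:10 sev=4 type=macro_spawned_process host=ws-finance-12 parent=WINWORD.EXE child=cmd.exe
2012-10-09T10:01:11 sev=2 type=syn_flood src=203.0.113.10 dst=www
2012-10-09T10:01:12 sev=2 type=syn_flood src=203.0.113.11 dst=www
2012-10-09T10:03:15 sev=5 type=new_outbound_tls host=ws-finance-12 dst=198.51.100.77 bytes=48000000
2012-10-09T10:03:16 sev=2 type=syn_flood src=203.0.113.12 dst=www
"""

# Alert types whose count reflects the attacker's bot count, not their importance.
FLOOD_TYPES = ("syn_flood",)


def parse_alert(line):
    """Parse one 'timestamp key=value ...' line into a dict with an int 'sev'."""
    ts, *fields = line.split()
    alert = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        alert[key] = value
    alert["sev"] = int(alert["sev"])
    return alert


def parse_alerts(text):
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def triage_by_volume(alerts):
    """Naive queue: alert types ordered by how often they fired.
    The flood wins and the workstation events come last."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["type"]] += 1
    return sorted(counts, key=lambda t: -counts[t])


def triage_by_campaign(alerts):
    """Holistic queue: each flood collapses to one campaign item however many
    sources hit us; everything else is grouped by affected host so the
    foothold and the exfiltration from the same box appear together. Items
    are ranked by highest severity, rare beating noisy on ties."""
    campaigns = {}
    for alert in alerts:
        key = alert["type"] if alert["type"] in FLOOD_TYPES else alert.get("host", alert["type"])
        item = campaigns.setdefault(key, {"key": key, "sev": 0, "events": []})
        item["sev"] = max(item["sev"], alert["sev"])
        item["events"].append(alert)
    ranked = sorted(campaigns.values(), key=lambda c: (-c["sev"], len(c["events"])))
    return [(c["key"], c["sev"], len(c["events"])) for c in ranked]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("by volume:  ", triage_by_volume(alerts))
    print("by campaign:", triage_by_campaign(alerts))
```

With the constructed input the volume-ordered queue puts the flood first and the two workstation events last; the campaign-ordered queue puts ws-finance-12 (severity 5, two events) above the flood (severity 2, eight events), which is the order an analyst needs when the flood is the diversion.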

How do these gangs assemble such massive amounts of compute capacity yet remain invisible to law enforcement organisations such as Interpol and the FBI? Sophisticated organisations sell 'bulletproof' hosting: hosted in one country, managed in another, sold in yet another, and so on. This is a real market in which actual marketing is used, with strong competition and price pressure; it is a lot cheaper than you think!

There is also the 'democratisation' of cyber warfare tools (this follows neatly from the previous talk): increasingly complex and advanced tools are available more and more readily.

On the other side of this is the huge increase in what we are trying to protect: we have more and more complex systems and ever-growing data volumes. The volume of data stored is likely to increase by 40 times from today's levels by 2020!

What does this mean for the security industry?

We need to improve our intelligence;

–          What do the attackers want?

–          What are our key information assets?

–          Out of all of our data, which is critical and which is 'garbage'?

–          What is happening in your organisation?

–          How are the criminals working and what attacks are they using?

–          Look holistically – what is the campaign they are using, and what are the weaknesses of their campaign?

–          Who are the actors in the campaign?

Our intelligence and security need to be more agile: we need to improve our understanding of what is happening, including the unknowns and the unexpected things we discover. Is our security agile enough to change to deal with these new and unexpected things?

Brief comment on having powerful defences and AV (well, this is Symantec..). Good point on reputation-based computing: if we have never seen this file before, should we trust it?


Keynote 4 – Adrienne Hall – General Manager, trustworthy computing, Microsoft – Risks and Rewards in cloud adoption

Microsoft Security Intelligence Report release 13 is available for download as of today, and can be found here;

A great overview of the report can be found here;

Microsoft has also released some very helpful open source security tools;

–          Attack Surface Analyzer

–          Anti-Cross Site Scripting (AntiXSS) Library

Microsoft recently commissioned a cloud computing survey looking at the current barriers to, and benefits of, cloud adoption. It was carried out by an independent survey company, so it is vendor neutral. The full results can be found here;

Unsurprisingly, perceived security risk is still the top barrier. However, of those who have adopted the cloud, 54% stated that their security has improved, and 47% managed to make cost savings on their overall security spend. Perception and reality currently do not appear to align. How do we address these barriers?

Improve transparency;

–          Collaborate to share information and guidance e.g. Cloud Security Alliance (CSA)

–          Drive and support industry standards

–          Commit to transparency in cloud offerings

Microsoft has just released a cloud security readiness tool that can be found here;

This is a survey tool that allows you to assess both the security of your current environment and your readiness for cloud adoption / migration. It is free and will help you plan a cloud migration regardless of the technologies or cloud providers you intend to use. To ensure vendor neutrality it links to, and is based on, the CSA Cloud Controls Matrix.

The output of the survey is a report tailored to your organisation, taking into account the controls relevant to your industry and region.

Talk summary – Stay informed; Embrace standards, best practices and transparency; Weigh the risks and rewards.

Overall this talk was lighter than the others and fairly Microsoft-focused, but it had some good points and highlighted some useful tools.

Note, at the time of writing the 'aka.' links are giving 404 errors; I have emailed Microsoft and asked for this to be resolved.


Keynote 5 – Herbert Thompson – Program committee chairman, RSA conference – Securing the human: our industry's greatest challenge

In security we set up situations in which people are bound to fail, especially if they are not security savvy or paranoid.

–          Links in emails – how do we know which are real and which are malicious?

–          What do we do about site certificate errors?

–          What do we do when a site wants us to download a file?
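The first of those questions is a fair one to put back to ourselves: the cues that separate a real link from a malicious one (the visible text naming one site while the href goes to another, a Punycode host that renders as a look-alike, a link that delivers an executable) are exactly the ones a non-savvy user cannot be expected to check by eye, and exactly the ones a mail gateway or mail client can check for them. The following is an added example of those checks (not code from the keynote or the original post); the email body, domain names and IP address in it are constructed for illustration, and the "registrable domain" helper is a deliberate simplification.

```python
"""Checks on the links in an HTML email that a non-savvy user cannot be
expected to make by eye.

Added example, not code from the keynote or the original post. The email
body, domain names and IP address are constructed for illustration, and the
'registrable domain' helper is a deliberate simplification (last two labels).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML email body: a genuine link, a link whose visible text is a
# URL for a different site, a Punycode host, and a direct executable download.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://www.example-bank.com/login">log in</a>.</p>
<p>Or use <a href="http://203.0.113.9/acct/">https://www.example-bank.com/account</a></p>
<p>Secure site: <a href="https://xn--exmple-bank-ewb.com/">example-bank.com</a></p>
<p>Your <a href="https://cdn.example-bank.com/statement.pdf.exe">statement</a> is attached.</p>
"""

DOWNLOAD_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".zip", ".jar")
# Visible text that reads as a URL or bare host name, e.g. 'https://x.com/y' or 'x.com'.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split(value):
    """urlsplit that also accepts bare 'host/path' text without a scheme."""
    return urlsplit(value if "://" in value else "http://" + value)


def _site(host):
    # Naive registrable domain: last two labels. Fine for example-bank.com,
    # wrong for co.uk-style suffixes; use the Public Suffix List in production.
    return ".".join(host.lower().split(".")[-2:])


def check_links(html):
    """Return [(href, finding)] for every anchor a user should not be asked to judge."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = _split(href)
        href_host = (parts.hostname or "").lower()
        # 1. Visible text names one site but the link goes to another.
        if URL_LIKE.match(text):
            text_site = _site(_split(text).hostname or "")
            if text_site != _site(href_host):
                findings.append((href, "text names %s but link goes to %s" % (text_site, href_host)))
        # 2. Punycode labels can render as look-alike Unicode host names.
        if any(label.startswith("xn--") for label in href_host.split(".")):
            findings.append((href, "punycode (IDN) host"))
        # 3. The link delivers an executable or archive rather than a page.
        if parts.path.lower().endswith(DOWNLOAD_SUFFIXES):
            findings.append((href, "direct download of " + parts.path.rsplit("/", 1)[-1]))
    return findings


if __name__ == "__main__":
    for href, finding in check_links(SAMPLE_EMAIL):
        print(finding, "->", href)
```

On the constructed message the genuine login link produces no finding, while the other three links produce four: a text/href site mismatch for the IP-address link, a mismatch plus a Punycode warning for the look-alike host, and a download warning for the double-extension file. None of these decisions need the user's judgement, which is the point of the talk.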

Security currently treats everyone the same regardless of knowledge or talent. One size does not fit all. Think of car insurance: you have to answer many questions, and the outcome is a quote tailored to your risk profile.

We need to be the people who help the business understand the risk, enabling them to make decisions and embrace change with a full understanding of the risks of doing so.

A very light talk, but a great point about understanding and managing risk appropriately.