IT security industry going through 'hell'


Johannesburg, 29 Feb 2012

The IT security industry is going through “hell” and it cannot guarantee risk-free systems in the digital world.

This was the chilling message from Arthur Coviello, executive VP of EMC and executive chairman of RSA, the security division of EMC, in a keynote address opening the RSA 2012 Conference, in San Francisco. More than 18 000 delegates are attending the event.

In an attempt to restore confidence in the organisation that suffered a massive security breach in March last year, Coviello said RSA is not the only company that was hit during last year's hacking spree.

“We are not alone; an attack on one of us should be viewed as an attack on all of us,” he said. “If you are going through hell, keep going,” he added, quoting former British prime minister Winston Churchill.

The RSA cyber attack last year left the company's SecurID tags vulnerable, which exposed 760 companies, including big names like Google, Facebook and Microsoft.

However, Coviello noted that, since the breach, the company has been trying to rebuild trust in the industry. “We hope that the attacks on us will strengthen our resolve to fight on.”

Painting another gloomy picture, Coviello pointed out that the security industry cannot stop any individual from being attacked, but can only minimise the window of risk. “We are in a race with our adversaries and right now they are winning.”

He made reference to last year's Verizon Data Breach Investigation Report, which noted an increase in highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, device-tampering schemes, as well as cunning social engineering plots.

“Our industry is being challenged more than ever before and we are facing some harsh realities that we are at risk of failing. You can't always get what you want; until now, we have always been getting what we wanted.”

According to Coviello, trust in the digital world is in jeopardy, as attackers, who have become more organised, are taking advantage of gaps that exist within the security industry.

Highlighting some factors that have exacerbated the situation, Coviello pointed to mobility, saying that, due to the proliferation of mobile devices, tech-savvy consumers are, for the first time, accessing information faster than governments or corporates.

“There are about 5.9 billion subscribers of cellphones worldwide and landlines are becoming primitive. At least 500 million people in China spend about 2.5 hours a day online using mobile devices.”

He explained that attackers are taking advantage of the situation to breach security, as organisations cannot cope. Mobile devices have also led employees to bypass IT to carry out their business.

“We don't know where these trends are going, but IT organisations must learn to control what they can't directly control.”

In the face of all the gloom, Coviello challenged the security industry to fight back with creativity and innovation. “We must understand that our networks will be breached and we want to move with the same speed as our adversaries.”

He pointed out that the industry needs predictive counter-intelligence to combat the attacks. He suggested that multi-source intelligence-driven security has the ability to repel attacks.

This new approach will be built on three pillars, namely risk-based security, agility, as well as contextual capabilities, he pointed out.

“Existing approaches lack intelligent-based controls - they are just a patchwork of controls. We need to identify anomalies in real-time to eliminate the blind spots.”

Coviello also noted that adopting the big data approach could be useful in shrinking the window of vulnerability. “The age of big data has arrived and organisations should adopt the big data model through the gathering of security-relevant data. This data must be correlated,” he stressed.

Further, he said, IT should develop military- and intelligence-style skills rather than employing purely technical staff to handle today's threats.

“We're not going to take it anymore,” he concluded.