After an action-packed week at RSA, we’re happy to say this year’s show didn’t disappoint, as it encouraged the information security community to “challenge today’s security thinking.” We saw consistent themes across many presentation topics, as well as vendors’ messaging, including one of the biggest issues seen in the recently released Verizon DBIR: people are the problem.
Below are a few quick-read recaps of some of the sessions we had the opportunity to attend, and the key takeaways the presenters wanted us to bring home:
Can Cyber Insurance be Linked to Assurance?Larry Clinton, President & Chief Executive Officer, Internet Security Alliance Dan Reddy, Adjunct Faculty, Quinsigamond Community College
In this presentation, Clinton and Reddy argue that preparation against cyber attacks goes beyond the technology used to protect our systems and networks. Looking at the Sony and Target breach, the stock value of both companies is now higher than before they were breached, meaning the economics of security are out of balance, said Clinton.
The issue lies in making security both profitable and affordable. Clinton and Reddy outlined several scenarios for how organizations could manage risk when planning for incidents, such as the government acting as the insurer of last resort (much like in other catastrophic events), and giving organizations a FICO-like cyber score (based on certifications or an assessment).
The latter included using ISO standards, the NIST framework and the Top 20 Critical Security Controls as reference models to lower an organization’s premium, which begged the questions: If that was the baseline, what could be done as an incentive for companies? Will more cyber insurance generate more prevention activities? And can it encourage more voluntary investments
“Do the things that are most cost-effective,” concluded Clinton.
How to Build an Insider Threat Program in One Year
Dawn Cappelli, Insider Risk Management, Rockwell Automation
According to a recent survey, half of employees who left or lost jobs in the last 12 months admitted to keeping confidential corporate data – 40 percent of them planned to use this information at their new job. “I guarantee that there are contractors and employees that walk away with your information,” said Cappelli. When the audience was asked if they had a formal insider threat program, only a few raised their hands. Cappelli went on to discuss why every organization needs to have one in place. Cappelli explained one of the most evident giveaways of a malicious employee is often their concerning behavior – they may be disrupting or perform badly.
In order to begin building a former insider threat program, she gave several best practices:
- Create a virtual team with leadership from HR, Legal and IT on board.
- Build the foundation with HR and Legal, outlining what the most important thing to protect is. What are the company’s crown jewels?
- Develop a technology roadmap with it. The most matured program would include insider threat analytics.
- Implement continuous risk management.
- Establish a formal process for incidents. What do you do when an employee was found to copy thousands of files onto a USB?
- Implement the program globally.
- Participate in the insider threat community, including people from all industries.
Fail Safe the Human Psyche to Advance Security & Privacy
Theresa Payton, CEO Fortalice Solutions
In this presentation, Payton argues we have to rethink how we deliver security. Most security awareness programs are boring, where we require employees to sit through outdated videos and answer a few multiple-choice questions. Although we’ve now spent $1 trillion on protective cyber security, breaches are still happening. Why? Because we fail to design for the human psyche, said Payton. Ninety-five percent or more of past breaches were a result of human error, and 78 percent start with tricking the user.
Payton encourages us to design security programs knowing that our employees will do everything wrong, and ask ourselves: Does our design have high empathy for the user? Security programs should “own the hearts and minds” of people – they can’t memorize all of the policies that we require them to adhere to, but an engaging program will make it effortless for them to want to contribute. Furthermore, target your awareness program, and make reporting easy, as well as rewarding.
See the presentation slides here (PDF).
Advanced Strategies for Defending Against a New Breed of Attacks
Martin Roesch, VP and Chief Architect, Cisco Security Business Group
Roesch’s keynote presentation outlined various innovative approaches for the way the security industry can address today’s rapidly evolving threats. With the proliferation of zero-day and targeted attacks, Roesch highlighted that hackers simply don’t go away anymore – these adversaries are paid and motivated to do this malicious work. Yet, less than half of security practitioners leverage critical security controls, such as patching and configuration management.
“If you knew you were going to be comprised, would you do anything differently?” asked Roesch.
As of now, the way our community addresses security is by investing in different technology and trying to make these tools interoperate. Evidently, it’s diffcult for security teams to synthesize reports, and turn this data into security awareness when they are working with 30-60 different security vendors. So, what if we could do better?
Roesch highlighted the need for integrated threat defense architecture. With our tools working together and leveraging one another, we would be able to generate a visibility platform that could let us know what we are most vulnerable to and what we should allocate fewer resources to. Furthermore, we should leverage external intelligence to better understand events that occurred.
Lastly, Roesch stressed that the business value of our network is increasing up until the moment it is breached. When we suffer a breach, our business value can be lost very rapidly and even become negative. He asked the audience: What if we could pre can responses? What if we could failsafe? The idea is to minimize the damage of our business value by having a known safe state than we can rebuild quickly from, an approach that is successfully used by the military and space.
Although some of his ideas may seem radical to some, he urged the infosec community to at least start these discussions. The reality is that we need to do better, said Roesch.
“It’s not an option. It’s a requirement. Now is the time.”