
RSA

December 2009 Computer Fraud & Security 13

that this is acceptable in its current profile. Using the Risk IT Framework methodology to apply controls to the encountered event to provide for monitoring, reporting and continuous reassessment to assure the profile and vector of attack do not escalate and result in increased exposure(s), is an effective method of managing risk.

ISO 27001

A formalised approach to managing risk in the enterprise under the Risk IT Framework and its associated components also provisions support for ISO 27001 certification(s). For example, under Section A.12.6.1 relating to control of technical vulnerabilities, where the ISO 27001 standard seeks to assure that a process or mechanisms are in place in support of timely information gathering about technical vulnerabilities, a formal approach provides measurable and valuable reassurance.

“Managing risks such as cyber terror and hacktivism provides opportunities to calculate what levels of risk may be acceptable to the business, organisation or establishment, which leads on to establishing the overall appetite for such risks”

Furthermore, under ISO 27001, value may also be achieved under such a Risk IT Framework by taking a feed from a learning-based approach from other encountered security events. Again, as outlined under ISO 27001, at A.13.2.2, such an approach not only encompasses the key components for management of risk in a manner that will provide a knowledge-based, tangible and realistic response, but will again lead to the identification of any potential opportunities under Val IT, where costs may be realistically applied to providing pragmatic and robust security process, and protection mechanisms, whilst at the same time maximising in real time return on investment (ROI).

Conclusion

Cyber terror and hacktivism are two unknowns, which, dependent on the type of organisation or market sector, will have varying degrees of potential for adverse interest. However, one thing is for sure: if or when they are encountered, they could prove extremely difficult to react to and manage. It may be further concluded that only by having a formalised plan in place, such as delivered through a top-down implementation of the Risk IT Framework, may a controlled approach be applied at a time of crisis. One variation of the well-known quote sums this up well: ‘Prior Planning Prevents Phased, and Poor Performance’ (the 6 Ps).

RSA: what’s around the corner?

Dario Forte

Dario Forte, Moving towards the RSA Conference

After the recent RSA conference in London, RSA’s top management gave some indications of the company’s vision for the future, together with its strategies, both technological and financial. The objective is to become a billion dollar per-year company (which it originally planned to do by this year), while shifting from the ‘simple’ provision of technology and services to more advanced activities that will include high-level consulting. We interviewed two of the most representative RSA executives – Chris Young, vice-president of products, and Tom Heiser, worldwide operations – to get their view of things.

Art Coviello, CEO of RSA, stated that in 2015 there will be more than 15 billion devices communicating with each other on the network. This will be coupled with a directly proportional increase in the workforce, which inevitably means greater exposure to social networks and other potential danger zones.

Regarding infrastructure, however, virtualisation and cloud computing are gaining a greater presence in all enterprise architectures. This brings the need to establish ‘new’ principles of security, which have been laid out by RSA in seven points (source: www.rsa.com):

1. Security must be embedded into the IT infrastructure

The first principle acknowledges that security should not just be integrated into the infrastructure, it should be embedded within it. The direct outcome of this is an increase in partnerships between RSA and certain major vendors such as Cisco and VMware (the latter represents an internal synergy, since both companies are owned by EMC).

2. Develop ecosystems of solutions

Ecosystems must be formed to enable products and services from multiple organisations to work together to solve common security problems. RSA has invested in the RSA eFraudNetwork™ community, an ecosystem created in collaboration with thousands of financial institutions across the globe to spot fraud as it migrates between and among financial institutions on a worldwide scale.

“Virtualisation and cloud computing are gaining a greater presence in all enterprise architectures. This brings the need to establish ‘new’ principles of security”

3. Create seamless, transparent security

Making security largely transparent to users and systems it is designed to protect is critical in bridging the gap between the rate of technological advancement and people’s ability to keep up with it.

4. Ensure security controls are correlated and content-aware

The average user’s access to information is growing exponentially, along with the number of regulations and requirements that govern the protection of that information.

5. Security must be both outside-in and inside-out focused

RSA argues that security must include a two-pronged approach that protects both the perimeter (the outside-in) and the information itself (inside-out). Since users are accessing information from a variety of devices inside and outside the network, as well as in the cloud, security policy and controls must adhere to information as it moves throughout the information infrastructure.

6. Security has to be dynamic and risk-based

Since they are not bound by rules and regulations, criminals and fraudsters are free to deploy increasingly creative attacks. To battle this, organisations need to be positioned to dynamically correlate information from a number of sources and respond to real-time risks related to both infrastructure and information. RSA today announced that it is offering new consultative and advisory services to help enterprises implement or improve their security operations to better manage both risk and IT compliance programmes.

7. Effective security needs to be self-learning

The dynamic nature of IT infrastructures and the malicious attacks launched against them is outpacing the ability of humans to keep up with their speed and complexity. For this reason, information security strategy must be dynamic and behaviour-based. To help support this goal, RSA also announced that it is teaming up with Trend Micro to leverage real-time threat intelligence to further enhance capabilities of the existing RSA service to stop online attacks.

So what?

Actually, there does not seem to be much new in these ‘proclamations’. So we decided to ask a few targeted, somewhat ‘spicy’ questions, acting as spokespersons for the many enterprise customers who pay close attention (some sceptically) to what the vendors are up to.

Forte: What is new in these seven guiding principles and which are the most relevant?

Young: Looking at things generally, there does not appear to be anything new. However, this is not the case. Coviello has given a very clear indication of the main issue that companies will have to address: the increase in an interconnected workforce. In our view, it is therefore important to prepare for a trend of notably sophisticated attacks, not only regarding fraud (which is now daily fare) but also in terms of the loss of sensitive data as a result of deliberate or accidental actions. So we believe that great emphasis must be placed both on the preventative management of the issues and on the ‘wiring’ of solutions on the architectural level, in order to decrease risk and create low-impact security systems.

“Although we are very careful about financial factors, we believe that innovation is also a determining element in assessing potential targets”

Forte: What can you tell us about products; for example, event and log management products?

Young: This is a crucial period for this line of technology. I can’t tell you much right now, but I can say that in the not-too-distant future RSA’s SIEM technologies will be integratable with DLP solutions. We expect this will be a trend shared by other producers, but our competitive edge will be gained from getting there before they do.

Forte: So we are witnessing announcements of partnerships between RSA and third parties. There is one with First Data Corporation, the largest payment processing company in the world, where RSA and First Data recently announced a service designed to secure payment card data from merchants by eliminating the need for merchants to store credit card data within IT systems. But there is another one that has left market experts broadly puzzled: the one with Trend Micro. The issue is not the stature of the partner, obviously, but because in the past a similar partnership with Symantec, also in the same sector, did not bring the expected success. Aren’t you concerned that this collaboration might suffer the same fate?

Young: Not really. And there is one fundamental reason: the partnership with Trend is an information partnership to increase global fraud intelligence on suspicious crimeware including viruses, spyware, spam and other malware. There will be no direct commercial involvement.

Heiser: The partnership with First Data is certainly an example of what we intend to do in the future: to ensure security is encapsulated in the solutions and services, and to provide customers and merchants with transparent protection.

Forte: So you want to become a one billion dollar per-year company. What deadline have you set?

Heiser: At most, two to three years. We believe that, with the commitment we are making to honing our strategy and the results we are seeing with our customers, we can do it.

Forte: But how, exactly? Acquisitions? What route will you take?

Heiser: Partially acquisitions, clearly, and partly by exploiting new slices of the market.

Forte: But what method will you use? Yours is a technology company and, as we all know, many acquisitions are made for mere financial motives. By looking at factors that have little technological importance, such as EBITDA and so on. Do you not sense the risk of missing technological opportunities by looking solely at financial factors?

Heiser: I’m smiling because you’re right: there is often that risk. Fortunately, in RSA, although we are very careful about financial factors, we believe that innovation is also a determining element in assessing potential targets. Hence, our parameters regard both sides of the coin. It is, nevertheless, true that these are separate sectors: the financials are assessed to ensure there will be no negative impact on our current situation (and that our high-profitability standards will be maintained), while we look at the technical aspects to assess competitive advantage.

Forte: Art Coviello gave a very interesting interview about the relationship between security investments and the credit crunch. We are basically living the opposite era of post-September 11. Could you give us a brief about what kind of investment prioritisation companies should make?

Young: As I see it, it depends on the sectors in which the customer companies are working and, within each field, what the greatest points of exposure are. For this reason we feel that consulting services are necessary to identify risks and guide solutions.

Forte: But you are vendors: how can you expect the client to see you as a trusted advisor?

Heiser: I feel it is a question of reputation. Despite the fact that we are a vendor, RSA enjoys a consolidated stature among clients as a serious and reliable partner. In some cases, former RSA employees have become our clients and continued to turn to us for this reason.

Forte: How do you intend to achieve a sufficient level of market penetration?

Heiser: We believe that the role of the partners is indispensable in this case. We believe that having partners specialised in the territory is a winning complement to our strategies.

Forte: Competitors are engaging in dumping (we are witnessing this in all the fields you are involved in). You are being accused of lack of flexibility by several customers. What’s your response?

Young: The price factor is certainly important in a period of financial crisis such as the one we are going through. Personally, I feel that RSA is capable of meeting customer demands for flexibility, without having to resort to the dumping you mention. In any case, the quality of our products enforces our distance from dumping in the strict sense.

Heiser: Dumping is something we now see in many sectors. Personally, I see it as being associated with specific geographical locations, and not a general problem. I am also sensitive to what you tell us about the presumed lack of flexibility in our products and services, as claimed by sources you have mentioned. Our objective is to maintain maximum granularity in our products and services, without stooping to dangerous compromises. We believe that, in the long run, dumping represents a risk for those who practise it and for those who take advantage of it.

“Dumping is something we now see in many sectors. Personally, I see it as being associated with specific geographical locations, and not a general problem”

Conclusions

Is RSA ready to be a trusted advisor? From a strictly technological point of view, as a trend watcher the answer is certainly yes. The company’s visibility, especially regarding fraud and Trojan horses, is close to dominant. However, we feel that there is a difference between the role of product and service provider and that of an independent advisor.

What is missing is the ‘supra vendor’ factor, one which the company, being a key player, cannot guarantee since it is often directly involved in the dealings. We therefore do not feel they can present themselves as independent advisors without running the risk of a conflict of interest. What is interesting, instead, is the ambitious goal of one billion that RSA has set as a milestone in its strategy. We believe this may be achieved in accordance with the roadmap. Nevertheless, the strategy is not completely clear at the moment and we hope to have clarification in the near future. What certainly weighs in their favour are the synergies that all hope to see from EMC (and subsidiaries). We will have to wait and see to what extent the partners will be willing to subscribe to (and follow) the cause. One thing is clear: RSA is a company to watch.

About the author

Dario Forte, CFE, CISM, CGEIT, former police detective and founder of DFLabs, a firm specialising in Business Security. He has worked in the field since 1992. Forte has been involved in numerous international conferences on information warfare, including the RSA Conference, Digital Forensic Research Workshops, the Computer Security Institute, the US Department of Defense Cybercrime Conference and the US Department of Homeland Security (New York Electronic Crimes Task Force). Forte was also the keynote speaker at the Black Hat conference in Las Vegas. He provides security consulting, incident response and forensics services to several government agencies and private companies. www.dflabs.com