Coviello noted that up until recently, IT security has succeeded in making the internet safe enough to transform the world, but times are changing, and trust in the digital world is in jeopardy.

“New breeds of cybercriminals, hacktivists, and rogue nation states have become as adept at exploiting the vulnerabilities of our digital world as our customers have become at exploiting its value,” said Coviello. “With increased speed, agility and cunning, attackers are taking advantage of gaps in security resulting from the openness of today’s hyperconnected infrastructures and the industry’s slow response to recognize the potency of the emerging threat landscape.”

Coviello remarked that security systems must evolve from the current patchwork of controls serving up too much data and not enough intelligence to models that provide advanced monitoring capabilities, high-speed analytics and intelligent controls.

“Our mindset must shift away from playing defense and tracking meaningless individual events,” said Coviello.  “We need the capability to sift through massive amounts of information lightning fast, creating predictive and pre-emptive counter-intelligence to spot the faint signals that may be all that’s visible in a sophisticated, stealthy attack.”

In his keynote, Coviello observed that the security industry has been going through “hell” over the past year with the recent epidemic of attacks.  Referring to the attack on RSA in March of 2011, Coviello stated, “Never has our responsibility to you been as firmly etched in our minds. We have a sense of urgency as never before to take the lessons we learned first-hand, and the privileged insight we obtain from other attacks to use them to drive our strategy, our investments and product roadmaps. In the final analysis, we hope that the awareness from our attack will strengthen the sense of urgency and resolve of everyone.”

Coviello called for the industry to rally together to take the following actions:

·        Change how we think about security. The security industry must stop thinking linearly, “…blindly adding new controls on top of failed models. We need to recognize, once and for all, that perimeter-based defenses and signature-based technologies are past their freshness dates, and acknowledge that our networks will be penetrated. We should no longer be surprised by this,” Coviello said.

·        Transition to intelligence-driven security systems that are risk-based, agile, and contextual. Organizations must do a better job at evaluating risk from the inside out and the outside in – combining both broad and deep understanding of their material assets and internal environments with a wide range of external intelligence sources.  Security frameworks must be based upon agile, predictive analytics and continuous monitoring. Finally, organizations need to develop systems that provide real-time access to the entirety of relevant information via advanced, Big Data-based security systems driven by the power of multi-source intelligence in order to achieve a contextual understanding of threats.

·        Collaborate and Share information. The IT industry must do a better job of sharing its collective intelligence in real time “for the benefit of all,” Coviello said. This is already beginning to happen, as grassroots networks of likeminded communities are sharing security intelligence as never before.

·        Train a new generation of security analyst to combat the rising tide of Advanced Attacks.  The new breed of analyst must have analytical and intelligence skills, ‘big picture’ thinking, people skills, a focus on offense (not just defense), and the ability to react with speed and precision.

“We are in combat with a host of adversaries and it’s time for us to fight back with creativity and innovation,” Coviello concluded. “By doing so we can ensure that the balance of control of our digital world remains in the hands of security practitioners.”

If you want to protect your data, you need a plan. You need to understand what data needs protection, and implement policies to govern how sensitive data is handled, and put the right tools in place to monitor the data and protect it from being leaked or compromised.

You’ve got those bases covered, right? Well, whether you do or not, you should download the free Data Protection Toolkit from Sophos and check out what it has to offer. The ZIP file is filled with resources including videos, best practices checklists, sample data policies, and information to help educate users about data security threats.

It’s free. What have you got to lose?

Adobe issued a security advisory on March 14 warning users that a vulnerability had been discovered in Adobe Flash, as well as the authplay.dll function included in Adobe Reader and Adobe Acrobat. The flaw was being exploited in limited attacks which included a malicious Flash (SWF) file embedded within a Microsoft Excel (XLS) file attachment. Apparently, someone within RSA received that email attachment, opened the Excel file, and clicked on the Flash file–compromising his PC and giving the attackers complete access to the system.

Adobe released an update for Flash, Acrobat, and Reader (except for Reader X for Windows because the sandbox security already mitigates the threat) about a week after announcing the zero-day threat. I don’t know if RSA has implemented those updates yet, but hopefully it has.

The lesson here is that even if you are RSA–a company virtually synonymous with security, the namesake of the biggest security conference of the year, provider of two-factor authentication solutions relied on to protect systems and data around the globe–one well-timed social engineering attack, and a little human error is all it takes for an attacker to get inside and gain access to sensitive information.

The bonus lesson is that it is bad PR to call an attack “extremely sophisticated”, and then have to face the embarrassment when it is discovered that it was just an average, ordinary phishing attack–especially for a security company.

The information shared in the letter is concerning for customers, but what is even more concerning at this point is what is not being shared. RSA has been scarce on details–basically just saying that it is “confident” there is no immediate threat of an exploit resulting from the hack, and that it has “no evidence” that any other products are impacted. But, other than that, RSA just wants customers to not panic, and have faith that RSA has everything under control.

Art Coviello’s letter states, “As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”

The problem is deciding who gets to define “as appropriate”. Many customers feel it would be “appropriate” for RSA to be much more forthcoming with details about what information, specifically, was compromised by the hack so customers can better understand the threat and be armed with information necessary to determine the scope and impact of the potential threat, and take proactive steps to guard against any potential SecurID hacks.

Perhaps, RSA is unsure whether the attackers even really realize what they have, and they fear that divulging too many details could exacerbate the problem by pointing would-be attackers in the right direction. That seems like a reasonable possibility. But, for now RSA is just being vague about the details of the SecurID hack, and what RSA isn’t saying seems to be more revealing than what RSA is saying.