In his keynote speech at the RSA Conference 2015, Amit Yoran, RSA Security’s president, aired his opinion that information security needs to “escape the dark ages” – but is he right?
There’s no doubt that many of his comments will ring true with computer and network security professionals. Certainly, following the staggering number of security breaches in 2014, most of the sector is ready for a new approach to cyber security.
Current strategies are the result of an evolutionary process that keeps building on existing mindsets and technologies without ever reassessing the ever-changing threats posed in cyber warfare.
Yoran’s comparison with the past continued with his criticism of companies simply “building taller castle walls and digging deeper moats” which he said is “not solving the problem”.
Evolution instead of revolution
Now considered ‘The Year of the Breach’, 2014 saw an estimated four out of ten companies fall foul of a security attack and, with rising levels of sophisticated campaigns by digital terrorists, Yoran is urging the industry to pursue an ‘Age of Enlightenment’ of its own.
His vision for RSA’s development of robust cyber security is centred around five key points:
1) The sector must acknowledge that even the most advanced protection systems do not work. Security professionals must accept the reality: if someone wants to break into an IT environment then, with the right resources, dedication and creativity, they will do so.
2) The sector needs to improve visibility across its entire environment if it is to detect, identify and combat the threats to networks. Many organisations are seemingly blind to the risks of known techniques, and it is imperative to adopt a more pervasive approach to risk detection.
3) The sector needs to focus on attacks from web applications where credentials are stolen and used maliciously and fraudulently. Isolating this risk, and safeguarding users’ own actions, is an essential defence against breaches of security.
4) The sector needs to continue to adopt and develop external threat intelligence. Incorporated into a security programme, threat intelligence needs to be an automated process and adapted to each individual company’s own risk policy.
5) Companies must categorise the risks to enable resources to be deployed on only the important aspects of an organisation’s data security. Being selective with what you need to protect is an essential element of damage limitation.
Whilst Yoran doesn’t claim to have all the answers, it’s clear that the industry is starting to ask the right questions. Perhaps 2015 will be remembered as the beginning of a new era in cyber security.