Managing advanced persistent threats will be a priority throughout 2013, says RSA's chief information security officer, Eddie Schwartz.
But how organizations approach APTs will be critical, and understanding they're really only as secure as the other organizations connected to them is key. "The basic premise is that no organization is an island," Schwartz says in an interview with Information Security Media Group [transcript below]. "If you're just sitting there looking at your own log files or other limited amounts of data, you're going to fail in this space."
That's why Schwartz says the fight against APTs requires a big data approach. "How can I collect as much information as possible internally about the behavior of my network, its users, all of the devices that are connected to it, and organize that data properly?" he asks.
The answer is big data, Schwartz says.
Another approach to dealing with advanced adversaries is through what Schwartz calls intelligence-driven security, a tactic that uses available information with internal data to create a unique view of the actors behind APTs.
"There's a wealth of information [out there]," Schwartz says. "You've got to get it and you've got to have resources in your organization dedicated to doing intelligence-driven security."
To that end, the Security for Business Innovation Council, a group of 19 global chief security and risk officers brought together by RSA, has compiled a list of security best practices to help address emerging APTs.
During this interview, which covers the SBIC's findings as well as RSA's priorities for 2013, Schwartz discusses:
- Areas RSA is focusing on internally to improve security in 2013;
- Why intelligence-driven security around big data will be key in the coming year;
- How fraud and cloud vendor management will impact the jobs of CISOs at companies large and small.
Schwartz has 25 years experience in the information-security field. Before RSA, he served as chief security officer of NetWitness, later acquired by EMC. Before NetWitness, Schwartz was the chief technology officer of ManTech; was executive vice president and general manager of Global Integrity, later acquired by INS; served as senior vice president of operations of Guardent, later acquired by VeriSign; was the CISO of Nationwide Insurance; was a senior computer scientist at CSC; and served as a Foreign Service Officer with the U.S. Dept. of State. Schwartz also has advised a number of early-stage security companies, and served on the executive committee of BITS, the technology division of the Financial Services Roundtable.
RSA's Focus in 2013
TRACY KITTEN: As chief information security officer, what are you focusing on for RSA in 2013?
EDDIE SCHWARTZ: At RSA for 2013, we're focused on a lot of different areas. First of all, we're looking closely at our internal security and what we need to do to be prepared for a lot of the trends and issues that we're going to talk about today, whether it's advanced threat management or looking, for example, at what are the regulatory compliance risks that our customers are facing and how can we help them.
A big area for us is focusing on how we can provide big data analytics and intelligence-driven security to really solve problems for our customers. My team has been involved in this for well over two years. Now, we're focused on how we take this out to the market. How do we evangelize it? How do we show what we're doing internally in security at both EMC and RSA?
Top Challenges for CISOs
KITTEN: What would you say are the top challenges that CISOs across all business sectors will need to address in 2013?
SCHWARTZ: That's a great question. There are three primary areas that we can drill down to as we go. The first area is the threat landscape. It continues to evolve. It continues to become more intense, whether it's nation-state actors of new and different types, organized criminal groups, the continued presence of Anonymous and associated groups, or even insider threats. That's one area.
A second area, which is definitely covered in the report we're going to talk about, are technology trends, from social media to cloud and so on. These are big areas that are important to the business and the success of the business, and obviously they raise challenges for security officers.
Then, finally, it really is these large security gaps that are out there and the ability of the business to react with agility or IT to put in the right technology to have the right skills and processes in place. All of these things are going to be challenges going forward as we look into 2013.
KITTEN: Are there any areas that stand out above the rest?
SCHWARTZ: The biggest challenge really is wrapping up everything that I just said and solving the problem of transformation, because many organizations, for example, have invested in legacy, signature-based and perimeter-based approaches, or have certain skill sets on their security teams, or are moving from traditional legacy, banking applications or data center applications, and moving to cloud and mobility. It's making that transformation and realizing, "Wow, there are a greater number of adversaries out there. There are new delivery mechanisms for dealing with our customers and we're going to have to change a lot of different things," and that transformation is not easy. Change can be painful and expensive, and security is going to have to move quickly and with agility to make that happen. Definitely, a lot of conversation with peers and a lot of conversation with trusted business partners is going to be really, really important.
Security for Business Innovation Council
KITTEN: What is the SBIC?
SCHWARTZ: The SBIC, or Security for Business Innovation Council, is a group of roughly 19 chief security officers or chief risk officers from Global organizations across different market sectors - manufacturing, energy, financial services, government, telecom - all of which have gotten together as leaders in their respective areas and have said, "How can we get together as a group periodically, think of what some grand challenge or grander issue is that we're all facing in information security?"
We at RSA are the sponsor of this forum. Then we put out a report that says how we all feel about certain risks, some examples of what we're doing to address them, what we're thinking about, what's needed, what's the way forward, and recommendations. Recent reports include a report on intelligence-driven security, where people talked about what they're doing with big data analytics and how they're integrating intelligence into their incident management processes. The last report was on bring-your-own-device , which is a really hot issue for CIOs and network directors today, where the members talked about how you allow employees to bring all of their different personal devices into the enterprise and still manage security around them.
KITTEN: What about the way the best practices themselves are collected and put together? Is this basically just a culmination of information that was shared among these 19 chief security and risk officers?
SCHWARTZ: We work with the members of the SBIC. At RSA, we moderate that. We ask them what's of most interest, and it's usually a very strong consensus regarding the next topic is. And then we conduct a series of interviews and discussions with each member to determine what the issues are. It's a very structured process. There are a lot of questions and answers. There are a lot of case-study-driven approaches, and then out of that a report is written in draft. Each of the members has a chance to review the draft, and then there's some additional external peer-review done, and then, finally, it's published by RSA on RSA's website.
Cloud, Big Data Management
KITTEN: What can you tell us about some of the council's findings regarding cloud vendor management and big data management?
SCHWARTZ: There's no question that cloud computing is continuing to see adoption in the enterprise and continuing to grow across many different domains, whether it's the infrastructure level, platform level and so on. Obviously, this opens a lot of different potential issues relative to security: How do I do authentication in the cloud? How do I get visibility into threats, some of the threats that we talked about from different threat actors? How can I get assurance that if I have to prove regulatory compliance to my regulators, I can show them that I'm still complying with regulations, like banking regulations or the payment card industry mandates, or healthcare regulations?
One thing that needs to happen is to have a discussion around all of that between chief security officers and vendors, to come to agreements about what the appropriate standards are; what technologies need to be in place for governance, risk and compliance; and how can we get a common visibility into the status of these controls. Having a formal program, for example, for cloud vendor management, ensuring that the IT budget includes all of the different elements to conduct that vendor management, and ensuring that there's technical proficiency in the organization that understands both the IT aspects of the problem and the security aspects is critical. These would be cloud vendors that add different aspects in that value chain.
Social Media, BYOD Risks
KITTEN: Social media risks that often involve the inadvertent disclosure of confidential data or intellectual property made the list, too, as did increasing threats posed by bring-your-own-device policies. What can you tell us about the SBIC's best practices in those areas?
SCHWARTZ: I think there are risks and opportunities. If you think of the opportunity aspects, think about all of the companies that all of us do business with on a personal level. They all have moved their presence to various types of social media and are reaching out to us and asking us to use our smart phones and various tablets to communicate with them and to do business with them. Many of us are welcoming those innovations, whether it's innovations in mobility or innovations to get information via social media, like in cases of emergency. These are all good things.
But as we continue to rely on these services, we also have to have trust around these services that we're getting information that we can rely on and that our information is safe as we conduct transactions. The businesses need to be able to prove to us that this is true and trustworthy as well.
For security officers, clearly there needs to be a team that takes a multidisciplinary approach to this, where they understand all of the different aspects of social media, not only the outreach parts to try to get people interested in it, but to also understand how to deal with potential security risks. How do you deal with the integrity of that environment? How do you train both internal populations and external populations, as far as what they should trust and what they shouldn't? And how do you monitor social media channels to make sure, for example, that those channels aren't being hijacked by people who may have mal-intent toward the organization, or may want to misinform the constituency that's using that channel.
For BYOD, a key factor is, when you introduce personal devices into the enterprise, it's still important to manage the security and integrity of corporate data. There's that balance between making sure that corporate data is secure and managing that aspect of the device, while still ensuring people feel good about the fact that they can use the device for personal reasons. That's a tricky balance. That requires a close examination of policy, a close understanding of what mobile device management looks like, which aspects are important to focus on right now and which aspects may be more important down the road.
KITTEN: What steps has RSA taken, based on its own breach, to ensure that it's less susceptible to APTs?
SCHWARTZ: The key to any advanced actor, whether it's APTs or some of the more advanced criminal groups, really is the basic premise that no organization is an island. In other words, if you're just sitting there looking at your own log files or other limited amounts of data, you're going to fail in this space. It's really important, when dealing with APTs or other advanced threat actors, to first take a big data approach. How can I collect as much information as possible internally about the behavior of my network, its users, all of the devices that are connected to it, and organize that data properly?
Another critical aspect of this is the idea of intelligence-driven security, and we're really big on that in my shop. How can we look out into the known security universe and look for sources of information, external to EMC and RSA, so that when we integrate that with our own internal data, [we can] provide unique visibility into advanced threat actors - so-called indicators of compromise, information about groups, and information about their networks and resources, whether [it's] their IP addresses, domain names, file types [or] botnet? There's a wealth of information. Some is privileged information; some is pay-per-view information, if you will. Some is information that you'll share on a peer-to-peer basis, on a sector basis, within the banking community or financial services community. The point is, you've got to get it and you've got to have resources in your organization dedicated to doing intelligence-driven security.
Top Threats in 2013
KITTEN: What about other types of threats?
SCHWARTZ:Fraud is really something that we look at closely: fraud due to external criminal groups that are looking for ways to steal identities or steal information for financial gain. We and our customers are very concerned about that, and that's a slightly different problem than an APT-style attack. While it uses similar tactics, in terms of understanding how these actors work, maybe it's a different intelligence-gathering process, in terms of what you need to know. We have a business in Israel, our antifraud command center, that's very, very good. We recently announced that we opened an antifraud command center satellite office at Purdue University in Indiana, which is doing research on fraud-based threat actors as well.
Another area is looking across things like the supply chain. Most organizations, if they think about it, have suppliers and are a supplier to somebody; so you're a link in a chain somewhere and there needs to be security across that whole chain, and that is touched on in the current report. How do I ensure that I'm both trustworthy to the people that are downstream of me, where I'm a supplier, but also ensure that the people that supply me or the organizations that supply me also are trustworthy? It's really important that chief security officers look at that and say, "Do I have a program in place that's adequate to ensure that the entire supply chain is monitored adequately?"
Advice for Organizations
KITTEN: What advice can you offer to other organizations?
SCHWARTZ: We're certainly talking about 2013 and, obviously, we always tend to look at what's the best or worst thing that happened in a given year. But one of the things to consider is that none of these things is completely solvable. Whenever we think about any of these issues, whether it's implementing BYOD securely or intelligence-driven security, or dealing with supply-chain security, or having a program for social media security, cloud security and so on, all of these issues really are multiyear, ongoing programs.
My word of advice, is that you have to think of all of these things as programmatic in nature and plan for multiyear commitments, and plan for commitments that also may change over time. You've got to be agile, just like the adversaries are agile. You've got to have plans that transcend one year to the next, but also you've got to have the agility shift plans a little bit based on changes to the threat landscape, based on changes to how the business is going to be run over the next one, two, three or five years.