Seven Questions for RSA Security Head Art Coviello
It’s been almost a year since the security company RSA disclosed that it had come under what it described as an “extremely sophisticated” cyberattack.
It went on to explain some of the circumstances of the attack, a little bit about what data was taken, and then later conceded that at least some of that information was used to launch an ultimately unsuccessful attack against the defense contractor Lockheed Martin.
Last year was a tough one for RSA. Its security tokens, which generate six-digit numbers that act as a second constantly-changing password to help keep intruders out of sensitive computer systems, are the backbone of the security systems of many companies and government agencies.
Art Coviello, the onetime CEO of RSA and now executive vice president of its parent EMC, will be giving a keynote address tomorrow at the annual RSA Security Conference in San Francisco. I thought it might be a good chance to talk with him about the legacy of the attack on RSA, see if there was anything new he could share about what was learned about the attack, and how what happened is shaping RSA’s thinking about the computer security landscape.
AllThingsD: Art, You’ll be speaking at RSA about a year after the infamous attack on your company. How are you approaching the speech, and what are you going to say?
Coviello: Part of what I’ll be talking about is the renewed sense of dedication we have to our mission, our responsibility to customers to regaining and maintaining their confidence. And also applying the lessons learned and sharing them vigorously, not only with our attack, but some of the other attacks that we have privileged insight into. And the bottom line is that we do hope, in the final analysis, that people have more of a sense of urgency in protecting themselves, because the truth of the matter is that we weren’t alone. The theme will be how security has to change from the kind of perimeter defenses that seemed to be dissolving even before our attack, to the requirement for more resilient security based on intelligence that you can get on a more real-time basis. So I’ll be outlining RSA’s vision for intelligence-driven security.
It will be a fairly strong call to action for the industry. We’ve had a great run in creating a trusted digital world, for all its weaknesses and idiosyncrasies. But as you see with trends like the consumerization of IT, we’ve never had a generation of employees and consumers that has been as technology-savvy as we have today, and in many instances they’re getting ahead of the enterprise IT organization’s ability to absorb the technologies they use day in and day out. And that puts an even bigger burden, from a security perspective, on IT organizations. And so they need to manage what they can’t directly control, and secure what they can’t directly control, and that means perimeters are nonexistent. So how do you get the intelligent controls you do have deployed more intelligently, so that even if things are out of reach, they’re not out of your ability to secure them? Our attack did not only raise awareness, but also the action level of people.
The attack that RSA suffered last year caught a lot of people by surprise. For those who haven’t kept track, have there been any new disclosures or information disclosed since, or is there anything new that you’ve learned?
No. And the funny part about it, as with all things in the press, if nothing bad happens, nothing gets written about. To date, there has been only one instance where it has been suggested that the information stolen from us has been used in another attack. And that was Lockheed Martin. And that attack was unsuccessful. There have been no other attacks, and believe me, we have stayed close with law enforcement and other sources, and have run down every one of these that has been reported, and there’s no substantiation of even another attempted attack, let alone a successful one. So we stand by the original decision we made in March, which was to announce that information had been stolen, to announce that you couldn’t launch a direct attack with the information stolen, and that if you took the remediation steps that we advised our clients to take, you’d be fine.
I think — and this is my theory — the attacker thought that they would be able to get in, steal the information they got from us without being caught, and then steal information from others, and combine them. And, quite frankly, because of our quick action in detecting that we were breached and some information stolen, we blew their cover. I can’t think of a reason to explain why they would go to all that trouble and you would only see one instance of a follow-up attack, and that one instance was stopped. And that got lost in all the coverage.
The impression I got was that the attacker seemed to get that this was an attack that was only partially successful, and that whoever it was — the speculation was that it was China — they only got a little of what they had hoped to get, and once detected, the jig was up. Is that more or less how you see it?
I couldn’t put it better than that. And we said that everything we saw pointed to a nation-state, but we never had the smoking gun to point to a particular country as the source of the attack.
So then what happened after the attack was that, since a lot of people and companies and government agencies had put a lot of faith in the RSA dongles and your system to keep people out, there was a bit of a crisis with that faith.
Totally true, let me step in here. That was one of the issues we had to wrestle with when the Lockheed incident happened. Because of the Lockheed thing, people thought we had to issue new tokens to everyone. That was not the case. We continued to stand by the remediation. But we had to recognize the angst and the perception among customers. And that is why we had to offer to replace the tokens. And sure, there were a number of customers who did, but the vast majority did not. No one likes the fact that it happened, but our concern right from day one was for the customers. The proof of the pudding is that our customers are still taking tokens. We’ve lost a negligible number of customers. And, in fact, we’ll be talking this week about some surveys showing that people are still buying tokens.
So you say in your remarks you plan to talk about real-time security intelligence, which is something I’ve talked about with IBM recently. Is real-time intelligence the direction where the entire security industry has to go?
First of all, the NetWitness — and this is another irony in all this — I signed the purchase and sale agreement to purchase NetWitness just a few days before the attack on RSA. And one of the reasons we bought it is that we had it deployed all across EMC. And we viewed it as being very effective in spotting anomalies in network traffic. So the issue today, especially with the porous perimeters that we have, is not whether or not you can or will be breached, because you can be breached. The issue is how fast can you spot it.
The Verizon data-breach report (PDF here) says that more than 90 percent of exfiltrations occur within hours or days of the initial breach. But about 79 percent of breaches aren’t spotted until weeks after they occur. We were able to see the attack in progress, which is why we were able to minimize the information that did get out, and we were within a blink of an eye of stopping the attack altogether. And it was based on this NetWitness technology. But since we acquired it, we have been leveraging it to see not just movements of packets, but to combine with our (Security Event Management) product to not just log information, but ingest all kinds of contextual information. This is unprecedented in security technology and, frankly, IBM doesn’t have it.
And one of the things that I’ll be saying in the keynote is that the age of Big Data has arrived for security, and it has. It is a Big Data problem. If you’re going to be able to spot these attacks in real time and have a resilient security system, as opposed to one that breaks and doesn’t bend, which is what the perimeter defenses do today, then you have to have real-time analytical capability. Only today do we have the storage and analytical capability, and the ability to deploy it at scale. One disadvantage of the attackers is that they are not legitimate. There will always be something in how they get access, or what they do, that will allows us to find them out.
The observation I made in talking with IBM last week is that there are so many new problems and threats emerging that it’s not only difficult to keep track of them, but it’s also hard to filter security vendors who offer conflicting visions and products they all say are a panacea. CIOs are getting confused, and are having a hard time calibrating their priorities. How do they find any clarity these days?
Let me read a line from my keynote: We have to stop being linear thinkers, blindly adding controls on top of failed models. It’s the model itself that is broken. If a vendor is coming to you, saying, “I’ve got this new control, just add it to this uncoordinated silo of controls that already exist,” then they are not doing you much of a service. What we’re advocating is that people double down on some of the qualitative things that have nothing do with technology. So the first element of having what we call an intelligence-driven security system is doing a better job of assessing and managing risk. And I’m going to put a challenge out to the audience, and I’m going to say that no one does this meaningfully, and no one does it well.
So what needs to change?
When I talk about understanding the threats outside-in, as well as inside-out, what I mean is not only understanding what your material assets are, but marrying that knowledge to an understanding of who might attack you, how they might come at you. The next step is getting leverage from the controls that you have. You have to disinvest in some. Let’s face it, 10 or 12 years ago, antivirus signatures numbered in the tens of thousands. Now they number in the tens of millions. How can that make any sense? As soon as you have a signature, someone has a new virus to overcome it. It’s these static models that don’t bend, but break, that have to change. The controls that we have have to be more intelligent.