SAN FRANCISCO – Organizations can only fight attackers by freeing infosec staff to find creative solutions, says the head of RSA.
“Our problem is not a technology problem,” Amit Yoran said in his keynote at the company’s annual conference here. “Our adversaries are not beating us because they have better technology. They are beating us because they are being more creative, more patient, more persistent. They’re single-minded. They have a target, no prescribed path to get there, no overarching rules to limit them and a virtually limitless number of pathways to explore.”
Even state-of-the-art analytics are insufficient, he said. “The solution is to leverage our own creative, problem-solving analysts. We set them loose to hunt and track down our opponents.”
And to those who point to a shortage of infosec talent, Yoran replied: “Grow them — or at least don’t stand in their way. Let them evolve into the hunters you need ... Focus on empowering them with tools to fuel their curiosity and enable them to find the answers they seek.”
These security analysts can detect and combat potential intruders interactively, he said, denying them access to systems. “You can do this too. Create a culture that embraces free thinkers, the curious. If your security program is focused first and foremost on compliance you’re doing it wrong. Embrace the freedom to actively hunt adversaries. You’ll attract the right team.”
Companies should invest in technologies that enhance rather than replace the curiosity of security staff, he added, including tools that give complete visibility into network traffic. Black boxes that throw out alerts without explaining why give only the illusion of security, he said.
He also warned governments against policies that weaken encryption. How, he asked, can we justify policies that would “catastrophically weaken our infrastructures”? There is more surveillance today than at any time in history, he said. “Weakening encryption is solely for the ease and convenience of law enforcement when pursuing petty criminals. No credible terrorist or nation-state actor ever used technology that is knowingly weakened. However, if we weaken encryption you can sure bet the bad guys will use that and exploit it against us.”
The conference is expected to attract 40,000 attendees, more than 550 exhibitors and more than 700 speakers from around the world. Many vendors take the week to announce new products and services (see below).
But for some it’s a yawn. Forrester Research enterprise analyst John Kindervag, who’s here, calls the huge conference “a medieval torture device,” because of the hype. “RSA is a big fashion show where we see what walks down the runways this year. There’s probably going to be a lot of people talking about threat intelligence, about behaviour analysis.” That’s where venture capital firms are pouring in money, he says. But there will be too many vendors for the market to support, he says, predicting that by this time next year many will have gone out of business or been bought by competitors.
“The real thing missing from the show is data security. It’s still an afterthought. We use networks and devices to give us various levels of protection against a data breach, but the industry still has pretty much got its head in the sand that it can build a harder and more effective perimeter, and they can’t.”
Data encryption, he says, is the answer to better security. There also have to be more advances in key management, he says.
On that front Mississauga, Ont.’s WinMagic announced this morning SecureDoc CloudVM, security software that encrypts and manages data stored in virtual machines and on Infrastructure as a Service (IaaS) platforms such as Amazon Web Services (AWS) and Microsoft Azure.
The product increases visibility and strengthens data security within virtual environments by controlling encryption key management across many layers, including endpoints, file servers, virtual servers, enterprise file sync and share (EFSS) solutions and Internet of Things (IoT) instances, the company said.
In an interview, James LaPalme, the company’s vice-president of cloud solutions, said CloudVM’s policy engine can rotate keys on a set schedule to prevent insider attacks. It can also tie a file to a geography: if a workload is moved to a prohibited geography, it can be automatically deleted.
CloudVM will be offered by subscription or perpetual licence. It will be listed in the AWS and Azure marketplaces so users can pay hourly per instance. No pricing details were released.
Also this morning:
–Centrify, which makes identity management solutions, has extended its cloud-based multi-factor authentication (MFA) service. Until now MFA was available only for applications; now it covers business users, privileged users and resources. “It’s for all the users for all the types of things they want to have access to,” Bill Mann, the company’s senior vice-president of products and marketing, said in an interview.
It is available as a standalone service or as an option across all of Centrify’s products: Identity Service, Privilege Service and Centrify Server Suite.
The MFA service supports voice calls, text messages, soft-token one-time passwords, mobile biometrics and OATH-compliant tokens.
–Iovation announced a new Customer Authentication service that it says makes it easier for consumer-facing websites to recognize users’ known devices so they don’t have to remember passwords.
The company is known for its device identification and reputation sharing platform used by organizations for fighting fraud and authenticating users. The new service uses rich device context and risk profiling to reduce and ultimately replace passwords, said Scott Olson, the company’s vice-president of products.
The service matches devices to customers’ accounts. “It’s going to streamline the authorization process so consumers aren’t required to enter their passwords as frequently, or deal with challenges such as asking questions about their first girlfriend or the colour of the car they had 20 years ago or sending them a one-time password through a text message.”
In practice it integrates with a website through JavaScript that fingerprints the device and profiles its risk through the company’s platform, or through an SDK for mobile applications.
–Hewlett Packard Enterprise announced SecureData Mobile, an end-to-end data encryption solution for developers that protects sensitive information in mobile environments.
Chandra Rangan, HPE’s vice-president of marketing, said in an interview that the suite does tokenization in a way that isn’t performance intensive but still preserves the data’s format, which allows some of the information (say, the first two digits of a credit card number) to remain in the clear for analytics. The result is that the data rarely has to be decrypted.
“Now you have data that is useful for analysis but useless if it’s stolen.”
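The kind of format-preserving tokenization Rangan describes, as an added example that is not HPE’s code and not the SecureData algorithm: a keyed Feistel permutation over the digits of a card number that leaves the leading digits in the clear and returns a same-length, all-digit token that only the key holder can reverse. The round structure follows the FF1 mode of NIST SP 800-38G, but the round function is HMAC-SHA256 rather than the standard’s AES-based one, so this is illustrative, not a conformant FF1 implementation. The key and the card number are constructed sample values, and the two-digit clear prefix is the one from the text.

```python
import hmac
import hashlib

ROUNDS = 10  # an even round count leaves the two half-widths in their original order


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """PRF for one Feistel round: HMAC-SHA256 over (tweak, round number, other half),
    reduced modulo 10**width so it can be added to a decimal half of that width."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Format-preserving encryption of a decimal string: the output has the same
    length and is itself all digits. FF1-style alternating Feistel network with an
    HMAC round function (illustrative; not the NIST-standardised algorithm)."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2          # left half width u, right half width v (v = u or u+1)
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v     # width of the half being replaced this round
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: the same rounds, run backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def tokenize_pan(key: bytes, pan: str, clear_prefix: int = 2) -> str:
    """Keep the first `clear_prefix` digits of a card number in the clear and
    FPE-encrypt the rest. The clear prefix is bound in as the tweak, so the same
    tail under a different prefix produces a different token."""
    if not pan.isdigit():
        raise ValueError("PAN must be all digits")
    head, tail = pan[:clear_prefix], pan[clear_prefix:]
    return head + fpe_encrypt_digits(key, head.encode("ascii"), tail)


def detokenize_pan(key: bytes, token: str, clear_prefix: int = 2) -> str:
    """Recover the original card number from a token produced by tokenize_pan."""
    head, tail = token[:clear_prefix], token[clear_prefix:]
    return head + fpe_decrypt_digits(key, head.encode("ascii"), tail)


# Constructed sample data: an arbitrary 256-bit key and a well-known test card
# number, neither of which is real.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
DEMO_PAN = "4111111111111111"

if __name__ == "__main__":
    token = tokenize_pan(DEMO_KEY, DEMO_PAN)
    print("pan   :", DEMO_PAN)
    print("token :", token)                        # 16 digits, starts with "41"
    print("back  :", detokenize_pan(DEMO_KEY, token))
```

Because the mapping is deterministic under a fixed key, analytics can count and join on tokens, and group by the clear prefix, without ever decrypting; only a process holding the key can call `detokenize_pan`. Two caveats a practitioner should keep in mind: the token keeps the length and digit format but not the Luhn check digit, so it will usually fail a card-number validity check (often desirable, since it cannot be mistaken for a live PAN); and the security of any format-preserving scheme is bounded by the size of the encrypted domain, so the more digits left in the clear, the smaller the space an attacker has to search, which is why the standardised modes impose a minimum domain size.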
–Intercede announced a software solution that leverages Intel’s new chip-based Authenticate identity protection technology to replace password-controlled access to sensitive devices. It relies on Intel’s recently released 6th generation Core vPro processors.
Allen Storey, Intercede’s chief product officer, said in an interview that the solution uses the company’s MyID credential management suite to manage Intel Authenticate-protected credentials. Those credentials aren’t available until after logging into Windows.
As part of the two-factor solution, Intel is incorporating a mini-driver as a standard interface for developers and a virtual reader, so the Intel chip appears as a smart card when logging on to Windows. “You can log onto Windows with it, you can sign documents, connect to secure shared portal sites,” Storey said.
“This in effect allows you to replace passwords completely.”
It’s available now for developers to trial. No date has been set yet for general release.