Zulfikar Ramzan, CTO, RSA Security, discusses how organisations should change their mind-sets to adapt to the evolving threat landscape and the value-add security can bring to businesses.
This is the first time that the RSA Conference is being held in this part of the world. What prompted you to hold the event here?
We are always looking at how we can inculcate the worldwide community of security professionals and vendors, and get them to come to one place. While it would be very easy for the Conference to be held in just one location every year, we felt that that would limit our opportunity to create that community. I believe that cybersecurity is not an issue that affects only one individual; this is a subject that can impact anybody in different ways.
I am particularly excited to have come to this part of the world because economies in this region are heading towards rapid growth. There has been a tremendous change in this region during the last 10 to 15 years and almost everything has transformed. I think that is a sign of the progressively changing times.
When I look at burgeoning economies, whichever part of the world that may be, they all have one thing in common – they are all encumbered by legacy issues. Nevertheless, they are forward thinking when it comes to improving the IT landscape, and that excites me as a technologist. We are seeing that a lot of our customers here are starting to really understand and accept the way the threat landscape is shifting.
Last year at the RSA Conference your president Amit Yoran mentioned that security is still stuck in the Dark Ages. What do you think he meant by that?
I think that’s because of incumbency issues. A lot of companies are still encumbered by traditional security systems. If you look at security 20 years ago, security mainly focused on two elements – firewalls and antivirus.
For the longest time that was sufficient; there were not that many threats then and they were pretty easy to deal with. Over time, security evolved with elements such as IPS, IEES and so on. But ultimately, the goal of every organisation is to know how they can prevent attacks from happening and how they can protect everything that is within the walls of their perimeter. However, the threat landscape has radically transformed since then and cybercriminals have also changed. As a result, the same technologies that they have relied on for so many years started failing them in unprecedented ways, and yet a lot of these organisations remain reluctant to change their mind-set.
There was a recent study by Forrester which identified that when most IT leaders budget their spending they focus more on prevention technologies. This should not be the case because they are merely putting more effort into building taller walls and digging deeper moats, which will not solve the problem entirely. That is the message that we are trying to get across: organisations should move beyond these traditional mechanisms and embrace the way the landscape has evolved.
I’m not saying that they shouldn’t have antivirus or a firewall, but they must not mistake these technologies for proper strategies for dealing with advanced threats. The most aggressive and impactful threats can only be addressed by a comprehensive strategy, which involves analytics, as this will help organisations gain insights on their visibility. This should then lead to a comprehensive governance programme, so that they can take the low-level technical issues and translate them up to high-level business risks. Because the one thing that we are seeing nowadays is that cybersecurity is no longer dedicated to just the realm of the highly technical specialist; it has now become a crucial element for every member of the C-suite and management teams.
The CEOs and CFOs may not care about the technical implications of malware, but they do care about how it will translate to business operations, what risks it will bring and how they can compensate for it. We have to take the language of IT security professionals and translate that into the language that C-level members understand. Enterprise leaders are now recognising security as a critical business issue. At the same time, CIOs and CISOs are increasingly being asked to use security to bring more value to the business.
One of the problems of security today is the increasing number of alerts and false positives. People cannot identify which specific alerts they should pay attention to. Is this where security analytics come into the picture?
Absolutely. If you look at some of the major breaches during the last 18 months, every one of them had the technology that you would expect when it comes to security. They had SIEM, next-gen firewalls, sandboxes and so on. Those technologies failed them when the breaches happened.
Now, part of why they failed is because they had numerous alerts. They might have pinpointed some critical issues, but they also found 5000 other things that were not entirely relevant. So, when you see 5000 alerts, what do you do?
The way I see it is like this: if you have an alert that has no context, that alert is useless. You need to have some context around that alert. If you have the extra visibility you can triage these alerts and find out which ones actually matter. So, having deep and pervasive visibility helps you eliminate irrelevant alerts.
You can still further simplify this. Organisations can juxtapose these alerts with business context and through this process they can find out which ones are impacting their most critical data. Upon doing so, they can have their IT security teams assess and address these alerts.
With the right combination of security analytics, pervasive visibility and business context, organisations can eliminate irrelevant threat elements and focus on the most critical issues. In doing so, they’ll be able to concentrate on how they can address these critical problems and improve their risk posture.
What can you say is the ideal security posture?
I think there should be an equitable split on investment between prevention, detection and response technologies.
Make sure you also have good identity and access management. Identity is the first key pillar to having a good security posture. As we move into a world where the perimeter becomes less and less relevant, identity is one of the last tangible things you can hang onto from the security perspective. If you look at it closely, identity is a cornerstone of security, because security has always been about the assertion of ensuring that only the right people can access the right resources at the right time.
The second key pillar is visibility. Understand where the attackers are trying to get in and identify it earlier in the kill chain. Know that an intrusion is very different from a breach. While you cannot stop all incidents of intrusion, you can always find a way to stop cases of breaches. That should be the goal of every organisation from the security standpoint. You have to figure out how to minimise the impact of an intrusion and reduce the risk of attackers taking your most critical assets.
The final component is making sure you can translate this to business risk, because ultimately, security is part of a pervasive culture in an organisation and an integral, business-critical aspect of a company.