At RSA Conference 2016, we caught up with Robert Griffin, Chief Security Architect and Security Evangelist at RSA, to learn more about the current threat landscape and get his insights on how organisations can strengthen their security posture.
What are the biggest security threats organisations should be wary of in 2016?
There are emergent threats, especially in terms of disruptions of enterprises and infrastructures. These are new and important. For example, the recent attack against Ukrainian power companies in December resulted in the disruption of electric power. For many attackers, this represents a shift in focus from financial espionage to active disruption of business within the organisation, and also of the society in which these capabilities are offered.
Today we see a tendency to attack new classes of enterprises, which until now have been relatively less attractive to attackers. Critical infrastructure is now being targeted more often than it was two years ago.
In terms of risks, is it more information security risks or cyber threats?
There seems to be less of a risk of information breaches than of the infrastructure itself being targeted. This was true in the Saudi Aramco breach as well as in the Ukrainian incident.
Back in 2006, it was clearly espionage attacks against the manufacturing sector. Today, however, it is a different class of attacks, intended to achieve social and economic damage.
This reflects a change in the goal of the attackers: to create a social impact rather than to gain financial advantage.
What are the cybersecurity trends that you see around the globe?
There are new trends in attack mechanisms, especially in terms of the growth of the dark net. For example, RSA announced the discovery of two fairly significant new sets of malware in late 2014. One was called Terracotta, which was a malware-supported VPN network. Attackers could rent and have access to this VPN in order to secure communications among themselves.
The second one was called GlassRAT, a new remote access Trojan, explicitly directed towards being able to gain control of enterprise environments. Both were clearly a new generation of malware with some resemblances to previous classes of malware.
There are definitely ongoing developments of new malware within the attacker environment. The other change is in the direction and goal of the attackers.
What do you think is the future of cybersecurity?
Well, the first point to note is that attacks will continue to grow in complexity, in frequency and in the range of attackers. Presently, the three most common categories of attackers are nation-states, cybercriminals and hacktivists. Most likely, there will be further differentiation of these categories and the introduction of potential new kinds of attackers.
We are almost certain to see a shift in the direction of response. At RSA, we have strongly advocated that the model of defensive and preventive strategies such as firewalls will no longer suit the modern enterprise or government.
Today's employees are always on the move, so most of their communication doesn't happen within the home office over secured networks but via the cloud. Therefore, we need to have models that fit the cloud-based approach and support mobile users. The only way to do this is through mechanisms such as identity-based and analytics-based approaches. I believe that the strategy of analytics and investigation will be the dominant response model in terms of how we achieve cybersecurity going forward.
How can businesses enhance their security posture?
The first aspect of this is to have a fundamental change in attitude and perspective. We have to think of security as a spectrum of capabilities. Organisations should start by identifying the assets that, if attacked or breached, would damage the company or its customers the most. What can be done to mitigate the risks around that impact? If we begin there, we will quickly come to the conclusion that very little should be spent on anti-virus or things that provide such little protection against attacks. Instead, the most effective methods show up in areas such as identity management, analytics and risk management. That is the strategy one has to have in place, and it is the best way forward in order to respond to threats.
Gaining complete visibility across networks is what most organisations are aspiring towards. But what are the key elements to keep in mind to help achieve this?
There are three main aspects. One is that the more you can instrument capabilities in that environment to provide information, the better off you are. If you don't have that, then you miss out on a whole body of information which you could otherwise use.
The second aspect is that you need to gather kinds of information that may not be the direct indicators themselves but provide really good context about what is going on.
The third element is that organisations really need to think about the privacy questions. They need to assess whether, if this kind of information is collected, it poses a risk of exposing important user information, or risks in terms of national regulation and company liability.