Information risk in the Middle East is very basic and companies in the region are leaving themselves vulnerable to attack. This according to Branden Williams, senior information risk and security professional, and CTO of marketing at RSA.
“I’ve worked with some utility companies in the Middle East and information risk there is very basic. It’s not that they don’t take it seriously, but just from a maturation perspective they’re not there,” Williams said.
“When an executive has to live through a breach they then understand a little bit more about why they need to spend the money to prevent something like that from happening. Until they can really see it, hear it and deal with it, it’s that black swan that doesn’t exist. They think it’s not going to happen to them,” he added.
Williams was referring to RSA’s large-scale security breach in March of last year, which he said even the advanced information risk of the security firm couldn’t detect.
“It was a very advanced attack from an advanced adversary that was using this information for additional targets. It wasn’t something basic like a firewall not being configured correctly. It started with a couple of phishing emails and it’s pretty easy to get somebody to click a link,” he said.
“So it started with that and established a beachhead, before moving laterally, taking advantage of the permissions that exist with the different users and then targeting specific users,” he added.
He said that RSA’s security breach only emphasised that the “very basic” information risk he has seen in the Middle East is nowhere near adequate enough to help prevent the sophisticated attacks of today, and offered his advice.
“The easiest thing is to start looking and mapping out data flows as early as you can while you can get a handle on it, because the more your company grows the more stuff is going all over the place. If you can manage and understand where your data is moving you can design control to keep it safe,” he said.
Williams also offered his advice on the best practices enterprises can follow to identify and mitigate potential risks.
“Understanding where your data lives and how it flows is really key to designing suitable controls. Then you have to understand how people consume that data and how your business uses that data, so that when you design those controls you’re not breaking the business. You have to use the intelligence that comes in from either vulnerability intelligence or geopolitical intelligence – anything that can feed into a policy structure that you create,” he said.
“It has to be flexible enough. Let’s say a certain geopolitical event occurs, you can decide that because this event is occurring you may be a target for this type of information so you can turn off VPN access for the time being. You have to have an ability to take control of certain elements of your infrastructure in that manner where you can say this is offline for now,” he added.
Despite its security breach, Williams said RSA is so confident in its own products that it uses them all for its own protection.
“We use all of our own products to protect EMC and RSA. The latest one we added was NetWitness, which is kind of like a DVR for your network connections. We also use RSA Archer to manage incidents, RSA Data Loss Prevention (DLP) to look for data that’s flying around in places, RSA enVision for capturing logs, and our strong authentication appliance for our remote users,” he said.
“I’m not saying all you have to do is buy RSA – I’d love for you to do that, but it’s more that we believe we have a really strong platform that covers the majority of those things. It does tend to start with visibility, or the data and the risk, before then managing it,” he added.
Sub editor, Ben Rossi is reporting live from the RSA Security Conference, 2012 in San Francisco. For live tweets from the event, follow @ComputerNewsME and #RSAC.
