Art Coviello’s RSA Conference Keynote.
Good morning and welcome to RSA Conference 2013.
We in this audience are the champions of a trusted digital world.
A champion is defined as an advocate or defender. Sounds like us, but a champion is also defined as a winner. Doesn’t quite sound like us... at least, not yet.
Could things get a whole lot worse before they get better? Perhaps. How many of you have those BYOD security issues solved? You understand all the security ramifications of Facebook, LinkedIn and Twitter, don’t you? Everyone is moving to the cloud without fear or trepidation. And, you’ve got that DDoS problem covered, right?
Well, although collectively we’re not winning, we haven’t lost yet either.
But - just when you think the odds against us can’t get any higher, they do!
I’m talking about the coming convergence, across every aspect of our lives, of mobility, social media and cloud with Big Data. With the pervasiveness of Big Data, touching on everything we do, our attack surface will be altered and expanded and our risks magnified in ways we couldn’t have imagined. 2012 was the breakthrough year for the concept of Big Data.
A year in which the most interesting character in the U.S. presidential election was not the winner (or the loser), but a data analyst at the New York Times named Nate Silver. Silver predicted the outcome down to the popular vote percentage and the breakdown in the Electoral College. Editors at TIME magazine declared the #2 buzzword of 2012 to be “Big Data,” only behind something called the “Fiscal Cliff.” For all of the buzz, there’s tremendous confusion about the term because it represents more than just a lot of data.
Fundamentally, Big Data is about the ability to extract meaning, to sort through the masses of data elements and find the hidden patterns, the unexpected correlation, the surprising connection. It’s about analyzing vast and complex unstructured data sets at high speed, to solve innumerable problems across a wide spectrum of industrial, non-commercial and governmental organizations.
Big Data has the potential to transform our lives for the better, our health, environment, our livelihoods, and almost every facet of our daily lives. Yet, we are only at the dawn of Big Data.
Let’s start with the data itself. Stored digital content is doubling every two years reaching 1 zettabyte last year. Just think about that for a moment. That’s the equivalent of 4.9 quadrillion books. Seems like a lot! And while the most common business analytics are based on structured data using relational databases, the real goldmine is in unstructured data which is 5X larger and growing 3X faster.
And how will something like the “Internet of Things” accelerate the growth of consumable data? Nick Valery, a columnist for The Economist, writing in their 2013 Almanac, estimated that the number of identifiable “things” connected to the Internet: from vending machines, to smart meters, to cars, will exceed 1 billion this year.
By 2020 analysts predict that tens of billions and perhaps as many as 200 billion objects will be connected. Think of the richness and variability of data that data scientists will have to work with. And, we’re not only talking about how big data will impact and drive information technology. We’re talking about how businesses and organizations will fundamentally change and evolve to become more productive and efficient. As Valery suggests, the benefits to society will be incalculable.
But, according to IDC, as of now, less than 1% of this data is being analyzed. This won’t be for long though, as new tools and techniques are coming on line. And it won’t be long before Big Data applications and stores become the “crown jewels” of an organization. For once this tired cliché is actually appropriate. And those crown jewels will be readily accessible in the cloud and via mobile devices across our hyperconnected enterprises -- but not just to us, to our adversaries as well.
Feel those odds against us rising? Well I'm just getting started.
Much has been made in the press of late about attribution for the attacks on the NY Times and others. I’ll take the reports at face value. But, do we really need to see a smoking gun to know there’s a dead body lying on the floor? Did we somehow miss, that not one, but multiple nation states are infiltrating commercial, non-profit and government organizations around the world for the purpose of espionage and theft of IP, some more visible and egregious than others?
And let’s not forget cybercriminals like those associated with the recent Facebook and Apple breaches.
Sure, we should continue to work to out all of the perpetrators. But, we know who they are or at least where they are coming from. I would rather ask, what are our governments going to do about it and what are we going to do to better defend ourselves?
There’s a whole host of geopolitical issues here that are above my pay grade. But, it’s clear to me, in an age of globalization, with interdependent economies relying on world trade that all nations need to be governed by rule of law and respect for property, not just in word but in deed.
As to defending ourselves, well, there is an additional challenge we are all collectively facing, a very disturbing escalation from our adversaries that we need to have a thorough understanding of. I’m talking about recent attacks that go beyond intrusion, disruptive attacks that appear to be coming from a nation that sponsors terror and hacktivist groups.
Ensuring the right level of understanding here is key, because if we, as an industry, overhype this situation, organizations won’t take measures to prepare themselves.
That’s why I abhor terms like cyber Pearl Harbor. I think it is a poor metaphor to describe the state I believe we are in. After all, what do I do differently once I’ve heard it? And I’ve been hearing it for almost 10 years. Triggering a physically destructive event solely from the Internet might not be impossible, but it is still highly, highly unlikely. Disruptive attacks against the financial services industry however, as we have seen in recent months, have the potential to not only cause significant economic loss, but could trigger a loss of public confidence, all out of proportion to any financial one. The same could be true of a disruptive attack on any other element of our critical infrastructure, like the power grid. DDoS attacks are just the method du jour, but we should be preparing for others. And yes, we’ve had DDoS attacks before. The escalation is about the source and severity with which they are being carried out.
Make no mistake; this escalation is significant.
Disruptive attacks will become the prelude, the pathway to destructive attacks. Here's the issue, the more we create the “Internet of things,” IP enabling more and more elements of physical infrastructure, the pathway will become clear. Attacks on digital systems that result in physical destruction will no longer require “manual” intervention. Disruptive attacks that erase or corrupt digital content as we saw at Saudi Aramco, are a step along that path.
The emergence of these disruptive attacks adds a scary dimension to the escalation of intrusion-oriented attacks aimed at espionage and theft. Taken together, the implication is that in the next several years we are headed into very dangerous and unchartered territory and I’m not sure that anyone outside our community has a true grasp of the situation.
In a speech I gave about six months ago, I coined a phrase, the PR GAP, the perception versus reality gap that I felt had emerged between the press, the general public, and privacy groups and ourselves. Some of the blame rests with us. FUD oriented marketing, figures tossed around about cyber losses, phrases like cyber Pearl Harbor, etc… may temporarily raise awareness but do nothing to improve a broad understanding of the situation.
Many in the press still believe the situation is overhyped. This past year, Richard Clarke was skewered in a Wired Magazine column for suggesting our critical infrastructure was highly vulnerable. But until recently, the press didn’t see what we, law enforcement, and the intel community see. Nobody, nobody, wants their breach or loss exposed. So like the proverbial iceberg, the true depth of the problem has remained hidden. And I say recently because the New York Times and several others in media felt what it was like firsthand.
But back to my friend, Dick Clarke. Even if he did exaggerate the current threat, it doesn’t mean his prediction won’t come to pass based on the current trajectory or with the specter of the uncontrolled use of exploits like Stuxnet and Duqu exploits. It would be wise for us to remember his 9/11 testimony and his work in the White House to warn about the terrorist threat.
So what do we do?
As is often the case, in times of crisis and peril, I look to history and the exemplary leadership of others, like the sixteenth President of the United States Abraham Lincoln.
He is certainly topical with the recent movie.
One month before signing the Emancipation Proclamation, in a message to Congress on December 1, 1862 about what it would take to win the Civil War and save the Union, President Lincoln said:
“The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty and we must rise... with the occasion. As our cause is new, we must think anew and act anew.”
Well, I think it’s safe to say “our situation is piled high with difficulty”.
We are at a critical crossroads – we are at the next phase in the evolution of the Information Age with this convergence of Big Data, mobility, cloud, and our social media-driven society.
And as we face an equally evolving threat landscape, it is clear that our cause is new, and we must act anew. It is past time for us to “disenthrall” ourselves from the reactive and perimeter based security dogmas of the past and speed adoption of intelligence-driven security.
In my keynote last year, I outlined the requirements of an intelligence-driven security system: a thorough understanding of risk, the use of agile controls based on pattern recognition and predictive analytics to replace outdated static controls, and the ability to analyze vast streams of data from numerous sources to produce actionable information.
Fortunately, no matter what you call it, the idea of an intelligence-driven model is becoming conventional wisdom. So we are starting to “think anew.” But given the situation, we must act more quickly. This morning I would like to focus on the nature and development of intelligence-based systems and sources of intelligence that are the basis for the model that we must act on.
Nassim Taleb, who gained fame as the author of Black Swan, a bestseller about financial markets and predictability of risk, has a more fascinating new book out: Antifragile: Things That Gain From Disorder. The concept is relevant to designing intelligence-driven security systems that employ adaptive capability, machine learning and external intelligence to become smarter in response to attacks.
“Anti-fragile” does not mean “resilient” or “durable.”
Resilience means taking a blow and springing back to previous form, like a wet sponge. Durable means withstanding external force without changing, like the U.S.S. Constitution’s hull withstanding the force of cannonballs. Anti-fragile, by contrast, is the opposite of fragile.
If fragility means brittleness or weakness that causes an object to break in response to force then anti-fragile means the adaptive capacity to become stronger or smarter in response to attacks and disorder. Taleb shows how so many make the mistake of trying to design “durable” entities… when all the time they should be trying to design underlying systems that can prove themselves to be “anti-fragile.”
Using an approach like this can make an intelligence driven security model future proof. I’m not talking perfect security here. I’m talking about a model that evolves and learns from change, whether process, technology or threat related - I’m talking about a model that allows us to detect attacks quickly and respond quickly - I’m talking about a model based on “Big Data” that’s correct – our own version of security Big Data.
Big Data will be applied in two ways: in security management and in the development and application of individual controls. Because sources of security data are almost limitless, there is a requirement for security management that goes well beyond traditional SIEM.
We have reached the limits of that technology. Organizations must be able to gain full visibility into all data, structured and unstructured, internal and external.
Big Data architectures will be scalable enough such that all data can be analyzed no matter how expansive or fast changing.
Organizations will be able to build a mosaic of specific information about digital assets, users and infrastructure - allowing the system to spot and correlate abnormal behavior in people and in the flow and use of data.
In a recently published security brief, titled: Big Data Fuels Intelligence Driven Security, experts from RSA, Northeastern University and Booz Allen Hamilton set out the components for a Big Data oriented security management system:
It must start with automated tools that collect diverse data types and normalize them.
And the data needs to be stored in a centralized warehouse where all security-related data is available for security analysts to query. The system must include analytics engines capable of processing vast volumes of fast-changing data in real time as well as a standardized taxonomy for indicators of compromise that are in machine-readable form and can be readily shared. And it must rely on N-tier infrastructures that can scale out across multiple vectors and have the ability to process large and complex searches and queries.
Finally, the system must have a high degree of integration with GRC systems and task specific security tools to detect attacks early or even in advance and then to trigger automated defensive measures such as blocking network traffic, quarantining systems or requiring additional identity verification.
As to the controls themselves -
The high degree of integration is key to replacing today’s non-system of individual, isolated static controls. Big Data controls will be agile and predictive like next generation authentication and malware blocking. Although initially task specific, to be truly dynamic and situationally aware these controls have to evolve. Let me elaborate. Individual Big Data controls will be smart to begin with but will also have the capacity to be self-learning and they should be able to inform or be informed by other controls. They should be able to feed or receive intelligence from security management systems and report to and receive instructions from GRC systems.
While we are several years away from all controls and management platforms having this level of completeness, the process is well underway.
Vendors have already been building tools with big data analytics and are offering products that will have a disruptive impact on many tired product categories like anti-virus, authentication and SIEM.
As an example, and I’m sure you’ll see others, we at RSA have just announced version 8.0 of our SecurID authentication manager platform. Version 8.0 includes a risk based analytics engine that has experience gained from nearly 50 billion transactions. We also recently announced our Security Analytics platform, a new approach to security management that fuses log and packet data with internal and external threat intelligence. This platform gives analysts unprecedented visibility to assess and defend against advanced attacks. But Big Data is only as good as the amount and quality of the data.
That is why it is so important to address the need for information sharing so that external feeds of intelligence can have a force multiplier effect.
This is something I have been advocating for some time which is why I am so pleased that this year’s winner of the RSA conference award for security practice will be going to an industry ISAC for its outstanding system of sharing threat intelligence.
It’s also great to see the advances industry is making. For example Juniper Networks just announced Junos Spotlight Secure, a powerful new cloud platform for gathering and sharing intelligence about attacks and attackers and much more. We’re looking forward to working with Juniper to provide bidirectional intelligence sharing with RSA Live.
Whether it’s within or among industries, or between and among vendors, intelligence driven security models can only succeed through better sharing of intelligence. The question that remains to be answered is how to act. Having talked about the attributes of Big Data Security Management and Big Data Control, let's focus now on some of the actions practitioners can take.
Here's my advice based in part on the wisdom of my colleagues –
Create a transformational security strategy:
Design a plan that transitions your existing infrastructure to an intelligence driven one incorporating Big Data capabilities, as they become available.
Create a shared data architecture for security information:
Because there are so many sources and formats of data, it is critically important to have a single architecture that allows all information to be captured, indexed, normalized, analyzed and shared.
Migrate from point products to a unified security architecture using open and scalable Big Data Tools:
Migrating to individual Big Data controls will solve old problems in new ways and new problems as conditions change. The leverage and synergy from and between these tools will lead to a unified security architecture that finally offers true defense in depth.
Strengthen your operation’s data science skills:
While emerging security solutions will be big data ready, security teams may not be. Security leaders should add data scientists or outside partners to manage the organization’s big data capabilities.
Finally, Leverage external threat intelligence:
Augment internal analytics programs with external threat feeds from as many sources as possible.
That completes a high-level action plan, but what about the benefits?
Historically, the benefits of our security infrastructures have been in our ability to react and act against known threats. Enabled by big data, intelligence driven security will also have the ability to act against both known unknowns and unknown unknowns. No, I’m not channeling my inner Donald Rumsfeld. The whole point of an anti-fragile system is that it will operate independently of and in concert with the threat environment and other environmental changes. I don’t mean to imply we are headed to some security utopia.
But, we should be able to keep pace with our adversaries and in many instances, get ahead of them even in the face of uncertainty. The model is future proof even if the operation of it isn’t.
That’s why we can’t forget the human element.
In his book, The Signal and the Noise, Nate Silver implied that big data yields little if we deny our role in the process. One of my favorite Silver quotes is, “Caesar recognized the omens, he just didn’t think they applied to him.” However much we automate the process, we cannot abdicate our own judgment and involvement, nor can we escape responsibility. In that vein - in the same message to Congress I referred to earlier, President Lincoln talked about his responsibility, his administration’s and Congress’.
I’d like to paraphrase those remarks as they apply to us:
We cannot escape history, we, all of us in this industry - will be remembered in spite of ourselves. The trial through which we pass will light us up in honor or dishonor to future generations. We say we will protect critical infrastructure and ensure information technology is used to make a better world.
The world will not forget that we say this.
I believe we know what to do to create a trusted digital world. We need the help of our governments but it is up to us to defend ourselves. We need to move quickly to intelligence driven security. Big Data technology will enable this new model, transforming security.
But it must begin with us. As a technologist, I believe technology will continue to help us solve our seemingly unsolvable problems - improve trust and confidence - and help us manage the problems that cannot be solved right away. Big Data technology has arrived. Embrace it.
It will help us win. We have no time for losers. WE ARE THE CHAMPIONS!