On Tuesday, Amit Yoran delivers his first keynote address as president of RSA—the security subsidiary of business technology giant EMC (EMC), best known for its passkey-generating fobs—at this year’s RSA Conference, the largest enterprise security confab in the world.
(If you’re unfamiliar with the conference, here’s Fortune’s breakdown in the latest issue of the magazine. You’ll notice we pulled a featured quote from his address.)
Yoran sat down on a call with Fortune ahead of his speech to provide a sneak peak at the issues he’ll be discussing on stage. What’s his number one? Well, the headline may have given it away…
“The security industry is failing,” Yoran tells Fortune, taking a pause before delivering a knockout blow. “It has failed.”
Indeed, it’s hard to argue otherwise. Last year there were 738 data breaches, according to the Identity Theft Resource Center, which represents a more than 25% increase over the year prior. Those figures don’t exactly indicate a success.
“If I could come up with a theme for this year’s conference it would be: No More of the Same,” Yoran says. In fact, the theme of this year’s conference is—as though pulled from another presidential campaign playbook—Change. (Admittedly, a less colorful theme than that of that of the ’95 summit: Egyptian Scarab Seals.) “Let’s do things differently; let’s think differently; let’s act differently. Because what the security industry has been doing has not worked.”
Yoran, who has served in various security functions within the private and public sector for more than two decades, has seen monumental shifts in the way security pros protect—and their adversaries infiltrate—corporate networks. Now he’s fed up, it seems. Companies have failed to adapt to today’s assiduous threats, he says.
“If we don’t succeed and turn the current paradigm around, I think there is a catastrophic situation for technology in general,” Yoran says. “We have to win. There is no alternative.”
Topping Yoran’s list of gripes is what he believes to be a lack of understanding. Today organizations will spot a breach and rush to clean it up before truly understanding the extent of the compromise, he says. They end up blinding themselves to the incident, not having “scoped” it properly.
[fortune-brightcove videoid=4177674506001]
Yoran’s keynote address is aptly titled “Escaping Security’s Dark Ages,” and he extends the analogy in conversation with Fortune. “We need to stop thinking of taller castle walls and deeper moats,” he says. Complex passageways and nifty windows won’t work either—no matter how high one builds or how deep one digs, attackers will still get through. “At the end of the day, even if you use next generation protective measures, focused adversaries with the resources, with the time, with the skill, and that have a defined objective of breaking into your organization are still going to get in,” he says.
Not to alarm anyone, but they’re probably already inside, he adds.
So should we all just roll over and accept defeat? Yoran answers with an emphatic No. Even while corporate IT teams face the digital equivalent of barbarian raids and bubonic plagues, Yoran is convinced that the halcyon days are not all past. “We sit at the doorway of the age of technology enlightenment,” he says.
Clearly knowing his audience, Yoran supplies his guidance in the form of “5 things to know”—a favorite Fortune format. Here they are:
1.) Know your environment.
First is what I would characterize as true visibility: Understanding what’s really happening in your environment. Don’t rely on logs from IDSs [intrusion detection systems] or firewalls. You’ve got to really understand. Unless you have full packet visibility into end points with a sophisticated compromise assessment capability technology, unless you have visibility into the cloud-based environments that you operate in, you cant begin to pretend you know what’s going on. I would say that is a fundamentally non-negotiable building block for security today.
2.) Know your users.
Second is this sort of realization or understanding that in a perimeter-less world, you have fewer anchor points at which to apply good security. Key among those are identity and data. As attacks move from zero day exploits and pieces of malware to orchestrated campaigns, at some point in that attack lifecycle it’s all about compromising privileged access accounts. Compromising an end user account increases the access levels that—and the information that—the adversary can access. Organizations need to do a better job of authentication.
3.) Know your adversaries.
Third is external threat intelligence. There are phenomenal sources of threat intelligence today that have phenomenal insight into very specific threat actors. If you don’t understand the threat environment, if you don’t understand your adversaries, if you don’t understand who is coming after you or what they’re coming after—what their TTPs are, or tools techniques and procedures—your operating in an island instead of looking at the weather forecast. You’ve got to understand what’s happening in the broader environment to give yourself a leg up, or even a fighting chance.
4.) Know your priorities.
The fourth point would be to understand what matters to your business. You can’t protect everything at all costs at all times. What matters most? What’s mission critical? What is required for your regulatory reporting requirements? What is required to accomplish your organizational objectives? What keeps you in business? What drives shareholder value? You’ve got to understand these things so you can prioritize your limited security resources to the things that are going to be most impactful to your organization. It’s an absolutely critical part of managing digital risk today. Because digital risk is business risk. It’s a fundamental building block that most organizations don’t do or don’t do well.
5.) Know your weaknesses.
Point five is to stop believing that your adversary protections work. They work, they block things—but they fail, too, on a regular and consistent basis. Stuff gets through. We see malware today specifically designed and programmed to evade sandbox detection, because that’s an increasingly common methodology people use to protect themselves. I’m not saying don’t adopt aggressive forward-leaning protective methods. Of course, do that. But don’t lull yourself into a false sense of security by believing the marketing or hype.—that just because you’ve done X, Y, Z, you can sleep well at night. The truth is the adversary is getting in no matter how high the walls you build are. Or they’re already in. And you’ve got to be able to think about the world that way.
“That’s the difference,” Yoran concludes, “between becoming a leading security program and disaster.”
