Behind closed doors, more than 100 senior executives talked freely about the difficulties in defending against APTs and regulatory changes they wanted to see.
In a closed-door summit on advanced persistent threats, CISOs, CIOs and CEOs revealed that their organizations had been breached at least once by sophisticated attackers intent on stealing sensitive information. Several admitted they wouldn't be able to tell if they had been attacked.
More than 100 C-level executives from major organizations attended the Summit on Advanced Persistent Threats in Washington, D.C., last July and candidly discussed what they were doing about cyber-security and targeted attacks, Eddie Schwartz, chief security officer of RSA Security, EMC's security division, told eWEEK.
On Sept. 13, trade group TechAmerica and RSA released key findings summarizing the discussion among forum attendees. An in-depth report is expected in October.
Schwartz said he was surprised at how pervasive APT activity is. "Literally everyone had something to say," he said, noting that many of the executives discussed incidents they had not yet disclosed publicly even though customers may be affected.
"The frequency and volume of attacks have reached pandemic levels," Schwartz said.
Security professionals from government agencies and the private sector acknowledged that they must assume they are already compromised, Schwartz said. Organizations have to plan and act as though a breach has already happened, minimizing the time attackers spend in the network undetected and limiting the damage they can do.
Perimeter defense, trying to block all incoming threats at the network boundary, doesn't work when there are so many ways for attackers to get in, Schwartz said. Instead, an organization has to ensure the "crown jewels" are protected at all times, especially since attackers are now targeting "people" with spear-phishing attacks instead of breaking into systems directly.
Schwartz knows what being in a "state of compromise" feels like. In March, RSA disclosed that unknown attackers had breached its systems and stolen sensitive information relating to its SecurID two-factor authentication technology. The information was later used to launch follow-up attacks on several defense contractors in May.
RSA talked about what had happened with the breach and also "listened to everyone else talk," Schwartz said, adding that being able to hear what other executives were doing and experiencing gave attendees some ideas on what to implement in their own organizations.
There was a significant "level of shared concerns" among the attendees, which was a clear indicator that these kinds of attacks, while not new, are more pervasive than originally perceived, Schwartz said. More organizations are experiencing attacks, and there is a "growing willingness" to talk about it, he added.
The bad guys are better at information sharing and much faster at analyzing data, Phil Bond, CEO of TechAmerica, told eWEEK. In contrast, companies have a hard time sharing information or discussing incidents with the larger community. In many cases, organizations may be held liable for information shared with third parties because it would violate privacy regulations, even if it were shared for security purposes, Bond said. Policy needs some tweaks to make it easier for companies to share information with the security community and with the government.
Attendees also acknowledged that cyber-incidents shouldn't just be handled by the security team, but need to be embedded in the organization's overall strategy. Just as executives plan for natural disasters and sudden downturns in the stock market, cyber-attacks need to be treated as a disaster, and all major divisions need to be included in the preparation for defense and incident response, Schwartz said.
All of the organizations have conducted some form of employee training or awareness program, but the traditional programs are generally perceived as a waste of money, according to Schwartz. Employees do not see the relevance of the training, and the programs do "not make them want to follow the rules," Schwartz added.
Some organizations are taking "forward-leaning approaches" to training, such as running scenario-based, "war-games"-style exercises in which users are actually compromised and then called in to face the consequences, Schwartz said. The employees are shown exactly how a specific action, such as opening an unknown file, results in a specific amount of money lost, employees laid off or even someone injured, he added.