RSA CTO Bret Hartman discusses the concept of advanced persistent threats with eWEEK, as well as the concept of the next-generation security operations center.
Many people agree that fighting cyber-crime requires a mix of awareness,
technology and user buy-in, but finding the balance between those elements
and mixing them into a cyber-security solution hasn't been easy.
Still, vendors at the RSA Conference are putting
forth their own strategies
to address the proliferation of malware
targeting consumers and businesses today. While Microsoft Corporate
Vice President of Trustworthy Computing Scott Charney made headlines Tuesday
when he expanded on his "Collective Defense" idea, EMC
and VMware turned their attention to the enterprise, pitching a vision of
security built on principles meant to counter advanced persistent threats.
Abbreviated as APT, "advanced
persistent threat" has joined a long list of catchwords used by vendors in
IT security. But to Bret Hartman, CTO of EMC's
RSA security division, APTs are not simply a
new class of malware.
"Part of the problem of when you define [advanced persistent threats],
it's not going to be like one single piece of software or platform; it's a
whole methodology for how bad guys attack the system. ... They're going to use every
they can throw at you. They are going to use insider
attacks; they're going to use all kinds of things because they are motivated to
take out whatever it is they want."
That corporate networks will be compromised by such threats has to be
assumed, he said, an idea that gave rise to a brief titled "Mobilizing
Intelligent Security Operations for Advanced Persistent Threats
which EMC and VMware offer up the foundation
of the next-generation security operations center (SOC).
This vision includes six core elements: risk planning; attack modeling;
virtualized environments; automated, risk-based systems; self-learning,
predictive analysis; and continual improvement through forensic analyses and
Each element is part of what the companies consider the next-generation SOC,
which they contend must take a more information-centric approach to
security risk planning and have priorities based on governance, risk
management and compliance (GRC) policies.
This will require that organizations do a better job of classifying their most
critical assets, explained Hartman.
"You've got to make the call," he said. "That's a hard
decision; that's a business decision about where you focus your efforts."
That conversation can start with compliance and audit mandates when
applicable, but should be data-driven regardless, he said.
Virtualization also underlies tomorrow's SOC, he explained. For example, the
report notes that organizations can "sandbox" e-mail, attachments and
URLs suspected of having malware, launching suspicious files in an
isolated hypervisor with the virtual machine segregated from the rest of the
system. Desktop virtualization also offers protection by allowing organizations
to remove a compromised virtual machine and reset it back to a clean state, he
"The focus on virtualization so far has been about saving money and
flexibility," Hartman said. "This is saying we can actually use
virtualization to put defense mechanisms in place against APTs that you cannot
do in the physical world."
The biggest technology challenge with all this, he said, is to integrate all
these elements together.
"Any one single defense, an APT is
going to be able to get around. ... No single company is going to be able to
cover the whole thing, so that ecosystem play is important," he said.