RSA Conference: Advanced Persistent Threats Require New Security Focus

RSA CTO Bret Hartman discusses the concept of advanced persistent threats with eWEEK, as well as the concept of the next-generation security operations center.

Many people agree that fighting cyber-crime requires a mix of awareness, technology and user buy-in, but finding the balance between those elements and mixing them into a cyber-security solution hasn't been easy.

Still, vendors at the RSA Conference are putting forth their own strategies to address the proliferation of malware targeting consumers and businesses today. While Microsoft Corporate Vice President of Trustworthy Computing Scott Charney made headlines Tuesday when he expanded on his "Collective Defense" idea, EMC and VMware turned their attention to the enterprise, pitching a vision of security built on principles meant to counter advanced persistent threats.

Abbreviated as APT, "advanced persistent threat" has joined a long list of catchwords used by vendors in IT security. But to Bret Hartman, CTO of EMC's RSA security division, APTs are not simply a new class of malware.

"Part of the problem of when you define [advanced persistent threats], it's not going to be like one single piece of software or platform; it's a whole methodology for how bad guys attack the system. ... They're going to use every zero-day attack they can throw at you. They are going to use insider attacks; they're going to use all kinds of things because they are motivated to take out whatever it is they want."

That corporate networks will be compromised by such threats has to be assumed, he said, an idea that gave rise to a brief titled "Mobilizing Intelligent Security Operations for Advanced Persistent Threats" in which EMC and VMware offer up the foundation of the next-generation security operations center (SOC).

This vision includes six core elements: risk planning; attack modeling; virtualized environments; automated, risk-based systems; self-learning, predictive analysis; and continual improvement through forensic analyses and community learning.

Each element is part of what the companies consider the next-generation SOC, which they contend must take a more information-centric approach to security risk planning and have priorities based on governance, risk management and compliance (GRC) policies. This will require that organizations do a better job of classifying their most critical assets, explained Hartman.

"You've got to make the call," he said. "That's a hard decision; that's a business decision about where you focus your efforts."

That conversation can start with compliance and audit mandates when applicable, but should be data-driven regardless, he said.

Virtualization also underlies tomorrow's SOC, he explained. For example, the report notes that organizations can "sandbox" e-mail, attachments and URLs suspected of having malware, launching suspicious files in an isolated hypervisor with the virtual machine segregated from the rest of the system. Desktop virtualization also offers protection by allowing organizations to remove a compromised virtual machine and reset it back to a clean state, he said.

"The focus on virtualization so far has been about saving money and flexibility," Hartman said. "This is saying we can actually use virtualization to put defense mechanisms in place against APTs that you cannot do in the physical world."

The biggest technology challenge with all this, he said, is to integrate all these elements together.

"Any one single defense, an APT is going to be able to get around. ... No single company is going to be able to cover the whole thing, so that ecosystem play is important," he said.