Security pros come clean at Summit on Advanced Persistent Threats

Put about 100 chief information security officers, CIOs and CEOs into a room, and what they are willing to share about cybersecurity just might surprise you. More of what they shared will be revealed soon in a report stemming from a closed-door Summit on Advanced Persistent Threats held in Washington, D.C., in July, where business and government security professionals acknowledged to each other that their organizations had either been hacked through stealthy infiltration aimed at stealing sensitive information and intellectual property, or that they wouldn't know it if they had been.

The meeting, which covered advanced persistent threats (APT) and other security breaches, was organized by trade group TechAmerica and EMC's security arm, RSA.

RSA, of course, is the well-known victim of an attack disclosed this past spring in which highly sensitive information about SecurID was stolen and later used to attack at least a few RSA customers, including Lockheed Martin. Some have suggested the RSA-related breach was carried out by China, but the security company declines to comment on this.

"What was different about this [summit] was that RSA was sharing their insights, saying this happened, and it set the context for other people to discuss," says Bill Boni, vice president and corporate information security officer of T-Mobile USA, who attended the summit.


There's growing realization that organizations must learn to live in a state of compromise and focus on limiting the damage, according to those who attended the meeting.

"It means change your mental gestalt in a way," says Boni, adding that it's not realistic to think perimeter controls are decisive defense when users are tricked by hackers via exploits such as phishing scams.

"It's an unrealistic expectation that you never lose a game or an opponent isn't going to score a point against you," Boni says. "Corporate lawyers are averse to corporate security officers admitting, 'We got owned by the APT,'" but he says there needs to be a better way for security managers to speak candidly among themselves in order to get a better picture of how the APT problem might be occurring.

Since experiencing its own devastating APT incident, the wounded RSA took to organizing the equivalent of high-tech group therapy to talk about APT. "We have a lot to share on that front," acknowledges Eddie Schwartz, chief security officer at RSA.

"There's the notion that the adversary is much better at threat intelligence than we are," he says. "The adversary gathers open-source intelligence and they do data-mining before an attack."


In contrast, companies getting hit find it hard even to have a candid discussion or to share information quickly enough for the larger community to benefit from anyone else's knowledge. Schwartz argues there is even a need for an IETF standard to assist with data-sharing in this regard.

The APT Summit suggests government and business outfits are finding themselves on the defensive, lacking even a preferred way to communicate about the threats they're trying to stop.

Boni says he understands why RSA would suggest a standard, because there is a need for sharing APT information "machine-to-machine." The model antivirus vendors have used for many years to distribute malware updates offers ideas for such a rapid, real-time process. "Instead, it would be like a global SIM [security information management]," Boni suggested, with certain identifying information anonymized.

But companies are also doubtful that technology -- and specifically signature-based defense -- can protect them, since attacks are often highly customized in terms of malware. The naïve employee, clicking on whatever is interesting in email or on the Web, has become the attacker's easy way into the corporate network. An employee tricked by a phishing scam is how the attacker compromised the RSA network.

One thing heard at the APT Summit is that a lot of APT attacks appear to be coming in through compromised business partners, says Schwartz. "These are 'beta attacks' that are tested out," he says. There's also a problem of compromised hardware and software, which suggests supply-chain breaches.

Companies are trying to expand their ability to fight a stealthy APT attack, to the extent that 65% of those attending the APT Summit indicated they now have at least one person tasked with APT as a specific security function, says Schwartz.

Training programs to educate users are moving from simple instruction to something more akin to "war gaming," says Schwartz, where the huge impact of an APT on a business is more vividly taught.

Stories by Ellen Messmer