Targeted attacks, costly insider mistakes and cloud computing complexities are on the minds of RSA Conference 2011 attendees. In this video from the RSA exhibitor show floor, they share their views of the state of the threat landscape, the evolution of the RSA Conference and the kinds of security vendor technologies that appeal to them.
RSA 2011: Attendees talk threats, security solutions
Sanjo Dunner: I am Sanjo Dunner of the Los Angeles Police Department. Compliance
is one of our big concerns, to be compliant with federal and
state regulations that are on top of us. We are also interested
in being able to secure our network. It is very important to
have a secure, segregated network for us in which we can monitor
the activities of our employees, as well as what attacks are
occurring onto us because we are a big target.
Interviewer: Is there anything specific here at RSA that you look for?
Sanjo Dunner: One of the biggest things is I look for vendors to try to
provide a panoply of solutions. A whole bunch of solutions under
one vendor typically, and we are seeing more and more of that
consolidation over the years. I have been coming here for the
last three or four years now, and we really are tired of the
situation where we have a whole bunch of point solutions. We are
looking to have a consolidated thing happening so we can buy
from one vendor and have, perhaps not best-of-breed, but at
least take care of the problems that we have.
Charisse Castagnoli: Charisse Castagnoli, with Dell, and I work in Mid-Market
Security Strategy. I think the big challenge 20 years ago, we
worried about banking insiders, we worried about people who were
on the inside actually figuring out how to game the system and
extract value, or usually money. I go to the bank
because that is where the money is. It is still the
same today, it is just that now, instead of the occasional
insider who is doing it for personal motivation, profit, it has
become a real business with organized crime, with hierarchies of
individuals that vet out third party malware for you and allow
you to rent it and target that stuff. We have seen targeted
malware at Brazilian banks; we have seen targeted malware at
very advanced targets, obviously, the last couple of years.
Interviewer: Is this your first year at RSA or not?
Charisse Castagnoli: This is my 17th year at RSA.
Interviewer: Seventeenth year at RSA, so it started out as a cryptography
Charisse Castagnoli: In the basement at the Fairmont Hotel. Mathematicians who could
not get jobs as insurance actuaries.
Interviewer: What is your take on the change and what it has become today?
Do you like what you see, could it be better? How would you
describe the changes that you have seen?
Charisse Castagnoli: I think the changes are driven by the change of the threat
landscape, the fact that digital information is here to stay,
and you cannot stop that. You cannot stop the evolution of
technology, whether it is driven by the consumer, the doctor
that brings the iPad into the hospital, or it is driven by your
teenager who brings home the latest smart phone device, or wants
to play the latest game. That evolution is going to continue to
occur. I would like to see better coordination across the
industry for standardization, especially around metrics for
measuring and monitoring. We have seen . . .
Interviewer: Measuring and monitoring what?
Charisse Castagnoli: Measuring and monitoring security incidents. We have seen the
improvement in vulnerability assessment with the advent of the
Common Vulnerability Enumeration driven out of MITRE. I would
like to see that go beyond. I would like to see threat
intelligence, in terms of IP risk. I would like to see that, and an
XML standardized protocol so we can have better information
sharing with our partners overseas, as well as domestically. I
would like to see a better mechanism for scoring and identifying
actual exploits so we could have better test tools and
capabilities. Finally, I would like to see some standardization
around forensics so we can really ensure that as systems are
built, we have the capability and the understanding that we need,
should you need to, whatever the reason is, whether it is for
investigating criminals or just data recovery. Those same
techniques and tools should operate across all of your devices:
a server, a notebook, a tablet, a smart phone.
Xi Chen: Hello. Xi Chen, Technical Leader, Ernst and Young. It is
Ernst & Young Penetration Testing Company, in Israel. I think,
in general, application level
threats such as fraud should be at least the top
concern of every individual or firm.
Interviewer: What should be at the top?
Xi Chen: I think frauds, then the application level threats; virus
threats, such as . . .
Interviewer: As a pentester, are you finding it fairly easy to get into
people's networks, even organizations with a lot of security?
Xi Chen: Especially organizations with a lot of security.
Interviewer: How come? What makes it so easy for you?
Xi Chen: In general, humans are humans. Even organizations that prioritize,
focus and invest a lot of budget on security still have
problems with education, not in the general
term, but educating their personnel, how to implement and sync
security. You can always find a specific spot in which a human
made a mistake, and that mistake is something that you can
abuse. If you take it to the fraud side, the application-level
threat side, again, the consumer is still human since that
organization does not really try to educate them in how to
behave, how to properly behave, how to access organization
security and do not really force them, at least not as much as
they should, to work security the point of their organization;