
Yoran: RSA, information security industry needs 'radical change'

New RSA President Amit Yoran says business as usual isn't stopping the evolving threat landscape, and hints at radical changes coming to the information security industry and within RSA itself.

SAN FRANCISCO – RSA's new president laid out his bold view for the future of both the information security industry and RSA itself, saying that radical changes are needed across the board.

The opening keynote at the 2015 RSA Conference marked the changing of the guard for the security market leader. Amit Yoran took over as president of RSA, the security division of EMC Corp., last fall. This year marks the first time in a decade former RSA President Art Coviello did not kick off the event; Yoran chose not to acknowledge Coviello in his keynote.

Yoran hinted at big changes coming to RSA itself, but was notably cryptic on the topic.

"RSA is re-engineering across the board," Yoran said. "By this time next year, we won't be the same RSA you've known for decades."

Michael Versace, research director for global risk and security strategy at IDC, based in Framingham, Mass., wanted expansion on this statement.

"One of his statements that was most surprising is that next year is going to be much different than this year," Versace said. "And I'm wondering what that really meant -- from an organizational perspective? Product and service perspective?"

At least part of the coming reinvention of the security vendor involves a separate announcement Tuesday in which RSA introduced RSA Via, a SaaS-based access control offering that unifies multifactor authentication across any number of third-party cloud and on-premises applications. The product, meant to compete with the likes of OneLogin and Ping Identity, promises to offer centralized identity intelligence and contextual awareness for identity and access management (IAM) across mobile devices, Web applications and SaaS applications.

Also Tuesday the company announced a revamped RSA Security Analytics product, offering what it describes as new visibility into attacks that target critical customer-facing Web and mobile applications, as well as data privacy capabilities.

Radical changes needed

Yoran was much clearer on his main thesis, which focused on moving beyond what he described as the information security industry taking up the strategy of the Dark Ages, which saw building bigger and stronger walls as the pinnacle of security.

"Building taller walls and digging deeper moats is not solving our problems," Yoran said. "The perimeter mindset is still clinging to us. We say we know the perimeter is dead; we say we know the adversary is on the inside, but we don't change our actions."


Yoran said it was clear the industry's security strategy was not working because data breaches are getting bigger. He called 2014 "the year of the mega breach," and noted that 2015 may well be known as the year of the "super-mega breach."

He attempted to impart urgency by saying the industry stands at an inflection point, where computers are taking over more and more human tasks, including creating art and driving, and proving better than humans in some respects. He even went so far as to claim that technology will be able to build itself and, essentially, create new life "in the next few years."

Some in attendance, including Vince Scott, cybersecurity professional with Cincinnati-based Procter & Gamble Co., thought Yoran may have been overstating the case.

"I thought Amit was a little apocalyptic to start with, however at the end, there are things we can do," Scott said. "You can get that impression that there's nothing we can do, so let's all go home, if it gets to be too bad. I thought it was interesting to drive us to thinking about the problems differently."

According to Yoran, thinking about the problem differently begins with admitting some current technologies don't work as well as expected. He noted that monitoring for malware is dependent on finding known signatures, and is incapable of detecting unknown threats, and called SIEM an "increasingly useless moneypit."

The trouble with SIEM, Yoran said, was that it failed to provide full visibility. He pointed to examples like Stuxnet and Equation Group, which would bypass traditional security and still remain hidden. Yoran railed against underwhelming SIEM products, saying they should provide better visibility, including full-packet capture and endpoint compromise assessment visibility.
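To make the two points in the preceding paragraphs concrete, here is an added illustration (not code from RSA or from the keynote) of why an exact-match malware signature misses a trivially altered sample, and of what the kind of connection-level visibility Yoran asks for can surface instead: a periodic beacon to one destination. The payload bytes, host names and connection records below are all constructed for the example; the beacon detector is a simple coefficient-of-variation check on inter-connection gaps, chosen here as an assumption rather than anything the article specifies.

```python
import hashlib
import statistics
from datetime import datetime, timedelta

# Constructed sample: a "known" bad payload, and a variant with a single byte appended.
KNOWN_BAD = b"MZ\x90\x00evil-loader-v1"
VARIANT = KNOWN_BAD + b"\x00"

# A hash-based signature store holds exact SHA-256 digests of known samples.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def matches_signature(sample: bytes) -> bool:
    """Exact-match signature check: any byte change defeats it."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


# Constructed connection metadata, of the kind full-packet capture or flow logs provide.
# Each record: (timestamp, source host, destination, bytes sent).
def beacon_records():
    """A host contacting one destination every 300 seconds, 12 times."""
    base = datetime(2015, 4, 21, 9, 0, 0)
    return [(base + timedelta(seconds=300 * i), "ws-17", "203.0.113.9", 412)
            for i in range(12)]


def browsing_records():
    """Ordinary irregular traffic from another host to a single site."""
    base = datetime(2015, 4, 21, 9, 0, 0)
    gaps = [3, 41, 7, 122, 9, 15, 260, 2, 33, 80, 5, 12]
    records, t = [], base
    for g in gaps:
        t += timedelta(seconds=g)
        records.append((t, "ws-22", "198.51.100.5", 1500 + g))
    return records


def looks_like_beacon(records, min_connections=8, max_jitter=0.1) -> bool:
    """Flag a source/destination pair whose inter-connection gaps are nearly constant.

    Regular, low-jitter check-ins are characteristic of implant beaconing; this needs
    only timestamps, so it works on unknown malware that no signature describes.
    """
    times = sorted(r[0] for r in records)
    if len(times) < min_connections:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    # Coefficient of variation: standard deviation relative to the mean gap.
    return statistics.pstdev(gaps) / mean <= max_jitter


if __name__ == "__main__":
    print("signature hits known sample:", matches_signature(KNOWN_BAD))
    print("signature hits variant:", matches_signature(VARIANT))
    print("beacon flagged:", looks_like_beacon(beacon_records()))
    print("browsing flagged:", looks_like_beacon(browsing_records()))
```

The jitter threshold and minimum connection count are tuning knobs; real beacons add randomized sleep, so a production detector would widen the tolerance and look across many destinations, which is exactly why the underlying capture has to be complete rather than sampled.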

"These are the foundational requirements for modern security," Yoran said. "If you don't have that level of visibility, you're only pretending to do security."

Yoran said visibility alone was only part of the answer, because security teams also need to correlate the information they collect in order to glean useful threat intelligence.

"The single most common and catastrophic mistake made by security pros," Yoran said, "is underscoping incidents and rushing to clean up before fully understanding the full scope of the incident and the aim of the campaign."
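As an added example of the scoping step Yoran describes (this is illustrative code written for this article, not anything RSA or the speaker presented), the function below starts from one known compromised host and a command-and-control indicator and expands outward through constructed network and authentication logs: every other host that contacted the indicator, every account that authenticated from an in-scope host, and every host those accounts subsequently reached. The host names, account names and indicator domain are invented for the example, and the pivot rules are assumptions about a typical environment rather than a prescription.

```python
from collections import deque

# Constructed sample logs (not from any real incident).
NET_LOGS = [
    {"host": "ws-17", "dst": "c2.example-bad.test"},
    {"host": "ws-17", "dst": "update.vendor.test"},
    {"host": "ws-22", "dst": "news.example.test"},
    {"host": "srv-files", "dst": "c2.example-bad.test"},
]
AUTH_LOGS = [
    {"user": "alice", "src": "ws-17", "dst": "ws-17"},
    {"user": "svc-backup", "src": "ws-17", "dst": "srv-files"},
    {"user": "svc-backup", "src": "srv-files", "dst": "srv-db"},
    {"user": "bob", "src": "ws-22", "dst": "ws-22"},
    {"user": "carol", "src": "ws-31", "dst": "srv-mail"},
]


def scope_incident(seed_hosts, c2_indicators, net_logs, auth_logs):
    """Return (hosts, users) reachable from the seed by C2 contact or credential reuse.

    The expansion deliberately errs toward over-inclusion: an account that
    authenticated from a compromised host is treated as exposed, and any host
    it later reached is pulled into scope and expanded in turn.
    """
    hosts = set(seed_hosts)
    users = set()
    queue = deque(seed_hosts)

    # Pivot 1: any host that talked to a known C2 indicator is in scope from the start.
    for rec in net_logs:
        if rec["dst"] in c2_indicators and rec["host"] not in hosts:
            hosts.add(rec["host"])
            queue.append(rec["host"])

    while queue:
        host = queue.popleft()
        # Pivot 2: accounts that authenticated from an in-scope host are exposed.
        for rec in auth_logs:
            if rec["src"] == host:
                users.add(rec["user"])
        # Pivot 3: hosts reached by exposed accounts join the scope (lateral movement).
        for rec in auth_logs:
            if rec["user"] in users and rec["dst"] not in hosts:
                hosts.add(rec["dst"])
                queue.append(rec["dst"])
    return hosts, users


if __name__ == "__main__":
    hosts, users = scope_incident(["ws-17"], {"c2.example-bad.test"}, NET_LOGS, AUTH_LOGS)
    print("hosts in scope:", sorted(hosts))
    print("accounts to reset:", sorted(users))
```

Cleaning only the seed host would have left srv-files beaconing and the svc-backup credential in use on srv-db; the fixed-point expansion is what turns a single alert into the full scope of the campaign, and the resulting account list is the input to the credential reset that has to accompany any remediation.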

He also pointed out that while a lot of time and effort is spent focusing on malware, the 2015 Verizon DBIR found that Web app incidents are a major threat vector, and 95% of those incidents involve harvesting credentials to escalate attacks.

Yoran closed by pushing better authentication and access practices, threat intelligence tailored to each company, and understanding resource, skill, and compliance challenges in order to focus defenses on the most important accounts, data and applications.

Gerardo Morales, IT compliance analyst for General Motors Financial Company Inc., based in Fort Worth, Texas, said the weaknesses Yoran catalogued are real and he trusts his advice, but also said budgetary issues can be a concern when trying to implement the types of changes Yoran suggested.

"Right now, I think it's easy because the economy is doing well," Morales said. "But I think if the economy ever hits a downturn, security is one of those things where companies will start cutting and then we'll have a whole other challenge at that point."

Yoran acknowledged the challenges arising from limited resources, skill gaps and legal impediments, but urged the information security industry to make radical changes because the threat landscape has changed drastically.

"We have sailed off the map, my friends. Waiting for instruction is not possible," Yoran said. "This is not a technology problem; this is a mindset problem. The world has changed, and it's not the terrain that's wrong."

