The future of security is analytics and sharing – in conversation with RSA’s Uri Rivner
I was talking to Uri Rivner – as one does – about the future of security. Uri is Head of New Technologies, Identity Protection at RSA; and knows a thing or two.
But first, some background. Security isn’t working. Ask Google or Sony or Nintendo or Mitsubishi or, indeed, RSA. Nobody is saying we need to chuck out all our existing security products and processes; but we need to do more to make it work. And that’s what we were talking about.
“Two things,” said Uri. “Firstly, in the future you will see more advanced analytics: automated detection systems, like the online banking fraud detection systems or online credit card fraud detection systems. We will see things that are automated and will learn, rather than have to rely on the rules that an expert writes.” At the moment, much of our attack detection is based on the rule definitions of our security experts; and it is difficult to write a rule to detect something we’ve never seen before. “Computers,” added Uri, “are much better at finding software attacks.”
Hold on to that thought: the future of security is in advanced, intelligent, automated analytics.
“Secondly,” he continued, “the future will include data sharing. Corporates today just don’t share their data with anyone else. If you are under attack, you’re on your own. But the future will have to include some level of data sharing in realtime. There will have to be some way to collaborate in realtime, so that rather than relying just on your own security operatives, you actually rely on the industry’s wisdom to help you find these attacks. In many cases the attackers don’t go after a single specific target; they go after lots of targets within a certain industry or country. So it will be crucial to share data in realtime.
“How will we do it? As always, the devil is in the detail. Not all of the technologies or directions are ready yet. There are tools and technologies that are being deployed as we speak, but I would say that it will take the industry a couple of years to actually do something that has a fighting chance against APT-type attacks.”
There are indeed many problems; not least the reluctance of one company to share information with another company that might be, or become, a competitor. Government seems to be a good starting point, where inter-departmental co-operation can be mandated before ultimately evolving into inter-governmental collaboration. But governments are naturally secretive: they believe their function is to gather intelligence, not to share it out. And then there are the legal pitfalls of multiple legal jurisdictions, each with subtly different data protection requirements.
But Uri insists on both the necessity and inevitability of data sharing. “The idea is not,” he continued, “to configure a big shared repository and say, hey, we’re under attack. We have to be more subtle. We have to abstract the data, anonymise the data, and we have to do all the things that will make it even legal to share data between competing operations and different countries. But the bottom line is this: we have to do it; it’s a must.
“Ask any US CISO,” he continued. “The USA has been heavily attacked over the last 18 months, and all the CISOs agree: we want to share data, we want it at machine speed and in realtime, and we don’t want to share it several days later. So we need to work out how we can do this and be both legal and practical. It will happen at some point. The banking sector is already doing this. They actually share data in realtime. Not everybody knows this, but it’s one of the measures the banking sector has already taken. If bank A is being attacked – I’m talking about financial fraud here, not APT – by some hacker or criminal and they learn about it, automatically it goes into a central repository which means that everyone is now protected from this attack. There are ways to solve this sort of thing. Exposure, legal issues, customer trust issues – there are ways to share data.”
So the future of security is in the combination of large-scale automatic and intelligent analytics with wide-scale security data sharing. Now here’s a coincidence, and it really is purely a coincidence: on Thursday a new security product that fulfils the first and could be used for the latter will be announced. I’ll tell you more about that on Thursday.