Interview: RSA on hoping for the best — and preparing for the worst
Rui Ataide is a senior member of RSA's Incident Response team, a customer-facing organisation within RSA, and is based in the UK. Chris Thomas helps RSA's customers across the region to make sure they are getting the most from their investment in RSA technologies. With more than three decades of combined cybersecurity experience, they currently hop between active cyber breaches and assist in the remediation and prevention of security risks.
“The nature of the role is not always predictable — we can't know who will be the next victim of an intrusion. There can be simultaneous incidents that force us to reallocate to another region. Ultimately, we are a worldwide group that responds to problems where they are.” — Rui Ataide
RSA is a global leader in cybersecurity — working with a majority of top financial, consumer, healthcare, manufacturing and telecom companies. MitchelLake's Robin Block sat down with Rui and Chris to gain perspective on the state of cybersecurity, the Australian market and RSA's offerings.
What is RSA's main differentiator in the market?
Chris: RSA offers a number of different technologies. Our flagship product, RSA NetWitness Suite, provides end-to-end visibility across an environment — the capability to reconstruct network sessions, identify anomalies in behaviour, and track an incident in real time. This is vital to remediation. Without a full scope of an incident, you are likely to miss something — in the long run, that is cost inefficient and dangerous.
Rui: If you look at our network visibility technology, the differentiation next to our main competitors is the level of context we offer — creating what we call meta-data. That context allows us to look beyond common indicators such as IP or domain, and look at actions in relation to their commonality within a system.
We also collect vast volumes of data. In conjunction, that allows us to look at the frequency of an app or action through an environment, adding perspective on the likelihood that something represents a threat. That makes an analyst's job easier, and enables them to allocate their time more efficiently — increasing the likelihood that they will be able to respond to an actual threat. The amount of data that we collect also allows for a distinctly thorough evaluation in the event of a breach.
How do you view the Australian cybersecurity market — do you think there is a shortage of talent?
Chris: Australia is a multi-tiered ecosystem. Large financial institutions and the government are forward-leaning in their cyber capabilities. The rest of the market scales down from that point. I think there is a move within the market to more relevantly cater to smaller businesses that don't want or need the most advanced security systems — but still need protection.
Rui: Colleagues and customers indicate that it is difficult to find qualified security professionals in Australia. As a community, we need to take greater ownership of that. Rather than looking for someone with ten years of experience, it is incumbent on organisations with existing infrastructure to look for people with the right aptitudes and train them. One of my most talented colleagues studied English Literature.
Chris: We also have initiatives with technical schools to augment education systems. One of the most developed partnerships we have is with Temasek Polytechnic in Singapore. We helped them build a security operations centre in their university network that is actively monitoring their live production traffic. In addition to protecting their systems, that allows students to rotate through different analyst roles in an active setting — giving them genuine hands-on experience before graduation.
What advice would you give to anyone worried about data security? Do you think threat intelligence is an important development for the market?
Chris: The threat intelligence space is a growing market, but it is still quite distributed. Governments share information, and there are regional, local and vertical groups.
What is still missing from those programmes is context. However, implementing that is difficult because it can expose victims — creating larger problems. What I would like to see is the growth of trusted third parties that can securely provide the context that is needed to make that information illuminating.
Understanding the limitations around information sharing is important because it is not something on which you can stake the integrity of your systems. With that said, there have been strides to create more transparent networks. Organisations like the ACSC and ASD have recently started sharing their case studies. The fact that they have started coming to conferences, and are visibly sharing information is a big and positive change from a few years ago.
Rui: I think the message that people need to absorb is that intrusions are going to happen. That sounds pessimistic — but the distributed ability to carry out an attack has simply led to an increase in frequency. An attacker only needs to be successful one time. A defender has to be successful every time.
What is important is to be aware and go beyond attempting to prevent a breach, to being prepared for when one happens — hope for the best, expect the worst. It is also important to realise that it doesn't really matter if you think your organisation has any data of value. We have started to see a rise in breaches aimed only to get information that can ease access to another organisation. The more prepared individual organisations are, the more robust the entire security ecosystem becomes.