New cybersecurity reality: Attackers are winning

@CNNMoneyTech February 28, 2012: 2:58 PM ET
RSA executive chairman Arthur Coviello spoke about RSA's massive data breach last year in his opening keynote at RSA's annual cybersecurity conference.

RSA executive chairman Arthur Coviello spoke about RSA's massive data breach last year in his opening keynote at RSA's annual cybersecurity conference.

SAN FRANCISCO (CNNMoney) -- This past year's wave of high-profile, extremely sophisticated cyberattacks are a watershed moment for the security field, according to RSA chief Arthur Coviello.

"People in our line of work have been going through hell in the past 12 months," Coviello said during his kickoff keynote for RSA's 2012 conference, one of the largest annual gatherings of U.S. cybersecurity professionals. "Our networks will be penetrated. We should no longer be surprised by this."

Coviello was speaking from personal experience. In March, RSA was among the victims of a massive cyberattack that targeted hundreds of major American companies and government agencies. The attackers breached RSA's systems and made off with information that RSA said could "reduce the effectiveness" of its widely used SecurID authentication system.

The hackers, who have not yet been publicly identified, then used information obtained from RSA to mount an attack on defense contractor Lockheed Martin (LMT, Fortune 500). That kind of painstaking campaign -- known in the industry as an "advanced persistent threat" -- marks an escalation in the cybersecurity arms race, Coviello said.

"Never have the attacks been as targeted, with the aim of breaching one organization as a stepping stone to breaching others," he said.

Coviello dealt quickly with the elephant in the room, acknowledging RSA's black eye over the breach -- one of the largest in terms of the number of clients put at risk through a vendor's vulnerability.

"My colleagues and I feel this as personally as everyone in this room," he told the crowd of thousands. "Since the breach, we've been dedicated to regaining and maintaining your confidence in us. We have a sense of urgency as never before."

But for companies to protect their most critical systems, they have to fundamentally overhaul their approach, according to RSA.

Online security has traditionally been about building the biggest, fiercest defenses possible to keep attackers out. That's not enough. Now, you have to assume you've been compromised, and invest just as heavily in detection.

Less than 5% of cybersecurity breaches are discovered within hours, according to the latest edition of Verizon's threat report, the industry's most comprehensive annual study. Almost 80% weren't found for weeks -- or months.

RSA, a unit of EMC Corp., (EMC, Fortune 500) is practicing what it now preaches. The breach changed the company's approach from "defend" to "defend and detect," RSA chief technology officer Bret Hartman told CNNMoney in an earlier interview.

"It's a shift in the level of paranoia to assume that you're always in a state of partial compromise," Hartman said.

Companies have some options for adjusting to that reality, including deploying a new wave of monitoring tools aimed at finding breaches and reconstructing the data trail of what has disappeared through them.

But they also need to change how they approach the new threat landscape.

"We need to tap more military experience and military intelligence experience," Coviello said. "The new breed of analysts I'm talking about need to be offensive in their mindset."

He said that level of expertise is needed to counter the mounting attacks from criminals, hacktivists and "irresponsible nation states" -- a direct dig at China, which security researchers view as one of the largest and most potent cyberespionage threats.

"The reality today is that we are in a race with our adversaries," Coviello said. "And right now, more often than not, they are winning." To top of page

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer.

Morningstar: © 2014 Morningstar, Inc. All Rights Reserved.

Factset: FactSet Research Systems Inc. 2014. All rights reserved.

Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved.

Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor’s Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2014 and/or its affiliates.