Malware Notes from RSA


Last week I had the opportunity to lead a peer-to-peer discussion at the RSA Conference with a focus on malware. This session was dedicated to giving malware researchers and security practitioners a forum to share recent experiences and best practices in their fight against advanced and targeted malware. The talk turned out to be a lot of fun, not only because advanced malware is a hot topic, but also because we had a great group of attendees representing a broad spectrum of perspectives on security. In the room we had researchers from a variety of security vendors, agency researchers, security practitioners from very large enterprises, and even a few representatives from smaller businesses. This made for a great discussion where we were able to dive into details on specific new malware samples and techniques, while also keeping our feet planted in the real world of security managers who always need the fastest, most direct path to actually protecting themselves from these threats. Given that it was a private session, I obviously can’t share all the details, but there were a few key topics that I think are worth sharing.

Security Teams Need the Time to Think
Modern malware and APTs have made security both more challenging and more strategic for the enterprise. These modern attacks are driven by patient, creative, and sophisticated attackers, and countering them requires more than simply buying a new security product. While everyone agreed that there is an obvious need for new technologies and techniques to respond to changes in the threat landscape, it was also unanimous that security teams need the time to investigate, learn and adapt based on the real activity in their network. Obviously, we all want to automate as much of the security process as we can, but the consensus was that a creative, engaged attacker needs to be met with a creative, engaged security professional. This of course requires many organizations to rethink and reinvest in security in terms of technology, time and training, and in many cases enterprises are doing just that.

Data-Centric vs. Network-Centric Strategies
When discussing specific strategies for controlling advanced malware and attacks, there were two distinct strategies and ways of thinking about the problem. One was a network-centric approach focused on understanding exactly what is traversing the network, and what is normal for individual users as well as for the network as a whole. This approach is probably quite familiar to many of you who read our blog regularly, as tying users to their applications and content is a common theme. However, another and equally important concept is a more data-centric approach, where an enterprise focuses closely on understanding where its most critical data is stored and providing tight controls over how that data is accessed. While there was some debate between the participants on this point, these two approaches don’t strike me as that different. In fact, I see them more as two sides of the same coin. The data-centric approach generally leads to a much more segmented data and network layout, with segments tightly controlled based on user roles and permissions. While the two sides debated whether the network or the data was more important, the conclusion was ultimately very similar: security teams need to know precisely “who” is trying to access “what,” and “how” they are trying to do it. Furthermore, they need this visibility to be clear enough that they can baseline normal activity and identify anomalies that could indicate a potential compromise.
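As an added example that is not part of the original post, the script below shows the two strategies working together on constructed access events: a role-to-data map stands in for the data-centric controls, and a baseline of observed (user, application, data set) triples stands in for the network-centric view of what is normal. The role map, user list and key=value log format are all assumptions made for illustration, not any real product's format.

```python
# Added example (not from the original post): combine the data-centric and
# network-centric strategies from the discussion. A new event is flagged when it
# violates the role policy, or when it is a user/app/data combination never seen
# during the baseline period ("who" accessed "what", and "how").

# Hypothetical role map: which roles may read which data sets (data-centric control).
ROLE_DATA = {"finance": {"finance"}, "engineering": {"source"}, "hr": {"hr"}}
USER_ROLE = {"alice": "finance", "bob": "engineering", "carol": "hr"}

# Constructed log lines in a simple key=value form (illustrative, not a real format).
BASELINE_LOG = """\
user=alice app=web-app dataset=finance action=read
user=alice app=web-app dataset=finance action=read
user=bob app=git dataset=source action=read
user=carol app=hr-portal dataset=hr action=read
"""
NEW_LOG = """\
user=alice app=web-app dataset=finance action=read
user=bob app=smb dataset=source action=read
user=carol app=hr-portal dataset=source action=read
"""

def parse(log):
    """Turn key=value lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if {"user", "app", "dataset"}.issubset(fields):
            events.append(fields)
    return events

def build_baseline(events):
    """Network-centric baseline: the set of (user, app, dataset) triples seen as normal."""
    return {(e["user"], e["app"], e["dataset"]) for e in events}

def review(events, baseline):
    """Return (triple, reason) findings: policy violations first, then baseline deviations."""
    findings = []
    for e in events:
        triple = (e["user"], e["app"], e["dataset"])
        allowed = ROLE_DATA.get(USER_ROLE.get(e["user"]), set())
        if e["dataset"] not in allowed:
            # Data-centric check: this role has no business touching this data set.
            findings.append((triple, "policy: role may not access this data set"))
        elif triple not in baseline:
            # Allowed by policy, but a new path to the data (e.g. a new application).
            findings.append((triple, "anomaly: new user/app/data combination"))
    return findings

if __name__ == "__main__":
    for finding in review(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG))):
        print(finding)
```

On the constructed input, bob's access is allowed by role but reaches the data over an application he never used in the baseline, while carol's access is a straightforward policy violation.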