Usability is a key focus of innovation at RSA, the security division of EMC, according to chief technology officer (CTO) Zulfikar Ramzan.
“Usability of technology is critical to working as part of a broader ecosystem in an organisation to deliver value,” he said.
Although he took up the role in March 2015, Ramzan said that as a former student of RSA co-founder Ronald Rivest, he knows the company history better than most.
The challenge he sees facing RSA as a technology company is making products that are easy to use, but allow some flexibility at the same time.
“Our security analytics technology, for example, can augment whatever Siem [security information and event management] system an organisation has in place, but it can also be used as part of a programme aimed at replacing an existing Siem,” said Ramzan.
“The idea is to provide a level of flexibility to our customers, so that while basic capabilities are preconfigured, they can reconfigure the system in a way that suits their environment best,” he added.
Gathering good data
Siem is one of the technologies RSA is innovating around in terms of usability.
“Traditional Siem systems have failed spectacularly because they typically generate too many alerts, which is not very usable. Most of the companies that experienced major breaches in the past 18 months had Siem systems in place, and they often did not know to what extent they had been compromised for months,” said Ramzan.
He said the high-level idea of gathering security data and applying some analytics to provide alerting capability is sound, but to make Siem systems more usable, it is essential to get the right kinds of data being fed into such systems in the first place.
“If you have bad data coming in, it doesn’t matter how clever the algorithms or the analysts are, it is impossible to get good insights. You can’t make a good wine from bad grapes,” said Ramzan.
Gathering the right kinds of data involves things such as going beyond network logs to get full packet capture visibility.
“Incident response is about understanding all of the pieces that went into an attack, not just the ones that were the most convenient to find. It’s about being able to reconstruct the overall attack,” said Ramzan.
Visibility and analytics
According to Ramzan, pervasive and deep visibility is the essential foundation, spanning the network, endpoints and cloud deployments.
The next essential step, he said, is putting the right analytics around it. “Traditionally, security has been done by looking at maddeningly myopic snapshots of what is going on, such as a single antivirus alert or a single IPS [intrusion prevention system] alert, without any way of tying that to an overall attack,” said Ramzan.
In the real world, he said, if some network traffic is observed going to a suspicious IP address, it would be useful to know which computer or host connected to the IP address, what process on that host initiated the communication and how that process got on the system.
The next step would be examining that process more closely: what it looks like in memory, the in-memory structures associated with it and the registry keys it uses, and then searching for those same artefacts across the whole IT environment.
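The pivot described in the two paragraphs above (suspicious IP, to host, to process, to how the process arrived, to the same artefacts elsewhere) can be expressed as a small correlation over endpoint and network telemetry. The following is an added example written for this article, not code from RSA or from its security analytics product. The connection records, process events, hashes, registry key and host names are all constructed sample data, and the field names are assumptions chosen for the example.

```python
"""Pivot from a suspicious destination IP to host, process, parent chain,
then hunt the same artefacts across every host (added example; all data
below is constructed and the record schema is an assumption)."""
from collections import defaultdict

# Constructed network connection records: which process on which host
# talked to which destination.
NET_CONNS = [
    {"ts": 100, "host": "ws-17", "pid": 4412, "dst_ip": "203.0.113.45", "dst_port": 443},
    {"ts": 102, "host": "ws-17", "pid": 812,  "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": 105, "host": "ws-03", "pid": 2201, "dst_ip": "203.0.113.45", "dst_port": 443},
]

# Constructed process-start events: parent pid gives the lineage, the image
# hash and the registry key touched are the artefacts we will hunt for.
RUN_KEY = "HKCU\\Software\\ExampleCo\\Run\\updater"   # constructed placeholder key
PROC_EVENTS = [
    {"host": "ws-17", "pid": 1000, "ppid": 0,    "image": "explorer.exe", "hash": "h-explorer", "reg": None},
    {"host": "ws-17", "pid": 3300, "ppid": 1000, "image": "winword.exe",  "hash": "h-word",     "reg": None},
    {"host": "ws-17", "pid": 4412, "ppid": 3300, "image": "updater.exe",  "hash": "h-bad-1",    "reg": RUN_KEY},
    {"host": "ws-17", "pid": 812,  "ppid": 1000, "image": "chrome.exe",   "hash": "h-chrome",   "reg": None},
    {"host": "ws-03", "pid": 900,  "ppid": 0,    "image": "explorer.exe", "hash": "h-explorer", "reg": None},
    {"host": "ws-03", "pid": 2201, "ppid": 900,  "image": "updater.exe",  "hash": "h-bad-1",    "reg": RUN_KEY},
    # ws-09 never produced a network alert but carries the same artefacts.
    {"host": "ws-09", "pid": 555,  "ppid": 1,    "image": "updater.exe",  "hash": "h-bad-1",    "reg": RUN_KEY},
]

PROC_INDEX = {(e["host"], e["pid"]): e for e in PROC_EVENTS}


def lineage(host, pid, index=PROC_INDEX):
    """Walk parent pointers from a process to its root; returns image names.
    The seen-set guards against pid reuse producing a cycle."""
    chain, seen, key = [], set(), (host, pid)
    while key in index and key not in seen:
        seen.add(key)
        proc = index[key]
        chain.append(proc["image"])
        key = (host, proc["ppid"])
    return chain


def pivot_from_ip(dst_ip, conns=NET_CONNS, index=PROC_INDEX):
    """Which hosts talked to dst_ip, which process did it, and how it got there."""
    pivots = []
    for c in conns:
        if c["dst_ip"] != dst_ip:
            continue
        proc = index.get((c["host"], c["pid"]))
        pivots.append({
            "host": c["host"],
            "pid": c["pid"],
            "image": proc["image"] if proc else None,
            "hash": proc["hash"] if proc else None,
            "reg": proc["reg"] if proc else None,
            "lineage": lineage(c["host"], c["pid"], index),
        })
    return pivots


def hunt_artefacts(hashes, reg_keys, events=PROC_EVENTS):
    """Look for the same image hashes or registry keys on every host."""
    hits = defaultdict(list)
    for e in events:
        if e["hash"] in hashes or (e["reg"] and e["reg"] in reg_keys):
            hits[e["host"]].append(e["image"])
    return dict(hits)


def scope_attack(dst_ip):
    """Move from the initial alert to the overall scope of the attack."""
    pivots = pivot_from_ip(dst_ip)
    hashes = {p["hash"] for p in pivots if p["hash"]}
    regs = {p["reg"] for p in pivots if p["reg"]}
    hits = hunt_artefacts(hashes, regs)
    return {
        "pivots": pivots,
        "alerted_hosts": sorted({p["host"] for p in pivots}),
        "affected_hosts": sorted(hits),
    }


if __name__ == "__main__":
    result = scope_attack("203.0.113.45")
    for p in result["pivots"]:
        print(p["host"], p["image"], " <- ".join(p["lineage"]))
    print("alerted:", result["alerted_hosts"], "affected:", result["affected_hosts"])
```

The point of the example is the last step: the network alert only names ws-17 and ws-03, but hunting for the process hash and persistence key across all process telemetry also surfaces ws-09, which never contacted the suspicious address. That is the difference between answering the single alert and scoping the attack.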
“It is about moving from the initial alert to finding out about the overall scope of the attack. That is where you start to translate all the signals into something more meaningful and actionable, which makes it more usable,” said Ramzan.
RSA, he said, is focusing on taking concepts such as Siem that work well on paper and finding ways of making them work in reality.
“A clear sign that Siem technology has to evolve is that traditional Siem systems detect less than 1% of advanced threats, according to the 2014 Verizon data breach investigations report. That is mind-boggling. Why would anyone pay for a technology that detects less than 1% of the stuff you care about?” said Ramzan.
Identity drives innovation
Other key areas where RSA is focusing its innovation efforts include identity and identity management, analytics and translating cyber intelligence into business risk.
“Identity is important because it is the only tangible thing we have to hold onto as we move towards a world where there are no network boundaries. Identity has always been a cornerstone of security because security is fundamentally about the assertion that only the right people should be able to access specific resources at specific times under specific circumstances,” said Ramzan.
There is no way of understanding who the right people are without a strong concept of identity, he said, which is not just about things such as authentication and access, but also about the lifecycle and governance of identities.
“As an individual’s role changes, so should what they are allowed to access. This is often where organisations fail in practice because processes for handling that change over time are missing, which is an aspect of identity management,” said Ramzan.
Another key aspect of identity management, he said, is governance. This is about setting policies for what people in particular roles should be allowed to access and having processes in place to review on a regular basis what access has been granted and the associated entitlements.
Analytics is important, he said, particularly in a world where traditional perimeter-based security technologies such as firewalls, IPS and antivirus will miss a lot of threats, especially targeted attacks, which are typically crafted in the knowledge of what security systems the target company has in place.
“Cyber criminals know how they are going to get past the front door, so it is important to understand what they have done in your environment and how to catch them earlier in the attack chain,” said Ramzan.
“In the physical world it would be a preposterous notion to have someone malicious living in your house for up to eight months before you knew they were there, and yet it is very common in the cyber world,” he said.
Organisations need to reduce the time attackers are allowed to go undetected on their networks, said Ramzan, which he believes can be done through increased visibility coupled with analytics.
Threat intelligence and business risk
The third key area of RSA’s innovation efforts, he said, is translating threat intelligence into business risk because it is the language of the executive.
“The way you act on threat intelligence is by figuring out how to reduce the risk associated with the threats that have been identified,” said Ramzan.
“Knowing that an alert impacts a point-of-sale terminal containing sensitive customer data, for example, would help prioritise actions. It is essential to look at business context in conjunction with alerts because without context it is very difficult to figure out what is going on,” he said.
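Joining an alert to business context before ranking it, as described in the quote above, is a small data-enrichment step. The following is an added example for this article, not RSA or Archer code. The asset inventory, data classifications, criticality scale, alert records and the scoring formula are all constructed assumptions; a real programme would take these from its own asset register and risk model.

```python
"""Rank alerts by business context rather than by signature severity alone
(added example; asset inventory, alerts and scoring weights are constructed)."""

# Constructed asset inventory: what the host is for, what data it holds and
# how critical it is to the business on an assumed 1-5 scale.
ASSETS = {
    "pos-0042": {"role": "point-of-sale terminal", "data": ["cardholder"], "criticality": 5},
    "web-01":   {"role": "public web server",      "data": ["public"],     "criticality": 3},
    "lab-07":   {"role": "test lab box",           "data": [],             "criticality": 1},
}

# Assumed weight of each data classification present on an asset.
DATA_WEIGHT = {"cardholder": 3, "pii": 3, "public": 0}

# Constructed alerts as a Siem might emit them: same signature, different hosts.
ALERTS = [
    {"id": "a1", "asset": "lab-07",     "signature": "beacon to known C2", "severity": 4},
    {"id": "a2", "asset": "pos-0042",   "signature": "beacon to known C2", "severity": 4},
    {"id": "a3", "asset": "web-01",     "signature": "port scan",          "severity": 1},
    {"id": "a4", "asset": "unknown-99", "signature": "beacon to known C2", "severity": 4},
]


def enrich(alert, assets=ASSETS):
    """Attach business context and a risk score; flag alerts with no context."""
    ctx = assets.get(alert["asset"])
    if ctx is None:
        # Without context we cannot score it, but we must not lose it either.
        return {**alert, "context": None, "risk": None, "needs_enrichment": True}
    data_weight = max((DATA_WEIGHT.get(d, 1) for d in ctx["data"]), default=0)
    risk = alert["severity"] * (ctx["criticality"] + data_weight)
    return {**alert, "context": ctx, "risk": risk, "needs_enrichment": False}


def prioritise(alerts=ALERTS, assets=ASSETS):
    """Return alerts ranked by business risk plus a queue of alerts whose asset
    is unknown and needs inventory work before it can be ranked."""
    enriched = [enrich(a, assets) for a in alerts]
    ranked = sorted((e for e in enriched if not e["needs_enrichment"]),
                    key=lambda e: e["risk"], reverse=True)
    queue = [e for e in enriched if e["needs_enrichment"]]
    return {"ranked": ranked, "enrichment_queue": queue}


if __name__ == "__main__":
    out = prioritise()
    for e in out["ranked"]:
        print(e["id"], e["risk"], e["context"]["role"], e["signature"])
    print("needs enrichment:", [e["id"] for e in out["enrichment_queue"]])
```

Two alerts carry the identical signature and severity, yet the one on the point-of-sale terminal holding cardholder data ranks far above the one on a lab machine. The alert on an asset missing from the inventory is neither dropped nor ranked last by default; it goes to a separate queue, because an unknown asset is itself a gap in context that the quote warns about.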
Ramzan said that by expressing cyber threats in terms of business risk, information security professionals are able to engage with business executives on what matters to them.
“Information security professionals need to be able to translate IT security risk into business risk. That is an area in which we are innovating heavily with our Archer GRC [governance, risk and compliance] platform,” he said.
“We are also innovating heavily across our Via Access identity management capabilities and our security analytics technology, which is part of our advanced security operations portfolio. We believe these three areas are going to be the most relevant for customers and that it is the right thing to do.”
Machine learning insights
Prior to joining RSA, Ramzan served as CTO of Elastica, where he used machine learning technologies and natural language processing for accessing and using cloud services more securely.
He said machine learning has a very important role to play in cyber security because it is about gaining insights from data in an automated fashion.
“Machine learning in security has been around for decades and is likely to play an important role at RSA because we have a lot of machine learning technologies in place,” he told Computer Weekly.
“Ron Rivest wrote a paper about machine learning in cryptography many years ago, identifying some of the first connections between these fields. That thinking has evolved over time and we have seen products that use machine learning,” he said.
However, Ramzan said machine learning is not a panacea in terms of security. “The reality is that machine learning – depending on how it is used – will provide some capabilities, but you have got to couple that with a broader picture of what is going on,” he said.
“It has to be machine learning, coupled with visibility, coupled with some platform to take action and creating workflow, coupled with business context to prioritise the issues that have been spotted according to how much impact they could make to the business.”
According to Ramzan, RSA is predicated on innovation and has reinvented itself in response to the continually evolving threat landscape.
“We cannot succeed in that world unless we are willing to innovate ourselves and change ourselves all the time,” he said.
RSA’s focus 30 years ago was on cryptography and selling crypto toolkits, but the company is currently focused on security analytics, identity and GRC.
“Part of my goal as CTO is to ensure that RSA is always at the forefront of addressing the problems that our customers care about the most, as well as trying to predict what the problems are going to be so that we have the technology ready to meet it when it becomes relevant,” said Ramzan.