What a Year It's Been: RSA 2021 Embraces 'Resilience'

Clearly, the months since the world shut down in March of 2020 fomented a radical shift in how people work and live, and it’s brought a range of crises and challenges to bear across the spectrum of our lives. These profound changes and experiences were also felt in cybersecurity, bringing never-before-seen threats and attack vectors to the fore. So, perhaps it’s entirely fitting that the theme for the all-virtual RSA Conference 2021 kicking off this week is, simply, “resilience.”

“This has been incredibly challenging for all of us. We all had to deploy the technology that enabled virtually every worker on a global basis to shift to remote work overnight. They were connecting over multiple networks,” Chuck Robbins, chairman and CEO at Cisco, said from the stage during Monday’s opening keynote addresses. “They were connecting from whatever device they could possibly find to get connected from. And we all know that during this time, the security landscape that we were all dealing with was becoming very complex.”

For instance, employees, just by working 30 extra minutes on a mobile device, create 20 percent more vulnerability than you would have normally, he said, adding, “every individual is carrying an average of four devices, and most of us are carrying even more. And this just creates more opportunity for breaches.”

Embracing Chaos as a Constant

Rohit Ghai, CEO at RSA, noted that there are lessons to be learned from the insanity. Referencing that OTHER phenomenon that happened in March 2020, the Tiger King craze that saw 64 million Netflix households binging the documentary, he noted during his keynote that the streaming giant has learned to embrace chaos – something that cybersecurity types should take a page from.

RSA’s Rohit Ghai recaps the most notable cybersecurity incidents since the pandemic started.

Netflix has created something called Chaos Monkey to help ensure that its 203 million subscribers can stream without quality issues, he pointed out. It’s basically a resiliency-testing tool that randomly shuts down production instances and emulates various types of common failures, at scale, in order to test the company’s ability to accomplish graceful degradation and survival, without any customer impact.

“Chaos is a pretty good way to describe our context in cybersecurity,” Ghai said. “Boundless, complex, hyperconnected and dynamic tech stacks, sitting on multiple cloud workloads that move about. We have machine and human actors working, playing and learning from anywhere, and the added randomness of malicious actors trying to disrupt, steal and instill fear.”

The cybersecurity industry can focus on resilience by embracing chaos, he explained. That’s done by expecting the unexpected; trusting no one; and compartmentalizing failure zones – in addition to ongoing red teaming, blue teaming and incident-response trials.

“If you don’t have visibility, then you don’t know what to defend,” he said. “And once you do have visibility, use threat intelligence to understand your likeliest antagonists, including their methods. And then in addition to modeling the likeliest attack, make sure to throw in a few unlikely ones. It is a mindset, not just an architecture.”

He also advocated for implementing third-party risk assessments, network segmentation and least privilege.

“What if the SolarWinds servers were only allowed to talk to the known good rather than being disallowed to connect to the known bad?” he postulated. “Could the Twitter hack have been avoided if the employees had not been trusted to change the email addresses of accounts? By being prepared for chaos, we will fall less often.”

Goal: Build Back Better

Of course, despite best efforts, successful cyberattacks happen. Cisco’s Robbins pointed out that if cybercrime losses were stacked up against the GDP of countries, it would be the third largest economy in the world after the U.S. and China, with $6 trillion in global damages.

“And, we all know the real cost is not being able to run our businesses, or the reputational damage that you suffer, and the impact on your organizations in the future,” he added.

Against that backdrop, coming back from an incident stronger than before should be a guiding cybersecurity principle going forward, Ghai postulated – and he said that a big key to that is inclusivity and a focus on community.

“We need to bring not just the security professionals but IT and business leaders into the community as well,” he said. “We also need to find a way to attract diverse and neuro-diverse talent.”

He added, referring to Marcus Hutchins, “I also implore us to consider another idea to grow our community: We need to find a way to never give up on bright minds and attract them. We need to recruit better than the adversary.” Hutchins famously discovered the kill switch for WannaCry – after years of cybercriminal activity as a teen and young adult. He was given a lenient sentence when convicted for the latter, and eventually turned to legitimate activity.

There’s much at stake: The threat surface is only going to continue to expand, Robbins pointed out.

“We have great new technologies like 5G and Wi-Fi 6, continued explosion of public cloud, workers that will work from home forever or in a hybrid model as we go forward,” he said. “There is really no perimeter in the enterprise to defend anymore, those same workers will be mobile, at some point in the future in coffee shops again, and we have to deal with all that and we have to build security practices around what we know is coming in the future.”

He also struck a hopeful note for accomplishing that: “[But during the pandemic], we have also learned that industries can be transformed. Two-thirds of CIOs have said that post-pandemic, they will spend more on our security investments going forward. And we know the projects that used to take years are now taking weeks and months because of the sense of urgency that we’ve all been facing.”

Security Community ‘Has Each Other’s Backs’

A coming together of the security community is another aspect of cultivating resilience that’s been highlighted in the past few, difficult months, according to Jimmy Sanders, CISO at Netflix DVD.

Netflix CISO Jimmy Sanders.

“Whatever stage you are in your current career cycle, we need your ideas, we need your effort, we need your collaboration,” he said during his keynote. “I think of the term ‘snowball effect,’ because … the great ideas build upon each other. We need to ensure that the best security practices are accessible to everyone.”

He added that a single entity can’t curb the overall rise of security breaches, regardless of how amazing that individual security structure may be. “But together,” he said, “the security superhero group sharing knowledge and effective techniques can achieve [the] greatest security resilience.”

It’s a positive assessment that will lead to better cyber-resilience going forward, Ghai said.

“Our community has shown remarkable solidarity when one of us falls,” he said as he closed his talk. “We’re getting better at sharing and learning. So when one of us falls, all of us learn, we all rise up stronger. In 2020, we saw cyber-incidents of unprecedented scale and scope. But let’s note that we have not yet encountered a global cyber-pandemic. We have not been fully tested yet and must remain vigilant. The next leg of a long journey is just beginning.”

Download our exclusive FREE Threatpost Insider eBook,****“2021: The Evolution of Ransomware,”**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story andDOWNLOAD** the eBook now – on us!**