As more organisations accept that compromise is an inevitable by-product of doing business, and that traditional products aren't good enough to stop the threat, it's no wonder that security professionals will use the industry's signature annual event to discuss why taking the fight to the attackers may be a tactic worth considering.
The 22nd annual RSA Conference, which opened this week in San Francisco, brings together information security leaders and thinkers to showcase the industry's emerging trends and technology.
The five-day conference includes hundreds of sessions across 22 tracks, including newcomers like "Breaking Research" and "CISO Viewpoint."
Joining big data and mobility as this year's hot topics will be a number of talks centering on "active defense," which involves taking a range of actions against saboteurs, from shutting down botnets through legal measures, to using deception to throw a wrench in attackers' plans – or through more extreme avenues, considered unethical or even illegal, in which an organisation launches its own attacks to dismantle the infrastructure of hackers.
Hugh Thompson, program committee chairman for RSA Conference and chief security strategist and senior vice president at security firm Blue Coat Systems, told SCMagazine.com that active defense continues to be a divisive concept among security professionals.
“If you are attacked by a group, at some point do you attack back?” Thompson asked. “[But] are you sure that the person you think is attacking you is really the person attacking you?”
Dmitri Alperovitch, CTO of security intelligence start-up CrowdStrike, said security practitioners can consider other options when taking an offensive-minded approach to security, one that doesn't have to involve more extreme, and in some cases illegal, measures.
“It's critical to understand that it's not about attacking back or vigilante acts,” Alperovitch said. “It's about finding ways to raise [attackers'] costs and risks to deny them the benefits of what they are trying to achieve.”
Deception, which could include planting false information on networks, has historically been used in the financial services industry, Alperovitch said, and could be used in a range of industries that are now on the radars of hackers who wish to steal valuable intellectual property from companies or classified government data.
“It's very economical for [hackers] to continue to attack you, knowing the value of the information they can extract is far greater than the costs they invest to attack you,” he said. “You don't want to just sit back and defend their attacks by swatting them away.”
At the conference, a range of speakers will be touching on the threat of nation-state attacks and cyber espionage campaigns. This will include Michael Daniel, White House cybersecurity coordinator; Eric Rosenbach, U.S. deputy assistant secretary of defense for cyber policy; and FBI Director Robert Mueller.
Despite claiming no involvement, the Chinese government has repeatedly surfaced in news about cyber attacks against U.S. organisations, including during the sophisticated, four-month long surveillance of computer networks at The New York Times, as well as Twitter, Facebook and Microsoft.
And last week, computer forensic firm Mandiant released a 60-page report that offers a fascinating close-up of the nuts and bolts of secret Chinese military unit 61398, believed to be behind the theft of hundreds of terabytes of information from 141 organisations primarily in the United States.
The White House has chimed in as well, with a cyber security executive order from the president and a report on protecting against trade theft. Congress, meanwhile, is considering legislation to require threat information sharing.
As such, Josh Corman, director of security intelligence at security firm Akamai Technologies, told SCMagazine.com that strategies for handling attacks from advanced adversaries, like governments or government-backed groups, will be a major topic of interest at this year's conference.
Corman said the range of threats is what has dialed up the need for greater intelligence.
“Most of the industry thinks you shouldn't care about the adversaries,” Corman said. “And the reason we didn't have to care before was because most of the adversaries were motivated to commit financial crime.
But recently, state-sponsored espionage [groups] and chaotic actors, like Anonymous, who are ideologically fueled, have different motivations. You need to know what these actors are going after.”
Keynote staples Art Coviello, president of EMC's RSA, and Scott Charney, vice president of trustworthy computing at Microsoft, will open the show.
Later, Jimmy Wales, founder of Wikipedia, is expected to discuss how the internet will democratise developing countries by giving them a digital voice and the ability to fight censorship, while Vint Cerf, vice president and chief internet evangelist at Google, is set to present on authentication and determining when online identification should be optional or necessary.
On Friday afternoon, former Secretary of State Condoleezza Rice is scheduled to deliver the closing keynote.
An emerging complement, if not an edgier alternative, to the RSA Conference is BSides San Francisco, which opened Sunday and concludes today. The show will feature talks from researchers and other security pros, including Corman, who is scheduled to offer a keynote.
It's also imperative that attendees at both shows weigh in on – and even challenge – major buzzwords and debate points. In the maze of vendor booths, sessions and people, what's discussed often sets the tone for the rest of the year, Corman said.
“The lexicon that is battled upon, the specific buzzwords – the vendors build to that,” Corman said. “So it's almost a self-fulfilling prophecy.”
Corman advised people traveling to San Francisco this week to create their own personal "cons," which may actually turn out to be more productive than the official ones.
"Sometimes there's more topics discovered at a bar," Corman said.