The Grand Gallery of the St. Regis hotel in San Francisco, CA is used to hosting weddings, parties or similar events, but on April 15, Kaspersky Lab hosted its annual cybersecurity summit in the ballroom. Some of the best and brightest minds from the security industry were on hand to talk about the security landscape and business security concerns. The day opened with a video that asked pressing questions about the cybersecurity landscape and set the tone for the day.
Tom Ridge, former Secretary of the U.S. Department of Homeland Security and Chairman of the National Organization on Disability and the U.S. Chamber of Commerce’s National Security Task Force, opened the day with a keynote in which he described the security landscape, saying, “It’s a brave, new, interconnected world and there are two states – one is the scourge of terrorism, the other is what I refer to as the forever-more. We won’t be less connected. We’ll be more connected.”
He continued to intrigue the audience, saying that there is a problem with the lack of information being shared across the public and private sectors. Some experts suggest they’d like to see a Geneva-like convention for cybersecurity, but Ridge explained that he didn’t think we are there yet. One of the reasons is that, in the private sector, the cyberworld is a vague world: in general the C-Suite is not familiar with it, and security experts need to convince them that the risks aren’t just virtual – there are real-world risks that can seriously affect the bottom line.
Ridge stated that a lot of people in the private sector look at cyberthreats the same way they think about physical terrorist attacks – that yes, it is a reality that terrorism happens, but it won’t happen to me. Ridge said, “The private enterprise is foolish to draw those conclusions. We [the private sector] are definitely a target-rich environment. The C-suite understands physical damage, but the impact of the virtual impact isn’t understood.”
Following that thought, he said that, depending on the enterprise, many see cybersecurity as an IT problem, not a business risk. Ridge then discussed what he believes needs to be done in order to manage the risk of cybersecurity, as he said that “it isn’t a preventable risk, but it is a manageable one.” Ridge’s main point is that we need to change our mindset. We need to go from a need-to-know information-sharing mindset to a need-to-share mindset, because information shouldn’t be exclusively held by governments or handed out on an ad hoc basis. Unfortunately, Ridge believes, we are not there yet.
Ridge ended his keynote with the following statement, “I don’t believe regulation is the answer, I think information-sharing is the answer. The best way to enhance the security of a private enterprise is to increase the information-sharing within the corporation. And to do that in the digital forevermore, we don’t have to be bullish, we have to be smart and a culture of resiliency needs to be at the center.”
Next on the action-packed agenda was the Keynote Panel “Securing Critical Information Assets Now and in the Future”, led by Howard Schmidt, Chair, Kaspersky Lab International Advisory Board. Schmidt was joined by Eugene Kaspersky, Chairman and CEO of Kaspersky Lab; Fred Schwien, Director of Homeland Security Programs & Strategy, The Boeing Company; and Joe Sullivan, Chief Security Officer, Facebook. Schmidt asked Schwien what he thought was necessary to secure critical infrastructure. To that, Schwien said that it certainly takes cooperation between the government and the industry. In his experience, while they have cooperated more than ever in the physical realm, that cooperation has not yet translated to the cyber realm. He also stated that, unfortunately, we have not had a serious enough event to call in the cavalry and instill the strict standards that need to exist.
Eugene Kaspersky commented on the same question, saying he thinks three things need to be done. First, the world must be split into different categories – individuals, critical infrastructure and enterprises. Second, more advanced education is needed, both on the individual level and on the corporate level. Lastly, he joked, “There needs to be a special government regulation test for security officers. We must test their paranoia level and they must pass this paranoia test.”
Kurt Baumgartner of Kaspersky Lab’s Global Research & Analysis Team (GReAT) presented on the top five APTs that are most important to businesses and their business implications. These include Red October, Winnti, Net Traveler, Ice Fog and Careto. For each of these, he explained the group behind the APT, what the APT was designed to do, and how it affects businesses. In closing, Baumgartner said, “The cost of entry to corporations is decreasing, while the volume and precision of these attacks are increasing.”
The final panel discussion of the day focused on cybersecurity and financial services. Rich Mogull, Analyst & CEO, Securosis, moderated the panel, made up of Ellen Richey, Executive Vice President and Chief Enterprise Risk Officer, Visa; Steve Adegbite, Senior Vice President of Enterprise Information Security Program Oversight and Strategy organization, Wells Fargo & Co; and Chris Rezek, Expert Consultant, McKinsey. The panel discussed how the higher levels of attacks have affected the financial industry and the cost implications involved with these attacks. Steve Adegbite stated that in his role, he looks at these attacks from a technical aspect and said that, “People are not going after hard targets – they are going to go after the easy ways in, and work their way to the top.”
In discussing whether or not the panelists have seen any changes in the risk profile that may not be economically motivated, Richey responded saying it is mostly financial. However, the other piece to it is DDoS attacks, and so far these players have been mostly hacktivists. Due to these types of attacks, the industry has really ramped up its defenses.
When asked their one piece of advice on how to better secure the financial industry, Richey stated, “It starts at the top. If you don’t have the support of the CEO, the board or owners, you won’t succeed. Additionally, it is just as much a business process problem as a technology problem. You can’t protect everything so it is important to figure out what will be targeted, segregate it and protect it.”
To close out the day, Peter Beardmore, Senior Director of Product Marketing, Kaspersky Lab, presented the company’s enterprise security vision. Each day, Kaspersky Lab records more than 315,000 new malicious software samples in the wild and more than 30 million new spam emails, and each month our products repel more than 60 million network attacks and prevent 270 million web-borne infections. Kaspersky Lab already offers a core set of products to help protect against these threats, and during his presentation, Beardmore introduced a few new offerings focused on securing the enterprise, including Kaspersky Security for Virtualization – Lite Agent, Kaspersky Lab Security Intelligence Services, Critical Infrastructure and Industrial Applications and Kaspersky Fraud Prevention.
Beardmore ended the day by stating, “What the market will see from Kaspersky from now and into the future is a Kaspersky that is a leader in consumer, small business, the mid-market and also the Enterprise and Government.”