Avivah Litan
VP Distinguished Analyst, Gartner Research (Gartner Blog Network)
12 years at Gartner, 30 years in the IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…
Hi and Low Tech Musings from RSA Security conference

by Avivah Litan  |  February 28, 2013  |  5 Comments

I just got back from the RSA Security conference in San Francisco, an invigorating gathering of security professionals that, frankly (at least for me), is always a fun crowd to be around. My main takeaway is that the crimes and infractions we should be focused on are either very low tech or very high tech. Most of the security budget has been spent in the middle, and the solutions put in place generally haven’t stopped the attacks executed at these two ends of the spectrum.

Seasoned security managers I speak with feel the situation is becoming untenable and that the industry needs a ‘paradigm shift’. There are simply too many things to worry about and too many point security solutions that need to be patched together and integrated. Indeed, one colleague cited the incredibly high number of man-hours his organization spends just keeping its 200 or so security-related applications up to date and working together.

Key takeaways from the conference:

a) Insider fraud is mainly very low tech and does not involve collusion. That was CERT’s conclusion, presented at the conference, after closely examining 80 cases of insider financial fraud at U.S. banks. What did they find? Low and slow crimes (on average it took 2.5 years to detect the fraud after it started) carried out with very low tech techniques, such as customer service reps in call centers printing screens full of customer PII, or bookkeepers changing entries to pay themselves.

Significantly, only 6 percent of these insider cases were detected by software. The rest were discovered mainly through tips or aroused suspicions (e.g. when a low-salaried employee suddenly starts driving a brand new BMW). The CERT team didn’t correlate the findings with security expenditures at these organizations, but I would bet that most of the highly regulated banks surveyed had spent a lot of money on identity and access management (IAM) systems.

But while low-tech insider fraud should be a major concern for enterprises (it results in significant financial damage), I didn’t come across any other mention of it at the conference beyond this one CERT presentation.

b) In contrast, ‘sophisticated’ high tech attacks are capturing most of the R&D and innovation dollars. The ‘hottest’ vendors on the RSA expo floor positioned their software and services as necessary for defending an enterprise and its assets against today’s advanced targeted attacks. Whether it’s the Chinese, Iranians, or Ukrainians, it’s creating a call to cyber-arms that no one wants to ignore. So unlike the unglamorous low-tech threat, this category is getting all the dollars and attention.

c) DDoS continues. Meanwhile, while the security professionals were busy at the conference, the DDoS attacks against U.S. banks continued. Demonstrating the cat-and-mouse nature of these attacks, the attackers have reportedly grown their botnet from 3,000 servers (with high-bandwidth connectivity to the Internet) to 10,000. They are attacking multiple bank domains at a time rather than one at a time, taxing the resources of the hosting ISPs. And they are reportedly deploying new application-layer DDoS tactics against their target banks’ web applications, which further complicates the banks’ defenses: unlike a bandwidth flood, application-layer requests look like legitimate traffic, so capacity-based filtering upstream at the ISP does little against them. These shifts in DDoS tactics will no doubt spur new spending and solutions by the victims while the offense/defense cycle continues to spiral.
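The CERT finding in item a) is that the insider cases were low tech and low and slow, and that software caught almost none of them. As an added example (not part of this post or of the CERT study), the following script shows two baseline checks over a constructed audit log of customer-record PRINT events, the kind of activity a call-center rep printing screens of PII would leave behind. The employees, roles, customer IDs and counts are all made up. The first check flags a one-day burst against a peer-role baseline; the second flags a steady drip of distinct customer records over the whole window, which a per-day threshold never sees:

```python
"""Added example, not the post's or CERT's code: peer-baseline checks over a
constructed audit log of customer-record PRINT events by call-center staff."""
from collections import defaultdict
from statistics import median


def build_events():
    """Constructed audit records: (day, employee, role, action, customer_id).

    Peers print 1-2 customer records a day. 'eve' is normal except for a
    20-record burst on day 15. 'mallory' prints 3 different customers every
    day: never a burst, but a steady drip that adds up over the month.
    All names and numbers are invented for this example.
    """
    events, cid = [], 1000
    per_day = {"alice": 1, "bob": 2, "carol": 1, "dave": 2, "mallory": 3}
    for day in range(1, 31):
        for emp, n in per_day.items():
            for _ in range(n):
                events.append((day, emp, "csr", "print", cid))
                cid += 1
        for _ in range(20 if day == 15 else 1):
            events.append((day, "eve", "csr", "print", cid))
            cid += 1
    return events


def _median_mad(values):
    """Median and median absolute deviation: robust to a single outlier,
    unlike mean/stddev, which the outlier itself would inflate."""
    values = list(values)
    med = median(values)
    return med, median([abs(v - med) for v in values])


def burst_alerts(events, action="print", k=3.0, floor=5):
    """Flag (day, employee, count, threshold) where an employee's daily count
    of `action` exceeds the same-role, same-day baseline of median + k*MAD.
    The absolute floor stops tiny, tightly clustered counts (MAD near zero)
    from tripping the rule on a difference of one or two records."""
    counts = defaultdict(int)            # (day, role, emp) -> count
    for day, emp, role, act, _ in events:
        if act == action:
            counts[(day, role, emp)] += 1
    by_group = defaultdict(dict)         # (day, role) -> {emp: count}
    for (day, role, emp), n in counts.items():
        by_group[(day, role)][emp] = n
    alerts = []
    for (day, role), emps in sorted(by_group.items()):
        med, mad = _median_mad(emps.values())
        threshold = max(med + k * mad, floor)
        for emp, n in sorted(emps.items()):
            if n > threshold:
                alerts.append((day, emp, n, threshold))
    return alerts


def slow_drip_alerts(events, action="print", factor=1.5):
    """Flag (employee, distinct_customers, peer_median) where the number of
    distinct customer records an employee touched over the whole window
    exceeds `factor` times the peer median for the role. This is the check
    the per-day rule misses: no single day looks unusual."""
    seen = defaultdict(set)              # (role, emp) -> {customer_id}
    for _, emp, role, act, cid in events:
        if act == action:
            seen[(role, emp)].add(cid)
    by_role = defaultdict(dict)          # role -> {emp: distinct count}
    for (role, emp), ids in seen.items():
        by_role[role][emp] = len(ids)
    alerts = []
    for role, emps in sorted(by_role.items()):
        peer_med = median(emps.values())
        for emp, n in sorted(emps.items()):
            if n > factor * peer_med:
                alerts.append((emp, n, peer_med))
    return alerts


if __name__ == "__main__":
    ev = build_events()
    for day, emp, n, thr in burst_alerts(ev):
        print(f"burst: day {day} {emp} printed {n} records (threshold {thr:.1f})")
    for emp, n, med in slow_drip_alerts(ev):
        print(f"drip: {emp} touched {n} distinct customers vs peer median {med}")
```

Run against the constructed log, the burst rule reports only eve's day 15, while the drip rule reports only mallory, whose 90 distinct records over the month never exceed the daily threshold. The peer group is keyed on role because a bookkeeper and a call-center rep have different legitimate volumes; comparing an employee to all staff would hide exactly the cases CERT describes.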

Bottom line: the attack vectors I see working are either very low tech or very high tech. But not too many people seem interested in investing in the solutions and processes that can stop the boring low tech crimes. Under-the-radar high-tech espionage and crime is getting all the attention and dollars, and I still haven’t heard of any of it being stopped. Meanwhile, the political crazies are flexing their cyber-muscles and embarrassing the heck out of our IT security industry.

5 responses so far

  • 1 jerry scala   February 28, 2013 at 1:02 pm

    I believe you hit the nail right on the head. As an RSAC attendee and the developer of a product that may fall into the lower tech part of the spectrum, that being data breaches related to mishandled storage media, we found very little attention paid to this part of the security equation. Trade analysts and traditional media routinely report that although the cyber attack gets much more attention and budget, the most common form of data breach is the lost hard drive, backup tape or client device.

    May not be as “sexy” as the latest cyber threats, but the same principles apply – accumulate as much info as possible, put it into context, identify the threat and rapidly alert on it. Sound familiar? Put these principles to work in our neck of the woods and you will mitigate a huge amount of risk with a tremendous ROI.

    LogRhythm had a very catchy quote – “How can you know when something is abnormal when you don’t know what normal is?” We apply these same principles to storage device lifecycle management from the data center to the mobile device, from first write through erasure and sustainable disposition.

  • 2 mark   March 1, 2013 at 3:39 pm

    Not sure I understand this.

    Are we saying that money is spent in the middle and it’s fixed those threats, but we should now look at the extremes, because that’s where the threats are?

    If so, isn’t that what we’d expect a normal distribution bell shaped curve to look like? And wouldn’t we spend 80% of our money in the middle.

    The ends will always be there… that’s why they are called … the ends? (did we just point out the obvious?)

    Or are you saying if we need to pick an end… let’s start at the cheap end. The RoI is probably better?

    If so, maybe… maybe not. Maybe we’ll just introduce lots of procedures and policies to catch the poorly executed exceptions (e.g. No Printing unless authorised by your manager!). Problem is, policies need writing, documenting, upgrading and then enforcing… which is where 99% of people suffer from the dishonesty of a few.

    Could it be that the industry is concentrating in the middle because that’s where success is… maybe that Identity Access money is well spent?

    Apologies… didn’t mean to come across as rude. The article got me thinking for a few moments :-)

  • 3 Avivah Litan   March 3, 2013 at 12:59 pm

    Really good question. I was just giving my observations that most of the attacks and violations I hear about are at the low or high end of the spectrum.

    Frankly, I don’t have enough information about the middle. I would really like to get some basic stats on how well SIEM, DLP, DAP and other monitoring systems are performing. I’d also like to know what the ROI has been in IAM systems. Other analysts probably have a much better handle on this as I spend most of my time on fraud prevention and user authentication (for external users).

    From my vantage point, I don’t see the low tech or high tech crimes against the enterprise being stopped. And the RSA conference just confirmed it for me.

    hope it makes sense – wish I knew more about the middle – and you are right – a bell curve definitely comes to mind.

  • 4 maureen swinden   March 5, 2013 at 10:21 am

    I am assuming that a Co-Trustee taking over $150,000.00 falls on the low end of the spectrum. However, that money was in a family Trust. When it was discovered on a Friday I IMMEDIATELY contacted the Mutual Fund Group and was told that no one was able to help me until Monday! Due to other actions by this same Trustee (I have the inter-office memos) the Trust was changed by the Mutual Fund group from a managed account to a Custodial account only. I have been involved in a 3 1/2 year lawsuit and it is still ongoing! I can only imagine, if the public knew about the lack of safety for a family Trust, how fast the accounts would be moved AND who would entrust their money?

  • 5 Avivah Litan   March 6, 2013 at 3:33 pm

    That sounds like a total nightmare. I wish I knew the best recourse for you other than litigation. At the least, I would also try the press. I don’t think the general public has any understanding over how little protection they have against account takeover outside the realm of consumer deposit or credit card accounts.

    It’s a very serious hole in consumer protections and your story just proves how relatively easy it is to lose your money in brokerage accounts. I hope you get relief soon.