EMC's Anti-Security Culture: Business First, Security Second

(Updated with additional copy and links - 1920 EST 10 Jun 2011): NetWitness' Chief Security Officer Eddie Schwartz has apparently become the first CSO that EMC's RSA Security division has ever had, which I thought was pretty amazing for a world leader in security technology. In the course of looking into who holds the position at RSA's parent company, EMC, I ran across an EMC Leadership and Innovation article written by former EMC CSO Roland Cloutier that expressed a corporate philosophy which, in my opinion, contributed to the success of the RSA attack earlier this year:
Security must be a business enabler 
Cloutier is adamant that security must be deployed in the service of business goals, enabling the innovation and responsiveness that create competitive advantage. "As security practitioners, our aim is to create an environment for our executives, engineers, and sales folks to build, deliver, and service the absolute best technologies without any impedance or concern about security in our environment," he says. "We want them to understand that security is not a business inhibitor."
One of the recommendations that Cloutier makes in order to keep security from becoming a "business inhibitor" is contained in a special EMC 2009 report "Top Global Security Officers Reveal Strategies for Driving Business Advantage in an Economic Crisis" when he apparently shrunk EMC's security department by 25% in order to create more "efficiency":
"In a tough economy, it's tempting for enterprises to rein in business innovation," said RSA President Art Coviello. "However, strategic initiatives that enable revenue growth and operational transformation are more critical than ever. Security practitioners can help business leaders safely pursue the most lucrative business opportunities by understanding the risk picture and identifying the right trade-offs. At the same time, security teams must find ways to squeeze the most out of every dollar. For example, EMC's Chief Security Officer and council member Roland Cloutier recently freed 25% of EMC's monitoring and response operational resources and achieved a four-fold improvement in alert performance by consolidating device, application and technology monitoring into a centralized SIEM solution."
 EMC's commitment to automation as a "sound" security practice continued right up to February 2011 with the release of their latest RSA security paper "Mobilizing Intelligent Security Operations for Advanced Persistent Threats" (.pdf). No wonder the marketing buzzword "APT" showed up in Art Coviello and Uri Rivner's statements about the March attack. The entire EMC technology and security leadership just finished writing a white paper on it! Here's one of the authors' three recommendations for defending against an APT attack:
3. Focus on developing capabilities that enable the analysis of security information in real time and the automatic adaptation of IT-based defenses. Automation will be essential in minimizing reaction times to attacks: the faster organizations can adapt and stay ahead of the attack, the less time the APT has to cause damage. 
The common theme underscoring all three reports is that in EMC's view automation as an efficiency measure AND a security necessity. It may be a necessity for enabling profitability in a down economy but automated defenses are counter-intuitive for any company that wants to protect its crown jewels from a dedicated and well-funded adversary. Here's why:

An automated solution will never stop a customized attack because the attack was designed to circumvent it!

I'm giving the keynote speech at Basis Technology's Government Users Conference next week on the lack of Cloud security and how Cloud services are becoming sophisticated attackers' preferred targets. Finding economies of scale works for an adversary. It almost never works for the defender. This is a lesson that EMC should have learned by now - the hard way.

Comments