Symantec CEO warns of ‘day-zero’ attacks

TORONTO — Less than two days after the release of an Auditor-General report criticizing the Canadian government for a lack of security, the CEO of Symantec has warned that the threat is getting worse.

“The average span of time between the discovery of a vulnerability has collapsed from six months to six days,” said Symantec’s John Thompson in a speech to the Empire Club in Toronto on Thursday.

“And day-zero attacks are just around the corner. In other words, we’ll soon see a vulnerability and an exploit appear on the same day, almost simultaneously.”

The remarks follow closely the A-G’s report released late Tuesday, which was based on a review of the public sector’s IT security policies and practices. In the report, Sheila Fraser and her team criticized Treasury Board Secretariat for failing to complete standards related to intrusion detection and incident response, as well as a lack of consistency in applying standards and adhering to security policies among many government departments.

Thompson admitted that one of the lessons Symantec had to learn itself was that “(At one time), our view of security was far too narrow.”

Then came the Slammer attack of Jan. 25, 2003, which infected 90 per cent of unprotected servers in just 10 minutes, affecting flight schedules, ATM networks and virtually all business.

“Our own research at Symantec shows that it costs 10 times as much to recover from a single incident or disruption, as it does to establish a program in the first place.”

Thompson said new proactive technologies incorporated into security appliances will allow Symantec to deliver prevention capabilities ahead of an attack.

“We must shift our game to offense, where we are driving the overall process for protecting critical information, not just responding to the most recent attack.”

In a short Q&A after his speech, before he was ushered off to meet with customers and the government, Thompson was asked how Symantec planned to respond to the shortened time between vulnerability and attack.

He said that while you can only do so much to prevent and mitigate the risks of an attack, there is new technology now being developed, which he referred to as “automatic activation.”

Thompson stressed that while an early warning system provides a valuable head start, it is not enough. To truly protect your assets, you have to be able to act on external intelligence immediately.

“We have a repository of intelligence second only to the U.S. government, much of which is managed out of Calgary, ironically,” which will assist this development.

In his speech, Thompson offered a scenario where “automatic activation” technologies could assist IT departments.

It included a situation:

• where an external threat could trigger an internal audit, so you could instantly identify the systems that are vulnerable to attack;

• where an external alert could tell systems to assess patch levels on those vulnerable systems and automatically update those that are unprotected;

• where external intelligence could prompt more frequent incremental backups from user systems to the data centre; and

• where all these actions could produce an audit trail to ensure that all your policies and processes are in compliance.

“Now that would be useful. Heck, that would be invaluable,” he said.

