RSA Breach A Lesson In Detection And Mitigation

While pundits say RSA, as a standards bearer in security, should be held to a higher measure of security than the average enterprise, some say the company's recent breach is less a black mark on the company than a lesson to organizations at large about the scope of today's threats. And as details emerge about how RSA dealt with its breach, it is clear that most organizations need to do a better job with not just real-time monitoring -- but also real-time blocking -- of threats.

According to those in the security information and event management (SIEM) space, the RSA breach should be a wake-up call for any enterprise that needs to protect its "special sauce" to maintain customer confidence and smooth operations.

"What we can take away from it is whether you're making a widget for a car, an airplane, [or] software for the banking industry, you should really consider who might be targeting you and why would they target you, and you have to put protections in place," says Brendan Hannigan, president and chief operating officer of SIEM firm Q1 Labs. "Targeted threats are serious and are coming from a variety of different sources, whether they be state actors or industrial espionage or criminals."

And these determined crooks are not just seeking out the big dogs like RSA.

"We've increasingly been seeing within our own practice specifically targeted attacks, and I'm not talking great, big Fortune 500 companies," says Bobby Kuzma, owner of managed security service provider Central Florida Technology Solutions. "I'm talking targeted, against 10-doctor medical practices."

In order to detect sneaky multivector threats like the one that struck RSA, organizations need to count on a higher level of intelligence than is currently utilized today.

"You have a variety of different security controls in place, but in addition you need to have this blanket of security intelligence that's overlaying this that's looking for very sophisticated, low, slow, insidious, unusual behavior in your environment," Hannigan says. "That's the important layer we think customers haven't focused on. They focus on the point products, [but] they haven't focused on the security intelligence layer that takes all of these controls and puts them together."

While the breach is a blow to RSA, many within the industry have said the security firm still did better than the average organization that probably wouldn't have even known it had been struck.

"Instead of pointing fingers, I'd probably take a look at my house and wonder, 'Do I have similar problems?'" says Philip Cox, principal consultant at IT security consulting firm Systems Experts. "If the 'A' team is getting broken into, that should cause some worries because other companies might also be suffering the same attack and not even know it."

While SIEM tools may certainly go some ways toward detecting attacks, such as the one that struck RSA through a phishing e-mail and a zero-day Flash exploit, they are hardly a panacea. According to the report that RSA made publicly on Friday via a company blog and an analyst briefing, the company did not depend solely on its own in-house tools to find the attack. It credits the tools from NetWitness with helping detect the attack, though when pressed was not willing to divulge technical details about the way the product worked.

Interestingly, the NetWitness revelation came on the very day EMC and RSA insiders were closing a deal to acquire that firm and just a business day before it would publicly announce the acquisition. While the disclosure of some limited details about the breach was seen by some as a way to advertise the benefits of a product line that it was poised to acquire, RSA executives say the deal wasn't precipitated by the breach.

"This [deal] was in the works before that," says Tom Heiser, president of RSA. "Having said all that, I don't think it could have happened at a better time than it did right now."

It's clear that even before it was stung that RSA saw the need for more advanced means of detecting threats in real time. The real problem highlighted by this recent blow-up, though, is not so much about real-time detection of threats as it is about blocking threats before they do damage. RSA claims it did, in fact, detect the attack on its systems in real time. But the fact remains it was unable to stop attackers from stealing some part of its SecurID intellectual property, details about which the firm still have not disclosed. Until the company divulges how much was or was not stolen, it is hard to show how effective real-time detection is in mitigating risk. Regardless, the lesson is that something was exfiltrated.

"You've got to be able to use monitoring tools intelligently, not just from a forensic viewpoint, but from a proactive viewpoint to stop the transactions," says Avivah Litan, vice president and distinguished analyst at Gartner, who believes it doesn't do a company much good to detect an attack but be unable to prevent it from doing damage.

She believes the current monitoring and SIEM tools need to evolve to offer better blocking capabilities. "Log management and SIEM are not going to get you there. All those compliance SIEM systems are not in line to the transactions; they score in real time, but their architectures aren't made to be inline and interdict." she says. "It wouldn't be that difficult for the SIEM vendors to build that in, and they probably will when they start getting demand for it."

In the meantime, she suggests organizations work to build APIs or have vendors build APIs that sync their SIEM into fraud detection and prevention tools that call authentication or transaction verification that has blocking capabilities.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.