RSA Data Breach Highlights Value of Network Forensics Technology

When a security company like RSA reveals that its network has been breached and data stolen, customers are left wondering what they can do if they ever get attacked.

As RSA deals with a data breach in which attackers stole information about its SecurID two-factor authentication technology, other organizations can watch and learn how to handle this kind of attack.

RSA acknowledged on March 17, in a letter posted on its Web site, that it had been hit by an advanced persistent threat and that some information about SecurID had been stolen. While it quickly assured customers that the theft would not expose them to any direct attack, the company acknowledged that the stolen information could reduce the effectiveness of the one-time password system as part of a broader attack.

The letter was vague on details, but suggested that customers shore up other aspects of their security, such as tracking changes in user access and privilege levels and educating employees about social engineering attacks.
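One way to act on the letter's advice to track changes in user access and privilege levels, given here as an added example rather than anything from RSA's letter or from Solera: a small Python detector that reads Linux auth.log-style records written by the shadow-utils tools (useradd, usermod) and by sudo, and raises an alert when an account is created, when an account is added to a privileged group, and when an account that was just granted such a group runs a command as root. The log lines, the hostname and the set of privileged groups are constructed for the example.

```python
"""Track user-privilege changes in Linux auth.log-style records.

Added example (not from RSA's letter or the article). Reads syslog lines from
shadow-utils (useradd/usermod) and sudo, and alerts on account creation,
privileged-group grants, and root commands by an account whose grant
appears earlier in the same log window.
"""
import re
from dataclasses import dataclass

# Groups whose membership confers administrative rights. Assumption for the
# example; tune to the host's real sudoers policy.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

# Constructed sample lines in Linux auth.log style (not a real capture).
SAMPLE_LOG = """\
Mar 17 09:12:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 17 09:13:44 host1 usermod[2231]: add 'bob' to group 'sudo'
Mar 17 09:13:44 host1 usermod[2231]: add 'bob' to shadow group 'sudo'
Mar 17 09:20:10 host1 useradd[2290]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar 17 23:41:02 host1 usermod[3012]: add 'svc_backup' to group 'wheel'
Mar 17 23:42:15 host1 sudo: svc_backup : TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 17 23:50:30 host1 usermod[3100]: add 'carol' to group 'developers'
"""

RE_TS = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")
RE_NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
RE_GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
RE_SUDO = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


@dataclass
class Event:
    ts: str
    host: str
    kind: str      # "new_user", "group_add" or "sudo"
    user: str
    detail: str    # group name, or "target: command" for sudo


@dataclass
class Alert:
    severity: str
    event: Event
    reason: str


def parse_events(text):
    """Turn raw syslog lines into Event records; lines not modelled are skipped."""
    events = []
    for line in text.splitlines():
        head = RE_TS.match(line)
        if not head:
            continue
        ts, host = head.group("ts"), head.group("host")
        if m := RE_NEW_USER.search(line):
            events.append(Event(ts, host, "new_user", m.group("user"), ""))
        elif m := RE_GROUP_ADD.search(line):
            events.append(Event(ts, host, "group_add", m.group("user"), m.group("group")))
        elif m := RE_SUDO.search(line):
            events.append(Event(ts, host, "sudo", m.group("user"),
                                f"{m.group('target')}: {m.group('cmd')}"))
    return events


def privilege_alerts(events, privileged_groups=PRIVILEGED_GROUPS):
    """Flag account creation, privileged-group grants, and root commands run by
    an account that received a privileged-group grant earlier in the window."""
    alerts = []
    newly_privileged = set()
    for ev in events:
        if ev.kind == "new_user":
            alerts.append(Alert("medium", ev, "new account created"))
        elif ev.kind == "group_add" and ev.detail in privileged_groups:
            newly_privileged.add(ev.user)
            alerts.append(Alert("high", ev, f"added to privileged group {ev.detail}"))
        elif ev.kind == "sudo" and ev.user in newly_privileged:
            alerts.append(Alert("critical", ev,
                                "root command by account whose privileges were just granted"))
    return alerts


if __name__ == "__main__":
    for a in privilege_alerts(parse_events(SAMPLE_LOG)):
        print(f"[{a.severity}] {a.event.ts} {a.event.host} {a.event.user}: "
              f"{a.reason} ({a.event.detail})")
```

The point of correlating the grant with the later sudo command is that neither event is remarkable on its own; an administrator adds people to wheel every week. The pairing, especially late at night for a service account created the same day, is what the letter is asking customers to notice.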

RSA is a "great example of what organizations have to do when they figure out they've been breached," Peter Schlampp, vice president of product management for digital forensics firm Solera Networks, told eWEEK.

The fact that RSA identified the attack and seems to know what was taken is a good sign. "It is very clear to me they have some kind of network forensics technology in place," Schlampp said. In many cases, when companies discover a breach, they have no idea what was exposed, he said. The tone of the letter makes it clear that RSA knows exactly what was stolen, he said.

RSA probably knows exactly where the attackers entered the network and the exact instance of the file that was copied, he said. RSA's network forensics technology would have provided the company's investigators with the name, location and contents of the file as well.

The company has all the information it needs to identify the attack, say what was stolen, figure out how to prevent it from happening again, and to remediate the breach, according to Schlampp.
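What "the name, location and contents of the file" means in practice is that a full-packet-capture store lets an investigator pull the exact client-to-server bytes the attacker used and reassemble the transfer. The following is an added example, not Solera's or RSA's code and not any detail from the actual investigation: it parses a constructed HTTP multipart upload out of a reassembled TCP stream and returns the destination, the file name, the file bytes and a SHA-256 that can be matched against the copy on the compromised host. The request, the boundary string, the destination address (a documentation address) and the file contents are all constructed for the example.

```python
"""Recover an uploaded file from a reassembled client-to-server TCP stream.

Added example, not RSA's or Solera's code. Given the application-layer bytes
of an HTTP multipart/form-data upload pulled from a full-packet-capture store,
return what left the network: destination, path, file name, size, SHA-256
and the bytes themselves.
"""
import hashlib
import re

# Constructed multipart body (sample data, not a real capture).
_BOUNDARY = b"----xfer7731"
_FILE_BYTES = b"serial=1000001,seed=2a7f91c0\n"
_BODY = b"".join([
    b"--", _BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="f"; filename="seeds.db"\r\n',
    b"Content-Type: application/octet-stream\r\n",
    b"\r\n",
    _FILE_BYTES, b"\r\n",
    b"--", _BOUNDARY, b"--\r\n",
])
# Constructed reassembled request; 203.0.113.10 is a documentation address.
CAPTURED_STREAM = b"".join([
    b"POST /upload HTTP/1.1\r\n",
    b"Host: 203.0.113.10\r\n",
    b"Content-Type: multipart/form-data; boundary=", _BOUNDARY, b"\r\n",
    b"Content-Length: ", str(len(_BODY)).encode(), b"\r\n",
    b"\r\n",
    _BODY,
])


def parse_request(stream):
    """Split one HTTP request into (request line, lower-cased header dict, body)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        body = body[: int(headers[b"content-length"])]
    return request_line, headers, body


def extract_uploads(stream):
    """Return one record per file part in a multipart/form-data request."""
    request_line, headers, body = parse_request(stream)
    m = re.search(rb"boundary=([^;\s]+)", headers.get(b"content-type", b""))
    if not m:
        return []
    delimiter = b"--" + m.group(1)
    uploads = []
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # closing "--boundary--"
            break
        # Drop the CRLF that follows the delimiter, then split part headers from data.
        part_head, _, data = part[2:].partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):            # CRLF that precedes the next delimiter
            data = data[:-2]
        fn = re.search(rb'filename="([^"]*)"', part_head)
        if not fn:
            continue                          # ordinary form field, not a file
        uploads.append({
            "destination": headers.get(b"host", b"").decode(),
            "path": request_line.split()[1].decode(),
            "filename": fn.group(1).decode(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "content": data,
        })
    return uploads


if __name__ == "__main__":
    for u in extract_uploads(CAPTURED_STREAM):
        print(f"{u['filename']} ({u['size']} bytes) -> {u['destination']}{u['path']} "
              f"sha256={u['sha256']}")
```

The hash is the part that turns "something was copied" into "this file, this version": once the investigator has it, the same digest can be searched for on file servers and endpoints to find the source of the copy, which is what lets a company say with confidence what was and was not taken.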

RSA identified the attack as an advanced persistent threat (APT) in its letter. APTs are generally ongoing attacks where the perpetrators are probing the network looking for information. They are not looking for immediate financial gain, but information that can be used to launch further attacks, he said.

APTs are currently the "biggest threats" facing large organizations, but IT managers and security professionals aren't talking about it as much, Schlampp said. The RSA breach should encourage organizations to start looking at their infrastructure and at the RSA breach for information on how to deal with this growing threat, he said.

"If Google and Aurora wasn't enough of a wake-up call, this is another wake-up call," said Schlampp. Last year, Google announced it had been subject to ongoing attacks as part of Operation Aurora. A number of other companies were also included in Aurora, although there were other unrelated APT attacks on other large companies, as well.

APTs highlight the fact that attackers are looking for "new novel ways" to get into the network using advanced and highly targeted techniques, Schlampp said. Organizations need to make sure that their security defenses are collecting all the information so that if a breach occurs they are notified and can immediately perform root cause analysis to determine what happened, he said.

Schlampp wouldn't be surprised if RSA started offering network forensics and technology specifically geared towards dealing with APTs in the "coming days," he said. RSA has shown a lot of "integrity" in stepping up and acknowledging the breach, Schlampp said. That will go a long way towards restoring trust with customers, he suggested.