It’s important to note exactly what happened as it indicates why current user security models are flawed. This is why I recommend implementing new, comprehensive models just emerging that will enable the next generation of protection in an increasingly sophisticated world of cyber attacks on companies and individuals. While all the details are not yet public (RSA rightly wants to keep some of the lower-level details private to prevent copycat attacks), enough of the details have surfaced that companies can learn from them and hopefully prevent similar attacks.
So, what happened? In a nutshell, a phishing e-mail message entitled “2011 Recruitment Plan” was sent to some lower-level personnel. It included an Excel spreadsheet carrying a Flash file with a zero-day exploit. One or more of the recipients opened the file, thinking it was legitimate. The exploit then retrieved the user ID and password and established a connection on the SecurID server. There it gathered a number of data files and transferred them to a compromised staging server at a hosting provider. From there, the data was transferred to a remote server.
What is important to note is that RSA was able to catch this breach in process and halt it in near real time (although it was not able to prevent at least some sensitive information from escaping). This extraordinary defense was mounted because RSA was not just looking at log-in authorization and credentials, but was monitoring and analyzing all traffic exiting its network. As a result, RSA was able to determine that this connection was making unauthorized use of sensitive data, and was able to rapidly cut off access.
Real-Time Monitoring and Analysis Is Key
This real-time monitoring and analysis is the key to ensuring future security against new-age data breaches, yet very few companies currently have it in place. It’s nearly impossible to prevent human-error intrusions such as this one, where a user opened an infected file. No traditional, PC-installed antivirus or antimalware solution (for example, McAfee and Symantec) prevents this. As these so-called Advanced Persistent Threat (APT) attacks become more sophisticated (often through sponsorship by state-funded actors or other well-financed hackers), the types and amount of data loss will grow.
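As an added illustration of the egress-side monitoring credited above with catching the breach (scrutinizing what leaves the network rather than only who logged in), here is example code written for this page; it is not RSA's product, nor anything the article describes in detail. It runs a sliding-window volume check over constructed flow records and raises an alert when an internal host pushes an unusual amount of data to an external host that is not on a sanctioned list. The record format, address ranges, allow list and thresholds are all assumptions chosen for the example.

```python
"""Egress-side exfiltration detector over constructed flow records.

Demonstrates the article's point: watch what leaves the network, not only
who logged in, and flag an internal host that starts pushing large volumes
to an outside party it has no sanctioned relationship with. Every address,
byte count and threshold here is constructed for this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed internal address space (constructed; substitute your own CIDRs).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# External hosts bulk transfers are expected to reach (constructed allow
# list, e.g. a sanctioned backup provider); all other external hosts are
# "unknown" and subject to the volume check.
SANCTIONED_DESTINATIONS = {"203.0.113.10"}
# Alert when one internal host sends more than BYTE_THRESHOLD bytes to one
# unknown external host within a sliding window of WINDOW_SECONDS.
BYTE_THRESHOLD = 50 * 1024 * 1024   # 50 MiB (constructed tuning value)
WINDOW_SECONDS = 300                # 5 minutes


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds at which the flow was exported
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent src -> dst


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    bytes_in_window: int
    first_ts: int   # oldest record still inside the window that tripped


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def load_flows(text: str) -> list[Flow]:
    """Parse 'ts src dst dport bytes' lines (a constructed record format,
    not any real flow exporter's)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, nbytes = line.split()
            flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def detect_exfil(flows, threshold=BYTE_THRESHOLD, window=WINDOW_SECONDS) -> list[Alert]:
    """Sliding-window volume check on internal -> unknown-external traffic.
    Emits at most one Alert per (src, dst) pair, the first time the bytes
    sent inside the window exceed the threshold."""
    history: dict[tuple[str, str], list[tuple[int, int]]] = defaultdict(list)
    alerts: list[Alert] = []
    seen: set[tuple[str, str]] = set()
    for f in sorted(flows, key=lambda fl: fl.ts):
        # Only egress counts: internal source, external destination.
        if not is_internal(f.src) or is_internal(f.dst):
            continue
        if f.dst in SANCTIONED_DESTINATIONS:
            continue
        key = (f.src, f.dst)
        hist = history[key]
        hist.append((f.ts, f.bytes_out))
        while hist and hist[0][0] < f.ts - window:   # age out old records
            hist.pop(0)
        total = sum(b for _, b in hist)
        if total > threshold and key not in seen:
            seen.add(key)
            alerts.append(Alert(f.src, f.dst, total, hist[0][0]))
    return alerts


# Constructed sample: ordinary browsing from 10.0.1.15, a sanctioned backup
# push from 10.0.5.20, then the same server moving 60 MB in four minutes to
# an unknown external host. Addresses come from RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
1700000000 10.0.1.15 192.0.2.44 443 48211
1700000030 10.0.5.20 203.0.113.10 443 80000000
1700000060 10.0.5.20 198.51.100.77 443 15000000
1700000120 10.0.5.20 198.51.100.77 443 15000000
1700000180 10.0.1.15 192.0.2.44 443 12044
1700000240 10.0.5.20 198.51.100.77 443 15000000
1700000300 10.0.5.20 198.51.100.77 443 15000000
1700000900 10.0.5.20 198.51.100.77 443 15000000
"""


if __name__ == "__main__":
    for a in detect_exfil(load_flows(SAMPLE_FLOWS)):
        print(f"ALERT {a.src} -> {a.dst}: {a.bytes_in_window} bytes since "
              f"{a.first_ts}; candidate for an egress block")
```

Run as a script it prints one alert for 10.0.5.20 sending 60,000,000 bytes to 198.51.100.77; the larger push to the sanctioned backup address and the small browsing flows are ignored, and the late record at 1700000900 falls outside the window. In practice the alert would feed an automated block or an analyst queue, which is the "cut off access" step the article describes; the volume threshold and allow list are the two knobs a team would tune against its own baseline.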
I believe that data protection must dramatically and fundamentally change if enterprises want to protect their most valuable assets (see my January 2011
Employing this changing landscape of security technologies is even more critical as companies adopt a cloud-centric position. Companies that provide cloud-based access, whether through internal servers or via a service provider, must have a network-based “watchdog” service or they’ll face an increasing amount of escaped data and undetected exploits. To provide such services, RSA has announced that it is purchasing
Data monitoring and remediation in real time is what is required to secure data in our hyperconnected world: scrutinizing data content and behavior and stopping any breach before it escapes, regardless of the human or technology errors that allow it to happen. Other cloud services-based providers (for example, Cisco, Microsoft and Amazon) must have a similar solution or face a competitive disadvantage (and expose a huge security hole). Of course, RSA, which is owned by EMC, will no doubt make this capability a key component of EMC’s cloud-based offerings. Organizations concerned with security must demand such services if they are to protect their data from loss. Private clouds (for example, those behind the corporate firewall) must include a real-time data monitoring component to provide next-generation security and data leakage prevention.
The bottom line
Enterprises will have to migrate to newer models of security in the never-ending fight against increasingly sophisticated hackers and growing data loss, which may even go undetected. While traditional endpoint solutions will not go away, they cannot prevent the phishing/human-error APT and zero-day attacks that are becoming more common. Real-time packet monitoring, to evaluate and control data on the network, is the next important step in securing corporate assets. It must become a component of all enterprise security operations, especially in cloud-based systems. This is the only way to discover and stop the increasingly sophisticated attacks emerging from well-funded, expert hackers.
Jack E. Gold is the founder and Principal Analyst at J. Gold Associates, an IT analyst firm based in Northborough, Mass., covering the many aspects of business and consumer computing and emerging technologies. Jack is a former VP of Research Services at the META Group. He has over 35 years’ experience in the computer and electronics industries. He can be reached at email@example.com.