RSA SecurID: Hacked but Not UnWitnessed

eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

/images/stories/knowledge_center/analysts_corner.gifIt’s now been a little over four weeks since RSA SecurID, the famed two-factor authentication user token system, was hacked. It had long been assumed that this system was hack-proof given its record of security enablement at some of the largest corporations and government agencies. Yet, in the end, like most security breaches, it was compromised as a result of human error and not holes in the technology.

It’s important to note exactly what happened as it indicates why current user security models are flawed. This is why I recommend implementing new, comprehensive models just emerging that will enable the next generation of protection in an increasingly sophisticated world of cyber attacks on companies and individuals. While all the details are not yet public (RSA rightly wants to keep some of the lower-level details private to prevent copycat attacks), enough of the details have surfaced that companies can learn from them and hopefully prevent similar attacks.

So, what happened? In a nutshell, a phishing e-mail message was sent to some lower-level personnel entitled “2011 Recruitment Plan.” It included an Excel spreadsheet with a zero-day exploit Flash file. One or more of the recipients opened the file, thinking it was legitimate. The exploit then retrieved the user ID and password and established a connection on the SecureID server. There it gathered a number of data files and transferred them to a compromised staging server at a hosting provider. From there, the data was transferred to a remote server.

What is important to note is that RSA was able to catch this breach in process and halt it in near real time (although it was not able to prevent at least some sensitive information from escaping). This extraordinary defense was mounted because RSA was not just looking at log-in authorization and credentials, but was monitoring and analyzing all traffic exiting its network. As a result, RSA was able to determine that this connection was making unauthorized use of sensitive data, and was able to rapidly cut off access.

Real-Time Monitoring and Analysis Is Key

Real-time monitoring and analysis is key

This real-time monitoring and analysis is the key to ensuring future security against new age data breaches, but which very few companies currently have in place. It’s nearly impossible to prevent human error-created invasions such as this one where a user opened an infected file. No traditional, PC-installed antivirus or antimalware solution (for example, McAfee and Symantec) prevents this. As these so-called Advanced Persistent Threat (APT) attacks become more sophisticated (often through sponsorship of state-funded actors or other well-financed hackers), the types and amount of data loss will grow.

I believe that data protection must dramatically and fundamentally change if enterprises want to protect their most valuable assets (see my January 2011 research brief). It is no longer safe to protect only your endpoint. It is now mandatory to encompass a fresh approach where all data is monitored and checked before exiting the corporate firewall, and evaluated as to whether or not it should be made available to the outside world (including to “trusted” remote users). This requires high-speed packet interception, examination and evaluation-which must be done in real time if protection is to be effective. It’s why many of the security companies such as McAfee and Symantec are moving to more cloud-based interactions. It’s also why companies such as Cisco and Juniper are becoming security companies as well as network infrastructure companies.

Employing this changing landscape of security technologies is even more critical as companies adopt a cloud-centric position. Companies that provide cloud-based access-whether through internal servers or via a service provider-must have a network-based “watchdog” service or they’ll face an increasing amount of escaped data and undetected exploits. To provide such services, RSA has announced that it is purchasing NetWitness, a company that monitors all data packets over the network, deconstructs the packet and evaluates the contents based on predetermined rules. It then prevents or allows the data to exit the corporate network-all in real time. In fact, RSA used this technology to discover and stop the attack on SecurID in near real time.

Data monitoring and remediation in real time is what is required to secure data in our hyperconnected world by scrutinizing data content and behavior and stopping any breaches before they escape-regardless of the human or technology errors that allow it to happen. Other cloud services-based providers-for example, Cisco, Microsoft and Amazon-must have a similar solution or face a competitive disadvantage (and expose a huge security hole). Of course, RSA, which is owned by EMC, will no doubt make this capability a key component of EMC’s cloud-based offerings. Organizations concerned with security must demand such services if they are to protect their data from loss. Private clouds (for example, those behind the corporate firewall) must include a real-time data monitoring component to provide next-generation security and data leakage prevention.

The bottom line

Enterprises will have to migrate to newer models of security in the never-ending fight against increasingly sophisticated hackers and growing data loss which may even go undetected. While traditional endpoint solutions will not go away, they cannot prevent the phishing/human error APT and zero-day attacks becoming more common. Real-time packet monitoring-to evaluate and control data on the network-is the next important step in securing corporate assets. It must become a component of all enterprise security operations-especially in cloud-based systems. This is the only way to discover and stop the increasingly sophisticated attacks emerging from well-funded, expert hackers.

Jack E. Gold is the founder and Principal Analyst at J. Gold Associates, an IT analyst firm based in Northborough, Mass., covering the many aspects of business and consumer computing and emerging technologies. Jack is a former VP of Research Services at the META Group. He has over 35 years experience in the computer and electronics industries. He can be reached at jack.gold@jgoldassociates.com.