On March 17, security vendor RSA (a division of EMC) revealed that its security had been breached and that the stolen data could compromise the effectiveness of its widely used SecurID authentication solution. The perpetrator staged a sophisticated, focused, multi-stage attack – known as an Advanced Persistent Threat (APT). Though RSA was able to detect the attack and contain the damage, data was lost that RSA says would not enable a direct attack on a SecurID implementation, but could reduce its effectiveness. This explanation is admittedly vague, but RSA claims that broadly disclosing additional details is not in the interest of its customers. They are probably right.
On Friday, April 1 RSA released additional details about the attack. Per the figure below from RSA, the APT included a highly focused phishing effort, weaponized via a zero day (previously unseen) Adobe Flash exploit embedded in a Microsoft Excel spreadsheet. From the initially compromised systems, the attackers fanned out, collecting the credentials necessary to access the systems containing data they were after.
Some in the industry have focused on whether or not RSA did enough to protect this data, what defenses they used or didn’t, and so on. Frankly, this misses a greater truth: sooner or later, most organizations will be breached.
This doesn’t mean, of course, that firms should give up. But at some point additional defenses simply aren’t practical or economically justified based on the current perception of risk or other organizational realities. To cope, firms must have an incident response process in place to minimize damages in the event of a breach through rapid detection and response. For example, in RSA’s case, technology – including network monitoring systems from NetWitness (whom RSA has just purchased) – provided early warning of the breach, enabling RSA to respond quickly.
Even monitoring intelligence within the enterprise has its limitations, especially since much of it necessarily revolves around managing known threats. Going forward, there is a significant opportunity to leverage security intelligence from the Internet itself to glean insight that firms can’t possibly gain from their own systems. For example, startups like Damballa detect command-and-control communications and thus can help flag an initial infection, even one delivered by a zero-day exploit, potentially before theft or other damage can occur. Meanwhile, infrastructure providers like VeriSign meld insight from monitoring DNS with other threat intelligence (from its iDefense service) to similarly keep firms ahead of threats. Network operators like Verizon help customers stay smart and agile by tapping the cracker-jack expertise of their security professional services group.
These are just a few examples. The unifying theme is that in today’s highly internetworked, increasingly professionally motivated threat environment, the next major security advance is unlikely to be a new defensive measure within the enterprise. It will come from the outside – dare I say it, the cloud.