Would you trust security advice from a vendor whose own network has been breached?
Australian and New Zealand clients of security specialist RSA should, says the company’s Australia/NZ manager Andy Solterbeck, even though the company fell victim to a major complex attack, branded an Advanced Persistent Threat, in March this year.
RSA’s threat detection strategies performed and should be trusted, Solterbeck says, because “we caught [the intrusion] in flight. We don’t know of another commercial organisation that has done that [with a threat of this complexity].” In other recent complex attacks, such as the one last year dubbed “Operation Aurora”, the targets, which included Google and Adobe, only became aware of the incident when notified by US government sources, Solterbeck says.
The complex attack on RSA’s own network left some doubt in customers’ minds as to the continued security of the company’s SecurID two-factor authentication system. The most pessimistic scenario was that the intruders had enough data to compromise SecurID tokens worldwide.
“We now know what they got,” Solterbeck says, but he declines to go into details.
RSA moved immediately to notify users; Solterbeck and his own staff contacted “most large customers” in the region personally, but contact with others was made through distributors and resellers. Customers were offered the option of having their SecurID tokens recalled and reissued. The number of customers taking advantage of this course was “less than we expected”, he said.
As to whether the intrusion scared off any current or potential customers in the Australia and New Zealand region, “I can only go by the figures,” he says; last quarter and this quarter brought RSA “record” business.
The volume of customer concern was rather higher in Australia than the international average, he says, but this may have been because “the press in Australia was very active” on the issue or because of emergence of the story at an appropriate point in the daily and weekly news cycle in this part of the world.
New Zealand users, however, did not show above-average levels of concern, he says.
The “advanced persistent threat” involved a combination of attack vectors, starting with a “social engineering” approach to selected RSA employees via Facebook, followed by their being sent a file baited with malware using a zero-day-exploit in Adobe Flash.
Like the Aurora attacks, the RSA intrusion almost certainly came from a “nation-state actor”, says Solterbeck. The evidence for this, apart from the complexity and probable high cost of the methods, is that the only subsequent intrusion where the RSA information was probably used was an attack in May on the systems of defence contractor Lockheed-Martin. That attack, Solterbeck emphasises, was unsuccessful.
Complex and state-sponsored threats do, however, mark an escalation in the threat landscape, he says, demanding a different response from the conventional malware checkers. More “analytic and forensic” monitoring is needed, to detect and understand threats on-the-fly to a fine level of detail.
In April, RSA’s parent, EMC, acquired Virginia-based NetWitness, which specialises in such monitoring and analysis software.
Secondly, organisations should change the way they govern and manage risk, Solterbeck says, moving from unsatisfactorily “siloed” measures to centralised processes with good governance and an emphasis on quantifiable risk minimisation.
Another trend in response to the escalating threat has been a move from straightforward two-factor authentication to “adaptive authentication”, which takes note of unfamiliar patterns of usage, such as a logon from a terminal in a place not usually associated with that user; in that case, the user will be asked to supply another piece of identity information before being given access.
Fourthly, he says, there is an increasing amount of inter-company collaboration on security measures among major companies such as Microsoft, VMware and Cisco to mount a multi-vector coordinated defence to complex threats.
But ultimately, approaches to nation-state-scale threats must move into the political realm, he says.
“Governments must become clearer about the kind of behaviour they expect from other nation-states on this front,” particularly states with whom they have a trading relationship and on whom they can potentially exert economic muscle.