Companies need to shift their security focus towards dealing with attackers once they are already inside, rather than assuming they can always be kept out, according to Australia and New Zealand RSA general manager Andy Solterbeck, whose message is that if it happened to RSA, it could happen to anyone.
The company this week released a report, "When Advanced Persistent Threats Go Mainstream" (PDF), which RSA developed based on discussions with the Security for Business Innovation Council. It defines an Advanced Persistent Threat (APT) as "a cyber attack that is highly targeted, thoroughly researched and tailored to a particular organisation".
RSA itself was the target of an APT in March this year, when attackers identified the company's HR staff via social media channels and then, using social engineering and a zero-day exploit, took control of one of RSA's computers to launch the attack from inside the network.
Speaking with ZDNet Australia on the report, Solterbeck said that APT attacks were now shifting towards commercial enterprises, like RSA, when they used to be confined to government agencies.
He said that while companies had been beefing up their perimeter-based security measures, such as firewalls and user-access-controlled environments, they needed to think more seriously about how to prepare for the eventuality that an attacker does breach those defences.
"Traditionally, we've done logging, we've done user-access control. Those tools, while absolutely important, now need to be adjuncted with full packet capture, session-aware tools. In other words, something that understands at a session and a user level, what transactions are actually occurring inside a customer's network."
In the case of RSA's own attack, Solterbeck said that it was "executed flawlessly" by the attackers, but was still detected due to the tools that RSA had employed.
"Our critical incident response group actually saw it in flight and mitigated against the attack, but not in time to stop them from taking some stuff out of our environment."
Solterbeck said that by using these sorts of tools, organisations could highlight any suspicious activity that was occurring in real time, and also go back on a packet-by-packet level post-attack and see what was taken.
He said that companies would be able to ask why users were establishing sessions to countries that they normally had no association with, and what files might be accessed during that session. He also referred to the ability to determine if a connection is suspicious based on its context.
"[If] I've seen this user come in on this machine, from this IP address, with this screen resolution, running these cookies before, I'll trust it and let them through. If, all of a sudden, this user is coming from another country on a different IP address, on a different machine form factor, I'm going to ask them to step up in authentication."
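The contextual check Solterbeck describes above, and the earlier point about users establishing sessions to countries they normally have no association with, can be sketched as a per-user baseline that a new login or session is compared against. The following is an added illustration, not RSA's product code and not code from the original article: the attribute names, weights, thresholds and every login record in it are assumptions or constructed sample data.

```python
"""Contextual (risk-based) login check with step-up authentication.

Added example for illustration; it is not RSA's product code and not code from
the original article. A per-user profile is built from previously trusted
logins, and each new attempt is scored by which context attributes (country,
IP address, device form factor, screen resolution, device cookie) have never
been seen for that user. Weights, thresholds, attribute names and all login
records below are assumptions / constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    user: str
    ip: str
    country: str        # ISO 3166 code from IP geolocation (assumed available)
    form_factor: str    # "desktop", "mobile", "tablet" ...
    screen: str         # e.g. "1920x1080", as reported by the browser
    device_cookie: str  # opaque token set on the browser after a trusted login


# Risk added by each attribute that is unfamiliar for this user (assumed weights).
WEIGHTS = {
    "country": 40,
    "ip": 15,
    "form_factor": 20,
    "screen": 10,
    "device_cookie": 25,
}
STEP_UP_THRESHOLD = 40  # at or above: demand a second factor
DENY_THRESHOLD = 90     # at or above: refuse and refer for review


class ContextProfile:
    """What has been seen before, per user and per attribute."""

    def __init__(self):
        self._seen = defaultdict(lambda: defaultdict(set))
        self._destinations = defaultdict(set)

    def learn_login(self, ctx: LoginContext) -> None:
        """Record a login that completed successfully (i.e. is now trusted)."""
        for attr in WEIGHTS:
            self._seen[ctx.user][attr].add(getattr(ctx, attr))

    def learn_session(self, user: str, dest_country: str) -> None:
        """Record a country this user has established outbound sessions to."""
        self._destinations[user].add(dest_country)

    def score(self, ctx: LoginContext):
        """Return (risk_score, unfamiliar_attributes) for a login attempt."""
        if ctx.user not in self._seen:
            # No history at all: nothing is familiar, but nothing contradicts
            # the attempt either, so force a step-up rather than a hard deny.
            return STEP_UP_THRESHOLD, ["no_history"]
        known = self._seen[ctx.user]
        unfamiliar = [a for a in WEIGHTS if getattr(ctx, a) not in known[a]]
        return sum(WEIGHTS[a] for a in unfamiliar), unfamiliar

    def decide(self, ctx: LoginContext):
        """Map the risk score to 'allow', 'step_up' or 'deny'."""
        risk, reasons = self.score(ctx)
        if risk >= DENY_THRESHOLD:
            return "deny", risk, reasons
        if risk >= STEP_UP_THRESHOLD:
            return "step_up", risk, reasons
        return "allow", risk, reasons

    def unfamiliar_destination(self, user: str, dest_country: str) -> bool:
        """True if this user has never before opened a session to that country."""
        return dest_country not in self._destinations[user]


def build_demo_profile() -> ContextProfile:
    """Constructed history for one user (documentation IP ranges); not real traffic."""
    profile = ContextProfile()
    for ctx in (
        LoginContext("alice", "203.0.113.10", "AU", "desktop", "1920x1080", "ck-alice-desk"),
        LoginContext("alice", "203.0.113.11", "AU", "desktop", "1920x1080", "ck-alice-desk"),
        LoginContext("alice", "198.51.100.7", "AU", "mobile", "1170x2532", "ck-alice-phone"),
    ):
        profile.learn_login(ctx)
    for dest in ("AU", "US"):
        profile.learn_session("alice", dest)
    return profile


if __name__ == "__main__":
    profile = build_demo_profile()
    attempts = [
        # Same desktop, new IP on the familiar network: low risk.
        LoginContext("alice", "203.0.113.99", "AU", "desktop", "1920x1080", "ck-alice-desk"),
        # Familiar device but from another country: step-up.
        LoginContext("alice", "192.0.2.5", "NZ", "desktop", "1920x1080", "ck-alice-desk"),
        # Everything differs at once: deny.
        LoginContext("alice", "192.0.2.5", "US", "tablet", "1024x768", "ck-unknown"),
    ]
    for ctx in attempts:
        print(ctx.country, ctx.form_factor, profile.decide(ctx))
    print("alice -> DE is unfamiliar:", profile.unfamiliar_destination("alice", "DE"))
```

The weights are the tunable part: a cookie the server itself set on the device is harder for an attacker to reproduce than a screen resolution, so it carries more weight, and a single unfamiliar IP on an otherwise known device stays below the step-up threshold so that ordinary address churn does not prompt users for a second factor on every login.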
Although he couldn't disclose any specifics, Solterbeck said that the contextual system was being used "in a significant number of online banking transaction environments" in Australia, and that there had been a significant increase in interest for these systems along with hardware- and software-based tokens.
Regarding RSA's own hardware tokens, Solterbeck reaffirmed the company's claim that its security breach had not affected the tokens, and that there was no reason not to use them, but that the company would continue to issue replacements for any customer that deemed it necessary to do so for its own reasons. AMP, Westpac and ANZ have already made the decision to replace them.