The chairman of security firm RSA has said the company would now be able to block the attack by a nation state that in 2011 stole information related to its SecurID two-factor authentication.
While RSA was able to detect the breach while it was in process, the attackers were still able to extract data relating to the authentication system from an RSA file server.
Today RSA chairman Art Coviello believes RSA would be able to spot the abnormal network traffic as attackers prepare to move data in time to prevent information from being extracted.
"We were within a whisker of stopping that attack altogether with the continuous monitoring capability. I would like to think that today we would be able to stop that attack altogether from having exfiltration," he told the EMC World 2013 conference in Las Vegas.
"We wouldn't necessarily be able to keep them out, but we would be able to detect the attack timely enough to prevent any loss."
Coviello believed RSA would be able to spot the attack using its Security Analytics suite, which he said offered users a real-time, easily searchable view of the network.
"It's a product that combines the log data with the [network] packets and other contextual information and we can correlate it and analyse at speeds we couldn't [before]," he said.
"It's about seeing the signal in the noise, there's always going to be some anomalous behaviour and if you've got a fast enough processing engine, which we believe we do, you'll be able to see that signal."
At the time of the attack, RSA did not have a real-time view of information from its network logs. It was using NetWitness monitoring software to capture network packets and a separate product called RSA enVision to collect, archive and analyse logs.
"Keeping logs and data for years works but when you can't get that data out in a timely fashion it's not useful for you from a security perspective," said RSA systems engineer MJ Knudsen, adding that compiling a report from these logs could take hours to days.
The Security Analytics suite used by RSA today features a newer version of NetWitness that continuously captures network packets and pulls data from network logs, with its base configuration able to handle 3Gbps of network traffic or 30,000 events per second in logs.
NetWitness is built on three appliances. The NetWitness decoder appliance can capture and parse data from network traffic from OSI layers two to seven and from network logs. It then tags the data — for example, identifying things such as source and destination IP address for network traffic, or unusual behaviour such as suspicious HTTP headers. This process creates an ontology of searchable metadata that describes the network.
A separate appliance extracts and indexes that metadata and presents it to a third appliance, a query engine that gives users a real-time, hierarchical view of the network which can be drilled into through a single web interface.
The system is scalable; as network traffic grows, additional appliances can be added to retain a real-time view of the network.
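The decode, index and query stages described above, as an added illustration that is not RSA's code: constructed session summaries stand in for the decoder's parsed packets and logs, a baseline header set and an internal-network list are assumed, and the final drill-down totals outbound bytes per source, the kind of exfiltration signal Coviello says the suite would now surface.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sessions (no real traffic): what a decoder might emit
# after parsing packets and logs, before tagging.
SESSIONS = [
    {"id": 1, "src": "10.0.0.5", "dst": "198.51.100.7", "bytes": 4_200, "headers": ["Host", "User-Agent", "Accept"]},
    {"id": 2, "src": "10.0.0.5", "dst": "203.0.113.9", "bytes": 48_000_000, "headers": ["Host", "User-Agent", "X-Chunk-Id"]},
    {"id": 3, "src": "10.0.0.8", "dst": "10.0.0.20", "bytes": 9_000_000, "headers": []},
    {"id": 4, "src": "10.0.0.5", "dst": "203.0.113.9", "bytes": 51_000_000, "headers": ["Host", "X-Chunk-Id"]},
]
# Assumed baseline: header names normally seen; anything else is tagged as unusual.
BASELINE_HEADERS = {"Host", "User-Agent", "Accept", "Content-Type", "Content-Length", "Cookie"}
# Assumed internal address space; destinations outside it count as outbound.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def decode(session):
    """Decoder stage: turn a parsed session into tagged metadata."""
    dst = ipaddress.ip_address(session["dst"])
    internal = any(dst in net for net in INTERNAL_NETS)
    odd = [h for h in session["headers"] if h not in BASELINE_HEADERS]
    return {"id": session["id"], "src_ip": session["src"], "dst_ip": session["dst"],
            "direction": "internal" if internal else "outbound",
            "bytes": session["bytes"], "unusual_header": bool(odd)}

def build_index(metadata):
    """Concentrator stage: invert every tag into value -> set of session ids."""
    index = defaultdict(lambda: defaultdict(set))
    for m in metadata:
        for key, value in m.items():
            if key != "id":
                index[key][value].add(m["id"])
    return index

def query(index, **where):
    """Broker stage: intersect tag filters, e.g. query(idx, direction="outbound")."""
    hits = None
    for key, value in where.items():
        ids = index[key][value]
        hits = ids if hits is None else hits & ids
    return sorted(hits or [])

def outbound_bytes_by_src(metadata, threshold):
    """Drill-down: bytes leaving the network per source, keeping sources over threshold."""
    totals = defaultdict(int)
    for m in metadata:
        if m["direction"] == "outbound":
            totals[m["src_ip"]] += m["bytes"]
    return {src: total for src, total in totals.items() if total > threshold}
```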
In his speech at EMC World, Coviello emphasised that, as there was no guaranteed way of keeping a determined attacker from penetrating an organisation's systems, security investments needed to go beyond perimeter defences to technology such as Security Analytics that could spot anomalous behaviour within the network.
"This intelligence-driven model is future proof," he said. "It won't stop all attacks but it will give us the capability to minimise the damage from attacks as we will be able to detect and respond. We will have the adaptive capacity to learn and understand from the attack environment the changes that might make us more vulnerable."