RSA: Data breach has made RSA stronger, says Tom Heiser

The data breach at RSA in March has made the security division of EMC more focused and more experienced, says RSA president Tom Heiser.

Warwick Ashford



The breach has also armed RSA with first-hand knowledge of what it is like to detect and mitigate the effects of an advanced persistent attack (APT), he told the RSA Conference Europe 2011 in London.

Tackling the issue head-on, he emphasised that RSA was quick to spot that the attack was in progress, communicate with customers, and provide a means of remediation, especially to the defence industry.

The fact that only one attack on an RSA customer in relation to the stolen data has been reported, and that the attack was thwarted, proves that the remediation efforts were effective, he said.

Heiser confirmed that the data breach was carried out by two groups acting on behalf of a nation state and was targeted at defence industry-related information.

The attack was specialised and sophisticated, he said, using freshly compiled malware that was highly tailored to RSA, mimicking RSA naming conventions in an attempt to avoid detection.

RSA was able to lock down its infrastructure almost immediately and limit the effects of the attack, said Heiser, thanks to quick detection by software from NetWitness, acquired by RSA in April.

The breach highlighted the fact that contemporary attacks are gaining the upper hand, attackers are developing new techniques very quickly, attacks are more likely to be "low and slow", and that people are making it easier for attackers by providing so much personal data online.

In the wake of the breach, RSA is sharing the lessons learned with any other organisation experiencing similar attacks.

First, it is important to stay close to stakeholders and share what you can without jeopardising ongoing investigations, said Heiser.

Second, organisations should never let a crisis go to waste. RSA is using the experience to change its internal culture, which includes breaking down silos within the organisation.

Third, organisations should encourage innovation and work towards company-wide responses to threats, not just responses from IT security.

Five ways to improve data defences

RSA has also drawn up five practices that it recommends organisations apply to improve defences around their information assets.

"Most organisations need a new strategy for security to ensure that when they are targeted, the loss or damage is limited," said Heiser.

1. Organisations should start by re-evaluating their risk, he said. This involves asking what could make them a target, what information they hold that could be valuable to attackers, how vulnerable they are to attack, and how they fit into the supply chain.

2. Organisations should rethink their protection against zero-day vulnerabilities. "Do not rely on signature-based detection, but also use behaviour-based detection systems," said Heiser.

3. Organisations should ensure they have security and network analysis capabilities. "Situational awareness is crucial in the face of contemporary threats," he said.

4. Harden authentication systems and tighten access control. This should include multi-authentication methods and a restricted number of logins.

5. Education about security issues across the organisation is important to ensure these are discussed and understood at board level. User awareness is also very important, said Heiser.

He also suggested that organisations review the access they allow to social media sites and that they block access to high-risk sites, as well as increase training about APTs and phishing attacks.

Heiser called on the security community to come together to share information to innovate and evolve defences. "Our adversaries are doing this well. We need to do it better," he said.
