
Sunday, 22 January 2012

RSA SecurID breach: Executives try to repair tarnished image

BEDFORD, Mass. -- RSA executives are hopeful that the company is on its way to rebuilding its tarnished image following a major breach of its systems that weakened its SecurID two-factor authentication tokens.


Art Coviello, executive chairman of RSA, Thomas P. Heiser, president of RSA, and other senior executives invited the media to the company's corporate offices to describe how far the company has come since the SecurID breach in March 2011 and to lay out its vision for innovating on a product that hasn't changed much in 30 years. The company has been busy restoring trust among its largest customers over the past 10 months, they said.

While the security company's executives worked on improving its stature, other teams were busy retooling the manufacturing and distribution processes and replacing thousands and thousands of hardware tokens. The security division of EMC Corp. reported that the breach cost $63 million in initial expenses. Coviello said the breach put the company in a better position to discuss the hazards of state-sponsored cyberattacks. The company is also integrating its recent acquisition of NetWitness with its Archer compliance management platform.

“Security needs to be more intelligence-based and positioned to grasp that we're living in an environment of advanced threats,” Coviello said. “It's not an issue of if and when, it's the way you may be able to respond and shrink the window of opportunity so while you are breached one could respond timely enough to mitigate any damage.”

The days immediately following the discovery that an attacker had successfully penetrated the company's systems were among the darkest for RSA, Heiser said. The company's secret sauce, the intellectual property behind its flagship product, was accessed.

“It was hell to pass through what we did,” Heiser said. “We had absolutely flat decision making; there was no hierarchical decision making. We would have liked to determine methods to get out of this, because we were getting pummeled.”

The company increased its manufacturing capability sevenfold, engaged its largest customers to explain the attack in detail and later took its story on the road in nearly two dozen advanced threat summits held in many locations.

Coviello said investigators learned that the initial attack started at a third party, setting the stage for the attackers to design a targeted social engineering attack against RSA employees. Using a spear phishing campaign, the attackers lured an employee into retrieving a message from the junk mail folder and opening a Microsoft Excel spreadsheet that exploited an Adobe Flash zero-day vulnerability. From there, the attackers moved to other systems, elevating their privileges until they could gain access to RSA's proprietary data.

“We believed we were attacked for the needs of having to the country's government and industrial base,” Coviello said. “We believed we had an overly strong security system in place before the breach and we redoubled our efforts around the entire spectrum, including our communication with employees.”

Breach served as fuel for innovation
While the breach was one of the company's darkest days, it also served as a wake-up call to reinvigorate a product that hasn't changed much since its inception.

While the company has added new SecurID customers, it has worked on rolling out its mobile strategy, introducing a software development kit that gives banks the ability to build SecurID into mobile banking applications, said Dan Schiappa, senior vice president of products at RSA. SecurID is also available as a mobile app, enabling employees to ditch the SecurID key fob and use their smartphone to authenticate.

“It's about extending SecurID to having a more mainstream application,” he said.

Schiappa acknowledged that the company didn't lose any customers as a result of the breach because SecurID is extremely “sticky,” meaning it's difficult to rip out and replace the technology without disrupting employees. Competitors also haven't proven that their two-factor authentication products are safer.

The company is also busy with a project code-named “RSA Pegasus,” in which engineers are designing identity and information protection technologies for securing virtualization and cloud-based systems. The focus is on access management and cloud-based employee provisioning and deprovisioning, Schiappa said.

“While the last year has been extremely difficult, it has also reinvigorated everyone,” Schiappa said.

Bret Hartman, CTO of RSA, said the company is looking at mobile as a way of incorporating geolocation data and biometrics into the authentication process. In addition, engineering teams are developing ways to automate threat sharing between businesses and their partners. The company sees a need to apply analytics to threat analysis, he said.

The company's engineers are also looking at ways companies can manage risks in virtualized infrastructure, Hartman said. VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, released Vblock in August, integrating RSA's Archer governance, risk and compliance platform around the virtualization layer.

“We have an excessively strong partnership with Intel and we believe in hardware-based security to get below the appliance and OS layer,” Hartman said.
