Despite the major compromise of intellectual property related to its SecurID product line, RSA had implemented a process that limited what the hackers could get away with, the company's security architect told an audience Wednesday at SC Congress Canada in Toronto.
Speaking on a panel about how a properly implemented risk program can help defend against targeted attacks known as advanced persistent threats, Robert Griffin explained how the security firm's process of dynamics, adaptation, analytics and assessment prevented further damage from being done.
The assessment piece proved especially helpful, he said, because it allowed the company to pick up the tracks of the attackers, who gained their initial foothold when an employee opened a malicious attachment in a socially engineered email.
“Within six to eight hours, we could [identify] anomalous behavior of the core systems at RSA,” Griffin said.
Still, he acknowledged the skill of the adversaries, who used a zero-day vulnerability in Adobe Flash to install a variant of the Poison Ivy remote access trojan. He described the attack as “commercial cybercrime,” not much different from what one might find in a scenario where the bandits are after credit card numbers.
He said the hackers temporarily distracted the security team with a deliberately “noisy” attack on the company's personnel systems while they stealthily siphoned out the crown jewels related to RSA's SecurID tokens.
“They were after ways to compromise credentials, from the ground up, of our customers,” Griffin said.
RSA, which is owned by EMC, also blundered by failing to adequately lock down its access controls, which allowed the infiltrators to escalate to privileges they should not have had, he admitted.
Since the company disclosed the breach in March, the networks of at least two major defense contractors, Lockheed Martin and L-3, have been penetrated using the authentication information obtained in the RSA heist. RSA has since pledged to replace tokens for customers who want new ones.
The larger lesson of the SecurID breach is the need for visibility into an organization's risk posture, Griffin said.
He was joined on the panel by Jason Hall, the former director of risk and compliance at the Canadian Imperial Bank of Commerce.
Hall described his efforts to introduce a governance, risk and compliance program at the financial institution.
The biggest challenge, he said, was complexity because the implementation required him to wade through scores of dashboards, stakeholders, data sources, frameworks and assessments.
Hall recommended that audience members looking to launch a similar initiative define the process before they begin.