Less than a month after a sophisticated attack successfully breached its signature product line, RSA, the Security Division of EMC Corp., announced today it will be integrating the company and technology central to the investigation of the attack.
In a letter posted online, NetWitness Corp. CEO Amit Yoran announced that EMC acquired the Virginia-based network security monitoring company. Terms were not announced; a press release this morning said the deal closed on Friday.
"The intensity and sophistication of advanced adversaries and zero-day malware challenge every organization to rethink traditional approaches to network security," said RSA president Tom Heiser in a release. "NetWitness has redefined the security landscape, providing a powerful solution for organizations seeking to gain immediate insight, precise clarity and timely closure in the face of the toughest cyber threats."
NetWitness was long rumored to be seeking out a company to acquire it, analysts said. The vendor has little competition and its monitoring and analysis platform has been popular in the federal government, said Jon Oltsik, principal analyst at Enterprise Strategy Group. The vendor has been attempting to gain broader adoption in the private sector, he said. The technology would fit in with RSA's enVision decurity information and event management (SIEM) products, which use data from other sources to get a broader view of a company's security posture, Oltsik said.
"It makes for a pretty good blend," Oltsik said of the acquisition. "Enterprises have looked at point tools for years and now they're trying to transition to a more strategic view of security and this enables that."
Avivah Litan, vice president at Gartner Inc., also called the acquisition a good fit for RSA, which is known for its user authentication capabilities. "RSA already has user and account monitoring, but they don't offer site monitoring and that's what NetWitness gives them," Litan said.
Details about the attack on RSA SecurID, the company's trademark two-factor authentication technology, have been slow to emerge. On Friday, the company briefed industry analysts, providing the most insight on what CEO Art Coviello labeled an APT attack against RSA. Officials from RSA told analysts Friday that the attack began with a spear phishing campaign against a segment of RSA employees. The subject line "2011 Recruitment Plan" was effective enough for some employees to retrieve the email out of their spam folders and open the infected attached Excel spreadsheet. A Flash object embedded in the spreadsheet was a zero-day exploit of an Adobe vulnerability that downloaded a Trojan on the user's machine. The Trojan began harvesting credentials and the attackers eventually reached the systems they were targeting related to SecurID.
RSA said it saw the attack via a NetWitness tool it uses internally, which alerted RSA administrators and subsequently stopped the attack.
NetWitness was founded in 2006 and has a presence inside some high-end enterprises and government agencies. The release this morning said NetWitness will be part of RSA's line of security management tools, alongside RSA enVision, DLP and CyberCrime Intelligence Service.