BEDFORD, MASS. --- RSA executives are hopeful that the company is well on its way to rebuilding its tarnished image following a massive breach of its systems that weakened its SecurID two-factor authentication tokens.
Art Coviello, executive chairman of RSA, Thomas P. Heiser, president of RSA, and other senior executives invited media to the company’s corporate offices to explain how far the company has come since the SecurID breach in March of 2011 and to lay out its vision for innovating on a product that hasn’t changed much in 30 years. The company has been busy restoring trust among its largest customers over the last 10 months, they said.
While the security company’s executives work on improving its stature, other teams have been busy retooling the manufacturing and distribution processes and replacing tens of millions of hardware tokens. The security division of EMC Corp. reported its breach cost $63 million in initial expenses. Coviello said the breach put the company in a better position to speak about the dangers of state-sponsored cyberattacks. The company is also integrating its recent acquisition of NetWitness with its Archer compliance management platform.
“Security has to be more intelligence-based and positioned to understand that we’re living in an environment of advanced threats,” Coviello said. “It’s not a matter of if and when, it’s how you are able to respond and shrink the window of opportunity so when you are breached you can respond timely enough to mitigate any damage.”
The days immediately following discovery that an attacker successfully penetrated the company’s systems were among the darkest for RSA, Heiser said. The company’s secret sauce, the intellectual property of its flagship product, had been accessed.
“It was hell to live through what we did,” Heiser said. “We had absolutely flat decision making; there was no hierarchical decision making. We needed to figure out how to get out of this, because we were getting pummeled.”
The company increased its manufacturing capability sevenfold, engaged its largest customers to explain the attack in detail and later took its story on the road in nearly two dozen advanced threat summits held around the world.
Coviello said investigators learned the initial attack started at a third party, setting the stage for cybercriminals to design a targeted social engineering attack against RSA employees. Using a spear phishing campaign, the attackers lured an employee into retrieving a message from the junk mail folder and opening a Microsoft Excel spreadsheet that exploited an Adobe Flash zero-day vulnerability. From there, the attackers targeted other systems, elevating their privileges until they could gain access to RSA’s proprietary data.
“We believed we were attacked for the purposes of getting to the country’s government and industrial base,” Coviello said. “We believed we had a very strong security system in place before the breach and we redoubled our efforts across the entire spectrum, including our communication with employees.”
Breach served as fuel for innovation
While the breach was among the company’s darkest days, it also served as a wake-up call to reinvigorate a product that hasn’t changed much since its inception.
While the company has added new SecurID customers, it worked on rolling out its mobile strategy, introducing a software development kit that gives banks the ability to build SecurID into mobile banking applications, said Dan Schiappa, senior vice president of products at RSA. RSA SecurID is also a mobile app, enabling employees to ditch the SecurID keyfob and use their smartphone to authenticate.
“It’s about extending SecurID to having a more mainstream application,” he said.
Schiappa acknowledged that the company didn’t lose any customers as a result of the breach because SecurID is very “sticky,” meaning it’s difficult to rip and replace the technology without disrupting employees. Competitors also haven’t proven that their two-factor authentication products are more secure.
The company is also busy with a project code-named “RSA Pegasus,” in which engineers are designing identity and data protection technologies for securing virtualization and cloud-based systems. The focus is on access management and cloud-based employee provisioning and deprovisioning, Schiappa said.
“While the last year has been extremely difficult, it’s also reinvigorated all of us,” Schiappa said.
Bret Hartman, CTO of RSA, said the company is looking at mobile as a way of incorporating geolocation data and biometrics into the authentication process. In addition, engineering teams are developing ways to automate threat sharing between businesses and their partners. The company sees a need to apply analytics to threat analysis, he said.
The company’s engineers are also looking at ways companies can manage risks in virtualized infrastructure, Hartman said. VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, released Vblock in August, integrating RSA’s Archer governance risk and compliance platform across the virtualization layer.
“We have a very strong partnership with Intel and we believe in hardware-based security to get below the application and OS layer,” Hartman said.