Last April’s RSA security breach was engineered by a nation-state whose ultimate goal was not to steal secrets about SecurID tokens but rather to use those secrets to compromise U.S. military contractors that protected their networks with the devices, RSA officials say.
To execute that scheme, the attackers started off by compromising the network of a trusted RSA business partner and used that infiltration to send a spear phishing email to an RSA employee who fell for the ruse, according to RSA officials talking at a recent meeting with reporters at its headquarters.
The company hosted a media day to air out the breach in an attempt to put it behind them before the RSA 2012 security conference that starts Feb. 27 and shift focus to its upcoming product road map. During the session executives talked about the breach in some detail, characterizing it as an unfortunate incident that has valuable lessons for any organization.
If breaking into a military contractor’s network was the ultimate goal of the RSA breach, the attackers were successful. RSA’s CEO Tom Heiser says the breach of Lockheed Martin’s network in May was made possible at least in part by the stolen RSA secrets. But, he says, that is the only known breach attributable to the theft. “There is no one [else] we know of that’s had an active attack due to RSA, period,” he says.
After an initial frantic period spent explaining to customers what happened and what to do about it, the company shifted to meeting customer demand for new tokens, despite RSA's belief that replacements weren't necessary. To do so it put in place half a dozen or so new robots, boosting production seven-fold, Heiser says.
Heiser seemed exhilarated recounting how the company responded to the breach, calling on teams of engineers to field customer questions and setting up a network of executives around the world to respond no matter the time of day.
Initially the company did triage – “to stop the bleeding” – and addressed customer needs and the safety of their networks, but during the summer it shifted to the offensive. It set up Project Phoenix, designed to put the focus on advanced threats like the one it fell prey to, and has held 15 to 20 small conferences around the world since then to discuss the problem, Heiser says.
He says customer satisfaction dipped right after the breach, when customers were mainly upset about the problems it was causing them. Now, though, they are committed to RSA products for the long term, he says. The company claims a net gain in customers since the breach.
Angry customers said immediately afterward that they weren’t getting enough information from RSA and that in order to get it had to sign non-disclosure agreements.
RSA Executive Chairman Art Coviello tries to put a rosy complexion on the impact of the breach. He claims RSA lost “not a single significant customer” as a result. “There was virtually non-existent churn that we’ve been able to detect,” he says. Overall, the company has about 35,000 SecurID customers.
The key to retaining customers affected by the breach is getting one-on-one meetings with them to explain what happened, Heiser says. When those happen, customers cool down and are willing to stick with the company, Heiser says.
Coviello says the company demanded the NDAs that rankled some customers so any information they might hear would not wind up in the hands of hackers.
The information about the breach that the company released to customers may have left them unsatisfied, but since only Lockheed has been affected, it seems to have been enough to mitigate the risks, he says. “I’m hard pressed to see what we could have done differently,” he says. “If you have a vulnerability in software do you announce to everybody that it exists or do you quietly fix it?”
Coviello says customers may be disconcerted but decided to stay with RSA and SecurID, at least in part because of the investment they have already made. They are convinced the technology still works and can see expanded roles for it as they roll out new infrastructure such as virtual desktops, he says. The company says it has a net increase of 1,000 new SecurID customers since the breach.
Coviello says the attack on RSA started at a company RSA did business with. “That environment was compromised specifically to get at us,” he says. The long timeframe for executing the attack indicates the attacker was a country as opposed to independent criminals. “We think we were attacked to get at the industrial-military base,” he says.
He has no smoking gun for what nation was behind the attack because it’s extremely difficult to trace the ultimate source of the attack and destination of the stolen data. “The trail gets cold very quickly,” Coviello says. “I don’t make any kind of assertion I can’t back up with fact.”
RSA did identify the employee who clicked on the malicious email attachment that launched the attack, but no punishment was meted out to that employee, he says.
The RSA attack was the start of 20 highly publicized attacks last year, says Dan Schiappa, senior vice president of identity and data protection. “That’s the new world we live in,” he says. “Before, attention was paid if your company was breached; now attention is paid when anybody is breached.”