<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>Speaking of Security - The RSA Blog and Podcast</title>
	<atom:link href="http://blogs.rsa.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.rsa.com</link>
	<description>The Security Blog for Security Professionals</description>
	<lastBuildDate>Mon, 20 May 2013 21:58:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5</generator>
<!-- podcast_generator="Blubrry PowerPress/4.0.7" -->
	<itunes:summary>The Speaking of Security podcast features lively discussion with industry experts on the latest issues and trends in the security industry.</itunes:summary>
	<itunes:author>RSA, The Security Division of EMC</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png" />
	<itunes:owner>
		<itunes:name>RSA, The Security Division of EMC</itunes:name>
		<itunes:email>podcast@rsa.com</itunes:email>
	</itunes:owner>
	<managingEditor>podcast@rsa.com (RSA, The Security Division of EMC)</managingEditor>
	<itunes:subtitle>The Security Blog for Security Professionals</itunes:subtitle>
	<itunes:keywords>Security, Cyber Crime, APTs, Sam Curry, RSA, EMC, Advanced Persistent Threats, Fraud</itunes:keywords>
	<image>
		<title>Speaking of Security - The RSA Blog and Podcast</title>
		<url>http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png</url>
		<link>http://blogs.rsa.com</link>
	</image>
	<itunes:category text="Technology">
		<itunes:category text="Tech News" />
		<itunes:category text="Podcasting" />
	</itunes:category>
		<item>
		<title>Don’t Fear the Hangover – Network Detection of Hangover Malware Samples</title>
		<link>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=dont-fear-the-hangover-network-detection-of-hangover-malware-samples</link>
		<comments>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/#comments</comments>
		<pubDate>Mon, 20 May 2013 21:02:10 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cybercrime and Fraud]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9109</guid>
		<description><![CDATA[Today, Norman and Shadowserver released a paper that revealed a large attack infrastructure in which they detailed an ongoing campaign, running as far back as September 2010.  This campaign, reportedly run out of India, used spear-phishing attacks and multiple strains of malware to breach targets of interest and extract data.]]></description>
				<content:encoded><![CDATA[<p><em>By Alex Cox, Senior Researcher, RSA FirstWatch team</em></p>
<p>Today, <span style="text-decoration: underline;"><strong><a href="http://blogs.norman.com/" target="_blank">Norman</a></strong></span> and <span style="text-decoration: underline;"><strong><a href="http://www.shadowserver.org/wiki/" target="_blank">Shadowserver</a></strong></span> released a paper that revealed a large attack infrastructure in which they detailed an ongoing campaign, running as far back as September 2010.  This campaign, reportedly run out of India, used spear-phishing attacks and multiple strains of malware to breach targets of interest and extract data.</p>
<p>The details of this case can be researched in the following paper:</p>
<p><span style="text-decoration: underline;"><strong><a href="http://blogs.norman.com/2013/security-research/the-hangover-report">http://blogs.norman.com/2013/security-research/the-hangover-report</a></strong></span></p>
<p>Due to our industry ties, the RSA FirstWatch team was able to obtain an advance copy of the paper, and in doing so we were able to collect over 700 of the detailed malware samples referenced in the report for analysis.</p>
<p>This analysis, focused almost exclusively on network behavior, allowed us to detail effective ways of detecting this malware on the network in real-time.</p>
<p>As a general rule, the RSA Security Analytics / RSA NetWitness approach to network analysis for these types of threats has always been a three-part process which is circular in nature:</p>
<ol>
<li>Identify expected network behavior</li>
<li>Examine outliers</li>
<li>Link intelligence</li>
</ol>
<p><b>Detection of Identifying User-Agents</b></p>
<p>In many APT malware cases, a non-standard user agent is observed as part of the command and control communication sequence and this case is no different. There are several case-related user-agent strings detailed in the paper:</p>
<p>EMSCBVDFRT<br />
EMSFRTCBVD<br />
FMBVDFRESCT<br />
DSMBVCTFRE<br />
MBESCVDFRT<br />
MBVDFRESCT<br />
TCBFRVDEMS<br />
DEMOMAKE<br />
DEMO<br />
UPHTTP<br />
sendFile</p>
<p>Additionally, the following user-agent strings are also present:</p>
<p>wininetget/0.1<br />
file<br />
test<br />
vbusers<br />
folderwin<br />
smaal<br />
simple<br />
nento<br />
bugmaal</p>
<p>Turned into a Security Analytics application rule, these user-agent strings look like the rule below, which allows a quick pivot on Hangover-related malware traffic:</p>
<p><b>Client = emscbvdfrt,emsfrtcbvd,fmbvdfresct,dsmbvctfre,<br />
mbescvdfrt,mbvdfresct,tcbfrvdems, demomake,demo,<br />
uphttp,sendFile,wininetget/0.1,file, test,vbusers,folderwin,<br />
smaal,simple,nento,bugmaal</b></p>
<p>This particular pivot, where we identify meta elements that we don’t expect to exist in our environment, is a very common way of detecting both malware and unwanted applications on the network.</p>
<p><b>Identifying Information in Query Parameters</b></p>
<p>While not as clear cut as identification of unique user-agents, many malware samples, especially Remote Access Trojans (RATs) used by APT attackers, commonly transmit identifying information as part of command and control check-in traffic.</p>
<p>In this case, we see similar behavior: the computer name of the analysis environment, “RemotePC”, as well as the logged-in user, “admin”, are identified in plaintext during the C2 check-in of many of the identified samples:</p>
<p><a href="http://blogs.rsa.com/wp-content/uploads/2013/05/Querystring.png"><img class="alignnone size-full wp-image-9121" alt="Querystring" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Querystring.png" width="516" height="165" /></a></p>
<p><b>Identifying C2 domains</b></p>
<p>Lastly, by establishing domain intelligence through malware analysis, existing known compromise, online research, passive DNS and other methods, we are able to build a large feed of domains which identify suspect traffic.</p>
<p>In this case, RSA FirstWatch added specific domain intelligence related to the Hangover intrusion set on 4/30/13. Historic hits to these domains can be located with the following custom drill:</p>
<p><b>threat.category = research &amp;&amp; threat.desc = apt-domain-a-cow_star, apt-domain-a-hanove, apt-domain-a-trojan.apt.snowtime, apt-domain-a-backdoor.apt.anke, apt-domain-a-backdoor.apt.vbupload, apt-domain-a-dragoneyemini_ smackdown, apt-domain-a-smackdown, apt-domain-a-hanove2, apt-domain-a-appinbot, apt-domain-a-hanovelarge</b></p>
<p>These three detection methodologies can be applied to this and future incidents for proactive detection of advanced threats.</p>
<p>Special thanks to the researchers at FireEye and Dell Secureworks for their assistance in malware analysis and classification tasks.</p>
<p>Happy Hunting!</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five Common Corporate Pitfalls in Cyber Security Management</title>
		<link>http://blogs.rsa.com/five-common-corporate-pitfalls-in-cyber-security-incident-handling/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=five-common-corporate-pitfalls-in-cyber-security-incident-handling</link>
		<comments>http://blogs.rsa.com/five-common-corporate-pitfalls-in-cyber-security-incident-handling/#comments</comments>
		<pubDate>Mon, 20 May 2013 12:30:56 +0000</pubDate>
		<dc:creator>Advanced Cyber Defense/ Incident Response Chatter</dc:creator>
				<category><![CDATA[Advanced Threats]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=8991</guid>
		<description><![CDATA[A fair percentage of clients that I have provided incident response services to over the last 12 months are operating without security or oversight on the Internet, meaning not a single person employed at that organization is solely dedicated to working on security issues. While this is common for small companies and startups, these clients matured over the years to the point where they had hundreds or thousands of employees and even more computing devices on the network. What had not occurred, however, was the investment in security commensurate with the growth of the company.]]></description>
				<content:encoded><![CDATA[<p><em>By Mike McGrew, Advisory Practice Consultant, RSA Advanced Cyber Defense Services</em></p>
<p>This blog discusses five of the high-level missteps common to organizations that have experienced needlessly prolonged negative effects of cyber security incidents.</p>
<p><b>1) No security team</b></p>
<p>A fair percentage of clients that I have provided incident response services to over the last 12 months are operating without security or oversight on the Internet, meaning not a single person employed at that organization is solely dedicated to working on security issues. While this is common for small companies and startups, these clients matured over the years to the point where they had hundreds or thousands of employees and even more computing devices on the network. What had not occurred, however, was the investment in security commensurate with the growth of the company.</p>
<p>When a company consists of 10 people operating on a shoestring budget and an idea, realistically it&#8217;s hard to justify spending money on anything that doesn’t have a tangible ROI. When those companies grow, however, the potential losses in intellectual property or corporate reputation begin to justify expenditure towards a comprehensive security program. Add to that potential regulatory compliance requirements and most successful companies should have no problems demonstrating a true business need for security implementation.</p>
<p><b>2) No budget for enterprise level security tools</b></p>
<p>These companies are slightly better off than the organizations with no security team at all. What I typically observe at these clients is a dedicated though undersized staff that spends a lot of time trying to convince management of the necessity of enterprise security tools. At least that’s how they start out on the job. By the time I am called in to consult, I typically find that the IT managers accept as fact that executive leadership will not dedicate funds towards the purchase of enterprise security tools. Often these managers hope that the single biggest result of a breach is that executive leadership will finally see the true value of implementing these tools.</p>
<p><b>3) No management support for an information security program</b></p>
<p>Both of the previously mentioned conditions can be summed up by this one condition. That being said, I have still occasionally seen organizations that are reasonably staffed and tooled, but end up not implementing security properly because of the perceived negative impact to the business. For example, take a company that has an intelligent web proxy up and running on the network. Since executive management does not champion network security, creating exceptions to the policy is relatively easy. Before long, that company will have entire pockets of personnel whose web traffic bypasses the proxy. If a company has adequate security in place, but lacks management support, users will often find a way to bypass that security.</p>
<p><b>4) Over-reliance on tools; under-reliance on skills training</b></p>
<p>At these organizations, what I have found to be the common denominator is that tools and security staff are both implemented, but the weak link in the chain is the capability of the personnel that are hired to deal with incidents. Consider a case where a critical client system was compromised via targeted email attack. Two users clicked on a URL in similar LinkedIn phishing emails, starting the chain of infection that ultimately led to an attempted payroll theft months after the initial infection. Multiple opportunities existed for this client to detect and remove the threat from the network prior to the attacker trying to steal money: original emails were still present in the gateway storage, both compromised systems were beaconing to a known bad IP address, both hosts had AV alerts that fed into a central server, both users created help desk tickets as a result of their computers acting strangely, and this exact attack had been sufficiently blogged about for a security analyst to gather information and perform discovery in their own network. On the surface, this organization appeared ready to be able to efficiently handle any network security issues that came up. The reality, however, was that though there was an extensive trail of evidence that could have easily been queried and analyzed, there were no truly qualified personnel on staff that could put the pieces of the puzzle together.</p>
<p><b>5) Sysadmins assigned to remediate AV alerts, end up running scan tools that don’t wipe out the threat</b></p>
<p>I understand the motivation of the sysadmin who sees an AV alert and responds by running eradication tools like Malwarebytes. More often than not I find that in targeted attacks, at best these tools only kill the portion of the malware that was causing the AV alerts. For the motivated but untrained sysadmin, no more AV alerts means no more compromise, situation resolved. Incomplete remediation is a dangerous situation, since the possibility now exists that the host is still compromised but no longer alerting anybody about it. In a corporate environment, AV alerts should be treated as a notification to rebuild the system in any case where a thorough forensic examination cannot rule out persistent compromise.</p>
<p><em>Mike McGrew is an Advisory Practice Consultant within RSA&#8217;s Incident Response practice. Mike provides network and host-based incident response services for intrusions involving sophisticated adversaries that target intellectual property and other critically sensitive data. Mike has been a CISSP for over 10 years and was previously a Navy cryptologist supporting the National Security Agency (NSA).</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/five-common-corporate-pitfalls-in-cyber-security-incident-handling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>To Cybercriminals, The Size of a Company No Longer Matters</title>
		<link>http://blogs.rsa.com/to-cybercriminals-the-size-of-a-company-no-longer-matters/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=to-cybercriminals-the-size-of-a-company-no-longer-matters</link>
		<comments>http://blogs.rsa.com/to-cybercriminals-the-size-of-a-company-no-longer-matters/#comments</comments>
		<pubDate>Fri, 17 May 2013 12:30:58 +0000</pubDate>
		<dc:creator>Rashmi Knowles</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9073</guid>
		<description><![CDATA[Gone are the days when it was thought that size of the company matters to the cybercriminals.  The latest PwC Information Security Breaches Survey 2013 shows that there has been a significant rise in the number of small businesses that were attacked by an unauthorized outsider in the last year – up by 22%.  Interestingly large organizations only went up by 5%.  The cybercriminal has moved on to stealing intellectual property or corporate secrets as that’s where the real money is and small companies become easy targets as many do not have the resources or budgets to fully protect their information.

It’s time to understand the differences between corporate secrets and custodial data.]]></description>
				<content:encoded><![CDATA[<p>Gone are the days when it was thought that size of the company matters to the cybercriminals.  The latest <a href="http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml">PwC Information Security Breaches Survey 2013</a> shows that there has been a significant rise in the number of small businesses that were attacked by an unauthorized outsider in the last year – up by 22%.  Interestingly large organizations only went up by 5%.  The cybercriminal has moved on to stealing intellectual property or corporate secrets as that’s where the real money is and small companies become easy targets as many do not have the resources or budgets to fully protect their information.</p>
<p>It’s time to understand the differences between corporate secrets and custodial data.</p>
<p><i>Secrets</i> refer to information that the enterprise creates and wishes to keep under wraps. They tend to be messily and abstractly described in Word documents, embedded in presentations, and enshrined in application-specific formats like CAD. Secrets that have intrinsic value to the firm are almost always specific to the enterprise’s business context &#8212; where an interested party could cause long-term competitive harm if this information is obtained. Keeping proprietary knowledge away from competitors is essential to maintaining market advantage.</p>
<p>Typically, companies in knowledge-intensive industries such as aerospace and defense, electronics, and consulting generate large amounts of confidential intellectual property that present barriers to entry for competitors. Unlike with toxic data spills, failures to protect secrets are almost never made public.</p>
<p>By contrast, legislation, regulation, and contracts compel enterprises to protect <i>custodial data</i>. Mandates that oblige enterprises to be good custodians include contractual obligations like the Payment Card Industry Data Security Standard (PCI-DSS) and data breach and privacy laws. Custodial data has little intrinsic value in and of itself, but when it is obtained by an unauthorized party, misused, lost or stolen, it changes state. Data that is ordinarily benign transforms into something harmful.</p>
<p>When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity. Examples of custodial data include customer personally identifiable information (PII) attributes like name, address, email, and phone number; payment card details like credit card numbers and expiry dates; medical records; and government identifiers like passport numbers. Many well-known companies have graced the front pages of major newspapers with toxic data spills.</p>
<p>Interestingly, enterprises in highly knowledge-intensive industries like manufacturing, information services, professional, scientific and technical services, and transportation have 70-80% of their information portfolio value in secrets, while healthcare firms and governmental entities are nearly exactly the opposite: most of the value of their information assets is in custodial data assets.</p>
<p>Data security incidents related to accidental losses and mistakes are common but cause little quantifiable damage. By contrast, employee theft of sensitive information is costlier on a per-incident basis than any single incident caused by accidents.</p>
<p>Unfortunately, compliance drives spending on security for all companies, and smaller ones have a difficult choice to make. “Compliance” in all its forms has helped CISOs buy more gear, but it has distracted IT security from its traditional focus: keeping company secrets secure. All companies, large and small, really need to do a better job of understanding the value of their corporate secrets.</p>
<p>Read my next blog for some recommendations on achieving the right balance.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/to-cybercriminals-the-size-of-a-company-no-longer-matters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The ATM: Convenience for Consumers….and Fraudsters?</title>
		<link>http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-atm-convenience-for-consumers-and-fraudsters</link>
		<comments>http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/#comments</comments>
		<pubDate>Thu, 16 May 2013 16:30:56 +0000</pubDate>
		<dc:creator>Identity and Data Protection Beat</dc:creator>
				<category><![CDATA[Consumer Security]]></category>
		<category><![CDATA[Cybercrime and Fraud]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9062</guid>
		<description><![CDATA[ATMs enable us to get our cash on demand, for those of us who still use cash, and have come a long way since the first machines in the 1960s which dispensed a set amount of funds and sent back the bank card at a later date.

Convenient to consumers, yes - but to fraudsters, ATMs are seen as a way to get their hands on currency that isn’t theirs and unlike an online transaction can be harder to trace.   As a cash-out point for many scams, fraudulent crimes and cyber-attacks the ATM has seen its fair share of unfriendly withdrawals.]]></description>
				<content:encoded><![CDATA[<p><em>By Amy Blackshaw, Principal Product Marketing Manager, RSA Identity Protection &amp; Verification</em></p>
<p>ATMs (otherwise known as Cash Points, Money Machines, Cashlines or sometimes even Holes in the Wall) are a staple of modern life. To the everyday consumer, they are seen as a convenient way to access our bank accounts, even when the branch is closed.  (I remember standing in line at the bank as a child on Saturday mornings with my father so that he could withdraw the funds our family needed for the week – talk about advanced planning!)  ATMs enable us to get our cash on demand, for those of us who still use cash, and have come a long way since the <a href="http://en.wikipedia.org/wiki/Automated_teller_machine">first machines in the 1960s</a> which dispensed a set amount of funds and sent back the bank card at a later date.</p>
<p>Convenient to consumers, yes &#8211; but to fraudsters, ATMs are seen as a way to get their hands on currency that isn’t theirs and unlike an online transaction can be harder to trace.   As a cash-out point for many scams, fraudulent crimes and cyber-attacks the ATM has seen its fair share of unfriendly withdrawals.</p>
<div id="attachment_9063" class="wp-caption aligncenter" style="width: 465px"><a href="http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/atm_blog_afcc-graphic_edited/" rel="attachment wp-att-9063"><img class="size-medium wp-image-9063   " alt="Underground Card Marketplace (Source: RSA Anti-Fraud Command Center)" src="http://blogs.rsa.com/wp-content/uploads/2013/05/ATM_Blog_AFCC-graphic_edited-300x148.png" width="455" height="224" /></a><p class="wp-caption-text">Underground Card Marketplace (Source: RSA Anti-Fraud Command Center)</p></div>
<p>Fraudsters will typically purchase cards and PINs in the underground or recreate plastic cards using the stolen data from card skimmers (<a href="http://krebsonsecurity.com/category/all-about-skimmers/">Krebs on Security has some great information on ATM Skimmers</a>).  They will then recruit mules who are the feet on the street that take a cut of every withdrawal they make with the stolen data from ATMs.  Mule recruitment is pretty easy as there are plenty of people looking for quick cash, especially when the unemployment rate is high.</p>
<p><a href="http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/donkeys/" rel="attachment wp-att-9064"><img class="size-medium wp-image-9064 aligncenter" alt="Donkeys" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Donkeys-300x202.png" width="446" height="300" /></a></p>
<p>There is an entire ecosystem of criminals who specialize in one or more areas of the carders market.  Mules are recruited by Mule Herders who provide forged plastic cards from Forgers who bought credit card credentials from Traders who bought the compromised credentials from a Fraudster who specializes in hacking into payment systems or social engineering schemes such as phishing.  Each criminal makes money from some point of the chain and continues to feed into the underground economy with their specialty.  Kevin Poulsen’s <a href="http://kingpin.cc/"><i>Kingpin</i></a> describes one hacker’s (Max Butler) <a href="http://www.wired.com/techbiz/people/magazine/17-01/ff_max_butler?currentPage=all">plan to rule the black market in stolen credit cards</a> before his crime ring was taken down by the FBI in 2007.</p>
<div id="attachment_9065" class="wp-caption aligncenter" style="width: 488px"><a href="http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/ff_max_butler_f-2/" rel="attachment wp-att-9065"><img class="size-medium wp-image-9065 " alt="Source: WIRED" src="http://blogs.rsa.com/wp-content/uploads/2013/05/ff_max_butler_f-2-300x204.jpg" width="478" height="325" /></a><p class="wp-caption-text">Source: WIRED</p></div>
<p>Last week the US Department of Justice published an <a href="http://www.justice.gov/usao/nye/pr/2013/2013may09.html">indictment</a> of a cybercriminal gang who used the ATM as the cash-out point for a massive global heist – ultimately draining $45M from around the world.  The attackers used “sophisticated intrusion techniques” to hack into the information systems of payment processors and global financial institutions, steal prepaid debit card information and modify withdrawal limits.  The hacked prepaid debit card numbers and PINs were distributed to fraudsters in 26 countries who encoded magnetic stripe cards with the compromised card data and withdrew cash from ATMs on a massive scale across the globe.</p>
<p>It is important to note that the prepaid cards used in this attack are typically pre-loaded with a limited amount and are not associated with a specific user account.  These cards lack transaction history and individual behavior patterns which most organizations leverage to monitor fraud.  This is one of the reasons these criminals targeted prepaid cards – they understand the payment ecosystem and exploit areas of weakness. For example, if a mule went from ATM to ATM with a stolen genuine debit card associated with an account, a transaction monitoring system could have flagged that activity as fraud.  However, with a prepaid card there is no association, transaction or behavioral history.</p>
<p>This latest heist is a reminder that old tried and true attacks will continue to occur without the correct cross-channel, risk-based, intelligent security in place.  Yes, processors need to better protect themselves from breaches and understand the threats their networks face – before an attack occurs, not only after the fact.  But banks need to better understand the transactions that occur at the ATM, online and via their mobile banking to monitor risk and look for anomalous behavior across all channels. For example, if there is an anomaly in withdrawal amount or a large velocity of ATM activity over a short period of time, a risk-based authentication system should flag the activity as high risk and create for further investigation.  (It remains to be seen how the roll out of <a href="http://en.wikipedia.org/wiki/Chip_and_PIN">CHIP/PIN</a> based on the EMV protocol will affect card fraud in the US – where ~80% of all ATM fraud occurs &#8211; but that is a discussion for another day).</p>
<p><a href="http://www.emc.com/collateral/data-sheet/h11429-rsa-adaptive-authentication-ds.pdf">RSA Adaptive Authentication</a> ATM Module enables organizations to analyze transactions in the ATM channel using Risk Based Authentication and cross channel fraud detection.  Fraudsters will continue to use the ATM channel to get their hands on cash, and we will continue to stay on top of the attack vectors in this space to provide intelligent controls to protect the end user.</p>
<p><em>Amy Blackshaw is a Principal Product Marketing Manager within RSA’s Identity and Data Protection Group. In her role, Amy is responsible for the go-to-market strategy for the RSA Adaptive Authentication solution which provides protection against advanced threats in the enterprise and online. Prior to joining RSA, Amy worked in the Energy Industry bringing secure technology solutions for sustainable energy businesses. Amy holds her undergraduate degree from the University of Massachusetts, Amherst, her MBA from Simmons College, and is a CISSP. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Non-malware Penetration Techniques of an Advanced Attacker &#8211; Podcast #246</title>
		<link>http://blogs.rsa.com/non-malware-penetration-techniques-of-an-advanced-attacker-podcast-246/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=non-malware-penetration-techniques-of-an-advanced-attacker-podcast-246</link>
		<comments>http://blogs.rsa.com/non-malware-penetration-techniques-of-an-advanced-attacker-podcast-246/#comments</comments>
		<pubDate>Thu, 16 May 2013 16:30:10 +0000</pubDate>
		<dc:creator>SOS Podcast</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Identity & Access Management]]></category>
		<category><![CDATA[Intelligence-driven security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9031</guid>
		<description><![CDATA[The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techniques and tools designed to cloak their movements. What happens when an attacker doesn’t have to rely on malware to infiltrate their target or when an attacker is able to successfully blend in like a legitimate insider? In this edition of the Speaking of Security Podcast, Tom Chmielarski, Practice Lead in RSA's Advanced Cyber Defense Services shares some of the attack techniques he's seen used in real breach cases, along with best practices used in the detection and defense of these advanced attacks.]]></description>
				<content:encoded><![CDATA[<p>The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techniques and tools designed to cloak their movements. What happens when an attacker doesn’t have to rely on malware to infiltrate their target or when an attacker is able to successfully blend in like a legitimate insider? In this edition of the Speaking of Security Podcast, <strong>Tom Chmielarski, Practice Lead in RSA&#8217;s Advanced Cyber Defense Services</strong> shares some of the attack techniques he&#8217;s seen used in real breach cases, along with best practices used in the detection and defense of these advanced attacks.</p>
<p><a href="http://rsa.edgeboss.net/download/rsa/2013/130411_sos_podcast.mp3">http://rsa.edgeboss.net/download/rsa/2013/130411_sos_podcast.mp3</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/non-malware-penetration-techniques-of-an-advanced-attacker-podcast-246/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://rsa.edgeboss.net/download/rsa/2013/130411_sos_podcast.mp3" length="24101514" type="audio/mpeg" />
		<itunes:subtitle>The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techn...</itunes:subtitle>
		<itunes:summary>The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techniques and tools designed to cloak their movements. What happens when an attacker doesn’t have to rely on malware to infiltrate their target or when an attacker is able to successfully blend in like a legitimate insider? In this edition of the Speaking of Security Podcast, Tom Chmielarski, Practice Lead in RSA&#039;s Advanced Cyber Defense Services shares some of the attack techniques he&#039;s seen used in real breach cases, along with best practices used in the detection and defense of these advanced attacks.</itunes:summary>
		<itunes:author>RSA, The Security Division of EMC</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:duration>12:33</itunes:duration>
	</item>
		<item>
		<title>Groove Theory of GRC &#8211; Postulate #1: Musicality or Performance?</title>
		<link>http://blogs.rsa.com/groove-theory-of-grc-postulate-1-musicality-or-performance/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=groove-theory-of-grc-postulate-1-musicality-or-performance</link>
		<comments>http://blogs.rsa.com/groove-theory-of-grc-postulate-1-musicality-or-performance/#comments</comments>
		<pubDate>Thu, 16 May 2013 12:30:25 +0000</pubDate>
		<dc:creator>Steve Schlarman</dc:creator>
				<category><![CDATA[Governance, Risk & Compliance (GRC)]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9016</guid>
		<description><![CDATA[Welcome to my second in a series of blogs based on what I term “The Groove Theory of GRC.”   As you may or may not know (or infer from this series), I have been a musician for much of my life.  Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years.  While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often.   One aspect of making music that I have enjoyed is the debate between musicality and performance.  Is a great musician guaranteed to be a great performer?  Are all great musical performers talented musicians?]]></description>
				<content:encoded><![CDATA[<p>Welcome to my second in a series of <span style="text-decoration: underline"><strong><a title="The “Groove Theory of GRC” and its Postulates" href="http://blogs.rsa.com/the-groove-theory-of-grc-and-its-postulates/">blogs</a></strong></span> based on what I term “The Groove Theory of GRC.”   As you may or may not know (or infer from this series), I have been a musician for much of my life.  Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years.  While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often.   One aspect of making music that I have enjoyed is the debate between musicality and performance.  Is a great musician guaranteed to be a great performer?  Are all great musical performers talented musicians?</p>
<p>Miles Davis is an easy example of this.  On one hand, you have an intense musical genius that fueled scores of jazz standards and inspired countless musicians across the globe.  On the other hand, you have an individual who later in his career performed quite literally with his back to the audience facing the other musicians and at times seemed oblivious that an audience was even present (<span style="text-decoration: underline"><strong><a href="http://www.youtube.com/watch?v=00tzcnyDL68">Check out this video of his classic song Tutu</a></strong></span>).   Unfortunately I never got to see Miles Davis in person so I can’t weigh in on the feeling of being physically at one of his performances.  I am sure the power of the musicality was overwhelming but the performance may have left some feeling disconnected from the artist.   My point is that in some cases, you can have one without the other – great musicality without a grand performance or engaging entertainment without a deep, complex musical experience.</p>
<p>How does this fit into my “Groove Theory of GRC”?</p>
<p><i>Postulate #1:  Optimizing Business Performance is the end goal; Visibility and Accountability is the method.</i></p>
<p>The end goal of any GRC program should be <i>Performance Optimization.</i>  If GRC were a concert, the <span style="text-decoration: underline">performance matters</span>.  I am not talking about lasers and smoke machines.  I am talking about the substantive effect one feels at the end of a great performance – whether it is music, or theatre or a sporting event.  Management and the Board of Directors need to make decisions that are more certain to result in desired outcomes thus optimizing the performance of the business.   The GRC program should set this as the fundamental objective and impact the organization positively.   But great musical performances just don’t happen.  All the lasers and smoke machines in the world cannot make up for a truly awful band.   A talented set of musicians who know their own role, are dedicated to their craft and are communicating together can bring a musicality that transcends the individual members of the band.  This is the magic that makes the performance great.    The strength of the Performance is through the <i>Visibility and Accountability</i> the band members have with each other, the music and the audience.</p>
<p>To make it simple using my analogy, you have to have <b>Musicality</b> AND <b>Performance</b> to completely capture an audience.  Artists such as Michael Jackson, Prince, Frank Sinatra and many others have epitomized this unique blend of talent, personality and commitment.  GRC needs both <i>Performance Optimization</i> as a goal with <i>Visibility and Accountability</i> enabling the performance.  The program must be absolutely concerned about the positive impact to its audience AND based on a collaborative, connected ecosystem of contributors.</p>
<p>What are your organization’s end goals for GRC?  How do your GRC musicians connect, share and keep the audience engaged and entertained?  Do you feel your organization is bringing both performance (focus on business optimization) and musicality (visibility and accountability) to the concert hall?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/groove-theory-of-grc-postulate-1-musicality-or-performance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safeguarding Patient Information During Crisis</title>
		<link>http://blogs.rsa.com/safeguarding-patient-information-during-crisis/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=safeguarding-patient-information-during-crisis</link>
		<comments>http://blogs.rsa.com/safeguarding-patient-information-during-crisis/#comments</comments>
		<pubDate>Wed, 15 May 2013 16:00:11 +0000</pubDate>
		<dc:creator>Identity and Data Protection Beat</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9038</guid>
		<description><![CDATA[In light of the recent events I’ve reflected on how valuable electronic health records (EHR) and health information exchange (HIE) participation can be in a time of crisis to immediately access critical life-saving data on impacted victims.  EHRs not only allow first responders to quickly access victims’ healthcare information, but also allow for more accurate ambulatory, ER and clinical decision making in life or death situations.]]></description>
				<content:encoded><![CDATA[<p><em>By Angel Grant, Senior Manager, Authentication and Anti-Fraud Solutions, RSA</em></p>
<p>In light of the recent events I’ve reflected on how valuable electronic health records (EHR) and health information exchange (HIE) participation can be in a time of crisis to immediately access critical life-saving data on impacted victims.  EHRs not only allow first responders to quickly access victims’ healthcare information, but also allow for more accurate ambulatory, ER and clinical decision making in life or death situations.</p>
<p>Accompanying the increase of business efficiency and convenience delivered with EHRs, organizations must also maintain concern about privacy, secure access, fraud and the growing cost of security breaches. However, too often in the mix of the chaos we tend to forget how important it is to secure electronic health information during these types of incidents to mitigate the potential risk of theft and non-compliance with relevant regulatory requirements. Healthcare (and law enforcement) organizations need to ensure that all first responders, staff members and volunteers who have access to patient information are educated on, and in compliance with, their security and privacy policies, so that the information is not inappropriately leaked to the media or, even worse, used by fraudsters looking to capitalize on a tragedy.</p>
<p>The <a href="http://www.healthcareinfosecurity.com/p-his-survey-2012"><b>Healthcare Information Security Today survey</b></a>, sponsored by RSA, highlights what healthcare organizations are taking into consideration to comply with the HIPAA Omnibus Rule.  The survey shows that most organizations’ top security priorities are preventing and detecting breaches, improving regulatory compliance and improving security training.  It also reveals that one of the biggest perceived security threats for healthcare organizations is the growing use of mobile devices and business associates taking inadequate security precautions; only 32% of survey respondents expressed confidence in security controls of their BAs and, as you can see on the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html">HHS &#8220;wall of shame&#8221;</a>, a majority of breaches were caused by lost or stolen devices or misplaced laptops.</p>
<p>Yet surprisingly, implementing multi-factor authentication is not one of the top five priorities for technology investments this year. Only 16% are currently using some type of one time password with two-factor authentication and over 89% are just using user name and password to guard against inappropriate access to EHRs.</p>
<div id="attachment_9049" class="wp-caption aligncenter" style="width: 442px"><a href="http://blogs.rsa.com/?attachment_id=9049" rel="attachment wp-att-9049"><img class="size-medium wp-image-9049 " alt="his_survey_p18_chart" src="http://blogs.rsa.com/wp-content/uploads/2013/05/his_survey_p18_chart-300x224.jpg" width="432" height="322" /></a><p class="wp-caption-text">Source: Healthcare Information Security Today</p></div>
<p>The survey also shows 27% of organizations already offer a personal health record (PHR) portal and 35% have something in the works. The growth in adoption of consumer PHR portals is why traditional authentication needs to make way for more dynamic and risk-based authentication.  The financial and online retail verticals have had to rely on such advanced authentication for multimillion-user consumer bases.  The time has come for the healthcare industry to adopt these notions as well and deploy an adaptive intelligent framework which can morph as the threats do.  Transparent risk-based authentication allows for instant, but secure, access to records in both patient and physician portals, which is necessary to expedite emergency situations.  For example, if someone is accessing a patient record in an ER type of situation they need to quickly access data and do not want to be interrupted in their login workflow.  However, if someone is accessing clinical trial information remotely via a mobile device, you may want to require additional or stronger authentication.  The level of authentication should be aligned to the level of risk. Integrating risk-based authentication with access management and identity federation helps organizations establish this balance because the data in a healthcare environment ranges in risk and value (e.g., credit card data for billing to PHI to appointment schedules) and multiple people across multiple functions and entitlements are accessing it.</p>
<div id="attachment_9050" class="wp-caption aligncenter" style="width: 491px"><a href="http://blogs.rsa.com/?attachment_id=9050" rel="attachment wp-att-9050"><img class="size-medium wp-image-9050 " alt="his_survey_chart_p19" src="http://blogs.rsa.com/wp-content/uploads/2013/05/his_survey_chart_p19-300x205.jpg" width="481" height="328" /></a><p class="wp-caption-text">Source: Healthcare Information Security Today</p></div>
<p>During a time of crisis organizations do not need to be more vulnerable to medical identity theft and fraud.  Advanced security solutions have provided the opportunity to help balance the risk, cost and convenience across all aspects of the healthcare ecosystem mitigating against threats while at the same time taking advantage of the benefits of easier information sharing.</p>
<p>Bottom line – this means improved patient care safety, streamlined business processes, physician productivity, cost efficiencies and, most importantly, saved lives.</p>
<p><em>Angel Grant is a Senior Manager for RSA’s Authentication and Anti-Fraud solutions. She is responsible for a variety of initiatives which protect organizations against fraud and identity theft.  She has more than 20 years of experience in the security and financial services industries.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/safeguarding-patient-information-during-crisis/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Hacktivist, Phisherman and Average Joe Walk into a Bar&#8230;</title>
		<link>http://blogs.rsa.com/a-hacktivist-phisherman-and-average-joe-walk-into-a-bar/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-hacktivist-phisherman-and-average-joe-walk-into-a-bar</link>
		<comments>http://blogs.rsa.com/a-hacktivist-phisherman-and-average-joe-walk-into-a-bar/#comments</comments>
		<pubDate>Tue, 14 May 2013 12:30:12 +0000</pubDate>
		<dc:creator>RSA FraudAction Research Labs</dc:creator>
				<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9020</guid>
		<description><![CDATA[By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA Although the title of this blog may call to mind the first line of quite a number of old jokes, it appears that hacktivists, phishers and the everyday Internet user have enough in common to raise concerns of financial fraud, especially in light of [...]]]></description>
				<content:encoded><![CDATA[<p><em>By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA</em></p>
<p>Although the title of this blog may call to mind the first line of quite a number of old jokes, it appears that hacktivists, phishers and the everyday Internet user have enough in common to raise concerns of financial fraud, especially in light of the recent hacktivist-conceived operation dubbed #OpUSA.</p>
<p>While it is true that most cyber-attacks orchestrated by hacktivists focus on DDoS onslaughts targeting authority-type entities and banks, all too many times they add a sting to the operation and hack into immense databases containing private user information.</p>
<p><strong>Hacktivism:  Disruption or Corruption?</strong><br />
Critics say that, in their quest for notoriety, media attention and making their points, hacktivists tend to cross the line when they publicly release untold amounts of data, providing links to the trove and facilitating its free-for-all download.</p>
<p>Some hacktivists will call out every target on their list and post their threats publicly and well in advance, while those targeted will prepare to fend off the attack and advise users as needed. But at the end of the day, who plays the role of the defenseless meek? Not the targeted entities who are expecting the blow, but rather, very much like other wars—innocent bystanders and ‘average Joes.’</p>
<div id="attachment_9021" class="wp-caption aligncenter" style="width: 384px"><a href="http://blogs.rsa.com/?attachment_id=9021" rel="attachment wp-att-9021"><img class="size-medium wp-image-9021" alt="#OpUSA-Themed TweetsDo the lines between idealistic motives and money get blurred for hacktivists?" src="http://blogs.rsa.com/wp-content/uploads/2013/05/2013-04_Fig1_Tweet1-300x84.png" width="374" height="104" /></a><p class="wp-caption-text">#OpUSA-Themed Tweets<br />Do the lines between idealistic motives and money get blurred for hacktivists?</p></div>
<p><strong>Out Go The Hacktivists, In Come the Phisherman</strong></p>
<p>In one of the largest hacks perpetrated in the name of hacktivist ideals, the end result, beyond the damaged brand reputation of a multinational corporation, was a public leak of account information belonging to nearly 25 million Sony Entertainment users. That was about a third of a previous leak of over 70 million accounts, also inflicted by hackers operating in the name of an opinion they formed and acted upon.</p>
<p>Taking the Sony case as a mere example, because hacktivist cases such as these have been increasingly plaguing the Internet, it is clear that the one party that did not expect the hack – other than Sony, of course – were the millions of ordinary users whose data was offered up freely thereafter. Those same users were also the ones who did not have advisors, lawyers and information security experts to help them recover from the actual and potential damages of the hack and its possible effects on their identities and personal finances.</p>
<p>For fraudsters, the large-scale hacks are like candy. Hacktivists will set up publicly available download links for anyone to be able to see the exposed databases, their hunting trophy, and end their part there. But as soon as the links are public, phishers and fraudsters – the vultures, if you will – will access and download it before it is taken down by the hosting authorities. By that time, the real damage to these average Joes is nearly done.</p>
<p><strong>Phish-N&#8217;-Lists</strong><br />
Large hacks containing a database replete with email addresses, not to mention payment cards or other financial data, are an attractive loot for phishers to come for and discuss in underground communities. Instead of having to do their own hacking, collecting and stealing, they can enjoy the spoils and bank on the “freshly” dumped data, compliments of zealous hacktivists, paving a shortcut to fraud scenarios that make a phisher’s daily bread:</p>
<ul>
<li>Monetizing gaming account credentials by selling them to other gamers</li>
<li>Enjoying a list of valid email addresses to target with phishing spam</li>
<li>Leading potential victims to phishing and malware sites and getting paid per install</li>
<li>Harvesting financial information that can be sold to fraudsters and CC shops</li>
<li>Using leaked and stolen data for fraud and identity theft</li>
<li>Checking what other accounts that user has, because, as recent research shows, 61% of accounts are set up with reused passwords.</li>
</ul>
<p>It’s easy to see how an attack that stems from idealistic motivations, targeting very large entities and supposedly conceived in order to protect people’s rights to information, ends up serving the fraudsters and flooding the Internet with confidential data.</p>
<p>With the variety of actors that gain access to information publicly posted online, hacktivists end up inadvertently damaging the very people whose interests they claim to represent.</p>
<p><strong>Conclusion</strong><br />
The number of phishing attacks recorded monthly is known to vary, fluctuating upwards and downwards and there’s limited capability to forecast a trend that is so dependent on fraudster resources.</p>
<p>Although totals are often tricky to predict, some seasonal trends do repeat every year, and, perhaps without our realizing it, a rise in phishing is to be expected after large database hacks that release millions of account addresses into the cybercrime wild.</p>
<p>Phishing attacks in April 2013 have so far only shown a moderate increase over the previous month, likely linked with tax season-themed attacks, but as OpUSA is executed, and news of hacked accounts washes through Pastebin and the Internet, we may just see a more significant rise before the quarter is out.</p>
<p><em>Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog <a href="http://blogs.rsa.com"><strong>Speaking of Security</strong></a>. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/a-hacktivist-phisherman-and-average-joe-walk-into-a-bar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Adaptive IAM: On the Front Lines of Cyber Security</title>
		<link>http://blogs.rsa.com/adaptive-iam-on-the-front-lines-of-cyber-security/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=adaptive-iam-on-the-front-lines-of-cyber-security</link>
		<comments>http://blogs.rsa.com/adaptive-iam-on-the-front-lines-of-cyber-security/#comments</comments>
		<pubDate>Mon, 13 May 2013 13:00:43 +0000</pubDate>
		<dc:creator>Sam Curry</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Identity & Access Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9001</guid>
		<description><![CDATA[Like most technologies, Identity and Access Management (IAM) has been challenged by new business and IT trends that are causing serious disruptions in how we approach information security.  The exponential growth of digital identities coupled with the increasing use of software as a service and mobile and cloud platforms have made the traditional perimeter all but disappear.  As a result, legacy IAM tools that have been a security mainstay for decades are simply failing to keep up.]]></description>
				<content:encoded><![CDATA[<p>Like most technologies, Identity and Access Management (IAM) has been challenged by new business and IT trends that are causing serious disruptions in how we approach information security.  The exponential growth of digital identities coupled with the increasing use of software as a service and mobile and cloud platforms have made the traditional perimeter all but disappear.  As a result, legacy IAM tools that have been a security mainstay for decades are simply failing to keep up.</p>
<p>So how exactly do we protect the borderless enterprise?  As the saying goes, “Nothing Endures but Change” and to help navigate the current threat landscape, IAM solutions need to adapt as fast as the rapidly-changing threat scenarios.  Identities are at the front lines of the everyday battle for cyber security and IAM systems must become the front line of defense.</p>
<p><strong>Next-Generation IAM</strong></p>
<p>We’ve been talking a lot this year about the notion of an “anti-fragile” security system – the idea that security solutions must become stronger and smarter with each attack or disorder.  These solutions must be adaptable and intelligent to make detecting and responding to both current and future attacks a much quicker process.</p>
<p>In a recently released technology brief called “<a href="http://www.emc.com/collateral/solution-overview/h11803-rsa-adaptive-iam-defending-borderless-enterprise.pdf">Adaptive IAM: Defending the Borderless Enterprise</a>,” we examine this concept for IAM.  The brief discusses how IAM must be reinvented to be more intelligent and adaptable in order to stay relevant in today’s hyper-extended IT environments.</p>
<p>Instead of guarding stationary perimeters, Adaptive IAM patrols a dynamic “situational perimeter” to help enforce security whenever and wherever users interact with corporate data and resources. With the rise of Advanced Threats and multi-vector attacks, gone are the days where trust can be established by a single successful log-on; trust must be continually verified and re-checked with each interaction between user and protected resource.</p>
<p><a href="http://blogs.rsa.com/wp-content/uploads/2013/05/IAM.jpg"><img class="alignnone size-full wp-image-9005" alt="Adaptive IAM Principles" src="http://blogs.rsa.com/wp-content/uploads/2013/05/IAM.jpg" width="420" height="315" /></a></p>
<p>Adaptive IAM includes 4 guiding principles:</p>
<ol>
<li><b>Identity is established via a rich user profile</b> that helps spot significant deviations from “normal” behavior, which can often signal security problems.</li>
<li><b>Identity and access controls must be risk-based to verify </b>users while adjusting access controls based on the risk levels of each transaction/activity.</li>
<li><b>Real-time analytics must be used to assess risk</b>, creating the intelligence needed to distinguish good behavior from bad. This will require Big Data analytics to analyze vast amounts of data, assess risk, detect problems and interrupt users attempting unsafe activities.</li>
<li><b>Consumer-level convenience must be the norm </b>by making identity controls and analytics invisible to corporate end users.  Users are only disrupted if unacceptable activities or levels of risk are detected.</li>
</ol>
<p><b>Journey to Adaptive IAM</b></p>
<p>Going from the current state of IAM to this next generation will certainly be a journey – not only for customers, but for the vendor community as well.  We need to pave a smooth migration path for our customers and while no one is 100% of the way there yet, advances are being made toward this IAM ideal.  Our recent launch of <span style="text-decoration: underline;"><strong><a href="http://www.emc.com/microsites/authentication-manager-8/index.htm?pid=rsadomainpage-authenticationmanager8-120213">RSA Authentication Manager 8</a></strong></span> was a big first step, and we’ve been hard at work evolving other parts of the <span style="text-decoration: underline;"><strong><a href="http://www.emc.com/security/rsa-identity-and-access-management.htm#!">RSA Identity and Access Management</a></strong></span> portfolio.  Today we announced several updates and critical integrations that can help drive the journey for our customers:</p>
<ul>
<li><b>Rich User Profile</b>:  RSA’s market-leading risk-based engine, delivered in the recently launched RSA Authentication Manager 8 software as well as <span style="text-decoration: underline;"><strong><a href="http://www.emc.com/security/rsa-identity-protection-and-verification/rsa-adaptive-authentication.htm">RSA Adaptive Authentication</a></strong></span> software, is designed to transparently absorb information from a variety of device, user and environmental factors to determine normal user behavior. To make even more secure authentication and authorization decisions, the latest version of <span style="text-decoration: underline;"><strong><a href="http://www.emc.com/security/rsa-identity-and-access-management/rsa-adaptive-directory.htm">RSA Adaptive Directory</a></strong></span> 6.1 software is designed to allow organizations to aggregate and centrally manage identity information across both on-premise identity data stores as well as cloud applications to create rich user profiles.</li>
</ul>
<ul>
<li><b>Real-time Analytics to Assess Risk and Integrate with Risk-based Access Controls</b>: Deeper integration between <span style="text-decoration: underline;"><strong><a href="http://www.emc.com/security/rsa-identity-and-access-management/rsa-access-manager.htm">RSA Access Manager 6.2</a></strong></span>  software and RSA Adaptive Authentication software as well as with RSA Authentication Manager 8  software can help customers blend risk analytics to determine deviations from the norm in the user’s profile  with stronger authentication and access controls.</li>
</ul>
<ul>
<li><b>Convenience:  </b>Updated releases of the <span style="text-decoration: underline;"><a href="http://www.emc.com/security/rsa-identity-and-access-management/rsa-adaptive-federation.htm"><strong>RSA Adaptive Federation 1.5</strong> </a></span> software-as-a-service as well as on-premise <span style="text-decoration: underline;"><strong><a href="http://www.emc.com/security/rsa-identity-and-access-management/rsa-federated-identity-manager.htm">RSA Federated Identity Manager</a></strong></span> software support seamless single sign-on to cloud-based applications.</li>
</ul>
<p>IAM solutions need to adapt as fast as the rapidly changing threat scenarios.  This is security’s “new normal” and we must evolve.  By creating an IAM solution that embodies the anti-fragile concept – one that is adaptable and dynamic – we can create ‘situational perimeters’ around the borderless enterprise and arm ourselves for the front lines of this cyber security battle.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/adaptive-iam-on-the-front-lines-of-cyber-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Sea of Trust: Cloud, Big Data and Security at EMC World</title>
		<link>http://blogs.rsa.com/the-sea-of-trust-cloud-big-data-and-security-at-emc-world/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-sea-of-trust-cloud-big-data-and-security-at-emc-world</link>
		<comments>http://blogs.rsa.com/the-sea-of-trust-cloud-big-data-and-security-at-emc-world/#comments</comments>
		<pubDate>Thu, 09 May 2013 19:38:04 +0000</pubDate>
		<dc:creator>Bob Griffin</dc:creator>
				<category><![CDATA[Big data]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Governance, Risk & Compliance (GRC)]]></category>
		<category><![CDATA[Identity & Access Management]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[EMCworld]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=8994</guid>
		<description><![CDATA[In his #EMCworld keynote on Tuesday morning, Joe Tucci used the phrase "the sea of trust" to capture the pervasive role that security has to have in the success of the "third platform" of mobile, cloud and big data. It's a great metaphor, reflecting not only the pervasiveness that security has to have, but also the dynamism and power that it needs to embrace.]]></description>
				<content:encoded><![CDATA[<p>In his #EMCworld keynote on Tuesday morning, Joe Tucci used the phrase &#8220;the sea of trust&#8221; to capture the pervasive role that security has to have in the success of the &#8220;third platform&#8221; of mobile, cloud and big data. It&#8217;s a great metaphor, reflecting not only the pervasiveness that security has to have, but also the dynamism and power that it needs to embrace.</p>
<p>We had the opportunity to explore this new vision for security in our birds-of-a-feather session on &#8220;Building Your Trusted Cloud.&#8221; We talked about the threat landscape for cloud, security capabilities that cloud service providers should have, best practices in security for the cloud and in engaging with CSPs. And there were great questions that led us into topics that we hadn&#8217;t foreseen.</p>
<p>One of the best of these questions was from <span style="text-decoration: underline;"><strong><a href="https://idc-insights-community.com/financial/financial-services-technology?author=mversace" target="_blank">Mike Versace of IDC</a></strong></span>, who asked <em>&#8220;What are the big breakthroughs that will make a difference in cloud security?&#8221;</em></p>
<p>Mike&#8217;s question was excellent because it challenged us to think about what really mattered in establishing and maintaining that sea of trust. RSA&#8217;s <span style="text-decoration: underline;"><strong><a href="http://www.linkedin.com/pub/robert-sadowski/1b/592/2ba" target="_blank">Rob Sadowski</a></strong></span> responded with the developments in GRC tools, best practices and standards that help you manage the risk inherent in moving data and workloads into private, hybrid or public clouds. RSA Software Engineer <span style="text-decoration: underline;"><strong><a href="http://www.linkedin.com/pub/matthew-coles/2/65/433" target="_blank">Matt Coles</a></strong></span> emphasized the embedding of data security capabilities into technology, like encryption built into storage. EMC infosecurity expert <span style="text-decoration: underline;"><strong><a href="http://www.flyingpenguin.com/?author=2" target="_blank">Davi Ottenheimer</a></strong></span> spoke to the critical developments in embedded security in the virtual infrastructure. <span style="text-decoration: underline;"><strong><a href="http://www.linkedin.com/pub/matthew-gardiner/0/485/9a0" target="_blank">Matthew Gardiner</a></strong></span> of RSA called out the importance of new developments in security visibility and analytics technologies. And EMC security consultant <strong>John McDonald</strong> spoke about the breakthroughs in risk-based authentication as critical to the mobile user environment.</p>
<p>It was great to have such a range of breakthroughs recognized, especially because they also represented a good cut at the most essential capabilities for establishing trust in the cloud. Sure, there&#8217;s lots of work still needed in making these breakthroughs fully effective. But the essential elements for establishing and maintaining the trusted cloud are here. Maybe that’s the biggest breakthrough of all.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-sea-of-trust-cloud-big-data-and-security-at-emc-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
