
RSA and The “New Normal” of Cybersecurity – Part 2

March 23, 2011

Having Access to All Security Data

by John Linkous

Last week, RSA announced that a successful advanced persistent threat (APT) attack against the company’s infrastructure has resulted in the exfiltration of data that could potentially be used to reduce the effectiveness of RSA’s wildly popular SecurID two-factor authentication products.  While we don’t yet know what was compromised (A token seeding database? Future product design data? We may never know…) or who conducted the attack (China? The Anonymous group?), we do know one thing: the perception of the effectiveness of “secure” authentication and encryption has been deeply shaken.  The fallout from this compromise will likely be swift, and significant.

In my previous post I offered three things that organizations can do to mitigate these complex, advanced threats.

1. Having Access to All Security Data

2. Knowing How All the Security Data is Related

3. Near-Real Time Visibility to Make Effective Decisions

In this and two subsequent posts, I wanted to provide a little more detail on each of these topics.  First, I want to discuss the importance of having access to ALL security data:

Many vendors — and frankly, many enterprise organizations — believe that events are the panacea of security monitoring, and rely heavily on SIEM technologies to monitor their environment.  And it’s certainly true that events provide a good starting point for security-related data.  However, it’s critical to understand that you cannot detect many APTs simply by using event-based data alone.  System configurations (such as Windows registry values, UNIX /etc/*.conf file contents, and firewall port/protocol mappings), asset changes and discrepancies (e.g., a new wireless access point that suddenly appears on the network), network traffic analysis (netflow, SPI and/or DPI), and performance metrics are all critical pieces of the APT puzzle, and they cannot easily be encapsulated (if at all) in event-based data.  Collecting all of this security-related data — events, asset information, host/device/application/database configurations (including changes), performance metrics, network traffic, and other event-based and non-event data — is the critical first step to discovering APTs.
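As an added example (not code from the original post), the following Python sketch shows the point above in practice: a new device and a configuration change surface only from inventory and configuration snapshots, while the host's authentication events look entirely normal. All data is constructed, and the hostnames, addresses and sshd_config keys are assumptions.

```python
"""Constructed example: signals that never appear as events.

Three data sources for one environment are combined:
  - asset inventory snapshots (what is on the network)
  - configuration snapshots (sshd_config values on a host)
  - the host's authentication event lines
Discrepancies in the first two are reported even though the
event stream alone gives a monitor nothing to alert on.
"""

# Constructed inventory snapshots at two points in time (not real data).
ASSETS_T0 = {"10.0.1.10": "fileserver", "10.0.1.11": "printer"}
ASSETS_T1 = {"10.0.1.10": "fileserver", "10.0.1.11": "printer",
             "10.0.1.77": "unknown-wlan-ap"}   # appeared between scans

# Constructed sshd_config snapshots for the file server (hypothetical keys/values).
SSHD_T0 = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}
SSHD_T1 = {"PermitRootLogin": "yes", "PasswordAuthentication": "no"}

# Constructed auth events: nothing here is abnormal on its own.
EVENTS = [
    "2011-03-22T09:01:12 sshd[1001]: Accepted publickey for alice from 10.0.1.10",
    "2011-03-22T09:15:40 sshd[1002]: Accepted publickey for bob from 10.0.1.10",
]

def new_assets(before, after):
    """Devices present in the later inventory but absent from the baseline."""
    return {ip: name for ip, name in after.items() if ip not in before}

def config_drift(before, after):
    """Keys whose value changed between two configuration snapshots."""
    return {k: (before.get(k), after[k]) for k in after if before.get(k) != after[k]}

def event_only_view(events):
    """What an event-only monitor would count: failed logins and root logins."""
    return {"failed": sum("Failed" in e for e in events),
            "root": sum("for root" in e for e in events)}

def findings(assets_before, assets_after, cfg_before, cfg_after, events):
    """Combine non-event signals with the event view into one report list."""
    report = []
    for ip, name in new_assets(assets_before, assets_after).items():
        report.append(f"new asset {ip} ({name}) not in baseline inventory")
    for key, (old, new) in config_drift(cfg_before, cfg_after).items():
        report.append(f"config drift: {key} {old!r} -> {new!r}")
    ev = event_only_view(events)
    if report and ev["failed"] == 0 and ev["root"] == 0:
        report.append("event log shows nothing unusual; findings come from non-event data only")
    return report

if __name__ == "__main__":
    for line in findings(ASSETS_T0, ASSETS_T1, SSHD_T0, SSHD_T1, EVENTS):
        print(line)
```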

Do you have access to ALL of your security data?
