SIEM and the recent RSA breach

By now you’ve no doubt heard of the recent breach of RSA’s infrastructure and the potential data loss related to its SecurID line of products. In an effort to help its customers, RSA has sent out the following list of recommendations:

  1. We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
  2. We recommend customers enforce strong password and pin policies.
  3. We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
  4. We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
  5. We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
  6. We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
  7. We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
  8. We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
  9. We recommend customers update their security products and the operating systems hosting them with the latest patches.

One thing that surprised me is the two highlighted entries (items 5 & 6), which expressly call out SIEM as a recommended platform for monitoring the follow-on breaches that could result from RSA’s own breach. Now I know that RSA has its own SIEM product (enVision), but this is the first set of post-breach recommendations I can remember that suggested SIEM as a supportive monitoring tool and did not come from a pure-play SIEM vendor, which is why I wanted to blog about it. RSA has a broad portfolio of products, and it still took the time to mention SIEM in 2 of its 9 bullet points.
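Items 5 and 6 recommend watching Active Directory privilege changes through a SIEM. As an added illustration (not part of the original post, and not RSA enVision rule syntax), the Python below runs two such detection rules over a constructed set of normalized Windows Security events: any membership addition to a watchlisted admin group, and a newly created account that is escalated shortly after creation. Event IDs 4720, 4728, 4732 and 4756 are the standard Windows Security IDs for account creation and group-member additions; the JSON field names, the group watchlist and the sample events are assumptions.

```python
import json
from datetime import datetime, timedelta

# Windows Security event IDs: "member added to security-enabled group", keyed by group scope
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
ACCOUNT_CREATED = 4720
# Groups whose membership grants administrative rights (watchlist; extend per environment)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample of normalized Security events, in the JSON-lines form a SIEM might ingest
SAMPLE_EVENTS = """\
{"ts": "2011-03-21T09:02:11Z", "event_id": 4624, "subject": "jdoe", "host": "DC01"}
{"ts": "2011-03-21T09:05:40Z", "event_id": 4728, "subject": "helpdesk1", "member": "tsmith", "group": "Domain Admins", "host": "DC01"}
{"ts": "2011-03-21T09:06:02Z", "event_id": 4732, "subject": "helpdesk1", "member": "tsmith", "group": "Remote Desktop Users", "host": "DC01"}
{"ts": "2011-03-21T11:14:55Z", "event_id": 4720, "subject": "helpdesk1", "member": "svc-backup2", "host": "DC01"}
{"ts": "2011-03-21T11:15:03Z", "event_id": 4756, "subject": "helpdesk1", "member": "svc-backup2", "group": "Enterprise Admins", "host": "DC01"}
"""

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect(lines, window=timedelta(minutes=30)):
    """Return one alert dict per privilege-granting change found in the event stream."""
    alerts = []
    created = {}  # member -> creation time, used to correlate new accounts with escalation
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["event_id"] == ACCOUNT_CREATED:
            created[ev["member"]] = ts
        elif ev["event_id"] in MEMBER_ADDED and ev.get("group") in PRIVILEGED_GROUPS:
            # Rule 1: every addition to a watchlisted admin group is reportable (item 6 above)
            alerts.append({"rule": "privileged-group-add", "ts": ev["ts"], "subject": ev["subject"],
                           "member": ev["member"], "group": ev["group"],
                           "scope": MEMBER_ADDED[ev["event_id"]]})
            # Rule 2: a brand-new account made an admin within the window is a stronger signal,
            # since legitimate provisioning normally passes through an approval step first
            if ev["member"] in created and ts - created[ev["member"]] <= window:
                alerts.append({"rule": "new-account-escalated", "ts": ev["ts"], "subject": ev["subject"],
                               "member": ev["member"], "group": ev["group"],
                               "age_seconds": int((ts - created[ev["member"]]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the first rule fires twice (tsmith into Domain Admins, svc-backup2 into Enterprise Admins) and the second fires once, for svc-backup2, created eight seconds before its escalation; the Remote Desktop Users addition is ignored because that group is not on the watchlist.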

Photo: RSA SecurID tokens (br2dotcom/Flickr)
