A federal official, speaking at the Splunk>Live! conference in Washington, described how he used sophisticated continuous monitoring software to protect his agency following the highly publicized breach of RSA’s SecurID system in March 2011.
Each SecurID token generates a pseudo-random code every 30 seconds which, together with a user name and PIN, is used to authenticate logins to numerous federal and private networks. The apparently successful Advanced Persistent Threat (APT) attack may have compromised the secrets from which the token codes are derived, leaving systems at increased risk of attacks that pair valid SecurID codes with random or guessed combinations of user names and PINs. Since the system in question was used extensively by authorized personnel around the world, it was not practical to cut off all service or to block connections from selected geographic areas.
The IT security official developed a strategy that successfully protected his agency's systems using continuous monitoring software. The tool was able to combine and analyze data from three very different information sources: firewalls, a VPN concentrator, and RSA's records of login attempts made with SecurID token codes.
By analyzing the data in ten-second increments, the official and his team were able to determine which IP addresses were generating an inordinate number of login attempts across multiple user names, and to block those addresses. Thus the official devised a new way of using an existing tool to address a new threat.
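The correlation described above, as an added worked example that is not code from the page or from the agency's own deployment: the script normalizes constructed (not real) RSA, VPN and firewall records into one line format, buckets them into ten-second windows, counts the distinct user names each source IP attempted within a window, flags sources above a threshold, and renders a block rule for the firewall. The feed names, the line format, the threshold of three user names, the allowlist parameter and the iptables rule are all assumptions for illustration, not the agency's configuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in an assumed, normalized form (not real RSA, VPN or
# firewall output). Each line:
#   "<ISO-8601 UTC timestamp> <feed> src=<ip> [user=<name>] result=<ok|fail>"
# Firewall records carry no user name; they only tie a source IP to a time.
SAMPLE_EVENTS = """\
2011-03-20T10:00:01Z vpn src=203.0.113.10 user=alice result=ok
2011-03-20T10:00:02Z rsa src=203.0.113.10 user=alice result=ok
2011-03-20T10:00:03Z rsa src=198.51.100.7 user=bob result=fail
2011-03-20T10:00:04Z rsa src=198.51.100.7 user=carol result=fail
2011-03-20T10:00:05Z rsa src=198.51.100.7 user=dave result=fail
2011-03-20T10:00:06Z rsa src=198.51.100.7 user=erin result=fail
2011-03-20T10:00:07Z vpn src=198.51.100.7 user=frank result=fail
2011-03-20T10:00:08Z firewall src=198.51.100.7 result=ok
2011-03-20T10:00:08Z rsa src=198.51.100.7 user=grace result=fail
2011-03-20T10:00:15Z rsa src=198.51.100.7 user=heidi result=fail
2011-03-20T10:00:31Z vpn src=192.0.2.55 user=ivan result=ok
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<feed>rsa|vpn|firewall) src=(?P<src>\S+)"
    r"(?: user=(?P<user>\S+))? result=(?P<result>ok|fail)$"
)


def parse_event(line):
    """Parse one normalized line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "feed": m["feed"], "src": m["src"],
            "user": m["user"], "result": m["result"]}


def window_key(ts, seconds=10):
    """Bucket a timestamp into a fixed window of `seconds`, counted from the epoch."""
    return int(ts.timestamp()) // seconds


def distinct_users_per_window(lines, seconds=10):
    """Return {(window, src_ip): set of user names attempted from src_ip in that window}."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["user"] is None:
            continue  # unparsable line, or a user-less (firewall) record
        seen[(window_key(ev["ts"], seconds), ev["src"])].add(ev["user"])
    return seen


def suspicious_sources(lines, max_users=3, seconds=10, allowlist=()):
    """Source IPs that tried more than `max_users` distinct user names inside one window.

    Counts distinct user names rather than raw failures: one user mistyping a PIN
    should not trip the rule, while a token-code attack cycling through names should.
    Returns {src_ip: peak number of distinct user names seen in a single window}.
    """
    peak = {}
    for (_, src), users in distinct_users_per_window(lines, seconds).items():
        if src in allowlist or len(users) <= max_users:
            continue
        peak[src] = max(peak.get(src, 0), len(users))
    return peak


def block_rules(sources, chain="INPUT"):
    """Render iptables DROP rules for flagged sources (hypothetical enforcement step)."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in sorted(sources)]


if __name__ == "__main__":
    flagged = suspicious_sources(SAMPLE_EVENTS.splitlines())
    for src, n in flagged.items():
        print(f"{src}: {n} distinct user names in one 10 s window")
    for rule in block_rules(flagged):
        print(rule)
```

Two caveats a practitioner would tune before deploying this: a NAT gateway or proxy can legitimately present many users from one address, which is what the allowlist is for, and the window size trades sensitivity for noise (widening it to a minute catches slower attackers but also merges unrelated logins from shared egress points).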
The key lesson from the case study is that continuous monitoring software needs to be capable of adapting to new needs on the fly and of combining data from multiple sources. These are essential continuous monitoring capabilities that should be incorporated in NIST's draft continuous monitoring guidance document, SP 800-137.
See CRE's comments to NIST on SP 800-137, found here.