ArcSight - RSA SecureID v6 Monitoring Use Case

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

This document describes a monitoring package for RSA's SecureID v6.1.x software, specifically the ACE Server version 6.1.x. Its primary purpose is to assist in monitoring remote access logins following the security breaches reported by RSA in 2011. Upon installation, the package content is organized under a specific directory structure within the ArcSight ESM system, including predefined ActiveLists, filters, rules, templates, reports, and trends. Its key components are:

1. **Active Lists**: Used to track login failures for later reporting. For example, "RSA SecureID Login Failures Previous Month" records all failed login attempts over the past 30 days. Special rules detect administrative actions by unknown users and failed logins to admin accounts.
2. **Filters**: Pre-built filters based on real customer logs from ACE Server version 6.1.x, covering the log conditions specified in the RSA documentation.
3. **Rules**: Automatically track login failures and unauthorized activity by detecting administrative actions and unknown-user logins.
4. **Templates and Reports**: Not detailed in the package, but implied to be generated from the captured data for further analysis.
5. **Trends**: Statistical representations of login patterns derived from the logs, providing visual summaries of user activity and potential issues.

The package is designed for environments running RSA SecureID v6.1.x and follows the version 6.1.x specifications. It includes a set of predefined reports stored in the /All Reports/Public folder, built from ActiveList entries and hourly Trend information. One disabled trend is located in the /All Trends/Public folder. All queries are labeled with their specific objectives and time frames and live in the /All Queries/Public folder.

Two sets of queries work together: "Trend Creation" generates an hourly trend from the 30-day ActiveList, while "Trend Reporting" retrieves the data previously written to that hourly trend for detailed analysis and reporting.

Details:

This document outlines a package for monitoring remote access logins using RSA's SecureID v6.1.x, specifically targeting ACE Server version 6.1.x. The package is intended to assist in monitoring and reporting on login activity during the security breaches reported by RSA in 2011. Installing the package populates a set of predefined ActiveLists, filters, rules, templates, reports, and trends under a specific directory structure within the ArcSight ESM system: the package content is organized under /All <*>/Public/. The main components are:

1. **Active Lists**: Used to track login failures for later reporting. Key lists such as "RSA SecureID Login Failures Previous Month" keep records of all failed login attempts over the past 30 days, including the username, full name, type of failure, and time of failure. Special rules also detect administrative actions by unknown users and failed logins to admin accounts.
2. **Filters**: A set of pre-built filters based on real customer logs from ACE Server version 6.1.x. These filters cover all log conditions specified in the RSA documentation; they do not apply to versions beyond 7.1, which lack the corresponding system logs.
3. **Rules**: Special rules that automatically track the administrative actions and login failures described above, helping to identify unauthorized activity within the user base.
4. **Templates and Reports**: The package does not specify detailed templates or reports, but it is implied that these would be generated from the data captured by the ActiveLists and filters for further analysis and reporting.
5. **Trends**: Statistical representations of login patterns derived from the logs, providing a visual summary of user activity and potential issues.

The package content adheres to the version 6.1.x specifications, as it was built from customer environments running that software version. It is recommended for organizations where RSA SecureID v6.1.x systems are actively monitored and managed following the security breach incidents. The ACE Administrative Guide is the reference for the user actions tracked; the package's rules and reports can be used to monitor RSA activity accordingly.

Rules in this package focus on detecting specific activities related to administrator accounts and on general user login failures, but they define no rule action beyond adding information to the 30-day ActiveList. All rules are stored in the /All Rules/Public folder; rules the customer selects are moved to the /All Rules/Real-time Rules/ folder. Rule names describe the detected action. Detailed login source information is not available without correlation from other event sources such as VPN devices.

The package includes numerous reports that the customer can implement, stored in the /All Reports/Public folder and built from a mix of ActiveList entries and hourly Trend information. Only one trend is included, disabled, in the /All Trends/Public folder. All queries are labeled with their specific objectives and time frames and are found in the /All Queries/Public folder. Together these components provide a framework for monitoring and analyzing user activity within an organization's RSA environment.

Two sets of queries work together. First, a "Trend Creation" query located in /All Queries/Public/RSA SecureID Monitoring generates an hourly trend from the 30-day ActiveList. Second, "Trend Reporting" queries in the same folder retrieve the data previously written to that hourly trend and provide the detailed information used for analysis and reporting.
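The pipeline described in the Summary and Details above (filter, rule, 30-day ActiveList, hourly Trend, report) can be made concrete with a small simulation. The following is an added example written for this post; it is not ArcSight content, not RSA code, and not the package's own rules. The log line format, the user and admin account names, and the `parse_event`, `ActiveList`, `hourly_trend`, `peak_hour` and `run_pipeline` names are all constructed stand-ins, and the key=value syntax is a hypothetical substitute for real ACE Server 6.1.x log output.

```python
"""Added example (not from the page, ArcSight or RSA): a plain-Python
miniature of the package's pipeline,
filter -> rule -> 30-day ActiveList -> hourly Trend -> report.
The log format, user names and admin accounts are constructed stand-ins."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value format.
SAMPLE_LOGS = [
    "2011-03-20 08:05:10 ACTION=LOGIN_FAIL USER=jdoe NAME='John Doe' REASON=PASSCODE_INCORRECT",
    "2011-03-20 08:07:42 ACTION=LOGIN_FAIL USER=jdoe NAME='John Doe' REASON=PASSCODE_INCORRECT",
    "2011-03-20 09:15:00 ACTION=LOGIN_OK USER=asmith NAME='Ann Smith' REASON=-",
    "2011-03-20 09:20:33 ACTION=LOGIN_FAIL USER=admin1 NAME='Ops Admin' REASON=TOKEN_DISABLED",
    "2011-03-20 10:02:05 ACTION=ADMIN_EDIT_USER USER=ghost NAME='-' REASON=-",
    # Older than 30 days relative to NOW: it must age out of the ActiveList.
    "2011-02-01 12:00:00 ACTION=LOGIN_FAIL USER=old NAME='Old Entry' REASON=PASSCODE_INCORRECT",
    "garbage line that the parser must skip",
]
NOW = datetime(2011, 3, 21)                  # evaluation time for the example
KNOWN_USERS = {"jdoe", "asmith", "admin1"}   # assumed user inventory
ADMIN_ACCOUNTS = {"admin1"}                  # assumed admin accounts
ACTIVE_LIST_TTL = timedelta(days=30)         # "Previous Month" retention

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ACTION=(?P<action>\S+) USER=(?P<user>\S+) "
    r"NAME='(?P<name>[^']*)' REASON=(?P<reason>\S+)$"
)

def parse_event(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

# Filters: one predicate per log condition of interest.
def is_login_failure(ev):
    return ev["action"] == "LOGIN_FAIL"

def is_admin_action(ev):
    return ev["action"].startswith("ADMIN_")

# Rules: a filter combined with context (known users, admin accounts).
def rule_unknown_user_admin_action(ev):
    return is_admin_action(ev) and ev["user"] not in KNOWN_USERS

def rule_admin_login_failure(ev):
    return is_login_failure(ev) and ev["user"] in ADMIN_ACCOUNTS

class ActiveList:
    """Rolling list of failures with a TTL, like the package's 30-day list."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = []

    def add(self, ev):
        # Same fields the page lists: username, full name, failure type, time.
        self.entries.append({"user": ev["user"], "name": ev["name"],
                             "failure": ev["reason"], "time": ev["ts"]})

    def purge(self, now):
        self.entries = [e for e in self.entries if now - e["time"] <= self.ttl]

def hourly_trend(active_list):
    """'Trend Creation': bucket ActiveList entries per hour."""
    return Counter(e["time"].strftime("%Y-%m-%d %H") for e in active_list.entries)

def failures_by_user(active_list):
    """Report over the ActiveList: failure count per user."""
    return Counter(e["user"] for e in active_list.entries)

def peak_hour(trend):
    """'Trend Reporting': read the stored trend back, here the busiest hour."""
    return max(trend.items(), key=lambda kv: kv[1]) if trend else None

def run_pipeline(lines, now):
    active = ActiveList(ACTIVE_LIST_TTL)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if is_login_failure(ev):
            active.add(ev)                    # the only rule action: add to the list
        if rule_unknown_user_admin_action(ev):
            alerts.append(("unknown_user_admin_action", ev["user"]))
        if rule_admin_login_failure(ev):
            alerts.append(("admin_login_failure", ev["user"]))
    active.purge(now)
    return {"active_list": active.entries, "alerts": alerts,
            "trend": hourly_trend(active), "report": failures_by_user(active)}

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS, NOW)
    for entry in result["active_list"]:
        print(entry)
    print(result["alerts"], dict(result["trend"]), peak_hour(result["trend"]))
```

Running the block keeps the three March failures, ages out the February entry, raises one alert for the failed admin login and one for the admin action by a user not in the inventory, and reports 08:00 on 2011-03-20 as the busiest hour. As the page notes, nothing here identifies the login source; that still requires correlation with another event source such as a VPN device.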

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
