RSA breach and APT – Detection Controls and Access Control

I would like to comment on RSA’s use of the term Advanced Persistent Threat (APT) in their Open Letter to RSA Customers. From my perspective, any company’s trade secrets are subject to APTs from someone. There is always some competitor or government that can benefit from your trade secrets. All APT means is that someone is willing to focus on your organization with resources of approximately the value of a penetration test plus the cost of acquiring a 0-day attack.

This means that you must assume that you are or will be compromised, and therefore you must invest in “detection controls.” In other words, your security portfolio must include detection as well as prevention controls. Important detection controls include intrusion detection, behavior anomaly detection, botnet command & control communications detection, and Security Information & Event Management (SIEM). If you don’t have the resources to administer and monitor these controls, then you need to hire a managed security services provider (MSSP).

Furthermore, organizations must take a close look at their internal access control systems. Are they operationally and cost-effective? Are you compromising effectiveness due to budget constraints? Are you suffering from “role explosion?” A three thousand person company with 800 Active Directory groups is difficult to manage, to say the least. Does your access control system impede your responsiveness to changes in business requirements? Have you effectively implemented Separation of Duties? Can you cost-effectively audit authorization?
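The questions above can be turned into checks that run against an exported group membership list. The following is an added example, not code from the original post or from any product it mentions; it works over a constructed user-to-group mapping and a hypothetical separation-of-duties policy, and flags near-empty groups, duplicate groups (the same role under two names), over-entitled users, and SoD conflicts.

```python
from collections import defaultdict

# Constructed sample user -> AD group memberships (not data from the post).
MEMBERSHIPS = {
    "alice": {"Finance-AP", "Finance-AR", "Finance-Reports", "VPN-Users"},
    "bob": {"Finance-AP", "VPN-Users"},
    "carol": {"Vendor-Create", "Payment-Approve", "VPN-Users"},
    "dave": {"Vendor-Create", "VPN-Users"},
    "erin": {"Finance-AR", "Finance-Reports", "VPN-Users", "HR-Read",
             "HR-Write", "Audit-Read", "Payment-Approve"},
    "frank": {"Legacy-Reports-2008"},
}

# Hypothetical separation-of-duties policy: no one may hold both groups of a pair.
SOD_CONFLICTS = [("Vendor-Create", "Payment-Approve"), ("HR-Write", "Audit-Read")]


def members_by_group(memberships):
    """Invert user -> groups into group -> frozenset of members."""
    groups = defaultdict(set)
    for user, gs in memberships.items():
        for g in gs:
            groups[g].add(user)
    return {g: frozenset(us) for g, us in groups.items()}


def stale_groups(memberships, max_members=1):
    """Groups with at most max_members members: consolidation or removal candidates."""
    return sorted(g for g, us in members_by_group(memberships).items() if len(us) <= max_members)


def redundant_groups(memberships):
    """Multi-member groups with identical member sets: the same role under two names."""
    by_members = defaultdict(list)
    for g, us in members_by_group(memberships).items():
        if len(us) > 1:
            by_members[us].append(g)
    return sorted(tuple(sorted(gs)) for gs in by_members.values() if len(gs) > 1)


def over_entitled(memberships, max_groups=5):
    """Users whose group count exceeds a review threshold."""
    return sorted(u for u, gs in memberships.items() if len(gs) > max_groups)


def sod_violations(memberships, conflicts):
    """Users holding both halves of a conflicting pair."""
    return [(u, a, b) for u, gs in sorted(memberships.items())
            for a, b in conflicts if a in gs and b in gs]


if __name__ == "__main__":
    print("stale groups:", stale_groups(MEMBERSHIPS))
    print("redundant groups:", redundant_groups(MEMBERSHIPS))
    print("over-entitled users:", over_entitled(MEMBERSHIPS))
    print("SoD violations:", sod_violations(MEMBERSHIPS, SOD_CONFLICTS))
```

On a real directory the mapping would come from a group membership export, and the thresholds and conflict pairs from the organization's own policy.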

Advanced Persistent Threats and Ponemon

Last week the Ponemon Institute announced the results of a survey they did, funded by Netwitness, entitled Growing Risk of Advanced Threats: Study of IT Practitioners in the United States.

I agree with the concerns expressed by Richard Bejtlich in his blog post, Ponemon Institute Misses the Mark, regarding the use of the terms “advanced threat” and “Advanced Persistent Threat” (APT). In reality, the Ponemon research used the term “advanced threat” to include almost anything, including APT. I agree with Richard that Ponemon seems to be creating confusion rather than clarity.

I certainly have no argument with the value of a full packet capture product in the investigation of APTs. Full disclosure: Cymbel is a partner of Solera Networks, a manufacturer of a competing full packet capture product. However, I am sensitive to marketing FUD, to which unfortunately our industry is prone. I wrote about the meaning of Advanced Persistent Threats in my personal blog last February. It’s bad enough without conflating it with other serious security threats. Here is the final paragraph of that post:

In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second, the focus is on stealing intellectual property rather than money to advance the adversary’s strategic technical, economic, political, and military goals.