
Organizations are subject to more regulations than ever before (e.g. new PCI standards, CCPA), and this places an additional burden on IAM teams to keep up with such regulatory requirements. An authentication platform should help meet these regulations while also helping meet security and privacy requirements. As an IAM practitioner, one needs to consider the following areas when evaluating free Microsoft Azure AD MFA, RSA SecurID Access or any other authentication solution.

 

  • Regulatory requirements - A single platform that helps address organizations myriad regulatory MFA compliance requirements

Some regulations mandate the strongest forms of authenticators, as defined by the NIST assurance levels (e.g. AAL 2 and 3), for your workforce. An example is EPCS, where strong proofing, 2FA and access logging are required for prescribing electronic prescriptions. RSA SecurID Access can enable such organizations with in-person proofing and secure out-of-band distribution of 2FA tokens. For organizations subject to DFAR, RSA SecurID Access can provide a FIPS-compliant solution to meet 2FA requirements. The PCI-DSS 2.0 regulations require that knowledge of the success or failure of a factor is not provided to individuals until all factors have been submitted. RSA SecurID Access can support such requirements through a multi-factor, multi-step process for network login into the secure cardholder environment.

 

  • Unified visibility across cloud and on-premise (hybrid) infrastructure to help meet auditing needs

Auditors need visibility into which users had access to applications and systems on both cloud and on-premise infrastructure. Specifically, they need data on users, the applications accessed, and the level of authentication used to gain access to those systems. RSA SecurID Access enables such visibility into an organization’s access infrastructure through out-of-the-box reporting and the ability to export such events to external systems for further reporting or analysis. With a hybrid IT model (on-premise and cloud applications), IAM teams will benefit from a platform that provides a comprehensive view of all user access events across multiple application types and user populations.

 

  • Security teams – Reduce identity specific attacks with a powerful policy engine

Security policies need to support different assurance levels based on the sensitivity of applications and user-level risk. IAM teams need to manage policies centrally so that such assurance levels are achieved through the right level of authentication assurance. RSA SecurID Access provides different assurance levels so that the right level of access controls is implemented. Organizations can use the behavioral analytics risk engine, usable from day one, to determine user-level risk against the peer population based on application, device or location anomalies.

With the combination of a powerful assurance-level-driven policy engine and behavioral risk capabilities, security teams can rest assured that they are mitigating identity threats and supporting their broader security goals.

 

  • Privacy requirements - A solution needs to understand and help with an organization’s privacy posture

Users have privacy concerns about security teams installing apps on their mobile devices. Some security policies mandate that no phones are allowed inside call centers or data centers. An authentication solution should be flexible enough to accommodate such requirements. RSA SecurID Access can help meet them through hardware OTP tokens or FIDO keys.

Some organizations are subject to strict data residency requirements (e.g. in Europe) because of the countries they operate in. RSA SecurID Access has data centers in local regions, where data never leaves the respective region’s borders, to support data protection and privacy requirements.

 

Evaluate whether a free MFA solution from Microsoft will help you meet such regulatory, security and privacy requirements. RSA SecurID Access can help untangle complexity and reduce the burden on IAM teams by helping meet such regulatory requirements.

Better Together: SecurID Access with your SIEM Platform

 

Introduction

Everyone wants better visibility into the behaviors (or misbehaviors) of their users. Customers often ask us a simple question: what should we watch out for?

 

The RSA SecurID® Access Cloud Authentication Service produces a large list of events for a variety of purposes. These are emitted both from the Cloud Service itself and from the supporting Identity Router virtual appliance clusters. These events are intended to be used for a variety of purposes, including:

 

  • Security and Event monitoring
  • System health
  • Supporting audit activities
  • Troubleshooting system or integration issues

 

These events fall under three major categories, each carrying a severity level: Administration, System and User events.

 

To help you get started, we have collated a shortlist of events that may be of interest. We emphasised events that were related to security and critical health warnings. Be warned! This list does not encapsulate every possible event of interest for your deployment and is not intended as an exhaustive list specific to your organisation.

 

RSA recommends augmenting this guidance with your knowledgeable delivery partner or with  RSA Professional Services to help provide specific advice for YOUR organisation. 

Furthermore, when alerting on events related to the SecurID Cloud Risk Engine, this provides an additional dimension of visibility around suspicious behaviour. This is relevant even if your organisation does not use the risk engine to drive down the frequency of user challenge - even organisations that wish to challenge specific apps or users can gain the benefits of the risk engine as a monitoring tool for user and device behaviour.

 

Please consult the full list of Cloud Service Events here: https://community.rsa.com/docs/DOC-99818

If you are a lucky customer that uses the RSA NetWitness Platform as your SIEM, consult the official documentation on how to connect it to the Cloud: https://community.rsa.com/api/core/v3/contents/26032/data?v=1

 

If you have another SIEM platform, also consult the following document on how to pull Cloud Service Events into your SIEM via the Cloud Event API: https://community.rsa.com/docs/DOC-96948

 

Cloud Administration Events

It is recommended that all administrative activity relating to the SecurID Cloud Authentication Service be examined, as it represents changes to a system that may have far-reaching consequences. A list of activities that should be monitored is presented in the following table.

 

Activity Key | Activity Code | Message | Suggested Action
SIGNIN_FAILURE | 80002 | Admin {0} sign-in failed | Repeated failures should be alerted upon
LOCKED_ADMIN_ACCOUNT | 80003 | System locked admin {0} account | Alert
UNLOCKED_ADMIN_ACCOUNT | 80004 | System unlocked admin {0} account | Alert
DELETE_POLICY | 80202 | Admin {0} deleted access policy {1} | Alert
DELETE_IDR | 80302 | Admin {0} deleted identity router {1} | Alert
RESET_IDR_PASSWORD | 80308 | Admin {0} reset the identity router {1} password | Alert
DELETE_CLUSTER | 80322 | Admin {0} deleted cluster {1} | Alert
DELETE_TRUSTED_LOCATION | 80902 | Admin {0} deleted trusted location {1} | Alert
DELETE_ALL_TRUSTED_LOCATIONS | 80903 | Admin {0} deleted all trusted locations | Alert
DELETE_TRUSTED_NETWORK | 81003 | Admin {0} deleted trusted network {1} | Alert
DELETE_ALL_TRUSTED_NETWORK | 81004 | Admin {0} deleted all trusted networks | Alert
DELETE_ADMIN_USER | 82002 | Admin {0} deleted admin user {1} | Alert
DELETE_APPLICATION | 82302 | Admin {0} deleted application {1} | Alert
DELETE_RELYING_PARTY | 82502 | Admin {0} deleted relying party {1} | Alert

 

 


 

Cloud System Events

 

System events trigger the following messages to appear in the System Event Monitor.

Event Code | Level | Category | Description | Suggested Action
2507 | error | Identity Source Sync | Identity source synchronization not completed successfully. | Alert
2508 | notice | Identity Source Sync | Users are missing one or more unique identifiers. Check the user attribute configurations in both the cloud identity source and the directory server. | Alert
20152 | error | Identity Router | Identity router cannot initiate contact with the Authentication Manager server. | Alert
20155 | error | Identity Router | Identity router cannot connect to Authentication Manager - Unknown error. | Alert
20161 | error | Identity Router | The identity router cannot connect to any configured identity sources. | Alert
20162 | error | Identity Router | The identity router cannot connect to some configured identity sources. | Alert
20165 | error | Identity Router | Some of the configured DNS servers are not working properly. | Alert
20166 | error | Identity Router | None of the configured DNS servers are working properly. | Alert
20184 | error | Identity Router | Identity router CPU usage exceeds the threshold limit. | Alert
20187 | error | Identity Router | Cluster is offline and not in quorum. No configured identity routers are online. | Alert
20189 | error | Identity Router | Identity router memory usage exceeds the threshold limit. | Alert

 


 

Cloud User Events

 

Event Code | Level | Description | Suggested Action
104 | error | Authenticate Tokencode authentication failed - Invalid tokencode. | Alert on repeated attempts
105 | error | Authenticate Tokencode authentication failed - Previously used tokencode detected. | Alert on repeated attempts
114 | error | Identity router API tokencode authentication failed - Cloud Authentication Service unreachable. | Alert – IDR unable to reach cloud
117 | error | Identity router API user status check - Identity source unreachable. | Alert – LDAP unavailable
213 | error | LDAP password authentication failed - Cannot establish a trusted SSL/TLS connection with the LDAP directory server. Check for invalid certificate. | Alert – LDAP unavailable
215 | error | LDAP password authentication failed - Sign-in failure: unknown username or invalid password. | Repeated failures should be alerted upon
224 | error | LDAP password authentication failed - LDAP account locked out. | Alert – user locked out
409 | error | Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact identity router. | Alert – IDR unavailable from Cloud
410 | error | Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact directory server. | Alert – LDAP unavailable for sync
608 | error | RSA SecurID user authentication failed - RSA SecurID service is not available. | Repeated failures - alert – Cloud service down?
906 | error | Portal sign-in failed - Password reset required. | Alert; possibly to alert helpdesk
910 | error | Protected application authentication failed. | Repeated failures should be alerted upon
913 | error | Additional authentication failed. | Repeated failures should be alerted upon
932 | error | Additional authentication failed - User account disabled. | Alert; possibly to alert helpdesk
933 | error | Password authentication succeeded - Client does not support required additional authentication methods - Access denied. | Alert; possibly to alert helpdesk
935 | error | Unsuccessful password authentication – Access denied. | Repeated failures should be alerted upon
940 | error | Password authentication succeeded - User prohibited by policy settings - Access denied. | Repeated failures should be alerted upon
941 | error | Password authentication succeeded - Access prohibited by conditional policy settings - Access denied. | Repeated failures should be alerted upon
3013 | error | RSA MFA Agent for Microsoft Windows configuration not approved. | Alert; possibly to alert helpdesk
3015 | error | RSA MFA Agent for Microsoft Windows unsuccessful configuration. | Alert; possibly to alert helpdesk
20403 | error | SAML IdP - Error response sent. If Authentication Details includes "Message was rejected due to issue instant expiration" or "Message was rejected because was issued in the future," then there might be a time-synchronization issue between the service provider and the Cloud Authentication Service. If you see this message during an additional authentication flow for an SSO Agent application, check the time on the identity router. | Alert
20601 | error | RADIUS - LDAP authentication succeeded - Policy contains no RADIUS-compatible methods for additional authentication - Access denied. | Alert
20605 | error | RADIUS - Cloud Authentication Service unreachable - Access denied. | Repeated failures - alert – Cloud service down?
20615 | notice | RADIUS – Authentication failed. | Repeated failures should be alerted upon
20701 | error | Access denied – User not a member of any identity source in access policy. | Repeated failures should be alerted upon
20702 | error | Access denied – User does not match any rule sets or matches a deny rule set in access policy. | Repeated failures should be alerted upon
20703 | error | Access denied – Policy authentication conditions deny access. | Repeated failures should be alerted upon
20802 | error | SMS Tokencode message transmission attempt failed - Invalid phone number. | Alert; possibly to alert helpdesk
20852 | error | Voice Tokencode call attempt failed - Invalid phone number. | Alert; possibly to alert helpdesk
21903 | error | SMS Tokencode authentication method locked – User exceeded maximum tokencodes allowed. | Alert; possibly to alert helpdesk
21953 | error | Voice Tokencode authentication method locked - User exceeded maximum tokencodes allowed. | Alert; possibly to alert helpdesk
25001 | notice | Evaluated identity confidence. See Condition Attributes for Access Policies - Reporting a User's Identity Confidence Score for details. | See below (Evaluated Identity Confidence Event). When the “Confidence” attribute is greater than the “Confidence Threshold” the risk is low, therefore do nothing. When the “Confidence” attribute is lower than the “Confidence Threshold” the risk is high, therefore alert.
26004 | error | Emergency Tokencode locked - User previously exceeded maximum attempts. | Alert; possibly to alert helpdesk
26005 | error | Emergency Tokencode now locked. | Alert; possibly to alert helpdesk

 

 


 

Evaluated Identity Confidence Event (Risk Engine)

 

As the log sample shows, the parser must be configured to conditionally evaluate the value of the confidence attribute against the confidenceThreshold value. If confidence is lower than confidenceThreshold, the risk is considered high and an alert should be generated containing the named user identifier.
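The following Python script is an added example, not RSA's code and not part of the original post. It shows one way a SIEM correlation rule could implement the suggested actions from the three Cloud event tables above (immediate alerts on administrative activity, sliding-window thresholds for the "repeated failures" codes) together with the confidence check described in this section. The activity keys and event codes are taken from the tables; the event field names (timestamp, activityKey, eventCode, admin, userId, confidence, confidenceThreshold) and the sample events are constructed assumptions for illustration and do not reflect the Cloud Event API schema, which DOC-96948 documents.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not RSA's code. Field names used in the sample events are
# assumptions for illustration, not the real Cloud Event API schema.

# Cloud Administration activity keys the table marks "Alert".
ADMIN_ALERT_KEYS = {
    "LOCKED_ADMIN_ACCOUNT", "UNLOCKED_ADMIN_ACCOUNT", "DELETE_POLICY",
    "DELETE_IDR", "RESET_IDR_PASSWORD", "DELETE_CLUSTER",
    "DELETE_TRUSTED_LOCATION", "DELETE_ALL_TRUSTED_LOCATIONS",
    "DELETE_TRUSTED_NETWORK", "DELETE_ALL_TRUSTED_NETWORK",
    "DELETE_ADMIN_USER", "DELETE_APPLICATION", "DELETE_RELYING_PARTY",
}
# Cloud User event codes the table says to alert on only when repeated.
# 608 and 20605 repeating usually mean the cloud service is unreachable rather
# than a credential problem, so route those to operations, not the user's helpdesk.
REPEATED_FAILURE_CODES = {104, 105, 215, 608, 910, 913, 935, 940, 941,
                          20605, 20615, 20701, 20702, 20703}
# Cloud User event codes the table marks with an unconditional "Alert".
IMMEDIATE_USER_CODES = {114, 117, 213, 224, 409, 410, 20403, 20601}


class Correlator:
    """Stateful pass over events; keeps a sliding window of failures per subject."""

    def __init__(self, threshold=5, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)  # (scope, subject) -> timestamps

    def _count_recent(self, scope, subject, ts):
        q = self._failures[(scope, subject)]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def process(self, event):
        """Return an alert string for this event, or None when nothing fires."""
        ts = datetime.fromisoformat(event["timestamp"])
        key = event.get("activityKey")
        code = event.get("eventCode")

        if key in ADMIN_ALERT_KEYS:
            return f"ADMIN {key} ({code}) by {event.get('admin')}"
        if key == "SIGNIN_FAILURE":                       # code 80002
            n = self._count_recent("admin", event.get("admin"), ts)
            return (f"ADMIN repeated sign-in failures: {event.get('admin')} x{n}"
                    if n >= self.threshold else None)
        if code == 25001:                                 # evaluated identity confidence
            conf, thr = event["confidence"], event["confidenceThreshold"]
            if conf < thr:                                # below threshold = high risk
                return f"RISK low identity confidence for {event['userId']}: {conf} < {thr}"
            return None                                   # above threshold = low risk
        if code in IMMEDIATE_USER_CODES:
            return f"USER {code} for {event.get('userId')}"
        if code in REPEATED_FAILURE_CODES:
            n = self._count_recent("user", event.get("userId"), ts)
            return (f"USER repeated failures: {event.get('userId')} x{n}"
                    if n >= self.threshold else None)
        return None


def run(events, threshold=5, window=timedelta(minutes=10)):
    """Feed events in order and collect the alerts that fire."""
    c = Correlator(threshold, window)
    return [a for a in (c.process(e) for e in events) if a]


# Constructed sample events (not captured from a real tenant).
SAMPLE_EVENTS = [
    {"timestamp": "2020-05-20T10:00:00", "activityKey": "SIGNIN_FAILURE", "eventCode": 80002, "admin": "alice"},
    {"timestamp": "2020-05-20T10:00:30", "activityKey": "SIGNIN_FAILURE", "eventCode": 80002, "admin": "alice"},
    {"timestamp": "2020-05-20T10:01:00", "activityKey": "SIGNIN_FAILURE", "eventCode": 80002, "admin": "alice"},
    {"timestamp": "2020-05-20T10:02:00", "activityKey": "DELETE_POLICY", "eventCode": 80202, "admin": "bob"},
    {"timestamp": "2020-05-20T10:03:00", "eventCode": 215, "userId": "carol"},
    {"timestamp": "2020-05-20T10:03:10", "eventCode": 935, "userId": "carol"},
    {"timestamp": "2020-05-20T10:03:20", "eventCode": 20615, "userId": "carol"},
    {"timestamp": "2020-05-20T10:04:00", "eventCode": 25001, "userId": "dave", "confidence": 0.9, "confidenceThreshold": 0.7},
    {"timestamp": "2020-05-20T10:04:30", "eventCode": 25001, "userId": "erin", "confidence": 0.3, "confidenceThreshold": 0.7},
    {"timestamp": "2020-05-20T10:05:00", "eventCode": 114, "userId": "frank"},
    {"timestamp": "2020-05-20T10:30:00", "eventCode": 215, "userId": "carol"},  # outside the window: no alert
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, threshold=3):
        print(alert)
```

The threshold and window are deliberately parameters: the right values depend on the size of the user population and how noisy a given code is in your tenant, and a "repeated failures" rule that counts across all failure codes for one user (as above) catches an attacker rotating between password, RADIUS and policy-denied attempts better than one counter per code.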

 

 

Identity Router Events

Please consult the full list of events emanating from the Identity Router here: https://community.rsa.com/docs/DOC-54120

User Audit Events

User Audit Events contain no security or health events.

Web Services Audit Events

Web Service Audit Events contain no security or health events.

System Audit Events

Event | Description | Suggested Action
SYSTEM_ERROR | An error occurred on the identity router. | Alert
SYSTEM_REBOOT | The identity router rebooted. | Alert

IDR Status Events

RSA recommends that all IDR system health events be monitored. Consult the full list of events here, under the “Identity Router Status Events” table: https://community.rsa.com/docs/DOC-54120

RADIUS Audit Events

Event | Description | Suggested Action
RADIUS_CHALLENGE_METHODS_NOT_SUPPORTED | A user attempted RADIUS authentication, but RADIUS or the user's device does not support any of the authentication methods allowed by the access policy. | Alert – triage to IT or helpdesk
RADIUS_USER_DEVICE_NOT_REGISTERED | A user attempted RADIUS authentication using a method that requires a mobile device, but no device is registered for the user. | Alert – possibly helpdesk
RADIUS_INTERNAL_ERROR | The RADIUS service encountered an error. | Alert

 

 

The RSA SecurID Access team is excited to provide the following updates as part of the May, 2020 release.  

 

Emergency Access now available for FIDO protected resources 

Emergency access greatly enhances productivity by unblocking access to business-critical resources when a user has lost, misplaced or forgotten their authentication device. Emergency access codes may be used for a fixed period of time, as determined by the issuing help desk administrator.

Many organizations provide a passwordless experience to their users for accessing SaaS/web applications, using FIDO2 as the primary authentication method. In the May release, users who are configured for FIDO2 primary authentication and lose or misplace their security key can obtain an Emergency Access Code (EAC) as an authenticator to regain access to their critical resources protected by FIDO, with no loss in productivity. They can also log on to the RSA My Page Self Service Portal with their EAC to begin the process of enrolling a replacement FIDO security key.

 

Improved Security for Administrators Who Require Resetting Their Password

The password reset process for all administrators has been made more secure.  For existing administrators, to securely reset any Cloud Administration Console password, the password reset must be completed within two hours of requesting the password reset link. 

 

See the May Release Notes, which provide complete details on these new capabilities and other miscellaneous updates coming out in the May 2020 release.
