Data Security updates in RSA Web Threat Detection
2 years ago
Originally Published: 2016-10-07
Article Number
000044833
Applies To
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Mitigator
RSA Version/Condition: 4.6, 5.x, 6.0
 
Issue
Customer may be concerned with the current data security standards (data in motion, and data at rest) that WTD uses and wants assurance that these standards are compliant with a modern industry standard such as PCI Compliance. 

Example of a customer requirement --

Based on the security document provided by RSA**, it appears Silvertail/WTD uses RSA for encryption, which is an acceptable algorithm, however, RC4 is no longer accepted based on the current Payment Card Industry (PCI) standards.

An approved encryption algorithm that RSA Silvertail/WTD can use would be AES 128 bit is acceptable, but 256 bit would be much better.

** Last Data Access and Security document was published for Version 3.1 in 2012  
Resolution
Update from Engineering and Product Management in September 2016.

After investigating the issue, Engineering has determined the current state of WTD(version 6.0 and affecting all versions)
  •  AES-128 demonstrates a better security vs. performance ratio.
  • Currently WTD uses a combination of RSA+RC4 key to encrypt logs.
  • While PCI 3.1 recommended migrating from RC4 ciphers, PCI 3.2 (April 2016) obliges disabling weak ciphers such as RC4, MD5 etc. 
This means WTD will not be PCI compliant (3.2 and above) until this issue is resolved.

To add support for stronger encryption, the client should have a choice what to use
  • Our major concern is about data retention, which will have to include handling of both "old" and "new" ciphers.
  • Current option on the table involves developing a tool to migrate(convert) encrypted logs from RC4 to the new AES cipher suite.
Due to the complexities of making changes to create PCI compliance, this will be a commitment that will be addressed in version 6.2 ( currently targeted Q1 2017).  

Project Management believes that this commitment to a fix should provide PCI compliance going forward. 
Don't see what you're looking for?