SANS Sixth Annual Log Management Survey
Part II: Deriving More Value From More Data
Jerry Shenk, Sr. SANS Analyst
The SANS Institute
© www.sans.org

SANS Log Management 2



6th Annual Log Management Survey

Goals of Survey: Track progress of log management industry; Identify problems users are having

More Log Data: Log server increases; Log source increases

More Uses: More people finding logs useful


Log Server Increases


Log Source Increases

Log source categories (chart labels): Firewalls, routers, switches, IDS/IPS, etc.; Servers; Applications; Databases; Identity Sources; Desktops; Physical Devices (HVAC, badge access, plant control)


Reasons For Collecting


Log Data Usefulness


Challenges


Reasons For Collecting


What Vendors Need to Do

Consistency in Log Data Outputs: Changes between versions; Consistency in product line

Meaningful, Parsable Messages

function and a variable list; Consistent layout

Options For Enough Data: Debug level logging is a nice option


What Log Management Vendors Need to Do

Reporting and Analysis; Searching; Allow Easy Support of Custom Devices; Windows Logs


What Users Need to Do

Review Logs Daily
Start BEFORE There is a Problem
Getting started: Use data reduction techniques; Exclude data in searches; Know your data; Know your logs

Watch For Survey Next Year, We read the comments


Summary

More Companies Collecting Logs; More Devices; More Useful; Top Challenge: Reporting and Analysis


An Introduction to LogLogic

Andy Morris, Director of Product Marketing


The Log Management &amp; Intelligence Company


Makers of: LogLogic Open Log Management Platform; LogLogic Compliance Manager; LogLogic Security Event Manager; LogLogic Database Security Manager

Supporting Over 1000 Customers


SANS Annual Log Management Survey

Debbie Umbach

Solutions Marketing, Governance, Risk and Compliance

RSA, The Security Division of EMC


RSA enVision Log Management platform (diagram labels)
Log sources: physical and virtual servers; storage; applications / databases; security devices; network devices
Purpose-built database
Simplifying Compliance: Compliance reports for regulations and internal policy (Auditing; Reporting)
Enhancing Security: Real-time security alerting and analysis (Forensics; Alert / correlation)
Optimizing IT &amp; Network Operations: IT monitoring across the infrastructure (Visibility; Network baseline)

RSA enVision 3-in-1 SIEM Platform

Vision: From Event Collection to Business Reporting

2007 May 16 17:14:21 CDT -04:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch detected on port 5/24

TJ-DC-PSA-FW-204-01: NetScreen device_id=TJ-DC-PSA-FW-204-01 [Root]system-information-00536: IKE<221.239.59.66> Phase 2 msg ID <8d16a105>: Responded to the peer's first message. (Feb 20 00:02:15)<000>

Individual log entries or alerts

RSA enVision - Operational Statistics &amp; Detailed Reports
Archer - Business level dashboards; Compliance process management
Audiences: System Administrator; Compliance or Security Analyst; Business Executive


Help Us Help You

Challenge Us: Submit SIEM/Log Management use cases: Send e-mail to: !"#$%&'()(*&$+&,%--(.%&/%$0*112& ,34%1/5/*1 Current RSA enVision customers, post in the portal:

http://rsaenvision.lithium.com/t5/Best-Practice/bd-p/Best-Practice

We will tell you if and how RSA can solve your use case


Am I secure right now?

Which of my assets are at risk?

How do I respond effectively?

Am I compliant?

Threat/Risk Assessment

Measurement &amp; Reporting

Mitigation &amp; Remediation

Situational Awareness

Solve logging / threat mitigation challenges in real-time

Reduce security threat complexity while increasing reaction time and efficiency

Provide complete security visibility from the smallest organizations to the largest enterprises

Scale: Effectively fit within any organization's infrastructure size and budget constraints

Tracy Hulver, VP of Products and Marketing, thulver@netforensics.com, www.netforensics.com

FGHEGIGEJKKK