An Introduction to enVisionEnterprise Platform for Security and Compliance Operations
Karol Piling
Consultant - Central & Eastern Europe
RSA The Security Division of EMC
Introducing Information-centric Security
Secure data, secure access, and security information management for customers, partners and employees:
• Secure enterprise data: Preserve the confidentiality and integrity of critical data wherever it resides
• Secure employee access: Enable secure, anytime, anywhere access to corporate resources
• Secure partner access: Open internal systems to trusted partners
• Secure customer access: Offer self-service channels, prevent fraud, and enhance consumer confidence
• Manage security information: Comply with security policy and regulations
RSA enVision – Market Proven Leadership
• Market Presence: Over 800 major enterprise and government accounts
• Vision: Information Management Platform for transforming event, log, asset and other data into actionable related intelligence
• Technology: Proven patent-pending Internet Protocol Database™ (IPDB); all the data for compliance and security success
Partners (over 130 device partners)
• Network: Cisco, Juniper, Nortel, Foundry
• Security: Symantec, ISS, McAfee, Check Point, RSA
• Operating System: Microsoft, Linux / Unix, Sun / HP, IBM AS400/Main
• Application: MS Exchange, Oracle, MS SQL
• Other: Websense, Bluecoat, Apache, EMC
Accolades: “Leader, 3rd Year in a Row”; “Only vendor with all the data”; “Excellent”; “2005 Appliance bake-off winner”; “Leader”; “Largest Market Presence”
Technology Partners
What is enVision?
enVision is a network-based technology platform that helps you
• See into
• Understand
• Protect data and assets
• Report on
• Store records of
what happened within the network and at its edges
RSA enVision – Market-Proven Leadership
800+ customers, 50% of the Fortune 10, 40% of top Global Banks, 30% of top US Banks, across Fortune 500, Healthcare, Energy & Utility and Financial Services organizations.
The Enterprise Today: Mountains of data, many stakeholders
How do you collect & protect all the data necessary to secure your network and comply with critical regulations?
Log sources:
• Router logs
• IDS/IDP logs
• VPN logs
• Firewall logs
• Switch logs
• Windows logs
• Client & file server logs
• Wireless access logs
• Windows domain logins
• Oracle Financial logs
• SAN file access logs
• VLAN access & control logs
• DHCP logs
• Linux, Unix, Windows OS logs
• Mainframe logs
• Database logs
• Web server activity logs
• Content management logs
• Web cache & proxy logs
• VA scan logs
Stakeholder needs:
• Unauthorized Service Detection
• IP Leakage
• Configuration Control / Lockdown enforcement
• False Positive Reduction
• Access Control Enforcement / Privileged User Management
• Malicious Code Detection / Spyware detection
• Real-Time Monitoring / Troubleshooting
• User Monitoring
• SLA Monitoring
Growth of Enterprise Silos: Redundant Information Management
Each silo (access control software, financial software, firewalls, operating systems, workstations, antivirus software, intrusion prevention) manages its own log and event data.
Solution: RSA enVision, An Information Management Platform… for Compliance & Security Operations
Compliance Operations and Security Operations use cases: Access Control, Configuration Control, Malicious Software, Policy Enforcements, User Monitoring & Management, Environmental & Transmission Security, Access Control Enforcement, SLA Compliance Monitoring, False Positive Reduction, Real-time Monitoring, Unauthorized Network Service Detection, more…
All the Data – Log Management:
• Any enterprise IP device – Universal Device Support (UDS)
• No filtering, normalizing, or data reduction
• Security events & operational information
• No agents required
Stakeholders served: Server Engineering, Business Ops., Compliance Audit, Application & Database, Network Ops., Risk Mgmt., Security Ops., Desktop Ops.
Platform functions: Report, Alert/Correlation, Incident Mgmt., Log Mgmt., Asset Ident., Forensics, Baseline
Log Management with the LogSmart® Internet Protocol Database
• No agents required
• Flexible XML UDS engine
• Raw logs (95%+ data compression); ~70% overall compression
• Security event & operations info; no data filtering
• Easy to deploy appliance packaging
• Parallel architecture ensures alert performance
• Customizable work environments; fully customizable compliance & security reports
RSA enVision and LogSmart IPDB: All the Data™ with Consistently High Performance
Limitations of a relational database for log data:
• Not designed for unstructured data (logs)
• Requires processing (filter, normalize, parse)
• Data Explosion: indexes & related data structure information is added (can result in <10x data)
• Data Loss: events are lost due to selective collection or system bottleneck
• Unpredictable consumption: collection bottleneck impacts use of data (e.g. alerts), making alerting unpredictable
LogSmart IPDB by contrast: encrypted, compressed, authenticated, with parallel analysis
RSA enVision: The LogSmart® IPDB™ Advantage
RSA enVision Deployment: Scales from a single appliance…
[Figure: Collect / Manage / Analyze pipeline on a single appliance. Devices shown feeding collection: Trend Micro Antivirus, Microsoft, ISS, Juniper IDP, Cisco IPS, Netscreen Firewall, Windows Server, plus legacy RSA enVision supported devices and UDS. Functions shown: Baseline, Report, Forensics, Correlated Alerts, Realtime Analysis, Integrated Incident Mgmt., EventExplorer, Interactive Query.]
RSA enVision Deployment: …To a distributed, enterprise-wide architecture
Components: A-SRV (Analysis Server), D-SRV (Data Server), LC (Local Collector), RC (Remote Collector)
[Figure: distributed topology across Bombay (Remote Office), Chicago (WW Security Operations), London (European Headquarters) and New York (WW Compliance Operations); the sites combine LC, D-SRV, A-SRV and NAS storage.]
Security and Compliance Solutions
RSA enVision Protects the Enterprise
• eCommerce Operations: Secure operations of all systems and data associated with eCommerce operations
• Internal Systems & Applications: Secure operations of all systems and data associated with internal network services and applications
• Perimeter Network Operations: Securely connect the enterprise to the Internet and other required corporate entities
RSA enVision: A Framework for Security Operations
Security environments (matrix columns): Perimeter Network Operations, eCommerce Operations, Internal Systems & Applications
Security objectives (matrix rows):
• Access Control Enforcement: Privileged user monitoring; Corporate policy conformance
• Real-time Monitoring: Troubleshoot network & security events; “What is happening?”
• False Positive Reduction: Confirm IDS alerts; Enable critical alert escalation
• Correlated Threat Detection: Watch remote network areas; Consolidate distributed IDS alerts
• Watchlist Enforcement: External threat exposure; Internal investigations
• Unauthorized Network Service Detection: Shutdown rogue services; Intellectual property leakage
• SLA Compliance Monitoring: Proof of delivery; Monitor against baselines
Legend: Most critical / Highly desired / Desired (the per-cell markers of the original matrix did not survive extraction)
Product capabilities mapped to each security objective and environment: Log Management, Asset Identification, Baseline, Report & Audit, Alert, Forensic Analysis, Incident Management
Correlation Example – Worm Detection
Correlation Rule Name: W32.Blaster Worm
The goal of this rule is to detect Blaster worm variants as well as other malicious code by analyzing network traffic patterns.
Vulnerability and Asset Management (VAM)
Customer objective: Leverage information about enterprise assets and known vulnerabilities to identify false-positive IDS messages and to provide content on assets and vulnerabilities.
• VAM will help reduce the costs associated with incident handling by providing analysts direct insight into the state of an asset (e.g. detected vulnerabilities) and into the details of the identified vulnerability
Features:
• Enhanced collection of asset data from vulnerability assessment tools.
• VA tools supported at 3.5.0 are ISS and Nessus.
• NEW VA tools supported in 3.7: McAfee Foundscan, nCircle IP360, Qualys Inc. QualysGuard
• Incorporation of vulnerability data from NVD, periodically updated.
• Display of asset and vulnerability data in web UI and EE.
• Suppression of IDS messages in alerting, based on confidence levels determined from attributes of assets and vulnerabilities.
• IDS products supported at 3.5.0 are Dragon, ISS, and Snort.
• IDS products supported at 3.7 are: ISS Real Secure, Cisco IDS, McAfee Intrushield, Juniper IDP [Netscreen], 3COM/Tipping Point Unity One
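The confidence-based suppression described above, as an added illustration that is not RSA enVision code: an IDS alert is rated against what a VA scan reported about the target asset (platform and detected vulnerabilities), and only low-confidence alerts are suppressed. All asset records, signature mappings, vulnerability ids and alerts are constructed sample data.

```python
# Added example (not RSA enVision code): asset- and vulnerability-aware
# suppression of IDS alerts, modelled on the VAM feature described above.
# All assets, vulnerability ids and alerts below are constructed sample data.
# Constructed asset inventory as a VA scanner would report it: ip -> (os, vulns found)
ASSETS = {
    "10.0.0.5": ("windows", {"VULN-A", "VULN-B"}),
    "10.0.0.9": ("linux", {"VULN-C"}),
    "10.0.0.12": ("windows", set()),
}

# Constructed IDS signature metadata: signature -> (platform it affects, mapped vuln id)
SIGNATURES = {
    "SMB-RPC-OVERFLOW": ("windows", "VULN-A"),
    "WEB-CGI-TRAVERSAL": ("linux", "VULN-C"),
}

def confidence(sig_name, dst_ip):
    """Rate an IDS alert HIGH / MEDIUM / LOW from what is known about the target."""
    sig = SIGNATURES.get(sig_name)
    asset = ASSETS.get(dst_ip)
    if sig is None or asset is None:
        return "MEDIUM"   # unknown signature or unmanaged asset: keep the alert
    platform, vuln_id = sig
    os_name, vulns = asset
    if os_name != platform:
        return "LOW"      # exploit cannot apply to this platform: likely false positive
    if vuln_id in vulns:
        return "HIGH"     # scanner confirmed the target is vulnerable: escalate
    return "MEDIUM"       # right platform, vulnerability not observed: keep for review

def triage(alerts):
    """Split (signature, dst_ip) alerts into forwarded (HIGH/MEDIUM) and suppressed (LOW)."""
    forward, suppressed = [], []
    for sig_name, dst_ip in alerts:
        level = confidence(sig_name, dst_ip)
        (suppressed if level == "LOW" else forward).append((sig_name, dst_ip, level))
    return forward, suppressed

# Constructed IDS alert stream: (signature, destination ip)
SAMPLE_ALERTS = [
    ("SMB-RPC-OVERFLOW", "10.0.0.5"),    # windows host with VULN-A -> HIGH
    ("SMB-RPC-OVERFLOW", "10.0.0.9"),    # linux host -> LOW, suppressed
    ("SMB-RPC-OVERFLOW", "10.0.0.12"),   # windows, not vulnerable -> MEDIUM
    ("WEB-CGI-TRAVERSAL", "10.0.0.7"),   # unmanaged asset -> MEDIUM
]

if __name__ == "__main__":
    fwd, sup = triage(SAMPLE_ALERTS)
    print("forward:", fwd, "\nsuppressed:", sup)
```

Unmanaged assets and unknown signatures deliberately stay at MEDIUM so that gaps in the VA inventory never silently discard alerts.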
“Companies that choose individual solutions for each regulatory challenge they face will spend 10 times more on compliance projects than those that take a proactive approach.”
Lane Leskela, Gartner Research Director
RSA enVision: A Platform for Compliance Operations
Frameworks covered: ISO, NIST, COBIT, COSO, ITIL
Over 800 reports for regulatory compliance & security operations, plus dashboards
RSA enVision: Transformation of Data into Actionable Intelligence
Information Lifecycle Management (ILM)
Challenge: Explosive Growth of Security Data, Extensive Data Retention Requirements

Regulation     | Data Retention Requirements          | Penalties
Sarbanes-Oxley | 5 years                              | Fines to $5M; imprisonment to 10 years
PCI            | Corporate Policy                     | Fines; loss of credit card privileges
GLBA           | 6 years                              | Fines
Basel II       | 7 years                              | Fines
HIPAA          | 6 years; 2 years after patient death | $25,000
NERC           | 3 years                              | TBD
FISMA          | 3 years                              | Fines
NISPOM         | 6 months to 1 year                   | Fines
Source: Enterprise Strategy Group, 2006
Security Information Lifecycle Management
The Lifecycle of Security Log Data: Capture, Compress, Secure, Retire
• Store Online (up to 1 year)
• Retain in Nearline
• Retention Policy: the user defines log retention policies; RSA enVision automatically enforces them
RSA enVision ILM: Maximized Data Value at Lowest Infrastructure Cost
• Online Policy (1 Year)
• Nearline retention on EMC storage (EMC Centera and EMC Celerra shown as storage targets)
Supported Protocols
• Syslog, Syslog NG
• SNMP
• Formatted log files: comma/tab/space delimited, other
• ODBC connection to remote databases
• Push/pull XML files via HTTP
• Windows event logging API
• CheckPoint OPSEC interface
• Cisco IDS POP/RDEP/SDEE
RSA enVision: Stand-alone Appliances to Distributed Solutions
[Chart: events per second (EPS, 500 to 30,000) against number of devices (100 to 30,000) for the ES Series and LS Series appliances.]
Industry Leading Scalability (customer deployments; the Organization column, MSSP or Internal, is not recoverable per row from the extracted chart)

Locations | Events                            | Devices | Driver
34        | 240K/Sec, 20B/Day, 76.8T/Year     | 30,000  | Security: Configuration Control, Access Control Enforcement, Privileged User Monitoring
18        | 180K/Sec, 15.5B/Day, 5.6T/Year    | 20,000  | Compliance & Security: Real-Time Monitoring, False Positive Reduction, Access Control Enforcement
28        | 450K/Sec, 38.8T/Day, 148T/Year    | 28,000  | Compliance: SAS 70 Compliance
4         | 80K/Sec, 6.9B/Day, 2.5T/Year      | 4,000   | Compliance & Security: Log Management, Monitoring Firewalls For Audits
3         | 95K/Sec, 8.2T/Day, 2.9T/Year      | 17,000  | Compliance: Internal Audit
Network Intelligence: Compliance and Security Operations
Enterprise-wide Log Management Platform: Baseline, Reports, Alerts, Forensics, Asset Identification, Incident Management
All the Data, serving Compliance Operations, Business Operations and Security Operations
Thank you!
Vulnerability and Asset Management (VAM)
Existing VA Scanners:
• Open Source Nessus
• ISS SiteProtector
New VA Scanners:
• McAfee Foundscan
• nCircle IP360
• Qualys Inc. QualysGuard
New IDS/IPS Vulnerability Mapping References (Cont)
Supported IDS Devices:
• Dragon IDS
• Snort / Sourcefire
• ISS Real Secure
• Cisco IDS
• McAfee Intrushield
• Juniper IDP [Netscreen]
• 3COM/Tipping Point Unity One
New Device Additions In 3.7.0
• F5 BigIP
• MS DHCP
• MS IAS
• EMC Celerra CIFS
• Lotus Domino
• RSA Access Manager
• Aventail
• Qualysguard
• Foundscan
• nCircle