RSA EnVision Platform - Pronet.co.id


RSA Solution Brief

RSA enVision Platform
Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures

The job of Security Operations, whether a large organization with a dedicated staff and resources, or one person with multiple responsibilities, is to keep information assets secure by continually monitoring the organization's IT environment, anticipating and responding to immediate threats and long-term vulnerabilities, and providing advice and guidance on security matters to both senior management and business units. To be effective, security operations professionals must draw on tools that day in and day out turn a myriad of real-time events into actionable data. They need an efficient closed-loop process for handling incidents and mitigating risk. They also need the visibility necessary to assess and fine-tune the effectiveness of security policies, processes and resources.

The RSA enVision platform collects, analyzes, correlates and alerts on log data from all event sources across the network and IT infrastructure. It also intelligently combines real-time threat, vulnerability, IT asset and environmental data. This enables organizations to respond quickly and thoroughly to high-risk security issues and pinpoint the places where problems are likely to appear.
By automating manual processes and increasing productivity, the RSA enVision platform delivers increased security while reducing cost.

With over 1600 production customers worldwide across every industry, including 5 of the Fortune 10 and 40% of top global banks, the RSA enVision platform:

– Provides real-time, actionable security information for quick and accurate threat detection and alerting – by combining event data, asset and vulnerability information, and utilizing intelligent correlation capabilities, security professionals prioritize and focus on the issues that support the business needs.
– Improves analyst productivity by streamlining the incident handling process – by providing access to real, empirical data and offering a built-in workflow, from initial identification and prioritization of an incident, to investigation with contextual information, to escalation, resolution, closure and archiving, security professionals efficiently and effectively accelerate problem resolution.
– Increases the effectiveness of security measures and resources – by giving security professionals visibility into their enterprise, the status of an incident, the vulnerability and risk of high-priority assets and the use of security resources through comprehensive reporting and easy-to-use dashboards, security organizations can focus staff on high-risk issues and adapt and adjust policies, procedures and investments in order to mitigate risk.

The RSA enVision Platform – What Is It?

Analysts agree that the RSA enVision platform is a market-leading solution for security information and event management (SIEM). It gives organizations a single, integrated 3-in-1 log management solution for simplifying compliance, enhancing security operations and risk mitigation and optimizing IT and network operations through the automated collection, analysis, alerting, auditing, reporting and storage of all logs.

Simplify compliance. Enhance security operations. Optimize network operations.

Enhancing Security: roles, responsibilities, data/tools needed and the RSA enVision solution

Security Architect
  Responsibilities: Interface between the business and Security. Design and maintain Security Policy and controls; general Operations; set direction; justify budget.
  Data/Tools Needed: Security status "at a glance"; security metrics. Metrics to track effectiveness of policies and controls; understanding of state of security and compliance.
  RSA enVision Solution: Graphical and tabular executive dashboards; extensive out-of-the-box reports. Extensive reports (security and compliance); out-of-the-box and easy-to-customize dashboards; historical and trend reports.

Security Manager
  Responsibilities: Oversee Security Operations resources and budgets; incident response oversight.
  Data/Tools Needed: Resource and security metrics, including incident response statistics.
  RSA enVision Solution: Security status and productivity dashboards including team workload, incident rate and tasks by priority for workload management; vulnerability dashboards including most vulnerable assets ranked by severity or by business rating.

Security Analyst
  Responsibilities: Monitor consoles, device configuration and vulnerability management; detect incidents, respond to alerts, conduct investigations, manage incident resolution; provide technical advice.
  Data/Tools Needed: Asset and vulnerability status, threat information, real-time and long-term event data, baseline, policy and identity information. Need a collaborative incident handling process and tools to focus on high-risk incidents.
  RSA enVision Solution: Baseline, event, asset and vulnerability data to reduce false positives and alert, in real time, on high security-risk incidents; extensive content-rich correlation rules (e.g. SANS Top 20); automated Watchlists (e.g. Privileged User Monitoring); collaborative closed-loop incident handling process, from incident identification and research through resolution, closing and archiving.

Real-Time, Actionable Information for Quick and Accurate Threat Detection and Alerting

[Figure: Real-time Incident Detection. Comprehensive log data, event source knowledge, asset context, timely threat information and vulnerability data feed correlation rules, filters and watchlists for incident detection, serving the Security Analyst and Security Architect.]

The RSA enVision platform examines and analyzes events in real time to detect and alert on high-priority incidents. It combines best-of-breed log management capabilities, advanced correlation functions and comprehensive knowledge of threats and vulnerabilities to provide security organizations the ability to efficiently and accurately "find the needle in the haystack."

Event Data Collection – The RSA enVision platform was purpose-built to collect event data from any and every event source, including network, security, host and storage devices as well as applications and databases. With its LogSmart IPDB (Internet Protocol Data Base) architecture, RSA enVision software collects events without agents, allowing for faster deployment and reduced ongoing management. It does not filter, reduce, normalize or alter the raw event information, allowing organizations to access complete data and therefore to identify an incident in real time, investigate it, anticipate problems and conduct complete forensic analysis for internal or external auditors. Secure, scalable storage and industry-leading compression rates deliver a cost-effective solution.

Vulnerability and Asset Management – The RSA enVision platform gives event data additional context by combining it with data from vulnerability assessment tools and configuration management systems. This allows it to alert administrators when vulnerabilities appear on critical systems and prioritize security alerts based upon the value of the asset being attacked and its vulnerabilities. It also makes a rich set of contextual data available to analysts investigating security incidents so that they can make better decisions about how to respond.

Advanced Correlation Rules & Watchlists – The RSA enVision platform provides a wide set of content-rich correlation rules that define the conditions under which an alert or notification should be automatically triggered. These correlation rules can be easily enhanced with new content, and can be tailored to create environment-specific conditions that will detect risk and eliminate or reduce the window of exposure. With watchlists, organizations can easily create and update lists of mission-critical assets, or of accepted (or forbidden) assets so that, for example, core business applications, privileged users, former employees, spammers, known hackers, or bot-net servers can be automatically monitored. The SANS Top 20 Watchlist, for instance, monitors for any exploit related to the SANS Top 20 list.

Timely Threat Information – The RSA enVision platform imports information from IDS/IPS devices commonly used by enterprises. These devices continually scan the network to detect occurring threats such as hackers attacking systems or gathering information from them. It also contains an embedded vulnerability repository derived from the Department of Homeland Security's National Vulnerability Database; it contains detailed descriptions about current vulnerabilities such as an explanation of its potential impact, the type of loss it can cause and an indication of how an exploit may result in a confidentiality

Examples of correlation rule categories:

Administrative Activity – Detect high-risk administrative actions on critical assets, like out-of-policy configuration changes to high-risk assets, or unusual privilege delegation.
Suspicious User Activity – Detect unusual authentication or access control issues, like multiple failed logons, or unauthorized system accesses.
High Risk Vulnerabilities – Detect new high-risk vulnerabilities on critical assets, or likely attacks on vulnerable hosts.
Suspicious Network Activity – Detect unusual deviations in network behavior, or network activity that violates policy.
Critical System Errors – Detect critical errors on high-priority systems that might result in a system outage.

The RSA enVision platform thus performs the automatic correlation of security events with what is known about an IT asset, its priority to the business and its relative vulnerability. In this way, it dramatically reduces false positives and alerts on high-risk events, enabling the security operations team to take immediate action on prioritized incidents.

A large global post-trade processing infrastructure company looking for multiple logging protocols, event aggregation and correlation, real-time alerts, privileged user monitoring and focused threat detection found that enVision helped them "find the needle in the haystack. [It] points us to the area to look for the needle and sometimes it puts the needle right on top of the haystack."
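The correlation the brief describes (threshold rules, watchlists, and alert priority weighted by asset value and known vulnerabilities), shown as an added Python example that is not RSA enVision code or any RSA content. It parses a handful of constructed syslog-style lines, raises an alert when one user fails to log on three times within a sliding window on one host, flags a successful logon by a former-employee watchlist entry, flags a privileged-user watchlist entry taking a root shell on a high-rated asset, and scores every alert with a constructed business rating and open-vulnerability count so that a lower-severity rule firing on a critical, unpatched host outranks a higher-severity one on a low-value host. The log lines, host names, user names, watchlists, asset table and scoring weights are all constructed for illustration.

```python
"""Added example: SIEM-style correlation with watchlists and asset context.
Not RSA enVision code; every rule, log line and data value here is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines (not real enVision output).
SAMPLE_LOGS = """\
2012-02-09T10:00:01 host=db01 sshd: Failed password for alice from 10.1.1.5
2012-02-09T10:00:04 host=db01 sshd: Failed password for alice from 10.1.1.5
2012-02-09T10:00:07 host=db01 sshd: Failed password for alice from 10.1.1.5
2012-02-09T10:00:09 host=db01 sshd: Accepted password for alice from 10.1.1.5
2012-02-09T10:05:00 host=web02 sshd: Accepted password for bob from 10.1.1.9
2012-02-09T10:06:00 host=web02 sshd: Accepted password for mallory from 203.0.113.7
2012-02-09T10:30:00 host=db01 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")

# Watchlists (constructed): accounts that warrant extra scrutiny.
PRIVILEGED_USERS = {"root", "alice"}
FORMER_EMPLOYEES = {"mallory"}

# Asset context (constructed): business rating 1..5 and count of open vulnerabilities,
# the kind of data the brief says is imported from vulnerability and asset tools.
ASSETS = {
    "db01": {"rating": 5, "vulns": 2},   # critical, unpatched
    "web02": {"rating": 2, "vulns": 0},  # low value, clean
}


def parse(line):
    """Split a line into fields; the raw line itself is left untouched."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    auth = AUTH_RE.match(ev["msg"])
    if auth:
        ev.update(auth.groupdict())
    return ev


def score(base_severity, host):
    """Priority = rule severity weighted by asset value, plus open vulnerabilities."""
    asset = ASSETS.get(host, {"rating": 1, "vulns": 0})
    return base_severity * asset["rating"] + asset["vulns"]


def correlate(lines, window=timedelta(seconds=60), threshold=3):
    """Run the rules over the lines and return alerts, highest priority first."""
    alerts = []
    failures = defaultdict(list)  # (user, host) -> timestamps of recent failed logons
    fired = set()                 # suppress repeat alerts for the same (user, host)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        host, user = ev["host"], ev.get("user")
        if ev.get("result") == "Failed":
            # Rule: N failed logons for one user on one host inside the sliding window
            key = (user, host)
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[key]) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"rule": "multiple_failed_logons", "user": user, "host": host,
                               "count": len(failures[key]), "priority": score(2, host)})
        elif ev.get("result") == "Accepted" and user in FORMER_EMPLOYEES:
            # Rule: successful logon by an account on the former-employee watchlist
            alerts.append({"rule": "former_employee_logon", "user": user, "host": host,
                           "src": ev["src"], "priority": score(4, host)})
        elif ev["prog"] == "sudo" and "USER=root" in ev["msg"]:
            # Rule: privileged-user watchlist member gains root on a high-rated asset
            invoker = ev["msg"].split(" : ", 1)[0]
            if invoker in PRIVILEGED_USERS and ASSETS.get(host, {}).get("rating", 1) >= 4:
                alerts.append({"rule": "privileged_user_activity", "user": invoker, "host": host,
                               "priority": score(3, host)})
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running it ranks the root shell on the critical host first (3 x 5 + 2 = 17), the brute-force pattern on the same host second (2 x 5 + 2 = 12) and the former-employee logon on the low-value web host last (4 x 2 + 0 = 8), even though the former-employee rule carries the highest base severity. That reordering by asset context is the point; the weights themselves are a placeholder a real deployment would tune.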

Streamlined Incident Handling Process – A Closed-Loop, Collaborative Process

RSA enVision software provides real-time notification of high-risk security issues that need to be handled by security analysts and specialists. Whether in an e-mail, a console alert, or a BlackBerry message, a notification begins the incident handling process where the goal is to quickly reach effective resolution and closure.

[Figure: Closed-loop incident handling process shared by the Security Analyst and Security Manager, producing reports on incident status.]
Notification – Alert on a high-risk security issue.
Triage – Sort, categorize and prioritize incoming incidents.
Analysis – Examine all available information and supporting evidence with an easy-to-use UI and broad search capabilities with contextual information, including powerful asset and vulnerability lookup.
Forensics – Gather, document and preserve information and analysis of evidence; audit trail of the complete investigation.
Track & Trace – Trace views to monitor activity by user, IP address, etc.
Escalate and/or Remediate – Automatically escalate to downstream systems (e.g. ticketing, configuration management) or to a domain expert, including all relevant annotations and log records. Remediate: track and document incident resolution/remediation.
Close – Accept status change from the downstream ticketing system for a complete closed-loop process.

With an intuitive interface that supports the processes, workflows and procedures required by security operations organizations, the RSA enVision platform provides a closed-loop, collaborative workflow that
– provides track and trace capabilities to monitor activity by user, IP address, etc.;
– efficiently triages the incident to the appropriate security analyst/specialist;
– accepts updates from downstream systems and monitors incident resolution through closure;
– enables detailed analysis and forensics with access to comprehensive event, asset and vulnerability information;
– creates incident reports and dashboards;
– offers the ability to escalate incidents within security operations or to downstream systems (e.g. ticketing systems).

[Figure: Security Incident Management Workflow, showing notifications and the external ticketing system.] Logon of an unauthorized user triggers an alert and creates a task. The task is automatically escalated to the external ticketing system. IT Operations disables the account and the task is closed via 2-way integration. Security Operations validates the remediation and updates the report. The closed task is saved.

Increased Visibility into the Effectiveness of Threat Detection & Security Measures and Resources

Whether to get a snapshot of the overall state of security of the organization, to understand the vulnerability of key IT assets, or to assess the effectiveness of the security operations team, the security operations team needs quick access to information that will enable timely and accurate communication, decision-making and resource optimization.

The RSA enVision platform provides the complete range of monitoring and measurement information: from high-level graphical dashboards to detailed scheduled or on-demand reporting capabilities that can display essential data graphically or in tabular format.

Incident Management Metrics and Dashboards

Security operations management also needs easy Incident Management metrics and dashboards. With RSA enVision software, managers can quickly assess the effectiveness of the security organization with pre-defined or customizable dashboards that present incident handling metrics such as:
– team workload, including open incidents by owner
– incident rate
– recent activity
– closure rate
– average time to closure
– unacknowledged tasks

Vulnerability Management Metrics and Dashboards

Security operations management needs accurate, timely risk and vulnerability information that enables effective communication to the executive team and to the business. The RSA enVision platform presents managers graphical dashboards and detailed reports that include:
– summarized asset risk (vulnerabilities, patches, etc.)
– most vulnerable assets by severity
– most vulnerable assets by business rating
– incident trends

[Figure: Security Operations Dashboard for Incident Management]
[Figure: Security Operations Dashboard for Vulnerability Management]
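The closed-loop incident handling process of the previous section (notification, triage, analysis, escalation to a downstream ticketing system, remediation, closure, with an audit trail throughout) and the incident management metrics listed above, as one added Python example that is not part of the brief and not RSA enVision code. It keeps an incident in an explicit lifecycle whose allowed transitions are checked, so a closed task cannot be silently reopened by a stray downstream update; it accepts status changes from a hypothetical external ticketing system and maps them onto that lifecycle (the 2-way integration the workflow figure describes); and it computes open incidents by owner, closure rate, average time to closure and unacknowledged tasks. The state names, the ticket-status mapping and the three sample incidents are constructed, modelled on the unauthorized-logon scenario in the brief.

```python
"""Added example: closed-loop incident lifecycle with audit trail and metrics.
Not RSA enVision code; states, ticket statuses and sample incidents are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Allowed state transitions (constructed). CLOSED is terminal, so a closed incident
# cannot be silently reopened by a stray downstream update.
TRANSITIONS = {
    "NEW": {"TRIAGED"},
    "TRIAGED": {"ANALYSIS", "CLOSED"},
    "ANALYSIS": {"ESCALATED", "REMEDIATING", "CLOSED"},
    "ESCALATED": {"REMEDIATING", "CLOSED"},
    "REMEDIATING": {"CLOSED"},
    "CLOSED": set(),
}

# How a hypothetical external ticketing system's statuses map onto our lifecycle.
TICKET_STATUS_MAP = {"in_progress": "REMEDIATING", "resolved": "CLOSED"}


@dataclass
class Incident:
    id: str
    opened: datetime
    summary: str
    state: str = "NEW"
    owner: Optional[str] = None
    closed: Optional[datetime] = None
    audit: list = field(default_factory=list)  # (when, who, from_state, to_state, note)

    def transition(self, new_state, at, actor, note=""):
        """Every state change is validated and appended to the audit trail."""
        if not can_transition(self, new_state):
            raise ValueError(f"{self.id}: illegal transition {self.state} -> {new_state}")
        self.audit.append((at, actor, self.state, new_state, note))
        self.state = new_state
        if new_state == "CLOSED":
            self.closed = at


def can_transition(inc, new_state):
    return new_state in TRANSITIONS[inc.state]


def triage(inc, owner, at):
    """Acknowledge the task: assign an owner and move it out of NEW."""
    inc.owner = owner
    inc.transition("TRIAGED", at, owner, "assigned")


def accept_ticket_update(inc, ticket_status, at, source="ticketing"):
    """2-way integration: a downstream status change drives our state, after validation."""
    if ticket_status not in TICKET_STATUS_MAP:
        raise ValueError(f"unknown ticket status {ticket_status!r}")
    inc.transition(TICKET_STATUS_MAP[ticket_status], at, source, f"ticket={ticket_status}")


def metrics(incidents):
    """The management dashboard figures the brief lists."""
    open_ = [i for i in incidents if i.state != "CLOSED"]
    closed = [i for i in incidents if i.state == "CLOSED"]
    by_owner = {}
    for i in open_:
        label = i.owner or "unassigned"
        by_owner[label] = by_owner.get(label, 0) + 1
    durations = [i.closed - i.opened for i in closed]
    return {
        "open_by_owner": by_owner,
        "closure_rate": len(closed) / len(incidents) if incidents else 0.0,
        "avg_time_to_closure": sum(durations, timedelta()) / len(durations) if durations else None,
        "unacknowledged": sum(1 for i in open_ if i.state == "NEW"),
    }


def run_example():
    """Replay the brief's scenario: unauthorized logon -> task -> ticket -> closure."""
    t0 = datetime(2012, 2, 9, 10, 0)
    inc1 = Incident("INC-1", t0, "logon of unauthorized user")
    triage(inc1, "analyst1", t0 + timedelta(minutes=5))
    inc1.transition("ANALYSIS", t0 + timedelta(minutes=10), "analyst1", "asset/vuln lookup done")
    inc1.transition("ESCALATED", t0 + timedelta(minutes=15), "analyst1", "sent to IT Ops ticket")
    accept_ticket_update(inc1, "in_progress", t0 + timedelta(minutes=30))
    accept_ticket_update(inc1, "resolved", t0 + timedelta(minutes=60))  # account disabled
    inc2 = Incident("INC-2", t0 + timedelta(minutes=20), "policy violation")  # never picked up
    inc3 = Incident("INC-3", t0 + timedelta(minutes=25), "noisy scanner")
    triage(inc3, "analyst2", t0 + timedelta(minutes=26))
    inc3.transition("CLOSED", t0 + timedelta(minutes=40), "analyst2", "false positive")
    incidents = [inc1, inc2, inc3]
    return incidents, metrics(incidents)


if __name__ == "__main__":
    incs, m = run_example()
    for inc in incs:
        print(inc.id, inc.state, [f"{a[2]}->{a[3]}" for a in inc.audit])
    print(m)
```

The audit tuple records who made each change, which is what distinguishes a closure driven by the ticketing system from one made by an analyst; the metrics function treats anything still in NEW as unacknowledged, which is the figure a manager would watch for tasks nobody has picked up.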

Conclusion

The RSA enVision platform dramatically enhances the effectiveness and efficiency of security operations teams. By providing complete, in-depth data on events, assets, vulnerabilities and business priorities, and offering powerful correlation capabilities, organizations are relieved of chasing false positives and can focus on the organization's high-priority issues. By offering a collaborative, closed-loop incident handling process supported by rich content, comprehensive search function and drill-down forensic capability, organizations accelerate closure rates. By presenting informative, easy-to-use dashboards and reports, security management gets an accurate view of the state of security and can assess the effectiveness and efficiency of its security measures and organization.

RSA enVision 3-in-1 SIEM Platform – An end-to-end SIEM solution

[Figure: RSA enVision 3-in-1 SIEM Platform. Simplifying Compliance: compliance reports for regulations and internal policy, reporting, auditing. Enhancing Security: real-time security alerting and analysis, forensics, alert/correlation. Optimizing IT & Network Operations: IT monitoring across the infrastructure, network baseline, visibility. All built on the RSA enVision Log Management platform and its purpose-built database (IPDB), collecting from security devices, network devices, applications/databases, servers and storage.]

The RSA enVision platform offers an end-to-end SIEM solution that enables the transformation of security operations: it increases analyst productivity, provides security managers timely insight into their operations, and enhances integration with enterprise systems, all supported with rich content that evolves with business requirements and emerging threats. Its powerful 3-in-1 platform also dramatically simplifies compliance and provides essential information to IT and network operations teams. All within a single product.

Getting Started

The RSA enVision platform is designed for easy deployment and management. However, many organizations look for guidance and assistance to expedite time-to-value, facilitate the integration with existing systems and processes, establish best practices and ensure the alignment of technologies with security goals, or simply to complement in-house resources.

With RSA Professional Services you get world-class expertise to guide solution planning, design and deployment. Smart, experienced, skilled and committed to your success, the people of RSA Professional Services can help you quickly achieve the benefits of proven RSA enVision technology while reducing the risks often associated with new technology initiatives.


RSA is your trusted partner

RSA, the Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle – no matter where it moves, who accesses it or how it is used.

RSA offers industry-leading solutions in identity assurance & access control, data loss prevention & encryption, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

RSA, RSA Security, Event Explorer, enVision, LogSmart and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC. All other products or services mentioned are trademarks of their respective companies.

ENVSO SB 020912
