Cisco-rsa Envision Integration Customer Deck (1)

Post on 13-Dec-2015


RSA and Cisco SIEM Partnership

February 2010


Agenda

Cisco – RSA/EMC Partnership Overview

Cisco – RSA enVision integrations

Enhancing security

Simplifying compliance

Optimizing network & IT operations

Comprehensive Cisco device coverage

Solution benefits


Cisco – RSA/EMC Partnership Overview

Cisco and RSA/EMC's long-standing partnership provides customers with tightly integrated and certified solutions in remote access, virtualization, DLP, Web security, wireless, core routing, and IP telephony

Two key proof points:

RSA Email DLP

“RSA Email DLP” software add-on for IronPort C-Series V7.0

Developed by Cisco based on RSA DLP SDK & policies

Available since Nov 2009 and offered by Cisco

33 deals closed in first 9 weeks of availability

Cisco IronPort RSA Email DLP add-on

#1. VMware, Cisco and EMC partner to offer Vblock infrastructure packages

#2. RSA DLP and Cisco IronPort offer built-in approach to data security


Cisco – RSA enVision Integrations (1/2)

High quality integrations due to Cisco and RSA partnership

– Sharing of roadmaps, log/event knowledge

– Optimized log/event parsing, correlation rules, and reports

20+ Cisco devices supported by RSA enVision

– Latest versions for Security, Networking, Wireless and Virtualization products

– Cisco updates supported by RSA typically within 1 quarter of production release

– enVision product infrastructure designed to be able to easily add Cisco devices


Cisco – RSA enVision Integrations (2/2)

RSA enVision - MARS integration highlights

– Capture all 100+ MARS alerts and correlate them with other devices & applications throughout your infrastructure, OR

– Send all raw logs from MARS Archives to enVision for processing


RSA enVision Enhances Cisco’s Security Capabilities

RSA enVision improves Cisco’s security visibility

– Correlates alerts from Cisco devices with information across other event streams to improve protection of business critical data and assets

– Includes event streams from applications, databases, data loss prevention systems, physical and virtual servers, etc.

– Provides an interface to investigate issues Cisco devices identify

Logs and events from Cisco devices captured by enVision enable numerous use cases, e.g.:

– Latest IPS 7.0 reputation scoring

– Location aware access monitoring & alerting (via Cisco MSE)

– CS MARS & ASA Botnet detection

– Proactive views on Web Security Gateways


Use Case: Security Incident Classification (leverages the Cisco IPS 7.0 reputation score)

1. Cisco IPS 7.0 detects signatures firing from sources with a negative reputation score

2. RSA DLP detects information leaving the network

3. Analyst investigates the malware outbreak; DLP tells you whether confidential data was lost as a result

Without enVision to correlate Cisco IPS and DLP events:

• Analyst needs training in 2 products

• No single pane of glass to get the full picture

Without DLP:

• True impact of the malware infection is not known

Without Cisco IPS:

• Slower detection of the malware outbreak

• More resource-intensive investigation

[Diagram labels: DLP, Network]

Use Case: RSA enVision Uses Cisco Location Data to Enforce Business Policy

Before: Without MSE, privileged users in unauthorized locations are undetected

[Diagram labels: Enterprise Network, Finance Department, Cafeteria, Events, Analyst, Critical Host]

1. Finance Manager accesses confidential data from her office. At lunch time she takes her laptop with her to finish working in the cafeteria.

2. RSA enVision detects when the user has accessed the financial database and on what device, but cannot determine the location.

3. Analyst does not have the location information needed to determine whether an unauthorized-location policy breach has occurred.

After: With MSE, unauthorized location access is detected immediately through a correlated alert

[Diagram labels: Enterprise Network, Finance Department, Cafeteria, Cisco MSE (Location), Events, Analyst, Critical Host]

1. Finance Manager accesses confidential data from her office. At lunch time she takes her laptop with her to finish working in the cafeteria.

2. RSA enVision now receives location information from the Cisco MSE and correlates it with logs from the critical host to alert that a policy violation has occurred.

3. RSA enVision alerts the analyst of the policy breach, who can report the incident and take appropriate action.
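The two correlation use cases above (IPS reputation hit followed by a DLP alert from the same source; database access while the Cisco MSE places the device outside its authorized zone) are each a time-windowed join across event streams. The following is an added example, not enVision or Cisco code: a minimal correlation engine over constructed sample events. The simplified "timestamp host type key=value" line format, the host names, the signature and reputation values, and the AUTHORIZED_ZONES policy are all assumptions made for illustration; real IPS, DLP and MSE feeds would need their own parsers.

```python
"""Added example (not RSA/Cisco code): minimal event correlation in the
spirit of the enVision IPS+DLP and MSE-location use cases."""
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp host type key=value..." form.
SAMPLE_LOGS = """\
2010-02-03T12:01:05 ips01 IPS reputation=-7.5 sig=5321 src=10.20.30.40 dst=198.51.100.9
2010-02-03T12:03:40 dlp01 DLP policy=CustomerPII src=10.20.30.40 dst=203.0.113.7 action=alert
2010-02-03T12:15:00 dbfin01 DBACCESS user=jsmith device=LT-FIN-017 table=gl_ledger
2010-02-03T12:16:10 mse01 MSE device=LT-FIN-017 zone=Cafeteria
2010-02-03T09:10:00 dbfin01 DBACCESS user=jsmith device=LT-FIN-017 table=gl_ledger
2010-02-03T09:10:30 mse01 MSE device=LT-FIN-017 zone=Finance
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<type>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed policy: which MSE zones may access which sensitive tables.
AUTHORIZED_ZONES = {"gl_ledger": {"Finance"}}


def parse(text):
    """Parse the constructed line format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "type": m["type"]}
        ev.update(KV_RE.findall(m["rest"]))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate_ips_dlp(events, window=timedelta(minutes=15), threshold=-5.0):
    """Rule 1: a DLP alert within `window` after an IPS hit with a reputation
    score at or below `threshold` from the same source is a critical incident."""
    ips_hits = [e for e in events if e["type"] == "IPS" and float(e["reputation"]) <= threshold]
    incidents = []
    for dlp in (e for e in events if e["type"] == "DLP"):
        for ips in ips_hits:
            if ips["src"] == dlp["src"] and timedelta(0) <= dlp["ts"] - ips["ts"] <= window:
                incidents.append({"severity": "critical", "src": dlp["src"],
                                  "policy": dlp["policy"], "sig": ips["sig"]})
    return incidents


def correlate_location(events, window=timedelta(minutes=5)):
    """Rule 2: access to a sensitive table while the nearest MSE fix (within
    `window`) for the same device is outside the authorized zone set."""
    fixes = [e for e in events if e["type"] == "MSE"]
    violations = []
    for acc in (e for e in events if e["type"] == "DBACCESS"):
        allowed = AUTHORIZED_ZONES.get(acc["table"])
        if not allowed:
            continue  # table is not location-restricted
        nearby = [f for f in fixes
                  if f["device"] == acc["device"] and abs(f["ts"] - acc["ts"]) <= window]
        if not nearby:
            continue  # no location evidence: the "before MSE" situation
        fix = min(nearby, key=lambda f: abs(f["ts"] - acc["ts"]))
        if fix["zone"] not in allowed:
            violations.append({"user": acc["user"], "device": acc["device"],
                               "table": acc["table"], "zone": fix["zone"],
                               "ts": acc["ts"].isoformat()})
    return violations


def run(text=SAMPLE_LOGS):
    events = parse(text)
    return {"incidents": correlate_ips_dlp(events), "violations": correlate_location(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

On the sample data rule 1 raises one critical incident for 10.20.30.40 and rule 2 flags only the 12:15 ledger access (nearest MSE fix: Cafeteria); the 09:10 access correlates to a Finance fix and passes. Note that rule 2 silently passes when no MSE fix exists within the window, which is exactly the blind spot the "before" slide describes.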

Example enVision SOC Dashboard


RSA enVision in Action at a SOC: EMC Critical Incident Response Center


RSA enVision Simplifies Compliance for Cisco Customers

Maps Cisco data back to specific standards, e.g. National Laws (SOX, Basel II, JSOX), Industry Regulations (PCI), Standards (ISO 27002, ITIL)

Presents Cisco log data alongside other compliance-relevant information (e.g. server logs, application activity, user activity, etc.)

1300+ reports included out of the box, including many that are Cisco-specific

Easily customizable


Use Case: Auditor Asks for Logs of All Config Changes

Sources the analyst must cover:

– applications / databases

– Cisco Firewall Logs

– Cisco Router Logs

– Server Logs

– Cisco Security Device Alerts

Use Case: Auditor Asks for Logs of All Privileged Users

Sources the analyst must cover (GREP… GREP… GREP… GREP… GREP…):

– applications / databases

– Cisco Firewall Logs

– Cisco Router Logs

– Server Logs

– Cisco Security Device Alerts

– Active Directory

Sample Compliance Reports (PCI): Cisco router config changes; Cisco ASA top sources

RSA enVision Optimizes IT & Network Operations for Cisco Customers

RSA enVision provides a single global view into all network activity, enabling IT operations analysts to

– Discover anomalies

– Quickly determine root cause of non-security related problems

Examples of issues easily identified with enVision:

– Configuration changes

– System failures

– System shutdowns

– Service restarts


Use Case: Security Change Audit & Compliance Enforcement for Cisco Network

Problem: Security ops requires full lifecycle view including change auditing capabilities across the Cisco network

– Who changed what and when? Was it approved?

Solution:

– Ionix NCM change management continually monitors configuration changes and notifies RSA enVision

– Delivers key data on in-process and out-of-process changes

– Who, what, when, approved/non-approved

Benefits:

– Auditability, visibility of IT Operations

– Identify approved and unapproved changes

[Diagram: IT Administrator reconfiguring network components -> EMC Ionix Network Configuration Manager (config change and out-of-policy events) -> RSA enVision (network security usage & status events) -> correlated alerts and reports]
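The "who changed what and when, and was it approved?" check described above amounts to matching each configuration-change event against an approved change window. The following is an added example, not EMC Ionix NCM or enVision code: it parses the Cisco IOS %SYS-5-CONFIG_I and ASA %ASA-5-111008 syslog messages and classifies each change as in-process or out-of-process. The sample syslog lines are constructed in the style of those real message formats, and the approved change tickets, device names and users are invented for illustration.

```python
"""Added example (not Ionix NCM or enVision code): classify Cisco
configuration-change syslog messages against an approved change window."""
import re
from datetime import datetime

# Constructed sample syslog lines (syslog priority prefix omitted).
SAMPLE_SYSLOG = """\
Feb  3 02:05:11 rtr-core-1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.1.1.50)
Feb  3 14:22:47 rtr-core-1 %SYS-5-CONFIG_I: Configured from console by jdoe on vty1 (10.1.1.77)
Feb  3 02:10:03 asa-dmz-1 %ASA-5-111008: User 'netops' executed the 'configure terminal' command.
Feb  3 14:25:30 asa-dmz-1 %ASA-5-111008: User 'jdoe' executed the 'no access-list OUTSIDE_IN' command.
"""

# Constructed approved change tickets: (ticket, device, user, window start, window end).
APPROVED_CHANGES = [
    ("CHG-1042", "rtr-core-1", "netops", datetime(2010, 2, 3, 2, 0), datetime(2010, 2, 3, 3, 0)),
    ("CHG-1042", "asa-dmz-1", "netops", datetime(2010, 2, 3, 2, 0), datetime(2010, 2, 3, 3, 0)),
]

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
IOS_RE = re.compile(TS + r" (?P<host>\S+) %SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+)"
                    r" on (?P<line>\S+)(?: \((?P<ip>[\d.]+)\))?")
ASA_RE = re.compile(TS + r" (?P<host>\S+) %ASA-5-111008: User '(?P<user>[^']+)'"
                    r" executed the '(?P<cmd>[^']+)' command\.")


def parse_ts(s, year=2010):
    """Syslog timestamps carry no year; the year is assumed (2010 here)."""
    return datetime.strptime(f"{year} {' '.join(s.split())}", "%Y %b %d %H:%M:%S")


def parse_changes(text):
    """Extract config-change events from IOS and ASA syslog lines."""
    changes = []
    for line in text.splitlines():
        for kind, rx in (("ios", IOS_RE), ("asa", ASA_RE)):
            m = rx.match(line)
            if m:
                d = m.groupdict()
                d["ts"] = parse_ts(d["ts"])
                d["kind"] = kind
                changes.append(d)
                break
    return changes


def classify(change, approved=APPROVED_CHANGES):
    """In-process if device, user and time all fall inside an approved ticket."""
    for ticket, device, user, start, end in approved:
        if change["host"] == device and change["user"] == user and start <= change["ts"] <= end:
            return ("in-process", ticket)
    return ("out-of-process", None)


def audit(text=SAMPLE_SYSLOG):
    """Produce who / what / when / approved rows for every change seen."""
    rows = []
    for ch in parse_changes(text):
        status, ticket = classify(ch)
        rows.append({"when": ch["ts"].isoformat(), "device": ch["host"], "who": ch["user"],
                     "what": ch.get("cmd") or f"config session from {ch['line']}",
                     "status": status, "ticket": ticket})
    return rows


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The IOS message only tells you that a configuration session happened (and from which line and address), whereas the ASA message records the individual command, so the "what" column is far richer for the ASA; full before/after diffs are what a configuration manager such as Ionix NCM adds on top of syslog. The two jdoe changes in the sample fall outside any approved window and are reported as out-of-process.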


RSA: Broad and Deep Cisco Support: enVision integrated with 20+ Cisco devices

• Access Control Server - versions 3.3, 4.0, 4.2 (software only)

• Access Control Server - versions 4.0, 4.1, 4.2 (appliance)

• Secure Access Control Server Express - version 5.0

• Cisco Adaptive Security Appliance Software - versions 8.2, 7.1(2), 7.2 (to generate syslog events)

• Cisco ASA Security Services Module Software - version 5.1(1p1) (to generate IDS events)

• Aironet AP (Wireless Access Point) - version IOS 12.2

• Catalyst Switch 6500 CATOS - version 8.3 (alerting only)

• CiscoWorks Network Compliance Manager - version 1.4 SP2

• Content Engine - versions 5.0, 5.4

• Content Services Switch - versions 5.10, 8.10

• IronPort Email Security Appliance - version 5.7.0

• IronPort Web Security Appliance- version 5.7.0, 6.3

• Mobility Services Engine - version 5.2.91.0

• PIX Firewall - version 8.2, 7.0

• Router - version IOS 12.4

• Secure IDS - versions 4.x, 5.0, 5.1, 6.0, 6.1, 6.2, 7.0

• Security Agent - versions 4.0, 5.1, 6.0

• Security Manager (also branded as CiscoWorks Common Services) - version 2.3, 3.0, 3.3

• VPN 3000 Concentrator - versions 3.6.7 , 4.0, 4.1, 4.7

• Wireless LAN Controller (WLC) - version 5.2.157.0

• CS MARS – version 6.x

• Cisco UCS Version 1.1


RSA: Broad and Deep Cisco Support: Cisco device roadmap for Q1 2010

New devices

– Cisco MARS Archives

– Cisco FWSM

– Cisco ASR 1000 v2.5

Device updates

– Cisco Adaptive Security Appliance Software v8.0.2

– IronPort Email Security Appliance v7.0

– Router v15.M1

Cisco product updates supported by RSA typically within 1 quarter of production release


Cisco - RSA enVision Solution Benefits

Reduce security risk

• Prioritize incidents by correlating threats with data sensitivity

• Identify threats more quickly with smarter correlation based on location

Simplify compliance

• Map Cisco data (plus other compliance-relevant data, e.g. server logs) back to specific standards & regulations

• 1300+ reports out of the box

Optimize IT operations

• Audit security changes

• Enforce compliance

• Ease troubleshooting via global view into network logs / events

Sample List of Standard Firewall Reports

Top 10 requested URL/FTP destinations

Top 20 bandwidth users

Top 10 source addresses of alarms

Denied inbound IP spoofing

Blocked URL events

Denied connections per hour

FTP requests: by hour, dept, foreign/local address

Outbound e-mail/ftp/HTTP traffic


Example ASA Reports