Post on 01-Jan-2016
An Introduction to SIEM & RSA enVision (Security Information and Event Management)
January 2011
Brian McLean, CISSP, Sr Technology Consultant, RSA
Changing Threats and More Demanding Regulations
– External attacks
– Malicious insiders taking financial info
– Careless users leaking IP
– Costly audit requirements
– New Web 2.0 and P2P technologies
– Ever-changing business requirements
(Diagram: network zones labelled R&D, Data Center, Financial, Executive and DMZ.)
IT Staff Feels the Pressure
– Overwhelming to process raw log and event volume.
– Security team lacks visibility into the IT environment.
– Real-time security posture is difficult to understand.
– Compliance is costly and resource-intensive.
Issues and Needs
– Issue: Security team cannot see into the IT environment. Need: Non-intrusive log collection to access all event sources.
– Issue: Overwhelming to process raw log and event volume. Need: Complete information lifecycle management process.
– Issue: Real-time security posture is difficult to understand. Need: Real-time risk-based prioritization of events.
– Issue: Compliance is time-consuming. Need: Compliance reports in minutes, not weeks.
RSA enVision 3-in-1 SIEM Platform
– Simplifying Compliance: compliance reports for regulations and internal policy (auditing, reporting)
– Enhancing Security: real-time security alerting and analysis (forensics, alert / correlation)
– Optimizing IT & Network Operations: IT monitoring across the infrastructure (visibility, network baseline)
All three are built on the RSA enVision Log Management platform and its purpose-built database (IPDB), which collects from servers, storage, applications / databases, security devices and network devices.
Simplifying Compliance: Robust Alerting & Reporting
– 1400+ reports included out of the box
– Easily customizable
– Grouped according to standards, e.g. National Laws (SOX, Basel II, JSOX), Industry Regulations (PCI), Best Practices & Standards (ISO 27002, ITIL)
Enhancing Security: Support the 3 Key Aspects of Security Operations
– Turn real-time events, e.g. threats, into actionable data
– Create a closed-loop incident handling process
– Report on the effectiveness of security management
"SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. This technology is used to filter incident information into data that can be acted on for the purposes of incident response and forensic analysis."
Mark Nicolett, Gartner
Optimizing IT & Network Operations: Identify Anomalies, Ease Troubleshooting
(Diagram: EMC Celerra storage events such as System Shutdown and System Failure.)
Benefits
Turns raw log data into actionable information
Increases visibility into security, compliance and operational issues
Saves time through compliance reporting
Streamlines the security incident handling process
Lowers operational costs
Why enVision?
– Any Data, Any Scale: collection of any type of log data, real-time correlation, and best-in-breed scalability
– Lowest TCO SIEM solution: appliance form factor, agentless architecture; flexible but simple customization
– Most Complete Security Knowledge: comprehensive combination of event sources, correlation rules and reports; frequent updates to the security knowledgebase; broad eco-system of strategic technology partners plus front-line security and compliance expertise
– Proven Solution with a large and active install base: unparalleled installed base of more than 1600 production customers; active online customer "Intelligence Community" for shared best practices and knowledge
– All from EMC/RSA: single strategic vendor with a strong balance sheet; simplified IT operations, single point of contact, and global customer support; integration with RSA and EMC solutions (e.g. Access Manager, Authentication Manager, Voyence, Celerra, Symmetrix)
Simplifying Compliance
Compliance challenges
– Historically, compliance processes involved dedicated resources performing multiple tasks, manually and repetitively
– The process for data collection was long and laborious
– Valuable data was often missed or not included
– Analysis and reporting was expensive and slow, and involved multiple log collection and analysis tools
– Companies struggle to keep pace with understanding and complying with relevant laws and regulations
A multitude of laws, rules and regulations to which an organization must comply, for example: PCI DSS, HIPAA, Internal Policy, GLBA, HSPD 12, CSB 1386, Country Privacy Laws, SOX, EU CDR, UK RIPA, FISMA, COCOM, Data Security Act, FACTA, EU Data Privacy Act, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, NISPOM, Partner Rules, ACSI 33, NIST 800, State Privacy Laws.
Automated Analysis for Simplifying the Compliance Lifecycle
RSA enVision automatically sorts event log data into the information categories required for adhering to compliance requirements:
– Access Control
– Configuration Control
– Malicious Code Detection
– User Monitoring and Management
– Policy Enforcement
– Environmental & Transmission Security
Event Taxonomy
– All 120,000+ distinct messages have been classified
– Hierarchical structure: 10 top level categories, 250 total categories
– Open, extensible architecture
  • Administrators can add their own messages and categories
  • Reports using these categories will automatically be updated as new devices and messages are added
Example: User Taxonomy Categories
User.Activity
User.Activity.Failed Logins
User.Activity.File Access
User.Activity.Known Bad Commands
User.Activity.Login
User.Activity.Login.Workstation Unlock
User.Activity.Logoff
User.Activity.Logoff.Workstation Lock
User.Activity.Normal Activity
User.Activity.Privileged Use.Denied
User.Activity.Privileged Use.Successful
User.Management
User.Management.Groups.Additions
User.Management.Groups.Deletions
User.Management.Groups.Modifications
User.Management.Groups.Modifications.User Added
User.Management.Groups.Modifications.User Removed
User.Management.Password.Expiration
User.Management.Password.Modification
User.Management.Password.Modification.Failed
User.Management.Permissions
User.Management.Users.Additions
User.Management.Users.Deletions
User.Management.Users.Disabled
User.Management.Users.Modifications
RSA enVision and the Compliance Lifecycle
The information gathered by RSA enVision can be used to help an organization understand:
– If it is compliant with regulations and laws
– What it needs to do to become compliant
– To show / prove that it is compliant to auditors
– To provide evidence on compliance that can be used in a court of law
Enhancing Security Operations
Agenda
– Detecting High-Risk Incidents
– Streamlining the Incident Handling Process
– Measuring the Value of Security Operations
Real Time Incident Detection: Finding Incidents in a Mountain of Data
(Funnel diagram: billions of raw events are reduced to thousands of security-relevant events, then to correlated alerts, then to dozens of high priority events, which become incidents.)
Real Time Incident Detection
Comprehensive Log Data – RSA enVision collects all log data from almost any third party device.
Asset Context – RSA enVision allows import of data about IT assets from asset management systems.
What Do I Need to Detect?
– Suspicious User Activity: unusual authentication or access control issues, like multiple failed logons, or unauthorized system accesses
– High Risk Vulnerabilities and Threats: detect new high risk vulnerabilities on critical assets, or likely attacks on vulnerable hosts
– Suspicious Network Activity: unusual deviations in network behavior, or network activity that violates policy
Real Time Incident Detection
Correlation rules, filters and watchlists – RSA enVision provides the ability to define correlation rules and watchlists of dynamic information.
Comprehensive correlation rules delivered out-of-the-box, e.g. CRL-00011 Several Failed Logins Followed By A Successful Login / Possible Successful Brute Force Attack Detected.
Timely threat information – RSA enVision provides regular updates of vulnerabilities, IDS signatures, event knowledge and correlation rules.
Detailed library of background information.
Use Case: Vulnerable Server Attacked
An attacker attacks a server. Three sources each hold one piece of the picture:
– IDS: knows it's being attacked
– VA Scanner: knows it's vulnerable
– Configuration Management Database: knows it's critical
RSA enVision correlates the three, knows a critical, vulnerable server is being attacked, and raises an alert to the analyst.
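As an added example (not RSA enVision code), the following Python scores IDS alerts using constructed VA-scanner and CMDB data, so that the critical, vulnerable server in the use case above ranks first; the hosts, field names and finding identifiers are assumptions.

```python
# Added example, not RSA enVision code: enrich IDS alerts with VA-scanner and
# CMDB context so an attack on a critical, vulnerable host outranks the same
# signature hitting a patched, low-value one.  All data is constructed and the
# field names are assumptions.

# Constructed IDS alerts: target host, signature, and the weakness it exploits.
IDS_ALERTS = [
    {"id": 1, "dst": "10.0.1.5",  "signature": "SMB overflow attempt", "exploits": "smb-overflow"},
    {"id": 2, "dst": "10.0.2.9",  "signature": "SMB overflow attempt", "exploits": "smb-overflow"},
    {"id": 3, "dst": "10.0.3.77", "signature": "HTTP directory scan",  "exploits": None},
]
# Constructed VA scanner results: open findings per host.
VA_FINDINGS = {"10.0.1.5": {"smb-overflow"}, "10.0.2.9": set()}
# Constructed CMDB: business criticality per host (1 = low, 3 = critical).
CMDB = {"10.0.1.5": {"name": "finance-db", "criticality": 3},
        "10.0.2.9": {"name": "test-web", "criticality": 1}}

def enrich(alert, findings=VA_FINDINGS, cmdb=CMDB):
    """Attach a risk score and the reasons behind it, as the analyst would see them."""
    asset = cmdb.get(alert["dst"])
    vulnerable = (alert["exploits"] is not None
                  and alert["exploits"] in findings.get(alert["dst"], set()))
    score, reasons = 1, ["IDS: " + alert["signature"]]
    if vulnerable:                       # IDS knows it's attacked, VA knows it's vulnerable
        score *= 3
        reasons.append("VA: host is vulnerable to what the signature exploits")
    if asset:                            # CMDB knows how much the asset matters
        score *= asset["criticality"]
        reasons.append(f"CMDB: {asset['name']} criticality {asset['criticality']}")
    else:                                # unknown host: keep weight 1 but flag the gap
        reasons.append("CMDB: unknown asset, weighted as criticality 1 (inventory gap)")
    level = "HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"
    return {**alert, "score": score, "level": level, "reasons": reasons}

def prioritize(alerts=IDS_ALERTS):
    """Highest-risk first: the 'dozens of high priority events' the analyst works."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e["score"], reverse=True)

if __name__ == "__main__":
    for e in prioritize():
        print(e["level"], e["score"], e["dst"], "; ".join(e["reasons"]))
```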
Monitoring and Management: Key Metrics & Dashboards
(Dashboard examples: Network Activity by Category, IDS Top Threats, Incident Rate, Most Vulnerable Assets by Severity.)
Summary Benefits
– Reduced risk: highest priority issues identified; most vulnerable assets highlighted
– Increased analyst productivity: streamlined incident management process
– Improved management visibility: focus staff on highest risk areas
– Fully auditable process for compliance reporting
Optimizing IT and Network Operations
How SIEM helps IT & Network Managers
The analysis of event logs from the network helps IT and Network Operations managers:
– Optimize network performance by identifying issues and faulty equipment
– Assist IT managers with Helpdesk Operations by:
  • helping reveal what is going on in the network
  • providing global views of all network activity
  • alerting them to network problems
  • automatically providing them with customised Dashboards of essential information
– Gain visibility into specific behavioral aspects of individuals or groups of users
Let's look at these in more detail…
Identifying Issues & Optimizing Network Performance
Performance management
– Log events contain information on utilization and error conditions
  • Example: disk space running low, high bandwidth utilization
Fault management
– Use alerts to highlight potential network problems when deviations from standard baseline activity occur
– Integration with IT operations systems (e.g. EMC SMARTS) helps enable detection and response to faults
  • Example: read/write failures, power spikes, fan failure
– Generate alerts if observed activity stops on any important asset (device or application may be down)
Assisting Helpdesk Operations
RSA enVision provides helpdesk operations with a clearer view of what events are taking place in the network:
– That affect users
– That affect hardware / software
– That affect business systems
Example use cases include:
– Creating automated reports that provide activity reports on chosen assets
– Generating reports on activity relating to specific IP addresses
– Using Event Explorer to analyze historical data relating to incidents
– Alerting on detection of virus activity within the network
Assisting Helpdesk Operations to Investigate User Problems
The IT / Network manager can run a variety of reports, each focusing on a specific question that may need to be investigated.
Example Use Case:
– IT Operations in a multi-national organization spent 3 days trying to establish why an executive could not log onto the network
– User had logged off, changed his password, could not log back on
– Several IT staff looked at this problem for 3 days
– Eventually they ran a report on RSA enVision looking at all logs for the user globally over the past 6 months
– Within 15 minutes, established that the manager had travelled to Singapore, had logged onto the network but had NOT logged off
– IT support logged the user off the network in Singapore and the user could now log back onto the network with the new password!
Building More Complex Alerts: "Correlated Alerts"
Correlated Alerts enable IT & Operations staff to build more complex, customized alerts that fire only upon a sequence of activity occurring.
Enables IT & Operations staff to
– Focus only on important issues
– Rationalize resources
– Be creative in alerting
(Diagram: if "x" and "y" then fire alert. Generate an ALERT!)
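The out-of-the-box rule CRL-00011 (several failed logins followed by a successful login) and the "if x and y then fire alert" pattern of Correlated Alerts are the same kind of sequence correlation. As an added example, not the product's own rule engine, the following Python applies such a rule to a few constructed log lines; the log format, field names, threshold and time window are assumptions.

```python
# Added example, not RSA enVision code: a sequence correlation rule in the
# style of "several failed logins followed by a successful login".  The log
# format, field names, threshold and window are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, host, event, user, outcome.
SAMPLE_LOG = """\
2011-01-10T09:00:01 srv-fin01 login user=alice result=FAIL
2011-01-10T09:00:04 srv-fin01 login user=alice result=FAIL
2011-01-10T09:00:07 srv-fin01 login user=alice result=FAIL
2011-01-10T09:00:09 srv-fin01 login user=alice result=FAIL
2011-01-10T09:00:12 srv-fin01 login user=alice result=SUCCESS
2011-01-10T09:05:00 srv-db02 login user=bob result=FAIL
2011-01-10T09:30:00 srv-db02 login user=bob result=SUCCESS
"""

def parse(line):
    """Split one log line into the fields the rule keys on."""
    ts, host, _event, user_kv, result_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user_kv.split("=", 1)[1], "result": result_kv.split("=", 1)[1]}

def correlate_brute_force(lines, threshold=3, window=timedelta(minutes=2)):
    """Fire one alert per (host, user) when at least `threshold` FAIL events are
    followed by a SUCCESS within `window`: the failures are the "x", the
    success the "y" of an "if x and y then alert" rule."""
    failures = defaultdict(deque)        # (host, user) -> timestamps of recent FAILs
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        recent = failures[(ev["host"], ev["user"])]
        while recent and ev["ts"] - recent[0] > window:   # drop FAILs outside the window
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif ev["result"] == "SUCCESS":
            if len(recent) >= threshold:
                alerts.append({"rule": "Several Failed Logins Followed By A Successful Login",
                               "host": ev["host"], "user": ev["user"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            recent.clear()               # a success ends the sequence either way
    return alerts

if __name__ == "__main__":
    for alert in correlate_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

Bob's single failure 25 minutes before his success falls outside the window, so only Alice's sequence produces an alert.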
Summary: How SIEM helps IT & Network Managers
– Can be used to optimize network performance by identifying issues and faulty equipment
  • Troubleshooting network problems
– Assist IT managers with Helpdesk Operations by:
  • helping reveal what is going on in the network
  • providing global views of all network activity
  • alerting them to network problems
  • automatically providing them with customized Dashboards of essential information
  • providing a tool for detailed forensic work
– Gives IT & Network Operations visibility into specific behavioural aspects of individuals or groups of users
RSA enVision: Stand-alone Appliances to Distributed Solutions
(Chart: events per second (EPS) against number of devices, from 100 devices up to 30,000 devices and 300,000 EPS; ES Series appliances cover the lower range (to roughly 7500 EPS) and LS Series the upper range (to roughly 30,000 EPS).)
RSA enVision Deployment: Scales from a Single Appliance…
(Architecture diagram, bottom to top: Collect from supported devices, e.g. Trend Micro Antivirus, Microsoft ISS, Juniper IDP, Cisco IPS, Netscreen Firewall, Windows Server, UDS and legacy devices; Manage; Analyze with Event Explorer, providing Baseline Reports, Forensics, Correlated Alerts, Realtime Analysis, Integrated Incident Mgmt. and Interactive Query.)