RSA enVision 4.0 Overview Guide

Contact Information

Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks

RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement

This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-party licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Limit distribution of this document to trusted personnel.

RSA notice

The RC5™ Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and #5,835,600.

© 2010 RSA Security Inc. All rights reserved. January 2010

RSA enVision 4.0 Overview Guide

Contents

Preface
About This Guide
RSA enVision Documentation
Related Documentation
Getting Support and Service

Chapter 1: About RSA enVision
RSA enVision Solution
RSA enVision Platform
User Experience

Chapter 2: Event Collection
Event Sources
Message Categories
Event Storage

Chapter 3: Vulnerability and Asset Management
Asset Data
Vulnerability Data

Chapter 4: Incident Management
Real-Time Alerts
Incident-Response Tasks
Forensic Analysis

Chapter 5: Reports and Queries
Reports
Queries

Chapter 6: Compliance

Chapter 7: Further Information and Assistance
Help Systems
Online Resources
Event Source, Report, Correlation Rule, and VAM Updates
Assistance


Preface

About This Guide

This guide introduces RSA enVision features and capabilities. It is intended for enVision administrators, enVision users, and anyone who requires a high-level understanding of enVision.

RSA enVision Documentation

For more information about RSA enVision, see the following documentation:

Hardware Guide. Instructions on setting up your RSA enVision appliances. Intended audience is the system administrator.

Configuration Guide. Instructions on configuring your RSA enVision site. Intended audience is the system administrator.

Migration Guide. Instructions on migrating your data from a previous version of RSA enVision to the current version.

RSA enVision Help. Comprehensive embedded guide to setting up RSA enVision processing options and using RSA enVision analysis tools.

Related Documentation

For more information about RSA enVision Event Explorer, see the following documentation:

Installation Guide. Instructions on installing the RSA enVision Event Explorer client on your personal computer. Intended audience is the end user.

RSA enVision Event Explorer Help. Comprehensive embedded guide to setting up and using RSA enVision Event Explorer.

Getting Support and Service

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.rsa.com/support

RSA Secured Partner Solutions Directory www.rsasecured.com


The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA enVision software.

Please have the following information available when you call:

Your RSA Customer/License ID

RSA enVision software version number

The make and model of the machine on which the problem occurs

The name and version of the operating system under which the problem occurs


1 About RSA enVision

The RSA enVision platform is a security information and event management (SIEM) solution. It collects log messages and vulnerability and asset data from the entire IT network, applies logic to the data, and provides actionable information in the form of reports and real-time alerts.

RSA enVision Solution

RSA enVision gives users a single, integrated SIEM solution for meeting the following business needs:

• Enhanced security

• Simplified compliance

• Optimized IT oversight

Enhanced Security

RSA enVision provides security specialists with a clear view of threats and risks and the means to counter them.

RSA enVision collects all the logs generated by network assets, such as servers, switches, routers, storage arrays, operating systems, and firewalls. It analyzes the logs in real time, and can generate alerts when it detects suspicious patterns of activity. Because enVision contains information about common threats, it detects many common security attacks.

In addition, enVision contains data from supported configuration management systems and asset scanners. Using this data, enVision recognizes the asset under threat and calibrates the urgency of the alert.

Security staff can then use RSA enVision Event Explorer, an advanced analytical tool, to examine the full volume of stored and incoming data.

[Figure: RSA enVision interprets, analyzes, and stores its inputs (log messages and vulnerability scans) and produces its outputs (alerts and reports).]


Simplified Compliance

RSA enVision eases the burden of complying with regulations, standards, and an organization’s own policies. It enables event monitoring and incident response, and includes compliance reports tailored to specific requirements. For example, enVision provides reports for demonstrating compliance with laws (such as the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act) and with industry standards (such as the Payment Card Industry Data Security Standard and ISO 27002).

RSA enVision automates the process of collecting, sorting, analyzing, and storing log messages. All logs are gathered without filtration or normalization and are protected from tampering. Compliance specialists can find in the stored logs a complete accounting of network activity. RSA enVision thus provides a verifiably authentic archive of data that simplifies compliance with today’s requirements and with whatever legislation may emerge in the future.

Optimized IT Oversight

Managed log data is the best source of information about infrastructure status and performance and the activities of applications and users.

RSA enVision can alert IT staff in real time to faulty equipment and anomalous network activity, as well as provide granular visibility into the specific behaviors of applications and end users. Its incident-handling facilities manage the creation and assignment of remediation tasks to administrators and help desk personnel and assist in tracking their progress.

In addition, the enVision baselining, trending, and reporting functionality provides a long-term graphical overview of system performance and events.

RSA enVision Platform

RSA enVision scales from a single appliance to a large, distributed, multiple appliance system. In all deployments, authorized users can use enVision to find all the logs and other data.

Platform Components

RSA enVision consists of the following integrated components, each with a specialized function:

Collector. Receives and interprets log messages from network assets, and stores this event data in the LogSmart Internet Protocol Database (IPDB). (RSA refers to these processed log messages as events.)

Database Server (D-SRV). Retrieves event data from the IPDB in response to user requests.

Application Server (A-SRV). Runs the applications that enable user and administrator actions, such as creating users, querying the data, and directing enVision to generate alerts and reports. Users and administrators can log on to the enVision user interface through a web browser on their personal computers.


Event Explorer. A client application that is specialized for incident handling and forensic analysis. Event Explorer runs on users’ personal computers and connects to enVision to access the collected data.

The following figure illustrates the enVision components, their functions, and the connections among them.

Platform Deployments

RSA enVision runs on a standalone appliance or within a scalable, distributed architecture able to cope with the demands of the largest enterprise networks.

The simplest deployment has the enVision components (Collector, D-SRV, and A-SRV) preinstalled in one appliance. It can be supplemented with external storage.

Depending on the model, a single enVision appliance supports up to 14 simultaneous users. The high-end appliance can, with external storage, accommodate up to 1,250 event sources.


For larger deployments, the Collector, D-SRV, and A-SRV are each installed on a separate appliance and supplemented with network-attached storage. The appliances are collectively referred to as a site.

A site has a single D-SRV appliance supporting multiple A-SRV appliances and Collector appliances, including Collectors in remote geographic locations.

In this distributed deployment, each A-SRV can accommodate 16 simultaneous users. A single site can accommodate up to 6,144 event sources.

The largest deployments include several sites, each supporting multiple A-SRVs and Collectors.

For information on enVision deployments, contact your RSA sales representative, or go to www.rsa.com/products/envision/datasheets/9245_3in1_DS_0209-lowres.pdf.

[Figure: a multi-site deployment (Site 1 and Site 2). Each site has a D-SRV, one or more A-SRVs, and several Collectors; each Collector receives logs from its event sources.]


User Experience

Users and administrators control enVision and Event Explorer through graphical user interfaces (GUIs). The enVision administrator creates users and user groups with varying levels of permissions, and each user sees only the operations for which permission has been granted.

RSA enVision GUI

All pages of the enVision GUI show the navigation tools in the left panel and the current window on the right.

The landing page is the Dashboard. Each user and administrator can configure a personal dashboard that shows his or her choice of reports. The navigation tree on the left is expanded at startup to show the available reports and those selected for display.

For example, the following figure shows an enVision landing page with the expanded navigation tree (Overview > Dashboard) on the left and the Dashboard window configured to show several graphical and tabular reports.

To navigate the enVision GUI, select a tab at the top of the left panel: Overview, Alerts, Analysis, or Reports. The panel refreshes to display the choices available under the selected tab.

[Figure: the enVision landing page, showing the tabs, the available reports, other Overview topics, and the user-selected reports on the Dashboard.]


RSA enVision provides a comprehensive Help system with instructions for using the features on each window. When using any window in the GUI, click the question mark icon to see context-sensitive Help for that window. RSA enVision displays the Help topic for the current window in a new browser window, with the Help Table of Contents in the left panel. The left panel also displays links to a Help index and a search facility.

RSA enVision Event Explorer GUI

RSA enVision Event Explorer is specialized for performing forensic analysis and managing tasks involved in incident response. Event Explorer receives the incident-response tasks that enVision generates and enables users to analyze the data that enVision collects.

The Event Explorer GUI has panels related to its two primary functions, Event Traces (for forensic analysis) and Task Triage (for handling incidents), as well as additional panels showing more details about traces and tasks. Users can display just one or multiple panels at a time.

Event Explorer Help is available by clicking Help on the menu bar on any window. Event Explorer displays the Help Table of Contents in a new browser window. It includes an index and a search facility.

[Figure: the Event Explorer GUI, showing the Event Traces panel with its trace views and the Task Triage panel with its tasks.]


2 Event Collection

RSA enVision collects, analyzes, and stores logs from event sources throughout an organization’s IT environment. The logs and the descriptive metadata that enVision adds are stored in the LogSmart Internet Protocol Database (IPDB).

Event Sources

Event sources are the IP assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls.

The enVision administrator configures event sources to send their logs to the Collector or configures the Collector to poll event sources and retrieve their logs. As a result, the Collector receives all system logs in their original form, without filtering, normalization, or compression.

Message Categories

The Collector is equipped with files for each supported event source. These files enable the Collector to interpret the often cryptic log messages, no matter what their format. RSA updates these files frequently to support new event sources and new log messages that event source vendors have added. RSA enVision collects syslog, and it also provides other collection services, including NIC Windows Service, NIC FW-1 LEA Client Service, NIC File Reader Service, NIC SFTP Agent, NIC ODBC Service, and NIC Secure SDEE Collection Service.

For each message, the Collector records the event source and time received, and assigns the message a numeric ID. The Collector also assigns each message to a message category that indicates the kind of action that gave rise to the message. This descriptive metadata (source, time, ID, and category) is used in configuring alerts and in retrieving events for forensic analysis.

The message categories are hierarchical. The top level, called the NIC category, has ten possible values:

• Attacks

• Reconnaissance (such as port scans)

• Content (web content events, such as normal transactions or suspect requests)

• Authentication (authentication events)

• User (such as logon and file access)

• Policies (such as firewall rule events)

• System (hardware errors)

• Configuration (administrator modifications)

• Network (such as usage or routing errors)

• Other


Within NIC categories, messages are further classified by alert category and then by up to three levels of event category. For example, a log message in the Attacks category might be further categorized as Malicious Code (alert category), and further as a Worm (event category).

The following figure shows a five-level message classification, as well as the syntax for specifying categories when configuring alerts or conducting analysis.

The enVision administrator uses message categories in configuring alerts. When incoming messages and possibly other criteria, such as event source or time frame, meet the conditions that the administrator has specified for an alert, the alert is triggered immediately.

In addition, the categorization of log messages enables enVision to establish activity baselines, which it can use to determine whether a certain activity or level of activity is anomalous. The categorized log data is also used for alerting and reporting.
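As an added illustration (not RSA's code), the following Python parses the dotted category syntax this chapter describes, validates the top level against the ten NIC categories listed above, and shows how an alert configured on a higher level of the hierarchy covers every message category beneath it. The prefix-matching behaviour, the message IDs, and the sample categories other than the guide's own TELNET and Malicious Code/Worm examples are assumptions.

```python
"""Added example, not RSA's code: parse enVision-style dotted message
categories and match them against the category an alert is configured on.

Assumed: the NIC.Alert.Event1.Event2.Event3 layout described in this guide
(e.g. "Attacks.Access.Informational.Network Based.TELNET") and that an alert
on a higher level covers every category beneath it (prefix matching)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ten top-level NIC categories listed in this chapter.
NIC_CATEGORIES = frozenset({
    "Attacks", "Reconnaissance", "Content", "Authentication", "User",
    "Policies", "System", "Configuration", "Network", "Other",
})
MAX_EVENT_LEVELS = 3  # alert category followed by up to three event categories


@dataclass(frozen=True)
class MessageCategory:
    nic: str                    # NIC category
    alert: Optional[str]        # alert category, if present
    events: Tuple[str, ...]     # up to three event categories

    def levels(self) -> Tuple[str, ...]:
        """All present levels, top to bottom."""
        head = (self.nic,) if self.alert is None else (self.nic, self.alert)
        return head + self.events


def parse_category(text: str) -> MessageCategory:
    """Split 'NIC.Alert.Event1.Event2.Event3' into its levels and validate."""
    parts = [p.strip() for p in text.split(".")]
    if any(not p for p in parts):
        raise ValueError(f"empty level in category {text!r}")
    if parts[0] not in NIC_CATEGORIES:
        raise ValueError(f"unknown NIC category {parts[0]!r}")
    if len(parts) > 2 + MAX_EVENT_LEVELS:
        raise ValueError(f"more than five levels in category {text!r}")
    alert = parts[1] if len(parts) > 1 else None
    return MessageCategory(parts[0], alert, tuple(parts[2:]))


def is_valid_category(text: str) -> bool:
    """True when the string parses as a well-formed category."""
    try:
        parse_category(text)
        return True
    except ValueError:
        return False


def category_matches(configured: str, observed: str) -> bool:
    """True when `observed` falls under `configured`: an alert set up on
    'Attacks.Malicious Code' also covers 'Attacks.Malicious Code.Worm'."""
    want = parse_category(configured).levels()
    have = parse_category(observed).levels()
    return have[:len(want)] == want


# Constructed sample events (message ID, category). The TELNET and
# Malicious Code/Worm categories come from the guide; the IDs and the
# other two categories are invented for this example.
SAMPLE_EVENTS = [
    (1001, "Attacks.Access.Informational.Network Based.TELNET"),
    (1002, "Attacks.Malicious Code.Worm"),
    (1003, "Reconnaissance.Port Scan"),
    (1004, "User.Logon.Success"),
]


def events_for_alert(configured: str, events=SAMPLE_EVENTS) -> List[int]:
    """IDs of the sample events that an alert on `configured` would cover."""
    return [mid for mid, cat in events if category_matches(configured, cat)]
```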

Event Storage

After enVision analyzes log messages, it stores the original log messages and their descriptive metadata in the IPDB.

This method of storage has several advantages over traditional relational databases. The IPDB:

• Works efficiently with unstructured data without requiring preprocessing or data normalization.

• Optimizes retrieval based on event source, message category, event ID, and time received.

• Uses a write-once-read-many approach that ensures that after data is committed to the database, it can never be altered.

RSA enVision secures the data from tampering and protects it with access authentication. As a result, enVision provides a complete and verifiable repository of IT information that meets both current and future demands.

[Figure: a five-level message classification, written as Attacks.Access.Informational.Network Based.TELNET: the NIC category (Attacks), the alert category (Access), and three event categories (Informational, Network Based, TELNET).]


3 Vulnerability and Asset Management

IT assets (hosts, software systems, and other devices) have well-known vulnerabilities. RSA enVision uses this information about enterprise assets to minimize false positive alerts and to prioritize alerts. Vulnerability information also provides the contextual data that security analysts need to respond to incidents and to perform forensic analysis.

Both enVision and RSA enVision Event Explorer have vulnerability and asset browsers that enable security analysts to access this information quickly and efficiently.

Asset Data

RSA enVision maintains an Asset Database (ADB), containing information about the assets reported by one of the supported asset tracking tools (asset scanning devices).

RSA enVision supplements its own information about assets by importing data from third-party asset scanners and configuration management systems. For example, enVision imports data from the QualysGuard Security and Compliance Suite.

If one of these third-party scanners reports an asset that is not in the enVision ADB, enVision creates a new record for the asset and adds the available information, such as operating system, ports, and services.

Vulnerability Data

The enVision Vulnerability Knowledge Database (VDB) is an embedded repository of vulnerability information.

The VDB is derived from the National Vulnerability Database of the U.S. Department of Homeland Security. The National Vulnerability Database integrates all vulnerability data from publicly available resources. It contains detailed descriptions about each current vulnerability, such as its potential impact, the type of loss it can cause, and an indication of how an attack can result in a confidentiality breach.

[Figure: from the logs of Asset A and its records in the ADB, VDB, and IPDB, RSA enVision knows Asset A and its importance, knows Asset A's vulnerabilities and threats, and knows the events that signal an attack on Asset A.]


Vulnerability and asset management features enable enVision users to configure confidence level filtering on the detected set of vulnerabilities of each scanned asset. When enVision receives event information from a supported intrusion detection system (IDS) or intrusion prevention system (IPS), it applies the confidence level filter to respond appropriately to the received information.

Examples of supported IDS and IPS devices include Juniper Networks Intrusion Detection and Prevention Appliances and Cisco Intrusion Prevention Sensor. These systems continuously scan the network to detect such threats as outsiders gathering information about the assets.

RSA frequently updates vulnerability information, threat signatures, and support for vulnerability scanners. Customers can download these updates to the enVision VDB.


4 Incident Management

An incident is an event or set of events that warrants further investigation, such as a disk failure, an unexpected spike in network traffic, or the signature of a known threat. Because of the wealth of data that the RSA enVision platform automatically collects, it can be configured to recognize incidents and issue real-time alerts.

The alert is the beginning of the enVision incident-management process. RSA enVision provides for closed-loop incident management, from configuring alerts, through creating and assigning response tasks, to monitoring incident response and resolution.

Real-Time Alerts

RSA enVision generates real-time alerts in response to sets of circumstances that the administrator has specified. RSA enVision analyzes all incoming events, and issues an alert immediately when the specified conditions are met.

The alert is reported in the enVision GUI and can be directed to other destinations, such as e-mail, instant message, or a text file stored on the local system. An alert can also be configured to automatically generate an incident-response task.

Views

A view defines the devices, messages, correlated rules, and user-defined criteria for which enVision issues alerts. An enVision administrator creates views that specify the conditions—the event sources, events, user-defined criteria, and correlations among criteria—that are worthy of investigation.

One of the following conditions can generate an alert:

• A single event message, such as one reporting an asset malfunction

• A string within an event message, such as content that matches a configured list (referred to as a watchlist) of known spammers

• A specified combination of events within a given time frame, such as a series of logon attempts that suggest a possible denial-of-service attack

Within a view, an administrator can specify filters and thresholds, such as a percentage increase of activity above the baseline, to rate the severity of the events and focus on those of highest priority. Views can also use watchlists, which filter events by string, IP address, port, protocol, or regular expressions.

An administrator can also configure the view to send various alerts using specific protocols such as SNMP, e-mail, instant message, or text file. These configuration settings are called output actions. Another possible output action is the automatic generation of an incident-response task. Each view specifies the users who are permitted to monitor the alerts generated for that view.


Correlated Alerts

Views frequently include correlation rules for alerts. A correlation rule specifies a set of events within a time period and a set of conditions that will generate an alert. The correlation rule includes a message ID and message text for the alert.

For example, the following figure illustrates the logic of a correlation rule for recognizing a threat.

When the correlation rule criteria are met, enVision generates the alert message defined in the view and sends it to the specified destination.

RSA enVision provides a wide range of correlation rules that detect incidents and reduce or eliminate the risk of exposure. The enVision administrator can enhance or modify these rules to suit the environment. The set of predefined rules is continually updated and available for download from RSA.

[Figure: a correlation rule combines a defined set of events (Cisco PIX Firewall 106001, 106010, 106012, 106015, 106016, 307001 and Check Point Firewall-1 050010) with defined thresholds, filters, and conditions over a specified time period.]
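The following Python is an added example (not RSA's implementation) of the correlation logic the figure describes: a defined set of Cisco PIX message IDs, a threshold, and a time period, evaluated per event source over constructed syslog lines. The line layout, host names, addresses, and the rule parameters (five events within 60 seconds) are assumptions.

```python
"""Added example, not RSA's implementation: a correlation rule of the kind
the figure describes (a defined set of events, a threshold, a time period),
evaluated per event source over constructed Cisco PIX syslog lines.

Assumed: the line layout "<ISO timestamp> <host> %PIX-<sev>-<id>: <text>",
the host names and addresses, and the rule parameters (5 events in 60 s)."""
import re
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set

# The Cisco PIX message IDs grouped by the correlation rule in the figure.
PIX_RULE_EVENTS: Set[str] = {"106001", "106010", "106012", "106015", "106016", "307001"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %PIX-\d-(?P<msgid>\d{6}): (?P<text>.*)$")


@dataclass
class CorrelationRule:
    alert_id: str            # message ID carried by the alert
    alert_text: str          # message text carried by the alert
    event_ids: Set[str]      # defined set of events
    threshold: int           # defined threshold within the time period
    window: timedelta        # specified time period
    _recent: Dict[str, Deque[datetime]] = field(default_factory=dict)

    def feed(self, line: str) -> Optional[str]:
        """Return the alert message if this line completes the rule, else None."""
        m = LINE_RE.match(line)
        if m is None or m["msgid"] not in self.event_ids:
            return None                      # not one of the defined events
        ts = datetime.fromisoformat(m["ts"])
        recent = self._recent.setdefault(m["host"], deque())
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # fell out of the time period
        if len(recent) >= self.threshold:
            recent.clear()                   # one alert per burst, then recount
            return f"{self.alert_id}: {self.alert_text} (event source {m['host']})"
        return None


def run_rule(lines: List[str], rule: CorrelationRule) -> List[str]:
    """Feed every line through the rule and collect the alerts it raises."""
    alerts = []
    for line in lines:
        alert = rule.feed(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: five rule events from pix1 inside one minute, one
# unrelated translation message, one event from pix2, and a late straggler.
SAMPLE_LINES = [
    "2010-01-15T10:00:01 pix1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4432 to 192.0.2.10/23 flags SYN",
    "2010-01-15T10:00:05 pix1 %PIX-3-106010: Deny inbound tcp src outside:198.51.100.7/4433 dst inside:192.0.2.10/23",
    "2010-01-15T10:00:09 pix1 %PIX-6-305011: Built dynamic TCP translation from inside:192.0.2.5/1025 to outside:203.0.113.9/1025",
    "2010-01-15T10:00:12 pix1 %PIX-3-106015: Deny TCP (no connection) from 198.51.100.7/4434 to 192.0.2.10/23 flags RST",
    "2010-01-15T10:00:20 pix2 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/5000 to 192.0.2.11/22 flags SYN",
    "2010-01-15T10:00:31 pix1 %PIX-2-106016: Deny IP spoof from (198.51.100.7) to 192.0.2.10 on interface outside",
    "2010-01-15T10:00:44 pix1 %PIX-6-307001: Denied Telnet login session from 198.51.100.7 on interface outside",
    "2010-01-15T10:02:30 pix1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4440 to 192.0.2.10/23 flags SYN",
]


def detect_sample() -> List[str]:
    """Run the figure's rule, with assumed parameters, over the sample lines."""
    rule = CorrelationRule("CORR-001", "Repeated PIX deny events",
                           PIX_RULE_EVENTS, 5, timedelta(seconds=60))
    return run_rule(SAMPLE_LINES, rule)
```

Only pix1 reaches the threshold: its fifth matching event arrives 43 seconds after the first, while the pix2 event and the later pix1 straggler stay below it.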


Monitoring Alerts by Using Views

Administrators, and users with the appropriate permissions, can monitor alerts in the enVision GUI and in the destination specified in the associated view.

For example, the following figure shows how the enVision GUI displays the number and severity of alerts, by NIC category, above the established baseline. From this window, administrators and users can drill down to display the particular alerts that have occurred and drill down further for information on the messages that triggered an alert.

RSA enVision can also generate summary reports of alerts, such as recent alerts, alerts by category, and alert trends.

[Figure: the alerts window, showing alert levels by NIC category, alert levels by severity, and alert details.]


Incident-Response Tasks

RSA enVision can group events into tasks for the purpose of investigation, and assign the tasks to analysts (or to an intermediate dispatcher) for response. Analysts display and work with the tasks in RSA enVision Event Explorer. Managers and administrators can monitor the analysts’ progress in the enVision GUI.

Monitoring Alerts by Creating Tasks

In enVision, the administrator can specify the creation of a task based on a correlated alert. When the alert fires, enVision creates the task and sends it to Event Explorer for resolution or to an external application, such as a third-party ticketing system.

Managing Tasks in RSA enVision Event Explorer

When enVision forwards tasks to Event Explorer, Event Explorer displays a list of tasks and the details of individual tasks.

Depending on the Event Explorer user’s permissions (as set by the enVision administrator), the user assigned to a task can acknowledge the task, view and edit task data, assign the task to another analyst, and close or delete the task. The user can also escalate the task to an external application, such as a ticketing system. The external application can update tasks and send the updates back to Event Explorer.

Multiple users can access the same task from different Event Explorer clients. Event Explorer displays a warning message if different users attempt to make conflicting changes to the task.

[Figure: the task life cycle. Create produces a new task; Acknowledge opens it. An open task can be escalated to an external application (ticketing system), which sends updates back to the task. A task can be closed or deleted from any state, and a closed task can be reopened.]


Monitoring Tasks

Administrators can monitor the status of tasks in the enVision GUI, as illustrated in the following figure.

Administrators can also generate summary reports of tasks, showing such productivity metrics as departmental workload, open tasks, and time to closure.

Forensic Analysis

Many enVision features rely on real-time alerts and other dynamic information to help resolve incidents in progress. Sometimes analysts need to drill into historical (static) data to research some event that happened in the past. Research using static data is called forensic analysis.

Forensic analysis can help determine a sequence of events leading to a given state of a network asset. Forensic analysis can be used when an asset fails, is attacked, or is otherwise compromised.


The following figure illustrates how events stored in the enVision IPDB can indicate suspicious activity on an event source, in this case a laptop containing sensitive data.

Event Explorer is the primary interface used for both real-time and historical data mining. Event Explorer is a client application that analysts use with enVision to retrieve and examine event data. The user must have an enVision account to use Event Explorer.

Event log analysis involves logging on to the relevant Application Server and creating an event trace to retrieve specific messages. The event trace wizard (a tool within Event Explorer) assists users in setting up and managing an event trace.

An event trace specifies the messages, the event sources that generated the messages, and the time frame in which the messages were received by enVision. Users can limit the data retrieved by filtering for specific message content. Event traces display returned data in tables and charts:

• Standard tables and charts enable data selection without requiring users to know how to use the SQL commands that Event Explorer uses internally.

• Advanced tables and charts require users to enter SQL statements to define how the data is displayed, providing more control over data selection and display.


The following figure shows a standard table trace view.

RSA enVision can also display data as an area, bar, stacking bar, line, plot, or pie chart. The following figure shows a standard chart trace view.

The data displayed in tables and charts derives from actual or aggregated logs (events) and can provide a trail of events causing an asset compromise or failure.


5 Reports and Queries

Reports and queries offer complementary methods to summarize information about the event sources monitored by RSA enVision.

Reports

Reports provide convenient summaries of incidents and security-related statistics for defined time periods. Reports support incident handling, workflow process management, and auditing needs by providing essential statistics in graphs or tables.

RSA enVision provides over 1200 standard reports that gather common network security and traffic analysis statistics into tables and graphs. Administrators can copy and modify these reports or create custom reports to meet specific reporting needs.

Administrators and users with the appropriate permissions can create, manage, and run both scheduled and ad hoc reports. Optionally, a report can run once on a specified day or run repeatedly at specified times.

RSA enVision can e-mail generated reports to departments and people who need them such as IT, human resources, the CIO office, compliance officers, and managers.

RSA enVision provides reports for security, host, network, storage, and other devices.

RSA enVision also provides a number of report packages to satisfy compliance needs such as Sarbanes-Oxley Act (SOX) and Health Insurance Portability and Accountability Act (HIPAA).


An enVision report consists of a single graph or a single table. For some purposes, a user may need more data than can be included in a single graph or table. RSA enVision can group multiple reports together so they run at the same time.

The following figure shows examples of a graphical report and a tabular report.

Queries

Queries are similar to reports except that queries are ad hoc only. They generally execute faster, as they are intended to deal with smaller amounts of data than reports. A query returns only tabular data. Analysts might use queries in forensic analysis, for example to drill quickly into an alert or other condition discovered in RSA enVision Event Explorer or to audit some past event.

Queries help users and administrators retrieve and examine any data collected by enVision. Query results can be based on IP addresses, dates and times, event message types, and other criteria. Users can generate a query in response to an alert condition appearing in Event Explorer.

Queries use SQL syntax to construct statements for accessing database tables for conditions and events including:

• General traffic flows and events that were allowed

• Accesses that were denied or prevented from happening based on policy

• Status and health parameters

• URL information indicating where users have visited

(Figure: Graphical Report; Tabular Report)


Users can compose simple or complex queries:

• A simple query is a single logical statement (a single row in the Edit query table).

• A complex query consists of multiple statements (multiple rows in the Edit query table) logically joined using AND or OR. Multiple statements can narrow a query or extract a more accurate set of results for given criteria.
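The following example, added here and not part of the enVision product or this guide, models the simple-versus-complex query distinction just described: each row of the Edit query table is a statement, and rows are joined with AND or OR. The event fields, the operator set, and the left-to-right evaluation of joins are assumptions; the events are constructed sample data.

```python
"""Simple and complex queries over event data (added example, not enVision code).
One statement per row; rows joined with AND or OR, evaluated left to right
(assumption: enVision's actual join precedence is not stated in the guide)."""
from dataclasses import dataclass
import operator

# Constructed sample events carrying the criteria the guide lists:
# IP address, date and time, and event message type.
EVENTS = [
    {"time": "2009-03-01 08:00:00", "ip": "10.0.0.5", "type": "Access.Denied", "source": "fw1"},
    {"time": "2009-03-01 08:05:00", "ip": "10.0.0.5", "type": "Access.Allowed", "source": "fw1"},
    {"time": "2009-03-01 08:07:00", "ip": "10.0.0.9", "type": "Access.Denied", "source": "fw1"},
    {"time": "2009-03-02 09:00:00", "ip": "10.0.0.5", "type": "Status.Health", "source": "host3"},
]

# Assumed operator set; "YYYY-MM-DD HH:MM:SS" timestamps compare correctly as strings.
OPERATORS = {
    "=": operator.eq, "!=": operator.ne,
    ">=": operator.ge, "<=": operator.le,
    "contains": lambda actual, wanted: wanted in actual,
}

@dataclass(frozen=True)
class Row:
    """One row of the Edit query table: field, operator, value, and the join
    (AND/OR) linking it to the rows above it; the join is ignored on the first row."""
    field: str
    op: str
    value: str
    join: str = "AND"

    def matches(self, event):
        return OPERATORS[self.op](event.get(self.field, ""), self.value)

def run_query(rows, events=EVENTS):
    """Return the events matching the query: one row is a simple query,
    several rows form a complex query combined left to right."""
    hits = []
    for event in events:
        result = rows[0].matches(event)
        for row in rows[1:]:
            if row.join == "AND":
                result = result and row.matches(event)
            elif row.join == "OR":
                result = result or row.matches(event)
            else:
                raise ValueError(f"unknown join {row.join!r}")
        if result:
            hits.append(event)
    return hits
```

A second AND row narrows the denied-access results to one host, while an OR row widens them to include health events as well.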

The following figure shows the Create New Query window.

(Figure: Create New Query window, with the areas Edit query, Select device group, Select time range, and Run the query)


6 Compliance

Organizations often must comply with organizational security requirements or regulations imposed by state or federal government. RSA enVision helps meet compliance needs by monitoring and reporting on the following IT criteria used to show whether an organization is in compliance:

• Access control

• Configuration control

• Malicious software

• Policy enforcements

• User monitoring and management

• Environmental and transmissions security

RSA enVision helps organizations collect and maintain evidence of compliance in the form of reports on mandated systems. Compliance packages are sets of report templates that summarize the precise data needed by a regulatory body.

RSA enVision offers the following regulatory compliance packages:

• BASEL II—International Convergence of Capital Measurement and Capital Standards

• Bill 198—Ontario Securities Commission regulations

• FISMA—Federal Information Security Management Act

• GLBA—Gramm-Leach-Bliley Act

• HIPAA—Health Insurance Portability and Accountability Act

• ISO 27002—Best practice recommendations on information security management

• Memo 22—Protective monitoring of UK National Infrastructure Security systems

• NERC—North American Electric Reliability Council

• NISPOM—National Industrial Security Program Operating Manual

• PCI—Payment Card Industry Data Security Standard

• SOX—Sarbanes-Oxley Act

• SAS 70—Statement on Auditing Standards No. 70


7 Further Information and Assistance

RSA provides numerous sources of additional information and hands-on assistance with deploying and using the RSA enVision platform.

Help Systems

The primary source of usage and administrative information about enVision is the Help system. Both enVision and RSA enVision Event Explorer have embedded Help systems. You can also download and view the Help separately from the products.

Locate Embedded Help

To find Help within enVision:

Do one of the following:

• On the enVision navigation panel, select Overview > Best Practices > Product Usage > Help to view the Help Table of Contents.

• On any enVision window, click the question mark icon to view the Help topic that describes the current window.

The Help is displayed in a new window.

To find Help within Event Explorer:

On any Event Explorer page, click Help to view the Help Table of Contents.

The Help is displayed in a new window.

Download Stand-Alone Help

To download enVision Help:

1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online. (For registration information, see “Accessing RSA SecurCare Online” on page 33.)

2. Click Home > RSA enVision > Product Documentation > RSA enVision Platform 4.0 Documentation > RSA enVision 4.0 Online Help.

3. On the File Download pop-up window, click Save.

4. Specify the download destination, or accept the default. Click Save.

5. Unzip the downloaded Help files.

6. In the folder containing the unzipped Help files, click nic.htm to open the Help. The Table of Contents is displayed, with links to all the Help topics.


To download Event Explorer Help:

1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online. (For registration information, see “Accessing RSA SecurCare Online” on page 33.)

2. Click Home > RSA enVision > Product Documentation > Event Explorer 4.0 Documentation > Event Explorer Online Help Files.

3. On the File Download pop-up window, click Save.

4. Specify the download destination, or accept the default. Click Save.

5. Unzip the downloaded Help files.

6. In the folder containing the unzipped Help files, click Event_Explorer.htm to open the Help. (If prompted to accept ActiveX content, click Yes.) The Table of Contents is displayed, with links to all the Help topics.

Online Resources

The RSA web site and RSA SecurCare Online, an e-support system, provide a wealth of resources for RSA customers: technical information, solutions, and support.

RSA Web Site

On the enVision product pages on the RSA web site, www.rsa.com, you can find:

• Descriptions of enVision, including white papers, solution summaries, data sheets, and news releases

• A link to the RSA enVision Intelligence Community, an active online community of enVision users, at https://rsaenvision.lithium.com/nic/user_signon

• A link to RSA SecurCare Online at https://knowledge.rsasecurity.com

• A link to a list of event sources that enVision supports at http://rsa.com/rsasecured/results.aspx?program=116

RSA SecurCare Online

Within SecurCare Online, https://knowledge.rsasecurity.com, you can access:

• RSA enVision Service Pack Updates

• A list of supported event sources (devices) and their configuration guides

• RSA enVision Event Source Updates (including event sources, correlation rules, and reports)

• RSA enVision VAM & Signature Updates

• Sample watchlists

• Technical Knowledge Base (product issues and resolution)


• Product documentation for enVision and Event Explorer:

– RSA enVision Online Help

– RSA enVision Configuration Guide

– RSA enVision Hardware Guide

– RSA enVision Migration Guide

– RSA enVision Event Explorer Online Help

– RSA enVision Event Explorer Installation Guide

Accessing RSA SecurCare Online

RSA SecurCare Online is available to customers who have an RSA product covered under a maintenance contract. Register with SecurCare Online from the RSA web site by selecting Support > RSA SecurCare Online e-support system > Register for RSA SecurCare Online, or go to https://knowledge.rsasecurity.com/registration.asp.

Event Source, Report, Correlation Rule, and VAM Updates

RSA is continually adding and updating event source support, reports, correlation rules, and VAM data.

If you have an RSA maintenance contract, you will receive e-mail notification of these updates as soon as they become available. You can then log on to SecurCare Online and download the update packages. (The e-mail notification includes a link to SecurCare Online. For registration information, see the previous section, “Accessing RSA SecurCare Online.”)

Event Source Updates include files that enable the enVision Collectors to recognize additional event sources and to interpret their log messages. Updates also include files that enable the Collectors to interpret log messages that event source vendors have recently added.

Event Source Updates also contain new reports, as well as new correlation rules that you can add to enVision and use when configuring correlated alerts.

VAM & Signature Updates enable the enVision vulnerability and asset manager to recognize additional network assets and new vulnerabilities.


Assistance

As an enVision customer, you can get hands-on assistance in the form of technical support, training, professional services, or outsourcing to RSA partners:

Technical Support. Support is available via telephone and the RSA SecurCare Online e-support service. For instructions and telephone numbers, see RSA.com > Support > Contacting Support, or go to http://rsa.com/node.aspx?id=1068.

Training. RSA offers instruction in enVision administration and operations at customer sites and at RSA and EMC facilities worldwide. For courses available and information on registration, see RSA.com > Services > Training & Certification, or go to http://rsa.com/node.aspx?id=1258.

Professional Services. RSA Professional Services offers end-to-end Security Information and Event Management (SIEM) services, including strategy development, solution design, enVision deployment, and staff augmentation and assistance. RSA enVision is most effective when combined with supporting policies and procedures for incident handling. RSA Professional Services can help customers to leverage their investment in the product by building out a security operations program with enVision as the core technology. For more information, see RSA.com > Services or your sales representative, or go to http://rsa.com/node.aspx?id=1243.

RSA partners. RSA has business partners who specialize in SIEM using the RSA enVision platform. To explore outsourcing some or all of your organization’s SIEM activities and to identify a potential source of assistance, see RSA.com > Partners > Find a Business Partner, or go to http://www.rsasecurity.com/partners/partnerfinder.asp.
