SIEM enVision Security and Event Management

Page 1: SIEM enVision Security and Event Management

An Introduction to SIEM & RSA enVision (Security Information and Event Management)

January, 2011
Brian McLean, CISSP, Sr Technology Consultant, RSA

Page 2: SIEM enVision Security and Event Management

Changing Threats and More Demanding Regulations

(Diagram of an enterprise network with R&D, Data Center, Financial, Executive and DMZ zones, annotated with the pressures below.)

– External attacks
– Malicious insiders taking financial info
– Careless users leaking IP
– Costly audit requirements
– New Web 2.0 and P2P technologies
– Ever-changing business requirements

Page 3: SIEM enVision Security and Event Management

IT Staff Feels the Pressure

– Overwhelming to process raw log and event volume.
– Security team lacks visibility into the IT environment.
– Real-time security posture is difficult to understand.
– Compliance is costly and resource-intensive.

Page 4: SIEM enVision Security and Event Management

Issues and Needs

Issue: Security team cannot see into the IT environment.
Need: Non-intrusive log collection to access all event sources.

Issue: Overwhelming to process raw log and event volume.
Need: Complete information lifecycle management process.

Issue: Real-time security posture is difficult to understand.
Need: Real-time risk-based prioritization of events.

Issue: Compliance is time-consuming.
Need: Compliance reports in minutes, not weeks.

Page 5: SIEM enVision Security and Event Management

RSA enVision 3-in-1 SIEM Platform

– Simplifying Compliance: compliance reports for regulations and internal policy (auditing, reporting)
– Enhancing Security: real-time security alerting and analysis (forensics, alert / correlation)
– Optimizing IT & Network Operations: IT monitoring across the infrastructure (visibility, network baseline)

All three run on the RSA enVision Log Management platform with its purpose-built database (IPDB), which collects from servers, storage, applications / databases, security devices and network devices.

Page 6: SIEM enVision Security and Event Management

Simplifying Compliance: Robust Alerting & Reporting

– 1400+ reports included out of the box
– Easily customizable
– Grouped according to standards, e.g. National Laws (SOX, Basel II, JSOX), Industry Regulations (PCI), Best Practices & Standards (ISO 27002, ITIL)

Page 7: SIEM enVision Security and Event Management

Enhancing Security: Support the 3 key aspects of Security Operations

– Turn real-time events, e.g. threats, into actionable data
– Create a closed-loop incident handling process
– Report on the effectiveness of security management

"SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. This technology is used to filter incident information into data that can be acted on for the purposes of incident response and forensic analysis."

Mark Nicolette, Gartner

Page 8: SIEM enVision Security and Event Management

Optimizing IT & Network Operations: Identify anomalies, ease troubleshooting

(Screenshot of EMC Celerra storage events in enVision, showing System Shutdown and System Failure messages.)

Page 9: SIEM enVision Security and Event Management

Benefits

– Turns raw log data into actionable information
– Increases visibility into security, compliance and operational issues
– Saves time through compliance reporting
– Streamlines the security incident handling process
– Lowers operational costs

Page 10: SIEM enVision Security and Event Management

Why enVision?

Any Data, Any Scale
– Collection of any type of log data, real-time correlation, and best-in-breed scalability

Lowest TCO SIEM solution
– Appliance form factor, agentless architecture
– Flexible but simple customization

Most Complete Security Knowledge
– Comprehensive combination of event sources, correlation rules and reports
– Frequent updates to security knowledgebase
– Broad partner eco-system of strategic technology partners plus front-line security and compliance expertise

Proven Solution with a large and active install base
– Unparalleled installed base of more than 1600 production customers
– Active online customer "Intelligence Community" for shared best practices and knowledge

All from EMC/RSA
– Single strategic vendor with strong balance sheet
– Simplified IT operations, single point of contact, and global customer support
– Integration with RSA and EMC solutions (e.g. Access Manager, Authentication Manager, Voyence, Celerra, Symmetrix)

Page 11: SIEM enVision Security and Event Management

Simplifying Compliance

Page 12: SIEM enVision Security and Event Management

Compliance challenges

Historically, compliance processes involved dedicated resources performing multiple tasks, manually and repetitively:
– The process for data collection was long and laborious
– Valuable data was often missed or not included
– Analysis and reporting was expensive and slow, and involved multiple log collection and analysis tools

Companies struggle to keep pace with understanding and complying with relevant laws and regulations.

Page 13: SIEM enVision Security and Event Management

A multitude of Laws / Rules / Regulations to which an organization must comply…

PCI DSS, HIPAA, Internal Policy, GLBA, HSPD 12, CSB 1386, Country Privacy Laws, SOX, EU CDR, UK RIPA, FISMA, COCOM, Data Security Act, FACTA, EU Data Privacy Act, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, NISPOM, Partner Rules, ACSI 33, NIST 800, State Privacy Laws

Page 14: SIEM enVision Security and Event Management

Automated Analysis for Simplifying the Compliance Lifecycle

RSA enVision automatically sorts event log data into information categories required for adhering to compliance requirements:
– Access Control
– Configuration Control
– Malicious Code Detection
– User Monitoring and Management
– Policy Enforcement
– Environmental & Transmission Security

Page 15: SIEM enVision Security and Event Management

Event Taxonomy

– All 120,000+ distinct messages have been classified
– Hierarchical structure: 10 top level categories, 250 total categories
– Open, extensible architecture
  • Administrators can add their own messages and categories
  • Reports using these categories will automatically be updated as new devices and messages are added

Example: User Taxonomy Categories

User.Activity
User.Activity.Failed Logins
User.Activity.File Access
User.Activity.Known Bad Commands
User.Activity.Login
User.Activity.Login.Workstation Unlock
User.Activity.Logoff
User.Activity.Logoff.Workstation Lock
User.Activity.Normal Activity
User.Activity.Privileged Use.Denied
User.Activity.Privileged Use.Successful
User.Management
User.Management.Groups.Additions
User.Management.Groups.Deletions
User.Management.Groups.Modifications
User.Management.Groups.Modifications.User Added
User.Management.Groups.Modifications.User Removed
User.Management.Password.Expiration
User.Management.Password.Modification
User.Management.Password.Modification.Failed
User.Management.Permissions
User.Management.Users.Additions
User.Management.Users.Deletions
User.Management.Users.Disabled
User.Management.Users.Modifications
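The point of a dotted, hierarchical taxonomy is that a report written against "User.Management" keeps covering subcategories that are added later. The following Python is an added example written for this transcript, not RSA enVision code: it models a subset of the categories listed on this slide, maps constructed device message IDs onto them (the Windows event IDs are real, the "win:" and "unix:" device tags and the event stream are made up), and shows a roll-up report picking up a category an administrator registers afterwards.

```python
"""Hierarchical event taxonomy: classification and roll-up reporting.

Added example, not RSA code. Category names come from the slide; the
message-ID-to-category map, device tags and event stream are constructed.
"""
from collections import Counter

# Subset of the User.Activity / User.Management categories on the slide.
TAXONOMY = {
    "User.Activity",
    "User.Activity.Failed Logins",
    "User.Activity.Login",
    "User.Activity.Login.Workstation Unlock",
    "User.Activity.Logoff",
    "User.Activity.Privileged Use.Denied",
    "User.Activity.Privileged Use.Successful",
    "User.Management",
    "User.Management.Groups.Modifications.User Added",
    "User.Management.Groups.Modifications.User Removed",
    "User.Management.Password.Modification",
    "User.Management.Password.Modification.Failed",
    "User.Management.Users.Additions",
    "User.Management.Users.Disabled",
}

# Constructed device message -> category map (stands in for the vendor's
# classification of 120,000+ messages). Numbers are Windows security event IDs.
MESSAGE_MAP = {
    "win:4624": "User.Activity.Login",
    "win:4625": "User.Activity.Failed Logins",
    "win:4634": "User.Activity.Logoff",
    "win:4728": "User.Management.Groups.Modifications.User Added",
    "win:4729": "User.Management.Groups.Modifications.User Removed",
    "win:4723": "User.Management.Password.Modification",
    "win:4725": "User.Management.Users.Disabled",
    "unix:sudo-denied": "User.Activity.Privileged Use.Denied",
}


def ancestors(category):
    """Return the category and every parent: 'A.B.C' -> ['A.B.C', 'A.B', 'A']."""
    parts = category.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]


def classify(message_id):
    """Look up a device message's category; None means 'unclassified'."""
    return MESSAGE_MAP.get(message_id)


def is_under(category, report_category):
    """True if category equals report_category or sits beneath it."""
    return report_category in ancestors(category)


def report(message_ids, report_category):
    """Count classified events that fall under report_category (roll-up)."""
    counts = Counter()
    for mid in message_ids:
        cat = classify(mid)
        if cat is not None and is_under(cat, report_category):
            counts[cat] += 1
    return counts


def add_message(message_id, category):
    """Administrator extension point: register a new message and, if needed,
    a new category. Reports on parent categories pick it up without edits."""
    MESSAGE_MAP[message_id] = category
    TAXONOMY.update(ancestors(category))


# Constructed event stream of device message IDs as they would arrive.
# win:4740 (account locked out) is deliberately not classified yet.
SAMPLE_EVENTS = ["win:4624", "win:4625", "win:4625", "win:4728",
                 "win:4723", "unix:sudo-denied", "win:4725", "win:4740"]

if __name__ == "__main__":
    print(report(SAMPLE_EVENTS, "User.Management"))     # 3 events
    add_message("win:4740", "User.Management.Users.Locked Out")
    print(report(SAMPLE_EVENTS, "User.Management"))     # now 4 events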

Page 16: SIEM enVision Security and Event Management

RSA enVision and the Compliance Lifecycle

The information gathered by RSA enVision can be used to help an organization understand:
– If it is compliant with regulations and laws
– What it needs to do to become compliant
– To show / prove that it is compliant to auditors
– To provide evidence on compliance that can be used in a court of law

Page 17: SIEM enVision Security and Event Management

Enhancing Security Operations

Page 18: SIEM enVision Security and Event Management

Agenda

– Detecting High-Risk Incidents
– Streamlining the Incident Handling Process
– Measuring the Value of Security Operations

Page 19: SIEM enVision Security and Event Management

Real Time Incident Detection: Finding Incidents in a Mountain of Data

(Funnel diagram)
Billions of raw events
-> Thousands of security-relevant events
-> Correlated alerts
-> Dozens of high priority events
-> Incidents

Page 20: SIEM enVision Security and Event Management

Real Time Incident Detection

Comprehensive Log Data
– RSA enVision collects all log data from almost any third party device

Asset Context
– RSA enVision allows import of data about IT assets from asset management systems

What Do I Need to Detect?

Suspicious User Activity: Unusual authentication or access control issues, like multiple failed logons, or unauthorized system accesses

High Risk Vulnerabilities and Threats: Detect new high risk vulnerabilities on critical assets, or likely attacks on vulnerable hosts

Suspicious Network Activity: Unusual deviations in network behavior, or network activity that violates policy

Page 21: SIEM enVision Security and Event Management

Real Time Incident Detection

Correlation rules, filters and watchlists
– RSA enVision provides the ability to define correlation rules, filters and watchlists of dynamic information

Comprehensive correlation rules delivered out-of-the-box
– Example: CRL-00011 Several Failed Logins Followed By A Successful Login / Possible Successful Brute Force Attack Detected

Timely threat information
– RSA enVision provides regular updates of vulnerabilities, IDS signatures, event knowledge and correlation rules
– Detailed library of background information
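A rule like CRL-00011 is a sequence correlation: per source and user, count login failures inside a sliding time window and raise one alert when a success arrives while the count is at or above a threshold. The Python below is an added example for this transcript, not RSA code and not the vendor's implementation of CRL-00011; the key=value log format, host name, addresses, user names and the whole sample log are constructed, and the threshold and window are assumptions to be tuned per environment.

```python
"""Sequence correlation: several failed logins followed by a success.

Added example, not RSA code. Log format, hosts, users and thresholds are
constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 3            # failures needed before a success is suspicious
WINDOW = timedelta(minutes=5)    # failures older than this are forgotten

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Parse '<iso timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_text, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def correlate(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Run the rule over a time-ordered stream of log lines; return alerts."""
    recent_failures = defaultdict(deque)   # (src, user) -> failure timestamps
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev.get("action") != "login":
            continue                        # the rule only looks at logins
        key = (ev["src"], ev["user"])
        q = recent_failures[key]
        now = ev["ts"]
        while q and now - q[0] > window:    # slide the window forward
            q.popleft()
        if ev["result"] == "failure":
            q.append(now)
        elif ev["result"] == "success":
            if len(q) >= threshold:
                alerts.append({
                    "rule": "failed-logins-then-success",
                    "src": ev["src"], "user": ev["user"], "host": ev["host"],
                    "failures": len(q), "at": now,
                })
            q.clear()                       # a success ends the sequence
    return alerts


# Constructed sample log: jsmith trips the rule; bob has too few failures;
# carol's failures have aged out of the window by the time she succeeds.
SAMPLE_LOG = [
    "2011-01-12T09:00:01 host=vpn01 src=10.1.1.5 user=jsmith action=login result=failure",
    "2011-01-12T09:00:09 host=vpn01 src=10.1.1.5 user=jsmith action=login result=failure",
    "2011-01-12T09:00:15 host=vpn01 src=10.2.2.9 user=bob action=login result=failure",
    "2011-01-12T09:00:20 host=vpn01 src=10.1.1.5 user=jsmith action=login result=failure",
    "2011-01-12T09:00:31 host=vpn01 src=10.1.1.5 user=jsmith action=login result=failure",
    "2011-01-12T09:00:40 host=vpn01 src=10.2.2.9 user=bob action=login result=failure",
    "2011-01-12T09:00:44 host=vpn01 src=10.2.2.9 user=bob action=login result=success",
    "2011-01-12T09:01:02 host=vpn01 src=10.1.1.5 user=jsmith action=login result=success",
    "2011-01-12T09:02:00 host=vpn01 src=10.3.3.3 user=carol action=login result=failure",
    "2011-01-12T09:02:30 host=vpn01 src=10.3.3.3 user=carol action=login result=failure",
    "2011-01-12T09:03:00 host=vpn01 src=10.3.3.3 user=carol action=login result=failure",
    "2011-01-12T09:09:00 host=vpn01 src=10.3.3.3 user=carol action=login result=success",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Keying on (source, user) rather than user alone is a design choice: it keeps a single guessing source from being masked by the legitimate user logging in from elsewhere, at the cost of missing distributed attempts against one account, which would need a second rule keyed on user only.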

Page 22: SIEM enVision Security and Event Management

Use Case: Vulnerable Server Attacked

(Diagram: an Attacker launches an Attack against a server. Three sources each hold one piece of the picture.)
– IDS: knows it's being attacked
– VA Scanner: knows it's vulnerable
– Configuration Management Database: knows it's critical

RSA enVision correlates the three and knows a critical, vulnerable server is being attacked; it raises an Alert to the Analyst.
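The use case is asset-context enrichment: an IDS alert on its own is noise, but an IDS alert against a host that the vulnerability scanner says is exposed to that weakness and that the CMDB marks as critical is an incident. This Python is an added example for this transcript, not RSA code: it joins the three constructed feeds and assigns a priority. Host addresses, asset names, signature names and the CVE-EXAMPLE-* placeholders are made up; the weights are assumptions.

```python
"""Asset-context correlation: is the attacked host vulnerable and critical?

Added example, not RSA code. All feeds, identifiers and weights are
constructed for the example.
"""

PRIORITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed vulnerability-scanner feed: host -> set of open weaknesses.
VULN_SCAN = {
    "10.0.5.20": {"CVE-EXAMPLE-1", "CVE-EXAMPLE-2"},
    "10.0.5.21": {"CVE-EXAMPLE-3"},
}

# Constructed CMDB extract: host -> asset name and business criticality.
CMDB = {
    "10.0.5.20": {"name": "erp-db-01", "criticality": "critical"},
    "10.0.5.21": {"name": "test-web-03", "criticality": "low"},
}


def prioritize(ids_alert, vuln_scan=VULN_SCAN, cmdb=CMDB):
    """Combine an IDS alert with asset context; return a scored alert."""
    host = ids_alert["dst"]
    open_vulns = vuln_scan.get(host, set())
    asset = cmdb.get(host, {"name": host, "criticality": "unknown"})
    # Does the attack target a weakness the scanner says is actually present?
    exploitable = ids_alert.get("cve") in open_vulns
    score = 0
    reasons = ["IDS reports attack (%s)" % ids_alert["signature"]]
    if exploitable:
        score += 2
        reasons.append("VA scan shows host vulnerable to %s" % ids_alert["cve"])
    if asset["criticality"] == "critical":
        score += 2
        reasons.append("CMDB marks %s as critical" % asset["name"])
    elif asset["criticality"] == "unknown":
        score += 1                          # unmanaged host: nobody owns it
        reasons.append("host not in CMDB; treat as unmanaged")
    priority = PRIORITY_ORDER[min(score, len(PRIORITY_ORDER) - 1)]
    return {"host": host, "asset": asset["name"], "priority": priority,
            "score": score, "reasons": reasons}


# Constructed IDS alerts: same signature against a critical vulnerable host,
# a low-value host that is not vulnerable to it, and an unknown host.
SAMPLE_IDS_ALERTS = [
    {"dst": "10.0.5.20", "signature": "exploit-attempt", "cve": "CVE-EXAMPLE-1"},
    {"dst": "10.0.5.21", "signature": "exploit-attempt", "cve": "CVE-EXAMPLE-1"},
    {"dst": "10.0.9.9", "signature": "port-scan", "cve": None},
]

if __name__ == "__main__":
    for alert in SAMPLE_IDS_ALERTS:
        print(prioritize(alert))
```

The "unknown host" branch matters in practice: an IDS alert against something the CMDB has never heard of should not be dropped as low priority, because unmanaged assets are exactly the ones nobody is patching.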

Page 23: SIEM enVision Security and Event Management

Agenda

– Detecting High-Risk Incidents
– Streamlining the Incident Handling Process
– Measuring the Value of Security Operations

Page 24: SIEM enVision Security and Event Management

Monitoring and Management: Key Metrics & Dashboards

(Dashboard screenshots)
– Network Activity by Category
– IDS Top Threats
– Incident rate
– Most Vulnerable Assets by Severity

Page 25: SIEM enVision Security and Event Management

Summary Benefits

Reduced risk
– Highest priority issues identified
– Most vulnerable assets highlighted

Increased analyst productivity
– Streamlined incident management process

Improved management visibility
– Focus staff on highest risk areas

Fully auditable process for compliance reporting

Page 26: SIEM enVision Security and Event Management

Optimizing IT and Network Operations

Page 27: SIEM enVision Security and Event Management

How SIEM helps IT & Network Managers

The analysis of event logs from the network helps IT and Network Operations managers:
– Optimize network performance by identifying issues and faulty equipment
– Assist IT managers with Helpdesk Operations by:
  • helping reveal what is going on in the network
  • providing global views of all network activity
  • alerting them to network problems
  • automatically providing them with customised Dashboards of essential information
– Gain visibility into specific behavioral aspects of individuals or groups of users

Let's look at these in more detail…

Page 28: SIEM enVision Security and Event Management

Identifying Issues & Optimizing Network Performance

Performance management
– Log events contain information on utilization and error conditions
  • Example: Disk space running low, high bandwidth utilization

Fault management
– Use alerts to highlight potential network problems when deviations from standard baseline activity occur
– Integration with IT operations systems (e.g. EMC SMARTS) helps enable detection and response to faults
  • Example: Read/Write failures, power spikes, fan failure
– Generate alerts if observed activity stops on any important asset (device or application may be down)
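The last bullet is a heartbeat check on the log sources themselves: a device that suddenly goes quiet may be down, or may have had its logging disabled, and either way the SIEM is blind to it. The Python below is an added example for this transcript, not RSA code: it tracks the last event seen per device and, at check time, reports every inventoried device whose silence exceeds the gap considered normal for it. The device names, per-device intervals and event stream are constructed.

```python
"""Log-source heartbeat: alert when an important asset stops reporting.

Added example, not RSA code. Devices, intervals and events are constructed.
"""
from datetime import datetime, timedelta

# Constructed inventory: device -> longest gap between events considered
# normal for it. A chatty firewall and a quiet backup host differ by orders
# of magnitude, so one global threshold would either miss or cry wolf.
EXPECTED_INTERVAL = {
    "fw-edge-01": timedelta(minutes=1),
    "dc-01": timedelta(minutes=10),
    "backup-01": timedelta(hours=2),
}


def last_seen(events):
    """Reduce (timestamp, device) pairs to device -> most recent timestamp.
    Events may arrive out of order, so keep the maximum, not the last."""
    seen = {}
    for ts, device in events:
        if device not in seen or ts > seen[device]:
            seen[device] = ts
    return seen


def silent_devices(events, now, expected=EXPECTED_INTERVAL):
    """Return [(device, silence)] for inventoried devices that have exceeded
    their interval at time `now`. A device that never logged at all is
    reported with silence None, since it is the worst case, not a non-case."""
    seen = last_seen(events)
    silent = []
    for device, interval in expected.items():
        if device not in seen:
            silent.append((device, None))
            continue
        gap = now - seen[device]
        if gap > interval:
            silent.append((device, gap))
    return silent


# Constructed event stream: (timestamp, device), deliberately out of order.
SAMPLE_EVENTS = [
    (datetime(2011, 1, 12, 9, 0, 0), "fw-edge-01"),
    (datetime(2011, 1, 12, 9, 0, 30), "dc-01"),
    (datetime(2011, 1, 12, 9, 4, 50), "fw-edge-01"),
    (datetime(2011, 1, 12, 9, 3, 0), "dc-01"),
]
CHECK_TIME = datetime(2011, 1, 12, 9, 5, 0)

if __name__ == "__main__":
    print(silent_devices(SAMPLE_EVENTS, CHECK_TIME))
    print(silent_devices(SAMPLE_EVENTS, CHECK_TIME + timedelta(minutes=15)))
```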

Page 29: SIEM enVision Security and Event Management

Assisting Helpdesk Operations

RSA enVision provides helpdesk operations with a clearer view of what events are taking place in the network:
– That affect users
– That affect hardware / software
– That affect business systems

Example use cases include:
– Creating automated reports that provide activity reports on chosen assets
– Generating reports on activity relating to specific IP addresses
– Using Event Explorer to analyze historical data relating to incidents
– Alerting on detection of virus activity within the network

Page 30: SIEM enVision Security and Event Management

Assisting Helpdesk Operations to investigate user problems

The IT / Network manager can run a variety of reports, each focusing on a specific question that may need to be investigated.

Example Use Case:
– IT Operations in a multi-national organization spent 3 days trying to establish why an executive could not log onto the network
– User had logged off, changed his password, could not log back on
– Several IT staff looked at this problem for 3 days
– Eventually they ran a report on RSA enVision looking at all logs for the user globally over the past 6 months
– Within 15 minutes, established that the manager had travelled to Singapore, had logged onto the network but had NOT logged off
– IT support logged the user off the network in Singapore and the user could now log back onto the network with the new password!

Page 31: SIEM enVision Security and Event Management

Building more complex alerts: "Correlated Alerts"

Correlated Alerts enable IT & Operations staff to build more complex, customized alerts that fire only upon a sequence of activity occurring.

Enables IT & Operations staff to
– Focus only on important issues
– Rationalize resources
– Be creative in alerting

(Diagram: if "x" and "y" then fire alert. Generate an ALERT!)

Page 32: SIEM enVision Security and Event Management

Summary: How SIEM helps IT & Network Managers

Can be used to optimize network performance by identifying issues and faulty equipment
• Troubleshooting network problems

Assist IT managers with Helpdesk Operations by:
– helping reveal what is going on in the network
– providing global views of all network activity
– alerting them to network problems
– automatically providing them with customized Dashboards of essential information
– providing a tool for detailed forensic work

Gives IT & Network Operations visibility into specific behavioural aspects of individuals or groups of users

Page 33: SIEM enVision Security and Event Management

Page 34: SIEM enVision Security and Event Management

RSA enVision: Stand-alone Appliances to Distributed Solutions

(Sizing chart. Vertical axis EPS (events per second): 500, 1000, 2500, 5000, 7500, 10000, 30000, up to 300,000. Horizontal axis # DEVICES: 100, 200, 400, 750, 1250, 1500, 2048, up to 30,000. The ES Series label sits alongside the 7500 EPS mark and the LS Series label alongside the 30000 EPS mark.)

Page 35: SIEM enVision Security and Event Management

RSA enVision Deployment: Scales from a single appliance…

(Architecture diagram with three layers.)
– Analyze: Baseline Report, Forensics, Correlated Alerts, Realtime Analysis, Integrated Incident Mgmt., Interactive Query, Event Explorer
– Manage: Query, Manage, Analyze
– Collect: multiple collectors gathering from the device layer

RSA enVision Supported Devices (examples): Trend Micro Antivirus, Microsoft ISS, Juniper IDP, Cisco IPS, Netscreen Firewall, Windows Server, UDS, Legacy