An Introduction to enVision

abdomendebonair (Security)

2 Nov 2013 (3 years and 10 months ago)

An Introduction to enVision

Enterprise Platform for Security and Compliance Operations

Karol Piling
Consultant - Central & Eastern Europe
RSA, The Security Division of EMC

Introducing Information-centric Security

Secure data, secure access and security information management for customers, partners and employees:

secure enterprise data: Preserve the confidentiality and integrity of critical data wherever it resides

secure employee access: Enable secure, anytime, anywhere access to corporate resources

secure partner access: Open internal systems to trusted partners

secure customer access: Offer self-service channels, prevent fraud, and enhance consumer confidence

manage security information: Comply with security policy and regulations
RSA enVision: Market-Proven Leadership

Market Presence: Over 800 major enterprise and government accounts

Vision: Information Management Platform for transforming event, log, asset and other data into actionable related intelligence

Technology: Proven patent-pending Internet Protocol Database (IPDB); all the data for compliance and security success

Partners (over 130 device partners, across the Network, Security, Operating System, Application and Other categories): Cisco, Juniper, Nortel, Foundry, Symantec, ISS, McAfee, Check Point, RSA, Microsoft, Linux / Unix, Sun / HP, IBM AS400/Mainframe, MS Exchange, Oracle, MS SQL, Websense, Bluecoat, Apache, EMC

Accolades: "Leader, 3rd Year in a Row"; "Only vendor with all the data"; "Excellent"; "2005 Appliance bake-off winner"; "Leader"; "Largest Market Presence"

What is enVision?

enVision is a network-based technology platform that helps you see into, understand, protect data and assets, report on, and store records of what happened within the network and at its edges.

What is enVision? RSA enVision: Market-Proven Leadership

800+ customers across the Fortune 500, Healthcare, Energy & Utility and Financial Services, including 50% of the Fortune 10, 40% of top global banks and 30% of top US banks.

The Enterprise Today: Mountains of data, many stakeholders

How do you collect and protect all the data necessary to secure your network and comply with critical regulations?

Log sources: router logs, IDS/IDP logs, VPN logs, firewall logs, switch logs, Windows logs, client & file server logs, wireless access logs, Windows domain logins, Oracle Financial logs, SAN file access logs, VLAN access & control logs, DHCP logs, Linux, Unix and Windows OS logs, mainframe logs, database logs, web server activity logs, content management logs, web cache & proxy logs, VA scan logs

Stakeholder needs: unauthorized service detection, IP leakage, configuration control, lockdown enforcement, false positive reduction, access control enforcement, privileged user management, malicious code detection, spyware detection, real-time monitoring, troubleshooting, user monitoring, SLA monitoring

Growth of Enterprise Silos: Redundant Information Management

Separate silos, each managing its own information: access control software, financial software, firewalls, operating systems, workstations, antivirus software, intrusion prevention

Solution: RSA enVision, An Information Management Platform

Compliance Operations: access control, configuration control, malicious software, policy enforcements, user monitoring & management, environmental & transmission security

Security Operations: access control enforcement, SLA compliance monitoring, false positive reduction, real-time monitoring, unauthorized network service detection, more...

All the Data ...For Compliance & Security Operations

Log Management: any enterprise IP device; Universal Device Support (UDS); no filtering, normalizing, or data reduction; security events & operational information; no agents required

Stakeholders served: Server Engineering, Business Ops., Compliance Audit, Application & Database, Network Ops., Risk Mgmt., Security Ops., Desktop Ops.

Functions: Report, Alert/Correlation, Incident Mgmt., Log Mgmt., Asset Ident., Forensics, Baseline

Log Management with the LogSmart® Internet Protocol Database

LogSmart® Internet Protocol Database:
- No agents required
- Flexible XML UDS engine
- Raw logs (95%+ data compression); ~70% overall compression
- Security event & operations info; no data filtering
- Easy to deploy appliance packaging
- Parallel architecture ensures alert performance
- Customizable work environments
- Fully customizable compliance & security reports


RSA enVision and LogSmart IPDB: All the Data™ with Consistently High Performance

Limitations of a relational database for log data:
- Not designed for unstructured data (logs)
- Requires processing (filter, normalize, parse)
- Data explosion: indexes and related data-structure information are added (can result in up to 10x the data)
- Data loss: events are lost due to selective collection or system bottlenecks
- Unpredictable consumption: a collection bottleneck impacts use of the data (e.g. alerts)

LogSmart IPDB: encrypted, compressed, authenticated, parallel analysis

RSA enVision: The LogSmart® IPDB Advantage
RSA enVision Deployment: Scales from a single appliance...

[Diagram: one appliance collecting from supported devices (Trend Micro Antivirus, Microsoft, ISS, Juniper IDP, Cisco IPS, Netscreen Firewall, Windows Server, legacy devices via UDS) and providing Correlated Alerts, Realtime Analysis, Baseline, Report, Forensics, Manage, Integrated Incident Mgmt., Analyze, Event Explorer and Interactive Query]

RSA enVision Deployment: ...to a distributed, enterprise-wide architecture

Legend: A-SRV = Analysis Server; D-SRV = Data Server; LC = Local Collector; RC = Remote Collector

[Diagram: sites shown are Bombay (Remote Office), Chicago (WW Security Operations), London (European Headquarters) and New York (WW Compliance Operations), with LC, D-SRV, A-SRV and NAS components placed at the operations sites]

Security and Compliance Solutions: RSA enVision Protects the Enterprise

eCommerce Operations: secure operations of all systems and data associated with eCommerce operations

Internal Systems & Applications: secure operations of all systems and data associated with internal network services and applications

Perimeter Network Operations: securely connect the enterprise to the Internet and other required corporate entities

RSA enVision: A Framework for Security Operations

Security objectives mapped against the three security environments (Perimeter Network Operations, eCommerce Operations, Internal Systems & Applications); the slide rates each cell Most critical, Highly desired or Desired:

- Access Control Enforcement: privileged user monitoring; corporate policy conformance
- Real-time Monitoring: troubleshoot network & security events; "What is happening?"
- False Positive Reduction: confirm IDS alerts; enable critical alert escalation
- Correlated Threat Detection: watch remote network areas; consolidate distributed IDS alerts
- Watchlist Enforcement: external threat exposure; internal investigations
- Unauthorized Network Service Detection: shut down rogue services; intellectual property leakage
- SLA Compliance Monitoring: proof of delivery; monitor against baselines

Product Capabilities: Log Management, Asset Identification, Baseline, Report & Audit, Alert, Forensic Analysis, Incident Management

Correlation Example


Worm Detection

Correlation Rule Name: W32.Blaster Worm


The goal of this rule is to detect Blaster worm variants as well as other
malicious code by analyzing network traffic patterns.
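The slide states only the rule's goal, so here is a worked correlation of the kind it implies, added as an illustration and not enVision's rule syntax or output. It runs over constructed firewall log lines (the field layout, addresses and thresholds are assumptions) and looks for the Blaster traffic pattern: one host sweeping many targets on TCP 135, the RPC/DCOM port exploited via MS03-026, then the TCP 4444 shell and the victim's TFTP fetch of the worm on UDP 69.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall records in an assumed layout:
# "<timestamp> <device> <action> <proto> <src> -> <dst>:<dport>"
SAMPLE_LOG = """\
2007-03-01T10:00:01 fw1 accept tcp 10.1.1.5 -> 10.1.2.10:135
2007-03-01T10:00:01 fw1 deny   tcp 10.1.1.5 -> 10.1.2.11:135
2007-03-01T10:00:02 fw1 deny   tcp 10.1.1.5 -> 10.1.2.12:135
2007-03-01T10:00:02 fw1 deny   tcp 10.1.1.5 -> 10.1.2.13:135
2007-03-01T10:00:03 fw1 deny   tcp 10.1.1.5 -> 10.1.2.14:135
2007-03-01T10:00:03 fw1 accept tcp 10.1.1.5 -> 10.1.2.10:4444
2007-03-01T10:00:04 fw1 accept udp 10.1.2.10 -> 10.1.1.5:69
2007-03-01T10:00:05 fw1 accept tcp 10.1.1.7 -> 10.1.3.1:135
2007-03-01T10:00:06 fw1 accept tcp 10.1.1.7 -> 10.1.3.2:135
2007-03-01T10:05:00 fw1 accept tcp 10.1.1.9 -> 10.1.4.1:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>\w+)\s+(?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Yield one dict per record that matches the assumed layout.

    Non-matching lines are skipped by the correlation only; a store that
    keeps raw logs would still retain them for forensics.
    """
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rec["dport"] = int(rec["dport"])
            yield rec


def detect_blaster(events, min_targets=5, window=timedelta(seconds=60)):
    """Flag sources that reach TCP/135 on >= min_targets distinct hosts
    inside a sliding time window (Blaster-style RPC/DCOM sweep).

    A TCP/4444 connection from the same source, or a TFTP (UDP/69) request
    arriving at it from a victim, raises the verdict from 'scan' to
    'likely_infection'. Returns {source_ip: finding}.
    """
    sweeps = defaultdict(list)      # src -> [(ts, dst)] for TCP/135
    followups = defaultdict(set)    # src -> later stages observed
    for ev in events:
        if ev["proto"] == "tcp" and ev["dport"] == 135:
            sweeps[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["proto"] == "tcp" and ev["dport"] == 4444:
            followups[ev["src"]].add("tcp/4444")
        elif ev["proto"] == "udp" and ev["dport"] == 69:
            # the victim fetches msblast.exe from the attacker, so the
            # TFTP server side (the destination) is the host to credit
            followups[ev["dst"]].add("udp/69")

    findings = {}
    for src, hits in sweeps.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                stages = sorted(followups.get(src, ()))
                findings[src] = {
                    "targets": len(targets),
                    "first_seen": t0.isoformat(),
                    "followup": stages,
                    "verdict": "likely_infection" if stages else "scan",
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_blaster(parse(SAMPLE_LOG.splitlines())).items():
        print(src, finding)
```

Thresholds are the analyst's knob: with the sample data 10.1.1.5 is the only host that clears five targets, while 10.1.1.7 (two targets, no follow-on stages) only surfaces if `min_targets` is lowered, which is exactly the trade-off a false-positive-reduction rule tunes.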

Vulnerability and Asset Management (VAM)

Customer objective: Leverage information about enterprise assets and known vulnerabilities to identify false-positive IDS messages and to provide context on assets and vulnerabilities.

VAM will help reduce the costs associated with incident handling by providing analysts direct insight into the state of an asset (e.g. detected vulnerabilities) and into the details of the identified vulnerability.

Features:
- Enhanced collection of asset data from vulnerability assessment tools.
- VA tools supported at 3.5.0 are ISS and Nessus.
- NEW VA tools supported in 3.7: McAfee Foundscan, nCircle IP360, Qualys Inc. QualysGuard.
- Incorporation of vulnerability data from NVD, periodically updated.
- Display of asset and vulnerability data in the web UI and EE (Event Explorer).
- Suppression of IDS messages in alerting, based on confidence levels determined from attributes of assets and vulnerabilities.
- IDS products supported at 3.5.0 are Dragon, ISS, and Snort.
- IDS products supported at 3.7 are: ISS Real Secure, Cisco IDS, McAfee Intrushield, Juniper IDP [Netscreen], 3COM/Tipping Point Unity One.

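The suppression feature above is described only as "confidence levels determined from attributes of assets and vulnerabilities". The following is an added example of that logic, not VAM's schema or thresholds: a constructed asset inventory (as a VA scanner import would populate it) is joined to IDS alerts by target address, and each alert is rated from what the last scan proved about the target. CVE-2003-0352 is the RPC/DCOM flaw (MS03-026) behind Blaster; the signature names and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    """One scanned host as a VA import would describe it (constructed)."""
    ip: str
    os: str                                         # OS family from the scanner
    open_ports: Set[int] = field(default_factory=set)
    vulns: Set[str] = field(default_factory=set)    # CVE ids from the last scan


@dataclass
class Alert:
    """A raw IDS message reduced to the fields the scoring needs."""
    sensor: str
    signature: str
    dst: str
    dport: int
    cve: Optional[str] = None         # CVE the signature maps to, if any
    target_os: Optional[str] = None   # OS family the signature applies to


# Constructed inventory; 10.1.2.20 is the same platform but already patched
INVENTORY: Dict[str, Asset] = {
    "10.1.2.10": Asset("10.1.2.10", "windows", {135, 139, 445}, {"CVE-2003-0352"}),
    "10.1.2.20": Asset("10.1.2.20", "windows", {135, 445}),
    "10.1.2.30": Asset("10.1.2.30", "linux", {22, 80}),
}

SUPPRESSED_LEVELS = {"low"}


def confidence(alert: Alert, inventory: Dict[str, Asset]) -> str:
    """Rate an alert from what the last scan said about its target.

    'unknown' - target never scanned: keep the alert, there is no evidence
    'low'     - signature cannot apply (OS mismatch) or service not exposed
    'medium'  - service exposed but the vulnerability was not found
    'high'    - scanner confirmed the very CVE the signature fires on
    """
    asset = inventory.get(alert.dst)
    if asset is None:
        return "unknown"
    if alert.target_os and asset.os != alert.target_os:
        return "low"
    if alert.cve and alert.cve in asset.vulns:
        return "high"
    if alert.dport in asset.open_ports:
        return "medium"
    return "low"


def triage(alerts: List[Alert], inventory: Dict[str, Asset]
           ) -> Tuple[List[Tuple[Alert, str]], List[Tuple[Alert, str]]]:
    """Split alerts into (kept, suppressed). Only 'low' is suppressed; an
    unscanned target is never silenced, so inventory gaps stay visible."""
    kept, suppressed = [], []
    for alert in alerts:
        level = confidence(alert, inventory)
        (suppressed if level in SUPPRESSED_LEVELS else kept).append((alert, level))
    return kept, suppressed


# Constructed alerts: one RPC/DCOM signature against four targets, plus an
# IIS signature fired at a Linux web server
SAMPLE_ALERTS = [
    Alert("snort1", "NETBIOS DCERPC ISystemActivator bind attempt", "10.1.2.10", 135,
          cve="CVE-2003-0352", target_os="windows"),
    Alert("snort1", "NETBIOS DCERPC ISystemActivator bind attempt", "10.1.2.20", 135,
          cve="CVE-2003-0352", target_os="windows"),
    Alert("snort1", "NETBIOS DCERPC ISystemActivator bind attempt", "10.1.2.30", 135,
          cve="CVE-2003-0352", target_os="windows"),
    Alert("snort1", "NETBIOS DCERPC ISystemActivator bind attempt", "10.1.2.99", 135,
          cve="CVE-2003-0352", target_os="windows"),
    Alert("snort1", "WEB-IIS cmd.exe access", "10.1.2.30", 80, target_os="windows"),
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_ALERTS, INVENTORY)
    for alert, level in kept:
        print("KEEP    ", level.ljust(7), alert.dst, alert.signature)
    for alert, level in suppressed:
        print("SUPPRESS", level.ljust(7), alert.dst, alert.signature)
```

The design point worth keeping from this: suppression is only as trustworthy as the scan it rests on, so an alert against a host the scanner has never seen is rated "unknown" and kept, and the "medium" tier exists because an open port with no confirmed CVE may simply be a service the scanner could not fingerprint.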

"Companies that choose individual solutions for each regulatory challenge they face will spend 10 times more on compliance projects than those that take a proactive approach."

Lane Leskela, Gartner Research Director

RSA enVision: A Platform for Compliance Operations

Frameworks: ISO, NIST, COBIT, COSO, ITIL

RSA enVision: over 800 reports for regulatory compliance & security operations; dashboards

RSA enVision: Transformation of Data into Actionable Intelligence


Information Lifecycle Management (ILM)

Regulation       | Data Retention Requirements            | Penalties
Sarbanes-Oxley   | 5 years                                | Fines to $5M; imprisonment to 10 years
PCI              | Corporate policy                       | Fines; loss of credit card privileges
GLBA             | 6 years                                | Fines
Basel II         | 7 years                                | Fines
HIPAA            | 6 years; 2 years after patient death   | $25,000
NERC             | 3 years                                | TBD
FISMA            | 3 years                                | Fines
NISPOM           | 6 months to 1 year                     | Fines

Source: Enterprise Strategy Group, 2006

Challenge: Explosive Growth of Security Data, Extensive Data Retention Requirements

Security Information Lifecycle Management: The Lifecycle of Security Log Data

Capture -> Compress -> Secure -> Store Online (up to 1 year) -> Retain in Nearline (per retention policy) -> Retire

The user defines log retention policies; RSA enVision automatically enforces them.

RSA enVision ILM: Maximized Data Value at Lowest Infrastructure Cost
- Online policy (1 year): EMC Celerra
- ILM retention policy: EMC Centera
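The IPDB slide earlier claims raw logs that are compressed and authenticated, and the lifecycle above moves each batch from online to nearline to retirement by age. The block below is an added illustration of both properties together, written for this page and not the product's on-disk format: a batch of constructed syslog lines is compressed unchanged, bound to its capture metadata with an HMAC so that neither the timestamp nor the content can be altered without the key, verified before it is read back, and staged by the assumed policy values (one year online, seven years total retention, as for the Basel II row). The key, file layout and policy are assumptions; encryption at rest is left to the storage layer here.

```python
import hashlib
import hmac
import json
import zlib
from datetime import datetime, timedelta

# Assumption: in a real deployment the key lives in a protected key store and
# is never kept beside the batches it authenticates.
HMAC_KEY = b"example-only-key-do-not-reuse"

# Assumed policy from the slides: online up to one year, then nearline until
# the retention period (7 years here) expires, then retire.
POLICY = {"online": timedelta(days=365), "retain": timedelta(days=7 * 365)}

# Constructed raw syslog lines; stored exactly as received, no normalizing
SAMPLE_LINES = [
    "<34>Mar  1 10:00:01 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=10.1.2.11 PROTO=TCP DPT=135",
    "<34>Mar  1 10:00:02 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=10.1.2.12 PROTO=TCP DPT=135",
    "<86>Mar  1 10:00:03 dc1 sshd[4121]: Accepted publickey for ops from 10.1.1.20 port 50122",
]
CAPTURED_AT = datetime(2007, 3, 1, 10, 0, 0)   # constructed capture time


def seal_batch(raw_lines, captured_at, key=HMAC_KEY):
    """Compress the raw text unchanged and bind it to its metadata.

    The HMAC covers header and compressed body together, so the capture
    time, line count, digest and content are all tamper-evident.
    """
    raw = "\n".join(raw_lines).encode()
    body = zlib.compress(raw, 9)
    header = json.dumps(
        {"captured_at": captured_at.isoformat(), "lines": len(raw_lines),
         "sha256": hashlib.sha256(raw).hexdigest()},
        sort_keys=True).encode()
    tag = hmac.new(key, header + body, hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "tag": tag}


def open_batch(batch, key=HMAC_KEY):
    """Verify before decompressing anything; return the original lines."""
    expected = hmac.new(key, batch["header"] + batch["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, batch["tag"]):
        raise ValueError("batch failed authentication")
    raw = zlib.decompress(batch["body"])
    if hashlib.sha256(raw).hexdigest() != json.loads(batch["header"])["sha256"]:
        raise ValueError("content digest does not match header")
    return raw.decode().split("\n")


def stage_for(batch, now, policy=POLICY):
    """Tier a batch belongs in at time `now`: 'online', 'nearline' or 'retire'."""
    captured = datetime.fromisoformat(json.loads(batch["header"])["captured_at"])
    age = now - captured
    if age <= policy["online"]:
        return "online"
    if age <= policy["retain"]:
        return "nearline"
    return "retire"


def compression_ratio(batch):
    """Stored bytes as a fraction of the raw size (lower is better)."""
    raw_len = len("\n".join(open_batch(batch)).encode())
    return len(batch["body"]) / raw_len


def demo():
    """Seal the sample, check round trip, staging and tamper detection."""
    batch = seal_batch(SAMPLE_LINES, CAPTURED_AT)
    tampered = dict(batch)
    last = batch["body"][-1]
    tampered["body"] = batch["body"][:-1] + bytes([last ^ 0x01])
    try:
        open_batch(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip": open_batch(batch) == SAMPLE_LINES,
        "ratio": compression_ratio(batch),
        "stages": {days: stage_for(batch, CAPTURED_AT + timedelta(days=days))
                   for days in (30, 400, 3000)},
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter for a log store that has to stand up in an audit: the tag is checked with a constant-time comparison before any decompression happens, so a corrupted or forged batch is rejected rather than half-processed, and the capture time is inside the authenticated header, so a batch cannot be made to look younger or older than it is to dodge the retention policy.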

Supported Protocols

> Syslog, Syslog NG
> SNMP
> Formatted log files
> Comma/tab/space delimited, other
> ODBC connection to remote databases
> Push/pull XML files via HTTP
> Windows event logging API
> CheckPoint OPSEC interface
> Cisco IDS POP/RDEP/SDEE


RSA enVision: Stand-alone Appliances to Distributed Solutions

[Chart: appliance sizing. Vertical axis EPS (events per second): 500, 1,000, 2,500, 5,000, 10,000, 30,000. Horizontal axis number of devices: 100, 200, 400, 750, 1,250, 1,500, 2,048, 7,500, 30,000, 300,000. ES Series and LS Series appliance ranges are plotted.]
Industry Leading Scalability

Customer examples (rows paired by their order on the slide; organization types shown were MSSP and INTERNAL):

Locations | Devices | Driver                                                                                       | Events/sec | Events/day | Per year
34        | 30,000  | Security: Configuration Control, Access Control Enforcement, Privileged User Monitoring     | 240K       | 20B        | 76.8T
18        | 20,000  | Compliance & Security: Real-Time Monitoring, False Positive Reduction, Access Control Enforcement | 180K | 15.5B    | 5.6T
28        | 28,000  | Compliance: SAS 70 Compliance                                                                | 450K       | 38.8B      | 148T
4         | 4,000   | Compliance & Security: Log Management, Monitoring Firewalls For Audits                       | 80K        | 6.9B       | 2.5T
3         | 17,000  | Compliance: Internal Audit                                                                   | 95K        | 8.2B       | 2.9T

Network Intelligence: Compliance and Security Operations

Enterprise-wide Log Management Platform: Baseline, Reports, Alerts, Forensics, Asset Identification, Incident Management

All the Data for Compliance Operations, Business Operations and Security Operations

Thank you!

Vulnerability and Asset Management (VAM)

Existing VA Scanners: Open Source Nessus; ISS SiteProtector

New VA Scanners: McAfee Foundscan; nCircle IP360; Qualys Inc. QualysGuard

New IDS/IPS Vulnerability Mapping References (Cont)

Supported IDS Devices: Dragon IDS; Snort / Sourcefire; ISS Real Secure; Cisco IDS; McAfee Intrushield; Juniper IDP [Netscreen]; 3COM/Tipping Point Unity One

New Device Additions In 3.7.0: F5 BigIP; MS DHCP; MS IAS; EMC Celerra CIFS; Lotus Domino; RSA Access Manager; Aventail; QualysGuard; Foundscan; nCircle