An Introduction to SIEM & RSA enVision

(Security Information and Event Management)

January, 2011
Brian McLean, CISSP Sr Technology Consultant, RSA

Changing Threats and More Demanding Regulations

External attacks

Malicious insiders taking financial info Careless users sers leaking IP

R&D Data Center Costly audit requirements Executive Financial

DMZ

Ever-changing business requirements

New Web 2.0 and P2P technologies

IT Staff Feels the Pressure

Security team lacks visibility into the IT environment environment. Overwhelming to process raw log and event volume volume.

Compliance is costly and resource-intensive.

Real-time security posture is difficult to understand.

Issues and Needs

Security team cannot see into the IT environment. Overwhelming to process raw log and event volume. Real-time security posture is difficult to understand. Compliance is timeconsuming.

Non-intrusive log collection to access all event sources. Complete information lifecycle management process. Real-time risk-based prioritization of events. Compliance reports in minutes not weeks.

RSA enVision 3-in-1 SIEM Platform

Simplifying Compliance
Compliance reports for regulations and internal policy Reporting Auditing

Enhancing Security
Real-time security alerting and analysis

Optimizing IT & Network Operations

IT monitoring across the infrastructure

Forensics

Alert / correlation

Network baseline

Visibility

Purpose-built database (IPDB)

RSA enVision Log Management platform

security devices

network devices

applications / databases

servers

storage

Simplifying Compliance
Robust Alerting & Reporting
1400 reports+ included out of the box Easily E il customizable t i bl Grouped according to standards, e.g. National Laws (SOX, Basel II, JSOX), Industry Regulations (PCI) (PCI), Best Practices & Standards (ISO 27002, ITIL)

Enhancing Security
Support the 3 key aspects of Security Operations

Turn real time events, e.g. threats, into actionable data

Create a closedloop incident handling gp process

Report on the effectiveness of security management

SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. sources This technology is used to filter incident information into data that can be acted on for the purposes of incident response and forensic analysis. Mark Nicolette, Gartner

Optimizing IT & Network Operations

Identify anomalies, ease troubleshooting

EMC Celerra

System Shutdown

System Failure

Benefits

Turns raw log data into actionable information Increases visibility into security, compliance and operational issues Saves time through compliance reporting Streamlines the security incident handling process Lowers operational costs

Why enVision?
Any Data - Any Scale

Collection of any type of log data, real-time correlation, and best-in-breed scalability Appliance form factor, agentless architecture Flexible but simple customization Comprehensive combination of event sources, correlation rules and reports Frequent updates to security knowledgebase Broad partner eco-system of strategic technology partners plus front-line security and compliance expertise Unparalleled installed base of more than 1600 production customers Active online customer Intelligence Community for shared best practices and knowledge Single strategic vendor with strong balance sheet Simplified IT operations, single point of contact, and global customer support Integration with RSA and EMC solutions (e.g. Access Manager, Authentication Manager, Voyence, Celerra, Symmetrix)

Lowest TCO SIEM solution

Most Complete Security Knowledge

Proven Solution with a large and active install base

All from EMC/RSA

Simplifying Compliance

Compliance challenges
Historically compliance processes involved dedicated resources performing multiple tasks, manually and repetitively

The process for Data collection was as long and laborious Valuable Data was often missed or not included Analysis and reporting was expensive and slow, and involved multiple log collection and analysis tools

Companies struggle to keep pace with understanding and complying to relevant laws and regulations

A multitude of Laws/ Rules/ Regulations to which an organization must comply

PCI DSS CSB 1386 HIPAA Country Privacy Laws COCOM Internal Policy SOX Data Security Act J-SOX GLBA HSPD 12

EU CDR

UK RIPA EU Data Privacy NERC State Privacy Laws

FISMA

FACTA

FFIEC

BASEL II Partner Rules

IRS 97-22

NISPOM

ACSI 33

NIST 800

Automated Analysis for Simplifying the Compliance Lifecycle

RSA enVision automatically sorts event log d t into data i t information i f ti categories t i required i df for adhering to compliance requirements:
Access Control Configuration Control Malicious Code Detection User Monitoring and Management Policy Enforcement Environmental & Transmission Security

Event Taxonomy

All 120,000+ distinct

messages have been classified

Example: User Taxonomy Categories

User.Activity User.Activity.Failed Logins User.Activity.File Access User.Activity.Known Bad Commands User.Activity.Login User.Activity.Login.Workstation Unlock User.Activity.Logoff User.Activity.Logoff.Workstation Lock User.Activity.Normal Activity User.Activity.Privileged Use.Denied User.Activity.Privileged Use.Successful User.Management User.Management.Groups.Additions User.Management.Groups.Deletions User.Management.Groups.Modifications User.Management.Groups.Modifications.User Added User.Management.Groups.Modifications.User Removed User.Management.Password.Expriation User.Management.Password.Modification User.Management.Password.Modification.Failed User.Management.Permissions User.Management.Users.Additions User.Management.Users.Deletions User.Management.Users.Disabled User.Management.Users.Modifications

Hierarchical structure, 10
top level t l l categories, t i 250 total categories

Open, Open Extensible

architecture

Administrators can add their

own messages and categories

Reports using these

categories will automatically be updated as new devices and dd d

RSA enVision and the Compliance Lifecycle :

The information gathered by RSA enVision can be used dt to h help l an organization i ti understand d t d

If it is compliant with regulations and laws What it needs to do to become compliant To show/ T h / prove that th t it is i compliant li t to auditors To provide evidence on compliance that can be used in a court of law

Enhancing Security Operations

Agenda
Detecting High-Risk Incidents Streamlining the Incident Handling Process Measuring M i th the V Value l of f Security Operations

Real Time Incident Detection

Finding Incidents in a Mountain of Data

Billions of raw events Thousands of security-relevant events Correlated alerts Incidents

! !

Dozens of high priority events

Real Time Incident Detection

What Do I Need to Detect? Suspicious User Activity Description

Comprehensive p Log g Data

RSA enVision collects all l d log data f from almost l any third party device

Asset Context

Unusual authentication or access control issues, like multiple failed logons, or unauthorized system accesses

RSA enVision allows import of data about IT assets from asset management systems

High Risk Detect new high risk Vulnerabilities vulnerabilities on and Threats critical assets, , or likely y attacks on vulnerable hosts Suspicious Network Activity Unusual deviations in network behavior, or network activity that violates policy

Real Time Incident Detection

Correlation rules, filters and watchlists t hli t
Comprehensive correlation rules delivered out-of-the-box
CRL-00011 Several Failed Logins Followed By A Successful Login / Possible Successful Brute Force Attack Detected

RSA enVision provides ability to define correlation rules, , watchlists of dynamic information

Timely threat information

RSA enVision provides regular updates of vulnerabilities, IDS signatures, event knowledge and correlation rules Detailed library of background information

Use Case: Vulnerable Server Attacked

Attacker Attack

IDS

VA Scanner

Configuration Management Database

Knows its being attacked

Knows its vulnerable

Knows its critical

Analyst

RSA enVision

Knows a critical, vulnerable server is being attacked

Alert

Agenda
Detecting High-Risk Incidents Streamlining the Incident Handling Process Measuring M i th the V Value l of f Security Operations

Monitoring and Management

Key Metrics & Dashboards
Network Activity by Category IDS Top Threats

Incident rate

Most Vulnerable Assets by Severity

Summary Benefits
Reduced risk

Highest priority issues identified Most vulnerable assets highlighted

Increased analyst productivity

Streamlined incident management process

I Improved d management t visibility i ibilit

Focus staff on highest risk areas

Fully auditable process for compliance reporting

Optimizing IT and Network Operations

How SIEM helps IT & Network Managers

The analysis of event logs from the network helps IT and Network Operations managers:

Optimize network performance by identifying issues and faulty equipment Assist IT managers with Helpdesk Operations by:

helping reveal what is going on in the network. providing global views of all network activity alerting them to network problems automatically providing them with customised Dashboards of
essential information

Gain visibility into specific behavioral aspects of individuals or groups of users

Lets Let s look at these in more detail detail

27

Identifying Issues & Optimizing Network Performance

Performance management

Log events contain information on utilization and error conditions

Example: Disk space running low, high bandwidth utilization

F lt management Fault t

Use alerts to Highlight potential network problems when deviations from standard baseline activity y occur Integration with IT operations systems (e.g. EMC SMARTS) helps enable detection and response to faults

E ample Read/Write failures, Example: fail res po power er spikes spikes, fan fail failure re

Generate Alerts if observed activity stops on any important asset (device or application may be down)

28

Assisting Helpdesk Operations

RSA enVision provides helpdesk operations with a clearer view i of f what h t events t are taking t ki place l i in th the network: t k

29

That affect users That affect hardware/ software That affects business systems

Example use cases include:

Creating automated reports that provide activity reports on chosen assets Generating reports on activity relating to specific IP addresses Using Event Explorer to analyze historical data relating to c de ts incidents Alerting on detection of virus activity within network

Assisting Helpdesk Operations to investigate user problems

The IT/ Network manager can run a variety of reports, each hf focusing i on a specific ifi question ti th that t may need dt to b be investigated Example Use Case:

30

IT Operations in multi-national organization spent 3 days trying to establish why an executive could not log onto the network User had logged off, changed his password, could not log back on Several IT staff looked at this problem for 3 days Eventually they ran a report on RSA enVision looking at all logs for user globally over past 6 months Within 15 minutes, established that manager had travelled to Singapore, had logged onto the network but had NOT logged off IT support logged user off network in Singapore and user could now log back onto the network with new password!

Building more complex alerts: Correlated Alerts

Correlated Alerts enable IT & Operations staff to build more complex, l customized t i d alerts l t th that t fi fire only l upon a sequence of activity occurring. Enables IT & Operations staff to

Focus only on important issues Rationalize resources Be creative in alerting

X Y If x x and y y then fire alert.

Generate An ALERT! 31

Summary: How SIEM helps IT & Network Managers

Can be used to Optimize network performance by id tif i i identifying issues and df faulty lt equipment i t Troubleshooting network problems Assist IT managers with Helpdesk Operations by:

helping reveal what is going on in the network. providing global views of all network activity alerting them to network problems automatically providing them with customized Dashboards of essential information providing a tool for detailed forensic work

Gives IT & Network Operations visibility into specific behavioural aspects of individuals or groups of users
32

RSA enVision
Stand-alone Appliances to Distributed Solutions
300,000 30000 10000 7500

EPS

LS S Series i

ES Series
5000 2500 1000

500 100 200 400 750 1250 1500

# DEVICES
2048 30,000

RSA enVision Deployment

Scales from a single appliance.

Baseline

Correlated Alerts

Report

Realtime A l i Analysis

Forensics

Interactive Query

Integrated Incident M t Mgmt.

Event Explorer

Analyze Manage
Collect Collect Collect
UDS
Windows Server Netscreen Firewall Cisco IPS Juniper IDP Microsoft ISS Trend Micro Antivirus Device Device

RSA enVision Supported Devices

Legacy