
RSA enVision 4.1 Overview Guide

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA, the RSA Logo, RSA enVision, RSA Event Explorer and EMC are either registered trademarks or trademarks of EMC
Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective
owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to
third-party software in this product may be viewed in the thirdpartylicenses.pdf file.
Portions of this application include technology used under license from Visual Mining, Inc. 2000-2010.
Portions of this application include iAnywhere technology, 2001-2010.

Note on encryption technologies


This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2011 EMC Corporation. All Rights Reserved. Published in the USA.
September 2011

Contents
Preface................................................................................................................................... 5
About This Guide................................................................................................................ 5
RSA enVision Documentation............................................................................................ 5
Related Documentation....................................................................................................... 6
Support and Service ............................................................................................................ 6

Chapter 1: About the RSA enVision Platform ............................................... 9


RSA enVision Solution....................................................................................................... 9
RSA enVision Platform .................................................................................................... 10
User Experience ................................................................................................................ 13

Chapter 2: Event Collection ................................................................................... 15


Event Sources.................................................................................................................... 15
Message Categories........................................................................................................... 15
Event Storage .................................................................................................................... 17
Event Export ..................................................................................................................... 17

Chapter 3: Vulnerability and Asset Management ..................................... 19


Asset Data ......................................................................................................................... 19
Vulnerability Data............................................................................................................. 20

Chapter 4: Incident Management ........................................................................ 21


Real-Time Alerts............................................................................................................... 21
Incident-Response Tasks................................................................................................... 24
Forensic Analysis.............................................................................................................. 25

Chapter 5: Reports and Queries.......................................................................... 29


Reports .............................................................................................................................. 29
Queries .............................................................................................................................. 30

Chapter 6: Compliance.............................................................................................. 33
Chapter 7: Further Information and Assistance........................................ 35
Help Systems..................................................................................................................... 35
Online Resources .............................................................................................................. 36
Event Source, Report, Correlation Rule, and VAM Updates ........................................... 38
Assistance.......................................................................................................................... 39

Glossary ............................................................................................................................. 41
Index ..................................................................................................................................... 47


Preface
About This Guide
This guide introduces RSA enVision features and capabilities. The intended audience
for this guide includes enVision administrators, enVision users, and anyone who
requires a high-level understanding of enVision.

RSA enVision Documentation


For information about the RSA enVision platform, see the following documentation:
• Release Notes. Provides information about what is new and changed in this
  release, as well as workarounds for known issues. The latest version of the
  Release Notes is available on RSA SecurCare Online at
  https://knowledge.rsasecurity.com.
• Overview Guide. Provides an introduction to RSA enVision platform features and
  capabilities.
• Hardware Setup and Maintenance Guide. Provides instructions on setting up and
  maintaining RSA enVision appliances. Intended audience is the system
  administrator.
• Configuration Guide. Provides instructions on configuring an RSA enVision site.
  Intended audience is the system administrator.
• Migration Guide. Provides instructions on migrating data from a previous version
  of the RSA enVision platform to the current version.
• Virtual Deployment Guide. Provides instructions on installing an RSA enVision
  single appliance site or Remote Collector on a virtual infrastructure.
• Administrators Guide. Provides instructions on the basic setup and maintenance
  of the RSA enVision platform. Includes instructions for the most common
  administrator tasks.
• Users Guide. Provides information that helps users to get started using the
  RSA enVision platform. Includes instructions for the most common user tasks.
• Backup and Recovery Guide. Provides instructions on backing up an
  RSA enVision system and recovering from a hardware failure.
• Security Configuration Guide. Provides an overview of security configuration
  settings in the RSA enVision platform.
• Universal Device Support Guide. Describes how to add log collection and
  analysis support for event sources that the RSA enVision platform does not
  support.
• RSA enVision Help. Provides comprehensive instructions on setting up
  RSA enVision processing options and using RSA enVision analysis tools.


RSA continues to assess and improve the documentation. Check RSA SecurCare
Online for the latest documentation.

Related Documentation
For information about the RSA enVision Event Explorer module, see the following
documentation:
• Release Notes. Provides information about what is new and changed in this
  release, as well as workarounds for known issues.
• Installation Guide. Provides instructions on installing the RSA enVision Event
  Explorer module on your client machine in separate guides for Microsoft
  Windows and Apple Macintosh operating systems. Intended audience is the end
  user.
• RSA enVision Event Explorer Help. Provides comprehensive instructions on
  setting up and using the RSA enVision Event Explorer module.
For information about the RSA enVision EventSource Integrator, see the following
documentation:
• Release Notes. Provides information about what is new and changed in this
  release, as well as workarounds for known issues.
• Overview Guide. Provides an introduction to RSA enVision EventSource
  Integrator features and capabilities.
• RSA enVision EventSource Integrator Help. Provides comprehensive
  instructions on using RSA enVision EventSource Integrator.

Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common
questions and solutions to known problems. SecurCare Online also offers
information on new releases, important technical news, and software downloads.
The RSA Secured Partner Solutions Directory provides information about third-party
hardware and software products that have been certified to work with RSA products.
The directory includes Implementation Guides with step-by-step instructions and
other information about interoperation of RSA products with these third-party
products.


Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA enVision
software.
Please have the following information available when you call:
• One of the following:
  • On a 60-series appliance, the serial number of the appliance. You can find
    the seven-character serial number on the chassis tag on the back of the
    appliance, or open a Dell OpenManage Server Administrator session, and
    click System > Properties > Summary to find the serial number in the
    chassis service tag field.
  • On a virtual appliance, the serial number of the RSA enVision software.
    Open the C:\WINDOWS\system32\drivers\etc\Nie-oe.dat file, and locate
    the line that begins with S/N=.
• RSA enVision software version number.
• The name and version of the operating system under which the problem occurs.
  On a virtual appliance, the VMware ESX or ESXi server details.


Chapter 1: About the RSA enVision Platform


RSA enVision is a security information and event management (SIEM)
solution. It collects log messages and vulnerability and asset data from the entire IT
network, applies logic to the data, and provides actionable information in the form of
reports and real-time alerts.

[Figure: Inputs (Log Messages, Vulnerability Scans) flow into RSA enVision, which
Interprets, Analyzes, and Stores them and produces Outputs (Alerts, Reports).]

RSA enVision Solution

RSA enVision gives users a single, integrated SIEM solution for meeting the
following business needs:
• Enhanced security
• Simplified compliance
• Optimized IT oversight

Enhanced Security
RSA enVision provides security specialists with a clear view of threats and risks and
the means to counter them.
RSA enVision collects all the logs generated by network assets, such as servers,
switches, routers, storage arrays, operating systems, and firewalls. It analyzes the logs
in real time, and can generate alerts when it detects suspicious patterns of activity.
Because enVision contains information about common threats, it detects many
common security attacks.
In addition, enVision contains data from supported configuration management
systems and asset scanners. Access to enVision data is secured with strong
passwords. Using this data, enVision recognizes the asset under threat and calibrates
the urgency of the alert.
Security staff can then use the RSA enVision Event Explorer module, an advanced
analytical tool, to examine the full volume of stored and incoming data.


Simplified Compliance
RSA enVision eases the burden of complying with regulations, standards, and
organizational policies. It enables event monitoring and incident response, and
includes compliance reports tailored to specific requirements. For example, enVision
provides reports for demonstrating compliance with laws (such as the Sarbanes-Oxley
Act and the Gramm-Leach-Bliley Act) and with industry standards (such as the
Payment Card Industry Data Security Standard and ISO 27002).
RSA enVision automates the process of collecting, sorting, analyzing, and storing log
messages. All logs are gathered without filtration or normalization and are protected
from tampering. Compliance specialists can find in the stored logs a complete
accounting of network activity. RSA enVision thus provides a verifiably authentic
archive of data that simplifies compliance with modern requirements and with
whatever legislation may emerge in the future.

Optimized IT Oversight
Managed log data is the best source of information about infrastructure status and
performance and the activities of applications and users.
RSA enVision can alert IT staff in real time to faulty equipment and anomalous
network activity, and can also provide granular visibility into the specific behaviors of
applications and end users. The incident-handling facilities of enVision manage the
creation and assignment of remediation tasks to administrators and help desk
personnel and assist in tracking their progress.
In addition, the enVision baselining, trending, and reporting functionality provides a
long-term graphical overview of system performance and events.

RSA enVision Platform


RSA enVision scales from a single appliance to a large, distributed, multiple appliance
system. In all deployments, authorized users can use enVision to find all the logs and
other data.

Platform Components
RSA enVision consists of the following integrated components, each with a
specialized function:
• Collector. Receives and interprets log messages from network assets, and stores
  this event data in the LogSmart Internet Protocol Database (IPDB). (RSA refers to
  these processed log messages as events.)
• Database Server (D-SRV). Retrieves event data from the IPDB in response to
  user requests.
• Application Server (A-SRV). Runs the applications that enable user and
  administrator actions, such as creating users, querying the data, and directing
  enVision to generate alerts and reports. Users and administrators can log on to the
  enVision user interface through a web browser on their personal computers.


• Event Explorer. A client application that is specialized for incident handling and
  forensic analysis. Event Explorer runs on users' personal computers and connects
  to enVision to access the collected data.
The following figure illustrates the enVision components, their functions, and the
connections among them.

Platform Deployments
RSA enVision runs on a standalone appliance or within a scalable, distributed
architecture able to cope with the demands of the largest enterprise networks.
The simplest deployment has the enVision components (Collector, D-SRV, and
A-SRV) preinstalled in one appliance. It can be supplemented with external storage.
Depending on the model, a single enVision appliance supports up to 14 simultaneous
users. The high-end appliance can, with external storage, accommodate up to 1,250
event sources.


For larger deployments, the Collector, D-SRV, and A-SRV are each installed on a
separate appliance and supplemented with network-attached storage. The appliances
are collectively referred to as a site.
A site has one or more D-SRV appliances supporting multiple A-SRV appliances and
Collector appliances, including Collectors in remote geographic locations.

[Figure: a distributed deployment. Site 1 contains two A-SRV appliances and two
D-SRV appliances (D-SRV1 and D-SRV2). Site 2 contains three Collector appliances,
each receiving logs from its own group of event sources.]

In this distributed deployment, each A-SRV can accommodate 16 simultaneous users.
A single Collector appliance in a site can accommodate up to 2,048 event sources;
a Collector appliance in a remote geographic location can accommodate up to 1,024
event sources.
The largest deployments include several sites, each supporting multiple A-SRVs,
D-SRVs, and Collectors.
For information on enVision deployments, contact your RSA sales representative, or
go to www.rsa.com/products/envision/datasheets/9245_3in1_DS_0209-lowres.pdf.

Virtual Deployments
RSA enVision can be deployed on a virtual machine for single appliance and remote
collector sites. For more information, see the RSA enVision 4.1 Virtual Deployment
Guide.


User Experience
Users and administrators control RSA enVision and Event Explorer through graphical
user interfaces (GUIs). The enVision administrator creates users and user groups with
varying levels of permissions, and each user sees only the operations for which
permission has been granted.

RSA enVision GUI


All pages of the enVision GUI show the navigation tools in the left panel and the
current window on the right.
The landing page is the Dashboard. Each user and administrator can configure a
personal dashboard that shows a customized selection of reports. The navigation tree
on the left is expanded at startup to show the available reports and those selected for
display.
For example, the following figure shows an enVision landing page with the expanded
navigation tree (Overview > Dashboard) on the left and the Dashboard window
configured to show several graphical and tabular reports.

[Figure: the Dashboard landing page, with callouts for the tabs, the available
reports, the user-selected reports, and other overview topics in the navigation tree.]

To navigate the enVision GUI, select a tab at the top of the left panel: Overview,
Alerts, Analysis, or Reports. The panel refreshes to display the choices available
under the selected tab.


RSA enVision provides a comprehensive Help system with instructions for using the
features on each window. When using any window in the GUI, click the question mark
icon to see context-sensitive Help for that window. RSA enVision displays the
Help topic for the current window in a new browser window, with the Help Table of
Contents in the left panel. The left panel also displays links to a Help index and a
search field.

RSA enVision Event Explorer GUI


Event Explorer is specialized for managing incidents and performing forensic
analysis. Event Explorer receives the incidents that enVision generates and enables
users to analyze the data that the platform collects.
The Event Explorer GUI has two modes related to its primary functions: Incident
Management mode (for handling incidents) and Event Trace Library mode (for
forensic analysis). Each mode has individual panels and views that display the details
for incident management and forensic analysis. You can select which mode displays
by default when you open Event Explorer.

Event Explorer Help is available by clicking Help on the menu bar. Event Explorer
displays the Help Table of Contents in a new browser window. It includes an index
and a search field.


Chapter 2: Event Collection
RSA enVision collects, analyzes, and stores logs from event sources throughout an
organization's IT environment. The logs and the descriptive metadata that enVision
adds are stored in the LogSmart Internet Protocol Database (IPDB).

Event Sources
Event sources are the IP assets on the network, such as servers, switches, routers,
storage arrays, operating systems, and firewalls.
The RSA enVision administrator configures event sources to send logs to the Collector
or configures the Collector to poll event sources and retrieve logs. As a result, the
Collector receives all system logs in their original form, without filtering,
normalization, or compression.
New event sources are being developed to match the Content 2.0 standard. The RSA
enVision 4.1 release supports the Universal Event Table in the report and query
interface. This table is a new data structure that represents all the event data
contained within Content 2.0 event sources. For more information, see the Help topic,
Content 2.0.
RSA enVision EventSource Integrator is a graphical tool that enables you to integrate
event sources with RSA enVision. Using EventSource Integrator, you can define how
enVision reads and monitors the events from event sources. These definitions are
stored as an XML file, called an event source XML file, which is deployed on
enVision. Using EventSource Integrator, you can create a new event source XML file
for an event source that is not currently supported by enVision or edit an existing event
source XML file. After you deploy the event source XML file, enVision is able to
interpret the events and monitor the event source.

Message Categories
The Collector is equipped with files for each supported event source. These files
enable the Collector to interpret the often cryptic log messages, no matter what format
the messages use. RSA updates these files frequently to support new event sources
and new log messages that event source vendors have added. RSA enVision collects
messages in syslog format and also has other collection services including NIC
Windows Service, NIC FW-1 LEA Client Service, NIC File Reader Service, NIC
SFTP Agent, NIC ODBC Service, NIC Secure SDEE Collection Service, VMware,
and Windows 2008 Service.
For each message, the Collector records the event source and time received and
assigns the message a numeric ID. The Collector also assigns each message to a
message category that indicates the kind of action that causes the message. This
descriptive metadata (source, time, ID, and category) is used in configuring alerts and
in retrieving events for forensic analysis.


The message categories are hierarchical. The top level, called the NIC category, has
ten possible values:
• Attacks
• Reconnaissance (such as port scans)
• Content (web content events, such as normal transactions or suspect requests)
• Authentication (authentication events)
• User (such as logon and file access)
• Policies (such as firewall rule events)
• System (hardware errors)
• Configuration (administrator modifications)
• Network (such as usage or routing errors)
• Other

Within NIC categories, messages are further classified by alert category and then by
up to three levels of event category. For example, a log message in the Attacks
category might be further categorized as Malicious Code (alert category), and further
as a Worm (event category).
The following figure shows a five-level message classification, as well as the syntax
for specifying categories when configuring alerts or conducting analysis.

Attacks.Access.Informational.Network Based.TELNET

[Figure: in this five-level classification, Attacks is the NIC category, Access is the
alert category, and Informational, Network Based, and TELNET are the three event
categories.]

The RSA enVision administrator uses message categories in configuring alerts. When
incoming messages, and possibly other criteria such as event source or time frame,
meet the conditions that the administrator has specified for an alert, the alert is
triggered immediately.
In addition, the categorization of log messages enables enVision to establish activity
baselines, which it can use to determine whether a certain activity or level of activity
is anomalous. The categorized log data is also used for alerting and reporting.
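As an added example (not RSA code), the following Python parses the dotted five-level category syntax shown above, checks the top level against the ten NIC categories listed, and matches event categories against the kind of category prefix an alert view might specify; the sample events are constructed.

```python
"""Parse and match RSA enVision style dotted message categories.

Added example, not RSA code. The five-level syntax and the ten NIC categories
follow the guide; the event records below are constructed sample data.
"""
from collections import Counter

NIC_CATEGORIES = {
    "Attacks", "Reconnaissance", "Content", "Authentication", "User",
    "Policies", "System", "Configuration", "Network", "Other",
}


def parse_category(text):
    """Split 'NIC.Alert.Event1.Event2.Event3' into its levels.

    Returns a dict with the NIC category, the alert category and a list of
    up to three event categories. Whitespace around the dots (as in the
    guide's figure) is ignored. Raises ValueError on malformed input.
    """
    levels = [part.strip() for part in text.split(".")]
    if not 1 <= len(levels) <= 5 or any(not p for p in levels):
        raise ValueError("category must have 1 to 5 non-empty levels: %r" % text)
    if levels[0] not in NIC_CATEGORIES:
        raise ValueError("unknown NIC category: %r" % levels[0])
    return {
        "nic": levels[0],
        "alert": levels[1] if len(levels) > 1 else None,
        "events": levels[2:],
    }


def category_matches(pattern, category):
    """True if `category` falls under `pattern` in the hierarchy.

    A pattern with fewer levels matches every more specific category below
    it, so a condition on 'Attacks.Malicious Code' also covers
    'Attacks.Malicious Code.Worm'. Comparison is case-insensitive.
    """
    want = [p.strip().lower() for p in pattern.split(".")]
    have = [p.strip().lower() for p in category.split(".")]
    return len(want) <= len(have) and have[: len(want)] == want


def count_by_nic(events):
    """Tally events per NIC category, as an alerts summary by category would."""
    return Counter(parse_category(e["category"])["nic"] for e in events)


def select_for_view(events, patterns):
    """Return the events whose category falls under any of the view's patterns."""
    return [
        e for e in events
        if any(category_matches(p, e["category"]) for p in patterns)
    ]


# Constructed sample events carrying the metadata the Collector assigns
SAMPLE_EVENTS = [
    {"id": 1, "source": "fw01", "category": "Attacks.Access.Informational .Network Based . TELNET"},
    {"id": 2, "source": "ids01", "category": "Attacks.Malicious Code.Worm"},
    {"id": 3, "source": "srv07", "category": "User.Logon.Success"},
    {"id": 4, "source": "fw01", "category": "Policies.Firewall.Deny"},
    {"id": 5, "source": "rtr02", "category": "Reconnaissance.Port Scan"},
]

if __name__ == "__main__":
    print(parse_category(SAMPLE_EVENTS[0]["category"]))
    print(count_by_nic(SAMPLE_EVENTS))
    for e in select_for_view(SAMPLE_EVENTS, ["Attacks", "Reconnaissance.Port Scan"]):
        print(e["id"], e["category"])
```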


Event Storage
After enVision analyzes log messages, it stores the original log messages and their
descriptive metadata in the IPDB.
This method of storage has several advantages over traditional relational databases.
The IPDB:
• Works efficiently with unstructured data without requiring preprocessing or data
  normalization.
• Optimizes retrieval based on event source, message category, event ID, and time
  received.
• Uses a write-once-read-many approach that ensures that after data is committed to
  the database, it can never be altered.

The access to the IPDB data is controlled and only authorized users are allowed to
access the data. To ensure integrity of the event data collected in the IPDB, the
SHA-256 hash of the event data is computed and stored. The enVision administrator
can verify the integrity of the event data stored in the IPDB using the maintenance
tool. For more information on the maintenance tool, see the Help topic, Maintenance
Command Line Interface Utility (lsmaint.exe) Actions and Arguments.
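The following Python is an added illustration (not RSA code, and not the IPDB format, which this guide does not describe) of the two storage properties stated above: each original message is kept unaltered alongside the Collector-style metadata (source, time received, ID, category), and a stored SHA-256 digest lets an integrity check flag any record changed after it was committed. The syslog lines are constructed.

```python
"""Append-only event store with SHA-256 integrity records.

Added example, not RSA code and not the IPDB on-disk format. It shows the
principle the guide states: the original message is stored unaltered with
its metadata, and a SHA-256 hash lets an administrator detect tampering.
"""
import hashlib
import json
from datetime import datetime, timezone


class WriteOnceStore:
    """Append-only list of records; each record carries its own SHA-256."""

    def __init__(self):
        self._records = []

    @staticmethod
    def _digest(record):
        # Hash the canonical JSON of every field except the stored digest itself
        body = {k: v for k, v in record.items() if k != "sha256"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, source, message, category, received=None):
        """Store the raw message with Collector-style metadata; return its ID."""
        received = received or datetime.now(timezone.utc).isoformat()
        record = {
            "id": len(self._records) + 1,   # numeric ID assigned in arrival order
            "source": source,
            "received": received,
            "category": category,
            "message": message,              # original text, no normalization
        }
        record["sha256"] = self._digest(record)
        self._records.append(record)
        return record["id"]

    def get(self, event_id):
        return self._records[event_id - 1]

    def verify(self):
        """Recompute every digest; return the IDs of records that no longer match."""
        return [r["id"] for r in self._records if self._digest(r) != r["sha256"]]

    def __len__(self):
        return len(self._records)


def demo_tamper_detection():
    """Store two constructed log lines, alter one out of band, and verify.

    Returns (ids failing before the edit, ids failing after the edit).
    """
    store = WriteOnceStore()
    store.append("fw01", "constructed PIX deny line: 106015 Deny TCP 10.0.0.5/4321 to 10.0.0.9/23",
                 "Policies.Firewall.Deny", "2011-09-01T10:00:00+00:00")
    store.append("srv07", "constructed sshd line: Accepted password for admin from 10.0.0.12",
                 "User.Logon.Success", "2011-09-01T10:00:02+00:00")
    before = store.verify()               # fresh store: nothing fails
    # Simulate an edit of the committed record that bypasses the append API
    rec = store.get(2)
    rec["message"] = rec["message"].replace("admin", "guest")
    return before, store.verify()         # the altered record is reported
```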

Event Export
RSA enVision has the capability to export event data from IPDB to external data
destinations, such as databases or data warehouse technologies and event processing
systems. You can then use the data for data aggregation, staking, enrichment, and
further investigation.
When you install version 4.1 of enVision, you can export events from the platform.
Events can be exported at scheduled intervals to a comma-separated value (CSV) file
which can be imported into a desired destination. For more information, see the
Administrators Guide.


Chapter 3: Vulnerability and Asset Management


IT assets (hosts, software systems, and other devices) have well-known
vulnerabilities. RSA enVision uses this information about enterprise assets to
minimize false positive alerts and to prioritize alerts. Vulnerability information also
provides the contextual data that security analysts need to respond to incidents and to
perform forensic analysis.

[Figure: RSA enVision receives logs and holds three databases, the ADB, VDB, and
IPDB, so that it knows Asset A and its importance, knows Asset A's vulnerabilities
and threats, and knows the events that signal an attack on Asset A.]

Both enVision and RSA enVision Event Explorer have vulnerability and asset
browsers that enable security analysts to access this information quickly and
efficiently.

Asset Data
RSA enVision maintains an Asset Database (ADB) containing information about the
assets reported by one of the supported asset tracking tools (asset scanning devices).
RSA enVision supplements its own information about assets by importing data from
third-party asset scanners and configuration management systems. For example,
enVision imports data from the QualysGuard Security and Compliance Suite.
If one of these third-party scanners reports an asset that is not in the enVision ADB,
enVision creates a new record for the asset and adds any available information, such
as operating system, ports, and services.


Vulnerability Data
The enVision Vulnerability Knowledge Database (VDB) is an embedded repository of
vulnerability information.
The VDB is derived from the National Vulnerability Database of the U.S. Department
of Homeland Security. The National Vulnerability Database integrates all
vulnerability data from publicly available resources. It contains detailed descriptions
of each current vulnerability, such as potential impact, the type of losses caused,
and an indication of how an attack can result in a confidentiality breach.
Vulnerability and asset management features enable enVision users to configure
confidence level filtering on the detected set of vulnerabilities of each scanned asset.
When enVision receives event information from a supported intrusion detection
system (IDS) or intrusion prevention system (IPS), it applies the confidence level
filter to respond appropriately to the received information.
Examples of supported IDS and IPS devices include Juniper Networks Intrusion
Detection and Prevention Appliances and Cisco Intrusion Prevention Sensor. These
systems continuously scan the network to detect such threats as outsiders gathering
information about the assets.
RSA frequently updates vulnerability information, threat signatures, and support for
vulnerability scanners. Customers can download these updates to the enVision VDB.


Chapter 4: Incident Management
An incident is an event or set of events that warrants further investigation, such as a
disk failure, an unexpected spike in network traffic, or the signature of a known threat.
Because of the wealth of data that the RSA enVision platform automatically collects,
it can be configured to recognize incidents and issue real-time alerts.
The alert is the beginning of the enVision incident-management process.
RSA enVision provides for closed-loop incident management, from configuring alerts,
through creating and assigning response tasks, to monitoring incident response and
resolution.

Real-Time Alerts
RSA enVision generates real-time alerts in response to sets of circumstances that the
administrator has specified. RSA enVision analyzes all incoming events and issues an
alert immediately when the specified conditions are met.
The alert is reported in the enVision GUI and can be directed to other destinations,
such as e-mail, instant message, or a text file stored on the local system. An alert can
also be configured to automatically generate an incident-response task.

Views
A view defines the devices, messages, correlation rules, and user-defined criteria for
which enVision issues alerts. An enVision administrator creates views that specify the
conditions (the event sources, events, user-defined criteria, and correlations among
criteria) that are worthy of investigation.
Any of the following conditions can generate an alert:
• A single event message, such as one reporting an asset malfunction
• A string within an event message, such as content that matches a configured list
  (referred to as a watchlist) of known spammers
• A specified combination of events within a given time frame, such as a series of
  logon attempts that suggest a possible denial-of-service attack

Within a view, an administrator can specify filters and thresholds, such as a percentage
increase of activity above the baseline, to rate the severity of the events and focus on
those of highest priority. Views can also use watchlists, which filter events by string,
IP address, port, protocol, or regular expressions.
An administrator can also configure the view to send various alerts using specific
protocols such as SNMP, e-mail, instant message, or text file. These configuration
settings are called output actions. Another possible output action is the automatic
generation of an incident-response task. Each view specifies the users who are
permitted to monitor the alerts generated for that view.


Correlated Alerts
Views frequently include correlation rules for alerts. A correlation rule specifies a set
of events within a time period and a set of conditions that will generate an alert. The
correlation rule includes a message ID and message text for the alert.
For example, the following figure illustrates the logic of a correlation rule for
recognizing a threat.
[Figure: correlation-rule logic. A defined set of events, here Cisco PIX Firewall
messages 106001, 106010, 106012, 106015, 106016 and 307001 and Check Point
Firewall-1 message 050010, is evaluated within a specified time period against
defined thresholds, filters, and conditions.]

When the correlation rule criteria are met, enVision generates the alert message
defined in the view and sends that alert to the specified destination.
RSA enVision provides a wide range of correlation rules that detect incidents and
reduce or eliminate the risk of exposure. The enVision administrator can enhance or
modify these rules to suit the environment. The set of predefined rules is continually
updated and available for download from RSA SecurCare Online.
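As an added example (not code from the RSA enVision guide or product), the following Python sketch models the view and correlation-rule logic described in the last two sections: a watchlist filter on source address, a defined set of message IDs from defined event source types (those in the figure), a sliding time window, and a count threshold that produces an alert carrying a message ID and text. The rule name, the alert message ID, the network range and all events are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Event:
    ts: datetime
    device_type: str   # event source type, e.g. "Cisco PIX Firewall"
    msg_id: str        # vendor message ID, e.g. "106001"
    src_ip: str        # address the message reports as the traffic source
    text: str


@dataclass
class Watchlist:
    """Named list of like-values used as a filter: substrings and/or IP networks."""
    name: str
    strings: set = field(default_factory=set)
    networks: list = field(default_factory=list)

    def matches(self, ev: Event) -> bool:
        if any(s in ev.text for s in self.strings):
            return True
        ip = ipaddress.ip_address(ev.src_ip)
        return any(ip in net for net in self.networks)


@dataclass
class CorrelationRule:
    """Defined set of events from defined event sources, a time period, a threshold."""
    name: str
    device_types: set
    msg_ids: set
    window: timedelta
    threshold: int
    alert_msg_id: str                      # message ID carried by the generated alert
    alert_text: str                        # message text template for the alert
    watchlist: Optional[Watchlist] = None  # optional view-level filter

    def relevant(self, ev: Event) -> bool:
        return (ev.device_type in self.device_types and ev.msg_id in self.msg_ids
                and (self.watchlist is None or self.watchlist.matches(ev)))


class Correlator:
    """Sliding-window counter per source IP; fires once each time the threshold is met."""

    def __init__(self, rule: CorrelationRule):
        self.rule = rule
        self.history = {}   # src_ip -> timestamps of matching events in the window
        self.alerts = []

    def feed(self, ev: Event):
        if not self.rule.relevant(ev):
            return None
        seen = self.history.setdefault(ev.src_ip, [])
        seen.append(ev.ts)
        cutoff = ev.ts - self.rule.window
        seen[:] = [t for t in seen if t >= cutoff]   # keep only the specified time period
        if len(seen) < self.rule.threshold:
            return None
        alert = {"msg_id": self.rule.alert_msg_id, "ts": ev.ts, "src_ip": ev.src_ip,
                 "count": len(seen),
                 "text": self.rule.alert_text.format(n=len(seen), ip=ev.src_ip)}
        self.alerts.append(alert)
        seen.clear()   # one burst yields one alert, not one per extra event
        return alert


# Event source types and message IDs are those shown in the correlation-rule figure.
RULE = CorrelationRule(
    name="firewall-burst-from-watchlisted-source",
    device_types={"Cisco PIX Firewall", "Check Point Firewall-1"},
    msg_ids={"106001", "106010", "106012", "106015", "106016", "307001", "050010"},
    window=timedelta(seconds=60), threshold=5,
    alert_msg_id="EXAMPLE-0001",   # constructed; not an enVision NIC message ID
    alert_text="{n} firewall events from watchlisted source {ip} within 60 s",
    watchlist=Watchlist("suspicious_sources",
                        networks=[ipaddress.ip_network("198.51.100.0/24")]),
)


def sample_events() -> list:
    """Constructed sample events using documentation address ranges."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    burst = ["106001", "106010", "106012", "106015", "106016", "307001"]
    events = []
    for src in ("198.51.100.7", "10.0.0.5"):   # second host is not on the watchlist
        events += [Event(t0 + timedelta(seconds=5 * i), "Cisco PIX Firewall", mid,
                         src, f"PIX {mid} from {src}") for i, mid in enumerate(burst)]
    # A lone event two hours later falls outside the 60 s window and never counts.
    events.append(Event(t0 + timedelta(hours=2), "Check Point Firewall-1", "050010",
                        "198.51.100.7", "FW-1 050010 from 198.51.100.7"))
    return sorted(events, key=lambda e: e.ts)


def run_sample() -> list:
    """Feed the sample through the correlator and return the alerts it raised."""
    corr = Correlator(RULE)
    for ev in sample_events():
        corr.feed(ev)
    return corr.alerts
```

Only the watchlisted host's burst fires, and only once: the fifth matching event within the window produces the alert, the sixth starts a fresh count, and the event two hours later is alone in its window.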


Monitoring Alerts by Using Views


Administrators and users with the appropriate permissions can monitor alerts in the
RSA enVision GUI and in the destination specified in the associated view.
For example, the following figure shows how the enVision GUI displays the number
and severity of alerts by NIC category above the established baseline. From this
window, administrators and users can drill down to display the particular alerts that
have occurred and drill down further for information on the messages that triggered an
alert.

[Figure: alert levels by NIC category, alert levels by severity, and alert details.]

RSA enVision can also generate summary reports of alerts, such as recent alerts, alerts
by category, and alert trends.


Incident-Response Tasks
RSA enVision can group events into tasks for the purpose of investigation, and can
assign these tasks to analysts (or to an intermediate dispatcher) for response. Analysts
display and work with the tasks in RSA enVision Event Explorer. Managers and
administrators can monitor the analysts' progress in the enVision GUI.

Monitoring Alerts by Creating Tasks


In enVision, the administrator can specify the creation of a task based on a correlated
alert. When the alert fires, enVision creates the task and sends it to Event Explorer for
resolution or to an external application, such as a third-party ticketing system.

Managing Tasks in RSA enVision Event Explorer


When enVision forwards tasks to Event Explorer, Event Explorer displays a list of
tasks and the details of individual tasks.
Depending on the Event Explorer user's permissions (as set by the enVision
administrator), the user assigned to a task can acknowledge the task, view and edit
task data, assign the task to another analyst, and close or delete the task. The user can
also escalate the task to an external application, such as a ticketing system. The external
application can update tasks and send the updates back to Event Explorer.

[Figure: task life cycle. States: New Task Created, Task Opened, Task escalated to
external application, Task Closed. Transitions: Create, Acknowledge, Reopen, Close,
Escalate, Update Task, Delete. The external application (ticketing system) can update
an escalated task.]

Multiple users can access the same task from different Event Explorer clients. Event
Explorer displays a warning message if different users attempt to make conflicting
changes to the task.


Monitoring Tasks
Administrators can monitor the status of tasks in the RSA enVision GUI, as illustrated
in the following figure.

Administrators can also generate summary reports of tasks, showing such productivity
metrics as departmental workload, open tasks, and time to closure.

Forensic Analysis
Many RSA enVision features rely on real-time alerts and other dynamic information
to help resolve incidents in progress. Sometimes analysts need to drill into historical
(static) data to research some event that happened in the past. Research using static
data is called forensic analysis.
Forensic analysis can help determine a sequence of events leading to a given state of a
network asset. Forensic analysis can be used when an asset fails, is attacked, or is
otherwise compromised.


The following figure illustrates how events stored in the enVision IPDB can indicate
suspicious activity on an event source, in this case a laptop containing sensitive data.

Event Explorer is the primary interface used for both real-time and historical data
mining. Event Explorer is a client application that analysts use with enVision to
retrieve and examine event data. The user must have an enVision account to use Event
Explorer.
Event log analysis involves logging on to the relevant Application Server and creating
an event trace to retrieve specific messages. The event trace wizard (a tool within
Event Explorer) assists users in setting up and managing an event trace.
An event trace specifies the messages, the event sources that generated the messages,
and the time frame in which the messages were received by enVision. Users can limit
the data retrieved by filtering for specific message content. Event traces display
returned data in tables and charts:

• Standard tables and charts enable data selection without requiring users to know
how to use the SQL commands that Event Explorer uses internally.

• Advanced tables and charts require users to enter SQL statements to define how
the data is displayed, providing more control over data selection and display.


The following figure shows a standard table trace view.

RSA Event Explorer can also display data as an area, stacking area, bar, stacking bar,
line, plot, pie, bubble, or spider web chart. The following figure shows a standard
chart trace view.

The data displayed in tables and charts derives from actual or aggregated logs (events)
and can provide a trail of events causing an asset compromise or failure.


Reports and Queries


Reports and queries offer complementary methods to summarize information about
the event sources monitored by RSA enVision.

Reports
Reports provide convenient summaries of incidents and security-related statistics for
defined time periods. Reports support incident handling, workflow process
management, and auditing needs by providing essential statistics in graphs or tables.
RSA enVision provides over 1200 standard reports that gather common network
security and traffic analysis statistics into tables and graphs. Administrators and users
with the appropriate permissions can copy and modify these reports, or create custom
reports to meet specific reporting needs. Optionally, a report can run once on a
specified day or run repeatedly at specified times.
RSA enVision can archive or delete generated reports that no longer need to be
viewed through the UI.
RSA enVision can e-mail generated reports to departments and people who need them,
such as IT, human resources, the CIO office, compliance officers, and managers.
RSA enVision provides reports for security, host, network, storage, and other devices.
RSA enVision also provides a number of report packages to satisfy compliance needs
such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and
Accountability Act (HIPAA).


An enVision report consists of a single graph or a single table. For some purposes, a
user may need more data than can be included in a single graph or table.
RSA enVision can group multiple reports together so that they run at the same time.
The following figure shows examples of a graphical report and a tabular report.

[Figure: a graphical report and a tabular report.]

Queries
Queries are similar to reports but are only run ad hoc. They generally execute faster, as
they are intended to deal with smaller amounts of data than reports. A query returns
only tabular data. Analysts might use queries in forensic analysis, for example to drill
quickly into an alert or other condition discovered in RSA enVision Event Explorer or
to audit some past event.
Queries help users and administrators retrieve and examine any data collected by
enVision. Query results can be based on IP addresses, dates and times, event message
types, and other criteria. Users can generate a query in response to an alert condition
appearing in Event Explorer.
Queries use SQL syntax to construct statements for accessing database tables for
conditions and events including:

• General traffic flows and events that were allowed

• Accesses that were denied or prevented from happening based on policy

• Status and health parameters

• URL information indicating where users have visited


Users can compose simple or complex queries:

• A simple query is a single logical statement (a single row in the Edit query table).

• A complex query consists of multiple statements (multiple rows in the Edit query
table) logically joined using AND or OR. Multiple statements can narrow a query
or extract a more accurate set of results for given criteria.

The following figure shows the Create New Query window.

[Figure: the Create New Query window, with the Edit query table, the Select device
group and Select time range controls, and the Run the query button.]
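As an added example (not enVision's own query implementation or schema), here is a small Python/sqlite3 model of the Edit query table described above: each row is one statement (field, operator, value), rows are joined with AND or OR, and the result is scoped to a device group and time range. Field and operator names are checked against an allow-list and values are bound as parameters, so a row cannot smuggle SQL into the statement; the table, its columns and the events are constructed.

```python
import sqlite3

# Constructed schema for the example; not enVision's internal tables.
ALLOWED_FIELDS = {"device", "src_ip", "dst_port", "msg_type", "url"}
ALLOWED_OPS = {"=": "= ?", "!=": "!= ?", "<": "< ?", ">": "> ?", "contains": "LIKE ?"}
CONJUNCTIONS = {"AND", "OR"}

# Constructed events: (ts, device, device_group, src_ip, dst_port, msg_type, url)
SAMPLE_EVENTS = [
    ("2024-01-01T12:00:05", "fw1", "Firewalls", "198.51.100.7", 22, "deny", None),
    ("2024-01-01T12:00:10", "fw1", "Firewalls", "10.0.0.5", 443, "allow", None),
    ("2024-01-01T12:00:20", "fw2", "Firewalls", "198.51.100.7", 3389, "deny", None),
    ("2024-01-01T13:30:00", "fw2", "Firewalls", "198.51.100.7", 22, "deny", None),
    ("2024-01-01T12:01:00", "proxy1", "WebProxies", "10.0.0.5", 80, "allow",
     "http://example.com/login"),
    ("2024-01-01T12:02:00", "proxy1", "WebProxies", "10.0.0.9", 80, "allow",
     "http://example.net/"),
]


def valid_row(row) -> bool:
    """A row is (conjunction, field, operator, value); only allow-listed names pass."""
    conj, fld, op, _ = row
    return conj in CONJUNCTIONS and fld in ALLOWED_FIELDS and op in ALLOWED_OPS


def build_query(rows, device_group, start, end):
    """Compose parameterized SQL from Edit query rows plus device group and time range.

    A single row is a simple query; several rows joined with AND/OR form a complex
    query. Returns (sql, params) for a DB-API cursor.
    """
    sql = ("SELECT ts, device, src_ip, dst_port, msg_type, url FROM events "
           "WHERE device_group = ? AND ts BETWEEN ? AND ?")
    params = [device_group, start, end]
    clauses = []
    for i, row in enumerate(rows):
        if not valid_row(row):
            raise ValueError(f"rejected query row: {row!r}")
        conj, fld, op, val = row
        clause = f"{fld} {ALLOWED_OPS[op]}"
        clauses.append(clause if i == 0 else f"{conj} {clause}")
        params.append(f"%{val}%" if op == "contains" else val)
    if clauses:
        # Rows are joined left to right; SQL gives AND precedence over OR,
        # so "a AND b OR c" is read as "(a AND b) OR c".
        sql += " AND (" + " ".join(clauses) + ")"
    return sql + " ORDER BY ts", params


def open_sample_db():
    """In-memory events table loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, device TEXT, device_group TEXT, "
                 "src_ip TEXT, dst_port INTEGER, msg_type TEXT, url TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def run_query(rows, device_group, start, end):
    """Build and execute the query; returns the matching rows in time order."""
    sql, params = build_query(rows, device_group, start, end)
    conn = open_sample_db()
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()
```

A simple query for denied accesses on the Firewalls group between 12:00 and 12:10 returns the two deny events inside that range; a URL "contains" row against the WebProxies group returns only the login visit.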


Compliance
Organizations often must comply with organizational security requirements or
regulations imposed by the state or federal government. RSA enVision helps meet
compliance needs by monitoring and reporting on the following IT criteria used to
show whether an organization is in compliance:

• Access control

• Configuration control

• Malicious software

• Policy enforcements

• User monitoring and management

• Environmental and transmissions security

RSA enVision helps organizations collect and maintain evidence of compliance in the
form of reports on mandated systems. Compliance packages are sets of report
templates that summarize the precise data needed by a regulatory body.
RSA enVision offers the following regulatory compliance packages:

• BASEL II: International Convergence of Capital Measurement and Capital Standards

• Bill 198: Ontario Securities Commission regulations

• FISMA: Federal Information Security Management Act

• GPG-13: Good Practice Guide 13

• GLBA: Gramm-Leach-Bliley Act

• HIPAA: Health Insurance Portability and Accountability Act

• ISO 27002: Best practice recommendations on information security management

• Memo 22: Protective monitoring of UK National Infrastructure Security systems

• NERC: North American Electric Reliability Council

• NISPOM: National Industrial Security Program Operating Manual

• PCI: Payment Card Industry Data Security Standard

• SOX: Sarbanes-Oxley Act

• SAS 70: Statement on Auditing Standards No. 70


Further Information and Assistance


RSA provides numerous sources of additional information and hands-on assistance
with deploying and using the RSA enVision platform.

Help Systems
The primary source of usage and administrative information about enVision is the
Help system. Both enVision and RSA enVision Event Explorer have embedded Help
systems. You can also download and view the Help separately from the products
through RSA SecurCare Online.

Locate Embedded Help


To find the Help within enVision:

Do one of the following:

• On the enVision navigation panel, select Overview > Best Practices >
Product Usage > Help to view the Help Table of Contents.

• On any enVision window, click the question mark icon to view the Help
topic that describes the current window.

The Help is displayed in a new window.


To find the Help within Event Explorer:

On any Event Explorer page, click Help to view the Help Table of Contents.
The Help is displayed in a new window.

Download Stand-Alone Help


To download the RSA enVision Help:

1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online.
(For registration information, see Accessing RSA SecurCare Online on page 37.)
2. Click Home > RSA enVision > Product Documentation >
RSA enVision Platform 4.1 Documentation > RSA enVision 4.1 Online Help.
3. On the File Download pop-up window, click Save.
4. Specify the download destination, or accept the default. Click Save.
5. Unzip the downloaded Help files.
6. In the folder containing the unzipped Help files, click nic.htm to open the Help.
The Table of Contents is displayed, with links to all the Help topics.


To download the Event Explorer Help:

1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online.
(For registration information, see Accessing RSA SecurCare Online on page 37.)
2. Click Home > RSA enVision > Product Documentation >
Event Explorer 4.1 Documentation > Event Explorer Online Help Files.
3. On the File Download pop-up window, click Save.
4. Specify the download destination, or accept the default. Click Save.
5. Unzip the downloaded Help files.
6. In the folder containing the unzipped Help files, click Event_Explorer.htm to
open the Help. (If prompted to accept ActiveX content, click Yes.)
The Table of Contents is displayed, with links to all the Help topics.

Online Resources
The RSA web site and RSA SecurCare Online, an e-support system, provide a wealth
of resources for RSA customers including technical information, solutions, and
support.

RSA Web Site


On the RSA enVision product pages on the RSA web site, www.rsa.com, you can
find:

• Descriptions of enVision, including white papers, solution summaries, data
sheets, and news releases

• A link to the RSA enVision Intelligence Community, an active online community
of enVision users, at https://rsaenvision.lithium.com/nic/user_signon

• A link to RSA SecurCare Online at https://knowledge.rsasecurity.com

• A link to a list of event sources that enVision supports at
http://rsa.com/rsasecured/results.aspx?program=116

RSA SecurCare Online


Within SecurCare Online, https://knowledge.rsasecurity.com, you can access:

• RSA enVision Service Pack Updates

• A list of supported event sources (devices) and their configuration guides

• RSA enVision Event Source Updates (including event sources, correlation rules,
and reports)

• RSA enVision VAM & Signature Updates

• Sample watchlists

• Technical Knowledge Base (product issues and resolution)

• Product documentation for enVision and Event Explorer:

  - RSA enVision Help
  - RSA enVision Release Notes
  - RSA enVision Overview Guide
  - RSA enVision Hardware Setup and Maintenance Guide
  - RSA enVision Configuration Guide
  - RSA enVision Migration Guide
  - RSA enVision Virtual Deployment Guide
  - RSA enVision Administrator's Guide
  - RSA enVision User's Guide
  - RSA enVision Backup and Recovery Guide
  - RSA enVision Security Configuration Guide
  - RSA enVision Universal Device Support Guide
  - RSA enVision Event Explorer Help
  - RSA enVision Event Explorer Release Notes
  - RSA enVision Event Explorer Installation Guide

Accessing RSA SecurCare Online


RSA SecurCare Online is available to customers who have an RSA product covered
under a maintenance contract. Register with SecurCare Online from the RSA web site
by selecting Support > RSA SecurCare Online e-support system >
Register for RSA SecurCare Online, or go to
https://knowledge.rsasecurity.com/registration.asp.


Event Source, Report, Correlation Rule, and VAM Updates


RSA is continually adding and updating event source support, reports, correlation
rules, and VAM data.
If you have an RSA maintenance contract, you will receive e-mail notification of these
updates as soon as they become available. You can then log on to SecurCare Online
and download the update packages. (The e-mail notification includes a link to
SecurCare Online. For registration information, see the previous section, Accessing
RSA SecurCare Online.)
Event Source Updates include files that enable the RSA enVision Collectors to
recognize additional event sources and to interpret their log messages. Updates also
include files that enable the Collectors to interpret log messages that event source
vendors have recently added.
Event Source Updates also contain new reports, as well as new correlation rules that
you can add to enVision and use when configuring correlated alerts.
VAM and Signature Updates enable the enVision vulnerability and asset manager to
recognize additional network assets and new vulnerabilities.


Assistance
As an RSA enVision customer, you can get hands-on assistance in the form of
technical support, training, professional services, or outsourcing to RSA partners:

Technical Support. Support is available by telephone and the RSA SecurCare
Online e-support service. For instructions and telephone numbers, see
RSA.com > Support > Contacting Support, or go to
http://rsa.com/node.aspx?id=1068.

Training. RSA offers instruction in enVision administration and operations at
customer sites and at RSA and EMC facilities worldwide. For courses available
and information on registration, see RSA.com > Services >
Training & Certification, or go to http://rsa.com/node.aspx?id=1258.

Professional Services. RSA Professional Services offers end-to-end Security
Information and Event Management (SIEM) services, including strategy
development, solution design, enVision deployment, and staff augmentation and
assistance. RSA enVision is most effective when combined with supporting
policies and procedures for incident handling. RSA Professional Services can help
customers to leverage their investment in the product by building out a security
operations program with enVision as the core technology. For more information,
see RSA.com > Services or your sales representative, or go to
http://rsa.com/node.aspx?id=1243.

RSA partners. RSA has business partners who specialize in SIEM using the
RSA enVision platform. To explore outsourcing some or all of your
organization's SIEM activities and to identify a potential source of assistance, see
RSA.com > Partners > Find a Business Partner, or go to
http://www.rsasecurity.com/partners/partnerfinder.asp.


Glossary
A-SRV
See Application Server.
ad hoc report
An unscheduled report that runs immediately.
ADB
See Asset Database.
administrator
A user responsible for setting up and maintaining the RSA enVision platform. An
administrator has access to all enVision functions.
alert
An indication that an event, or a sequence of events, requires further investigation.
The enVision platform sends alerts based on messages received under a configured set
of circumstances such as filters. The administrator defines alerts for each view.
Alert History tool
The RSA enVision tool that is used to display alerts from the events database.
Alerts module
The RSA enVision module that provides tools to monitor, display, and configure
alerts.
Analysis module
The RSA enVision module that provides tools to view, query, and analyze collected
data.
appliance
The hardware on which RSA enVision software is deployed. See single appliance site
and multiple appliance site.
Application Server (A-SRV)
The appliance or component of the RSA enVision platform that supports interactive
users and runs the suite of enVision analysis tools. In a single appliance site, the
Application Server (A-SRV) is a component of the enVision system. In a multiple
appliance site, the A-SRV is installed on its own appliance. See single appliance site
and multiple appliance site.
asset
A system, such as a host, software system, workstation, or device, that is within a
network and makes up the enterprise environment.
Asset Database (ADB)
A unified view of assets created by merging data from supported vulnerability
assessment (VA) tools and imported asset information in the asset tracking tools. The
ADB provides security managers with insight into their operations.


attribute category
A group of categories defined by the RSA enVision platform for device and asset
attributes. The nine categories are properties, location, organization, owner, physical,
function, importance, vulnerability, and zone. Users can define custom categories.
bind report
A group of reports that can be scheduled to run as a single report.
collection
The process of collecting, analyzing, and storing logs from event sources. The
RSA enVision platform stores the logs, with descriptive metadata, in the LogSmart
Internet Protocol Database (IPDB).
Collector
The appliance or component of the RSA enVision platform that captures incoming
events. In a single appliance site, the Collector is a component of the enVision system.
In a multiple appliance site, the Collector is installed on its own appliance.
Common Storage Directory (CSD)
A single directory that contains the configuration and statistical information for data
collected on a site. The Common Storage Directory (CSD) can be located on a single
appliance site, on the Database Server of a multiple appliance site, or on the Remote
Collector of a distributed system.
computer name
See node.
confidence level filtering
A filter defined by the administrator to determine if a supported intrusion detection
system (IDS) or an intrusion prevention system (IPS) can be trusted for its truthfulness
and applicability. The confidence level detects if a message from an IDS or an IPS
should be considered an alert.
Configuration database (nic.db)
A repository that stores a user's configuration settings such as user information,
permissions, and views.
correlation
A relationship between a set of events and a set of specific conditions.
D-SRV
See Database Server.
Database Server (D-SRV)
The appliance or component of the RSA enVision platform that manages access and
retrieval of captured events. In a single appliance site, the Database Server (D-SRV) is
a component of the enVision system. In a multiple appliance site, the D-SRV is
installed on its own appliance. See single appliance site and multiple appliance site.
device
See event source.
device class
Identifies the classification of the event source. A device class provides a framework
for organizing event sources by their general function.


device type (dtype)
An assigned internal name for an event source that is used by RSA enVision tools and
utilities. The dtype value is displayed on the enVision interface, reports, and queries.
EA
See Enhanced Availability.
Enhanced Availability (EA)
A site with Enhanced Availability (EA) is a multiple appliance site where the Local
Collector (LC) functionality runs on Cluster Appliances (CAs).
EPS
See events per second.
event category
System-defined or administrator-defined group of messages for alerting and reporting
that is assigned across device classes.
Event Explorer
RSA enVision module that provides advanced tools for analysis of real-time and
historical data. These tools allow users to sift through logged data and apply security
forensics.
event source
An asset such as a physical device, software, or appliance that produces a message
(log) and is configured to send the log to the RSA enVision platform. Event sources
include firewalls, VPNs, antivirus software, operating systems, security platforms,
routers, and switches.
events per second (EPS)
Events captured per second by the RSA enVision platform.
incident escalation
See task escalation.
incident management
See task triage.
IPDB
See LogSmart IPDB.
LC
See Local Collector.
Local Collector (LC)
A component of an RSA enVision multiple appliance site that captures incoming
events. A multiple appliance site can have up to three Local Collectors (LCs). See
multiple appliance site.
LogSmart IPDB
The LogSmart Internet Protocol Database (IPDB) stores internet protocol-based
information, storing each source element in a separate container. Each log data
message is identified by the IP address of the event source from which the message
originated. The LogSmart IPDB maps this IP address to the originating event source
and determines the format of the incoming message. The log message is the metadata
that describes the event.


message category
A group of messages. Message categories are hierarchical, consisting of up to five
levels: a NIC category, an alert category, and up to three levels of event category.
message variable
Defines a type of data that is extracted from message payloads. Message variables are
useful when analyzing and reporting on data.
monitored device
A supported event source that has been configured to send event messages to the
RSA enVision platform. The enVision platform collects and stores events from
monitored devices.
multiple appliance site
An RSA enVision site in which each enVision component (Application, Collector,
and Database) is on its own appliance.
NIC
The acronym used to label many essential RSA enVision components, services, and
tools.
NIC database
See Configuration database (nic.db).
NIC domain
A group of multiple appliance sites that constitute an organization's entire deployment
of the RSA enVision platform. One site acts as the NIC domain master site.
NIC message ID
A number that identifies a message. This number may or may not be the same as the
vendor message ID.
NIC System device
Generates event messages to indicate the health and activity of the RSA enVision
platform, such as disk space usage, current EPS, data retrieval statistics, and user
activity messages.
NIC_View
Allows users to monitor the health of the RSA enVision system. The NIC_View alerts
users to problems within the enVision software environment.
node
An appliance in an RSA enVision site.
output action
Configured notification method for alerts. The primary output actions are SMTP,
SNMP, SNPP, Instant Messenger, syslog, run a command, text file, and task triage.
Overview module
The RSA enVision module that provides tools to configure the enVision platform and
monitor system health and performance.
RC
See Remote Collector.


Remote Collector (RC)
An optional component of an RSA enVision multiple appliance site that captures
incoming events at a remote location. A Remote Collector (RC) runs on its own
appliance. Up to 16 RCs can be associated with a site.
Reports module
The RSA enVision module that provides tools to run standard network security and
traffic analysis reports, or create and run custom reports.
single appliance site
An RSA enVision site in which all enVision components (Application, Collector, and
Database) are on one appliance.
site
The basis on which the RSA enVision platform is deployed. Each site consists of three
main components: Application Server, Collector, and Database Server.
site name
The name of the site, defined during the configuration of the RSA enVision platform.
standard report
Reports that are supplied within the RSA enVision platform for compliance,
correlated alerts, event sources, as well as for task triage, and vulnerability and asset
management.
task escalation
A function that allows users to send tasks to an external application, such as a
ticketing system, for offline investigation.
task triage
A feature that allows users to group events into tasks for the purpose of investigation.
Tasks can be further analyzed in the RSA enVision Event Explorer module, escalated
to an external ticketing system, or both.
trace view
A set of parameters that define the information that is displayed in the form of tables
and charts. The two forms of trace views are standard and advanced trace views.
UDC
See Universal Device Collection.
Universal Device Collection (UDC)
Allows the RSA enVision platform to collect log data from any event source that logs
through SNMP, ODBC, or File Reader.
VAM
See vulnerability and asset management.
VDB
See Vulnerability Knowledge Database.
view
An administrator-defined set of event sources, messages, correlation rules, and
criteria, within a single site, for which the RSA enVision platform issues alerts.


vulnerability and asset management
A feature that provides unified management of assets and vulnerability incident
analysis.
Vulnerability Knowledge Database (VDB)
An embedded repository of vulnerability information derived from the National
Vulnerability Database (NVD).
watchlist
A named collection of strings that represent a list of like-values. A watchlist can easily
function as a filter for events in reporting and alerting.


Index
A
ADB. See Asset Database
alerts
correlated alerts, 22
correlation rules, 22
described, 21
monitoring, 23-24
real-time alerts, 21
views, 21
analysis
Event Explorer, 26-27
event traces, 26-27
examining historical data, 25-27
forensic analysis, 25-27
Application Server, 10
A-SRV. See Application Server
Asset Database, 19

C
capabilities, 9-10
certification, 39
classes, 39
Collector, 10
compliance reports, 33
components, 10-11
context-sensitive Help, 35
correlation rules
described, 22
updates, 38
Customer Support, 6, 39

D
data flow, 11
Database Server, 10
deployment assistance, 39
deployments, 11-12
documentation, 36-37
D-SRV. See Database Server

E
event collection
Collector, 10
event sources, 15
Internet Protocol Database, 17
message categories, 15-16
Event Explorer
data analysis, 26-27
described, 11
GUI, 14
Help, 35-36
interface, 14
Event Source Updates, 38
event sources
described, 15
list, 36-37
updates, 38
event storage, 17

F
forensic analysis, 25-27
functions, 9-10

G
GUI
enVision, 13
Event Explorer, 14

H
Help, 35-36
help desk, 6, 39
historical data, examining, 25-27

I
incidents, 21
interface
enVision, 13
Event Explorer, 14
Internet Protocol Database, 17
IPDB. See Internet Protocol Database

K
knowledge base, 36-37

M
messages
categories, 15-16
storage, 17

O
outsourcing security, 39

P
professional services, 39

Q
queries, 30-31

R
real-time alerts, 21
reports
compliance reports, 33
described, 29-30
updates, 38
RSA partners, 39
RSA Professional Services, 39
RSA SecurCare Online, 36-37
RSA web site, 36
rules
described, 22
updates, 38

S
SecurCare Online, 36-37
security strategy assistance, 39
sites, 11-12
support, technical, 6, 39

T
task management, 24
tasks
described, 24
managing, 24
monitoring, 25
technical support, 6, 39
training, 39

U
updates, 38

V
VAM. See Vulnerability and Asset Management
VDB. See Vulnerability Knowledge Database
views, 21
Vulnerability and Asset Management
Asset Database, 19
described, 19
IDS and IPS, 20
updates, 38
VAM & Signature Updates, 38
VAM event sources, 20
Vulnerability Knowledge Database, 20

W
web site, 36
