TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS
Matthew Gardiner, RSA
Steve Garrett, RSA
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.

Slide 2: Agenda
– Why RSA Security Analytics
– Key dates & financial incentives
– Planning & executing a transition

Slide 3: Why RSA Security Analytics?

Slide 4: Focused on the Challenge of Advanced Threats
Compliance as an outcome of effective security controls.
Characteristics of advanced threats: 1 Targeted; 2 Stealthy (low and slow); 3 Interactive (human involvement, specific objective).
[Attack-timeline figure: System Intrusion -> Attack Begins -> Leap Frog Attacks -> Cover-Up -> Cover-Up Complete. Dwell Time runs from the intrusion until the Attack is Identified; Response Time runs from identification onward. Goals: 1 Decrease Dwell Time; 2 Response Speed (shorten Response Time).]

Slide 5: Key Part of an Incident Response Solution (Detect/Investigate/Respond)
– RSA Archer for Security Operations: Asset Context, Incident Management, Vulnerability Risk Management, Security Operations Management
– RSA Security Analytics: the ANALYTICS layer, fed by RSA Live Intelligence (Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports and Custom Actions)
– RSA Data Discovery enabled by RSA DLP: SharePoint, File Servers, Databases, NAS/SAN
– RSA ECAT: Windows Clients/Servers, Endpoints
Slide 6: Innovating Security Monitoring to Better Address Advanced Threats
Requirements, Traditional SIEM Tools vs. RSA Security Analytics:
– Scale and performance. Traditional SIEM: difficulty scaling, performance too slow to react fast enough. RSA Security Analytics: queries that used to take hours now take minutes; 30K EPS, peak 80K+.
– Analytical firepower. Traditional SIEM: not real time, mostly a collection of rules to detect “known knowns”. RSA Security Analytics: pivot across TBs of data, real-time & long-term investigations, detects “unknown unknowns”.
– Visibility. Traditional SIEM: logs/events only, limited scope, summary activity only. RSA Security Analytics: logs/events & packets, pervasive visibility, 350+ log sources.
– Intelligence. Traditional SIEM: at best minimal intelligence, not operationalized. RSA Security Analytics: operationalized and fused with your data, retroactive queries.

Slide 7: Most Requested Enhancements for enVision, All Addressed in RSA Security Analytics
– Log Collection: 2k message restriction; credential management; event source bulk import/export
– Reporting: enhanced charting options; i18N support; support for SQL constructs and pattern matching; multiple data source support
– Correlation: enriched correlation data; customizable notification text; i18N support

Slide 8: Key dates

Slide 9: Key Dates
– In Q1 2013 RSA enVision ES/LS was released on a new hardware appliance (Dell 620s)
▪ Same hardware as RSA Security Analytics
– “60-Series” Dell 2950-based enVision ES/LS is end of support life December 31, 2013
– “60-Series” Dell 710-based enVision ES/LS has no EOSL yet
– RSA enVision 4.1 has no EOSL yet
– All current support information will continue to be updated here as it becomes available: http://www.emc.com/support/rsa/eops/siem.htm

Slide 10: Financial Incentives
Slide 11: Financial Incentives
– RSA enVision customers can acquire RSA Security Analytics for Logs using Tech Refresh pricing
▪ Basically the cost of the new hardware (appliances & storage)
▪ Only pay SA maintenance, but receive support for both; simultaneous use of enVision & SA is assumed during migration
▪ Any unused enVision maintenance can be applied to SA maintenance at the time of purchase
– RSA enVision customers can also acquire Dell 620-based enVision at Tech Refresh pricing

Slide 12: Planning & Executing a Transition to RSA Security Analytics

Slide 13: Transition Overview
– Phase 1 (Incident Detection): Install, Config, Log Ingest, Packet Ingest
– Phase 2 (Compliance): Reports, Alerts, Complex Event Processing
– Phase 3 (Business Context): Archer AIMS, ACI

Slide 14: Transition Strategy – Phase 1
Goal: Get data into the platform to enable Incident Detection
– Begin moving data into Security Analytics (logs and/or packets)
▪ Start building your team’s skills and knowledge with the product on day one
▪ Become familiar with the power and flexibility of Security Analytics’ normalized Meta Data framework
▪ Subscribe to RSA Live Threat Intelligence feeds for best-in-breed detection
– Integrate the Incident Detection capabilities of the platform with your incident response team
▪ Investigator and Reporter interact with the Concentrator to provide visibility into data on the wire in near-real time
Slide 15: Phase 1 Topology
– Multiple log ingest options: Z-Connector, Remote Log Collection, Native Message Queue, enVision 4.1 Local Collectors or ES; packets captured alongside
– Investigator interacts with the Concentrator: perform real-time, free-form contextual analysis of captured log data
– Report Engine interacts with the Concentrator: leverage out-of-the-box content for compliance use cases; live charting and dashboards
– RSA Live Intelligence feeds the platform: Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions

Slide 16: Transition Strategy – Phase 2
Goal: Import or recreate Reports and Alerts to meet Compliance Objectives
– Run the enVision Transition Tool on your enVision stack
▪ Exports various configuration elements (can be directly imported to SA as feeds)
▪ Examines enVision reports and emits per-report guidance on the SA rule syntax needed
– Create Reports in Security Analytics
▪ Leverage the near-real-time capabilities of the Concentrator for short-term reporting and dashboards
▪ Leverage the batch capabilities of the Warehouse for long-term intensive queries or for reporting over compressed data storage
– Create Alerts in Security Analytics
▪ Leverage Event Stream Analysis

Slide 17: Phase 2: Meet Compliance Objectives
[Architecture diagram, labeled TODAY / Future, with packets and logs flowing in and RSA Live Intelligence (Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions) feeding the platform.]
• MapR Hadoop powered warehouse
• Future advanced analytics capabilities
• Archiving storage (lower cost)
• Indexing and compression (via separate archiver)
• Correlation & Event Stream Analysis
• Lucene (text search)
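The Transition Tool step in Phase 2 above exports enVision configuration elements as feeds that Security Analytics imports, and the deck later notes that the tool also converts numeric items such as device type codes to names. The Python below is an added example written for this page, not RSA's tool or its file format. It takes a constructed enVision-style watchlist, converts the numeric device type (dtype 186 = Microsoft ACS is the only code the deck gives, so every other code is left visibly unresolved instead of guessed), validates and dedupes the IP index column, writes a feed CSV in an index-column-plus-meta-columns layout, and shows how an event whose ip.src matches would be tagged. The meta key names asset.criticality, asset.bu and device.type, the "#" header line, and the sample rows are assumptions made for the example.

```python
import csv
import io
import ipaddress

# Constructed enVision-style watchlist rows: (ip, dtype, criticality, business unit).
# Not real data. The unparseable IP and the duplicate (with stray whitespace)
# are included on purpose to show what a conversion has to catch.
ENVISION_WATCHLIST = [
    ("10.1.2.3", 186, "High", "Finance"),
    ("10.1.2.4", 186, "Low", "Lab"),
    ("not-an-ip", 186, "High", "Finance"),
    ("10.1.2.3 ", 186, "High", "Finance"),
]

# The deck states exactly one code, dtype 186 = Microsoft ACS. Any other code
# is emitted as an explicit "unknown" marker rather than an invented name.
DTYPE_NAMES = {186: "Microsoft ACS"}

# Assumed Security Analytics meta keys for the value columns; a real feed uses
# whatever keys its feed definition declares.
META_KEYS = ("asset.criticality", "asset.bu", "device.type")


def dtype_name(code):
    """Map an enVision numeric device type to its name, flagging unknown codes."""
    return DTYPE_NAMES.get(code, f"unknown-dtype-{code}")


def build_feed_rows(watchlist):
    """Validate, normalise and dedupe watchlist entries.

    Returns (rows, rejected): rows are (ip, criticality, bu, device_type) tuples
    keyed on the canonical IP text; rejected lists entries whose IP did not parse.
    """
    rows, rejected, seen = [], [], set()
    for ip, dtype, crit, bu in watchlist:
        try:
            key = str(ipaddress.ip_address(ip.strip()))
        except ValueError:
            rejected.append(ip)
            continue
        if key in seen:  # the same asset twice would double-tag every event
            continue
        seen.add(key)
        rows.append((key, crit, bu, dtype_name(dtype)))
    return rows, rejected


def to_feed_csv(rows):
    """Write the feed: column 1 is the indexed IP, the rest are meta values.

    The '#' header naming the index and value keys is this example's convention.
    """
    buf = io.StringIO()
    buf.write("# index=ip.src values=" + ",".join(META_KEYS) + "\n")
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def load_feed(csv_text):
    """Read the CSV back into an {ip: {meta key: value}} lookup table."""
    data_lines = [ln for ln in csv_text.splitlines() if ln and not ln.startswith("#")]
    return {fields[0]: dict(zip(META_KEYS, fields[1:])) for fields in csv.reader(data_lines)}


def enrich(event, feed):
    """Return a copy of the event tagged with asset meta when ip.src is in the feed."""
    tagged = dict(event)
    tagged.update(feed.get(event.get("ip.src"), {}))
    return tagged


if __name__ == "__main__":
    rows, rejected = build_feed_rows(ENVISION_WATCHLIST)
    feed_csv = to_feed_csv(rows)
    print(feed_csv)
    print("rejected:", rejected)
    feed = load_feed(feed_csv)
    print(enrich({"ip.src": "10.1.2.3", "event.desc": "Logon failure"}, feed))
```

Keeping the rejected list rather than silently dropping bad rows matters during a migration: a watchlist entry that fails to import is a detection gap you want to notice before enVision is switched off.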
Slide 18: ...to SA 10.x with SAW (Security Analytics Warehouse)
[Data-flow diagram: Tap/Span/Log Feed -> capture, process & store (Decoder) -> index & direct query of sessions and logs (Concentrator, META) -> Warehouse nodes W Node 1, W Node 2, W Node 3 -> Security Analytics appliance (Data Analytics).]
1. Raw data (logs only) sent from Decoder
2. Meta data (packets & logs) sent from Concentrator
3. Query from SA (HiveQL), distributed across the Warehouse nodes

Slide 19: Analytics Warehouse Reporting
[Chart: Analytics Warehouse reporting performance.] *** Preliminary lab results, with one simple rule and unconstrained I/O

Slide 20: Analytic Concepts
– Batch Analytics: “Need to conduct long term analysis and discover patterns and trends therein.” Compute intense, long-term visibility; Incident Response; Advanced Threat Analysis; Machine Learning
– Stream Analytics: “Give me the speed and smarts to discover and investigate potential threats in near real time.” Real-time, short-term visibility; SOC Operations; Rapid Decision Making

Slide 21: Transition Strategy – Phase 3
Goal: Integrate Security Analytics with your Ecosystem
– Archer integration options: Incident Management; Asset information
– ECAT

Slide 22: Asset Context
RSA Archer SOM combines asset intelligence (IT info) and business context from CMDBs, DLP scans, etc. and supplies it to RSA Security Analytics. Attributes include: IP address, IP/MAC address, asset list, device type, device IDs, criticality rating, business unit, facility, device owner, business owner, content (DLP), process category, RPO / RTO.
Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.

Slide 23: Asset Information in Security Analytics
• Helps the analyst better understand risk
• To prioritize investigation & response
• Asset criticality represented as metadata
Slide 24: Incident Management for Security
– RSA Security Analytics: capture & analyze NW packets, logs & threat feeds; alerts based on rules
– RSA Archer: group alerts; manage workflows; provide visibility to business & security users

Slide 25: Seamless Investigations with RSA ECAT and RSA Security Analytics
– RSA ECAT: identify suspicious network traffic on the host; directly query RSA SA for detailed network analysis
– RSA Security Analytics: complete network and host visibility
– Faster investigations to shorten attacker dwell time

Slide 26: Converting from enVision ES
enVision ES models: ES-560, ES-1060, ES-1260, ES-2560, ES-3060, ES-5060, ES-7560
– enVision ES box -> SA All-in-One Appliance
– enVision ES box -> SA All-in-One Appliance + SA Direct Attached Capacity (optional)
– enVision ES box + enVision Direct Attached Storage -> SA All-in-One Appliance + SA Direct Attached Capacity

Slide 27: Converting from a small enVision LS
– Before: A-SRV, D-SRV, LC05, RC01
– After: Analytics Server; Hybrid (replacing LC05) with High Density DAC, up to 10k EPS; Security Analytics Warehouse nodes as needed (a 3 node cluster holds 6k average EPS for 2 years)

Slide 28: Converting from a large enVision LS
– Before: A-SRV, D-SRV, RC01, RC02, LC05, LC10
– After: Analytics Server; Broker; Decoder; Concentrator with High Density DAC; Concentrator with DAC; up to 30k EPS; Security Analytics Warehouse nodes as needed (a 3 node cluster holds 6k average EPS for 2 years)
Slide 29: Transition Tools
Tools to minimize transition time.
– Collects
▪ Reports for creation in SA
▪ Watchlists for creation in SA
▪ Collection configuration information from the enVision configuration database
▪ Device groups
▪ Managed monitored devices (“meta”)
– Converts
▪ Fields in enVision reports to the corresponding SA meta
▪ Numerical items in enVision reports to the corresponding names, e.g. dtype 186 = Microsoft ACS
▪ Export in CSV format for import into SA

Slide 30: Conclusion & Next Steps
– Migration is something you can start now
▪ But enVision 4.1 remains supported
▪ Parallel operation with RSA Security Analytics is often ideal
– Work with your RSA account team/partner/professional services to come up with a plan for you
– Keep track of RSA enVision key support dates here: http://www.emc.com/support/rsa/eops/siem.htm

Slide 31: Thank you.