TRANSITIONING FROM
RSA ENVISION -> RSA
SECURITY ANALYTICS
Matthew Gardiner, RSA
Steve Garrett, RSA
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
#SASummit
1
 Why RSA Security Analytics
 Key dates & financial incentives
 Planning & executing a transition
Agenda
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
2
Why RSA Security Analytics?
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
3
Focused on the Challenge of Advanced Threats
Compliance as an outcome of effective security controls
1TARGETED 2 STEALTHY 3INTERACTIVE
LOW AND SLOW
SPECIFIC OBJECTIVE
System
Intrusion
Attack
Begins
TIME
Cover-Up Discovery
Leap Frog Attacks
HUMAN INVOLVEMENT
Cover-Up
Complete
Dwell Time
Response Time
Attack Identified
1
Decrease
Dwell Time
2
© Copyright 2013 EMC Corporation. All rights reserved.
Response
Speed
Response Time
#SASummit
4
Key Part of an Incident Response Solution
Detect/Investigate/Respond
Asset
Context
Incident
Vulnerability Risk
Security
Management
Management
Operations
Management
SharePoint
RSA Archer
for Security
Operations
File
Servers
RSA Security Analytics
Databases
RSA Data
Discovery
Enabled by
RSA DLP
ANALYTICS
Windows
Clients/Servers
RSA
ECAT
NAS/SAN
Endpoints
#SASummit
RSA Live Intelligence
Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions
© Copyright 2013 EMC Corporation. All rights reserved.
5
Innovating Security Monitoring to Better
Address Advanced Threats
Requirements
Traditional
SIEM Tools
RSA
Security
Analytics
Scale and
performance
Difficulty scaling,
performance too slow to
react fast enough
Queries that used to take
hours now taking minutes 30K EPS, peak 80K+
Analytical
firepower
Not real time, mostly a
collection of rules to detect
“known knowns”
Pivot across TBs of data,
real-time & long term
investigations, detects
“unknown unknowns”
Visibility
Logs/Events Only, Limited
Scope, Summary activity
only
Logs/Events & Packets,
pervasive visibility, 350+
log sources
Intelligence
At best minimal
intelligence, not
operationalized
Operationalized and
fused with your data,
retroactive queries
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
6
Most Requested Enhancements for enVision
All Addressed in RSA Security Analytics
Log Collection
2k Message
Restriction
Credential
Management
Event Source Bulk
Import\Export
Reporting
Enhanced Charting
Options
Correlation
Enriched
Correlation Data
i18N Support
Support for SQL
Constructs and
Pattern Matching
Multiple Data
Source Support
Customizable
Notification Text
i18N Support
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
7
Key dates
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
8
Key Dates
 In Q1 2013 RSA enVision ES/LS was released on new
hardware appliance (Dell 620s)
– Same hardware as RSA Security Analytics
 “60-Series” Dell 2950-based enVision ES/LS is end of
support life December 31, 2013
 “60-Series” Dell 710-based enVision ES/LS has no
EOSL yet
 RSA enVision 4.1 has no EOSL yet
 All current support information will continue to be
updated here as it becomes available:
– http://www.emc.com/support/rsa/eops/siem.htm
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
9
Financial Incentives
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
10
Financial Incentives
 RSA enVision customers can acquire RSA Security
Analytics for Logs using Tech Refresh pricing
– Basically is the cost of the new hardware (appliances &
storage)
– Only pay SA maintenance, but receive support for both
▪ Simultaneous use of enVision & SA is assumed during
migration
– Any unused enVision maintenance can be applied to SA
maintenance at the time of purchase
 RSA enVision customers can also acquire Dell 620based enVision at Tech Refresh pricing
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
11
Planning & Executing a
Transition to RSA
Security Analytics
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
12
Transition Overview
Phase 1
Install
Config
Log
Ingest
Packet
Ingest
Incident
Detection
Compliance
Business
Context
Phase 2
Reports
Alerts
Complex
Event
Processing
Phase 3
Archer
AIMS
ACI
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
13
Transition Strategy – Phase 1
Goal: Get data into the platform to enable Incident Detection
 Begin moving data into Security Analytics (logs
Packets
and/or packets)
– Start building your team’s skills and knowledge with the Product
on day one
– Become familiar with the power and flexibility of Security
Analytic’s normalized Meta Data framework
– Subscribe to RSA Live Threat Intelligence feeds for best-in-breed
detection
 Integrate the Incident Detection capabilities of the
platform with your incident response team
– Investigator and Reporter will interact with the Concentrator to
provide visibility into data on the wire in near-real time
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
14
Z-Connector
Remote Log
Collection
Native
Message
Queue
Phase 1 Topology
 Multiple Log Ingest
Options
 InvestigatorPackets
interacts
with the Concentrator
– Perform real time, free form
contextual analysis of
captured log data
 Report Engine interacts
with the Concentrator
– Leverage out of the box
content for Compliance use
cases
– Live Charting and
Dashboards
enVision 4.1
Local Collectors
or ES
RSA LIVE
INTELLIGENCE
#SASummit
Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions
© Copyright 2013 EMC Corporation. All rights reserved.
15
Transition Strategy – Phase 2
Goal: Import or Recreate Reports and Alerts to meet Compliance
Objectives
Packets
 Run the enVision Transition Tool on your
enVision stack
– Exports various configuration elements (can be directly imported to SA as
feeds)
– Examines enVision reports and emits per report guidance on SA rule syntax
needed
 Create Reports in Security Analytics
– Leverage the near-real time capabilities of the Concentrator for short term Reporting
and Dashboards
– Leverage the batch capabilities of Warehouse for long term intensive queries or for
reporting over compressed data storage
 Create Alerts in Security Analytics
– Leverage Event Stream Analysis
© Copyright 2013 EMC Corporation. All rights reserved.
#SASummit
16
Phase 2: Meet Compliance Objectives
TODAY
Future
Packets
 MapR Hadoop
powered warehouse
 Archiving storage
 Correlation & ESA
 Lucene (text
search)
RSA LIVE
INTELLIGENCE
• MapR Hadoop
powered
warehouse
• Future advanced
analytics
capabilities
• Archiving storage
(lower cost)
• Indexing and
compression (via
separate archiver)
• Correlation &
Event Stream
Analysis
• Lucene (text
search)
#SASummit
Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions
© Copyright 2013 EMC Corporation. All rights reserved.
17
......to SA 10.x with SAW
Tap/Span/Log Feed
Capture,
process & store
1
W
Node 1
W
Node 2
W
Node 3
META
2
Index & direct
query
(Session and
Logs)
SECURITY ANALYTICS APPLIANCE
1. Raw Data (logs only)
sent from Decoder
2. Meta Data (packets &
logs) sent from
Concentrator
3. Query from SA (HiveQL)
Distributed query
3
© Copyright 2013 EMC Corporation. All rights reserved.
Data Analytics
#SASummit
18
Analytics Warehouse Reporting
#SASummit
*** Preliminary lab results, with one simple rule and unconstrained I/O
© Copyright 2013 EMC Corporation. All rights reserved.
19
Analytic Concepts
Batch Analytics
Stream Analytics
“Need to conduct long term
analysis and discover patterns
and trends therein”
“Give me the speed and
smarts to discover and
investigate potential threats
in near real time”
Compute Intense, long-term
visibility
Incident Response
Advanced Threat Analysis
Machine Learning
Real-time, short-term
visibility
SOC Operations
Rapid Decision Making
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
20
Transition Strategy – Phase 3
Goal: Integrate Security Analytics with your Ecosystem
 Archer Integration Options
Packets
– Incident Management
– Asset information
 ECAT
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
21
Asset Context
Asset Intelligence
IT Info
Biz Context
RSA Archer
SOM




IP Address
Criticality Rating
Business Unit
Facility
Asset List
Device Owner
Device Type
Business Owner
Device IDs
Business Unit
Content
(DLP)
Criticality
Rating
Process
Category
RPO / RTO
IP/MAC Add
CMDBs, DLP scans, etc.
RSA Security
Analytics
Security analysts
now have asset
intelligence and
business context to
better analyze and
prioritize alerts.
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
22
Asset Information in Security Analytics
• Helps analyst
better understand
risk
• To prioritize
investigation &
response
• Asset criticality
represented as
metadata
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
23
Incident Management for Security
Business &
Security Users
RSA Archer
RSA Security Analytics
Capture & Analyze – NW Packets, Logs &
Threat Feeds
Alerts Based
on Rules
Group
Alerts
Manage
Workflows
Provide
Visibility
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
24
Seamless Investigations with RSA ECAT
and RSA Security Analytics
RSA Security Analytics
 Complete network
and host visibility
 Directly query RSA
SA for detailed
network analysis
 Faster investigations
to shorten attacker
dwell time
RSA ECAT
Identify
suspicious
network traffic
on host
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
25
Converting from enVision ES
ES-560
ES-1060
ES-1260
ES-2560
ES-3060
ES-5060
ES-7560
enVision ES
box
enVision ES
box
SA All-in-One
Appliance
SA All-in-One
Appliance
SA Direct
Attached
Capacity
(optional)
enVision ES
box
SA All-in-One
Appliance
enVision Direct
Attached
Storage
SA Direct
Attached
Capacity
© Copyright 2013 EMC Corporation. All rights reserved.
#SASummit
26
Converting from a small enVision LS
Before
After
A-SRV
Analytics
Server
D-SRV
LC05
Hybrid
LC05
High
Density
DAC
Up to 10k EPS
Security
Analytics
Warehouse
Nodes
As needed
3 node cluster
holds
6k average EPS for
2 years
RC01
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
27
Converting from a large enVision LS
Before
A-SRV
D-SRV
RC01
After
Analytics
Server
Broker
Decoder
Concentrat
High
Density
DAC
Concentrat
or DAC
Up to 30k EPS
RC02
LC05
LC10
+
Security
Analytics
Warehouse
Nodes
As needed
3 node cluster
holds
6k average EPS for
2 years
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
28
Transition Tools
Tools to minimize transition time
 Collects
– Reports for creation in SA
– Watchlists for creation in SA
– Collection configuration information from enVision configuration
database
– Device groups
– Manage monitored devices “meta”
 Converts
– Fields in enVision reports to corresponding SA meta
– Numerical items in enVision reports to corresponding names
▪ i.e. dtype 186 = Microsoft ACS.
– Export in CSV format for Import into SA
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
29
Conclusion & Next Steps
 Migration is something you can start now
– But enVision 4.1 remains supported
– Parallel operation with RSA Security Analytics is often ideal
 Work with your RSA account
team/partner/professional services to come up with
a plan for you
 Keep track of RSA enVision key support dates here:
– http://www.emc.com/support/rsa/eops/siem.htm
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.
30
#SASummit
Thank you.