An Introduction to enVision Enterprise Platform for

advertisement
An Introduction to enVision
Enterprise Platform for Security and Compliance
Operations
Karol Piling
Consultant - Central & Eastern Europe
RSA The Security Division of EMC
Introducing Information-centric Security
secure enterprise data
Preserve the confidentiality and integrity
of critical data wherever it resides
secure employee access
Enable secure, anytime, anywhere access
to corporate resources
secure access
secure data
customers
secure partner access
Open internal systems to trusted partners
partners
employees
secure customer access
Offer self-service channels, prevent fraud,
and enhance consumer confidence
security information management
manage security information
Comply with security policy and regulations
RSA enVision – Market Proven Leadership
Vision
Information Management Platform for transforming event, log, asset
and other data into actionable related intelligence
Market Presence Over 800 major enterprise and government accounts
Technology
Proven Patent-pending Internet Protocol Database™ (IPDB)
All the data for compliance and security success
Partners
Network
Technology
Partners
- Cisco
- Juniper
- Nortel
- Foundry
Security
- Symantec
- ISS
- McAfee
- Check Point
- RSA
Operating System
- Microsoft
- Linux / Unix
- Sun / HP
- IBM AS400/Main
Application
- MS Exchange
- Oracle
- MS SQL
Other
- Websense
- Bluecoat
- Apache
- EMC
Over 130 device partners
Accolades
“Leader, 3rd Year in a Row”
“Only vendor with all the data”
“Excellent”
“2005 Appliance bake-off winner”
“Leader”
“Largest Market Presence”
What is enVision?
enVision is a network based technology platform that
helps you
•
•
•
•
•
See into
Understand
Protect data and assets
Report on
Store records of
what happened within the network and at its edges
What is enVision?
 800+ customers
 50% of Fortune 10
 40% of top Global Banks
 30% of top US Banks
RSA enVision
Market-Proven Leadership
Energy & Utility
Healthcare
Fortune 500
Financial Services
The Enterprise Today
Mountains of data, many stakeholders
Malicious Code Detection
Spyware detection
Real-Time Monitoring
Troubleshooting
Access Control Enforcement
Configuration Control
Privileged User Management
Lockdown enforcement
Unauthorized
Service Detection
False Positive
Reduction
IP Leakage
Web server
activity logs
User
Monitoring
Switch logs
VA Scan logs
Windows
domain
logins
Windows logs
Web cache & proxy logs
SLA Monitoring
Content management logs
IDS/IDP logs
Router logs
VPN logs
Firewall logs
Wireless
access
logs
Oracle Financial
Logs
Mainframe
logs
Linux, Unix,
Windows OS
logs
Client & file
server logs
DHCP logs
San File
Access
Logs
VLAN Access
& Control logs
Database Logs
How do you collect & protect all the data necessary to secure
your network and comply with critical regulations?
Growth of Enterprise Silos
Redundant Information Management
ACCESS
CONTROL
SOFTWARE
FINANCIAL
SOFTWARE
FIREWALLS
OPERATING
SYSTEMS
WORKSTATIONS
ANTIVIRUS
SOFTWARE
INTRUSION
PREVENTION
Solution: RSA enVision
An Information Management Platform…
Server Engineering
Business Ops.
Compliance Audit
Baseline
Asset Ident.
Log Mgmt.
Risk Mgmt.
Security Ops.
Report
Compliance Operations
Access Control
Configuration Control
Malicious Software
Policy Enforcements
User Monitoring & Management
Environmental & Transmission Security
Desktop Ops.
Network Ops.
Alert/Correlation
Security Operations
Forensics
Access Control Enforcement
SLA Compliance Monitoring
False Positive Reduction
Real-time Monitoring
Unauthorized Network Service Detection
More…
All the Data
Log Management
Any enterprise IP device – Universal Device Support (UDS)
No filtering, normalizing, or data reduction
Security events & operational information
No agents required
…For
Compliance &
Security Operations
Application & Database
Incident Mgmt.
Log Management
®
with the LogSmart Internet Protocol
Database
®
LogSmart Internet Protocol Database
Security event & operations
info. No data filtering
No agents required
Flexible XML UDS engine
Parallel architecture ensures alert
performance
Raw logs (95%+ data compression)
~70% overall compression
Easy to deploy appliance
packaging
Customizable work environments
Fully customizable compliance & security reports
RSA enVision and LogSmart IPDB
All the Data™ with Consistently High Performance
Limitations of
Relational Database
• Not designed for
unstructured data (log)
• Requires processing
(filter, normalize, parse)
• Unpredictable consumption:
Parallel analysis
collection bottleneck impacts
use of data (e.g. alerts)
• Data Loss: events are lost
due to selective collection or
system bottleneck
•Authenticated
Data Explosion:
Relational Database
indexes &
related
data structure information
Compressed
is added (can result in <10x data)
Encrypted
LogSmart IPDB
RSA Envision:
The LogSmart® IPDB™ Advantage
Data Storage Advantage
Collection Rate Advantage
(EPS)
GBs Per Day
250
10,000
9,000
200
8,000
7,000
150
6,000
5,000
100
4,000
3,000
50
2,000
1,000
0
1000 EPS
5000 EPS
10,000 EPS
Events Per Second (EPS)
RDBMS
LogSmart IPDB
0
System Performance
RDBMS
LogSmart IPDB
RSA enVision Deployment
Scales from a single appliance….
Baseline
Correlated
Alerts
Realtime
Analysis
Report
Forensics
Interactive
Query
Integrated Incident
Mgmt.
Event
Explorer
Analyze
Manage
Collect
Collect
Collect
UDS
Windows
Server
Netscreen
Firewall
Cisco
IPS
Juniper
IDP
Microsoft
ISS
RSA enVision Supported Devices
Trend Micro
Antivirus
Device
Device
Legacy
RSA enVision Deployment
…To a distributed, enterprise-wide architecture
D-SRV
A-SRV
LC
D-SRV
NAS
NAS
LC
London
European
Headquarters
Chicago
WW Security
Operations
A-SRV
D-SRV
D-SRV
Bombay
Remote Office
NAS
LC
A-SRV:
D-SRV:
LC:
RC:
Analysis Server
Data Server
Local Collector
Remote Collector
LC
New York
WW Compliance
Operations
Security and Compliance Solutions
RSA enVision
Protects the Enterprise
Internal Systems &
Applications
Secure operations of all
systems and data associated
with internal network services
and applications
eCommerce
Operations
Secure operations of all
systems and data
associated with
eCommerce operations
Perimeter Network
Operations
Securely connect the
enterprise to the Internet
and other required
corporate entities
RSA enVision
A Framework for Security Operations
Security Environment
Internal Systems
& Applications
eCommerce
Operations
Perimeter
Network
Operations
Security Objective
Access Control Enforcement
Real-time Monitoring
Privileged user monitoring
Product
Capabilities
Corporate policy conformance
Troubleshoot network & security
events
Log Management
“What is happening?”
False Positive Reduction
Correlated Threat Detection
Watchlist Enforcement
Unauthorized Network Service
Detection
SLA Compliance Monitoring
= Most critical
= Highly desired
= Desired
Confirm IDS alerts
Enable critical alert escalation
Watch remote network areas
Consolidate distributed IDS alerts
External threat exposure
Internal investigations
Shutdown rogue services
Intellectual property leakage
Proof of delivery
Monitor against baselines
Asset Identification
Baseline
Report & Audit
Alert
Forensic Analysis
Incident Management
Correlation Example – Worm Detection
Correlation Rule Name: W32.Blaster Worm
The goal of this rule is to detect Blaster worm variants as well as other
malicious code by analyzing network traffic patterns.
Vulnerability and Asset Management (VAM)
Customer objective: Leverage information about enterprise assets and known
vulnerabilities to identify false-positive IDS messages and to provide content on assets
and vulnerabilities.
•
VAM will help reduce the costs associated with incident handling by providing analysts direct
insight into the state of an asset (e.g. detected vulnerabilities) and into the details of the
identified vulnerability
Features:
•
•
•
•
Enhanced collection of asset data from vulnerability assessment tools.
•
VA tools supported at 3.5.0 are ISS and Nessus.
•
NEW VA tools supported in 3.7 : McAfee Foundscan, nCircle IP360, Qualys Inc. QualysGuard
Incorporation of vulnerability data from NVD, periodically updated.
Display of asset and vulnerability data in web UI and EE.
Suppression of IDS messages in alerting, based on confidence levels determined from attributes of assets and
vulnerabilities.
•
IDS products supported at 3.5.0 are Dragon, ISS, and Snort.
•
IDS Producst supported at 3.7 are: ISS Real Secure, Cisco IDS, McAfee Intrushield, Juniper IDP [Netscreen]
3COM/Tipping Point Unity One
Vulnerability and Asset Management (VAM)
RSA enVision
A Platform for Compliance Operations
COBIT
NIST
ISO
COSO
RSA enVision
ITIL
“Companies that choose individual solutions for each regulatory
challenge they face will spend 10 times more on compliance
projects than those that take a proactive approach.”
Lane Leskela, Gartner Research Director
RSA enVision
Transformation of Data into Actionable Intelligence
Dashboards
Over 800 reports for
regulatory compliance
& security operations
Information Lifecycle Management
(ILM)
Challenge: Explosive Growth of Security Data
Extensive Data Retention Requirements
Regulation
Data Retention
Requirements
Penalties
Fines to $5M
Sarbanes-Oxley
5 years
PCI
Corporate Policy
GLBA
6 years
Fines
Basel II
7 years
Fines
Imprisonment to 10 years
Fines
Loss of credit card privileges
6 years
HIPAA
$25,000
2 years after patient death
NERC
3 years
TBD
FISMA
3 years
Fines
NISPOM
6 months to 1 year
Fines
Source: Enterprise Strategy Group, 2006
Security Information Lifecycle Management
Up to 1 Year
Capture
Compress
The
Retention Policy
Retain
Store
lifecycle
of Security
Log inData
Secure
Nearline
Online
The Lifecycle of Security Log Data
Retire
RSA enVision ILM
Maximized Data Value at Lowest Infrastructure Cost
ILM
 User Defines Log Retention Policies
 RSA enVision Automatically Enforces Policies
Online Policy (1 Year)
Capture
Compress
Secure
Retention Policy
Store
Online
EMC Celerra
Retain
in Nearline
EMC Centera
Retire
Supported Protocols
> Syslog, Syslog NG
> SNMP
> Formatted log files
>Comma/tab/space delimited, other
> ODBC connection to remote databases
> Push/pull XML files via HTTP
> Windows event logging API
> CheckPoint OPSEC interface
> Cisco IDS POP/RDEP/SDEE
B-2
RSA enVision
Stand-alone Appliances to Distributed Solutions
300,000
30000
LS Series
EPS
10000
7500
ES Series
5000
2500
1000
# DEVICES
500
100
200
400
750
1250
1500
2048
30,000
Industry Leading Scalability
Organization
Locations
Events
Devices
Driver
MSSP
INTERNAL
30,000
Security
•Configuration Control
•Access Control Enforcement
•Privileged User Monitoring
5.6T/
Year
20,000
Compliance & Security
•Real-Time Monitoring
•False Positive Reduction
•Access Control Enforcement
38.8T/
Day
148T/
Year
28,000
Compliance
•SAS 70 Compliance
80K/
Sec
6.9B/
Day
2.5T/
Year
4,000
95K/
Sec
8.2T/
Day
2.9T/
Year
17,000
34
240K/
Sec
20B/
Day
76.8T/
Year
18
180K/
Sec
15.5B/
Day
28
450K/
Sec
4
3
Compliance & Security
•Log Management
•Monitoring Firewalls For Audits
Compliance
•Internal Audit
Network Intelligence
Compliance and Security Operations
Asset Identification
Baseline
Enterprise-wide
Log Management
Platform
All the
Data
Reports
Alerts
Forensics
Incident Management
Business
Operations
Compliance
Operations
Security
Operations
Thank you!
Vulnerability and Asset Management (VAM)
Customer objective: Leverage information about enterprise assets and known
vulnerabilities to identify false-positive IDS messages and to provide content on assets
and vulnerabilities.
•
VAM will help reduce the costs associated with incident handling by providing analysts direct
insight into the state of an asset (e.g. detected vulnerabilities) and into the details of the
identified vulnerability
Features:
•
•
•
•
Enhanced collection of asset data from vulnerability assessment tools.
•
VA tools supported at 3.5.0 are ISS and Nessus.
•
NEW VA tools supported in 3.7 : McAfee Foundscan, nCircle IP360, Qualys Inc. QualysGuard
Incorporation of vulnerability data from NVD, periodically updated.
Display of asset and vulnerability data in web UI and EE.
Suppression of IDS messages in alerting, based on confidence levels determined from attributes of assets and
vulnerabilities.
•
IDS products supported at 3.5.0 are Dragon, ISS, and Snort.
•
IDS Producst supported at 3.7 are: ISS Real Secure, Cisco IDS, McAfee Intrushield, Juniper IDP [Netscreen]
3COM/Tipping Point Unity One
Vulnerability and Asset Management (VAM)
Existing VA Scanners
•
•
Open Source Nessus
ISS SiteProtector
New VA Scanners
•
•
•
McAfee Foundscan
nCircle IP360
Qualys Inc. QualysGuard
New IDS/IPS Vulnerability Mapping
References (Cont)
Supported IDS Devices
•
•
•
•
•
•
•
Dragon IDS
Snort / Sourcefire
ISS Real Secure
Cisco IDS
McAfee Intrushield
Juniper IDP [Netscreen]
3COM/Tipping Point Unity One
New Device Additions In 3.7.0
F5BigIP
MS DHCP
MSIAS
EMC Celerra CIFS
Lotus Domino
RSA Access Manager
Aventail
Qualysguard
Foundscan
nCircle
Download