An Introduction to enVision
Enterprise Platform for Security and Compliance Operations
Karol Piling, Consultant - Central & Eastern Europe
RSA, The Security Division of EMC

Introducing Information-centric Security
• Secure enterprise data: preserve the confidentiality and integrity of critical data wherever it resides
• Secure employee access: enable secure, anytime, anywhere access to corporate resources
• Secure partner access: open internal systems to trusted partners
• Secure customer access: offer self-service channels, prevent fraud, and enhance consumer confidence
• Manage security information: comply with security policy and regulations
(Diagram: secure access and secure data for customers, partners and employees, with security information management in the centre)

RSA enVision - Market Proven Leadership
• Vision: information management platform for transforming event, log, asset and other data into actionable related intelligence
• Market presence: over 800 major enterprise and government accounts
• Technology proven: patent-pending Internet Protocol Database (IPDB); all the data for compliance and security success
• Partners: over 130 device partners
  - Network technology partners: Cisco, Juniper, Nortel, Foundry
  - Security: Symantec, ISS, McAfee, Check Point, RSA
  - Operating system: Microsoft, Linux / Unix, Sun / HP, IBM AS400/Main
  - Application: MS Exchange, Oracle, MS SQL
  - Other: Websense, Bluecoat, Apache, EMC
• Accolades: "Leader, 3rd Year in a Row", "Only vendor with all the data", "Excellent", "2005 Appliance bake-off winner", "Leader", "Largest Market Presence"

What is enVision?
enVision is a network-based technology platform that helps you:
• See into
• Understand
• Protect data and assets
• Report on
• Store records of
what happened within the network and at its edges.
RSA enVision Market-Proven Leadership
• 800+ customers
• 50% of Fortune 10
• 40% of top Global Banks
• 30% of top US Banks
Sectors: Energy & Utility, Healthcare, Fortune 500, Financial Services

The Enterprise Today: Mountains of data, many stakeholders
Use cases: Malicious Code Detection, Spyware detection, Real-Time Monitoring, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring, SLA Monitoring
Data sources: Web server activity logs, Switch logs, VA Scan logs, Windows domain logins, Windows logs, Web cache & proxy logs, Content management logs, IDS/IDP logs, Router logs, VPN logs, Firewall logs, Wireless access logs, Oracle Financial logs, Mainframe logs, Linux, Unix, Windows OS logs, Client & file server logs, DHCP logs, SAN File Access logs, VLAN Access & Control logs, Database logs
How do you collect & protect all the data necessary to secure your network and comply with critical regulations?

Growth of Enterprise Silos: Redundant Information Management
Separate silos for access control software, financial software, firewalls, operating systems, workstations, antivirus software and intrusion prevention

Solution: RSA enVision - An Information Management Platform... for Compliance & Security Operations
Stakeholders: Server Engineering, Business Ops., Compliance Audit, Desktop Ops., Network Ops., Security Ops., Application & Database, Risk Mgmt.
Platform functions: Baseline, Asset Ident., Log Mgmt., Report, Alert/Correlation, Forensics, Incident Mgmt.
Compliance Operations: Access Control, Configuration Control, Malicious Software, Policy Enforcements, User Monitoring & Management, Environmental & Transmission Security
Security Operations: Access Control Enforcement, SLA Compliance Monitoring, False Positive Reduction, Real-time Monitoring, Unauthorized Network Service Detection, more...
All the Data - Log Management:
• Any enterprise IP device - Universal Device Support (UDS)
• No filtering, normalizing, or data reduction
• Security events & operational information
• No agents required
Log Management with the LogSmart Internet Protocol Database (IPDB)
• Security event & operations info.
• No data filtering
• No agents required
• Flexible XML UDS engine
• Parallel architecture ensures alert performance
• Raw logs (95%+ data compression); ~70% overall compression
• Easy to deploy appliance packaging
• Customizable work environments
• Fully customizable compliance & security reports

RSA enVision and LogSmart IPDB: All the Data with Consistently High Performance
Limitations of a relational database:
• Not designed for unstructured data (logs)
• Requires processing (filter, normalize, parse)
• Unpredictable consumption: collection bottleneck impacts use of data (e.g. alerts)
• Data loss: events are lost due to selective collection or system bottleneck
• Data explosion: relational database indexes & related data structure information is added (can result in <10x data)
LogSmart IPDB: parallel analysis; data is authenticated, compressed and encrypted

RSA enVision: The LogSmart IPDB Advantage
(Charts: Data Storage Advantage - GBs per day at 1,000, 5,000 and 10,000 events per second (EPS), RDBMS vs. LogSmart IPDB; Collection Rate Advantage - EPS against system performance, RDBMS vs. LogSmart IPDB)

RSA enVision Deployment: scales from a single appliance...
Analyze: Baseline, Correlated Alerts, Realtime Analysis, Report, Forensics, Interactive Query, Integrated Incident Mgmt.
Analyze (cont.): Event Explorer
Manage
Collect (UDS): Windows Server, Netscreen Firewall, Cisco IPS, Juniper IDP, Microsoft ISS, Trend Micro Antivirus, legacy devices (RSA enVision supported devices)

RSA enVision Deployment: ...to a distributed, enterprise-wide architecture
Sites: London (European Headquarters), Chicago (WW Security Operations), New York (WW Compliance Operations), Bombay (Remote Office)
Components: A-SRV = Analysis Server, D-SRV = Data Server, LC = Local Collector, RC = Remote Collector, NAS = network-attached storage at each site

Security and Compliance Solutions: RSA enVision Protects the Enterprise
• Internal Systems & Applications: secure operations of all systems and data associated with internal network services and applications
• eCommerce Operations: secure operations of all systems and data associated with eCommerce operations
• Perimeter Network Operations: securely connect the enterprise to the Internet and other required corporate entities

RSA enVision: A Framework for Security Operations
Security objectives are mapped across the three environments (Internal Systems & Applications, eCommerce Operations, Perimeter Network Operations) and rated as Most critical, Highly desired or Desired:
• Access Control Enforcement
• Real-time Monitoring
• False Positive Reduction
• Correlated Threat Detection
• Watchlist Enforcement
• Unauthorized Network Service Detection
• SLA Compliance Monitoring
Use cases under these objectives: privileged user monitoring; corporate policy conformance; troubleshoot network & security events ("What is happening?"); confirm IDS alerts; enable critical alert escalation; watch remote network areas; consolidate distributed IDS alerts; external threat exposure; internal investigations; shutdown rogue services; intellectual property leakage; proof of delivery; monitor against baselines
Product capabilities: Log Management, Asset Identification, Baseline, Report & Audit, Alert, Forensic Analysis, Incident Management

Correlation Example - Worm Detection
Correlation rule name: W32.Blaster Worm
The goal of this rule is to detect Blaster worm variants as well as other malicious code by analyzing network traffic patterns.

Vulnerability and Asset Management (VAM)
Customer objective: leverage information about enterprise assets and known vulnerabilities to identify false-positive IDS messages and to provide context on assets and vulnerabilities.
• VAM will help reduce the costs associated with incident handling by providing analysts direct insight into the state of an asset (e.g. detected vulnerabilities) and into the details of the identified vulnerability
Features:
• Enhanced collection of asset data from vulnerability assessment tools
  • VA tools supported at 3.5.0 are ISS and Nessus
  • New VA tools supported in 3.7: McAfee Foundscan, nCircle IP360, Qualys Inc. QualysGuard
• Incorporation of vulnerability data from NVD, periodically updated
• Display of asset and vulnerability data in web UI and EE
• Suppression of IDS messages in alerting, based on confidence levels determined from attributes of assets and vulnerabilities
  • IDS products supported at 3.5.0 are Dragon, ISS, and Snort
  • IDS products supported at 3.7 are: ISS Real Secure, Cisco IDS, McAfee Intrushield, Juniper IDP [Netscreen], 3COM/Tipping Point Unity One

RSA enVision: A Platform for Compliance Operations
Frameworks: COBIT, NIST, ISO, COSO, ITIL
"Companies that choose individual solutions for each regulatory challenge they face will spend 10 times more on compliance projects than those that take a proactive approach." - Lane Leskela, Gartner Research Director

RSA enVision: Transformation of Data into Actionable Intelligence
Dashboards; over 800 reports for regulatory compliance & security operations

Information Lifecycle Management (ILM)
Challenge: explosive growth of security data and extensive data retention requirements

Regulation - Data retention requirement - Penalties (Source: Enterprise Strategy Group, 2006)
• Sarbanes-Oxley - 5 years - Fines to $5M; imprisonment to 10 years
• PCI - Corporate policy - Fines; loss of credit card privileges
• GLBA - 6 years - Fines
• Basel II - 7 years - Fines
• HIPAA - 6 years (2 years after patient death) - $25,000
• NERC - 3 years - TBD
• FISMA - 3 years - Fines
• NISPOM - 6 months to 1 year - Fines

Security Information Lifecycle Management: The Lifecycle of Security Log Data
Capture -> Compress -> Secure -> Store (online, up to 1 year) -> Retain (nearline) -> Retire, governed by the retention policy

RSA enVision ILM: Maximized Data Value at Lowest Infrastructure Cost
The user defines log retention policies; RSA enVision automatically enforces them:
• Online policy (1 year): Capture, Compress, Secure, Store Online (EMC Celerra)
• Retention policy: Retain in Nearline (EMC Centera), then Retire

Supported Protocols
> Syslog, Syslog NG
> SNMP
> Formatted log files
> Comma/tab/space delimited, other
> ODBC connection to remote databases
> Push/pull XML files via HTTP
> Windows event logging API
> CheckPoint OPSEC interface
> Cisco IDS POP/RDEP/SDEE

RSA enVision: Stand-alone Appliances to Distributed Solutions
(Chart: events per second (EPS) against number of devices for the ES Series and LS Series appliances)
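The VAM feature above suppresses IDS messages "based on confidence levels determined from attributes of assets and vulnerabilities". The following is an added illustration of that idea, not RSA code and not how enVision computes its confidence levels: it cross-checks each IDS alert against a constructed asset inventory (OS, listening services, vulnerabilities reported by a VA scanner) and a constructed vulnerability table, assigns a confidence score with a reason, and only raises alerts above a threshold. All hosts, signature names and vulnerability ids are placeholders.

```python
"""Vulnerability-aware IDS alert triage (constructed example, not enVision's algorithm)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    ip: str
    os: str            # OS family reported by the VA scanner
    services: Set[int]  # listening TCP ports found by the scan
    vulns: Set[str]     # vulnerability ids the scanner confirmed on this host


@dataclass
class Vulnerability:
    vuln_id: str
    affected_os: Set[str]  # OS families the vulnerability applies to (NVD-style data)


@dataclass
class Alert:
    alert_id: str
    src: str
    dst: str
    dst_port: int
    signature: str
    vuln_id: Optional[str]  # vulnerability the signature references, if any


def confidence(alert: Alert, assets: Dict[str, Asset],
               vulns: Dict[str, Vulnerability]) -> Tuple[float, str]:
    """Score 0.0 (certainly false positive) .. 1.0 (confirmed exposure), with a reason."""
    asset = assets.get(alert.dst)
    if asset is None:
        return 0.5, "target not in asset inventory; cannot confirm or refute"
    if alert.vuln_id is None:
        return 0.5, "signature carries no vulnerability reference"
    if alert.vuln_id in asset.vulns:
        return 1.0, "VA scan confirms the target is vulnerable to the referenced vulnerability"
    vuln = vulns.get(alert.vuln_id)
    if vuln is not None and asset.os not in vuln.affected_os:
        return 0.0, f"target OS {asset.os} is not affected by {alert.vuln_id}"
    if alert.dst_port not in asset.services:
        return 0.1, f"target has no service listening on port {alert.dst_port}"
    return 0.6, "service present; vulnerability not confirmed by scan"


def triage(alerts: List[Alert], assets: Dict[str, Asset],
           vulns: Dict[str, Vulnerability], threshold: float = 0.3) -> Dict[str, Tuple[str, float, str]]:
    """Map alert_id -> (decision, score, reason). Suppressed alerts stay in the log; only alerting changes."""
    result = {}
    for a in alerts:
        score, reason = confidence(a, assets, vulns)
        decision = "raise" if score >= threshold else "suppress"
        result[a.alert_id] = (decision, score, reason)
    return result


def run_example() -> Dict[str, Tuple[str, float, str]]:
    # Constructed inventory: three hosts with scanner-reported attributes.
    assets = {
        "10.0.0.5": Asset("10.0.0.5", "windows", {80, 135, 445}, {"VULN-EXAMPLE-0001"}),
        "10.0.0.6": Asset("10.0.0.6", "linux", {22, 80}, set()),
        "10.0.0.7": Asset("10.0.0.7", "windows", {443}, set()),
    }
    # Constructed vulnerability table (placeholder ids, not real CVE entries).
    vulns = {
        "VULN-EXAMPLE-0001": Vulnerability("VULN-EXAMPLE-0001", {"windows"}),
        "VULN-EXAMPLE-0002": Vulnerability("VULN-EXAMPLE-0002", {"windows"}),
    }
    # Constructed IDS alerts, all from one external source.
    alerts = [
        Alert("a1", "198.51.100.9", "10.0.0.5", 135, "SIG-EXAMPLE-RPC", "VULN-EXAMPLE-0001"),
        Alert("a2", "198.51.100.9", "10.0.0.6", 135, "SIG-EXAMPLE-RPC", "VULN-EXAMPLE-0001"),
        Alert("a3", "198.51.100.9", "10.0.0.7", 135, "SIG-EXAMPLE-RPC", "VULN-EXAMPLE-0002"),
        Alert("a4", "198.51.100.9", "10.0.0.5", 445, "SIG-EXAMPLE-SMB", "VULN-EXAMPLE-0002"),
        Alert("a5", "198.51.100.9", "10.0.0.5", 80, "SIG-EXAMPLE-WEB", None),
        Alert("a6", "198.51.100.9", "10.0.0.99", 80, "SIG-EXAMPLE-WEB", "VULN-EXAMPLE-0002"),
    ]
    return triage(alerts, assets, vulns)


if __name__ == "__main__":
    for alert_id, (decision, score, reason) in run_example().items():
        print(f"{alert_id}: {decision} ({score:.1f}) - {reason}")
```

The important design point is that an unknown asset or an unreferenced signature never produces a suppression: the score falls back to 0.5, so gaps in the inventory make the analyst see more, not less. Only positive evidence (wrong OS family, no listening service) lowers confidence below the threshold.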
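The ILM slides describe a lifecycle (capture, compress, secure, store online for up to a year, retain nearline for the regulatory period, retire) that enVision enforces from user-defined policies. As an added example that is not RSA's implementation, the script below models such a policy engine: it compresses a captured batch, records an integrity digest (the "secure" step), and then assigns each batch to the online, nearline or retire tier based on its age, the slide's one-year online window and the longest retention period among the regulations the customer selects. The retention years are copied from the deck's table; the log lines, batch names and the quarantine behaviour for a batch whose digest no longer matches are constructed assumptions.

```python
"""Log retention policy enforcement (constructed example, not enVision's ILM code)."""
import hashlib
import zlib
from datetime import date
from typing import Dict, List, Tuple

# Retention requirements from the deck's table (Enterprise Strategy Group, 2006).
# PCI ("corporate policy") and NISPOM (6 months to 1 year) are omitted here because
# they do not reduce to a single year count; add them as policy values if needed.
RETENTION_YEARS = {
    "Sarbanes-Oxley": 5,
    "GLBA": 6,
    "Basel II": 7,
    "HIPAA": 6,
    "NERC": 3,
    "FISMA": 3,
}

ONLINE_DAYS = 365  # "Online policy (1 year)" from the slide


def applicable_retention_days(regulations: List[str]) -> int:
    """Longest retention period among the selected regulations (assumption: 365-day years)."""
    return max(RETENTION_YEARS[r] for r in regulations) * 365


def capture(raw_lines: List[str]) -> dict:
    """Capture + compress + secure: keep the raw bytes compressed and record a SHA-256 digest."""
    blob = "\n".join(raw_lines).encode("utf-8")
    return {
        "data": zlib.compress(blob, 9),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "size_raw": len(blob),
        "size_stored": len(zlib.compress(blob, 9)),
    }


def verify(batch: dict) -> bool:
    """Re-derive the digest from the stored data; a mismatch means the batch was altered."""
    return hashlib.sha256(zlib.decompress(batch["data"])).hexdigest() == batch["sha256"]


def tier(batch_date: date, today: date, regulations: List[str]) -> str:
    """Online while inside the online window, nearline until the retention period ends, then retire."""
    age = (today - batch_date).days
    if age <= ONLINE_DAYS:
        return "online"
    if age <= applicable_retention_days(regulations):
        return "nearline"
    return "retire"


def enforce(batches: Dict[str, Tuple[date, dict]], today: date,
            regulations: List[str]) -> Dict[str, str]:
    """Decide an action per batch; batches failing the integrity check are quarantined (assumption)."""
    decisions = {}
    for name, (batch_date, batch) in batches.items():
        decisions[name] = tier(batch_date, today, regulations) if verify(batch) else "quarantine"
    return decisions


def run_example() -> Dict[str, str]:
    # Constructed firewall syslog lines; repetitive, as real logs are.
    lines = [
        f"Dec  1 00:00:{i:02d} fw01 kernel: DROP IN=eth0 SRC=198.51.100.{i} DST=10.0.0.5 PROTO=TCP DPT=445"
        for i in range(20)
    ]
    today = date(2006, 12, 31)
    batches = {
        "fw-2006-12": (date(2006, 12, 1), capture(lines)),   # 30 days old
        "fw-2005-06": (date(2005, 6, 1), capture(lines)),    # 578 days old
        "fw-1999-01": (date(1999, 1, 1), capture(lines)),    # well past any retention period
    }
    tampered = capture(lines)
    tampered["sha256"] = "0" * 64  # simulate a batch whose recorded digest no longer matches
    batches["fw-tampered"] = (date(2006, 12, 1), tampered)
    return enforce(batches, today, ["Sarbanes-Oxley", "HIPAA"])


if __name__ == "__main__":
    for name, action in run_example().items():
        print(f"{name}: {action}")
```

With Sarbanes-Oxley and HIPAA selected the nearline tier lasts six years, so the batch from mid-2005 stays nearline while the 1999 batch is retired. Keeping the digest separate from the compressed data is what makes the "secure" step auditable later: retirement and restore decisions can be made only on batches that still verify.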
Industry Leading Scalability
(Table with columns Organization, Locations, Events, Devices, Driver, covering five MSSP and internal deployments: 3 to 34 locations; 4,000 to 30,000 devices; event volumes quoted as 80K/sec, 6.9B/day, 2.5T/year; 95K/sec, 8.2T/day, 2.9T/year; 240K/sec, 20B/day, 76.8T/year; 180K/sec, 15.5B/day; 450K/sec; 38.8T/day; 148T/year; 5.6T/year. Drivers: Security (Configuration Control, Access Control Enforcement, Privileged User Monitoring); Compliance & Security (Real-Time Monitoring, False Positive Reduction, Access Control Enforcement); Compliance (SAS 70 Compliance); Compliance & Security (Log Management, Monitoring Firewalls for Audits); Compliance (Internal Audit). Per-row pairing of values is not legible in this copy.)

Network Intelligence: Compliance and Security Operations
Enterprise-wide Log Management Platform - All the Data
Asset Identification, Baseline, Reports, Alerts, Forensics, Incident Management
Serving Business Operations, Compliance Operations and Security Operations

Thank you!

Vulnerability and Asset Management (VAM) - scanner and IDS support
Existing VA scanners:
• Open Source Nessus
• ISS SiteProtector
New VA scanners:
• McAfee Foundscan
• nCircle IP360
• Qualys Inc. QualysGuard

New IDS/IPS Vulnerability Mapping References (cont.)
Supported IDS devices:
• Dragon IDS
• Snort / Sourcefire
• ISS Real Secure
• Cisco IDS
• McAfee Intrushield
• Juniper IDP [Netscreen]
• 3COM/Tipping Point Unity One

New Device Additions in 3.7.0
F5 BigIP, MS DHCP, MS IAS, EMC Celerra CIFS, Lotus Domino, RSA Access Manager, Aventail, QualysGuard, Foundscan, nCircle