
TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS


1 TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS
Matthew Gardiner, RSA; Steve Garrett, RSA

2 Agenda
Why RSA Security Analytics
Key dates & financial incentives
Planning & executing a transition

3 Why RSA Security Analytics?

4 Focused on the Challenge of Advanced Threats: Compliance as an outcome of effective security controls
Slide labels: 1 Targeted, specific objective; 2 Stealthy, low and slow; 3 Interactive, human involvement. Attack timeline: System Intrusion, Attack Begins, Cover-Up, Discovery, Leap Frog Attacks, Cover-Up Complete.

How are today's threats different? It's not just that they are more sophisticated; attack methods have fundamentally changed.

First, they are targeted, with a specific objective. Previously we may have seen threats such as mass malware that can infect PCs, or random attacks on unnecessary services running on external-facing servers. Advanced threats typically use custom malware that targets an individual or group of employees at a specific organization. The attackers are seeking specific information: intellectual property or confidential documents. And their entry point to the organization is the compromise of an individual user's credentials, which they can use to establish a non-suspicious initial foothold in their target organization.

Second, once their initial intrusion is successful, advanced attackers are much more stealthy. Unlike a "smash and grab" password theft or website defacement, advanced attackers seek to remain hidden inside the organization, establishing multiple footholds in case their initial access is shut down, and keeping suspicious activity that might alert security operations teams to a minimum as they seek their target. They cover their tracks by erasing logs and other evidence of their activity.

And they are much more interactive. They don't follow set scripts. They react to being detected and having access shut down by coming in through another backdoor they established and using different tactics than the ones that led to their discovery.

Against these fundamentally different attacks, we need a fundamentally different response. We need to spend less time trying to keep attackers out and focus instead on accelerating our ability to detect and respond to intrusions, and on reducing the amount of time they are in the network (which we call "dwell time").

Our goal is to ensure that intrusion and compromise do not result in business damage or loss. Timeline labels: Attack Identified, Response, Time, Dwell Time, Response Time. 1 Decrease Dwell Time; 2 Speed Response Time.

5 Key Part of an Incident Response Solution
Detect / Investigate / Respond
RSA Live Intelligence: Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports and Custom Actions
RSA Security Analytics: Warehouse, Analytics
RSA Data Discovery enabled by RSA DLP: SharePoint, File Servers, Databases, NAS/SAN
RSA ECAT: Endpoints, Windows Clients/Servers
RSA Archer for Security Operations: Asset Context, Incident Management, Vulnerability Risk Management, Security Operations Management

6 Innovating Security Monitoring to Better Address Advanced Threats
Requirement | Traditional SIEM tools | RSA Security Analytics
Scale and performance | Difficulty scaling, performance too slow to react fast enough | Queries that used to take hours now taking minutes; 30K EPS, peak 80K+
Analytical firepower | Not real time, mostly a collection of rules to detect "known knowns" | Pivot across TBs of data, real-time & long term investigations, detects "unknown unknowns"
Visibility | Logs/events only, limited scope, summary activity only | Logs/events & packets, pervasive visibility, log sources
Intelligence | At best minimal intelligence, not operationalized | Operationalized and fused with your data, retroactive queries

KEY TAKEAWAY: SIEM promised a lot (column 1) but doesn't deliver (column 2). Security Analytics is taking the promise of SIEM and actually offering up a security management platform, not just a compliance platform.

7 Most Requested Enhancements for enVision All Addressed in RSA Security Analytics
Log Collection: 2k Message Restriction; Credential Management; Event Source Bulk Import\Export; i18N Support
Reporting: Enhanced Charting Options; i18N Support; Multiple Data Source Support
Correlation: Enriched Correlation Data; Support for SQL Constructs and Pattern Matching; Customizable Notification Text

Collection
2k Message Restriction: enVision could consume logs 2048 bits or smaller. Larger logs were chopped off, and in some cases this means you lose valuable data. SA does not have this restriction.
Credential Management: enVision made you enter credentials for each event source manually. SA automates this process through something we call credential aliasing, allowing you to enter credentials once and then have them used by all devices in a given domain.
Event Source Bulk Import\Export: makes it easier to manage your environment.
i18N Support: we can now collect logs in other languages without corrupting them.

Reporting
Charting options: SA uses a new and robust charting technology, allowing for dynamic and modern charts. enVision's charting library was written when Clinton was in office and looked pretty old.
i18N Support: we can include foreign languages in our reports.
Multiple Data Source Support: you can write a single report that leverages data from IPDB, NW, SAW, and soon the Archive.

Correlation
Enriched Correlation Data: SA parses data infused with threat intelligence and business context in real time. This means the data available to the correlation engine has been augmented with every piece of data the customer desires to add, in addition to the data collected from the event source.
Support for SQL and Pattern Matching: CEP is an advanced correlation engine; I can explain this in more detail.
Customizable Notification Text: we can customize the notification message based on the delivery protocol, which means we can tailor the alert message based on where it's going.

8 Key dates

9 Key Dates
In Q RSA enVision ES/LS was released on a new hardware appliance (Dell 620s), the same hardware as the RSA Security Analytics "60-Series"
Dell 2950-based enVision ES/LS is end of support life December 31, 2013
"60-Series" Dell 710-based enVision ES/LS has no EOSL yet
RSA enVision 4.1 has no EOSL yet
All current support information will continue to be updated here as it becomes available:

10 Financial Incentives

11 Financial Incentives
RSA enVision customers can acquire RSA Security Analytics for Logs using Tech Refresh pricing
Basically this is the cost of the new hardware (appliances & storage)
Only pay SA maintenance, but receive support for both
Simultaneous use of enVision & SA is assumed during migration
Any unused enVision maintenance can be applied to SA maintenance at the time of purchase
RSA enVision customers can also acquire Dell 620-based enVision at Tech Refresh pricing

12 Planning & Executing a Transition to RSA Security Analytics

13 Transition Overview
Phase 1: Install, Config, Log Ingest, Packet Ingest, Incident Detection
Phase 2: Reports, Alerts, Complex Event Processing, Compliance
Phase 3: Archer, AIMS, ACI, Business Context

14 Transition Strategy – Phase 1
Goal: Get data into the platform to enable Incident Detection
Begin moving data into Security Analytics (logs and/or packets)
Start building your team's skills and knowledge with the product on day one
Become familiar with the power and flexibility of Security Analytics' normalized meta data framework
Subscribe to RSA Live Threat Intelligence feeds for best-in-breed detection
Integrate the Incident Detection capabilities of the platform with your incident response team
Investigator and Reporter will interact with the Concentrator to provide visibility into data on the wire in near-real time

15 Phase 1 Topology Multiple Log Ingest Options
Investigator interacts with the Concentrator: perform real time, free form contextual analysis of captured log data
Report Engine interacts with the Concentrator: leverage out of the box content for compliance use cases; live charting and dashboards
Log ingest options shown: Message Queue, Packets, Remote Log Collection, Native Z-Connector, enVision 4.1 Local Collectors or ES
RSA LIVE INTELLIGENCE: Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions

16 Transition Strategy – Phase 2
Goal: Import or Recreate Reports and Alerts to meet Compliance Objectives
Run the enVision Transition Tool on your enVision stack
  Exports various configuration elements (can be directly imported to SA as feeds)
  Examines enVision reports and emits per-report guidance on the SA rule syntax needed
Create Reports in Security Analytics
  Leverage the near-real time capabilities of the Concentrator for short term reporting and dashboards
  Leverage the batch capabilities of Warehouse for long term intensive queries or for reporting over compressed data storage
Create Alerts in Security Analytics
  Leverage Event Stream Analysis

17 Phase 2: Meet Compliance Objectives
TODAY: Warehouse: MapR Hadoop powered warehouse; Archiving: archiving storage; Event Stream Analysis: Correlation & ESA; Lucene (text search)
FUTURE: Warehouse: MapR Hadoop powered warehouse, future advanced analytics capabilities, Lucene (text search); Archiving: archiving storage (lower cost), indexing and compression (via separate archiver); Event Stream Analysis: Correlation & Event Stream Analysis
RSA LIVE INTELLIGENCE: Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions

18 Security Analytics Appliance
......to SA 10.x with SAW
Diagram labels: Tap/Span/Log Feed; 1 Capture, process & store; RAW (logs only) to Warehouse Node 1; META to Warehouse Node 2 (index & direct query, sessions and logs); Warehouse Node 3; 2 Decoder to Warehouse; 3 Distributed query / Data Analytics; Raw Data (logs only) sent from Decoder; Meta Data (packets & logs) sent from Concentrator; Query from SA (HiveQL).

Decoder to Warehouse node ratio: Each Decoder will write to an individual volume on the warehouse. Multiple Decoders can write to a single warehouse node at one time. The current recommendation for Series 4 hardware is no more than 4 Decoders writing to a single node at once.

RAM drive warehouse write buffer: The Series 4 decoders have a RAM drive dedicated to buffering data that will be written to the warehouse. This drive enables the decoder to buffer data when capture rates exceed the rate at which the decoder can write data to the warehouse. If this buffer is exceeded then writes will fail. For the Series 4 appliance there is an optional buffer upgrade where 2 SSD drives can be added to expand this capability. Series 3 hardware has no room for an additional drive, so expanding the RAM drive on Series 3 is not an option.

Connectivity: Where possible, the warehouse and decoders should be located near each other, as the capture rate of the decoder, RAM drive capacity, and network latency all affect the effective NFS write speed to the warehouse.
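Capacity planning for the RAM drive write buffer just described, as an added example in Python (not RSA code): the model assumes one Decoder with a constructed buffer size and NFS write rate, feeds it a constructed per-second capture profile containing a burst above the write rate, and reports when the buffer would overflow and how much data the failed writes would lose. It also sizes the buffer a given burst would need, which is the question the SSD upgrade note answers in hardware terms. Every rate, size and name here is an assumption for illustration.

```python
"""Decoder write-buffer model: added example, not RSA code.

Models the behaviour described on the slide: the Decoder buffers captured
data in a RAM drive while writing to the Warehouse over NFS; if capture
outpaces the write rate long enough to fill the buffer, writes fail.
Every rate and size below is a constructed value for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class WriteBuffer:
    capacity_mb: float          # RAM drive size (hypothetical)
    write_rate_mbps: float      # sustained NFS write rate to the warehouse, MB/s
    fill_mb: float = 0.0        # data currently waiting in the buffer
    lost_mb: float = 0.0        # data dropped because the buffer was full
    overflow_seconds: list = field(default_factory=list)

    def step(self, second, capture_mb):
        """Advance one second: buffer the captured data, drain what NFS can
        take, then record anything that no longer fits as a failed write.
        (A one-second granularity approximation of the continuous process.)"""
        self.fill_mb += capture_mb
        self.fill_mb -= min(self.fill_mb, self.write_rate_mbps)
        if self.fill_mb > self.capacity_mb:
            self.lost_mb += self.fill_mb - self.capacity_mb
            self.fill_mb = self.capacity_mb
            self.overflow_seconds.append(second)
        return self.fill_mb


def burst_profile(baseline_mbps, burst_mbps, start, length, total):
    """Constructed per-second capture rates: a flat baseline with one burst."""
    return [burst_mbps if start <= t < start + length else baseline_mbps
            for t in range(total)]


def simulate(profile, capacity_mb, write_rate_mbps):
    """Run the capture profile through a buffer and return its final state."""
    buf = WriteBuffer(capacity_mb, write_rate_mbps)
    for second, captured in enumerate(profile):
        buf.step(second, captured)
    return buf


def seconds_to_overflow(capacity_mb, write_rate_mbps, burst_mbps):
    """Closed form: an empty buffer survives capacity / (burst - write) seconds
    of a sustained burst; None means the burst never exceeds the write rate."""
    if burst_mbps <= write_rate_mbps:
        return None
    return capacity_mb / (burst_mbps - write_rate_mbps)


def required_buffer_mb(burst_mbps, write_rate_mbps, burst_seconds):
    """Buffer needed to absorb a burst of the given length with no failed writes."""
    return max(0.0, (burst_mbps - write_rate_mbps) * burst_seconds)


if __name__ == "__main__":
    # 10 MB/s baseline, a 4-second burst at 60 MB/s starting at t=3,
    # into a 100 MB buffer that drains at 20 MB/s.
    profile = burst_profile(10, 60, start=3, length=4, total=10)
    buf = simulate(profile, capacity_mb=100, write_rate_mbps=20)
    print("overflow at seconds:", buf.overflow_seconds)        # [5, 6]
    print("data lost (MB):", buf.lost_mb)                        # 60.0
    print("time to overflow (s):", seconds_to_overflow(100, 20, 60))      # 2.5
    print("buffer needed for burst (MB):", required_buffer_mb(60, 20, 4))  # 160
```

The closed form and the simulation agree: a 100 MB buffer draining at 20 MB/s absorbs a 60 MB/s burst for 2.5 s, so a 4 s burst overflows during its third second and loses 60 MB; absorbing the whole burst would take a 160 MB buffer, which is the kind of gap the optional SSD expansion is meant to close.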

19 Analytics Warehouse Reporting
Hive query builder for SAW: consistent user experience across rule types
*** Preliminary lab results, with one simple rule and unconstrained I/O

20 Analytic Concepts Batch Analytics Stream Analytics
Batch Analytics: "Need to conduct long term analysis and discover patterns and trends therein". Compute intense, long-term visibility. Use cases: Incident Response, Advanced Threat Analysis, Machine Learning.
Stream Analytics: "Give me the speed and smarts to discover and investigate potential threats in near real time". Real-time, short-term visibility. Use cases: SOC Operations, Rapid Decision Making.
Batch: iterating over your data. Stream: alerting that needs to happen in near real time fashion. Two very different reasons for analyzing your data.

21 Transition Strategy – Phase 3
Goal: Integrate Security Analytics with your Ecosystem
Archer Integration Options: Incident Management, Asset information
ECAT

22 RSA Security Analytics
Diagram labels: Asset Context / Asset Intelligence (IP Address, Criticality Rating, Business Unit, Facility); RSA Archer SOM Asset List (Device Type, Device IDs, Content (DLP) Category, IP/MAC Address, IT Info, Device Owner); Business Context (Business Owner, Business Unit, Process, RPO / RTO); sources: CMDBs, DLP scans, etc.

ACI is about creating a common system of record for your assets. This could be done in a couple of different ways: asset information can be summarized from CMDBs, DLP scans, vulnerability scans, etc. Once the asset list is available, it is important to collect the business context of those assets. This could be accomplished using questionnaires or surveys. Once this is done, ACI can have a pre-programmed Criticality Rating (fully configurable by the organization). The combination of the asset information and business context determines the criticality rating. Once this information is available, ACI makes it available to RSA Security Analytics, and effectively the security operations team has a good view of the business context of the IT assets. By providing the business context information to the security operations team, we have effectively eliminated the silos that exist between security and business teams.

Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.

23 Asset Information in Security Analytics
Helps analysts better understand risk, to prioritize investigation & response
Asset criticality represented as metadata
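The asset-context flow of slides 22 and 23, carried through as an added example in Python (not RSA's ACI or Security Analytics code): it builds a criticality rating from constructed CMDB records and business-context survey answers, emits the result as a CSV feed of the kind the transition slides say SA imports, and then uses the rating as metadata to rank constructed alerts. The scoring rule, record layouts, field names and the 1-5 scale are assumptions, not the product's; the one edge case handled deliberately is an alert against an IP that is missing from the asset feed.

```python
"""Asset-context enrichment of alerts: added example, not RSA's ACI or
Security Analytics code. It follows the flow the slides describe: combine
asset inventory (CMDB-style) with business-context survey answers into a
criticality rating, expose the rating as a feed keyed by IP, and use it as
metadata on alerts so analysts can prioritise. All records are constructed
and the scoring rule is a hypothetical stand-in for a configurable rating.
"""
import csv
import io

# Constructed CMDB export (in a real deployment this would come from the
# CMDB, DLP scans or vulnerability scans the slide mentions).
CMDB_CSV = """ip,hostname,device_type,business_unit
10.0.1.10,fin-db-01,database,Finance
10.0.2.20,web-03,web server,Marketing
10.0.3.30,hr-app-01,application server,HR
"""

# Constructed business-context survey answers, keyed by hostname.
SURVEY = {
    "fin-db-01": {"regulated_data": True, "rto_hours": 1},
    "web-03": {"regulated_data": False, "rto_hours": 72},
    "hr-app-01": {"regulated_data": True, "rto_hours": 24},
}
UNSURVEYED = {"regulated_data": False, "rto_hours": 72}   # conservative default

# Constructed alerts, as a correlation engine might emit them.
ALERTS = [
    {"rule": "brute force logon", "dest_ip": "10.0.2.20", "severity": 3},
    {"rule": "suspicious beacon", "dest_ip": "10.0.1.10", "severity": 2},
    {"rule": "port scan", "dest_ip": "10.0.9.99", "severity": 4},
]


def criticality(asset, context):
    """Hypothetical 1-5 rating from asset attributes plus business context."""
    score = 1
    if context["regulated_data"]:
        score += 2
    if context["rto_hours"] <= 4:
        score += 2
    elif context["rto_hours"] <= 24:
        score += 1
    if asset["device_type"] == "database":
        score += 1
    return min(score, 5)


def build_feed(cmdb_csv=CMDB_CSV, survey=SURVEY):
    """Asset feed keyed by IP: inventory fields plus the computed rating."""
    feed = {}
    for row in csv.DictReader(io.StringIO(cmdb_csv)):
        ctx = survey.get(row["hostname"], UNSURVEYED)
        feed[row["ip"]] = {**row, "criticality": criticality(row, ctx)}
    return feed


def feed_to_csv(feed):
    """Serialise the feed as CSV, the form the transition slides say SA imports."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "hostname", "business_unit", "criticality"])
    for ip, a in sorted(feed.items()):
        writer.writerow([ip, a["hostname"], a["business_unit"], a["criticality"]])
    return out.getvalue()


def enrich(alerts, feed):
    """Attach asset metadata to each alert and order by priority.
    An alert against an IP missing from the feed is kept and flagged, not
    dropped: an unknown asset is itself something the SOC should notice."""
    enriched = []
    for alert in alerts:
        asset = feed.get(alert["dest_ip"])
        crit = asset["criticality"] if asset else 0
        enriched.append({
            **alert,
            "asset_known": asset is not None,
            "business_unit": asset["business_unit"] if asset else "unknown",
            "asset_criticality": crit,
            # unknown assets count as criticality 1 so severity alone still ranks them
            "priority": alert["severity"] * max(crit, 1),
        })
    return sorted(enriched, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    feed = build_feed()
    print(feed_to_csv(feed))
    for a in enrich(ALERTS, feed):
        print(a["priority"], a["rule"], a["dest_ip"], a["business_unit"], a["asset_known"])
```

With these constructed inputs the low-severity beacon against the Finance database outranks the higher-severity port scan, because the asset rating (5 versus unknown) is applied as metadata at ranking time rather than being baked into each rule; the unknown asset stays in the queue and is flagged so the inventory gap itself gets attention.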

24 Incident Management for Security
RSA Archer; Business & Security Users; RSA Security Analytics
Previously we discussed the ability to provide business context to the security operations team through ACI. Using the asset criticality information, the security analyst was able to define rules for security events of interest. What if you could build alerts for the highly valued assets of an organization and manage these incidents using an advanced incident management workflow? So, let's see how this is done. RSA Security Analytics helps you find the advanced threats in your environment. Once alerts have been defined in Security Analytics, RSA Advanced Incident Management for Security (AIMS) groups the alerts that have common characteristics and sends them to RSA Archer. AIMS software can help add a broader incident management layer to RSA Security Analytics to effectively track progress and engage key business stakeholders during a security incident investigation. AIMS uses the rich Incident Management capabilities of Archer to manage the entire lifecycle of an incident.
Flow labels: Capture & Analyze (NW packets, logs & threat feeds); Alerts based on rules; Group alerts; Manage workflows; Provide visibility

25 Seamless Investigations with RSA ECAT and RSA Security Analytics
Complete network and host visibility
Directly query RSA SA for detailed network analysis
Faster investigations to shorten attacker dwell time

The host-based visibility of RSA ECAT complements the in-depth network visibility provided by RSA Security Analytics to give organizations a holistic view of their environment during investigations. Scenario: an analyst investigating an endpoint in the ECAT console identifies a suspicious network connection, i.e. Windows Explorer (explorer.exe, not Internet Explorer) is generating network traffic, which is not typical, and connecting to an IP address that doesn't have a domain name associated with it. Based on the statistical analysis done by ECAT, it also appears to be beaconing out. The analyst can select that network connection, right click, and directly query SA. The SA console will pop up and the analyst can continue digging into the network packets and logs. This helps speed up investigations and further shortens attacker free time. With ECAT and SA, you can also very quickly gauge the magnitude of a compromise by identifying other machines connecting out to a known bad IP, or other machines found with the same malicious files identified in ECAT.
RSA ECAT: identify suspicious network traffic on host

26 Converting from enVision ES
enVision ES box ES-560, ES-1060, ES-1260 -> SA All-in-One Appliance
enVision ES box ES-2560, ES-3060 -> SA All-in-One Appliance + SA Direct Attached Capacity (optional)
enVision ES box ES-5060, ES-7560 with enVision Direct Attached Storage -> SA All-in-One Appliance + SA Direct Attached Capacity

27 Converting from a small enVision LS
Before: A-SRV, D-SRV, LC05, RC01
After: Analytics Server; Hybrid (up to 10k EPS); Security Analytics Warehouse Nodes (3 node cluster holds 6k average EPS for 2 years); High Density DAC (as needed); LC05

28 Converting from a large enVision LS
Before: A-SRV, D-SRV, RC01, RC02 + LC05, LC10
After: Analytics Server; Broker; Decoder; Concentrator (up to 30k EPS); Security Analytics Warehouse Nodes (3 node cluster holds 6k average EPS for 2 years); High Density DAC (as needed); Concentrator DAC

29 Transition Tools Tools to minimize transition time
Collects: reports for creation in SA; watchlists for creation in SA; collection configuration information from the enVision configuration database; device groups; managed monitored devices "meta"
Converts: fields in enVision reports to corresponding SA meta; numerical items in enVision reports to corresponding names, i.e. dtype 186 = Microsoft ACS
Export in CSV format for import into SA

So, why is this good for enVision customers? We get better SOC functionality now. We get visibility across network and log data, improved investigative capabilities, plus automated integration of threat intelligence. This new architecture brings orders of magnitude improvements of scale and performance: queries that used to take hours now take minutes or seconds. We're also eliminating many of the frustrations that enVision customers have had around enVision. For example, this system will be CentOS based, there'll be no more 2k event size limitation, plus we'll be able to collect in international character formats and from IPv6 environments, and we'll be eliminating many of the operational limitations. We're also providing a platform to succeed where other SIEMs have failed. This means not just allowing customers to see the data; it's about interacting with the data to support alerting and investigative processes. It also provides a way forward for enVision customers to move forward and protect the investment that they've made with RSA thus far.

30 Conclusion & Next Steps
Migration is something you can start now
But enVision 4.1 remains supported
Parallel operation with RSA Security Analytics is often ideal
Work with your RSA account team/partner/professional services to come up with a plan for you
Keep track of RSA enVision key support dates here:
