TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS

Presenters: Matthew Gardiner, RSA; Steve Garrett, RSA

Agenda
- Why RSA Security Analytics
- Key dates & financial incentives
- Planning & executing a transition

Why RSA Security Analytics?

Focused on the Challenge of Advanced Threats
Compliance as an outcome of effective security controls
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement
Attack timeline: System Intrusion -> Attack Begins -> Cover-Up -> Discovery -> Leap Frog Attacks -> Cover-Up Complete

How are today’s threats different? It’s not just that they are more sophisticated; attack methods have fundamentally changed. First, they are targeted, with a specific objective. Previously, we may have seen threats such as mass malware that can infect PCs, or random attacks on unnecessary services running on external-facing servers. Advanced threats typically use custom malware that targets an individual or group of employees at a specific organization. The attackers are seeking specific information – intellectual property or confidential documents. And their entry point to the organization is the compromise of an individual user’s credentials, which they can use to establish a non-suspicious initial foothold in their target organization.

Second, once their initial intrusion is successful, advanced attackers are much stealthier. Unlike a “smash and grab” password theft or website defacement, advanced attackers seek to remain hidden inside the organization, establishing multiple footholds in case their initial access is shut down, and keeping suspicious activity that might alert security operations teams to a minimum as they seek their target. They cover their tracks by erasing logs and other evidence of their activity.

And they are much more interactive. They don’t follow set scripts. They react to being detected and having access shut down by coming in through another backdoor they established and using different tactics than the ones that led to their discovery.

Against these fundamentally different attacks, we need a fundamentally different response. We need to spend less time trying to keep attackers out and focus instead on accelerating our ability to detect and respond to intrusions, reducing the amount of time they are in the network (which we call “dwell time”). Our goal is to ensure that intrusion and compromise do not result in business damage or loss.

Timeline diagram labels: Attack Identified, Response, TIME, Dwell Time, Response Time
1. Decrease Dwell Time
2. Speed Response Time

Key Part of an Incident Response Solution: Detect / Investigate / Respond
- RSA Live Intelligence: Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports and Custom Actions
- RSA Security Analytics: Warehouse, Analytics
- Data sources: SharePoint, File Servers, Databases, NAS/SAN, Endpoints, Windows Clients/Servers
- RSA Data Discovery (enabled by RSA DLP), RSA ECAT
- RSA Archer for Security Operations: Asset Context, Incident Management, Vulnerability Risk Management, Security Operations Management

Innovating Security Monitoring to Better Address Advanced Threats

Requirement           | Traditional SIEM Tools                                                    | RSA Security Analytics
Scale and performance | Difficulty scaling, performance too slow to react fast enough             | Queries that used to take hours now taking minutes; 30K EPS, peak 80K+
Analytical firepower  | Not real time, mostly a collection of rules to detect “known knowns”      | Pivot across TBs of data, real-time & long term investigations, detects “unknown unknowns”
Visibility            | Logs/Events only, limited scope, summary activity only                    | Logs/Events & Packets, pervasive visibility, 350+ log sources
Intelligence          | At best minimal intelligence, not operationalized                         | Operationalized and fused with your data, retroactive queries

KEY TAKEAWAY: SIEM promised a lot (column 1) but doesn’t deliver (column 2). Security Analytics is taking the promise of SIEM and actually offering up a security management platform, not just a compliance platform.

Most Requested Enhancements for enVision, All Addressed in RSA Security Analytics

Log Collection: 2k Message Restriction; Credential Management; Event Source Bulk Import\Export; i18N Support
Reporting: Enhanced Charting Options; i18N Support; Multiple Data Source Support
Correlation: Enriched Correlation Data; Support for SQL Constructs and Pattern Matching; Customizable Notification Text

Collection
2k Message Restriction – enVision could consume logs 2048 bits or smaller. Larger logs were chopped off, and in some cases this means you lose valuable data. SA does not have this restriction.
Credential Management – enVision made you enter credentials for each event source manually. SA automates this process through something we call credential aliasing, allowing you to enter credentials once and then have them used by all devices in a given domain.
Event Source Bulk Import\Export – makes it easier to manage your environment.
i18N Support – we can now collect logs in other languages without screwing them up.

Reporting
Charting options – SA uses a new and robust charting technology, allowing for dynamic and modern charts. enVision’s charting library was written when Clinton was in office and looked pretty old.
i18N Support – we can include foreign languages in our reports.
Multiple Data Source Support – you can write a single report that leverages data from IPDB, NW, SAW, and soon the Archive.

Correlation
Enriched Correlation Data – SA parses data infused with Threat Intelligence and business context in real time. This means the data available to the correlation engine has been augmented with every piece of data that the customer desires to add, in addition to the data collected from the event source.
Support for SQL and Pattern Matching – CEP is an advanced correlation engine; I can explain this in more detail.
Customizable Notification Text – we can customize the notification message based on the delivery protocol; this means we can tailor the alert message based on where it’s going.
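The 2k message restriction above matters during a migration: an event that was cut off at the collector cannot be repaired later, so the archive should be checked for events that look truncated before they are moved. The following is an added example (not part of the presentation or of either product) that applies three simple truncation heuristics to key=value style events: the raw text fills the cap, a quoted value is left open, or the last key has no value. The cap of 2048 bytes and the sample events are constructed; the slide only says “2k”, so substitute the real limit of your collector.

```python
"""Flag log events that look as if a collector cut them off at a size cap.

Added example, not part of the RSA presentation or product. The cap value and
the sample events are constructed; substitute your collector's real limit.
"""
import re

CAP_BYTES = 2048  # assumed cap; the slide only says "2k"

# key=value pairs, with optional double-quoted values
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def looks_truncated(raw: str, cap: int = CAP_BYTES) -> bool:
    """Heuristics for a cut-off event: the raw text fills the cap, a quoted
    value is left open, or the final key has no value at all."""
    if len(raw.encode("utf-8")) >= cap:
        return True
    if raw.count('"') % 2 == 1:          # unbalanced quote
        return True
    if re.search(r"\s\w+=$", raw):        # trailing 'key=' with nothing after it
        return True
    return False


def parse_kv(raw: str) -> dict:
    """Parse an intact key=value event into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}


def audit(events, cap: int = CAP_BYTES):
    """Split events into intact and suspect lists; suspects should be
    re-collected from the source rather than migrated as-is."""
    ok, suspect = [], []
    for event in events:
        (suspect if looks_truncated(event, cap) else ok).append(event)
    return ok, suspect


# Constructed sample events (not real logs)
SAMPLE_EVENTS = [
    'ts=2013-05-01T10:00:00Z src=10.0.0.5 dst=10.0.0.9 action=allow msg="ok"',
    'ts=2013-05-01T10:00:01Z src=10.0.0.5 dst=10.0.0.9 action=deny msg="cut mid',
    'ts=2013-05-01T10:00:02Z src=10.0.0.7 dst=10.0.0.9 action=deny msg=',
    "ts=2013-05-01T10:00:03Z payload=" + "x" * 2040,   # fills the cap
]

if __name__ == "__main__":
    intact, suspects = audit(SAMPLE_EVENTS)
    print(f"{len(intact)} intact, {len(suspects)} suspect")
    for s in suspects:
        print("  suspect:", s[:60])
```

The size check is the only one that is exact; the other two are heuristics tuned to key=value formats and will need adjusting for syslog or CEF layouts, which is why the function returns the suspect list rather than silently dropping anything.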

Key dates

Key Dates
- In Q1 2013 RSA enVision ES/LS was released on a new hardware appliance (Dell 620s), the same hardware as RSA Security Analytics
- “60-Series” Dell 2950-based enVision ES/LS reaches end of support life on December 31, 2013
- “60-Series” Dell 710-based enVision ES/LS has no EOSL yet
- RSA enVision 4.1 has no EOSL yet
- All current support information will continue to be updated here as it becomes available: http://www.emc.com/support/rsa/eops/siem.htm

Financial Incentives

Financial Incentives
- RSA enVision customers can acquire RSA Security Analytics for Logs using Tech Refresh pricing: basically the cost of the new hardware (appliances & storage)
- Only pay SA maintenance, but receive support for both; simultaneous use of enVision & SA is assumed during migration
- Any unused enVision maintenance can be applied to SA maintenance at the time of purchase
- RSA enVision customers can also acquire Dell 620-based enVision at Tech Refresh pricing

Planning & Executing a Transition to RSA Security Analytics

Transition Overview
Phase 1: Install, Config, Log Ingest, Packet Ingest, Incident Detection
Phase 2: Reports, Alerts, Complex Event Processing, Compliance
Phase 3: Archer, AIMS, ACI, Business Context

Transition Strategy – Phase 1
Goal: Get data into the platform to enable Incident Detection
- Begin moving data into Security Analytics (logs and/or packets)
- Start building your team’s skills and knowledge with the product on day one
- Become familiar with the power and flexibility of Security Analytics’ normalized Meta Data framework
- Subscribe to RSA Live Threat Intelligence feeds for best-in-breed detection
- Integrate the Incident Detection capabilities of the platform with your incident response team
- Investigator and Reporter will interact with the Concentrator to provide visibility into data on the wire (packets) in near-real time

Phase 1 Topology
- Multiple log ingest options: Message Queue, Remote Log Collection, Native Z-Connector, enVision 4.1 Local Collectors or ES; plus packets
- Investigator interacts with the Concentrator: perform real time, free form contextual analysis of captured log data
- Report Engine interacts with the Concentrator: leverage out of the box content for Compliance use cases; live charting and dashboards
- RSA LIVE INTELLIGENCE: Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions

Transition Strategy – Phase 2
Goal: Import or recreate Reports and Alerts to meet Compliance Objectives
- Run the enVision Transition Tool on your enVision stack: it exports various configuration elements (which can be directly imported to SA as feeds), and examines enVision reports and emits per-report guidance on the SA rule syntax needed
- Create Reports in Security Analytics: leverage the near-real time capabilities of the Concentrator for short term Reporting and Dashboards; leverage the batch capabilities of Warehouse for long term intensive queries or for reporting over compressed data storage
- Create Alerts in Security Analytics: leverage Event Stream Analysis

Phase 2: Meet Compliance Objectives

Component             | TODAY                                       | Future
Warehouse             | MapR Hadoop powered warehouse; Lucene (text search) | MapR Hadoop powered warehouse; future advanced analytics capabilities; Lucene (text search)
Archiving             | Archiving storage                           | Archiving storage (lower cost); indexing and compression (via separate archiver)
Event Stream Analysis | Correlation & ESA                           | Correlation & Event Stream Analysis

Packets feed both. RSA LIVE INTELLIGENCE: Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions

Security Analytics Appliance ... to SA 10.x with SAW

Data flow: Tap/Span/Log Feed -> (1) Capture, process & store: RAW (logs only) and META -> (2) Index & direct query (sessions and logs) -> (3) Distributed query and Data Analytics across Warehouse Nodes 1-3
- Raw data (logs only) sent from the Decoder
- Meta data (packets & logs) sent from the Concentrator
- Query from SA (HiveQL)

Decoder to Warehouse node ratio: Each Decoder will write to an individual volume on the warehouse. Multiple Decoders can write to a single warehouse node at one time. The current recommendation for Series 4 hardware is no more than 4 Decoders writing to a single node at once.

RAM drive warehouse write buffer: The Series 4 decoders have a RAM drive dedicated to buffering data that will be written to the warehouse. This drive enables the decoder to buffer data when capture rates exceed the rate at which the decoder can write data to the warehouse. If this buffer is exceeded, writes will fail. For the Series 4 appliance there is an optional buffer upgrade where 2 SSD drives can be added to expand this capability. Series 3 hardware has no room for an additional drive, so expanding the RAM drive on Series 3 is not an option.

Connectivity: Where possible, the warehouse and decoders should be located near each other, as the capture rate of the decoder, RAM drive capacity, and network latency all affect the effective NFS write speed to the warehouse.

Analytics Warehouse Reporting
Hive query builder for SAW – consistent user experience across rule types
*** Preliminary lab results, with one simple rule and unconstrained I/O

Analytic Concepts: two very different reasons for analyzing your data

Batch Analytics – “Need to conduct long term analysis and discover patterns and trends therein”
- Compute intense, long-term visibility
- Incident Response, Advanced Threat Analysis, Machine Learning
- Batch: iterating over your data

Stream Analytics – “Give me the speed and smarts to discover and investigate potential threats in near real time”
- Real-time, short-term visibility
- SOC Operations, Rapid Decision Making
- Stream: alerting that needs to happen in near real time fashion

Transition Strategy – Phase 3
Goal: Integrate Security Analytics with your Ecosystem
- Archer integration options: Incident Management, Asset information
- ECAT
- Packets

RSA Security Analytics Asset Context
Slide labels: Asset Intelligence (IP Address, Criticality Rating, Business Unit, Facility); RSA Archer SOM Asset List (Device Type, Device IDs, Content (DLP) Category, IP/MAC Add, IT Info, Device Owner); Biz Context (Business Owner, Business Unit, Process, RPO / RTO); sources: CMDBs, DLP scans, etc.

ACI is about creating a common system of record for your assets. This could be done in a couple of different ways: asset information can be summarized from CMDBs, DLP scans, vulnerability scans, etc. Once the asset list is available, it is important to collect the business context of those assets. This could be accomplished using questionnaires or surveys. Once this is done, ACI can assign a pre-programmed Criticality Rating (fully configurable based on the organization). The combination of the asset information and business context determines the criticality rating. Once this information is available, ACI makes it available to RSA Security Analytics, and effectively the security operations team has a good view of the business context of the IT assets. By providing the business context information to the security operations team, we have effectively eliminated the silos that exist between security and business teams. Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.

Asset Information in Security Analytics
- Helps analysts better understand risk, to prioritize investigation & response
- Asset criticality represented as metadata

Incident Management for Security (RSA Archer, Business & Security Users, RSA Security Analytics)

Previously we discussed the ability to provide business context to the security operations team through ACI. Using the asset criticality information, the security analyst was able to define rules for security events of interest. What if you could build alerts for highly valued assets of an organization and manage those incidents using an advanced incident management workflow? So, let’s see how this is done. RSA Security Analytics helps you find the advanced threats in your environment. Once alerts have been defined in Security Analytics, RSA Advanced Incident Management for Security (AIMS) groups the alerts that have common characteristics and sends them to RSA Archer. AIMS software can help add a broader incident management layer to RSA Security Analytics to effectively track progress and engage key business stakeholders during a security incident investigation. AIMS uses the rich Incident Management capabilities of Archer to manage the entire lifecycle of an incident.

Slide labels: Capture & Analyze – NW Packets, Logs & Threat Feeds; Alerts Based on Rules; Group Alerts; Manage Workflows; Provide Visibility

Seamless Investigations with RSA ECAT and RSA Security Analytics
- Complete network and host visibility
- Directly query RSA SA for detailed network analysis
- Faster investigations to shorten attacker dwell time

The host-based visibility of RSA ECAT complements the in-depth network visibility provided by RSA Security Analytics to give organizations a holistic view of their environment during investigations. Scenario: an analyst investigating an endpoint in the ECAT console identifies a suspicious network connection, i.e. Windows Explorer (explorer.exe, not Internet Explorer) is generating network traffic, which is not typical, and connecting to an IP address that doesn’t have a domain name associated with it. Based on the statistical analysis done by ECAT, it also appears to be beaconing out. The analyst can select that network connection, right click, and directly query SA. The SA console will pop up and the analyst can continue digging into the network packets and logs. This speeds up investigations and further shortens attacker free time. With ECAT and SA you can also very quickly gauge the magnitude of a compromise by identifying other machines connecting out to a known bad IP, or other machines found with the same malicious files identified in ECAT.
Slide label: RSA ECAT – identify suspicious network traffic on host
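The scenario above rests on two analyst questions: does this process talk to that address on a suspiciously regular schedule, and which other hosts have talked to the same address? The following added example (not ECAT’s own statistics) answers both over a constructed set of connection records: it groups connections by host, process and destination, scores the regularity of the gaps between them as a coefficient of variation (standard deviation divided by mean), flags groups that are regular enough over enough connections, and carries a reverse-DNS flag so the “no domain name” signal from the slide is visible in the finding. The records, thresholds and the TEST-NET addresses are constructed.

```python
"""Score outbound connections for beacon-like regularity and scope exposure.

Added example illustrating the ECAT scenario above; it is not ECAT's own
statistical method. The connection records, thresholds and the TEST-NET
addresses are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# (timestamp_s, host, process, dst_ip, dst_has_reverse_dns)
Conn = Tuple[int, str, str, str, bool]


def beacon_candidates(records: List[Conn], min_conns: int = 5,
                      max_cv: float = 0.15) -> List[Dict]:
    """Group connections by (host, process, destination) and flag groups whose
    inter-connection intervals are regular: coefficient of variation
    (stdev / mean) at or below max_cv over at least min_conns connections."""
    groups: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)
    has_ptr: Dict[str, bool] = {}
    for ts, host, proc, dst, ptr in records:
        groups[(host, proc, dst)].append(ts)
        has_ptr[dst] = ptr
    findings = []
    for (host, proc, dst), times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"host": host, "process": proc, "dst": dst,
                             "interval_s": round(avg, 1), "cv": round(cv, 3),
                             "dst_has_ptr": has_ptr[dst]})
    return findings


def hosts_talking_to(records: List[Conn], dst: str) -> List[str]:
    """Scope the compromise: every host seen connecting to the same destination."""
    return sorted({host for _, host, _, d, _ in records if d == dst})


# Constructed sample: explorer.exe on wks-a calls 203.0.113.10 about once a
# minute; a browser on wks-a talks to 198.51.100.20 irregularly; wks-b has
# also reached the same 203.0.113.10 twice.
SAMPLE_CONNS: List[Conn] = [
    (0, "wks-a", "explorer.exe", "203.0.113.10", False),
    (61, "wks-a", "explorer.exe", "203.0.113.10", False),
    (119, "wks-a", "explorer.exe", "203.0.113.10", False),
    (181, "wks-a", "explorer.exe", "203.0.113.10", False),
    (240, "wks-a", "explorer.exe", "203.0.113.10", False),
    (299, "wks-a", "explorer.exe", "203.0.113.10", False),
    (0, "wks-a", "chrome.exe", "198.51.100.20", True),
    (5, "wks-a", "chrome.exe", "198.51.100.20", True),
    (140, "wks-a", "chrome.exe", "198.51.100.20", True),
    (141, "wks-a", "chrome.exe", "198.51.100.20", True),
    (400, "wks-a", "chrome.exe", "198.51.100.20", True),
    (900, "wks-a", "chrome.exe", "198.51.100.20", True),
    (30, "wks-b", "explorer.exe", "203.0.113.10", False),
    (95, "wks-b", "explorer.exe", "203.0.113.10", False),
]

if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_CONNS):
        print("beacon candidate:", finding)
        print("  hosts to same destination:", hosts_talking_to(SAMPLE_CONNS, finding["dst"]))
```

The browser traffic is not flagged because its gaps vary by an order of magnitude, while the explorer.exe group is flagged with an interval near 60 seconds and a very low coefficient of variation; wks-b has too few connections to be scored on its own but shows up in the scoping query, which is the “gauge the magnitude” step from the slide. Jittered beacons raise the coefficient of variation, so the threshold needs tuning against the real environment.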

Converting from enVision ES

enVision ES box                                          | Security Analytics equivalent
ES-560, ES-1060, ES-1260                                 | SA All-in-One Appliance
ES-2560, ES-3060                                         | SA All-in-One Appliance + SA Direct Attached Capacity (optional)
ES-5060, ES-7560 (with enVision Direct Attached Storage) | SA All-in-One Appliance + SA Direct Attached Capacity

Converting from a small enVision LS
Before: A-SRV, D-SRV, LC05, RC01
After: Analytics Server; Hybrid (up to 10k EPS); Security Analytics Warehouse Nodes (3 node cluster holds 6k average EPS for 2 years); High Density DAC (as needed); LC05

Converting from a large enVision LS
Before: A-SRV, D-SRV, RC01, RC02 + LC05, LC10
After: Analytics Server; Broker; Decoder; Concentrator (up to 30k EPS) with Concentrator DAC; Security Analytics Warehouse Nodes (3 node cluster holds 6k average EPS for 2 years); High Density DAC (as needed)

Transition Tools: tools to minimize transition time

Collects:
- Reports, for creation in SA
- Watchlists, for creation in SA
- Collection configuration information from the enVision configuration database
- Device groups
- Manage monitored devices “meta”

Converts:
- Fields in enVision reports to the corresponding SA meta
- Numerical items in enVision reports to the corresponding names, i.e. dtype 186 = Microsoft ACS

Exports in CSV format for import into SA.

So, why is this good for enVision customers? We get better SOC functionality now. We get visibility across network and log data, improved investigative capabilities, plus automated integration of threat intelligence. This new architecture brings orders of magnitude improvements in scale and performance: queries that used to take hours now take minutes or seconds. We’re also eliminating many of the frustrations that enVision customers have had around enVision. For example, this system will be CentOS based, there’ll be no more 2k event size limitation, plus we’ll be able to collect in international character formats and from IPv6 environments, and we’ll be eliminating many of the operational limitations. We’re also providing a platform to succeed where other SIEMs have failed. This means not just allowing customers to see the data; it’s about interacting with the data to support alerting and investigative processes. It also provides a way forward for enVision customers to move forward and protect the investment that they’ve made with RSA thus far.
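To make the “converts” and “exports” steps above concrete, here is an added example of the kind of field and device-type rewrite the slide describes, written for this page and not RSA’s Transition Tool. It maps enVision report fields to SA meta keys, turns numeric device types into names, and emits CSV; fields with no mapping are returned separately so they can be handled by hand instead of silently dropped. FIELD_MAP is a constructed, hypothetical mapping and the report definition is constructed; the only entry taken from the slide is dtype 186 = Microsoft ACS.

```python
"""Rewrite enVision report fields and device-type ids into SA meta, then emit CSV.

Added example illustrating what the slide says the Transition Tool does; it is
not RSA's tool. FIELD_MAP is a constructed, hypothetical mapping; the only
entry taken from the slide is dtype 186 = Microsoft ACS.
"""
import csv
import io
from typing import Dict, List, Tuple

FIELD_MAP: Dict[str, str] = {   # enVision report field -> SA meta key (assumed names)
    "source_ip": "ip.src",
    "destination_ip": "ip.dst",
    "device_type": "device.type",
    "user_name": "user.dst",
}
DTYPE_NAMES: Dict[int, str] = {186: "Microsoft ACS"}   # from the slide; extend from your export

Row = Tuple[str, str, str]   # (report name, SA meta key, value)


def convert_value(field: str, value: str) -> str:
    """Numeric device types become names; everything else passes through.
    Raises KeyError for a device type that is not in DTYPE_NAMES."""
    if field == "device_type":
        dtype = int(value)
        if dtype not in DTYPE_NAMES:
            raise KeyError(f"unknown dtype {dtype}")
        return DTYPE_NAMES[dtype]
    return value


def convert_report(report: Dict) -> Tuple[List[Row], List[str]]:
    """Return SA rows for the mappable filters and a list of enVision fields
    (or field=value pairs) that need manual handling."""
    rows: List[Row] = []
    unmapped: List[str] = []
    for field, value in report["filters"]:
        meta = FIELD_MAP.get(field)
        if meta is None:
            unmapped.append(field)
            continue
        try:
            rows.append((report["name"], meta, convert_value(field, value)))
        except KeyError:
            unmapped.append(f"{field}={value}")
    return rows, unmapped


def to_csv(rows: List[Row]) -> str:
    """Serialise rows with a header line, ready for import tooling."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["report", "meta", "value"])
    writer.writerows(rows)
    return buf.getvalue()


# Constructed enVision report definition (not a real export)
SAMPLE_REPORT = {
    "name": "ACS admin logins",
    "filters": [("device_type", "186"), ("user_name", "admin"),
                ("event_category", "login")],
}

if __name__ == "__main__":
    rows, unmapped = convert_report(SAMPLE_REPORT)
    print(to_csv(rows))
    print("needs manual mapping:", unmapped)
```

Keeping the unmapped list is the important part of a migration script: a report that silently loses a filter will still run in the new platform but no longer enforce the compliance condition it was written for.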

Conclusion & Next Steps
- Migration is something you can start now, but enVision 4.1 remains supported
- Parallel operation with RSA Security Analytics is often ideal
- Work with your RSA account team/partner/professional services to come up with a plan for you
- Keep track of RSA enVision key support dates here: http://www.emc.com/support/rsa/eops/siem.htm