1© copyright 2013 emc corporation. all rights reserved. #sasummit transitioning from rsa envision...
TRANSCRIPT
1© Copyright 2013 EMC Corporation. All rights reserved.
#SASummit
TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS
Matthew Gardiner, RSA; Steve Garrett, RSA
Agenda
• Why RSA Security Analytics
• Key dates & financial incentives
• Planning & executing a transition
Focused on the Challenge of Advanced Threats
Compliance as an outcome of effective security controls
[Figure: attack timeline over TIME. Attack Begins, System Intrusion, Cover-Up Complete, Discovery, Leap Frog Attacks. (1) Dwell Time runs from Attack Begins to Attack Identified: goal is to decrease it. (2) Response Time runs from Attack Identified to Response: goal is to speed it.]
Characteristics of advanced threats:
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement
Key Part of an Incident Response Solution: Detect / Investigate / Respond
[Figure: RSA Security Analytics (Analytics) at the centre, fed by RSA Live Intelligence (Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports and Custom Actions); RSA Data Discovery (enabled by RSA DLP) covering SharePoint, File Servers, Databases, NAS/SAN and Endpoints; RSA ECAT covering Windows Clients/Servers; RSA Archer for Security Operations providing Asset Context, Incident Management, Vulnerability Risk Management and Security Operations Management.]
Innovating Security Monitoring to Better Address Advanced Threats
Requirements, traditional SIEM tools vs. RSA Security Analytics:
• Scale and performance
  – Traditional SIEM tools: difficulty scaling, performance too slow to react fast enough
  – RSA Security Analytics: queries that used to take hours now taking minutes; 30K EPS, peak 80K+
• Analytical firepower
  – Traditional SIEM tools: not real time, mostly a collection of rules to detect “known knowns”
  – RSA Security Analytics: pivot across TBs of data, real-time & long term investigations, detects “unknown unknowns”
• Visibility
  – Traditional SIEM tools: logs/events only, limited scope, summary activity only
  – RSA Security Analytics: logs/events & packets, pervasive visibility, 350+ log sources
• Intelligence
  – Traditional SIEM tools: at best minimal intelligence, not operationalized
  – RSA Security Analytics: operationalized and fused with your data, retroactive queries
Most Requested Enhancements for enVision, All Addressed in RSA Security Analytics
Categories: Log Collection | Reporting | Correlation
• 2k Message Restriction
• Credential Management
• Event Source Bulk Import/Export
• i18n Support (log collection)
• Enhanced Charting Options
• i18n Support (reporting)
• Multiple Data Source Support
• Enriched Correlation Data
• Support for SQL Constructs and Pattern Matching
• Customizable Notification Text
Key Dates
• In Q1 2013 RSA enVision ES/LS was released on a new hardware appliance (Dell 620s), the same hardware as RSA Security Analytics
• “60-Series” Dell 2950-based enVision ES/LS is end of support life December 31, 2013
• “60-Series” Dell 710-based enVision ES/LS has no EOSL yet
• RSA enVision 4.1 has no EOSL yet
• All current support information will continue to be updated here as it becomes available:
  – http://www.emc.com/support/rsa/eops/siem.htm
Financial Incentives
• RSA enVision customers can acquire RSA Security Analytics for Logs using Tech Refresh pricing
  – Basically the cost of the new hardware (appliances & storage)
  – Only pay SA maintenance, but receive support for both
    ▪ Simultaneous use of enVision & SA is assumed during migration
  – Any unused enVision maintenance can be applied to SA maintenance at the time of purchase
• RSA enVision customers can also acquire Dell 620-based enVision at Tech Refresh pricing
Planning & Executing a Transition to RSA Security Analytics
Transition Overview
[Figure: three transition phases]
• Phase 1: Install / Config, Log Ingest, Packet Ingest, Incident Detection
• Phase 2: Reports, Alerts, Complex Event Processing, Compliance
• Phase 3: Archer, Business Context, AIMS, ACI
Transition Strategy – Phase 1
• Begin moving data into Security Analytics (logs and/or packets)
  – Start building your team’s skills and knowledge with the product on day one
  – Become familiar with the power and flexibility of Security Analytics’ normalized Meta Data framework
  – Subscribe to RSA Live Threat Intelligence feeds for best-in-breed detection
• Integrate the Incident Detection capabilities of the platform with your incident response team
  – Investigator and Reporter will interact with the Concentrator to provide visibility into data on the wire in near-real time
Goal: Get data into the platform to enable Incident Detection
Phase 1 Topology
• Multiple Log Ingest Options
• Investigator interacts with the Concentrator
  – Perform real time, free form contextual analysis of captured log data
• Report Engine interacts with the Concentrator
  – Leverage out of the box content for Compliance use cases
  – Live Charting and Dashboards
[Figure: Phase 1 topology. RSA Live Intelligence (Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions) feeds the platform; packets are captured directly; log ingest paths are enVision 4.1 Local Collectors or ES via Z-Connector, Remote Log Collection, Message Queue, and Native collection.]
Transition Strategy – Phase 2
• Run the enVision Transition Tool on your enVision stack
  – Exports various configuration elements (can be directly imported to SA as feeds)
  – Examines enVision reports and emits per report guidance on SA rule syntax needed
• Create Reports in Security Analytics
  – Leverage the near-real time capabilities of the Concentrator for short term Reporting and Dashboards
  – Leverage the batch capabilities of Warehouse for long term intensive queries or for reporting over compressed data storage
• Create Alerts in Security Analytics
  – Leverage Event Stream Analysis
Goal: Import or Recreate Reports and Alerts to meet Compliance Objectives
Phase 2: Meet Compliance Objectives
[Figure: Phase 2 topology with packets, RSA Live Intelligence (Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions), and the components below labelled TODAY or Future]
• MapR Hadoop powered warehouse
• Future advanced analytics capabilities
• Lucene (text search)
• Archiving storage (lower cost)
• Indexing and compression (via separate archiver)
• Correlation & Event Stream Analysis
...to SA 10.x with SAW
[Figure: Security Analytics Warehouse data flow. Stages: Capture, process & store; Index & direct query; Distributed query; Data Analytics. A Tap/Span/Log Feed enters the Security Analytics Appliance, which forwards RAW data (logs only) and META data (sessions and logs) to Warehouse Nodes W Node 1, W Node 2, W Node 3.]
1. Raw Data (logs only) sent from Decoder
2. Meta Data (packets & logs) sent from Concentrator
3. Query from SA (HiveQL)
Analytics Warehouse Reporting
[Chart of warehouse reporting timings; values not recoverable]
*** Preliminary lab results, with one simple rule and unconstrained I/O
Analytic Concepts
• Stream Analytics: “Give me the speed and smarts to discover and investigate potential threats in near real time”
  – Real-time, short-term visibility
  – SOC Operations, Rapid Decision Making
• Batch Analytics: “Need to conduct long term analysis and discover patterns and trends therein”
  – Compute intense, long-term visibility
  – Incident Response, Advanced Threat Analysis, Machine Learning
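The two analytic styles on this slide differ in what they can see: a stream rule only holds a short window of recent events, while a batch job can look across the whole retention period. The following Python example is added here to illustrate that distinction; it is not code from the deck or from RSA Security Analytics (which expresses such logic in its own rule language). The event records, IP addresses, user names and thresholds are all constructed for the example. The stream rule catches a noisy burst of failed logons within 60 seconds; the batch pass catches a “low and slow” source whose failures are spread over days and never trip the short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: a fixed start time so results are reproducible
BASE = datetime(2013, 6, 3, 9, 0, 0)


def _failure(ts, src, user):
    """Build one constructed failed-logon event (assumed minimal normalized schema)."""
    return {"ts": ts, "src": src, "user": user, "outcome": "failure"}


def build_sample_events():
    """Return constructed logon events, sorted by time, covering three behaviours."""
    events = []
    # Burst: 6 failed logons from one source within 30 seconds (trips the stream rule)
    for i in range(6):
        events.append(_failure(BASE + timedelta(seconds=5 * i), "10.0.0.5", "admin"))
    # Low and slow: one failed logon every 6 hours for nearly 5 days (never 5 within 60 s)
    for i in range(20):
        events.append(_failure(BASE + timedelta(hours=6 * i), "10.0.0.9", "svc_backup"))
    # Background: a user who mistypes a password on two different days, then succeeds
    events.append(_failure(BASE + timedelta(hours=1), "10.0.0.7", "alice"))
    events.append(_failure(BASE + timedelta(days=1, hours=2), "10.0.0.7", "alice"))
    events.append({"ts": BASE + timedelta(minutes=3), "src": "10.0.0.7",
                   "user": "alice", "outcome": "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def stream_detect(events, threshold=5, window=timedelta(seconds=60)):
    """Near-real-time rule: alert the first time a source reaches `threshold`
    failed logons inside a sliding `window`. Only the window is kept in memory,
    which is what makes it fast and also what makes it blind to slow patterns."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = {}                   # src -> time of first alert
    for e in events:              # events are processed one at a time, in order
        if e["outcome"] != "failure":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerts:
            alerts[e["src"]] = e["ts"]
    return alerts


def batch_detect(events, min_days=3, min_failures=10):
    """Long-term analysis over the whole data set: flag sources whose failed logons
    are spread across at least `min_days` distinct days and total at least
    `min_failures`. Returns src -> (distinct days, total failures)."""
    per_src = defaultdict(lambda: {"days": set(), "total": 0})
    for e in events:
        if e["outcome"] != "failure":
            continue
        rec = per_src[e["src"]]
        rec["days"].add(e["ts"].date())
        rec["total"] += 1
    return {src: (len(r["days"]), r["total"]) for src, r in per_src.items()
            if len(r["days"]) >= min_days and r["total"] >= min_failures}


if __name__ == "__main__":
    evts = build_sample_events()
    print("stream alerts:", stream_detect(evts))   # only the burst source
    print("batch findings:", batch_detect(evts))   # only the low-and-slow source
```

Run stand-alone, the stream rule fires once for 10.0.0.5 at the fifth failure (20 seconds in) and never for 10.0.0.9, while the batch pass reports 10.0.0.9 with failures on 6 distinct days and ignores both the burst (one day) and the background user (two failures). Neither pass replaces the other, which is the point of running stream and batch analytics side by side.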
Transition Strategy – Phase 3
• Archer Integration Options
  – Incident Management
  – Asset information
• ECAT
Goal: Integrate Security Analytics with your Ecosystem
Asset Context
[Figure: RSA Archer SOM (Security Operations Management) supplies Asset Intelligence to RSA Security Analytics]
• Business context (RSA Archer): Criticality Rating, Device Owner, Business Owner, Business Unit, Process, RPO / RTO
• IT info (from CMDBs, DLP scans, etc.): Asset List, Device Type, Device IDs, Content (DLP), Category, IP/MAC Address
• Asset intelligence delivered to RSA Security Analytics: IP Address, Criticality Rating, Business Unit, Facility
Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.
Asset Information in Security Analytics
• Helps analysts better understand risk
• To prioritize investigation & response
• Asset criticality represented as metadata
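The slides above describe asset criticality arriving in Security Analytics as metadata so that alerts can be ranked by business impact rather than by rule severity alone. The Python below is an added illustration of that enrichment step; it is not code from the deck or from the RSA Archer / Security Analytics integration. The asset inventory, the alerts, the field names and the weighting scheme are all constructed assumptions. It also handles the case the slides leave implicit: an alert on an IP that is missing from the inventory is neither dropped nor silently ranked last, but scored as medium criticality and flagged as an inventory gap.

```python
# Constructed asset intelligence, standing in for what Archer would feed to SA
# (fields mirror the slide: IP address, criticality rating, business unit, facility)
ASSETS = {
    "10.1.1.10": {"criticality": "High", "business_unit": "Finance", "facility": "HQ"},
    "10.1.1.20": {"criticality": "Medium", "business_unit": "Marketing", "facility": "HQ"},
    "10.1.2.30": {"criticality": "Low", "business_unit": "Lab", "facility": "Branch"},
}

# Constructed weights; a real deployment would tune these
CRITICALITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed alerts as a rules engine might emit them (no asset context yet)
ALERTS = [
    {"id": "A1", "rule": "Repeated failed logons", "severity": "high", "ip": "10.1.2.30"},
    {"id": "A2", "rule": "Outbound beacon to new domain", "severity": "medium", "ip": "10.1.1.10"},
    {"id": "A3", "rule": "New local admin created", "severity": "low", "ip": "10.1.1.20"},
    {"id": "A4", "rule": "Outbound beacon to new domain", "severity": "medium", "ip": "10.9.9.9"},
]


def enrich(alert, assets):
    """Attach asset context to a copy of the alert. Unknown assets get a
    'Medium' placeholder criticality and an explicit asset_unknown flag so the
    gap is visible to the analyst instead of hidden by a default of Low."""
    out = dict(alert)
    asset = assets.get(alert["ip"])
    if asset is None:
        out.update({"criticality": "Medium", "business_unit": None,
                    "facility": None, "asset_unknown": True})
    else:
        out.update(asset)
        out["asset_unknown"] = False
    return out


def priority_score(enriched):
    """Combine rule severity with asset criticality into one ranking number."""
    return SEVERITY_WEIGHT[enriched["severity"]] * CRITICALITY_WEIGHT[enriched["criticality"]]


def prioritize(alerts, assets):
    """Enrich every alert, score it, and return the list highest priority first
    (ties broken by alert id so the order is stable)."""
    enriched = [enrich(a, assets) for a in alerts]
    for e in enriched:
        e["score"] = priority_score(e)
    return sorted(enriched, key=lambda e: (-e["score"], e["id"]))


def inventory_gaps(prioritized):
    """Return the IPs that produced alerts but are absent from the asset inventory."""
    return sorted({e["ip"] for e in prioritized if e["asset_unknown"]})


if __name__ == "__main__":
    ranked = prioritize(ALERTS, ASSETS)
    for e in ranked:
        print(e["id"], e["score"], e["severity"], e["criticality"], e["business_unit"])
    print("inventory gaps:", inventory_gaps(ranked))
```

With this data the medium-severity beacon on the High-criticality Finance host (A2) ranks above the high-severity alert on the Low-criticality lab box (A1), which is the effect the slide is after; the alert on the unknown host (A4) lands between them and is reported as an inventory gap to feed back to the CMDB or Archer.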
Incident Management for Security
[Figure: RSA Archer (Business & Security Users) groups alerts, manages workflows and provides visibility; RSA Security Analytics raises alerts based on rules and captures & analyzes network packets, logs & threat feeds.]
Seamless Investigations with RSA ECAT and RSA Security Analytics
• RSA ECAT: identify suspicious network traffic on the host
• RSA Security Analytics: complete network and host visibility
• Directly query RSA SA for detailed network analysis
• Faster investigations to shorten attacker dwell time
Converting from enVision ES
• enVision ES box ES-560 / ES-1060 / ES-1260 -> SA All-in-One Appliance
• enVision ES box ES-2560 / ES-3060 -> SA All-in-One Appliance + SA Direct Attached Capacity (optional)
• enVision ES box ES-5060 / ES-7560 with enVision Direct Attached Storage -> SA All-in-One Appliance + SA Direct Attached Capacity
Converting from a small enVision LS
• Before (up to 10k EPS): A-SRV, D-SRV, LC05, LC05, RC01
• After: Analytics Server, Hybrid, High Density DAC, Security Analytics Warehouse Nodes as needed
  – 3 node cluster holds 6k average EPS for 2 years
Converting from a large enVision LS
• Before (up to 30k EPS): A-SRV, D-SRV, LC10, LC05, RC02, RC01
• After: Analytics Server, Broker, Decoder + High Density DAC, Concentrator + Concentrator DAC, Security Analytics Warehouse Nodes as needed
  – 3 node cluster holds 6k average EPS for 2 years
Transition Tools
Tools to minimize transition time
• Collects
  – Reports for creation in SA
  – Watchlists for creation in SA
  – Collection configuration information from enVision configuration database
  – Device groups
  – Manage monitored devices “meta”
• Converts
  – Fields in enVision reports to corresponding SA meta
  – Numerical items in enVision reports to corresponding names
    ▪ i.e. dtype 186 = Microsoft ACS
  – Export in CSV format for import into SA
Conclusion & Next Steps
• Migration is something you can start now
  – But enVision 4.1 remains supported
  – Parallel operation with RSA Security Analytics is often ideal
• Work with your RSA account team/partner/professional services to come up with a plan for you
• Keep track of RSA enVision key support dates here:
  – http://www.emc.com/support/rsa/eops/siem.htm