TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS
Matthew Gardiner, RSA
Steve Garrett, RSA
#SASummit
© Copyright 2013 EMC Corporation. All rights reserved.

Posted 18-Dec-2015


Slide 2: Agenda
• Why RSA Security Analytics
• Key dates & financial incentives
• Planning & executing a transition

Slide 3: Why RSA Security Analytics?

Slide 4: Focused on the Challenge of Advanced Threats
Compliance as an outcome of effective security controls

[Figure: attack timeline. Attack Begins -> System Intrusion -> Cover-Up Complete -> Attack Identified -> Response, with Cover-Up Discovery and Leap Frog Attacks marked along the way. (1) Dwell Time runs from the start of the attack to its identification; (2) Response Time runs from identification to response. Goals: decrease dwell time, speed up response time.]

Characteristics of advanced threats:
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement

Slide 5: Key Part of an Incident Response Solution: Detect / Investigate / Respond

[Figure: RSA Security Analytics (Analytics) at the centre, fed by RSA Live Intelligence (Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports and Custom Actions), and surrounded by:
• RSA Data Discovery, enabled by RSA DLP: SharePoint, File Servers, Databases, NAS/SAN, Endpoints
• RSA ECAT: Windows Clients/Servers
• RSA Archer for Security Operations: Asset Context, Incident Management, Vulnerability Risk Management, Security Operations Management]

Slide 6: Innovating Security Monitoring to Better Address Advanced Threats

Requirement           | Traditional SIEM tools                                                | RSA Security Analytics
Scale and performance | Difficulty scaling, performance too slow to react fast enough         | Queries that used to take hours now taking minutes; 30K EPS, peak 80K+
Analytical firepower  | Not real time, mostly a collection of rules to detect “known knowns”  | Pivot across TBs of data, real-time & long term investigations, detects “unknown unknowns”
Visibility            | Logs/events only, limited scope, summary activity only                | Logs/events & packets, pervasive visibility, 350+ log sources
Intelligence          | At best minimal intelligence, not operationalized                     | Operationalized and fused with your data, retroactive queries

Slide 7: Most Requested Enhancements for enVision, All Addressed in RSA Security Analytics
Areas: Log Collection, Reporting, Correlation
• 2k Message Restriction
• Credential Management
• Event Source Bulk Import/Export
• i18N Support
• Enhanced Charting Options
• i18N Support
• Multiple Data Source Support
• Enriched Correlation Data
• Support for SQL Constructs and Pattern Matching
• Customizable Notification Text

Slide 8: Key dates

Slide 9: Key Dates
• In Q1 2013 RSA enVision ES/LS was released on a new hardware appliance (Dell 620s)
  – Same hardware as RSA Security Analytics
• “60-Series” Dell 2950-based enVision ES/LS is end of support life December 31, 2013
• “60-Series” Dell 710-based enVision ES/LS has no EOSL yet
• RSA enVision 4.1 has no EOSL yet
• All current support information will continue to be updated here as it becomes available:
  – http://www.emc.com/support/rsa/eops/siem.htm

Slide 10: Financial Incentives

Slide 11: Financial Incentives
• RSA enVision customers can acquire RSA Security Analytics for Logs using Tech Refresh pricing
  – Basically the cost of the new hardware (appliances & storage)
  – Only pay SA maintenance, but receive support for both
    ▪ Simultaneous use of enVision & SA is assumed during migration
  – Any unused enVision maintenance can be applied to SA maintenance at the time of purchase
• RSA enVision customers can also acquire Dell 620-based enVision at Tech Refresh pricing

Slide 12: Planning & Executing a Transition to RSA Security Analytics

Slide 13: Transition Overview

[Figure: three-phase roadmap.
Phase 1: Install/Config, Log Ingest, Packet Ingest, Incident Detection
Phase 2: Reports, Alerts, Complex Event Processing, Compliance
Phase 3: Archer, Business Context, AIMS, ACI]

Slide 14: Transition Strategy – Phase 1
• Begin moving data into Security Analytics (logs and/or packets)
  – Start building your team’s skills and knowledge with the product on day one
  – Become familiar with the power and flexibility of Security Analytics’ normalized Meta Data framework
  – Subscribe to RSA Live Threat Intelligence feeds for best-in-breed detection
• Integrate the Incident Detection capabilities of the platform with your incident response team
  – Investigator and Reporter will interact with the Concentrator to provide visibility into data on the wire in near-real time
Goal: Get data into the platform to enable Incident Detection

Slide 15: Phase 1 Topology
• Multiple Log Ingest Options
• Investigator interacts with the Concentrator
  – Perform real time, free form contextual analysis of captured log data
• Report Engine interacts with the Concentrator
  – Leverage out of the box content for Compliance use cases
  – Live Charting and Dashboards

[Figure: RSA Live Intelligence (Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions) feeding the Concentrator. Packets are captured directly; logs reach the Concentrator via enVision 4.1 Local Collectors or ES, Remote Log Collection, Message Queue and Native collection.]

Slide 16: Transition Strategy – Phase 2
• Run the enVision Transition Tool on your enVision stack
  – Exports various configuration elements (can be directly imported to SA as feeds)
  – Examines enVision reports and emits per-report guidance on the SA rule syntax needed
• Create Reports in Security Analytics
  – Leverage the near-real time capabilities of the Concentrator for short term Reporting and Dashboards
  – Leverage the batch capabilities of Warehouse for long term intensive queries or for reporting over compressed data storage
• Create Alerts in Security Analytics
  – Leverage Event Stream Analysis
Goal: Import or Recreate Reports and Alerts to meet Compliance Objectives

Slide 17: Phase 2: Meet Compliance Objectives

[Figure: Phase 2 topology, fed by RSA Live Intelligence (Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions) and taking packets and logs. Components, labelled on the slide as either Today or Future:
• Correlation & Event Stream Analysis
• MapR Hadoop powered warehouse
• Lucene (text search)
• Archiving storage (lower cost)
• Indexing and compression (via separate archiver)
• Future advanced analytics capabilities]

Slide 18: ...to SA 10.x with SAW

[Figure: Security Analytics Appliance data flow. Tap/Span/Log Feed -> capture, process & store (Decoder) -> index & direct query (Concentrator) -> distributed query -> data analytics on warehouse nodes W Node 1, W Node 2, W Node 3. Warehouse data labels: RAW (logs only), META (session and logs).
1. Raw Data (logs only) sent from Decoder
2. Meta Data (packets & logs) sent from Concentrator
3. Query from SA (HiveQL)]

Slide 19: Analytics Warehouse Reporting

[Figure: Analytics Warehouse reporting results chart]
*** Preliminary lab results, with one simple rule and unconstrained I/O

Slide 20: Analytic Concepts

Stream Analytics: “Give me the speed and smarts to discover and investigate potential threats in near real time”
• Real-time, short-term visibility
• SOC Operations, Rapid Decision Making

Batch Analytics: “Need to conduct long term analysis and discover patterns and trends therein”
• Compute intense, long-term visibility
• Incident Response, Advanced Threat Analysis, Machine Learning

Slide 21: Transition Strategy – Phase 3
• Archer Integration Options
  – Incident Management
  – Asset information
• ECAT
Goal: Integrate Security Analytics with your Ecosystem

Slide 22: Asset Context

[Figure: RSA Archer SOM (Security Operations Management) supplies business context to RSA Security Analytics. Asset Intelligence attributes passed per asset: IP Address, Criticality Rating, Business Unit, Facility. Business context held in Archer: Criticality Rating, Device Owner, Business Owner, Business Unit, Process, RPO / RTO. IT info feeding the Asset List from CMDBs, DLP scans, etc.: Device Type, Device IDs, Content (DLP), Category, IP/MAC Address.]

Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.

Slide 23: Asset Information in Security Analytics
• Helps analyst better understand risk
• To prioritize investigation & response
• Asset criticality represented as metadata
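The idea behind the Asset Context and Asset Information slides, carrying asset criticality as metadata so that the analyst can rank alerts by business impact rather than by rule severity alone, can be shown concretely. The following Python is an added illustration and is not RSA Security Analytics or Archer code: it joins constructed sample alerts to a constructed asset register on destination IP, using assumed attribute names (criticality, business_unit, device_owner, rto_hours) that stand in for the Criticality Rating, Business Unit, Device Owner and RPO/RTO fields named on the slides, and returns the alerts in priority order. It also handles the edge case the slides leave implicit: an alert on an asset that is missing from the register is given a medium baseline and flagged, so the inventory gap is surfaced instead of the alert being quietly deprioritized.

```python
"""Enrich alerts with asset context and rank them by business criticality.

Added illustration of 'asset criticality as metadata'. Alerts keyed by
destination IP are joined to an asset register (the kind of data the deck
says comes from Archer, CMDBs or DLP scans) and scored. Field names and
sample data are assumptions, not RSA product structures.
"""
from dataclasses import dataclass, field
from typing import Optional

# Ordinal weights for the Criticality Rating attribute (assumed scale).
CRITICALITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Rule severities as a correlation rule might emit them (assumed scale).
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    ip: str
    criticality: str          # Criticality Rating
    business_unit: str
    device_owner: str
    rto_hours: Optional[int]  # Recovery Time Objective; None if not recorded


@dataclass
class Alert:
    alert_id: str
    rule: str
    severity: str
    dst_ip: str


@dataclass
class EnrichedAlert:
    alert: Alert
    asset: Optional[Asset]
    score: int
    notes: list = field(default_factory=list)


def build_asset_index(assets):
    """Index the asset list by IP so enrichment is one dictionary lookup per alert."""
    return {a.ip: a for a in assets}


def score_alert(alert, asset):
    """Combine rule severity with asset criticality; returns (score, notes).

    An unknown asset is not treated as low value: it gets a medium baseline
    plus a note so the SOC can close the inventory gap.
    """
    sev = SEVERITY_WEIGHT.get(alert.severity.lower(), 1)
    if asset is None:
        return sev * CRITICALITY_WEIGHT["medium"], ["asset not in register: check CMDB coverage"]
    crit = CRITICALITY_WEIGHT.get(asset.criticality.lower(), CRITICALITY_WEIGHT["medium"])
    notes = []
    if asset.rto_hours is not None and asset.rto_hours <= 4:
        crit += 1  # a tight recovery objective raises urgency
        notes.append(f"RTO {asset.rto_hours}h")
    return sev * crit, notes


def prioritize(alerts, assets):
    """Return alerts enriched with asset context, highest score first."""
    index = build_asset_index(assets)
    enriched = []
    for al in alerts:
        asset = index.get(al.dst_ip)
        score, notes = score_alert(al, asset)
        enriched.append(EnrichedAlert(al, asset, score, notes))
    # Stable sort: ties keep arrival order, which is what an analyst queue wants.
    return sorted(enriched, key=lambda e: e.score, reverse=True)


# Constructed sample data (not from any real environment).
SAMPLE_ASSETS = [
    Asset("10.0.1.10", "critical", "Payments", "dba-team", 2),
    Asset("10.0.2.25", "low", "Marketing", "web-team", 48),
    Asset("10.0.3.40", "high", "HR", "hris-admin", None),
]

SAMPLE_ALERTS = [
    Alert("A-1", "Suspicious outbound beacon", "medium", "10.0.2.25"),
    Alert("A-2", "Multiple failed logins", "low", "10.0.1.10"),
    Alert("A-3", "New admin account created", "high", "10.0.9.99"),  # not in register
    Alert("A-4", "Privilege escalation", "high", "10.0.3.40"),
]


def ranked_ids(alerts=SAMPLE_ALERTS, assets=SAMPLE_ASSETS):
    """Alert ids in priority order, for the sample data: A-4, A-3, A-2, A-1."""
    return [e.alert.alert_id for e in prioritize(alerts, assets)]


if __name__ == "__main__":
    for e in prioritize(SAMPLE_ALERTS, SAMPLE_ASSETS):
        bu = e.asset.business_unit if e.asset else "unknown"
        print(f"{e.score:>3}  {e.alert.alert_id}  {e.alert.rule}  [{bu}] {'; '.join(e.notes)}")
```

Run directly it prints the ranked queue; prioritize() returns the enriched records so the same ordering can feed a ticketing workflow such as the Archer incident management integration described in Phase 3. Note how the low-severity login alert on the critical Payments host outranks the medium-severity beacon on a low-value marketing box, which is the point of carrying criticality as metadata.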

Slide 24: Incident Management for Security

[Figure: RSA Security Analytics captures & analyzes network packets, logs & threat feeds and raises alerts based on rules; RSA Archer groups alerts, manages workflows and provides visibility to business & security users.]

Slide 25: Seamless Investigations with RSA ECAT and RSA Security Analytics
• RSA ECAT: identify suspicious network traffic on the host; directly query RSA SA for detailed network analysis
• RSA Security Analytics: complete network and host visibility
• Faster investigations to shorten attacker dwell time

Slide 26: Converting from enVision ES

enVision ES box                                        | Security Analytics replacement
ES-560, ES-1060, ES-1260                               | SA All-in-One Appliance
ES-2560, ES-3060                                       | SA All-in-One Appliance + SA Direct Attached Capacity (optional)
ES-5060, ES-7560 with enVision Direct Attached Storage | SA All-in-One Appliance + SA Direct Attached Capacity

Slide 27: Converting from a small enVision LS

Before (enVision LS): A-SRV, D-SRV, LC05, LC05, RC01
After (Security Analytics): Analytics Server, Hybrid, High Density DAC, Security Analytics Warehouse Nodes as needed (3 node cluster holds 6k average EPS for 2 years)
Sizing: up to 10k EPS

Slide 28: Converting from a large enVision LS

Before (enVision LS): A-SRV, D-SRV, LC10, LC05, RC02, RC01
After (Security Analytics): Analytics Server, Broker, Decoder + High Density DAC, Concentrator + Concentrator DAC, Security Analytics Warehouse Nodes as needed (3 node cluster holds 6k average EPS for 2 years)
Sizing: up to 30k EPS

Slide 29: Transition Tools
Tools to minimize transition time
• Collects
  – Reports for creation in SA
  – Watchlists for creation in SA
  – Collection configuration information from the enVision configuration database
  – Device groups
  – Manage monitored devices “meta”
• Converts
  – Fields in enVision reports to corresponding SA meta
  – Numerical items in enVision reports to corresponding names
    ▪ e.g. dtype 186 = Microsoft ACS
  – Export in CSV format for import into SA

Slide 30: Conclusion & Next Steps
• Migration is something you can start now
  – But enVision 4.1 remains supported
  – Parallel operation with RSA Security Analytics is often ideal
• Work with your RSA account team/partner/professional services to come up with a plan for you
• Keep track of RSA enVision key support dates here:
  – http://www.emc.com/support/rsa/eops/siem.htm

Thank you.