RSA SIEM and DLP: Infrastructure and Information Monitoring in One Solution
David Mateju, RSA Sales Consultant, RSA CSE, david.mateju@rsa.com
Adding an information-centric view
Infrastructure view: infrastructure logs, infrastructure vulnerabilities, infrastructure configuration.
Information view (DLP Datacenter, DLP Network, DLP Endpoint): information location, information sharing, information usage.
Use Case: Security incident classification
Antivirus detects malware and the analyst investigates the outbreak. DLP Network detects information leaving the network, so DLP tells you whether confidential data was lost as a result.
Without DLP: the true impact of the malware infection is not known.
Without enVision: slower detection of the malware outbreak and a more resource-intensive investigation.
Without integration: the analyst needs training in two products, and there is no single pane of glass to get the full picture.
Use Case: Data forensics
An employee leaves to join the competition. The analyst needs to find out what information the employee accessed in their final days. Server logs show which files the employee accessed; DLP Endpoint and DLP Network events tell you which of those files were sensitive and what the employee did with them.
Without enVision: resource-intensive to find out which files the employee accessed.
Without DLP: impossible to know which files were sensitive or what the employee did with those files.
Without integration: the analyst needs training in two products, and there is no single pane of glass to get the full picture.
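The two use cases above are both joins between an infrastructure event (an antivirus alert, a file-server access record) and a DLP event for the same host, user or file. The following added example, written for this page and not RSA's code, shows that correlation over constructed, syslog-style sample lines; the field names, the key=value format and the 30-minute correlation window are assumptions chosen for illustration, not enVision or DLP formats.

```python
"""Correlating infrastructure logs with DLP events (added example, not RSA's code).

Event formats, field names and the correlation window are assumptions
for illustration only.
"""
import re
from datetime import datetime, timedelta

# Constructed antivirus alerts (format assumed; not a real product's output)
AV_LOGS = [
    "2011-03-14T09:02:11 host=ws-0412 user=jsmith event=malware_detected name=Trojan.Generic action=quarantined",
    "2011-03-14T09:05:40 host=ws-0187 user=mlee event=malware_detected name=Worm.Autorun action=cleaned",
]

# Constructed DLP Network events: sensitive content seen leaving the network
DLP_LOGS = [
    "2011-03-14T09:17:03 src_host=ws-0412 user=jsmith channel=HTTPS policy=PCI severity=high dest=203.0.113.7 files=1",
    "2011-03-14T12:40:55 src_host=ws-0187 user=mlee channel=SMTP policy=HR severity=medium dest=mail.example.org files=2",
]

# Constructed file-server access records and DLP Endpoint events for the forensics case
FILESERVER_LOGS = [
    "2011-03-10T16:20:00 host=fs-01 user=jsmith action=read path=/projects/roadmap2012.pptx",
    "2011-03-10T16:22:30 host=fs-01 user=jsmith action=read path=/public/lunch-menu.docx",
]
DLP_ENDPOINT_LOGS = [
    "2011-03-10T17:05:12 host=ws-0412 user=jsmith action=copy_to_usb path=/projects/roadmap2012.pptx policy=IP severity=high",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def classify(av_logs, dlp_logs, window=timedelta(minutes=30)):
    """Use case 1: one incident per AV alert, escalated when a DLP Network event
    from the same host follows within the window (assumed value)."""
    dlp = [parse(line) for line in dlp_logs]
    incidents = []
    for line in av_logs:
        av = parse(line)
        leaks = [d for d in dlp
                 if d["src_host"] == av["host"]
                 and av["ts"] <= d["ts"] <= av["ts"] + window]
        incidents.append({
            "host": av["host"],
            "malware": av["name"],
            "classification": "data-loss-suspected" if leaks else "contained",
            "dlp_events": leaks,
        })
    return incidents


def departing_user_report(user, access_logs, endpoint_logs):
    """Use case 2: every file the user touched on the server, joined to the DLP
    Endpoint event (policy, action) for that file if one exists."""
    dlp_hits = {}
    for line in endpoint_logs:
        rec = parse(line)
        if rec["user"] == user:
            dlp_hits[rec["path"]] = rec
    report = []
    for line in access_logs:
        rec = parse(line)
        if rec["user"] != user:
            continue
        hit = dlp_hits.get(rec["path"])
        report.append((rec["path"],
                       hit["policy"] if hit else None,
                       hit["action"] if hit else None))
    return report


if __name__ == "__main__":
    for inc in classify(AV_LOGS, DLP_LOGS):
        print(inc["host"], inc["malware"], inc["classification"])
    for row in departing_user_report("jsmith", FILESERVER_LOGS, DLP_ENDPOINT_LOGS):
        print(row)
```

On the sample data the first AV alert is escalated because a PCI-policy DLP event left the same host fifteen minutes later, while the second stays "contained" because its DLP event is hours outside the window; the forensics report marks the roadmap file as sensitive (IP policy, copied to USB) and the lunch menu as untracked. Tuning the window and deciding whether a later DLP event should still count are the analyst's policy decisions, not something the join can decide for you.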
The SIEM Solution: RSA enVision
RSA enVision: 3-in-1 SIEM Platform
Simplifying Compliance: compliance reports for regulations and internal policy (reporting, auditing, forensics).
Enhancing Security: real-time security alerting and analysis (alerting / correlation).
Optimizing IT & Network Operations: IT monitoring across the infrastructure (network baseline, visibility).
All three run on the RSA enVision log management platform with its purpose-built database (IPDB), collecting from security devices, network devices, applications / databases, servers and storage.
Supported Event Sources (cont.)
RSA enVision supports and understands 215 event sources out of the box, leading the SIEM industry. New event sources are added monthly; more than 30 RSA engineers work on this task alone. RSA enVision Universal Device Support allows any new or custom event source to be added via a Windows GUI tool, the RSA enVision Event Source Integrator (ESI).
RSA enVision: Transformation of Data into Actionable Intelligence
Dashboards and 1450+ reports for regulatory compliance and security operations
Live Visual Alerts
Robust Alerting & Reporting
1450+ reports included out of the box, easily customizable, grouped according to standards, e.g. national laws (SOX, Basel II, JSOX), industry regulations (PCI) and best practices & standards (ISO 27002, ITIL).
1450+ Reports for Typical Use Cases
Report Example List of Monitored Devices
Why DLP then?!
RSA enVision (SIEM) gives you information about what is or was happening in your IT infrastructure from the security, compliance and operations point of view. RSA DLP gives you visibility of who is working with your sensitive/compliance data and how. Only SIEM and DLP together give you the whole picture.
The DLP Solution: RSA Data Loss Prevention
RSA Data Loss Prevention Suite
DLP Enterprise Manager: unified policy management & enforcement, incident workflow, dashboard & reporting, user & system administration.
DLP Datacenter: discover file shares, SharePoint sites, databases, SAN/NAS; remediate (delete, move, quarantine).
DLP Network: monitor email, webmail, IM/chat, FTP, HTTP/S, TCP/IP; enforce (allow, notify, block, encrypt).
DLP Endpoint: discover local drives, PST files, Office files, 300+ file types; enforce (allow, justify, block) on copy, save as, print, USB, burn, etc.
Integrates with eDRM, encryption and access controls. Supports 300+ file types, databases, repositories, CMS; leverages a vast number of protocols.
RSA DLP Classification Methodology: Content Analysis (Described Content Analysis and Fingerprinted Analysis)
RSA DLP Classification Methodology: Described Content Analysis
Custom classification templates: keywords, phrases, RegEx, dictionaries; special patterns (entities); proximity analysis; positive and negative rules.
RSA DLP Classification Methodology: Fingerprinted Analysis
Known sensitive data templates: register known sensitive data; applicable to any binary/digital file; intellectual property protection; automated fingerprinting.
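The two content-analysis slides above describe the two classification approaches in the abstract. The following added example, written for this page and not RSA's code, shows one plausible implementation of each: a described-content rule that combines an entity pattern (a Luhn-checked card number), a keyword dictionary, a proximity window and a negative rule; and a fingerprinting scheme that registers a document as hashes of word shingles and scores a candidate by how many of its shingles are known. The rule shapes, the shingle size, the threshold and the sample documents are all assumptions constructed for illustration, not RSA's detection logic.

```python
"""Described-content and fingerprinted analysis (added example, not RSA's code).

Rule shapes, shingle size, threshold and sample texts are assumptions
constructed for illustration.
"""
import hashlib
import re

# --- Described content analysis -------------------------------------------
# Entity pattern: 13-16 digits optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Dictionary of context keywords that must appear near the entity.
KEYWORDS = {"card number", "cardholder", "expiry", "cvv"}
# Negative rule: phrases that suppress a match (known test/sample content).
NEGATIVE = {"test data", "sample"}


def luhn_ok(digits):
    """Luhn checksum, so that random digit runs do not count as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def described_match(text, proximity=40):
    """True if a Luhn-valid card number occurs within `proximity` characters of a
    dictionary keyword and no negative-rule phrase is present in the text."""
    low = text.lower()
    if any(neg in low for neg in NEGATIVE):
        return False
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue
        window = low[max(0, m.start() - proximity): m.end() + proximity]
        if any(kw in window for kw in KEYWORDS):
            return True
    return False


# --- Fingerprinted analysis ------------------------------------------------
def fingerprint(text, k=8):
    """Register a document as the set of SHA-256 hashes of its k-word shingles
    over normalised (lower-cased, punctuation-stripped) text."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(1, len(words) - k + 1))}


def fingerprint_match(text, registered):
    """Fraction of the candidate text's shingles that belong to a registered
    document; 0.0 means no overlap, 1.0 means the candidate is entirely known."""
    cand = fingerprint(text)
    if not cand:
        return 0.0
    return len(cand & registered) / len(cand)


# Constructed "known sensitive" document and a candidate that quotes part of it.
SECRET_DOC = ("Project Falcon roadmap: Q1 launch in EMEA, Q2 pricing revision, "
              "Q3 partner program, Q4 acquisition of a mid-size vendor in the storage space.")
REGISTERED = fingerprint(SECRET_DOC)
LEAK_CANDIDATE = ("FYI from the roadmap: Q2 pricing revision, Q3 partner program, "
                  "Q4 acquisition of a mid-size vendor")

if __name__ == "__main__":
    print(described_match("Cardholder: J. Smith, card number 4111 1111 1111 1111 expiry 12/14"))
    print(round(fingerprint_match(LEAK_CANDIDATE, REGISTERED), 2))
```

The described rule fires only when all three conditions line up (valid entity, nearby keyword, no negative phrase), which is what keeps false positives down on order numbers and test fixtures; the fingerprint score rises with the share of the registered text that was pasted, so a policy threshold (30% is a reasonable starting point for an eight-word shingle) is what turns the score into a block or notify decision.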
RSA DLP Classification Methodology: Identity Analysis
Understand who and where; insight into the organization and its hierarchy; real-time data from Active Directory.
RSA enVision Dashboard with DLP Views
RSA enVision & RSA DLP Integration Benefits
Reduced security risk: increased likelihood of early detection of security incidents; prioritization of incidents based upon data sensitivity.
Reduced impact of security incidents: quicker cleanup and remediation of security problems.
Lower cost of responding to compliance audit requests: a single place to create reports around where sensitive data resides, who is accessing it, where it's going and when it's at risk; a centralized, auditable framework for security incident response; single-click reports on non-compliant systems and the information they contain.
Lower personnel costs: fewer training requirements for compliance and security analysts; a single pane of glass for Level 1 response to security and compliance issues.