Enabling Security Operations with RSA envision
August 2009

Agenda
- What is security operations?
- How does RSA envision help with security operations?
- How does RSA envision fit with other EMC products?
What is security operations?
If you have somebody who:
- Monitors firewalls
- Researches threats
- Responds to security incidents
- Fiddles with Group Policy security settings
- Provides advice about how to deal with bad stuff that's happening
then you're doing security operations.

In some places it's really formal and high-tech; in other places, not so much.
Security Operations Best Practices
To be effective in security operations, you need to:
- Turn real-time events (e.g. threats) into actionable data
- Create a closed-loop incident handling process
- Report on the effectiveness of security management

"SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. This technology is used to filter incident information into data that can be acted on for the purposes of incident response and forensic analysis." (Mark Nicolett, Gartner)

Real Time Incident Detection: Finding Incidents in a Mountain of Data
The funnel narrows at each stage:
- Billions of raw events
- Thousands of security-relevant events
- Dozens of high priority events (correlated alerts)
- Incidents!!!
How does RSA envision help with security operations?
RSA envision 3-in-1 SIEM Platform
- Simplifying Compliance: compliance reports for regulations and internal policy
- Enhancing Security: real-time security alerting and analysis
- Optimizing IT & Network Operations: IT monitoring across the infrastructure
Capabilities: Reporting, Auditing, Forensics, Alert / correlation, Network baseline, Visibility
Platform: RSA envision Log Management platform on a purpose-built database (IPDB)
Event sources: security devices, network devices, applications / databases, servers, storage

RSA envision and Real Time Incident Detection
Essential elements of incident detection:
- Comprehensive log data
- Event source knowledge
- Asset context
- Vulnerability data
- Correlation rules, filters, watchlists
- Timely threat information
Real Time Incident Detection: what you need and what RSA envision provides
- Comprehensive log data. Need: collect all log data from the infrastructure you're monitoring. RSA envision collects all log data from almost any third-party device.
- Event source knowledge. Need: know what the event logs mean. RSA envision translates logs from 130+ third-party products to a common set of event descriptions (e.g. failed logons).
- Asset context. Need: background information about the infrastructure the log data is coming from. RSA envision allows import of data about IT assets from asset management systems.
- Vulnerability data. Need: information about vulnerable infrastructure components in the IT environment. RSA envision collects data from the most common vulnerability scanners.
- Correlation rules, filters and watchlists. Need: environment-specific rules to look for high-risk issues. RSA envision provides the ability to define correlation rules and watchlists of dynamic information.
- Timely threat information. Need: regular updates as threats and vulnerabilities evolve. RSA envision provides regular updates of vulnerabilities, IDS signatures, event knowledge and correlation rules.
In-depth Correlation Rules Provided Out-of-the-box
- RSA envision 4.0 provides comprehensive correlation rules, e.g. CRL-00011: Several Failed Logins Followed By A Successful Login / Possible Successful Brute Force Attack Detected
- Intuitive GUI to tailor rules
- Detailed library of background information
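The logic behind a rule like CRL-00011, written as an added Python example (not RSA envision's own rule engine) over constructed, already-normalised events; the threshold and time window are assumptions a real deployment would tune.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events of the kind a SIEM produces after mapping raw
# logs to common descriptions: (timestamp, source IP, user, event description)
EVENTS = [
    ("2009-08-01 09:00:01", "10.0.0.5", "alice", "failed logon"),
    ("2009-08-01 09:00:03", "10.0.0.5", "alice", "failed logon"),
    ("2009-08-01 09:00:05", "10.0.0.5", "alice", "failed logon"),
    ("2009-08-01 09:00:07", "10.0.0.5", "alice", "failed logon"),
    ("2009-08-01 09:00:09", "10.0.0.5", "alice", "successful logon"),
    ("2009-08-01 09:30:00", "10.0.0.9", "bob", "failed logon"),      # one typo
    ("2009-08-01 09:30:20", "10.0.0.9", "bob", "successful logon"),  # not an attack
]


def brute_force_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per (source, user) whose successful logon was
    preceded by at least `threshold` failed logons inside `window`."""
    failures = {}  # (source, user) -> deque of recent failure timestamps
    alerts = []
    for ts_str, src, user, action in sorted(events):  # ISO timestamps sort correctly
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        recent = failures.setdefault((src, user), deque())
        # Expire failures that have aged out of the correlation window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if action == "failed logon":
            recent.append(ts)
        elif action == "successful logon":
            if len(recent) >= threshold:
                alerts.append({"source": src, "user": user,
                               "failures": len(recent), "success_at": ts_str})
            recent.clear()  # a success closes the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(EVENTS):
        print("Possible successful brute force:", alert)
```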
Example: Detecting Botnets
Indicators:
- An increase in detected AV activity
- Changes in DNS utilization
- Inbound or outbound IRC traffic
- Host file modifications
- Outbound SMTP traffic volume increase
Built-in envision rules automatically detect if two or more of these are happening.
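The "two or more indicators" rule from the slide as an added Python example (not envision's built-in rule); it generalises slightly by sliding a time window over each host's timeline, and the event-type names, window and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Map normalised event descriptions (assumed names) to the slide's categories.
INDICATORS = {
    "av detection": "av_activity",
    "dns query spike": "dns_change",
    "irc connection": "irc_traffic",
    "hosts file modified": "host_file_mod",
    "smtp volume spike": "smtp_outbound",
}

# Constructed sample events: (timestamp, host, normalised event description)
EVENTS = [
    ("2009-08-01 10:00:00", "ws-17", "av detection"),
    ("2009-08-01 10:04:00", "ws-17", "irc connection"),
    ("2009-08-01 10:06:00", "ws-17", "smtp volume spike"),
    ("2009-08-01 10:01:00", "ws-22", "av detection"),
    ("2009-08-01 11:30:00", "ws-22", "irc connection"),   # too late to correlate
    ("2009-08-01 10:02:00", "srv-03", "dns query spike"),  # single indicator only
    ("2009-08-01 10:03:00", "srv-03", "config backup"),    # not an indicator
]


def botnet_alerts(events, min_indicators=2, window=timedelta(minutes=30)):
    """Return {host: sorted indicator categories} for every host that shows
    at least `min_indicators` distinct categories within `window`."""
    per_host = defaultdict(list)
    for ts_str, host, etype in events:
        if etype in INDICATORS:
            ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
            per_host[host].append((ts, INDICATORS[etype]))
    alerts = {}
    for host, items in per_host.items():
        items.sort()
        # Slide the window: start it at each indicator in turn and collect
        # the distinct categories seen from there until the window closes.
        for i, (start, _) in enumerate(items):
            seen = {cat for ts, cat in items[i:] if ts - start <= window}
            if len(seen) >= min_indicators:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    print(botnet_alerts(EVENTS))
```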
Use Case: Vulnerable Server Attacked
- Attacker launches an attack against a server
- IDS knows it's being attacked
- VA scanner knows it's vulnerable
- Configuration Management Database knows it's critical
- RSA Knowledge adds event and threat context
- RSA envision combines these and knows a critical, vulnerable server is being attacked, and alerts the analyst

Security Operations means end-to-end Incident Handling
RSA envision supports each step in this process (framework developed by Carnegie Mellon University):
- Notification: receive message indicating potential incident
- Triage: automatically sort, categorize & prioritize incoming incidents
- Analysis: examine all available information & supporting evidence
- Forensics: gather, document and preserve information and evidence
- Track & Trace: track or trace intruder entry, access, origination and analysis of systems involved
- Remediation: track incident resolution
Event Aggregation: RSA envision & Archer in the EMC CIRC
- Event sources feeding envision: IPS, AV, EP, Auth, WAF, DLP, FW, AD, WLAN, URL
- Data enhancement: Identity, Location, Division, Department, Geo Info, Regulation Data, Asset Value
- Business reporting in Archer: Incidents, Threats, Policies
- Consumers: CIRT, Eng., Legal, HR, SOC, Investigation

RSA envision Monitoring and Management: Key Metrics & Dashboards
- Network Activity by Category
- IDS Top Threats
- Incident rate
- Most Vulnerable Assets by Severity

Archer dashboard shows posture at a business level.
How does RSA envision fit with other EMC products?
Example: Single point of investigation (EMC RSA envision Security Operations Offering)
Scenario:
- User downloads undetected malware
- Malware replicates to servers
- Malware makes changes to servers
- Malware attempts to send sensitive information (DLP Network alerts the analyst)
What each product contributes:
- RSA envision & RSA DLP: shows who communicated with whom, what violations occurred, when changes were made
- Ionix SCA, SCM & NCM: shows precisely what the malware changed
- Integrated solution: provides a unified view into the extent of the infection, and how to remediate
Outcome: the analyst knows exactly where the virus has spread and how to remediate.

Example: Auditor asks for details of all config changes
Sources the analyst must cover: firewall logs, router logs, server logs, security device alerts, applications / databases.

Example: Auditor asks for details of all config changes (EMC Compliance Offering)
- RSA envision: gathers logs, which show who made changes and when
- Ionix SCA, SCM & NCM: shows precisely what changed
- Integrated solution: provides a unified view of precisely what changes were made, when and by whom
Manages the Lifecycle of Security Information (ILM)
- User defines log retention policies; RSA envision automatically enforces them
- Lifecycle: Capture, Compress, Secure, Store, Retain, Retire
- Online policy (~ 15 months), then retention policy: online in nearline storage on EMC Celerra, retained on EMC Centera
Virtualization adds new challenges for Security Practitioners and Compliance Officers
- New compliance requirements: an additional set of IT controls is required, and new tools and processes are required to report on IT activities in the virtual environment
- New set of activities to understand: who is creating/cloning/moving virtual machines and when? Who is accessing the infrastructure that underlies the virtual environment?
- New risks need tracking: hosted OSs are now subject to new attacks inside the virtualized environment. As OSs get deployed on the fly, vulnerability scans become more important
- New processes needed for incident handling and business continuity planning: when a virtualized OS becomes compromised, what will be my new BC plan? How do I collect and analyze information about the virtualization layer?

Scenario: Legacy mainframe application and VDI
- Environment: VMware View Manager, ESX physical host, a customer management virtual desktop in a secure network zone, a firewall with a very restrictive policy, and a legacy customer management application on a mainframe
- A rogue administrator gives an internal attacker privileges to the customer management environment
- The internal attacker uses the virtual desktop to attack the legacy application
- RSA envision question for the admin activity: assigning privileges outside of AD groups?
Security Case Study: DTCC (The Depository Trust Clearing Corporation)
Challenge:
- Continual audits and SEC evaluations mean DTCC requires real-time security monitoring
- Complex threats made DTCC realize a passive approach to security was not an option
Solution:
- Collection of logs from disparate systems, legacy and new
- Aggregation and correlation of data to understand behaviors and trends that can trigger security alerts
Results:
- DTCC captures 85 million log events per day, which they use to make better security decisions
- DTCC has better visibility into user behavior, giving them data to solve problems around unusual user access

Summary Benefits
- Reduced risk: highest priority issues identified; most vulnerable assets highlighted
- Increased analyst productivity: streamlined incident management process
- Improved management visibility: focus staff on highest risk areas; fully auditable process for compliance reporting