White paper

End-to-end Solutions to Enable Log Management Best Practices: Deploying a Comprehensive Security Information and Event Management Platform
Executive Summary

More and more organizations today are recognizing that log and event data can provide a wealth of intelligence information about the entire enterprise IT environment. Especially as regulations continue to get more complex and organizations face increasingly sophisticated and targeted attacks, the need to know what is happening on your network, and within your systems and applications, is essential. To meet this challenge, organizations must build an enterprise competency in log (event) management, including developing best practices, establishing an infrastructure and deploying technology solutions.

To help meet this challenge, RSA has developed a series of white papers. The first paper in the series provides a set of 40 recommended best practices. The second takes the next logical step by guiding organizations in establishing the criteria for an infrastructure to help realize best practices. This third paper describes end-to-end solutions that combine security information and event management (SIEM) and tiered storage technologies based on the RSA envision platform and EMC networked storage solutions.

The volume of log data organizations must analyze and retain is constantly increasing, and retention periods are becoming longer. Therefore, solutions for log management must incorporate an information lifecycle management (ILM) strategy, which ensures that the data will be managed efficiently and effectively from creation to deletion. The RSA envision platform aggregates logs from across the enterprise and turns this information into actionable intelligence for compliance and security. By combining the RSA envision platform with EMC storage systems, organizations can incorporate an ILM strategy for log data and deploy end-to-end solutions that enable best practices in log management.
This paper details how RSA's solutions meet the complete set of requirements for a log management infrastructure, including general requirements and specific requirements in log generation and capture; log retention and storage; log analysis; and log security and protection. It is intended to help organizations deploy a comprehensive security information and event management platform in order to reap extensive benefits, including improved security operations and sustainable compliance programs.

Contents

Definition of Log (Event) Management, page 1
Developing a Log Management Capability, page 1
RSA End-to-end Solutions for Log (Event) Management, page 2
Meeting the Requirements of an Infrastructure for Log Management, page 2
  I. General Requirements, page 2
  II. Log Generation and Capture, page 6
  III. Log Retention and Storage, page 7
  IV. Log Analysis, page 8
  V. Log Security and Protection, page 9
Conclusion, page 10
Definition of Log (Event) Management

This white paper is the third in a series of three white papers on log management. In each paper, the definition of log (event) management is provided in order to clarify the meanings of terms used throughout the series.

A log is a record of an event or activity occurring within an organization's systems or networks. Examples of these events include a firewall allowing or denying access to a network resource, a change to the configuration of the operating system performed by an administrator, a system shut down or start up, a user logging in to an application or an application allowing or denying access to a file. For more examples of events or activities, please see the companion white paper Log Management Best Practices: The Foundation for Comprehensive Security Information and Event Management, Appendix 1, Sources and contents of logs.

Log (event) management is the collection, analysis (real-time or historical), management and storage of logs from a range of sources across the enterprise, including security systems, networking devices, storage systems, operating systems and applications. Log management is the foundation for comprehensive security information and event management (SIEM), including the following use cases:

- Real-time threat detection and mitigation
- Incident investigation and forensics
- Compliance to regulations and standards
- Capacity planning, performance and uptime
- Evidence for legal and human resources cases
- Detecting and preventing IP theft
- Auditing and enforcing employee productivity
- Troubleshooting system and network problems
- Auditing and enforcing IT security policy

Developing a Log Management Capability

Well-informed organizations have recognized that log and event data can provide a wealth of intelligence information about the entire enterprise IT environment.
Especially as regulations continue to get more complex and organizations face increasingly sophisticated and targeted attacks, the need to know what is happening on your network and within your systems and applications is essential. But the volume of log data can be staggering and the retention requirements seem unmanageable. How do you get through the mountains of data to track the right events? Can you detect problems fast enough? Will you have the right information on hand for your next audit or forensic investigation? And all of this must be done efficiently and cost-effectively.

To meet this challenge, organizations must build an enterprise competency in log (event) management, which includes developing best practices, establishing an infrastructure and deploying a technology solution. To help meet this challenge, RSA has developed a series of white papers:

1. Log Management Best Practices: The Foundation for Comprehensive Security Information and Event Management
2. Building an Infrastructure that Enables Log Management Best Practices: A Technology Strategy for Comprehensive Security Information and Event Management
3. End-to-end Solutions to Enable Log Management Best Practices: Deploying a Comprehensive Security Information and Event Management Platform

The first paper in the series provides the rationale and methodology for developing best practices and puts forth RSA's set of 40 recommended best practices. The best practices address the requirements of regulations and standards, the evolving threat landscape and business objectives. The second paper takes the next logical step by guiding organizations in establishing the criteria for an infrastructure to help realize best practices and build a technology strategy for comprehensive security information and event management. It also lays out a list of infrastructure requirements in several categories of log management.

RSA White Paper 1
This third paper describes end-to-end solutions that combine security information and event management (SIEM) and tiered storage technologies based on the RSA envision platform and EMC networked storage solutions. It details how the RSA solutions meet the complete list of infrastructure requirements. Each paper can be read individually, but the three-part series offers a complete resource for developing a log management capability.

The RSA envision platform works seamlessly with EMC storage solutions for end-to-end solutions in log (event) management that incorporate an ILM strategy. By combining RSA envision with EMC Symmetrix, Clariion, Celerra, Centera and/or the EMC Disk Library storage systems, organizations can manage the huge volumes of logged data from creation to deletion in order to meet regulatory compliance, security operations and business requirements.

RSA End-to-end Solutions for Log (Event) Management

The volume of log data organizations must analyze and retain is constantly increasing, and retention periods are becoming longer. Therefore, solutions for log management must incorporate an information lifecycle management (ILM) strategy, which ensures that the data will be managed efficiently and effectively from creation to deletion. RSA provides solutions for building centrally managed, dedicated infrastructures for log (event) management which combine the RSA envision security information and event management (SIEM) platform and EMC networked storage systems. Organizations also have the option of using storage systems from other leading vendors, including integrating the RSA envision platform with existing storage systems, whether from EMC or other vendors. The RSA envision platform captures, manages and analyzes logs from across the enterprise and turns this information into actionable intelligence for compliance and security.
By combining RSA envision technology and networked storage solutions, organizations can manage the entire lifecycle of log data using a tiered storage approach, whereby logs are kept on different storage resources based on the age of and need for the data. With tiered storage, log data that requires frequent or ready access, such as production data (actively used for real-time analysis, on-going review and periodic audits and assessments), may be stored on-line. Log data not requiring as frequent or ready access, such as backup data (a mirror image of production data needed in case of compromise or damage), may be stored near-line or off-line. Active archive data (a subset of production data stored longer-term for record-keeping purposes) is also not needed as frequently and may be stored near-line. At some point, depending upon the organization's data retention and access policies, subsets of the archived data may be moved off-line.

Meeting the Requirements of an Infrastructure for Log Management

To build an infrastructure for log management that will lay the foundation for comprehensive security information and event management, an organization should consider the following categories of requirements:

- General requirements
- Log generation and capture
- Log retention and storage
- Log analysis
- Log security and protection

A detailed discussion of the requirements in each of these categories can be found in the companion paper, Building an Infrastructure that Enables Log Management Best Practices: A Technology Strategy for Comprehensive Security Information and Event Management. The following describes how RSA solutions meet the requirements in each of the categories.

I. General Requirements

1. Provides high and consistent performance

The RSA envision platform was designed to deliver high and consistent performance and match the demands of organizations from small businesses to large enterprises.
It collects, manages and analyzes All the Data from sources across the entire organization, including network devices, operating systems, back-office applications and e-commerce environments. Its ability to achieve extremely high performance levels is based on a unique database and a flexible, open architecture.

The database is an innovative approach called the LogSmart Internet Protocol database (IPDB). It was purpose-built for gathering and storing security events as quickly as possible and designed specifically to address the major limitations of SIEM technology based on relational databases. Unlike traditional relational database systems (RDBS), the LogSmart IPDB is designed to work efficiently with unstructured log (event) data in its native format and does not require pre-processing of the data upon input. With a traditional RDBS, the data must be put into structured columns; the construction of tables and other overhead slows things down. In contrast, the LogSmart IPDB uses the raw event logs themselves to form the database, with no overhead required. With the RSA envision platform, information is parsed on the way out of the database when requested instead of being parsed on the way in. This saves precious time and machine resources and allows all the data to be collected unaltered. As well, the LogSmart IPDB is highly write-optimized. Even though the number of reads will far outweigh the number of writes, by optimizing the writes, any subsequent reads will become far more efficient and save overall I/O load on the host system.

With the capability to stream log (event) data to storage and, in parallel, conduct real-time analysis, the RSA envision platform can provide the high performance necessary to satisfy even the most demanding corporate requirements.

The RSA envision platform is an appliance-based solution that provides a range of performance levels to fit with any size organization or application. The ES series of powerful stand-alone appliances is designed to sustain collection speeds of up to 7,500 events per second (EPS) and support up to 1,250 devices and 14 simultaneous users using a single appliance. The LS series of appliances takes a distributed architecture approach with collectors, database servers and application servers.
By implementing appliances at the collection, data management and analysis levels, an organization can use the building blocks to scale at each level and exactly meet its performance needs. The appliances can be scaled to achieve in excess of 500,000 EPS, collecting from over 100,000 devices. Since every application server can support up to 16 simultaneous users, the number of concurrent users can be scaled to meet even the largest organization's requirements. The distributed architecture approach enables very high levels of performance while minimizing the use of network bandwidth; data is collected and stored close to the source, rapidly retrieved by the data management level and quickly processed for analysis and reporting at the application layer.

2. Enables a distributed deployment

With RSA envision technology, multiple components including the collectors, database servers and application servers can be distributed across an organization's networks, even across the globe. Log and event data flows from the devices, systems and applications to the local data collectors, where the raw data (packaged and secured) resides permanently. Metadata (information about the data's location) is derived and stored on the database servers at the data management level for use in locating the data. Historical and trend analysis take place at the application server level. Queries are initiated by the application servers and prompt the data management level to do efficient data retrieval from the local collectors.

The RSA envision platform performs local collection, yet provides a global view of the data for analysis. Analysis can be done from anywhere in the world, regardless of where the data has been collected. Users can access the entire enterprise-wide log data set no matter where they are located. Fine-grained, role-based access control ensures that only the right people have access to the right data.
Security operations can access enterprise-wide log data for real-time correlation. Multiple modes of event alerting are supported. The high-speed deep forensic analysis enables drill-down from a high-level aggregated alert to the associated individual raw events. Compliance teams can leverage multiple years of historical event information and automatically computed baselines. Reporting pertaining to conformance to policy can be done as pre-scheduled or run-time ad hoc reports.

Organizations can also implement a federated strategy, whereby divisional data is collected, managed and analyzed by the individual divisions, while headquarters performs analysis of the enterprise-wide data for oversight purposes. In fact, the oversight capabilities enabled by the RSA envision platform can be integrated with existing deployments of RSA envision appliances or even other SIEM technology that has been deployed in a siloed approach by individual divisions.

A distributed deployment has the flexibility to meet the needs of today's large, geographically dispersed and/or dynamic organizations. The infrastructure can be mapped to any kind of organizational structure and quickly adapted to changes as systems or groups of users are added or moved. Another benefit of the RSA envision architecture is that data collection and storage is localized, so it is fast and reliable. This helps to ensure that no data is lost or corrupted and
makes regulatory compliance easier for laws that prohibit data from being physically moved to another country for processing. Data is stored locally and specific records can be selectively accessed by authorized users based on content and context. In a distributed deployment, RSA envision technology works in conjunction with EMC networked storage systems to provide for retention and retrieval of log data over a network, allowing users across the organization to have secure, role-based access to the shared storage devices containing the log data.

3. Easily integrates with existing infrastructure

The RSA envision solution was designed to be easily integrated with any organization's IT infrastructure and manageable within the context of its existing operations. Many features of the RSA envision platform make it easy to integrate. For collection, the platform provides built-in support for hundreds of source devices and tools to add any new sources on-the-fly. Because it is an agentless solution, organizations will not have to install and configure agents in order to collect data from log sources. The RSA envision platform also supports a wide range of EMC and other storage solutions and can easily be used with existing storage systems.

Because it is easy to use and manage, the RSA envision platform does not require the organization to hire specialized staff such as database or network administrators. It also does not require specialized enterprise application management or maintenance and backup tools, but instead is designed specifically to work with existing third-party tools. For incident management, it can easily integrate with current procedures and even streamline these with a built-in triage process and incident response workflow. The RSA envision platform was engineered to live within IP-based networks and is optimized for file system storage. Its distributed and flexible architecture ensures that its deployment will not negatively impact the performance of other systems or create major disruptions to operations. As well, organizations can easily implement a phased or staged rollout.

[Figure: RSA envision Platform Scalability Scenario 1. Single appliance (collect, manage, analyze) with supported devices]

4. Ensures parallel analysis and storage

The high-performance characteristics of the RSA envision platform (and specifically the RSA envision LogSmart IPDB) enable it to deliver in-line, real-time analysis that is independent of incoming EPS. It supports real-time alerts and, at the same time, reliably retains all of the log data as it is collected so that the data will be available later for compliance reporting, audits or forensic analysis.

5. Offers scalability to meet not only current needs but also future needs

Because the RSA envision platform was built specifically for high-performance capture and analysis of log data, it can easily handle the peak loads that organizations will experience, such as sudden increased activity surges in the volume of log or event data. With its flexible architecture, the infrastructure can be scaled to meet higher performance requirements over time; for example, if regulatory demands increase or the whole IT environment grows, resulting in an increase in the overall volume of log data. The RSA envision platform provides uninterrupted scalability from a single appliance to multiple-appliance deployments, supporting from 500 EPS up to over 500,000 EPS. It also provides the ability to add additional storage capacity on-the-fly, from gigabytes to terabytes to petabytes. EMC storage solutions enable organizations to cost-effectively expand capacity to petabytes of storage and to non-disruptively and automatically discover and reconfigure new drives.

[Figure: RSA envision Platform Scalability Scenario 2. Local collection with global analysis in a distributed enterprise-wide architecture (sites: New York, Boston, Paris, London)]

6. Provides a low total cost of ownership

The RSA envision platform delivers a low total cost of ownership by minimizing the costs of deployment and the impact on IT systems and staff. It can also reduce the ongoing costs of security operations and compliance. By providing out-of-the-box support for hundreds of devices, the RSA envision platform saves the organization from having to do a lot of custom work. Since it is an agentless solution, it does not require installation, configuration and on-going maintenance of agents and will not cause a drain on host devices.
As an appliance-based solution, the RSA envision platform provides a standardized and controlled combination of hardware, OS and software. Because an appliance is a controlled, secure environment with a locked-down operating system running just one application, it is immune to third-party driver conflicts, bugs, viruses and other issues that might plague a software-based solution. All of this adds up to lower costs for installation, maintenance and management. It is possible to plug the RSA envision appliance into a power source, attach it to the network and be up and running in an hour. With software-based solutions, this may take a day, a week or a month.

Storage is minimized by the LogSmart IPDB since it does not generate extraneous overhead data and provides extremely efficient compression. By enabling a tiered storage approach, RSA solutions optimize the use of storage resources. Using primary tiers (on-line storage) for production data and secondary tiers (near-line and off-line) for backup and active archive data is a cost-effective use of storage. It reduces the overall cost per MB and puts off the need to acquire additional primary storage systems. As well, the RSA envision platform can use existing storage systems, saving the cost of new systems.

Since the platform was specifically designed to be easy to deploy, manage and maintain, it will save the costs of hiring specialized staff such as database or network administrators. Organizations will also be able to forgo the purchase of specialized enterprise application management or maintenance and backup tools, and simply use existing tools. With features such as a built-in triage process and incident response workflow, it can actually reduce the costs of security operations by increasing efficiency. By automating analysis, the RSA envision platform makes it more effective and reduces real-time monitoring expenses such as personnel costs. It frees up personnel to do more productive tasks. More effective monitoring through correlation tools also reduces false positives, which can ultimately reduce downtime and increase efficiencies by enabling personnel to focus on the right threats.

Another way that this solution helps reduce costs over the long term is by helping to minimize the costs of compliance by automating reporting and reducing the time it takes to perform audits. Many out-of-the-box reports are provided for a complete range of regulations and standards, so organizations can save the costs of building these reports manually. The RSA envision platform helps organizations to have the right data and reports readily available for auditors and to be able to quickly prove that requirements are met. This helps build a sustainable compliance program.

7. Supports the retention and retrieval of evidence-grade log data

Organizations may be required to produce log records to be used as legal evidence or to meet regulatory requests for information. To be used as evidence, logs should be in the original, unaltered form. In fact, both NIST and ISO standards indicate that the organization should preserve the original log data for it to be used as evidence. As discussed earlier, the LogSmart IPDB design does not filter or otherwise transform log messages on input. This preserves the native structure of the incoming data and ensures original logs are retained in their original form. The RSA envision platform's unique process provides a non-refutable warehouse of compressed, encrypted and authenticated event log data. Each event receives a digital fingerprint to prove the chain of custody. With a Write Once Read Many (WORM) approach, once data is committed to the database, it can never be altered.

II. Log Generation and Capture

1. Enables collection of logs from any source and the addition of new sources

The RSA envision platform has built-in support for hundreds of devices across an enterprise and from all points within the infrastructure: network, security, host, applications and storage. Out-of-the-box supported devices include products by Cisco, Microsoft, EMC, Juniper, Check Point, IBM, Oracle, Symantec and many others. In addition, the RSA envision open architecture provides universal device support (UDS), an easy-to-use tool for adding new source devices, systems and applications in real time. Ideal for in-house auditing applications and for second-tier devices, UDS offers:

- A graphical user interface to add new messages
- Control over device and message classification
- Simple definition of message IDs and payload data
- Support for multiple applications running on the same host
2. Supports collection of large volumes of data

The ability of RSA envision technology to collect large volumes of data is primarily based on the design of the LogSmart IPDB. SIEM technology most often uses a general-purpose, traditional relational database engine, which is typically designed for structured data. For a relational database system (RDBS) to perform well in collecting log messages and event data, the information sent to the system must be structured. However, log messages and event data are not structured; therefore relational databases are relatively slow at log data collection. With an RDBS, query speed is also slowed because it has a more restricted write-and-read engine, so that data is locked during either writes or reads. The LogSmart IPDB does not parse log messages on input, but retains all of them in original unstructured form and retrieves and parses them only as needed on output for reporting. Taking this approach, the system can easily handle extremely high data input rates.
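The storage model just described (parse on output rather than on input), together with the per-event fingerprint and WORM retention described under General Requirements, is illustrated by the following added example. It is not RSA code; the store, the syslog sample lines and the hash-chain design are assumptions made for illustration.

```python
"""Added example, not RSA code: an append-only raw event warehouse in the
spirit of the LogSmart IPDB description. Lines are stored exactly as received,
each record carries a SHA-256 fingerprint chained to the previous one, and
parsing happens only on the way out when a query asks for fields."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample syslog lines (hosts, addresses and formats are assumptions).
SAMPLE_LINES = [
    "<34>Jan 12 10:01:07 fw01 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.1.9 PROTO=TCP DPT=445",
    "<38>Jan 12 10:01:09 app02 sshd[2212]: Failed password for admin from 10.0.0.7 port 51022 ssh2",
    "<38>Jan 12 10:01:15 app02 sshd[2212]: Accepted password for alice from 10.0.2.4 port 40011 ssh2",
]

GENESIS = "0" * 64  # fingerprint that the first record chains to


@dataclass(frozen=True)
class Record:
    seq: int          # position in the store; records are never rewritten
    raw: str          # the line exactly as collected, no filtering or transform
    fingerprint: str  # SHA-256 over previous fingerprint + raw line


def fingerprint(prev: str, raw: str) -> str:
    return hashlib.sha256((prev + "\n" + raw).encode("utf-8")).hexdigest()


def verify_chain(records: list) -> bool:
    """Re-derive every fingerprint; any edit, insertion or deletion breaks the chain."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or fingerprint(prev, rec.raw) != rec.fingerprint:
            return False
        prev = rec.fingerprint
    return True


# BSD-style syslog: <PRI>TIMESTAMP HOST TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
SRC_RE = re.compile(r"(?:SRC=|\bfrom )(\d{1,3}(?:\.\d{1,3}){3})")


def parse_syslog(raw: str) -> dict:
    """Parse-on-output: called at query time, never at collection time."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return {}
    pri = int(m["pri"])
    fields = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "msg": m["msg"],
    }
    src = SRC_RE.search(m["msg"])
    if src:
        fields["src"] = src.group(1)
    return fields


class RawEventStore:
    """Write once, read many: append() is the only way data gets in."""

    def __init__(self) -> None:
        self.records: list = []

    def append(self, raw: str) -> Record:
        prev = self.records[-1].fingerprint if self.records else GENESIS
        rec = Record(len(self.records), raw, fingerprint(prev, raw))
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        return verify_chain(self.records)

    def query(self, **wanted):
        """Yield parsed events whose fields equal all of the given values."""
        for rec in self.records:
            fields = parse_syslog(rec.raw)
            if fields and all(fields.get(k) == v for k, v in wanted.items()):
                yield {"seq": rec.seq, "fingerprint": rec.fingerprint, **fields}


def load_store(lines: list) -> RawEventStore:
    store = RawEventStore()
    for line in lines:
        store.append(line)
    return store
```

Because each fingerprint covers the previous one, verifying the chain detects a changed line as well as a removed or reordered record, which is what a chain-of-custody check needs.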
3. Performs accurate data collection

Accurate data collection can also be attributed to the LogSmart IPDB. SIEM technology based on a traditional RDBS parses the log messages in order to put the data into structured tables. With this method, it is very possible that data will be incorrectly written to the database or even be lost. The LogSmart IPDB, on the other hand, is not an RDBS and therefore will not mix up or drop log data upon input or arbitrarily discard information to fit a limited RDBMS schema. The collection layer of the LogSmart IPDB easily handles both the push methodology of UDP-based logging protocols like syslog, syslog-ng and SNMP and the pull methodology found in TCP/IP-based logging protocols, delivering 100% data capture even when capturing many tens of thousands of events per second. It uses a distributed architecture that, among other benefits, allows local log collection to continue normally even during wide area network outages.

Through the RSA envision universal taxonomy, it is easy to verify that specific events have been logged. All events collected by the RSA envision platform are classified into easy-to-understand categories. The categories can be used for creating reports, alerts and correlation rules.

III. Log Retention and Storage

1. Supports an ILM strategy whereby data is stored relative to the need for the data using tiered storage

The RSA envision platform supports an information lifecycle management strategy. The platform can be combined with networked storage solutions to manage the entire lifecycle of log data using a tiered storage approach. EMC has a continuum of scalable storage solutions to address every phase of the security information lifecycle. Combine the RSA envision platform with EMC Symmetrix, Clariion or Celerra storage systems for on-line storage of production data. The EMC Centera content-addressable storage system provides for near-line storage of active archive data or backup data.
The EMC Disk Library storage system provides for off-line storage of archive or backup data.

2. Enables a cradle-to-grave security information lifecycle management strategy

The combination of the RSA envision platform with EMC storage systems is a powerful solution for managing log (event) data from collection to storage on different tiers, and eventually deletion. Organization-defined policies for retention and disposal periods can be automatically enforced. The platform supports varying retention periods ranging from months to years and allows selective retention of logs from different applications for different time periods. Administrators can migrate logs from one storage mechanism to another, such as moving from on-line to near-line storage, and can delete logs meeting certain criteria. The RSA envision platform provides access to all of the data regardless of the particular (qualified) storage resource (EMC as well as other leading storage vendors). Administrators and reviewers can quickly access data of interest in on-line and near-line storage, and even restore data of interest found in near-line or off-line storage for analysis. With EMC technology, even after data is moved from primary storage to a digital archive, it is still active and available online. Users and applications can still access it as they always would and promote the file back to the primary storage system if needed.

3. Enables fast and fine-grained retrieval of log data regardless of where it is stored (on-line, near-line, off-line)

The RSA envision platform enables fast and fine-grained retrieval of stored log data by:

- Integrating with networked storage systems, which enable fast access to log data (rather than loading archived logs from tape)
- Using centrally managed shared storage resources so that the entire pool of log data from across the enterprise is searchable at once (rather than having to search through multiple storage systems individually)
- Not using a relational database, which is too slow to search up to petabytes of data and, because RDBS technologies merge multiple data elements together into rows or tables, cannot provide fine-grained access to the data elements
- Taking a tiered storage approach and removing infrequently accessed data from primary storage systems, helping users to find relevant data more quickly

4. Allows organizations to easily manage log data disposal

The RSA envision platform can be used with EMC storage to define and automatically enforce disposal policies. As well, EMC storage solutions can be configured to use EMC's Certified Data Erasure Service to overwrite and digitally shred information in a manner that conforms to the US Department of Defense 5220.22-M (i.e., DoD 5015.2) standard for permanently deleting digital information.
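The tiered storage approach introduced earlier and the retention, migration, restore and disposal capabilities described in this section are illustrated by the following added example. It is not RSA or EMC code; the retention periods, the hold flag and the restore window are assumptions made for illustration.

```python
"""Added example, not RSA or EMC code: a lifecycle planner for the tiered
storage approach described in this paper. Each log set is placed on-line,
near-line or off-line by age under a per-source retention policy, migrated
between tiers, restored for analysis, and disposed of when retention ends."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TIERS = ("on-line", "near-line", "off-line")
DISPOSE = "dispose"


@dataclass(frozen=True)
class RetentionPolicy:
    online_days: int    # production data, actively analyzed and reported on
    nearline_days: int  # active archive / backup, still directly accessible
    total_days: int     # retention period after which the data is disposed of


# Constructed policies for the sample; real periods come from the organization's
# regulatory and business requirements (selective retention per source type).
POLICIES = {
    "firewall": RetentionPolicy(90, 365, 7 * 365),
    "application": RetentionPolicy(30, 180, 3 * 365),
}


@dataclass
class LogSet:
    id: str
    source: str                          # key into POLICIES
    collected: date
    tier: str = "on-line"
    hold: bool = False                   # assumption: a hold blocks disposal (evidence use)
    pinned_until: Optional[date] = None  # restored data stays on-line until this date


def target_tier(policy: RetentionPolicy, age_days: int, hold: bool) -> str:
    if age_days < policy.online_days:
        return "on-line"
    if age_days < policy.nearline_days:
        return "near-line"
    if age_days < policy.total_days or hold:
        return "off-line"
    return DISPOSE


def plan_lifecycle(logsets: list, today: date) -> list:
    """Return (id, from_tier, to_tier) actions needed to enforce the policies."""
    actions = []
    for ls in logsets:
        if ls.pinned_until is not None and today <= ls.pinned_until:
            want = "on-line"  # restored for analysis; do not demote yet
        else:
            want = target_tier(POLICIES[ls.source], (today - ls.collected).days, ls.hold)
        if want != ls.tier:
            actions.append((ls.id, ls.tier, want))
    return actions


def apply_actions(logsets: list, actions: list) -> list:
    """Migrate or dispose; returns the sets that still exist."""
    moves = {set_id: to_tier for set_id, _from, to_tier in actions}
    kept = []
    for ls in logsets:
        to = moves.get(ls.id, ls.tier)
        if to == DISPOSE:
            continue  # would be handed to the storage system's erasure service
        ls.tier = to
        kept.append(ls)
    return kept


def restore_for_analysis(logsets: list, set_id: str, today: date, days: int) -> bool:
    """Promote a near-line/off-line set back to on-line for a review window."""
    for ls in logsets:
        if ls.id == set_id:
            ls.tier = "on-line"
            ls.pinned_until = today + timedelta(days=days)
            return True
    return False


def sample_logsets(today: date) -> list:
    """Constructed inventory; ages are relative to `today`."""
    def days_ago(n: int) -> date:
        return today - timedelta(days=n)
    return [
        LogSet("fw-a", "firewall", days_ago(60)),
        LogSet("fw-b", "firewall", days_ago(395), tier="near-line"),
        LogSet("app-a", "application", days_ago(1200), tier="off-line"),
        LogSet("app-b", "application", days_ago(1200), tier="off-line", hold=True),
        LogSet("app-c", "application", days_ago(46)),
    ]
```

Running the planner on a schedule and feeding its actions to the storage tiers is the automated enforcement the section describes; a set on hold is never disposed of, and a restored set is demoted again once its review window ends.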
IV. Log Analysis

1. Provides unified and comprehensive visibility of log information from across the organization

The RSA envision platform provides a single global view. Users can access and analyze All the Data aggregated from devices, systems and applications from across the entire enterprise, including all sites and geographies. This delivers a complete picture of an organization's security posture and compliance status and allows organizations to respond faster to external threats and discern internal ones.

Powerful real-time or historical analysis is displayed via an easy-to-use graphical user interface (GUI). Users can dynamically view All the Data and zoom into selected perspectives. The GUI enables a wide range of issues to be investigated simultaneously. Analysts can quickly identify problems, detect anomalous events and find and review all available related data. The GUI uses a speedometer and gauge metaphor to display important information at a glance, with more detailed data only a click away. Much of the background information is displayed as charts and graphs in the well-organized and well-designed interface. As well, the analysis and visualization tools are customizable to fit an organization's particular needs.

2. Detects significant events through correlation

The RSA envision platform provides advanced event correlation and alerting with consistent performance independent of incoming EPS. It correlates multiple events from multiple assets (devices, systems and applications) across the entire enterprise.
The correlation capabilities allow an organization to:

- Reduce false positives by correlating events from multiple devices, systems and applications
- Rank security devices and threats, allowing personnel to focus on the most critical issues; correlated threats against the most critical assets are brought to immediate attention
- Display all security alerts from all locations on a single screen
- Incorporate vulnerability data from vulnerability assessment (VA) products; VA data adds another dimension to correlation and greatly reduces false positives

The platform supports rule-based correlation, whereby advanced Boolean logic-driven correlation enables real-time evaluation against corporate policies. Anomaly-based correlation is also supported; it detects and alerts on variations from automatically computed baselines of both events and alerts.

The analysis and correlation capabilities also include asset awareness and asset prioritization. The asset database integrates with security systems such as Qualys, ISS, McAfee, nCircle and Nessus.

3. Generates alerts for all types of attacks and violations

With the RSA envision platform, events can be stored for extended periods of time. Therefore security events that happen only occasionally, such as an incorrect user or password entry from a single IP address outside the network, can be monitored and detected to ensure they are not indications of an under-the-radar break-in attempt. Along with the platform's powerful baselining, trending and watch list capabilities, the ability to monitor events over extended periods gives organizations the intelligence to detect even "low and slow" attacks that happen over long stretches of time.

The platform includes watch list alerting and reporting for efficient surveillance of specific high-risk scenarios or anticipated events. For example, the system will notify personnel when specific events occur, when sequences of events occur or when the rate of events exceeds a certain condition.
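Both correlation styles named under item 2, rule-based (here: an IDS alert checked against the vulnerability scanner's findings for the target and ranked by asset criticality, with a preceding run of firewall denies from the same source treated as reconnaissance) and anomaly-based (hourly event counts compared with a baseline computed from history), as an added example. This is a constructed illustration, not the RSA envision correlation engine; the signature names, vulnerability IDs, hosts, addresses and the thresholds are all assumptions.

```python
"""Event correlation with asset priority, VA data and baseline anomalies.

Added example, not the RSA enVision correlation engine: a constructed
illustration of the two correlation styles in the text. Rule-based: an IDS
alert is matched against the vulnerability scanner's findings for the target
host and ranked by the asset's business criticality. Anomaly-based: hourly
event counts are compared with a baseline computed from history.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int     # 1 (low) .. 5 (critical), assigned by the business
    vulns: frozenset     # vulnerability IDs reported by the VA scanner


@dataclass(frozen=True)
class Event:
    ts: int              # seconds
    source: str          # "ids" or "firewall"
    src_ip: str
    dst_host: str
    detail: str          # IDS signature name, or firewall action


# Signature metadata: which vulnerability an IDS signature's exploit targets.
# Constructed placeholder IDs, not real signature or CVE names.
SIG_TO_VULN = {"SIG-SMB-OVERFLOW": "vuln-A", "SIG-HTTP-TRAVERSAL": "vuln-B"}

RECON_DENIES = 3     # this many firewall denies from one source within ...
RECON_WINDOW = 300   # ... this many seconds before an IDS alert count as recon


def correlate(events, assets):
    """Return alerts ranked by score, highest first."""
    denies = defaultdict(list)   # src_ip -> timestamps of firewall denies
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.source == "firewall":
            if e.detail == "deny":
                denies[e.src_ip].append(e.ts)
            continue
        if e.source != "ids":
            continue
        asset = assets.get(e.dst_host)
        vuln = SIG_TO_VULN.get(e.detail)
        if vuln is None:
            verdict, base = "unverified", 2          # no VA data to check against
        elif asset is not None and vuln in asset.vulns:
            verdict, base = "confirmed", 3           # target really is exposed
        else:
            verdict, base = "likely_false_positive", 0
        recon = sum(1 for t in denies[e.src_ip] if e.ts - RECON_WINDOW <= t < e.ts) >= RECON_DENIES
        score = base + (asset.criticality if asset else 1) + (2 if recon else 0)
        alerts.append({"host": e.dst_host, "src_ip": e.src_ip, "sig": e.detail,
                       "verdict": verdict, "recon": recon, "score": score})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def baseline_anomalies(history, today, sigmas=3.0):
    """history: list of past days, each a list of 24 hourly counts; today: 24 counts.

    Flags hours whose count deviates from the per-hour baseline by more than
    `sigmas` standard deviations in either direction: a surge and a silent
    collector both matter.
    """
    flagged = []
    for hour in range(24):
        samples = [day[hour] for day in history]
        mu, sd = mean(samples), max(pstdev(samples), 1.0)   # floor avoids a zero threshold
        if abs(today[hour] - mu) > sigmas * sd:
            flagged.append(hour)
    return flagged


# Constructed sample data (documentation addresses, not real events or assets).
ASSETS = {
    "db01": Asset("db01", 5, frozenset({"vuln-A"})),
    "web01": Asset("web01", 3, frozenset()),
}
EVENTS = [
    Event(100, "firewall", "203.0.113.7", "db01", "deny"),
    Event(110, "firewall", "203.0.113.7", "db01", "deny"),
    Event(120, "firewall", "203.0.113.7", "db01", "deny"),
    Event(200, "ids", "203.0.113.7", "db01", "SIG-SMB-OVERFLOW"),
    Event(210, "ids", "198.51.100.9", "web01", "SIG-SMB-OVERFLOW"),
    Event(220, "ids", "198.51.100.9", "web01", "SIG-UNKNOWN-PROBE"),
]


def sample_history(days=14):
    """Deterministic synthetic history: busy daytime, quiet nights, small jitter."""
    return [[(500 if 8 <= h < 18 else 50) + ((7 * d + 3 * h) % 11) - 5 for h in range(24)]
            for d in range(days)]


# Today's constructed counts: a night-time surge at 03:00 and nothing at 10:00.
TODAY_COUNTS = [500 if 8 <= h < 18 else 50 for h in range(24)]
TODAY_COUNTS[3] = 400
TODAY_COUNTS[10] = 0

if __name__ == "__main__":
    for a in correlate(EVENTS, ASSETS):
        print(a["score"], a["verdict"], a["host"], a["sig"], "recon" if a["recon"] else "")
    print("anomalous hours:", baseline_anomalies(sample_history(), TODAY_COUNTS))
```

The same signature fires against db01 and web01; only the alert whose target the scanner reported as vulnerable is scored as confirmed, while the other is kept but ranked last rather than silently dropped, so an analyst can still audit the suppression. The baseline check flags a zero count as readily as a spike, which is how a dead collector shows up.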
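The watch list and long-window monitoring described under item 3, as an added example over constructed SSH login lines (not RSA envision code; the log format, thresholds, user names and addresses are assumptions). It raises an alert when a watch-listed source appears, when many failures arrive in a short burst, when a handful of failures is spread over a long window (the "low and slow" case), and when failures are followed by a successful login from the same source (a sequence).

```python
"""Watch list, burst, low-and-slow and sequence alerting over login logs.

Added example, not RSA enVision code: a constructed illustration of the
watch-list and long-window monitoring described in the text. It parses
syslog-style SSH lines (a constructed format) and raises four kinds of
alerts: a watch-listed source appears; many failures in a short burst; a few
failures spread over a long window (low and slow); failures followed by a
successful login from the same source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, outcome, user, ip) for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"])


def detect(lines, watchlist, *, burst_n=10, burst_window=timedelta(seconds=60),
           slow_n=5, slow_window=timedelta(hours=24), seq_n=3):
    """Return a list of (kind, ip) alerts, each kind at most once per ip."""
    fails = defaultdict(deque)     # ip -> timestamps of failures inside slow_window
    raised = set()
    alerts = []

    def alert(kind, ip):
        if (kind, ip) not in raised:
            raised.add((kind, ip))
            alerts.append((kind, ip))

    for ts, outcome, user, ip in parse(lines):
        if ip in watchlist:
            alert("watchlist_hit", ip)
        window = fails[ip]
        while window and ts - window[0] > slow_window:   # expire old failures
            window.popleft()
        if outcome == "Failed":
            window.append(ts)
            recent = sum(1 for t in window if ts - t <= burst_window)
            if recent >= burst_n:
                alert("burst", ip)
            # few failures, spread out: enough to matter, too slow to look like a burst
            elif len(window) >= slow_n and ts - window[0] > burst_window:
                alert("low_and_slow", ip)
        elif outcome == "Accepted" and len(window) >= seq_n:
            alert("failures_then_success", ip)
    return alerts


def _line(ts, outcome, user, ip, port):
    return f"{ts} bastion sshd[4242]: {outcome} password for {user} from {ip} port {port} ssh2"


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LINES = [
    _line("2007-10-01T00:05:12", "Failed", "invalid user admin", "203.0.113.7", 4411),
    _line("2007-10-01T03:40:01", "Failed", "root", "203.0.113.7", 4412),
    _line("2007-10-01T07:12:55", "Failed", "oracle", "203.0.113.7", 4413),
    _line("2007-10-01T11:50:09", "Failed", "backup", "203.0.113.7", 4414),
    _line("2007-10-01T16:30:30", "Failed", "root", "203.0.113.7", 4415),
    _line("2007-10-01T17:02:00", "Accepted", "backup", "203.0.113.7", 4416),
    _line("2007-10-01T09:00:00", "Failed", "root", "198.51.100.9", 5000),
] + [_line(f"2007-10-01T12:00:{i:02d}", "Failed", "root", "192.0.2.44", 6000 + i)
     for i in range(0, 30, 3)]

WATCHLIST = {"198.51.100.9"}

if __name__ == "__main__":
    for kind, ip in detect(SAMPLE_LINES, WATCHLIST):
        print(f"{kind:<22} {ip}")
```

The five failures from 203.0.113.7 are hours apart, so a rate threshold alone never fires on them; they are caught only because the per-source window spans a day, which is the point the text makes about long retention. The state kept per source is just the timestamps inside that window, so the memory cost stays bounded however long the log is.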
Time is saved by targeting monitoring to look for discrete and/or correlated anomalies. Other use cases include watching for a particular IP address that matches a list of top attacking IP addresses or watching for a particular name on a money laundering watch list.

Organizations can use the watch list capability to create alerts for potential compliance violations as they occur in real time, such as events contrary to security policy or to regulations and standards. Examples are when a user attempts unauthorized access to protected information or when an administrator initiates an unauthorized configuration change. Detecting compliance violations in real time can greatly reduce the risk of failed audits or penalties. The alerting system also helps to make personnel more productive and efficient by prioritizing and ranking events that represent significant attacks or violations.

4. Provides automated baselines

The RSA envision platform creates baselines from All the Data, providing comprehensive trends of activity and events from the organization's entire environment. Baselines are built automatically from the moment the RSA envision
appliance is connected to the network. Organizations can establish baselines of network behavior in order to perform trend analysis or trigger alerts on traffic patterns that are out of the norm. When a deviation occurs, organizations can quickly and effectively troubleshoot the issue. As baselines are established, network assets can be classified by business impact, function, importance to the organization and geographical location. Assets can be imported from network and vulnerability systems, so not only can the platform baseline that information, it can also provide detailed asset reports and correlated alerts.

5. Provides automated and customized reporting

With more than 1100 pre-built reports and custom reporting, the RSA envision platform can easily be configured to provide extensive information on a wide variety of issues, including reports for specific regulations and standards or on specific activities. Sample reports include:

- Privileged User Monitoring: Super User Activity Report
- Sarbanes-Oxley: Reports on Changes to Access Controls or Configuration Controls
- HIPAA: ePHI Access Report
- PCI: Invalid Logical Access Attempts Report

5. Facilitates incident management

Organizations worldwide are experiencing an increasing rate of incidents, so the amount of time available to analyze and respond to each incident is decreasing. The platform helps manage these incidents, including evaluating their significance and formulating a response plan. The task triage and ticketing system provides a complete incident response workflow, including flexible management and reporting of incidents, attributes and queues, as well as automated task generation and integration with major enterprise ticketing systems. With an integrated incident response workflow, operations can be simplified, staff and resources can be utilized more efficiently, and issues will be resolved faster with fewer errors.
The RSA envision platform provides the only vulnerability and asset management (VAM) solution in the industry that automatically maps event information from intrusion detection/prevention system (IDS/IPS) alerts to vulnerability intelligence through an enterprise-class platform that collects, manages and analyzes all the event and asset data. The platform incorporates vulnerability data from the National Vulnerability Database (NVD), which is regularly updated. Benefits of VAM include accurate and automatic identification of real vulnerabilities, false positive reduction, improved effectiveness of security personnel, improved security posture and reduced cost of incident management.

6. Provides extensive querying and filtering

The RSA envision platform provides a detailed view of the events that trigger security threats thanks to extensive drill-down capabilities. Security administrators can see exactly what patterns are forming on their networks and the specific IP addresses, ports, hosts, users and protocols involved in these patterns. Extensive querying and filtering capabilities and robust user interface tools all help users to search for data by any user-defined attribute.

V. Log Security and Protection

1. Protects data integrity throughout the security information lifecycle

With the RSA envision platform, log messages pass through three steps that guard them permanently against tampering: authentication, lossless compression and encryption. As well, the IPDB utilizes a Write Once Read Many (WORM) approach to the data itself, which assures that once data is committed to the database, it can never be altered. EMC storage solutions also provide WORM protection for files. This capability is designed to protect files and directories from deletion, alteration, renaming or overwriting during a designated retention period.
To meet the unique requirements of storing and managing fixed content (that is, unchanging digital assets) in an active archive storage solution, EMC Centera uses Content Addressable Storage technology, whereby classes of security information can be marked as un-erasable over a given retention period to comply with corporate and government data retention policies, or be put on litigation hold if ordered. Corporate auditors can be assured that the data retrieved from storage exactly matches what was securely written several years prior. This capability is ideal for long-retention regulatory requirements. Many EMC storage systems have successfully completed evaluation for Common Criteria certification at the EAL 2 assurance level.
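The protection chain of section V.1, authentication, lossless compression, and write-once content-addressed storage whose reads are checked against the address, as an added example. It is a constructed illustration, not the IPDB or EMC Centera code: the key, the records and the in-memory store are assumptions, and the encryption step the text also lists is left to a real cryptography library rather than imitated here.

```python
"""Authenticate, compress and store log batches write-once.

Added example, not the RSA enVision IPDB or EMC Centera code: a constructed
illustration of the protection chain in the text. Each record gets an HMAC
tag (authentication), the batch is compressed losslessly, and the result is
stored under its SHA-256 content address in a store that never alters or
deletes an object. Encryption at rest, which the text also lists, belongs to
a real cryptography library and is not shown here.
"""
import hashlib
import hmac
import json
import zlib


class IntegrityError(Exception):
    """Stored data does not match what was written."""


class WormStore:
    """Content-addressed, write-once object store (in memory for the example)."""

    def __init__(self):
        self._objects = {}

    @staticmethod
    def address(blob: bytes) -> str:
        return hashlib.sha256(blob).hexdigest()

    def put(self, blob: bytes) -> str:
        addr = self.address(blob)
        # Same content, same address: a repeated write is a no-op, never an overwrite.
        self._objects.setdefault(addr, blob)
        return addr

    def get(self, addr: str) -> bytes:
        blob = self._objects[addr]
        # Re-derive the address on read: any change to the stored bytes is detected.
        if self.address(blob) != addr:
            raise IntegrityError(f"object {addr[:12]} altered in storage")
        return blob

    def delete(self, addr: str):
        raise PermissionError("WORM: objects cannot be deleted during their retention period")


def seal_batch(records, key: bytes) -> bytes:
    """Tag each record with an HMAC under `key`, then compress the batch."""
    tagged = [{"msg": r, "mac": hmac.new(key, r.encode(), "sha256").hexdigest()} for r in records]
    return zlib.compress(json.dumps(tagged).encode())


def open_batch(blob: bytes, key: bytes) -> list:
    """Decompress and verify every record's tag; refuse the batch on any mismatch."""
    out = []
    for t in json.loads(zlib.decompress(blob)):
        expected = hmac.new(key, t["msg"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, t["mac"]):
            raise IntegrityError("record tag mismatch: " + t["msg"][:40])
        out.append(t["msg"])
    return out


def stored_matches(store: WormStore, addr: str, key: bytes, records) -> bool:
    """The auditor's check: what comes back from storage equals what was written."""
    try:
        return open_batch(store.get(addr), key) == list(records)
    except (IntegrityError, KeyError):
        return False


# Constructed sample batch and key (not real logs or a real secret).
KEY = b"constructed-demo-key"
RECORDS = [
    "2007-10-01T12:00:00 fw01 deny tcp 203.0.113.7:4411 -> 10.0.0.5:445",
    "2007-10-01T12:00:03 db01 login failed user=backup from=203.0.113.7",
]

if __name__ == "__main__":
    store = WormStore()
    addr = store.put(seal_batch(RECORDS, KEY))
    print(addr, stored_matches(store, addr, KEY, RECORDS))
```

The two checks cover two different threats: the content address catches anyone who alters stored bytes in place, and the per-record HMAC catches anyone who can write a replacement object but does not hold the key. The key therefore has to live with the collector, not with the storage administrators, or the second check proves nothing.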
2. Controls access to log data

The RSA envision platform provides fine-grained, role-based access control to ensure that only authorized users have access to the particular data they need to do their job. For example, each device's data is stored separately within the IPDB. Access can be granted on a per-device and per-analysis-tool basis to individuals or groups.

3. Provides for high availability, including for log collection, analysis and storage

Several features of the RSA envision platform help provide high availability for log collection, analysis and storage. Planned or unplanned downtime of collection services can lead to the loss of critical event log information. The platform provides a high availability feature set for collection services which includes support for automatic failure detection, quick fail-over, transparent recovery and active/standby operation, with optional high availability configurations. These features help to significantly reduce the risk of data loss and negative business impact through uninterrupted data collection, and provide greater flexibility and less operational impact from scheduled system downtime.

High availability has been built into the architecture of the RSA envision LS series of appliances; users can set up and receive alerts as well as run reports from any site in the distributed domain. As well, through features such as redundant switch architecture and network interface teaming, the LS series of appliances supports high availability networking. All ES and LS appliances have been hardened according to the NSA Gold Disk standard, meeting the Security Technical Implementation Guide (STIG) for secure servers. As well, the appliances have redundancy built into the hardware, such as redundant power supplies.

EMC storage solutions provide capabilities designed to support disaster recovery and business continuance operations, including:

- Redundant hardware components.
To help protect against the loss of data and system downtime, EMC storage solutions provide redundancy for many key hardware components, including power supplies, connections to storage systems and network connections.
- Backup. The systems support sophisticated data backup techniques that, among other things, allow information to be archived to tape and other media in a manner that minimizes the impact on system performance.
- Notifications. The solutions can be configured to automatically provide a variety of detailed notifications to system administrators when components are failing or when the system otherwise requires the administrator's attention, in order to prevent potential system downtime and/or data loss.

Conclusion

Developing a log (event) management capability has reached the top of the agenda for many organizations around the globe, from small businesses to large enterprises. As organizations strive to develop log management best practices, establish infrastructure requirements and deploy solutions, RSA is helping organizations around the world to meet these challenges. As detailed in this paper, the features of RSA solutions map to the complete range of requirements for a centrally managed, dedicated infrastructure for log management, from high performance and scalability to accurate collection and advanced analytics. One of the most important aspects of such an infrastructure is that it incorporates an information lifecycle management (ILM) strategy for log data. With the combination of the RSA envision platform and EMC networked storage solutions, organizations can manage the huge volumes of logged data from creation to deletion in order to meet regulatory compliance, security operations and business requirements.

About RSA

RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle.
RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and to manage security information and events to ease the burden of compliance. For more information, please visit www.rsa.com and www.emc.com.

RSA, envision, LogSmart, All the Data and the RSA logo are registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC, Symmetrix, Clariion, Celerra and Centera are registered trademarks or trademarks of EMC Corporation. All other products or services mentioned are trademarks of their respective owners. © 2007 RSA Security Inc. All rights reserved.

RSA White Paper LMBP3 WP 1007