An Introduction to SIEM (Security Information and Event Management) & RSA enVision. January 2011. Brian McLean, CISSP, Sr Technology Consultant, RSA
Changing Threats and More Demanding Regulations
- External attacks
- Malicious insiders taking financial info
- Careless users leaking IP
- Costly audit requirements
- Ever-changing business requirements
- New Web 2.0 and P2P technologies
[Diagram: network zones labelled Data Center, R&D, Executive, Financial and DMZ.]
IT Staff Feels the Pressure
- The security team lacks visibility into the IT environment.
- Raw log and event volume is overwhelming to process.
- Compliance is costly and resource-intensive.
- The real-time security posture is difficult to understand.
Issues and Needs
Issue | Need
Security team cannot see into the IT environment | Non-intrusive log collection that reaches all event sources
Overwhelming to process raw log and event volume | A complete information lifecycle management process
Real-time security posture is difficult to understand | Real-time, risk-based prioritization of events
Compliance is time-consuming | Compliance reports in minutes, not weeks
RSA enVision 3-in-1 SIEM Platform
- Simplifying Compliance: compliance reports for regulations and internal policy (reporting, auditing)
- Enhancing Security: real-time security alerting and analysis (forensics, alerting/correlation)
- Optimizing IT & Network Operations: IT monitoring across the infrastructure (network baseline, visibility)
[Diagram: the RSA enVision Log Management platform, built on a purpose-built database (IPDB), collecting from security devices, network devices, applications/databases, servers and storage.]
Simplifying Compliance: Robust Alerting & Reporting
- 1400+ reports included out of the box
- Easily customizable
- Grouped according to standards, e.g. national laws (SOX, Basel II, J-SOX), industry regulations (PCI), best practices and standards (ISO 27002, ITIL)
Enhancing Security
Support the three key aspects of security operations:
- Turn real-time events, e.g. threats, into actionable data
- Create a closed-loop incident handling process
- Report on the effectiveness of security management
"SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. This technology is used to filter incident information into data that can be acted on for the purposes of incident response and forensic analysis." Mark Nicolett, Gartner
Optimizing IT & Network Operations: identify anomalies, ease troubleshooting
[Screenshot: EMC Celerra events, System Shutdown and System Failure.]
Benefits
- Turns raw log data into actionable information
- Increases visibility into security, compliance and operational issues
- Saves time through compliance reporting
- Streamlines the security incident handling process
- Lowers operational costs
Why enVision?
Any Data, Any Scale
- Collection of any type of log data, real-time correlation, and best-in-breed scalability
Lowest TCO SIEM solution
- Appliance form factor, agentless architecture
- Flexible but simple customization
Most Complete Security Knowledge
- Comprehensive combination of event sources, correlation rules and reports
- Frequent updates to the security knowledge base
- Broad ecosystem of strategic technology partners plus front-line security and compliance expertise
Proven Solution with a large and active install base
- Installed base of more than 1600 production customers
- Active online customer Intelligence Community for shared best practices and knowledge
All from EMC/RSA
- Single strategic vendor with a strong balance sheet
- Simplified IT operations, single point of contact, and global customer support
- Integration with RSA and EMC solutions (e.g. Access Manager, Authentication Manager, Voyence, Celerra, Symmetrix)
Simplifying Compliance
Compliance challenges
- Historically, compliance processes involved dedicated resources performing multiple tasks manually and repetitively
- Data collection was long and laborious
- Valuable data was often missed or not included
- Analysis and reporting was expensive and slow, and involved multiple log collection and analysis tools
- Companies struggle to keep pace with understanding and complying with the relevant laws and regulations
A multitude of laws, rules and regulations with which an organization must comply: PCI DSS, HIPAA, internal policy, GLBA, HSPD 12, CSB 1386, FISMA, country privacy laws, COCOM, SOX, EU CDR, UK RIPA, Data Security Act, FACTA, EU Data Privacy, FFIEC, Basel II, J-SOX, IRS 97-22, NERC, NISPOM, partner rules, ACSI 33, NIST 800, state privacy laws
Automated Analysis for Simplifying the Compliance Lifecycle
RSA enVision automatically sorts event log data into the information categories required for adhering to compliance requirements:
- Access Control
- Configuration Control
- Malicious Code Detection
- User Monitoring and Management
- Policy Enforcement
- Environmental & Transmission Security
Event Taxonomy
- All 120,000+ distinct messages have been classified
- Hierarchical structure: 10 top-level categories, 250 categories in total
- Open, extensible architecture: administrators can add their own messages and categories
- Reports built on these categories are automatically updated as new devices and
Example: User taxonomy categories
User.Activity
User.Activity.Failed Logins
User.Activity.File Access
User.Activity.Known Bad Commands
User.Activity.Login
User.Activity.Login.Workstation Unlock
User.Activity.Logoff
User.Activity.Logoff.Workstation Lock
User.Activity.Normal Activity
User.Activity.Privileged Use.Denied
User.Activity.Privileged Use.Successful
User.Management
User.Management.Groups.Additions
User.Management.Groups.Deletions
User.Management.Groups.Modifications
User.Management.Groups.Modifications.User Added
User.Management.Groups.Modifications.User Removed
User.Management.Password.Expiration
User.Management.Password.Modification
User.Management.Password.Modification.Failed
User.Management.Permissions
User.Management.Users.Additions
User.Management.Users.Deletions
User.Management.Users.Disabled
User.Management.Users.Modifications
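The practical value of a hierarchical taxonomy is that a report written against "User.Activity" keeps working when a new leaf such as "User.Activity.Privileged Use.Denied" is added underneath it. The block below is an added illustration, not RSA enVision code: it classifies a handful of constructed syslog-style messages into a few of the User.* categories from the slide with an ordered pattern table, then rolls counts up the tree by dot-separated prefix. The message formats and the regexes are assumptions for the example; the real product's 120,000-message classification is far larger than this table.

```python
import re
from collections import Counter

# Constructed sample syslog-style messages (not from the original deck).
SAMPLE_LOGS = [
    "sshd[1021]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "sshd[1021]: Failed password for alice from 10.0.0.5 port 51023 ssh2",
    "sshd[1021]: Accepted password for alice from 10.0.0.5 port 51024 ssh2",
    "sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "sudo:   carol : command not allowed ; TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/sbin/reboot",
    "useradd[2201]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup",
    "usermod[2210]: add 'alice' to group 'wheel'",
    "passwd[2300]: password changed for bob",
    "userdel[2400]: delete user 'olduser'",
    "kernel: eth0: link is not ready",
]

# Ordered (pattern, category) table; the first match wins, so the more
# specific "command not allowed" rule sits above the generic sudo rule.
# Category names are taken from the deck's User.* taxonomy; only the
# branches the sample lines exercise are listed here.
RULES = [
    (re.compile(r"Failed password for"), "User.Activity.Failed Logins"),
    (re.compile(r"Accepted (?:password|publickey) for"), "User.Activity.Login"),
    (re.compile(r"^sudo:.*command not allowed"), "User.Activity.Privileged Use.Denied"),
    (re.compile(r"^sudo:.*COMMAND="), "User.Activity.Privileged Use.Successful"),
    (re.compile(r"^useradd\[\d+\]: new user"), "User.Management.Users.Additions"),
    (re.compile(r"^userdel\[\d+\]: delete user"), "User.Management.Users.Deletions"),
    (re.compile(r"^usermod\[\d+\]: add .* to group"), "User.Management.Groups.Modifications.User Added"),
    (re.compile(r"^passwd\[\d+\]: password changed"), "User.Management.Password.Modification"),
]

UNCLASSIFIED = "Unclassified"


def classify(line):
    """Return the taxonomy category for one raw message."""
    for pattern, category in RULES:
        if pattern.search(line):
            return category
    return UNCLASSIFIED


def rolls_up_to(category, query):
    """True if `category` is `query` itself or any descendant of it.

    The dot is the level separator, so "User.Activity" matches
    "User.Activity.Login" but would not match a hypothetical "User.ActivityLog".
    """
    return category == query or category.startswith(query + ".")


def count_by_category(lines, query):
    """Count messages whose category rolls up to `query`, at any depth."""
    return sum(1 for line in lines if rolls_up_to(classify(line), query))


def category_report(lines):
    """Leaf-level counts, the shape a per-category compliance report starts from."""
    return Counter(classify(line) for line in lines)


if __name__ == "__main__":
    for cat, n in sorted(category_report(SAMPLE_LOGS).items()):
        print(f"{n:3d}  {cat}")
    for q in ("User", "User.Activity", "User.Management", "User.Management.Users"):
        print(f"{count_by_category(SAMPLE_LOGS, q):3d}  rolled up to {q}")
```

Adding a new leaf category only means appending a row to RULES; every existing report that queries a parent node picks the new messages up without being edited, which is the "automatically updated" property the slide describes.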
RSA enVision and the Compliance Lifecycle
The information gathered by RSA enVision can be used to help an organization understand:
- whether it is compliant with regulations and laws
- what it needs to do to become compliant
- how to show and prove to auditors that it is compliant
- how to provide evidence on compliance that can be used in a court of law
Enhancing Security Operations
Agenda
- Detecting High-Risk Incidents
- Streamlining the Incident Handling Process
- Measuring the Value of Security Operations
Real-Time Incident Detection: Finding Incidents in a Mountain of Data
[Funnel diagram: billions of raw events, narrowed to thousands of security-relevant events, then to correlated alerts, then to dozens of high-priority events: the incidents.]
Real-Time Incident Detection
- Comprehensive log data: RSA enVision collects all log data from almost any third-party device
- Asset context: RSA enVision allows import of data about IT assets from asset management systems
What do I need to detect? | Description
Suspicious user activity | Unusual authentication or access control issues, such as multiple failed logons or unauthorized system accesses
High-risk vulnerabilities and threats | New high-risk vulnerabilities on critical assets, or likely attacks on vulnerable hosts
Suspicious network activity | Unusual deviations in network behavior, or network activity that violates policy
Real-Time Incident Detection
- Correlation rules, filters and watchlists: RSA enVision provides the ability to define correlation rules and watchlists of dynamic information
- Timely threat information: RSA enVision provides regular updates of vulnerabilities, IDS signatures, event knowledge and correlation rules
- Comprehensive correlation rules delivered out of the box, with a detailed library of background information, e.g. CRL-00011: Several Failed Logins Followed By A Successful Login / Possible Successful Brute Force Attack Detected
Use Case: Vulnerable Server Attacked
- The IDS knows the server is being attacked
- The VA scanner knows the server is vulnerable
- The configuration management database knows the server is critical
- RSA enVision correlates the three, and the analyst receives one alert: a critical, vulnerable server is being attacked
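The use case is about enrichment rather than pattern matching: the IDS event on its own is one of thousands, and it only becomes a priority when two other feeds agree about the target. The block below is an added example, not RSA enVision code, showing that join in plain Python over constructed IDS events, a constructed vulnerability-scan result and a constructed CMDB extract. Host addresses, signature names, the placeholder finding ids and the priority thresholds are all assumptions for the illustration.

```python
from dataclasses import dataclass

# Constructed sample feeds (not from the deck). The finding ids are
# placeholder labels for the example, not real advisories.
IDS_EVENTS = [
    {"src": "203.0.113.9", "dst": "10.1.1.10", "sig": "HTTP RCE attempt", "vuln": "web-rce-001"},
    {"src": "203.0.113.9", "dst": "10.1.1.20", "sig": "HTTP RCE attempt", "vuln": "web-rce-001"},
    {"src": "198.51.100.4", "dst": "10.1.1.30", "sig": "HTTP RCE attempt", "vuln": "web-rce-001"},
    {"src": "198.51.100.4", "dst": "10.1.1.30", "sig": "SMB probe", "vuln": None},
    {"src": "198.51.100.4", "dst": "10.9.9.9", "sig": "SMB probe", "vuln": None},
]
VA_SCAN = {  # host -> findings still open after the last scan
    "10.1.1.10": {"web-rce-001", "tls-weak-002"},
    "10.1.1.20": {"tls-weak-002"},
    "10.1.1.30": {"web-rce-001"},
}
CMDB = {  # host -> business criticality, 1 (lab box) .. 5 (crown jewel)
    "10.1.1.10": 5,
    "10.1.1.20": 5,
    "10.1.1.30": 2,
}


@dataclass(frozen=True)
class Alert:
    host: str
    signature: str
    priority: str
    criticality: int
    vulnerable: bool
    reasons: tuple


def enrich(event, va=VA_SCAN, cmdb=CMDB):
    """Join one IDS event with scanner and CMDB context and assign a priority."""
    host = event["dst"]
    criticality = cmdb.get(host, 1)  # unknown asset: treat as low until it is inventoried
    vulnerable = event["vuln"] is not None and event["vuln"] in va.get(host, set())
    reasons = ["IDS: " + event["sig"]]
    if vulnerable:
        reasons.append("VA: host has " + event["vuln"] + " open")
    reasons.append(f"CMDB: criticality {criticality}" if host in cmdb else "CMDB: host not in inventory")
    # All three feeds agree -> HIGH; one of them -> MEDIUM; attack only -> LOW.
    if vulnerable and criticality >= 4:
        priority = "HIGH"
    elif vulnerable or criticality >= 4:
        priority = "MEDIUM"
    else:
        priority = "LOW"
    return Alert(host, event["sig"], priority, criticality, vulnerable, tuple(reasons))


PRIORITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def correlate(events, va=VA_SCAN, cmdb=CMDB):
    """Enrich every IDS event and return alerts highest priority first."""
    alerts = [enrich(e, va, cmdb) for e in events]
    return sorted(alerts, key=lambda a: (PRIORITY_ORDER[a.priority], a.host))


if __name__ == "__main__":
    for a in correlate(IDS_EVENTS):
        print(f"{a.priority:6s} {a.host:10s} {a.signature:18s} {' | '.join(a.reasons)}")
```

The `reasons` tuple is deliberate: an analyst acting on the alert needs to see which feed contributed, and a stale scan or an incomplete CMDB shows up immediately as "host not in inventory" rather than as a silently low priority.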
Monitoring and Management: Key Metrics & Dashboards
- Network activity by category
- IDS top threats
- Incident rate
- Most vulnerable assets by severity
Summary Benefits
- Reduced risk: highest-priority issues identified, most vulnerable assets highlighted
- Increased analyst productivity: streamlined incident management process
- Improved management visibility: focus staff on the highest-risk areas
- Fully auditable process for compliance reporting
Optimizing IT and Network Operations
How SIEM helps IT & Network Managers
Analysis of event logs from the network helps IT and network operations managers:
- Optimize network performance by identifying issues and faulty equipment
- Assist IT managers with helpdesk operations by revealing what is going on in the network, providing global views of all network activity, alerting them to network problems automatically, and providing them with customised dashboards of essential information
- Gain visibility into specific behavioral aspects of individuals or groups of users
Let's look at these in more detail.
Identifying Issues & Optimizing Network Performance
Performance management
- Log events contain information on utilization and error conditions
- Example: disk space running low, high bandwidth utilization
Fault management
- Use alerts to highlight potential network problems when activity deviates from the standard baseline
- Integration with IT operations systems (e.g. EMC SMARTS) helps enable detection of and response to faults
- Example: read/write failures, power spikes, fan failure
- Generate alerts if observed activity stops on any important asset (the device or application may be down)
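Two of the fault-management alerts above are statistical rather than signature-based: "deviation from the baseline" and "activity stopped on an important asset". The block below is an added example, not RSA enVision code, showing the minimal form of both over constructed per-device hourly event counts. Device names, the counts, the three-sigma threshold and the floor on the scale are all assumptions for the example.

```python
import statistics

# Constructed per-device event counts for the previous 12 one-hour buckets
# (not from the deck), plus the count observed in the current hour.
HISTORY = {
    "core-switch-1": [120, 118, 125, 122, 119, 121, 117, 124, 120, 123, 118, 122],
    "fw-dmz-1": [300, 320, 310, 290, 305, 315, 295, 300, 310, 305, 298, 312],
    "san-array-1": [40, 42, 39, 41, 40, 43, 38, 40, 42, 41, 39, 40],
}
CURRENT_HOUR = {"core-switch-1": 0, "fw-dmz-1": 900, "san-array-1": 41, "web-1": 30}


def baseline(counts):
    """Mean and population standard deviation of the historical per-hour counts."""
    return statistics.fmean(counts), statistics.pstdev(counts)


def check_device(name, current, history=HISTORY, k=3.0):
    """Classify the current hour for one device against that device's own baseline.

    Returns one of: "no-baseline", "silent", "spike", "drop", "normal".
    """
    if name not in history:
        return "no-baseline"  # newly seen device: collect history before judging it
    mean, std = baseline(history[name])
    if current == 0 and mean > 0:
        return "silent"  # the "activity stopped on an important asset" alert
    # Floor the scale so a very steady device does not page on a one-event wobble.
    scale = max(std, 0.1 * mean, 1.0)
    z = (current - mean) / scale
    if z > k:
        return "spike"
    if z < -k:
        return "drop"
    return "normal"


def check_all(current=CURRENT_HOUR, history=HISTORY, k=3.0):
    """Run the check for every device reporting in the current hour."""
    return {name: check_device(name, n, history, k) for name, n in current.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:14s} {CURRENT_HOUR[name]:5d}  {verdict}")
```

A silent device is the case that signature rules cannot catch, because there is no event to match; it has to be found by the absence of expected volume, which is why the check is keyed on the asset and its history rather than on any single message.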
Assisting Helpdesk Operations
RSA enVision gives helpdesk operations a clearer view of the events taking place in the network:
- that affect users
- that affect hardware and software
- that affect business systems
Example use cases include:
- Creating automated activity reports on chosen assets
- Generating reports on activity relating to specific IP addresses
- Using Event Explorer to analyze historical data relating to incidents
- Alerting on detection of virus activity within the network
Assisting Helpdesk Operations to investigate user problems
The IT/network manager can run a variety of reports, each focusing on a specific question that may need to be investigated.
Example use case: IT operations in a multinational organization spent three days trying to establish why an executive could not log onto the network.
- The user had logged off, changed his password, and could not log back on
- Several IT staff looked at this problem for three days
- Eventually they ran a report on RSA enVision covering all logs for the user globally over the past six months
- Within 15 minutes they established that the manager had travelled to Singapore, had logged onto the network there, and had NOT logged off
- IT support logged the user off the network in Singapore, and the user could then log back on with the new password
Building more complex alerts: Correlated Alerts
Correlated alerts enable IT and operations staff to build more complex, customized alerts that fire only when a particular sequence of activity occurs. This lets them:
- Focus only on important issues
- Rationalize resources
- Be creative in alerting
[Diagram: events X and Y; if X and Y both occur, generate an alert.]
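The "if X and Y then alert" rule above and the out-of-the-box rule CRL-00011 from the security section (several failed logins followed by a successful login) are the same mechanism: a stateful rule that tracks a sequence per key and fires only when the second condition follows the first within a window. The block below is an added example, not RSA enVision code or its rule language, implementing that rule over constructed sshd messages. The log format, the (user, source) key, the threshold of five failures and the ten-minute window are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd messages with ISO timestamps (not from the deck).
SAMPLE_LOGS = [
    "2011-01-10T09:00:01 sshd[1021]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "2011-01-10T09:00:02 sshd[1021]: Failed password for alice from 10.0.0.5 port 51023 ssh2",
    "2011-01-10T09:00:03 sshd[1021]: Failed password for bob from 10.0.0.7 port 40001 ssh2",
    "2011-01-10T09:00:04 sshd[1021]: Failed password for alice from 10.0.0.5 port 51024 ssh2",
    "2011-01-10T09:00:05 sshd[1021]: Failed password for alice from 10.0.0.5 port 51025 ssh2",
    "2011-01-10T09:00:06 sshd[1021]: Accepted password for bob from 10.0.0.7 port 40002 ssh2",
    "2011-01-10T09:00:07 sshd[1021]: Failed password for alice from 10.0.0.5 port 51026 ssh2",
    "2011-01-10T09:00:09 sshd[1021]: Accepted password for alice from 10.0.0.5 port 51027 ssh2",
    "2011-01-10T09:10:00 sshd[1021]: Failed password for carol from 10.0.0.9 port 3001 ssh2",
    "2011-01-10T09:10:01 sshd[1021]: Failed password for carol from 10.0.0.9 port 3002 ssh2",
    "2011-01-10T09:10:02 sshd[1021]: Failed password for carol from 10.0.0.9 port 3003 ssh2",
    "2011-01-10T09:10:03 sshd[1021]: Failed password for carol from 10.0.0.9 port 3004 ssh2",
    "2011-01-10T09:10:04 sshd[1021]: Failed password for carol from 10.0.0.9 port 3005 ssh2",
    "2011-01-10T09:25:00 sshd[1021]: Accepted password for carol from 10.0.0.9 port 3006 ssh2",
    "2011-01-10T09:30:00 kernel: eth0: link is up",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse(line):
    """Extract timestamp, outcome, user and source; None for lines the rule ignores."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Fire when >= threshold failures for (user, src) precede a success within window."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])  # feeds from several collectors can arrive out of order
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps still in window
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"], "failures": len(q),
                           "first_failure": q[0], "success": ev["ts"]})
        q.clear()  # a success, alerted or not, ends the sequence
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOGS):
        print(f"possible brute force: {a['user']}@{a['src']} "
              f"{a['failures']} failures from {a['first_failure']} then success at {a['success']}")
```

In the sample, alice trips the rule, bob does not reach the threshold, and carol's five failures have aged out of the window by the time her login succeeds; widening the window to 30 minutes (see the second call in the test) turns carol's sequence into an alert too, which is the tuning trade-off these rules always carry.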
Summary: How SIEM helps IT & Network Managers
- Optimizes network performance by identifying issues and faulty equipment
- Troubleshoots network problems
- Assists IT managers with helpdesk operations by revealing what is going on in the network, providing global views of all network activity, alerting them to network problems automatically, providing them with customized dashboards of essential information, and providing a tool for detailed forensic work
- Gives IT and network operations visibility into specific behavioural aspects of individuals or groups of users
RSA enVision: Stand-alone Appliances to Distributed Solutions
[Chart: events per second (500 to 30,000 EPS) against number of devices (100 to 2,048); the ES Series appliances cover the lower range and the LS Series the upper, with the scale extending to 300,000 EPS.]
RSA enVision Deployment: scales from a single appliance
[Architecture diagram, three layers: Collect (collectors receiving events from supported devices such as Windows Server, NetScreen firewall, Cisco IPS, Juniper IDP, Microsoft ISS, Trend Micro Antivirus, plus legacy devices via UDS); Manage (baseline, correlated alerts, report, real-time forensics, interactive analysis and query, integrated incident management); Analyze (Event Explorer).]