1 / 31

TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS

TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS. Matthew Gardiner, RSA Steve Garrett, RSA. Why RSA Security Analytics Key dates & financial incentives Planning & executing a transition. Agenda. Why RSA Security Analytics?.

delano
Download Presentation

TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS Matthew Gardiner, RSA Steve Garrett, RSA

  2. Why RSA Security Analytics • Key dates & financial incentives • Planning & executing a transition • Agenda

  3. Why RSA Security Analytics?

  4. Focused on the Challenge of Advanced ThreatsCompliance as an outcome of effective security controls 1 TARGETED 2 3 SPECIFIC OBJECTIVE INTERACTIVE STEALTHY Cover-UpComplete HUMAN INVOLVEMENT LOW AND SLOW System Intrusion AttackBegins Cover-Up Discovery Leap Frog Attacks Dwell Time Response Time Response Attack Identified TIME 1 2 Decrease Dwell Time Speed Response Time

  5. Key Part of an Incident Response Solution Detect/Investigate/Respond • AssetContext • Incident • Management • Vulnerability Risk Management • Security Operations Management Windows Clients/Servers SharePoint RSA Security Analytics RSA Archer for Security Operations RSA ECAT RSA Data Discovery Enabled by RSA DLP File Servers ANALYTICS Databases WAREHOUSE NAS/SAN Endpoints RSA Live Intelligence Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions

  6. Innovating Security Monitoring to Better Address Advanced Threats RSA Security Analytics Requirements TraditionalSIEM Tools • Scale and performance Difficulty scaling, performance too slow to react fast enough • Queries that used to take hours now taking minutes - 30K EPS, peak 80K+ Analytical firepower • Not real time, mostly a collection of rules to detect “known knowns” Pivot across TBs of data, real-time & long term investigations, detects “unknown unknowns” • Visibility Logs/Events Only, Limited Scope, Summary activity only • Logs/Events & Packets, pervasive visibility, 350+ log sources Intelligence • At best minimal intelligence, not operationalized Operationalized and fused with your data, retroactive queries

  7. Most Requested Enhancements for enVisionAll Addressed in RSA Security Analytics Log Collection Reporting Correlation • 2k Message Restriction • Credential Management • Event Source Bulk Import\Export • i18N Support • Enhanced Charting Options • i18N Support • Multiple Data Source Support Enriched Correlation Data Support for SQL Constructs and Pattern Matching Customizable Notification Text

  8. Key dates

  9. Key Dates • In Q1 2013 RSA enVision ES/LS was released on new hardware appliance (Dell 620s) • Same hardware as RSA Security Analytics • “60-Series” Dell 2950-based enVision ES/LS is end of support life December 31, 2013 • “60-Series” Dell 710-based enVision ES/LS has no EOSL yet • RSA enVision 4.1 has no EOSL yet • All current support information will continue to be updated here as it becomes available: • http://www.emc.com/support/rsa/eops/siem.htm

  10. Financial Incentives

  11. Financial Incentives • RSA enVision customers can acquire RSA Security Analytics for Logs using Tech Refresh pricing • Basically is the cost of the new hardware (appliances & storage) • Only pay SA maintenance, but receive support for both • Simultaneous use of enVision & SA is assumed during migration • Any unused enVision maintenance can be applied to SA maintenance at the time of purchase • RSA enVision customers can also acquire Dell 620-based enVision at Tech Refresh pricing

  12. Planning & Executing a Transition to RSA Security Analytics

  13. Transition Overview Phase 1 Install Config Log Ingest Packet Ingest Incident Detection Reports Alerts Complex Event Processing Compliance Phase 2 Archer AIMS ACI Business Context Phase 3

  14. Packets Transition Strategy – Phase 1 Goal: Get data into the platform to enable Incident Detection • Begin moving data into Security Analytics (logs and/or packets) • Start building your team’s skills and knowledge with the Product on day one • Become familiar with the power and flexibility of Security Analytic’s normalized Meta Data framework • Subscribe to RSA Live Threat Intelligence feeds for best-in-breed detection • Integrate the Incident Detection capabilities of the platform with your incident response team • Investigator and Reporter will interact with the Concentrator to provide visibility into data on the wire in near-real time

  15. Packets Phase 1 Topology Message Queue • Multiple Log Ingest Options • Investigator interacts with the Concentrator • Perform real time, free form contextual analysis of captured log data • Report Engine interacts with the Concentrator • Leverage out of the box content for Compliance use cases • Live Charting and Dashboards Remote Log Collection Native Z-Connector enVision 4.1 Local Collectors or ES RSA LIVEINTELLIGENCE • Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions

  16. Packets Transition Strategy – Phase 2 Goal: Import or Recreate Reports and Alerts to meet Compliance Objectives • Run the enVision Transition Tool on your enVision stack • Exports various configuration elements (can be directly imported to SA as feeds) • Examines enVision reports and emits per report guidance on SA rule syntax needed • Create Reports in Security Analytics • Leverage the near-real time capabilities of the Concentrator for short term Reporting and Dashboards • Leverage the batch capabilities of Warehouse for long term intensive queries or for reporting over compressed data storage • Create Alerts in Security Analytics • Leverage Event Stream Analysis

  17. Packets Phase 2: Meet Compliance Objectives Event Stream Analysis TODAY Future • MapR Hadoop powered warehouse • Archiving storage • Correlation & ESA • Lucene(text search) Warehouse Warehouse • MapR Hadoop powered warehouse • Future advanced analytics capabilities • Lucene (text search) • Archiving storage (lower cost) • Indexing and compression (via separate archiver) • Correlation & Event Stream Analysis Archiving RSA LIVEINTELLIGENCE • Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions

  18. ......to SA 10.x with SAW Tap/Span/Log Feed Capture, process & store 1 RAW (Logs only) W Node 1 META 2 Index & direct query W (Session and Logs) Node 2 W Security Analytics Appliance Node 3 Distributed query Raw Data (logs only) sent from Decoder Meta Data (packets & logs) sent from Concentrator Query from SA (HiveQL) 3 Data Analytics

  19. Analytics Warehouse Reporting *** Preliminary lab results, with one simple rule and unconstrained I/O

  20. Analytic Concepts • Batch Analytics • “Need to conduct long term analysis and discover patterns and trends therein” • Compute Intense, long-term visibility • Incident Response • Advanced Threat Analysis • Machine Learning • Stream Analytics • “Give me the speed and smarts to discover and investigate potential threats in near real time” • Real-time, short-term visibility • SOC Operations • Rapid Decision Making

  21. Packets Transition Strategy – Phase 3 Goal: Integrate Security Analytics with your Ecosystem • Archer Integration Options • Incident Management • Asset information • ECAT

  22. Asset Context • Asset Intelligence • IP Address • Criticality Rating • Business Unit • Facility IT Info Biz Context RSA Archer SOM Asset List Device Type Device IDs Content (DLP) Category IP/MAC Add Device Owner Business Owner Business Unit Process RPO / RTO RSA Security Analytics Criticality Rating Security analysts now have asset intelligence and business context to better analyze and prioritize alerts. CMDBs, DLP scans, etc.

  23. Asset Information in Security Analytics • Helps analyst better understand risk • To prioritize investigation & response • Asset criticality represented as metadata

  24. Incident Management for Security Business & Security Users RSA Archer RSA Security Analytics Manage Workflows Provide Visibility Group Alerts Capture & Analyze – NW Packets, Logs & Threat Feeds Alerts Based on Rules

  25. Seamless Investigations with RSA ECAT and RSA Security Analytics RSA Security Analytics • Complete network and host visibility • Directly query RSA SA for detailed network analysis • Faster investigations to shorten attacker dwell time RSA ECAT Identify suspicious network traffic on host

  26. Converting from enVision ES enVision ES box SA All-in-One Appliance enVision ES box SA All-in-One Appliance ES-560 ES-1060 ES-1260 ES-5060 ES-7560 enVision Direct Attached Storage SA Direct Attached Capacity SA All-in-One Appliance enVision ES box ES-2560 ES-3060 SA Direct Attached Capacity (optional)

  27. Converting from a small enVision LS Before After A-SRV Analytics Server D-SRV LC05 Hybrid Up to 10k EPS Security Analytics Warehouse Nodes High Density DAC LC05 As needed 3 node cluster holds 6k average EPS for 2 years RC01

  28. Converting from a large enVision LS Before After A-SRV Analytics Server D-SRV Broker RC01 Decoder Concentrat Up to 30k EPS Security Analytics Warehouse Nodes RC02 + LC05 High Density DAC Concentrator DAC As needed 3 node cluster holds 6k average EPS for 2 years LC10

  29. Transition Tools Tools to minimize transition time • Collects • Reports for creation in SA • Watchlists for creation in SA • Collection configuration information from enVisionconfiguration database • Device groups • Manage monitored devices “meta” • Converts • Fields in enVisionreports to corresponding SA meta • Numerical items in enVisionreports to corresponding names • i.e. dtype 186 = Microsoft ACS. • Export in CSV format for Import into SA

  30. Conclusion & Next Steps • Migration is something you can start now • But enVision 4.1 remains supported • Parallel operation with RSA Security Analytics is often ideal • Work with your RSA account team/partner/professional services to come up with a plan for you • Keep track of RSA enVision key support dates here: • http://www.emc.com/support/rsa/eops/siem.htm

More Related