TRANSITIONING FROM RSA ENVISION -> RSA SECURITY ANALYTICS
Matthew Gardiner, RSA
Steve Garrett, RSA

Agenda
• Why RSA Security Analytics
• Key dates & financial incentives
• Planning & executing a transition
Focused on the Challenge of Advanced Threats
Compliance as an outcome of effective security controls
What makes an advanced threat different:
1. Targeted: a specific objective
2. Interactive: human involvement
3. Stealthy: low and slow
Attack timeline: system intrusion -> attack begins -> cover-up -> discovery -> leap frog attacks -> cover-up complete
• Dwell time: from attack begins until the attack is identified
• Response time: from attack identified until response
Two goals:
1. Decrease dwell time
2. Speed response time
Key Part of an Incident Response Solution
Detect / Investigate / Respond
• RSA Security Analytics: Analytics and Warehouse, fed by RSA Live Intelligence
• RSA Archer for Security Operations: asset context, incident management, vulnerability risk management, security operations management
• RSA ECAT: endpoints
• RSA Data Discovery enabled by RSA DLP: Windows clients/servers, SharePoint, file servers, databases, NAS/SAN
• RSA Live Intelligence: threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom actions
Innovating Security Monitoring to Better Address Advanced Threats
Requirement: Scale and performance
• Traditional SIEM tools: difficulty scaling, performance too slow to react fast enough
• RSA Security Analytics: queries that used to take hours now take minutes; 30K EPS, peak 80K+
Requirement: Analytical firepower
• Traditional SIEM tools: not real time, mostly a collection of rules to detect “known knowns”
• RSA Security Analytics: pivot across TBs of data, real-time & long-term investigations, detects “unknown unknowns”
Requirement: Visibility
• Traditional SIEM tools: logs/events only, limited scope, summary activity only
• RSA Security Analytics: logs/events & packets, pervasive visibility, 350+ log sources
Requirement: Intelligence
• Traditional SIEM tools: at best minimal intelligence, not operationalized
• RSA Security Analytics: operationalized and fused with your data, retroactive queries
Most Requested Enhancements for enVision, All Addressed in RSA Security Analytics
Log Collection
• 2k Message Restriction
• Credential Management
• Event Source Bulk Import/Export
• i18N Support
Reporting
• Enhanced Charting Options
• i18N Support
• Multiple Data Source Support
Correlation
• Enriched Correlation Data
• Support for SQL Constructs and Pattern Matching
• Customizable Notification Text
Key Dates
• In Q1 2013 RSA enVision ES/LS was released on a new hardware appliance (Dell 620s), the same hardware as RSA Security Analytics
• “60-Series” Dell 2950-based enVision ES/LS reaches end of support life on December 31, 2013
• “60-Series” Dell 710-based enVision ES/LS has no EOSL yet
• RSA enVision 4.1 has no EOSL yet
• All current support information will continue to be updated here as it becomes available: http://www.emc.com/support/rsa/eops/siem.htm
Financial Incentives
• RSA enVision customers can acquire RSA Security Analytics for Logs using Tech Refresh pricing
• Essentially the cost of the new hardware (appliances & storage)
• Pay only SA maintenance, but receive support for both
• Simultaneous use of enVision & SA is assumed during migration
• Any unused enVision maintenance can be applied to SA maintenance at the time of purchase
• RSA enVision customers can also acquire Dell 620-based enVision at Tech Refresh pricing
Transition Overview
• Phase 1: install, config, log ingest, packet ingest, incident detection
• Phase 2: reports, alerts, complex event processing, compliance
• Phase 3: Archer, AIMS, ACI, business context
Transition Strategy – Phase 1
Goal: Get data into the platform to enable incident detection
• Begin moving data into Security Analytics (logs and/or packets)
• Start building your team’s skills and knowledge with the product on day one
• Become familiar with the power and flexibility of Security Analytics’ normalized meta data framework
• Subscribe to RSA Live threat intelligence feeds for best-in-breed detection
• Integrate the incident detection capabilities of the platform with your incident response team
• Investigator and Reporter interact with the Concentrator to provide visibility into data on the wire in near real time
Phase 1 Topology
• Multiple log ingest options: remote log collection, native Z-Connector, enVision 4.1 local collectors or ES, all feeding a message queue
• Investigator interacts with the Concentrator: perform real-time, free-form contextual analysis of captured log data
• Report Engine interacts with the Concentrator: leverage out-of-the-box content for compliance use cases; live charting and dashboards
• RSA Live Intelligence: threat intelligence | rules | parsers | alerts | feeds | apps | directory services | reports & custom actions
Transition Strategy – Phase 2
Goal: Import or recreate reports and alerts to meet compliance objectives
• Run the enVision Transition Tool on your enVision stack
  • Exports various configuration elements (can be directly imported to SA as feeds)
  • Examines enVision reports and emits per-report guidance on the SA rule syntax needed
• Create reports in Security Analytics
  • Leverage the near-real-time capabilities of the Concentrator for short-term reporting and dashboards
  • Leverage the batch capabilities of the Warehouse for long-term intensive queries or for reporting over compressed data storage
• Create alerts in Security Analytics
  • Leverage Event Stream Analysis
Phase 2: Meet Compliance Objectives
Today
• Warehouse: MapR Hadoop powered warehouse; Lucene (text search)
• Archiving storage
• Correlation & ESA
Future
• Warehouse: MapR Hadoop powered warehouse; future advanced analytics capabilities; Lucene (text search)
• Archiving: archiving storage (lower cost); indexing and compression (via separate archiver)
• Correlation & Event Stream Analysis
• RSA Live Intelligence: threat intelligence | rules | parsers | alerts | feeds | apps | directory services | reports & custom actions
......to SA 10.x with SAW
Tap/Span/Log feed into the Security Analytics appliance, then into the Security Analytics Warehouse (SAW) nodes 1–3:
1. Capture, process & store: raw data (logs only) sent from the Decoder; meta data (packets & logs) sent from the Concentrator
2. Index & direct query: raw (logs only) and meta (sessions and logs) held on the Warehouse nodes
3. Distributed query and data analytics: query from SA (HiveQL)
Analytics Warehouse Reporting (chart)
*** Preliminary lab results, with one simple rule and unconstrained I/O
Analytic Concepts
Batch Analytics
• “Need to conduct long term analysis and discover patterns and trends therein”
• Compute intense, long-term visibility
• Incident response, advanced threat analysis, machine learning
Stream Analytics
• “Give me the speed and smarts to discover and investigate potential threats in near real time”
• Real-time, short-term visibility
• SOC operations, rapid decision making
Transition Strategy – Phase 3
Goal: Integrate Security Analytics with your ecosystem
• Archer integration options: incident management, asset information
• ECAT
Asset Context
Asset intelligence from the RSA Archer SOM asset list, CMDBs, DLP scans, etc.:
• IT info: device type, device IDs, content (DLP) category, IP/MAC address, device owner
• Business context: business owner, business unit, process, RPO / RTO, criticality rating
Passed to RSA Security Analytics as asset intelligence: IP address, criticality rating, business unit, facility
Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.
Asset Information in Security Analytics
• Helps analysts better understand risk
• To prioritize investigation & response
• Asset criticality represented as metadata
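An added illustration of the two asset-context slides above (constructed example, not RSA code): Archer-style asset attributes are attached to SA alerts as extra metadata and then used to order the analyst's queue. The asset list, alert fields and weights are all assumptions.

```python
"""
Constructed illustration of asset criticality as alert metadata.
Asset records mimic the Archer fields named on the slide (criticality
rating, business unit, facility); alerts are constructed samples.
"""

# Constructed asset list of the kind the slide says comes from Archer/CMDB.
ASSETS = {
    "10.1.1.10": {"criticality": "High", "business_unit": "Finance", "facility": "HQ"},
    "10.1.2.20": {"criticality": "Low", "business_unit": "Lab", "facility": "Remote"},
}

# Assumed weights for the criticality rating (hypothetical scale).
CRIT_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


def enrich(alert):
    """Return a copy of the alert with asset context added as 'asset.*' metadata.

    Hosts missing from the asset list get criticality 'Unknown' rather than
    being silently treated as low value.
    """
    asset = ASSETS.get(alert["ip.dst"], {"criticality": "Unknown"})
    return {**alert, **{"asset." + k: v for k, v in asset.items()}}


def priority(alert):
    """Rule severity scaled by asset criticality.

    'Unknown' is weighted like Medium so unclassified assets are reviewed,
    not pushed to the bottom of the queue.
    """
    weight = CRIT_WEIGHT.get(alert["asset.criticality"], CRIT_WEIGHT["Medium"])
    return alert["severity"] * weight


def prioritize(alerts):
    """Enrich every alert and return them highest priority first."""
    return sorted((enrich(a) for a in alerts), key=priority, reverse=True)


# Constructed sample alerts: severity is the rule's own score (1-5).
SAMPLE_ALERTS = [
    {"rule": "brute force", "ip.dst": "10.1.2.20", "severity": 5},
    {"rule": "beacon", "ip.dst": "10.1.1.10", "severity": 3},
    {"rule": "new admin", "ip.dst": "10.9.9.9", "severity": 4},
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ALERTS):
        print(priority(a), a["rule"], a["asset.criticality"])
```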
Incident Management for Security
Business & security users
• RSA Archer: manage workflows, provide visibility, group alerts
• RSA Security Analytics: capture & analyze NW packets, logs & threat feeds; alerts based on rules
Seamless Investigations with RSA ECAT and RSA Security Analytics
• RSA ECAT: identify suspicious network traffic on the host
• RSA Security Analytics: complete network and host visibility; directly query RSA SA for detailed network analysis; faster investigations to shorten attacker dwell time
Converting from enVision ES
• ES-560, ES-1060, ES-1260 (enVision ES box) -> SA All-in-One Appliance
• ES-2560, ES-3060 (enVision ES box) -> SA All-in-One Appliance + SA Direct Attached Capacity (optional)
• ES-5060, ES-7560 (enVision ES box with enVision Direct Attached Storage) -> SA All-in-One Appliance + SA Direct Attached Capacity
Converting from a small enVision LS
Before: A-SRV, D-SRV, LC05, RC01
After:
• Analytics Server
• Hybrid, up to 10k EPS
• Security Analytics Warehouse nodes (a 3-node cluster holds 6k average EPS for 2 years)
• High Density DAC, as needed
• LC05
Converting from a large enVision LS
Before: A-SRV, D-SRV, RC01, RC02 + LC05, LC10
After:
• Analytics Server
• Broker
• Decoder
• Concentrator, up to 30k EPS, with Concentrator DAC
• Security Analytics Warehouse nodes (a 3-node cluster holds 6k average EPS for 2 years)
• High Density DAC, as needed
Transition Tools
Tools to minimize transition time
• Collects
  • Reports for creation in SA
  • Watchlists for creation in SA
  • Collection configuration information from the enVision configuration database
  • Device groups
  • Manage monitored devices “meta”
• Converts
  • Fields in enVision reports to corresponding SA meta
  • Numerical items in enVision reports to corresponding names, e.g. dtype 186 = Microsoft ACS
• Export in CSV format for import into SA
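An added sketch of the conversion step the Transition Tools slide describes (illustrative code, not RSA's tool): enVision report fields and numeric device-type codes are mapped to SA names, a per-report guidance record lists anything that could not be mapped, and a watchlist is written as CSV for feed import. Only dtype 186 = Microsoft ACS comes from the slide; the other codes, the field-to-meta table and the rule syntax are assumptions.

```python
"""
Illustrative enVision -> SA conversion helpers (not RSA's Transition Tool).
"""
import csv
import io

# Numeric device type -> name. 186 = Microsoft ACS is the slide's example;
# 999 is a constructed placeholder, not a real enVision code.
DTYPE_NAMES = {186: "Microsoft ACS", 999: "Example Firewall (placeholder)"}

# enVision report field -> SA meta key. Hypothetical mapping for illustration.
FIELD_TO_META = {"SourceIP": "ip.src", "DestIP": "ip.dst", "UserName": "user.dst"}


def convert_report(report):
    """Translate one enVision report definition into SA terms.

    Returns the SA meta keys to select, an assumed-syntax rule condition for
    the report's device types, and a 'todo' list of unmapped fields and
    unknown codes, mirroring the per-report guidance the slide mentions.
    """
    meta_keys, todo, names = [], [], []
    for field in report["fields"]:
        if field in FIELD_TO_META:
            meta_keys.append(FIELD_TO_META[field])
        else:
            todo.append(f"no SA meta mapping for field '{field}'")
    for code in report.get("dtypes", []):
        name = DTYPE_NAMES.get(code)
        if name is None:
            todo.append(f"unknown device type code {code}")
        else:
            names.append(name)
    # Rule syntax is an assumption here; the real tool emits its own guidance.
    condition = " || ".join(f"device.type = '{n}'" for n in names) or "(none)"
    return {"name": report["name"], "meta": meta_keys,
            "condition": condition, "todo": todo}


def watchlist_to_csv(name, entries):
    """Serialise an enVision watchlist as CSV rows for a feed import.

    Duplicates are dropped while preserving order so the feed stays clean.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["value", "watchlist"])
    for value in dict.fromkeys(entries):
        writer.writerow([value, name])
    return buf.getvalue()
```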
Conclusion & Next Steps
• Migration is something you can start now, but enVision 4.1 remains supported
• Parallel operation with RSA Security Analytics is often ideal
• Work with your RSA account team/partner/professional services to come up with a plan for you
• Keep track of RSA enVision key support dates here: http://www.emc.com/support/rsa/eops/siem.htm