RSA enVision 4.

0 Overview Guide

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement
This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Limit distribution of this document to trusted personnel.

RSA notice
The RC5 Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and #5,835,600.

2010 RSA Security Inc. All rights reserved. January 2010

RSA enVision 4.0 Overview Guide

Contents
Preface................................................................................................................................... 5
About This Guide................................................................................................................ 5 RSA enVision Documentation............................................................................................ 5 Related Documentation....................................................................................................... 5 Getting Support and Service ............................................................................................... 5

Chapter 1: About RSA enVision ............................................................................ 7

RSA enVision Solution....................................................................................................... 7 RSA enVision Platform ...................................................................................................... 8 User Experience .................................................................................................................11

Chapter 2: Event Collection ................................................................................... 13

Event Sources.................................................................................................................... 13 Message Categories........................................................................................................... 13 Event Storage .................................................................................................................... 14

Chapter 3: Vulnerability and Asset Management ..................................... 15

Asset Data ......................................................................................................................... 15 Vulnerability Data............................................................................................................. 15

Chapter 4: Incident Management ........................................................................ 17

Real-Time Alerts............................................................................................................... 17 Incident-Response Tasks................................................................................................... 20 Forensic Analysis.............................................................................................................. 21

Chapter 5: Reports and Queries.......................................................................... 25

Reports .............................................................................................................................. 25 Queries .............................................................................................................................. 26

Chapter 6: Compliance.............................................................................................. 29 Chapter 7: Further Information and Assistance........................................ 31

Help Systems..................................................................................................................... 31 Online Resources .............................................................................................................. 32 Event Source, Report, Correlation Rule, and VAM Updates ........................................... 33 Assistance.......................................................................................................................... 34

Contents

RSA enVision 4.0 Overview Guide

Preface
About This Guide
This guide introduces RSA enVision features and capabilities. The intended audience for this guide includes enVision administrators, enVision users, or anyone who requires a high-level understanding of enVision.

RSA enVision Documentation

For more information about RSA enVision, see the following documentation: Hardware Guide. Instructions on setting up your RSA enVision appliances. Intended audience is the system administrator. Configuration Guide. Instructions on configuring your RSA enVision site. Intended audience is the system administrator. Migration Guide. Instructions on migrating your data from a previous version of RSA enVision to the current version. RSA enVision Help. Comprehensive embedded guide to setting up RSA enVision processing options and using RSA enVision analysis tools.

Related Documentation
For more information about RSA enVision Event Explorer, see the following documentation: Installation Guide. Instructions on installing the RSA enVision Event Explorer client on your personal computer. Intended audience is the end user. RSA enVision Event Explorer Help. Comprehensive embedded guide to setting up and using RSA enVision Event Explorer.

Getting Support and Service

RSA SecurCare Online Customer Support Information RSA Secured Partner Solutions Directory https://knowledge.rsasecurity.com www.rsa.com/support www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.

Preface

RSA enVision 4.0 Overview Guide

The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA enVision software. Please have the following information available when you call: Your RSA Customer/License ID RSA enVision software version number The make and model of the machine on which the problem occurs The name and version of the operating system under which the problem occurs

Preface

RSA enVision 4.0 Overview Guide

About RSA enVision

The RSA enVision platform is a security information and event management (SIEM) solution. It collects log messages and vulnerability and asset data from the entire IT network, applies logic to the data, and provides actionable information in the form of reports and real-time alerts.

Inputs
Log Messages Vulnerability Scans

RSA enVision
Interprets Analyzes Stores

Outputs
Alerts Reports

RSA enVision Solution

RSA enVision gives users a single, integrated SIEM solution for meeting the following business needs: Enhanced security Simplified compliance Optimized IT oversight

Enhanced Security
RSA enVision provides security specialists with a clear view of threats and risks and the means to counter them. RSA enVision collects all the logs generated by network assets, such as servers, switches, routers, storage arrays, operating systems, and firewalls. It analyzes the logs in real time, and can generate alerts when it detects suspicious patterns of activity. Because enVision contains information about common threats, it detects many common security attacks. In addition, enVision contains data from supported configuration management systems and asset scanners. Using this data, enVision recognizes the asset under threat and calibrates the urgency of the alert. Security staff can then use RSA enVision Event Explorer, an advanced analytical tool, to examine the full volume of stored and incoming data.

1: About RSA enVision

RSA enVision 4.0 Overview Guide

Simplified Compliance
RSA enVision eases the burden of complying with regulations, standards, and an organizations own policies. It enables event monitoring and incident response, and includes compliance reports tailored to specific requirements. For example, enVision provides reports for demonstrating compliance with laws (such as the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act) and with industry standards (such as the Payment Card Industry Data Security Standard and ISO 27002). RSA enVision automates the process of collecting, sorting, analyzing, and storing log messages. All logs are gathered without filtration or normalization and are protected from tampering. Compliance specialists can find in the stored logs a complete accounting of network activity. RSA enVision thus provides a verifiably authentic archive of data that simplifies compliance with todays requirements and with whatever legislation may emerge in the future.

Optimized IT Oversight
Managed log data is the best source of information about infrastructure status and performance and the activities of applications and users. RSA enVision can alert IT staff in real time to faulty equipment and anomalous network activity, as well as provide granular visibility into the specific behaviors of applications and end users. Its incident-handling facilities manage the creation and assignment of remediation tasks to administrators and help desk personnel and assist in tracking their progress. In addition, the enVision baselining, trending, and reporting functionality provides a long-term graphical overview of system performance and events.

RSA enVision Platform

RSA enVision scales from a single appliance to a large, distributed, multiple appliance system. In all deployments, authorized users can use enVision to find all the logs and other data.

Platform Components
RSA enVision consists of the following integrated components, each with a specialized function: Collector. Receives and interprets log messages from network assets, and stores this event data in the LogSmart Internet Protocol Database (IPDB). (RSA refers to these processed log messages as events.) Database Server (D-SRV). Retrieves event data from the IPDB in response to user requests. Application Server (A-SRV). Runs the applications that enable user and administrator actions, such as creating users, querying the data, and directing enVision to generate alerts and reports. Users and administrators can log on to the enVision user interface through a web browser on their personal computers.

1: About RSA enVision

RSA enVision 4.0 Overview Guide

Event Explorer. A client application that is specialized for incident handling and forensic analysis. Event Explorer runs on users personal computers and connects to enVision to access the collected data. The following figure illustrates the enVision components, their functions, and the connections among them.

Platform Deployments
RSA enVision runs on a standalone appliance or within a scalable, distributed architecture able to cope with the demands of the largest enterprise networks. The simplest deployment has the enVision components (Collector, D-SRV, and A-SRV) preinstalled in one appliance. It can be supplemented with external storage. Depending on the model, a single enVision appliance supports up to 14 simultaneous users. The high-end appliance can, with external storage, accommodate up to 1,250 event sources.

1: About RSA enVision

RSA enVision 4.0 Overview Guide

For larger deployments, the Collector, D-SRV, and A-SRV are each installed on a separate appliance and supplemented with network-attached storage. The appliances are collectively referred to as a site. A site has a single D-SRV appliance supporting multiple A-SRV appliances and Collector appliances, including Collectors in remote geographic locations.

Site 1
A-SRV A-SRV

D-SRV

Site 2

Collector

Collector

Collector

Logs

Logs

Logs

Event Sources

Event Sources

Event Sources

In this distributed deployment, each A-SRV can accommodate 16 simultaneous users. A single site can accommodate up to 6,144 event sources. The largest deployments include several sites, each supporting multiple A-SRVs and Collectors. For information on enVision deployments, contact your RSA sales representative, or go to www.rsa.com/products/envision/datasheets/9245_3in1_DS_0209-lowres.pdf.

10

1: About RSA enVision

RSA enVision 4.0 Overview Guide

User Experience
Users and administrators control enVision and Event Explorer through graphical user interfaces (GUIs). The enVision administrator creates users and user groups with varying levels of permissions, and each user sees only the operations for which permission has been granted.

RSA enVision GUI

All pages of the enVision GUI show the navigation tools in the left panel and the current window on the right. The landing page is the Dashboard. Each user and administrator can configure a personal dashboard that shows his or her choice of reports. The navigation tree on the left is expanded at startup to show the available reports and those selected for display. For example, the following figure shows an enVision landing page with the expanded navigation tree (Overview > Dashboard) on the left and the Dashboard window configured to show several graphical and tabular reports.

Tabs

Available reports

User-selected reports

Other overiew topics

To navigate the enVision GUI, select a tab at the top of the left panel: Overview, Alerts, Analysis, or Reports. The panel refreshes to display the choices available under the selected tab.

1: About RSA enVision

11

RSA enVision 4.0 Overview Guide

RSA enVision provides a comprehensive Help system with instructions for using the features on each window. When using any window in the GUI, click the question mark icon to see context-sensitive Help for that window. RSA enVision displays the Help topic for the current window in a new browser window, with the Help Table of Contents in the left panel. The left panel also displays links to a Help index and a search facility.

RSA enVision Event Explorer GUI

RSA enVision Event Explorer is specialized for performing forensic analysis and managing tasks involved in incident response. Event Explorer receives the incident-response tasks that enVision generates and enables users to analyze the data that enVision collects. The Event Explorer GUI has panels related to its two primary functions, Event Traces (for forensic analysis) and Task Triage (for handling incidents), as well as additional panels showing more details about traces and tasks. Users can display just one or multiple panels at a time.
Event Traces

Trace views Task Triage

Tasks

Event Explorer Help is available by clicking Help on the menu bar on any window. Event Explorer displays the Help Table of Contents in a new browser window. It includes an index and a search facility.

12

1: About RSA enVision

RSA enVision 4.0 Overview Guide

Event Collection
RSA enVision collects, analyzes, and stores logs from event sources throughout an organizations IT environment. The logs and the descriptive metadata that enVision adds are stored in the LogSmart Internet Protocol Database (IPDB).

Event Sources
Event sources are the IP assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. The enVision administrator configures event sources to send their logs to the Collector or configures the Collector to poll event sources and retrieve their logs. As a result, the Collector receives all system logs in their original form, without filtering, normalization, or compression.

Message Categories
The Collector is equipped with files for each supported event source. These files enable the Collector to interpret the often cryptic log messages, no matter what their format. RSA updates these files frequently to support new event sources and new log messages that event source vendors have added. RSA enVision collects syslog and it also has other collection services including NIC Windows Service, NIC FW-1 LEA Client Service, NIC File Reader Service, NIC SFTP Agent, NIC ODBC Service, and NIC Secure SDEE Collection Service. For each message, the Collector records the event source and time received, and assigns the message a numeric ID. The Collector also assigns each message to a message category that indicates the kind of action that gave rise to the message. This descriptive metadata (source, time, ID, and category) is used in configuring alerts and in retrieving events for forensic analysis. The message categories are hierarchical. The top level, called the NIC category, has ten possible values: Attacks Reconnaissance (such as port scans) Content (web content events, such as normal transactions or suspect requests) Authentication (authentication events) User (such as logon and file access) Policies (such as firewall rule events) System (hardware errors) Configuration (administrator modifications) Network (such as usage or routing errors) Other

2: Event Collection

13

RSA enVision 4.0 Overview Guide

Within NIC categories, messages are further classified by alert category and then by up to three levels of event category. For example, a log message in the Attacks category might be further categorized as Malicious Code (alert category), and further as a Worm (event category). The following figure shows a five-level message classification, as well as the syntax for specifying categories when configuring alerts or conducting analysis.

Attacks.Access.Informational .Network Based . TELNET

NIC Category

Alert Category

Event Categories

The enVision administrator uses message categories in configuring alerts. When incoming messages and possibly other criteria, such as event source or time frame, meet the conditions that the administrator has specified for an alert, the alert is triggered immediately. In addition, the categorization of log messages enables enVision to establish activity baselines, which it can use to determine whether a certain activity or level of activity is anomalous. The categorized log data is also used for alerting and reporting.

Event Storage
After enVision analyzes log messages, it stores the original log messages and their descriptive metadata in the IPDB. This method of storage has several advantages over traditional relational databases. The IPDB: Works efficiently with unstructured data without requiring preprocessing or data normalization. Optimizes retrieval based on event source, message category, event ID, and time received. Uses a write-once-read-many approach that ensures that after data is committed to the database, it can never be altered.

RSA enVision secures the data from tampering and protects it with access authentication. As a result, enVision provides a complete and verifiable repository of IT information that meets both current and future demands.

14

2: Event Collection

RSA enVision 4.0 Overview Guide

Vulnerability and Asset Management

IT assets (hosts, software systems, and other devices) have well-known vulnerabilities. RSA enVision uses this information about enterprise assets to minimize false positive alerts and to prioritize alerts. Vulnerability information also provides the contextual data that security analysts need to respond to incidents and to perform forensic analysis.

RSA enVision
Logs ADB VDB IPDB Knows Asset A and its importance Knows Asset As vulnerabilies and threats Knows events that signal an attack on Asset A

Asset A

Both enVision and RSA enVision Event Explorer have vulnerability and asset browsers that enable security analysts to access this information quickly and efficiently

Asset Data
RSA enVision maintains an Asset Database (ADB), containing information about the assets reported by one of the supported asset tracking tools (asset scanning devices). RSA enVision supplements its own information about assets by importing data from third-party asset scanners and configuration management systems. For example, enVision imports data from the QualysGuard Security and Compliance Suite. If one of these third-party scanners reports an asset that is not in the enVision ADB, enVision creates a new record for the asset and adds the available information, such as operating system, ports, and services.

Vulnerability Data
The enVision Vulnerability Knowledge Database (VDB) is an embedded repository of vulnerability information. The VDB is derived from the National Vulnerability Database of the U. S. Department of Homeland Security. The National Vulnerability Database integrates all vulnerability data from publicly available resources. It contains detailed descriptions about each current vulnerability, such as its potential impact, the type of loss it can cause, and an indication of how an attack can result in a confidentiality breach.

3: Vulnerability and Asset Management

15

RSA enVision 4.0 Overview Guide

Vulnerability and asset management features enable enVision users to configure confidence level filtering on the detected set of vulnerabilities of each scanned asset. When enVision receives event information from a supported intrusion detection system (IDS) or intrusion prevention system (IPS), it applies the confidence level filter to respond appropriately to the received information. Examples of supported IDS and IPS devices include Juniper Networks Intrusion Detection and Prevention Appliances and Cisco Intrusion Prevention Sensor. These systems continuously scan the network to detect such threats as outsiders gathering information about the assets. RSA frequently updates vulnerability information, threat signatures, and support for vulnerability scanners. Customers can download these updates to the enVision VDB.

16

3: Vulnerability and Asset Management

RSA enVision 4.0 Overview Guide

Incident Management
An incident is an event or set of events that warrants further investigation, such as a disk failure, an unexpected spike in network traffic, or the signature of a known threat. Because of the wealth of data that the RSA enVision platform automatically collects, it can be configured to recognize incidents and issue real-time alerts. The alert is the beginning of the enVision incident-management process. RSA enVision provides for closed-loop incident management, from configuring alerts, through creating and assigning response tasks, to monitoring incident response and resolution.

Real-Time Alerts
RSA enVision generates real-time alerts in response to sets of circumstances that the administrator has specified. RSA enVision analyzes all incoming events, and issues an alert immediately when the specified conditions are met. The alert is reported in the enVision GUI and can be directed to other destinations, such as e-mail, instant message, or a text file stored on the local system. An alert can also be configured to automatically generate an incident-response task.

Views
A view defines the devices, messages, correlated rules, and user-defined criteria for which enVision issues alerts. An enVision administrator creates views that specify the conditionsthe event sources, events, user-defined criteria, and correlations among criteriathat are worthy of investigation. One of the following conditions can generate an alert: A single event message, such as one reporting an asset malfunction A string within an event message, such as content that matches a configured list (referred to as a watchlist) of known spammers A specified combination of events within a given time frame, such as a series of logon attempts that suggest a possible denial-of-service attack

Within a view, an administrator can specify filters and thresholds, such as a percentage increase of activity above the baseline, to rate the severity of the events and focus on those of highest priority. Views can also use watchlists, which filter events by string, IP address, port, protocol, or regular expressions. An administrator can also configure the view to send various alerts using specific protocols such as SNMP, e-mail, instant message, or text file. These configuration settings are called output actions. Another possible output action is the automatic generation of an incident-response task. Each view specifies the users who are permitted to monitor the alerts generated for that view.

4: Incident Management

17

RSA enVision 4.0 Overview Guide

Correlated Alerts
Views frequently include correlation rules for alerts. A correlation rule specifies a set of events within a time period and a set of conditions that will generate an alert. The correlation rule includes a message ID and message text for the alert. For example, the following figure illustrates the logic of a correlation rule for recognizing a threat.
Specified time period Defined set of events
Cisco Cisco Cisco Cisco Cisco Cisco Check PIX Firewall PIX Firewall PIX Firewall PIX Firewall PIX Firewall PIX Firewall Point Firewall-1 106001 106010 106012 106015 106016 307001 050010

Defined thresholds, filters, and conditions

When the correlation rule criteria are met, enVision generates the alert message defined in the view and sends it to the specified destination. RSA enVision provides a wide range of correlation rules that detect incidents and reduce or eliminate the risk of exposure. The enVision administrator can enhance or modify these rules to suit the environment. The set of predefined rules is continually updated and available for download from RSA.

18

4: Incident Management

RSA enVision 4.0 Overview Guide

Monitoring Alerts by Using Views

Administrators, and users with the appropriate permissions, can monitor alerts in the enVision GUI and in the destination specified in the associated view. For example, the following figure shows how the enVision GUI displays the number and severity of alerts, by NIC catagory, above the established baseline. From this window, administrators and users can drill down to display the particular alerts that have occurred and drill down further for information on the messages that triggered an alert.

Alert levels by NIC category

Alert levels by severity

Alert details

RSA enVision can also generate summary reports of alerts, such as recent alerts, alerts by category, and alert trends.

4: Incident Management

19

RSA enVision 4.0 Overview Guide

Incident-Response Tasks
RSA enVision can group events into tasks for the purpose of investigation, and assign the tasks to analysts (or to an intermediate dispatcher) for response. Analysts display and work with the tasks in RSA enVision Event Explorer. Managers and administrators can monitor the analysts progress in the enVision GUI.

Monitoring Alerts by Creating Tasks

In enVision, the administrator can specify the creation of a task based on a correlated alert. When the alert fires, enVision creates the task and sends it to Event Explorer for resolution or to an external application, such as a third-party ticketing system.

Managing Tasks in RSA enVision Event Explorer

When enVision forwards tasks to Event Explorer, Event Explorer displays a list of tasks and the details of individual tasks. Depending on the Event Explorer users permissions (as set by the enVision administrator), the user assigned to a task can acknowledge the task, view and edit task data, assign the task to another analyst, and close or delete the task. The user can also escalate the task an external application, such as a ticketing system. The external application can update tasks and send the updates back to Event Explorer.

Create

New Task Created Acknowledge Task Opened Close Escalate External Application (Ticketing System) Task escalated to external application Update Task Close Delete Delete Task Closed Reopen

Delete

Multiple users can access the same task from different Event Explorer clients. Event Explorer displays a warning message if different users attempt to make conflicting changes to the task.

20

4: Incident Management

RSA enVision 4.0 Overview Guide

Monitoring Tasks
Administrators can monitor the status of tasks in the enVision GUI, as illustrated in the following figure.

Administrators can also generate summary reports of tasks, showing such productivity metrics as departmental workload, open tasks, and time to closure.

Forensic Analysis
Many enVision features rely on real-time alerts and other dynamic information to help resolve incidents in progress. Sometimes analysts need to drill into historical (static) data to research some event that happened in the past. Research using static data is called forensic analysis. Forensic analysis can help determine a sequence of events leading to a given state of a network asset. Forensic analysis can be used when an asset fails, is attacked, or is otherwise compromised.

4: Incident Management

21

RSA enVision 4.0 Overview Guide

The following figure illustrates how events stored in the enVision IPDB can indicate suspicious activity on an event source, in this case a laptop containing sensitive data.

Event Explorer is the primary interface used for both real-time and historical data mining. Event Explorer is a client application that analysts use with enVision to retrieve and examine event data. The user must have an enVision account to use Event Explorer. Event log analysis involves logging on to the relevant Application Server and creating an event trace to retrieve specific messages. The event trace wizard (a tool within Event Explorer ) assists users in setting up and managing an event trace. An event trace specifies the messages, the event sources that generated the messages, and the time frame in which the messages were received by enVision. Users can limit the data retrieved by filtering for specific message content. Event traces display returned data in tables and charts: Standard tables and charts enable data selection without requiring users to know how to use the SQL commands that Event Explorer uses internally. Advanced tables and charts require users to enter SQL statements to define how the data is displayed, providing more control over data selection and display.

22

4: Incident Management

RSA enVision 4.0 Overview Guide

The following figure shows a standard table trace view.

RSA enVision can also display data as an area, bar, stacking bar, line, plot, or pie chart. The following figure shows a standard chart trace view.

The data displayed in tables and charts derives from actual or aggregated logs (events) and can provide a trail of events causing an asset compromise or failure.

4: Incident Management

23

RSA enVision 4.0 Overview Guide

5
Reports

Reports and Queries

Reports and queries offer complementary methods to summarize information about the event sources monitored by RSA enVision.

Reports provide convenient summaries of incidents and security-related statistics for defined time periods. Reports support incident handling, workflow process management, and auditing needs by providing essential statistics in graphs or tables. RSA enVision provides over 1200 standard reports that gather common network security and traffic analysis statistics into tables and graphs. Administrators can copy and modify these reports or create custom reports to meet specific reporting needs. Administrators and users with the appropriate permissions can create, manage, and run both scheduled and ad hoc reports. Optionally, a report can run once on a specified day or run repeatedly at specified times. RSA enVision can e-mail generated reports to departments and people who need them such as IT, human resources, the CIO office, compliance officers, and managers. RSA enVision provides reports for security, host, network, storage, and other devices. RSA enVision also provides a number of report packages to satisfy compliance needs such as Sarbanes-Oxley Act (SOX) and Health Insurance Portability and Accountability Act (HIPAA).

5: Reports and Queries

25

RSA enVision 4.0 Overview Guide

An enVision report consists of a single graph or a single table. For some purposes, a user may need more data than can be included in a single graph or table. RSA enVision can group multiple reports together so they run at the same time. The following figure shows examples of a graphical report and a tabular report.
Graphical Report

Tabular Report

Queries
Queries are similar to reports except that queries are ad hoc only. They generally execute faster, as they are intended to deal with smaller amounts of data than reports. A query returns only tabular data. Analysts might use queries in forensic analysis, for example to drill quickly into an alert or other condition discovered in RSA enVision Event Explorer or to audit some past event. Queries help users and administrators retrieve and examine any data collected by enVision. Query results can be based on IP addresses, dates and times, event message types, and other criteria. Users can generate a query in response to an alert condition appearing in Event Explorer. Queries use SQL syntax to construct statements for accessing database tables for conditions and events including: General traffic flows and events that were allowed Accesses that were denied or prevented from happening based on policy Status and health parameters URL information indicating where users have visited

26

5: Reports and Queries

RSA enVision 4.0 Overview Guide

Users can compose simple or complex queries: A simple query is a single logical statement (a single row in the Edit query table). A complex query consists of multiple statements (multiple rows in the Edit query table) logically joined using AND or OR. Multiple statements can narrow a query or extract a more accurate set of results for given criteria.

The following figure shows the Create New Query window.

Edit query

Select device group

Select time range Run the query

5: Reports and Queries

27

RSA enVision 4.0 Overview Guide

Compliance
Organizations often must comply with organizational security requirements or regulations imposed by state or federal government. RSA enVision helps meet compliance needs by monitoring and reporting on the following IT criteria used to show whether an organization is in compliance: Access control Configuration control Malicious software Policy enforcements User monitoring and management Environmental and transmissions security

RSA enVision helps organizations collect and maintain evidence of compliance in the form of reports on mandated systems. Compliance packages are sets of report templates that summarize the precise data needed by a regulatory body. RSA enVision offers the following regulatory compliance packages: BASEL IIInternational Convergence of Capital Measurement and Capital Standards Bill 198Ontario Securities Commission regulations FISMAFederal Information Security Management Act GLBAGramm-Leach-Bliley Act HIPAAHealth Insurance Portability and Accountability Act ISO 27002Best practice recommendations on information security management Memo 22Protective monitoring of UK National Infrastructure Security systems NERCNorth American Electric Reliability Council NISPOMNational Industrial Security Program Operating Manual PCIPayment Card Industry Data Security Standard SOXSarbanes-Oxley Act SAS 70Statement on Auditing Standards No. 70

6: Compliance

29

RSA enVision 4.0 Overview Guide

Further Information and Assistance

RSA provides numerous sources of additional information and hands-on assistance with deploying and using the RSA enVision platform.

Help Systems
The primary source of usage and administrative information about enVision is the Help system. Both enVision and RSA enVision Event Explorer have embedded Help systems. You can also download and view the Help separately from the products.

Locate Embedded Help

To find Help within enVision:

Do one of the following: On the enVision navigation panel, select Overview > Best Practices > Product Usage > Help to view the Help Table of Contents. On any enVision window, click the question mark icon topic that describes the current window. to view the Help

The Help is displayed in a new window.

To find Help within Event Explorer:

On any Event Explorer page, click Help to view the Help Table of Contents. The Help is displayed in a new window.

Download Stand-Alone Help

To download enVision Help:

1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online. (For registration information, see Accessing RSA SecurCare Online on page 33.) 2. Click Home > RSA enVision > Product Documentation > RSA enVision Platform 4.0 Documentation > RSA enVision 4.0 Online Help. 3. On the File Download pop-up window, click Save. 4. Specify the download destination, or accept the default. Click Save. 5. Unzip the downloaded Help files. 6. In the folder containing the unzipped Help files, click nic.htm to open the Help. The Table of Contents is displayed, with links to all the Help topics.

7: Further Information and Assistance

31

RSA enVision 4.0 Overview Guide

To download Event Explorer Help

1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online. (For registration information, see Accessing RSA SecurCare Online on page 33.) 2. Click Home > RSA enVision > Product Documentation > Event Explorer 4.0 Documentation > Event Explorer Online Help Files. 3. On the File Download pop-up window, click Save. 4. Specify the download destination, or accept the default. Click Save. 5. Unzip the downloaded Help files. 6. In the folder containing the unzipped Help files, click Event_Explorer.htm to open the Help. (If prompted to accept Active X content, click Yes.) The Table of Contents is displayed, with links to all the Help topics.

Online Resources
The RSA web site and RSA SecurCare Online, an e-support system, provide a wealth of resources for RSA customers: technical information, solutions, and support.

RSA Web Site

On the enVision product pages on the RSA web site, www.rsa.com, you can find: Descriptions of enVision, including white papers, solution summaries, data sheets, and news releases A link to the RSA enVision Intelligence Community, an active online community of enVision users, at https://rsaenvision.lithium.com/nic/user_signon A link to RSA SecurCare Online at https://knowledge.rsasecurity.com A link to a list of event sources that enVision supports at http://rsa.com/rsasecured/results.aspx?program=116

RSA SecurCare Online

Within SecurCare Online, https://knowledge.rsasecurity.com, you can access: RSA enVision Service Pack Updates A list of supported event sources (devices) and their configuration guides RSA enVision Event Source Updates (including event sources, correlation rules, and reports) RSA enVision VAM & Signature Updates Sample watchlists Technical Knowledge Base (product issues and resolution)

32

7: Further Information and Assistance

RSA enVision 4.0 Overview Guide

Product documentation for enVision and Event Explorer: RSA enVision Online Help RSA enVision Configuration Guide RSA enVision Hardware Guide RSA enVision Migration Guide RSA enVision Event Explorer Online Help RSA enVision Event Explorer Installation Guide

Accessing RSA SecurCare Online RSA SecurCare Online is available to customers who have an RSA product covered under a maintenance contract. Register with SecurCare Online from the RSA web site by selecting Support > RSA SecurCare Online e-support system > Register for RSA SecurCare Online, or go to https://knowledge.rsasecurity.com/registration.asp.

Event Source, Report, Correlation Rule, and VAM Updates

RSA is continually adding and updating event source support, reports, correlation rules, and VAM data. If you have an RSA maintenance contract, you will receive e-mail notification of these updates as soon as they become available. You can then log on to SecurCare Online and download the update packages. (The e-mail notification includes a link to SecurCare Online. For registration information, see the previous section, Accessing RSA SecurCare Online. ) Event Source Updates include files that enable the enVision Collectors to recognize additional event sources and to interpret their log messages. Updates also include files that enable the Collectors to interpret log messages that event source vendors have recently added. Event Source Updates also contain new reports, as well as new correlation rules that you can add to enVision and use when configuring correlated alerts. VAM & Signature Updates enable the enVision vulnerability and asset manager to recognize additional network assets and new vulnerabilities.

7: Further Information and Assistance

33

RSA enVision 4.0 Overview Guide

Assistance
As an enVision customer, you can get hands-on assistance in the form of technical support, training, professional services, or outsourcing to RSA partners: Technical Support. Support is available via telephone and the RSA SecurCare Online e-support service. For instructions and telephone numbers, see RSA.com > Support > Contacting Support, or go to http://rsa.com/node.aspx?id=1068. Training. RSA offers instruction in enVision administration and operations at customer sites and at RSA and EMC facilities worldwide. For courses available and information on registration, see RSA.com > Services > Training & Certification, or go to http://rsa.com/node.aspx?id=1258. Professional Services. RSA Professional Services offers end-to-end Security Information and Event Management (SIEM) services, including strategy development, solution design, enVision deployment, and staff augmentation and assistance. RSA enVision is most effective when combined with supporting policies and procedures for incident handling. RSA Professional Services can help customers to leverage their investment in the product by building out a security operations program with enVision as the core technology. For more information, see RSA.com > Services or your sales representative, or go to http://rsa.com/node.aspx?id=1243. RSA partners. RSA has business partners who specialize in SIEM using the RSA enVision platform. To explore outsourcing some or all of your organizations SIEM activities and to identify a potential source of assistance, see RSA.com > Partners > Find a Business Partner, or go to http://www.rsasecurity.com/partners/partnerfinder.asp.

34

7: Further Information and Assistance