Professional Documents
Culture Documents
RSA EnVision 4.0 Overview Guide
RSA EnVision 4.0 Overview Guide
0 Overview Guide
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com
Trademarks
RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.
License agreement
This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.
Distribution
Limit distribution of this document to trusted personnel.
RSA notice
The RC5 Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and #5,835,600.
Contents
Preface................................................................................................................................... 5
About This Guide................................................................................................................ 5 RSA enVision Documentation............................................................................................ 5 Related Documentation....................................................................................................... 5 Getting Support and Service ............................................................................................... 5
Contents
Preface
About This Guide
This guide introduces RSA enVision features and capabilities. The intended audience for this guide includes enVision administrators, enVision users, or anyone who requires a high-level understanding of enVision.
Related Documentation
For more information about RSA enVision Event Explorer, see the following documentation: Installation Guide. Instructions on installing the RSA enVision Event Explorer client on your personal computer. Intended audience is the end user. RSA enVision Event Explorer Help. Comprehensive embedded guide to setting up and using RSA enVision Event Explorer.
RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.
Preface
The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.
Preface
Inputs
Log Messages Vulnerability Scans
RSA enVision
Interprets Analyzes Stores
Outputs
Alerts Reports
Enhanced Security
RSA enVision provides security specialists with a clear view of threats and risks and the means to counter them. RSA enVision collects all the logs generated by network assets, such as servers, switches, routers, storage arrays, operating systems, and firewalls. It analyzes the logs in real time, and can generate alerts when it detects suspicious patterns of activity. Because enVision contains information about common threats, it detects many common security attacks. In addition, enVision contains data from supported configuration management systems and asset scanners. Using this data, enVision recognizes the asset under threat and calibrates the urgency of the alert. Security staff can then use RSA enVision Event Explorer, an advanced analytical tool, to examine the full volume of stored and incoming data.
Simplified Compliance
RSA enVision eases the burden of complying with regulations, standards, and an organizations own policies. It enables event monitoring and incident response, and includes compliance reports tailored to specific requirements. For example, enVision provides reports for demonstrating compliance with laws (such as the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act) and with industry standards (such as the Payment Card Industry Data Security Standard and ISO 27002). RSA enVision automates the process of collecting, sorting, analyzing, and storing log messages. All logs are gathered without filtration or normalization and are protected from tampering. Compliance specialists can find in the stored logs a complete accounting of network activity. RSA enVision thus provides a verifiably authentic archive of data that simplifies compliance with todays requirements and with whatever legislation may emerge in the future.
Optimized IT Oversight
Managed log data is the best source of information about infrastructure status and performance and the activities of applications and users. RSA enVision can alert IT staff in real time to faulty equipment and anomalous network activity, as well as provide granular visibility into the specific behaviors of applications and end users. Its incident-handling facilities manage the creation and assignment of remediation tasks to administrators and help desk personnel and assist in tracking their progress. In addition, the enVision baselining, trending, and reporting functionality provides a long-term graphical overview of system performance and events.
Platform Components
RSA enVision consists of the following integrated components, each with a specialized function: Collector. Receives and interprets log messages from network assets, and stores this event data in the LogSmart Internet Protocol Database (IPDB). (RSA refers to these processed log messages as events.) Database Server (D-SRV). Retrieves event data from the IPDB in response to user requests. Application Server (A-SRV). Runs the applications that enable user and administrator actions, such as creating users, querying the data, and directing enVision to generate alerts and reports. Users and administrators can log on to the enVision user interface through a web browser on their personal computers.
Event Explorer. A client application that is specialized for incident handling and forensic analysis. Event Explorer runs on users personal computers and connects to enVision to access the collected data. The following figure illustrates the enVision components, their functions, and the connections among them.
Platform Deployments
RSA enVision runs on a standalone appliance or within a scalable, distributed architecture able to cope with the demands of the largest enterprise networks. The simplest deployment has the enVision components (Collector, D-SRV, and A-SRV) preinstalled in one appliance. It can be supplemented with external storage. Depending on the model, a single enVision appliance supports up to 14 simultaneous users. The high-end appliance can, with external storage, accommodate up to 1,250 event sources.
For larger deployments, the Collector, D-SRV, and A-SRV are each installed on a separate appliance and supplemented with network-attached storage. The appliances are collectively referred to as a site. A site has a single D-SRV appliance supporting multiple A-SRV appliances and Collector appliances, including Collectors in remote geographic locations.
Site 1
A-SRV A-SRV
D-SRV
Site 2
Collector
Collector
Collector
Logs
Logs
Logs
Event Sources
Event Sources
Event Sources
In this distributed deployment, each A-SRV can accommodate 16 simultaneous users. A single site can accommodate up to 6,144 event sources. The largest deployments include several sites, each supporting multiple A-SRVs and Collectors. For information on enVision deployments, contact your RSA sales representative, or go to www.rsa.com/products/envision/datasheets/9245_3in1_DS_0209-lowres.pdf.
10
User Experience
Users and administrators control enVision and Event Explorer through graphical user interfaces (GUIs). The enVision administrator creates users and user groups with varying levels of permissions, and each user sees only the operations for which permission has been granted.
Tabs
Available reports
User-selected reports
To navigate the enVision GUI, select a tab at the top of the left panel: Overview, Alerts, Analysis, or Reports. The panel refreshes to display the choices available under the selected tab.
11
RSA enVision provides a comprehensive Help system with instructions for using the features on each window. When using any window in the GUI, click the question mark icon to see context-sensitive Help for that window. RSA enVision displays the Help topic for the current window in a new browser window, with the Help Table of Contents in the left panel. The left panel also displays links to a Help index and a search facility.
Tasks
Event Explorer Help is available by clicking Help on the menu bar on any window. Event Explorer displays the Help Table of Contents in a new browser window. It includes an index and a search facility.
12
Event Collection
RSA enVision collects, analyzes, and stores logs from event sources throughout an organizations IT environment. The logs and the descriptive metadata that enVision adds are stored in the LogSmart Internet Protocol Database (IPDB).
Event Sources
Event sources are the IP assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. The enVision administrator configures event sources to send their logs to the Collector or configures the Collector to poll event sources and retrieve their logs. As a result, the Collector receives all system logs in their original form, without filtering, normalization, or compression.
Message Categories
The Collector is equipped with files for each supported event source. These files enable the Collector to interpret the often cryptic log messages, no matter what their format. RSA updates these files frequently to support new event sources and new log messages that event source vendors have added. RSA enVision collects syslog and it also has other collection services including NIC Windows Service, NIC FW-1 LEA Client Service, NIC File Reader Service, NIC SFTP Agent, NIC ODBC Service, and NIC Secure SDEE Collection Service. For each message, the Collector records the event source and time received, and assigns the message a numeric ID. The Collector also assigns each message to a message category that indicates the kind of action that gave rise to the message. This descriptive metadata (source, time, ID, and category) is used in configuring alerts and in retrieving events for forensic analysis. The message categories are hierarchical. The top level, called the NIC category, has ten possible values: Attacks Reconnaissance (such as port scans) Content (web content events, such as normal transactions or suspect requests) Authentication (authentication events) User (such as logon and file access) Policies (such as firewall rule events) System (hardware errors) Configuration (administrator modifications) Network (such as usage or routing errors) Other
2: Event Collection
13
Within NIC categories, messages are further classified by alert category and then by up to three levels of event category. For example, a log message in the Attacks category might be further categorized as Malicious Code (alert category), and further as a Worm (event category). The following figure shows a five-level message classification, as well as the syntax for specifying categories when configuring alerts or conducting analysis.
Alert Category
Event Categories
The enVision administrator uses message categories in configuring alerts. When incoming messages and possibly other criteria, such as event source or time frame, meet the conditions that the administrator has specified for an alert, the alert is triggered immediately. In addition, the categorization of log messages enables enVision to establish activity baselines, which it can use to determine whether a certain activity or level of activity is anomalous. The categorized log data is also used for alerting and reporting.
Event Storage
After enVision analyzes log messages, it stores the original log messages and their descriptive metadata in the IPDB. This method of storage has several advantages over traditional relational databases. The IPDB: Works efficiently with unstructured data without requiring preprocessing or data normalization. Optimizes retrieval based on event source, message category, event ID, and time received. Uses a write-once-read-many approach that ensures that after data is committed to the database, it can never be altered.
RSA enVision secures the data from tampering and protects it with access authentication. As a result, enVision provides a complete and verifiable repository of IT information that meets both current and future demands.
14
2: Event Collection
RSA enVision
Logs ADB VDB IPDB Knows Asset A and its importance Knows Asset As vulnerabilies and threats Knows events that signal an attack on Asset A
Asset A
Both enVision and RSA enVision Event Explorer have vulnerability and asset browsers that enable security analysts to access this information quickly and efficiently
Asset Data
RSA enVision maintains an Asset Database (ADB), containing information about the assets reported by one of the supported asset tracking tools (asset scanning devices). RSA enVision supplements its own information about assets by importing data from third-party asset scanners and configuration management systems. For example, enVision imports data from the QualysGuard Security and Compliance Suite. If one of these third-party scanners reports an asset that is not in the enVision ADB, enVision creates a new record for the asset and adds the available information, such as operating system, ports, and services.
Vulnerability Data
The enVision Vulnerability Knowledge Database (VDB) is an embedded repository of vulnerability information. The VDB is derived from the National Vulnerability Database of the U. S. Department of Homeland Security. The National Vulnerability Database integrates all vulnerability data from publicly available resources. It contains detailed descriptions about each current vulnerability, such as its potential impact, the type of loss it can cause, and an indication of how an attack can result in a confidentiality breach.
15
Vulnerability and asset management features enable enVision users to configure confidence level filtering on the detected set of vulnerabilities of each scanned asset. When enVision receives event information from a supported intrusion detection system (IDS) or intrusion prevention system (IPS), it applies the confidence level filter to respond appropriately to the received information. Examples of supported IDS and IPS devices include Juniper Networks Intrusion Detection and Prevention Appliances and Cisco Intrusion Prevention Sensor. These systems continuously scan the network to detect such threats as outsiders gathering information about the assets. RSA frequently updates vulnerability information, threat signatures, and support for vulnerability scanners. Customers can download these updates to the enVision VDB.
16
Incident Management
An incident is an event or set of events that warrants further investigation, such as a disk failure, an unexpected spike in network traffic, or the signature of a known threat. Because of the wealth of data that the RSA enVision platform automatically collects, it can be configured to recognize incidents and issue real-time alerts. The alert is the beginning of the enVision incident-management process. RSA enVision provides for closed-loop incident management, from configuring alerts, through creating and assigning response tasks, to monitoring incident response and resolution.
Real-Time Alerts
RSA enVision generates real-time alerts in response to sets of circumstances that the administrator has specified. RSA enVision analyzes all incoming events, and issues an alert immediately when the specified conditions are met. The alert is reported in the enVision GUI and can be directed to other destinations, such as e-mail, instant message, or a text file stored on the local system. An alert can also be configured to automatically generate an incident-response task.
Views
A view defines the devices, messages, correlated rules, and user-defined criteria for which enVision issues alerts. An enVision administrator creates views that specify the conditionsthe event sources, events, user-defined criteria, and correlations among criteriathat are worthy of investigation. One of the following conditions can generate an alert: A single event message, such as one reporting an asset malfunction A string within an event message, such as content that matches a configured list (referred to as a watchlist) of known spammers A specified combination of events within a given time frame, such as a series of logon attempts that suggest a possible denial-of-service attack
Within a view, an administrator can specify filters and thresholds, such as a percentage increase of activity above the baseline, to rate the severity of the events and focus on those of highest priority. Views can also use watchlists, which filter events by string, IP address, port, protocol, or regular expressions. An administrator can also configure the view to send various alerts using specific protocols such as SNMP, e-mail, instant message, or text file. These configuration settings are called output actions. Another possible output action is the automatic generation of an incident-response task. Each view specifies the users who are permitted to monitor the alerts generated for that view.
4: Incident Management
17
Correlated Alerts
Views frequently include correlation rules for alerts. A correlation rule specifies a set of events within a time period and a set of conditions that will generate an alert. The correlation rule includes a message ID and message text for the alert. For example, the following figure illustrates the logic of a correlation rule for recognizing a threat.
Specified time period Defined set of events
Cisco Cisco Cisco Cisco Cisco Cisco Check PIX Firewall PIX Firewall PIX Firewall PIX Firewall PIX Firewall PIX Firewall Point Firewall-1 106001 106010 106012 106015 106016 307001 050010
When the correlation rule criteria are met, enVision generates the alert message defined in the view and sends it to the specified destination. RSA enVision provides a wide range of correlation rules that detect incidents and reduce or eliminate the risk of exposure. The enVision administrator can enhance or modify these rules to suit the environment. The set of predefined rules is continually updated and available for download from RSA.
18
4: Incident Management
Alert details
RSA enVision can also generate summary reports of alerts, such as recent alerts, alerts by category, and alert trends.
4: Incident Management
19
Incident-Response Tasks
RSA enVision can group events into tasks for the purpose of investigation, and assign the tasks to analysts (or to an intermediate dispatcher) for response. Analysts display and work with the tasks in RSA enVision Event Explorer. Managers and administrators can monitor the analysts progress in the enVision GUI.
Create
New Task Created Acknowledge Task Opened Close Escalate External Application (Ticketing System) Task escalated to external application Update Task Close Delete Delete Task Closed Reopen
Delete
Multiple users can access the same task from different Event Explorer clients. Event Explorer displays a warning message if different users attempt to make conflicting changes to the task.
20
4: Incident Management
Monitoring Tasks
Administrators can monitor the status of tasks in the enVision GUI, as illustrated in the following figure.
Administrators can also generate summary reports of tasks, showing such productivity metrics as departmental workload, open tasks, and time to closure.
Forensic Analysis
Many enVision features rely on real-time alerts and other dynamic information to help resolve incidents in progress. Sometimes analysts need to drill into historical (static) data to research some event that happened in the past. Research using static data is called forensic analysis. Forensic analysis can help determine a sequence of events leading to a given state of a network asset. Forensic analysis can be used when an asset fails, is attacked, or is otherwise compromised.
4: Incident Management
21
The following figure illustrates how events stored in the enVision IPDB can indicate suspicious activity on an event source, in this case a laptop containing sensitive data.
Event Explorer is the primary interface used for both real-time and historical data mining. Event Explorer is a client application that analysts use with enVision to retrieve and examine event data. The user must have an enVision account to use Event Explorer. Event log analysis involves logging on to the relevant Application Server and creating an event trace to retrieve specific messages. The event trace wizard (a tool within Event Explorer ) assists users in setting up and managing an event trace. An event trace specifies the messages, the event sources that generated the messages, and the time frame in which the messages were received by enVision. Users can limit the data retrieved by filtering for specific message content. Event traces display returned data in tables and charts: Standard tables and charts enable data selection without requiring users to know how to use the SQL commands that Event Explorer uses internally. Advanced tables and charts require users to enter SQL statements to define how the data is displayed, providing more control over data selection and display.
22
4: Incident Management
RSA enVision can also display data as an area, bar, stacking bar, line, plot, or pie chart. The following figure shows a standard chart trace view.
The data displayed in tables and charts derives from actual or aggregated logs (events) and can provide a trail of events causing an asset compromise or failure.
4: Incident Management
23
5
Reports
Reports provide convenient summaries of incidents and security-related statistics for defined time periods. Reports support incident handling, workflow process management, and auditing needs by providing essential statistics in graphs or tables. RSA enVision provides over 1200 standard reports that gather common network security and traffic analysis statistics into tables and graphs. Administrators can copy and modify these reports or create custom reports to meet specific reporting needs. Administrators and users with the appropriate permissions can create, manage, and run both scheduled and ad hoc reports. Optionally, a report can run once on a specified day or run repeatedly at specified times. RSA enVision can e-mail generated reports to departments and people who need them such as IT, human resources, the CIO office, compliance officers, and managers. RSA enVision provides reports for security, host, network, storage, and other devices. RSA enVision also provides a number of report packages to satisfy compliance needs such as Sarbanes-Oxley Act (SOX) and Health Insurance Portability and Accountability Act (HIPAA).
25
An enVision report consists of a single graph or a single table. For some purposes, a user may need more data than can be included in a single graph or table. RSA enVision can group multiple reports together so they run at the same time. The following figure shows examples of a graphical report and a tabular report.
Graphical Report
Tabular Report
Queries
Queries are similar to reports except that queries are ad hoc only. They generally execute faster, as they are intended to deal with smaller amounts of data than reports. A query returns only tabular data. Analysts might use queries in forensic analysis, for example to drill quickly into an alert or other condition discovered in RSA enVision Event Explorer or to audit some past event. Queries help users and administrators retrieve and examine any data collected by enVision. Query results can be based on IP addresses, dates and times, event message types, and other criteria. Users can generate a query in response to an alert condition appearing in Event Explorer. Queries use SQL syntax to construct statements for accessing database tables for conditions and events including: General traffic flows and events that were allowed Accesses that were denied or prevented from happening based on policy Status and health parameters URL information indicating where users have visited
26
Users can compose simple or complex queries: A simple query is a single logical statement (a single row in the Edit query table). A complex query consists of multiple statements (multiple rows in the Edit query table) logically joined using AND or OR. Multiple statements can narrow a query or extract a more accurate set of results for given criteria.
Edit query
27
Compliance
Organizations often must comply with organizational security requirements or regulations imposed by state or federal government. RSA enVision helps meet compliance needs by monitoring and reporting on the following IT criteria used to show whether an organization is in compliance: Access control Configuration control Malicious software Policy enforcements User monitoring and management Environmental and transmissions security
RSA enVision helps organizations collect and maintain evidence of compliance in the form of reports on mandated systems. Compliance packages are sets of report templates that summarize the precise data needed by a regulatory body. RSA enVision offers the following regulatory compliance packages: BASEL IIInternational Convergence of Capital Measurement and Capital Standards Bill 198Ontario Securities Commission regulations FISMAFederal Information Security Management Act GLBAGramm-Leach-Bliley Act HIPAAHealth Insurance Portability and Accountability Act ISO 27002Best practice recommendations on information security management Memo 22Protective monitoring of UK National Infrastructure Security systems NERCNorth American Electric Reliability Council NISPOMNational Industrial Security Program Operating Manual PCIPayment Card Industry Data Security Standard SOXSarbanes-Oxley Act SAS 70Statement on Auditing Standards No. 70
6: Compliance
29
Help Systems
The primary source of usage and administrative information about enVision is the Help system. Both enVision and RSA enVision Event Explorer have embedded Help systems. You can also download and view the Help separately from the products.
Do one of the following: On the enVision navigation panel, select Overview > Best Practices > Product Usage > Help to view the Help Table of Contents. On any enVision window, click the question mark icon topic that describes the current window. to view the Help
On any Event Explorer page, click Help to view the Help Table of Contents. The Help is displayed in a new window.
1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online. (For registration information, see Accessing RSA SecurCare Online on page 33.) 2. Click Home > RSA enVision > Product Documentation > RSA enVision Platform 4.0 Documentation > RSA enVision 4.0 Online Help. 3. On the File Download pop-up window, click Save. 4. Specify the download destination, or accept the default. Click Save. 5. Unzip the downloaded Help files. 6. In the folder containing the unzipped Help files, click nic.htm to open the Help. The Table of Contents is displayed, with links to all the Help topics.
31
1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online. (For registration information, see Accessing RSA SecurCare Online on page 33.) 2. Click Home > RSA enVision > Product Documentation > Event Explorer 4.0 Documentation > Event Explorer Online Help Files. 3. On the File Download pop-up window, click Save. 4. Specify the download destination, or accept the default. Click Save. 5. Unzip the downloaded Help files. 6. In the folder containing the unzipped Help files, click Event_Explorer.htm to open the Help. (If prompted to accept Active X content, click Yes.) The Table of Contents is displayed, with links to all the Help topics.
Online Resources
The RSA web site and RSA SecurCare Online, an e-support system, provide a wealth of resources for RSA customers: technical information, solutions, and support.
32
Product documentation for enVision and Event Explorer: RSA enVision Online Help RSA enVision Configuration Guide RSA enVision Hardware Guide RSA enVision Migration Guide RSA enVision Event Explorer Online Help RSA enVision Event Explorer Installation Guide
Accessing RSA SecurCare Online RSA SecurCare Online is available to customers who have an RSA product covered under a maintenance contract. Register with SecurCare Online from the RSA web site by selecting Support > RSA SecurCare Online e-support system > Register for RSA SecurCare Online, or go to https://knowledge.rsasecurity.com/registration.asp.
33
Assistance
As an enVision customer, you can get hands-on assistance in the form of technical support, training, professional services, or outsourcing to RSA partners: Technical Support. Support is available via telephone and the RSA SecurCare Online e-support service. For instructions and telephone numbers, see RSA.com > Support > Contacting Support, or go to http://rsa.com/node.aspx?id=1068. Training. RSA offers instruction in enVision administration and operations at customer sites and at RSA and EMC facilities worldwide. For courses available and information on registration, see RSA.com > Services > Training & Certification, or go to http://rsa.com/node.aspx?id=1258. Professional Services. RSA Professional Services offers end-to-end Security Information and Event Management (SIEM) services, including strategy development, solution design, enVision deployment, and staff augmentation and assistance. RSA enVision is most effective when combined with supporting policies and procedures for incident handling. RSA Professional Services can help customers to leverage their investment in the product by building out a security operations program with enVision as the core technology. For more information, see RSA.com > Services or your sales representative, or go to http://rsa.com/node.aspx?id=1243. RSA partners. RSA has business partners who specialize in SIEM using the RSA enVision platform. To explore outsourcing some or all of your organizations SIEM activities and to identify a potential source of assistance, see RSA.com > Partners > Find a Business Partner, or go to http://www.rsasecurity.com/partners/partnerfinder.asp.
34